Openswan: Denial of Service
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 201203-13 / Openswan |
| Release Date |
March 16, 2012 |
| Latest Revision |
March 16, 2012: 1 |
| Impact |
normal |
| Exploitable |
local, remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| net-misc/openswan |
<
2.6.37 |
>=
2.6.37 |
All supported architectures
|
Related bugreports:
#372961, #389097
Synopsis
Multiple vulnerabilities in Openswan may create a Denial of Service
condition.
2.
Impact Information
Background
Openswan is an implementation of IPsec for Linux.
Description
Two vulnerabilities have been found in Openswan:
- Improper permissions are used on /var/run/starter.pid and
/var/lock/subsys/ipsec (CVE-2011-2147).
- Openswan contains a use-after-free error in the cryptographic helper
handler (CVE-2011-4073).
Impact
A remote authenticated attacker or a local attacker may be able to cause
a Denial of Service condition.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Openswan users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openswan-2.6.37"
|
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 10, 2011. It is likely that your system is
already no longer affected by this issue.
4.
References
|
