Bug 21001

Summary: strongswan security vulnerability CVE-2017-9023
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact:
Severity: normal
Priority: Normal
CC: jiml, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.linuxsecurity.com/content/view/171609/170/
Whiteboard:
Source RPM: strongswan
CVE:
Status comment:

Description Zombie Ryushu 2017-06-01 08:35:45 CEST
CVE-2017-9022

    RSA public keys passed to the gmp plugin aren't validated sufficiently
    before attempting signature verification, so that invalid input might
    lead to a floating point exception and crash of the process.
    A certificate with an appropriately prepared public key sent by a peer
    could be used for a denial-of-service attack.

CVE-2017-9023

    ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
    parsing X.509 certificates with extensions that use such types. This could
    lead to infinite looping of the thread parsing a specifically crafted
    certificate.

Description of problem:
Zombie Ryushu 2017-06-01 08:36:03 CEST

URL: (none) => http://www.linuxsecurity.com/content/view/171609/170/

Comment 1 Marja Van Waes 2017-06-01 21:16:11 CEST
I can't find strongswan... do we have that software?

CC: (none) => marja11
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 2 Zombie Ryushu 2017-06-01 22:42:38 CEST
If you don't, it should be a Package Request.
Zombie Ryushu 2017-06-01 22:42:49 CEST

QA Contact: security => (none)
Component: Security => New RPM package request

Comment 3 David Walser 2017-06-02 02:38:36 CEST
I don't see why this should be a package request.  It was an invalid bug for software we don't have and is undesirable due to frequent security issues.  We already provide openswan.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
Component: New RPM package request => Security