| Summary: | libreswan new security issue CVE-2023-23009 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | libreswan-4.6-4.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2023-03-04 22:59:36 CET
I see Cauldron has already been updated to v4.10, which leaves M8. Assigning to Stig who looks after libreswan.

Assignee: bugsquad => smelror

Advisory
========

This update fixes CVE-2023-23009 by adding an upstream patch.

CVE-2023-23009: A change in the libreswan 4.2 Traffic Selector parsing code introduced a missing check that would reject malformed Traffic Selector payloads. As such, in such case the code stumbles on to hit a double free, leading to a crash and restart of the pluto daemon. No remote code execution is possible.

References
==========

https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
https://security-tracker.debian.org/tracker/CVE-2023-23009

Files
=====

Uploaded to updates_testing

libreswan-4.6-4.1.mga8
from libreswan-4.6-4.1.mga8.src.rpm

Assignee: smelror => qa-bugs

MGA8-64 MATE on Acer Aspire 5253
No installation issues. Ref bug 25065, no ill effects on my own LAN with own DNS server and NFS-shares. OK for me.

Whiteboard: (none) => MGA8-64-OK
David Walser
2023-03-06 13:18:28 CET
CC: (none) => smelror

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
Dave Hodgins
2023-03-10 00:26:58 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0089.html

Status: NEW => RESOLVED