(In reply to David Walser from comment #0)
> Apparently the issue isn't fully fixed in openswan 2.6.40 upstream, so they
> will get another CVE for that, but it should be fixed in 2.6.41 when it
> comes out.

They got CVE-2014-2037, but that does *not* affect us:
http://openwall.com/lists/oss-security/2014/02/20/2

Here's the commit that didn't fully fix the issue upstream:
https://github.com/xelerance/Openswan/commit/d558afa70bcaee9bbe4008ab1a82e944e54950be

A commit to fully fix the issue hasn't been committed yet.

Re-diffed patch from RedHat committed to Mageia 3 SVN.

Upstream commit to fix CVE-2014-2037, completing the CVE-2013-6466 fix:
https://github.com/xelerance/Openswan/commit/b36d3109d05f1b069a0a712de7777cef6f6a48e4

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openswan packages fix security vulnerability:

A NULL pointer dereference flaw was discovered in the way Openswan's IKE
daemon processed IKEv2 payloads. A remote attacker could send specially
crafted IKEv2 payloads that, when processed, would lead to a denial of
service (daemon crash), possibly causing existing VPN connections to be
dropped (CVE-2013-6466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6466
https://rhn.redhat.com/errata/RHSA-2014-0185.html
========================

Updated packages in core/updates_testing:
========================
openswan-2.6.28-5.1.mga3
openswan-doc-2.6.28-5.1.mga3
openswan-2.6.39-3.1.mga4
openswan-doc-2.6.39-3.1.mga4

from SRPMS:
openswan-2.6.28-5.1.mga3.src.rpm
openswan-2.6.39-3.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Procedure: https://bugs.mageia.org/show_bug.cgi?id=7095#c7 onwards

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Tested on Mageia 4 x86_64

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

# service ipsec status
IPsec running  - pluto pid: 27345
pluto pid 27345
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

So looks ok here

CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Tested on Mageia 4 i586

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

# service ipsec status
IPsec running  - pluto pid: 27345
pluto pid 27345
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

Validated on Mageia 4

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Update pushed:
http://advisories.mageia.org/MGASA-2014-0097.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED