Debian has issued an advisory on May 23: https://www.debian.org/security/2015/dsa-3272 Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated ipsec-tools packages fix security vulnerability: Javantea discovered a NULL pointer dereference flaw in racoon, the Internet Key Exchange daemon of ipsec-tools. A remote attacker can use this flaw to cause the IKE daemon to crash via specially crafted UDP packets, resulting in a denial of service (CVE-2015-4047). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4047 https://www.debian.org/security/2015/dsa-3272 ======================== Updated packages in core/updates_testing: ======================== ipsec-tools-0.8.1-2.1.mga4 libipsec0-0.8.1-2.1.mga4 libipsec-devel-0.8.1-2.1.mga4 from ipsec-tools-0.8.1-2.1.mga4.src.rpm Reproducible: Steps to Reproduce:
Installed old versions for x86_64. Enabled core updates testing and installed ipsec-tools-0.8.1-2.1.mga4 libipsec0-0.8.1-2.1.mga4 libipsec-devel-0.8.1-2.1.mga4 ipsec-tools supplies setkey, racoon and racoonctl, which need to be run as root I think. Config files appear in /etc/racoon setkey Tool to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD). racoon Internet Key Exchange (IKE) daemon for automatically keying IPsec connections. racoonctl A shell-based control tool for racoon [root@belexeuli racoon]# ls certs/ psk.txt racoon.conf [root@belexeuli racoon]# cat psk.txt # file for pre-shared keys used for IKE authentication # format is: 'identifier' 'key' # For example: # # 10.1.1.1 flibbertigibbet # www.example.com 12345 # foo@www.example.com micropachycephalosaurus [root@belexeuli racoon]# ps aux | grep racoon [root@belexeuli racoon]# racoonctl -V racoonctl: invalid option -- 'V' Usage: racoonctl [opts] reload-config racoonctl [opts] show-schedule racoonctl [opts] show-sa [protocol] racoonctl [opts] flush-sa [protocol] racoonctl [opts] delete-sa <saopts> racoonctl [opts] establish-sa [-u identity] [-n remoteconf] [-w] <saopts> racoonctl [opts] vpn-connect [-u identity] vpn_gateway racoonctl [opts] vpn-disconnect vpn_gateway racoonctl [opts] show-event racoonctl [opts] logout-user login General options: -d Debug: hexdump admin messages before sending -l Increase output verbosity (mainly for show-sa) -s <socket> Specify adminport socket to use (default: /var/lib/racoon/racoon.sock) Parameter specifications: <protocol>: "isakmp", "esp" or "ah". In the case of "show-sa" or "flush-sa", you can use "ipsec". <saopts>: "isakmp" <family> <src> <dst> : {"esp","ah"} <family> <src/prefixlen/port> <dst/prefixlen/port> <ul_proto> <family>: "inet" or "inet6" <ul_proto>: "icmp", "tcp", "udp", "gre" or "any" So it installs and the tools respond with usage information. Not sure how to use them though. Need to play around and hope nothing breaks.
CC: (none) => tarazed25
Well done Len. Adding the OK for you :)
Whiteboard: (none) => has_procedure mga4-64-ok
Thanks Claire; I was not sure if that was sufficient. Will run it through i586 on a VM.
Installed the pre-testing rpms, checked the environment then ran the update. All looks OK on the face of it but no real idea how to manipulate the tools. This stuff is way oot a ma ken. If you were happy with the 64bit update then I guess this is OK too. Marking it as such.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok
Oh, that was in virtualbox.
That's fine Len, well done.
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure advisory mga4-64-ok mga4-32-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0243.html
Status: NEW => RESOLVEDResolution: (none) => FIXED