Description of problem:

CVE-2017-9022: RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate with an appropriately prepared public key sent by a peer could be used for a denial-of-service attack.

CVE-2017-9023: ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread parsing a specifically crafted certificate.
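The first CVE is a missing sanity check on peer-supplied key material before it is used in modular arithmetic. The following Python sketch (an added example, not strongSwan's code; the size bounds and helper names are assumptions) shows the kind of parameter validation a verifier should run before touching the modulus, and demonstrates that the unchecked path fails on a degenerate modulus:

```python
# Added example: validate an RSA public key (n, e) taken from an untrusted
# certificate before using it for signature verification.
# Bounds and function names are assumptions, not strongSwan's API.

def validate_rsa_public_key(n: int, e: int,
                            min_bits: int = 1024,
                            max_bits: int = 16384):
    """Return None if (n, e) is usable, otherwise a string saying why not."""
    if n <= 0:
        return "modulus must be positive"          # n == 0 is the CVE-2017-9022 case
    if n % 2 == 0:
        return "modulus must be odd"
    bits = n.bit_length()
    if bits < min_bits:
        return f"modulus too small ({bits} bits)"
    if bits > max_bits:
        return f"modulus too large ({bits} bits)"  # bounds CPU spent on a peer's key
    if e < 3 or e % 2 == 0:
        return "public exponent must be an odd integer >= 3"
    if e >= n:
        return "public exponent must be smaller than the modulus"
    return None


def rsa_verify_raw(signature: int, n: int, e: int, min_bits: int = 1024) -> int:
    """Compute signature**e mod n, but only for a key that passed validation.

    In C with libgmp a zero modulus would raise SIGFPE and kill the process;
    Python raises ValueError instead, which the caller can handle.
    """
    problem = validate_rsa_public_key(n, e, min_bits=min_bits)
    if problem is not None:
        raise ValueError(f"rejecting peer RSA key: {problem}")
    return pow(signature, e, n)


if __name__ == "__main__":
    # Constructed textbook key (n = 61 * 53, e = 17): 65**17 mod 3233 == 2790.
    print(rsa_verify_raw(65, 3233, 17, min_bits=8))       # 2790
    print(validate_rsa_public_key(0, 17, min_bits=8))      # "modulus must be positive"
```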
URL: (none) => http://www.linuxsecurity.com/content/view/171609/170/
I can't find strongswan... do we have that software?
CC: (none) => marja11
QA Contact: (none) => security
Component: RPM Packages => Security
If you don't it should be a Package Request.
QA Contact: security => (none)
Component: Security => New RPM package request
I don't see why this should be a package request. It was an invalid bug for software we don't have and is undesirable due to frequent security issues. We already provide openswan.
Resolution: (none) => INVALID
Status: NEW => RESOLVED
Component: New RPM package request => Security
Strongswan has not done badly WRT security. It seems to be doing better than, for instance, Samba in terms of both quantity and severity of bugs. http://www.cvedetails.com/vulnerability-list.php?vendor_id=2278&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=19&sha=e2447106f854224208d5c3292e0bd3753d94cf07
CC: (none) => jiml