Debian has issued an advisory on March 3:
https://www.debian.org/security/2023/dsa-5368

The issue is fixed upstream in 4.10:
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
I see Cauldron has already been updated to v4.10, which leaves M8. Assigning to Stig who looks after libreswan.
Assignee: bugsquad => smelror
Advisory
========

This update fixes CVE-2023-23009 by adding an upstream patch.

CVE-2023-23009: A change in the libreswan 4.2 Traffic Selector parsing code introduced a missing check that would reject malformed Traffic Selector payloads. As such, in such case the code stumbles on to hit a double free, leading to a crash and restart of the pluto daemon. No remote code execution is possible.

References
==========
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
https://security-tracker.debian.org/tracker/CVE-2023-23009

Files
=====

Uploaded to updates_testing

libreswan-4.6-4.1.mga8

from libreswan-4.6-4.1.mga8.src.rpm
Assignee: smelror => qa-bugs
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 25065, no ill effects on my own LAN with own DNS server and NFS-shares.
OK for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
CC: (none) => smelror
Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0089.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED