Bug 31865 - libreswan new security issue - CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on: 32211
Blocks:
 
Reported: 2023-05-04 07:01 CEST by Stig-Ørjan Smelror
Modified: 2023-09-01 16:08 CEST

See Also:
Source RPM:
CVE: CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Status comment: Fixed upstream in version 4.12



Description Stig-Ørjan Smelror 2023-05-04 07:01:53 CEST
Upstream have released a patch to fix CVE-2023-30570

https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt

Fixed in version 4.11. Cauldron updated.
Stig-Ørjan Smelror 2023-05-04 14:36:49 CEST

Status comment: (none) => Fixed upstream in version 4.11
CVE: (none) => CVE-2023-30570

Comment 1 David Walser 2023-05-04 15:47:25 CEST
Red Hat has issued an advisory for this today (May 4):
https://access.redhat.com/errata/RHSA-2023:2120
Comment 2 David Walser 2023-05-15 16:41:38 CEST
Fedora has issued an advisory for this on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APPXJHIVUBS4I2AVIB6C36ED6XNUYVC2/

Severity: normal => critical

Comment 3 Stig-Ørjan Smelror 2023-08-29 22:27:56 CEST
New security fixes in version 4.12

https://github.com/libreswan/libreswan/blob/26f713c76db27cfd8498c560cac5eade46165155/CHANGES#L28

* SECURITY IKEv2: Fixes https://libreswan.org/security/CVE-2023-38710
* SECURITY IKEv1: Fixes https://libreswan.org/security/CVE-2023-38711
* SECURITY IKEv1: Fixes https://libreswan.org/security/CVE-2023-38712

CVE: CVE-2023-30570 => CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Status comment: Fixed upstream in version 4.11 => Fixed upstream in version 4.12
Summary: libreswan new security issue - CVE-2023-30570 => libreswan new security issue - CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712

Stig-Ørjan Smelror 2023-08-29 22:28:32 CEST

Version: 8 => 9
Whiteboard: (none) => MGA8

Stig-Ørjan Smelror 2023-08-29 22:31:16 CEST

Whiteboard: MGA8 => MGA8_TOO

David Walser 2023-08-29 22:48:50 CEST

Whiteboard: MGA8_TOO => MGA8TOO
CC: (none) => luigiwalser

Comment 4 Thomas Backlund 2023-09-01 16:08:29 CEST
updating to 4.12 in mga8 will break at least networkmanager-l2tp
(it's already broken in mga9 with 4.11)

so bug 32211 needs to be validated before this can be pushed...

Depends on: (none) => 32211

