Bug 34705 - strongswan new security issue CVE-2025-62291
Summary: strongswan new security issue CVE-2025-62291
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-10-30 17:22 CET by Nicolas Salguero
Modified: 2025-11-10 19:55 CET (History)
3 users

See Also:
Source RPM: strongswan-5.9.14-1.mga9.src.rpm
CVE: CVE-2025-62291
Status comment:


Attachments

Nicolas Salguero 2025-10-30 17:23:46 CET

Source RPM: (none) => strongswan-5.9.14-1.mga9.src.rpm
CVE: (none) => CVE-2025-62291
Version: Cauldron => 9
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2025-10-30 21:23:49 CET
Thanks for the patch ref.
The middle URL above says Oct 27, 2025 "All versions since 4.2.12 are affected". BUT:
"strongSwan 6.0.3 Released
Oct 27, 2025
We are happy to announce the release of strongSwan 6.0.3, which fixes a vulnerability in the eap-mschapv2 plugin"
Cauldron is at version: 6.0.3, just 3d ago, which fixes the problem. M9 remains.

Assigning to DavidG who is the visible packager for this pkg.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2025-11-04 09:41:20 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow When Handling EAP-MSCHAPv2 Failure Requests. (CVE-2025-62291)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QVE27CU4U3DGHAD4EVF75YM3RK423ZQS/
https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html
========================

Updated packages in core/updates_testing:
========================
lib(64)strongswan0-5.9.14-1.1.mga9
strongswan-5.9.14-1.1.mga9
strongswan-charon-nm-5.9.14-1.1.mga9
strongswan-tnc-imcvs-5.9.14-1.1.mga9

from SRPM:
strongswan-5.9.14-1.1.mga9.src.rpm

Status comment: Patch available from upstream => (none)
Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2025-11-06 11:39:21 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
I wanted to replicate the test from bug 33286 Comment 3, but I can't figure out what TJ means by systemsettings/connections. I don't find this in systemsettings. Tried MCC - network - VPN, but that doesn't show strongswan as a possible VPN type.

CC: (none) => herman.viaene

katnatek 2025-11-06 23:40:56 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2025-11-09 23:47:17 CET
MGA9-64 Plasma.

There is a "Connections" tab in systemsettings under "Network" only if using Network Manager. I don't know how to do this if using our Network Center.

In the "Connections" dialog, click on the green "+" to add a connection. Scroll down in the window that comes up to reveal different types of VPN connections. For this test, select "IPsec based VPN (strongswan)" and click on "create" to bring up the setup gui.

I replicated that test, and it worked as before. Also as before, that's as far as I can take it because I know nothing of strongswan VPNs.

Calling it OK, and validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-11-10 19:55:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0272.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

