drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Prüfung von Zertifikaten in strongSwan
Name: |
Mangelnde Prüfung von Zertifikaten in strongSwan |
|
ID: |
DSA-2665-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian sid, Debian squeeze, Debian wheezy |
|
Datum: |
Di, 30. April 2013, 22:31 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2944 |
|
Applikationen: |
strongSwan |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
- ------------------------------------------------------------------------- Debian Security Advisory DSA-2665-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez April 30, 2013 http://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : strongswan Vulnerability : authentication bypass Problem type : remote Debian-specific: no CVE ID : CVE-2013-2944
Kevin Wojtysiak discovered a vulnerability in strongSwan, an IPsec based VPN solution.
When using the openssl plugin for ECDSA based authentication, an empty, zeroed or otherwise invalid signature is handled as a legitimate one. An attacker could use a forged signature to authenticate like a legitimate user and gain access to the VPN (and everything protected by this).
While the issue looks like CVE-2012-2388 (RSA signature based authentication bypass), it is unrelated.
For the stable distribution (squeeze), this problem has been fixed in version 4.4.1-5.3.
For the testing distribution (wheezy), this problem has been fixed in version 4.5.2-1.5+deb7u1.
For the unstable distribution (sid), this problem has been fixed in version 4.6.4-7.
We recommend that you upgrade your strongswan packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBCgAGBQJRf9owAAoJEG3bU/KmdcClCOUIAJrk1tERsSDSH308tjwSnI2O 7iNJGuo2euCKyp160yk2ZJlCfM+n/7j5Bu95bGzr9u7XvPzzoQD9HMdEZ3Tux/8/ FQ54pFqq/xL1btemBYaPNFr92nppiedLLV2e30OzyAvfHMwPdkRwfsU6LypG6Keb CdljTXadZktCoBPK3hy3z5qNYzN2Ycde3GDFw8hTaYJ+1kZwuTxATpL2+O4YVB+k ecAVf3d/YFMlHajI/e+YEP6COHV/t6dBlyYcQtAH2DHWu5lsltl5v/68ModhXNP3 rCDfu+boGL/672tuN36hcrQLb6KO7CMqXgmEVu5W2jPFBo+1RVKrQNkjxU63+ys= =1nHw -----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: http://lists.debian.org/20130430145029.GA8365@scapa.corsac.net
|
|
|
|