Sicherheit: Ausführen beliebiger Kommandos in strongSwan

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7379747128421948135==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="BxE5V3WdTKsIVqvktLXHuRDHgCz24Im0P"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--BxE5V3WdTKsIVqvktLXHuRDHgCz24Im0P
Content-Type: multipart/mixed;
boundary="LzdYKeM5mW5jOhHaaZmWKxqYjwgXyxMyt";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <d5d6ca6c-f600-01f3-b05a-0fb6c778caea@canonical.com>
Subject: [USN-3774-1] strongSwan vulnerability

--LzdYKeM5mW5jOhHaaZmWKxqYjwgXyxMyt
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3774-1
October 01, 2018

strongswan vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

strongSwan could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- strongswan: IPsec VPN solution

Details:

It was discovered that strongSwan incorrectly handled signature validation
in the gmp plugin. A remote attacker could use this issue to cause
strongSwan to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libstrongswan 5.6.2-1ubuntu2.3
strongswan 5.6.2-1ubuntu2.3

Ubuntu 16.04 LTS:
libstrongswan 5.3.5-1ubuntu3.8
strongswan 5.3.5-1ubuntu3.8

Ubuntu 14.04 LTS:
libstrongswan 5.1.2-0ubuntu2.11
strongswan 5.1.2-0ubuntu2.11

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3774-1
CVE-2018-17540

Package Information:
https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.3
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu3.8
https://launchpad.net/ubuntu/+source/strongswan/5.1.2-0ubuntu2.11

--LzdYKeM5mW5jOhHaaZmWKxqYjwgXyxMyt--

--BxE5V3WdTKsIVqvktLXHuRDHgCz24Im0P
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAluyZhoACgkQZWnYVadE
vpM7uQ/+ObWVu9T5cLXlaJADMoM/vtFh93+N0LqZffQ1jL68K3RHEdh5lIGXCgi2
wRCRP5vfPkKXTHtw0WjoOTGQGyHqOmPxnhDm93htDztg/FbiWayeBdYPUHbRQveA
rSqrAl7fvWNV4L91oS8eGJFMbKSq83AgRt1KhyWksq6X5cwuPF88aL19HXUNkDp9
BstU+UopEQs9o9XfLZxVk7CikNl2HOvPKpHw/sZUThGT0nnxhR/rsUfuommcma6q
YfvJUTHfT5G5+FObXc/to50vU6B2Hy1hTT5u2OFg0I9mj0wT1QeEdYlmQt3VDbxG
HKIcx4btlmrSXgslrwcNqZNF8KedO+hylxGke86lzt7vmvqhuwRtEhW65rxl6vfm
Js0ijChCZzi//9P3MpbMXa1waPvdrdh/EghFXmNjvT9h67wZgID0JBYd6nsXkA4h
Xv3R72DXD0JIOlUFQIR5fmQd2s8L44K5ESs9eXHOKUaP0nCKq1KIHzJ5g4Qw8BLi
DEyOYVvd13K1aCHGiBC7eTWHAYpVQ58iwP9HEspM87f4jisrfWYcV7qiPivs2dAx
5BeWugK6CzhGb9e5aosZvRy6MTN68Cnk67/j7Z+w3QfScpn0AUnP/fQzwKp7BEpu
1EyhpSMfZ08e/VI7Woo2OlOwBDTBihauJHGB6LbOIumXmdg2vlY=
=Ab+9
-----END PGP SIGNATURE-----

--BxE5V3WdTKsIVqvktLXHuRDHgCz24Im0P--

--===============7379747128421948135==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============7379747128421948135==--