Bug 1173064 (CVE-2014-9221)
Summary: | CVE-2014-9221 strongswan: denial-of-service vulnerability in libtls when processing crafted Key Exchange payload | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | strongSwan 5.2.2 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:37:08 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1178956, 1178957, 1205617 | | |
Bug Blocks: | | | |
Attachments: | | | |
Description
Vasyl Kaigorodov
2014-12-11 11:45:58 UTC
Created attachment 967203 [details]
strongswan-5.1.1_modp_custom.patch
Created attachment 967204 [details]
strongswan-5.1.2-5.2.1_modp_custom.patch
Upstream decided to move the disclosure date earlier:

... Due to feedback we received we will not do the release in Christmas week. Instead we'll disclose the vulnerability and release 5.2.2 on Friday Dec 19th, 12:00 noon UTC. ...

Another upstream update, disclosure date moved to Jan 5th 2015:

... Our integration tests that we run before every release revealed that these patches were inadequate. They broke most of the TLS scenarios. The intention was to increase the identifier of MODP_CUSTOM beyond the 16-bit size limit of DH identifiers in IKEv2 so this DH group can't be negotiated anymore. A side effect of this is that the size of the diffie_hellman_group_t enum increases to 32-bit. The problem with that is that it went unnoticed that the Diffie-Hellman implementations in the different plugins (gmp, openssl etc.) internally used u_int16_t instead of diffie_hellman_group_t to store the group identifier. One set of the attached patches fixes this specific problem in the respective strongSwan versions and should apply with appropriate hunk offsets. Patches that include both fixes are attached too. I'm terribly sorry we missed this issue earlier and having to send this email so close to the intended release date. Instead of rushing out the 5.2.2 release and the vulnerability disclosure today, we will move the release date to Jan 5th, 12:00 noon UTC. For a coordinated public disclosure of the issue we're kindly asking to hold back any prepared release for today and defer such releases to the mentioned date. Once again, our apologies for the inconvenience.

Created attachment 971115 [details]
strongswan-4.5.0-4.5.3_dh_group.patch
Created attachment 971116 [details]
strongswan-4.5.0-4.5.3_modp_custom.patch
Created attachment 971117 [details]
strongswan-4.6.0-5.0.2_dh_group.patch
Created attachment 971118 [details]
strongswan-4.6.0-5.0.2_modp_custom.patch
Created attachment 971119 [details]
strongswan-5.0.3-5.1.0_modp_custom.patch
Created attachment 971120 [details]
strongswan-5.0.3-5.1.1_dh_group.patch
Created attachment 971121 [details]
strongswan-5.1.1_modp_custom.patch
Created attachment 971122 [details]
strongswan-5.1.2-5.2.1_dh_group.patch
Created attachment 971123 [details]
strongswan-5.1.2-5.2.1_modp_custom.patch
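The upstream explanation quoted above (a MODP_CUSTOM identifier pushed beyond the 16-bit IKEv2 transform ID range, and plugins that kept the group in a u_int16_t rather than diffie_hellman_group_t) is easy to see in a few lines of C. The block below is an illustration added for this page; it is not strongSwan code and not any of the attached patches. The enum, struct and function names are hypothetical, 0x10000 is simply a value chosen to lie just outside the 16-bit range (the real constant is not given on the page), and the plugin structs stand in for the gmp/openssl implementations the email refers to.

```c
/* Added illustration, not strongSwan code: a 32-bit group identifier versus
 * 16-bit IKEv2 transform IDs, and a plugin that stores the group in a 16-bit
 * field. Enum values are chosen for the example; the real MODP_CUSTOM constant
 * is not given on the page. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for diffie_hellman_group_t. IKEv2 carries DH group
 * IDs in a 16-bit transform ID, so a value above 0xFFFF can never arrive
 * from the wire. */
typedef enum {
    MODP_NONE     = 0,
    MODP_2048_BIT = 14,       /* IANA-registered IKEv2 group number */
    MODP_CUSTOM   = 0x10000   /* deliberately beyond the 16-bit range */
} dh_group_t;

/* Map a 16-bit transform ID from a received proposal to a group. Because the
 * parameter is uint16_t, no input can equal MODP_CUSTOM, which is exactly the
 * effect the upstream change aimed for. */
dh_group_t group_from_wire(uint16_t transform_id)
{
    switch (transform_id) {
    case MODP_2048_BIT:
        return MODP_2048_BIT;
    default:
        return MODP_NONE;  /* unknown, or not negotiable (MODP_CUSTOM) */
    }
}

/* True if the group can be expressed in an IKEv2 transform ID at all. */
bool group_negotiable_over_ikev2(dh_group_t group)
{
    return (uint32_t)group <= UINT16_MAX;
}

/* The defect class described upstream: a plugin keeps the group in a 16-bit
 * field. Storing MODP_CUSTOM (0x10000) silently truncates it to 0. */
typedef struct {
    uint16_t group;  /* BUG: narrower than dh_group_t */
} buggy_dh_t;

typedef struct {
    dh_group_t group;  /* fixed: same width as the enum */
} fixed_dh_t;

static buggy_dh_t buggy_create(dh_group_t group)
{
    buggy_dh_t dh;
    dh.group = group;  /* implicit narrowing; -Wconversion would flag it */
    return dh;
}

static fixed_dh_t fixed_create(dh_group_t group)
{
    fixed_dh_t dh;
    dh.group = group;
    return dh;
}

/* Internal callers (TLS uses a custom prime/generator) create the object with
 * MODP_CUSTOM and later ask it which group it represents. */
bool buggy_plugin_recognizes_custom(void)
{
    buggy_dh_t dh = buggy_create(MODP_CUSTOM);
    return (dh_group_t)dh.group == MODP_CUSTOM;  /* false: 0 != 0x10000 */
}

bool fixed_plugin_recognizes_custom(void)
{
    fixed_dh_t dh = fixed_create(MODP_CUSTOM);
    return dh.group == MODP_CUSTOM;  /* true */
}

int main(void)
{
    printf("group 14 from wire -> %d\n", (int)group_from_wire(14));
    printf("MODP_CUSTOM negotiable over IKEv2: %s\n",
           group_negotiable_over_ikev2(MODP_CUSTOM) ? "yes" : "no");
    printf("buggy plugin sees MODP_CUSTOM: %s\n",
           buggy_plugin_recognizes_custom() ? "yes" : "no");
    printf("fixed plugin sees MODP_CUSTOM: %s\n",
           fixed_plugin_recognizes_custom() ? "yes" : "no");
    return 0;
}
```

The first half shows why the identifier change closes the negotiation path: a 16-bit transform ID cannot spell a value of 0x10000, so `group_from_wire()` never returns MODP_CUSTOM. The second half shows why the same change broke the TLS scenarios: the internal callers that legitimately use the custom group hand MODP_CUSTOM to a plugin whose field is too narrow, the value truncates to 0, and the plugin no longer recognises the group it was created with. Widening the field to the enum type restores the behaviour; building with `-Wconversion` makes this kind of silent narrowing visible at compile time.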
External References: https://www.strongswan.org/blog/2015/01/05/strongswan-denial-of-service-vulnerability-(cve-2014-9221).html

Created strongswan tracking bugs for this issue:
Affects: fedora-all [bug 1178956]
Affects: epel-all [bug 1178957]

strongswan-5.2.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

strongswan-5.3.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.