Bug 1716918 (CVE-2019-12312)
Summary: | CVE-2019-12312 libreswan: null-pointer dereference by sending two IKEv2 packets | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | Severity: | medium |
Priority: | medium | Version: | unspecified |
Hardware: | All | OS: | Linux |
Keywords: | Security | CC: | avagarwa, code, mikhail.zabaluev, pwouters, scorneli |
Last Closed: | 2019-11-24 05:18:35 UTC | Bug Blocks: | 1716919 |
Bug Depends On: | 1716920, 1716921, 1716924, 1716925 | | |

Description
Dhananjay Arunesh
2019-06-04 12:05:06 UTC
Created strongswan tracking bugs for this issue: Affects: epel-all [bug 1716920]

Created libreswan tracking bugs for this issue: Affects: epel-6 [bug 1716921]

Created libreswan tracking bugs for this issue: Affects: fedora-all [bug 1716924]

Created strongswan tracking bugs for this issue: Affects: fedora-all [bug 1716925]

Correction: only version 3.27 is vulnerable. Versions older and later are not vulnerable. See https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

Why were strongswan bugs created for this? strongswan is not known to be vulnerable. We did not test it for this. The code involved in libreswan was never part of strongswan.

Upstream patch:
https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch
https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

(In reply to msiddiqu from comment #8)
> Upstream patch:
>
> https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch
> https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

This is for libreswan. The vulnerability report never mentions strongswan. Please reopen if you can show how strongswan is affected by this.