Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7294 to the following vulnerability:

Name: CVE-2013-7294
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7294
Assigned: 20140115
Reference: https://lists.libreswan.org/pipermail/swan-announce/2013/000007.html
Reference: https://github.com/libreswan/libreswan/commit/2899351224fe2940aec37d7656e1e392c0fe07f0
Reference: OSVDB:101573
Reference: http://www.osvdb.org/101573
Reference: SECUNIA:56276
Reference: http://secunia.com/advisories/56276

The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in libreswan before 3.7 allows remote attackers to cause a denial of service (restart) via an IKEv2 I1 notification without a KE payload.
Who created this CVE number? It is wrong. This is covered in CVE-2013-6467. The openswan CVE for this is CVE-2013-6466. See: https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt
Sorry, my bad. This is referring to the _previous_ CVE. While openswan had the same bug, it could not cause a problem because of a size of IKE packet versus described length check. In libreswan 3.7, this check has more conditionals due to an added IKE padding feature, thus exposing the vulnerable code in some cases. So there is no openswan CVE for libreswan CVE-2013-7294.
This was addressed in the release of RHEL 7.
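
Added example, not part of the original thread and not libreswan code: a framing check for an IKEv2 I1 (IKE_SA_INIT) message that compares the described length with the datagram size and refuses a message lacking the SA, KE or Ni payload before anything touches the KE payload. `check_i1`, the enum names and both sample packets are hypothetical and constructed for illustration; tolerating trailing bytes after the declared length is an assumption here, not a description of libreswan's padding logic.

```c
#include <stddef.h>
#include <stdint.h>

/* Field values from RFC 7296 (IKEv2). */
enum { IKE_HDR_LEN = 28, PL_HDR_LEN = 4, EXCH_IKE_SA_INIT = 34,
       PL_NONE = 0, PL_SA = 33, PL_KE = 34, PL_NONCE = 40, PL_NOTIFY = 41 };
enum i1_result { I1_OK, I1_BAD_LENGTH, I1_BAD_PAYLOAD, I1_MISSING_REQUIRED };

/* check_i1() is a hypothetical helper for this example, not a pluto function.
 * It validates framing only; payload bodies are not inspected. */
enum i1_result check_i1(const uint8_t *pkt, size_t received)
{
    if (received < IKE_HDR_LEN) return I1_BAD_LENGTH;
    size_t declared = (size_t)pkt[24] << 24 | (size_t)pkt[25] << 16 |
                      (size_t)pkt[26] << 8 | pkt[27];
    /* Described length vs. datagram size: trailing bytes are tolerated,
     * but parsing never goes past the declared length. */
    if (declared < IKE_HDR_LEN || declared > received) return I1_BAD_LENGTH;
    if (pkt[18] != EXCH_IKE_SA_INIT) return I1_BAD_PAYLOAD;

    unsigned seen = 0;                 /* bit 0 = SA, bit 1 = KE, bit 2 = Ni */
    uint8_t type = pkt[16];            /* first payload type, from the header */
    size_t off = IKE_HDR_LEN;
    while (type != PL_NONE) {
        if (declared - off < PL_HDR_LEN) return I1_BAD_PAYLOAD;
        size_t plen = (size_t)pkt[off + 2] << 8 | pkt[off + 3];
        if (plen < PL_HDR_LEN || plen > declared - off) return I1_BAD_PAYLOAD;
        if (type == PL_SA) seen |= 1;
        if (type == PL_KE) seen |= 2;
        if (type == PL_NONCE) seen |= 4;
        type = pkt[off];               /* next-payload field of this payload */
        off += plen;
    }
    if (off != declared) return I1_BAD_PAYLOAD;
    return seen == 7 ? I1_OK : I1_MISSING_REQUIRED;
}

/* Constructed sample: IKE_SA_INIT header followed by a single Notify payload. */
const uint8_t i1_notify_only[36] = {
    1,2,3,4,5,6,7,8, 0,0,0,0,0,0,0,0, PL_NOTIFY, 0x20, EXCH_IKE_SA_INIT, 0x08,
    0,0,0,0, 0,0,0,36,  PL_NONE,0,0,8, 0,0,0x40,0x00 };
/* Constructed sample: SA, KE and Ni payloads with abbreviated bodies. */
const uint8_t i1_complete[48] = {
    1,2,3,4,5,6,7,8, 0,0,0,0,0,0,0,0, PL_SA, 0x20, EXCH_IKE_SA_INIT, 0x08,
    0,0,0,0, 0,0,0,48,  PL_KE,0,0,4,  PL_NONCE,0,0,8, 0,14,0,0,
    PL_NONE,0,0,8, 0xaa,0xbb,0xcc,0xdd };

int main(void) { return check_i1(i1_notify_only, sizeof i1_notify_only) != I1_MISSING_REQUIRED; }
```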