When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon. https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt
Vulnerable versions : libreswan 4.6 - 4.11 Not vulnerable : libreswan 3.0 - 4.5, 4.12+ Vulnerable code introduced in libreswan v4.6
This CVE is now public by upstream: https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.patch
Created libreswan tracking bugs for this issue: Affects: fedora-all [bug 2230238]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6549 https://access.redhat.com/errata/RHSA-2023:6549
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7052 https://access.redhat.com/errata/RHSA-2023:7052