Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3752 to the following vulnerability:

programs/pluto/xauth.c in the client in Openswan 2.6.25 through 2.6.28 allows remote authenticated gateways to execute arbitrary commands via shell metacharacters in (1) cisco_dns_info or (2) cisco_domain_info data in a packet, a different vulnerability than CVE-2010-3302.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
[2] http://www.openswan.org/download/CVE-2010-3302/CVE-2010-3302.txt
[3] http://www.openswan.org/download/CVE-2010-3302/openswan-2.6.25-CVE-2010-3302.patch
[4] http://www.openswan.org/download/CVE-2010-3308/openswan-2.6.26-2.6.28-CVE-2010-330x.patch
[5] http://www.securityfocus.com/bid/43588
[6] http://www.vupen.com/english/advisories/2010/2526

Acknowledgements:

Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges D. Hugh Redelmeier and Paul Wouters as the original reporters.

This issue did NOT affect the version of the openswan package as shipped with Red Hat Enterprise Linux 5.

--

This issue does NOT affect the versions of the openswan package as shipped with Fedora releases 12 and 13 (relevant package versions are already updated).

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0892 https://rhn.redhat.com/errata/RHSA-2010-0892.html
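
The flaw class in the CVE text above is peer-supplied DNS and domain strings reaching a shell. As an added example (not Openswan's code or its patch), here is an allowlist check a client could apply to such values before use; the function names and the assumption that the DNS field is a space-separated list of IP addresses are illustrative.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

/* Hypothetical helper: accept only a space-separated list of IP literals
 * (assumed field format), so no shell metacharacter can pass. */
int dns_list_is_safe(const char *s)
{
    char tok[64];
    unsigned char addr[16];
    int count = 0;
    while (s != NULL && *s != '\0') {
        size_t n = strcspn(s, " ");
        if (n == 0) { s++; continue; }          /* skip a separator */
        if (n >= sizeof(tok))
            return 0;
        memcpy(tok, s, n);
        tok[n] = '\0';
        if (inet_pton(AF_INET, tok, addr) != 1 &&
            inet_pton(AF_INET6, tok, addr) != 1)
            return 0;                           /* not an address: reject */
        count++;
        s += n;
    }
    return count > 0;
}

/* Hypothetical helper: accept only hostname syntax (letters, digits, '-', '.'). */
int domain_is_safe(const char *s)
{
    size_t i, label = 0, len = (s != NULL) ? strlen(s) : 0;
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;                       /* empty label or trailing '-' */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;
        } else {
            return 0;                           /* ; | & $ ` quotes, spaces ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}
```

Rejecting the whole value on the first failure, rather than stripping characters, keeps the check independent of how any later shell would quote or expand the string.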