Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3753 to the following vulnerability: programs/pluto/xauth.c in the client in Openswan 2.6.26 through 2.6.28 allows remote authenticated gateways to execute arbitrary commands via shell metacharacters in the cisco_banner (aka server_banner) field, a different vulnerability than CVE-2010-3308.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
[2] http://www.openswan.org/download/CVE-2010-3308/CVE-2010-3308.txt
[3] http://www.openswan.org/download/CVE-2010-3308/openswan-2.6.26-2.6.28-CVE-2010-330x.patch
[4] http://www.securityfocus.com/bid/43588
[5] http://www.vupen.com/english/advisories/2010/2526

Acknowledgements: Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges D. Hugh Redelmeier and Paul Wouters as the original reporters.
This issue did NOT affect the version of the openswan package as shipped with Red Hat Enterprise Linux 5.

This issue does NOT affect the versions of the openswan package as shipped with Fedora releases 12 and 13 (relevant package versions are already updated).
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2010:0892 https://rhn.redhat.com/errata/RHSA-2010-0892.html
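The flaw class above is a gateway-controlled string reaching a shell. As an added illustration that is not Openswan's code and does not reproduce the upstream patch, the following hypothetical client-side handling treats the banner purely as data (no shell, no command line), with a metacharacter check kept for logging; the function names, buffer size and metacharacter set are assumptions.

```c
/* Added example, not Openswan code: handle a gateway-supplied banner (the
 * cisco_banner / server_banner field) as data never passed to a shell. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters a POSIX shell interprets. The vulnerable pattern is
 * interpolating the banner into a command string for system()/popen();
 * any of these then alters what the shell runs. */
static const char SHELL_METACHARS[] = "|&;<>()$`\\\"'*?[]#~!{}\n";

/* Detection helper: 1 if the banner contains a shell metacharacter, else 0.
 * Worth logging even in a fixed client: a gateway sending one is abnormal. */
int banner_has_shell_metachars(const char *banner)
{
    return strpbrk(banner, SHELL_METACHARS) != NULL;
}

/* Copies the banner into out (NUL-terminated, truncated to out_size - 1
 * bytes), keeping printable ASCII and newlines and replacing anything else
 * (control bytes, escape sequences, non-ASCII) with '?' so the banner
 * cannot drive the user's terminal either. Returns the number replaced. */
size_t sanitize_banner(const char *in, char *out, size_t out_size)
{
    size_t replaced = 0, i;
    if (out_size == 0)
        return 0;
    for (i = 0; in[i] != '\0' && i + 1 < out_size; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n' || (c < 0x80 && isprint(c))) {
            out[i] = (char)c;
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Hardened display path: the banner goes out via fputs, so no shell and no
 * command line is ever involved, whatever the gateway sends. */
void display_banner(FILE *dest, const char *banner)
{
    char clean[1024];
    if (banner_has_shell_metachars(banner))
        fputs("warning: gateway banner contains shell metacharacters\n", stderr);
    sanitize_banner(banner, clean, sizeof clean);
    fprintf(dest, "Gateway banner:\n%s\n", clean);
}
```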