A security flaw was found in the way the OpenSSL plug-in of strongSwan, an open-source IPsec-based VPN solution, performed ECDSA signature verification in certain cases (an empty, zeroed or otherwise invalid signature was previously treated as a valid one). A remote attacker could provide a forged signature and / or certificate, leading to their ability to be successfully authenticated as a legitimate user for a particular service.

References:
[1] https://lists.strongswan.org/pipermail/announce/2013-April/000078.html
[2] http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50

Relevant upstream patch:
[3] http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/
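As an added illustration of the checks an ECDSA verifier has to make before it can call a signature valid, here is a self-contained Python implementation of ECDSA over NIST P-256. It is not strongSwan or OpenSSL code and is not taken from this report; it assumes the standard P-256 domain parameters, a raw fixed-width r||s signature encoding (64 bytes, not the DER encoding OpenSSL uses), and SHA-256 as the message hash. The key pair and messages are constructed for the demonstration. The point to notice is that `verify()` rejects an empty signature, a zero-length or wrongly sized one, an all-zero one, and any r or s outside [1, n-1] before doing any curve arithmetic, which is exactly the class of inputs the report says the plug-in accepted.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (standard, assumed-correct constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt is the point at infinity or satisfies y^2 = x^3 + ax + b mod p."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law on the short-Weierstrass curve (handles doubling)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair():
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    """Produce a raw r||s signature (32 + 32 bytes) with a fresh random nonce."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        x, _ = scalar_mult(k, G)
        r = x % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify(pub, msg, sig):
    """Return True only for a well-formed signature that validates under pub."""
    # 1. Reject empty or wrongly sized signatures before touching any arithmetic.
    if len(sig) != 64:
        return False
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    # 2. r and s must each lie in [1, n-1]; an all-zero signature fails here.
    if not (1 <= r < N and 1 <= s < N):
        return False
    # 3. The public key must be a valid, non-identity point on the curve.
    if pub is INF or not on_curve(pub):
        return False
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    u1, u2 = z * w % N, r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if pt is INF:
        return False
    return pt[0] % N == r


if __name__ == "__main__":
    priv, pub = generate_keypair()
    msg = b"IKE_AUTH payload (constructed sample)"
    sig = sign(priv, msg)
    print("genuine  :", verify(pub, msg, sig))        # True
    print("empty    :", verify(pub, msg, b""))        # False
    print("all-zero :", verify(pub, msg, bytes(64)))  # False
    print("tampered :", verify(pub, msg + b"x", sig)) # False
```

A related caveat for code that delegates to OpenSSL rather than implementing verification itself: `ECDSA_verify()` and `ECDSA_do_verify()` return 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller must compare the result against 1 exactly; treating any non-zero return as success turns a parse error on a malformed signature into an accepted authentication. The report does not say which code path was at fault in the plug-in, so this is stated as a general rule rather than as the root cause.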
This issue affects the versions of the strongswan package, as shipped with Fedora release of 17 and 18. Please schedule an update. -- This issue did NOT affect the version of the strongswan package, as shipped with Fedora EPEL-6 as it did not enable the strongSwan OpenSSL plug-in yet.
Created strongswan tracking bugs for this issue

Affects: fedora-all [bug 958125]
(In reply to comment #1)
> This issue affects the versions of the strongswan package, as shipped with
> Fedora release of 17 and 18. Please schedule an update.

While the upstream patch would be applicable to those versions, since the openssl package in Fedora release of 17 and 18 is not built with ECDSA support, the particular affected strongswan code branch is not reachable and therefore strongswan packages in Fedora release of 17 and 18 are NOT affected by this problem. Closing this bug as such.

> --
>
> This issue did NOT affect the version of the strongswan package, as shipped
> with Fedora EPEL-6 as it did not enable the strongSwan OpenSSL plug-in yet.