Debian: New openswan packages fix denial of service
Posted by Benjamin D. Thomas   
Debian Two vulnerabilities have been discovered in openswan, an IPSec implementation for linux.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1760-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
March 30, 2009                   	http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openswan
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2008-4190 CVE-2009-0790
Debian Bug     : 496374


Two vulnerabilities have been discovered in openswan, an IPSec
implementation for linux. The Common Vulnerabilities and Exposures
project identifies the following problems:


CVE-2008-4190

Dmitry E. Oboukhov discovered that the livetest tool is using temporary
files insecurely, which could lead to a denial of service attack.


CVE-2009-0790

Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.


For the stable distribution (lenny), this problem has been fixed in
version 2.4.12+dfsg-1.3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 2.4.6+dfsg.2-1.1+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your openswan packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1.diff.gz
    Size/MD5 checksum:    92351 d43193ea57c9ba646aa9a2ae479c65dd
  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2.orig.tar.gz
    Size/MD5 checksum:  3555236 e5ef22979f8a67038f445746fdc7ff38
  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1.dsc
    Size/MD5 checksum:      887 0bb9a0b8fda2229aed2ea1e7755259db

Architecture independent packages:

  http://security.debian.org/pool/updates/main/o/openswan/linux-patch-openswan_2.4.6+dfsg.2-1.1+etch1_all.deb
    Size/MD5 checksum:   598920 7f24c626025d0725409fc5f282834859
  http://security.debian.org/pool/updates/main/o/openswan/openswan-modules-source_2.4.6+dfsg.2-1.1+etch1_all.deb
    Size/MD5 checksum:   525862 69a5d63858abbde46369f1178715bb23

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_alpha.deb
    Size/MD5 checksum:  1742492 a6a7ab937c9a172c74e19bf85ed5af15

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_amd64.deb
    Size/MD5 checksum:  1744812 6c1cd62d31174fce3dae9b8393594c73

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_arm.deb
    Size/MD5 checksum:  1719132 30678772efa350b67ba19b7eb5ebc4c2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_hppa.deb
    Size/MD5 checksum:  1758480 cc2108239ed20143d7dc8ead6c6cb6c0

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_i386.deb
    Size/MD5 checksum:  1712448 07a390d204baaf83a5fb4cb6745a786a

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_ia64.deb
    Size/MD5 checksum:  1930720 1c95baf380d131f78767af55841566ab

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_mips.deb
    Size/MD5 checksum:  1692214 90f1710f68414a17fb4d29168746bbed

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_mipsel.deb
    Size/MD5 checksum:  1697294 ce452a37b284bd1c49925482c4be6554

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_powerpc.deb
    Size/MD5 checksum:  1667818 786f2533b336ced17cb15b988586c224

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_s390.deb
    Size/MD5 checksum:  1671506 d8981c0fd7db865ae7a2172b7d6a4ffa

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.6+dfsg.2-1.1+etch1_sparc.deb
    Size/MD5 checksum:  1622248 f6cd4abafd3ddfdcc50ad4a346bde5cf


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1.dsc
    Size/MD5 checksum:     1315 df7cd3ea125815e36b74b98857b3d5be
  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg.orig.tar.gz
    Size/MD5 checksum:  3765276 f753413e9c705dee9a23ab8db6c26ee4
  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1.diff.gz
    Size/MD5 checksum:   127288 eaed626706af274b44a51210f8eb9d13

Architecture independent packages:

  http://security.debian.org/pool/updates/main/o/openswan/openswan-modules-source_2.4.12+dfsg-1.3+lenny1_all.deb
    Size/MD5 checksum:   544388 a26397193d910b2b469fba692760e4a2
  http://security.debian.org/pool/updates/main/o/openswan/linux-patch-openswan_2.4.12+dfsg-1.3+lenny1_all.deb
    Size/MD5 checksum:   609908 dbbd73cc5402dc1b3e1ae205546f4d9f

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_alpha.deb
    Size/MD5 checksum:  1754216 1b179d83df0d9efa17f6987e9c9501d8

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_amd64.deb
    Size/MD5 checksum:  1772492 f330caae76805540227bf51974dbd6c6

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_arm.deb
    Size/MD5 checksum:  1756426 ca71fca809dd7268ae73365bfe13fd12

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_armel.deb
    Size/MD5 checksum:  1736800 0d22e152defbd8f1c71831ac407ae34a

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_hppa.deb
    Size/MD5 checksum:  1775916 a9fc238495fe9c5c7f770d08e677639b

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_i386.deb
    Size/MD5 checksum:  1730858 3187b4ea1c4b4827e2016abb8ff44eae

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_ia64.deb
    Size/MD5 checksum:  1964194 6fbf238ebc2e1294349985fb42ccab28

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_mips.deb
    Size/MD5 checksum:  1703004 61a50f377061161973b841833752aafb

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_mipsel.deb
    Size/MD5 checksum:  1709240 a0f724d83f9435684af2aec5a2386545

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_powerpc.deb
    Size/MD5 checksum:  1710422 41aab00fccc6b17ae3d6a9a4aaccd729

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_s390.deb
    Size/MD5 checksum:  1694918 31692764017d63e6a86f595ed9366e15

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openswan/openswan_2.4.12+dfsg-1.3+lenny1_sparc.deb
    Size/MD5 checksum:  1649130 681f2aa23b6d79c5ecf0e2dec3ffbd7f


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org