From tottiviljami at gmail.com Tue Jan 25 14:37:52 2022
From: tottiviljami at gmail.com (tiio vossi)
Date: Tue, 25 Jan 2022 15:37:52 +0200
Subject: [strongSwan-dev] About Strongswan vuln CVE-2021-45079
Message-ID:

Hi,

regarding the vulnerability CVE-2021-45079 and the blog post about it:
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html

Thanks for the detailed description of the issue. Just wanted to make sure
that I understood it correctly. The issue is only on the strongSwan client
side, right? Meaning that running a 5.9.4 server is still safe?

BR,
Totti


From tobias at strongswan.org Tue Jan 25 16:37:03 2022
From: tobias at strongswan.org (Tobias Brunner)
Date: Tue, 25 Jan 2022 16:37:03 +0100
Subject: [strongSwan-dev] About Strongswan vuln CVE-2021-45079
In-Reply-To:
References:
Message-ID: <64dcad82-6092-e5a7-5f73-9f458ea6c674@strongswan.org>

Hi Totti,

> The issue is only at Strongswan client
> side, right? Meaning that running server 5.9.4 is still safe?

That's correct. Only the EAP client implementation is affected. The patch
does update the server part of the EAP implementation; however, that's only
because it adds NOT_SUPPORTED as a valid return value for
eap_method_t::get_msk(), which is used on both client and server.

Regards,
Tobias