From tottiviljami at gmail.com  Tue Jan 25 14:37:52 2022
From: tottiviljami at gmail.com (tiio vossi)
Date: Tue, 25 Jan 2022 15:37:52 +0200
Subject: [strongSwan-dev] About Strongswan vuln CVE-2021-45079
Message-ID: <CAFVbLLHyeWz6AiaD1md5_Q8maxHAxVt-+P_r-JSoAk_Cwh+VrA@mail.gmail.com>

Hi,

regarding the vulnerability CVE-2021-45079 and blog post regarding that:
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html

Thanks for detailed descriptio of the issue. Just wanted to make sure that
I understood it correctly. The issue is only at Strongswan client side,
right? Meaning that running server 5.9.4 is still safe?

BR,
Totti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20220125/8563f206/attachment.html>

From tobias at strongswan.org  Tue Jan 25 16:37:03 2022
From: tobias at strongswan.org (Tobias Brunner)
Date: Tue, 25 Jan 2022 16:37:03 +0100
Subject: [strongSwan-dev] About Strongswan vuln CVE-2021-45079
In-Reply-To: <CAFVbLLHyeWz6AiaD1md5_Q8maxHAxVt-+P_r-JSoAk_Cwh+VrA@mail.gmail.com>
References: <CAFVbLLHyeWz6AiaD1md5_Q8maxHAxVt-+P_r-JSoAk_Cwh+VrA@mail.gmail.com>
Message-ID: <64dcad82-6092-e5a7-5f73-9f458ea6c674@strongswan.org>

Hi Totti,

> The issue is only at Strongswan client 
> side, right? Meaning that running server 5.9.4 is still safe?

That's correct.  Only the EAP client implementation is affected.

The patch does update the server part of the EAP implementation, 
however, that's only because it adds NOT_SUPPORTED as valid return value 
for eap_method_t::get_msk(), which is used on both client and server.

Regards,
Tobias