[strongSwan] Queries on vulnerability fixes
Bhatt, Rakshesh 1. (Nokia - IN/Bangalore)
rakshesh.1.bhatt at nokia.com
Wed Mar 11 13:51:39 CET 2015
Hi,
We are using strongswan version 4.2.8 (ikev2) in our product.
We are trying to check for the fixes provided by strongswan for the below vulnerabilities -
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2185
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2661
As per the description of vulnerabilities in above links, the vulnerability is only applicable and will lead to crash in pluto IKE daemon alone. Charon is not mentioned.
We understood that the fix provided for this is @ links -
http://download.strongswan.org/patches/05_asn1_rdn_patch/strongswan-4.x.x_asn1_rdn.patch
http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.x.x_asn1_length.patch
But as per the details in this fix, the changes are present in files - pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c.
We are assuming that these 2 files libstrongswan/asn1/asn1.c & libstrongswan/asn1/asn1_parser.c could be used by charon ( ikev2).
In which case, this vulnerability should also be applicable for charon as well. Is that not the case. ?
The background is that we do not run Pluto is our product, but we use charon. So, in that case, we are trying to check if we still have to take this fix.
Can you please confirm on this ?
Regards,
Rakshesh
More information about the Users
mailing list