[strongSwan] Queries on vulnerability fixes

Martin Willi martin at strongswan.org
Thu Mar 12 17:04:49 CET 2015


Hi,

> As per the description of vulnerabilities in above links, the
> vulnerability is only applicable and will lead to crash in pluto IKE
> daemon alone. Charon is not mentioned.

You should apply these fixes even if using charon only; the
libstrongswan code is used by charon. Not sure where this CVE text
exactly comes from; our patch notes [1] mention both pluto and charon.

> We understood that the fix provided for this is @ links 
> http://download.strongswan.org/patches/05_asn1_rdn_patch/strongswan-4.x.x_asn1_rdn.patch
> http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.x.x_asn1_length.patch
> 
You shouldn't miss 06_asn1_time_patch [2]. Also, you may have a look at
the security directory [3] to find patches by CVE.

Regards
Martin

[1] http://download.strongswan.org/security/CVE-2009-2185a/strongswan-4.x.x_asn1_rdn.readme
[2] http://download.strongswan.org/patches/06_asn1_time_patch/
[3] http://download.strongswan.org/security/


