update strongswan-ikev2 package for ubuntu xenial

Bug #1776857 reported by Lars
This bug affects 3 people
Affects: strongswan (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Update strongswan-ikev2 package to latest stable release 5.6.3, or backport mentioned security and bug fixes.

[Impact]
 * Several security vulnerabilities have been fixed
   * CVE-2018-6459: Insufficient Input Validation in RSASSA-PSS Signature Parser. For more details see: https://strongswan.org/blog/2018/02/19/strongswan-vulnerability-(cve-2018-6459).html
   * CVE-2018-5388: Insufficient Input Validation in stroke Plugin. For more details see: https://strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-5388).html
   * CVE-2018-10811: Missing Initialization of a Variable in IKEv2 Key Derivation. For more details see: https://strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-10811).html
 * Packet loss during IKEv2 CHILD_SA rekeying: https://wiki.strongswan.org/issues/1291

[Test Case]

 * Consult links above for detailed information.

[Regression Potential]

 * No regression expected: the requested changes consist of the three CVE security fixes listed above and one bug fix.

[Other Info]

 * n/a

----
# lsb_release -rd
Description: Ubuntu 16.04.4 LTS
Release: 16.04

# apt-cache policy strongswan-ikev2
strongswan-ikev2:
  Installed: 5.3.5-1ubuntu3.5
  Candidate: 5.3.5-1ubuntu3.5

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in strongswan (Ubuntu):
status: New → Confirmed
Christian Ehrhardt (paelzer) wrote :

Two of the three are already tracked at https://people.canonical.com/~ubuntu-security/cve/pkg/strongswan.html it seems.
I'll subscribe the security Team to evaluate and comment here.

do3meli (d-info-e) wrote :

I am also affected by packet loss during IKEv2 CHILD_SA rekeying [1] and would like to see [2] backported to xenial in addition to the CVE fixes.

[1] https://wiki.strongswan.org/issues/1291
[2] https://github.com/strongswan/strongswan/commit/f8eb636e

Dani (dan1el1) wrote :

Bump, we would also welcome an update to 5.6.3 for the reasons listed above.

Simon Déziel (sdeziel) wrote :

Marking as fix released as Ubuntu Focal shipped with strongswan 5.8.2 (> 5.6.3). All supported releases also got the mentioned CVEs fixed.

Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released