| 2018-09-17 22:32:58 |
rdratlos |
bug |
|
|
added bug |
| 2018-09-18 00:15:39 |
rdratlos |
cve linked |
|
2016-10396 |
|
| 2018-10-01 15:15:58 |
Andreas Hasenack |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 |
|
| 2018-10-01 15:15:58 |
Andreas Hasenack |
bug task added |
|
ipsec-tools (Debian) |
|
| 2018-10-01 17:30:17 |
Andreas Hasenack |
ipsec-tools (Ubuntu): status |
New |
Incomplete |
|
| 2018-10-02 09:09:36 |
rdratlos |
attachment added |
|
0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1793028/+attachment/5195734/+files/0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch |
|
| 2018-10-02 12:23:55 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2018-10-02 12:24:01 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2018-10-03 15:14:48 |
rdratlos |
attachment added |
|
Updated patch for NetBSD CVE Patch https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1793028/+attachment/5196686/+files/0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch |
|
| 2018-10-04 15:09:18 |
Robie Basak |
tags |
patch |
patch server-next |
|
| 2018-10-09 19:07:44 |
Andreas Hasenack |
ipsec-tools (Ubuntu): status |
Incomplete |
Triaged |
|
| 2018-10-09 19:07:48 |
Andreas Hasenack |
ipsec-tools (Ubuntu): importance |
Undecided |
Medium |
|
| 2018-10-09 19:07:56 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Server |
| 2018-11-08 01:42:21 |
Bug Watch Updater |
ipsec-tools (Debian): status |
Unknown |
Fix Released |
|
| 2018-11-09 07:30:01 |
Christian Ehrhardt |
bug |
|
|
added subscriber Marc Deslauriers |
| 2018-11-09 07:30:11 |
Christian Ehrhardt |
bug |
|
|
added subscriber Jamie Strandboge |
| 2018-11-09 07:39:15 |
Christian Ehrhardt |
bug |
|
|
added subscriber Christian Ehrhardt |
| 2018-11-09 07:40:52 |
Christian Ehrhardt |
tags |
patch server-next |
patch regression-update server-next |
|
| 2019-05-18 02:56:53 |
Mathew Hodson |
tags |
patch regression-update server-next |
patch regression-release server-next |
|
| 2019-05-18 03:00:37 |
Mathew Hodson |
affects |
ipsec-tools (Debian) |
debian |
|
| 2019-05-18 03:00:37 |
Mathew Hodson |
debian: importance |
Unknown |
Undecided |
|
| 2019-05-18 03:00:37 |
Mathew Hodson |
debian: status |
Fix Released |
New |
|
| 2019-05-18 03:00:37 |
Mathew Hodson |
debian: remote watch |
Debian Bug tracker #867986 |
|
|
| 2019-05-18 03:00:52 |
Mathew Hodson |
affects |
debian |
ubuntu |
|
| 2019-05-18 03:01:01 |
Mathew Hodson |
bug task deleted |
ubuntu |
|
|
| 2019-05-18 03:01:11 |
Mathew Hodson |
bug watch removed |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 |
|
|
| 2019-06-03 16:15:46 |
Bryce Harrington |
summary |
NetBSD CVE Patch Regression |
[SRU] NetBSD CVE Patch Regression |
|
| 2019-06-08 02:24:07 |
Bryce Harrington |
description |
After upgrade racoon from 1:0.8.2+20140711-5 to 1:0.8.2+20140711-10build1 Apple iPhones, which use a racoon client cannot connect to the racoon VPN on the Ubuntu server. Following log entries outline the failure:
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.
A brief check of the upstream activities shows, that maintainers switched to panic mode because of CVE-2016-10396 and provided a rough patch without support of the ipsec-tools project and without the ability to perform sufficient regression tests.
As Debian as well as NetBSD maintainers already have expressed their general concerns about this patch, there really seems to be a severe issue.
Further evidences can be provided but as the topic is pretty complicated detailed guidance is required. |
[Impact]
TBD
[Test Case]
TBD
[Regression Potential]
[Fix]
[Discussion]
[Original Report]
After upgrade racoon from 1:0.8.2+20140711-5 to 1:0.8.2+20140711-10build1 Apple iPhones, which use a racoon client cannot connect to the racoon VPN on the Ubuntu server. Following log entries outline the failure:
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.
A brief check of the upstream activities shows, that maintainers switched to panic mode because of CVE-2016-10396 and provided a rough patch without support of the ipsec-tools project and without the ability to perform sufficient regression tests.
As Debian as well as NetBSD maintainers already have expressed their general concerns about this patch, there really seems to be a severe issue.
Further evidences can be provided but as the topic is pretty complicated detailed guidance is required. |
|
| 2019-09-19 13:12:56 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Disco |
|
| 2019-09-19 13:12:56 |
Christian Ehrhardt |
bug task added |
|
ipsec-tools (Ubuntu Disco) |
|
| 2019-09-19 13:12:56 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-09-19 13:12:56 |
Christian Ehrhardt |
bug task added |
|
ipsec-tools (Ubuntu Bionic) |
|
| 2019-09-19 13:13:10 |
Christian Ehrhardt |
ipsec-tools (Ubuntu Bionic): importance |
Undecided |
Low |
|
| 2019-09-19 13:13:14 |
Christian Ehrhardt |
ipsec-tools (Ubuntu Disco): importance |
Undecided |
Low |
|
| 2019-09-19 13:13:18 |
Christian Ehrhardt |
ipsec-tools (Ubuntu Bionic): status |
New |
Triaged |
|
| 2019-09-19 13:13:22 |
Christian Ehrhardt |
ipsec-tools (Ubuntu Disco): status |
New |
Triaged |
|
| 2019-09-19 13:13:59 |
Christian Ehrhardt |
ipsec-tools (Ubuntu): status |
Triaged |
Invalid |
|
| 2019-09-19 13:14:58 |
Christian Ehrhardt |
tags |
patch regression-release server-next |
patch regression-release |
|
| 2019-09-19 13:15:38 |
Christian Ehrhardt |
removed subscriber Ubuntu Server |
|
|
|
| 2020-07-02 19:55:07 |
Steve Langasek |
ipsec-tools (Ubuntu Disco): status |
Triaged |
Won't Fix |
|
