
[Tech ARP] The Computex Taipei 2017 Live Coverage (Day 3)


 

Package : strongswan
Version : 4.5.2-1.5+deb7u9
CVE ID  : CVE-2017-9022 CVE-2017-9023

 

Two denial of service vulnerabilities were identified in strongSwan, an
IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project.

 

CVE-2017-9022

RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception and crash of the process.
A certificate with an appropriately prepared public key sent by a peer
could be used for a denial-of-service attack.

 

CVE-2017-9023

ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This could
lead to infinite looping of the thread parsing a specifically crafted
certificate.

 

For Debian 7 "Wheezy", these problems have been fixed in version
4.5.2-1.5+deb7u9.

 

We recommend that you upgrade your strongswan packages.

 

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

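An added example (not strongSwan's or Debian's code) of validating a peer-supplied RSA public key before the verification arithmetic runs, the class of check CVE-2017-9022 concerns. The individual checks, the 2048-bit floor, the sample values and the names `validate_rsa_public_key`, `rsavp1` and `check_peer_key` are assumptions of this example; the advisory does not say which checks the fix added.

```python
"""Added example: reject degenerate RSA public keys before verification."""

MIN_MODULUS_BITS = 2048  # assumed policy floor, not taken from the advisory


class InvalidKey(ValueError):
    """The peer-supplied (n, e) pair must not reach the verification math."""


def validate_rsa_public_key(n, e, min_bits=MIN_MODULUS_BITS):
    # Generic RSA parameter hygiene (an assumption of this example).
    if n <= 0 or e <= 0:
        raise InvalidKey("modulus and exponent must be positive")
    if n % 2 == 0:
        raise InvalidKey("modulus must be odd")
    if n.bit_length() < min_bits:
        raise InvalidKey("modulus shorter than policy minimum")
    if e < 3 or e % 2 == 0:
        raise InvalidKey("exponent must be odd and at least 3")
    if e >= n:
        raise InvalidKey("exponent must be smaller than the modulus")


def rsavp1(n, e, signature):
    """RSA verification primitive (s^e mod n), run only on a validated key."""
    validate_rsa_public_key(n, e)
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        raise ValueError("signature representative out of range")
    return pow(s, e, n).to_bytes(k, "big")


def check_peer_key(n, e):
    """Turn a bad key into an authentication failure instead of a crash."""
    try:
        validate_rsa_public_key(n, e)
    except InvalidKey as exc:
        return False, str(exc)
    return True, "ok"


# Constructed parameters (not real keys): one plausible pair, three degenerate.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_KEYS = {"plausible": (SAMPLE_N, 65537), "zero modulus": (0, 65537),
               "even modulus": (SAMPLE_N + 1, 65537), "zero exponent": (SAMPLE_N, 0)}

if __name__ == "__main__":
    for label, (n, e) in SAMPLE_KEYS.items():
        print(label, check_peer_key(n, e))
```

Python's `pow` raises `ValueError` on a zero modulus; the point of validating first is that the failure becomes a rejected certificate rather than an error inside the arithmetic.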

 

 

 

 
