exploitDog

ELSA-2024-2033

Published: 24 Apr 2024
Source: oracle-oval
Platform: Oracle Linux 9

Description

ELSA-2024-2033: libreswan security and bug fix update (MODERATE)

[4.12-1.0.1.1]

  • Add libreswan-oracle.patch to detect Oracle Linux distro

[4.12-1.1]

  • Fix CVE-2024-2357 (RHEL-29734)
  • x509: unpack IPv6 general names based on length (RHEL-32719)

[4.12-1]

  • Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
  • Resolves: rhbz#2215956

[4.9-5]

  • Just bumping up the version to include bugs for CVE-2023-2295. There is no code fix for it. Fix for it is including the code fix for CVE-2023-30570.
  • Fix CVE-2023-2295 Regression of CVE-2023-30570 fixes in the Red Hat Enterprise Linux
  • Resolves: rhbz#2189777, rhbz#2190148

[4.9-4]

  • Just bumping up the version as an incorrect 9.3 build was created.
  • Related: rhbz#2187171

[4.9-3]

  • Fix CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash libreswan
  • Resolves: rhbz#2187171

[4.9-2]

  • Fix CVE-2023-23009: remote DoS via crafted TS payload with an incorrect selector length (rhbz#2173674)

[4.9-1]

  • Update to 4.9. Resolves: rhbz#2128669
  • Switch to using %autopatch as in Fedora

Updated packages

Oracle Linux 9

Oracle Linux aarch64

  • libreswan 4.12-1.0.1.el9_3.1

Oracle Linux x86_64

  • libreswan 4.12-1.0.1.el9_3.1

Related CVEs

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 1 year ago

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.

CVSS3: 5
redhat
more than 1 year ago

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.

CVSS3: 6.5
nvd
more than 1 year ago

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.

CVSS3: 6.5
debian
more than 1 year ago

The Libreswan Project was notified of an issue causing libreswan to re ...

CVSS3: 7.5
redos
about 1 year ago

xl2tpd vulnerability