MESSAGE
| DATE | 2005-12-20 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [NYLXS - HANGOUT] [Fwd: [suse-security-announce] SUSE Security Announcement:
|
-----Forwarded Message-----
> From: Marcus Meissner
> To: suse-security-announce-at-suse.com
> Subject: [suse-security-announce] SUSE Security Announcement: openswan,freeswan,ipsec-tools denial of service (SUSE-SA:2005:070)
> Date: Tue, 20 Dec 2005 11:25:42 +0100
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ______________________________________________________________________________
>
> SUSE Security Announcement
>
> Package: ipsec-tools,freeswan,openswan
> Announcement ID: SUSE-SA:2005:070
> Date: Tue, 20 Dec 2005 11:00:00 +0000
> Affected Products: SUSE LINUX 10.0
> SUSE LINUX 9.3
> SUSE LINUX 9.2
> SUSE LINUX 9.1
> SUSE Linux Enterprise Server 9
> Vulnerability Type: remote denial of service
> Severity (1-10): 5
> SUSE Default Package: no
> Cross-References: CVE-2005-3671, CVE-2005-3732
>
> Content of This Advisory:
> 1) Security Vulnerability Resolved:
> Internet Key Exchange v1 problems in various IPsec implementations
> Problem Description
> 2) Solution or Work-Around
> 3) Special Instructions and Notes
> 4) Package Location and Checksums
> 5) Pending Vulnerabilities, Solutions, and Work-Arounds:
> See SUSE Security Summary Report.
> 6) Authenticity Verification and Additional Information
>
> ______________________________________________________________________________
>
> 1) Problem Description and Brief Discussion
>
> Openswan, Freeswan and raccoon (ipsec-tools) have been updated to fix
> crashes in aggressive mode. An attacker might send specially crafted
> packets that can crash racoon or Pluto.
>
> The ipsec-tools / racoon crashes are tracked by the Mitre CVE ID
> CVE-2005-3732.
>
> The openswan / freeswan crashes are tracked by the Mitre CVE ID
> CVE-2005-3671.
>
> SUSE Linux Enterprise Server 8 and SUSE Linux 9.0 contain freeswan
> 1.x and seem no to be affected by this problem.
>
> 2) Solution or Work-Around
>
> There is no known workaround, please install the update packages.
>
> 3) Special Instructions and Notes
>
> Please close and restart all running instances of openswan, freeswan
> or racoon after the update.
>
> 4) Package Location and Checksums
>
> The preferred method for installing security updates is to use the YaST
> Online Update (YOU) tool. YOU detects which updates are required and
> automatically performs the necessary steps to verify and install them.
> Alternatively, download the update packages for your distribution manually
> and verify their integrity by the methods listed in Section 6 of this
> announcement. Then install the packages using the command
>
> rpm -Fhv
>
> to apply the update, replacing with the filename of the
> downloaded RPM package.
>
>
> x86 Platform:
>
> SUSE LINUX 10.0:
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/ipsec-tools-0.6-4.2.i586.rpm
> f82b5941ca8143a7f81315f2309c28e9
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openswan-2.4.4-1.1.i586.rpm
> 9d2318b4da837ae3175547ba261235c5
>
> SUSE LINUX 9.3:
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/ipsec-tools-0.5-5.2.i586.rpm
> 57b586b7aaa612c6250a8b037afe9335
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openswan-2.2.0-12.4.i586.rpm
> 6c152ba37641677fc4c59c44199a9225
>
> SUSE LINUX 9.2:
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/ipsec-tools-0.4rc1-3.4.i586.rpm
> ca1ffa39b311744976bc9754f003c71f
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openswan-2.2.0-8.4.i586.rpm
> 88dedfd8ad12456158b0f60d0a4714f4
>
> SUSE LINUX 9.1:
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/freeswan-2.04_1.5.4-1.23.i586.rpm
> 64b2fc324586f4af0060b8dd0c6597eb
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ipsec-tools-0.3.3-1.9.i586.rpm
> c523ed28073d5d76a1468763cc3820ea
>
> Power PC Platform:
>
> SUSE LINUX 10.0:
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/ipsec-tools-0.6-4.2.ppc.rpm
> fc12c770db47d6a51b7cfc7e92b0f003
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/openswan-2.4.4-1.1.ppc.rpm
> 6a0c80ce5f3a489221e605ea7ee724d5
>
> x86-64 Platform:
>
> SUSE LINUX 10.0:
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/ipsec-tools-0.6-4.2.x86_64.rpm
> 7550e022c5557841a06c6334d1a2632c
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/openswan-2.4.4-1.1.x86_64.rpm
> b25da775ec60a014febb111179a42e91
>
> SUSE LINUX 9.3:
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/ipsec-tools-0.5-5.2.x86_64.rpm
> 8ee673f4f3386e6e0a5ea123cad19064
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/openswan-2.2.0-12.4.x86_64.rpm
> b65ee8de2eae744f40b7d33ae912995c
>
> SUSE LINUX 9.2:
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/ipsec-tools-0.4rc1-3.4.x86_64.rpm
> 8e4f8794e3f8322b4b5c301d964cfabd
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/openswan-2.2.0-8.4.x86_64.rpm
> 30af3b8e87fe2018ae2b4a1a884887e2
>
> SUSE LINUX 9.1:
> ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/freeswan-2.04_1.5.4-1.23.x86_64.rpm
> dbdf3e6c1d45a0e42f0facfd78edc29c
> ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/ipsec-tools-0.3.3-1.9.x86_64.rpm
> bcf17a5cd915276de386e8181c87ec99
>
> Sources:
>
> SUSE LINUX 10.0:
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/ipsec-tools-0.6-4.2.src.rpm
> 6ecfb0963c478d0962fad9146110466c
> ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/openswan-2.4.4-1.1.src.rpm
> e8f841c893e062f2e378eb269ba7d128
>
> SUSE LINUX 9.3:
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/ipsec-tools-0.5-5.2.src.rpm
> 0944add00587f50f20c5f7a38fac5b4f
> ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/openswan-2.2.0-12.4.src.rpm
> 5d89968ca8f4b1718f0018c8c466ddf9
>
> SUSE LINUX 9.2:
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/ipsec-tools-0.4rc1-3.4.src.rpm
> 26d12b6a99b2723272a74f402ba4ff58
> ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/openswan-2.2.0-8.4.src.rpm
> f097a1113a838a007c586c72bb7e43a2
>
> SUSE LINUX 9.1:
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/freeswan-2.04_1.5.4-1.23.src.rpm
> 362067f9c39a902c433af5f998b4eecf
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/ipsec-tools-0.3.3-1.9.src.rpm
> b7443b44f2ee6cab65f214e6e983f113
> ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/freeswan-2.04_1.5.4-1.23.src.rpm
> 95d18a7cf39acaabb747edfc7b5411cd
> ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/ipsec-tools-0.3.3-1.9.src.rpm
> 517f4afbe1f3d1b3ad554582d4463bb2
>
> Our maintenance customers are notified individually. The packages are
> offered for installation from the maintenance web:
>
> http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9f8549c0fdb4c32ce15be24ba50f632b.html
> http://portal.suse.com/psdb/9f8549c0fdb4c32ce15be24ba50f632b.html
> http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/b009511f6a95df19e9a44b526dd24358.html
> http://portal.suse.com/psdb/b009511f6a95df19e9a44b526dd24358.html
>
> ______________________________________________________________________________
>
> 5) Pending Vulnerabilities, Solutions, and Work-Arounds:
>
> none
> ______________________________________________________________________________
>
> 6) Authenticity Verification and Additional Information
>
> - Announcement authenticity verification:
>
> SUSE security announcements are published via mailing lists and on Web
> sites. The authenticity and integrity of a SUSE security announcement is
> guaranteed by a cryptographic signature in each announcement. All SUSE
> security announcements are published with a valid signature.
>
> To verify the signature of the announcement, save it as text into a file
> and run the command
>
> gpg --verify
>
> replacing with the name of the file where you saved the
> announcement. The output for a valid signature looks like:
>
> gpg: Signature made using RSA key ID 3D25D3D9
> gpg: Good signature from "SuSE Security Team "
>
> where is replaced by the date the document was signed.
>
> If the security team's key is not contained in your key ring, you can
> import it from the first installation CD. To import the key, use the
> command
>
> gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
>
> - Package authenticity verification:
>
> SUSE update packages are available on many mirror FTP servers all over the
> world. While this service is considered valuable and important to the free
> and open source software community, the authenticity and the integrity of
> a package needs to be verified to ensure that it has not been tampered
> with.
>
> There are two verification methods that can be used independently from
> each other to prove the authenticity of a downloaded file or RPM package:
>
> 1) Using the internal gpg signatures of the rpm package
> 2) MD5 checksums as provided in this announcement
>
> 1) The internal rpm package signatures provide an easy way to verify the
> authenticity of an RPM package. Use the command
>
> rpm -v --checksig
>
> to verify the signature of the package, replacing with the
> filename of the RPM package downloaded. The package is unmodified if it
> contains a valid signature from build-at-suse.de with the key ID 9C800ACA.
>
> This key is automatically imported into the RPM database (on
> RPMv4-based distributions) and the gpg key ring of 'root' during
> installation. You can also find it on the first installation CD and at
> the end of this announcement.
>
> 2) If you need an alternative means of verification, use the md5sum
> command to verify the authenticity of the packages. Execute the command
>
> md5sum
>
> after you downloaded the file from a SUSE FTP server or its mirrors.
> Then compare the resulting md5sum with the one that is listed in the
> SUSE security announcement. Because the announcement containing the
> checksums is cryptographically signed (by security-at-suse.de), the
> checksums show proof of the authenticity of the package if the
> signature of the announcement is valid. Note that the md5 sums
> published in the SUSE Security Announcements are valid for the
> respective packages only. Newer versions of these packages cannot be
> verified.
>
> - SUSE runs two security mailing lists to which any interested party may
> subscribe:
>
> suse-security-at-suse.com
> - General Linux and SUSE security discussion.
> All SUSE security announcements are sent to this list.
> To subscribe, send an e-mail to
> .
>
> suse-security-announce-at-suse.com
> - SUSE's announce-only mailing list.
> Only SUSE's security announcements are sent to this list.
> To subscribe, send an e-mail to
> .
>
> For general information or the frequently asked questions (FAQ),
> send mail to or
> .
>
> =====================================================================
> SUSE's security contact is or .
> The public key is listed below.
> =====================================================================
> ______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In particular, the
> clear text signature should show proof of the authenticity of the text.
>
> SUSE Linux Products GmbH provides no warranties of any kind whatsoever
> with respect to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
> 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
> M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
> QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
> XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
> D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
> G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
> CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
> myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
> YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
> wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
> NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
> QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
> LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
> XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
> D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
> 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
> 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
> cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
> ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
> AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
> Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
> HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
> t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
> tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
> 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
> 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
> QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
> JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
> 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
> ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
> wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
> EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
> 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
> CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
> SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
> omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
> A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
> /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
> GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
> ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
> ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
> RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
> 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
> B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
> 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
> 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
> qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
> WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
> hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
> BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
> AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
> RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
> zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
> /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
> whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
> D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
> dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
> RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
> DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
> =LRKC
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iQEVAwUBQ6fbyHey5gA9JdPZAQKFpAf/UFb+/A6Rz6FPhCW1qO7a01mnnJRhL+WA
> hRh8vFHu6Ct0XpjWwRLcbkDRmaFifiLfuYAcJU6PpgNlB1DGlxfNigBhK17TBMQD
> DlAbLYIGdLDxXx5ZcT1I2Uza9REY7htJp8JvXwv0qXXibxdmMCXf62hDcc3UCxfR
> uNxML6AkjQaPLzVC5NKDIa10PHE7Tj6JWh3qKPzkVMhtoB1rTdp/7t0fTaF/btJQ
> OAtLshFIHTUwWFQy3Omjsb87vxKXzgQviUIpEfJChAw+jmN2ejDq8ZyiviRjTant
> pn57z0Uw7cv8YlWMWZroV7bR6Bs+ouK+oFb1Q4CwcYFuUbcVat8Tsw==
> =q68S
> -----END PGP SIGNATURE-----
|
|
