Security update for strongswan SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1473-1 Final 1 1 2017-06-01T11:13:01Z current 2017-06-01T11:13:01Z 2017-06-01T11:13:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for strongswan This update for strongswan fixes the following issues: - CVE-2017-9022: Insufficient Input Validation in gmp Plugin leads to Denial of service (bsc#1039514) - CVE-2017-9023: Incorrect x509 ASN.1 parser error handling could lead to Denial of service (bsc#1039515) - IKEv1 protocol is vulnerable to DoS amplification attack (bsc#985012) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP2-2017-906,SUSE-SLE-RPI-12-SP2-2017-906,SUSE-SLE-SERVER-12-SP2-2017-906 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171473-1/ Link for SUSE-SU-2017:1473-1 https://lists.suse.com/pipermail/sle-security-updates/2017-June/002934.html E-Mail link for SUSE-SU-2017:1473-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1039514 SUSE Bug 1039514 https://bugzilla.suse.com/1039515 SUSE Bug 1039515 https://bugzilla.suse.com/985012 SUSE Bug 985012 https://www.suse.com/security/cve/CVE-2017-9022/ SUSE CVE CVE-2017-9022 page https://www.suse.com/security/cve/CVE-2017-9023/ SUSE CVE CVE-2017-9023 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 strongswan-5.1.3-25.1 strongswan-doc-5.1.3-25.1 strongswan-ipsec-5.1.3-25.1 strongswan-libs0-5.1.3-25.1 strongswan-hmac-5.1.3-25.1 strongswan-5.1.3-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 strongswan-doc-5.1.3-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 strongswan-ipsec-5.1.3-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 strongswan-libs0-5.1.3-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 strongswan-5.1.3-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 strongswan-doc-5.1.3-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 strongswan-hmac-5.1.3-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 strongswan-ipsec-5.1.3-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 strongswan-libs0-5.1.3-25.1 as a component of SUSE Linux Enterprise Server 12 SP2 strongswan-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 strongswan-doc-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 strongswan-hmac-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 strongswan-ipsec-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 strongswan-libs0-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 strongswan-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 strongswan-doc-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 strongswan-hmac-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 strongswan-ipsec-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 strongswan-libs0-5.1.3-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which allows remote peers to cause a denial of service (floating point exception and process crash) via a crafted certificate. CVE-2017-9022 SUSE Linux Enterprise Desktop 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-libs0-5.1.3-25.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171473-1/ https://www.suse.com/security/cve/CVE-2017-9022.html CVE-2017-9022 https://bugzilla.suse.com/1039514 SUSE Bug 1039514 The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate. CVE-2017-9023 SUSE Linux Enterprise Desktop 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Desktop 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:strongswan-libs0-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-doc-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-hmac-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-ipsec-5.1.3-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:strongswan-libs0-5.1.3-25.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171473-1/ https://www.suse.com/security/cve/CVE-2017-9023.html CVE-2017-9023 https://bugzilla.suse.com/1039515 SUSE Bug 1039515