Security update for strongswan SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:3469-1 Final 1 1 2021-10-19T13:45:21Z current 2021-10-19T13:45:21Z 2021-10-19T13:45:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for strongswan This update for strongswan fixes the following issues: - Fix trailing quotation mark missing from example in README. (bsc#1167880) - CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435) - CVE-2021-41990: Fixed an integer Overflow in the gmp Plugin. (bsc#1191367) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3469,SUSE-SLE-Product-HPC-15-2021-3469,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3469,SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3469,SUSE-SLE-Product-SLES-15-2021-3469,SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3469,SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3469,SUSE-SLE-Product-SLES_SAP-15-2021-3469,SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3469,SUSE-Storage-6-2021-3469 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20213469-1/ Link for SUSE-SU-2021:3469-1 https://lists.suse.com/pipermail/sle-security-updates/2021-October/009614.html E-Mail link for SUSE-SU-2021:3469-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167880 SUSE Bug 1167880 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 https://bugzilla.suse.com/1191435 SUSE Bug 1191435 https://www.suse.com/security/cve/CVE-2021-41990/ SUSE CVE CVE-2021-41990 page https://www.suse.com/security/cve/CVE-2021-41991/ SUSE CVE CVE-2021-41991 page SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise Server 15 SP1-BCL SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 strongswan-5.8.2-4.14.2 strongswan-doc-5.8.2-4.14.2 strongswan-hmac-5.8.2-4.14.2 strongswan-ipsec-5.8.2-4.14.2 strongswan-libs0-5.8.2-4.14.2 strongswan-mysql-5.8.2-4.14.2 strongswan-nm-5.8.2-4.14.2 strongswan-sqlite-5.8.2-4.14.2 strongswan-5.8.2-4.14.2 as a component of SUSE Enterprise Storage 6 strongswan-doc-5.8.2-4.14.2 as a component of SUSE Enterprise Storage 6 strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Enterprise Storage 6 strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Enterprise Storage 6 strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Enterprise Storage 6 strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-BCL strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15-LTSS strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15-LTSS strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15-LTSS strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15-LTSS strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server 15-LTSS strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 strongswan-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 strongswan-doc-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 strongswan-hmac-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 strongswan-ipsec-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 strongswan-libs0-5.8.2-4.14.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur. CVE-2021-41990 SUSE Enterprise Storage 6:strongswan-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-doc-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-hmac-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-ipsec-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-libs0-5.8.2-4.14.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213469-1/ https://www.suse.com/security/cve/CVE-2021-41990.html CVE-2021-41990 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. CVE-2021-41991 SUSE Enterprise Storage 6:strongswan-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-doc-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-hmac-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-ipsec-5.8.2-4.14.2 SUSE Enterprise Storage 6:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-ESPOS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise High Performance Computing 15-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-BCL:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15 SP1-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server 15-LTSS:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1:strongswan-libs0-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-doc-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-hmac-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-ipsec-5.8.2-4.14.2 SUSE Linux Enterprise Server for SAP Applications 15:strongswan-libs0-5.8.2-4.14.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20213469-1/ https://www.suse.com/security/cve/CVE-2021-41991.html CVE-2021-41991 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 https://bugzilla.suse.com/1191435 SUSE Bug 1191435 https://bugzilla.suse.com/1192640 SUSE Bug 1192640