Message-ID: <20081014125400.GG17682@suse.de>
Date: Tue, 14 Oct 2008 14:54:00 +0200
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: CVE request: strongswan denial-of-service
Hi,
our maintainer of strongswan found this:
See also http://download.strongswan.org/CHANGES4.txt
"[...]
strongswan-4.2.7
----------------
- Fixed a Denial-of-Service vulnerability where an IKE_SA_INIT message with
a KE payload containing zeroes only can cause a crash of the IKEv2 charon
daemon due to a NULL pointer returned by the mpz_export() function of the
GNU Multiprecision Library (GMP). Thanks go to Mu Dynamics Research Labs
for making us aware of this problem.
[...]"
patch: http://trac.strongswan.org/changeset/4345
--
Bye,
Thomas
--
Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Hamming's Motto:
The purpose of computing is insight, not numbers.
-- Richard W. Hamming
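
The kind of input check the quoted CHANGES entry motivates, as an added example that is not part of the original message and is not strongSwan's patch: it validates an IKEv2 KE payload (layout per RFC 7296, section 3.4) and rejects an all-zero public value before any bignum code sees it. The names ke_payload_check and ke_status are hypothetical, and the sample payloads are constructed with a shortened 4-byte value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the hypothetical validator below. */
enum ke_status { KE_OK = 0, KE_TRUNCATED, KE_BAD_LENGTH, KE_ZERO_VALUE };

#define KE_HEADER_LEN 8 /* 4-byte generic header + DH group (2) + reserved (2) */

/*
 * Validate one IKEv2 Key Exchange payload before its data is handed to
 * bignum code. expected_len is the public value size of the negotiated
 * DH group, e.g. 256 bytes for a 2048-bit MODP group.
 */
enum ke_status ke_payload_check(const uint8_t *buf, size_t buf_len,
                                size_t expected_len, uint16_t *group)
{
    if (buf == NULL || buf_len < KE_HEADER_LEN)
        return KE_TRUNCATED;

    /* Payload Length is big-endian and counts the header bytes too. */
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];
    if (payload_len < KE_HEADER_LEN || payload_len > buf_len)
        return KE_TRUNCATED;
    if (expected_len == 0 || payload_len - KE_HEADER_LEN != expected_len)
        return KE_BAD_LENGTH;

    if (group != NULL)
        *group = (uint16_t)((buf[4] << 8) | buf[5]);

    /* OR all bytes together: the result is 0 only for an all-zero value. */
    uint8_t acc = 0;
    for (size_t i = 0; i < expected_len; i++)
        acc |= buf[KE_HEADER_LEN + i];
    return acc == 0 ? KE_ZERO_VALUE : KE_OK;
}

int main(void)
{
    /* Constructed samples: DH group 14 header, 4-byte key exchange data. */
    uint8_t zero[12] = {0x00, 0x00, 0x00, 0x0c, 0x00, 0x0e, 0x00, 0x00};
    uint8_t good[12] = {0x00, 0x00, 0x00, 0x0c, 0x00, 0x0e, 0x00, 0x00,
                        0x00, 0x00, 0x00, 0x02};
    uint16_t g = 0;
    printf("zero: %d\n", ke_payload_check(zero, sizeof zero, 4, &g));
    printf("good: %d group %u\n", ke_payload_check(good, sizeof good, 4, &g), g);
    return 0;
}
```

Independently of such a check, code that calls mpz_export() should treat a NULL return as a possible outcome rather than dereferencing the result.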