Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#78025 - [strongswan] 5.9.9-1: CVE-2023-26463 (authentication bypass, DoS, potentially RCE)
Attached to Project: Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 28 March 2023, 21:01 GMT
Last edited by T.J. Townsend (blakkheim) - Thursday, 18 May 2023, 16:03 GMT
Details

Strongswan 5.9.8 and 5.9.9 are affected by CVE-2023-26463, and Strongswan 5.9.10 has been published to fix the issue:

https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html

Quote: "A user publicly reported a bug related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution."

Although upstream don't seem to have formally assigned a severity to this CVE, the above description leads me to believe that "high" would be an appropriate classification.
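As an added example (not part of this bug report, and not an Arch or strongswan tool), the following POSIX sh snippet turns the affected-version information above into a check an administrator can run: it compares a strongswan package version against the range the report names (5.9.8 and 5.9.9 affected, 5.9.10 fixed). The `check_installed_strongswan` helper, which reads the installed version from `pacman -Q`, and the sample version strings are assumptions for illustration; the version-range boundaries come from the report.

```shell
# Added example: decide whether a strongswan package version falls inside the
# range this report describes as affected by CVE-2023-26463, i.e. 5.9.8 <= v < 5.9.10.
# Pure POSIX sh so it runs without Arch's vercmp(8).

# Compare two dotted, purely numeric version strings component by component.
# Prints -1, 0 or 1 (strongswan versions are numeric, so this is sufficient here).
vercmp_numeric() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        # Strip the leading component, or empty the string on the last component.
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}      # a missing component counts as 0 (5.9 == 5.9.0)
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit status 0 when VERSION (pkgver or Arch-style pkgver-pkgrel, e.g. 5.9.9-1)
# lies in [5.9.8, 5.9.10) and is therefore affected per the report; 1 otherwise.
strongswan_affected() {
    v=${1%%-*}                         # drop the Arch pkgrel suffix: 5.9.9-1 -> 5.9.9
    [ "$(vercmp_numeric "$v" 5.9.8)" -ge 0 ] &&
    [ "$(vercmp_numeric "$v" 5.9.10)" -lt 0 ]
}

# Hypothetical helper for an Arch system: `pacman -Q strongswan` prints
# "strongswan 5.9.9-1"; returns 2 if the package is not installed or pacman is absent.
check_installed_strongswan() {
    ver=$(pacman -Q strongswan 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] || return 2
    strongswan_affected "$ver"
}

# Demonstration on constructed sample versions (no pacman needed).
for sample in 5.9.7-1 5.9.8-1 5.9.9-1 5.9.10-1 5.10.0-1; do
    if strongswan_affected "$sample"; then
        echo "$sample: affected by CVE-2023-26463, upgrade to 5.9.10 or later"
    else
        echo "$sample: not in the affected range"
    fi
done
```

The numeric comparison is deliberately simple: it is correct for strongswan's three-component versions but would not order pre-release suffixes, which is why the pkgrel is stripped before comparing.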