Hi Daniel, [CC added for team@s.d.o]

On Wed, Feb 22, 2023 at 07:54:47PM -0500, Daniel Kahn Gillmor wrote:
> Package: libreswan 4.9-1
> Control: found -1 4.3-1+deb11u1
> Control: found -1 4.7-1
> Control: fixed -1 4.9-2
> Control: forwarded -1 https://github.com/libreswan/libreswan/issues/954
> Control: tags -1 + security patch fixed-upstream
>
> There is a remotely-triggerable crash in libreswan, known as
> CVE-2023-23009, based on a null pointer dereference. It is apparently
> present in the versions of libreswan in bullseye, testing, and unstable
> at least.
>
> On the linked github issue, upstream says that the attached patch fixes
> the problem (though i do not have a reproducer to verify).
>
> I've applied the patch in unstable already.
>
> I'll prepare an upload for bullseye if the security team is OK with
> that. Please confirm!

Can you confirm on the following point: Is my understanding from the upstream issue discussion correct, that this requires an authenticated peer and for an authenticated peer, and then it leads to at most self-DoS'ing his own connection?

Regards,
Salvatore