Last week, Mozilla released a security advisory regarding an NSS crypto library memory corruption bug:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

Libreswan uses the NSS library and is vulnerable to this memory corruption bug. While it is not trivial to exploit, the Libreswan Team cannot rule out that exploitation could lead to an attacker gaining Remote Code Execution on servers running libreswan. No authentication credentials are required to trigger the bug.

The vulnerability is triggered by a malicious X.509 certificate signature, but even connections that do not use certificates and use authby=secret (PSK) are still vulnerable, because connections might still attempt to process certificate payloads before switching to a better connection, or to obtain a better ID of the remote peer.

There is no workaround for libreswan itself. Please upgrade to NSS version 3.73 or look at the security updates for your Operating System that address CVE-2021-43527.

_______________________________________________
Swan-announce mailing list
swan-annou...@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-announce
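
One way to act on the upgrade advice above, as an added example that is not from the Libreswan or Mozilla advisories: a shell check that compares the installed NSS version with 3.73 and flags anything older for a backport check. The function names and the package names `nss` and `libnss3` are assumptions.

```shell
# Added example: classify an NSS version against the 3.73 release named in
# the advisory. Function and package names (nss, libnss3) are assumptions.
FIXED_UPSTREAM="3.73"

# Keep only the upstream dotted version: drop a Debian epoch ("2:"), a
# package revision ("-1+deb11u1") and any trailing non-numeric suffix.
upstream_version() {
    printf '%s\n' "$1" | head -n 1 |
        sed -e 's/^[0-9]*://' -e 's/-.*$//' -e 's/[^0-9.].*$//'
}

# version_ge A B: succeed if A >= B, comparing dotted components
# numerically (a plain string compare would rank 3.9 above 3.73).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# A version below 3.73 is not proof of exposure: distributions backport the
# fix, so confirm in the package changelog, for example:
#   rpm -q --changelog nss | grep CVE-2021-43527
#   zgrep CVE-2021-43527 /usr/share/doc/libnss3/changelog.Debian.gz
nss_status() {
    v=$(upstream_version "$1")
    if [ -z "$v" ]; then echo "unknown"
    elif version_ge "$v" "$FIXED_UPSTREAM"; then echo "fixed-upstream"
    else echo "check-backport"
    fi
}

# Ask whichever tool is present for the installed NSS version.
detect_nss_version() {
    nss-config --version 2>/dev/null && return
    rpm -q nss >/dev/null 2>&1 && { rpm -q --qf '%{VERSION}\n' nss; return; }
    dpkg-query -W -f='${Version}\n' libnss3 2>/dev/null
}

found=$(detect_nss_version) || true
echo "NSS ${found:-not found}: $(nss_status "$found")"
```

Restart the libreswan service after the NSS update so the running pluto daemon loads the patched library.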