|Category:||SuSE Local Security Checks|
|Title:||SUSE: Security Advisory (SUSE-SU-2020:0743-1)|
|Summary:||The remote host is missing an update for the 'strongswan' package(s) announced via the SUSE-SU-2020:0743-1 advisory.|
The remote host is missing an update for the 'strongswan' package(s) announced via the SUSE-SU-2020:0743-1 advisory.
This update for strongswan fixes the following issues:
Strongswan was updated to version 5.8.2 (jsc#SLE-11370).
Security issue fixed:
CVE-2018-6459: Fixed a DoS vulnerability in the parser for PKCS#1
RSASSA-PSS signatures that was caused by insufficient input validation
* Identity-based CA constraints, which enforce that the certificate
chain of the remote peer contains a CA certificate with a specific
identity, are supported via vici/swanctl.conf. This is similar to the
existing CA constraints but doesn't require that the CA certificate is
locally installed, for instance, intermediate CA certificates received
from the peers. Wildcard identity matching (e.g. ..., OU=Research,
CN=*) could also be used for the latter but requires trust in the
intermediate CAs to only issue certificates with legitimate subject
DNs (e.g. the 'Sales' CA must not issue certificates with
OU=Research). With the new constraint that's not necessary as long as
a path length basic constraint (--pathlen for pki --issue) prevents
intermediate CAs from issuing further intermediate CAs.
* Intermediate CA certificates may now be sent in hash-and-URL encoding
by configuring a base URL for the parent CA (#3234,
* Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and
* Random nonces sent in an OCSP requests are now expected in the
corresponding OCSP responses.
* The kernel-netlink plugin now ignores deprecated IPv6 addresses for
MOBIKE. Whether temporary
or permanent IPv6 addresses are included now depends on the
charon.prefer_temporary_addrs setting (#3192).
* Extended Sequence Numbers (ESN) are configured via PF_KEY if supported
by the kernel.
* The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now
cleared before sending requests, as many of the messages sent by the
kernel are sent as broadcasts to all PF_KEY sockets. This is an issue
if an external tool is used to manage SAs/policies unrelated to IPsec
* The vici plugin now uses unique section names for CHILD_SAs in
child-updown events (7c74ce9190).
* For individually deleted CHILD_SAs (in particular for IKEv1) the vici
child-updown event now includes more information about the CHILD_SAs
such as traffic statistics (#3198).
* Custom loggers are correctly re-registered if log levels are changed
via stroke loglevel (#3182).
* Avoid lockups during startup on low entropy systems when using OpenSSL
* Instead of failing later when setting a key, creating HMACs via
openssl plugin now fails instantly if the underlying hash algorithm
isn't supported (e.g. MD5 in FIPS-mode) so fallbacks to other plugins
work properly (#3284).
* Exponents of RSA keys read from TPM 2.0 via SAPI are correctly
co... [Please see the references for more information on the vulnerabilities]
'strongswan' package(s) on SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1, SUSE Linux Enterprise Module for Basesystem 15-SP1
Please install the updated package(s).
Common Vulnerability Exposure (CVE) ID: CVE-2018-5388|
BugTraq ID: 104263
CERT/CC vulnerability note: VU#338343
Debian Security Information: DSA-4229 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2594 (Google Search)
SuSE Security Announcement: openSUSE-SU-2019:2598 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:0403 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2018-6459
|Copyright||Copyright (C) 2021 Greenbone Networks GmbH|
|This is only one of 97459 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.