strongswan-5.9.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11655 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z strongswan-5.9.4-1.1 on GA media These are all security issues fixed in the strongswan-5.9.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11655 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11655 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-41990/ SUSE CVE CVE-2021-41990 page https://www.suse.com/security/cve/CVE-2021-41991/ SUSE CVE CVE-2021-41991 page openSUSE Tumbleweed strongswan-5.9.4-1.1 strongswan-doc-5.9.4-1.1 strongswan-hmac-5.9.4-1.1 strongswan-ipsec-5.9.4-1.1 strongswan-libs0-5.9.4-1.1 strongswan-mysql-5.9.4-1.1 strongswan-nm-5.9.4-1.1 strongswan-sqlite-5.9.4-1.1 strongswan-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-doc-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-hmac-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-ipsec-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-libs0-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-mysql-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-nm-5.9.4-1.1 as a component of openSUSE Tumbleweed strongswan-sqlite-5.9.4-1.1 as a component of openSUSE Tumbleweed The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur. CVE-2021-41990 openSUSE Tumbleweed:strongswan-5.9.4-1.1 openSUSE Tumbleweed:strongswan-doc-5.9.4-1.1 openSUSE Tumbleweed:strongswan-hmac-5.9.4-1.1 openSUSE Tumbleweed:strongswan-ipsec-5.9.4-1.1 openSUSE Tumbleweed:strongswan-libs0-5.9.4-1.1 openSUSE Tumbleweed:strongswan-mysql-5.9.4-1.1 openSUSE Tumbleweed:strongswan-nm-5.9.4-1.1 openSUSE Tumbleweed:strongswan-sqlite-5.9.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41990.html CVE-2021-41990 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. CVE-2021-41991 openSUSE Tumbleweed:strongswan-5.9.4-1.1 openSUSE Tumbleweed:strongswan-doc-5.9.4-1.1 openSUSE Tumbleweed:strongswan-hmac-5.9.4-1.1 openSUSE Tumbleweed:strongswan-ipsec-5.9.4-1.1 openSUSE Tumbleweed:strongswan-libs0-5.9.4-1.1 openSUSE Tumbleweed:strongswan-mysql-5.9.4-1.1 openSUSE Tumbleweed:strongswan-nm-5.9.4-1.1 openSUSE Tumbleweed:strongswan-sqlite-5.9.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41991.html CVE-2021-41991 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 https://bugzilla.suse.com/1191435 SUSE Bug 1191435 https://bugzilla.suse.com/1192640 SUSE Bug 1192640