[ Note: openswan 2.6.22 and 2.4.15 contain these patches and were released on June 22 and June 25 2009 ] Date: Mon, 22 Jun 2009 12:34:51 -0400 (EDT) From: Paul Wouters To: vendor-sec@lst.de cc: Andreas Steffen Subject: ASN.1 vulnerabilities in strongswan / openswan Thanks to Mr. Steffen for his irrresponsible behaviour, the openswan project is currently dealing with two 0-day bugs as reported here: http://www.vupen.com/english/advisories/2009/1639 We are currently looking into these bugs. We plan to release openswan 2.6.22 later today. If you wish to get only the bugfixes instead of a new release, please monitor the git repository at http://git.openswan.org/ over the next couple of hours. After doing all the work to co-ordinate with the strongswan project on the previous CVE (and not receiving any credit for it whatsoever, despite giving him the patches on a silver platter), I had expected to at least receive a courtesy warning a few days before publishing such remotely exploitable vulnerabilities. Mr Steffen knows his ASN.1 code in the pluto daemon from strongswan comes from his code in the openswan version. I kindly request people on this list to notify me personally in the future if any strongswan undisclosed vulnerabilities are posted to this list that involve strongswan's IKEv1 pluto daemon from the openswan project, as Mr. Steffen obviously cares more about his project, then the security of the community at large. Paul