ports/129468: [vuxml] security/ipsec-tools: document CVE-2008-3651 and CVE-2008-3652
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Dec 6 17:50:01 UTC 2008
>Number: 129468
>Category: ports
>Synopsis: [vuxml] security/ipsec-tools: document CVE-2008-3651 and CVE-2008-3652
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 06 17:50:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Two remotely-exploitable vulnerabilities that can cause DoS were found
in ipsec-tools before 0.7.1. The port was updated in Jul 2008, but no
VuXML entry was submitted.
>How-To-Repeat:
http://www.securityfocus.com/bid/30657/info
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="8c46a4c4-c3b7-11dd-b08d-001fc66e7203">
  <topic>ipsec-tools -- two DoS attacks</topic>
  <affects>
    <package>
      <name>ipsec-tools</name>
      <range><lt>0.7.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Two Denial of Service vulnerabilities that could allow a
        remote attacker to consume all available memory were discovered
        by vendor:</p>
      <blockquote
        cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3651">
        <p>Memory leak in racoon/proposal.c in the racoon daemon in
          ipsec-tools before 0.7.1 allows remote authenticated users to
          cause a denial of service (memory consumption) via invalid
          proposals.</p>
      </blockquote>
      <blockquote
        cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3652">
        <p>src/racoon/handler.c in racoon in ipsec-tools does not
          remove an "orphaned ph1" (phase 1) handle when it has been
          initiated remotely, which allows remote attackers to cause a
          denial of service (resource consumption).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3651</cvename>
    <cvename>CVE-2008-3652</cvename>
    <bid>30657</bid>
    <mlist msgid="20080724084529.GA3768@zen.inc">http://marc.info/?l=ipsec-tools-devel&amp;m=121688914101709&amp;w=2</mlist>
  </references>
  <dates>
    <discovery>2008-07-24</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: