New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 759288 link

Starred by 1 user
Status: Fixed
Owner:
cernekee@chromium.org
Last visit > 30 days ago
Closed: Sep 2017
Cc:
vapier@chromium.org
cernekee@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in net-vpn/strongswan

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Aug 26 2017 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-vpn/strongswan
Package Version: [cpe:/a:strongswan:strongswan:5.5.3]

Advisory: CVE-2017-11185
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-11185
  CVSS severity score: 5/10.0
  Confidence: high
  Description:

The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature.

Comment 1 by ta...@google.com, Aug 28 2017

Components: OS>Packages
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: vapier@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by vapier@chromium.org, Aug 28 2017

Cc: vapier@chromium.org cernekee@chromium.org
Owner: cernekee@chromium.org
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 29 2017

Labels: M-61
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 29 2017

Labels: -Pri-2 Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 9 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/8f604600ea58e40aa0165153610f4f08a2d69640

commit 8f604600ea58e40aa0165153610f4f08a2d69640
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Sat Sep 09 00:36:18 2017

net-vpn/strongswan: Add upstream patch for CVE-2017-11185

This was cherry-picked on top of strongSwan 5.5.3.

BUG= chromium:759288 
TEST=buildbots

Change-Id: I7651217893781f1e98f3ff5f2417422600f6a1b3
Reviewed-on: https://chromium-review.googlesource.com/657810
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8f604600ea58e40aa0165153610f4f08a2d69640/net-vpn/strongswan/strongswan-5.5.3.ebuild
[add] https://crrev.com/8f604600ea58e40aa0165153610f4f08a2d69640/net-vpn/strongswan/files/strongswan-5.5.3-fix-cve-2017-11185.patch
[rename] https://crrev.com/8f604600ea58e40aa0165153610f4f08a2d69640/net-vpn/strongswan/strongswan-5.5.3-r2.ebuild

Comment 6 by cernekee@chromium.org, Sep 9 2017

Status: Fixed (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 9 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 16 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 10 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)

Sign in to add a comment