L2TP/IPsec on Mac OS X stops working after openswan upgrade [with patches]
Dear Yves-Alexis Perez and Debian Security Team,
Related bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744717
From the changelog of Debian, I know that you are the maintainer of
openswan in Debian:
openswan (1:2.6.37-3+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * debian/patches:
    - CVE-2013-2053 added, fix pre-authentication buffer overflow in atodn() /
      atoid() (CVE-2013-2053). closes: #709144
    - CVE-2013-6466 added, fix pre-authentication remote denial of service in
      IKEv2 daemon (CVE-2013-6466) closes: #737406

 -- Yves-Alexis Perez <corsac@debian.org>  Sun, 23 Mar 2014 16:12:16 +0100
After upgrading openswan in wheezy to 1:2.6.37-3+deb7u1, I found
that I cannot connect to IPsec from Mac OS X and iOS any more. And
some other people encountered the same problem as me:
http://superuser.com/questions/740545/l2tp-ipsec-stopped-working-after-openssl-upgrade
(however, the subject there was a misunderstanding).
After checking the patch, I found that it's CVE-2013-6466.patch; it
removes the compatibility code for Mac OS X and iOS, which use a bad
draft. Now I have fixed this and tested it on Mac OS X and iOS. However,
I didn't test on other platforms, such as Linux and Windows.
I'm attaching the patch, and if you cannot see it, you can download it
from http://piebridge.me/openswan_osx_nat_d_baddraft.patch
--
Best regards,
Liu DongMiao