[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]

On ven., 2014-05-02 at 19:12 +0800, Liu DongMiao wrote:
> I think it didn't reintroduce CVE-2013-6466.
> I have use some packets to test them.
> ref: http://www.openwall.com/lists/oss-security/2014/02/18/1
> on 1:2.6.37-3, it didn't show message droped, and on
> 1:2.6.37-3+deb7u1 and the one with my patch, it shows:
> missing payload(s)
> (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2KE+ISAKMP_NEXT_v2Ni). Message dropped.
> Furthermore, I have diffed the patch in debian and the patch in rhel5.
> The patch in rhel5 is almost the same with the patch in debian,
> without the removal of compatible codes for mac os x's
> The original CVE-2013-6466 is something related with NULL pointer.
> From the other side, it's unnecessary to remove the compatible codes
> for mac os x.


Paul Wouters (which originally wrote most of the patches we used in the
DSA) is currently looking at the regression. The NATD_BADDRAFTS values
should not be used by anyone actually, but we might end up re-adding
them to support really old/obsoletes systems which can't be upgraded.


Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: