[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]

Yes, it shouldn't support bad draft anymore, but the mac os x/ios
intend to use it..
And in my opionin, a fix for cve shouldn't change the compatibility,
but only focus on the cve's problem.

Otherwise, people would rollback to the original version without the cve fix.
Actually, several people did so to keep their mac os x/ios devices working.
Best regards,
Liu DongMiao

2014-05-03 5:57 GMT+08:00 Yves-Alexis Perez <corsac@debian.org>:
> On ven., 2014-05-02 at 19:12 +0800, Liu DongMiao wrote:
>> I think it didn't reintroduce CVE-2013-6466.
>> I have use some packets to test them.
>> ref: http://www.openwall.com/lists/oss-security/2014/02/18/1
>> on 1:2.6.37-3, it didn't show message droped, and on
>> 1:2.6.37-3+deb7u1 and the one with my patch, it shows:
>> missing payload(s)
>> (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2KE+ISAKMP_NEXT_v2Ni). Message dropped.
>> Furthermore, I have diffed the patch in debian and the patch in rhel5.
>> The patch in rhel5 is almost the same with the patch in debian,
>> without the removal of compatible codes for mac os x's
>> The original CVE-2013-6466 is something related with NULL pointer.
>> From the other side, it's unnecessary to remove the compatible codes
>> for mac os x.
> Hey,
> Paul Wouters (which originally wrote most of the patches we used in the
> DSA) is currently looking at the regression. The NATD_BADDRAFTS values
> should not be used by anyone actually, but we might end up re-adding
> them to support really old/obsoletes systems which can't be upgraded.
> Regards,
> --
> Yves-Alexis

Reply to: