CVE-2016-5361

NameCVE-2016-5361
Descriptionprograms/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreswan (PTS)buster3.27-6fixed
bullseye, sid3.29-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libreswansource(unstable)(not affected)

Notes

- libreswan <not-affected> (Fixed before initial upload to Debian)
Possibly the CVE should be rejected: http://www.openwall.com/lists/oss-security/2016/06/13/1
MITRE has not assigned the CVE to the protocol flaw, but specific to libreswan, but as
Huzaifa Sidhpurwala <huzaifas@redhat.com> pointed out that is not a libreswan issue, rather
the protocol is flawed.

Search for package or bug name: Reporting problems