Description: programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libreswan (PTS) | buster, buster (security) | 3.27-6+deb10u1 | fixed |
| | bullseye (security) | 4.3-1+deb11u3 | fixed |
| | sid, trixie | 4.14-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libreswan | source | (unstable) | (not affected) | | | |


- libreswan <not-affected> (Fixed before initial upload to Debian)

Possibly the CVE should be rejected: MITRE has assigned the CVE not to the protocol flaw but specifically to libreswan, but as Huzaifa Sidhpurwala pointed out, that is not a libreswan issue; rather, the protocol is flawed.
