CVE-2019-10155

NameCVE-2019-10155
DescriptionThe Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs930338

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreswan (PTS)buster, buster (security)3.27-6+deb10u1fixed
bullseye (security), bullseye4.3-1+deb11u3fixed
bookworm, sid4.10-2fixed
strongswan (PTS)buster5.7.2-1+deb10u2fixed
buster (security)5.7.2-1+deb10u3fixed
bullseye (security), bullseye5.9.1-1+deb11u3fixed
bookworm, sid5.9.8-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freeswansource(unstable)(unfixed)
libreswansource(unstable)3.27-6930338
openswansource(unstable)(unfixed)
strongswansource(unstable)5.1.0-1

Notes

https://libreswan.org/security/CVE-2019-10155/
Not vulnerable: libreswan 3.29 and later, strongswan 5.0 and later, freeswan

Search for package or bug name: Reporting problems