Date: Tue, 14 Jun 2016 10:34:53 -0400
From: Paul Wouters <pwouters@...hat.com>
To: oss-security@...ts.openwall.com, huzaifas@...hat.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request: IKEv1 protocol is vulnerable to DoS amplification attack

On 06/13/2016 10:40 AM, cve-assign@...re.org wrote:
>> It's not libreswan which is flawed, but it's the protocol which they are trying to implement.
>
>> which implement IKEv1 are flawed, since they follow this protocol
>
> Many protocols could be described as "flawed." The IKEv1 protocol amplification concern does not make it flawed in a way that would lead to a per-protocol
> CVE ID assignment.

Then you should pull the CVE-2016-5361 which deals with retransmission amplification in IKEv1

> We are maintaining the
> CVE-2016-5361 ID assignment for the upstream announcement of "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17"

That statement on the libreswan website is clearly referring to CVE-2016-3071 not CVE-2016-5361.

> and
> accompanying upstream patch, as described in the http://www.openwall.com/lists/oss-security/2016/06/10/4 post.

Which again clearly refers to CVE-2016-5361 and not CVE-2016-3071

So again, please fix CVE-2016-5361 or drop it.

Paul