Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 10:34:53 -0400
From: Paul Wouters <pwouters@...hat.com>
To: oss-security@...ts.openwall.com, huzaifas@...hat.com
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request: IKEv1 protocol is vulnerable to
 DoS amplification attack

On 06/13/2016 10:40 AM, cve-assign@...re.org wrote:
>> Its not libreswan which is flawed, but its the protocol which they are trying to implement.
> 
>> which implement IKEv1 are flawed, since they follow this protocol
> 
> Many protocols could be described as "flawed." The IKEv1 protocol amplification concern does not make it flawed in a way that would lead to a per-protocol
> CVE ID assignment.

Then you should pull the CVE-2016-5361 which deals with retransmission amplification in IKEv1

 We are maintaining the
> CVE-2016-5361 ID assignment for the upstream announcement of "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17"

That statement on the libreswan website is clearly referring to CVE-2016-3071 not CVE-2016-5361.

 and
> accompanying upstream patch, as described in the http://www.openwall.com/lists/oss-security/2016/06/10/4 post.

Which again clearly refers to CVE-2016-5361 and not CVE-2016-3071

So again, please fix CVE-2016-5361 or drop it.

Paul

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ