CVE-2009-2185.txt
[ Note: openswan 2.6.22 and 2.4.15 contain these patches and were released
on June 22 and June 25 2009 ]

Date: Mon, 22 Jun 2009 12:34:51 -0400 (EDT)
From: Paul Wouters <paul@xelerance.com>
To: vendor-sec@lst.de
cc: Andreas Steffen <andreas.steffen@strongswan.org>
Subject: ASN.1 vulnerabilities in strongswan / openswan

Thanks to Mr. Steffen for his irresponsible behaviour, the openswan
project is currently dealing with two 0-day bugs as reported here:

http://www.vupen.com/english/advisories/2009/1639

We are currently looking into these bugs. We plan to release openswan
2.6.22 later today. If you wish to get only the bugfixes instead of a
new release, please monitor the git repository at http://git.openswan.org/
over the next couple of hours.

After doing all the work to co-ordinate with the strongswan project on
the previous CVE (and not receiving any credit for it whatsoever, despite
giving him the patches on a silver platter), I had expected to at least
receive a courtesy warning a few days before publishing such remotely
exploitable vulnerabilities. Mr Steffen knows his ASN.1 code in the pluto
daemon from strongswan comes from his code in the openswan version.

I kindly request people on this list to notify me personally in the future
if any strongswan undisclosed vulnerabilities are posted to this list that
involve strongswan's IKEv1 pluto daemon from the openswan project, as Mr.
Steffen obviously cares more about his project than the security of the
community at large.

Paul