Bug 984630 (CVE-2016-5361) - VUL-2: CVE-2016-5361: libreswan: IKEv1 protocol is vulnerable to DoS amplification attack
Summary: VUL-2: CVE-2016-5361: libreswan: IKEv1 protocol is vulnerable to DoS amplific...
Status: RESOLVED WONTFIX
Alias: CVE-2016-5361
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169983/
Whiteboard:
Keywords:
Depends on:
Blocks: 984628
Reported: 2016-06-14 10:55 UTC by Marcus Meissner
Modified: 2016-07-05 15:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-14 10:55:58 UTC
+++ This bug was initially created as a clone of Bug #984628 +++


We can, however, assign a CVE ID to a vendor's announcement of a
required security update, such as on the https://libreswan.org/ home
page:

  "libreswan 3.16 vulnerable to DDOS attack. Please upgrade to 3.17"

Use CVE-2016-5361 for this issue only in the libreswan codebase.
Comment 1 Swamp Workflow Management 2016-06-14 22:00:41 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-06-17 15:27:56 UTC
libreswan had assigned CVE-2016-3071 (there was some discussion which should live on)
Comment 3 Andreas Stieger 2016-07-05 15:19:00 UTC
Statement on https://libreswan.org/

> MITRE mistakenly issues CVE-2016-5361 for libreswan
> Libreswan performs some additional hardening for the IKEv1 protocol
> that other implementations have not implemented.
> This is not a vulnerability and CVE-2016-5361 was issued erroneously.