Debian Security Advisory

DSA-5249-1 strongswan -- security update

Date Reported:
06 Oct 2022
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1021271.
In Mitre's CVE dictionary: CVE-2022-40617.
More information:

Lahav Schlesinger discovered a vulnerability in the revocation plugin of strongSwan, an IKE/IPsec suite.

The revocation plugin uses OCSP URIs and CRL distribution points (CDP) which come from certificates provided by the remote endpoint. The plugin didn't check for the certificate chain of trust before using those URIs, so an attacker could provided a crafted certificate containing URIs pointing to servers under their control, potentially leading to denial-of-service attacks.

For the stable distribution (bullseye), this problem has been fixed in version 5.9.1-1+deb11u3.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to its security tracker page at: