OpenBSD Journal

y Patch 009: isakmpd

Contributed by jose on from the oops dept.

Patch 009 for OpenBSD 3.4 has been released. This patch addresses flaws in isakmpd which can allow an attacker to disrupt the normal IPsec setup. This has been fixed in -current for some time. UPDATE : The security-announce mail is now out.

Date: Fri, 16 Jan 2004 10:55:56 +0100
From: Hans-Joerg Hoexer <Hans-Joerg.Hoexer@yerbouti.franken.de>
To: security-announce@openbsd.org
Subject: Message handling flaws in isakmpd(8)
Several message handling flaws in isakmpd(8) have been reported by Thomas Walpuski. These allow an attacker to delete arbitrary SAs. Fixes have been commited to 3.3 and 3.4 -stable branches. Patches are also available at

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/009_isakmpd.patch
and
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/014_isakmpd.patch

The patch for 3.4 includes also a reliability fix for a filedescriptor leak that causes problems when a crypto card is installed. This problem does not exist in 3.3.

(Comments are closed)


Comments
  1. By SiLiZiUMM () pemessier@nospamohno.yahoo.com on http://pemessier.fr.st/

    I'll reinstalling my firewall this weekend to upgrade to OpenBSD 3.4. Would it be safe to put all the patches up to now and build once instead of building for all patches ?

    Comments
    1. By Martijn () on http://www.bunix.org/

      I would suggest install the 3.4 source and run 'cvs -d update -rOPENBSD_3_4 -Pd'. This will give you the security fixes and all the other non-security fixes.

  2. By Anonymous Coward () on

    Any indication of why the patch took so long to reach -stable from -current?

    Comments
    1. By Anonymous Coward () on

      -stable isn't priority?

  3. By Anonymous Coward () on

    Can we expect a 3.3 patch, or must we upgrade to 3.4 to protect our systems?

    Comments
    1. By Anonymous Coward () on

      This is my question as well - or does this not affect 3.3 users?

      Comments
      1. By gwyllion () on

        The patch for 3.3 is available now.
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/014_isakmpd.patch

    2. By Juanjo () on

      It's so easy.

      Get the patch and check the code your're using at CVS (your branch... OPENBSD3_3_BASE or OPENBSD3_3 (stable) or whatever). The file is src/sbin/isakmpd/crypto.c. You'll see that file is unchanged since 19 months and 1 week for both BASE and STABLE, so I bet you need to compare both files because may be isn't fixed yet.

      You'll find the problem that patch fixed isn't there for 3.3. In fact seems they go back to 3.3 code :?

      So nothing to do at this time :)

      (Discaimer: this comment comes with no warranty XD may be I'm wrong heh)

      Comments
      1. By Anonymous Coward () on

        There's a patch:
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/014_isakmpd.patch

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]