Security update for strongswan SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:2183-1 Final 1 1 2015-12-21T19:00:13Z current 2015-12-21T19:00:13Z 2015-12-21T19:00:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for strongswan The strongswan package was updated to fix the following security issue: - CVE-2015-8023: Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin (bsc#953817). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-2015-934,SUSE-SLE-SERVER-12-2015-934 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20152183-1/ Link for SUSE-SU-2015:2183-1 https://lists.suse.com/pipermail/sle-security-updates/2015-December/001713.html E-Mail link for SUSE-SU-2015:2183-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/953817 SUSE Bug 953817 https://www.suse.com/security/cve/CVE-2015-8023/ SUSE CVE CVE-2015-8023 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 strongswan-5.1.3-22.1 strongswan-doc-5.1.3-22.1 strongswan-ipsec-5.1.3-22.1 strongswan-libs0-5.1.3-22.1 strongswan-hmac-5.1.3-22.1 strongswan-5.1.3-22.1 as a component of SUSE Linux Enterprise Desktop 12 strongswan-doc-5.1.3-22.1 as a component of SUSE Linux Enterprise Desktop 12 strongswan-ipsec-5.1.3-22.1 as a component of SUSE Linux Enterprise Desktop 12 strongswan-libs0-5.1.3-22.1 as a component of SUSE Linux Enterprise Desktop 12 strongswan-5.1.3-22.1 as a component of SUSE Linux Enterprise Server 12 strongswan-doc-5.1.3-22.1 as a component of SUSE Linux Enterprise Server 12 strongswan-hmac-5.1.3-22.1 as a component of SUSE Linux Enterprise Server 12 strongswan-ipsec-5.1.3-22.1 as a component of SUSE Linux Enterprise Server 12 strongswan-libs0-5.1.3-22.1 as a component of SUSE Linux Enterprise Server 12 strongswan-5.1.3-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 strongswan-doc-5.1.3-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 strongswan-hmac-5.1.3-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 strongswan-ipsec-5.1.3-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 strongswan-libs0-5.1.3-22.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message. CVE-2015-8023 SUSE Linux Enterprise Desktop 12:strongswan-5.1.3-22.1 SUSE Linux Enterprise Desktop 12:strongswan-doc-5.1.3-22.1 SUSE Linux Enterprise Desktop 12:strongswan-ipsec-5.1.3-22.1 SUSE Linux Enterprise Desktop 12:strongswan-libs0-5.1.3-22.1 SUSE Linux Enterprise Server 12:strongswan-5.1.3-22.1 SUSE Linux Enterprise Server 12:strongswan-doc-5.1.3-22.1 SUSE Linux Enterprise Server 12:strongswan-hmac-5.1.3-22.1 SUSE Linux Enterprise Server 12:strongswan-ipsec-5.1.3-22.1 SUSE Linux Enterprise Server 12:strongswan-libs0-5.1.3-22.1 SUSE Linux Enterprise Server for SAP Applications 12:strongswan-5.1.3-22.1 SUSE Linux Enterprise Server for SAP Applications 12:strongswan-doc-5.1.3-22.1 SUSE Linux Enterprise Server for SAP Applications 12:strongswan-hmac-5.1.3-22.1 SUSE Linux Enterprise Server for SAP Applications 12:strongswan-ipsec-5.1.3-22.1 SUSE Linux Enterprise Server for SAP Applications 12:strongswan-libs0-5.1.3-22.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20152183-1/ https://www.suse.com/security/cve/CVE-2015-8023.html CVE-2015-8023 https://bugzilla.suse.com/953817 SUSE Bug 953817