Security update for strongswan SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14827-1 Final 1 1 2021-10-19T11:16:08Z current 2021-10-19T11:16:08Z 2021-10-19T11:16:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for strongswan This update for strongswan fixes the following issues: - CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-strongswan-14827,slessp4-strongswan-14827 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114827-1/ Link for SUSE-SU-2021:14827-1 https://lists.suse.com/pipermail/sle-security-updates/2021-October/009612.html E-Mail link for SUSE-SU-2021:14827-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1191435 SUSE Bug 1191435 https://www.suse.com/security/cve/CVE-2021-41991/ SUSE CVE CVE-2021-41991 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS strongswan-4.4.0-6.36.9.1 strongswan-doc-4.4.0-6.36.9.1 strongswan-4.4.0-6.36.9.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 strongswan-doc-4.4.0-6.36.9.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 strongswan-4.4.0-6.36.9.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS strongswan-doc-4.4.0-6.36.9.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. CVE-2021-41991 SUSE Linux Enterprise Point of Sale 11 SP3:strongswan-4.4.0-6.36.9.1 SUSE Linux Enterprise Point of Sale 11 SP3:strongswan-doc-4.4.0-6.36.9.1 SUSE Linux Enterprise Server 11 SP4-LTSS:strongswan-4.4.0-6.36.9.1 SUSE Linux Enterprise Server 11 SP4-LTSS:strongswan-doc-4.4.0-6.36.9.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114827-1/ https://www.suse.com/security/cve/CVE-2021-41991.html CVE-2021-41991 https://bugzilla.suse.com/1191367 SUSE Bug 1191367 https://bugzilla.suse.com/1191435 SUSE Bug 1191435 https://bugzilla.suse.com/1192640 SUSE Bug 1192640