[Pkg-swan-devel] Bug#1120004: strongswan: CVE-2025-62291
Yves-Alexis Perez
corsac at debian.org
Wed Nov 12 07:43:30 GMT 2025
On Mon, 2025-11-03 at 20:54 +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for strongswan.
>
> CVE-2025-62291[0]:
> > A vulnerability in the eap-mschapv2 plugin related to processing
> > Failure Request packets on the client was discovered in strongSwan
> > that can result in a heap-based buffer overflow and potentially remote
> > code execution.
>
> (just filing for visibility, all security supported suites have
> already been fixed)
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-62291
> https://www.cve.org/CVERecord?id=CVE-2025-62291
> [1] https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html
Just a bit of information to the bug since it's taking a bit of time: the
package for unstable is ready (since the CRD actually) but I'm waiting on the
keyring update (which should happen on the 24th apparently) before I can
upload.
Meanwhile updated (and signed) packages are available at:
https://perso.corsac.net/~corsac/debian/strongswan/
Regards,
--
Yves-Alexis