ALAS-2014-303

Amazon Linux 1 Security Advisory: ALAS-2014-303
Advisory Release Date: 2014-03-10 09:40 Pacific
Advisory Updated Date: 2014-09-17 22:50 Pacific

Severity: Medium

References: CVE-2013-6466 RHSA-2014-0185
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped. (CVE-2013-6466)

Affected Packages:

openswan

Issue Correction:
Run yum update openswan to update your system.

New Packages:

i686:
    openswan-2.6.37-3.17.amzn1.i686
    openswan-debuginfo-2.6.37-3.17.amzn1.i686
    openswan-doc-2.6.37-3.17.amzn1.i686

src:
    openswan-2.6.37-3.17.amzn1.src

x86_64:
    openswan-doc-2.6.37-3.17.amzn1.x86_64
    openswan-debuginfo-2.6.37-3.17.amzn1.x86_64
    openswan-2.6.37-3.17.amzn1.x86_64

Additional References

Red Hat: CVE-2013-6466

Mitre: CVE-2013-6466