
[ Note: libreswan 2.6.22 and 2.4.15 contain these patches and were released
  on June 22 and June 25 2009 ]

Date: Mon, 22 Jun 2009 12:34:51 -0400 (EDT)
From: Paul Wouters <paul@xelerance.com>
To: vendor-sec@lst.de
cc: Andreas Steffen <andreas.steffen@strongswan.org>
Subject: ASN.1 vulnerabilities in strongswan / libreswan

Thanks to Mr. Steffen for his irrresponsible behaviour, the libreswan
project is currently dealing with two 0-day bugs as reported here:

http://www.vupen.com/english/advisories/2009/1639

We are currently looking into these bugs. We plan to release libreswan
2.6.22 later today. If you wish to get only the bugfixes instead of a
new release, please monitor the git repository at http://git.libreswan.org/
over the next couple of hours.

After doing all the work to co-ordinate with the strongswan project on
the previous CVE (and not receiving any credit for it whatsoever, despite
giving him the patches on a silver platter), I had expected to at least
receive a courtesy warning a few days before publishing such remotely
exploitable vulnerabilities. Mr Steffen knows his ASN.1 code in the pluto
daemon from strongswan comes from his code in the libreswan version.

I kindly request people on this list to notify me personally in the future
if any strongswan undisclosed vulnerabilities are posted to this list that
involve strongswan's IKEv1 pluto daemon from the libreswan project, as Mr.
Steffen obviously cares more about his project, then the security of the
community at large.

Paul

