Launchpad CVE tracker

CVE 2015-8023

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

Related bugs and status

CVE-2015-8023 (Candidate) is related to these bugs:

Bug #1309594: kernel-libipsec not loading

Summary				In	Importance	Status
	1309594	kernel-libipsec not loading		strongswan (Ubuntu)	Medium	Fix Released
	1309594	kernel-libipsec not loading		strongswan (Ubuntu Trusty)	Undecided	Won't Fix

Bug #1330504: strongSwan 5.1.3

Summary				In	Importance	Status
	1330504	strongSwan 5.1.3		strongswan (Ubuntu)	High	Fix Released

Bug #1333655: strongSwan AppArmor profile does not allow user priv dropping

Summary				In	Importance	Status
	1333655	strongSwan AppArmor profile does not allow user priv dropping		strongswan (Ubuntu)	Wishlist	Fix Released

Bug #1448870: Certificate policies cause rejections

Summary				In	Importance	Status
	1448870	Certificate policies cause rejections		strongswan (Ubuntu)	Undecided	Fix Released

Bug #1451091: new upstream version 5.2.2

Summary				In	Importance	Status
	1451091	new upstream version 5.2.2		strongswan (Ubuntu)	Wishlist	Fix Released

Bug #1470277: strongswan apparmor profile doesn't permit xauth-pam

Summary				In	Importance	Status
	1470277	strongswan apparmor profile doesn't permit xauth-pam		strongswan (Ubuntu)	Undecided	Fix Released

Bug #1505222: strongSwan AppArmor prevents CRL caching

Summary				In	Importance	Status
	1505222	strongSwan AppArmor prevents CRL caching		strongswan (Ubuntu)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-8023

References