CVE-2023-41913 seems potentially gnarly

As IPFire uses charon-tkm, as far as I can see, it should be vulnerable.

Is there a plan for releasing a version with fixes for this?

As has always been the case with CVE’s in IPFire, when we discover a CVE or someone tells us about one then a patch to implement the fix is raised as quickly as possible.

That will also be the case here, however the CVE and the fix were only notified yesterday, so this is the first time I am aware of it.

Looking through the CVE notification is is also related to the charon-tkm daemon which is used as a proxy for DH operation between the IKE daemon in Strongswan and the Trusted Key Manager (TKM) package.

IPFire has not enabled the TKM support in Strongswan and therefore has not installed the TKM package so the charon-tkm daemon will not be running in IPFire systems, only the charon daemon.

Based on that my interpretation of the CVE is that it will not have an impact on IPFire IPSec users.
However, I am sure the updated package will get submitted by someone just to be on the safe side.


Patch submission for update to 5.9.12 has been made.


Correct! IPFire is not affected.


Good to know, thanks :slight_smile: