The Libreswan Project offers openswan users a backport of the CVE-2013-6467 fix that addresses openswan's CVE-2013-6466.

Information about this vulnerability was disclosed to openswan/xelerance on January 6, 2014. The libreswan patch was given to them on January 10. On January 16, this vulnerability became public knowledge with the libreswan-3.8 release. On February 14, openswan-2.6.40 was released, but unfortunately it DOES NOT fix CVE-2013-6466. A new CVE has been requested for the openswan-2.6.40 crasher, see:

http://www.openwall.com/lists/oss-security/2014/02/18/1

The patches listed here are based on the work done for the RHEL versions of openswan, which DO address CVE-2013-6466 properly. These patches are suitable for RHEL 5 and 6 as well as CentOS 5 and 6. For more information, see:

https://rhn.redhat.com/errata/RHSA-2014-0185.html

This will be the last security patch for openswan made by The Libreswan Project. We strongly recommend that people using openswan switch to libreswan immediately.