Bug Fix Advisory ipsec-tools bug fix update

Advisory: RHBA-2010:0645-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2010-08-24
Last updated on: 2010-08-24
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated ipsec-tools package that fixes various bugs is now available.

The ipsec-tools package contains configuration and management tools for IPsec.

This updated ipsec-tools package resolves the following bugs:

* when clients connected and disconnected under load, the racoon daemon stopped
responding for a few minutes due to a race condition in the code that dumps the
Security Association Database (SAD) from the kernel through a pfkey socket. The
updated package uses a separate pfkey socket for the SA database dumps, which
removes the possibility of the race condition. (BZ#609084)

* when receiving a delete notification for an IKE SA, the racoon daemon also
incorrectly deleted the IPsec SAs associated with that IKE SA. The updated
package only expires the IKE SA and waits for the IPsec SAs to expire before the
IKE SA is purged from racoon's memory. (BZ#609085)

* when looking up security policy database (SPD) entries, the racoon daemon
matched an inexact entry even when an exact entry was present in the database.
The updated package looks for an exact match before falling back to inexact
matching. (BZ#609087)

* when dumping the pfkey database, the kernel returned only part of the database
because the socket buffer was too small. When racoon was deployed on a system
with a large number of network security policy entries, racoon could not find
all of the security policy entries in the database. The updated package adds a
new racoon.conf configuration option, pfkey_buffer, that allows the buffer size
to be set as appropriate for the deployment. (BZ#609090)

All users of IPsec Tools are advised to upgrade to this updated package, which
resolves these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
ipsec-tools-0.6.5-14.el5_5.5.src.rpm     MD5: 63ab74296199639d35bf719e85b842bd
SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667
 
IA-32:
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm     MD5: be3355a65a3488c381feff83f652dc6e
SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb
 
IA-64:
ipsec-tools-0.6.5-14.el5_5.5.ia64.rpm     MD5: e4ed4d531ca5ebf86930e88e40481418
SHA-256: 957577acb6344a9b3702c5ea91350f437a5c32aae4a9d358145e8bece8e93b6a
 
PPC:
ipsec-tools-0.6.5-14.el5_5.5.ppc.rpm     MD5: 0963872f8b2fa410c7caff98fbd22d16
SHA-256: 135100f2e815176622e85427703a26740b400534c1e26a564c228b84b4dbfe2b
 
s390x:
ipsec-tools-0.6.5-14.el5_5.5.s390x.rpm     MD5: e5e33c9d2c0f54a4f5ebd67f512f50a5
SHA-256: bb317de56cda99857f765fc1699aeb34658a68e95d13a029a1f9e537663ed1d9
 
x86_64:
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm     MD5: 0acda7d8951a58880577ce59cde2ee4f
SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
ipsec-tools-0.6.5-14.el5_5.5.src.rpm     MD5: 63ab74296199639d35bf719e85b842bd
SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667
 
IA-32:
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm     MD5: be3355a65a3488c381feff83f652dc6e
SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb
 
x86_64:
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm     MD5: 0acda7d8951a58880577ce59cde2ee4f
SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb
 
(The unlinked packages above are only available from the Red Hat Network)
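The following script is an added example for applying this advisory; it is not code from Red Hat or from the ipsec-tools project. It checks whether the installed ipsec-tools build is at or past the fixed build, and verifies a downloaded RPM against the SHA-256 sums in the table above before it is installed. It assumes a POSIX sh with awk and either sha256sum (coreutils) or shasum; rpm is only invoked when present. The version comparison is a deliberately simplified stand-in for rpm's rpmvercmp, sufficient for comparing builds within the 0.6.5-14.el5_5.x line but not a full reimplementation.

```shell
#!/bin/sh
# Added example (not from the advisory or the ipsec-tools project):
# check the installed ipsec-tools against the RHBA-2010:0645 fixed build and
# verify a downloaded RPM's SHA-256 against the advisory table.

FIXED_NVR="ipsec-tools-0.6.5-14.el5_5.5"

# SHA-256 sums copied from the advisory's "Updated packages" table.
X86_64_SHA256="90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb"
I386_SHA256="f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb"

# Compare two NVR strings segment by segment ("." and "-" separate segments;
# all-digit segments compare numerically, others as strings). Prints -1, 0 or 1.
# Simplified stand-in for rpmvercmp (assumption: adequate for one package line).
vercmp() {
    awk -v a="$1" -v b="$2" '
    BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = A[i]; y = B[i]
            if (x == "" && y != "") { print -1; exit }
            if (x != "" && y == "") { print 1; exit }
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Returns 0 when $1 (an installed NVR) is the fixed build or later.
installed_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_NVR")" -ge 0 ]
}

# Print the lower-case hex SHA-256 of file $1 (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when file $1 hashes to the expected digest $2.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Usage: sh check-ipsec-tools.sh [downloaded-ipsec-tools.rpm]
main() {
    if command -v rpm >/dev/null 2>&1; then
        inst=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ipsec-tools 2>/dev/null) || inst=""
        if [ -z "$inst" ]; then
            echo "ipsec-tools is not installed"
        elif installed_is_fixed "$inst"; then
            echo "$inst: fixed build or later"
        else
            echo "$inst: NOT fixed, update to $FIXED_NVR"
        fi
    fi
    if [ -n "$1" ]; then
        case "$1" in
            *.x86_64.rpm) want=$X86_64_SHA256 ;;
            *.i386.rpm)   want=$I386_SHA256 ;;
            *) echo "$1: no checksum for this architecture in this script"; return 2 ;;
        esac
        if verify_sha256 "$1" "$want"; then
            echo "$1: SHA-256 matches the advisory"
            # Checksum agrees with the table; now check Red Hat's GPG signature.
            if command -v rpm >/dev/null 2>&1; then rpm -K "$1"; fi
        else
            echo "$1: SHA-256 MISMATCH, do not install"; return 1
        fi
    fi
}

main "$@"
```

A matching checksum proves the file is the one listed in the advisory; `rpm -K` additionally confirms the package carries Red Hat's signature, which is the check to rely on when the file came from anywhere other than the Red Hat Network.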

Bugs fixed (see bugzilla for more information)

609084 - pfkey socket buffer overflow
609085 - Racoon: getsp_r() returns first non-exact SP match result, even if there is an exact match after that point.
609087 - Racoon deletes all associated phase 2 sa's after deleting of phase 1 sa
609090 - Racoon daemon blocks on recv() call due to empty pfkey socket


Keywords

buffer, delete, hang, matching, pfkey, policy, sa


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/