
Bug Fix Advisory: openswan bug fix and enhancement update

Advisory: RHBA-2011:0652-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated openswan packages that fix various bugs and provide several enhancements
are now available for Red Hat Enterprise Linux 6.

Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for
Linux. This package contains the daemons and user space tools for setting up
Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the
default Linux kernel.

Openswan 2.6.x also supports IKEv2 (RFC 4306).

The openswan packages have been upgraded to upstream version 2.6.32, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#642724)

These updated openswan packages provide fixes for the following bugs:

* Openswan was previously unable to negotiate using the HMAC-SHA2-256 algorithm
in transport mode. With this update, Openswan is able to set up IPsec using
HMAC-SHA2-256 in transport mode. (BZ#621790)

* The Openswan init script accessed the current working directory, which led to
an SELinux AVC Denial. This update ensures that the current working directory is
set to the root ("/") directory, and thus Openswan's pluto daemon starts without
incurring an SELinux denial. (BZ#628879)

* Previously, the Openswan packages were not compiled with the "-Wl,-z,relro"
parameter. These updated openswan packages have been compiled with the
"-Wl,-z,relro" parameter. (BZ#642722)

* The IPsec NETKEY kernel code sent thousands of ACQUIRE messages, which led to a
segmentation fault in Openswan. With this update, ACQUIRE messages are processed
properly and Openswan no longer crashes. (BZ#658121)

* When the system's IP address was renewed using DHCP, the Openswan IPsec
connection failed. This update ensures that the IPsec connection continues to
operate across DHCP IP address renewals. (BZ#658253)

* Entering an incorrect IKE Extended Authentication (Xauth) password during IKE
negotiation causes the connection to fail. Previously, this failure was not
communicated to NetworkManager, which therefore continued to wait until it timed
out. With this update, Openswan sends a failure message to NetworkManager over
the D-Bus system message bus, informing it of the failure to connect. As a
result, NetworkManager knows about the failure as soon as it happens and is able
to inform the user about it immediately. (BZ#668785)

* Internet Control Message Protocol (ICMP)-specific IPsec connections were set
up incorrectly: the ICMP "Type" and "Code" fields of the traffic selectors were
populated wrongly in the code. This has been fixed so that ICMP selectors are now
processed correctly according to the IKEv2 protocol specification (RFC 4306).
(BZ#681974)

* Configuring a second IPsec policy using a different host behind the same
gateway caused Openswan to crash because the policy was not set up correctly.
With this update, Openswan's IKEv2 implementation processes the traffic
selectors correctly so that the correct definition is picked up during the key
exchange. As a result, a second IPsec policy using a different host behind the
same gateway can now be set up successfully. (BZ#683604)
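The RELRO fix above (BZ#642722) can be confirmed on an installed system rather than taken on trust. The following shell script is an added example; it is not part of this advisory or of the openswan package. It classifies a binary's RELRO state from the program-header and dynamic-section output of readelf, using constructed sample output so that it runs offline. The check_binary wrapper, and the pluto path mentioned in its comment, are assumptions and not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the RELRO hardening state of
# an ELF binary from readelf output, so an administrator can confirm that the
# updated openswan binaries were linked with -Wl,-z,relro.
#
# relro_level PHDRS DYNAMIC
#   PHDRS   = output of `readelf -lW BINARY` (program headers)
#   DYNAMIC = output of `readelf -dW BINARY` (dynamic section)
# Prints "full" (GNU_RELRO segment plus BIND_NOW), "partial" (GNU_RELRO
# segment only, which is what -Wl,-z,relro alone produces) or "none".
relro_level() {
    phdrs=$1
    dynamic=$2
    if printf '%s\n' "$phdrs" | grep -q 'GNU_RELRO'; then
        # With -z now as well, all relocations are resolved at load time and
        # the whole GOT is made read-only (full RELRO).
        if printf '%s\n' "$dynamic" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then
            echo full
        else
            echo partial
        fi
    else
        echo none
    fi
}

# Wrapper for a real file; needs binutils. A typical call on RHEL 6 would be
# check_binary /usr/libexec/ipsec/pluto (path is an assumption, not from the
# advisory).
check_binary() {
    relro_level "$(readelf -lW "$1" 2>/dev/null)" "$(readelf -dW "$1" 2>/dev/null)"
}

# Constructed sample readelf fragments (not captured from the package) so the
# classifier can be exercised offline.
SAMPLE_PHDRS_RELRO='  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0d6c 0x0d6c R E 0x200000
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x01f0 0x01f0 R   0x1'
SAMPLE_PHDRS_NONE='  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0d6c 0x0d6c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x0000 0x0000 RW  0x10'
SAMPLE_DYN_NOW=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'
SAMPLE_DYN_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Stand-alone run: prints partial, full, none (one per line).
relro_level "$SAMPLE_PHDRS_RELRO" "$SAMPLE_DYN_LAZY"
relro_level "$SAMPLE_PHDRS_RELRO" "$SAMPLE_DYN_NOW"
relro_level "$SAMPLE_PHDRS_NONE" "$SAMPLE_DYN_LAZY"
```

A result of "partial" is the expected outcome for a package built with "-Wl,-z,relro" only; "none" on the updated binaries would indicate that the package on the system is not the one described here.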

In addition, these updated packages provide the following enhancements:

* Openswan's IKEv1 implementation and NETKEY interactions now understand SELinux
labeled flows, and Openswan has been integrated with SELinux. As a result, it is
now possible to exchange SELinux labels in IKE and to set up labeled IPsec
policies and Security Associations (SAs) in SELinux Multi-Level Security (MLS)
mode. (BZ#235720)

* Previously, Openswan did not support the Internet Key Exchange version 2
(IKEv2) USE_TRANSPORT_MODE functionality, with the result that Openswan could
not interoperate with racoon2 in transport mode. With this update, Openswan's
IKEv2 protocol support has been enhanced so that it now works in transport mode
and interoperates with racoon2. (BZ#646718)

Users are advised to upgrade to these updated openswan packages, which resolve
these issues and add these enhancements.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
openswan-2.6.32-4.el6.src.rpm
    File outdated by: RHSA-2014:0185
    MD5: b90d9f1e34b3e0b5c1be3d4936a25f70
    SHA-256: 3fa6b02063219998de2a505d3efc4d78b8f2856917c45f5f2d8c78c56ec1148f

IA-32:
openswan-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 887baa87cac95403fef1ba619ad33fda
    SHA-256: bf19697dfeb4862135f5dec89c95f3ab997e5b2c0ac7141f5f90146cb8b251b1
openswan-debuginfo-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: bac80e38f0ad7edbbe29d9cbd1e3c4f4
    SHA-256: cfadce02c03d3d5756633983657b64f45baf6fc28fd8845e77a7f95373320b4a
openswan-doc-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 4ca39063564efffc89333a4dda42197d
    SHA-256: 1a1f6529f6897d5f947e9d84ce8d520769db6a8de5232761527c5216d6cc3acb

x86_64:
openswan-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 2348a96d950d127ec8379816f1126376
    SHA-256: 857cf3ee8bd0eb77f81c9b430c7b734aa67a48f23d35c142cdffcdd45d2bf5a7
openswan-debuginfo-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 318d088b0199703c28c427e44ad3f916
    SHA-256: 86d9dec00b18fa670b7b5a005d925d90936ddc148a60c733098561bc9462aaf8
openswan-doc-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 10ac0622e9b403b9b8575f4856847d69
    SHA-256: cf18e9c98e13ee8dbd7614173186066318ecf2f5d75b627199457dba1ed8c7b6

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
openswan-2.6.32-4.el6.src.rpm
    File outdated by: RHSA-2014:0185
    MD5: b90d9f1e34b3e0b5c1be3d4936a25f70
    SHA-256: 3fa6b02063219998de2a505d3efc4d78b8f2856917c45f5f2d8c78c56ec1148f

IA-32:
openswan-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 887baa87cac95403fef1ba619ad33fda
    SHA-256: bf19697dfeb4862135f5dec89c95f3ab997e5b2c0ac7141f5f90146cb8b251b1
openswan-debuginfo-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: bac80e38f0ad7edbbe29d9cbd1e3c4f4
    SHA-256: cfadce02c03d3d5756633983657b64f45baf6fc28fd8845e77a7f95373320b4a
openswan-doc-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 4ca39063564efffc89333a4dda42197d
    SHA-256: 1a1f6529f6897d5f947e9d84ce8d520769db6a8de5232761527c5216d6cc3acb

PPC:
openswan-2.6.32-4.el6.ppc64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 8b9bbb6234d8ce56e7d5e18657acbeae
    SHA-256: 176e8be9736f28867778b03a629c64646670a942939147a436aedc2c8bb1af45
openswan-debuginfo-2.6.32-4.el6.ppc64.rpm
    File outdated by: RHSA-2014:0185
    MD5: c4c90d1996f95e663ed88aef6d6b5fc5
    SHA-256: b80fdc811254e565933c710fe9ef07b2eb758427dd961dae5c7ef06b0071259f
openswan-doc-2.6.32-4.el6.ppc64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 623480191ada3ad4ba095566f5c762e8
    SHA-256: 6bd7bea4560835cce7fac801bcd1bc3f10ade313a86a8e207f14377fc5efca26

s390x:
openswan-2.6.32-4.el6.s390x.rpm
    File outdated by: RHSA-2014:0185
    MD5: 8ad2f0118e5967205a867f37f16bc1a3
    SHA-256: 16eea6e4e2c5679fcf48976d504b38a6c91e52db1e619e406ec5bc4d8342e90f
openswan-debuginfo-2.6.32-4.el6.s390x.rpm
    File outdated by: RHSA-2014:0185
    MD5: 8a197b2c27f2bea6b8f03e10273a2864
    SHA-256: 401af05c517224d496a2a2eb098d8ae89b6204e83f9a9ac543d4859d0487a853
openswan-doc-2.6.32-4.el6.s390x.rpm
    File outdated by: RHSA-2014:0185
    MD5: 5ca6fa993994684c69699afda638dbd9
    SHA-256: bd1260e8aefa1b3997a10128eb67838d5240bbfcd16d201ce58138b010ff731b

x86_64:
openswan-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 2348a96d950d127ec8379816f1126376
    SHA-256: 857cf3ee8bd0eb77f81c9b430c7b734aa67a48f23d35c142cdffcdd45d2bf5a7
openswan-debuginfo-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 318d088b0199703c28c427e44ad3f916
    SHA-256: 86d9dec00b18fa670b7b5a005d925d90936ddc148a60c733098561bc9462aaf8
openswan-doc-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 10ac0622e9b403b9b8575f4856847d69
    SHA-256: cf18e9c98e13ee8dbd7614173186066318ecf2f5d75b627199457dba1ed8c7b6

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
openswan-2.6.32-4.el6.src.rpm
    File outdated by: RHSA-2014:0185
    MD5: b90d9f1e34b3e0b5c1be3d4936a25f70
    SHA-256: 3fa6b02063219998de2a505d3efc4d78b8f2856917c45f5f2d8c78c56ec1148f

IA-32:
openswan-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 887baa87cac95403fef1ba619ad33fda
    SHA-256: bf19697dfeb4862135f5dec89c95f3ab997e5b2c0ac7141f5f90146cb8b251b1
openswan-debuginfo-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: bac80e38f0ad7edbbe29d9cbd1e3c4f4
    SHA-256: cfadce02c03d3d5756633983657b64f45baf6fc28fd8845e77a7f95373320b4a
openswan-doc-2.6.32-4.el6.i686.rpm
    File outdated by: RHSA-2014:0185
    MD5: 4ca39063564efffc89333a4dda42197d
    SHA-256: 1a1f6529f6897d5f947e9d84ce8d520769db6a8de5232761527c5216d6cc3acb

x86_64:
openswan-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 2348a96d950d127ec8379816f1126376
    SHA-256: 857cf3ee8bd0eb77f81c9b430c7b734aa67a48f23d35c142cdffcdd45d2bf5a7
openswan-debuginfo-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 318d088b0199703c28c427e44ad3f916
    SHA-256: 86d9dec00b18fa670b7b5a005d925d90936ddc148a60c733098561bc9462aaf8
openswan-doc-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 10ac0622e9b403b9b8575f4856847d69
    SHA-256: cf18e9c98e13ee8dbd7614173186066318ecf2f5d75b627199457dba1ed8c7b6

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

621790 - [TAHI]openswan doesn't support auth alg with "ESP=3DES-CBC HMAC-SHA2-256" in transport mode
628879 - init script searches cwd which can cause SELinux denials
642722 - Openswan does not have RELRO ELF flag set
642724 - Openswan rebase to the latest upstream version
646718 - [IPv6][TAHI]interoperation issue in transport mode between openswan and racoon2
668785 - Openswan modifications needed for bz 659709
681974 - Openswan's current IKEv2 implementation does not correctly process ICMPv6 Selectors for Type and Code
683604 - Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway.



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
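For a package fetched outside of Red Hat Network, the listing above and the package signature give two independent checks before installation. The following shell script is an added example, not Red Hat tooling: it parses the advisory's own "package name / SHA-256:" listing layout (the x86_64 entries are copied from the Server section above), compares a downloaded RPM against the listed SHA-256, and only then runs the rpm -K signature check. The verify_package function, its exit codes and the placeholder download path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded RPM against the
# SHA-256 recorded in this advisory, then check its GPG signature.

# Listing copied from the advisory's x86_64 Server entries, in the advisory's
# own layout. The MD5 lines are carried along but deliberately not used: the
# SHA-256 is the value worth comparing.
ADVISORY_LISTING='openswan-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 2348a96d950d127ec8379816f1126376
    SHA-256: 857cf3ee8bd0eb77f81c9b430c7b734aa67a48f23d35c142cdffcdd45d2bf5a7
openswan-debuginfo-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 318d088b0199703c28c427e44ad3f916
    SHA-256: 86d9dec00b18fa670b7b5a005d925d90936ddc148a60c733098561bc9462aaf8
openswan-doc-2.6.32-4.el6.x86_64.rpm
    File outdated by: RHSA-2014:0185
    MD5: 10ac0622e9b403b9b8575f4856847d69
    SHA-256: cf18e9c98e13ee8dbd7614173186066318ecf2f5d75b627199457dba1ed8c7b6'

# expected_sha256 LISTING NAME -> prints the SHA-256 recorded for NAME, or
# nothing if NAME is not in the listing. A line ending in .rpm starts a new
# package entry; the first "SHA-256:" line after the matching entry wins.
expected_sha256() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /\.rpm$/ { want = ($0 == name); next }
        want && $1 == "SHA-256:" { print $2; exit }'
}

# verify_sha256 FILE EXPECTED -> exit 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# verify_package LISTING PATH -> 2 if PATH is not in the listing, 1 on a hash
# mismatch, otherwise the exit status of the GPG signature check. rpm -K needs
# Red Hat's package-signing key imported (see the key URL in the advisory).
verify_package() {
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in advisory" >&2
        return 2
    fi
    if ! verify_sha256 "$2" "$want"; then
        echo "$name: SHA-256 mismatch, do not install" >&2
        return 1
    fi
    rpm -K "$2"
}

# Usage (placeholder path, assumption):
#   verify_package "$ADVISORY_LISTING" ./downloads/openswan-2.6.32-4.el6.x86_64.rpm
```

Checking the hash first means a corrupted or substituted file is rejected before rpm parses it at all; the signature check then confirms that the package, and not merely this copy of the advisory, came from Red Hat.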

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/