
Bug Fix Advisory openswan bug fix and enhancement update

Advisory: RHBA-2011:1761-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-12-06
Last updated on: 2011-12-06
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

An updated openswan package that fixes several bugs and adds one enhancement is
now available for Red Hat Enterprise Linux 6.

Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE
(Internet Key Exchange) for Linux. The openswan package contains the daemons and
user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec
kernel stack that exists in the default Linux kernel. Openswan 2.6.x also
supports IKEv2 (RFC4306).

This update fixes the following bugs:

* Openswan did not handle protocol and port configuration correctly if ports
were defined and the host was specified by hostname instead of by IP address.
This update resolves the issue, and Openswan now sets up policies with the
correct protocol and port in such cases. (BZ#703473)

* Prior to this update, very large security label strings received from a peer
were truncated, and the truncated string was then used anyway. Because the
truncated string could still parse as a valid label, this could lead to an
incorrect policy being installed. Additionally, erroneous queuing of on-demand
requests to set up an IPsec connection was discovered in the IKEv2 (Internet
Key Exchange) code; although not harmful, it was not the intended design. This
update fixes both bugs and Openswan now handles IKE setup correctly.
(BZ#703985)
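The truncate-then-use pattern described above, shown as an added example that is not Openswan code: a constructed peer label is copied into a fixed-size buffer (the buffer size and the label text are assumptions chosen for illustration), and the cut-off result is a shorter label that still looks valid but has lost its category restrictions. The strict variant accepts a label only when it fits completely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size label buffer; the size is chosen for this example. */
#define LABEL_MAX 27

/* Truncate-and-use: the pre-update behaviour the advisory describes.
   Copies at most LABEL_MAX-1 bytes and silently drops the rest.
   Returns the number of bytes actually installed. */
size_t label_truncating(const unsigned char *in, size_t inlen, char out[LABEL_MAX]) {
    size_t n = inlen < (size_t)(LABEL_MAX - 1) ? inlen : (size_t)(LABEL_MAX - 1);
    memcpy(out, in, n);
    out[n] = '\0';
    return n;
}

/* Reject-on-overflow: the label is installed only if it fits entirely and
   contains no embedded NUL; otherwise nothing is written and false returned. */
bool label_strict(const unsigned char *in, size_t inlen, char out[LABEL_MAX]) {
    if (inlen == 0 || inlen > (size_t)(LABEL_MAX - 1)) return false;
    if (memchr(in, '\0', inlen) != NULL) return false;
    memcpy(out, in, inlen);
    out[inlen] = '\0';
    return true;
}

/* Constructed peer payload (32 bytes): a context with MLS categories.
   Truncating to 26 bytes yields "staff_u:staff_r:staff_t:s0", a valid-looking
   label that is broader than what the peer actually sent. */
static const char PEER_LABEL[] = "staff_u:staff_r:staff_t:s0:c1,c2";

int main(void) {
    char buf[LABEL_MAX];
    const unsigned char *p = (const unsigned char *)PEER_LABEL;
    size_t len = sizeof PEER_LABEL - 1;

    label_truncating(p, len, buf);
    printf("truncated label installed: %s\n", buf);
    printf("strict handling accepted it: %s\n", label_strict(p, len, buf) ? "yes" : "no");
    return 0;
}
```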

* Previously, Openswan failed to set up AH (Authentication Header) mode security
associations (SAs). This was because Openswan was erroneously processing the AH
mode as if it were the ESP (Encapsulating Security Payload) mode and was
expecting an encryption key. This update fixes this bug and it is now possible
to set up AH mode SAs properly. (BZ#704548)

* IPsec connections over a loopback interface did not work properly when a
specific port was configured. This was because incomplete IPsec policies were
being set up, leading to connection failures. This update fixes this bug and
complete policies are now established correctly. (BZ#711975)

* Openswan failed to support retrieving Certificate Revocation Lists (CRLs) from
HTTP or LDAP CRL Distribution Points (CDPs) because the flags for enabling CRL
functionality were disabled on compilation. With this update, the flags have
been enabled and the CRL functionality is available as expected. (BZ#737975)

* Openswan failed to discover some certificates. This happened because the
README.x509 file contained incorrect information on the directories to be
scanned for certification files and some directories failed to be scanned. With
this update, the file has been modified to provide accurate information.
(BZ#737976)

* The Network Manager padlock icon was not cleared after a VPN connection
terminated unexpectedly. This update fixes the bug and the padlock icon is
cleared when a VPN connection is terminated as expected. (BZ#738385)

* Openswan sent wrong IKEv2 (Internet Key Exchange) ICMP (Internet Control
Message Protocol) selectors to an IPsec destination. This happened due to an
incorrect conversion of the host to network byte order. This update fixes this
bug and Openswan now sends correct ICMP selectors. (BZ#742632)
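An added example, not Openswan code, of the byte-order pitfall behind the ICMP selector bug: RFC 4306 (section 3.13.1) packs the ICMP type into the high octet and the code into the low octet of a traffic selector's 16-bit port field, which is then sent in network byte order like any port. The "raw" writer is a constructed contrast case, not the actual Openswan defect; on a little-endian host it emits the octets swapped, so a peer reads echo request 8/0 as type 0, code 8.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order value of the selector port field for an ICMP type/code pair:
   type in the most significant octet, code in the least significant one. */
uint16_t icmp_port_value(uint8_t type, uint8_t code) {
    return (uint16_t)((type << 8) | code);
}

/* Correct: convert to network byte order before writing to the wire. */
void put_port_net(uint8_t wire[2], uint16_t host_value) {
    uint16_t net = htons(host_value);
    memcpy(wire, &net, 2);
}

/* Constructed faulty variant for contrast: the host-order integer is copied
   as-is, so on little-endian CPUs the type and code octets are swapped. */
void put_port_raw(uint8_t wire[2], uint16_t host_value) {
    memcpy(wire, &host_value, 2);
}

/* Decode as the receiving peer does: first octet on the wire is the type. */
void parse_icmp_selector(const uint8_t wire[2], uint8_t *type, uint8_t *code) {
    *type = wire[0];
    *code = wire[1];
}

int main(void) {
    uint8_t wire[2], type, code;
    uint16_t v = icmp_port_value(8, 0);   /* ICMP echo request */

    put_port_net(wire, v);
    parse_icmp_selector(wire, &type, &code);
    printf("htons: peer sees type %u code %u\n", type, code);

    put_port_raw(wire, v);
    parse_icmp_selector(wire, &type, &code);
    printf("raw:   peer sees type %u code %u\n", type, code);
    return 0;
}
```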

* The Pluto daemon terminated unexpectedly with a segmentation fault after an IP
address had been removed from one end of an established IPsec tunnel. This
occurred if the other end of the tunnel attempted to reuse that IP address to
create a new tunnel while the previous tunnel had failed to close properly.
With this update, such a tunnel is closed properly and the problem no longer
occurs. (BZ#749605)

In addition, this update adds the following enhancement:

* When run, the "ipsec barf" and "ipsec verify" commands load new kernel
modules, which alters the system configuration. This update adds the
"iptable-save" command, which uses only iptables and does not load kernel
modules. (BZ#737973)

Users are advised to upgrade to this updated openswan package, which fixes these
bugs and adds the enhancement.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

All files below are outdated by: RHSA-2014:0185

SRPMS:
openswan-2.6.32-9.el6.src.rpm

IA-32:
openswan-2.6.32-9.el6.i686.rpm
openswan-debuginfo-2.6.32-9.el6.i686.rpm
openswan-doc-2.6.32-9.el6.i686.rpm

x86_64:
openswan-2.6.32-9.el6.x86_64.rpm
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm
openswan-doc-2.6.32-9.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6)

All files below are outdated by: RHSA-2014:0185

SRPMS:
openswan-2.6.32-9.el6.src.rpm

IA-32:
openswan-2.6.32-9.el6.i686.rpm
openswan-debuginfo-2.6.32-9.el6.i686.rpm
openswan-doc-2.6.32-9.el6.i686.rpm

PPC:
openswan-2.6.32-9.el6.ppc64.rpm
openswan-debuginfo-2.6.32-9.el6.ppc64.rpm
openswan-doc-2.6.32-9.el6.ppc64.rpm

s390x:
openswan-2.6.32-9.el6.s390x.rpm
openswan-debuginfo-2.6.32-9.el6.s390x.rpm
openswan-doc-2.6.32-9.el6.s390x.rpm

x86_64:
openswan-2.6.32-9.el6.x86_64.rpm
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm
openswan-doc-2.6.32-9.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6)

All files below are outdated by: RHSA-2014:0185

SRPMS:
openswan-2.6.32-9.el6.src.rpm

IA-32:
openswan-2.6.32-9.el6.i686.rpm
openswan-debuginfo-2.6.32-9.el6.i686.rpm
openswan-doc-2.6.32-9.el6.i686.rpm

x86_64:
openswan-2.6.32-9.el6.x86_64.rpm
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm
openswan-doc-2.6.32-9.el6.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

703473 - Protocol ports does not work if hostname is given instead of ipaddress with Openswan
703985 - Implementation issues found during Openswan code review for CCC evaluation
704548 - AH protocol broken with Openswan
711975 - incomplete policy for loopback when using *protoport=X/Y
738385 - Doesn't work as an indicator of the VPN connection
742632 - Openswan sends wrong ikev2 icmp selectors in its packets



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/