Security Advisory Important: ipsec-tools security update

Advisory: RHSA-2008:0849-5
Type: Security Advisory
Severity: Important
Issued on: 2008-08-26
Last updated on: 2008-08-26
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux EUS (v. 5.2.z server)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080849.xml
CVEs (cve.mitre.org): CVE-2008-3651
CVE-2008-3652

Details

An updated ipsec-tools package that fixes two security issues is now
available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The ipsec-tools package is used in conjunction with the IPsec functionality
in the Linux kernel and includes racoon, an IKEv1 keying daemon.

Two denial of service flaws were found in the ipsec-tools racoon daemon. It
was possible for a remote attacker to cause the racoon daemon to consume
all available memory. (CVE-2008-3651, CVE-2008-3652)

Users of ipsec-tools should upgrade to this updated package, which contains
backported patches that resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
ipsec-tools-0.2.5-0.7.rhel3.5.src.rpm     43b62917d476c93f333d4dbca244cda2
 
IA-32:
ipsec-tools-0.2.5-0.7.rhel3.5.i386.rpm     c15ef46ffddbf3e2e81dd7ac3745aaf8
 
x86_64:
ipsec-tools-0.2.5-0.7.rhel3.5.x86_64.rpm     e3d28dbefef37ffef00a5797434c42e7
 
Red Hat Desktop (v. 4)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
ipsec-tools-0.6.5-9.el5_2.3.src.rpm
File outdated by:  RHSA-2009:1036		     42089b3ed60ba87496cdfd28a5db18e1
 
IA-32:
ipsec-tools-0.6.5-9.el5_2.3.i386.rpm
File outdated by:  RHSA-2009:1036		     f60db238cc520f8dffc32f9bd04e47ec
 
IA-64:
ipsec-tools-0.6.5-9.el5_2.3.ia64.rpm
File outdated by:  RHSA-2009:1036		     42156a2a9298ed680956d1ee0861f228
 
PPC:
ipsec-tools-0.6.5-9.el5_2.3.ppc.rpm
File outdated by:  RHSA-2009:1036		     b2ab36e6fd92afd340c9adfd6fbaf3a8
 
s390x:
ipsec-tools-0.6.5-9.el5_2.3.s390x.rpm
File outdated by:  RHSA-2009:1036		     7484fd4389f98072b6b3598b4d43b09a
 
x86_64:
ipsec-tools-0.6.5-9.el5_2.3.x86_64.rpm
File outdated by:  RHSA-2009:1036		     2a8a07f1aa7da017f4ce8a7a8fae4305
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
ipsec-tools-0.2.5-0.7.rhel3.5.src.rpm     43b62917d476c93f333d4dbca244cda2
 
IA-32:
ipsec-tools-0.2.5-0.7.rhel3.5.i386.rpm     c15ef46ffddbf3e2e81dd7ac3745aaf8
 
IA-64:
ipsec-tools-0.2.5-0.7.rhel3.5.ia64.rpm     0a707a16c2dc3b00bb4ebe619509a81d
 
PPC:
ipsec-tools-0.2.5-0.7.rhel3.5.ppc.rpm     9006ebe1005542a051979d477504ad9c
 
s390:
ipsec-tools-0.2.5-0.7.rhel3.5.s390.rpm     c7426b5683dd620175ad8894ae59cf87
 
s390x:
ipsec-tools-0.2.5-0.7.rhel3.5.s390x.rpm     254e3aa7ad7742ed4c37c01f88f09bc3
 
x86_64:
ipsec-tools-0.2.5-0.7.rhel3.5.x86_64.rpm     e3d28dbefef37ffef00a5797434c42e7
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
IA-64:
ipsec-tools-0.3.3-7.el4_7.ia64.rpm     a9737304c05b07ae239abeae44b3d5de
 
PPC:
ipsec-tools-0.3.3-7.el4_7.ppc.rpm     c3ab69eb34114d3ba5e3bf4fc28003f2
 
s390:
ipsec-tools-0.3.3-7.el4_7.s390.rpm     8766f60c0bcf2e4c1af529111c8670dd
 
s390x:
ipsec-tools-0.3.3-7.el4_7.s390x.rpm     151b7a11f940b1cf05919ca06587126b
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
Red Hat Enterprise Linux AS (v. 4.7.z)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
IA-64:
ipsec-tools-0.3.3-7.el4_7.ia64.rpm     a9737304c05b07ae239abeae44b3d5de
 
PPC:
ipsec-tools-0.3.3-7.el4_7.ppc.rpm     c3ab69eb34114d3ba5e3bf4fc28003f2
 
s390:
ipsec-tools-0.3.3-7.el4_7.s390.rpm     8766f60c0bcf2e4c1af529111c8670dd
 
s390x:
ipsec-tools-0.3.3-7.el4_7.s390x.rpm     151b7a11f940b1cf05919ca06587126b
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
ipsec-tools-0.6.5-9.el5_2.3.src.rpm
File outdated by:  RHSA-2009:1036		     42089b3ed60ba87496cdfd28a5db18e1
 
IA-32:
ipsec-tools-0.6.5-9.el5_2.3.i386.rpm
File outdated by:  RHSA-2009:1036		     f60db238cc520f8dffc32f9bd04e47ec
 
x86_64:
ipsec-tools-0.6.5-9.el5_2.3.x86_64.rpm
File outdated by:  RHSA-2009:1036		     2a8a07f1aa7da017f4ce8a7a8fae4305
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
ipsec-tools-0.2.5-0.7.rhel3.5.src.rpm     43b62917d476c93f333d4dbca244cda2
 
IA-32:
ipsec-tools-0.2.5-0.7.rhel3.5.i386.rpm     c15ef46ffddbf3e2e81dd7ac3745aaf8
 
IA-64:
ipsec-tools-0.2.5-0.7.rhel3.5.ia64.rpm     0a707a16c2dc3b00bb4ebe619509a81d
 
x86_64:
ipsec-tools-0.2.5-0.7.rhel3.5.x86_64.rpm     e3d28dbefef37ffef00a5797434c42e7
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
IA-64:
ipsec-tools-0.3.3-7.el4_7.ia64.rpm     a9737304c05b07ae239abeae44b3d5de
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
Red Hat Enterprise Linux ES (v. 4.7.z)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
IA-64:
ipsec-tools-0.3.3-7.el4_7.ia64.rpm     a9737304c05b07ae239abeae44b3d5de
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
Red Hat Enterprise Linux EUS (v. 5.2.z server)
SRPMS:
ipsec-tools-0.6.5-9.el5_2.3.src.rpm
File outdated by:  RHSA-2009:1036		     42089b3ed60ba87496cdfd28a5db18e1
 
IA-32:
ipsec-tools-0.6.5-9.el5_2.3.i386.rpm     f60db238cc520f8dffc32f9bd04e47ec
 
IA-64:
ipsec-tools-0.6.5-9.el5_2.3.ia64.rpm     42156a2a9298ed680956d1ee0861f228
 
PPC:
ipsec-tools-0.6.5-9.el5_2.3.ppc.rpm     b2ab36e6fd92afd340c9adfd6fbaf3a8
 
s390x:
ipsec-tools-0.6.5-9.el5_2.3.s390x.rpm     7484fd4389f98072b6b3598b4d43b09a
 
x86_64:
ipsec-tools-0.6.5-9.el5_2.3.x86_64.rpm     2a8a07f1aa7da017f4ce8a7a8fae4305
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
ipsec-tools-0.2.5-0.7.rhel3.5.src.rpm     43b62917d476c93f333d4dbca244cda2
 
IA-32:
ipsec-tools-0.2.5-0.7.rhel3.5.i386.rpm     c15ef46ffddbf3e2e81dd7ac3745aaf8
 
IA-64:
ipsec-tools-0.2.5-0.7.rhel3.5.ia64.rpm     0a707a16c2dc3b00bb4ebe619509a81d
 
x86_64:
ipsec-tools-0.2.5-0.7.rhel3.5.x86_64.rpm     e3d28dbefef37ffef00a5797434c42e7
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
ipsec-tools-0.3.3-7.el4_7.src.rpm     57eec905f89a436d3061bfb04f9a9d93
 
IA-32:
ipsec-tools-0.3.3-7.el4_7.i386.rpm     734d4d91a188210f16532fb7afcc1d5a
 
IA-64:
ipsec-tools-0.3.3-7.el4_7.ia64.rpm     a9737304c05b07ae239abeae44b3d5de
 
x86_64:
ipsec-tools-0.3.3-7.el4_7.x86_64.rpm     b68d9392bddf985fa2f5835854436e3a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

456660 - CVE-2008-3651 ipsec-tools: racoon memory leak caused by invalid proposals
458846 - CVE-2008-3652 ipsec-tools: racoon orphaned ph1s memory leak


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3652
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/