Bug Fix Advisory openswan bug fix update

Advisory: RHBA-2011:0961-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-07-19
Last updated on: 2011-07-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.1.z)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated openswan packages that resolve several issues are now available for Red
Hat Enterprise Linux 6.

Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for
Linux. The openswan package contains the daemons and user space tools for
setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists
in the default Linux kernel. Openswan 2.6.x also supports IKEv2 (RFC4306).

These updated openswan packages provide fixes for the following bugs:

* Openswan did not handle the protocol and port (leftprotoport) configuration
correctly if the hostname parameter was configured instead of the ipaddress
parameter. This update solves this issue, and Openswan now sets up policies
with the correct protocol and port even when the hostname parameter is
configured. (BZ#712112)

* Prior to this update, very large security label strings received from the peer
were being truncated, and the truncated string was then still used. Under rare
circumstances, this truncated string could turn out to be a valid string,
leading to an incorrect policy. Additionally, erroneous queuing of on-demand
requests to set up an IPsec connection was discovered in the IKEv2 (Internet
Key Exchange) code. Although not harmful, it was not the intended design. This
update fixes both of these issues, and Openswan now correctly handles the IKE
setup. (BZ#712114)

* Previously, Openswan failed to set up AH (Authentication Header) mode security
associations (SAs). This was because Openswan was erroneously processing the AH
mode as if it were the ESP (Encapsulating Security Payload) mode, and was
expecting an encryption key. This update fixes this issue, and it is now
possible to properly set up AH mode SAs. (BZ#712168)

* IPsec connections over a loopback interface did not work properly when a
specific port was configured. This was because incomplete IPsec policies were
being set up, leading to connection failures. This update fixes this issue, and
complete policies are now correctly established. (BZ#718078)

All users of openswan are advised to upgrade to these updated packages, which
resolve these issues.
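
The security-label truncation issue (BZ#712114) described above, shown as an added example that is not Openswan's code: a receive path that silently truncates an oversized label next to one that rejects it before any policy lookup. The buffer size, label strings and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size: 28 characters + NUL. Real label limits are far larger. */
#define LABEL_BUF 29

/* Constructed policy: the only label the local side permits. */
static const char ALLOWED_LABEL[] = "system_u:object_r:ipsec_t:s0";
/* Constructed peer label: longer than the buffer and NOT permitted. */
static const char PEER_LABEL[] = "system_u:object_r:ipsec_t:s0-s15:c0.c1023";

static int label_is_allowed(const char *label)
{
    return strcmp(label, ALLOWED_LABEL) == 0;
}

/* Behaviour the advisory describes: keep what fits, then use it anyway. */
static int accept_label_truncating(const char *wire, size_t len, char out[LABEL_BUF])
{
    size_t n = len < LABEL_BUF - 1 ? len : LABEL_BUF - 1; /* silent truncation */
    memcpy(out, wire, n);
    out[n] = '\0';
    return label_is_allowed(out);
}

/* Hardened form: an oversized, empty or NUL-containing label is rejected
 * before any policy lookup, so a prefix can never stand in for the whole. */
static int accept_label_strict(const char *wire, size_t len, char out[LABEL_BUF])
{
    out[0] = '\0';
    if (len == 0 || len >= LABEL_BUF || memchr(wire, '\0', len) != NULL)
        return 0;
    memcpy(out, wire, len);
    out[len] = '\0';
    return label_is_allowed(out);
}

int main(void)
{
    char out[LABEL_BUF];
    int weak = accept_label_truncating(PEER_LABEL, strlen(PEER_LABEL), out);
    printf("truncating: accepted=%d label=\"%s\"\n", weak, out);
    int strict = accept_label_strict(PEER_LABEL, strlen(PEER_LABEL), out);
    printf("strict:     accepted=%d\n", strict);
    return 0;
}
```

The truncating path accepts the peer's label because its first 28 characters happen to equal the permitted label; the strict path rejects it on length alone.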


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
openswan-2.6.32-4.el6_1.1.src.rpm
File outdated by: RHSA-2014:0185

IA-32:
openswan-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185

x86_64:
openswan-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
openswan-2.6.32-4.el6_1.1.src.rpm
File outdated by: RHSA-2014:0185

IA-32:
openswan-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185

PPC:
openswan-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2014:0185

s390x:
openswan-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2014:0185

x86_64:
openswan-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
 
Red Hat Enterprise Linux Server EUS (v. 6.1.z)

SRPMS:
openswan-2.6.32-4.el6_1.1.src.rpm
File outdated by: RHSA-2014:0185

IA-32:
openswan-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2011:1422
openswan-debuginfo-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2011:1422
openswan-doc-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2011:1422

PPC:
openswan-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2011:1422
openswan-debuginfo-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2011:1422
openswan-doc-2.6.32-4.el6_1.1.ppc64.rpm
File outdated by: RHSA-2011:1422

s390x:
openswan-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2011:1422
openswan-debuginfo-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2011:1422
openswan-doc-2.6.32-4.el6_1.1.s390x.rpm
File outdated by: RHSA-2011:1422

x86_64:
openswan-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2011:1422
openswan-debuginfo-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2011:1422
openswan-doc-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2011:1422
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
openswan-2.6.32-4.el6_1.1.src.rpm
File outdated by: RHSA-2014:0185

IA-32:
openswan-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.i686.rpm
File outdated by: RHSA-2014:0185

x86_64:
openswan-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-debuginfo-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
openswan-doc-2.6.32-4.el6_1.1.x86_64.rpm
File outdated by: RHSA-2014:0185
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

712112 - Protocol ports does not work if hostname is given instead of ipaddress with Openswan
712114 - Implementation issues found during Openswan code review for CCC evaluation
712168 - AH protocol broken with Openswan
718078 - incomplete policy for loopback when using *protoport=X/Y



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/