- Issued: 2011-12-06
- Updated: 2011-12-06
RHBA-2011:1761 - Bug Fix Advisory
Synopsis
openswan bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
An updated openswan package that fixes several bugs and adds one enhancement is
now available for Red Hat Enterprise Linux 6.
Description
Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE
(Internet Key Exchange) for Linux. The openswan package contains the daemons and
user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec
kernel stack that exists in the default Linux kernel. Openswan 2.6.x also
supports IKEv2 (RFC4306).
This update fixes the following bugs:
- Openswan did not handle protocol and port configuration correctly if the ports
were defined and the host was defined with its hostname instead of its IP
address. This update solves this issue, and Openswan now correctly sets up
policies with the correct protocol and port under such circumstances.
(BZ#703473)
- Prior to this update, very large security label strings received from a peer
were being truncated. The truncated string was then still used. However, this
truncated string could turn out to be a valid string, leading to an incorrect
policy. Additionally, erroneous queuing of on-demand requests to set up an
IPsec connection was discovered in the IKEv2 (Internet Key Exchange) code.
Although not harmful, it was not the intended design. This update fixes both of
these bugs and Openswan now handles the IKE setup correctly. (BZ#703985)
- Previously, Openswan failed to set up AH (Authentication Header) mode security
associations (SAs). This was because Openswan was erroneously processing the AH
mode as if it were the ESP (Encapsulating Security Payload) mode and was
expecting an encryption key. This update fixes this bug and it is now possible
to set up AH mode SAs properly. (BZ#704548)
- IPsec connections over a loopback interface did not work properly when a
specific port was configured. This was because incomplete IPsec policies were
being set up, leading to connection failures. This update fixes this bug and
complete policies are now established correctly. (BZ#711975)
- Openswan failed to support retrieving Certificate Revocation Lists (CRLs) from
HTTP or LDAP CRL Distribution Points (CDPs) because the flags for enabling CRL
functionality were disabled on compilation. With this update, the flags have
been enabled and the CRL functionality is available as expected. (BZ#737975)
- Openswan failed to discover some certificates. This happened because the
README.x509 file contained incorrect information on the directories to be
scanned for certification files and some directories failed to be scanned. With
this update, the file has been modified to provide accurate information.
(BZ#737976)
- The Network Manager padlock icon was not cleared after a VPN connection
terminated unexpectedly. This update fixes the bug and the padlock icon is
cleared when a VPN connection is terminated as expected. (BZ#738385)
- Openswan sent wrong IKEv2 (Internet Key Exchange) ICMP (Internet Control
Message Protocol) selectors to an IPsec destination. This happened due to an
incorrect conversion of the host to network byte order. This update fixes this
bug and Openswan now sends correct ICMP selectors. (BZ#742632)
- The Pluto daemon terminated unexpectedly with a segmentation fault after an IP
address had been removed from one end of an established IPsec tunnel. This
occurred if the other end of the tunnel attempted to reuse the particular IP
address to create a new tunnel as the previous tunnel failed to close properly.
With this update, such a tunnel is closed properly and the problem no longer
occurs. (BZ#749605)
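The security label truncation described under BZ#703985, shown as an added example that is not Openswan's code: a copy routine that silently cuts an oversized label can turn a peer's label into a different, valid one, while a strict routine refuses it. The buffer size, function names and SELinux-style labels are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 32  /* hypothetical limit for this example, not Openswan's real buffer size */

/* Constructed sample: a label the local policy knows, and a longer one sent by a peer. */
static const char LOCAL_LABEL[] = "system_u:object_r:vpn_t:s0:c100";
static const char PEER_LABEL[]  = "system_u:object_r:vpn_t:s0:c100,c200";

/* Pre-fix pattern: an oversized label is cut to fit and the call still succeeds. */
int label_copy_truncating(char dst[LABEL_MAX], const char *src, size_t len)
{
    size_t n = len < LABEL_MAX - 1 ? len : LABEL_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened pattern: a label that is empty, too long, or contains a NUL is refused. */
int label_copy_strict(char dst[LABEL_MAX], const char *src, size_t len)
{
    if (len == 0 || len >= LABEL_MAX || memchr(src, '\0', len) != NULL)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Returns 1 if the truncating copy turns the peer's label into LOCAL_LABEL. */
int truncation_aliases_local_label(void)
{
    char buf[LABEL_MAX];
    label_copy_truncating(buf, PEER_LABEL, strlen(PEER_LABEL));
    return strcmp(buf, LOCAL_LABEL) == 0;
}

int main(void)
{
    char buf[LABEL_MAX];
    printf("truncating copy aliases local label: %d\n", truncation_aliases_local_label());
    printf("strict copy of peer label:  %d\n",
           label_copy_strict(buf, PEER_LABEL, strlen(PEER_LABEL)));
    printf("strict copy of local label: %d\n",
           label_copy_strict(buf, LOCAL_LABEL, strlen(LOCAL_LABEL)));
    return 0;
}
```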
In addition, this update adds the following enhancement:
- When run, the "ipsec barf" and "ipsec verify" commands load new kernel modules,
which influences the system configuration. This update adds the "iptable-save"
command, which uses only iptables and does not load kernel modules. (BZ#737973)
Users are advised to upgrade to this updated openswan package, which fixes these
bugs and adds the enhancement.
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 6 x86_64
- Red Hat Enterprise Linux Server 6 i386
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
- Red Hat Enterprise Linux Workstation 6 x86_64
- Red Hat Enterprise Linux Workstation 6 i386
- Red Hat Enterprise Linux Desktop 6 x86_64
- Red Hat Enterprise Linux Desktop 6 i386
- Red Hat Enterprise Linux for IBM z Systems 6 s390x
- Red Hat Enterprise Linux for Power, big endian 6 ppc64
- Red Hat Enterprise Linux Server from RHUI 6 x86_64
- Red Hat Enterprise Linux Server from RHUI 6 i386
- Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
- Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support 6 x86_64
Fixes
- BZ - 703473 - Protocol ports does not work if hostname is given instead of ipaddress with Openswan
- BZ - 703985 - Implementation issues found during Openswan code review for CCC evaluation
- BZ - 704548 - AH protocol broken with Openswan
- BZ - 711975 - incomplete policy for loopback when using *protoport=X/Y
- BZ - 738385 - Doesn't work as an indicator of the VPN connection
- BZ - 742632 - Openswan sends wrong ikev2 icmp selectors in its packets
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
i386 | |
openswan-2.6.32-9.el6.i686.rpm | SHA-256: ae87c3ae3489f74692a96134577d9b1b337f1361d7d5290376ae1bbde60ad709 |
openswan-debuginfo-2.6.32-9.el6.i686.rpm | SHA-256: ff455f1694e41677b12b056c9cfbb132aeaf2a8de6cbb5aa307a6e897d97d937 |
openswan-doc-2.6.32-9.el6.i686.rpm | SHA-256: 466bb309aee899582a53c455d8687a772dd0b88fe576771241d5288bbef089ab |
Red Hat Enterprise Linux Server - Extended Life Cycle Support 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
i386 | |
openswan-2.6.32-9.el6.i686.rpm | SHA-256: ae87c3ae3489f74692a96134577d9b1b337f1361d7d5290376ae1bbde60ad709 |
openswan-debuginfo-2.6.32-9.el6.i686.rpm | SHA-256: ff455f1694e41677b12b056c9cfbb132aeaf2a8de6cbb5aa307a6e897d97d937 |
openswan-doc-2.6.32-9.el6.i686.rpm | SHA-256: 466bb309aee899582a53c455d8687a772dd0b88fe576771241d5288bbef089ab |
Red Hat Enterprise Linux Workstation 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
i386 | |
openswan-2.6.32-9.el6.i686.rpm | SHA-256: ae87c3ae3489f74692a96134577d9b1b337f1361d7d5290376ae1bbde60ad709 |
openswan-debuginfo-2.6.32-9.el6.i686.rpm | SHA-256: ff455f1694e41677b12b056c9cfbb132aeaf2a8de6cbb5aa307a6e897d97d937 |
openswan-doc-2.6.32-9.el6.i686.rpm | SHA-256: 466bb309aee899582a53c455d8687a772dd0b88fe576771241d5288bbef089ab |
Red Hat Enterprise Linux Desktop 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
i386 | |
openswan-2.6.32-9.el6.i686.rpm | SHA-256: ae87c3ae3489f74692a96134577d9b1b337f1361d7d5290376ae1bbde60ad709 |
openswan-debuginfo-2.6.32-9.el6.i686.rpm | SHA-256: ff455f1694e41677b12b056c9cfbb132aeaf2a8de6cbb5aa307a6e897d97d937 |
openswan-doc-2.6.32-9.el6.i686.rpm | SHA-256: 466bb309aee899582a53c455d8687a772dd0b88fe576771241d5288bbef089ab |
Red Hat Enterprise Linux for IBM z Systems 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
s390x | |
openswan-2.6.32-9.el6.s390x.rpm | SHA-256: d93dcf644d5166f0368c24629d72fff215c85512f9efc6125e41e97a53a05251 |
openswan-debuginfo-2.6.32-9.el6.s390x.rpm | SHA-256: 45e4e9957bbb8b78af58d1e7757a6469f8090d9b6a8561e57de794cd4cc0c226 |
openswan-doc-2.6.32-9.el6.s390x.rpm | SHA-256: 6419f3f5bb90bd1ff08dc201a96bfbb1158c519b087f3c77a5810ff74ac11e75 |
Red Hat Enterprise Linux for Power, big endian 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
ppc64 | |
openswan-2.6.32-9.el6.ppc64.rpm | SHA-256: 2b21cfb0304a876823d0578bd9773ff4e755558fdf26f20e807ba8b8c916da2f |
openswan-debuginfo-2.6.32-9.el6.ppc64.rpm | SHA-256: 16f7e61fac19dc5148bf037e09b8cd4bc46612517a8cb767fd01ac413043fdf2 |
openswan-doc-2.6.32-9.el6.ppc64.rpm | SHA-256: 1fe1c2162447d5d01b2183ab293bf7ebf8cb60ba0d35138c71a1b7eab3339758 |
Red Hat Enterprise Linux Server from RHUI 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
i386 | |
openswan-2.6.32-9.el6.i686.rpm | SHA-256: ae87c3ae3489f74692a96134577d9b1b337f1361d7d5290376ae1bbde60ad709 |
openswan-debuginfo-2.6.32-9.el6.i686.rpm | SHA-256: ff455f1694e41677b12b056c9cfbb132aeaf2a8de6cbb5aa307a6e897d97d937 |
openswan-doc-2.6.32-9.el6.i686.rpm | SHA-256: 466bb309aee899582a53c455d8687a772dd0b88fe576771241d5288bbef089ab |
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
s390x | |
openswan-2.6.32-9.el6.s390x.rpm | SHA-256: d93dcf644d5166f0368c24629d72fff215c85512f9efc6125e41e97a53a05251 |
openswan-debuginfo-2.6.32-9.el6.s390x.rpm | SHA-256: 45e4e9957bbb8b78af58d1e7757a6469f8090d9b6a8561e57de794cd4cc0c226 |
openswan-doc-2.6.32-9.el6.s390x.rpm | SHA-256: 6419f3f5bb90bd1ff08dc201a96bfbb1158c519b087f3c77a5810ff74ac11e75 |
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support 6
SRPM | |
---|---|
openswan-2.6.32-9.el6.src.rpm | SHA-256: a9bf1c79e4df8a7d6cc410780c1aa46751ad05b8eff1916b4628e10e8086a739 |
x86_64 | |
openswan-2.6.32-9.el6.x86_64.rpm | SHA-256: 3fe396e80d98cd2113effa774739754f94def03e8854f89910c2fe848b97e93d |
openswan-debuginfo-2.6.32-9.el6.x86_64.rpm | SHA-256: 3aa09fe7dbfcec4224bc93bb8ac47099ea4ff723e12d65b28d8dcd1a4c7ef710 |
openswan-doc-2.6.32-9.el6.x86_64.rpm | SHA-256: dc26b5b2587e2532ff1c8fd8ad4e0d3d500e1456de89c39ccdd4b316f802a0b7 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.