- Issued: 2012-02-20
- Updated: 2012-02-20
RHBA-2012:0211 - Bug Fix Advisory
Synopsis
openswan bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated openswan packages that fix various bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.
Description
Openswan is a free implementation of Internet Protocol Security (IPsec) and
Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both
authentication and encryption services. These services allow you to build secure
tunnels through untrusted networks.
The openswan packages have been upgraded to upstream version 2.6.32, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#698248)
These updated openswan packages provide fixes for the following bugs:
- When an NSS database is created with a password (either in FIPS or non-FIPS
mode), access to a private key (associated with a certificate or a raw public
key) requires authentication. At authentication time, openswan passes the
database password to NSS. Previously, when this happened, openswan also logged
the password to /var/log/secure. The password could also be seen by running
"ipsec barf". With this update, openswan still passes the database password at
authentication time but no longer logs it in any fashion. (BZ#549811)
- The pluto key management daemon terminated unexpectedly with a segmentation
fault when removing a logical IP interface. With this update, the code has been
improved: pluto now withdraws a connection to a dead logical interface cleanly
and no longer crashes in the scenario described. (BZ#609343)
- Due to an error in a buffer initialization, the following message may have
been written to the /var/log/secure log file during the IKE negotiation: "size
([size]) differs from size specified in ISAKMP HDR ([size])". Consequently, the
establishment of secure connections could be significantly delayed. This update
applies an upstream patch that resolves this issue, and the establishment of
IPsec connections is no longer delayed. (BZ#652733)
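The message quoted in the BZ#652733 item reports a mismatch between the size of a received IKE datagram and the length field in its ISAKMP header. The following added example (not openswan code and not part of the original advisory) shows that consistency check on the 28-byte header defined in RFC 2408; the function names, the sample messages and the order of the two sizes in the output string are assumptions made for illustration.

```python
import struct

# Fixed ISAKMP header (RFC 2408, section 3.1): initiator and responder cookies
# (8 bytes each), next payload, version, exchange type, flags (1 byte each),
# message ID and total message length (4 bytes each, network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes


def check_isakmp_length(datagram: bytes):
    """Return (ok, reason) for the header-length consistency check."""
    received = len(datagram)
    if received < ISAKMP_HDR.size:
        return False, "datagram shorter than ISAKMP header (%d bytes)" % received
    declared = ISAKMP_HDR.unpack_from(datagram)[-1]
    if declared != received:
        # Assumed ordering: received size first, declared header length second.
        return False, ("size (%d) differs from size specified in ISAKMP HDR (%d)"
                       % (received, declared))
    return True, "ok"


def build_sample(body: bytes, declared_len=None) -> bytes:
    """Constructed sample: fixed cookies, IKEv1 (0x10), Main Mode (type 2)."""
    total = ISAKMP_HDR.size + len(body)
    length = total if declared_len is None else declared_len
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, length)
    return header + body


if __name__ == "__main__":
    samples = {
        "consistent": build_sample(b"\x00" * 56),
        "length field too large": build_sample(b"\x00" * 56, declared_len=100),
        "truncated header": b"\x00" * 10,
    }
    for name, packet in samples.items():
        print(name, "->", check_isakmp_length(packet))
```
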
In addition, these updated openswan packages provide the following enhancements:
- With this update, the openswan packages now include support for message digest
algorithm HMAC-SHA1-96 as per RFC 2404. (BZ#524191)
- RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards, adds
eight Diffie-Hellman groups (three prime modulus groups and five elliptic curve
groups) to the extant 21 groups set out in previous RFCs (e.g. RFCs 2409, 3526
and 4492) for use with IKE, TLS, SSH and so on.
This update implements groups 22, 23 and 24: a 1024-bit MODular exPonential
(MODP) Group with 160-bit Prime Order Subgroup; a 2048-bit MODP Group with
224-bit Prime Order Subgroup; and a 2048-bit MODP Group with 256-bit Prime Order
Subgroup respectively. (BZ#591104)
Note: implementation of group 24 (a 2048-bit MODP Group with 256-bit Prime Order
Subgroup) is required for US National Institute of Standards and Technology
(NIST) IPv6 compliance and ongoing FIPS-140 certification.
All users of openswan are advised to upgrade to these updated packages, which
fix these bugs and provide these enhancements.
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 524191 - openswan doesn't support HMAC-SHA1-96
- BZ - 549811 - Openswan (pluto) logs NSS password which should not happen
- BZ - 609343 - pluto crashes when removing logical interface
- BZ - 652733 - 2 tunnels (IPv4 and IPv6) do not work together using certs/keys
- BZ - 698248 - Rebase openswan in rhel5.8 with the one (including all patches) in RHEL6.1.
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
x86_64 | |
openswan-2.6.32-3.el5.x86_64.rpm | SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91 |
openswan-doc-2.6.32-3.el5.x86_64.rpm | SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2 |
ia64 | |
openswan-2.6.32-3.el5.ia64.rpm | SHA-256: 784fb041338725847c6fd8b5e95442de175316801f99fe1f7856eb36bcbd7c32 |
openswan-doc-2.6.32-3.el5.ia64.rpm | SHA-256: d1e350c23eacaa9b928f5480e6a695c265b201892c8fda76d98907c48966f133 |
i386 | |
openswan-2.6.32-3.el5.i386.rpm | SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66 |
openswan-doc-2.6.32-3.el5.i386.rpm | SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659 |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
x86_64 | |
openswan-2.6.32-3.el5.x86_64.rpm | SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91 |
openswan-doc-2.6.32-3.el5.x86_64.rpm | SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2 |
i386 | |
openswan-2.6.32-3.el5.i386.rpm | SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66 |
openswan-doc-2.6.32-3.el5.i386.rpm | SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659 |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
x86_64 | |
openswan-2.6.32-3.el5.x86_64.rpm | SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91 |
openswan-doc-2.6.32-3.el5.x86_64.rpm | SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2 |
i386 | |
openswan-2.6.32-3.el5.i386.rpm | SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66 |
openswan-doc-2.6.32-3.el5.i386.rpm | SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659 |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
s390x | |
openswan-2.6.32-3.el5.s390x.rpm | SHA-256: f5c7c379f9556728f295bb250df8f865d68b4451f1eb384300b996c81086a38e |
openswan-doc-2.6.32-3.el5.s390x.rpm | SHA-256: a38e78f59ff8f5158954265091f94b789878c5d52b2bf4b530ced09ecac5292f |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
ppc | |
openswan-2.6.32-3.el5.ppc.rpm | SHA-256: e66e33bdb308875148ddae0d56b6356e7258c98f46b0693285c4148bbc108efc |
openswan-doc-2.6.32-3.el5.ppc.rpm | SHA-256: 3f3a52f220c84fb0a9d8d611762df2de968525f09412c344c314aac3c639bdb5 |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
openswan-2.6.32-3.el5.src.rpm | SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8 |
x86_64 | |
openswan-2.6.32-3.el5.x86_64.rpm | SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91 |
openswan-doc-2.6.32-3.el5.x86_64.rpm | SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2 |
i386 | |
openswan-2.6.32-3.el5.i386.rpm | SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66 |
openswan-doc-2.6.32-3.el5.i386.rpm | SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.