- Issued:
- 2010-02-09
- Updated:
- 2010-02-09
RHBA-2010:0096 - Openswan bug fix update
Synopsis
Openswan bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated openswan packages that fix an issue with NSS passwords being logged at run time are now available.
Description
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.
This update addresses the following issue:
- when an NSS database is created with a password (either in FIPS or non-FIPS mode), access to a private key (associated with a certificate or a raw public key) requires authentication. At authentication time, openswan passes the database password to NSS. Previously, when this happened, openswan also logged the password to /var/log/secure. The password could also be seen by running "ipsec barf". With this update, openswan still passes the database password at authentication time but no longer logs it in any fashion. (BZ#557688)
All openswan users are advised to upgrade to these updated packages, which resolve this issue.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.4 | ia64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.4 | i386 |
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 5.4 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 5.4 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- openswan-doc-2.6.21-5.el5_4.2.ppc.rpm
- openswan-2.6.21-5.el5_4.2.ia64.rpm
- openswan-2.6.21-5.el5_4.2.i386.rpm
- openswan-2.6.21-5.el5_4.2.src.rpm
- openswan-2.6.21-5.el5_4.2.x86_64.rpm
- openswan-doc-2.6.21-5.el5_4.2.i386.rpm
- openswan-doc-2.6.21-5.el5_4.2.s390x.rpm
- openswan-doc-2.6.21-5.el5_4.2.x86_64.rpm
- openswan-2.6.21-5.el5_4.2.ppc.rpm
- openswan-doc-2.6.21-5.el5_4.2.ia64.rpm
- openswan-2.6.21-5.el5_4.2.s390x.rpm
Fixes
CVEs
(none)
References
- Content from www.ietf.org is not included.Content from www.ietf.org is not included.http://www.ietf.org/rfc/rfc4309.txt
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.