Issued:

2011-05-19

Updated:

2011-05-19

RHBA-2011:0652 - openswan bug fix and enhancement update

Synopsis

openswan bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated openswan package that fix various bugs and provide several enhancements are now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for Linux. This package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel.

Openswan 2.6.x also supports IKEv2 (RFC4306)

The openswan packages have been upgraded to upstream version 2.6.32, which provides a number of bug fixes and enhancements over the previous version. (BZ#642724)

These updated openswan packages provide fixes for the following bugs:

• Openswan was previously unable to negotiate using the HMAC-SHA2-256 algorithm in transport mode. With this update, Openswan is able to set up IPsec in using HMAC-SHA2-256 in transport mode. (BZ#621790)

• The Openswan init script accessed the current working directory, which led to an SELinux AVC Denial. This update ensures that the current working directory is set to the root ("/") directory, and thus Openswan's pluto daemon starts without incurring an SELinux denial. (BZ#628879)

• Previously, the Openswan packages were not compiled with the "-Wl,-z,relro" parameter. These updated openswan packages have been compiled with the "-Wl,-z,relro" parameter. (BZ#642722)

• The IPsec NETKEY kernel code sent thousands of ACQUIRE messages which led to a segmentation fault. With this update, ACQUIRE messages are now properly processed with the result that Openswan does not crash. (BZ#658121)

• When the system's IP address was renewed using DHCP, the Openswan IPsec connection failed. This update ensures that the IPsec connection continues to operate across DHCP IP address renewals. (BZ#658253)

• Entering an incorrect IKE Extended Authentication (Xauth) password during IKE negotiation leads to a failure to connect. However, the failure was not communicated to NetworkManager, with the result that NetworkManager continued to wait for a timeout. With this update, Openswan sends a failure message to NetworkManager over the D-Bus system message bus, informing it of the failure to connect. As a result, NetworkManager knows about the failure as soon as it happens, and is able to inform the user about it immediately. (BZ#668785)

• Internet Control Message Protocol (ICMP)-specific IPsec connections were set up incorrectly, with incorrect "Type" and "Code" fields, in the code. This has been fixed so that ICMP selectors are now processed correctly according to the IKEv2 protocol specification (RFC 4306). (BZ#681974)

• Configuring a second IPsec policy using a different host behind the same gateway caused Openswan to crash due to the policy not being set up correctly. With this update, Openswan's IKEv2 implementation processes the traffic selectors correctly so that the correct definition is picked up during the key exchange. As a result, a second IPsec policy using a different host behind the same gateway can successfully set up. (BZ#683604)

In addition, these updated packages provide the following enhancements:

• Openswan's IKEv1 implementation and NETKEY interactions now understand SELinux labeled flows, and Openswan has been integrated with SELinux. As a result, it's now possible to exchange SELinux labels in IKE, and set up labeled IPsec policies and Security Associations (SAs) in SELinux Multi-Level Security (MLS) mode. (BZ#235720)

• Previously, Openswan did not support the Internet Key Exchange version 2 (IKEv2) USE_TRANSPORT_MODE functionality, with the result that Openswan could not interoperate with racoon2 in transport mode. With this update, Openswan's IKEv2 protocol support has been enhanced so that it now works in transport mode, and interoperate with racoon2. (BZ#646718)

Users are advised to upgrade to these updated openswan packages, which resolve these issues and add these enhancements.

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Updated Packages

• openswan-doc-2.6.32-4.el6.x86_64.rpm
• openswan-2.6.32-4.el6.i686.rpm
• openswan-debuginfo-2.6.32-4.el6.s390x.rpm
• openswan-debuginfo-2.6.32-4.el6.i686.rpm
• openswan-doc-2.6.32-4.el6.s390x.rpm
• openswan-debuginfo-2.6.32-4.el6.ppc64.rpm
• openswan-2.6.32-4.el6.x86_64.rpm
• openswan-2.6.32-4.el6.src.rpm
• openswan-doc-2.6.32-4.el6.i686.rpm
• openswan-2.6.32-4.el6.s390x.rpm
• openswan-doc-2.6.32-4.el6.ppc64.rpm
• openswan-debuginfo-2.6.32-4.el6.x86_64.rpm
• openswan-2.6.32-4.el6.ppc64.rpm

Fixes

• This content is not included.BZ - 621790
• This content is not included.BZ - 628879
• This content is not included.BZ - 642722
• This content is not included.BZ - 642724
• This content is not included.BZ - 646718
• This content is not included.BZ - 668785
• This content is not included.BZ - 681974
• This content is not included.BZ - 683604

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.