- Issued: 2011-07-19
- Updated: 2011-07-19
RHBA-2011:0961 - openswan bug fix update
Synopsis
openswan bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated openswan packages that resolve several issues are now available for Red Hat Enterprise Linux 6.
Description
Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for Linux. The openswan package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6.x also supports IKEv2 (RFC4306).
These updated openswan packages provide fixes for the following bugs:
- Openswan did not handle the protocol and port (leftprotoport) configuration correctly if the hostname parameter was configured instead of the ipaddress parameter. This update solves this issue, and Openswan now sets up policies with the correct protocol and port even when the hostname parameter is configured. (BZ#712112)
- Prior to this update, very large security label strings received from the peer were being truncated, and the truncated string was then still used. Under rare circumstances, the truncated string could turn out to be a valid string, leading to an incorrect policy. Additionally, erroneous queuing of on-demand requests to set up an IPsec connection was discovered in the IKEv2 (Internet Key Exchange) code. Although not harmful, it was not the intended design. This update fixes both of these issues, and Openswan now correctly handles the IKE setup. (BZ#712114)
- Previously, Openswan failed to set up AH (Authentication Header) mode security associations (SAs). This was because Openswan was erroneously processing the AH mode as if it were the ESP (Encapsulating Security Payload) mode, and was expecting an encryption key. This update fixes this issue, and it is now possible to properly set up AH mode SAs. (BZ#712168)
- IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this issue, and complete policies are now correctly established. (BZ#718078)
All users of openswan are advised to upgrade to these updated packages, which resolve these issues.
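The security label truncation described under BZ#712114, shown as an added C illustration that is not Openswan source code: one function truncates an over-long label and still uses it, the other rejects it. The buffer size, function names and sample labels are assumptions constructed for this example.

```c
/* Added illustration, not Openswan source. LABEL_MAX, the function names
 * and the sample labels are assumptions constructed for this example. */
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 33 /* assumed receive buffer: 32 characters + NUL */

/* The one label the local policy knows (constructed sample). */
static const char known_label[] = "system_u:object_r:ipsec_spd_t:s0";

/* Truncate-and-use pattern: an over-long label is cut to fit and then still
 * evaluated. Returns 1 if the (possibly truncated) label selects a policy. */
int accept_label_truncating(const char *wire, size_t wire_len)
{
    char buf[LABEL_MAX];
    size_t n = wire_len < sizeof buf - 1 ? wire_len : sizeof buf - 1;

    memcpy(buf, wire, n);
    buf[n] = '\0';
    return strcmp(buf, known_label) == 0;
}

/* Hardened pattern: a label that is empty, does not fit, or carries an
 * embedded NUL is rejected, so only the exact peer string is evaluated. */
int accept_label_strict(const char *wire, size_t wire_len)
{
    char buf[LABEL_MAX];

    if (wire_len == 0 || wire_len > sizeof buf - 1)
        return 0;
    if (memchr(wire, '\0', wire_len) != NULL)
        return 0;
    memcpy(buf, wire, wire_len);
    buf[wire_len] = '\0';
    return strcmp(buf, known_label) == 0;
}

int main(void)
{
    /* Constructed peer input: 41 bytes, longer than the buffer. Its first
     * 32 bytes spell the known label; the dropped suffix is a category range. */
    const char peer[] = "system_u:object_r:ipsec_spd_t:s0:c0.c1023";

    printf("truncating: %d\n", accept_label_truncating(peer, strlen(peer)));
    printf("strict:     %d\n", accept_label_strict(peer, strlen(peer)));
    return 0;
}
```

With the constructed input, the truncating path matches a policy for a label the peer never sent, while the strict path refuses the oversized label.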
Solution
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Virtual Storage Appliance (from RHUI) | 6.1 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 6.1 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 6.1 | i386 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 6.1 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 6.1 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Update Support from RHUI | 6.1 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Update Support from RHUI | 6.1 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- openswan-2.6.32-4.el6_1.1.i686.rpm
- openswan-debuginfo-2.6.32-4.el6_1.1.i686.rpm
- openswan-doc-2.6.32-4.el6_1.1.ppc64.rpm
- openswan-2.6.32-4.el6_1.1.ppc64.rpm
- openswan-debuginfo-2.6.32-4.el6_1.1.s390x.rpm
- openswan-doc-2.6.32-4.el6_1.1.s390x.rpm
- openswan-debuginfo-2.6.32-4.el6_1.1.x86_64.rpm
- openswan-2.6.32-4.el6_1.1.src.rpm
- openswan-debuginfo-2.6.32-4.el6_1.1.ppc64.rpm
- openswan-2.6.32-4.el6_1.1.x86_64.rpm
- openswan-2.6.32-4.el6_1.1.s390x.rpm
- openswan-doc-2.6.32-4.el6_1.1.x86_64.rpm
- openswan-doc-2.6.32-4.el6_1.1.i686.rpm
Fixes
- BZ - 712112
- BZ - 712114
- BZ - 712168
- BZ - 718078
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.