Issued:
2011-12-06
Updated:
2011-12-06

RHBA-2011:1761 - openswan bug fix and enhancement update


Synopsis

openswan bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

An updated openswan package that fixes several bugs and adds one enhancement is now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. The openswan package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6.x also supports IKEv2 (RFC4306).

This update fixes the following bugs:

  • Openswan did not handle protocol and port configuration correctly if the ports were defined and the host was defined with its hostname instead of its IP address. This update solves this issue, and Openswan now correctly sets up policies with the correct protocol and port under such circumstances. (BZ#703473)

  • Prior to this update, very large security label strings received from a peer were being truncated. The truncated string was then still used. However, this truncated string could turn out to be a valid string, leading to an incorrect policy. Additionally, erroneous queuing of on-demand requests of setting up an IPsec connection was discovered in the IKEv2 (Internet Key Exchange) code. Although not harmful, it was not the intended design. This update fixes both of these bugs and Openswan now handles the IKE setup correctly. (BZ#703985)

  • Previously, Openswan failed to set up AH (Authentication Header) mode security associations (SAs). This was because Openswan was erroneously processing the AH mode as if it were the ESP (Encapsulating Security Payload) mode and was expecting an encryption key. This update fixes this bug and it is now possible to set up AH mode SAs properly. (BZ#704548)

  • IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this bug and complete policies are now established correctly. (BZ#711975)

  • Openswan failed to support retrieving Certificate Revocation Lists (CRLs) from HTTP or LDAP CRL Distribution Points (CDPs) because the flags for enabling CRL functionality were disabled on compilation. With this update, the flags have been enabled and the CRL functionality is available as expected. (BZ#737975)

  • Openswan failed to discover some certificates. This happened because the README.x509 file contained incorrect information on the directories to be scanned for certificate files, so some directories were not scanned. With this update, the file has been modified to provide accurate information. (BZ#737976)

  • The Network Manager padlock icon was not cleared after a VPN connection terminated unexpectedly. This update fixes the bug and the padlock icon is cleared when a VPN connection is terminated as expected. (BZ#738385)

  • Openswan sent wrong IKEv2 (Internet Key Exchange) ICMP (Internet Control Message Protocol) selectors to an IPsec destination. This happened due to an incorrect host-to-network byte order conversion. This update fixes this bug and Openswan now sends correct ICMP selectors. (BZ#742632)

  • The Pluto daemon terminated unexpectedly with a segmentation fault after an IP address had been removed from one end of an established IPsec tunnel. This occurred if the other end of the tunnel attempted to reuse that IP address to create a new tunnel while the previous tunnel had failed to close properly. With this update, such a tunnel is closed properly and the problem no longer occurs. (BZ#749605)

In addition, this update adds the following enhancement:

  • When run, the "ipsec barf" and "ipsec verify" commands load new kernel modules, which changes the system configuration. This update adds the "iptable-save" command, which uses only iptables and does not load kernel modules. (BZ#737973)
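The enhancement above matters because a diagnostic command that loads kernel modules changes the system it is supposed to only inspect. The following is an added example, not code from Red Hat or the Openswan project, that snapshots /proc/modules before and after running a command and reports any modules that appeared. It assumes the standard /proc/modules layout (module name in the first column) and that the command itself is allowed to run; the sample text is constructed.

```python
import subprocess
from pathlib import Path

# Constructed sample of /proc/modules text (name, size, refcount, deps, state, address).
# Only the first column, the module name, is used below.
SAMPLE_BEFORE = """\
xfrm_user 36864 1 - Live 0x0000000000000000
af_key 45056 0 - Live 0x0000000000000000
"""
SAMPLE_AFTER = """\
xfrm_user 36864 1 - Live 0x0000000000000000
af_key 45056 0 - Live 0x0000000000000000
ip_tables 32768 2 iptable_filter,iptable_nat, Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
"""


def module_names(proc_modules_text):
    """Return the set of module names found in /proc/modules-style text."""
    names = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def diff_modules(before_text, after_text):
    """Modules present in the 'after' snapshot but not the 'before' one, sorted."""
    return sorted(module_names(after_text) - module_names(before_text))


def modules_loaded_by(cmd, proc_modules=Path("/proc/modules")):
    """Run cmd (a list of argv strings) and report modules that appeared while it ran.

    Reading /proc/modules needs no privileges; cmd may need them.
    """
    before = proc_modules.read_text()
    subprocess.run(cmd, check=False)
    after = proc_modules.read_text()
    return diff_modules(before, after)


if __name__ == "__main__":
    import sys
    # Usage: python this_script.py ipsec verify   (any command works; defaults to "true")
    argv = sys.argv[1:] or ["true"]
    loaded = modules_loaded_by(argv)
    print("modules loaded by %r: %s" % (argv, ", ".join(loaded) or "none"))
```

The comparison is a set difference, so it is blind to a module that was loaded and then autounloaded while the command ran, and it will attribute a module loaded concurrently by some other process to the command under test; run it on a quiet system and repeat if the result is surprising.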

Users are advised to upgrade to this updated openswan package, which fixes these bugs and adds the enhancement.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Product | Version | Arch
Red Hat Enterprise Linux for Power, big endian | 6 | ppc64
Red Hat Enterprise Linux for IBM z Systems | 6 | s390x
Red Hat Enterprise Linux Workstation | 6 | x86_64
Red Hat Enterprise Linux Workstation | 6 | i386
Red Hat Enterprise Linux Server | 6 | x86_64
Red Hat Enterprise Linux Server | 6 | i386
Red Hat Enterprise Linux Server from RHUI | 6 | x86_64
Red Hat Enterprise Linux Server from RHUI | 6 | i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x
Red Hat Enterprise Linux Desktop | 6 | x86_64
Red Hat Enterprise Linux Desktop | 6 | i386

Updated Packages

  • openswan-doc-2.6.32-9.el6.i686.rpm
  • openswan-debuginfo-2.6.32-9.el6.ppc64.rpm
  • openswan-debuginfo-2.6.32-9.el6.x86_64.rpm
  • openswan-2.6.32-9.el6.s390x.rpm
  • openswan-doc-2.6.32-9.el6.x86_64.rpm
  • openswan-debuginfo-2.6.32-9.el6.s390x.rpm
  • openswan-2.6.32-9.el6.x86_64.rpm
  • openswan-debuginfo-2.6.32-9.el6.i686.rpm
  • openswan-2.6.32-9.el6.i686.rpm
  • openswan-2.6.32-9.el6.src.rpm
  • openswan-doc-2.6.32-9.el6.ppc64.rpm
  • openswan-2.6.32-9.el6.ppc64.rpm
  • openswan-doc-2.6.32-9.el6.s390x.rpm
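To confirm that an installed openswan package is at or above the fixed build listed above (2.6.32-9.el6), the version and release fields have to be compared the way rpm does, segment by segment, rather than as strings: a naive string comparison ranks release "10.el6" below "9.el6". The following is an added example, not Red Hat's or rpm's own code; it implements a simplified form of rpm's version comparison (alternating numeric and alphabetic segments, numbers compared numerically, a numeric segment ranking above an alphabetic one), which is sufficient for the package names on this page but not a full replacement for rpmvercmp (it ignores epochs and tilde/caret ordering). The package strings in the test are constructed.

```python
import re
import subprocess

# Fixed build named in this advisory's Updated Packages list.
FIXED_VERSION = "2.6.32"
FIXED_RELEASE = "9.el6"

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def split_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).

    Package names may contain dashes (openswan-doc), so split from the right:
    the last dash precedes the release, the one before it precedes the version.
    """
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    name_ver, release_arch = pkg.rsplit("-", 1)
    name, version = name_ver.rsplit("-", 1)
    release, arch = release_arch.rsplit(".", 1)
    return name, version, release, arch


def vercmp(a, b):
    """Simplified rpmvercmp: return -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # Compare as integers so "10" > "9".
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:
            # A numeric segment is newer than an alphabetic one.
            return 1 if x_num else -1
        return (x > y) - (x < y)
    # All shared segments equal: the longer one is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(pkg, fixed_version=FIXED_VERSION, fixed_release=FIXED_RELEASE):
    """True if pkg (an NVRA string for an openswan subpackage) is at or above the fix."""
    name, version, release, _arch = split_nvra(pkg)
    if not name.startswith("openswan"):
        raise ValueError("not an openswan package: %s" % pkg)
    result = vercmp(version, fixed_version)
    if result == 0:
        result = vercmp(release, fixed_release)
    return result >= 0


if __name__ == "__main__":
    # Query the local rpm database; on a host without rpm this just reports that.
    try:
        out = subprocess.run(["rpm", "-q", "openswan"], capture_output=True, text=True)
    except FileNotFoundError:
        print("rpm not available on this host")
    else:
        for line in out.stdout.split():
            status = "fixed" if is_fixed(line) else "NOT fixed"
            print("%s: %s" % (line, status))
```

The same comparison applies to the openswan-doc and openswan-debuginfo subpackages, since they share the version and release of the main package.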

Fixes

CVEs

(none)

References

(none)
