- Issued:
- 2012-02-20
- Updated:
- 2012-02-20
RHBA-2012:0211 - openswan bug fix and enhancement update
Synopsis
openswan bug fix and enhancement update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated openswan packages that fix various bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Description
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks.
The openswan packages have been upgraded to upstream version 2.6.32, which provides a number of bug fixes and enhancements over the previous version. (BZ#698248)
These updated openswan packages provide fixes for the following bugs:
-
When an NSS database is created with a password (either in FIPS or non-FIPS mode), access to a private key (associated with a certificate or a raw public key) requires authentication. At authentication time, openswan passes the database password to NSS. Previously, when this happened, openswan also logged the password to /var/log/secure. The password could also be seen by running "ipsec barf". With this update, openswan still passes the database password at authentication time but no longer logs it in any fashion. (BZ#549811)
-
The pluto key management daemon terminated unexpectedly with a segmentation fault when removing a logical IP interface. With this update the code has been improved, pluto now withdraws a connection to a dead logical interface cleanly and no longer crashes in the scenario described. (BZ#609343)
-
Due to an error in a buffer initialization, the following message may have been written to the /var/log/secure log file during the IKE negotiation: "size ([size]) differs from size specified in ISAKMP HDR ([size])". Consequently, the establishment of secure connections could be significantly delayed. This update applies an upstream patch that resolves this issue, and the establishment of IPsec connections is no longer delayed. (BZ#652733)
In addition, these updated openswan packages provide the following enhancements:
-
With this update, the openswan packages now include support for message digest algorithm HMAC-SHA1-96 as per RFC 2404. (BZ#524191)
-
RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards, adds eight Diffie-Hellman groups (three prime modulus groups and five elliptic curve groups) to the extant 21 groups set out in previous RFCs (e.g. RFCs 2409, 3526 and 4492) for use with IKE, TLS, SSH and so on.
This update implements groups 22, 23 and 24: a 1024-bit MODular exPonential (MODP) Group with 160-bit Prime Order Subgroup; a 2048-bit MODP Group with 224-bit Prime Order Subgroup; and a 2048-bit MODP Group with 256-bit Prime Order Subgroup respectively. (BZ#591104)
Note: implementation of group 24 (a 2048-bit MODP Group with 256-bit Prime Order Subgroup) is required for US National Institute of Standards and Technology (NIST) IPv6 compliance and ongoing FIPS-140 certification.
All users of openswan are advised to upgrade to these updated packages, which fix these bugs and provide these enhancements.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- openswan-2.6.32-3.el5.src.rpm
- openswan-doc-2.6.32-3.el5.i386.rpm
- openswan-2.6.32-3.el5.ppc.rpm
- openswan-doc-2.6.32-3.el5.x86_64.rpm
- openswan-2.6.32-3.el5.s390x.rpm
- openswan-doc-2.6.32-3.el5.ppc.rpm
- openswan-doc-2.6.32-3.el5.s390x.rpm
- openswan-doc-2.6.32-3.el5.ia64.rpm
- openswan-2.6.32-3.el5.ia64.rpm
- openswan-2.6.32-3.el5.i386.rpm
- openswan-2.6.32-3.el5.x86_64.rpm
Fixes
- This content is not included.BZ - 524191
- This content is not included.BZ - 549811
- This content is not included.BZ - 609343
- This content is not included.BZ - 652733
- This content is not included.BZ - 698248
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.