Issued:
2012-09-24
Updated:
2012-09-24

RHBA-2012:1305 - openswan bug fix update

Synopsis

openswan bug fix update

Type/Severity

Bug Fix Advisory

Topic

Updated openswan packages that fix a bug are now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. The openswan packages contain daemons and user-space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6 and later also supports IKEv2 (Internet Key Exchange Protocol version 2), which is defined in RFC5996.

This update fixes the following bug:

  • When a tunnel was established between two IPsec hosts (say host1 and host2) utilizing DPD (Dead Peer Detection), and if host2 went offline while host1 continued to transmit data, host1 continually queued multiple phase 2 requests after the DPD action. When host2 came back online, the stack of pending phase 2 requests was established, leaving a new IPsec SA (Security Association), and a large group of extra SA's that consumed system resources and eventually expired. This update ensures that openswan has just a single pending phase 2 request during the time that host2 is down, and when host2 comes back up, only a single new IPsec SA is established, thus preventing this bug. (BZ#852454)

All users of openswan are advised to upgrade to these updated packages, which fix this bug.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for x86_64 - Extended Update Support6.3x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support6.3i386
Red Hat Enterprise Linux for Power, big endian6ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support6.3ppc64
Red Hat Enterprise Linux for IBM z Systems6s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support6.3s390x
Red Hat Enterprise Linux Workstation6x86_64
Red Hat Enterprise Linux Workstation6i386
Red Hat Enterprise Linux Server6x86_64
Red Hat Enterprise Linux Server6i386
Red Hat Enterprise Linux Server from RHUI6x86_64
Red Hat Enterprise Linux Server from RHUI6i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support6x86_64
Red Hat Enterprise Linux Server - Extended Update Support from RHUI6.3x86_64
Red Hat Enterprise Linux Server - Extended Update Support from RHUI6.3i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems)6s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)6s390x
Red Hat Enterprise Linux Desktop6x86_64
Red Hat Enterprise Linux Desktop6i386

Updated Packages

  • openswan-debuginfo-2.6.32-19.el6_3.x86_64.rpm
  • openswan-2.6.32-19.el6_3.src.rpm
  • openswan-debuginfo-2.6.32-19.el6_3.ppc64.rpm
  • openswan-debuginfo-2.6.32-19.el6_3.s390x.rpm
  • openswan-2.6.32-19.el6_3.x86_64.rpm
  • openswan-doc-2.6.32-19.el6_3.ppc64.rpm
  • openswan-doc-2.6.32-19.el6_3.s390x.rpm
  • openswan-2.6.32-19.el6_3.s390x.rpm
  • openswan-2.6.32-19.el6_3.ppc64.rpm
  • openswan-debuginfo-2.6.32-19.el6_3.i686.rpm
  • openswan-doc-2.6.32-19.el6_3.i686.rpm
  • openswan-doc-2.6.32-19.el6_3.x86_64.rpm
  • openswan-2.6.32-19.el6_3.i686.rpm

Fixes

(none)

CVEs

(none)

References

(none)

Additional information