Issued: 2014-10-13
Updated: 2014-10-13

RHBA-2014:1588 - openswan bug fix and enhancement update


Synopsis

openswan bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated openswan packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services, which allow secure tunnels to be built through untrusted networks.

This update fixes the following bugs:

  • When using the protoport option in combination with the type=passthrough setting to exclude traffic from encryption, an incorrect inverse policy was installed and the exclusion was not successful. Now, the correct policy is installed in the described situation. (BZ#739949)

  • Starting multiple connections with the leftsubnets= or auto=start options led to a crypto overload and subsequent restart of Openswan. The pluto cryptohelper has been fixed to prevent the overload. (BZ#834397)

  • The ikev2=insist setting was not enforced on the responder side, allowing an IKEv1 connection to be established instead. This bug has been fixed and ikev2=insist is no longer ignored. (BZ#970279)

  • This update fixes multiple lingering states after reestablishing IKEv2 keys. (BZ#970349)

  • This update enforces the limits set with the esp, phase1alg, and phase2alg options. Previously, any algorithm of the default set (aes, 3des, sha1, md5) was always allowed, regardless of the above options. (BZ#988106)

  • IKEv2 delete payloads were not always properly delivered to the remote peer, leaving the remote endpoint with lingering unused connections. Now, IKEv2 delete payloads are delivered as expected. (BZ#993124)

  • This update modifies the rightid=%fromcert option to load IDs from the local certificate when set for the local end, and from the certificate delivered by the remote peer when set for the peer end. (BZ#1002708)

  • The "ipsec ikeping" command did not recognize the --exchangenum option. This option is now recognized correctly. (BZ#1019746)

  • This update fixes a crash of the IKE pluto daemon when using the SHA2 encryption family with the ike= option with IKEv2. (BZ#1021961)

  • Openswan no longer drops various privileges too soon, which prevented it from reading configuration files in directories not owned by root. (BZ#1041576)

  • The IKE pluto daemon occasionally crashed and restarted when referencing missing IKEv2 payloads. Openswan's state machine has been updated to reject packets with missing payloads. (BZ#1050340)

  • This update fixes the compatibility problems with older versions of Cisco VPN introduced in the previous update of the openswan packages. (BZ#1070356)

  • After restarting the remote endpoint, the sourceip option was not properly reset in the local route entry. This bug has been fixed. (BZ#1088656)

  • If there was no NSS database available, the IKE pluto daemon created a nonfunctional replacement. A missing NSS database is now created before the pluto daemon starts and in the %post phase of the package install, which fixes this bug. (BZ#1092913)

  • The "ipsec newhostkey" command did not return a correct non-zero exit code in case of failure, for example when generating keys of insufficient strength. Now, ipsec newhostkey returns the correct exit code. (BZ#1098473)

  • Configuring an AH algorithm for IKEv2, or various non-standard ESP algorithms for IKEv1 or IKEv2 (such as CAST, RIPEMD160 or CAMELLIA) caused the IKE pluto daemon to terminate unexpectedly and restart. This bug has been fixed and pluto no longer crashes when AH or ESP algorithms are configured. (BZ#1114683)

  • Using the "force_busy=yes" developer option to force anti-DDOS mode in IKEv2 caused the IKE pluto daemon to crash and restart. This bug has been fixed and pluto no longer crashes in the described situation. (BZ#1126066)

In addition, this update adds the following enhancements:

  • This update enhances and clarifies man pages shipped with the openswan packages. (BZ#730975, BZ#1018327, BZ#1099871, BZ#1105179)

Users of openswan are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
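Two checks a defender would want around this update, written here as an added example and not part of the Red Hat advisory or the openswan project: first, confirm that the installed openswan package is at or above the fixed build (2.6.32-37.el6, taken from the package list in this advisory); second, because the fix for BZ#988106 means algorithms outside an explicit esp=/ike=/phase1alg=/phase2alg= setting are no longer silently accepted, list every connection in an ipsec.conf that sets such a limit so it can be reviewed before the upgrade. The function names, the simplified version comparison, and the sample configuration are assumptions for illustration.

```sh
#!/bin/sh
# Added example for RHBA-2014:1588 (not the advisory's or the project's code).
# Assumption: the fixed build is openswan-2.6.32-37.el6, as listed under
# "Updated Packages" in the advisory.
FIXED_VERSION="2.6.32"
FIXED_RELEASE="37"

# Compare two dotted numeric version strings and print lt, eq or gt.
# Always returns 0 so it is safe to call under "set -e".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then echo lt; return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Return 0 if an openswan NVR such as "openswan-2.6.32-37.el6" (with or
# without ".arch.rpm", and for the doc/debuginfo subpackages too) is at or
# above the fixed build; return 1 otherwise. Only the leading numeric part of
# the release is compared (assumption: that is enough for el6 builds).
openswan_is_fixed() {
    rest="${1#openswan-}"
    case "$rest" in
        doc-*|debuginfo-*) rest="${rest#*-}" ;;
    esac
    ver="${rest%%-*}"          # 2.6.32
    rel="${rest#*-}"           # 37.el6[.arch.rpm]
    rel="${rel%%.*}"           # 37
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        gt) return 0 ;;
        lt) return 1 ;;
    esac
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# Read an ipsec.conf on stdin and print "conn: key=value" for every
# connection that sets esp=, ike=, phase1alg= or phase2alg= explicitly.
# After this update those settings are enforced strictly, so each one is
# worth reviewing against what the peer actually offers.
list_explicit_alg_conns() {
    awk '
        /^[ \t]*conn[ \t]+/ { name = $2; next }
        /^[ \t]*(esp|ike|phase1alg|phase2alg)[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "")
            print name ": " $0
        }
    '
}

# Stand-alone use on a RHEL 6 host: check the installed package, then scan
# /etc/ipsec.conf if it exists. Both steps are skipped where rpm or the
# file is absent, so the script also runs on a non-RHEL machine.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q openswan 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        printf 'openswan is not installed\n'
    elif openswan_is_fixed "$installed"; then
        printf '%s: at or above the fixed build\n' "$installed"
    else
        printf '%s: OLDER than the fixed build, apply RHBA-2014:1588\n' "$installed"
    fi
fi
if [ -r /etc/ipsec.conf ]; then
    list_explicit_alg_conns < /etc/ipsec.conf
fi
```

Connections that only inherit from conn %default and never set esp= or ike= are not listed, since they keep using the default set and are unaffected by the stricter enforcement; included files under /etc/ipsec.d are not followed, so pipe those in separately.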

Affected Products

Product                                                                                        Version  Arch
Red Hat Enterprise Linux for Power, big endian                                                 6        ppc64
Red Hat Enterprise Linux for IBM z Systems                                                     6        s390x
Red Hat Enterprise Linux Workstation                                                           6        x86_64
Red Hat Enterprise Linux Workstation                                                           6        i386
Red Hat Enterprise Linux Server                                                                6        x86_64
Red Hat Enterprise Linux Server                                                                6        i386
Red Hat Enterprise Linux Server from RHUI                                                      6        x86_64
Red Hat Enterprise Linux Server from RHUI                                                      6        i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support                          6        x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support                                  6        x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support                                  6        i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension                        6        x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension                        6        i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems)    6        s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)              6        s390x
Red Hat Enterprise Linux Desktop                                                               6        x86_64
Red Hat Enterprise Linux Desktop                                                               6        i386

Updated Packages

  • openswan-2.6.32-37.el6.i686.rpm
  • openswan-debuginfo-2.6.32-37.el6.i686.rpm
  • openswan-doc-2.6.32-37.el6.x86_64.rpm
  • openswan-doc-2.6.32-37.el6.ppc64.rpm
  • openswan-2.6.32-37.el6.ppc64.rpm
  • openswan-debuginfo-2.6.32-37.el6.s390x.rpm
  • openswan-doc-2.6.32-37.el6.s390x.rpm
  • openswan-doc-2.6.32-37.el6.i686.rpm
  • openswan-2.6.32-37.el6.s390x.rpm
  • openswan-2.6.32-37.el6.x86_64.rpm
  • openswan-debuginfo-2.6.32-37.el6.ppc64.rpm
  • openswan-2.6.32-37.el6.src.rpm
  • openswan-debuginfo-2.6.32-37.el6.x86_64.rpm

Fixes

CVEs

(none)

References

(none)


Additional information