RHBA-2009:0239 - Bug Fix Advisory

Topic

An updated ipsec-tools package that fixes various bugs is now available.

Description

The ipsec-tools package contains configuration and management tools for IPsec.

This updated ipsec-tools package includes fixes for the following bugs:

• The Dead Peer Detection (DPD) algorithm did not properly clean up IPSec

Security Associations (SAs) in the kernel. In this updated package,
Security Associations in the kernel are purged, thus resolving the issue.

• when a new interface was added, or an existing interface was deleted, the

racoon key management daemon did not immediately detect the change and
either open or close the ISAKMP socket. In this updated package, racoon
immediately detects whenever a new interface is added or an existing
interface is deleted and performs the appropriate socket action, thus
resolving the problem.

• The racoonctl command did not properly honor the '-s' option, which

specifies the admin socket on which the racoon daemon listens for
connections by racoonctl.

• even when racoon was configured not to log messages, the racoon daemon

still incorrectly called logging routines. Although doing so did not result
in actual messages being logged, it did cause unnecessary computational
overhead. In this updated package, racoon does not call this code at all
when configured not to log messages, thus increasing performance.

• the racoon daemon could crash due to a segmentation fault when Dead Peer

Detection (DPD) was enabled and a remote peer disappeared. In this updated
package, racoon no longer segfaults under this condition.

• the setkey command was unnecessarily linked to the libcrypto and other

Kerberos-related libraries. One consequence of this could have been that
setkey would fail when the /usr filesystem was not available, among others.
This unnecessary linkage to various libraries has been removed in this
updated package, thus resolving any potential linkage-related problems.

All users of ipsec-tools are advised to upgrade to this updated package,
which resolves these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 248567 - Racoon slow because of debug logging code overhead
• BZ - 458631 - Setkey is unnecessarily linked to libcrypto and other libraries

CVEs

(none)

References

(none)