- Issued:
- 2009-01-20
- Updated:
- 2009-01-20
RHBA-2009:0239 - Bug Fix Advisory
Synopsis
ipsec-tools bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An updated ipsec-tools package that fixes various bugs is now available.
Description
The ipsec-tools package contains configuration and management tools for IPsec.
This updated ipsec-tools package includes fixes for the following bugs:
- The Dead Peer Detection (DPD) algorithm did not properly clean up IPSec
Security Associations (SAs) in the kernel. In this updated package,
Security Associations in the kernel are purged, thus resolving the issue.
- when a new interface was added, or an existing interface was deleted, the
racoon key management daemon did not immediately detect the change and
either open or close the ISAKMP socket. In this updated package, racoon
immediately detects whenever a new interface is added or an existing
interface is deleted and performs the appropriate socket action, thus
resolving the problem.
- The racoonctl command did not properly honor the '-s' option, which
specifies the admin socket on which the racoon daemon listens for
connections by racoonctl.
- even when racoon was configured not to log messages, the racoon daemon
still incorrectly called logging routines. Although doing so did not result
in actual messages being logged, it did cause unnecessary computational
overhead. In this updated package, racoon does not call this code at all
when configured not to log messages, thus increasing performance.
- the racoon daemon could crash due to a segmentation fault when Dead Peer
Detection (DPD) was enabled and a remote peer disappeared. In this updated
package, racoon no longer segfaults under this condition.
- the setkey command was unnecessarily linked to the libcrypto and other
Kerberos-related libraries. One consequence of this could have been that
setkey would fail when the /usr filesystem was not available, among others.
This unnecessary linkage to various libraries has been removed in this
updated package, thus resolving any potential linkage-related problems.
All users of ipsec-tools are advised to upgrade to this updated package,
which resolves these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 248567 - Racoon slow because of debug logging code overhead
- BZ - 458631 - Setkey is unnecessarily linked to libcrypto and other libraries
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
x86_64 | |
ipsec-tools-0.6.5-13.el5.x86_64.rpm | SHA-256: 02f982d7b2ed803016f1eb98886f2e8506c58c18a1b16660e23341e355fb2eff |
ia64 | |
ipsec-tools-0.6.5-13.el5.ia64.rpm | SHA-256: 24eedbb8bd69b3e7b1b01e9de484055c0888dc0e1d8524763738fe565a5825a0 |
i386 | |
ipsec-tools-0.6.5-13.el5.i386.rpm | SHA-256: 0b66a8292729ffdd3768d4b7c96f0295118abc9f10ce8bb51e5dfbde899780fc |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
x86_64 | |
ipsec-tools-0.6.5-13.el5.x86_64.rpm | SHA-256: 02f982d7b2ed803016f1eb98886f2e8506c58c18a1b16660e23341e355fb2eff |
i386 | |
ipsec-tools-0.6.5-13.el5.i386.rpm | SHA-256: 0b66a8292729ffdd3768d4b7c96f0295118abc9f10ce8bb51e5dfbde899780fc |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
x86_64 | |
ipsec-tools-0.6.5-13.el5.x86_64.rpm | SHA-256: 02f982d7b2ed803016f1eb98886f2e8506c58c18a1b16660e23341e355fb2eff |
i386 | |
ipsec-tools-0.6.5-13.el5.i386.rpm | SHA-256: 0b66a8292729ffdd3768d4b7c96f0295118abc9f10ce8bb51e5dfbde899780fc |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
s390x | |
ipsec-tools-0.6.5-13.el5.s390x.rpm | SHA-256: f2ab2f8a528ee99efa8f2900856f35c84b4c2c9759878cc09107fc70d97ccb74 |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
ppc | |
ipsec-tools-0.6.5-13.el5.ppc.rpm | SHA-256: d17534ed3987c11e3a05e9155f22771bf989dbd56c5cbe5a0ce9f0c5ac356fb5 |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
ipsec-tools-0.6.5-13.el5.src.rpm | SHA-256: 0c0ecd171cb96b5044c5ae0fd1ca1160f140e2504ed75273647c8aa6c0cf8418 |
x86_64 | |
ipsec-tools-0.6.5-13.el5.x86_64.rpm | SHA-256: 02f982d7b2ed803016f1eb98886f2e8506c58c18a1b16660e23341e355fb2eff |
i386 | |
ipsec-tools-0.6.5-13.el5.i386.rpm | SHA-256: 0b66a8292729ffdd3768d4b7c96f0295118abc9f10ce8bb51e5dfbde899780fc |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.