- Issued: 2010-08-24
- Updated: 2010-08-24
RHBA-2010:0645 - Bug Fix Advisory
Synopsis
ipsec-tools bug fix update
Type/Severity
Bug Fix Advisory
Topic
An updated ipsec-tools package that fixes various bugs is now available.
Description
The ipsec-tools package contains configuration and management tools for IPsec.
This updated ipsec-tools package resolves the following bugs:
- When clients connected and disconnected under load, the racoon daemon stopped
responding for a few minutes due to a race condition in the code that handles dumps
of the Security Association Database (SAD) from the kernel through a pfkey
socket. The updated package uses a separate pfkey socket for the SA database
dumps, effectively removing the possibility of the race condition. (BZ#609084)
- When receiving a delete notification for the IKE SA, the racoon daemon
incorrectly also deleted the IPsec SA associated with the IKE SA. The updated
package only expires the IKE SA and waits for the IPsec SAs to expire before the
IKE SA is purged from racoon's memory. (BZ#609085)
- When looking up security policy database entries, the racoon daemon
matched inexact entries even if there was an exact entry in the database. The
updated package matches the exact entry before falling back to inexact matching.
(BZ#609087)
- When dumping the pfkey database, the kernel returned only part of the
database due to the small socket buffer size. When racoon was deployed on a
system with a large number of network security policy entries, racoon could
not find all of the security policy entries in the database. The updated package
supports a new configuration option, pfkey_buffer, in the racoon.conf file that
allows the buffer size to be set as appropriate for the deployment requirements.
(BZ#609090)
All users of IPsec Tools are advised to upgrade to this updated package, which
resolves these issues.
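The lookup-order change described for the security policy database item above, shown as an added example that is not racoon's own code. The types, function names and sample database are hypothetical, and "inexact" is assumed here to mean that an entry's prefixes cover the requested ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical, simplified model: IPv4 prefixes in host byte order. */
typedef struct { uint32_t src, dst; uint8_t src_len, dst_len; } selector;
typedef struct { selector sel; const char *name; } policy;
static uint32_t mask(uint8_t len) { return len ? 0xFFFFFFFFu << (32 - len) : 0; }

/* Exact: identical prefixes and prefix lengths. */
static int match_exact(const selector *a, const selector *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->src_len == b->src_len && a->dst_len == b->dst_len;
}

/* Inexact (assumed meaning): the entry's prefixes cover the requested ones. */
static int match_inexact(const selector *req, const selector *ent) {
    return ent->src_len <= req->src_len && ent->dst_len <= req->dst_len &&
           ((req->src ^ ent->src) & mask(ent->src_len)) == 0 &&
           ((req->dst ^ ent->dst) & mask(ent->dst_len)) == 0;
}

/* Before the update: the first inexact match wins, whatever follows it. */
const policy *lookup_first_match(const policy *db, size_t n, const selector *req) {
    for (size_t i = 0; i < n; i++)
        if (match_inexact(req, &db[i].sel)) return &db[i];
    return NULL;
}

/* After the update: an exact entry wins; inexact is only a fallback. */
const policy *lookup_exact_first(const policy *db, size_t n, const selector *req) {
    const policy *fallback = NULL;
    for (size_t i = 0; i < n; i++) {
        if (match_exact(req, &db[i].sel)) return &db[i];
        if (!fallback && match_inexact(req, &db[i].sel)) fallback = &db[i];
    }
    return fallback;
}

/* Constructed sample database: the broad entry precedes the exact one. */
const policy sample_db[] = {
    { { 0x0A000000u, 0xC0A80000u, 8, 16 }, "10.0.0.0/8 -> 192.168.0.0/16" },
    { { 0x0A010200u, 0xC0A80100u, 24, 24 }, "10.1.2.0/24 -> 192.168.1.0/24" },
};

int main(void) {
    const selector *req = &sample_db[1].sel;  /* ask for the exact entry */
    printf("first-match: %s\n", lookup_first_match(sample_db, 2, req)->name);
    printf("exact-first: %s\n", lookup_exact_first(sample_db, 2, req)->name);
    return 0;
}
```

With the broad entry listed first, the first-match lookup returns it for a request that has its own exact entry, so the peer would be negotiated under the wrong policy; the exact-first lookup returns the intended entry and still falls back to the broad one for requests without an exact entry.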
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 609084 - pfkey socket buffer overflow
- BZ - 609085 - Racoon: getsp_r() returns first non-exact SP match result, even if there is an exact match after that point.
- BZ - 609087 - Racoon deletes all associated phase 2 sa's after deleting of phase 1 sa
- BZ - 609090 - Racoon daemon blocks on recv() call due to empty pfkey socket
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
x86_64 | |
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm | SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb |
ia64 | |
ipsec-tools-0.6.5-14.el5_5.5.ia64.rpm | SHA-256: 957577acb6344a9b3702c5ea91350f437a5c32aae4a9d358145e8bece8e93b6a |
i386 | |
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm | SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
x86_64 | |
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm | SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb |
i386 | |
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm | SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
x86_64 | |
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm | SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb |
i386 | |
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm | SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
s390x | |
ipsec-tools-0.6.5-14.el5_5.5.s390x.rpm | SHA-256: bb317de56cda99857f765fc1699aeb34658a68e95d13a029a1f9e537663ed1d9 |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
ppc | |
ipsec-tools-0.6.5-14.el5_5.5.ppc.rpm | SHA-256: 135100f2e815176622e85427703a26740b400534c1e26a564c228b84b4dbfe2b |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
ipsec-tools-0.6.5-14.el5_5.5.src.rpm | SHA-256: f92e290d88c8c9b0cbf9308b31366d2d2b8993e4eeea0a90dd4b0c33819b5667 |
x86_64 | |
ipsec-tools-0.6.5-14.el5_5.5.x86_64.rpm | SHA-256: 90f06a83376b94d264afb398eaa1fd06916d0034cf75899916aec47d510508cb |
i386 | |
ipsec-tools-0.6.5-14.el5_5.5.i386.rpm | SHA-256: f9f2c0df0b94fa1aed016a63d0305368a2d64a223a05401d469592fe4594c8eb |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.