RHBA-2011:1761 - Bug Fix Advisory

Topic

An updated openswan package that fixes several bugs and adds one enhancement is
now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE
(Internet Key Exchange) for Linux. The openswan package contains the daemons and
user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec
kernel stack that exists in the default Linux kernel. Openswan 2.6.x also
supports IKEv2 (RFC4306).

This update fixes the following bugs:

• Openswan did not handle protocol and port configuration correctly if the ports

were defined and the host was defined with its hostname instead of its IP
address. This update solves this issue, and Openswan now correctly sets up
policies with the correct protocol and port under such circumstances.
(BZ#703473)

• Prior to this update, very large security label strings received from a peer

were being truncated. The truncated string was then still used. However, this
truncated string could turn out to be a valid string, leading to an incorrect
policy. Additionally, erroneous queuing of on-demand requests of setting up an
IPsec connection was discovered in the IKEv2 (Internet Key Exchange) code.
Although not harmful, it was not the intended design. This update fixes both of
these bugs and Openswan now handles the IKE setup correctly. (BZ#703985)

• Previously, Openswan failed to set up AH (Authentication Header) mode security

associations (SAs). This was because Openswan was erroneously processing the AH
mode as if it was the ESP (Encrypted Secure Payload) mode and was expecting an
encryption key. This update fixes this bug and it is now possible to set up AH
mode SAs properly. (BZ#704548)

• IPsec connections over a loopback interface did not work properly when a

specific port was configured. This was because incomplete IPsec policies were
being set up, leading to connection failures. This update fixes this bug and
complete policies are now established correctly. (BZ#711975)

• Openswan failed to support retrieving Certificate Revocation Lists (CRLs) from

HTTP or LDAP CRL Distribution Points (CDPs) because the flags for enabling CRL
functionality were disabled on compilation. With this update, the flags have
been enabled and the CRL functionality is available as expected. (BZ#737975)

• Openswan failed to discover some certificates. This happened because the

README.x509 file contained incorrect information on the directories to be
scanned for certification files and some directories failed to be scanned. With
this update, the file has been modified to provide accurate information.
(BZ#737976)

• The Network Manager padlock icon was not cleared after a VPN connection

terminated unexpectedly. This update fixes the bug and the padlock icon is
cleared when a VPN connection is terminated as expected. (BZ#738385)

• Openswan sent wrong IKEv2 (Internet Key Exchange) ICMP (Internet Control

Message Protocol) selectors to an IPsec destination. This happened due to an
incorrect conversion of the host to network byte order. This update fixes this
bug and Openswan now sends correct ICMP selectors. (BZ#742632)

• The Pluto daemon terminated unexpectedly with a segmentation fault after an IP

address had been removed from one end of an established IPsec tunnel. This
occurred if the other end of the tunnel attempted to reuse the particular IP
address to create a new tunnel as the previous tunnel failed to close properly.
With this update, such tunnel is closed properly and the problem no longer
occurs. (BZ#749605)

In addition, this update adds the following enhancement:

• On run, the "ipsec barf" and "ipsec verify" commands load new kernel modules,

which influences the system configuration. This update adds the "iptable-save"
command, which uses only iptables and does not load kernel modules. (BZ#737973)

Users are advised to upgrade to this updated openswan package, which fixes these
bugs and adds the enhancement.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 703473 - Protocol ports does not work if hostname is given instead of ipaddress with Openswan
• BZ - 703985 - Implementation issues found during Openswan code review for CCC evaluation
• BZ - 704548 - AH protocol broken with Openswan
• BZ - 711975 - incomplete policy for loopback when using *protoport=X/Y
• BZ - 738385 - Doesn't work as an idicator of the VPN connection
• BZ - 742632 - Openswan sends wrong ikev2 icmp selectors in its packets

CVEs

(none)

References

(none)