Synopsis

openswan bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

Updated openswan packages that fix various bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.

Description

Openswan is a free implementation of Internet Protocol Security (IPsec) and
Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both
authentication and encryption services. These services allow you to build secure
tunnels through untrusted networks.

The openswan packages have been upgraded to upstream version 2.6.32, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#698248)

These updated openswan packages provide fixes for the following bugs:

• When an NSS database is created with a password (either in FIPS or non-FIPS
  mode), access to a private key (associated with a certificate or a raw public
  key) requires authentication. At authentication time, openswan passes the
  database password to NSS. Previously, when this happened, openswan also logged
  the password to /var/log/secure. The password could also be seen by running
  "ipsec barf". With this update, openswan still passes the database password at
  authentication time but no longer logs it in any fashion. (BZ#549811)
  
• The pluto key management daemon terminated unexpectedly with a segmentation
  fault when removing a logical IP interface. With this update the code has been
  improved, pluto now withdraws a connection to a dead logical interface cleanly
  and no longer crashes in the scenario described. (BZ#609343)
  
• Due to an error in a buffer initialization, the following message may have
  been written to the /var/log/secure log file during the IKE negotiation: "size
  ([size]) differs from size specified in ISAKMP HDR ([size])". Consequently, the
  establishment of secure connections could be significantly delayed. This update
  applies an upstream patch that resolves this issue, and the establishment of
  IPsec connections is no longer delayed. (BZ#652733)
  

In addition, these updated openswan packages provide the following enhancements:

• With this update, the openswan packages now include support for message digest
  algorithm HMAC-SHA1-96 as per RFC 2404. (BZ#524191)
  
• RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards, adds
  eight Diffie-Hellman groups (three prime modulus groups and five elliptic curve
  groups) to the extant 21 groups set out in previous RFCs (e.g. RFCs 2409, 3526
  and 4492) for use with IKE, TLS, SSH and so on.
  

This update implements groups 22, 23 and 24: a 1024-bit MODular exPonential
(MODP) Group with 160-bit Prime Order Subgroup; a 2048-bit MODP Group with
224-bit Prime Order Subgroup; and a 2048-bit MODP Group with 256-bit Prime Order
Subgroup respectively. (BZ#591104)

Note: implementation of group 24 (a 2048-bit MODP Group with 256-bit Prime Order
Subgroup) is required for US National Institute of Standards and Technology
(NIST) IPv6 compliance and ongoing FIPS-140 certification.

All users of openswan are advised to upgrade to these updated packages, which
fix these bugs and provide these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 524191 - openswan doesn't support HMAC-SHA1-96
• BZ - 549811 - Openswan (pluto) logs NSS password which should not happen
• BZ - 609343 - pluto crashes when removing logical interface
• BZ - 652733 - 2 tunnels (IPv4 and IPv6) do not work together using certs/keys
• BZ - 698248 - Rebase openswan in rhel5.8 with the one (including all patches) in RHEL6.1.

CVEs

(none)

References

(none)

Red Hat Enterprise Linux Server 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
x86_64
openswan-2.6.32-3.el5.x86_64.rpm	SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91
openswan-doc-2.6.32-3.el5.x86_64.rpm	SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2
ia64
openswan-2.6.32-3.el5.ia64.rpm	SHA-256: 784fb041338725847c6fd8b5e95442de175316801f99fe1f7856eb36bcbd7c32
openswan-doc-2.6.32-3.el5.ia64.rpm	SHA-256: d1e350c23eacaa9b928f5480e6a695c265b201892c8fda76d98907c48966f133
i386
openswan-2.6.32-3.el5.i386.rpm	SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66
openswan-doc-2.6.32-3.el5.i386.rpm	SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659

Red Hat Enterprise Linux Workstation 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
x86_64
openswan-2.6.32-3.el5.x86_64.rpm	SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91
openswan-doc-2.6.32-3.el5.x86_64.rpm	SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2
i386
openswan-2.6.32-3.el5.i386.rpm	SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66
openswan-doc-2.6.32-3.el5.i386.rpm	SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659

Red Hat Enterprise Linux Desktop 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
x86_64
openswan-2.6.32-3.el5.x86_64.rpm	SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91
openswan-doc-2.6.32-3.el5.x86_64.rpm	SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2
i386
openswan-2.6.32-3.el5.i386.rpm	SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66
openswan-doc-2.6.32-3.el5.i386.rpm	SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
s390x
openswan-2.6.32-3.el5.s390x.rpm	SHA-256: f5c7c379f9556728f295bb250df8f865d68b4451f1eb384300b996c81086a38e
openswan-doc-2.6.32-3.el5.s390x.rpm	SHA-256: a38e78f59ff8f5158954265091f94b789878c5d52b2bf4b530ced09ecac5292f

Red Hat Enterprise Linux for Power, big endian 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
ppc
openswan-2.6.32-3.el5.ppc.rpm	SHA-256: e66e33bdb308875148ddae0d56b6356e7258c98f46b0693285c4148bbc108efc
openswan-doc-2.6.32-3.el5.ppc.rpm	SHA-256: 3f3a52f220c84fb0a9d8d611762df2de968525f09412c344c314aac3c639bdb5

Red Hat Enterprise Linux Server from RHUI 5

SRPM
openswan-2.6.32-3.el5.src.rpm	SHA-256: f6a7dc32b8936fdc44029dbf286c00f37fd1399a1bd751a87f25922c030906d8
x86_64
openswan-2.6.32-3.el5.x86_64.rpm	SHA-256: 6405af7fe6da7434b0955c18bde7fbaf62feeb1e47e39b5f35fc7908df022c91
openswan-doc-2.6.32-3.el5.x86_64.rpm	SHA-256: c17d934ca080a4a6b46d51399356bdeccb860a59e676de12b322a4794a0329a2
i386
openswan-2.6.32-3.el5.i386.rpm	SHA-256: e733eeaba61ba56ad170ec127ffb24d7b06eaef12e6a6f8e9a9cd05377ad3a66
openswan-doc-2.6.32-3.el5.i386.rpm	SHA-256: 0a3e09236d405646111a8ec5bb43294080d8e34861bbaeb120f0caf7085e4659