RHBA-2014:1049 - Bug Fix Advisory

Topic

Updated libreswan packages that fix one bug are now available for Red Hat
Enterprise Linux 7.

Description

Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet
Protocol Security and uses strong cryptography to provide both authentication
and encryption services. These services allow you to build secure tunnels
through untrusted networks such as virtual private network (VPN).

• Previously, applications generating libreswan configuration files as non-root

had to change the ownership of these files to root, otherwise libreswan could
refuse to use these configuration files due to releasing the capability
to read non-root owned files (CAP_DAC_OVERRIDE). With this update, libreswan
releases the CAP_DAC_OVERRIDE capability after reading all its configuration
files. As a result, libreswan reads its configuration files successfully even
when these files are not owned by the root user. (BZ#1119723)

Users of libreswan are advised to upgrade to these updated packages, which fix
this bug.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 x86_64
• Red Hat Enterprise Linux Server - AUS 7.7 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Server - AUS 7.4 x86_64
• Red Hat Enterprise Linux Server - AUS 7.3 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
• Red Hat Enterprise Linux Server from RHUI 7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux Server - TUS 7.3 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.3 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64

Fixes

• BZ - 1119723 - Due to lack of CAP_DAC_OVERRIDE, pluto cannot write to directories not owned by root

CVEs

(none)

References

(none)