RHBA-2014:1588 - Bug Fix Advisory

Topic

Updated openswan packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of Internet Protocol Security (IPsec) and
Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both
authentication and encryption services that allow to build secure tunnels
through untrusted networks.

This update fixes the following bugs:

• When using the protoport option in combination with the type=passthrough

setting to exclude traffic from encryption, an incorrect inverse policy was
installed and the exclusion was not successful. Now, the correct policy is
installed in the described situation. (BZ#739949)

• Starting multiple connections with the leftsubnets= or auto=start options led

to a crypto overload and subsequent restart of Openswan. The pluto cryptohelper
has been fixed to prevent the overload. (BZ#834397)

• The ikev2=insist setting was not enforced on the responder side, allowing an

IKEv1 connection to be established instead. This bug has been fixed and
ikev2=insist is no longer ignored. (BZ#970279)

• This update fixes multiple lingering states after reestablishing IKEv2 keys.

(BZ#970349)

• This update enforces the limits set with esp, phase1alg, and andphase2alg

options. Previously, any algorithm of the default set (aes, 3des, sha1, md5) was
always allowed, regardless of the above options. (BZ#988106)

• IKEv2 delete payloads were not always properly delivered to the remote

peer, leaving the remote endpoint with lingering unused connections. Now, IKEv2
delete payloads are delivered as expected. (BZ#993124)

• This update modifies the rightid=%fromcert option to load IDs from the local

certificate when set for the local end, and from the certificate delivered by
the remote peer when set for the peer end. (BZ#1002708)

• The "ipsec ikeping" command did not recognize the --exchangenum option. This

option is now recognized correctly. (BZ#1019746)

• This update fixes a crash of the IKE pluto daemon when using the SHA2

encryption family with the ike= option with IKEv2. (BZ#1021961)

• Openswan no longer drops various privileges too soon, which prevented it from

reading configuration files in directories not owned by root. (BZ#1041576)

• The IKE pluto daemon occasionally crashed and restarted when referencing

missing IKEv2 payloads. The Openswan's state machine has been updated to reject
packets with missing payloads. (BZ#1050340)

• This update fixes the compatibility problems with older versions of Cisco VPN

introduced in the previous update of the openswan packages. (BZ#1070356)

• After restarting the remote endpoint, the sourceip option was not properly

reset in the local route entry. This bug has been fixed. (BZ#1088656)

• If there was no NSS database available, the IKE pluto daemon

created a nonfunctional replacement. A missing NSS database is now created
before the pluto daemon starts and in the %post phase of the package install,
which fixes this bug. (BZ#1092913)

• The "ipsec newhostkey" command did not return a correct non-zero exit code in

case of failure, for example when generating keys of insufficient strength. Now,
ipsec newhostkey returns the correct exit code. (BZ#1098473)

• Configuring an AH algorithm for IKEv2, or various non-standard ESP algorithms

for IKEv1 or IKEv2 (such as CAST, RIPEMD160 or CAMELLIA) caused the IKE pluto
daemon to terminate unexpectedly and restart. This bug has been fixed and pluto
no longer crashes when AH or ESP algorithms are configured. (BZ#1114683)

• Using the "force_busy=yes" developer option to force anti-DDOS mode in IKEv2

caused the IKE pluto daemon to crash and restart. This bug has been fixed and
pluto no longer crashes in the described situation.
(BZ#1126066)

In addition, this update adds the following enhancements:

• This update enhances and clarifies man pages shipped with the openswan

packages. (BZ#730975, BZ#1018327, BZ#1099871, BZ#1105179)

Users of openswan are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 730975 - Openswan doesn't work with ike=modp1536 option
• BZ - 739949 - Openswan net-to-net not work with unencrypted connection on specific port, when all other connections are encrypt.
• BZ - 834397 - ikev2 crashes when firing up a few conns at once
• BZ - 1018327 - ipsec.conf man page lacks example for AES-GCM configuration
• BZ - 1019746 - ipsec ikeping does not recognize --exchangenum parameter
• BZ - 1021961 - pluto abort when using SHA2_{384,512} IKE encryption algorithm
• BZ - 1041576 - Due to lack of CAP_DAC_OVERRIDE, pluto cannot write to directories not owned by root
• BZ - 1070356 - openswan breaks NAT-T draft clients (and possibly ike fragmentation)
• BZ - 1092913 - The default nss database created by ipsec can not be used
• BZ - 1098473 - ipsec newhostkey returns 0 even if it fails and allows new RSA keys < 2048
• BZ - 1099871 - Missing man-page ipsec_whack
• BZ - 1105179 - ipsec_auto --ready doesn't work properly
• BZ - 1114683 - configuring a non-standard AH / ESP algorithm (like CAST) cause a restart of pluto
• BZ - 1126066 - dcookie code enabled with force_busy=yes uses bad pointer causing restart

CVEs

(none)

References

(none)