RHBA-2015:0431 - Bug Fix Advisory

Topic

Updated libreswan packages that fix multiple bugs and add various enhancements
are now available for Red Hat Enterprise Linux 7.

Description

Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the Internet
Protocol Security and uses strong cryptography to provide both authentication
and encryption services. These services allow you to build secure tunnels
through untrusted networks such as a virtual private network (VPN).

The libreswan packages have been upgraded to upstream version 3.12, which
provides a number of bug fixes and enhancements over the previous version. Among
others, this update increased interoperability with the Internet Key Exchange
(IKEv2) protocol, as well as with Cisco devices. Also, the IKE daemon no longer
listens before it has loaded all connections at startup, which reduces failure
messages. In addition, support for the SHA2 algorithm has been improved and
support for the AH algorithm and for the Advanced Encryption Standard (AES) in
Galois/Counter Mode (GCM) for IKEv2 has been added. (BZ#1136124)

Users of libreswan are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 x86_64
• Red Hat Enterprise Linux Server - AUS 7.7 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Server - AUS 7.4 x86_64
• Red Hat Enterprise Linux Server - AUS 7.3 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
• Red Hat Enterprise Linux Server from RHUI 7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux Server - TUS 7.3 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.3 x86_64

Fixes

• BZ - 826264 - aes-gcm implementation support for libreswan
• BZ - 1052811 - [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response
• BZ - 1055865 - [TAHI][IKEv2] libreswan do not ignore the content of version bit
• BZ - 1092047 - Due to lack of CAP_DAC_OVERRIDE, pluto cannot write to directories not owned by root
• BZ - 1099877 - Missing man-pages ipsec_whack, ipsec_manual
• BZ - 1100239 - ikev2 IKE SA responder does not send delete request to IKE SA initiator
• BZ - 1100255 - libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA
• BZ - 1100261 - libreswan does not send response when when it receives Delete Payload for a CHILD_SA
• BZ - 1105171 - Libreswan doesn't work with some ike options.
• BZ - 1108256 - addconn compatibility with openswan
• BZ - 1131503 - [TAHI][IKEv2]IKEv2.EN.R.1.1.6.8.A: responder sends a non-zero responder SPI when receive invalid KE payload
• BZ - 1136124 - rebase to libreswan 3.12
• BZ - 1145231 - libreswan 3.10 upgrade breaks old ipsec.secrets configs
• BZ - 1145245 - Libreswan appears to start with systemd before all the NICs are up and running.
• BZ - 1146106 - Pluto crashes after start when some ah algorithms are used
• BZ - 1147693 - NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN
• BZ - 1152625 - [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail
• BZ - 1157379 - [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request
• BZ - 1162770 - ipsec.conf man page lacks example for AES-GCM configuration

CVEs

(none)

References

(none)