Synopsis
libreswan bug fix and enhancement update
Type/Severity
Product Enhancement Advisory
Topic
Updated libreswan packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 7.
Description
Libreswan is an implementation of IPsec and IKE for Linux. IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks, such as a virtual private network (VPN).
This update fixes the following bugs:
- While running in FIPS mode, Libreswan incorrectly checked the length of X.509 public keys as if it were expressed in bytes. Consequently, 3072-bit keys were incorrectly detected as 384-bit and rejected. With this update, the check has been fixed to count in bits instead of bytes, and the keys are no longer incorrectly rejected in the described scenario. (BZ#1665369)
- Prior to this update, Libreswan could use deleted objects while printing errors, and it also did not properly fail when the AES key size was less than 128 bits. As a consequence, the pluto daemon crashed with a failed assertion when the IPsec initiator sent "OAKLEY_KEY_LENGTH == 0 (0x00)" for the AES_CBC encryption algorithm. The error printing has been simplified and the AES key size check has been added to an earlier phase. As a result, Libreswan now correctly handles the described scenario. (BZ#1660536)
- Previously, Libreswan continued to process an IKEv1 packet after it had already processed a delete payload. Consequently, Libreswan had deleted the IKE session state, then tried to read the next payload from that deleted state and crashed. The handling of such packets has been fixed, and Libreswan now correctly stops processing payloads once it processes a delete payload. (BZ#1660542)
- Prior to this update, the recursive include function was not implemented correctly. As a consequence, the "systemctl start ipsec" command hung and the addconn process used 100% of CPU resources when a recursive include was used in IPsec configuration files. The include processing has been fixed, and recursive includes now work properly. (BZ#1660544)
- Previously, Libreswan incorrectly passed the zero-length IKEv1 XAUTH password as NULL to the crypt() function. Consequently, Libreswan crashed with the "strncpy(): /usr/libexec/ipsec/pluto killed by 11" message. This has been fixed, and Libreswan now processes IKEv1 empty passwords correctly. (BZ#1664244)
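The delete-payload fix above (BZ#1660542) can be illustrated with a simplified payload walker that stops as soon as the session state has been deleted. This is an added example, not libreswan code: `struct session`, `handle_payload` and `process_payloads` are hypothetical names and the sample bytes are constructed; only the payload type numbers and the generic header layout come from RFC 2408.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* ISAKMP payload type numbers (RFC 2408). */
enum { PL_NONE = 0, PL_NOTIFY = 11, PL_DELETE = 12 };

/* Hypothetical stand-in for IKE session state; not libreswan's struct. */
struct session { unsigned notifies_seen; };
/* Constructed sample: notify, delete, notify, each a bare 4-byte header. */
static const uint8_t SAMPLE[] = { 12, 0, 0, 4,   11, 0, 0, 4,   0, 0, 0, 4 };

/* A delete payload frees the state and clears the caller's pointer. */
static void handle_payload(struct session **st, uint8_t type)
{
    if (type == PL_DELETE) { free(*st); *st = NULL; }
    else if (type == PL_NOTIFY) (*st)->notifies_seen++;
}

/* Generic header: next(1) reserved(1) length(2, big endian). -1 if malformed. */
int process_payloads(struct session **st, uint8_t first, const uint8_t *buf, size_t len)
{
    int handled = 0;
    size_t off = 0;
    for (uint8_t type = first; type != PL_NONE; ) {
        if (len - off < 4)
            return -1;                      /* truncated header */
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 4 || plen > len - off)
            return -1;                      /* length outside the packet */
        handle_payload(st, type);
        handled++;
        if (*st == NULL)
            break;                          /* state deleted: ignore the rest */
        type = buf[off];                    /* type of the following payload */
        off += plen;
    }
    return handled;
}

int main(void)
{
    struct session *st = calloc(1, sizeof *st);
    if (st == NULL) return 1;
    int n = process_payloads(&st, PL_NOTIFY, SAMPLE, sizeof SAMPLE);
    printf("handled %d payloads, state %s\n", n, st ? "alive" : "deleted");
    free(st);
    return 0;
}
```

Without the `*st == NULL` check, the trailing notify payload in the sample would be handled against freed state, which is the crash condition the advisory describes.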
In addition, this update adds the following enhancement:
- With this update, Libreswan uses the recently added IPsec profiles functionality in the NSS library to validate certificates. This applies the certificate validation for IKE specified in RFC 4945. Prior to this, the NSS library interpreted Extended Key Usage (EKU) attributes according to TLS profiles instead of IPsec profiles. As a result, Libreswan now accepts X.509 certificates containing non-empty EKU attributes that do not contain the serverAuth and clientAuth attributes. (BZ#1655440)
Users of libreswan are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
- Red Hat Enterprise Linux Server - AUS 7.6 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
- Red Hat Enterprise Linux Workstation 7 x86_64
- Red Hat Enterprise Linux Desktop 7 x86_64
- Red Hat Enterprise Linux for IBM z Systems 7 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
- Red Hat Enterprise Linux for Power, big endian 7 ppc64
- Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
- Red Hat Enterprise Linux for Power, little endian 7 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
- Red Hat Enterprise Linux Server - TUS 7.6 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
- Red Hat Enterprise Linux for ARM 64 7 aarch64
- Red Hat Enterprise Linux for Power 9 7 ppc64le
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 7.6 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.6 x86_64
- Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x
- Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le
Fixes
- BZ - 1664244 - [abrt] [faf] libreswan: strncpy(): /usr/libexec/ipsec/pluto killed by 11 [rhel-7.6.z]
- BZ - 1665369 - libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits [rhel-7.6.z]
Note: More recent versions of these packages may be available.
Packages
SRPM
- libreswan-3.25-4.1.el7_6.src.rpm
x86_64
- libreswan-3.25-4.1.el7_6.x86_64.rpm
- libreswan-debuginfo-3.25-4.1.el7_6.x86_64.rpm
s390x
- libreswan-3.25-4.1.el7_6.s390x.rpm
- libreswan-debuginfo-3.25-4.1.el7_6.s390x.rpm
ppc64
- libreswan-3.25-4.1.el7_6.ppc64.rpm
- libreswan-debuginfo-3.25-4.1.el7_6.ppc64.rpm
ppc64le
- libreswan-3.25-4.1.el7_6.ppc64le.rpm
- libreswan-debuginfo-3.25-4.1.el7_6.ppc64le.rpm
aarch64
- libreswan-3.25-4.1.el7_6.aarch64.rpm
- libreswan-debuginfo-3.25-4.1.el7_6.aarch64.rpm