- Issued:
- 2005-03-23
- Updated:
- 2005-03-23
RHSA-2005:232 - Security Advisory
Synopsis
ipsec-tools security update
Type/Severity
Security Advisory: Moderate
Topic
An updated ipsec-tools package that fixes a bug in parsing of ISAKMP headers
is now available.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
Description
The ipsec-tools package is used in conjunction with the IPsec functionality
in the linux kernel. The ipsec-tools package includes:
- setkey, a program to directly manipulate policies and SAs
- racoon, an IKEv1 keying daemon
A bug was found in the way the racoon daemon handled incoming ISAKMP
requests. It is possible that an attacker could crash the racoon daemon by
sending a specially crafted ISAKMP packet. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0398 to
this issue.
Additionally, the following issues have been fixed:
- racoon mishandled restarts in the presence of stale administration sockets.
- on Red Hat Enterprise Linux 4, racoon and setkey did not properly set up
forward policies, which prevented tunnels from working.
Users of ipsec-tools should upgrade to this updated package, which contains
backported patches, and is not vulnerable to these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Server 3 x86_64
- Red Hat Enterprise Linux Server 3 ia64
- Red Hat Enterprise Linux Server 3 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Workstation 3 x86_64
- Red Hat Enterprise Linux Workstation 3 ia64
- Red Hat Enterprise Linux Workstation 3 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux Desktop 3 x86_64
- Red Hat Enterprise Linux Desktop 3 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for IBM z Systems 3 s390x
- Red Hat Enterprise Linux for IBM z Systems 3 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
- Red Hat Enterprise Linux for Power, big endian 3 ppc
Fixes
- BZ - 145531 - CAN-2005-0398 racoon DoS
- BZ - 145535 - CAN-2005-0398 racoon DoS
- BZ - 148950 - racoon unable to start with stale socket /tmp/.racoon
- BZ - 150179 - ipsec/racoon/setkey does not properly forward packets to vpn peer
CVEs
References
(none)
Red Hat Enterprise Linux Server 4
| SRPM | |
|---|---|
| ipsec-tools-0.3.3-6.src.rpm | SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16 |
| x86_64 | |
| ipsec-tools-0.3.3-6.x86_64.rpm | SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd |
| ipsec-tools-0.3.3-6.x86_64.rpm | SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd |
| ia64 | |
| ipsec-tools-0.3.3-6.ia64.rpm | SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e |
| ipsec-tools-0.3.3-6.ia64.rpm | SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e |
| i386 | |
| ipsec-tools-0.3.3-6.i386.rpm | SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df |
| ipsec-tools-0.3.3-6.i386.rpm | SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df |
Red Hat Enterprise Linux Workstation 4
| SRPM | |
|---|---|
| ipsec-tools-0.3.3-6.src.rpm | SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16 |
| x86_64 | |
| ipsec-tools-0.3.3-6.x86_64.rpm | SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd |
| ia64 | |
| ipsec-tools-0.3.3-6.ia64.rpm | SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e |
| i386 | |
| ipsec-tools-0.3.3-6.i386.rpm | SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df |
Red Hat Enterprise Linux Desktop 4
| SRPM | |
|---|---|
| ipsec-tools-0.3.3-6.src.rpm | SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16 |
| x86_64 | |
| ipsec-tools-0.3.3-6.x86_64.rpm | SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd |
| i386 | |
| ipsec-tools-0.3.3-6.i386.rpm | SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df |
Red Hat Enterprise Linux for IBM z Systems 4
| SRPM | |
|---|---|
| ipsec-tools-0.3.3-6.src.rpm | SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16 |
| s390x | |
| ipsec-tools-0.3.3-6.s390x.rpm | SHA-256: c36d4db3242c336e8ea097ebe00a44d10f19913f4eeb6515035546f9aafedbe5 |
| s390 | |
| ipsec-tools-0.3.3-6.s390.rpm | SHA-256: 7e07c4c56856e70b8400a04763a4e01d9c4e272e76850077105c0b2f578e0b41 |
Red Hat Enterprise Linux for Power, big endian 4
| SRPM | |
|---|---|
| ipsec-tools-0.3.3-6.src.rpm | SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16 |
| ppc | |
| ipsec-tools-0.3.3-6.ppc.rpm | SHA-256: df8c6992e483f722622296c0df9fbeea1777b8a3a857a942e9bdd2d9439cb1c0 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.