Product SiteDocumentation Site

1.166.  openswan

1.166.1.  RHSA-2009:1138: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1138
Updated openswan packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
Multiple insufficient input validation flaws were found in the way Openswan's pluto IKE daemon processed some fields of X.509 certificates. A remote attacker could provide a specially-crafted X.509 certificate that would crash the pluto daemon. (CVE-2009-2185)
All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, the ipsec service will be restarted automatically.

1.166.2.  RHSA-2009:0402: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:0402
Updated openswan packages that fix various security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
Gerd v. Egidy discovered a flaw in the Dead Peer Detection (DPD) in Openswan's pluto IKE daemon. A remote attacker could use a malicious DPD packet to crash the pluto daemon. (CVE-2009-0790)
It was discovered that Openswan's livetest script created temporary files in an insecure manner. A local attacker could use this flaw to overwrite arbitrary files owned by the user running the script. (CVE-2008-4190)
Note: The livetest script is an incomplete feature and was not automatically executed by any other script distributed with Openswan, or intended to be used at all, as was documented in its man page. In these updated packages, the script only prints an informative message and exits immediately when run.
All users of openswan are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the ipsec service will be restarted automatically.

1.166.3.  RHEA-2009:1350: bug fix update

An updated openswan package that resolves several issues and provides FIPS-1402-2 compliance is now available.
Openswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up Openswan. It optionally also builds the Openswan KLIPS IPsec stack that is an alternative for the NETKEY/XFRM IPsec stack that exists in the default Linux kernel.
Openswan 2.6.x also supports IKEv2 (RFC 4309)
Bugs fixed in these updated packages include:
  • Openswan would not allow IPsec connections between a physical IP on one system and a virtual IP on another system if the physical IP on the first system was already connected to the physical IP on the second system that was associated with that virtual IP. Now, Openswan creates a new route if a route already exists. This allows simultaneous IPsec connections to a physical IP and the virtual IP associated with it. (BZ#438998)
  • the parser in lib/libipsecconf/ does not correctly interpret values supplied in manual keyring, and the use of the manual keyring could therefore result in a segmentation fault in Openswan. Because the manual keyring is no longer supported, Openswan will now exit with an error when ipsec manual up <connection-name> is used. (BZ#449725)
  • the ipsec.conf file included any .conf files placed in /etc/ipsec.d but Openswan's default installation did not place any files in this directory. Therefore, error messages similar to "could not open include filename: '/etc/ipsec.d/*.conf'" would appear when starting or stopping the IPsec service. Although the service operated correctly, the appearance of these error messages could mislead a user to think that there was a problem with IPsec. The ipsec.conf file now comments out the include of /etc/ipsec.d and contains a note suggesting that users uncomment the line and use /etc/ipsec.d for their customized configuration files. (BZ#463931)
  • Openswan did not close file decriptors on exec. The resulting file descriptor leaks would then cause AVC denial warnings on systems set to enforce SELinux policy. Openswan now closes file descriptors on exec, both for sockets that it has opened and for sockets that it has accepted. Because Openswan does not now leak these file descriptors, the corresponding AVC denial warnings do not appear. (BZ#466861)
  • Openswan's cryptographic methods did not meet the standards for FIPS 140-2 certification, therefore precluding the use of Openswan in environments that require this certification. Openswan now uses the NSS library and includes:
    • encryption/decryption algorithms (AES, 3DES)
    • hash and data integrity algorithm (MD5, SHA1, SHA2(256, 384, 512))
    • HMAC mechanisms for the above hash algorithms.
    • authentication with signature (without certificates) (DS_AUTH). Specifically, it uses RSA signatures.
    • authentication with signature (with x.509 certificates ) (DS_AUTH).
    • Oakley Diffie-Hellman (DH) related cryptographic operations.
    • random number generation through NSS.
    • support for NSS DB without and with password.
    • FIPS integrity check using fipscheck library
    • support for old (dbm) and new (sql) NSS databases (dbm)
  • Openswan now meets the FIPS 140-2 standard. (BZ#444801 , BZ#469763)
  • previously, the package description included a reference to a "freeswan enabled kernel". This reference could have mislead users into thinking that Openswan required some special kernel, when no such kernel exists. The reference has therefore been removed, eliminating the potential for confusion. (BZ#487708)
All users of openswan are advised to upgrade to this updated package, which resolves these issues.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.