Stay Connected:

ELBA-2021-9558

ELBA-2021-9558 - libreswan bug fix update

Type:BUG
Severity:NA
Release Date:2021-11-19

Description


[3.25-9.1.0.3]
- Add KDF self-tests for IKEV1 and IKEV2 [Orabug: 33094002]

[3.25-9.1.0.1]
- add libreswan-oracle.patch to detect Oracle Linux distro

[3.25-9.1]
- Resolves: rhbz#1844621 Backport FIPS keysize fixes from RHEL8

[3.25-9]
- Resolves: rhbz#1724200 libreswan: XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire

[3.25-8]
- Resolves: rhbz#1686991 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE

[3.25-7]
- Resolves: rhbz#1673105 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart

[3.25-6]
- Resolves: rhbz#1630355 Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N [updated]
- Resolves: rhbz#1679735 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure

[3.25-5]
- Resolves: rhbz#1639404 Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
- Resolves: rhbz#1630355 Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N
- Resolves: rhbz#1629902 libreswan assertion failed when OAKLEY_KEY_LENGTH is zero for IKE using AES_CBC
- Resolves: rhbz#1623279 [abrt] [faf] libreswan: strncpy(): /usr/libexec/ipsec/pluto killed by 11
- Resolves: rhbz#1625303 config: recursive include check doesn't work
- Resolves: rhbz#1664521 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits

[3.25-2]
- Resolves: rhbz#1597322 Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors

[3.25-1]
- Resolves: rhbz#1591817 rebase libreswan to 3.25
- Resolves: rhbz#1536404 CERT_PKCS7_WRAPPED_X509 error
- Resolves: rhbz#1544143 ipsec newhostkey fails in FIPS mode when RSA key is generated
- Resolves: rhbz#1574011 libreswan is missing a Requires: unbound-libs >= 1.6.6

[3.23-4]
- Resolves: rhbz#1544143 ipsec newhostkey fails in FIPS mode when RSA key is generated
- Resolves: rhbz#1553406 IKEv2 liveness false positive on IKEv2 idle connections causes tunnel to be restarted
- Resolves: rhbz#1572425 shared IKE SA leads to rekey interop issues

[3.23-3]
- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support [IANA update]

[3.23-2]
- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated]
- Resolves: rhbz#1375750 SECCOMP support for libreswan [updated]

[3.23-1]
- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated]

[3.23-0.1.rc4]
- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555) [client support]
- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated]
- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support
- Resolves: rhbz#1492501 Reboot or 'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel
- Resolves: rhbz#1324421 libreswan works not well when setting leftid field to be email address
- Resolves: rhbz#1136076 After IKE rekeying Pluto sends DPD even if there is active SA

[3.22-5]
- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555) [updated]
- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support
- Resolves: rhbz#1375776 [IKEv2 Conformance] Test IKEv2.EN.R.1.2.2.1: Receipt of retransmitted CREATE_CHILD_SA reques failed
- Resolves: rhbz#1375750 SECCOMP support for libreswan [updated for libunbound syscalls]
- Resolves: rhbz#1300763 Implement draft-ietf-ipsecme-split-dns for libreswan

[3.22-4]
- Resolves: rhbz#1463062 NIC-card hardware offload support backport

[3.22-3]
- Resolves: rhbz#1475434 Add support for AES-GMAC for ESP (RFC-4543) to libreswan
- Resolves: rhbz#1300759 Implement RFC-7427 Digital Signature authentication

[3.22-2]
- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555)
- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229

[3.22-1]
- Resolves: rhbz#1457904 rebase libreswan to 3.22 [updated]

[3.21-2]
- Resolves: rhbz#1499845 libreswan does not establish IKE with xauth enabled but modecfg disabled
- Resolves: rhbz#1497158 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128)

[3.21-1]
- Resolves: rhbz#1457904 rebase libreswan to 3.22

[3.20-3]
- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated]
- Resolves: rhbz#1458227 CAVS test driver does not work in FIPS mode
- Resolves: rhbz#1452672 (new-ksk-libreswan-el7) DNSSEC trust anchor cannot be updated without recompilation

[3.20-2]
- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels
- Resolves: rhbz#1444115 FIPS: libreswan must generate RSA keys with a minimal exponent of F4, nor E=3
- Resolves: rhbz#1341353 Allow Preshared Key authentication in FIPS mode for libreswan

[3.20-1]
- Resolves: rhbz#1399883 rebase libreswan to 3.20 (full release)

[3.20-0.1.dr3]
- Resolves: rhbz#1399883 rebase libreswan to 3.20

[3.15-8]
- Resolves: rhbz#1361721 libreswan pluto segfault [UPDATED]
- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request [UPDATED]
- Resolves: rhbz#1309764 ipsec barf [additional man page update and --no-pager]

[3.15-7]
- Resolves: rhbz#1311360 When IKE rekeys, if on a different tunnel, all subsequent attempts to rekey fail
- Resolves: rhbz#1361721 libreswan pluto segfault

[3.15-6]
- Resolves: rhbz#1283468 keyingtries=0 is broken
- Resolves: rhbz#1297816 When using SHA2 as PRF algorithm, nonce payload is below the RFC minimum size
- Resolves: rhbz#1344567 CVE-2016-5361 libreswan: IKEv1 protocol is vulnerable to DoS amplification attack
- Resolves: rhbz#1313747 ipsec pluto returns zero even if it fails
- Resolves: rhbz#1302778 fips does not check hash of some files (like _import_crl)
- Resolves: rhbz#1278063 Unable to authenticate with PAM for IKEv1 XAUTH
- Resolves: rhbz#1257079 Libreswan doesn't call NetworkManager helper in case of a connection error
- Resolves: rhbz#1272112 ipsec whack man page discrepancies
- Resolves: rhbz#1280449 PAM xauth method does not work with pam_sss
- Resolves: rhbz#1290907 ipsec initnss/checknss custom directory not recognized
- Resolves: rhbz#1309764 ipsec barf does not show pluto log correctly in the output
- Resolves: rhbz#1347735 libreswan needs to check additional CRLs after LDAP CRL distributionpoint fails
- Resolves: rhbz#1219049 Pluto does not handle delete message from responder site in ikev1
- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request
- Resolves: rhbz#1315412 ipsec.conf manpage does not contain any mention about crl-strict option
- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address

[3.15-5]
- Resolves: rhbz#1271811 libreswan FIPS test mistakenly looks for non-existent file hashes

[3.15-4]
- Resolves: rhbz#1267370 libreswan should support strictcrlpolicy alias
- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address
- Resolves: rhbz#1166146 Pluto crashes on INITIATOR site during 'service ipsec stop'
- Resolves: rhbz#1259209 CVE-2015-3240
- Resolves: rhbz#1199374 libreswan does not enforce all FIPS or IPsec Suite B restrictions
- Resolves: rhbz#1207689 libreswan ignores module blacklist rules
- Merge rhel6 and rhel7 spec into one
- Be lenient for racoon padding behaviour
- Fix seedev option to /dev/random
- Some IKEv1 PAM methods always gave 'Permission denied'
- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7
- Parser fix to allow specifying time without unit (openswan compat)
- Fix Labeled IPsec on rekeyed IPsec SA's
- Workaround for wrong padding by racoon2
- Disable NSS HW GCM to workaround rhel6 xen builers bug

[3.12-12]
- Resolves: rhbz#1212121 Support CAVS [updated bogus fips mode fix]

[3.12-11]
- Resolves: rhbz#1226408 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart

[3.12-10]
- Resolves: rhbz#1212121 Support CAVS testing of the PRF/PRF+ functions
- Resolves: rhbz#1127313 Libreswan with IPv6 [updated patch by Jaroslav Aster]
- Resolves: rhbz#1207689 libreswan ignores module blacklist [updated modprobe handling]
- Resolves: rhbz#1218358 pluto crashes in fips mode without dracut-fips package

[3.12-6]
- Resolves: rhbz#1056559 loopback support deprecated
- Resolves: rhbz#1182224 Add new option for BSI random requirement
- Resolves: rhbz#1170018 [increase] SELinux context string size limit
- Resolves: rhbz#1127313 Libreswan with IPv6 in RHEL7 fails after reboot
- Resolves: rhbz#1207689 libreswan ignores module blacklist rules
- Resolves: rhbz#1203794 pluto crashes in fips mode

[3.12-5]
- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)
- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup)

[3.12-4]
- Resolves: rhbz#1134297 aes-ctr cipher is not supported
- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling)

[3.12-2]
- Resolves: rhbz#1105171 (Update man page entry)
- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2)
- Resolves: rhbz#1074018 Audit key agreement

[3.12-1]
- Resolves: rhbz#1136124 rebase to libreswan 3.12
- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header)
- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request

[3.11-2]
- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix)

[3.11-1]
- Resolves: rhbz#1136124 rebase to libreswan 3.11
- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer
- Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN
- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit
- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used
- Resolves: rhbz#1108256 addconn compatibility with openswan
- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail
- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail
- Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA
- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator
- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response
- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly
- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running.
- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs
- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance
- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance
- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual
- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA

[3.10-3]
- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup)

[3.10-2]
- Resolves: rhbz#1136124 rebase to libreswan 3.10

[3.8-6]
- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root

[3.8-5]
- Resolves: rhbz#1052834 create_child_sa message ID handling

[3.8-4]
- Resolves: rhbz#1052834 create_child_sa response

[3.8-3]
- Resolves: rhbz#1069024 erroneous debug line with mixture [...]
- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts
- Resolves: rhbz#1058813 newhostkey returns zero value when it fails

[3.8-2]
- Mass rebuild 2014-01-24

[3.8-1]
- Resolves: rhbz#CVE-2013-6467
- Resolves: rhbz#1043642 rebase to version 3.8
- Resolves: rhbz#1029912 ipsec force-reload doesn't work
- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan
- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration

[3.6-3]
- Mass rebuild 2013-12-27

[3.6-2]
- Fix race condition in post for creating nss db

[3.6-1]
- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)
- Generate empty NSS db if none exists
- FIPS update using /etc/system-fips
- Provide: openswan-doc

[3.5-2]
- rebuilt and bumped EVR to avoid confusion of import->delete->import
- require iproute

[3.5-1]
- Initial package for RHEL7
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
bytes of extraneous IKE data
- Removed fipscheck_version




Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 7 (x86_64) libreswan-3.25-9.1.0.3.el7_8.src.rpm05412228e2266f9dd4696251fed47c60-
libreswan-3.25-9.1.0.3.el7_8.x86_64.rpm909e3de4d162a60d78ace46cc45ef339-



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete
Subscribe | Careers | Contact Us | Legal Notices | Terms of Use | Your Privacy Rights