[Openswan dev] [Announce] Openswan 2.6.29 released to address CVE-2010-3302 / CVE-2010-3308

Paul Wouters paul at xelerance.com
Mon Sep 27 13:36:47 EDT 2010

Xelerance has released openswan 2.6.29


This is an important security release that addresses two issues, for
which we have been assigned the following CVEs:

CVE-2010-3308: Openswan cisco banner option handling vulnerability
CVE-2010-3302: Openswan cisco DNS option handling vulnerability

ExecSum: openswan 2.6.25 up to 2.6.28, as a client authenticated to
a malicious XAUTH server when used with remote_peer_type=cisco, is
vulnerable to two buffer overflows and shell command injection.

CVE listings should appear shortly at:


Local copies can be obtained at the URLs below. These URLs also
contain patches that address these issues for those that cannot
upgrade to 2.6.29.


The full changeset for this release follows below. Notably, this release
includes the "L2TP cannot reconnect when using NETKEY" bugfix as well.

v2.6.29 (September 27, 2010)
! This release is made for CVE-2010-3302 and CVE-2010-3308
* XAUTH: Avoid buffer overflow in CISCO DNS info [dhr/paul]
          Avoid shell problems with single quotes CISCO DNS parameters [dhr/paul]
* XAUTH: Avoid buffer overflow in CISCO BANNER [dhr/paul]
          Avoid shell problems with single quotes in CISCO parameters [dhr/paul]
* NETKEY: Fix for spurious %hold netlink-acquires [Paul/dhr]
* KLIPS: Fix compiling on 2.6.18 based RHEL5 kernels [Paul]
* Various fixes based on automated source code review [dhr]
* SAREF: Updated for 2.6.35 kernel [Harald]
* KLIPS: Updated for 2.6.35 kernel [Harald]
* PACKAGING Use Epoch 1: for Debian/Ubuntu [Simon]
* MAST: fix iptables rule "leak" on rekey [Bart]
* MAST: use only the most recent iptables rule [Bart]
* pluto: restrict rekeymargin to be smaller than salifetime [Bart]
* MAST: ensure we don't end up with mtu=0 on mast0 [Bart/Paul]
* MAST: enforce outgoing tunnel policy [Bart]
* MAST: use addflow pfkey command to set policy on tunnel SAs [Bart]
* Added a new pfkey flag, POLICYONLY, to the ADDFLOW command [Bart]
* MAST: allow for setting of policy for inbound SAs [Bart]
* MAST: favour deleting an SA even if the pfkey op failed [Bart]
* HAVESTATSD: Log new phase2 messages as a result of a rekey [Paul]
* MAST: use iptables --comment to show the conn name [Bart]
* VNET: differentiate instantiation of road warriors and vnet [Paul]
* Log LEAK_DETECTIVE and HAVE_LIBNSS support on startup [Paul]
* [IKEv2] connections were broken since 2.6.25 [Avesh]
* MAST: new "ipsec policy" command replaces "ipsec eroute" [Bart]
* Fix SElinux warning in realsetup (bz628879) [Avesh]
* Support for SHA2_256 in IKEv2 (bz621790) [Avesh]
* IKEv2: Fix for using MD5 and PRF conversion function [Avesh]
* SAREF: Improved workaround for rp_filter [Bart]
* NSS: Increase minimum nss for rhbz#453577 [Paul]
   (this allows us to revert workaround in git 6c8ff2791d1)
* SAREF: Added /proc/net/ipsec/saref that shows kernel patch state [Bart]

Name: CVE-2010-3302.txt
Url: http://lists.openswan.org/pipermail/dev/attachments/20100927/5f828510/attachment.txt

Name: CVE-2010-3308.txt
Url: http://lists.openswan.org/pipermail/dev/attachments/20100927/5f828510/attachment-0001.txt
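
The changelog above names two bug classes in the handling of strings supplied by the XAUTH server: copies that overflow a fixed buffer, and single quotes that reach a shell. The C function below is an added example, not Openswan's code or its patch; the function name, the PEER_BANNER variable name, the buffer size and the sample banner are assumptions. It bounds every write and quotes the value so that it stays one shell word.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Openswan code): turn a length-delimited value
 * received from the peer into one single-quoted shell word inside a
 * fixed-size buffer. Returns the length written, or -1 when the value
 * cannot be represented; dst is then left as an empty string. */
int quote_peer_value(char *dst, size_t dstlen,
                     const unsigned char *src, size_t srclen)
{
    static const char esc[] = "'\\''";   /* close quote, literal ', reopen */
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (dstlen < 3)                       /* room for '' and the NUL */
        return -1;
    dst[o++] = '\'';
    for (size_t i = 0; i < srclen; i++) {
        /* n = number of output bytes this input byte expands to */
        size_t n = (src[i] == '\'') ? sizeof esc - 1 : 1;

        /* An embedded NUL would silently cut the C string short, and every
         * write must leave room for the closing quote and the NUL. */
        if (src[i] == '\0' || o + n + 2 > dstlen) {
            dst[0] = '\0';                /* fail closed, never truncate */
            return -1;
        }
        if (n == 1) {
            dst[o++] = (char)src[i];
        } else {
            memcpy(dst + o, esc, n);
            o += n;
        }
    }
    dst[o++] = '\'';
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a banner containing a single quote. */
    const unsigned char banner[] = "Welcome to Bob's VPN";
    char word[64];

    if (quote_peer_value(word, sizeof word, banner, sizeof banner - 1) > 0)
        printf("PEER_BANNER=%s\n", word);   /* PEER_BANNER is a made-up name */
    return 0;
}
```

Rejecting an oversized value instead of truncating it avoids handing the shell a word whose closing quote was cut off.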