[Openswan dev] Openswan 2.6.39 released, fixes CVE-2013-2053

Mattias Walström mattias.walstrom at westermo.se
Mon Jun 17 14:15:01 UTC 2013


Hi!
Just upgraded from 2.6.38 to 2.6.39 and noticed a problem: if the tunnel goes down and up again,
the routes are not set as they should be in the kernel the second time it comes up.

Applied the following patch from libreswan:
https://github.com/libreswan/libreswan/commit/f58b4a322c54062994bd7bb0417553380f0d2f91

This fixed the problems for me.

Mattias

On 2013-06-03 22:51, Patrick Naubert wrote:
> Openswan 2.6.39 released to the community
>
> http://download.openswan.org/openswan/openswan-2.6.39.tar.gz
> http://download.openswan.org/openswan/openswan-2.6.39.tar.gz.sig
>
> Fixes CVE-2013-2053, Linux kernel 3.9 compile problems, and includes compilation hardening.
>
> This is a security release.
>
> Please be aware that the patches made available for Openswan for this CVE, by the Libreswan community, were never reviewed by Xelerance before their publication by the Libreswan team.  The final fix deployed in this release addresses the vulnerability itself and doesn't rely on LIBNSS compile flags being true.
>
> Additionally, we are entertaining a new version numbering system for the next releases.
>
> Monitor http://www.openswan.org/projects/openswan/news for further information.
>
> v2.6.39 (May 31, 2013)
> 	• Hardening patches from Florian Weimer
> 	• Created .in files for distro packages [Patrick]
> 	• Target deb builds for Precise instead of Lucid [Simon]
> 	• Enable hardened builds by default [Simon]
> 	• Bring 'ipsec policy' back from the dead [Simon]
> 	• Drop the builddep on htmldoc and man2html as those are not needed anymore [Simon]
> 	• CVE-2013-2053 fix: Integrated fix from Andreas Steffan
> 	• Refactor x509dn to separate out atodn from other functions [MCR]
> 	• Fixed regression test to be 64-bit and IPv6 aware [MCR]
> 	• Patches for kernel 3.9 and changes to work with Linux 3.9 [MCR]
> 	• Nightly builds fixes and whitespace fixes [MCR]
> 	• Fix for three AES-GCM issues with key lengths 128, 192, 256 bits and IV of 8, 12, 16 bytes as per RFC 4106 [Avesh]
> 	• SAREF: kernel patches updated to linux 3.2.0 [Simon]
> 	• Refresh debian/control files to point to the right git URL [Simon]
> 	• KLIPS: startklips-ip_route patch [Harald]
> 	• MAST: updown.mast-scriptfix patch [Harald]
> 	• Refresh debian/po from Debian [Simon]
> 	• Fixed ipsec verify to avoid perl and use python instead. It helps during minimum install so that openswan does not have to pull perl packages, and it keeps minimal install really minimum. Also removed compilation of ipsec policy subprogram as it is not needed with NETKEY. [Paul]
> 	• NATT: rhbz #834400 NAT-OA reserved field issue. [Avesh]
> 	• rhbz #834396 Coverity scan fixes, warnings, dead code. [Avesh]
> 	• rhbz #785180 openswan uses ifconfig which is deprecated. [Avesh]
> 	• barf: ipsec barf should not grep sparse file. [Paul]
> 	• XAUTH: Phase15 as xauth and modecfg is called in openswan is not handled properly when only xauth (without modecfg) is used. [Avesh]
> 	• Interop: Fixes to interop issues (related to updating/removing local interface with remote ip address and removing local routes) between cisco ASA and openswan. [Avesh]
> 	• XAUTH: Fixes to interop issues between cisco ASA and openswan in main mode. These fixes prevent xauth/modecfg negotiation during IKE rekey in main mode. [Avesh]
> 	• rhbz #831676 [Avesh]
> 	• IKE: ikev1 aes-gcm esp fixes [Avesh]
> 	• IKE: ikev1/ikev2 sha2-256 related changes [Avesh]
> 	• rhbz#609343: pluto crashes when removing logical interface [Avesh]
> 	• Reading password from a file when creating keys. [Avesh]
> 	• IKEv2: IKEv2 RFC4306/5996 related changes [Avesh]
> 	• Interop: Fixes to solve interop issues between cisco ASA and openswan in aggressive mode. [Avesh]
> 	• Fix for the issue where ipsec help shows the list twice (rhbz 524146, 509318) [Avesh]
> 	• relpath changes [Avesh]
> 	• Bugtracker bugs fixed:
> #1308 forceencaps= setting does now show up in "ipsec auto --status" [Matt Rogers]
> #1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38 tree [Steve Lanser]
> #1349 pluto logging no subjectAltName matches ID '%fromcert', replaced by subject DN [Tuomo]
> #1371 SAref patches 3.2.0 [Simon]
> 	• Fix url to bugs system. [Tuomo]