[Openswan dev] Openswan 2.6.39 released, fixes CVE-2013-2053
Simon Deziel
simon at xelerance.com
Fri Jun 28 19:10:15 UTC 2013
Hi Mattias,
Thanks for reporting this along with a commit ID. We applied it to
Openswan's git a few days ago and forgot to report about it afterward.
Thanks again,
Simon
On 13-06-17 10:15 AM, Mattias Walström wrote:
> Hi!
> Just upgraded from 2.6.38 to 2.6.39 and noticed a problem: if the tunnel
> goes down and up again, the routes are not set as they should be in the
> kernel the second time it comes up.
>
> Applied the following patch from libreswan:
> https://github.com/libreswan/libreswan/commit/f58b4a322c54062994bd7bb0417553380f0d2f91
>
>
> This fixed the problems for me.
>
> Mattias
>
> On 2013-06-03 22:51, Patrick Naubert wrote:
>> Openswan 2.6.39 released to the community
>>
>> http://download.openswan.org/openswan/openswan-2.6.39.tar.gz
>> http://download.openswan.org/openswan/openswan-2.6.39.tar.gz.sig
>>
>> Fixes CVE-2013-2053, Linux kernel 3.9 compile problems, and includes
>> compilation hardening.
>>
>> This is a security release.
>>
>> Please be aware that the patches made available for Openswan for this
>> CVE, by the Libreswan community, were never reviewed by Xelerance
>> before their publication by the Libreswan team. The final fix
>> deployed in this release addresses the vulnerability itself and
>> doesn't rely on LIBNSS compile flags being true.
>>
>> Additionally, we are entertaining a new version numbering system for
>> the next releases.
>>
>> Monitor http://www.openswan.org/projects/openswan/news for further
>> information.
>>
>> v2.6.39 (May 31, 2013)
>> • Hardening patches from Florian Weimer
>> • Created .in files for distro packages [Patrick]
>> • Target deb builds for Precise instead of Lucid [Simon]
>> • Enable hardened builds by default [Simon]
>> • Bring 'ipsec policy' back from the dead [Simon]
>> • Drop the builddep on htmldoc and man2html as those are not
>> needed anymore [Simon]
>> • CVE-2013-2053 fix: Integrated fix from Andreas Steffan
>> • Refactor x509dn to separate out atodn from other functions [MCR]
>> • Fixed regression test to be 64-bit and IPv6 aware [MCR]
>> • Patches for kernel 3.9 and changes to work with Linux 3.9 [MCR]
>> • Nightly builds fixes and whitespace fixes [MCR]
>> • Fix for three AES-GCM issues with key lengths 128, 192, 256 bits
>> and IV of 8, 12, 16 bytes as per RFC 4106 [Avesh]
>> • SAREF: kernel patches updated to linux 3.2.0 [Simon]
>> • Refresh debian/control files to point to the right git URL [Simon]
>> • KLIPS: startklips-ip_route patch [Harald]
>> • MAST: updown.mast-scriptfix patch [Harald]
>> • Refresh debian/po from Debian [Simon]
>> • Fixed ipsec verify to avoid perl and use python instead. It
>> helps during minimum install so that openswan does not have to pull
>> perl packages, and it keeps minimal install really minimum. Also
>> removed compilation of ipsec policy subprogram as it is not needed
>> with NETKEY. [Paul]
>> • NATT: rhbz #834400 NAT-OA reserved field issue. [Avesh]
>> • rhbz #834396 Coverity scan fixes, warnings, dead code. [Avesh]
>> • rhbz #785180 openswan uses ifconfig which is deprecated. [Avesh]
>> • barf: ipsec barf should not grep sparse file. [Paul]
>> • XAUTH: Phase15 as xauth and modecfg is called in openswan is not
>> handled properly when only xauth (without modecfg) is used. [Avesh]
>> • Interop: Fixes to interop issues (related to updating/removing
>> local interface with remote ip address and removing local routes)
>> between cisco ASA and openswan. [Avesh]
>> • XAUTH: Fixes to interop issues between cisco ASA and openswan in
>> main mode. These fixes prevent xauth/modecfg negotiation during IKE
>> rekey in main mode. [Avesh]
>> • rhbz #831676 [Avesh]
>> • IKE: ikev1 aes-gcm esp fixes [Avesh]
>> • IKE: ikev1/ikev2 sha2-256 related changes [Avesh]
>> • rhbz#609343: pluto crashes when removing logical interface [Avesh]
>> • Reading password from a file when creating keys. [Avesh]
>> • IKEv2: IKEv2 RFC4306/5996 related changes [Avesh]
>> • Interop: Fixes to solve interop issues between cisco ASA and
>> openswan in aggressive mode. [Avesh]
>> • Fix for the issue where ipsec help shows the list twice (rhbz
>> 524146, 509318) [Avesh]
>> • relpath changes [Avesh]
>> • Bugtracker bugs fixed:
>> #1308 forceencaps= setting does now show up in "ipsec auto --status"
>> [Matt Rogers]
>> #1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38
>> tree [Steve Lanser]
>> #1349 pluto logging no subjectAltName matches ID '%fromcert', replaced
>> by subject DN [Tuomo]
>> #1371 SAref patches 3.2.0 [Simon]
>> • Fix url to bugs system. [Tuomo]
>>
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/dev
>>