[Openswan Users] [Announce] openswan-2.6.22 released

Paul Wouters paul at xelerance.com
Mon Jun 22 23:06:06 EDT 2009

Xelerance has released openswan 2.6.22.


This is a major security and bugfix release.

This release addresses the vulnerability as described in


We were not notified before public release of this information. As such,
we are not aware if a CVE number was requested or reserved for this

Openswan versions 1.0.x up to 2.6.21 are vulnerable. Openswan 2.6.22 (and
openswan 2.4.15 shortly) are not vulnerable.

Thanks to the many contributors of this release!

* Malicious X.509 certificates could crash the ASN.1 parser.
   Found by Orange Labs vulnerability research team. Patches via
   an irresponsible 0-day public announcement by Andreas Steffen 
* NSS support via USE_LIBNSS updated [Avesh Agarwal]
* Added USE_FIPSCHECK. [Avesh Agarwal]
* NAT-T cleanup (no nat-t patch needed for >= 2.6.23) [Harald Jenny/David]
* Enabled USE_DYNAMICDNS per default. Disabled USE_LWRES. [Paul]
* Fix for gcc 4.4 errors [Avesh Agarwal]
* AVC Denial with /var/tmp and openswan ipsec service [Avesh Agarwal]
   (see https://bugzilla.redhat.com/show_bug.cgi?id=489113)
* misc. fixes to the build system [mcr]
* Updated various copyrights [Paul]
* Fix for DYNAMICDNS when dns name was unknown on initial load [David]
* Fix for ttoaddr when passing AF_INET/AF_INET6 [David]
* newer CAs (openssl) now use a crlnumber. Create one with 01 [Paul]
* Fixes to new nat-t code (HAVE_UDP_ENCAP_CONVERT ) [mcr]
* Some ipsec_tunnel KLIPS cleanups [mcr]
* Implement a fallback to SW for failed HW requests [David]
* Make sure that ipsec starts after the crypto layer [David]
* Fix compilation without OCF and cryptoapi instead [David]
* Fixes to compile with 2.6.29 [David]
* Fix to compile on 2.6.30 [Harald Jenny]
* Fix for the default assignment of "ipsec0" to all packets [David]
* Fix for concurrent ISAKMP negotiations from different hosts to a
   single host with nhelpers>=1 [Anthony Tong]
* UDP port 501 encaps to interop with Lucent in contrib/lucent
   Contributed by Rolando Zappacosta <zappacor at yahoo.com.ar>
* Various warnings fixed in pluto [Gilles Espinasse]
* Bugtracker bugs fixed:
    #1031: Fail to compile KLIPS module on RHEL5.3 or CentOS5.3 [Mark Keir]
    #1030: aggressive mode & dead peer detection fails [Tim Horsburgh]
    #1023: Oops due to improper ipsec_sa destruction [Nick Jones]
    #1036: sysctl variables are not correctly set anymore [David]
