Red Hat Product Errata RHSA-2005:232 - Security Advisory
Issued:
2005-03-23
Updated:
2005-03-23

RHSA-2005:232 - Security Advisory

Synopsis

ipsec-tools security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated ipsec-tools package that fixes a bug in parsing of ISAKMP headers
is now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The ipsec-tools package is used in conjunction with the IPsec functionality
in the linux kernel. The ipsec-tools package includes:

  • setkey, a program to directly manipulate policies and SAs
  • racoon, an IKEv1 keying daemon

A bug was found in the way the racoon daemon handled incoming ISAKMP
requests. It is possible that an attacker could crash the racoon daemon by
sending a specially crafted ISAKMP packet. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0398 to
this issue.

Additionally, the following issues have been fixed:

  • racoon mishandled restarts in the presence of stale administration sockets.
  • on Red Hat Enterprise Linux 4, racoon and setkey did not properly set up

forward policies, which prevented tunnels from working.

Users of ipsec-tools should upgrade to this updated package, which contains
backported patches, and is not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

  • BZ - 145531 - CAN-2005-0398 racoon DoS
  • BZ - 145535 - CAN-2005-0398 racoon DoS
  • BZ - 148950 - racoon unable to start with stale socket /tmp/.racoon
  • BZ - 150179 - ipsec/racoon/setkey does not properly forward packets to vpn peer

References

(none)

Red Hat Enterprise Linux Server 4

SRPM
ipsec-tools-0.3.3-6.src.rpm SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16
x86_64
ipsec-tools-0.3.3-6.x86_64.rpm SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd
ipsec-tools-0.3.3-6.x86_64.rpm SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd
ia64
ipsec-tools-0.3.3-6.ia64.rpm SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e
ipsec-tools-0.3.3-6.ia64.rpm SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e
i386
ipsec-tools-0.3.3-6.i386.rpm SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df
ipsec-tools-0.3.3-6.i386.rpm SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 4

SRPM
ipsec-tools-0.3.3-6.src.rpm SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16
x86_64
ipsec-tools-0.3.3-6.x86_64.rpm SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd
ia64
ipsec-tools-0.3.3-6.ia64.rpm SHA-256: 36cd2f14c4aa8dd5509d988754cff4e989d0bc1a9ba6b5ff1ade7d8fff6b406e
i386
ipsec-tools-0.3.3-6.i386.rpm SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 4

SRPM
ipsec-tools-0.3.3-6.src.rpm SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16
x86_64
ipsec-tools-0.3.3-6.x86_64.rpm SHA-256: 83641c85c921c08612c159038e5b0e02cd8dd99502406e91a68a71e6f47037bd
i386
ipsec-tools-0.3.3-6.i386.rpm SHA-256: 60fcab0bdb8246405e4b01e25c481aac04d35d669c43e21419222568740433df

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
ipsec-tools-0.3.3-6.src.rpm SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16
s390x
ipsec-tools-0.3.3-6.s390x.rpm SHA-256: c36d4db3242c336e8ea097ebe00a44d10f19913f4eeb6515035546f9aafedbe5
s390
ipsec-tools-0.3.3-6.s390.rpm SHA-256: 7e07c4c56856e70b8400a04763a4e01d9c4e272e76850077105c0b2f578e0b41

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for Power, big endian 4

SRPM
ipsec-tools-0.3.3-6.src.rpm SHA-256: 8dbad992dcc6018c30ed8791c7692d53da109ff1f06745ac1f16bc6e7f976e16
ppc
ipsec-tools-0.3.3-6.ppc.rpm SHA-256: df8c6992e483f722622296c0df9fbeea1777b8a3a857a942e9bdd2d9439cb1c0

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.