Описание
ELSA-2016-2603: libreswan security and bug fix update (MODERATE)
[3.15-8.0.1]
- add libreswan-oracle.patch to detect Oracle Linux distro
[3.15-8]
- Resolves: rhbz#1361721 libreswan pluto segfault [UPDATED]
- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request [UPDATED]
- Resolves: rhbz#1309764 ipsec barf [additional man page update and --no-pager]
[3.15-7]
- Resolves: rhbz#1311360 When IKE rekeys, if on a different tunnel, all subsequent attempts to rekey fail
- Resolves: rhbz#1361721 libreswan pluto segfault
[3.15-6]
- Resolves: rhbz#1283468 keyingtries=0 is broken
- Resolves: rhbz#1297816 When using SHA2 as PRF algorithm, nonce payload is below the RFC minimum size
- Resolves: rhbz#1344567 CVE-2016-5361 libreswan: IKEv1 protocol is vulnerable to DoS amplification attack
- Resolves: rhbz#1313747 ipsec pluto returns zero even if it fails
- Resolves: rhbz#1302778 fips does not check hash of some files (like _import_crl)
- Resolves: rhbz#1278063 Unable to authenticate with PAM for IKEv1 XAUTH
- Resolves: rhbz#1257079 Libreswan doesn't call NetworkManager helper in case of a connection error
- Resolves: rhbz#1272112 ipsec whack man page discrepancies
- Resolves: rhbz#1280449 PAM xauth method does not work with pam_sss
- Resolves: rhbz#1290907 ipsec initnss/checknss custom directory not recognized
- Resolves: rhbz#1309764 ipsec barf does not show pluto log correctly in the output
- Resolves: rhbz#1347735 libreswan needs to check additional CRLs after LDAP CRL distributionpoint fails
- Resolves: rhbz#1219049 Pluto does not handle delete message from responder site in ikev1
- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request
- Resolves: rhbz#1315412 ipsec.conf manpage does not contain any mention about crl-strict option
- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address
Обновленные пакеты
Oracle Linux 7
Oracle Linux x86_64
libreswan
3.15-8.0.1.el7
Связанные CVE
Связанные уязвимости
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial ...
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.