RHEA-2009:1350: bug fix update
Openswan 2.6.x also supports IKEv2 (RFC 4309)
Bugs fixed in these updated packages include:
• Openswan would not allow IPsec connections between a physical IP on one system and a virtual IP on another system if the physical IP on the first system was already connected to the physical IP on the second system that was associated with that virtual IP. Now, Openswan creates a new route if a route already exists. This allows simultaneous IPsec connections to a physical IP and the virtual IP associated with it. (BZ#438998)
• The parser in lib/libipsecconf/ did not correctly interpret values supplied in a manual keyring, so using the manual keyring could cause a segmentation fault in Openswan. Because the manual keyring is no longer supported, Openswan now exits with an error when ipsec manual up <connection-name> is used. (BZ#449725)
• The ipsec.conf file included any .conf files placed in /etc/ipsec.d, but Openswan's default installation did not place any files in this directory. Therefore, error messages similar to "could not open include filename: '/etc/ipsec.d/*.conf'" would appear when starting or stopping the IPsec service. Although the service operated correctly, the appearance of these error messages could mislead a user into thinking that there was a problem with IPsec. The ipsec.conf file now comments out the include of /etc/ipsec.d and contains a note suggesting that users uncomment the line and use /etc/ipsec.d for their customized configuration files. (BZ#463931)
• Openswan did not close file descriptors on exec. The resulting file descriptor leaks would then cause AVC denial warnings on systems set to enforce SELinux policy. Openswan now closes file descriptors on exec, both for sockets that it has opened and for sockets that it has accepted. Because Openswan no longer leaks these file descriptors, the corresponding AVC denial warnings do not appear. (BZ#466861)
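The descriptor-leak class of bug above is easy to check for and to fix generically. The following is an added illustration, not Openswan's code: it shows the leaking pattern (a socket created with no close-on-exec flag, which any exec()'d child would inherit), the atomic fix for sockets a daemon opens itself (the Linux-specific SOCK_CLOEXEC flag), and the retrofit fix for descriptors obtained some other way, such as from a plain accept(). A socketpair() stands in for a listener/accepted pair so the program runs without network setup; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Report whether a descriptor carries FD_CLOEXEC: 1 = yes, 0 = no, -1 = bad fd. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Retrofit close-on-exec onto a descriptor created without it (for example one
 * returned by a plain accept()). Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The leaking pattern: a socket opened with no close-on-exec flag, so any child
 * started via exec() inherits it. Returns the descriptor's cloexec state (0). */
int leaky_socket_state(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int state = fd_is_cloexec(fd);
    close(fd);
    return state;
}

/* The fix for sockets the daemon opens itself: request SOCK_CLOEXEC at creation
 * (Linux-specific) so there is no window in which the fd lacks the flag. */
int cloexec_socket_state(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    int state = fd_is_cloexec(fd);
    close(fd);
    return state;
}

/* The fix for sockets the daemon accepts: here sv[1] of a constructed socketpair
 * plays the accepted connection and gets FD_CLOEXEC retrofitted with fcntl().
 * Returns its cloexec state after the fix (1). */
int accepted_socket_state_after_fix(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int state = -1;
    if (set_cloexec(sv[1]) == 0)
        state = fd_is_cloexec(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return state;
}

int main(void)
{
    printf("plain socket():          cloexec=%d (inherited across exec)\n", leaky_socket_state());
    printf("socket(SOCK_CLOEXEC):    cloexec=%d\n", cloexec_socket_state());
    printf("accepted fd after fcntl: cloexec=%d\n", accepted_socket_state_after_fix());
    return 0;
}
```

On a running daemon the same check can be made from outside by listing the descriptors of a child it has exec()'d (for example under /proc/<child-pid>/fd): any inherited socket there is a leak, and under an enforcing SELinux policy it typically surfaces first as the AVC denials described above.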
• Openswan's cryptographic methods did not meet the standards for FIPS 140-2 certification, therefore precluding the use of Openswan in environments that require this certification. Openswan now uses the NSS library and includes:
  • encryption/decryption algorithms (AES, 3DES)
  • hash and data integrity algorithms (MD5, SHA1, SHA2 (256, 384, 512))
  • HMAC mechanisms for the above hash algorithms
  • authentication with signature (without certificates) (DS_AUTH); specifically, it uses RSA signatures
  • authentication with signature (with X.509 certificates) (DS_AUTH)
  • Oakley Diffie-Hellman (DH) related cryptographic operations
  • random number generation through NSS
  • support for NSS DB with and without a password
  • FIPS integrity check using the fipscheck library
  • support for old (dbm) and new (sql) NSS databases
Openswan now meets the FIPS 140-2 standard. (BZ#444801, BZ#469763)