Bug 14191

Summary: Openswan is broken as per CVE fix
Product: Mageia Reporter: Erwan VELU <erwanaliasr1>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, olchal, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
Source RPM: Openswan CVE:
Status comment:

Description Erwan VELU 2014-09-29 12:56:40 CEST 
Description of problem:
Openswan is no more able to established a NAT-d communication.

Version-Release number of selected component (if applicable):


How reproducible:
Try to setup a NAT-d


I had the exact same behavior on my mga4 as shown on this thread. I did apply that patch (had to fix the filename in the patch to gain the -p0) and rebuilt the openswan package.
http://comments.gmane.org/gmane.network.openswan.user/22391

Since it works perfectly. I don't know if this is the right way to fix it (is there a better fix upstream ?) but it worked.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-29 15:40:13 CEST

Assignee: bugsquad => luigiwalser

Comment 1 Erwan VELU 2014-09-29 20:14:46 CEST 
Cauldron is also affected.
Comment 2 David Walser 2014-10-02 01:01:47 CEST 
Yes, the same patch exists upstream:
https://github.com/xelerance/Openswan/commit/b6041cb5d1d07974596be79606a977e88dd9ec48
Comment 3 David Walser 2014-10-02 01:27:45 CEST 
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
----------------------------------------

The fixes in Openswan for the CVE-2013-6466 security issue caused the NAT
traversal feature to stop working.  This functionality has been restored.

References:
http://permalink.gmane.org/gmane.network.openswan.user/22393
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
openswan-2.6.28-5.2.mga3
openswan-doc-2.6.28-5.2.mga3
openswan-2.6.39-3.2.mga4
openswan-doc-2.6.39-3.2.mga4

from SRPMS:
openswan-2.6.28-5.2.mga3.src.rpm
openswan-2.6.39-3.2.mga4.src.rpm

CC: (none) => luigiwalser
Assignee: luigiwalser => qa-bugs
Whiteboard: (none) => MGA3TOO
Severity: major => normal

Comment 4 claire robinson 2014-10-02 15:22:01 CEST 
Erwan can you please verify the updates correct the issue for you.

Thanks
Comment 5 Erwan VELU 2014-10-02 16:09:52 CEST 
Tested it and the patch is ok.
Comment 6 David Walser 2014-10-02 17:29:16 CEST 
Thanks Erwan.  Which architecture and release did you test?
Comment 7 Erwan VELU 2014-10-02 17:40:44 CEST 
(In reply to David Walser from comment #6)
> Thanks Erwan.  Which architecture and release did you test?

x86_64
Comment 8 Erwan VELU 2014-10-02 17:41:03 CEST 
and mga4 sorry
Comment 9 David Walser 2014-10-02 17:44:00 CEST 
OK, thanks.

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 10 claire robinson 2014-10-09 14:28:23 CEST 
Basic test procedure: https://bugs.mageia.org/show_bug.cgi?id=7095#c7
claire robinson 2014-10-09 14:29:12 CEST

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK

Comment 11 olivier charles 2014-10-09 23:32:36 CEST 
Testing on Mageia4-32

Using test procedure in Comment 10


With normal package :
-------------------

openswan Version : 2.6.39-3.1.mga4
openswan-doc Version : 2.6.39-3.1.mga4

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

(...) waited a long long time but read in https://bugs.mageia.org/show_bug.cgi?id=7095#c9 that it was expected on first use of openswan.
and ...

ipsec_setup: mv: cannot stat '/etc/openswan/ipsec.secrets.new': No such file or directory
ipsec_setup: 003 "/etc/openswan/ipsec.secrets" line 2: premature end of RSA key
ipsec_setup: 003 "/etc/openswan/ipsec.secrets" line 20: malformed end of RSA private key -- unexpected token after '}'

# service ipsec status
IPsec running  - pluto pid: 4525
pluto pid 4525
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped


With testing packages :
---------------------

- openswan-2.6.39-3.2.mga4.i586
- openswan-doc-2.6.39-3.2.mga4.i586

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

* didn't have to wait this time, I guessed it use the ipsec.secrets (in/etc/openswan) already generated.

# service ipsec status
IPsec running  - pluto pid: 5542
pluto pid 5542
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped


With testing packages (secound round) :
---------------------

As I was bothered with output messages after generating the key, uninstalled openswan-testing, removed /etc/openswan/ipsec.secrets, reinstalled openswan-testing.

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

After a long wait, gave me the prompt with no error messages and generated a new/etc/openswan/ipsec.secrets

# service ipsec status
IPsec running  - pluto pid: 9337
pluto pid 9337
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...


Ipsec Service started, stopped and reported its status correctly with - openswan-2.6.39-3.2.mga4.i586

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK

olivier charles 2014-10-10 08:43:54 CEST

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

Comment 12 Rémi Verschelde 2014-10-28 13:44:28 CET 
Testing complete on Mageia 3 64bit with procedure from comment 10, same output as comment 11 (apart from the mv issue with the .new file).

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 13 Rémi Verschelde 2014-10-28 13:46:25 CET 
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2014-10-31 16:54:06 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2014-0183.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED