RedHat has issued an advisory on November 16, 2010:
https://rhn.redhat.com/errata/RHSA-2010-0892.html

This fixes the following CVEs:
CVE-2010-3308 and CVE-2010-3302 (fixed in 2.6.29)
CVE-2010-3752 and CVE-2010-3753 (presumably fixed in 2.6.29)

RedHat has issued an advisory on November 2, 2011:
http://rhn.redhat.com/errata/RHSA-2011-1422.html

This fixes the following CVE:
CVE-2011-4073 (fixed in 2.6.37)

There may be other issues that I missed.

Mageia 1 and Mageia 2 are also affected.

CVE links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
CC: (none) => dlucio
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => fundawang
Those look like the only ones. The patch for CVE-2011-4073 applies cleanly. The patch for the other issues needs to be re-diffed.
Created attachment 2653: openswan-cve-2010-3302-3308.patch
RedHat patch to fix the first 4 issues, needs to be re-diffed.
Created attachment 2654: openswan-cve-2011-4073.patch
RedHat patch for CVE-2011-4073
CC: (none) => oe
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated openswan packages fix security vulnerabilities:

Two buffer overflow flaws were found in the Openswan client-side XAUTH handling code used when connecting to certain Cisco gateways. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client (CVE-2010-3302, CVE-2010-3308).

Two input sanitization flaws were found in the Openswan client-side handling of Cisco gateway banners. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client (CVE-2010-3752, CVE-2010-3753).

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled (CVE-2011-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
https://rhn.redhat.com/errata/RHSA-2010-0892.html
http://rhn.redhat.com/errata/RHSA-2011-1422.html
========================

Updated packages in core/updates_testing:
========================
openswan-2.6.28-2.1.mga1
openswan-doc-2.6.28-2.1.mga1
openswan-2.6.28-2.1.mga2
openswan-doc-2.6.28-2.1.mga2

from SRPMS:
openswan-2.6.28-2.1.mga1.src.rpm
openswan-2.6.28-2.1.mga2.src.rpm
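Every client-side issue in the advisory above is a case of pluto trusting a string that the remote gateway chose: a fixed buffer filled without a length check, or gateway text handed on without sanitization. The following is an added illustration of that class, not Openswan's code and not the patched functions; the function names, the BANNER_MAX size and the `wall` command are assumptions made for the example. The flawed pattern is shown only for contrast and is never called; the hardened copy is bounded, allow-listed, and its output is written with fputs so it never reaches a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BANNER_MAX 256            /* assumed buffer size for the example */

/* Result bits from sanitize_banner(). */
#define BANNER_TRUNCATED 1
#define BANNER_DROPPED   2

/*
 * Hypothetical flawed pattern, shown for contrast and never called here:
 * the gateway-supplied banner is copied with no length check and then
 * interpolated into a shell command line.  A banner of BANNER_MAX bytes or
 * more overflows buf; a banner containing shell metacharacters runs
 * attacker-chosen commands on the client.
 */
int show_banner_unsafe(const char *banner_from_gateway)
{
    char buf[BANNER_MAX];
    char cmd[BANNER_MAX + 32];

    strcpy(buf, banner_from_gateway);            /* unbounded copy */
    sprintf(cmd, "echo \"%s\" | wall", buf);     /* peer text reaches /bin/sh */
    return system(cmd);
}

/*
 * Hardened copy: bounded by outlen, keeps only printable ASCII plus newline
 * and tab, always NUL-terminates.  Returns 0 when the banner was copied
 * intact, otherwise a bitmask of BANNER_TRUNCATED / BANNER_DROPPED so the
 * caller can log that the peer sent something it should not have.
 */
int sanitize_banner(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int flags = 0;
    const unsigned char *p;

    if (outlen == 0)
        return BANNER_TRUNCATED;

    for (p = (const unsigned char *)in; *p != '\0'; p++) {
        if (o + 1 >= outlen) {                   /* leave room for the NUL */
            flags |= BANNER_TRUNCATED;
            break;
        }
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f))
            out[o++] = (char)*p;
        else
            flags |= BANNER_DROPPED;             /* ESC sequences, CR, high bytes */
    }
    out[o] = '\0';
    return flags;
}

/*
 * Safe display path: the sanitized text is written with fputs and never
 * handed to a shell, so metacharacters that survive the allow-list
 * ($ ` ; | &) are inert.  Returns the sanitize_banner() flags so a caller
 * can choose to abort the connection on a hostile-looking peer.
 */
int show_banner_safe(const char *banner_from_gateway, FILE *to)
{
    char buf[BANNER_MAX];
    int flags = sanitize_banner(banner_from_gateway, buf, sizeof buf);

    fputs(buf, to);
    if (flags & BANNER_TRUNCATED)
        fputs("\n[banner truncated]\n", to);
    if (flags & BANNER_DROPPED)
        fputs("\n[non-printable bytes removed from banner]\n", to);
    return flags;
}

/* Stand-alone run on a constructed banner carrying a terminal escape and a shell payload. */
int main(void)
{
    const char sample[] = "Welcome to corp VPN\x1b[2J\"; rm -rf /tmp/x; echo \"\n";
    return show_banner_safe(sample, stdout) ? 1 : 0;
}
```

The allow-list deliberately does not try to enumerate shell metacharacters; the fix is structural (the string is only ever passed to fputs), and the sanitizer's job is just to bound the copy and strip terminal control bytes, reporting when it had to.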
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: normal => major
No poc, so I'll be testing this following http://www.scribd.com/doc/15585156/Openswan-Installation-and-Configuration-Tutorial
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Found another tutorial that looks a bit easier to follow at http://www.enterprisenetworkingplanet.com/netsysm/article.php/3845966/Build-an-IPSEC-VPN-Without-Losing-Your-Mind.htm
Just testing the ipsec service starts and stops without error.

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.28...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

# service ipsec status
IPsec running - pluto pid: 9504
pluto pid 9504
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

Testing complete mga2 32
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-32-OK
On mga2 64..

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.28...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

I have to use ctrl-c to interrupt it as it just sits as if it's waiting for something which never arrives. Not a regression though and could be due to lack of proper configuration.

# service ipsec status
IPsec running - pluto pid: 12171
pluto pid 12171
No tunnels up

Shows it is actually starting.

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

I don't see any different messages in syslog between 32 bit and 64 bit but 32bit does start without having to use ctrl-c with the default configuration. I guess testing complete mga2 64 unless there is an obvious reason for this?
Whiteboard: MGA1TOO has_procedure mga2-32-OK => MGA1TOO has_procedure mga2-32-OK mga2-64-OK?
The long wait is due to the key generation process reading from /dev/random, rather than /dev/urandom. To provide the random data, you either have to wait for the normal interrupts to provide enough, or open an editor, and start typing. Note the key generation is only done once.

Testing complete Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm openswan-2.6.28-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core updates and the srpm openswan-2.6.28-2.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated openswan packages fix security vulnerabilities:

Two buffer overflow flaws were found in the Openswan client-side XAUTH handling code used when connecting to certain Cisco gateways. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client (CVE-2010-3302, CVE-2010-3308).

Two input sanitization flaws were found in the Openswan client-side handling of Cisco gateway banners. A malicious or compromised VPN gateway could use these flaws to execute arbitrary code on the connecting Openswan client (CVE-2010-3752, CVE-2010-3753).

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled (CVE-2011-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
https://rhn.redhat.com/errata/RHSA-2010-0892.html
http://rhn.redhat.com/errata/RHSA-2011-1422.html
https://bugs.mageia.org/show_bug.cgi?id=7095
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-32-OK mga2-64-OK? => MGA1TOO has_procedure mga2-32-OK mga2-64-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0300
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED