-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2008-9016 2008-11-07 01:38:41 --------------------------------------------------------------------------------
Name : ipsec-tools Product : Fedora 8 Version : 0.7.1 Release : 5.fc8 URL : http://ipsec-tools.sourceforge.net/ Summary : Tools for configuring and using IPSEC Description : This is the IPsec-Tools package. You need this package in order to really use the IPsec functionality in the linux-2.5+ kernels. This package builds:
- setkey, a program to directly manipulate policies and SAs - racoon, an IKEv1 keying daemon
-------------------------------------------------------------------------------- Update Information:
The update fixes memory leaks potentially leading to DoS (CVE-2008-3651 CVE-2008-3652). It also fixes problems with DPD and NAT-T support. This has been in rawhide for a while, with no bad reports. It improves remote-access client connection to Cisco ASA. -------------------------------------------------------------------------------- ChangeLog:
* Fri Oct 17 2008 Tomas Mraz tmraz@redhat.com - 0.7.1-5 - fix CVE-2008-3652 (memory leak DoS) - compile racoon as PIE - another fix for teardown of the IPSEC SAs on DPD in some circumstances * Sun Aug 10 2008 Tomas Mraz tmraz@redhat.com - 0.7.1-4 - Even better fix for IPSEC SA purging avoiding code duplication (original idea by Darrel Goeddel) * Fri Aug 8 2008 Tomas Mraz tmraz@redhat.com - 0.7.1-3 - Fix IPSEC SA purge with NAT_T enabled * Wed Jul 30 2008 Tomas Mraz tmraz@redhat.com - 0.7.1-2 - Different approach to allow racoon to add loopback SAs for labeled IPSec (without ISAKMP) * Tue Jul 29 2008 Tomas Mraz tmraz@redhat.com - 0.7.1-1 - Update to a new upstream version * Thu Feb 28 2008 Steve Conklin sconklin@redhat.com - 0.7-13 - Resolves bz#273261 remote-access client connection to Cisco ASA * Mon Feb 25 2008 Steve Conklin sconklin@redhat.com - 0.7-12 - And again * Mon Feb 25 2008 Steve Conklin sconklin@redhat.com - 0.7-11 - Messed that up, bumping * Mon Feb 25 2008 Steve Conklin sconklin@redhat.com - 0.7-10 - Added upstream patch to fix ipv6 cookie alen * Thu Feb 14 2008 Steve Conklin sconklin@redhat.com - 0.7-9 - rebuild for gcc4.3 * Wed Dec 19 2007 Steve Conklin sconklin@redhat.com - 0.7-8 - sourced krb5-devel.sh to set path * Tue Dec 18 2007 Steve Conklin sconklin@redhatcom - 0.7-7 - bumped for retag * Tue Dec 18 2007 Steve Conklin sconklin@redhat.com - 0.7-6 - Added a patch for context size change - Resolves #413331 racoon dies with buffer overflow in MCS/MLS loopback * Fri Dec 7 2007 Steve Conklin sconklin@redhat.com - 0.7-5 - Bump for retagging * Fri Dec 7 2007 Steve Conklin sconklin@redhat.com - 0.7-4 - Rebuild for dependencies -------------------------------------------------------------------------------- References:
[ 1 ] Bug #456660 - CVE-2008-3651 ipsec-tools: racoon memory leak caused by invalid proposals https://bugzilla.redhat.com/show_bug.cgi?id=456660 [ 2 ] Bug #458846 - CVE-2008-3652 ipsec-tools: racoon orphaned ph1s memory leak https://bugzilla.redhat.com/show_bug.cgi?id=458846 --------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update ipsec-tools' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys --------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org