Openswan; Rhsa-2009:1138: Important Security Update - Red Hat ENTERPRISE LINUX 5.4 - TECHNICAL NOTES Manual

• both the libcrypto and libssl shared libraries, which are part of the OpenSSL FIPS module, are now
checked for integrity on initialization of FIPS mode. (
• an issuing Certificate Authority (CA) allows multiple certificate templates to inherit the CA's Common
Name (CN). Because this CN is used as a unique identifier, each template had to have its own
Certificate Revocation List (CRL). With this update, multiple CRLs with the same subject name
can now be stored in a X509_STORE structure, with their signature field being used to distinguish
between them. (BZ#457134
• the fipscheck library is no longer needed for rebuilding the openssl source RPM. (
13691368
)
OpenSSL users should upgrade to these updated packages, which resolve these issues and add
these enhancements.

1.166. openswan

1.166.1. RHSA-2009:1138: Important security update

Important
This update has already been released (prior to the GA of this release) as the security
RHSA-2009:1138
errata
Updated openswan packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange
(IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These
services allow you to build secure tunnels through untrusted networks. Everything passing through the
untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the
other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
Multiple insufficient input validation flaws were found in the way Openswan's pluto IKE daemon
processed some fields of X.509 certificates. A remote attacker could provide a specially-crafted X.509
certificate that would crash the pluto daemon.
All users of openswan are advised to upgrade to these updated packages, which contain a
backported patch to correct these issues. After installing this update, the ipsec service will be restarted
automatically.
1371
https://www.redhat.com/security/data/cve/CVE-2009-2185.html
1367
)
1370
(CVE-2009-2185
13661365
BZ#475798
)
1371
)
openswan
BZ#475798
193