rpms/ipsec-tools/devel ipsec-tools-0.6.5-CVE-2007-1841.patch, NONE, 1.1 ipsec-tools.spec, 1.40, 1.41

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Apr 25 16:30:58 UTC 2007 

Author: jantill

Update of /cvs/dist/rpms/ipsec-tools/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17199

Modified Files:
	ipsec-tools.spec 
Added Files:
	ipsec-tools-0.6.5-CVE-2007-1841.patch 
Log Message:
* Mon Apr 23 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.5-8
- Upstream fix for Racoon DOS, informational delete must be encrypted
- Resolves: rhbz#235388 - CVE-2007-1841 ipsec-tools racoon DoS


ipsec-tools-0.6.5-CVE-2007-1841.patch:
 isakmp_inf.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

--- NEW FILE ipsec-tools-0.6.5-CVE-2007-1841.patch ---
Index: src/racoon/isakmp_inf.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_inf.c,v
retrieving revision 1.14.4.9
diff -u -p -r1.14.4.9 isakmp_inf.c
--- src/racoon/isakmp_inf.c	2 Aug 2005 15:09:26 -0000	1.14.4.9
+++ src/racoon/isakmp_inf.c	2 Apr 2007 12:52:07 -0000
@@ -267,12 +267,12 @@ isakmp_info_recv(iph1, msg0)
 
 	switch (np) {
 	case ISAKMP_NPTYPE_N:
-		if (isakmp_info_recv_n(iph1, msg) < 0)
-			goto end;
+		if ( encrypted )
+			isakmp_info_recv_n(iph1, msg);
 		break;
 	case ISAKMP_NPTYPE_D:
-		if (isakmp_info_recv_d(iph1, msg) < 0)
-			goto end;
+		if ( encrypted )
+			isakmp_info_recv_d(iph1, msg);
 		break;
 	case ISAKMP_NPTYPE_NONCE:
 		/* XXX to be 6.4.2 ike-01.txt */


Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- ipsec-tools.spec	14 Apr 2007 21:02:15 -0000	1.40
+++ ipsec-tools.spec	25 Apr 2007 16:30:51 -0000	1.41
@@ -20,13 +20,15 @@
 Patch10: ipsec-tools-0.6.5-ctx.patch
 Patch11: ipsec-tools-0.6.5-acquires.patch
 Patch12: ipsec-tools-0.6.5-loopback.patch
-Patch13: ipsec-tools-0.6.5-context-increase.patch
-Patch14: ipsec-tools-0.6.5-leak.patch
-
+#Patch13: ipsec-tools-0.6.5-context-increase.patch
+#Patch14: ipsec-tools-0.6.5-leak.patch
+Patch13: ipsec-tools-0.6.5-CVE-2007-1841.patch
+ 
 BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
 BuildRequires: libselinux-devel >= 1.30.28-2
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: initscripts >= 7.31.11.EL-1
+BuildRequires: audit-libs-devel >= 1.3.1
 	
 %description
 This is the IPsec-Tools package.  You need this package in order to
@@ -46,8 +48,7 @@
 %patch10 -p1 -b .hctx
 %patch11 -p1 -b .acquires
 %patch12 -p1 -b .loopback
-%patch13 -p1 -b .context
-%patch14 -p1 -b .leak
+%patch13 -p0 -b .CVE-2007-1841
 
 mkdir -p kernel-headers/linux
 cp %{SOURCE1} %{SOURCE2} %{SOURCE5} %{SOURCE6} kernel-headers/linux
@@ -66,7 +67,8 @@
  --enable-gssapi \
  --enable-natt \
  --enable-security-context \
- --enable-racoon-over-loopback
+ --enable-racoon-over-loopback \
+ --enable-audit
 make
 
 %install
@@ -107,6 +109,16 @@
 %config(noreplace) /etc/racoon/racoon.conf
 
 %changelog
+* Mon Apr 23 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.5-8
+- Upstream fix for Racoon DOS, informational delete must be encrypted
+- Resolves: rhbz#235388 - CVE-2007-1841 ipsec-tools racoon DoS
+
+* Fri Apr 20 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.5-7
+- Resolves: #218386 labeled ipsec does not work over loopback
+
+* Mon Apr 16 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.5-6.6
+- Related: #232508 add auditing to racoon
+
 * Sat Apr 14 2007 Steve Grubb <sgrubb at redhat.com> - 0.6.6-6%{?dist}
 - Resolves: #235680 racoon socket descriptor exhaustion

More information about the fedora-cvs-commits mailing list