[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Problems with k_deflt-2.4.19-329 and IPSEC



Roman Drahtmueller wrote:
Roman,

I saw the new freeswan package this morning and tried to reinstall the
k_deflt-2.4.19-329 package as well as the
freeswan-1.98_0.9.14-238.i586.patch.rpm package. These two packages
still wont play together though, maybe I misunderstood you and you're
saying that I need to wait for a kernel update as well. Anyway, the
error messages are:

Jul 28 06:19:33 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:38 <hostname> kernel: NET: 9 messages suppressed.
Jul 28 06:19:38 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:43 <hostname> kernel: NET: 9 messages suppressed.


This is strange. It worked well in all of our tests, and I've just tried
it out on my machine at home. The originally installed RPM from the CD
plus the patch RPM make the new RPM, bitwise. My tunnels work correctly.

Now, please make sure that you

* Only have one package called k_deflt and freeswan installed
* that `rpm -q freeswan` tells you "freeswan-1.98_0.9.14-238".
* that you executed mk_initrd and lilo (just in case...) before you have
  actually rebooted (must be).

Roman,

So I tried to install the new packages once more, so here goes (from a working 8.1 system):

<hostname>:~ # fou4s -in
ftp.sunet.se: Checking [#################################] 100 %
New freeswan 1.98_0.9.14-238 (old 1.98_0.9.14-72) [recommended, 595kB] [ok]
Installing freeswan-1.98_0.9.14-238.i586.patch.rpm
New k_deflt 2.4.19-329 (old 2.4.19-110) [security, 19351kB] [ok]
Installing k_deflt-2.4.19-329.i586.patch.rpm
Starting SuSEconfig, the SuSE Configuration Tool...
Running in full featured mode.
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.aaa_at_first...
Executing /sbin/conf.d/SuSEconfig.alljava...
Executing /sbin/conf.d/SuSEconfig.doublecheck...
Executing /sbin/conf.d/SuSEconfig.fonts...
Executing /sbin/conf.d/SuSEconfig.groff...
Executing /sbin/conf.d/SuSEconfig.hostname...
Executing /sbin/conf.d/SuSEconfig.libxml2...
Executing /sbin/conf.d/SuSEconfig.man_info...
Executing /sbin/conf.d/SuSEconfig.news...
Executing /sbin/conf.d/SuSEconfig.perl...
Executing /sbin/conf.d/SuSEconfig.permissions...
Executing /sbin/conf.d/SuSEconfig.profiles...
Executing /sbin/conf.d/SuSEconfig.sendmail...
Executing /sbin/conf.d/SuSEconfig.sortpasswd...
Finished.

WARNING
=======

The following processes are accessing deleted files:

  PID  COMMAND
18211  pluto

Please restart these processes to finish the update.

You can check for used files using the command
fou4s --checkdeleted (can be abbreviated with --checkd)
or using the command
lsof -n | grep RPMDELETE
<hostname>:~ # mk_initrd
using "/dev/hda3" as root device (mounted on "/" as "reiserfs")

creating initrd "/boot/initrd" for kernel "/boot/vmlinuz"
(version 2.4.19-4GB)
 - insmod reiserfs            (kernel/fs/reiserfs/reiserfs.o)

creating initrd "/boot/initrd.shipped" for kernel "/boot/vmlinuz.shipped"
(version 2.4.19-4GB)
 - insmod reiserfs            (kernel/fs/reiserfs/reiserfs.o)


Note that I use grub (the default for 8.1 as far as I know), this is the first time a use grub but from reading the docs I can't see any reason why I would have to rerun anythin. Please correct me if I'm wrong here !

*reboot*

After the reboot, no go, same stuff:

Jul 28 11:52:02 <hostname> kernel: ipsec0: no IPv6 routers present
Jul 28 11:52:02 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:02 <hostname> kernel: ipsec4_rcv: incoming packet failed policy check; dropped
Jul 28 11:52:03 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:07 <hostname> kernel: NET: 7 messages suppressed.
Jul 28 11:52:07 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:12 <hostname> kernel: NET: 9 messages suppressed.


/root# rpm -qa | grep k_deflt
k_deflt-2.4.19-329
/root# rpm -qa | grep freeswan
freeswan-1.98_0.9.14-238
/root# rpm -qf /lib/modules/2.4.19-4GB/kernel/net/ipv4/ipsec/ipsec.o
k_deflt-2.4.19-329

Go bak to the old kernel, I assume this is safe ???

root# rpm -U --force k_deflt-2.4.19-110.i586.rpm
Please do not forget to run 'mk_initrd' after updating the kernel.
/root# mk_initrd
using "/dev/hda3" as root device (mounted on "/" as "reiserfs")

creating initrd "/boot/initrd" for kernel "/boot/vmlinuz"
(version 2.4.19-4GB)
 - insmod reiserfs            (kernel/fs/reiserfs/reiserfs.o)

creating initrd "/boot/initrd.shipped" for kernel "/boot/vmlinuz.shipped"
(version 2.4.19-4GB)
 - insmod reiserfs            (kernel/fs/reiserfs/reiserfs.o)
/root# rpm -U --force freeswan-1.98_0.9.14-72.i586.rpm
warning: /etc/ipsec.conf created as /etc/ipsec.conf.rpmnew
Leave old IPsec RSA signature key untouched.
/root# reboot

After reboot all is fine again (using the old rpms).

--
Daniel Nilsson
Principal Consultant
Signal Integrity Software Inc.
6 Clock Tower Place, Suite 250
Maynard, MA 01754
Phone: (978) 461-0449, ext 12
Cell:  (508) 783-1379
http://www.sisoft.com


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here