[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Tomas France tomfra at centrum.cz
Fri Sep 25 02:35:58 UTC 2015


OK, I understand. We are talking about 20+ servers that would need a full
reinstallation by the way... Done by myself...

It seems I have been able to compile OpenSwan 2.6.45 on the CentOS 5 (test)
server though, although with some nasty makefile modifications. I'd really
prefer Libreswan as it works really well on one of our CentOS 6 servers
already (well, too early to say really but so far so good).

Also, if someone would consider modifying the patch from 3.14 to 3.13, I'd
be willing to send a small donation for that :)

Tomas



-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Friday, September 25, 2015 4:18 AM
To: Tomas France
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

On Fri, 25 Sep 2015, Tomas France wrote:

> I am afraid modifying the patch is beyond my skills. Is there a way 
> to limit the possible impact of the CVE-2015-3240 security issue 
> by different means, for the pre-3.15 versions, and without using the
> patch?
>
> Unfortunately, some of our servers are stuck with CentOS 5 and they 
> cannot be upgraded at this time.

Well, the impact is that someone can run a denial of service against you.
The pluto IKE daemon will hit a passert() in the code and restart.
There is no compromise of either data or the system.

So, you'll notice when this happens. If it happens from a botnet, you'll be
in trouble because you won't be able to firewall all the IP addresses to
prevent the crashes. At which point you'll be forced to put in a centos6 or
centos7 server :P

Paul


