I noticed that the latest gentoo-sources kernel (gentoo-sources-2.4.26-r3) is
still shipped with the 04-01.superFreeSWAN-1.99.8.patch.

I wanted to upgrade to openswan after the latest exploits in freeswan
([GLSA 200406-20] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in
certificate handling), so I downloaded the gentoo-sources and patched the
kernel with all patches by hand, without the freeswan patch.

Next I patched the kernel for NAT-T support with
make nattpatch | (cd /usr/src/linux && patch -p1)
and did
make KERNELSRC=/usr/src/linux module && make KERNELSRC=/usr/src/linux minstall
in the openswan sources dir, which provides a new openswan-compatible ipsec.o
module.

So in my opinion the 04-01.superFreeSWAN-1.99.8.patch should be removed from
the gentoo-sources and replaced with the NAT-T patch if we are forced to use
openswan instead of freeswan.

Regards,

Marlon.

--
gentoo-security@g.o mailing list
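The build steps Marlon describes (generate the NAT-T patch from the openswan tree, apply it to the kernel, then build and install the out-of-tree ipsec.o module) only make sense against a kernel tree that no longer carries the in-kernel FreeS/WAN patch. The script below is an added example, not Marlon's own commands or anything from the openswan or gentoo-sources projects; it wraps those same make targets in a guard that refuses to run if the tree still looks FreeS/WAN-patched. It assumes that FreeS/WAN's kernel patch places its code under net/ipsec/ in the kernel tree (used here as the marker), and that the openswan source directory's Makefile provides the nattpatch, module and minstall targets named in the post.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): guard the openswan
# module build so it never runs against a kernel tree that still carries
# the in-tree FreeS/WAN (superFreeSWAN) patch.
#
# Assumptions (not stated in the post):
#   - FreeS/WAN's kernel patch places its code under net/ipsec/ in the
#     kernel tree, so that directory is used as the marker.
#   - The openswan source tree's Makefile provides the nattpatch, module
#     and minstall targets used below.

# Return 0 if DIR looks like a kernel tree with in-kernel FreeS/WAN applied.
tree_has_inkernel_freeswan() {
    [ -d "$1/net/ipsec" ]
}

# Return 0 if DIR looks like a usable kernel source tree (has a top-level
# Makefile), which is the minimum the openswan module build needs.
tree_is_kernel_source() {
    [ -f "$1/Makefile" ]
}

# Apply the NAT-T patch and build/install the out-of-tree ipsec.o module.
# Refuses to run if the tree is not a kernel source or still has FreeS/WAN,
# so a stale in-kernel KLIPS is never silently combined with the new module.
build_openswan_module() {
    kernelsrc=$1
    openswansrc=$2

    if ! tree_is_kernel_source "$kernelsrc"; then
        echo "error: $kernelsrc is not a kernel source tree" >&2
        return 1
    fi
    if tree_has_inkernel_freeswan "$kernelsrc"; then
        echo "error: $kernelsrc still contains net/ipsec (in-kernel FreeS/WAN);" \
             "rebuild the tree without 04-01.superFreeSWAN-1.99.8.patch first" >&2
        return 1
    fi

    # Same steps as the post: generate the NAT-T patch from the openswan
    # tree and apply it to the kernel, then build and install the module.
    ( cd "$openswansrc" && make nattpatch ) | ( cd "$kernelsrc" && patch -p1 ) || return 1
    make -C "$openswansrc" KERNELSRC="$kernelsrc" module || return 1
    make -C "$openswansrc" KERNELSRC="$kernelsrc" minstall || return 1
}

# Usage: sh build-openswan.sh /usr/src/linux /path/to/openswan-source
# The build only runs when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    build_openswan_module "$1" "$2"
fi
```

The check functions are separate from the build so they can be run on their own (for instance from an ebuild or a pre-build sanity script) to confirm that a gentoo-sources tree was really built without the superFreeSWAN patch before the openswan module is laid on top of it.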