CentOS Stream 9 — libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: AlmaLinux/RHEL advisory ALSA-2023:3148

Related CVEs: CVE-2023-2295 CVE-2024-3652 CVE-2024-2357 CVE-2023-38710 CVE-2023-38711 CVE-2023-38712 CVE-2023-23009

Upstream summary: Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).

Security Fix(es):

* libreswan: Regression of CVE-2023-30570 fixes in the AlmaLinux (CVE-2023-2295)

For more details about the security issue(s), including the impact, a CVSS scor

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On CentOS Stream 9 hosts that have libreswan installed, operators report behaviour consistent with AlmaLinux/RHEL advisory ALSA-2023:3148: dnf refuses to install or restart affected services, SELinux AVC denials appear in /var/log/audit/audit.log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever libreswan sits on the serving path.

Environment & Reproduction

Reproduction targets CentOS Stream 9. Confirm release and the installed package:

cat /etc/centos-release
cat /etc/os-release
rpm -q libreswan
dnf info libreswan | head -20

Trigger the workflow that exposes libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u libreswan -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/dnf.log
sudo tail -200 /var/log/audit/audit.log
# For an evidence bundle bundle with sosreport:
sudo sosreport --batch

Root Cause Analysis

Root cause is documented in AlmaLinux/RHEL advisory ALSA-2023:3148. AlmaLinux / Red Hat maintainers shipped fixes in the corresponding libreswan update for CentOS Stream 9; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate dnf history with system logs:

sudo dnf history | head
sudo dnf history list libreswan
sudo dnf history info <id>
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on CentOS Stream 9 to capture the current state of libreswan:

rpm -q libreswan                              # installed NVR
rpm -V libreswan                              # verify shipped files
sudo dnf check-update --security
sudo dnf updateinfo list cves
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce && sestatus
# If libreswan ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i libreswan | head

Step-by-Step Diagnosis

1. List failed systemd units.

   systemctl --failed --no-pager

2. Tail the journal for libreswan and the system bus.

   sudo journalctl -u libreswan -f --no-pager
   sudo journalctl -xe -f --no-pager

3. Inspect firewall posture.

   sudo firewall-cmd --list-all-zones --permanent
   sudo nft list ruleset 2>/dev/null | head -50

4. Surface SELinux denials and author a local policy module if needed.

   sudo ausearch -m AVC,USER_AVC -ts today
   sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix
   sudo semodule -i /tmp/local-fix.pp

5. Verify libreswan integrity and reinstall if anything is altered.

   sudo rpm -V libreswan
   sudo dnf reinstall libreswan

6. Correlate findings with /var/log/dnf.log, dnf history, and AlmaLinux/RHEL advisory ALSA-2023:3148 to pin the change that introduced libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective dnf transaction referenced by AlmaLinux/RHEL advisory ALSA-2023:3148, then reload affected systemd units:

sudo dnf -y makecache
sudo dnf -y upgrade --security              # apply ALL security errata (recommended)
# Or target a single package:
sudo dnf -y upgrade libreswan
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i libreswan | head
sudo systemctl restart libreswan
rpm -q libreswan                                # confirm new NVR
systemctl is-active libreswan 2>/dev/null       # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or kpatch where licensed):

sudo needs-restarting -r                    # report whether reboot needed
sudo systemctl reboot                       # or: sudo shutdown -r now
# kpatch (Red Hat / Oracle) avoids reboot for many kernel CVEs:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto                        # enable auto-patching
sudo kpatch list

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

• Roll back the offending dnf transaction:

  sudo dnf history list | head
  sudo dnf history info <id>
  sudo dnf history undo <id>

• Version-lock the package so dnf cannot upgrade it:

  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add libreswan
  sudo dnf versionlock list
  sudo dnf versionlock delete libreswan      # remove the lock

• Install an older NVR if a regression is suspected:

  dnf --showduplicates list libreswan | tac | head
  sudo dnf install -y --allowerasing libreswan-<older-NVR>

• Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:

  sudo setenforce 0
  # reproduce, capture denials, author a custom module:
  sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal
  sudo semodule -i mylocal.pp
  sudo setenforce 1

• Take an LVM snapshot before kernel / glibc upgrades for fast rollback:

  sudo lvs
  sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>
  # revert later via:
  sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot

• Where kpatch is licensed, apply kernel fixes without reboot:

  sudo kpatch list
  sudo kpatch load /usr/lib/modules/$(uname -r)/extra/kpatch/*.ko

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q libreswan                                            # expected fixed NVR
sudo dnf updateinfo list cves --installed               # CVEs above no longer listed
systemctl is-active libreswan 2>/dev/null
sudo journalctl -u libreswan --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo needs-restarting -r

The original reproduction for libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo dnf history list > /root/dnf-history-pre.txt
# Optional LVM snapshot of the root LV:
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>

To revert if the patch is bad:

sudo dnf history undo <id>
# Or downgrade just the package:
sudo dnf install -y --allowerasing libreswan-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart libreswan
# Or merge the LVM snapshot and reboot:
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot
# Custom SELinux policy cleanup:
sudo semodule -r mylocal

Prevention & Hardening

Reduce the chance of this recurring on CentOS Stream 9:

• Enable automatic security patching:

  sudo dnf install -y dnf-automatic
  sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf
  sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf
  sudo systemctl enable --now dnf-automatic.timer

• Subscribe to centos-announce and watch Red Hat security updates for upstream changes.

• Mirror through a local Pulp / Foreman / Spacewalk-style repo for controlled rollouts:

  sudo dnf install -y dnf-utils createrepo_c
  sudo reposync --download-metadata --downloadcomps -p /srv/mirror -- repoid=baseos
  sudo createrepo_c /srv/mirror/baseos

• Version-lock sensitive packages so they cannot be auto-upgraded:

  sudo dnf install -y python3-dnf-plugin-versionlock
  sudo dnf versionlock add libreswan

• Monitor file integrity with AIDE:

  sudo dnf install -y aide
  sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  sudo aide --check

• Enable kpatch so kernel CVEs can be remediated without reboot:

  sudo dnf install -y kpatch kpatch-dnf
  sudo dnf kpatch auto
  sudo kpatch list

• Keep SELinux in enforcing mode and review custom modules in /etc/selinux/targeted/ after every package upgrade.

• Apply CIS CentOS Stream 9 Benchmark hardening and remove unused packages.

Related Errors & Cross-Refs

Issues that commonly surface alongside libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide: dnf lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:

sudo dnf check
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo needs-restarting -r

View all centos-stream-9 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: AlmaLinux/RHEL advisory ALSA-2023:3148. Manual pages useful on CentOS Stream 9:

man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man kpatch
man sosreport

Other resources: docs.centos.org, Red Hat CVE database, AlmaLinux errata, and per-package notes in /usr/share/doc/libreswan/ for components implicated in libreswan — multiple vulnerabilities (7 CVEs) — patch and remediation guide.