author Romain Francoise <rfrancoise@debian.org> 2014-04-15 19:34:32 +0200
committer Romain Francoise <rfrancoise@debian.org> 2014-04-15 19:34:32 +0200
commit c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (patch)
tree d4e2118cbd411caa1a0528eac831030109bc6e65 /NEWS
parent 15fb7904f4431a6e7c305fd08732458f7f885e7e (diff)
Import upstream version 5.1.3
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 22
1 files changed, 22 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 0d22295d4..fd33fb08d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,25 @@
+strongswan-5.1.3
+----------------
+
+- Fixed an authentication bypass vulnerability triggered by rekeying an
+ unestablished IKEv2 SA while it gets actively initiated. This allowed an
+ attacker to trick a peer's IKE_SA state to established, without the need to
+ provide any valid authentication credentials. The vulnerability has been
+ registered as CVE-2014-2338.
+
+- The acert plugin evaluates X.509 Attribute Certificates. Group membership
+ information encoded as strings can be used to fulfill authorization checks
+ defined with the rightgroups option. Attribute Certificates can be loaded
+ locally or get exchanged in IKEv2 certificate payloads.
+
+- The pki command gained support to generate X.509 Attribute Certificates
+ using the --acert subcommand, while the --print command supports the ac type.
+ The openac utility has been removed in favor of the new pki functionality.
+
+- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
+ has been extended by AEAD mode support, currently limited to AES-GCM.
+
+
strongswan-5.1.2
----------------
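Review bot: the CVE-2014-2338 entry at the top of the new strongswan-5.1.3 section does not say which releases are affected or whether a workaround exists, so a reader of NEWS cannot tell from this text alone whether a deployed version needs the update; consider adding the affected version range and a pointer to the upstream advisory. The commit subject "Import upstream version 5.1.3" likewise gives no hint that the import carries an authentication bypass fix, which makes it easy to miss when triaging the log. Separately, the third entry removes the openac utility in favor of pki --acert, so anything in the packaging or in user scripts that still calls openac should be checked as part of this import.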