diff options
| author | Yves-Alexis Perez <corsac@corsac.net> | 2017-09-01 17:21:25 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-09-01 17:21:25 +0200 |
| commit | 11d6b62db969bdd808d0f56706cb18f113927a31 (patch) | |
| tree | 8aa7d8fb611c3da6a3523cb78a082f62ffd0dac8 /NEWS | |
| parent | bba25e2ff6c4a193acb54560ea4417537bd2954e (diff) | |
| download | vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.tar.gz vyos-strongswan-11d6b62db969bdd808d0f56706cb18f113927a31.zip | |
New upstream version 5.6.0
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 44 |
1 files changed, 43 insertions, 1 deletions
@@ -1,3 +1,45 @@ +strongswan-5.6.0 +---------------- + +- Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient + input validation when verifying RSA signatures, which requires decryption + with the operation m^e mod n, where m is the signature, and e and n are the + exponent and modulus of the public key. The value m is an integer between + 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the + calculation results in 0, in which case mpz_export() returns NULL. This + result wasn't handled properly causing a null-pointer dereference. + This vulnerability has been registered as CVE-2017-11185. + +- New SWIMA IMC/IMV pair implements the "draft-ietf-sacm-nea-swima-patnc" + Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon. + +- The IMV database template has been adapted to achieve full compliance + with the ISO 19770-2:2015 SWID tag standard. + +- The sw-collector tool extracts software events from apt history logs + and stores them in an SQLite database to be used by the SWIMA IMC. + The tool can also generate SWID tags both for installed and removed + package versions. + +- The pt-tls-client can attach and use TPM 2.0 protected private keys + via the --keyid parameter. + +- libtpmtss supports Intel's TSS2 Architecture Broker and Resource + Manager interface (tcti-tabrmd). + +- The new eap-aka-3gpp plugin implements the 3GPP MILENAGE algorithms + in software. K (optionally concatenated with OPc) may be configured as + binary EAP secret. + +- CHILD_SA rekeying was fixed in charon-tkm and was slightly changed: The + switch to the new outbound IPsec SA now happens via SPI on the outbound + policy on Linux, and in case of lost rekey collisions no outbound SA/policy + is temporarily installed for the redundant CHILD_SA. + +- The new %unique-dir value for mark* settings allocates separate unique marks + for each CHILD_SA direction (in/out). + + strongswan-5.5.3 ---------------- @@ -894,7 +936,7 @@ strongswan-5.0.0 keying protocols. The feature-set of IKEv1 in charon is almost on par with pluto, but currently does not support AH or bundled AH+ESP SAs. Beside RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication - mode. Informations for interoperability and migration is available at + mode. Information for interoperability and migration is available at http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1. - Charon's bus_t has been refactored so that loggers and other listeners are |