author | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:35:31 +0200 |
---|---|---|
committer | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:35:31 +0200 |
commit | df40590dead5696facf9943f46e222a5e831286d (patch) | |
tree | d701325b24c0e1c5676fa9cb8ed959254dd4367a /NEWS | |
parent | 91b54afb0421705a4fb9d990d813007cd45bc2ce (diff) | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
download | vyos-strongswan-df40590dead5696facf9943f46e222a5e831286d.tar.gz vyos-strongswan-df40590dead5696facf9943f46e222a5e831286d.zip |
Merge tag 'upstream/5.1.3'
Upstream version 5.1.3
* tag 'upstream/5.1.3':
Import upstream version 5.1.3
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -1,3 +1,25 @@ +strongswan-5.1.3 +---------------- + +- Fixed an authentication bypass vulnerability triggered by rekeying an + unestablished IKEv2 SA while it gets actively initiated. This allowed an + attacker to trick a peer's IKE_SA state to established, without the need to + provide any valid authentication credentials. The vulnerability has been + registered as CVE-2014-2338. + +- The acert plugin evaluates X.509 Attribute Certificates. Group membership + information encoded as strings can be used to fulfill authorization checks + defined with the rightgroups option. Attribute Certificates can be loaded + locally or get exchanged in IKEv2 certificate payloads. + +- The pki command gained support to generate X.509 Attribute Certificates + using the --acert subcommand, while the --print command supports the ac type. + The openac utility has been removed in favor of the new pki functionality. + +- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols + has been extended by AEAD mode support, currently limited to AES-GCM. + + strongswan-5.1.2 ---------------- |
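Review bot: The CVE-2014-2338 entry at the top of the new strongswan-5.1.3 section does not say which earlier releases are affected or whether any configuration avoids the problem, so a reader cannot judge exposure or upgrade urgency from NEWS alone. Suggest adding the affected version range and a line on workarounds (or stating that upgrading is the only fix). The phrase "trick a peer's IKE_SA state to established" would also read more clearly as "trick a peer into treating the IKE_SA as established". Separately, the removal of the openac utility is only mentioned in the last sentence of the pki entry. Since it breaks existing scripts, it deserves its own bullet that points to "pki --acert" as the replacement. For the acert entry, it would help to state what the Attribute Certificate issuer must chain to before group strings received in IKEv2 certificate payloads are accepted for rightgroups checks, because that entry describes a new authorization input that can arrive from the peer.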