Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 83 |
1 files changed, 83 insertions, 0 deletions
@@ -1,3 +1,86 @@ +strongswan-5.1.0 +---------------- + +- Fixed a denial-of-service vulnerability triggered by specific XAuth usernames + and EAP identities (since 5.0.3), and PEM files (since 4.1.11). The crash + was caused by insufficient error handling in the is_asn1() function. + The vulnerability has been registered as CVE-2013-5018. + +- The new charon-cmd command line IKE client can establish road warrior + connections using IKEv1 or IKEv2 with different authentication profiles. + It does not depend on any configuration files and can be configured using a + few simple command line options. + +- The kernel-pfroute networking backend has been greatly improved. It now + can install virtual IPs on TUN devices on OS X and FreeBSD, allowing these + systems to act as a client in common road warrior scenarios. + +- The new kernel-libipsec plugin uses TUN devices and libipsec to provide IPsec + processing in userland on Linux, FreeBSD and Mac OS X. + +- The eap-radius plugin can now serve as an XAuth backend called xauth-radius, + directly verifying XAuth credentials using RADIUS User-Name/User-Password + attributes. This is more efficient than the existing xauth-eap+eap-radius + combination, and allows RADIUS servers without EAP support to act as AAA + backend for IKEv1. + +- The new osx-attr plugin installs configuration attributes (currently DNS + servers) via SystemConfiguration on Mac OS X. The keychain plugin provides + certificates from the OS X keychain service. + +- The sshkey plugin parses SSH public keys, which, together with the --agent + option for charon-cmd, allows the use of ssh-agent for authentication. + To configure SSH keys in ipsec.conf the left|rightrsasigkey options are + replaced with left|rightsigkey, which now take public keys in one of three + formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and + PKCS#1 (the default, no prefix). 
+ +- Extraction of certificates and private keys from PKCS#12 files is now provided + by the new pkcs12 plugin or the openssl plugin. charon-cmd (--p12) as well + as charon (via P12 token in ipsec.secrets) can make use of this. + +- IKEv2 can now negotiate transport mode and IPComp in NAT situations. + +- IKEv2 exchange initiators now properly close an established IKE or CHILD_SA + on error conditions using an additional exchange, keeping state in sync + between peers. + +- Using a SQL database interface a Trusted Network Connect (TNC) Policy Manager + can generate specific measurement workitems for an arbitrary number of + Integrity Measurement Verifiers (IMVs) based on the history of the VPN user + and/or device. + +- Several core classes in libstrongswan are now tested with unit tests. These + can be enabled with --enable-unit-tests and run with 'make check'. Coverage + reports can be generated with --enable-coverage and 'make coverage' (this + disables any optimization, so it should not be enabled when building + production releases). + +- The leak-detective developer tool has been greatly improved. It works much + faster/stabler with multiple threads, does not use deprecated malloc hooks + anymore and has been ported to OS X. + +- chunk_hash() is now based on SipHash-2-4 with a random key. This provides + better distribution and prevents hash flooding attacks when used with + hashtables. + +- All default plugins implement the get_features() method to define features + and their dependencies. The plugin loader has been improved, so that plugins + in a custom load statement can be ordered freely or to express preferences + without being affected by dependencies between plugin features. + +- A centralized thread can take care for watching multiple file descriptors + concurrently. This removes the need for a dedicated listener threads in + various plugins. 
The number of "reserved" threads for such tasks has been + reduced to about five, depending on the plugin configuration. + +- Plugins that can be controlled by a UNIX socket IPC mechanism gained network + transparency. Third party applications querying these plugins now can use + TCP connections from a different host. + +- libipsec now supports AES-GCM. + + strongswan-5.0.4 ---------------- |
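Review bot: the entry on UNIX socket IPC plugins gaining network transparency ("Third party applications querying these plugins now can use TCP connections from a different host") should state whether the TCP listener is disabled by default and how remote clients are authenticated, since an interface that was previously reachable only by local users is now exposed over the network; naming the configuration option that controls it would let administrators decide whether to enable it. On the same hunk, the entry replacing left|rightrsasigkey with left|rightsigkey should say whether the old option names are still accepted, as existing ipsec.conf files would otherwise fail to load after an upgrade.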