Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 102 |
1 files changed, 84 insertions, 18 deletions
@@ -1,3 +1,69 @@ +strongswan-5.7.0 +---------------- + +- Fixes a potential authorization bypass vulnerability in the gmp plugin that + was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several + flaws could be exploited by a Bleichenbacher-style attack to forge signatures + for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to + the problem of accepting random bytes after the OID of the hash function in + such signatures, and CVE-2018-16152 has been assigned to the issue of not + verifying that the parameters in the ASN.1 algorithmIdentitifer structure is + empty. Other flaws that don't lead to a vulnerability directly (e.g. not + checking for at least 8 bytes of padding) have no separate CVE assigned. + +- Dots are not allowed anymore in section names in swanctl.conf and + strongswan.conf. This mainly affects the configuration of file loggers. If the + path for such a log file contains dots it now has to be configured in the new + `path` setting within the arbitrarily renamed subsection in the `filelog` + section. + +- Sections in swanctl.conf and strongswan.conf may now reference other sections. + All settings and subsections from such a section are inherited. This allows + to simplify configs as redundant information has only to be specified once + and may then be included in other sections (refer to the example in the man + page for strongswan.conf). + +- The originally selected IKE config (based on the IPs and IKE version) can now + change if no matching algorithm proposal is found. This way the order + of the configs doesn't matter that much anymore and it's easily possible to + specify separate configs for clients that require weak algorithms (instead + of having to also add them in other configs that might be selected). + +- Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2) + has been added. + +- The new botan plugin is a wrapper around the Botan C++ crypto library. 
It + requires a fairly recent build from Botan's master branch (or the upcoming + 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz + Cybersecurity for the initial patch. + +- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using + the syntax --san xmppaddr:<jid>. + +- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA) + for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt + history.log file resulting in a ClientRetry PB-TNC batch to initialize + a new measurement cycle. + +- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA + protocols on Google's OSS-Fuzz infrastructure. + +- Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of + the in-kernel /dev/tpmrm0 resource manager is automatically detected. + +- Marks the in- and/or outbound SA should apply to packets after processing may + be configured in swanctl.conf on Linux. For outbound SAs this requires at + least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound + SAs will be added with the upcoming 4.19 kernel. + +- New options in swanctl.conf allow configuring how/whether DF, ECN and DS + fields in the IP headers are copied during IPsec processing. Controlling this + is currently only possible on Linux. + +- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if + explicitly configured. + + strongswan-5.6.3 ---------------- 
@@ -1199,9 +1265,9 @@ strongswan-4.6.1 thus causing failures during the loading of the plugins which depend on these libraries for resolving external symbols. -- Therefore our approach of computing integrity checksums for plugins had to be - changed radically by moving the hash generation from the compilation to the - post-installation phase. +- Therefore our approach of computing integrity checksums for plugins had to be + changed radically by moving the hash generation from the compilation to the + post-installation phase. strongswan-4.6.0 @@ -2309,7 +2375,7 @@ strongswan-4.1.4 Thanks to the rightallowany flag the connection behaves later on as - right=%any + right=%any so that the peer can rekey the connection as an initiator when his IP address changes. An alternative notation is @@ -2366,8 +2432,8 @@ strongswan-4.1.3 is provided and more advanced backends (using e.g. a database) are trivial to implement. - - Fixed a compilation failure in libfreeswan occurring with Linux kernel - headers > 2.6.17. +- Fixed a compilation failure in libfreeswan occurring with Linux kernel + headers > 2.6.17. strongswan-4.1.2 @@ -2517,7 +2583,7 @@ strongswan-4.0.5 The debugging levels can either be specified statically in ipsec.conf as config setup - charondebug="lib 1, cfg 3, net 2" + charondebug="lib 1, cfg 3, net 2" or changed at runtime via stroke as @@ -2759,9 +2825,9 @@ strongswan-2.6.2 if an FQDN, USER_FQDN, or Key ID was defined, as in the following example. conn rw - right=%any - rightid=@foo.bar - authby=secret + right=%any + rightid=@foo.bar + authby=secret - the ipsec command now supports most ipsec auto commands (e.g. ipsec listall). @@ -2904,7 +2970,7 @@ strongswan-2.5.3 - fixed the initialization of the ESP key length to a default of 128 bits in the case that the peer does not send a key length - attribute for AES encryption. + attribute for AES encryption. - applied Herbert Xu's uniqueIDs patch 
@@ -3309,16 +3375,16 @@ strongswan-2.1.0 - The new "ca" section allows to define the following parameters: ca kool - cacert=koolCA.pem # cacert of kool CA - ocspuri=http://ocsp.kool.net:8001 # ocsp server - ldapserver=ldap.kool.net # default ldap server - crluri=http://www.kool.net/kool.crl # crl distribution point - crluri2="ldap:///O=Kool, C= .." # crl distribution point #2 - auto=add # add, ignore + cacert=koolCA.pem # cacert of kool CA + ocspuri=http://ocsp.kool.net:8001 # ocsp server + ldapserver=ldap.kool.net # default ldap server + crluri=http://www.kool.net/kool.crl # crl distribution point + crluri2="ldap:///O=Kool, C= .." # crl distribution point #2 + auto=add # add, ignore The ca definitions can be monitored via the command - ipsec auto --listcainfos + ipsec auto --listcainfos - Fixed cosmetic corruption of /proc filesystem by integrating D. Hugh Redelmeier's freeswan-2.06 kernel fixes. |
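Review bot: In the first bullet of the new strongswan-5.7.0 entry (hunk @@ -1,3 +1,69 @@), "algorithmIdentitifer" is misspelled and "the parameters ... is empty" should be plural. This is the sentence readers will match against CVE-2018-16152, so it is worth getting exact: "verifying that the parameters in the ASN.1 algorithmIdentifier structure are empty". Two smaller wording points in the same hunk: "TPM2-TSS TGC Software Stack" reads like a transposition of TCG, and the bullet starting "Marks the in- and/or outbound SA should apply to packets after processing may be configured" is hard to parse; something like "Marks that the in- and/or outbound SA should apply to packets after processing may now be configured" would be clearer.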
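Review bot: The hunks from @@ -1199,9 +1265,9 @@ through @@ -3309,16 +3375,16 @@ only change whitespace in old release entries (the removed and added text is otherwise identical, e.g. " - Fixed a compilation failure" becoming "- Fixed a compilation failure"), and they account for all 18 deletions in the diffstat. Consider moving them into a separate cleanup commit so that the commit carrying the CVE-2018-16151/CVE-2018-16152 release note touches only the 5.7.0 entry and stays easy to review and cherry-pick.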