Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 71 |
1 files changed, 71 insertions, 0 deletions
@@ -1,3 +1,74 @@ +strongswan-5.1.1 +---------------- + +- Fixed a denial-of-service vulnerability and potential authorization bypass + triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient + length check when comparing such identities. The vulnerability has been + registered as CVE-2013-6075. + +- Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 + fragmentation payload. The cause is a NULL pointer dereference. The + vulnerability has been registered as CVE-2013-6076. + +- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session + with a strongSwan policy enforcement point which uses the tnc-pdp charon + plugin. + +- The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either + full SWID Tag or concise SWID Tag ID inventories. + +- The XAuth backend in eap-radius now supports multiple XAuth exchanges for + different credential types and display messages. All user input gets + concatenated and verified with a single User-Password RADIUS attribute on + the AAA. With an AAA supporting it, one for example can implement + Password+Token authentication with proper dialogs on iOS and OS X clients. + +- charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf + modeconfig=push option enables it for both client and server, the same way + as pluto used it. + +- Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections, + charon can negotiate and install Security Associations integrity-protected by + the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only, + but not the deprecated RFC2401 style ESP+AH bundles. + +- The generation of initialization vectors for IKE and ESP (when using libipsec) + is now modularized and IVs for e.g. AES-GCM are now correctly allocated + sequentially, while other algorithms like AES-CBC still use random IVs. + +- The left and right options in ipsec.conf can take multiple address ranges + and subnets. 
This allows connection matching against a larger set of + addresses, for example to use a different connection for clients connecting + from a internal network. + +- For all those who have a queasy feeling about the NIST elliptic curve set, + the Brainpool curves introduced for use with IKE by RFC 6932 might be a + more trustworthy alternative. + +- The kernel-libipsec userland IPsec backend now supports usage statistics, + volume based rekeying and accepts ESPv3 style TFC padded packets. + +- With two new strongswan.conf options fwmarks can be used to implement + host-to-host tunnels with kernel-libipsec. + +- load-tester supports transport mode connections and more complex traffic + selectors, including such using unique ports for each tunnel. + +- The new dnscert plugin provides support for authentication via CERT RRs that + are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko. + +- The eap-radius plugin supports forwarding of several Cisco Unity specific + RADIUS attributes in corresponding configuration payloads. + +- Database transactions are now abstracted and implemented by the two backends. + If you use MySQL make sure all tables use the InnoDB engine. + +- libstrongswan now can provide an experimental custom implementation of the + printf family functions based on klibc if neither Vstr nor glibc style printf + hooks are available. This can avoid the Vstr dependency on some systems at + the cost of slower and less complete printf functions. + + strongswan-5.1.0 ---------------- |
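Review bot: the two CVE entries at the top of the hunk state the defect (an insufficient length check when comparing ID_DER_ASN1_DN identities for CVE-2013-6075, a NULL pointer dereference on a crafted IKEv1 fragmentation payload for CVE-2013-6076) but not which releases are affected, so an administrator reading NEWS cannot tell whether an installed version needs this update; add the affected version range, or a pointer to the advisory, next to each CVE identifier. Two wording fixes further down: "- The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session" should read "an RFC 6876", and "from a internal network" should read "from an internal network"; "RFC2401 style" is also inconsistent with the "RFC 6876" and "RFC 6932" spacing used elsewhere in the same list.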