NEWS: Add info about CVE-2015-4171

author Tobias Brunner <tobias@strongswan.org>

Wed, 3 Jun 2015 10:33:58 +0000 (12:33 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Fri, 5 Jun 2015 11:44:43 +0000 (13:44 +0200)
author Tobias Brunner <tobias@strongswan.org>
Wed, 3 Jun 2015 10:33:58 +0000 (12:33 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 5 Jun 2015 11:44:43 +0000 (13:44 +0200)
diff --git a/NEWS b/NEWS

index b2e8cb2e67bedca90c6b0898e24a6fe01eba71a1..e0cfb7e98c9bb6c4a367bd5d147bdd1b0704ac32 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,13 @@
+strongswan-5.3.2
+----------------
+
+- Fixed a vulnerability that allowed rogue servers with a valid certificate
+  accepted by the client to trick it into disclosing its username and even
+  password (if the client accepts EAP-GTC).  This was caused because constraints
+  against the responder's authentication were enforced too late.
+  This vulnerability has been registered as CVE-2015-4171.
+
+
  strongswan-5.3.1
  ----------------
author	Tobias Brunner <tobias@strongswan.org>
	Wed, 3 Jun 2015 10:33:58 +0000 (12:33 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 5 Jun 2015 11:44:43 +0000 (13:44 +0200)