NEWS: Added info about CVE-2014-2338

author Tobias Brunner <tobias@strongswan.org>

Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)
author Tobias Brunner <tobias@strongswan.org>
Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)
diff --git a/NEWS b/NEWS

index 60f48f74f3ad7157d4007d26f1ddd8f9eaff76cc..fd33fb08d474dd061dff4ed60996c5dc69b405af 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
  strongswan-5.1.3
  ----------------
  
+- Fixed an authentication bypass vulnerability triggered by rekeying an
+  unestablished IKEv2 SA while it gets actively initiated.  This allowed an
+  attacker to trick a peer's IKE_SA state to established, without the need to
+  provide any valid authentication credentials.  The vulnerability has been
+  registered as CVE-2014-2338.
+
  - The acert plugin evaluates X.509 Attribute Certificates. Group membership
    information encoded as strings can be used to fulfill authorization checks
    defined with the rightgroups option. Attribute Certificates can be loaded
author	Tobias Brunner <tobias@strongswan.org>
	Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)