From: Tobias Brunner Date: Wed, 3 Jun 2015 10:33:58 +0000 (+0200) Subject: NEWS: Add info about CVE-2015-4171 X-Git-Tag: 5.3.2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b19e517074b89af2b98440d132d4cdd8a8857dd;p=thirdparty%2Fstrongswan.git NEWS: Add info about CVE-2015-4171 --- diff --git a/NEWS b/NEWS index b2e8cb2e67..e0cfb7e98c 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +strongswan-5.3.2 +---------------- + +- Fixed a vulnerability that allowed rogue servers with a valid certificate + accepted by the client to trick it into disclosing its username and even + password (if the client accepts EAP-GTC). This was caused because constraints + against the responder's authentication were enforced too late. + This vulnerability has been registered as CVE-2015-4171. + + strongswan-5.3.1 ----------------
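Review bot: In the added strongswan-5.3.2 entry, the sentence "This was caused because constraints against the responder's authentication were enforced too late" gives the cause, but the entry never says which earlier releases or client configurations are affected, so a reader cannot tell from NEWS alone whether an upgrade is needed. Consider stating the affected version range and the client setup involved (the text implies clients that send a username or EAP-GTC password to a responder authenticated by certificate), and noting that the fix enforces those constraints earlier. The wording "caused because" would also read better as "caused by constraints against the responder's authentication being enforced too late".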