From: Tobias Brunner Date: Wed, 23 May 2018 18:25:18 +0000 (+0200) Subject: NEWS: Added some news for 5.6.3 X-Git-Tag: 5.6.3rc1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f14fefff4d3f01f8f07202b99493daca5cece27;p=thirdparty%2Fstrongswan.git NEWS: Added some news for 5.6.3 --- diff --git a/NEWS b/NEWS index 743c3b5566..2126ca89cf 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,61 @@ +strongswan-5.6.3 +---------------- + +- Fixes a vulnerability in the stroke plugin, which did not check the received + length before reading a message from the socket. Unless a group is configured, + root privileges are required to access that socket, so in the default + configuration this shouldn't be an issue. + This vulnerability has been registered as CVE-2018-5388. + +⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios + where expired certificates are removed from CRLs and the clock on the host + doing the revocation check is trailing behind that of the host issuing CRLs. + +- The issuer of fetched CRLs is now compared to the issuer of the checked + certificate. + +- CRL results other than revocation (e.g. a skipped check because the CRL + couldn't be fetched) are now stored also for intermediate CA certificates and + not only for end-entity certificates, so a strict CRL policy can be enforced + in such cases. + +- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must + now either not contain a keyUsage extension (like the ones generated by pki) + or have at least one of the digitalSignature or nonReputiation bits set. + +- New options for vici/swanctl allow forcing the local termination of an IKE_SA. + This might be useful in situations where it's known the other end is not + reachable anymore or that it already removed the IKE_SA, so there is no point + in retransmitting a DELETE and waiting for a response (it's also possible to + wait for a certain amount of time, e.g. shorter than all retransmits, until + destroying the SA). + +- When removing routes, the kernel-netlink plugin now checks if it tracks other + routes for the same destination and replaces the installed route instead of + just removing it. Same during installation, where existing routes previously + weren't replaced. This should allow using traps with virtual IPs on Linux. 
+ +- The dhcp plugin only sends the client identifier option if identity_lease is + enabled. It also can send longer identities (up to 255 bytes instead of the + previous 64 bytes). If a server address is configured, DHCP requests are now + sent from port 67 instead of 68. + +- Roam events are now completely ignored for IKEv1 SAs. + +- ChaCha20/Poly1305 is now correctly proposed without key length. For + compatibility with older releases the chacha20poly1305compat keyword may be + included in proposals to also propose the algorithm with a key length. + +- Configuration of hardware offload of IPsec SAs is now more flexible and allows + a new mode, which automatically uses it if the kernel and hardware support it. + +- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1. + +- The pki --verify tool may load CA certificates and CRLs from directories. + +- Fixed an issue with DNS servers passed to NetworkManager in charon-nm. + + strongswan-5.6.2 ----------------
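Review bot: the RFC 4945 keyUsage entry misspells the second bit as "nonReputiation"; the X.509 keyUsage bit is named nonRepudiation, so the line should read "or have at least one of the digitalSignature or nonRepudiation bits set." Also, the CRL-not-yet-valid entry begins with a Unicode superscript minus ("⁻ CRLs that are not yet valid are now ignored ...") instead of the ASCII "- " bullet every other entry in the hunk uses; replace it so the list renders consistently and tooling that scans NEWS for "- " items does not skip it.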