From: Tobias Brunner Date: Mon, 14 Apr 2014 11:32:36 +0000 (+0200) Subject: NEWS: Added info about CVE-2014-2338 X-Git-Tag: 5.1.3~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e59ce07bfaf3b7390013d0d79f6979050391654e;p=thirdparty%2Fstrongswan.git NEWS: Added info about CVE-2014-2338 --- diff --git a/NEWS b/NEWS index 60f48f74f3..fd33fb08d4 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ strongswan-5.1.3 ---------------- +- Fixed an authentication bypass vulnerability triggered by rekeying an + unestablished IKEv2 SA while it gets actively initiated. This allowed an + attacker to trick a peer's IKE_SA state to established, without the need to + provide any valid authentication credentials. The vulnerability has been + registered as CVE-2014-2338. + - The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded
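Review bot: The new NEWS entry for CVE-2014-2338 does not say which releases are affected or whether anything short of upgrading mitigates the issue, so a reader of NEWS cannot tell from this text whether their deployment is exposed. Consider adding a sentence naming the affected version range and stating whether only peers that actively initiate IKEv2 SAs are at risk, since the entry ties the trigger to an SA "while it gets actively initiated". The wording "trick a peer's IKE_SA state to established" is also hard to parse; something like "trick a peer into treating an IKE_SA as established" reads more clearly. The entry mentions IKEv2 only; if IKEv1 is not affected, saying so explicitly would save readers from guessing.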