From e59ce07bfaf3b7390013d0d79f6979050391654e Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 14 Apr 2014 13:32:36 +0200
Subject: [PATCH] NEWS: Added info about CVE-2014-2338

---
 NEWS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/NEWS b/NEWS
index 60f48f74f3..fd33fb08d4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
 strongswan-5.1.3
 ----------------
 
+- Fixed an authentication bypass vulnerability triggered by rekeying an
+  unestablished IKEv2 SA while it gets actively initiated.  This allowed an
+  attacker to trick a peer's IKE_SA state to established, without the need to
+  provide any valid authentication credentials.  The vulnerability has been
+  registered as CVE-2014-2338.
+
 - The acert plugin evaluates X.509 Attribute Certificates. Group membership
   information encoded as strings can be used to fulfill authorization checks
   defined with the rightgroups option. Attribute Certificates can be loaded
-- 
2.47.2