From 7f14fefff4d3f01f8f07202b99493daca5cece27 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 23 May 2018 20:25:18 +0200 Subject: [PATCH] NEWS: Added some news for 5.6.3 --- NEWS | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/NEWS b/NEWS index 743c3b5566..2126ca89cf 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,61 @@ +strongswan-5.6.3 +---------------- + +- Fixes a vulnerability in the stroke plugin, which did not check the received + length before reading a message from the socket. Unless a group is configured, + root privileges are required to access that socket, so in the default + configuration this shouldn't be an issue. + This vulnerability has been registered as CVE-2018-5388. + +⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios + where expired certificates are removed from CRLs and the clock on the host + doing the revocation check is trailing behind that of the host issuing CRLs. + +- The issuer of fetched CRLs is now compared to the issuer of the checked + certificate. + +- CRL results other than revocation (e.g. a skipped check because the CRL + couldn't be fetched) are now stored also for intermediate CA certificates and + not only for end-entity certificates, so a strict CRL policy can be enforced + in such cases. + +- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must + now either not contain a keyUsage extension (like the ones generated by pki) + or have at least one of the digitalSignature or nonReputiation bits set. + +- New options for vici/swanctl allow forcing the local termination of an IKE_SA. + This might be useful in situations where it's known the other end is not + reachable anymore or that it already removed the IKE_SA, so there is no point + in retransmitting a DELETE and waiting for a response (it's also possible to + wait for a certain amount of time, e.g. shorter than all retransmits, until + destroying the SA). + +- When removing routes, the kernel-netlink plugin now checks if it tracks other + routes for the same destination and replaces the installed route instead of + just removing it. Same during installation, where existing routes previously + weren't replaced. This should allow using traps with virtual IPs on Linux. + +- The dhcp plugin only sends the client identifier option if identity_lease is + enabled. It also can send longer identities (up to 255 bytes instead of the + previous 64 bytes). If a server address is configured, DHCP requests are now + sent from port 67 instead of 68. + +- Roam events are now completely ignored for IKEv1 SAs. + +- ChaCha20/Poly1305 is now correctly proposed without key length. For + compatibility with older releases the chacha20poly1305compat keyword may be + included in proposals to also propose the algorithm with a key length. + +- Configuration of hardware offload of IPsec SAs is now more flexible and allows + a new mode, which automatically uses it if the kernel and hardware support it. + +- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1. + +- The pki --verify tool may load CA certificates and CRLs from directories. + +- Fixed an issue with DNS servers passed to NetworkManager in charon-nm. + + strongswan-5.6.2 ---------------- -- 2.47.2