Version 4.2.14

  • The new server-side EAP RADIUS plugin (--enable-eap-radius)
    relays EAP messages to and from a RADIUS server. Successfully
    tested with a freeradius server using EAP-MD5 and EAP-SIM.
  • A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
    Gerd v. Egidy <gerd.von.egidy AT intra2net DOT com> of Intra2net AG affecting
    all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
    R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
    pluto IKE daemon to crash and restart. No authentication or encryption
    is required to trigger this bug. One spoofed UDP packet can cause the
    pluto IKE daemon to restart and be unresponsive for a few seconds while
    restarting. This DPD null state vulnerability has been officially
    registered as CVE-2009-0790 and is fixed by this release.
  • ASN.1 to time_t conversion caused a time wrap-around for
    dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
    As a workaround such dates are set to the maximum representable
    time, i.e. Jan 19 03:14:07 UTC 2038.
  • Distinguished Names containing wildcards (*) are not sent in the
    IDr payload anymore.
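
The time_t workaround listed above, as an added example (not strongSwan's own code): a self-contained ASN.1 time conversion showing both the 32-bit wrap-around and the clamp to the maximum representable time. The function name `asn1_to_time32`, its `clamp` flag and the fixed `int32_t` output (standing in for a 32-bit `time_t`) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define TIME32_MAX INT32_MAX    /* 0x7fffffff = Jan 19 03:14:07 UTC 2038 */

/* Days from 1970-01-01 to a proleptic Gregorian date (y, m, d). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Two ASCII digits at s as a number, or -1 if either is not a digit. */
static int two(const char *s)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return -1;
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ" to 32-bit time.
 * clamp=0 truncates (wraps), clamp=1 saturates. Returns 0 if ok, -1 if malformed. */
int asn1_to_time32(const char *s, int clamp, int32_t *out)
{
    size_t len = strlen(s);
    int f[7] = {0};                 /* century, yy, mon, day, hour, min, sec */
    int n = (len == 13) ? 1 : 0;    /* UTCTime carries no century field */
    if ((len != 13 && len != 15) || s[len - 1] != 'Z')
        return -1;
    for (size_t i = 0; i + 1 < len; i += 2)
        if ((f[n++] = two(s + i)) < 0)
            return -1;
    if (f[2] < 1 || f[2] > 12 || f[3] < 1 || f[3] > 31 ||
        f[4] > 23 || f[5] > 59 || f[6] > 59)
        return -1;                  /* coarse range check, days up to 31 */
    /* Two-digit years: 50..99 mean 19YY, 00..49 mean 20YY (RFC 5280). */
    int64_t year = (len == 13) ? (f[1] >= 50 ? 1900 : 2000) + f[1]
                               : f[0] * 100 + f[1];
    int64_t secs = days_from_civil(year, f[2], f[3]) * 86400
                 + f[4] * 3600 + f[5] * 60 + f[6];
    if (clamp && secs > TIME32_MAX)
        secs = TIME32_MAX;          /* the workaround: pin to the maximum */
    *out = (int32_t)(uint32_t)secs; /* truncation wraps when not clamped */
    return 0;
}
```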