Version 5.1.3 » History » Version 2

Tobias Brunner, 14.04.2014 23:15

h1. Version 5.1.3

* Fixed an authentication bypass vulnerability triggered by rekeying an
  IKE_SA that has not been established yet while it is being actively
  initiated. This allowed an attacker to move a peer's IKE_SA into the
  established state without providing any valid authentication credentials.
  Releases since 4.0.7 up to and including 5.1.2 are affected. The vulnerability
  has been registered as "CVE-2014-2338":http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2338.
  Refer to "our blog":http://www.strongswan.org/blog/2014/04/14/strongswan-authentication-bypass-vulnerability-(cve-2014-2338).html for details.

* The _acert_ plugin evaluates X.509 Attribute Certificates. Group membership
  information encoded as strings can be used to fulfill authorization checks
  defined with the _rightgroups_ [[ConnSection|ipsec.conf]] option. Attribute Certificates can be
  loaded [[IpsecDirectoryAcerts|locally]] or get exchanged in IKEv2 certificate payloads.

* The [[IpsecPki|pki]] command gained support to generate X.509 Attribute Certificates
  using the [[IpsecPkiAcert|--acert]] subcommand, while the [[IpsecPkiPrint|--print]] command supports the _ac_ type.
  The _openac_ utility has been removed in favor of the new pki functionality.

* The _libtls_ TLS 1.2 implementation, as used by EAP-(T)TLS and other protocols,
  has been extended with support for AEAD cipher suites, currently limited to AES-GCM.

* Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints (commit:a844b6589034).

* Limited OCSP signing to specific certificates to improve performance (commit:91d71abb16a9).

* _authKeyIdentifier_ is not added to self-signed certificates anymore (commit:f7d04ba6c462).

* Fixed the comparison of IKE configs if only the cipher suites were different (commit:23f34f6ed504).

* Added a "Travis CI":https://travis-ci.org config, a test script, and some unit test improvements (e.g. the
  @TESTS_SUITES@ option), see [[DeveloperDocumentation]].
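
The following ipsec.conf excerpt is an added illustration of the two Attribute Certificate items above (the _acert_ plugin with _rightgroups_, and the new _pki --acert_ / _--print --type ac_ commands); it is not part of the original changelog. It restricts a road-warrior connection to peers whose Attribute Certificate carries the group string @admins@, and keeps the pki invocations that issued and inspected that certificate as comments. The connection name, the group string, and all certificate and key file names (@aliceCert.pem@, @aaCert.pem@, @aaKey.pem@, @gatewayCert.pem@) are placeholders. It assumes the _acert_ plugin was built and is loaded (@./configure --enable-acert@), that the attribute authority certificate is trusted by charon, and that the holder named in the AC is the same end-entity certificate the peer authenticates with.

```conf
# /etc/ipsec.conf excerpt (added example, not from the original page)
#
# The holder's Attribute Certificate was issued offline with the pki tool of
# this release. File names and the group string "admins" are placeholders.
# The attribute authority (aaKey.pem / aaCert.pem) need not be the CA that
# issued aliceCert.pem, but aaCert.pem must be trusted by charon, e.g. by
# placing it in /etc/ipsec.d/aacerts.
#
#   pki --acert --in aliceCert.pem --group admins --lifetime 30 \
#       --issuercert aaCert.pem --issuerkey aaKey.pem --outform pem \
#       > /etc/ipsec.d/acerts/alice-admins.pem
#
#   # inspect the result with the new "ac" print type
#   pki --print --type ac --in /etc/ipsec.d/acerts/alice-admins.pem
#
# Attribute Certificates in /etc/ipsec.d/acerts are loaded at startup or with
# "ipsec rereadacerts"; the peer may also send its AC in an IKEv2 certificate
# payload. An AC whose holder does not match the peer's certificate, or whose
# issuer is not trusted, contributes no group memberships.

conn rw-admins
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@vpn.example.org
    leftsubnet=10.0.0.0/16
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    rightsourceip=10.1.0.0/24
    # Authorization on top of authentication: the peer must be a member of at
    # least one of the comma-separated groups. Without this line any peer
    # presenting a valid certificate from a trusted CA would be accepted.
    rightgroups=admins
    auto=add
```

Authentication (a valid end-entity certificate chaining to a trusted CA) and authorization (the _rightgroups_ match) are evaluated separately; a peer that fails the group check is rejected even though its certificate is valid, which is the check this plugin adds.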