Version 5.3.1 » History » Version 3
Martin Willi, 01.06.2015 16:30
| 1 | 1 | Tobias Brunner | h1. Version 5.3.1 |
|---|---|---|---|
| 2 | 1 | Tobias Brunner | |
| 3 | 2 | Tobias Brunner | * Fixed a denial-of-service and potential remote code execution vulnerability |
| 4 | 2 | Tobias Brunner | triggered by IKEv1/IKEv2 messages that contain payloads for the respective |
| 5 | 2 | Tobias Brunner | other IKE version. Such payload are treated specially since version:5.2.2 but because |
| 6 | 2 | Tobias Brunner | they were still identified by their original payload type they were used as |
| 7 | 2 | Tobias Brunner | such in some places causing invalid function pointer dereferences. |
| 8 | 2 | Tobias Brunner | The vulnerability has been registered as "CVE-2015-3991":http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3991. |
| 9 | 2 | Tobias Brunner | Please refer to "our blog":https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html for details. |
| 10 | 2 | Tobias Brunner | |
| 11 | 2 | Tobias Brunner | * The new _aesni_ plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto |
| 12 | 2 | Tobias Brunner | primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ |
| 13 | 2 | Tobias Brunner | instructions and works on both x86 and x64 architectures. It provides |
| 14 | 2 | Tobias Brunner | superior crypto performance in userland without any external libraries. |
| 15 | 2 | Tobias Brunner | |
| 16 | 2 | Tobias Brunner | * Fixed an issue with IKEv2 fragmentation (introduced with version:5.2.1) and encryption |
| 17 | 2 | Tobias Brunner | algorithms that use sequential IVs (e.g. AES-GCM). Previously the IKE message ID was |
| 18 | 2 | Tobias Brunner | used as IV, but with IKEv2 fragmentation this ID is not unique anymore, causing the |
| 19 | 2 | Tobias Brunner | same IV to get used for fragments of the same message. This was fixed by including |
| 20 | 2 | Tobias Brunner | the fragment identifier in the IV (commit:62e0abe759). |
| 21 | 2 | Tobias Brunner | |
| 22 | 2 | Tobias Brunner | * The TLS client in _libtls_ now rejects Diffie-Hellman groups with primes < 1024 bit (commit:47e96391f2). |
| 23 | 2 | Tobias Brunner | |
| 24 | 2 | Tobias Brunner | * The accuracy of usage statistics reported via [[EAPRadius#Accounting|RADIUS Accounting]] has been |
| 25 | 2 | Tobias Brunner | increased in several situations (e.g. if interim updates occur while rekeying a CHILD_SA). |
| 26 | 2 | Tobias Brunner | |
| 27 | 2 | Tobias Brunner | * A constant time memory comparison utility function (@chunk_equals_const@) was |
| 28 | 2 | Tobias Brunner | added for cryptographic purposes (commit:aa9b74931f). |
| 29 | 2 | Tobias Brunner | |
| 30 | 2 | Tobias Brunner | * The interface for DH implementations was extended to enable unit tests (commit:44136bec94). |
| 31 | 2 | Tobias Brunner | |
| 32 | 2 | Tobias Brunner | * Fixed initialization of HMAC primitives in the _openssl_ plugin for newer |
| 33 | 2 | Tobias Brunner | OpenSSL releases (commit:c2906c8f21). |
| 34 | 2 | Tobias Brunner | |
| 35 | 2 | Tobias Brunner | * _ike-updown_ and _child-updown_ events are now relayed via VICI (commit:a7e4a2d6c2). |
| 36 | 2 | Tobias Brunner | |
| 37 | 2 | Tobias Brunner | * The Ruby Gems and Python Eggs built with @--enable-ruby-gems|--enable-python-eggs@ are |
| 38 | 2 | Tobias Brunner | not installed anymore during @make install@. To do so the options @--enable-ruby-gems-install@ |
| 39 | 2 | Tobias Brunner | and/or @--enable-python-eggs-install@ may be passed to [[AutoConf|./configure]] (commit:f16f792e17). |
| 40 | 2 | Tobias Brunner | |
| 41 | 3 | Martin Willi | * The source:src/libcharon/plugins/vici/libvici.h header is now licensed under the |
| 42 | 2 | Tobias Brunner | MIT license (commit:f17861dca9). |