Version 5.7.0 » History » Version 3
Tobias Brunner, 24.09.2018 14:05
| 1 | 1 | Tobias Brunner | h1. Version 5.7.0 |
|---|---|---|---|
| 2 | 1 | Tobias Brunner | |
| 3 | 3 | Tobias Brunner | * Fixes a potential authorization bypass vulnerability in the _gmp_ plugin that was caused by a too lenient |
| 4 | 3 | Tobias Brunner | verification of PKCS#1 v1.5 signatures. Several flaws could be exploited by a Bleichenbacher-style attack |
| 5 | 3 | Tobias Brunner | to forge signatures for low-exponent keys (i.e. with e=3). |
| 6 | 3 | Tobias Brunner | "CVE-2018-16151":https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16151 has been assigned to the problem of accepting random bytes after the OID of the |
| 7 | 3 | Tobias Brunner | hash function in such signatures, and "CVE-2018-16152":https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152 has been assigned to the issue of not verifying |
| 8 | 3 | Tobias Brunner | that the parameters in the ASN.1 @algorithmIdentitifer@ structure is empty. Other flaws that don't lead |
| 9 | 3 | Tobias Brunner | to a vulnerability directly (e.g. not checking for at least 8 bytes of padding) have no separate CVE assigned. |
| 10 | 3 | Tobias Brunner | Please refer to "our blog":https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html for details. |
| 11 | 2 | Tobias Brunner | |
| 12 | 2 | Tobias Brunner | * Dots are not allowed anymore in section names in [[swanctl.conf]] and [[strongswan.conf]]. |
| 13 | 2 | Tobias Brunner | This mainly affects the [[LoggerConfiguration|configuration of file loggers]]. If the path for such a log file contains dots |
| 14 | 2 | Tobias Brunner | it now has to be configured in the new _path_ setting within the arbitrarily renamed subsection in the |
| 15 | 2 | Tobias Brunner | _filelog_ section. |
| 16 | 2 | Tobias Brunner | |
| 17 | 2 | Tobias Brunner | * Sections in [[swanctl.conf]] and [[strongswan.conf]] may now reference other sections. All settings and |
| 18 | 1 | Tobias Brunner | subsections from such a section are inherited. This allows to simplify configs as redundant information |
| 19 | 3 | Tobias Brunner | has only to be specified once and may then be included in other sections (see [[strongswan.conf#Referencing-other-Sections]] for |
| 20 | 2 | Tobias Brunner | an example). |
| 21 | 2 | Tobias Brunner | |
| 22 | 1 | Tobias Brunner | * The originally selected IKE config (based on the IPs and IKE version) can now change if no matching |
| 23 | 2 | Tobias Brunner | algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and |
| 24 | 3 | Tobias Brunner | it's easily possible to specify separate configs for clients that require weaker algorithms (instead |
| 25 | 2 | Tobias Brunner | of having to also add them in other configs that might be selected). |
| 26 | 1 | Tobias Brunner | |
| 27 | 2 | Tobias Brunner | * Support for Postquantum Preshared Keys for IKEv2 ("draft-ietf-ipsecme-qr-ikev2":https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2) has been added. |
| 28 | 3 | Tobias Brunner | For an example refer to the {{tc(swanctl/rw-cert-ppk)}} scenario (or with {{tc(swanctl/rw-eap-md5-id-rsa-ppk, EAP)}}, or {{tc(swanctl/rw-psk-ppk, PSK)}} authentication). |
| 29 | 1 | Tobias Brunner | |
| 30 | 1 | Tobias Brunner | * The new _botan_ plugin is a wrapper around the "Botan C++ crypto library":https://botan.randombit.net. |
| 31 | 1 | Tobias Brunner | It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release). |
| 32 | 3 | Tobias Brunner | Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to |
| 33 | 3 | Tobias Brunner | Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface. |
| 34 | 1 | Tobias Brunner | |
| 35 | 3 | Tobias Brunner | * Implementation of "RFC 8412":https://tools.ietf.org/html/rfc8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC". |
| 36 | 3 | Tobias Brunner | SWIMA subscription option sets @CLOSE_WRITE@ trigger on @apt@ @history.log@ file resulting in a _ClientRetry_ |
| 37 | 3 | Tobias Brunner | PB-TNC batch to initialize a new measurement cycle. The new _imv/imc-swima_ plugins replace the previous |
| 38 | 3 | Tobias Brunner | _imv/imc-swid_ plugins, which were removed. |
| 39 | 2 | Tobias Brunner | |
| 40 | 3 | Tobias Brunner | * Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols |
| 41 | 3 | Tobias Brunner | on Google's OSS-Fuzz infrastructure. |
| 42 | 2 | Tobias Brunner | |
| 43 | 3 | Tobias Brunner | * Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of the in-kernel @/dev/tpmrm0@ |
| 44 | 3 | Tobias Brunner | resource manager is automatically detected. |
| 45 | 2 | Tobias Brunner | |
| 46 | 3 | Tobias Brunner | * The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using the |
| 47 | 3 | Tobias Brunner | syntax @--san xmppaddr:<jid>@. |
| 48 | 2 | Tobias Brunner | |
| 49 | 2 | Tobias Brunner | * [[swanctl.conf]] supports the configuration of marks the in- and/or outbound SA should apply to packets after |
| 50 | 2 | Tobias Brunner | processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability |
| 51 | 2 | Tobias Brunner | to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel. |
| 52 | 2 | Tobias Brunner | |
| 53 | 2 | Tobias Brunner | * New options in [[swanctl.conf]] allow configuring how/whether DF, ECN and DS fields in the IP headers are |
| 54 | 1 | Tobias Brunner | copied during IPsec processing. Controlling this is currently only possible on Linux. |
| 55 | 3 | Tobias Brunner | |
| 56 | 3 | Tobias Brunner | * The handling of sequence numbers in IKEv1 DPDs has been improved (#2714). |
| 57 | 1 | Tobias Brunner | |
| 58 | 1 | Tobias Brunner | * To avoid conflicts, the [[dhcpplugin|dhcp plugin]] now only uses the DHCP server port if explicitly configured. |