For high and medium severity vulnerabilities we are going to apply for a CVE Identifier first. Next we notify all known strongSwan customers and the major Linux distributions, giving them a time of about three weeks to patch their software release. On a predetermined date we officially issue an advisory and a patch for the vulnerability and usually a new stable strongSwan release containing the security fix. Also the CVE entry will be published.
Minor vulnerabilities of low severity usually will be fixed immediately and the corresponding patch will be posted on the strongSwan mailing list.
Please report all non-security-related flaws and bugs by opening a new issue in our wiki. If you don't have a user account yet, please register first.
Our Redmine Tracker classifies user issues into the following three categories:
Issue: Please choose this generic category if you are not sure whether your problem is caused by a strongSwan misconfiguration, an interoperability problem with third party VPN software or an actual bug in the strongSwan code. We are going to reclassify your report after a first analysis.
Feature: Please choose this category for requesting new features that we might implement in future versions of the strongSwan software.
Bug: Please post under this category only if you are quite sure that you identified a bug in the strongSwan code, e.g. if the charon daemon crashes which it shouldn't. Of course it is helpful if you can already pinpoint the code file where you suspect the bug or in the case of a crash to provide a backtrack analysis of the core dump. User patches fixing flaws are always welcome.