Minor Release


12 issues   (12 closed — 0 open)

Version 5.2.2

  • Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
    payload that contains the Diffie-Hellman group 1025. This identifier was
    used internally for DH groups with custom generator and prime. Because
    these arguments are missing when creating DH objects based on the KE payload
    an invalid pointer dereference occurred. This allowed an attacker to crash
    the IKE daemon with a single IKE_SA_INIT message containing such a KE
    payload. The vulnerability has been registered as CVE-2014-9221.
    Please refer to our blog for details.
  • The left/rightid options in ipsec.conf, or any other identity in strongSwan,
    now accept prefixes to enforce an explicit type, such as email: or fqdn:.
    Note that no conversion is done for the remaining string, refer to the
    conn section reference (or the ipsec.conf(5) man page) for details.
  • Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
    cause interoperability issues when connecting to older versions of charon (#771).
  • Support to configure IP address pools as ranges (<from IP>-<to IP>) in
    ipsec.conf and swanctl.conf has been added.
  • The first and last addresses in subnet based pools are now skipped properly and
    the pools' sizes are adjusted accordingly. Which is also the case if pools are
    configured with an offset, e.g., which reduces the number of
    available addresses from 254 to 155 and assignment now starts at .100 not .101,
    that is, .100-.254 are assignable to clients.
  • Many uses of select(2) have been replaced by call to poll(2), which avoids problems
    with more than 1024 open file descriptors (see #757).
  • Only payloads with payload types defined for the currently handled IKE version are now parsed,
    all other payloads are ignored (see mailing list).
  • On Windows ALE layer WFP rules are introduced to accept tunnel mode packets in
    stateful packet filtering if default-drop policies are used (e61841a211).
  • The new --pkcs12 command for pki provides basic support for PKCS#12
    containers, namely listing and exporting credentials.
  • Correctly configure replay window size on FreeBSD and Mac OS X (d21b01462e).
  • Accept IPComp proposals with 4 octet long CPI values (4141f01671).
Issues by