The Libreswan Project has released libreswan-3.7. This is a security
release.
This release addresses an IKE vulnerability introduced in libreswan
3.6. It has been submitted as CVE-2013-4564. A malicious IKE packet
could cause libreswan to restart. It also fixes a tmp file race condition in
the
The Libreswan Project has released libreswan-3.8. This is a security release.
This release addresses an IKEv2 vulnerability discovered by Iustina
Melinte. It has been submitted as CVE-2013-6467. A malicious IKEv2 packet
with missing payloads or bad payload chains could cause libreswan to
The Libreswan Project is about to release libreswan-3.9. It includes a
very large bugfix and enhancement patch set. Therefore, we would really
like people to do some additional testing before we release it.
You can find the 3.9rc1 pre-release at:
https://download.libreswan.org/development
The Libreswan Project has released libreswan-3.9.
This is a feature and major bugfix release. It contains more than the
usual amount of changes. Users of IKEv2 are encouraged to upgrade as this
release contains many IKEv2 enhancements and
The Libreswan Project has released libreswan-3.10
This is a major bugfix release.
Libreswan 3.9 did not enforce "strict mode", resulting in the default
proposals of 3des/aes/sha1/md5 to always be allowed despite the
configuration with esp= and ike=. Although none of these algorithms
Yesterday and today saw three important security announcements. Two for
bash and one for NSS.
- libreswan IS vulnerable to NSS CVE-2014-1568 RSA Signature Forgery
(MSF 2014-73). Please upgrade NSS to one of 3.17.1, 3.16.1 or
The Libreswan Project has released libreswan-3.11
This is a major bugfix release.
Not all startup timing issues were resolved in 3.10, and this release
fixes the remaining ones with systemd and auto=route|start
connections. IKEv2 did not ignore certain reserved fields of the IKE
header
The Libreswan Project has released libreswan-3.12
This is a bugfix release, with mostly IKEv2 bugfixes, along with an
X509 chaining certificate bugfix.
You can download libreswan via https at:
https://download.libreswan.org/libreswan-3.12.tar.gz
https://download.libreswan.org/libreswan-3.12
/
The Libreswan Project was notified by Javantea of two
vulnerabilities found by fuzzing IKEv1 payloads. The malicious IKE packet
causes an unexpected state in the IKE daemon resulting in passert() calls
terminating and restarting the IKE daemon. No remote code execution is
possible.
Vulnerable
The Libreswan Project has released libreswan-3.14
This is a major feature and bugfix release. Upgrade with caution.
Support for two new RFCs was added, RFC 7383 IKEv2 Fragmentation
(fragmentation=|yes|no|force) and RFC 7619 IKEv2 Auth Null (authby=null,
leftid=%null). Support was add
The Libreswan Project has released libreswan-3.15
This is a security release to address CVE-2015-3240
(note this CVE number looks very similar to our previous one, CVE-2015-3204)
The Libreswan Team discovered a bug in the DH handling of
The Libreswan Project has released libreswan-3.16
This is a maintenance release that also includes experimental support
for Opportunistic Encryption using AUTH-NULL
A bug was fixed that caused keyingtries=0 to be misinterpreted, which
could
following URLs:
https://libreswan.org/security/CVE-2016-3071/
The Libreswan Project found a bug in the default proposal set for IKEv2.
This code, introduced in version 3.16, includes the AES_XCBC integrity
algorithm. It wrongly assumes that the NSS cryptographic library supports
this algorithm. As a
The Libreswan Project has released libreswan-3.17
This is a security release. It fixes CVE-2016-3071 which can cause the
pluto IKE daemon to restart when receiving an IKE transform containing
AES_XCBC.
New features are ESN support (esn=yes|no
:
https://libreswan.org/security/CVE-2016-5391/
The Libreswan Project has found a vulnerability in processing IKEv2
proposals that miss a Diffie-Hellman transform for the IKE SA. A NULL
pointer dereference causes the pluto IKE daemon to crash and restart.
No remote code execution is possible
The Libreswan Project has released libreswan-3.18
This is a security release for CVE-2016-5391 as well as a feature
release.
The CVE-2016-5391 issue can cause the IKE daemon to restart on a missing
DH IKEv2 transform. This could cause a denial of service.
Three new experimental features are
The Libreswan Project has released libreswan-3.19
This is a major bugfix and feature release.
Important bugfixes:
This version fixes a crasher and/or lockup in the bare shunt handling.
It also includes various memory leak fixes related to
The Libreswan Project has released libreswan-3.20
This is a bugfix and feature release.
New Features:
This release completes support for the CREATE_CHILD_SA Exchange,
support for the ECP Diffie-Hellman Groups (19-21), statistics support
via
Please upgrade nss to one of the recommended versions:
https://rhn.redhat.com/errata/RHSA-2017-1100.html
An out-of-bounds write flaw was found in the way NSS performed certain
Base64-decoding operations. An attacker could use this flaw to create a
specially crafted certificate which, when parsed
The Libreswan Project has released libreswan-3.21
This is a bugfix and feature release.
New Features:
This release features Opportunistic IPsec using DNSSEC lookups of
IPSECKEY records. It also adds support for the DNSSEC root key rollover
The Libreswan Project has released libreswan-3.22
This is a performance enhancement and feature release.
Performance improvements:
After investigating performance under high load, we found a number of
issues that slowed down performance. This
The Libreswan Project has released libreswan-3.23
This is a feature and maintenance release.
New Features:
MOBIKE support (RFC 4555) via mobike=yes|no using XFRM_MIGRATE
IKEv2 split DNS support (draft-ietf-split-dns) via modecfg* options
The Libreswan Project has released libreswan-3.25
This is a major bugfix release with some additional features
New Features:
Various Opportunistic IPsec related features
Harden IP triggered OE with new dns-match-id=yes|no
Important bugfixes
The Libreswan Project has released libreswan-3.26
This is a feature release with some minor bugfixes
New Features:
* Support for RSA-PSS (RFC 7427) via authby=rsa-sha2
* Support for ECDSA (RFC 7427) via authby=ecdsa-sha2
* Support for