-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Libreswan Project has released libreswan-3.16.

This is a maintenance release that also includes experimental support for Opportunistic Encryption using AUTH-NULL.

A bug was fixed that caused keyingtries=0 to be misinterpreted, which could cause failing tunnels to not be retried indefinitely. Some IKEv1 PAM modules for pluto would always return a failure. Stricter checks on IKE padding in 3.14 were relaxed a little to ensure interop with broken racoon implementations. An XAUTH based connection that was brought up, down and up quickly could cause a crash.

A new experimental initial release of Opportunistic IPsec has been included. For more information about Opportunistic IPsec see:
https://libreswan.org/wiki/edit/HOWTO:_Opportunistic_IPsec

You can download libreswan via https at:
https://download.libreswan.org/libreswan-3.16.tar.gz
https://download.libreswan.org/libreswan-3.16.tar.gz.asc

The full changelog is available at:
https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:
https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
https://download.libreswan.org/binaries/

Binary packages for Fedora can be found in the respective fedora repositories.
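As an added illustration (not part of the announcement or of the libreswan project's own documentation), the ipsec.conf connection below shows several of the keywords this release touches in one place: keyingtries retry behaviour, time-unit suffixes on dpddelay=/dpdtimeout=, and the new replay-window= and mark= keywords. Peer addresses, subnets and the connection name are constructed; the keyword semantics are taken from the changelog entries (replay-window default 32 with 0 disabling, mark as value/mask, keyingtries=0 or %forever meaning retry indefinitely).

```conf
# Added example, not from the libreswan announcement: one ipsec.conf
# "conn" section exercising keywords touched by the 3.16 release.
# Addresses, subnets and the connection name are constructed values.
conn site-to-site
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
    # %forever (equivalently 0) retries a failing tunnel indefinitely;
    # 3.16 fixes both spellings being misinterpreted (changelog, bug #248).
    keyingtries=%forever
    # 3.16 accepts a time value with or without a unit suffix here
    # (openswan compatibility); a bare number is read as seconds.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # New in 3.16: anti-replay window size. Default is 32; 0 disables
    # replay protection, so only lower it for a measured reason.
    replay-window=64
    # New in 3.16: XFRM packet mark as value/mask, usable for policy routing
    # or firewall matching of traffic belonging to this tunnel.
    mark=42/0xffffffff
```

A connection with replay-window=0 gives up protection against replayed ESP packets, so the defensible default is to leave the keyword out (32) or raise it for high-throughput, reordering links rather than disable it.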
See also https://libreswan.org/

v3.16 (December 18, 2015)
* auto: add new option --start which is like auto=start [Tuomo]
* libipsecconf: allow time with no unit suffix (openswan compat) [Hugh]
* libipsecconf: cleanup parser.y to work on old/new GCC and 32/64bit [Hugh]
* libipsecconf: re-introduce strictcrlpolicy= as alias for crl-strict= [Paul]
* libipsecconf: Allow time specification for dpdtimeout= / dpddelay= [Paul]
* libipsecconf: aliases curl_timeout / curl_iface for openswan migration [Paul]
* libswan: Fix memory leak in match_rdn() [Valeriu Goldberger]
* PAM: Fix some IKEv1 XAUTH methods always returning "denied" [Antony]
* PAM: stacked pam modules (eg pam_ssss) need CAP_DAC_READ_SEARCH [Matt]
* newhostkey: fix seedev device [Paul]
* pluto: terminate_connection() when we become unoriented (rhbz#609343) [Paul]
* pluto: find_client_connection() must ignore unoriented c (rhbz#1166146) [Paul]
* pluto: Fix trafficstatus byte counter output [Antony]
* pluto: accept racoon's over-sized padding (got rejected in 3.14) [Andrew]
* pluto: obsolete plutofork= and ignore the keyword on startup [Paul]
* pluto: send_crl_to_import: use waitpid(2) to wait for correct child [Hugh]
* pluto: cleanup struct spd_route and related tidying [Hugh]
* pluto: fix eclipsed to iterate over connection's spd_routes [Hugh]
* pluto: accept delete payload with wrong side's SPI (CISCO bug) [Paul+Hugh]
* pluto: initialise phase2 our_lastused/peer_lastused on creation [Paul+Hugh]
* pluto: OE: add shunts.total count to ipsec whack --globalstatus [Paul]
* pluto: Add keyword replay-window= (default 32, 0 means disable) [Paul]
* pluto: Add fake-strongswan=yes|no (default no) to send strongswan VID [Paul]
* pluto: Add support for XFRM marking via mark=val/mask [Amir Naftali]
* pluto: Use selinux dynamic class/perm discovery, not old API [Lubomir Rintel]
* pluto: Fix for uniqueids killing second tunnel between hosts [Tuomo]
* pluto: Don't refuse to load passthrough conn with ike= / esp= settings [Paul]
* pluto: Free the event struct initialized in main loop and tidy [Antony]
* pluto: Add event for child handling of addconn [Wolfgang/Antony]
* pluto: release_fragments() cannot try both IKEv1 and IKEv2 fragments [Paul]
* X509: load_end_nss_certificate() cleanup [Matt]
* X509: Add on-demand loading of NSS certificate private keys [Matt]
* X509: Fix possible NSS cert leaks in trusted_ca_nss() [Matt]
* IKEv2: delete_state() should only handle shunt of real parent SA [Paul]
* IKEv2: retransmit_v2_msg() should delete parent and child SA on failure [Paul]
* IKEv2: mixup in parent/child SA caused keyingtries to be lost [Paul]
* IKEv2: Remove two bogus state machine entries for INFORMATIONAL [Paul]
* IKEv2: Remove duplicate SEND_V2_NOTIFICATION() [Paul]
* IKEv2: Only let passthrough conn win if it has longer prefix [Paul]
* OE: Deleting opportunistic Parent with no Child SA [Paul]
* OE: Send authentication failed for OE child fail [Paul]
* OE: Don't reject IPv6 family for OE foodgroups [Antony]
* OE: Move orphan_holdpass() call into delete_state() [Paul]
* OE: Call orphan_holdpass() for opportunistic conns for EVENT_SA_EXPIRE [Paul]
* OE: Do not answer IKE request if we matched authby=never conn [Paul]
* OE: Fix memory leaks in nullgw and bs->why [Antony]
* OE: At IKE rekey time, delete the IKE/IPsec SA when idle [Antony]
* FIPS: fips.h should only require compiled libexec/ components [Paul]
* XAUTH: Fix for connection going up->down->up causing passert [Hugh]
* XAUTH: Do not interpret padding as incomplete attribute [Lubomir Rintel]
* XAUTH: Improve failure logging [Paul]
* XFRM: Workaround bug in Linux kernel NLMSG_OK's definition [Hugh]
* KLIPS: kernels 4.1.x+ always use the same interface to uids [Roel van Meer]
* KLIPS: Various changes to support 4.1.x kernels [Wolfgang]
* ipsec: custom directory not recognized, github issue #44 [Tuomo]
* updown.*: Fix NetworkManager callback [Lubomir Rintel]
* addconn: tidy [Hugh]
* building: obsolete USE_ADNS and disable building adns helpers [Paul]
* building: Do not link all binaries with nss,nspr and gmp [Paul]
* building: install "ipsec_initnss.8" and "ipsec_import.8" man pages [Andrew]
* packaging: debian/ directory update [Paul/Daniel]
* testing: Various testing updates and improvements [Antony/Paul/Andrew]
* documentation: added CODE_OF_CONDUCT.d [Paul]
* Bugtracker bugs fixed:
  #216 No longer require :RSA entries for X.509 certs in ipsec.secrets [Matt]
  #233 pluto sends delete SAs in wrong order and reconnection issues [Wolfgang]
  #247 KLIPS: fix pluto can't add ipv6 addresses to ipsec devices [Wolfgang]
  #248 keyingtries=%forever doesn't work anymore [Wolfgang]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWdGwaAAoJEIX/S0OzD8b566EP/iAHIJIGx/lrZexlVQpTTs0Q
M+lmDsiUzhvq97LoKFOzzKuNjLMGHcNhU2tEYRJIPOfTJqDhsB37IN6exiN319Lx
2AphkFP1Aqd42iUIhZD75cfcIk7u2+qOB89hRI2JugefHfLK5RpfsShQsa/k5REz
/SLtggafYFNjA1J/0Picw3czwdbH6DyMCdsSWEc46X9aXNnYlB7GNctb9KemC91N
mj2AJxAdVdaxUSZO7u0fuxSMLH7xtZv90mw69OFvmpwGwchuYT/lGBXhnytc7LK7
ykftIzu0842ThUJOosrTLefDP7wzen5iUGda7PlUB1Gw6Ib8KIq9AIMmazFxDO2q
LRmqapJwGY3Z45SLhvumM2tGXiy02jjtb+gtNuFsAbONxngmiZm/RBUKonTikK4A
FuSD+jCWOq0qj9KS1ZwWP5tUHEw8p5ExV8ARy0fd3hoz0U3EafU3/uTXSWM2VaAu
8bfI6zqyuMhkg889zljY2uS84SiF835AoFGKdhHwDT7p3oIYSdtr2QAfRIcPE6sk
sNOCMojqigfylOJYlOaMSK2VjKxchVlwbXhdLZuVxQ6rzYw0itHBVzsTGGKe6yot
O46m4taMhUTLlcpYdXl7y7GkYHe3BzBnVngnn+LLHF2v/NaoeDGI1yShijBuMeb2
W78ZHlfQ1P0Xd/qneufa
=dJvs
-----END PGP SIGNATURE-----

_______________________________________________
Swan-announce mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-announce

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
