The Libreswan Project has released libreswan-3.20

This is a bugfix and feature release.

New Features:

This release completes support for the CREATE_CHILD_SA Exchange, adds support for the ECP Diffie-Hellman groups (19-21) and statistics via ipsec whack --globalstatus, and changes the IKE and ESP defaults to match rfc4307bis and rfc7321bis.

Important bugfixes:

A number of memory leaks and two use-after-free bugs were fixed, linking was improved to reduce binary sizes, and there are some miscellaneous bugfixes.

Compatibility changes:

The uniqueids= keyword is ignored for PSK based connections, allowing uniqueids=yes and mixing RSA/PSK connections. Some minor logging changes.

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.20.tar.gz
https://download.libreswan.org/libreswan-3.20.tar.gz.asc

The full changelog is available at:

https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release.

See also https://libreswan.org/

v3.20 (March 14, 2017)
* pluto: Add ECP dh19(secp256r1), dh20(secp384r1) and dh21(secp521r1) [Andrew]
* pluto: Add dh= aliases for all modp= groups (eg "dh2" for "modp1024") [Paul]
* pluto: Add statistics support to ipsec whack --globalstatus [Paul]
* pluto: Add statistics clearing support using ipsec whack --clearstats [Paul]
* pluto: Fix use-after-free in whack event handler (since v3.19) [Andrew]
* pluto: Cleanup kernel_netlink.c [Hugh]
* pluto: Print AH= algorithm and ESN when established [Paul/Andrew]
* pluto: strip file path from abort messages [Andrew]
* pluto: Support initiating template conn with --remote-host <ipaddr> [Paul]
* pluto/libswan: Change most ttoaddr() to ttoaddr_num() to prevent DNS [Paul]
* pluto: fix use-after-free with EVENT_v2_RELEASE_WHACK [Andrew]
* pluto: orient() asserted on SPLIT_INC without remote-peer-type=cisco [Paul]
  (reported by Oleg Rosowiecki)
* pluto: accurately size a buffer for the decimal representation [Hugh]
  (debian bug 853507)
* pluto: avoid gcc unused variable warnings when USE_KLIPS=false [dkg]
* pluto: Support for Linux systems without IFA_F_TENTATIVE (CentOS5) [Paul]
* pluto: Ignore uniqueids= for roadwarrior PSK and assume non-unique [Paul]
* IKEv2: CREATE_CHILD support for Parent SA and Child SA rekeying [Antony]
* IKEv2: Various refactoring for CREATE_CHILD support [Antony]
* IKEV2: OE/CAT: Don't send CP request when responder is behind NAT [Antony]
* IKEv2: log first notify payload when we receive a Notify Error [Paul]
* IKEv2: Fix memory leak in DH secret calculation (since v3.9) [Andrew]
  (reported by Eric Andresson)
* IKEv2: If re-entering ikev2_crypto_start(), reset msgid [Paul]
* IKEv2: prevent copying bogus peer id when ID kind is IPv4/IPv6 [Paul]
  (rhbz#1392191)
* IKEv2: suppress DELETE notifies for connections being replaced [Paul]
* IKEv2: re-instate ISAKMP_SA_established() [Paul]
* IKEv1: For IKE (phase 1), prefer 256-bit encryption [Andrew]
* IKEv1: Print conn algo's when using XAUTH [Andrew]
* IKEv1: Simplify ike= defaults (drop MODP1024, MD5, add MODP2048) [Andrew]
* IKEv1: Prefer 256-bit keys over 128-bit keys for IKE [Andrew]
* IKEv1: Also call ISAKMP_SA_established() in Aggressive Mode [Paul]
* newhostkey: Convert remaining --configdir for --nssdir [Tuomo]
* barf: Ensure proper macros are used. Add certutil/crlutil output [Paul]
* misc: Fix various spelling errors in code/comments/man pages [dkg]
* packaging: spec files should use 0 and 1, not true and false [David Arnold]
* building: NSS_REQ_AVA_COPY?=true to support new NSS lib export fix [Paul]
* building: Remove no longer needed NSSCERT_CheckCrlTimes() copy [Paul]
* building: fetch: remove support for ancient LDAP version 2 [Tuomo]
* building: move whack to separate programs/whack/ directory [Andrew]
* building: Various Makefile variable cleanups and double link fixes [Andrew]
* building: Don't check runtime for SElinux/systemd with DESTDIR [Paul]
* documentation: added oe-letsencrypt-* example configs [Paul]
