-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Libreswan Project has released libreswan 4.1

This is a major bugfix release.

A bug in libreswan 4.0 that rejected invalid IKEv2 Notify protocol IDs
instead of ignoring them, as required by RFC 7296, resulted in an
interoperability issue with some Cisco devices that send invalid Notify
protocol IDs.

A DNS resolving bug was fixed that could lead to connections failing to
resolve properly when the connection used left=%defaultroute and a right=
with a DNS name that published both A and AAAA records.

If upgrading from libreswan 3.32 or earlier to libreswan 4.1, please read
the libreswan 4.0 announcement:
https://lists.libreswan.org/pipermail/swan-announce/2020/000038.html

This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-4.1.tar.gz
https://download.libreswan.org/libreswan-4.1.tar.gz.asc

The full changelog is available at:
https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:
https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.
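To illustrate the RFC 7296 rule behind the Notify protocol ID fix above, here is an added example (not libreswan's own code) of a Notify payload parser that ignores the Protocol ID when the SPI field is empty, as Section 3.10 requires, instead of rejecting the message, while still rejecting a payload whose non-empty SPI is malformed. The struct and function names are hypothetical and the sample payload bytes are constructed, not captured from a Cisco device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IKEV2_PROTO_AH  2   /* Protocol IDs, RFC 7296 Section 3.3.1 */
#define IKEV2_PROTO_ESP 3

struct ikev2_notify {
    uint8_t protocol_id;     /* left 0 whenever the SPI field is empty */
    uint8_t spi_size;
    uint16_t msg_type;
    uint32_t spi;            /* meaningful only when spi_size == 4 */
    size_t data_len;         /* length of the Notification Data that follows */
    int protocol_id_ignored; /* 1 if a nonzero ID was ignored rather than rejected */
};

/* Parse a Notify payload body (the bytes after the 4-byte generic payload
 * header). Returns 0 on success, -1 if malformed. RFC 7296 Section 3.10 says
 * that when SPI Size is 0 the Protocol ID "MUST be ignored on receipt", so a
 * peer that puts a bogus value there is tolerated instead of failing the exchange. */
int parse_notify(const uint8_t *buf, size_t len, struct ikev2_notify *n)
{
    if (len < 4) return -1;
    memset(n, 0, sizeof(*n));
    n->spi_size = buf[1];
    n->msg_type = (uint16_t)((buf[2] << 8) | buf[3]);
    if (n->spi_size == 0) {
        if (buf[0] != 0) {   /* lenient path: log it and carry on */
            n->protocol_id_ignored = 1;
            fprintf(stderr, "Notify %u: ignoring Protocol ID %u with empty SPI\n", n->msg_type, buf[0]);
        }
    } else {
        /* A non-empty SPI must name a Child SA (AH or ESP, 4-octet SPI) and be fully present. */
        if ((buf[0] != IKEV2_PROTO_AH && buf[0] != IKEV2_PROTO_ESP) || n->spi_size != 4 ||
            len < 4u + n->spi_size)
            return -1;
        n->protocol_id = buf[0];
        n->spi = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
    }
    n->data_len = len - 4 - n->spi_size;
    return 0;
}

/* Constructed sample payload bodies (not captured traffic). Notify types from the
 * IANA registry: NAT_DETECTION_SOURCE_IP = 16388 (0x4004), REKEY_SA = 16393 (0x4009). */
static const uint8_t sample_bogus_proto[] = { 0x05, 0x00, 0x40, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_rekey[]       = { 0x03, 0x04, 0x40, 0x09, 0x12, 0x34, 0x56, 0x78 };
static const uint8_t sample_truncated[]   = { 0x03, 0x04, 0x40, 0x09, 0x12, 0x34 };
```

The first sample mirrors the interop case: an unknown Protocol ID with an empty SPI is accepted and only logged, whereas a REKEY_SA that claims a 4-octet SPI but carries fewer bytes is still rejected.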
See also https://libreswan.org/

v4.1 (October 18, 2020)
* IKEv2: Fix Notify protocol ID interop with Cisco introduced in 4.0 [Antony]
* addconn: Fix resolving with %defaultroute plus peer with A + AAAA [Antony]
* building: minor cleanups [Andrew/Tuomo]

v4.0 (October 14, 2020)
* KLIPS: Support for KLIPS completely removed [Paul]
* pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
* IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
  New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport=
  Requires: Linux kernel >= 5.8
* IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
* IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
  New keyword: intermediate=yes
* FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
* pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
* pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
* pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
* pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
* pluto: Fix leased IP address leak [Andrew/Paul]
* pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
* pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
* pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
* pluto: Memory leak fixes [Hugh]
* pluto: Remove unused per peer logging [Andrew]
* pluto: Cleanup logging code for minimal logging support [Andrew]
* pluto: Cleanup netlink / XFRM code [Hugh]
* pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
* pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
* pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
* pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
* pluto: Connections now have serial numbers which are logged [Paul/Andrew]
* pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
* pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
* seccomp: Update syscall allowlist for pluto and addconn [Paul]
* whack: Support for ipsec whack --rereadcerts [Paul]
* whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
* whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
* show: Fixup for python3 version of ipaddress module [Paul]
* IKEv2: Fix Windows 10 rekey being rejected [Antony/Paul]
* IKEv2: Remove duplicates from proposals using "+" [Andrew]
* IKEv2: CERTREQ payload was not sent for authby=ecdsa [Paul]
* IKEv2: Decode notify payloads into the message digest [Andrew]
* IKEv2: Don't use NAT-T port when no NAT DETECTION payloads received [Andrew]
* IKEv2: Add load-balance support (multiple targets) to redirect [Vukasin]
* IKEv2: Only send REDIRECTs to established IKE SAs (not IPsec SAs) [Paul]
* IKEv2: Fix AUTH failure if ID payload reserved fields != 0 [Paul/Andrew/Hugh]
* IKEv2: A delete(IKE SA) request should not trigger a delete request [Andrew]
* IKEv2: Ignore, not abort when receiving unknown type transforms [Andrew]
* IKEv2: Don't switch NAT port on receiving non-NAT notify payloads [Andrew]
* IKEv1: Prevent crashing in Quick Mode on unused NAT payload [Daniel Wendler]
* libipsecconf: Fix config handling of policy-label [bauen1]
* libipsecconf: Promote ah= / esp= as desired keywords over phase2alg= [Paul]
* libipsecconf: Remove most obsoleted option names with underscore(_) [Paul]
* rsasigkey/newhostkey: Remove obsoleted --output option [Paul]
* building: Add NetBSD support [Andrew]
* building: Remove support for SINGLE_CONF_DIR, EMIT_ISAKMP_SPI, [Paul]
  USE_KEYRR and TEST_INDECENT_PROPOSAL
* building: Merge userland.mk into config.mk to simplify makefiles [Tuomo]
* building: Deprecate INC_ variables [Tuomo]
* building: Remove all support for SERPENT, TWOFISH, CAST and RIPEMD [Paul]
* building: Remove -DALLOW_MICROSOFT_BAD_PROPOSAL [Tuomo]
* building: The define USE_NSS_PRF was renamed to USE_NSS_KDF [Tuomo]
* building: Rename master branch to main branch [Paul]
* building: Fix finding ipsec command in non-standard bin dirs [Tuomo]
* building: Introduce USE_OLD_SELINUX to support libselinux < 2.1.9 [Paul]
* building: NETKEY options changed to XFRM options [Paul]
* building: NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo]
  ipsec checknss called in initsystem will migrate files
  Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location
* packaging: Debian: remove runtime dependency on systemd [Stephen Kitt]
* packaging: Fedora: add missing build dependency for certutil [Stephen Kitt]
* packaging: Debian switched to using /usr/libexec/ [dkg]
* testing: Support Fedora32, Ubuntu, improved namespaces support [Paul/Others]
* testing: Work around kernel ICMP Acquire bug [Paul]
* testing: Added interop testing with OpenBSD iked [Ravi Teja]
* documentation: friendlier ipsec cmd output [Paul]

_______________________________________________
Swan-announce mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-announce
