NEWS: Added some news for 5.6.3

Tobias Brunner 2018-05-23 20:25:18 +02:00
parent 887885f33b
commit 7f14fefff4
1 changed files with 58 additions and 0 deletions

NEWS

@ -1,3 +1,61 @@
strongswan-5.6.3
----------------
- Fixes a vulnerability in the stroke plugin, which did not check the received
length before reading a message from the socket. Unless a group is configured,
root privileges are required to access that socket, so in the default
configuration this shouldn't be an issue.
This vulnerability has been registered as CVE-2018-5388.
⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
where expired certificates are removed from CRLs and the clock on the host
doing the revocation check is trailing behind that of the host issuing CRLs.
- The issuer of fetched CRLs is now compared to the issuer of the checked
certificate.
- CRL results other than revocation (e.g. a skipped check because the CRL
couldn't be fetched) are now stored also for intermediate CA certificates and
not only for end-entity certificates, so a strict CRL policy can be enforced
in such cases.
- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
now either not contain a keyUsage extension (like the ones generated by pki)
or have at least one of the digitalSignature or nonReputiation bits set.
- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
This might be useful in situations where it's known the other end is not
reachable anymore or that it already removed the IKE_SA, so there is no point
in retransmitting a DELETE and waiting for a response (it's also possible to
wait for a certain amount of time, e.g. shorter than all retransmits, until
destroying the SA).
- When removing routes, the kernel-netlink plugin now checks if it tracks other
routes for the same destination and replaces the installed route instead of
just removing it. Same during installation, where existing routes previously
weren't replaced. This should allow using traps with virtual IPs on Linux.
- The dhcp plugin only sends the client identifier option if identity_lease is
enabled. It also can send longer identities (up to 255 bytes instead of the
previous 64 bytes). If a server address is configured, DHCP requests are now
sent from port 67 instead of 68.
- Roam events are now completely ignored for IKEv1 SAs.
- ChaCha20/Poly1305 is now correctly proposed without key length. For
compatibility with older releases the chacha20poly1305compat keyword may be
included in proposals to also propose the algorithm with a key length.
- Configuration of hardware offload of IPsec SAs is now more flexible and allows
a new mode, which automatically uses it if the kernel and hardware support it.
- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
- The pki --verify tool may load CA certificates and CRLs from directories.
- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
strongswan-5.6.2
----------------
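Review bot: typo in the keyUsage entry of this hunk: "nonReputiation" should be "nonRepudiation", which is the name of the KeyUsage bit in RFC 5280 and in RFC 4945 section 5.1.3.2 that the entry cites; suggest "or have at least one of the digitalSignature or nonRepudiation bits set." Since this text ships in the release NEWS and is what users will search for when certificates are rejected, the correct bit name matters. The CVE-2018-5388 entry could also state which releases are affected, so readers of NEWS can tell whether they need to upgrade without consulting the advisory.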