NEWS: Added some news for 5.6.3
This commit is contained in:
parent
887885f33b
commit
7f14fefff4
58
NEWS
@ -1,3 +1,61 @@
strongswan-5.6.3
----------------

- Fixes a vulnerability in the stroke plugin, which did not check the received
length before reading a message from the socket. Unless a group is configured,
root privileges are required to access that socket, so in the default
configuration this shouldn't be an issue.
This vulnerability has been registered as CVE-2018-5388.

⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
where expired certificates are removed from CRLs and the clock on the host
doing the revocation check is trailing behind that of the host issuing CRLs.

- The issuer of fetched CRLs is now compared to the issuer of the checked
certificate.

- CRL results other than revocation (e.g. a skipped check because the CRL
couldn't be fetched) are now stored also for intermediate CA certificates and
not only for end-entity certificates, so a strict CRL policy can be enforced
in such cases.

- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
now either not contain a keyUsage extension (like the ones generated by pki)
or have at least one of the digitalSignature or nonReputiation bits set.

- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
This might be useful in situations where it's known the other end is not
reachable anymore or that it already removed the IKE_SA, so there is no point
in retransmitting a DELETE and waiting for a response (it's also possible to
wait for a certain amount of time, e.g. shorter than all retransmits, until
destroying the SA).

- When removing routes, the kernel-netlink plugin now checks if it tracks other
routes for the same destination and replaces the installed route instead of
just removing it. Same during installation, where existing routes previously
weren't replaced. This should allow using traps with virtual IPs on Linux.

- The dhcp plugin only sends the client identifier option if identity_lease is
enabled. It also can send longer identities (up to 255 bytes instead of the
previous 64 bytes). If a server address is configured, DHCP requests are now
sent from port 67 instead of 68.

- Roam events are now completely ignored for IKEv1 SAs.

- ChaCha20/Poly1305 is now correctly proposed without key length. For
compatibility with older releases the chacha20poly1305compat keyword may be
included in proposals to also propose the algorithm with a key length.

- Configuration of hardware offload of IPsec SAs is now more flexible and allows
a new mode, which automatically uses it if the kernel and hardware support it.

- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.

- The pki --verify tool may load CA certificates and CRLs from directories.

- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.


strongswan-5.6.2
----------------

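Review bot: the keyUsage bit name in the RFC 4945 entry is misspelled: "nonReputiation" should be "nonRepudiation", which is the name of the bit in the X.509 keyUsage extension that RFC 4945 section 5.1.3.2 refers to; suggest changing that line to "or have at least one of the digitalSignature or nonRepudiation bits set." Since this entry documents a new rejection condition for peer certificates, it would also help readers to state the behaviour on failure (that certificates with a keyUsage extension lacking both bits are no longer accepted for IKE authentication), so administrators know what to check when authentication starts failing after the upgrade.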