Release and vulnerability announcements for strongSwan

strongSwan 5.1.3 Released

strongSwan 5.1.3 fixes a security vulnerability and adds support for X.509 attribute certificates.

Authentication Bypass Vulnerability (CVE-2014-2338)

An authentication bypass vulnerability was fixed that can be triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. All versions since 4.0.7 are affected.

More information is provided in a separate blog entry.

Support for X.509 Attribute Certificates

The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or get exchanged in IKEv2 certificate payloads.

The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type.

The openac utility has been removed in favor of the new pki functionality.

Other Notable Changes

Download it from here - a more extensive changelog can be found on our wiki.