[Announce] ANNOUNCE: strongswan-4.2.7 released

Andreas Steffen andreas.steffen at strongswan.org
Tue Sep 23 01:57:21 CEST 2008


We decided to make an immediate 4.2.7 release due to a discovered
Denial-of-Service vulnerability in the IKEv2 charon daemon where an
IKE_SA_INIT message with a KE payload containing zeroes only can cause
a crash due to a NULL pointer returned by the mpz_export() function of
the GNU Multi Precision (GMP) library. Thanks go to Mu Dynamics Research
Labs for making us aware of this problem.

If you are using strongSwan with the GMP plugin (--enable-gmp option
which is enabled by default) then please update to the 4.2.7 release
immediately or apply the following security patch


to strongSwan 4.2.0 to 4.2.6 releases or


to strongSwan 4.1.8 to 4.1.11 releases. For still earlier versions
the 4.1.x patch must be applied manually.

Additionally the following new features are made available in 4.2.7:

- The new agent plugin (--enable-agent) provides a private key
  implementation on top of an ssh-agent.

- The NetworkManager plugin (--enable-nm) has been extended to support
  certificate client authentication using RSA keys loaded from a file
  or using ssh-agent. For details on the installation and configuration


- Daemon capability dropping has been ported to libcap and must be
  enabled explicitly with --with-capabilities=libcap. Future versions
  will support the newer libcap2 library.

- ipsec listalgs command lists the IKEv2 cryptographic algorithms
  registered with the charon keying daemon. Verify the additional
  cryptographical options available with the OpenSSL plugin


We apologize for the inconvenience.

Martin Willi                Andreas Steffen
IKEv2 Software Architect    strongSwan Project Leader

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
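
An added example, not part of the announcement and not strongSwan's code or its patch: a receive-side check that rejects a KE payload whose key exchange data is all zeroes before it reaches the bignum layer, the case in which, per the announcement, mpz_export() returns NULL. The layout follows the IKEv2 KE payload format (4-byte generic header, 2-byte DH group, 2 reserved bytes, then the data); all function and constant names and the sample payloads are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this sketch (hypothetical names). */
enum ke_status { KE_OK = 0, KE_TRUNCATED, KE_BAD_LENGTH, KE_ZERO_VALUE };

/* Fixed part of a KE payload: generic header (next payload, flags,
 * 16-bit length) + 16-bit DH group + 2 reserved bytes. */
#define KE_FIXED_LEN 8

/* Parse one KE payload and validate its key exchange data.
 * On KE_OK, *group, *data and *data_len describe the public value. */
enum ke_status ke_parse(const uint8_t *buf, size_t buf_len, uint16_t *group,
                        const uint8_t **data, size_t *data_len)
{
    if (buf == NULL || buf_len < KE_FIXED_LEN)
        return KE_TRUNCATED;
    /* Payload length is big-endian and includes the fixed part. */
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];
    if (payload_len <= KE_FIXED_LEN || payload_len > buf_len)
        return KE_BAD_LENGTH;
    const uint8_t *value = buf + KE_FIXED_LEN;
    size_t value_len = payload_len - KE_FIXED_LEN;
    /* OR every byte together: 0 means the public value is the integer 0. */
    uint8_t acc = 0;
    for (size_t i = 0; i < value_len; i++)
        acc |= value[i];
    if (acc == 0)
        return KE_ZERO_VALUE;
    *group = (uint16_t)((buf[4] << 8) | buf[5]);
    *data = value;
    *data_len = value_len;
    return KE_OK;
}

/* Status-only wrapper for callers that just need accept/reject. */
enum ke_status ke_check(const uint8_t *buf, size_t len)
{
    uint16_t g; const uint8_t *d; size_t n;
    return ke_parse(buf, len, &g, &d, &n);
}

/* Constructed samples: group 2, 4 data bytes for brevity. */
static const uint8_t ke_zero[]  = {0,0,0,12, 0,2,0,0, 0,0,0,0};
static const uint8_t ke_good[]  = {0,0,0,12, 0,2,0,0, 0,0,0x12,0x34};
static const uint8_t ke_short[] = {0,0,0,16, 0,2,0,0, 1,2,3,4};

int main(void)
{
    return !(ke_check(ke_zero, sizeof ke_zero) == KE_ZERO_VALUE &&
             ke_check(ke_good, sizeof ke_good) == KE_OK &&
             ke_check(ke_short, sizeof ke_short) == KE_BAD_LENGTH);
}
```

A check like this complements, but does not replace, testing the return value of the export call itself.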
