[Announce] ANNOUNCE: strongswan-4.2.14 and strongswan-2.8.9 released
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 31 05:45:23 CEST 2009
Hi,
the strongSwan 4.2.14 release fixes a grave DPD denial of service
vulnerability registered as CVE-2009-0790 that had been slumbering
in the code for many years:
- A vulnerability in the Dead Peer Detection (RFC 3706) code was found
by Gerd v. Egidy <gerd.von.egidy at intra2net.com> of Intra2net AG
affecting all Openswan and strongSwan releases. A malicious (or
expired ISAKMP) R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet
can cause the pluto IKE daemon to crash and restart. No authentication
or encryption is required to trigger this bug. One spoofed UDP packet
can cause the pluto IKE daemon to restart and be unresponsive for a
few seconds while restarting.
We strongly recommend updating to strongSwan 4.2.14 on Linux 2.6
kernels or 2.8.9 on Linux 2.4 kernels or, as an alternative, applying
the security patch available from
http://download.strongswan.org/patches/dpd_null_state_patch/
Here are a couple of other minor bugs that were fixed by the 4.2.14
and 4.2.13 releases:
- Fixed a use-after-free bug in the DPD timeout section of the
IKEv1 pluto daemon which sporadically caused a segfault.
- ASN.1 to time_t conversion caused a time wrap-around for
dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
As a workaround such dates are set to the maximum representable
time, i.e. Jan 19 03:14:07 UTC 2038. 64-bit platforms use
a 64-bit signed integer for the time_t type and are not affected
by the year 2038 problem.
- Fixed a crash in the IKEv2 charon daemon occurring with
mixed RAM-based and SQL-based virtual IP address pools.
And now the good news:
- The new server-side IKEv2 EAP RADIUS plugin (--enable-eap-radius)
relays EAP messages to and from a RADIUS server. We successfully
tested with a FreeRADIUS server using EAP-MD5 and EAP-SIM but
the EAP proxy plugin can potentially be used with any IKEv2 EAP
protocol.
Here are a couple of sample scenarios:
http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-md5-radius/
http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-md5-id-radius/
http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-sim-radius/
http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-sim-id-radius/
Kind regards
Martin Willi & Andreas Steffen
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
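
The following is an added example, not part of the announcement and not strongSwan's code. It illustrates the ASN.1 to time_t item above by parsing a certificate date into 64-bit seconds and comparing unchecked 32-bit narrowing with saturation at Jan 19 03:14:07 UTC 2038. All function names are hypothetical, only the GeneralizedTime form "YYYYMMDDHHMMSSZ" is handled, and the sample dates are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Days since 1970-01-01 for a Gregorian date (standard civil-date arithmetic). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;                                  /* count Jan/Feb with the previous year */
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Read n already-validated decimal digits. */
static int num(const char *p, int n) { int v = 0; while (n--) v = v * 10 + (*p++ - '0'); return v; }

/* Parse ASN.1 GeneralizedTime "YYYYMMDDHHMMSSZ" into 64-bit epoch seconds.
 * Returns 0 on success, -1 on malformed input (day-of-month check is coarse). */
int gentime_to_epoch64(const char *s, int64_t *out)
{
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    if (s[14] != 'Z' || s[15] != '\0') return -1;
    int mo = num(s + 4, 2), d = num(s + 6, 2);
    int h = num(s + 8, 2), mi = num(s + 10, 2), se = num(s + 12, 2);
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 59) return -1;
    *out = days_from_civil(num(s, 4), mo, d) * 86400 + h * 3600 + mi * 60 + se;
    return 0;
}

/* Unchecked narrowing to a 32-bit signed time: wraps modulo 2^32 on common compilers. */
int32_t time32_wrapped(int64_t t) { return (int32_t)(uint32_t)t; }

/* Saturating conversion; the lower bound is an assumption beyond the announcement. */
int32_t time32_clamped(int64_t t)
{
    return t > INT32_MAX ? INT32_MAX : t < INT32_MIN ? INT32_MIN : (int32_t)t;
}

int main(void)
{
    const char *in[] = { "20090331034523Z", "20380119031407Z", "20500101000000Z" }; /* constructed */
    int64_t t;
    for (int i = 0; i < 3; i++)
        if (gentime_to_epoch64(in[i], &t) == 0)
            printf("%s wrapped=%d clamped=%d\n", in[i], (int)time32_wrapped(t), (int)time32_clamped(t));
    return 0;
}
```

With the unchecked conversion, a certificate expiring in 2050 yields a negative time, which is a date before 1970, so it would compare as already expired; the saturated value keeps it valid until the 32-bit limit.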