[Announce] ANNOUNCE: strongswan-4.2.14 and strongswan-2.8.9 released

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 31 05:45:23 CEST 2009


the strongSwan 4.2.14 release fixes a grave DPD denial of service
vulnerability registered as CVE-2009-0790 that had been slumbering
in the code for many years:

- A vulnerability in the Dead Peer Detection (RFC 3706) code was found
  by Gerd v. Egidy <gerd.von.egidy at intra2net.com> of Intra2net AG
  affecting all Openswan and strongSwan releases. A malicious (or
  expired ISAKMP) R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet
  can cause the pluto IKE daemon to crash and restart. No authentication
  or encryption is required to trigger this bug. One spoofed UDP packet
  can cause the pluto IKE daemon to restart and be unresponsive for a
  few seconds while restarting.

We strongly recommend to update to strongSwan 4.2.14 on Linux 2.6
kernels or 2.8.9 on Linux 2.4 kernels or as an alternative to apply
the security patch available from


Here are a couple of other minor bugs that were fixed by the 4.2.14
and 4.2.13 releases:

- Fixed a use-after-free bug in the DPD timeout section of the
  IKEv1 pluto daemon which sporadically caused a segfault.

- ASN.1 to time_t conversion caused a time wrap-around for
  dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
  As a workaround such dates are set to the maximum representable
  time, i.e. Jan 19 03:14:07 UTC 2038. 64-bit platforms use
  a 64-bit signed integer for the time_t type and are not affected
  by the year 2038 problem.

- Fixed a crash in the IKEv2 charon daemon occuring with
  mixed RAM-based and SQL-based virtual IP address pools.

And now the good news:

- The new server-side IKEv2 EAP RADIUS plugin (--enable-eap-radius)
  relays EAP messages to and from a RADIUS server. We successfully
  tested with a FreeRADIUS server using EAP-MD5 and EAP-SIM but
  the EAP proxy plugin can potentially be used with any IKEv2 EAP

  Here are a couple of sample scenarios:



Kind regards

Martin Willi & Andreas Steffen

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3430 bytes
Desc: S/MIME Cryptographic Signature
Url : https://lists.strongswan.org/pipermail/announce/attachments/20090331/5946e2d2/attachment.bin 

More information about the Announce mailing list