[strongSwan] ANNOUNCE: strongswan-4.4.1 released

Holger Rauch holger.rauch at empic.de
Tue Aug 3 10:05:20 CEST 2010


Hi,

are the patches needed for FreeBSD 8.1 support also integrated?

Thanks & kind regards,

    Holger

On Mon, 02 Aug 2010, Andreas Steffen wrote:

> Hi,
> 
> we are happy to announce the strongSwan 4.4.1 release which
> offers a couple of new features and fixes a major potential
> vulnerability that was introduced with strongSwan 4.3.3:
> 
> - Support of XFRM marks
>    ---------------------
> 
>    The Linux 2.6.34 kernel introduced XFRM marks in IPsec SAs and
>    IPsec policies. We discovered two bugs, though, which
>    are fixed by the following kernel patch
> 
>    http://download.strongswan.org/uml/xfrm_mark.patch.bz2
> 
>    This patch will be integrated into the forthcoming 2.6.35 kernel.
> 
>    XFRM marks can be used e.g. to differentiate between traffic coming
>    from identical subnets hidden behind multiple roadwarriors using the
>    Linux Netfilter mangle and nat chains. Details can be found in
>    the following example scenarios:
> 
>      http://www.strongswan.org/uml/testresults44/ikev2/nat-two-rw-mark/
> 
>      http://www.strongswan.org/uml/testresults44/ikev2/rw-mark-in-out/
> 
>    Another exotic case involves identical subnets behind the two peers
>    of an IPsec connection where the MARK and NETMAP Netfilter targets
>    are used to map the identical subnets to unique networks as shown
>    in the following example:
> 
>      http://www.strongswan.org/uml/testresults44/ikev2/net2net-same-nets/
> 
>    This example does all the Netfilter operations in a special updown
>    script
> 
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown;h=d7b68956cbf7e59e2dd740381defdf3c1f655ac5;hb=HEAD
> 
>    As you can see the new environment variables PLUTO_MARK_IN,
>    PLUTO_MARK_OUT and PLUTO_ESP_ENC are available in the updown scripts.
>    Inbound and outbound marks are set by the new mark_in=, mark_out=, and
>    mark= (same mark for inbound and outbound direction) ipsec.conf
>    parameters.
> 
> 
> - openssl plugin supports X.509 certificate and CRL functions
>    -----------------------------------------------------------
> 
>    Thus for X.509 trust chain verification and CRL lookup the x509
>    plugin is not required any more if the openssl plugin is loaded
>    instead. The use of the Online Certificate Status Protocol (OCSP)
>    still requires the x509 plugin, though. X.509 attribute certificate
>    handling relies on the x509 plugin as well.
> 
> 
> - CRL and/or OCSP checking in IKEv2 moved to revocation plugin
>    ------------------------------------------------------------
> 
>    The revocation plugin is built and loaded by default. Please
>    update any explicit load directives in strongswan.conf.
> 
> 
> - RFC3779 ipAddrBlock constraint checking moved to addrblock plugin
>    -----------------------------------------------------------------
> 
>    This rather exotic feature is disabled by default and is enabled
>    by the --enable-addrblock configure option. Please update any
>    explicit load directives in strongswan.conf.
> 
> 
> - Issue warning if explicit load lists are used
>    ---------------------------------------------
> 
>    Since the number of pluto and charon plugins is increasing
>    steadily with each release and explicit load lists might become
>    obsolete, a warning is now issued by ipsec starter if explicit
>    load lists are found in strongswan.conf since we don't recommend
>    their use for inexperienced users. Experts please read the
>    following wiki entry:
> 
>    http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> 
> 
> - Extension of the ipsec pki utility
>    ----------------------------------
> 
>    ipsec pki --signcrl allows the generation and update of CRLs.
>    For details see the following wiki entry:
> 
>    http://wiki.strongswan.org/projects/strongswan
> 
>    The ipsec pki --self, --issue and --req commands now support output
>    in PEM format using the --outform pem option.
> 
> 
> - Support of arbitrary IKEv1 Mode Config attributes
>    -------------------------------------------------
> 
>    A major refactoring of the IKEv1 Mode Config source code now
>    allows the transport and handling of any Mode Config attribute.
> 
>    The ipsec pool tool manages arbitrary configuration attributes
>    stored in an SQL database. ipsec pool --help gives the details.
> 
> 
> - Multiple RADIUS servers supported by eap-radius plugin
>    ------------------------------------------------------
> 
>    The RADIUS proxy plugin eap-radius now supports multiple servers.
>    Configured servers are chosen randomly, with the option to prefer
>    a specific server. Non-responding servers are automatically assigned
>    lower priorities by the selection process. Configuration details
>    can be found under
> 
>    http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
> 
> 
> - eap-simaka-sql plugin
>    ---------------------
> 
>    The new eap-simaka-sql acts as a backend for EAP-SIM and EAP-AKA,
>    reading triplets/quintuplets from an SQL database.
> 
> 
> - High Availability (HA) extensions
>    ---------------------------------
> 
>    The High Availability plugin now supports an HA-enabled in-memory
>    address pool and node re-integration without IKE_SA rekeying.
>    The latter feature allows clients without IKE_SA rekeying support
>    to keep connected during re-integration. Additionally many other
>    issues have been fixed in the ha plugin.
> 
> 
> - snprintf vulnerability
>    ----------------------
> 
>    A potential remote code execution vulnerability resulting from
>    the misuse of snprintf() was fixed. The vulnerability was
>    introduced with the strongswan-4.3.3 release and is exploitable
>    by unauthenticated users. Patches for all releases starting with
>    4.3.3 are available under the following link:
> 
>    http://download.strongswan.org/patches/08_snprintf_patch/
> 
>    Also a new 4.3.7 release has been made available for 4.3.x users:
> 
>    http://www.strongswan.org/old.htm
> 
> 
> Best regards from the strongSwan team
> 
> Andreas Steffen, Tobias Brunner & Martin Willi
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
--
=========================================
Holger Rauch
Entwicklung Anwendungs-Software
Systemadministration UNIX

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch at empic.de
=========================================
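The snprintf() item in the quoted announcement does not say which call was misused. The following is an added example, not strongSwan code, showing the general misuse class (treating snprintf()'s return value as the number of bytes written) next to a bounded accumulator that tolerates truncation; the function names, the strbuf type and the 8-byte scenario are all constructed for illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added example, not strongSwan code: the general snprintf() misuse class.
 * snprintf() returns the length the WHOLE formatted string would have, not
 * how many bytes it stored. Adding that value to a write offset and writing
 * at buf + offset next overruns the buffer as soon as one piece is cut off. */
/* The unchecked pattern, stopped before it writes out of bounds: one bounded
 * call, returning the offset the pattern would pass to the next call. */
size_t naive_next_offset(char *buf, size_t capacity, const char *first)
{
    /* the bad pattern continues with snprintf(buf + off, capacity - off, ...);
     * once off >= capacity the pointer is past the end and the length wraps */
    return (size_t)snprintf(buf, capacity, "%s", first);
}

/* Bounded accumulator: len stays < size (size includes the NUL), so the next
 * write position and remaining length are inside the buffer after truncation. */
struct strbuf { char *buf; size_t size, len; bool truncated; };

bool strbuf_appendf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t avail = sb->size - sb->len;   /* >= 1 by the invariant */
    va_start(ap, fmt);
    int n = vsnprintf(sb->buf + sb->len, avail, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= avail) {
        sb->buf[sb->size - 1] = '\0';    /* clamp, never advance past the end */
        sb->len = sb->size - 1;
        sb->truncated = true;
        return false;
    }
    sb->len += (size_t)n;
    return true;
}

/* Scenario: 8-byte buffer, a 10-character piece, then one more piece.
 * True when the bounded version keeps every byte inside the buffer. */
bool overrun_is_prevented(void)
{
    char raw[8], safe[8] = {0};
    bool naive_overruns = naive_next_offset(raw, sizeof raw, "0123456789") >= sizeof raw;
    struct strbuf sb = { safe, sizeof safe, 0, false };
    strbuf_appendf(&sb, "%s", "0123456789");   /* does not fit: truncated */
    strbuf_appendf(&sb, "%s", "x");            /* still inside the buffer */
    return naive_overruns && sb.truncated && sb.len == 7 && strcmp(safe, "0123456") == 0;
}
```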