
CVE-2023-38712: Tags · libreswan/libreswan

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.

  • Aug 8, 2023

  • 273ab05


  • May 3, 2023

  • cbfa405


  • Mar 1, 2023

  • b681175


v4.9 (October 13, 2022)

* IKEv1: fix crasher (introduced in 4.8) when USE_NSS_KDF=false or MD5 [Andrew]
* IKEv2: fix RFC 8229 IKE/ESP over IPv6 TCP [Andrew]

  • Oct 14, 2022
  • 394c823

v4.8 (October 2, 2022)

* release: remove SHA1 bindings from LIBRESWAN OpenPGP key [dkg/Paul]
* pluto: ignore obsoleted unused interfaces= / --iface [Paul/Andrew]
* pluto: various internal crypto struct changes [Andrew]
* pluto: fix traffic counters for AH and IPCOMP [Andrew]
* pluto: improve logging of duplicate serial cert error [Andrew]
* pluto: support for maxbytes/maxpacket counters [Antony/Paul]
* pluto: handle HW tokens using strange CKAIDs; github/815 [Andrew]
* pluto: added --ipsec-max-bytes / --ipsec-max-packets support [Antony]
* libipsecconf: added ipsec-max-bytes= and ipsec-max-packets= options [Paul]
* IKEv2: emit one CERTREQ payload with all the hashes [Andrew]
* addconn/whack: add support for {left,right}pubkey= [Andrew]
* showhostkey: add support for ECDSA pubkeys [Andrew]
* Crypto: add KDF self tests [Daiki Ueno]
* IPv6: open IPv6 IKE port 4500; github/800 [Andrew]
* showhostkey: add --pem option to print PEM encoded public key [Andrew]
* unbound: _unbound-hook converted from python to shell [Andrew]
* BSD: delete old BSDKAME code replaced by PFKEYV2 code [Andrew]
* BSD: fix replay window byte vs bit math [Andrew]
* BSD: fix code finding interfaces; github/728 [Andrew]
* FreeBSD: support large replay window; github/756 [Andrew]
* FreeBSD: support ESN; github/721 [Andrew]
* linux: update copy of xfrm.h header [Paul]
* packaging: update fedora spec file [Paul/Tuomo]
* building: on BSD, always use GCC; freebsd/264288 llvm/55963 [Andrew]
* building: enable LTO when USE_LTO=true; github/836 github/834 [Andrew]
* building: dropped default build and packaging support for:
   Fedora 22, 28, 29, 30
   Debian stretch
   Ubuntu cosmic, xenial
   RHEL6 was removed in v4.5
   Add SUSE, Arch, Mint

  • Oct 3, 2022
  • be225bf

v4.7 (May 24, 2022)

* IKEv2: EAPTLS support [Timo Teräs / Andrew]
* IKEv2: EAPONLY support [Andrew]
* IKEv2: fix interop when IPCOMP+transport-mode [Andrew]
* IKEv2: fix race between new IKE SA and liveness [Andrew]
* IKEv2: fix interop with Android 12 + certificates [Andrew]
* IKEv1: reject IKEv2 only authby=secret+rsasig [Andrew]
* config: end keywords with no left/right prefix are applied to both ends
* kernel: fix double delete of kernel policy when tearing down SA [Andrew]
* kernel: fix deleting policy when an XFRMi FD ID; github/618 [Andrew]
* kernel: general cleanups [Andrew]
* _stackmanager / pluto: support Ubuntu 18.04 LTS kernels [Paul]
* FreeBSD: libreswan builds out-of-the-box [Andrew]
* BSD: Add IPv6 support (tested on NetBSD)
* building: fix build on fedora rawhide [Paul]
* internals: initiate IKEv2 CREATE_CHILD_SA exchange using IKE SA [Andrew]
* internals: _updown.bsdkame renamed to _updown.bsd

  • May 24, 2022
  • 19eabcd

v4.6 (January 11, 2022)

* SECURITY: Fixes CVE-2022-23094 https://libreswan.org/security/CVE-2022-23094
* IKEv2: aggressively check incoming fragments [Andrew]
* IKEv2: when rekeying and PFS, only propose/allow original crypt-suite [Andrew]
* IKEv2: when PFS, don’t repeatedly log all proposals [Andrew]
* IKEv2: Labeled IPsec improvements [Andrew]
* IKEv1: support for ISAKMP_N_CISCO_LOAD_BALANCE removed [Andrew]
* pluto: Revamp the host connection lookup mechanism [Andrew]
* pluto: Change default replay-window from 32 to 128 [Paul]
* pluto: Change default esn= to “either” and prefer “yes” [Paul]
* pluto: Disable esn when replay-window=0 [Paul]
* pluto: Drop obsolete debug options such as crypto-low [Andrew]
* seccomp: Updated syscall allow-list [Paul]
* packaging: replace old SUSE packaging with pointer to downstream [Andrew]
* NetBSD: Don’t use ESN - not supported by kernel [Andrew]
* letsencrypt: Fix bashisms in letsencrypt script [dkg]
* libipsecconf: allow leftauth=ecdsa|rsa (match authby= values) [Paul]
* testing: significantly improved testing [Andrew, Paul]

  • Jan 12, 2022
  • 5cb4ea7

v4.5 (August 20, 2021)

* IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
* IKEv2: don’t tear down IKE SA on TS_UNACCEPTABLE [Paul]
* IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
* IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
* IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
* IKEv2: Support for Childless IKE SA [Andrew]
* IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
* IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
* IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
* IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
* IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
* pluto: mismatched subnets= could take down all conns [Paul]
* pluto: Don’t delete existing IKE SA of connection instance [Paul]
* pluto: fail better on parse errors in subnet= clause [Paul]
* libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
* libipsecconf: fail to load conn if no right= or left= set [Paul]
* libipsecconf: change default of initial-contact= to yes [Paul]
* X509: directly append new CRL requests to the fetch queue [Andrew]
* whack: implement --impair trigger:<global-event> [Andrew]
* ipsec.service: remove reload which did not work as expected [Tuomo]
* portexcludes: update to use python3 [Kim]
* building: fix NetBSD build [Andrew]
* building: fix arm / aarch64 build [kekePower@github]
* building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
* packaging: handle properly rpm sysctl config [Tuomo]
* packaging: rhel7: fix python2 shebang [Tuomo]

  • Aug 20, 2021
  • f36ab1b

v4.4 (April 22, 2021)

* IKEv2: Fixes for TCP encap in Transport Mode and host-to-host [Paul/Sabrina]
* IKEv2: Fixes to Labeled IPsec policies [Kavinda Wewegama/Paul]
* IKEv2: Add redirect statistics to whack --globalstatus [Clive Zagno]
* IKEv2: Connections would not always switch when needed [Andrew/Paul]
* pluto: Fix for host-to-host connections use non-standard IKE ports [Paul]
* pluto: Use peer ID (IKEv2 IDr, IKEv1 Aggr) to select best initial conn [Paul]
* pluto: Disable interface-ip= as the feature is not yet implemented [Paul]
* pluto: Fix PLUTO_PEER_CLIENT* in updown for NAT + Transport Mode [Paul]
* pluto: Remove never updated PLUTO_VERSION for updown scripts [Paul]
* pluto: Actually set PLUTO_CONNECTION_TYPE= to transport or tunnel [Paul]
* pluto: Allow non-templated wildcard ID connections to match [Paul]
* pluto: Reduce and merge various logging messages [Andrew]
* libipsecconf: Do not allow vhost/vnet in IKEv2 connections [Paul]
* XFRM: Restarting pluto when using ipsec-interface= could fail [Paul]
* contrib/munin: Update plugin to use python3 and update doc header [Tuomo]
* testing: Enable OpenBSD interop tests [Paul/Ravi]
* testing: Make tests more reliable on KVM [Andrew]

  • Apr 22, 2021
  • 383a28e

v4.3 (February 21, 2021)

* pluto: Restore range checking on Labeled IPsec [Paul/Andrew]
* pluto: Higher state serialno does not imply newest state [Paul]
* pluto: Cleanup ip_address vs ip_endpoint (protoport dropping) [Andrew]
* pluto: Revival of code could accidentally fallback to IKEv1 [Andrew]
* newhostkey: Add support for generating ECDSA keys [Daiki Ueno]
* libipsecconf: Ignore empty option at end of config (rhbz#1685653) [Andrew]
* whack: Add --global-redirect and --global-redirect-to options [Pietro Monteiro]

  • Feb 21, 2021
  • 8a6ccf7
