[Swan-announce] libreswan-3.32 released to address CVE-2020-1763 [version corrected]

The Libreswan Team team at libreswan.org
Mon May 11 14:34:39 UTC 2020



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Libreswan Project has released libreswan-3.32

(previous announcement was mistakenly referring to 3.33)

This is a security release that addresses CVE-2020-1763. This
vulnerability can cause libreswan to restart after receiving
an unauthenticated bogus IKEv1 Informational Exchange packet.

For details and patches see:

https://libreswan.org/security/CVE-2020-1763/

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.32.tar.gz
https://download.libreswan.org/libreswan-3.32.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug
tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v3.32 (May 11, 2020)
* SECURITY: Fixes CVE-2020-1763 https://libreswan.org/security/CVE-2020-1763
* IKEv2: Support non-narrowed child rekey for narrowing (regression in 3.31)
* FIPS: ECDSA keys were mistakenly rejected as "too weak" [Paul]
* FIPS: Minimum RSA key size is 2048, not 3072 [Paul]
* FIPS: Use NSS to check FIPS mode instead of manually checking fips=1 [Paul]
* IKEv2: Do not use fragments if not appropriate (regression from v3.30) [Paul]
* IKEv1: Add NSS KDF support for the Quick Mode KDF [Andrew/Paul]
* libipsecconf: support old-style ",," to mean "\," in specifying id [Paul]
* libipsecconf: left/rightinterface-ip= are not kt_obsolete [Paul]
* whack: Add missing ecdsa/sha2 and compat rsa policy options to whack [Paul]
* Fix left=%iface syntax due to string length miscalculation [Antony]
* X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN [Paul]
* packaging: debian fixes [Antony]
* building: USE_NSS_KDF=true now uses NSS for all KDF functions
             Using this option, libreswan no longer needs FIPS certification
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

