[Swan-announce] libreswan-4.13 released to address CVE-2024-2357

The Libreswan Team team at libreswan.org
Mon Mar 11 21:40:20 EET 2024


The Libreswan Project has released libreswan-4.13

This is a security release that addresses one minor CVE and a few bugfixes:

* Security: Fixes http://libreswan.org/security/CVE-2024-2357
* BSD: fix esp=aes_gcm [Andrew]
* x509: unpack IPv6 general names based on length [Andrew]
* pluto: TFC padding was not set for AEAD algorithms [SaiKumarCholleti at github]

The vulnerability disclosed in CVE-2024-2357 can only be triggered
when using IKEv2 with PreSharedKey (authby=secret) when no matching
secret has been loaded into pluto.

For details and patches see:

https://libreswan.org/security/CVE-2024-2357

You can download libreswan via https at:

https://download.libreswan.org/libreswan-4.13.tar.gz
https://download.libreswan.org/libreswan-4.13.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug
tracker:

https://lists.libreswan.org/
https://github.com/libreswan/libreswan/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.13 (March 11, 2024)
* Security: Fixes http://libreswan.org/security/CVE-2024-2357
* Linux: make libcap-ng failures non-fatal [Andrew]
* BSD: fix esp=aes_gcm [Andrew]
* NetBSD: fix compiler warning in lib/libswan/x509.c [Andrew]
* x509: unpack IPv6 general names based on length [Andrew]
* pluto: TFC padding was not set for AEAD algorithms [SaiKumarCholleti at github]
