[Swan-dev] [Swan-announce] Libreswan 3.8 released - SECURITY release for CVE-2013-6467

The Libreswan Project team at libreswan.org
Thu Jan 16 10:22:57 EET 2014

The Libreswan Project has released libreswan-3.8. This is a security release.

This releases addresses an IKEv2 vulnerability discovered by Iustina
Melinte. It has been submitted as CVE-2013-6467. A malicious IKEv2 packet
with missing payloads or bad payload chains could cause libreswan to restart.
This bug affects all versions of libreswan upto 3.7. This bug also
applies to openswan versions up to 2.6.39 are also affected.

The full CVE text (with workaround) and a stand-alone patch are available at:


Other changes in this release include an easier migration path from
openswan to libreswan by re-introducing and ignoring some command line
options, and whack magic, improved support for the "sha2" alias (it now
maps to sha2_256 for ike= and esp=) and some init scripts improvements.

You can download libreswan via https at:


or via ftp at:


The full changelog is available at:

Please report bugs either via one of the mailinglists or at our bug tracker:


Binary packages for Fedora, RHEL and Ubuntu can be found at

See also https://libreswan.org/

v3.8 (January 15, 2014)
* SECURITY: CVE-2013-6467 missing IKEv2 payloads causes restart [Iustina/Hugh]
* building: Remove #ifdef DEBUG - always compile into userland [Paul]
* IKEv2: Updated AUTH names to latest IANA registry entries [Paul]
* pluto/whack: Added --impair-send-ikev2-ke test option [Paul]
* pluto: allow shutdown command even with bad WHACK_BASIC_MAGIC [Paul]
* addconn: ignore obsoleted --defaultroute and --defaultroutenexthop [Paul]
* Various code cleanup [Hugh]
* initscripts: sysv should try harder to kill pluto without ctl file [Tuomo]
* gentoo: fixes to build and init system on Gentoo [Mike Gilbert]
* KLIPS: fix NAT-T status in eroute output [Paul]
* pluto: updated ietf_constants.h with IANA entries [Paul]
* IKE: Make sure sha2 is an alias for sha2_256 for ike= and esp= [Hugh/Paul]
* Bugtracker bugs fixed:
   #171: showhostkey.c:322: bad switch statement
Swan-announce mailing list
Swan-announce at lists.libreswan.org

More information about the Swan-dev mailing list