[Swan-dev] [Swan-announce] libreswan-3.33 released to address CVE-2020-1763

The Libreswan Team team at libreswan.org
Mon May 11 14:28:43 UTC 2020


The Libreswan Project has released libreswan-3.32

This is a security release that addresses CVE-2020-1763. This
vulnerability can cause libreswan to restart after receiving
an unauthenticated bogus IKEv1 Informational Exchange packet.

For details and patches see:

https://libreswan.org/security/CVE-2020-1763/

You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.32.tar.gz
https://download.libreswan.org/libreswan-3.32.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug
tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v3.32 (May 11, 2020)
* SECURITY: Fixes CVE-2020-1763 https://libreswan.org/security/CVE-2020-1763
* IKEv2: Support non-narrowed child rekey for narrowing (regression in 3.31)
* FIPS: ECDSA keys were mistakenly rejected as "too weak" [Paul]
* FIPS: Minimum RSA key size is 2048, not 3072 [Paul]
* FIPS: Use NSS to check FIPS mode instead of manually checking fips=1 [Paul]
* IKEv2: Do not use fragments if not appropriate (regression from v3.30) [Paul]
* IKEv1: Add NSS KDF support for the Quick Mode KDF [Andrew/Paul]
* libipsecconf: support old-style ",," to mean "\," in specifying id [Paul]
* libipsecconf: left/rightinterface-ip= are not kt_obsolete [Paul]
* whack: Add missing ecdsa/sha2 and compat rsa policy options to whack [Paul]
* Fix left=%iface syntax due to string length miscalculation [Antony]
* X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN [Paul]
* packaging: debian fixes [Antony]
* building: USE_NSS_KDF=true now uses NSS for all KDF functions
             Using this option, libreswan no longer needs FIPS certification