Blog

Release and vulnerability announcements for strongSwan

We are happy to announce the release of strongSwan 5.9.13, which fixes a regression related to handling OCSP error responses that was introduced with 5.9.12, adds a new setting to specify the length of nonces in OCSP requests, and includes several other fixes.

A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected.

We are happy to announce the release of strongSwan 5.9.12, which fixes a vulnerability in charon-tkm, provides a new OCSP responder utility, adds a new certificate enrollment and renewal script, and comes with several other new features and fixes.

We are happy to announce the release of strongSwan 5.9.11, which fixes a deadlock in the vici plugin, changes requirements for CRL signers, supports optional CA labels in EST server URIs, and comes with several other new features and fixes.

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

We are happy to announce the release of strongSwan 5.9.10, which fixes a vulnerability affecting TLS-based EAP methods, adds support for full packet hardware offload with Linux 6.2, properly supports TLS 1.3 in TLS-based EAP methods, can automatically install routes via XFRM interfaces, and comes with several other new features and fixes.

We are happy to announce the release of strongSwan 5.9.9, which unifies serial number handling, updates resolvconf handling, optionally makes listen() in VICI Python bindings time out and comes with several other new features and fixes.

A vulnerability related to online certificate revocation checking was discovered in strongSwan that can lead to a denial-of-service attack. All versions may be affected.