strongSwan 5.1.3 fixes a security vulnerability and adds support for X.509 attribute certificates.
This release fixes an authentication bypass vulnerability that can be triggered by rekeying an unestablished IKEv2 SA while it is being actively initiated. All versions since 4.0.7 are affected.
More information is provided in a separate blog entry.
The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or exchanged in IKEv2 certificate payloads.
The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type.
The openac utility has been removed in favor of the new pki functionality.
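As an added illustration (not taken from the release notes or the strongSwan project), the following ipsec.conf fragment shows a group-restricted connection next to an unrestricted one, with the pki calls that would issue and inspect the matching Attribute Certificate given as comments. All file names, connection names, subnets and group names are constructed, and it assumes the acert plugin is built and loaded and that the default ipsec.d directories are in use.

```conf
# /etc/ipsec.conf on the gateway (constructed example; all names are assumptions)
#
# Issue an Attribute Certificate for the holder certificate carolCert.pem,
# signed by the Authorization Authority key, asserting two groups:
#   pki --acert --issuercert aaCert.pem --issuerkey aaKey.pem \
#       --in carolCert.pem --group sales --group finance \
#       --lifetime 24 --outform pem > carolAC.pem
#
# Inspect the result (holder, issuer, groups, validity) before deploying it:
#   pki --print --type ac --in carolAC.pem
#
# Default locations for locally loaded files:
#   AA certificate         -> /etc/ipsec.d/aacerts/
#   Attribute Certificates -> /etc/ipsec.d/acerts/
# An AC may instead arrive from the peer in an IKEv2 certificate payload.

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=gwCert.pem
    right=%any
    auto=add

# No group check: any peer that authenticates with a trusted certificate
# is authorized for this subnet.
conn general-net
    leftsubnet=10.1.0.0/24

# Group check: the peer must additionally hold a valid Attribute Certificate
# listing at least one of the named groups, otherwise this connection is
# not authorized for it.
conn finance-net
    leftsubnet=10.2.0.0/24
    rightgroups="finance"
```

The short 24-hour lifetime in the pki call means a group membership stops authorizing connections a day after issuance unless the Attribute Certificate is reissued.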
Download it from here - a more extensive changelog can be found on our wiki.