We are happy to announce the release of strongSwan 5.9.4, which fixes two denial-of-service vulnerabilities and comes with several other new features and fixes.
A denial-of-service vulnerability in the gmp plugin was fixed that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. All strongSwan versions since 5.6.1 may be affected.
More information is provided in a separate blog entry.
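An added illustration of this bug class, not strongSwan's code: the EMSA-PSS length check from RFC 8017 section 9.1.2 (emLen < hLen + sLen + 2) written naively and in an overflow-safe form. The function names, the use of `size_t` and the sample lengths are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form of the check "emLen < hLen + sLen + 2 => inconsistent".
 * With a salt length near SIZE_MAX the unsigned sum wraps around to a
 * small value, so the oversized salt length passes the check. */
static bool pss_lengths_ok_naive(size_t em_len, size_t h_len, size_t s_len)
{
    return em_len >= h_len + s_len + 2;
}

/* Hardened form: the same condition rearranged into subtractions that are
 * each guarded, so no intermediate value can wrap. */
static bool pss_lengths_ok(size_t em_len, size_t h_len, size_t s_len)
{
    if (em_len < 2 || h_len > em_len - 2)
        return false;
    return s_len <= em_len - 2 - h_len;
}

int main(void)
{
    /* Constructed sample values: 2048-bit modulus, SHA-256 digest. */
    size_t em_len = 256, h_len = 32;
    /* Salt length chosen so that h_len + huge + 2 wraps to exactly 0. */
    size_t huge = SIZE_MAX - h_len - 1;

    printf("salt=32   naive=%d hardened=%d\n",
           pss_lengths_ok_naive(em_len, h_len, 32),
           pss_lengths_ok(em_len, h_len, 32));
    printf("salt=huge naive=%d hardened=%d\n",
           pss_lengths_ok_naive(em_len, h_len, huge),
           pss_lengths_ok(em_len, h_len, huge));
    return 0;
}
```

A length accepted by the naive check would later be used as a size or offset into the encoded message, which is where an out-of-bounds access and the resulting crash would come from.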
A denial-of-service vulnerability in the in-memory certificate cache was fixed. If cached certificates are replaced, very large random values caused an integer overflow that could lead to a segmentation fault. All strongSwan versions since 4.2.10 may be affected.
More information is provided in a separate blog entry.
Also fixed is a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
pki sub-commands has been fixed so they don't start with an unintended zero byte.