Blog

Release and vulnerability announcements for strongSwan

A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected.

A vulnerability related to online certificate revocation checking was discovered in strongSwan that can lead to a denial-of-service attack. All versions may be affected.

A vulnerability in the EAP client implementation was discovered in strongSwan. All versions since 4.1.2 are affected.

A denial-of-service vulnerability in the in-memory certificate cache was discovered in strongSwan. All versions since 4.2.10 are affected.

A denial-of-service vulnerability in the gmp plugin was discovered in strongSwan. All versions since 5.6.1 are affected.

A potential authorization bypass vulnerability in the gmp plugin was discovered in strongSwan. All versions are affected in certain configurations.

We are happy to announce the release of strongSwan 5.6.3, which improves certificate chain validation, updates the DHCP plugin, allows forcing the local termination of IKE_SAs, supports trap policies with virtual IPs, and fixes two potential DoS vulnerabilities and several other issues.

A denial-of-service vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF was discovered, all strongSwan versions since 5.0.1 may be affected.