Libreswan Versions

libreswan

v5.0

2 weeks ago

This is a major version release with some incompatible changes to default options.

  • IKEv1:
    • globally disabled by default (ikev1-policy=drop); see RFC9395 [Daniel]
    • limit default cryptosuite [Andrew, Paul, Tuomo] IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512,HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31} ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256} AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
    • remove support for Labeled IPsec [Andrew]
    • properly ignore dpdaction= [Andrew]
    • see also IKEv2 routing/revival changes
  • IKEv2:
    • warn that fragmentation=force is ignored [Andrew]
    • avoid post-authentication crash on corrupt TS payload [Andrew]
    • support addresspool=v4/mask,v6/mask [Andrew]
    • support subnet=SELECTOR,... using a single Child SA [Andrew]
    • when non-MOBIKE never update NATed endpoint [#1492/Wofferl/Andrew]
    • fix revival of IKE_AUTH (first) Child SA [Andrew]
    • properly ignore dpdaction=, keyingtries= [Andrew]
    • when reviving, install trap then block [Andrew]
    • for auto=keep only retry once [Andrew]
    • when redirect fails, fall back to revival [Andrew]
  • Linux:
    • HW packet offload support [Raed Salem, Paul]
    • XFRM interface IP management with ref-counting [Brady Johnson]
    • fix IPcomp with XFRM interfaces [Wolfgang]
  • BSD:
    • fix esp=aes_gcm [github/1220, Igor V. Gubenko, Andrew]
  • whack:
    • review ipsec-whack.8 [Tuomo, Andrew, Paul]
    • change defaults to match addconn [Andrew]
    • add --{rekey,delete,down}-{ike,child} --name [Andrew]
    • match whack and addconn option names [Andrew]
    • drop NNN_ prefix from all output [Andrew]
  • config (ipsec.conf, addconn):
    • update ipsec.conf.5 [Tuomo, Andrew, Paul]
    • log ipsec.conf errors and warnings in Pluto [Andrew]
    • <<include {a,b,c}.conf>> no longer supported [Andrew]
    • fix keyexchange={ikev1,ikev2}; deprecate ikev2= [Andrew]
    • remove nic-offload=auto option, only accept packet,crypto,yes [Paul]
    • warn when converting legacy ",," to "," in {left,right}id= [Andrew]
    • change also= to expand inline (more like C's #include) [Andrew]
    • fix KEYWORD= sometimes causing Pluto to exit [Andrew]
    • parse <<KEYWORD=>> as <<KEYWORD=''>>, i.e., empty [Andrew]
    • warn when, within a conn, there are duplicate keys [Andrew]
    • add encap-dscp= [Wolfgang]
    • implement interface-ip= [Brady]
    • implement subnet=SELECTOR,SELECTOR,... [Andrew]
    • default ikev1-policy to drop [Daniel]
    • add ppk-ids= [Vukasin]
    • add experimental per-connection debug= [Andrew]
    • drop obsolete forceencaps= [Andrew]
    • add groundhog= [Andrew]
    • reject non-numeric sourceip= [Andrew]
    • fix crash when dpdtimeout= missing [Andrew]
  • building:
    • remove dependency on libxz via libsystemd [Tuomo, Andrew]
    • use INSTALL_INITSYSTEM=false to prevent update of /etc/ [Andrew]
    • use INSTALL_CONFIGS=false to prevent update of /etc/ipsec.d et al. [Andrew]
    • drop FINAL* make variables; see mk/config.mk for alternatives [Andrew]
    • remove old copy of unbound headers [Andrew]
    • use DESTDIR instead of FINAL* env vars [Andrew]
    • fix "make git-rpm" [Paul/Tuomo]
    • check return values of libcap-ng functions [Paul]
    • don't call ischar(signed char) [Andrew]
  • packaging:
    • fix Debian systemd service install [Antonio Silva]
  • testing:
    • fix namespace tests for super long dir names [Paul]
    • add Alpine, Debian, NetBSD and FreeBSD KVMs [Andrew]
    • add Alpine, Debian, NetBSD, FreeBSD and OpenBSD to nightly builds [Andrew]
    • add man pages to nightly build [Andrew]
  • initsystem:
    • use documented ipsec sub-commands [Tuomo]
    • stop using _stackmanager [Tuomo]
  • documentation:
    • update to docbook xml 4.5 [Tuomo]
    • re-org pages adding libreswan.5 [Andrew]
  • ipsec utilities:
    • ipsec auto sub-command: deprecate [Tuomo]
    • ipsec auto --{cmd} connection -> ipsec {cmd} connection [Tuomo]
    • ipsec look: script moved to contrib/; use ip xfrm et al. [Andrew]
    • ipsec portexcludes: script moved to contrib/ [Andrew]
    • ipsec barf: script moved to contrib/ [Andrew]
    • ipsec _secretsensor: script moved to contrib/ [Andrew]
    • ipsec show: drop ipsec subcommand (old, incomplete) [Paul]
    • ipsec verify: drop ipsec subcommand (old, incomplete) [Paul]

v5.0rc3

3 weeks ago

Has a fix for CVE-2024-3652.

v5.0rc2

3 weeks ago

This is where 5.0 was cut from mainline.

v4.15

1 month ago

Address CVE-2024-3652

v5.0rc1

5 months ago

The first pre-release of the libreswan 5.x series. Please test and give us feedback. Read the CHANGES file and the updated man pages for any incompatible changes between 4.x and 5.x.

v4.11

9 months ago

Fix for the medium-severity CVE-2023-30570.

v4.12

9 months ago

This is a medium-risk security release. All CVEs addressed in this release require the peer to successfully authenticate before it can start a denial-of-service attack.