[Announce] Openswan 2.6.36 released

Paul Wouters paul at xelerance.com
Wed Oct 5 10:26:36 EDT 2011


See also: 
Openswan 2.6.36 released to address CVE-2011-3380 IKE invalid key length vulnerability
http://lists.openswan.org/pipermail/announce/2011-October/000050.html


Xelerance has released openswan 2.6.36

http://www.openswan.org/download/openswan-2.6.36.tar.gz
http://www.openswan.org/download/openswan-2.6.36.tar.gz.asc

This is a security release


v2.6.36 (October 5th, 2011)
* CVE-2011-3380 Openswan IKE invalid key length fix [Paul/Hugh]
* auto: Add --checkpubkeys option for checking expiry of X.509 certs
         [Mika Ilmaranta]
* Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
* KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
* KLIPS: ipsecdevices index overflow [Shinichi Furuso]
* KLIPS: cleanup off by one interface,prevented module unload [Shinichi Furuso]
* tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
* KLIPS: ipsec_sa_getbyid() did not work properly on IPv6 [Shinichi Furuso]
* NAT-T: Fix delete for port floating case [Shinichi Furuso]
* IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
* IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
* TESTING: Added some more consistent logging in prerunsetup() [Paul]
* pcr_init() should memset the request helper size, not pointer size [Avesh]
* Prevent deferencing ctx->trans_cur in db_trans_add() [Avesh/Paul]
* XAUTH: whack_get_value() never decremeanted "tries" [Avesh]
* Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
* rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
* examples: clarify hub-spoke netkey design [Tuomo]
* NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
* Use iptables-save instead of iptables -L if possible (rhbz#737973) [Avesh]
* ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]
* LDAP/CRL needs liblber (rhbz#737975 [Avesh]
* SAREF: kernel patch added for Linux 2.6.36 and 2.6.38 [Paul]
* SAREF: Remap IP_IPSEC_REFINFO/BINDREF from 22/23 to 30/31 [Sony Japan]
* Disable USE_IPSECPOLICY per default, was only proof of concept code [Paul]
   (local user could cause pluto to stop responding if /var/run is a tmpfs
    mount and /var/run/pluto was manually deleted, Found by Sony Japan)
* Bugtracker bugs fixed:
    #1270 malloc is being used which does not use alloc_bytes/pfree [Paul]



More information about the Announce mailing list