strongSwan 5.1.3 fixes a security vulnerability and adds support for X.509 attribute certificates.
Authentication Bypass Vulnerability (CVE-2014-2338)
An authentication bypass vulnerability was fixed: rekeying an IKEv2 SA that has not yet been established, while it is still being actively initiated, allowed a peer to skip authentication. All versions from 4.0.7 up to and including 5.1.2 are affected.
More information is provided in a separate blog entry.
Support for X.509 Attribute Certificates
The acert plugin evaluates X.509 Attribute Certificates. Group membership strings carried in such a certificate can satisfy the authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or exchanged in IKEv2 certificate payloads.
The openac utility has been removed in favor of the new pki functionality.
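As an added example, not taken from the release notes or from strongSwan's own code, the following POSIX shell shows how a practitioner would put the acert plugin to use: issuing a group attribute certificate with pki --acert (the pki functionality that replaces openac), writing an ipsec.conf conn that enforces membership through rightgroups, and the "member of at least one listed group" rule that rightgroups applies. File names, the conn and group names, and the exact pki --acert option set are assumptions; check `pki --acert --help` on your build before relying on the flags.

```shell
#!/bin/sh
# Added example, not part of the strongSwan 5.1.3 release notes or project code.
# (1) issue a group attribute certificate with pki --acert (replaces openac),
# (2) emit the ipsec.conf conn that consumes it via rightgroups=, and
# (3) apply the rightgroups rule: the peer needs at least one listed group.
# File names, conn name and group names below are assumptions.
set -eu

# (1) Bind the holder's X.509 certificate to one or more group names.
# --group is repeated once per group; other flags as documented for pki --acert
# (assumed here, verify on your build). Needs a strongSwan installation, so the
# checks below never call it.
issue_group_acert() {
    out=$1; holder=$2; issuer_cert=$3; issuer_key=$4
    shift 4
    # Rewrite the remaining arguments as "--group NAME" pairs without eval,
    # so group names containing spaces survive intact.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" --group "$1"
        shift
        n=$((n - 1))
    done
    pki --acert --in "$holder" --issuercert "$issuer_cert" \
        --issuerkey "$issuer_key" --lifetime 365 --outform pem "$@" > "$out"
}

# (2) A road-warrior conn that only admits peers whose attribute certificate
# names one of the groups in rightgroups= (conn layout is an assumption).
conn_with_groups() {
    name=$1; groups=$2
    printf 'conn %s\n' "$name"
    printf '    keyexchange=ikev2\n'
    printf '    left=%%defaultroute\n'
    printf '    leftcert=gwCert.pem\n'
    printf '    right=%%any\n'
    printf '    rightgroups=%s\n' "$groups"
    printf '    auto=add\n'
}

# (3) rightgroups semantics: succeed (exit 0) if at least one group string
# from the peer's attribute certificate (args 2..n) equals one entry of the
# comma-separated rightgroups value (arg 1). Whitespace around commas is
# ignored; exact, case-sensitive comparison is assumed.
groups_allowed() {
    list=$(printf '%s' "$1" | sed 's/ *, */,/g; s/^ *//; s/ *$//')
    shift
    for g in "$@"; do
        case ",$list," in
            *",$g,"*) return 0 ;;
        esac
    done
    return 1
}

# Demo with constructed values: the peer's certificate says Sales and Research,
# the gateway requires Research or Admin, so the peer is authorized.
if groups_allowed "Research, Admin" Sales Research; then
    echo "peer authorized"
fi
# To issue the matching certificate on the authorization authority (assumed
# file names):
#   issue_group_acert peerAcert.pem peerCert.pem aaCert.pem aaKey.pem Research
```

In an ipsec.conf/stroke setup the issued attribute certificates are loaded from /etc/ipsec.d/acerts and the issuing authority's certificate from /etc/ipsec.d/aacerts, or the peer sends its attribute certificate in an IKEv2 certificate payload as described above; the acert plugin is not built by default and has to be enabled in the build.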
Other Notable Changes
- The libtls TLS 1.2 implementation, as used by EAP-(T)TLS and other protocols, has been extended with support for AEAD cipher suites, currently limited to AES-GCM.