Tags

Tags give the ability to mark specific points in history as being important
  • debian/4.3-1+deb11u3
    0f274aaa · use new upstream patch ·
    libreswan Debian release 4.3-1+deb11u3
    
  • debian/4.3-1+deb11u2
    libreswan Debian release 4.3-1+deb11u2
    
  • v4.10
    v4.10 (February 28, 2023)
    * SECURITY IKEv2: Fixes https://libreswan.org/security/CVE-2023-23009
    * IKEv1: only clean up a connection when it isn't deleted [Andrew]
    
  • debian/4.9-2
    8e055d14 · prepare debian release ·
    libreswan Debian release 4.9-2
    
  • debian/4.9-1
    1016bfa5 · prepare debian release ·
    libreswan Debian release 4.9-1
    
  • v4.9
    v4.9 (October 13, 2022)
    
    * IKEv1: fix crasher (introduced in 4.8) when USE_NSS_KDF=false or MD5 [Andrew]
    * IKEv2: fix RFC 8229 IKE/ESP over IPv6 TCP [Andrew]
    
  • v4.8
    v4.8 (October 2, 2022)
    
    * release: remove SHA1 bindings from LIBRESWAN OpenPGP key [dkg/Paul]
    * pluto: ignore obsoleted unused interfaces= / --iface [Paul/Andrew]
    * pluto: various internal crypto struct changes [Andrew]
    * pluto: fix traffic counters for AH and IPCOMP [Andrew]
    * pluto: improve logging of duplicate serial cert error [Andrew]
    * pluto: support for maxbytes/maxpacket counters [Antony/Paul]
    * pluto: handle HW tokens using strange CKAIDs; github/815 [Andrew]
    * pluto: added --ipsec-max-bytes / --ipsec-max-packets support [Antony]
    * libipsecconf: added ipsec-max-bytes= and ipsec-max-packets= options [Paul]
    * IKEv2: emit one CERTREQ payload with all the hashes [Andrew]
    * addconn/whack: add support for {left,right}pubkey= [Andrew]
    * showhostkey: add support for ECDSA pubkeys [Andrew]
    * Crypto: add KDF self tests [Daiki Ueno]
    * IPv6: open IPv6 IKE port 4500; github/800 [Andrew]
    * showhostkey: add --pem option to print PEM encoded public key [Andrew]
    * unbound: _unbound-hook converted from python to shell [Andrew]
    * BSD: delete old BSDKAME code replaced by PFKEYV2 code [Andrew]
    * BSD: fix replay window byte vs bit math [Andrew]
    * BSD: fix code finding interfaces; github/728 [Andrew]
    * FreeBSD: support large replay window; github/756 [Andrew]
    * FreeBSD: support ESN; github/721 [Andrew]
    * linux: update copy of xfrm.h header [Paul]
    * packaging: update fedora spec file [Paul/Tuomo]
    * building: on BSD, always use GCC; freebsd/264288 llvm/55963 [Andrew]
    * building: enable LTO when USE_LTO=true; github/836 github/834 [Andrew]
    * building: dropped default build and packaging support for:
                Fedora 22, 28, 29, 30
                Debian stretch
                Ubuntu cosmic, xenial
                RHEL6 was removed in v4.5
                Add SUSE, Arch, Mint
    
  • debian/4.7-1
    32a297a1 · prepare debian release ·
    libreswan Debian release 4.7-1
    
  • v4.7
    19eabcd8 · bump to 4.7 ·
    v4.7 (May 24, 2022)
    * IKEv2: EAPTLS support [Timo Teräs / Andrew]
    * IKEv2: EAPONLY support [Andrew]
    * IKEv2: fix interop when IPCOMP+transport-mode [Andrew]
    * IKEv2: fix race between new IKE SA and liveness [Andrew]
    * IKEv2: fix interop with Android 12 + certificates [Andrew]
    * IKEv1: reject IKEv2 only authby=secret+rsasig [Andrew]
    * config: end keywords with no left/right prefix are applied to both ends
    * kernel: fix double delete of kernel policy when tearing down SA [Andrew]
    * kernel: fix deleting policy when an XFRMi FD ID; github/618 [Andrew]
    * kernel: general cleanups [Andrew]
    * _stackmanager / pluto: support Ubuntu 18.04 LTS kernels [Paul]
    * FreeBSD: libreswan builds out-of-the-box [Andrew]
    * BSD: Add IPv6 support (tested on NetBSD)
    * building: fix build on fedora rawhide [Paul]
    * internals: initiate IKEv2 CREATE_CHILD_SA exchange using IKE SA [Andrew]
    * internals: _updown.bsdkame renamed to _updown.bsd
    
  • debian/4.3-1+deb11u1
    f8233349 · use urgency=high ·
    libreswan Debian release 4.3-1+deb11u1
    
  • debian/4.6-1
    87462ebb · prepare debian release ·
    libreswan Debian release 4.6-1
    
  • v4.6
    v4.6 (January 11, 2022)
    * SECURITY: Fixes CVE-2022-23094 https://libreswan.org/security/CVE-2022-23094
    * IKEv2: aggressively check incoming fragments [Andrew]
    * IKEv2: when rekeying and PFS, only propose/allow original crypt-suite [Andrew]
    * IKEv2: when PFS, don't repeatedly log all proposals [Andrew]
    * IKEv2: Labeled IPsec improvements [Andrew]
    * IKEv1: support for ISAKMP_N_CISCO_LOAD_BALANCE removed [Andrew]
    * pluto: Revamp the host connection lookup mechanism [Andrew]
    * pluto: Change default replay-window from 32 to 128 [Paul]
    * pluto: Change default esn= to "either" and prefer "yes" [Paul]
    * pluto: Disable esn when replay-window=0 [Paul]
    * pluto: Drop obsolete debug options such as crypto-low [Andrew]
    * seccomp: Updated syscall allow-list [Paul]
    * packaging: replace old SUSE packaging with pointer to downstream [Andrew]
    * NetBSD: Don't use ESN - not supported by kernel [Andrew]
    * letsencrypt: Fix bashisms in letsencrypt script [dkg]
    * libipsecconf: allow leftauth=ecdsa|rsa (match authby= values) [Paul]
    * testing: significantly improved testing [Andrew, Paul]
    
  • debian/4.5-2
    libreswan Debian release 4.5-2
    
  • debian/4.5-1
    8aa8eaa8 · prepare debian release ·
    libreswan Debian release 4.5-1
    
  • v4.5
    v4.5 (August 20, 2021)
    
    * IKEv1: multiple subnets could lead to crossed wires, failures [Paul/Andrew]
    * IKEv2: don't tear down IKE SA on TS_UNACCEPTABLE [Paul]
    * IKEv2: unpend/delete Child SA when rejected by IKE_AUTH response [Andrew]
    * IKEv2: mobike: resolve_defaultroute_one() updates [Andrew]
    * IKEv2: mobike: prevent sending duplicate mobike response [Andrew]
    * IKEv2: Support for Childless IKE SA [Andrew]
    * IKEv2: redirect: make peer redirecting in IKE_AUTH childless [Vukasin]
    * IKEv2: Labeled IPsec --up causes Childless IKE SA [Andrew/Paul]
    * IKEv2: Labeled IPsec conns share SPD policies (as IKEv1) [Andrew/Paul/Kavinda]
    * IKEv2: Performance; eliminate more O(#CONNECTIONS) code [Andrew]
    * IKEv2: Immediately delete replaced Child from new (IC) IKE SA [Andrew/Paul]
    * pluto: mismatched subnets= could take down all conns [Paul]
    * pluto: Don't delete existing IKE SA of connection instance [Paul]
    * pluto: fail better on parse errors in subnet= clause [Paul]
    * libswan: use getaddrinfo(3) instead of gethostbyname2(3) [Hugh]
    * libipsecconf: fail to load conn if no right= or left= set [Paul]
    * libipsecconf: change default of initial-contact= to yes [Paul]
    * X509: directly append new CRL requests to the fetch queue [Andrew]
    * whack: implement --impair trigger:<global-event> [Andrew]
    * ipsec.service: remove reload which did not work as expected [Tuomo]
    * portexcludes: update to use python3 [Kim]
    * building: fix NetBSD build [Andrew]
    * building: fix arm / aarch64 build [kekePower@github]
    * building: Remove support for RHEL6 USE_OLD_SELINUX [Paul]
    * packaging: handle properly rpm sysctl config [Tuomo]
    * packaging: rhel7: fix python2 shebang [Tuomo]
    
  • v4.4
    383a28eb · bump version to 4.4 ·
    v4.4 (April 22, 2021)
    * IKEv2: Fixes for TCP encap in Transport Mode and host-to-host [Paul/Sabrina]
    * IKEv2: Fixes to Labeled IPsec policies [Kavinda Wewegama/Paul]
    * IKEv2: Add redirect statistics to whack --globalstatus [Clive Zagno]
    * IKEv2: Connections would not always switch when needed [Andrew/Paul]
    * pluto: Fix for host-to-host connections use non-standard IKE ports [Paul]
    * pluto: Use peer ID (IKEv2 IDr, IKEv1 Aggr) to select best initial conn [Paul]
    * pluto: Disable interface-ip= as the feature is not yet implemented [Paul]
    * pluto: Fix PLUTO_PEER_CLIENT* in updown for NAT + Transport Mode [Paul]
    * pluto: Remove never updated PLUTO_VERSION for updown scripts [Paul]
    * pluto: Actually set PLUTO_CONNECTION_TYPE= to transport or tunnel [Paul]
    * pluto: Allow non-templated wildcard ID connections to match [Paul]
    * pluto: Reduce and merge various logging messages [Andrew]
    * libipsecconf: Do not allow vhost/vnet in IKEv2 connections [Paul]
    * XFRM: Restarting pluto when using ipsec-interface= could fail [Paul]
    * contrib/munin: Update plugin to use python3 and update doc header [Tuomo]
    * testing: Enable OpenBSD interop tests [Paul/Ravi]
    * testing: Make tests more reliable on KVM [Andrew]
    
  • debian/4.3-1
    libreswan Debian release 4.3-1
    
  • v4.3
    8a6ccf7c · bump version to 4.3 ·
    v4.3 (February 21, 2021)
    * pluto: Restore range checking on Labeled IPsec [Paul/Andrew]
    * pluto: Higher state serialno does not imply newest state [Paul]
    * pluto: Cleanup ip_address vs ip_endpoint (protoport dropping) [Andrew]
    * pluto: Revival of code could accidentally fallback to IKEv1 [Andrew]
    * newhostkey: Add support for generating ECDSA keys [Daiki Ueno]
    * libipsecconf: Ignore empty option at end of config (rhbz#1685653) [Andrew]
    * whack: Add --global-redirect and --global-redirect-to options [Pietro Monteiro]
    
  • debian/4.2-1
    libreswan Debian release 4.2-1
    
  • v4.2
    89eab903 · bump version to 4.2 ·
    v4.2 (February 2, 2021)
    * IKEv2: Support for IKEv2 Labeled IPsec [Hugh, Sahana, Paul, Kavinda Wewegama]
    * IKEv2: MOBIKE could cause assertion failure due to eroute ownership [Paul]
    * IKEv2: MOBIKE and NAT port update code interfered with each other [Andrew]
    * IKEv1: Re-enable questionable Microsoft proposals to fix L2TP/IPsec [Paul]
    * IKEv1: Do not load IKEv1 conns when IKEv1 support not compiled in [Paul]
    * IKEv1: Fix XAUTH: re-transmit when sending CFG request [Andrew]
    * pluto: New config setup option ikev1-policy=<accept|drop|reject> [Paul]
    * pluto: Change default ikelifetime from 1h to 8h [Paul]
    * pluto: Add ignore-peer-dns=yes|no and whack --ignore-peer-dns [Paul]
    * pluto: Startup could take long time closing fd's (github#373) [Andrew]
    * pluto: IKEv2 connection could accidentally retry as IKEv1 [Andrew]
    * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
             Resolves: github#362, github#405, hwdsl2/setup-ipsec-vpn#912
    * pluto: Revived conns can try to quickly re-use existing NAT mapping.
             Can be used with new auto=keep [Paul, Andrew]
    * pluto: Don't complain about DNS names starting with number [Paul]
    * pluto: Re-implement Labeled IPsec for IKEv1 [Paul, Sahana]
    * pluto: Support for --shutdown --leave-state [Paul]
    * whack: add very raw --processstatus [Andrew]
    * whack: no longer require --ipv6 when specifying raw IPv6 host addresses
    * libswan: Re-introduce xauthusername/remote_peer_type for NM-libreswan [Paul]
    * initsystem: fix docker/podman startup with sysvinit [Paul]
    * initsystem: ensure non-testing namespaces work with systemd [Paul]
    * initsystem: systemd support for ipsec whack --shutdown --leave-state [Paul]
    * pluto: prefer IPv4 over IPv6 when performing DNS lookups [Andrew]
    * building: Support for compiling without IKEv1 via USE_IKEv1=false [Paul]
    * building: Various clang compiler related fixes [Timm Baeder]
    * building: fix NetBSD arm64 build [Andrew]
    * testing: many updates [Andrew, Paul]