
Tags

Tags give the ability to mark specific points in history as being important
  • v2.6.37

    b4c37b5d · updated changes ·
    * Fix for CVE-2011-4073 crypto helper crash [Paul/dhr]
    * KLIPS: Fixes to run on Linux 3.1 [David McCullough / Greg Ungerer]
    * KLIPS: Fix sending icmpv6 packets in an ipv6 ipsec tunnel [David McCullough]
    * Fix for ike_alg_get_encrypter() possibly returning NULL [Steve Grubb]
      (this is rhbz#747852)
    * Bugtracker bugs fixed:
       #1241 vhost allows connections with subnets proposed and ignores
             virtual_privat [Wolfgang Nothdurft]
    
  • v2.6.36

    v2.6.36 (October 5th, 2011)
    * CVE-2011-3380 Openswan IKE invalid key length fix [Paul/Hugh]
    * auto: Add --checkpubkeys option for checking expiry of X.509 certs
            [Mika Ilmaranta]
    * Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
    * KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
    * KLIPS: ipsecdevices index overflow [Shinichi Furuso]
    * KLIPS: cleanup off by one interface, prevented module unload [Shinichi Furuso]
    * tncfg called incorrectly for adding more ipsecX interfaces [Shinichi Furuso]
    * KLIPS: ipsec_sa_getbyid() did not work properly on IPv6 [Shinichi Furuso]
    * NAT-T: Fix delete for port floating case [Shinichi Furuso]
    * IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
    * IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
    * TESTING: Added some more consistent logging in prerunsetup() [Paul]
    * pcr_init() should memset the request helper size, not pointer size [Avesh]
    * Prevent dereferencing ctx->trans_cur in db_trans_add() [Avesh/Paul]
    * XAUTH: whack_get_value() never decremented "tries" [Avesh]
    * Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
    * rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
    * examples: clarify hub-spoke netkey design [Tuomo]
    * NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
    * Use iptables-save instead of iptables -L if possible (rhbz#737973) [Avesh]
    * ipsec verify: New kernels use nf_conntrack instead of ip_conntrack [Avesh]
    * LDAP/CRL needs liblber (rhbz#737975) [Avesh]
    * SAREF: kernel patch added for Linux 2.6.36 and 2.6.38 [Paul]
    * SAREF: Remap IP_IPSEC_REFINFO/BINDREF from 22/23 to 30/31 [Sony Japan]
    * Disable USE_IPSECPOLICY per default, was only proof of concept code [Paul]
      (local user could cause pluto to stop responding if /var/run is a tmpfs
       mount and /var/run/pluto was manually deleted, Found by Sony Japan)
    * Bugtracker bugs fixed:
       #1270 malloc is being used which does not use alloc_bytes/pfree [Paul]
    
  • v2.6.36rc1

    rc1 candidate release for Wednesday
    
  • v2.6.36dr1

    * auto: Add --checkpubkeys option for checking expiry of X.509 certs
            [Mika Ilmaranta]
    * Update building (with SAref) on SLES10 / SLES11 / Opensuse [Shinichi Furuso]
    * KLIPS: backported 2.6.19 CryptoAPI for SuSe kernels [Shinichi Furuso]
    * NAT-T: Fix delete for port floating case [Shinichi Furuso]
    * IKEv2: We always sent the openswan VID instead of using #ifdef [Avesh/Paul]
    * IKEv2: ikev2_get_dcookie used SHA1Update() with pointer size [Avesh]
    * TESTING: Added some more consistent logging in prerunsetup() [Paul]
    * pcr_init() should memset the request helper size, not pointer size [Avesh]
    * Prevent dereferencing ctx->trans_cur using passert() in db_trans_add() [Avesh/Paul]
    * XAUTH: whack_get_value() never decremented "tries" so asked indefinitely [Avesh]
    * Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
    * rsasigkey: configdir is always set in the NSS #ifdef part [Avesh]
    * examples: clarify hub-spoke netkey design [Tuomo]
    * NAT-T: Fixed logging for broken NAT-T keepalives [Tobias Brunner]
    * Bugtracker bugs fixed:
       #1270 malloc is being used which does not use alloc_bytes/pfree
    
  • v2.6.35

    v2.6.35 (July 23, 2011)
    * OCF: Fix accidental 'always' setting of large resources [Sony Japan]
    * OCF: Give a hard #error in ipsec_ocf.h without proper CONFIG_KLIPS_OCF [Paul]
    * OCF: Only include ipsec_ocf.h when using CONFIG_KLIPS_OCF
    * MAST: Add ipsec_xmit_sanity_check_dev() in the mast path [Paul]
    * MAST: Be more careful about {mast,ipsec}priv structure [Bart]
    * MAST: Fix host-host connections, bug introduced in v2.6.34 [David]
    * SAREF: Fix crasher in ipsec.ko unload with saref kernel [Sony Japan]
    * SAREF: ip_cmsg_recv_ipsec_refinfo() doesn't initialize refs array [Sony Japan]
    * SAREF: Added null check of secpath_dup(NULL) [Sony Japan]
    * KLIPS: Fix possible double skb free [Sony Japan]
    * KLIPS: Fix MTU on interface - bug introduced in 2.6.33 [Wolfgang Nothdurft]
    * KLIPS: debug messages often had pre-refactor names in prefix [Paul]
    * DPD: Do not ignore failure in dpd_init() but return STF_FAIL [Paul]
    * pluto: Fix IPcomp pull-up from 2.4 introduced in 2.6.20 [Paul]
             (malloc <-> pfree caused assertion with LEAK_DETECTIVE set)
    * pluto: st_peeridentity_port missed ntohs() causing interop
             failure between big/little-endian machines [Magnus Öberg]
    * pluto: Fix for Tuomo's (rare) crasher where globals were not reset [dhr]
    
  • v2.6.35rc1

    daf04afe · updated changes ·
    Release candidate 1!
    
  • v2.6.35dr1

    MAST: be more careful about which {mast,ipsec}priv structure is being used
    
  • v2.6.34

    * Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
    * Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
    * Add Apple iOS work-around to l2tp example configs [Tuomo]
    * KLIPS: Support to compile on Linux 2.6.38 and 2.6.39 [David]
    * KLIPS: Make sin_family setting in delflow the same as addflow [David]
    * KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
    * KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
    * KLIPS: Enable CryptoAPI per default [Paul]
    * KLIPS: Module unload fixes [David]
    * KLIPS: Routing cache corruption due to ip_select_ident [David]
    * KLIPS: Only fixup the ethernet header it might be on [David]
    * KLIPS: Fix for ixs->skb->dev is null at the top of ipsec_xmit_send [David]
    * MAST: refcount bug in transport mode prevented ipsec.ko unload [Sony Japan]
    * MAST: Don't autopick mast [David]
    * NETKEY: Fix AH mode [Avesh]
      - rh #704548
    * DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
      - rh #703473
    * Many uml testing harness fixes and updates, mostly IPv6 related [Paul/Hugh]
    * "ipsec look" now shows NETKEY/XFRM and IPv6 routing table [Paul]
    * "ipsec look" now shows iptables NEW_IPSEC_CONN mangle table [Paul]
    * "ipsec look" and "ipsec barf" now shows ip6tables like iptables [Paul]
    * Fix inbound policy --addin, and added --replacein [David]
    * KLIPS: Fix family check when policies are not set [David]
    * MAST: Fix family check when policies are not set [Sony Japan]
    * Improve build speed (don't recalculate build version all the time) [David]
    * XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
    * Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
    * IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
    * MAST: Fix oops on module unload [David]
    * Improve build speed, calculate version once [David]
    * Import OpenWRT packaging updates [Simon]
    * contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
    * KLIPS: Fix for compiling on 2.6.22 (Fedora Core 6 based) kernels [Paul]
    * KLIPS IPV6: Fix packet fragmentation [Paul]
    * Added PLUTO_CONN_ADDRFAMILY= to updown.* (to disable SAref on v6) [Paul]
    * KLIPS: cleanup packaging/*/config-* files [Paul]
    * Fix a bunch of gcc unused-but-set-variable warnings [Paul]
    * Fix some WERROR warnings [mcr]
    * Various file descriptor leaks and minor memleaks [Avesh/dhr]
    * Removed reference to http://www.freeswan.org from ipsec --help [Tuomo]
    * Bugtracker bugs fixed:
       #1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]
    
  • v2.6.34rc6

    9544d04d · updated changes ·
    netkey fixup for acquire after mcr's gcc warning patch
    klips fixup for non-ethernet packets after 6in4/4in6 patch
    
  • v2.6.34rc5

    Routing cache corruption due to ip_select_ident [David]
    
  • v2.6.34rc4

    157cd317 · updated changes ·
    * KLIPS: Support to compile on Linux 2.6.38 and 2.6.39 [David]
    * DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
    * NETKEY: Fix AH mode [Avesh]
      - rh #704548
    * DYNDNS: using hostnames could lead to loss of ports in SA [Avesh]
      - rh #703473
    * Fix some WERROR warnings [mcr]
    * Various file descriptor leaks and minor memleaks [Avesh/dhr]
    
  • v2.6.34rc3

    d8c07adb · updated changes ·
    Fixes for module unload, klips for 2.6.39 and some gcc warnings
    
  • v2.6.34rc2

    Various gcc fixes and the vendorid fix. don't autopick mast
    
  • v2.6.34rc1

    e509d8f7 · updated changes ·
    v2.6.34 (unreleased)
    * Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
    * Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
    * Add Apple iOS work-around to l2tp example configs [Tuomo]
    * KLIPS: Support to compile on Linux 2.6.38 [David]
    * KLIPS: Make sin_family setting in delflow the same as addflow [David]
    * KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
    * KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
    * MAST: refcount bug in transport mode prevented ipsec.ko unload [Sony Japan]
    * Many uml testing harness fixes and updates, mostly IPv6 related [Paul/Hugh]
    * "ipsec look" now shows NETKEY/XFRM and IPv6 routing table [Paul]
    * "ipsec look" now shows iptables NEW_IPSEC_CONN mangle table [Paul]
    * "ipsec look" and "ipsec barf" now shows ip6tables like iptables [Paul]
    * Fix inbound policy --addin, and added --replacein [David]
    * KLIPS: Fix family check when policies are not set [David]
    * MAST: Fix family check when policies are not set [Sony Japan]
    * Improve build speed (don't recalculate build version all the time) [David]
    * XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
    * Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
    * IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
    * MAST: Fix oops on module unload [David]
    * Improve build speed, calculate version once [David]
    * Import OpenWRT packaging updates [Simon]
    * contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
    * KLIPS: Fix for compiling on 2.6.22 (Fedora Core 6 based) kernels [Paul]
    * KLIPS IPV6: Fix packet fragmentation [Paul]
    * Added PLUTO_CONN_ADDRFAMILY= to updown.* (to disable SAref on v6) [Paul]
    * KLIPS: cleanup packaging/*/config-* files [Paul]
    * Fix a few gcc unused-but-set-variable warnings [Paul]
    * Bugtracker bugs fixed:
       #1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]
    
  • v2.6.34dr2

    Most important since dr1:
    * KLIPS: Make sin_family setting in delflow the same as addflow [David]
    * KLIPS: IPv6 and SLES10 compile fixes [Sony Japan]
    * KLIPS: IPv6 outbound policy check used wrong index [Sony Japan]
    * Fix inbound policy --addin, and added --replacein [David]
    * KLIPS: Fix family check when policies are not set [David]
    * MAST: Fix family check when policies are not set [Sony Japan]
    
  • v2.6.34dr1

    e54c88b5 · updated changes ·
    * Fix build without USE_EXTRACRYPTO introduced in 2.6.33 [Tuomo]
    * Fix new leftmtu= option to pass correctly to _updown [Mattias Walstrom]
    * Add Apple iOS work-around to l2tp example configs [Tuomo]
    * KLIPS: Support to compile on Linux 2.6.38 [David]
    * Many uml testing harness fixes and updates [Paul/Hugh]
    * Improve build speed (don't recalculate build version all the time) [David]
    * XAUTH: Fix rekey with Cisco when remote_peer_type=cisco [Avesh]
    * Openswan (IKEv2/IKEv1) icmp issue (redhat bz 681974) [Avesh]
    * IKEv2: port range was hardcoded to 0-65535, not local policy [Avesh]
    * MAST: Fix oops on module unload [David]
    * Improve build speed, calculate version once [David]
    * Import OpenWRT packaging updates [Simon]
    * contrib: added openswan patch for 2.4.37.9 [Yannick Koehler]
    * Bugtracker bugs fixed:
       #1233 WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct on stop [David]
    
  • v2.6.33

    381894cf · updated changes ·
    v2.6.33
    * Merge in the klips-ipv6 branch [David]
    * modprobe more crypto modules on startup (gcm, camelia, sha2* etc) [Paul]
    * Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
    * Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
    * OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
    * Improved NetworkManager support [Avesh]
      - This is Red Hat bugzilla 642722, 658253, 659709 and 641068
    * ipsec verify now also shows parse errors in ipsec.conf [Paul]
    * Always build SHA2 family support for IKE [Paul]
    * KLIPS: Add a new option to override the replay window via /sys [David]
      (echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
    * Add aesni_intel to the list of crypto modules we attempt to load [Paul]
    * enable dumpdir= in stock ipsec.conf for use with abrtd [Paul]
    * New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
    * per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
    * Cleaned up and moved some old docs [Paul]
    * KLIPS: arp_broken_ops is no longer exported in 2.6.37+ [Paul]
    * KLIPS: Fix crasher in ipsec_xmit_state_delete [David]
    * Bugtracker bugs fixed:
       # 601 KLIPS: NAT-OA UDP checksum bad in transport mode when both sides are
             NATted [Wolfgang]
       # 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
       #1182 Verification of X509 certificate signed by SHA2 [fryasu@yahoo.co.jp]
       #1183 Fix documentation typo (in ipsec.conf) [Tuomo]
       #1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32
             [Paul]
       #1199 when leftsubnet has a different netmask than the localnet, a route
             is added for the localnet to the ipsec device [Tuomo]
       #1201 dpd + ddns does not work [Mattias Walström]
       #1204 Workaround for iPhone/MacOS X NAT problem [Wolfgang Nothdurft]
       #1210 Fails to compile with uClibc >= 0.9.29 [mb@openwrt]
    
  • v2.6.33rc1

    * Add aesni_intel to the list of crypto modules we attempt to load [Paul]
    * New per-conn keyword mtu= allows setting the mtu per tunnel [Paul]
    * per-conn keyword metric= did not export to userland or updown [Paul/Tuomo]
    * MAST: increase traffic counters for mast0 [David]
    * Bugtracker bugs fixed:
       # 645 hundreds of replacements [...]: 000 #3: pending Phase 2 [Anthony Tong]
       #1199 when leftsubnet has a different netmask than the localnet, a route
             is added for the localnet to the ipsec device [Tuomo]
       #1201 dpd + ddns does not work [Mattias Walström]
       #1204 Workaround for iPhone/MacOS X NAT problem [Wolfgang Nothdurft]
       #1210 Fails to compile with uClibc >= 0.9.29 [mb@openwrt]
    
  • v2.6.33dr2

    * ipsec verify now also shows parse errors in ipsec.conf [Paul]
    * Always build SHA2 family support for IKE [Paul]
    * KLIPS: Add a new option to override the replay window via /sys [David]
      (echo 0 > /sys/module/ipsec/parameters/ipsec_replaywin_override)
    
  • v2.6.33dr1

    98115889 · update changes ·
    * Merge in the klips-ipv6 branch [David]
    * modprobe more crypto modules on startup (gcm, camelia, sha2* etc) [Paul]
    * Added %v4:26/8 to virtual_private ("thanks" to T-Mobile/Rogers/FIDO) [Paul]
    * Pluto did not start nhelpers due to --nofork, bug introduced in 2.6.32 [Paul]
    * OCF: Set the OCF queues to 10000 when 256MB+ RAM and 1000+ bogomips [Paul]
    * Improved NetworkManager support [Avesh]
      - This is Red Hat bugzilla 642722, 658253, 659709 and 641068
    * Bugtracker bugs fixed:
       #1182 Verification of X509 certificate signed by SHA2 [fryasu@yahoo.co.jp]
       #1183 Fix documentation typo (in ipsec.conf) [Tuomo]
       #1190 nat-t broke on transport mode for klips between 2.6.31 and 2.6.32 [Paul]