Release Notes: A vulnerability in the Dead Peer Detection (RFC 3706) code was found affecting all strongSwan releases (CVE-2009-0790). A malicious or expired ISAKMP R_U_THERE or R_U_THERE_ACK DPD packet can cause the pluto IKEv1 daemon to crash and restart. The new server-side IKEv2 EAP RADIUS plugin relays EAP messages to and from a RADIUS server. It has been successfully tested with a FreeRadius server using EAP-MD5 and EAP-SIM.
Release Notes: The mixed PSK/RSA roadwarrior detection capability introduced by the strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal payloads before any defined IKE Main Mode state had been established. Although bad proposal syntax was correctly being detected by the parser, the subsequent error handler didn't check the state pointer before logging current state information, causing an immediate crash of the pluto keying daemon due to a NULL pointer. This release fixes this vulnerability to malformed proposal payloads that could otherwise be exploited by Denial-of-Service attacks.