this is the official release announcement for IPFire 2.13 – Core Update 76. It comes with a security fix for the
strongswan package which is responsible for IPsec VPN connections. The vulnerability has got the number CVE-2014-2338. It was possible to bypass the authentication and therefore to overtake a VPN connection whilst the original peers are rekeying. IKEv1 connections are not vulnerable, but IKEv2. Check out the blog post by the strongswan team.
Please update as soon as possible.
I would also like to draw your attention towards the upcoming release of IPFire 2.15. The first release candidate has been released a couple of weeks ago and we are searching for testers to find any last-minute bugs. We are also already thinking about the releases past that and raising funds to implement Single Sign-On Authentication for the Web proxy against Windows Active Directory. So please check this out, too. Your support is very much appreciated!
Michael Tremer - April 16, 2014 at 10:00 am