Security and Functional Flaw Reporting
Security Flaws
Reporting
- Please email any security-relevant flaw to the special mail account security@strongswan.org. Whenever possible, encrypt your message using the strongSwan security PGP key for the security@strongswan.org account.
Severity Classification
High Severity Flaw
- Allows remote access to the VPN with improper, missing, or invalid credentials
- Allows local escalation of privileges on the server
- Plaintext traffic on the secure interface
- Key generation and crypto flaws that reduce the difficulty of decrypting secure traffic
Action Taken
- For high and medium severity vulnerabilities we first apply for a CVE identifier. Next we notify all known strongSwan customers and the major Linux distributions, giving them about three weeks to patch their software releases. On a predetermined date we officially issue an advisory and a patch for the vulnerability, usually together with a new stable strongSwan release containing the security fix. The CVE entry is published as well.
- Minor vulnerabilities of low severity are usually fixed immediately, and the corresponding patch is pushed to the repository on GitHub.
List of Reported and Fixed Security Flaws
- Here is the list of all reported high and medium severity strongSwan security flaws registered in the CVE database, which were fixed by the following security patches. Each security patch is signed by the strongSwan release PGP key.
Functional Flaws
- Please report all non-security-related flaws and bugs by opening a new issue on our strongSwan GitHub site. It is helpful if you can already pinpoint the source file where you suspect the bug or, in the case of a crash, provide a backtrace from the core dump.
- User patches fixing flaws are always welcome and can be submitted as a pull request on our strongSwan GitHub site.