VyOS Networks Blog

Building an open source network OS for the people, together.

1.1.2 maintenance release

Daniil Baturin
Posted 22 Jan, 2015

The 1.1.2 maintenance release is available for download (mirrors are syncing up). You can find the release notes here.

This release includes a number of bugfixes and security patches. First, it fixes the recently discovered NTP vulnerabilities, so if you chose to block NTP traffic rather than install updated packages by hand, it’s a good idea to upgrade now.

Second, it fixes the UnionFS problem that caused “Failed to generate commited config” in some cases when the config was modified by multiple users.

Other fixes include a fix for loading SSH keys with whitespace in the name (important for AWS users), fixes for incorrect behaviour of the IKEv2 versions of IPsec op mode commands, an improved fix for the SSH segfault on AMD hardware, and some fixes for identifier-based IPsec authentication.

One fix in the last group probably deserves some attention. In earlier versions, if you set the “authentication remote-id” option for an IPsec peer with an “@something” name (which is interpreted as the right ID), that option was silently ignored. That was undocumented and hardly reasonable behaviour. Now the “remote-id” option overrides the ID based on the peer name. The reason for this change is that it makes it possible to use X.509 CNs for peer identifiers, which was not possible in the original CLI design (I have no idea why the original design required IDs to start with “@” and include only alphanumeric characters—strongSwan never required it). However, if you somehow relied on this undefined behaviour, you’ll need to remove the remote-id now.
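A pre-upgrade check for the remote-id change described above, as an added example that is not part of the original post or the VyOS code base. It assumes the configuration was exported with `show configuration commands` and that the option lives at `vpn ipsec site-to-site peer <peer> authentication remote-id`; the sample configuration is constructed.

```python
import shlex
import sys

# Constructed sample of `show configuration commands` output (not from a real router).
SAMPLE = """\
set vpn ipsec site-to-site peer @branch1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @branch1 authentication remote-id 'C=US, O=Example, CN=branch1.example.net'
set vpn ipsec site-to-site peer @branch2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id '@hq'
"""

# Assumed node path of a site-to-site peer in set-command form.
PREFIX = ["set", "vpn", "ipsec", "site-to-site", "peer"]


def peers_affected_by_remote_id_change(config_text):
    """Return {peer: remote_id} for every '@name' peer that has a remote-id.

    Before 1.1.2 the remote-id on such peers was silently ignored; from
    1.1.2 on it overrides the ID derived from the peer name, so each of
    these tunnels will expect a different remote identity after upgrade.
    """
    affected = {}
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)  # handles the single-quoted values
        except ValueError:
            continue  # unbalanced quotes: not a well-formed set command
        if len(tokens) != 9 or tokens[:5] != PREFIX:
            continue
        peer, node, leaf, value = tokens[5:]
        if (node, leaf) == ("authentication", "remote-id") and peer.startswith("@"):
            affected[peer] = value
    return affected


if __name__ == "__main__":
    # Pass a saved config dump as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for peer, rid in sorted(peers_affected_by_remote_id_change(text).items()):
        print("peer %s: remote-id %r takes effect after upgrade" % (peer, rid))
```

For each peer it reports, either confirm that the remote end really presents that ID or remove the remote-id before upgrading.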

Also, IPsec pre-shared keys may contain any printable characters now, since those restrictions never had any basis in strongSwan and some peers may insist on using keys with “/” or other characters that used to be disallowed.

The last fix to mention: squidguard used to be built without LDAP support, so related commands didn’t work properly. Now they should work; tell us if they still don’t.

Thanks to Alex Harpin, Jared Baldridge, Jason Hendry (he did enormous work on IKEv2!), Hiroyuki Sato, Igor Golubkov, and everyone who participated!
