Release and vulnerability announcements for strongSwan

strongSwan 6.0.4 Released

We are happy to announce the release of strongSwan 6.0.4, which fixes a vulnerability in the NetworkManager plugin, combines concurrent CRL fetches, and comes with several other improvements and fixes.

Vulnerability in NetworkManager Plugin (CVE-2025-9615)

A vulnerability in the NetworkManager plugin was fixed that potentially allows using the credentials of other local users. All strongSwan versions are affected.

More information is provided in a separate blog entry.

Combine Concurrent CRL Fetches

Concurrent requests by multiple threads to fetch the same CRL URI are now combined by the revocation plugin. Only the first thread actually fetches the CRL; the others wait for its result. This is particularly helpful if the CRL currently cannot be fetched due to DNS or HTTP/LDAP timeouts, as it avoids each thread having to wait for these timeouts individually, which would reduce the number of SAs that can be established concurrently because threads stay blocked for longer.

A negative result is cached for a while (currently three times the fetch timeout, i.e. 30 seconds by default), so requests can fail quickly and threads can continue establishing SAs if they use a relaxed revocation policy.
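The behaviour described above, as an added example that is not strongSwan's revocation plugin code: a single-flight cache in which only the first thread requesting a URI runs the fetch while the others block on a condition variable, a failed fetch is cached as a negative entry for three times the fetch timeout, and a revocation check that treats a missing CRL according to a relaxed or strict policy. The fetcher callable, the CRL represented as a set of revoked serials, the URI crl.example.test and the FakeClock are all constructed for this example.

```python
import threading
import time


class FakeClock:
    """Constructed clock so a caller can advance time without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CrlCache:
    """Single-flight CRL fetch cache with negative-result caching."""

    def __init__(self, fetcher, fetch_timeout=10.0, positive_ttl=3600.0,
                 clock=time.monotonic):
        self._fetcher = fetcher
        # negative results are cached for three times the fetch timeout
        self._negative_ttl = 3 * fetch_timeout
        self._positive_ttl = positive_ttl
        self._clock = clock
        self._cond = threading.Condition()
        self._in_flight = set()   # URIs a thread is currently fetching
        self._cache = {}          # uri -> (crl_or_None, expiry)

    def get(self, uri):
        """Return the CRL for uri, or None if it could not be fetched."""
        with self._cond:
            while True:
                entry = self._cache.get(uri)
                if entry is not None:
                    crl, expiry = entry
                    if self._clock() < expiry:
                        return crl            # positive or negative cache hit
                    del self._cache[uri]      # expired, fetch again
                if uri not in self._in_flight:
                    self._in_flight.add(uri)  # we are the first requester
                    break
                self._cond.wait()             # another thread is fetching
        try:
            crl = self._fetcher(uri)
        except Exception:
            crl = None                        # e.g. DNS or HTTP timeout
        with self._cond:
            ttl = self._positive_ttl if crl is not None else self._negative_ttl
            self._cache[uri] = (crl, self._clock() + ttl)
            self._in_flight.discard(uri)
            self._cond.notify_all()           # wake the waiting threads
        return crl


def check_revocation(cache, uri, serial, relaxed):
    """True if the certificate may be accepted under the given policy."""
    crl = cache.get(uri)
    if crl is None:
        return relaxed    # relaxed: proceed without CRL; strict: reject
    return serial not in crl


CRL_URI = "http://crl.example.test/ca.crl"   # constructed URI


def simulate(n_threads, fail=False, clock=time.monotonic):
    """Run n_threads concurrent lookups; return (cache, fetch_calls, results)."""
    calls = []
    calls_lock = threading.Lock()

    def fetcher(uri):
        with calls_lock:
            calls.append(uri)
        time.sleep(0.05)                      # simulated network delay
        if fail:
            raise TimeoutError("constructed DNS/HTTP timeout")
        return {"0xdead"}                     # constructed CRL: revoked serials

    cache = CrlCache(fetcher, fetch_timeout=0.1, clock=clock)
    results = [None] * n_threads

    def worker(i):
        results[i] = cache.get(CRL_URI)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cache, calls, results


if __name__ == "__main__":
    _, calls, results = simulate(8)
    print(f"{len(calls)} fetch for {len(results)} concurrent lookups")
```

With eight concurrent lookups the fetcher runs once and all threads receive the same CRL; when the fetch fails, later lookups return the cached negative result immediately until the negative TTL has elapsed.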

Other Notable Features and Fixes

  • The maximum supported length for section names in swanctl.conf has been increased to the upper limit of 256 characters that's enforced by VICI.
  • Prevent a crash if a confused peer rekeys a Child SA twice before sending a delete.
  • Fixed a memory leak if a peer's self-signed certificate is untrusted.
