Message ID | 20230306153355.3445300-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | ee80a12db0f1a724eefff241d3db8e7c2394917a |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4PVjKq1Ftgz3wfc for <patchwork@web04.haj.ipfire.org>; Mon, 6 Mar 2023 15:34:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4PVjKm30d5zlw; Mon, 6 Mar 2023 15:34:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4PVjKm13vYz2xry; Mon, 6 Mar 2023 15:34:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4PVjKk51B7z2xry for <development@lists.ipfire.org>; Mon, 6 Mar 2023 15:34:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4PVjKj1PSqzNW; Mon, 6 Mar 2023 15:34:01 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1678116841; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=YIL8oaPjaih6eR1dz9Q3e+f5uagJkM/s8yLA27llmbo=; b=qF5Jq7J/GsOOw2wb8GjEh9kPKaPyMD/DC8av+mYn3/k74pOaNtgP16aGlZoSdzeM8RYVcc Sxu2ypEaXfGKhyAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1678116841; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=YIL8oaPjaih6eR1dz9Q3e+f5uagJkM/s8yLA27llmbo=; b=pr+mPeRNBDdTwl2N+Wlhgzeyvk9u+P4ntu9MqJZK0RsPfY6k8ZRmW7xnmgNilB76uCWuCh Rd55IFdgohnONqvoU5S33k17x7ll7KdtoMBTuuGgLdTWTvAcAxdPjUf/CS4T1Yt3Uy6As3 oh7L+CihIbBV3YsJ1W+wCCiUFJH27eqjMJVr0sa0pUC6CWAHR1tcphy5WzvJgMQG5DKaXu hhqOfGakmre2kLPnTG4az8M0PwRs3JwoaMDjw+1k45jJRZgx1rXaSgvYxoFbPUbV1hFIHk W4tFEfyyWuH6HcrL65H1SJA6R1GWVv+tAUCUQMRYZaHhGCUOkQhIHpLs+Vqu8Q== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] strongswan: Update to version 5.9.10 Date: Mon, 6 Mar 2023 16:33:55 +0100 Message-Id: <20230306153355.3445300-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
strongswan: Update to version 5.9.10
|
|
Commit Message
Adolf Belka
March 6, 2023, 3:33 p.m. UTC
- Update from version 5.9.9 to 5.9.10
- Update of rootfile not required
- Changelog
strongswan-5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP
methods that leads to an authentication bypass followed by an expired pointer
dereference that results in a denial of service and possibly even remote code
execution.
This vulnerability has been registered as CVE-2023-26463.
- Added support for full packet hardware offload for IPsec SAs and policies with
Linux 6.2 kernels to the kernel-netlink plugin.
- TLS-based EAP methods now use the standardized key derivation when used
with TLS 1.3.
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
implementing the "protected success indication".
- With the `prefer` value for the `childless` setting, initiators will create
a childless IKE_SA if the responder supports the extension.
- Routes via XFRM interfaces can optionally be installed automatically by
enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
issues with name resolution if they are supported by the kernel.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
PKCS#10 certificate signing request.
- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
(replace them completely, or adding/removing specific flags).
- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
IPsec SAs instead of the policies.
- For libcurl with MultiSSL support, the curl plugin provides an option to
select the SSL/TLS backend.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/strongswan | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
As always, thank you very much! :-) Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > - Update from version 5.9.9 to 5.9.10 > - Update of rootfile not required > - Changelog > strongswan-5.9.10 > - Fixed a vulnerability related to certificate verification in TLS-based EAP > methods that leads to an authentication bypass followed by an expired pointer > dereference that results in a denial of service and possibly even remote code > execution. > This vulnerability has been registered as CVE-2023-26463. > - Added support for full packet hardware offload for IPsec SAs and policies with > Linux 6.2 kernels to the kernel-netlink plugin. > - TLS-based EAP methods now use the standardized key derivation when used > with TLS 1.3. > - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by > implementing the "protected success indication". > - With the `prefer` value for the `childless` setting, initiators will create > a childless IKE_SA if the responder supports the extension. > - Routes via XFRM interfaces can optionally be installed automatically by > enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. > - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid > issues with name resolution if they are supported by the kernel. > - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the > PKCS#10 certificate signing request. > - The `pki --issue` command adopts EKU flags from CSRs but allows modifying them > (replace them completely, or adding/removing specific flags). > - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the > IPsec SAs instead of the policies. > - For libcurl with MultiSSL support, the curl plugin provides an option to > select the SSL/TLS backend. > > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > lfs/strongswan | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/strongswan b/lfs/strongswan > index db4607bc2..7cb886fe7 100644 > --- a/lfs/strongswan > +++ b/lfs/strongswan > @@ -24,7 +24,7 @@ > > include Config > > -VER = 5.9.9 > +VER = 5.9.10 > > THISAPP = strongswan-$(VER) > DL_FILE = $(THISAPP).tar.bz2 > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 > +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9 > > install : $(TARGET) >
diff --git a/lfs/strongswan b/lfs/strongswan index db4607bc2..7cb886fe7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.9.9 +VER = 5.9.10 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9 install : $(TARGET)