diff mbox series

strongswan: Update to version 5.9.10

Message ID	20230306153355.3445300-1-adolf.belka@ipfire.org
State	Accepted
Commit	ee80a12db0f1a724eefff241d3db8e7c2394917a
Headers	From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] strongswan: Update to version 5.9.10 Date: Mon, 6 Mar 2023 16:33:55 +0100 Message-Id: <20230306153355.3445300-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	strongswan: Update to version 5.9.10 \| strongswan: Update to version 5.9.10

Commit Message

Adolf Belka March 6, 2023, 3:33 p.m. UTC

  - Update from version 5.9.9 to 5.9.10
- Update of rootfile not required
- Changelog
strongswan-5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP
  methods that leads to an authentication bypass followed by an expired pointer
  dereference that results in a denial of service and possibly even remote code
  execution.
  This vulnerability has been registered as CVE-2023-26463.
- Added support for full packet hardware offload for IPsec SAs and policies with
  Linux 6.2 kernels to the kernel-netlink plugin.
- TLS-based EAP methods now use the standardized key derivation when used
  with TLS 1.3.
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
  implementing the "protected success indication".
- With the `prefer` value for the `childless` setting, initiators will create
  a childless IKE_SA if the responder supports the extension.
- Routes via XFRM interfaces can optionally be installed automatically by
  enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
  issues with name resolution if they are supported by the kernel.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
  PKCS#10 certificate signing request.
- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
  (replace them completely, or adding/removing specific flags).
- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
  IPsec SAs instead of the policies.
- For libcurl with MultiSSL support, the curl plugin provides an option to
  select the SSL/TLS backend.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/strongswan | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Müller March 6, 2023, 4:42 p.m. UTC | #1

As always, thank you very much! :-)

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> - Update from version 5.9.9 to 5.9.10
> - Update of rootfile not required
> - Changelog
> strongswan-5.9.10
> - Fixed a vulnerability related to certificate verification in TLS-based EAP
>   methods that leads to an authentication bypass followed by an expired pointer
>   dereference that results in a denial of service and possibly even remote code
>   execution.
>   This vulnerability has been registered as CVE-2023-26463.
> - Added support for full packet hardware offload for IPsec SAs and policies with
>   Linux 6.2 kernels to the kernel-netlink plugin.
> - TLS-based EAP methods now use the standardized key derivation when used
>   with TLS 1.3.
> - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
>   implementing the "protected success indication".
> - With the `prefer` value for the `childless` setting, initiators will create
>   a childless IKE_SA if the responder supports the extension.
> - Routes via XFRM interfaces can optionally be installed automatically by
>   enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
> - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
>   issues with name resolution if they are supported by the kernel.
> - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
>   PKCS#10 certificate signing request.
> - The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
>   (replace them completely, or adding/removing specific flags).
> - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
>   IPsec SAs instead of the policies.
> - For libcurl with MultiSSL support, the curl plugin provides an option to
>   select the SSL/TLS backend.
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  lfs/strongswan | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/strongswan b/lfs/strongswan
> index db4607bc2..7cb886fe7 100644
> --- a/lfs/strongswan
> +++ b/lfs/strongswan
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 5.9.9
> +VER        = 5.9.10
>  
>  THISAPP    = strongswan-$(VER)
>  DL_FILE    = $(THISAPP).tar.bz2
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5
> +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
>  
>  install : $(TARGET)
>

diff mbox series

Patch

diff --git a/lfs/strongswan b/lfs/strongswan
index db4607bc2..7cb886fe7 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.9.9
+VER        = 5.9.10
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5
+$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
 
 install : $(TARGET)