From patchwork Mon Dec 15 21:46:50 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9369
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] strongswan: Update to version 6.0.4
Date: Mon, 15 Dec 2025 22:46:50 +0100
Message-ID: <20251215214650.3647680-2-adolf.belka@ipfire.org>
In-Reply-To: <20251215214650.3647680-1-adolf.belka@ipfire.org>
References: <20251215214650.3647680-1-adolf.belka@ipfire.org>
Precedence: list
MIME-Version: 1.0

- Update from version 6.0.3 to 6.0.4
- No change to the rootfile
- Changelog
    6.0.4
      Vulnerabilities
        Fixed a vulnerability in the NetworkManager plugin that potentially allows using
         credentials of other local users. This vulnerability has been registered as
         CVE-2025-9615. Please refer to our blog for details.
      Enhancements and Optimizations
        Concurrent requests to fetch the same CRL URI by multiple threads are now
         combined by the revocation plugin (#2918). Only the first thread actually
         fetches it, the others wait for that result. This is particularly helpful if
         the CRL can currently not be fetched due to DNS or HTTP/LDAP timeouts as it
         avoids that each thread has to wait individually, reducing the number of SAs
         that can concurrently be established as threads are blocked longer. A negative
         result is cached for a while (currently 30 seconds) so requests can fail
         quickly and threads can continue establishing SAs if they use a relaxed
         revocation policy.
        The maximum supported length for section names in swanctl.conf has been
         increased to the upper limit of 256 characters that's enforced by VICI (#2936).
      Fixes
        Prevent a crash if a confused peer rekeys a Child SA twice before sending a
         delete (#2945).
        Fixed a memory leak if a peer's self-signed certificate is untrusted (#2954).

Signed-off-by: Adolf Belka
--- lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/strongswan b/lfs/strongswan index 728e01636..a993dd39e 100644 --- a/lfs/strongswan +++ b/lfs/strongswan 
@@ -24,7 +24,7 @@ include Config -VER = 6.0.3 +VER = 6.0.4 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 355dff5de259e545b1bb5e24853dc91148c3d400b1977a2de35271e019dfc236c838ccac4552974a4999e2768900150c432753fc0d422444d4cc34486566e192 +$(DL_FILE)_BLAKE2 = 2291900bda3e679cb68f35e44fe20011d82b44e7a9ed3fd0ae7c40ed57154c5ecded1ab5bffc9ab30c93de667ef9b103a7da1a2b31d8e2eae97b268f0be11f01 install : $(TARGET)
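Review bot: The VER change in the first hunk (6.0.3 to 6.0.4) is what brings in the CVE-2025-9615 fix, but the commit message does not say whether this build is affected. The fix is in the NetworkManager plugin and the hunk shows no configure options, so please add a line to the message stating whether that plugin is built here. That tells whoever merges this whether it is a security update or a routine bump.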
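Review bot: The new $(DL_FILE)_BLAKE2 value in the second hunk cannot be checked from the patch alone, and the commit message does not say how it was obtained. Please state in the message that the digest was computed over a strongswan-6.0.4.tar.bz2 that was first verified against upstream's published signature or checksum, since this line is the integrity pin visible here for the file fetched from $(DL_FROM).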