From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] strongswan: Update to version 5.9.10 Date: Mon, 06 Mar 2023 16:42:13 +0000 Message-ID: In-Reply-To: <20230306153355.3445300-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1290147428761877366==" List-Id: --===============1290147428761877366== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable As always, thank you very much! :-) Reviewed-by: Peter M=C3=BCller > - Update from version 5.9.9 to 5.9.10 > - Update of rootfile not required > - Changelog > strongswan-5.9.10 > - Fixed a vulnerability related to certificate verification in TLS-based EAP > methods that leads to an authentication bypass followed by an expired poi= nter > dereference that results in a denial of service and possibly even remote = code > execution. > This vulnerability has been registered as CVE-2023-26463. > - Added support for full packet hardware offload for IPsec SAs and policies= with > Linux 6.2 kernels to the kernel-netlink plugin. > - TLS-based EAP methods now use the standardized key derivation when used > with TLS 1.3. > - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by > implementing the "protected success indication". > - With the `prefer` value for the `childless` setting, initiators will crea= te > a childless IKE_SA if the responder supports the extension. > - Routes via XFRM interfaces can optionally be installed automatically by > enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. > - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid > issues with name resolution if they are supported by the kernel. > - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the > PKCS#10 certificate signing request. > - The `pki --issue` command adopts EKU flags from CSRs but allows modifying= them > (replace them completely, or adding/removing specific flags). > - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via = the > IPsec SAs instead of the policies. > - For libcurl with MultiSSL support, the curl plugin provides an option to > select the SSL/TLS backend. >=20 > Signed-off-by: Adolf Belka > --- > lfs/strongswan | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/lfs/strongswan b/lfs/strongswan > index db4607bc2..7cb886fe7 100644 > --- a/lfs/strongswan > +++ b/lfs/strongswan > @@ -24,7 +24,7 @@ > =20 > include Config > =20 > -VER =3D 5.9.9 > +VER =3D 5.9.10 > =20 > THISAPP =3D strongswan-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e= 54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 > +$(DL_FILE)_BLAKE2 =3D 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd47= 5273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9 > =20 > install : $(TARGET) > =20 --===============1290147428761877366==--