- Update from version 5.9.9 to 5.9.10 - Update of rootfile not required - Changelog strongswan-5.9.10 - Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service and possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. - Added support for full packet hardware offload for IPsec SAs and policies with Linux 6.2 kernels to the kernel-netlink plugin. - TLS-based EAP methods now use the standardized key derivation when used with TLS 1.3. - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication". - With the `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension. - Routes via XFRM interfaces can optionally be installed automatically by enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel. - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request. - The `pki --issue` command adopts EKU flags from CSRs but allows modifying them (replace them completely, or adding/removing specific flags). - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the IPsec SAs instead of the policies. - For libcurl with MultiSSL support, the curl plugin provides an option to select the SSL/TLS backend.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/strongswan b/lfs/strongswan index db4607bc2..7cb886fe7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.9.9 +VER = 5.9.10
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
install : $(TARGET)
As always, thank you very much! :-)
Reviewed-by: Peter Müller peter.mueller@ipfire.org
- Update from version 5.9.9 to 5.9.10
- Update of rootfile not required
- Changelog
strongswan-5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service and possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463.
- Added support for full packet hardware offload for IPsec SAs and policies with Linux 6.2 kernels to the kernel-netlink plugin.
- TLS-based EAP methods now use the standardized key derivation when used with TLS 1.3.
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication".
- With the `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension.
- Routes via XFRM interfaces can optionally be installed automatically by enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request.
- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them (replace them completely, or adding/removing specific flags).
- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the IPsec SAs instead of the policies.
- For libcurl with MultiSSL support, the curl plugin provides an option to select the SSL/TLS backend.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/strongswan b/lfs/strongswan index db4607bc2..7cb886fe7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.9.9 +VER = 5.9.10
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
install : $(TARGET)