This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 7ad27c50903b55a44d51c08760a085d8d9a73aae (commit) via ee80a12db0f1a724eefff241d3db8e7c2394917a (commit) from cf66a3f133428dcd51be0cc36161237c20cda84b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 7ad27c50903b55a44d51c08760a085d8d9a73aae Author: Peter Müller peter.mueller@ipfire.org Date: Mon Mar 6 16:43:47 2023 +0000
Core Update 174: Ship and restart strongSwan
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ee80a12db0f1a724eefff241d3db8e7c2394917a Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Mar 6 16:33:55 2023 +0100
strongswan: Update to version 5.9.10
- Update from version 5.9.9 to 5.9.10 - Update of rootfile not required - Changelog strongswan-5.9.10 - Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service and possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. - Added support for full packet hardware offload for IPsec SAs and policies with Linux 6.2 kernels to the kernel-netlink plugin. - TLS-based EAP methods now use the standardized key derivation when used with TLS 1.3. - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication". - With the `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension. - Routes via XFRM interfaces can optionally be installed automatically by enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel. - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request. - The `pki --issue` command adopts EKU flags from CSRs but allows modifying them (replace them completely, or adding/removing specific flags). - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the IPsec SAs instead of the policies. - For libcurl with MultiSSL support, the curl plugin provides an option to select the SSL/TLS backend.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/{oldcore/106 => core/174}/filelists/strongswan | 0 config/rootfiles/core/174/update.sh | 4 ++++ lfs/strongswan | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) copy config/rootfiles/{oldcore/106 => core/174}/filelists/strongswan (100%)
Difference in files: diff --git a/config/rootfiles/core/174/filelists/strongswan b/config/rootfiles/core/174/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/174/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh index 3f8263f22..9dcdb491f 100644 --- a/config/rootfiles/core/174/update.sh +++ b/config/rootfiles/core/174/update.sh @@ -33,6 +33,7 @@ done
# Stop services /etc/rc.d/init.d/squid stop +/etc/rc.d/init.d/ipsec stop
# Extract files extract_files @@ -64,6 +65,9 @@ telinit u if [ -f /var/ipfire/proxy/enable ]; then /etc/init.d/squid start fi +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/rc.d/init.d/ipsec start +fi
# Rebuild initial ramdisk to apply microcode updates dracut --regenerate-all --force diff --git a/lfs/strongswan b/lfs/strongswan index db4607bc2..7cb886fe7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.9.9 +VER = 5.9.10
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 +$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree