* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 7ad27c50903b55a44d51c08760a085d8d9a73aae
@ 2023-03-06 16:44 Peter Müller
0 siblings, 0 replies; only message in thread
From: Peter Müller @ 2023-03-06 16:44 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 5202 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 7ad27c50903b55a44d51c08760a085d8d9a73aae (commit)
via ee80a12db0f1a724eefff241d3db8e7c2394917a (commit)
from cf66a3f133428dcd51be0cc36161237c20cda84b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7ad27c50903b55a44d51c08760a085d8d9a73aae
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Mar 6 16:43:47 2023 +0000
Core Update 174: Ship and restart strongSwan
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit ee80a12db0f1a724eefff241d3db8e7c2394917a
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Mon Mar 6 16:33:55 2023 +0100
strongswan: Update to version 5.9.10
- Update from version 5.9.9 to 5.9.10
- Update of rootfile not required
- Changelog
strongswan-5.9.10
- Fixed a vulnerability related to certificate verification in TLS-based EAP
methods that leads to an authentication bypass followed by an expired pointer
dereference that results in a denial of service and possibly even remote code
execution.
This vulnerability has been registered as CVE-2023-26463.
- Added support for full packet hardware offload for IPsec SAs and policies with
Linux 6.2 kernels to the kernel-netlink plugin.
- TLS-based EAP methods now use the standardized key derivation when used
with TLS 1.3.
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
implementing the "protected success indication".
- With the `prefer` value for the `childless` setting, initiators will create
a childless IKE_SA if the responder supports the extension.
- Routes via XFRM interfaces can optionally be installed automatically by
enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
issues with name resolution if they are supported by the kernel.
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
PKCS#10 certificate signing request.
- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
(replace them completely, or adding/removing specific flags).
- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
IPsec SAs instead of the policies.
- For libcurl with MultiSSL support, the curl plugin provides an option to
select the SSL/TLS backend.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/{oldcore/106 => core/174}/filelists/strongswan | 0
config/rootfiles/core/174/update.sh | 4 ++++
lfs/strongswan | 4 ++--
3 files changed, 6 insertions(+), 2 deletions(-)
copy config/rootfiles/{oldcore/106 => core/174}/filelists/strongswan (100%)
Difference in files:
diff --git a/config/rootfiles/core/174/filelists/strongswan b/config/rootfiles/core/174/filelists/strongswan
new file mode 120000
index 000000000..90c727e26
--- /dev/null
+++ b/config/rootfiles/core/174/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh
index 3f8263f22..9dcdb491f 100644
--- a/config/rootfiles/core/174/update.sh
+++ b/config/rootfiles/core/174/update.sh
@@ -33,6 +33,7 @@ done
# Stop services
/etc/rc.d/init.d/squid stop
+/etc/rc.d/init.d/ipsec stop
# Extract files
extract_files
@@ -64,6 +65,9 @@ telinit u
if [ -f /var/ipfire/proxy/enable ]; then
/etc/init.d/squid start
fi
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+ /etc/rc.d/init.d/ipsec start
+fi
# Rebuild initial ramdisk to apply microcode updates
dracut --regenerate-all --force
diff --git a/lfs/strongswan b/lfs/strongswan
index db4607bc2..7cb886fe7 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
include Config
-VER = 5.9.9
+VER = 5.9.10
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5
+$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-03-06 16:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-06 16:44 [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 7ad27c50903b55a44d51c08760a085d8d9a73aae Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox