diff options
author | Wang Mingyu <wangmy@fujitsu.com> | 2023-11-22 14:39:22 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-01-05 07:52:17 -0500 |
commit | 3c4c97f2309e56e50f78aed4354e1df48815d533 (patch) | |
tree | 8f49c74fb81ac309107474c1cc7e75e28c474db7 | |
parent | 60cb9119251ac47771161939aa726c4dbaf57666 (diff) | |
download | meta-openembedded-3c4c97f2309e56e50f78aed4354e1df48815d533.tar.gz |
strongswan: upgrade 5.9.11 -> 5.9.12
Changelog:
==========
- Fixed a vulnerability in charon-tkm related to processing DH public values
that can lead to a buffer overflow and potentially remote code execution.
- The new `pki --ocsp` command produces OCSP responses based on certificate
status information provided by plugins.
- The cert-enroll script handles the initial enrollment of an X.509 host
certificate with a PKI server via the EST or SCEP protocols.
- The --priv argument for charon-cmd allows using any type of private key.
- Support for nameConstraints of type iPAddress has been added (the openssl
plugin previously didn't support nameConstraints at all).
- SANs of type uniformResourceIdentifier can now be encoded in certificates.
- Password-less PKCS#12 and PKCS#8 files are supported.
- A new global option allows preventing peers from authenticating with trusted
end-entity certificates (i.e. local certificates).
- ECDSA public keys that encode curve parameters explicitly are now rejected by
all plugins that support ECDSA.
- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
also use the name in connection.interface-name.
- The resolve plugin tries to maintain the order of installed DNS servers.
- The kernel-libipsec plugin always installs routes even if no address is found
in the local traffic selectors.
- Increased the default receive buffer size for Netlink sockets to 8 MiB and
simplified its configuration.
- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
always generating a hash of the subjectPublicKey.
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
unrelated traffic selectors.
- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
instead callbacks are always invoked even if only errors are signaled.
- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
handling invalid messages.
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
CHILD_SA is not found during rekeying.
- The testing environment is now based on Debian 12 (bookworm), by default.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 077489fda8f27336942457da1eaa022804f327c2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb (renamed from meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb) | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb index fb1bea2d87..87d12bc6c8 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb @@ -11,7 +11,7 @@ DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ " -SRC_URI[sha256sum] = "ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d" +SRC_URI[sha256sum] = "5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar" |