forked from pool/strongswan

Accepting request 1092621 from home:msaquib:branches:network:vpn

- Update to release 5.9.11
  * A long-standing deadlock in the vici plugin has been fixed that
    could get triggered when multiple connections were
    initiated/terminated concurrently and control-log events were
    raised by the watcher_t component (#566). 
  * In compliance with RFC 5280, CRLs now have to be signed by a
    certificate that either encodes the cRLSign keyUsage bit
    (even if it is a CA certificate), or is a CA certificate without
    a keyUsage extension. strongSwan encodes a keyUsage extension
    with cRLSign bit set in all CA certificates since 13 years. And
    before that it didn't encode the extension, so these certificates
    would also be accepted as CRL issuer in case they are still valid
    (7dc82de).
  * Support for optional CA labels in EST server URIs
    (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
    was added to the pki --est and pki --estca commands (#1614).
  * The pkcs7 and openssl plugins now support CMS-style signatures in
    PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
    signatures (#1615).
  * Fixed a regression in the server implementation of EAP-TLS when
    using TLS 1.2 or earlier that was introduced with 5.9.10
    (#1613, 3d0d3f5).
  * The EAP-TLS client does now enforce that the TLS handshake is
    complete when using TLS 1.2 or earlier. It was possible to
    shortcut it by sending an early EAP-Success message. Note that
    this isn't a security issue as the server is authenticated at
    that point (db87087).
  * On Linux, the kernel-libipsec plugin can now optionally handle
    ESP packets without UDP encapsulation (uses RAW sockets, disabled
    by default, e3cb756). The plugin and libipsec also gained support

OBS-URL: https://build.opensuse.org/request/show/1092621
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149
Mohd Saquib 2023-06-12 15:41:55 +00:00 committed by Git OBS Bridge
parent 8148349f08
commit 73a1c9e320
6 changed files with 65 additions and 18 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654
size 4765407



@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
size 4786552
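
Review bot: the new LFS pointer (oid and size 4786552) is the only thing in this hunk that pins the replacement source archive, so the review cannot confirm from the diff that it is the upstream 5.9.11 release. Please state in the request how the digest was checked against upstream's published checksum, or confirm that the build verifies the detached signature before unpacking.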



@ -1,3 +1,50 @@
-------------------------------------------------------------------
Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
- Update to release 5.9.11
* A long-standing deadlock in the vici plugin has been fixed that
could get triggered when multiple connections were
initiated/terminated concurrently and control-log events were
raised by the watcher_t component (#566).
* In compliance with RFC 5280, CRLs now have to be signed by a
certificate that either encodes the cRLSign keyUsage bit
(even if it is a CA certificate), or is a CA certificate without
a keyUsage extension. strongSwan encodes a keyUsage extension
with cRLSign bit set in all CA certificates since 13 years. And
before that it didn't encode the extension, so these certificates
would also be accepted as CRL issuer in case they are still valid
(7dc82de).
* Support for optional CA labels in EST server URIs
(e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
was added to the pki --est and pki --estca commands (#1614).
* The pkcs7 and openssl plugins now support CMS-style signatures in
PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
signatures (#1615).
* Fixed a regression in the server implementation of EAP-TLS when
using TLS 1.2 or earlier that was introduced with 5.9.10
(#1613, 3d0d3f5).
* The EAP-TLS client does now enforce that the TLS handshake is
complete when using TLS 1.2 or earlier. It was possible to
shortcut it by sending an early EAP-Success message. Note that
this isn't a security issue as the server is authenticated at
that point (db87087).
* On Linux, the kernel-libipsec plugin can now optionally handle
ESP packets without UDP encapsulation (uses RAW sockets, disabled
by default, e3cb756). The plugin and libipsec also gained support
trap policies (23d20bb).
* The dhcp plugin uses an alternative method to determine the source
address when sending unicast DHCP requests, which is not affected
by interface filtering that might be employed for the IKE sockets
(#1573).
* The selection of certificates and trust chains as initiator has
been improved if the local trust chain is incomplete (i.e. the
root CA certificate for the local certificate is not loaded)
while a certificate request for a known but unrelated CA is
received, which caused any local intermediate CA certificates not
to get sent (efdcbd1).
* ECDSA and EdDSA public keys are supported by the ipseckey plugin
when parsing RFC 4025 IPSECKEY resource records (7be55ad).
-------------------------------------------------------------------
Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
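
Review bot: the CRL entry ("CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit ... or is a CA certificate without a keyUsage extension") describes a behaviour change that can make a previously accepted CRL fail verification when its issuer certificate carries a keyUsage extension without cRLSign, which the text itself only rules out for CA certificates generated by strongSwan. Consider flagging it as an upgrade note so administrators with CA certificates from other tooling check their CRL issuers before updating. In the kernel-libipsec entry, "also gained support trap policies" is missing "for".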


@ -17,7 +17,7 @@
Name: strongswan
Version: 5.9.10
Version: 5.9.11
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
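
Review bot: nothing in this hunk shows how the bumped Version: reaches the source and signature file names; upstream_version is derived from %{version}, but the lines that consume it are outside the visible context. Please confirm that the Source entries for the archive and its detached signature resolve to the files added in this commit.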