compact/trim changelog - https://en.opensuse.org/openSUSE:Creating_a_changes_file_(RPM)

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=151

strongswan.changes

@@ -7,48 +7,26 @@ Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 
 - Update to release 5.9.11
-  * A long-standing deadlock in the vici plugin has been fixed that
+  * A deadlock in the vici plugin has been fixed
-    could get triggered when multiple connections were
+  * Per RFC 5280, CRLs now have to be signed by a certificate that
-    initiated/terminated concurrently and control-log events were
+    either encodes the cRLSign keyUsage bit (even if it is a CA
-    raised by the watcher_t component (#566). 
+    certificate), or is a CA certificate without a keyUsage
-  * In compliance with RFC 5280, CRLs now have to be signed by a
+    extension.
-    certificate that either encodes the cRLSign keyUsage bit
+  * Support for optional CA labels in EST server URIs was added to
-    (even if it is a CA certificate), or is a CA certificate without
+    the pki --est and pki --estca commands.
-    a keyUsage extension. strongSwan encodes a keyUsage extension
+  * The pkcs7 and openssl plugins now support CMS-style signatures
-    with cRLSign bit set in all CA certificates since 13 years. And
+    in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
-    before that it didn't encode the extension, so these certificates
+    signatures.
-    would also be accepted as CRL issuer in case they are still valid
-    (7dc82de).
-  * Support for optional CA labels in EST server URIs
-    (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
-    was added to the pki --est and pki --estca commands (#1614).
-  * The pkcs7 and openssl plugins now support CMS-style signatures in
-    PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
-    signatures (#1615).
   * Fixed a regression in the server implementation of EAP-TLS when
-    using TLS 1.2 or earlier that was introduced with 5.9.10
+    using TLS <=1.2.
-    (#1613, 3d0d3f5).
   * The EAP-TLS client does now enforce that the TLS handshake is
-    complete when using TLS 1.2 or earlier. It was possible to
+    complete when using TLS <=1.2.
-    shortcut it by sending an early EAP-Success message. Note that
-    this isn't a security issue as the server is authenticated at
-    that point (db87087).
   * On Linux, the kernel-libipsec plugin can now optionally handle
-    ESP packets without UDP encapsulation (uses RAW sockets, disabled
+    ESP packets without UDP encapsulation.
-    by default, e3cb756). The plugin and libipsec also gained support
+  * The dhcp plugin uses an alternative method to determine the
-    trap policies (23d20bb).
+    source address when sending unicast DHCP requests.
-  * The dhcp plugin uses an alternative method to determine the source
+  * ECDSA and EdDSA public keys are supported by the ipseckey
-    address when sending unicast DHCP requests, which is not affected
+    plugin when parsing RFC 4025 IPSECKEY resource records.
-    by interface filtering that might be employed for the IKE sockets
-    (#1573).
-  * The selection of certificates and trust chains as initiator has
-    been improved if the local trust chain is incomplete (i.e. the
-    root CA certificate for the local certificate is not loaded)
-    while a certificate request for a known but unrelated CA is
-    received, which caused any local intermediate CA certificates not
-    to get sent (efdcbd1).
-  * ECDSA and EdDSA public keys are supported by the ipseckey plugin
-    when parsing RFC 4025 IPSECKEY resource records (7be55ad).
 
 -------------------------------------------------------------------
 Wed Apr  5 01:34:28 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>