compact/trim changelog - https://en.opensuse.org/openSUSE:Creating_a_changes_file_(RPM)

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=151

strongswan.changes

@@ -7,48 +7,26 @@ Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 
 - Update to release 5.9.11
-  * A long-standing deadlock in the vici plugin has been fixed that
-    could get triggered when multiple connections were
-    initiated/terminated concurrently and control-log events were
-    raised by the watcher_t component (#566). 
-  * In compliance with RFC 5280, CRLs now have to be signed by a
-    certificate that either encodes the cRLSign keyUsage bit
-    (even if it is a CA certificate), or is a CA certificate without
-    a keyUsage extension. strongSwan encodes a keyUsage extension
-    with cRLSign bit set in all CA certificates since 13 years. And
-    before that it didn't encode the extension, so these certificates
-    would also be accepted as CRL issuer in case they are still valid
-    (7dc82de).
-  * Support for optional CA labels in EST server URIs
-    (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
-    was added to the pki --est and pki --estca commands (#1614).
-  * The pkcs7 and openssl plugins now support CMS-style signatures in
-    PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
-    signatures (#1615).
+  * A deadlock in the vici plugin has been fixed
+  * Per RFC 5280, CRLs now have to be signed by a certificate that
+    either encodes the cRLSign keyUsage bit (even if it is a CA
+    certificate), or is a CA certificate without a keyUsage
+    extension.
+  * Support for optional CA labels in EST server URIs was added to
+    the pki --est and pki --estca commands.
+  * The pkcs7 and openssl plugins now support CMS-style signatures
+    in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
+    signatures.
   * Fixed a regression in the server implementation of EAP-TLS when
-    using TLS 1.2 or earlier that was introduced with 5.9.10
-    (#1613, 3d0d3f5).
+    using TLS <=1.2.
   * The EAP-TLS client does now enforce that the TLS handshake is
-    complete when using TLS 1.2 or earlier. It was possible to
-    shortcut it by sending an early EAP-Success message. Note that
-    this isn't a security issue as the server is authenticated at
-    that point (db87087).
+    complete when using TLS <=1.2.
   * On Linux, the kernel-libipsec plugin can now optionally handle
-    ESP packets without UDP encapsulation (uses RAW sockets, disabled
-    by default, e3cb756). The plugin and libipsec also gained support
-    trap policies (23d20bb).
-  * The dhcp plugin uses an alternative method to determine the source
-    address when sending unicast DHCP requests, which is not affected
-    by interface filtering that might be employed for the IKE sockets
-    (#1573).
-  * The selection of certificates and trust chains as initiator has
-    been improved if the local trust chain is incomplete (i.e. the
-    root CA certificate for the local certificate is not loaded)
-    while a certificate request for a known but unrelated CA is
-    received, which caused any local intermediate CA certificates not
-    to get sent (efdcbd1).
-  * ECDSA and EdDSA public keys are supported by the ipseckey plugin
-    when parsing RFC 4025 IPSECKEY resource records (7be55ad).
+    ESP packets without UDP encapsulation.
+  * The dhcp plugin uses an alternative method to determine the
+    source address when sending unicast DHCP requests.
+  * ECDSA and EdDSA public keys are supported by the ipseckey
+    plugin when parsing RFC 4025 IPSECKEY resource records.
 
 -------------------------------------------------------------------
 Wed Apr  5 01:34:28 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>