diff --git a/strongswan.changes b/strongswan.changes index ec29cee..c67e46f 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -7,48 +7,26 @@ Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib - Update to release 5.9.11 - * A long-standing deadlock in the vici plugin has been fixed that - could get triggered when multiple connections were - initiated/terminated concurrently and control-log events were - raised by the watcher_t component (#566). - * In compliance with RFC 5280, CRLs now have to be signed by a - certificate that either encodes the cRLSign keyUsage bit - (even if it is a CA certificate), or is a CA certificate without - a keyUsage extension. strongSwan encodes a keyUsage extension - with cRLSign bit set in all CA certificates since 13 years. And - before that it didn't encode the extension, so these certificates - would also be accepted as CRL issuer in case they are still valid - (7dc82de). - * Support for optional CA labels in EST server URIs - (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/) - was added to the pki --est and pki --estca commands (#1614). - * The pkcs7 and openssl plugins now support CMS-style signatures in - PKCS#7 containers, which allows verifying RSA-PSS and ECDSA - signatures (#1615). + * A deadlock in the vici plugin has been fixed + * Per RFC 5280, CRLs now have to be signed by a certificate that + either encodes the cRLSign keyUsage bit (even if it is a CA + certificate), or is a CA certificate without a keyUsage + extension. + * Support for optional CA labels in EST server URIs was added to + the pki --est and pki --estca commands. + * The pkcs7 and openssl plugins now support CMS-style signatures + in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA + signatures. * Fixed a regression in the server implementation of EAP-TLS when - using TLS 1.2 or earlier that was introduced with 5.9.10 - (#1613, 3d0d3f5). + using TLS <=1.2. * The EAP-TLS client does now enforce that the TLS handshake is - complete when using TLS 1.2 or earlier. 
It was possible to - shortcut it by sending an early EAP-Success message. Note that - this isn't a security issue as the server is authenticated at - that point (db87087). + complete when using TLS <=1.2. * On Linux, the kernel-libipsec plugin can now optionally handle - ESP packets without UDP encapsulation (uses RAW sockets, disabled - by default, e3cb756). The plugin and libipsec also gained support - trap policies (23d20bb). - * The dhcp plugin uses an alternative method to determine the source - address when sending unicast DHCP requests, which is not affected - by interface filtering that might be employed for the IKE sockets - (#1573). - * The selection of certificates and trust chains as initiator has - been improved if the local trust chain is incomplete (i.e. the - root CA certificate for the local certificate is not loaded) - while a certificate request for a known but unrelated CA is - received, which caused any local intermediate CA certificates not - to get sent (efdcbd1). - * ECDSA and EdDSA public keys are supported by the ipseckey plugin - when parsing RFC 4025 IPSECKEY resource records (7be55ad). + ESP packets without UDP encapsulation. + * The dhcp plugin uses an alternative method to determine the + source address when sending unicast DHCP requests. + * ECDSA and EdDSA public keys are supported by the ipseckey + plugin when parsing RFC 4025 IPSECKEY resource records. ------------------------------------------------------------------- Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib
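Review bot: the rewritten changelog entries drop every issue and commit reference (#566, 7dc82de, #1614, #1615, #1613, 3d0d3f5, db87087, e3cb756, 23d20bb, #1573, efdcbd1, 7be55ad), which removes the only pointers a packager or auditor has for tracing security-relevant items such as the CRL issuer keyUsage enforcement and the EAP-TLS server regression back to upstream; keeping at least the issue numbers in the shortened lines (e.g. "+ * A deadlock in the vici plugin has been fixed (#566)") costs little and preserves that traceability. Two items are also lost outright rather than shortened: the trap-policy support added to kernel-libipsec and libipsec ("The plugin and libipsec also gained support trap policies (23d20bb)") and the whole entry on improved certificate and trust-chain selection as initiator when the local chain is incomplete (efdcbd1); if the intent was only to condense, those should remain as one-line entries. Finally, the EAP-TLS client line now says only "complete when using TLS <=1.2" and no longer states what the enforcement closes (a handshake shortcut via an early EAP-Success message) nor that upstream does not consider it a security issue; that context is what lets a reader judge the change's severity, so consider keeping a short clause for it.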