
[meta-networking] strongswan: upgrade 5.9.11 -> 5.9.12

Message ID 1700635162-8330-1-git-send-email-wangmy@fujitsu.com
State Accepted
Series: [meta-networking] strongswan: upgrade 5.9.11 -> 5.9.12

Commit Message

Mingyu Wang (Fujitsu) Nov. 22, 2023, 6:39 a.m. UTC
From: Wang Mingyu <wangmy@fujitsu.com>

Changelog:
==========
- Fixed a vulnerability in charon-tkm related to processing DH public values
  that can lead to a buffer overflow and potentially remote code execution.
- The new `pki --ocsp` command produces OCSP responses based on certificate
  status information provided by plugins.
- The cert-enroll script handles the initial enrollment of an X.509 host
  certificate with a PKI server via the EST or SCEP protocols.
- The --priv argument for charon-cmd allows using any type of private key.
- Support for nameConstraints of type iPAddress has been added (the openssl
  plugin previously didn't support nameConstraints at all).
- SANs of type uniformResourceIdentifier can now be encoded in certificates.
- Password-less PKCS#12 and PKCS#8 files are supported.
- A new global option allows preventing peers from authenticating with trusted
  end-entity certificates (i.e. local certificates).
- ECDSA public keys that encode curve parameters explicitly are now rejected by
  all plugins that support ECDSA.
- charon-nm now actually uses the XFRM interfaces added with 5.9.10; it can
  also use the name in connection.interface-name.
- The resolve plugin tries to maintain the order of installed DNS servers.
- The kernel-libipsec plugin always installs routes even if no address is found
  in the local traffic selectors.
- Increased the default receive buffer size for Netlink sockets to 8 MiB and
  simplified its configuration.
- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
  always generating a hash of the subjectPublicKey.
- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
  timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
  unrelated traffic selectors.
- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT;
  instead, callbacks are always invoked even if only errors are signaled.
- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
  handling invalid messages.
- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
  CHILD_SA is not found during rekeying.
- The testing environment is now based on Debian 12 (bookworm), by default.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../strongswan/{strongswan_5.9.11.bb => strongswan_5.9.12.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-networking/recipes-support/strongswan/{strongswan_5.9.11.bb => strongswan_5.9.12.bb} (99%)
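
One changelog item above is a parsing policy rather than a protocol change: ECDSA public keys that carry explicit curve parameters are now rejected. The following is an added example, not code from this patch or from strongSwan, showing what that check looks like on a DER SubjectPublicKeyInfo. It relies on the RFC 5480 ECParameters CHOICE (namedCurve is an OID, implicitCurve is NULL, specifiedCurve is a SEQUENCE), so the outer tag of the AlgorithmIdentifier parameters is enough to classify the key. The three sample keys at the bottom are constructed for the example; the point bytes and the specifiedCurve field values are placeholders, not a real curve or key.

```python
# Added example (not from the patch or strongSwan): classify the ECParameters
# CHOICE in a DER SubjectPublicKeyInfo and accept only namedCurve keys, the
# policy the changelog describes. Sample keys below are constructed, and the
# specifiedCurve values are placeholders, not a real curve.
from typing import List, Optional, Tuple

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"     # id-ecPublicKey (RFC 5480)
ID_PRIME256V1 = "1.2.840.10045.3.1.7"      # secp256r1 / prime256v1
ID_PRIME_FIELD = "1.2.840.10045.1.1"       # prime-field (used only in the sample)
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"

# RFC 5480 ECParameters ::= CHOICE { namedCurve OID, implicitCurve NULL,
# specifiedCurve SEQUENCE }: the outer tag alone identifies the alternative.
PARAM_KIND_BY_TAG = {0x06: "namedCurve", 0x05: "implicitCurve", 0x30: "specifiedCurve"}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of input")
    return tag, data[pos:pos + length], pos + length


def _read_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Decode the TLVs contained in a constructed value."""
    items, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        items.append((tag, child))
    return items


def _decode_oid(value: bytes) -> str:
    """Decode OID content octets to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def ec_parameters_kind(spki: bytes) -> Tuple[str, Optional[str]]:
    """Return (kind, curve OID) for an EC SubjectPublicKeyInfo, or ('not-ec', None)."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg_body = _read_children(body)[0]
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    alg = _read_children(alg_body)
    if alg[0][0] != 0x06 or _decode_oid(alg[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec", None
    if len(alg) < 2:
        return "absent", None              # id-ecPublicKey requires parameters
    ptag, pval = alg[1]
    kind = PARAM_KIND_BY_TAG.get(ptag, "unknown")
    return kind, (_decode_oid(pval) if kind == "namedCurve" else None)


def accept_ec_public_key(spki: bytes) -> bool:
    """Accept only namedCurve keys: explicit parameters let a peer supply its
    own (possibly weak or malformed) domain parameters."""
    return ec_parameters_kind(spki)[0] == "namedCurve"


# --- constructed sample keys (placeholders, not real keys) -------------------
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


_POINT = b"\x04" + b"\x11" * 64            # placeholder uncompressed point
_BITSTR = _der(0x03, b"\x00" + _POINT)     # BIT STRING, 0 unused bits

NAMED_CURVE_SPKI = _der(0x30, _der(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid(ID_PRIME256V1)) + _BITSTR)

_SPECIFIED = _der(0x30,                    # SpecifiedECDomain with placeholder values
    _der(0x02, b"\x01")                                              # version
    + _der(0x30, _oid(ID_PRIME_FIELD) + _der(0x02, b"\x00\xff"))     # fieldID
    + _der(0x30, _der(0x04, b"\x01") + _der(0x04, b"\x02"))          # curve a, b
    + _der(0x04, b"\x04\x01\x02")                                    # base point
    + _der(0x02, b"\x00\xfd")                                        # order
    + _der(0x02, b"\x01"))                                           # cofactor
SPECIFIED_CURVE_SPKI = _der(0x30, _der(0x30, _oid(ID_EC_PUBLIC_KEY) + _SPECIFIED) + _BITSTR)

RSA_SPKI = _der(0x30, _der(0x30, _oid(ID_RSA_ENCRYPTION) + _der(0x05, b""))
           + _der(0x03, b"\x00\x30\x03\x02\x01\x03"))
```

Usage: `accept_ec_public_key(SPECIFIED_CURVE_SPKI)` is False and `accept_ec_public_key(NAMED_CURVE_SPKI)` is True; `ec_parameters_kind` additionally reports the curve OID for named-curve keys so a caller can apply an allow-list of curves on top of the tag check.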

Comments

Khem Raj Nov. 24, 2023, 12:01 a.m. UTC | #1
On Wed, 22 Nov 2023 14:39:22 +0800, wangmy@fujitsu.com wrote:
> Changelog:
> ==========
> - Fixed a vulnerability in charon-tkm related to processing DH public values
>   that can lead to a buffer overflow and potentially remote code execution.
> - The new `pki --ocsp` command produces OCSP responses based on certificate
>   status information provided by plugins.
> - The cert-enroll script handles the initial enrollment of an X.509 host
>   certificate with a PKI server via the EST or SCEP protocols.
> - The --priv argument for charon-cmd allows using any type of private key.
> - Support for nameConstraints of type iPAddress has been added (the openssl
>   plugin previously didn't support nameConstraints at all).
> - SANs of type uniformResourceIdentifier can now be encoded in certificates.
> - Password-less PKCS#12 and PKCS#8 files are supported.
> - A new global option allows preventing peers from authenticating with trusted
>   end-entity certificates (i.e. local certificates).
> - ECDSA public keys that encode curve parameters explicitly are now rejected by
>   all plugins that support ECDSA.
> - charon-nm now actually uses the XFRM interfaces added with 5.9.10; it can
>   also use the name in connection.interface-name.
> - The resolve plugin tries to maintain the order of installed DNS servers.
> - The kernel-libipsec plugin always installs routes even if no address is found
>   in the local traffic selectors.
> - Increased the default receive buffer size for Netlink sockets to 8 MiB and
>   simplified its configuration.
> - Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
>   always generating a hash of the subjectPublicKey.
> - Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
>   timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
>   unrelated traffic selectors.
> - Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT;
>   instead, callbacks are always invoked even if only errors are signaled.
> - Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
>   handling invalid messages.
> - Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
> - Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
>   CHILD_SA is not found during rekeying.
> - The testing environment is now based on Debian 12 (bookworm), by default.
> 
> [...]

Applied, thanks!

[1/1] strongswan: upgrade 5.9.11 -> 5.9.12
      commit: 077489fda8f27336942457da1eaa022804f327c2

Best regards,

Patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb
similarity index 99%
rename from meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb
rename to meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb
index fb1bea2d8..87d12bc6c 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb
@@ -11,7 +11,7 @@  DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '  tpm2-tss',
 SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
           "
 
-SRC_URI[sha256sum] = "ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d"
+SRC_URI[sha256sum] = "5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5"
 
 UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar"
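Review bot: the SRC_URI[sha256sum] line is the only thing that changes in this bump, and the commit message does not record how the new value 5e6018b0... was obtained or checked against upstream, so a reader has nothing to cross-check it with other than re-downloading the tarball; since the headline item in this release is a buffer overflow in charon-tkm with potential remote code execution, a one-line note in the commit message on how the checksum was verified (for instance against an upstream-published signature) and on whether charon-tkm is even built by this recipe (its PACKAGECONFIG is not visible in this hunk) would make the security relevance of the bump clear to anyone backporting it.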