Message ID | 1700635162-8330-1-git-send-email-wangmy@fujitsu.com |
---|---|
State | Accepted |
Series | [meta-networking] strongswan: upgrade 5.9.11 -> 5.9.12 |
On Wed, 22 Nov 2023 14:39:22 +0800, wangmy@fujitsu.com wrote:
> Changelog:
> ==========
> - Fixed a vulnerability in charon-tkm related to processing DH public values
>   that can lead to a buffer overflow and potentially remote code execution.
> - The new `pki --ocsp` command produces OCSP responses based on certificate
>   status information provided by plugins.
> - The cert-enroll script handles the initial enrollment of an X.509 host
>   certificate with a PKI server via the EST or SCEP protocols.
> - The --priv argument for charon-cmd allows using any type of private key.
> - Support for nameConstraints of type iPAddress has been added (the openssl
>   plugin previously didn't support nameConstraints at all).
> - SANs of type uniformResourceIdentifier can now be encoded in certificates.
> - Password-less PKCS#12 and PKCS#8 files are supported.
> - A new global option allows preventing peers from authenticating with trusted
>   end-entity certificates (i.e. local certificates).
> - ECDSA public keys that encode curve parameters explicitly are now rejected by
>   all plugins that support ECDSA.
> - charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
>   also use the name in connection.interface-name.
> - The resolve plugin tries to maintain the order of installed DNS servers.
> - The kernel-libipsec plugin always installs routes even if no address is found
>   in the local traffic selectors.
> - Increased the default receive buffer size for Netlink sockets to 8 MiB and
>   simplified its configuration.
> - Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
>   always generating a hash of the subjectPublicKey.
> - Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
>   timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
>   unrelated traffic selectors.
> - Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
>   instead callbacks are always invoked even if only errors are signaled.
> - Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
>   handling invalid messages.
> - Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
> - Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
>   CHILD_SA is not found during rekeying.
> - The testing environment is now based on Debian 12 (bookworm), by default.
>
> [...]

Applied, thanks!

[1/1] strongswan: upgrade 5.9.11 -> 5.9.12
      commit: 077489fda8f27336942457da1eaa022804f327c2

Best regards,
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb similarity index 99% rename from meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb rename to meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb index fb1bea2d8..87d12bc6c 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.11.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.12.bb @@ -11,7 +11,7 @@ DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ " -SRC_URI[sha256sum] = "ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d" +SRC_URI[sha256sum] = "5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5" UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar"
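
Review bot: the new SRC_URI[sha256sum] value on the + line is the only integrity check on the tarball fetched from download.strongswan.org, and neither the hunk nor the commit message says how it was obtained. Please confirm it was compared against a checksum or signature published by upstream for strongswan-5.9.12.tar.bz2 rather than computed from whatever the fetch returned. Separately, the first changelog entry is a security fix (charon-tkm DH public value handling, buffer overflow, potential remote code execution) but the message names no advisory or CVE identifier; adding it to the commit message would let CVE tracking and stable-branch backport triage find this upgrade.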