From 766a6e5c0ba77fbcb7c7141cb4f66be2d20dc7e7 Mon Sep 17 00:00:00 2001
From: Thomas Perale
Date: Thu, 5 Feb 2026 20:04:10 +0100
Subject: [PATCH 1/4] package/strongswan: fix patch header

Commit [1] introduced a patch to fix CVE-2025-62291. Since [2] the security patches neeed to reference the vulnerability with the `CVE: ` trailer in the patch header.

[1] b009935e27 package/strongswan: add patch to fix CVE-2025-62291
[2] 1167d0ff3d docs/manual: mention CVE trailer

Signed-off-by: Thomas Perale
Signed-off-by: Marcus Hoffmann
---
 package/strongswan/0001-eap_mschapv2_failure_request_len.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/strongswan/0001-eap_mschapv2_failure_request_len.patch b/package/strongswan/0001-eap_mschapv2_failure_request_len.patch
index 8442cc78163..7442c123c45 100644
--- a/package/strongswan/0001-eap_mschapv2_failure_request_len.patch
+++ b/package/strongswan/0001-eap_mschapv2_failure_request_len.patch
@@ -21,7 +21,7 @@ Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
 overflow and causes the daemon to get aborted immediately instead.
 
 Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
-Fixes: CVE-2025-62291
+CVE: CVE-2025-62291
 Upstream: https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32
 Signed-off-by: Waldemar Brodkorb
 ---

From 8090d0eb9e252eb6a589d2b4fddee8b6ec83764d Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Wed, 4 Feb 2026 16:35:27 +0100
Subject: [PATCH 2/4] package/strongswan: add Linux kernel options

See here for options required by Strongswan to work properly:
https://docs.strongswan.org/docs/latest/install/kernelModules.html

We only enable a subset, which is the bare minimum to start charon IKEv2 daemon. For advanced users this might be not enough.

Signed-off-by: Waldemar Brodkorb
Signed-off-by: Marcus Hoffmann
---
 package/strongswan/strongswan.mk | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index caf214cefa8..d27341a8606 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -114,4 +114,16 @@ STRONGSWAN_CONF_OPTS += \
 	--disable-connmark \
 	--disable-forecast
 
+# bare minimum to start charon
+define STRONGSWAN_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETLINK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_AH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INET_ESP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_XFRM)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_XFRM_USER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_XFRM_INTERFACE)
+endef
+
 $(eval $(autotools-package))

From d6ce4e260263ef293b7a5dc7052ec56615ffd9eb Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Wed, 4 Feb 2026 16:34:37 +0100
Subject: [PATCH 3/4] package/strongswan: update to 6.0.4

See here for Changes:
https://github.com/strongswan/strongswan/releases/tag/6.0.4

Signed-off-by: Waldemar Brodkorb
[Marcus: remove patch and CVE_IGNORE]
Signed-off-by: Marcus Hoffmann
---
 ...001-eap_mschapv2_failure_request_len.patch | 46 -------------------
 package/strongswan/strongswan.hash | 6 +--
 package/strongswan/strongswan.mk | 4 +-
 3 files changed, 4 insertions(+), 52 deletions(-)
 delete mode 100644 package/strongswan/0001-eap_mschapv2_failure_request_len.patch

diff --git a/package/strongswan/0001-eap_mschapv2_failure_request_len.patch b/package/strongswan/0001-eap_mschapv2_failure_request_len.patch
deleted file mode 100644
index 7442c123c45..00000000000
--- a/package/strongswan/0001-eap_mschapv2_failure_request_len.patch
+++ /dev/null
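Review bot: CONFIG_XFRM_INTERFACE, the last entry of the new STRONGSWAN_LINUX_CONFIG_FIXUPS block, depends as far as I recall on CONFIG_IPV6 in the kernel's net/xfrm/Kconfig, and the block does not enable IPv6, so on a kernel configured without it the olddefconfig pass that follows the fixups would drop the option again and the "bare minimum" would silently be one option short; either add `$(call KCONFIG_ENABLE_OPT,CONFIG_IPV6)` or confirm the dependency and drop CONFIG_XFRM_INTERFACE from the minimum set. The comment `# bare minimum to start charon` would be more useful to the next maintainer if it said where the list comes from, e.g. `# bare minimum to start charon, see https://docs.strongswan.org/docs/latest/install/kernelModules.html`, since the commit message already notes that the full list is larger. The eight options are also in no particular order; listing NET, INET and NETLINK first and the XFRM, AH and ESP entries after would make later additions easier to review.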
@@ -1,46 +0,0 @@
-From dda24815d148b91209ebf2d27e3a7acefe9b6435 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Thu, 9 Oct 2025 11:33:45 +0200
-Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
- the client
-
-For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
-`message_len` to become negative, which is then used in calls to malloc()
-and memcpy() that both take size_t arguments, causing an integer
-underflow.
-
-For 6 and 7, the huge size requested from malloc() will fail (it exceeds
-PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
-fault in memcpy().
-
-However, for 8, the allocation is 0, which succeeds. But then the -1
-passed to memcpy() causes a heap-based buffer overflow (and possibly a
-segmentation fault when attempting to read/write that much data).
-Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
-Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
-overflow and causes the daemon to get aborted immediately instead.
-
-Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
-CVE: CVE-2025-62291
-Upstream: https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32
-Signed-off-by: Waldemar Brodkorb
----
- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-index 21cc95a6a360..35faad2e0bb5 100644
---- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
-@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
- 	data = in->get_data(in);
- 	eap = (eap_mschapv2_header_t*)data.ptr;
- 
--	if (data.len < 3) /* we want at least an error code: E=e */
-+	if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
- 	{
- 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
- 		return FAILED;
--- 
-2.43.0
-
diff --git a/package/strongswan/strongswan.hash b/package/strongswan/strongswan.hash
index f6b16fc8a2a..7a6939b9797 100644
--- a/package/strongswan/strongswan.hash
+++ b/package/strongswan/strongswan.hash
@@ -1,7 +1,7 @@
-# From http://download.strongswan.org/strongswan-5.9.14.tar.bz2.md5
-md5 21ca3fc7c18456405d03b77266ba630a strongswan-5.9.14.tar.bz2
+# From http://download.strongswan.org/strongswan-6.0.4.tar.bz2.md5
+md5 f6b78a99e95179b6a65df218d75da7ca strongswan-6.0.4.tar.bz2
 # Calculated based on the hash above
-sha256 728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678 strongswan-5.9.14.tar.bz2
+sha256 79576bb61b9a406cea9eb73d0c565cc6254a6b6d2e7198f44758d2d7c61a7aec strongswan-6.0.4.tar.bz2
 # Locally calculated
 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
 sha256 2292e21797754548dccdef9eef6aee7584e552fbd890fa914e1de8d3577d23f0 LICENSE
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index d27341a8606..fd46445df3c 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-STRONGSWAN_VERSION = 5.9.14
+STRONGSWAN_VERSION = 6.0.4
 STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
 STRONGSWAN_SITE = http://download.strongswan.org
 STRONGSWAN_LICENSE = GPL-2.0+
@@ -12,8 +12,6 @@ STRONGSWAN_LICENSE_FILES = COPYING LICENSE
 STRONGSWAN_CPE_ID_VENDOR = strongswan
 STRONGSWAN_DEPENDENCIES = host-pkgconf
 STRONGSWAN_INSTALL_STAGING = YES
-# 0001-eap_mschapv2_failure_request_len.patch
-STRONGSWAN_IGNORE_CVES += CVE-2025-62291
 STRONGSWAN_CONF_OPTS += \
 	--without-lib-prefix \
 	--enable-led \

From 94a817a58909e1cfe0c1f63b63754079f1866523 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Wed, 4 Feb 2026 19:05:58 +0100
Subject: [PATCH 4/4] package/asterisk: bump to 22.8.1

See here for Changes:
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.8.1.html
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.8.0.html
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.7.0.html
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-22.6.0.html

Signed-off-by: Waldemar Brodkorb
Signed-off-by: Marcus Hoffmann
---
 package/asterisk/asterisk.hash | 2 +-
 package/asterisk/asterisk.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/asterisk/asterisk.hash b/package/asterisk/asterisk.hash
index 26175667c3b..f1573f65753 100644
--- a/package/asterisk/asterisk.hash
+++ b/package/asterisk/asterisk.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256 8a94650b6f348af1f1c9cce7ed3585d280f3a31b0d3820084a42b03712df95d5 asterisk-22.5.2.tar.gz
+sha256 4f30af0695a0131fc091d85e7b91e22504609434b3fbd263898c7354d41959c9 asterisk-22.8.1.tar.gz
 # Locally computed
 sha256 58bb83cec4d431f48d006e455d821668450f8cf6b6c95f090def47062fa3a60c pjproject-2.15.1.tar.bz2
 
diff --git a/package/asterisk/asterisk.mk b/package/asterisk/asterisk.mk
index 9a071fb8e04..b59f2bf5aab 100644
--- a/package/asterisk/asterisk.mk
+++ b/package/asterisk/asterisk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-ASTERISK_VERSION = 22.5.2
+ASTERISK_VERSION = 22.8.1
 # Use the github mirror: it's an official mirror maintained by Digium, and
 # provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
 ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))