Package: strongswan / 6.0.1-6+deb13u2

Metadata

Package: strongswan
Version: 6.0.1-6+deb13u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
02_disable bypass lan.patch

conf/plugins/bypass-lan.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't load bypass-lan plugin by default


03_systemd service.patch

init/systemd-starter/strongswan-starter.service.in | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 tune the ipsec systemd service file

- add a reload argument
- don't wait on syslog

04_disable libtls tests.patch

src/libtls/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable libtls tests

They're too intensive for the buildd network and cause FTBFS

dont load kernel libipsec plugin by default.patch

conf/plugins/kernel-libipsec.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 dont-load-kernel-libipsec-plugin-by-default


0001 openssl Fix testing KDF_PRF in the constructor with .patch

src/libstrongswan/plugins/openssl/openssl_kdf.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch] openssl: fix testing kdf_prf in the constructor with openssl
 3.5.1

Setting the salt to NULL now fails, so we set it to hash length's zeroes,
which is the default value for HKDF-Extract if no salt is passed.

Fixes strongswan/strongswan#2828

0002 openssl Don t allocate salt if PRF hash is unknown.patch

src/libstrongswan/plugins/openssl/openssl_kdf.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] openssl: don't allocate salt if prf/hash is unknown

This can happen if e.g. AES-XCBC is selected.

Fixes: 2dbeecfc029b ("openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1")

0007 eap mschapv2 Fix length check for Failure Request pa.patch

src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 eap-mschapv2: fix length check for failure request packets on the
 client

For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
`message_len` to become negative, which is then used in calls to malloc()
and memcpy() that both take size_t arguments, causing an integer
underflow.

For 6 and 7, the huge size requested from malloc() will fail (it exceeds