secnet 0.2.0 (major version) and 0.1.18.1 (obsolete, security fixes)
ijackson at chiark.greenend.org.uk
Sat Dec 10 23:23:55 GMT 2011
We are pleased to announce the release of secnet 0.2.0.
This is a fairly major update, including:
* Support for multiple simultaneous udp ports.
* New feature for better supporting "mobile" sites which have
intermittent and/or variable connectivity.
* Improved documentation.
* Many portability fixes, including portability to MacOS X.
* Much general cleanup of the code.
* Some security-related fixes (see below).
We are also releasing an update to the previously current release.
0.1.18.1 contains a number of security fixes:
* Reducing the impact of bogus key setup packets sent by an attacker.
* When dropping privilege, set the group and group list.
* Fix failure to completely wipe a used md5 context struct.
* Fix to a possible format string vulnerability in a call to "slilog".
All of these are in 0.2.0 as well.
We recommend that users upgrade to 0.2.0 if possible. 0.1.18.1 is
provided in case this is not appropriate for some reason (for example,
0.2.0 is found not to work).
0.2.0 should be fully compatible with 0.1.18.1 (and 0.1.18, of course).
Sources and .deb binaries (built on Debian lenny) can be found here:
The git repository is here:
chiark's secnet has already been upgraded to 0.2.0.
More information about the sgo-software-announce