From rjk at terraraq.org.uk Sun Feb 3 12:46:16 2013
From: rjk at terraraq.org.uk (Richard Kettlewell)
Date: Sun, 03 Feb 2013 12:46:16 +0000
Subject: rsbackup 0.4
Message-ID: <510E5C18.4090603@terraraq.org.uk>

I have released rsbackup version 0.4.

Description:

rsbackup is a backup tool that uses rsync to back up your files to
hard disks. It uses rsync's ability to hardlink unchanged files to keep
multiple copies at only the space cost of the directories. Backups may
be taken from multiple machines (over SSH) and stored to multiple disks.

Getting:

http://www.greenend.org.uk/rjk/rsbackup/

Changes in 0.4:

* The new pre-access-hook and post-access-hook options support running
  "hook" scripts before and after any access to backup storage devices.
* The new pre-backup-hook and post-backup-hook options support running
  "hook" scripts before and after a backup. Although these can be used
  for any purpose, the motivation is to enable the creation of LVM
  snapshots of the subject filesystems (and their destruction
  afterwards), resulting in more consistent backups. The supplied hook
  script only knows about the Linux logical volume system.
* The new devices option allows a host or volume to be restricted to a
  subset of devices, identified by a filename glob pattern.
* The new rsync-timeout option allows a time limit to be imposed on a
  backup.
* The new check-file option allows backups of a volume to be suppressed
  when it is not available (for instance, because it is only sometimes
  mounted).
* --verbose (and therefore --dry-run) is now more verbose.
* --text and --html now accept - to write to standard output.
* Improved error reporting.
* Minor bug fixes and portability and build script improvements.
* rsbackup-mount now supports unencrypted devices and separate key
  material files (contributed by Matthew Vernon).

ttfn/rjk

From ijackson at chiark.greenend.org.uk Thu Aug 1 20:32:47 2013
From: ijackson at chiark.greenend.org.uk (Ian Jackson)
Date: Thu, 1 Aug 2013 20:32:47 +0100
Subject: secnet 0.3.0~beta2
Message-ID: <20986.47071.647754.67985@chiark.greenend.org.uk>

I am pleased to announce secnet 0.3.0~beta2.

This is the second beta of secnet 0.3.0, and contains many important
changes from ~beta1. 0.3.0 is a new upstream version with substantial
changes from 0.2.0, including important security fixes.

0.3.0~beta2 can be found here:

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.0~beta2/

If you are able to do so conveniently, please test it. It should be
backwards-compatible with previous versions.

For those on the SGO VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:

+transform eax-serpent { }, serpent256-cbc { }
-transform serpent256-cbc {
- max-sequence-skew 10;
-};

The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet will
automatically negotiate the new "eax-serpent" transform with suitably
capable peers.

For a summary of the changes see the changelog extracts below. For
full details see the git history.

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: RSA public modulus and exponent buffer overflow.
    - SECURITY FIX: Use constant-time memcmp for message authentication.
    - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
    - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
    - SECURITY FIX: Fix site name checking when site name A is prefix of B.
    - SECURITY FIX: Safely reject too-short IP packets.
    - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
    - Better robustness against SLIP decoding errors.
    - Fix bugs which caused routes to sometimes not be advertised.
    - Protocol capability negotiation mechanism.
    - Improvements and fixes to protocol and usage documentation.
    - Other bugfixes and code tidying up.

 -- Ian Jackson Thu, 25 Jul 2013 18:26:01 +0100

secnet (0.3.0~beta1) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
    - Bugfixes relating to packet loss during key exchange.
    - Bugfixes relating to link up/down status.
    - Bugfixes relating to logging.
    - make-secnet-sites made more sophisticated to support two vpns on chiark.
    - Documentation improvements.
    - Build system improvements.
  * Debian packaging improvements:
    - Native package.
    - Maintainer / uploaders.
    - init script requires $remove_fs since we're in /usr.

 -- Ian Jackson Thu, 12 Jul 2012 20:18:16 +0100

Here are the distribution files' SHA-256 checksums:

Ian.
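
Review bot: the added line of the secnet.conf diff in this announcement, "+transform eax-serpent { }, serpent256-cbc { }", has no terminating semicolon, while the stanza it replaces ends with "-};". Put a ";" after the closing brace of "serpent256-cbc { }", as the diff in the beta3 announcement does (that one is marked as corrected since beta2), so that the transform setting in the edited secnet.conf is still terminated.
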

From ijackson at chiark.greenend.org.uk Mon Aug 5 12:08:33 2013
From: ijackson at chiark.greenend.org.uk (Ian Jackson)
Date: Mon, 5 Aug 2013 12:08:33 +0100
Subject: secnet 0.3.0~beta3
Message-ID: <20991.34737.453459.955501@chiark.greenend.org.uk>

I am pleased to announce secnet 0.3.0~beta3.

This is the third beta of secnet 0.3.0. It contains many important
changes from beta1 (and earlier versions of secnet). beta3 contains
one important bugfix since beta2.

0.3.0 is a new upstream version with substantial changes from 0.2.0,
including important security fixes.

0.3.0~beta3 can be found here:

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.0~beta3/

If you are able to do so conveniently, please test it. It should be
backwards-compatible with previous versions.

For those on the SGO VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:

-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent { }, serpent256-cbc { };

(diff corrected since the beta2 announcement).

The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet will
automatically negotiate the new "eax-serpent" transform with suitably
capable peers.

For a summary of the changes see the changelog extracts below. For
full details see the git history.

secnet (0.3.0~beta3) unstable; urgency=low

  * New upstream version.
    - Stability bugfix: properly initialise site's scratch buffer.

 -- Ian Jackson Mon, 05 Aug 2013 11:54:09 +0100

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: RSA public modulus and exponent buffer overflow.
    - SECURITY FIX: Use constant-time memcmp for message authentication.
    - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
    - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
    - SECURITY FIX: Fix site name checking when site name A is prefix of B.
    - SECURITY FIX: Safely reject too-short IP packets.
    - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
    - Better robustness against SLIP decoding errors.
    - Fix bugs which caused routes to sometimes not be advertised.
    - Protocol capability negotiation mechanism.
    - Improvements and fixes to protocol and usage documentation.
    - Other bugfixes and code tidying up.

Here are the distribution files' SHA-256 checksums:

Ian.
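
Review bot: the added line of the secnet.conf diff in this announcement, "+transform eax-serpent { }, serpent256-cbc { };", still lists "serpent256-cbc" even though the text below the diff says that transform has serious security weaknesses, and the removed "max-sequence-skew 10;" setting has no counterpart in the new line. Say next to the diff why the old transform stays in the list and when it can be dropped, and whether leaving out the explicit max-sequence-skew value is intended.
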

From ijackson at chiark.greenend.org.uk Sun Sep 1 20:59:08 2013
From: ijackson at chiark.greenend.org.uk (Ian Jackson)
Date: Sun, 1 Sep 2013 20:59:08 +0100
Subject: secnet 0.3.0
Message-ID: <21027.40076.682619.623918@chiark.greenend.org.uk>

I am pleased to announce secnet 0.3.0.

0.3.0 is a new upstream version with substantial changes from 0.2.1,
including important security and stability fixes. It is
backwards-compatible with previous versions. You are advised to
upgrade.

For those on the SGO VPN: chiark is already running this version.

secnet 0.3.0 can be found here:

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.0/

When you have upgraded, you should make a change to your secnet.conf
file, as follows:

-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent { }, serpent256-cbc { };

The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet will
automatically negotiate the new "eax-serpent" transform with suitably
capable peers.

The changes between 0.2.1 and 0.3.0 are too extensive to list here,
but here is a summary of the most important changes:

* New EAX-based encryption (old transform was insecure)
* Eliminate many remotely-triggerable DOS bugs
* New "mobile sites" feature for sites with unstable public addresses
* Many bugfixes

For full details see the git history.

There are no code changes from 0.3.0~beta3 to 0.3.0.

Here are the distribution files' SHA-256 checksums: