secnet 0.3.0~beta2

Ian Jackson ijackson at
Thu Aug 1 20:32:47 BST 2013

I am pleased to announce secnet 0.3.0~beta2.  This is the second beta
of secnet 0.3.0, and contains many important changes from ~beta1.

0.3.0 is a new upstream version with substantial changes from 0.2.0,
including important security fixes.  0.3.0~beta2 can be found here:

If you are able to do so conveniently, please test it.  It should be
backwards-compatible with previous versions.  For those on the SGO
VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:
  +transform eax-serpent { }, serpent256-cbc { }
  -transform serpent256-cbc {
  -       max-sequence-skew 10;
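
Review bot: the added "transform" line still lists serpent256-cbc as a second entry, so the transform described here as having serious security weaknesses remains available to any peer that does not negotiate eax-serpent; once every peer supports eax-serpent, remove it from the list. The removed lines also show no closing brace for the old block, and "max-sequence-skew 10;" is not carried into either of the new "{ }" bodies, so check that the closing line goes too and that the default skew is what you want.
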
The previously-specified transform "serpent256-cbc" has serious
security weaknesses.  If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.

For a summary of the changes see the changelog extracts below.  For
full details see the git history.

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: RSA public modulus and exponent buffer overflow.
   - SECURITY FIX: Use constant-time memcmp for message authentication.
   - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
   - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
   - SECURITY FIX: Fix site name checking when site name A is prefix of B.
   - SECURITY FIX: Safely reject too-short IP packets.
   - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
   - Better robustness against SLIP decoding errors.
   - Fix bugs which caused routes to sometimes not be advertised.
   - Protocol capability negotiation mechanism.
   - Improvements and fixes to protocol and usage documentation.
   - Other bugfixes and code tidying up.

 -- Ian Jackson <ijackson at>  Thu, 25 Jul 2013 18:26:01 +0100

secnet (0.3.0~beta1) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
   - Bugfixes relating to packet loss during key exchange.
   - Bugfixes relating to link up/down status.
   - Bugfixes relating to logging.
   - make-secnet-sites made more sophisticated to support two vpns on chiark.
   - Documentation improvements.
   - Build system improvements.
  * Debian packaging improvements:
   - Native package.
   - Maintainer / uploaders.
   - init script requires $remove_fs since we're in /usr.

 -- Ian Jackson <ijackson at>  Thu, 12 Jul 2012 20:18:16 +0100

Here are the distribution files' SHA-256 checksums:

fd93b3ed7908fab79ed94801a1801115fffedbea8b79a23185a08fe33d7b722b  secnet_0.3.0~beta2.dsc
8092794e530175c0504c6b6c764a38e4c4aed53ae63b33a0cb609c90059f8a44  secnet_0.3.0~beta2.tar.gz
cc01edea50676911bdc9ef1231f9a171485b8dc2be61fbc02212ca9dd7fe67e1  secnet_0.3.0~beta2_i386.changes
75aad7ba2c6f1669ab0c3412d4f49b7de284975648c4b5425a4ac175b37d863c  secnet_0.3.0~beta2_i386.deb
