secnet 0.3.0~beta2
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Aug 1 20:32:47 BST 2013

I am pleased to announce secnet 0.3.0~beta2. This is the second beta
of secnet 0.3.0, and contains many important changes from ~beta1.
0.3.0 is a new upstream version with substantial changes from 0.2.0,
including important security fixes.

0.3.0~beta2 can be found here:
  http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
  http://www.chiark.greenend.org.uk/~secnet/release/0.3.0~beta2/

If you are able to do so conveniently, please test it. It should be
backwards-compatible with previous versions. For those on the SGO
VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:

+transform eax-serpent { }, serpent256-cbc { }
-transform serpent256-cbc {
- max-sequence-skew 10;
-};
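
Review bot: the + line still lists serpent256-cbc, the transform this message describes as having serious security weaknesses, so a peer that cannot do eax-serpent will presumably still end up on it; the instructions should say that this entry is kept only for compatibility and should be dropped once every peer has upgraded. The removed block also set max-sequence-skew 10, while both transforms on the new line have empty braces, so it would help to state whether the default skew is intended or whether sites that relied on that value need to carry it over.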

The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.

For a summary of the changes see the changelog extracts below. For
full details see the git history.

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: RSA public modulus and exponent buffer overflow.
    - SECURITY FIX: Use constant-time memcmp for message authentication.
    - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
    - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
    - SECURITY FIX: Fix site name checking when site name A is prefix of B.
    - SECURITY FIX: Safely reject too-short IP packets.
    - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
    - Better robustness against SLIP decoding errors.
    - Fix bugs which caused routes to sometimes not be advertised.
    - Protocol capability negotiation mechanism.
    - Improvements and fixes to protocol and usage documentation.
    - Other bugfixes and code tidying up.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 25 Jul 2013 18:26:01 +0100

secnet (0.3.0~beta1) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
    - Bugfixes relating to packet loss during key exchange.
    - Bugfixes relating to link up/down status.
    - Bugfixes relating to logging.
    - make-secnet-sites made more sophisticated to support two vpns on chiark.
    - Documentation improvements.
    - Build system improvements.
  * Debian packaging improvements:
    - Native package.
    - Maintainer / uploaders.
    - init script requires $remove_fs since we're in /usr.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 12 Jul 2012 20:18:16 +0100

Here are the distribution files' SHA-256 checksums:
fd93b3ed7908fab79ed94801a1801115fffedbea8b79a23185a08fe33d7b722b secnet_0.3.0~beta2.dsc
8092794e530175c0504c6b6c764a38e4c4aed53ae63b33a0cb609c90059f8a44 secnet_0.3.0~beta2.tar.gz
d9cbbf9a3b378b21a5c39086f3ef1d9c8cccead57152cbff64534fe46725ead3 secnet_0.3.0~beta2_i386.build
cc01edea50676911bdc9ef1231f9a171485b8dc2be61fbc02212ca9dd7fe67e1 secnet_0.3.0~beta2_i386.changes
75aad7ba2c6f1669ab0c3412d4f49b7de284975648c4b5425a4ac175b37d863c secnet_0.3.0~beta2_i386.deb

Ian.