secnet 0.3.0~beta2

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Aug 1 20:32:47 BST 2013


I am pleased to announce secnet 0.3.0~beta2.  This is the second beta
of secnet 0.3.0, and contains many important changes from ~beta1.

0.3.0 is a new upstream version with substantial changes from 0.2.0,
including important security fixes.  0.3.0~beta2 can be found here:

 http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
 http://www.chiark.greenend.org.uk/~secnet/release/0.3.0~beta2/

If you are able to do so conveniently, please test it.  It should be
backwards-compatible with previous versions.  For those on the SGO
VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:
  +transform eax-serpent { }, serpent256-cbc { }
  -transform serpent256-cbc {
  -       max-sequence-skew 10;
  -};
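Review bot: the `+transform eax-serpent { }, serpent256-cbc { }` line has no terminating `;`, although the stanza it replaces ends with `};`; show the terminator on the `+` line so the change can be pasted into secnet.conf as written. The removed stanza also set `max-sequence-skew 10;`, while the replacement gives both transforms an empty `{ }` body, so it would help to state that dropping that setting is intended.
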
The previously-specified transform "serpent256-cbc" has serious
security weaknesses.  If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.

For a summary of the changes see the changelog extracts below.  For
full details see the git history.


secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: RSA public modulus and exponent buffer overflow.
   - SECURITY FIX: Use constant-time memcmp for message authentication.
   - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
   - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
   - SECURITY FIX: Fix site name checking when site name A is prefix of B.
   - SECURITY FIX: Safely reject too-short IP packets.
   - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
   - Better robustness against SLIP decoding errors.
   - Fix bugs which caused routes to sometimes not be advertised.
   - Protocol capability negotiation mechanism.
   - Improvements and fixes to protocol and usage documentation.
   - Other bugfixes and code tidying up.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 25 Jul 2013 18:26:01 +0100

secnet (0.3.0~beta1) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
   - Bugfixes relating to packet loss during key exchange.
   - Bugfixes relating to link up/down status.
   - Bugfixes relating to logging.
   - make-secnet-sites made more sophisticated to support two vpns on chiark.
   - Documentation improvements.
   - Build system improvements.
  * Debian packaging improvements:
   - Native package.
   - Maintainer / uploaders.
   - init script requires $remove_fs since we're in /usr.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 12 Jul 2012 20:18:16 +0100

Here are the distribution files' SHA-256 checksums:

fd93b3ed7908fab79ed94801a1801115fffedbea8b79a23185a08fe33d7b722b  secnet_0.3.0~beta2.dsc
8092794e530175c0504c6b6c764a38e4c4aed53ae63b33a0cb609c90059f8a44  secnet_0.3.0~beta2.tar.gz
d9cbbf9a3b378b21a5c39086f3ef1d9c8cccead57152cbff64534fe46725ead3  secnet_0.3.0~beta2_i386.build
cc01edea50676911bdc9ef1231f9a171485b8dc2be61fbc02212ca9dd7fe67e1  secnet_0.3.0~beta2_i386.changes
75aad7ba2c6f1669ab0c3412d4f49b7de284975648c4b5425a4ac175b37d863c  secnet_0.3.0~beta2_i386.deb

Ian.