ijackson at chiark.greenend.org.uk
Sat May 3 19:10:00 BST 2014
-----BEGIN PGP SIGNED MESSAGE-----
I am pleased to announce secnet 0.3.1~beta2. This is the 2nd beta of
0.3.1 contains bugfixes, including some security fixes to
vulnerabilities which are exposed to internal vpn traffic. It also
has a new feature intended to help with underlying network with broken
handling of large packets.
0.3.1~beta2 contains a bugfix to 0.3.1~beta1. The fix is important
for point-to-point links when the new mtu-target feature is in use (or
with point-to-point links in other mixed-mtu situations).
One symptom of this bug is broken path mtu discovery (resulting in TCP
hanging) when a new (0.3.1~beta) secnet with a low mtu target talks to
an old secnet (one without mtu negotiation, 0.3.0 and earlier).
The bugfix is not important in non-point-to-point configurations -
i.e. when the secnet instance has its own IP address.
0.3.1~beta2 can be found here:
If you are able to do so conveniently, please test it. It should be
backwards-compatibile with previous versions. For those on the SGO
VPN: chiark is already running this version.
For a summary of the changes see the changelog extracts below. For
full details see the git history.
secnet (0.3.1~beta2) unstable; urgency=low
Fix relating to new fragmentation / ICMP functionality:
* Generate ICMP packets correctly in point-to-point configurations.
-- Ian Jackson <ijackson at chiark.greenend.org.uk> Sat, 03 May 2014 18:58:09 +0100
secnet (0.3.1~beta1) unstable; urgency=low
Security fixes (vulnerabilities are to inside attackers only):
* SECURITY: Fixes to MTU and fragmentation handling.
* SECURITY: Correctly set "unused" ICMP header field.
* SECURITY: Fix IP length check not to crash on very short packets.
* Make the inter-site MTU configurable, and negotiate it with the peer.
* Fix netlink SEGV on clientless netlinks (i.e. configuration error).
* Fix formatting error in p-t-p startup message.
* Do not send ICMP errors in response to unknown incoming ICMP.
* Fix formatting error in secnet.8 manpage.
* Internal code rearrangements and improvements.
* Updates to release checklist in Makefile.in.
* Additions to the test-example suite.
-- Ian Jackson <ijackson at chiark.greenend.org.uk> Thu, 01 May 2014 19:02:56 +0100
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the sgo-software-announce