secnet 0.3.0~beta3
Ian Jackson
ijackson at chiark.greenend.org.uk
Mon Aug 5 12:08:33 BST 2013
I am pleased to announce secnet 0.3.0~beta3. This is the third beta
of secnet 0.3.0. It contains many important changes from beta1 (and
earlier versions of secnet). beta3 contains one important bugfix
since beta2.

0.3.0 is a new upstream version with substantial changes from 0.2.0,
including important security fixes. 0.3.0~beta3 can be found here:

http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.0~beta3/

If you are able to do so conveniently, please test it. It should be
backwards-compatible with previous versions. For those on the SGO
VPN: chiark is already running this version.

When you have upgraded, you should make a change to your secnet.conf
file, as follows:

-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent { }, serpent256-cbc { };
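
Review bot: the added line still lists "serpent256-cbc { }" as a second entry, so a peer that is not capable of eax-serpent will keep using the transform this announcement describes as having serious security weaknesses; once every peer has been upgraded, drop the fallback so that only "eax-serpent { }" remains. The explicit "max-sequence-skew 10;" is also removed and neither transform is given a value in its braces, so if that setting had been tuned deliberately it should be carried over into the new entries.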

(diff corrected since the beta2 announcement).

The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.

For a summary of the changes see the changelog extracts below. For
full details see the git history.

secnet (0.3.0~beta3) unstable; urgency=low

  * New upstream version.
    - Stability bugfix: properly initialise site's scratch buffer.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Mon, 05 Aug 2013 11:54:09 +0100

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
    - SECURITY FIX: RSA public modulus and exponent buffer overflow.
    - SECURITY FIX: Use constant-time memcmp for message authentication.
    - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
    - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
    - SECURITY FIX: Fix site name checking when site name A is prefix of B.
    - SECURITY FIX: Safely reject too-short IP packets.
    - Better robustness for mobile sites (proper use of NAKs, new PROD msg).
    - Better robustness against SLIP decoding errors.
    - Fix bugs which caused routes to sometimes not be advertised.
    - Protocol capability negotiation mechanism.
    - Improvements and fixes to protocol and usage documentation.
    - Other bugfixes and code tidying up.

Here are the distribution files' SHA-256 checksums:
dcfd6ca710717ead334e5553adc3f5e9f9562d87f588fa4bb560230fdfd61d2c secnet_0.3.0~beta3.dsc
791a87440875be9f8bfee97bf5ef34c329838d2316d5ecf072f2173bb9800a41 secnet_0.3.0~beta3.tar.gz
748225d895b7a97cedd21cd68d79caea58bcd16212c48de184f26a6840182800 secnet_0.3.0~beta3_i386.build
f282504bb6437ef9e7031b3ae6a5d2ae2acd51f6d4abda4948b0265c04ac7ccf secnet_0.3.0~beta3_i386.changes
63e55bae87747836e1eaae92478f7a36aaa2521edfec41e308f1ed82408d84e9 secnet_0.3.0~beta3_i386.deb
Ian.