secnet 0.3.1~beta2
Ian Jackson
ijackson at chiark.greenend.org.uk
Sat May 3 19:10:00 BST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I am pleased to announce secnet 0.3.1~beta2. This is the 2nd beta of
secnet 0.3.1.

0.3.1 contains bugfixes, including some security fixes to
vulnerabilities which are exposed to internal vpn traffic. It also
has a new feature intended to help with underlying networks with broken
handling of large packets.

0.3.1~beta2 contains a bugfix to 0.3.1~beta1. The fix is important
for point-to-point links when the new mtu-target feature is in use (or
with point-to-point links in other mixed-mtu situations).

One symptom of this bug is broken path mtu discovery (resulting in TCP
hanging) when a new (0.3.1~beta) secnet with a low mtu target talks to
an old secnet (one without mtu negotiation, 0.3.0 and earlier).

The bugfix is not important in non-point-to-point configurations -
i.e. when the secnet instance has its own IP address.

0.3.1~beta2 can be found here:
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.1~beta2/

If you are able to do so conveniently, please test it. It should be
backwards-compatible with previous versions. For those on the SGO
VPN: chiark is already running this version.

For a summary of the changes see the changelog extracts below. For
full details see the git history.

secnet (0.3.1~beta2) unstable; urgency=low

  Fix relating to new fragmentation / ICMP functionality:
  * Generate ICMP packets correctly in point-to-point configurations.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk> Sat, 03 May 2014 18:58:09 +0100

secnet (0.3.1~beta1) unstable; urgency=low

  Security fixes (vulnerabilities are to inside attackers only):
  * SECURITY: Fixes to MTU and fragmentation handling.
  * SECURITY: Correctly set "unused" ICMP header field.
  * SECURITY: Fix IP length check not to crash on very short packets.

  New feature:
  * Make the inter-site MTU configurable, and negotiate it with the peer.

  Bugfixes etc.:
  * Fix netlink SEGV on clientless netlinks (i.e. configuration error).
  * Fix formatting error in p-t-p startup message.
  * Do not send ICMP errors in response to unknown incoming ICMP.
  * Fix formatting error in secnet.8 manpage.
  * Internal code rearrangements and improvements.

  Packaging improvements:
  * Updates to release checklist in Makefile.in.
  * Additions to the test-example suite.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk> Thu, 01 May 2014 19:02:56 +0100
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----