secnet 0.3.3 - IMPORTANT SECURITY FIX - CORRECTION

Ian Jackson ijackson at chiark.greenend.org.uk
Sat Sep 20 00:50:00 BST 2014



(Correction: the previous message body was erroneously a copy of the
0.3.3~beta1 announcement.  Here is the right message:)


I am pleased (though less than usually so) to announce secnet 0.3.3.

I am releasing 0.3.3 immediately because I have discovered a serious
security bug.  This bug is a buffer overflow on incoming packets on
the public network and may be exploitable by adversaries outside the
VPN.

This bug is fixed in 0.3.3.  Everyone should upgrade ASAP.


0.3.3 also contains a bugfix relevant on sites with the
now-conventional `ipaddr.py' Python module (as found in Debian's
python-ipaddr package): on such systems earlier versions of
make-secnet-sites would fail.

This bugfix is going to be important in the future: a version of
secnet capable of transport over IPv6 is in the works, and that will
have a dependency on the conventional modern ipaddr module.  0.3.3 is
provided in part to make the upgrade transition easier.

Finally, 0.3.3 has minor improvements to mobile site transport address
handling and a minor build system improvement.


0.3.3 can be found here:

 http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
 http://www.chiark.greenend.org.uk/~secnet/release/0.3.3/

0.3.3 should be backwards-compatible with previous versions.  For
those on the SGO VPN: chiark is currently running an equivalent
version.

For a summary of the changes see the changelog extract below.  For
full details see the git history.


If you are upgrading from pre-0.3 secnet, you should make a change to
your secnet.conf file, as follows:
  -transform serpent256-cbc {
  -	max-sequence-skew 10;
  -};
  +transform eax-serpent { }, serpent256-cbc { };
 
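Review bot: the `+transform` line still lists `serpent256-cbc { }` as a second choice, so a link can still end up on the transform this announcement describes as having serious security weaknesses when the peer is not capable of `eax-serpent`. That fallback is needed while pre-0.3 peers remain, but it is worth saying so next to the change and suggesting that sites drop the `serpent256-cbc { }` entry once every peer has been upgraded. The hunk also removes `max-sequence-skew 10;` without comment, leaving both transforms with empty option blocks; a sentence confirming that the default is intended would help.
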
The previously-specified transform "serpent256-cbc" has serious
security weaknesses.  If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.

secnet (0.3.3) unstable; urgency=high

  SECURITY FIXES:
  * Pass correct size argument to recvfrom.  This is a serious security
    problem which may be exploitable from outside the VPN.
  * Fix a memory leak in some error logging.

  Other related fixes:
  * Two other latent bugs in buffer length handling found and fixed.
  * Non-critical stylistic improvements to buffer length handling, to make
    the code clearer and to assist audit.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Fri, 19 Sep 2014 23:50:45 +0100

secnet (0.3.3~beta1) unstable; urgency=low

  Installation compatibility fix:
  * In make-secnet-sites, always use our own ipaddr.py even if the
    incompatible modern ipaddr.py is installed (eg via python-ipaddr.deb).
    (Future versions of secnet are going to need that Python module to be
    installed.)

  For links involving mobile sites:
  * Use source of NAK packets as hint for peer transport address.
  * When initiating rekey, make use of data transport peer addresses.

  Build fix:
  * Provide clean target in test-example/Makefile.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Fri, 19 Sep 2014 00:11:44 +0100


a017bcb11f93bab5bbd12f6ec4ad372853ec182156f8917b0c0f3abea4cf2902  secnet-0.3.3.tar.gz
83d95e2dc908bf975e4e2a4164ac3f548cba52d9892d3ff7f575bb5c557d1004  secnet-0.3.3.tar.gz.sig
447e73e2b258d4345f1b70d2437c419569fe8e05c58bf01931511242d1118122  secnet_0.3.3_i386.deb



More information about the sgo-software-announce mailing list