secnet 0.3.4 - *FIXED* IMPORTANT SECURITY FIX
Ian Jackson
ijackson at chiark.greenend.org.uk
Mon Sep 22 16:40:02 BST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I am chagrined to announce secnet 0.3.4.
The security fix in 0.3.3 is itself buggy. 0.3.4 contains a corrected
version. Thanks to Simon Tatham for discovering the bug and proposing
a patch, which I have adopted (after review and testing).
Also, it is probably worth mentioning that the bug which was wrongly
fixed in 0.3.3 and is (hopefully) correctly fixed in 0.3.4 was
introduced by me in commit 6af9a984 and first released in 0.3.0~beta1.
Everyone running 0.3.0~beta1 or later should upgrade ASAP.
Anyone running an earlier version should definitely upgrade anyway
because versions before 0.3.0 (final) are affected by numerous other
security-relevant bugs, including several buffer overruns and a
trivially-remotely-triggerable NAK storm.
0.3.4 can be found here:
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.3.4/
0.3.4 should be backwards-compatible with previous versions. For
those on the SGO VPN: chiark is currently running an equivalent
version.
For a summary of the changes see the changelog extract below. For
full details see the git history.
If you are upgrading from pre-0.3 secnet, you should make a change to
your secnet.conf file, as follows:
-transform serpent256-cbc {
- max-sequence-skew 10;
-};
+transform eax-serpent { }, serpent256-cbc { };
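Review bot: the hunk drops the `max-sequence-skew 10;` setting together with the old `serpent256-cbc { ... }` block, but the explanation that follows only covers the weakness of the "serpent256-cbc" transform. It would help upgraders to say whether the skew limit is no longer needed, is covered by a default, or should be re-specified inside the new `{ }` bodies of `transform eax-serpent { }, serpent256-cbc { };`.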
The previously-specified transform "serpent256-cbc" has serious
security weaknesses. If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.
secnet (0.3.4) unstable; urgency=low

  SECURITY FIX:

  * The previous security fix to buffer handling was entirely wrong.  This
    one is better.  Thanks to Simon Tatham for the report and the patch.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Mon, 22 Sep 2014 16:16:11 +0100
dc12efba03952682361ec6684ebb6f4b69f4c1226722920d9ab51db51ba5937f secnet_0.3.4_i386.deb
1cfd5bf28f033cc7fc53bbfc05f8c1a289e5f0d6f215a1985bdcfdf03c6cb9c5 secnet-0.3.4.tar.gz
9899aa59f69d930e2e94ba48cad2a33a3346f60c6e2ef19a80bb7257638c839a secnet-0.3.4.tar.gz.sig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJUIEK7AAoJEOPjOSNItQ05HxIIAMgz6DRIFuB8EhOTz304ELbJ
x3k7bEH5zLkOZwLo9OSMaM6Yscm6GjZkVHHTmqaQ9sfgVwbU+PYu8POZWo1s6N1Q
5jxgQHNmSWGWPr+NpZo62wRcvl1nhpL+/ycJpd+v7yiMA16ODI2776IaH5wEk/Dp
Zb9lf6x26+Kai0Q8lNKyPHXmVU+eCom8hlq6i0dgPj/XRFGrwqsYt1gSa2wvUamx
NVuYWIjxED+MZFwAUulnHapONTFIe3rvTRCFrGvdi5eWDohdSugXK2eOAa8ERHtL
jvg/fK0NtoLbhe5+wtaDRvFvKKWG++fzE8MdBIVJDICslwXsq0yQWzfD+a18A4I=
=E3FT
-----END PGP SIGNATURE-----
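The announcement publishes SHA256 sums for the release files. The following script is an added example, not part of the announcement or of secnet itself; it copies those sums into a constructed sums file and checks a downloaded file against them before installation. The function names (sha256_of, check_sha256, check_release_file) are this example's own, and it assumes either sha256sum or shasum is on the PATH.

```shell
#!/bin/sh
# Added example (not part of Ian Jackson's announcement or of secnet):
# verify a downloaded release file against the SHA256 sums published in the
# signed announcement before installing it.

# Published sums, copied from the announcement into a constructed sums list
# (one "<hex digest> <file name>" pair per line, as sha256sum prints them).
RELEASE_SUMS='dc12efba03952682361ec6684ebb6f4b69f4c1226722920d9ab51db51ba5937f secnet_0.3.4_i386.deb
1cfd5bf28f033cc7fc53bbfc05f8c1a289e5f0d6f215a1985bdcfdf03c6cb9c5 secnet-0.3.4.tar.gz
9899aa59f69d930e2e94ba48cad2a33a3346f60c6e2ef19a80bb7257638c839a secnet-0.3.4.tar.gz.sig'

# Print the lowercase hex SHA256 digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file against an expected hex digest.
# Returns 0 on match, 1 on mismatch or if the file cannot be hashed.
check_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ]
}

# Look up the published sum for a release file name and check the file of
# that name in the current directory.
# Returns 0 if it matches, 1 on mismatch, 2 if the name or file is unknown.
check_release_file() {
    name=$1
    expected=$(printf '%s\n' "$RELEASE_SUMS" | awk -v n="$name" '$2 == n {print $1}')
    if [ -z "$expected" ]; then
        echo "$name: no published sum in the announcement" >&2
        return 2
    fi
    if [ ! -f "$name" ]; then
        echo "$name: file not found" >&2
        return 2
    fi
    if check_sha256 "$name" "$expected"; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: SHA256 MISMATCH, do not install" >&2
    return 1
}
```

Run it from the directory holding the downloads, e.g. `check_release_file secnet-0.3.4.tar.gz`. A matching sum only proves the file is the one the announcement lists; checking that the announcement itself is genuine is the job of the PGP signature on the message (and of `gpg --verify` on the separate `.sig` file for the tarball), which this script does not replace.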