secnet 0.3.4 - *FIXED* IMPORTANT SECURITY FIX

Ian Jackson ijackson at chiark.greenend.org.uk
Mon Sep 22 16:40:02 BST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I am chagrined to announce secnet 0.3.4.

The security fix in 0.3.3 is itself buggy.  0.3.4 contains a corrected
version.  Thanks to Simon Tatham for discovering the bug and proposing
a patch, which I have adopted (after review and testing).


Also, it is probably worth mentioning that the bug which was wrongly
fixed in 0.3.3 and is (hopefully) correctly fixed in 0.3.4 was
introduced by me in commit 6af9a984 and first released in 0.3.0~beta1.
Everyone running 0.3.0~beta1 or later should upgrade ASAP.

Anyone running an earlier version should definitely upgrade anyway
because versions before 0.3.0 (final) are affected by numerous other
security-relevant bugs, including several buffer overruns and a
trivially-remotely-triggerable NAK storm.


0.3.4 can be found here:

 http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
 http://www.chiark.greenend.org.uk/~secnet/release/0.3.4/

0.3.4 should be backwards-compatible with previous versions.  For
those on the SGO VPN: chiark is currently running an equivalent
version.

For a summary of the changes see the changelog extract below.  For
full details see the git history.


If you are upgrading from pre-0.3 secnet, you should make a change to
your secnet.conf file, as follows:
  -transform serpent256-cbc {
  -	max-sequence-skew 10;
  -};
  +transform eax-serpent { }, serpent256-cbc { };
 
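Review bot: the replacement line drops the "max-sequence-skew 10;" setting rather than carrying it into the new "eax-serpent { }" and "serpent256-cbc { }" blocks, so after this change both transforms run with whatever default skew secnet applies instead of the explicit value of 10; if that is intended, it would help upgraders to say so next to the diff.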
The previously-specified transform "serpent256-cbc" has serious
security weaknesses.  If you make this change, your new secnet
will automatically negotiate the new "eax-serpent" transform with
suitably capable peers.


secnet (0.3.4) unstable; urgency=low

  SECURITY FIX:
  * The previous security fix to buffer handling was entirely wrong.  This
    one is better.  Thanks to Simon Tatham for the report and the patch.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Mon, 22 Sep 2014 16:16:11 +0100

dc12efba03952682361ec6684ebb6f4b69f4c1226722920d9ab51db51ba5937f  secnet_0.3.4_i386.deb
1cfd5bf28f033cc7fc53bbfc05f8c1a289e5f0d6f215a1985bdcfdf03c6cb9c5  secnet-0.3.4.tar.gz
9899aa59f69d930e2e94ba48cad2a33a3346f60c6e2ef19a80bb7257638c839a  secnet-0.3.4.tar.gz.sig
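The three sums above are what a downloader should check a release file against before installing it. The following is an added example, not part of the announcement or of secnet itself: a small POSIX shell script that looks up the published sum for a release file name (the list is copied verbatim from the announcement), computes the file's SHA-256 with sha256sum (or shasum on BSD/macOS, both assumed to be installed) and refuses the file on a mismatch. The function names verify_sha256, expected_sum and verify_release are this example's own.

```shell
#!/bin/sh
# Added example (not from the secnet announcement): verify a downloaded
# release file against a SHA-256 sum published in the announcement.
# Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is available.

# Sums and file names copied from the announcement above.
SECNET_SUMS='dc12efba03952682361ec6684ebb6f4b69f4c1226722920d9ab51db51ba5937f  secnet_0.3.4_i386.deb
1cfd5bf28f033cc7fc53bbfc05f8c1a289e5f0d6f215a1985bdcfdf03c6cb9c5  secnet-0.3.4.tar.gz
9899aa59f69d930e2e94ba48cad2a33a3346f60c6e2ef19a80bb7257638c839a  secnet-0.3.4.tar.gz.sig'

# sha256_of FILE -> print the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> status 0 if the file's sum matches.
# The expected value is lower-cased first so a pasted upper-case sum works.
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# expected_sum NAME -> print the published sum for NAME, fail if unknown.
expected_sum() {
    printf '%s\n' "$SECNET_SUMS" |
        awk -v name="$1" '$2 == name { print $1; found = 1 } END { exit !found }'
}

# verify_release NAME -> check NAME in the current directory against the
# published list; non-zero status (and a message) on any problem.
# Usage: verify_release secnet-0.3.4.tar.gz
verify_release() {
    sum=$(expected_sum "$1") || { echo "no published sum for $1" >&2; return 1; }
    if verify_sha256 "$1" "$sum"; then
        echo "$1: OK"
    else
        echo "$1: SHA-256 MISMATCH, do not install" >&2
        return 1
    fi
}
```

The sum only proves the download matches what was posted; the .sig file is what ties the tarball to the signing key, so after the sums check out the tarball should also be checked with gpg --verify secnet-0.3.4.tar.gz.sig secnet-0.3.4.tar.gz against a key obtained independently of the download site.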
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJUIEK7AAoJEOPjOSNItQ05HxIIAMgz6DRIFuB8EhOTz304ELbJ
x3k7bEH5zLkOZwLo9OSMaM6Yscm6GjZkVHHTmqaQ9sfgVwbU+PYu8POZWo1s6N1Q
5jxgQHNmSWGWPr+NpZo62wRcvl1nhpL+/ycJpd+v7yiMA16ODI2776IaH5wEk/Dp
Zb9lf6x26+Kai0Q8lNKyPHXmVU+eCom8hlq6i0dgPj/XRFGrwqsYt1gSa2wvUamx
NVuYWIjxED+MZFwAUulnHapONTFIe3rvTRCFrGvdi5eWDohdSugXK2eOAa8ERHtL
jvg/fK0NtoLbhe5+wtaDRvFvKKWG++fzE8MdBIVJDICslwXsq0yQWzfD+a18A4I=
=E3FT
-----END PGP SIGNATURE-----