secnet 0.5.0 - SECURITY UPDATE

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Oct 24 19:25:29 BST 2019 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It is a mixed pleasure to announce secnet 0.5.0.

secnet 0.5.0 contains critical SECURITY FIXES for make-secnet-sites.

Everyone who is using make-secnet-sites on not-completely-trusted
input must upgrade before they next run make-secnet-sites.

This release also contains some refactoring changes in secnet itself -
but it also contains new tests run as part of `make check'.  I have
not provided a backport of the make-secnet-sites changes to earlier
versions, although that might be possible if someone needs it.

0.5.0 can be found here:
  http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
  http://www.chiark.greenend.org.uk/~secnet/release/0.5.0/

SHA-256 checksums are listed below.

The .deb is from Debian amd64 stretch (oldstable) and should work on
more recent versions of Debian.


secnet (0.5.0) unstable; urgency=medium

  make-secnet-sites SECURITY FIX:
  * Do not blindly trust inputs; instead, check the syntax for sanity.
    Previous releases can be induced to run arbitrary code as the user
    invoking secnet (which might be root), if a secnet sites.conf is used
    that was generated from an untrustworthy sites file.
  * The userv invocation mode of make-secnet-sites seems to have been safe
    in itself, but it previously allowed hazardous data to be propagated
    into the master sites file.  This is now prevented too.

  make-secnet-sites overhaul work:
  * make-secnet-sites is now in the common subset of Python2 and Python3.
    The #! is python3 now, but it works with Python2.7 too.
    It will probably *not* work with old versions of Python2.
  * We no longer depend on the obsolete `ipaddr' library.  We use
    `ipaddress' now.  And this is onlo a Recommends in the .deb.
  * Ad-hoc argument parser been replaced with `argparse'.
    There should be no change to existing working invocations.
  * Bad address syntax error does not wrongly mention IPv6 scopes.
  * Minor refactoring to support forthcoming work.  [Mark Wooding]

  other bugfixes, improvements and changes to secnet itself:
  * Better logging of why we are sending NAK messages.
  * Correctly use the verified copy of the peer remote capabilities
    from MSG3.  (Bug is not a vulnerability.)    [Mark Wooding]
  * Significant internal rearrangements and refactorings, to support
    forthcoming key management work.  [Mark Wooding and Ian Jackson]

  build system etc.:
  * Completely overhaul release checklist; drop dist target.
  * Remove dependency on `libfl.a'.  [Mark Wooding]
  * polypath.c: Fix missing include of <limits.h>.  [Mark Wooding]
  * Add a Wireshark dissector `secnet-wireshark.lua'.  It is not
    installed anywhere right now.  [Mark Wooding]

  documentation:
  * Improve documentation of capability negotiation in NOTES, secnet(8)
    and magic.h.  [Mark Wooding]

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 24 Oct 2019 19:11:54 +0100



f54106470a4b42159be2a83492aaa14416f5d03eaf86e39371046dc3cdac9ace  secnet_0.5.0.dsc
4519bfee367983d6c9b1ec23541b3f13952ae1736924abddf6172f7c2c693d4b  secnet_0.5.0.tar.gz
5927ac63c1c3c1e148d5a336bf2794112775a1319218de79e8d1049c7a4774ee  secnet-dbgsym_0.5.0_amd64.deb
d4aef86744f7eee0102a9da3a761d67c5ee57e3e5c21346e9a45d6d268cf927e  secnet_0.5.0_amd64.buildinfo
4e6f143c2d551781e5b961623bd5099e6e5eee5e18de78985ee157dc563400f5  secnet_0.5.0_amd64.deb
09789d6787a94d8001e93aacbe7144fd61620ea2aa61dc54f7b402edc9208ef5  secnet_0.5.0_multi.changes
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEVZrkbC1rbTJl58uh4+M5I0i1DTkFAl2x6+8ACgkQ4+M5I0i1
DTmE9wf+I7+niYr+JgkVTS2u0BM5qYsZrIj69D5TTGt1REACp1kc/M2XP6AHVdfF
3XqxaNEryv29rUXubAgr4CPw2GW2684WRZZ8h7mblFACuioMEDWMjg3HVxlwkQEc
0QpJQVHOWELZJhUCPPWV/Th0kQNWxEF6ugv8VYz7dhZcrNtWyYOOWnIoYmMnihRi
p7/78IxG5xRBnVzXTn7PFpVY8L9eklgwKUXGruVuDUanTTrGNWr9Uyj8gOQ9MjpZ
ottIDY6B++RXujLLH/s7MaRANN5altu3kR95PoAlhMiVBmZrOpeo9nOW4zasZo2f
HQowI8PiMlt+U6SxyIKNaXpIGteaQQ==
=/U2T
-----END PGP SIGNATURE-----

-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

More information about the sgo-software-announce mailing list