secnet 0.5.0 - SECURITY UPDATE
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Oct 24 19:25:29 BST 2019
It is a mixed pleasure to announce secnet 0.5.0.
secnet 0.5.0 contains critical SECURITY FIXES for make-secnet-sites.
Everyone who is using make-secnet-sites on not-completely-trusted
input must upgrade before they next run make-secnet-sites.
This release also contains some refactoring changes in secnet itself -
but it also contains new tests run as part of `make check'. I have
not provided a backport of the make-secnet-sites changes to earlier
versions, although that might be possible if someone needs it.
0.5.0 can be found here:
http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/
http://www.chiark.greenend.org.uk/~secnet/release/0.5.0/
SHA-256 checksums are listed below.
The .deb is from Debian amd64 stretch (oldstable) and should work on
more recent versions of Debian.
secnet (0.5.0) unstable; urgency=medium
make-secnet-sites SECURITY FIX:
* Do not blindly trust inputs; instead, check the syntax for sanity.
Previous releases can be induced to run arbitrary code as the user
invoking secnet (which might be root), if a secnet sites.conf is used
that was generated from an untrustworthy sites file.
* The userv invocation mode of make-secnet-sites seems to have been safe
in itself, but it previously allowed hazardous data to be propagated
into the master sites file. This is now prevented too.
make-secnet-sites overhaul work:
* make-secnet-sites is now in the common subset of Python2 and Python3.
The #! is python3 now, but it works with Python2.7 too.
It will probably *not* work with old versions of Python2.
* We no longer depend on the obsolete `ipaddr' library. We use
`ipaddress' now. And this is only a Recommends in the .deb.
* The ad-hoc argument parser has been replaced with `argparse'.
There should be no change to existing working invocations.
* Bad address syntax error does not wrongly mention IPv6 scopes.
* Minor refactoring to support forthcoming work. [Mark Wooding]
other bugfixes, improvements and changes to secnet itself:
* Better logging of why we are sending NAK messages.
* Correctly use the verified copy of the peer remote capabilities
from MSG3. (Bug is not a vulnerability.) [Mark Wooding]
* Significant internal rearrangements and refactorings, to support
forthcoming key management work. [Mark Wooding and Ian Jackson]
build system etc.:
* Completely overhaul release checklist; drop dist target.
* Remove dependency on `libfl.a'. [Mark Wooding]
* polypath.c: Fix missing include of <limits.h>. [Mark Wooding]
* Add a Wireshark dissector `secnet-wireshark.lua'. It is not
installed anywhere right now. [Mark Wooding]
documentation:
* Improve documentation of capability negotiation in NOTES, secnet(8)
and magic.h. [Mark Wooding]
-- Ian Jackson <ijackson at chiark.greenend.org.uk> Thu, 24 Oct 2019 19:11:54 +0100
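The two make-secnet-sites items above (check input syntax for sanity before it reaches the generated sites.conf; parse addresses with `ipaddress' and report bad syntax plainly) describe a pattern that is easiest to see in code. The following is an added example and not make-secnet-sites' own code: the field names, the identifier token syntax and the shape of validate_site() are assumptions, written in the Python2/Python3 common subset.

```python
# Added example (not part of secnet): allowlist-validate sites-file fields
# before anything is interpolated into a generated config that another
# program will parse. Field names and token syntax are assumptions.
import re
import ipaddress

# Identifiers: a conservative token set, so that nothing the config parser
# could interpret (quotes, braces, semicolons, newlines) can pass through.
_NAME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_-]{0,63}$')


def check_name(value):
    """Return value unchanged if it is a safe identifier, else raise ValueError."""
    if not _NAME_RE.match(value):
        raise ValueError('bad identifier %r' % (value,))
    return value


def check_network(value):
    """Parse an address or address/prefix with the ipaddress module.

    Returns the ip_network object.  The error message names the offending
    text and is the same for v4 and v6 input (no spurious mention of scopes).
    strict=True rejects a network with host bits set, e.g. 192.0.2.1/24.
    """
    # The ipaddress backport on Python 2 wants unicode; str is fine on Python 3.
    text = value if isinstance(value, type(u'')) else value.decode('ascii')
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        raise ValueError('bad address or network syntax: %r' % (value,))


def validate_site(fields):
    """Check a dict of raw sites-file fields and return a dict of clean values.

    Unknown keys are rejected rather than copied through, so a field the
    validator does not know about can never reach the generated config.
    """
    checkers = {'name': check_name, 'network': check_network}
    unknown = set(fields) - set(checkers)
    if unknown:
        raise ValueError('unexpected field(s): %s' % ', '.join(sorted(unknown)))
    return dict((k, checkers[k](v)) for k, v in fields.items())


def rejects(check, value):
    """True if check() refuses value with ValueError (handy for self-tests)."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```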
f54106470a4b42159be2a83492aaa14416f5d03eaf86e39371046dc3cdac9ace secnet_0.5.0.dsc
4519bfee367983d6c9b1ec23541b3f13952ae1736924abddf6172f7c2c693d4b secnet_0.5.0.tar.gz
5927ac63c1c3c1e148d5a336bf2794112775a1319218de79e8d1049c7a4774ee secnet-dbgsym_0.5.0_amd64.deb
d4aef86744f7eee0102a9da3a761d67c5ee57e3e5c21346e9a45d6d268cf927e secnet_0.5.0_amd64.buildinfo
4e6f143c2d551781e5b961623bd5099e6e5eee5e18de78985ee157dc563400f5 secnet_0.5.0_amd64.deb
09789d6787a94d8001e93aacbe7144fd61620ea2aa61dc54f7b402edc9208ef5 secnet_0.5.0_multi.changes