Commit | Line | Data |
---|---|---|
3c35339b IJ |
1 | secnet (0.3.3) unstable; urgency=high |
2 | ||
3 | SECURITY FIXES: | |
4 | * Pass correct size argument to recvfrom. This is a serious security | |
5 | problem which may be exploitable from outside the VPN. | |
6 | * Fix a memory leak in some error logging. | |
7 | ||
8 | Other related fixes: | |
9 | * Two other latent bugs in buffer length handling found and fixed. | |
10 | * Non-critical stylistic improvements to buffer length handling, to make | |
11 | the code clearer and to assist audit. | |
12 | ||
13 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 19 Sep 2014 23:50:45 +0100 | |
14 | ||
cad61687 IJ |
15 | secnet (0.3.3~beta1) unstable; urgency=low |
16 | ||
17 | Installation compatibility fix: | |
18 | * In make-secnet-sites, always use our own ipaddr.py even if the | |
19 | incompatible modern ipaddr.py is installed (eg via python-ipaddr.deb). | |
20 | (Future versions of secnet are going to need that Python module to be | |
21 | installed.) | |
22 | ||
23 | For links involving mobile sites: | |
24 | * Use source of NAK packets as hint for peer transport address. | |
25 | * When initiating rekey, make use of data transport peer addresses. | |
26 | ||
27 | Build fix: | |
28 | * Provide clean target in test-example/Makefile. | |
29 | ||
30 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 19 Sep 2014 00:11:44 +0100 | |
31 | ||
79c6c87c IJ |
32 | secnet (0.3.2) unstable; urgency=low |
33 | ||
34 | * Release of 0.3.2. No code changes since 0.3.1~beta1. | |
35 | ||
36 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 26 Jun 2014 20:27:58 +0100 | |
37 | ||
27ee084e | 38 | secnet (0.3.2~beta1) unstable; urgency=low |
af0869f5 | 39 | |
27ee084e | 40 | For links involving mobile sites: |
f09b3955 | 41 | * SECURITY: Properly update peer address array when it is full. |
27ee084e IJ |
42 | * Do name-resolution on peer-initiated key setup too, when we are mobile |
43 | (and other name-resolution improvements). | |
44 | ||
45 | Other minor improvements: | |
f09b3955 | 46 | * Log peer addresses on key exchange timeout. |
e4cfe537 IJ |
47 | * When printing version (eg during startup), use value from git-describe |
48 | and thus include git commit id where applicable. | |
af0869f5 | 49 | * Updates to release checklist in Makefile.in. |
09aecaa2 | 50 | * Use C99 _Bool for bool_t. |
af0869f5 | 51 | |
27ee084e | 52 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 06 Jun 2014 01:17:54 +0100 |
af0869f5 | 53 | |
88356888 IJ |
54 | secnet (0.3.1) unstable; urgency=low |
55 | ||
56 | * Release of 0.3.1. No code changes since 0.3.1~beta3. | |
57 | ||
58 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 15 May 2014 01:08:30 +0100 | |
59 | ||
c1e8412b IJ |
60 | secnet (0.3.1~beta3) unstable; urgency=low |
61 | ||
62 | * Build fixes for non-i386 architectures and gcc 4.8.2. | |
63 | ||
64 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 08 May 2014 19:53:43 +0100 | |
65 | ||
2368720d IJ |
66 | secnet (0.3.1~beta2) unstable; urgency=low |
67 | ||
68 | Fix relating to new fragmentation / ICMP functionality: | |
69 | * Generate ICMP packets correctly in point-to-point configurations. | |
70 | ||
71 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 03 May 2014 18:58:09 +0100 | |
72 | ||
d3dd9ddc | 73 | secnet (0.3.1~beta1) unstable; urgency=low |
1ca0593d | 74 | |
d3dd9ddc | 75 | Security fixes (vulnerabilities are to inside attackers only): |
32240a83 | 76 | * SECURITY: Fixes to MTU and fragmentation handling. |
cfd79482 | 77 | * SECURITY: Correctly set "unused" ICMP header field. |
e8b1adac | 78 | * SECURITY: Fix IP length check not to crash on very short packets. |
d3dd9ddc IJ |
79 | |
80 | New feature: | |
3ed1846a | 81 | * Make the inter-site MTU configurable, and negotiate it with the peer. |
1ca0593d | 82 | |
d3dd9ddc IJ |
83 | Bugfixes etc.: |
84 | * Fix netlink SEGV on clientless netlinks (i.e. configuration error). | |
85 | * Fix formatting error in p-t-p startup message. | |
86 | * Do not send ICMP errors in response to unknown incoming ICMP. | |
87 | * Fix formatting error in secnet.8 manpage. | |
88 | * Internal code rearrangements and improvements. | |
89 | ||
90 | Packaging improvements: | |
91 | * Updates to release checklist in Makefile.in. | |
92 | * Additions to the test-example suite. | |
93 | ||
94 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 01 May 2014 19:02:56 +0100 | |
1ca0593d | 95 | |
53dea2fb IJ |
96 | secnet (0.3.0) unstable; urgency=low |
97 | ||
98 | * Release of 0.3.0. No code changes since 0.3.0~beta3. | |
99 | * Update release checklist. | |
100 | ||
101 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 01 Sep 2013 20:27:48 +0100 | |
102 | ||
74f85762 | 103 | secnet (0.3.0~beta3) unstable; urgency=low |
8aaaa634 IJ |
104 | |
105 | * New upstream version. | |
106 | - Stability bugfix: properly initialise site's scratch buffer. | |
107 | ||
74f85762 | 108 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Mon, 05 Aug 2013 11:54:09 +0100 |
8aaaa634 | 109 | |
f0b0f549 IJ |
110 | secnet (0.3.0~beta2) unstable; urgency=low |
111 | ||
112 | * New upstream version. | |
113 | - SECURITY FIX: RSA public modulus and exponent buffer overflow. | |
114 | - SECURITY FIX: Use constant-time memcmp for message authentication. | |
115 | - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac. | |
116 | - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm. | |
117 | - SECURITY FIX: Fix site name checking when site name A is prefix of B. | |
663d9d5f | 118 | - SECURITY FIX: Safely reject too-short IP packets. |
f0b0f549 IJ |
119 | - Better robustness for mobile sites (proper user of NAKs, new PROD msg). |
120 | - Better robustness against SLIP decoding errors. | |
121 | - Fix bugs which caused routes to sometimes not be advertised. | |
122 | - Protocol capability negotiation mechanism. | |
123 | - Improvements and fixes to protocol and usage documentation. | |
124 | - Other bugfixes and code tidying up. | |
125 | ||
126 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 25 Jul 2013 18:26:01 +0100 | |
127 | ||
e42d5acf IJ |
128 | secnet (0.3.0~beta1) unstable; urgency=low |
129 | ||
130 | * New upstream version. | |
131 | - SECURITY FIX: avoid crashes (or buffer overrun) on short packets. | |
132 | - Bugfixes relating to packet loss during key exchange. | |
133 | - Bugfixes relating to link up/down status. | |
134 | - Bugfixes relating to logging. | |
135 | - make-secnet-sites made more sophisticated to support two vpns on chiark. | |
136 | - Documentation improvements. | |
137 | - Build system improvements. | |
f2376399 IJ |
138 | * Debian packaging improvements: |
139 | - Native package. | |
140 | - Maintainer / uploaders. | |
141 | - init script requires $remove_fs since we're in /usr. | |
e42d5acf IJ |
142 | |
143 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 12 Jul 2012 20:18:16 +0100 | |
144 | ||
37b5bdcf IJ |
145 | secnet (0.2.1-1) unstable; urgency=low |
146 | ||
147 | * New upstream version. (authbind endianness fix) | |
148 | ||
149 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 11 Dec 2011 13:14:57 +0000 | |
150 | ||
9ee89d42 IJ |
151 | secnet (0.2.0-1) unstable; urgency=low |
152 | ||
153 | * New upstream version. | |
154 | ||
4253701c | 155 | -- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 10 Dec 2011 22:44:41 +0000 |
9ee89d42 | 156 | |
ca58ee48 | 157 | secnet (0.1.18-1) unstable; urgency=low |
9d3a4132 SE |
158 | |
159 | * New upstream version. | |
160 | ||
ca58ee48 | 161 | -- Stephen Early <steve@greenend.org.uk> Tue, 18 Mar 2008 17:45:00 +0000 |