[secnet] / debian / changelog

secnet (0.4.6~) unstable; urgency=medium

  * 

 --

secnet (0.4.5) unstable; urgency=medium

  * INSTALL: Mention that rsa key generation might need ssh-keygen1.
  * mobile: Fix negotiation bug with mixed old/new secnets and
    simultaneous key setup attempts by each end.  [Mark Wooding]
  * Makefile.in: Support installation from a `VPATH' build.  [Mark Wooding]
  * Portability fixes for clang.  [Mark Wooding]

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 21 Sep 2019 12:04:31 +0100

secnet (0.4.4) unstable; urgency=medium

  Security fix:
  * make-secnet-sites: Don't allow setting new VPN-level properties
    when restricted.  This could allow denial of service by
    users with delegated authorisation.  [Mark Wooding]

  Bugfixes for poor network environments:
  * polypath: cope properly with asymmetric routing, by correcting
    the handling of late duplicated packets etc.   Protocol is now
    incompatible with secnet prior to 0.3.0 when either end is mobile.
  * Randomise key setup retry time.

  Other bugfixes:
  * rsa and cbcmac: Fix configuration error messages.  [Mark Wooding]
  * Handle IPv4 addresses properly (ie, not foolishly byte-swapped),
    when IPv6 is not available.  [Mark Wooding]
  * Better logging (and less foolish debug), especially about whether
    key is set up, and about crossed key setup attempts.
  * Internal refactoring and fixes.  [Ian Jackson and Mark Wooding]

  Build system and portability:
  * configure: rerun autogen.sh with autoconf 2.69-10
  * Avoid memset(0,0,0) wrt st->sharedsecret.  (Fixes compiler warning;
    in theory might cause miscompilation.)  [Mark Wooding]

  Documentation:
  * README.make-secnet-sites: new documentation file.  [Mark Wooding]
  * NOTES: Describe current allocation of capability bits.  [Mark Wooding]
  * NOTES: tiny fix tot protocol description.
  * secnet(8): Delete wrong information about dh groups.  [Mark Wooding]

  Administrivia:
  * Fix erroneous GPL3+ licence notices "version d or later" (!)
  * .dir-locals.el: Settings for Python code.  [Mark Wooding]

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 08 Sep 2019 22:53:14 +0100

secnet (0.4.3) unstable; urgency=low

  Security improvement:
  * Use `mpz_powm_sec' for modexps.

  Enhancements:
  * Implement comm-info and dedicated-interface-addr feature, for
    benefit of hippotat.
  * Implement `keepalive' site option, to try to keep link always up.

  Build etc. fixes:
  * #include <limits.h> (fixes the build on jessie).
  * Tolerate building from a git checkout, but with git not installed.
    (This can happen in chroots.)
  * Turn off -Wsign-compare for bison output.
  * Makefile.in: Fix `check-ipaddrset' rule to get reference from
    $(srcdir).  (Makes out-of-tree builds work properly.)
  * Release checklist fixes.
  * Burn version numbers 0.4.1 and 0.4.2 due to errors in release prep.

  Bugfixes:
  * When printing messages about dropping IPv6, do not print anything
    about ihl.  (Check the IP version field first!)
  * When turning on debug, turn on verbose too.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 25 Nov 2017 13:36:41 +0000

secnet (0.4.0) unstable; urgency=low

  Debugging improvements:
  * Packet-level debugging from site notes errors from transmit.
  * Report when transport peers updated as a result of transmit.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 28 Feb 2015 15:03:00 +0000

secnet (0.4.0~beta2) unstable; urgency=low

  Polypath bugfixes:
  * Ignore IPv6 Unique Local unicast addresses.
  * Skip "tentative" IPv6 local addresses.
  * Improve logging and debug output.

  Portability fix:
  * Build where size_t is not compatible with int.

  Build system and packaging fixes:
  * Makefile: support DESTDIR.
  * debian/rules: set DESTDIR (not prefix).
  * debian/rules: Support dpkg-buildflags.
  * Install ipaddrset.py and secnet.8 with correct permissions.
  * Fix check for <linux/if_tun.h> and git rid of our copy.
  * Use -lresolv only if inet_aton is not found otherwise.
  * Use -lnsl only if inet_ntoa is not found otherwise.
  * debian/rules: Provide build-arch and build-indep targets.
  * debian/rules: Do not run build for *-indep (!)
  * Makefile.in: Putative dual (backport and not) release build process doc.

  Copyright updates:
  * Update to GPLv3.  Add missing copyright notices and credits.
  * Get rid of old FSF street address; use URL instead.
  * Remove obsolete LICENCE.txt (which was for snprintf reimplementation).
  * Remove obsolete references to Cendio (for old ipaddr.py).

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 28 Dec 2014 17:14:10 +0000

secnet (0.4.0~beta1) unstable; urgency=low

  New features:
  * Support transport over IPv6.  (We do not yet carry IPv6 in the private
    network.)  IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost).  Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).

  Logging improvements:
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS reolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).

  Configuration adjustments:
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional.  This avoids making special
    arrangements to bind to a port for in mobile sites with no public
    stable address.

  Bugfixes:
  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library ipaddr.py.
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 26 Oct 2014 15:28:31 +0000

secnet (0.3.4) unstable; urgency=low

  SECURITY FIX:
  * The previous security fix to buffer handling was entirely wrong.  This
    one is better.  Thanks to Simon Tatham for the report and the patch.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 22 Sep 2014 16:16:11 +0100

secnet (0.3.3) unstable; urgency=high

  SECURITY FIXES:
  * Pass correct size argument to recvfrom.  This is a serious security
    problem which may be exploitable from outside the VPN.
  * Fix a memory leak in some error logging.

  Other related fixes:
  * Two other latent bugs in buffer length handling found and fixed.
  * Non-critical stylistic improvements to buffer length handling, to make
    the code clearer and to assist audit.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 19 Sep 2014 23:50:45 +0100

secnet (0.3.3~beta1) unstable; urgency=low

  Installation compatibility fix:
  * In make-secnet-sites, always use our own ipaddr.py even if the
    incompatible modern ipaddr.py is installed (eg via python-ipaddr.deb).
    (Future versions of secnet are going to need that Python module to be
    installed.)

  For links involving mobile sites:
  * Use source of NAK packets as hint for peer transport address.
  * When initiating rekey, make use of data transport peer addresses.

  Build fix:
  * Provide clean target in test-example/Makefile.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 19 Sep 2014 00:11:44 +0100

secnet (0.3.2) unstable; urgency=low

  * Release of 0.3.2.  No code changes since 0.3.1~beta1.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 26 Jun 2014 20:27:58 +0100

secnet (0.3.2~beta1) unstable; urgency=low

  For links involving mobile sites:
  * SECURITY: Properly update peer address array when it is full.
  * Do name-resolution on peer-initiated key setup too, when we are mobile
    (and other name-resolution improvements).

  Other minor improvements:
  * Log peer addresses on key exchange timeout.
  * When printing version (eg during startup), use value from git-describe
    and thus include git commit id where applicable.
  * Updates to release checklist in Makefile.in.
  * Use C99 _Bool for bool_t.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 06 Jun 2014 01:17:54 +0100

secnet (0.3.1) unstable; urgency=low

  * Release of 0.3.1.  No code changes since 0.3.1~beta3.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 15 May 2014 01:08:30 +0100

secnet (0.3.1~beta3) unstable; urgency=low

  * Build fixes for non-i386 architectures and gcc 4.8.2.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 08 May 2014 19:53:43 +0100

secnet (0.3.1~beta2) unstable; urgency=low

  Fix relating to new fragmentation / ICMP functionality:
  * Generate ICMP packets correctly in point-to-point configurations.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 03 May 2014 18:58:09 +0100

secnet (0.3.1~beta1) unstable; urgency=low

  Security fixes (vulnerabilities are to inside attackers only):
  * SECURITY: Fixes to MTU and fragmentation handling.
  * SECURITY: Correctly set "unused" ICMP header field.
  * SECURITY: Fix IP length check not to crash on very short packets.

  New feature:
  * Make the inter-site MTU configurable, and negotiate it with the peer.

  Bugfixes etc.:
  * Fix netlink SEGV on clientless netlinks (i.e. configuration error).
  * Fix formatting error in p-t-p startup message.
  * Do not send ICMP errors in response to unknown incoming ICMP.
  * Fix formatting error in secnet.8 manpage.
  * Internal code rearrangements and improvements.

  Packaging improvements:
  * Updates to release checklist in Makefile.in.
  * Additions to the test-example suite.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 01 May 2014 19:02:56 +0100

secnet (0.3.0) unstable; urgency=low

  * Release of 0.3.0.  No code changes since 0.3.0~beta3.
  * Update release checklist.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 01 Sep 2013 20:27:48 +0100

secnet (0.3.0~beta3) unstable; urgency=low

  * New upstream version.
   - Stability bugfix: properly initialise site's scratch buffer.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 05 Aug 2013 11:54:09 +0100

secnet (0.3.0~beta2) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: RSA public modulus and exponent buffer overflow.
   - SECURITY FIX: Use constant-time memcmp for message authentication.
   - SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
   - SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
   - SECURITY FIX: Fix site name checking when site name A is prefix of B.
   - SECURITY FIX: Safely reject too-short IP packets.
   - Better robustness for mobile sites (proper user of NAKs, new PROD msg).
   - Better robustness against SLIP decoding errors.
   - Fix bugs which caused routes to sometimes not be advertised.
   - Protocol capability negotiation mechanism.
   - Improvements and fixes to protocol and usage documentation.
   - Other bugfixes and code tidying up.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 25 Jul 2013 18:26:01 +0100

secnet (0.3.0~beta1) unstable; urgency=low

  * New upstream version.
   - SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
   - Bugfixes relating to packet loss during key exchange.
   - Bugfixes relating to link up/down status.
   - Bugfixes relating to logging.
   - make-secnet-sites made more sophisticated to support two vpns on chiark.
   - Documentation improvements.
   - Build system improvements.
  * Debian packaging improvements:
   - Native package.
   - Maintainer / uploaders.
   - init script requires $remove_fs since we're in /usr.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 12 Jul 2012 20:18:16 +0100

secnet (0.2.1-1) unstable; urgency=low

  * New upstream version.  (authbind endianness fix)

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 11 Dec 2011 13:14:57 +0000

secnet (0.2.0-1) unstable; urgency=low

  * New upstream version.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 10 Dec 2011 22:44:41 +0000

secnet (0.1.18-1) unstable; urgency=low

  * New upstream version.

 -- Stephen Early <steve@greenend.org.uk>  Tue,  18 Mar 2008 17:45:00 +0000
Commit	Line	Data
b3626b7a IJ	1	secnet (0.4.6~) unstable; urgency=medium
	2
	3	*
	4
	5	--
	6
0083ebff	7	secnet (0.4.5) unstable; urgency=medium
b621d42a	8
e33d827e IJ	9	* INSTALL: Mention that rsa key generation might need ssh-keygen1.
	10	* mobile: Fix negotiation bug with mixed old/new secnets and
	11	simultaneous key setup attempts by each end. [Mark Wooding]
	12	* Makefile.in: Support installation from a `VPATH' build. [Mark Wooding]
	13	* Portability fixes for clang. [Mark Wooding]
b621d42a	14
0083ebff	15	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 21 Sep 2019 12:04:31 +0100
b621d42a	16
1cef26c2	17	secnet (0.4.4) unstable; urgency=medium
d723b9dc	18
8c944ec9 IJ	19	Security fix:
	20	* make-secnet-sites: Don't allow setting new VPN-level properties
	21	when restricted. This could allow denial of service by
	22	users with delegated authorisation. [Mark Wooding]
	23
	24	Bugfixes for poor network environments:
	25	* polypath: cope properly with asymmetric routing, by correcting
ef7be25b IJ	26	the handling of late duplicated packets etc. Protocol is now
ef7be25b IJ	27	incompatible with secnet prior to 0.3.0 when either end is mobile.
8c944ec9 IJ	28	* Randomise key setup retry time.
	29
	30	Other bugfixes:
	31	* rsa and cbcmac: Fix configuration error messages. [Mark Wooding]
	32	* Handle IPv4 addresses properly (ie, not foolishly byte-swapped),
	33	when IPv6 is not available. [Mark Wooding]
	34	* Better logging (and less foolish debug), especially about whether
	35	key is set up, and about crossed key setup attempts.
	36	* Internal refactoring and fixes. [Ian Jackson and Mark Wooding]
	37
	38	Build system and portability:
	39	* configure: rerun autogen.sh with autoconf 2.69-10
	40	* Avoid memset(0,0,0) wrt st->sharedsecret. (Fixes compiler warning;
	41	in theory might cause miscompilation.) [Mark Wooding]
	42
	43	Documentation:
	44	* README.make-secnet-sites: new documentation file. [Mark Wooding]
	45	* NOTES: Describe current allocation of capability bits. [Mark Wooding]
	46	* NOTES: tiny fix tot protocol description.
	47	* secnet(8): Delete wrong information about dh groups. [Mark Wooding]
	48
9c6a8729 IJ	49	Administrivia:
9c6a8729 IJ	50	* Fix erroneous GPL3+ licence notices "version d or later" (!)
8c944ec9	51	* .dir-locals.el: Settings for Python code. [Mark Wooding]
d723b9dc	52
1cef26c2	53	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 08 Sep 2019 22:53:14 +0100
d723b9dc	54
daaccb8a	55	secnet (0.4.3) unstable; urgency=low
e6d6991c	56
dc905acb IJ	57	Security improvement:
	58	* Use `mpz_powm_sec' for modexps.
	59
	60	Enhancements:
86420bb7 IJ	61	* Implement comm-info and dedicated-interface-addr feature, for
86420bb7 IJ	62	benefit of hippotat.
e6d6991c	63	* Implement `keepalive' site option, to try to keep link always up.
dc905acb IJ	64
dc905acb IJ	65	Build etc. fixes:
658e8a99 IJ	66	* #include <limits.h> (fixes the build on jessie).
	67	* Tolerate building from a git checkout, but with git not installed.
	68	(This can happen in chroots.)
dc905acb IJ	69	* Turn off -Wsign-compare for bison output.
	70	* Makefile.in: Fix `check-ipaddrset' rule to get reference from
	71	$(srcdir). (Makes out-of-tree builds work properly.)
658e8a99 IJ	72	* Release checklist fixes.
658e8a99 IJ	73	* Burn version numbers 0.4.1 and 0.4.2 due to errors in release prep.
dc905acb IJ	74
dc905acb IJ	75	Bugfixes:
59a5b098 IJ	76	* When printing messages about dropping IPv6, do not print anything
59a5b098 IJ	77	about ihl. (Check the IP version field first!)
cb807040	78	* When turning on debug, turn on verbose too.
e6d6991c	79
8f9d08fa	80	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 25 Nov 2017 13:36:41 +0000
e6d6991c	81
11653375	82	secnet (0.4.0) unstable; urgency=low
62846523 IJ	83
	84	Debugging improvements:
	85	* Packet-level debugging from site notes errors from transmit.
92ae57c5	86	* Report when transport peers updated as a result of transmit.
62846523	87
11653375	88	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 28 Feb 2015 15:03:00 +0000
62846523	89
a0898ee0	90	secnet (0.4.0~beta2) unstable; urgency=low
b073e347	91
60cb91a9 IJ	92	Polypath bugfixes:
	93	* Ignore IPv6 Unique Local unicast addresses.
	94	* Skip "tentative" IPv6 local addresses.
	95	* Improve logging and debug output.
	96
	97	Portability fix:
	98	* Build where size_t is not compatible with int.
	99
	100	Build system and packaging fixes:
af720152	101	* Makefile: support DESTDIR.
fb75bb37	102	* debian/rules: set DESTDIR (not prefix).
24982c27	103	* debian/rules: Support dpkg-buildflags.
60cb91a9 IJ	104	* Install ipaddrset.py and secnet.8 with correct permissions.
	105	* Fix check for <linux/if_tun.h> and git rid of our copy.
	106	* Use -lresolv only if inet_aton is not found otherwise.
	107	* Use -lnsl only if inet_ntoa is not found otherwise.
	108	* debian/rules: Provide build-arch and build-indep targets.
	109	* debian/rules: Do not run build for *-indep (!)
ca535922	110	* Makefile.in: Putative dual (backport and not) release build process doc.
b073e347	111
c215a4bc IJ	112	Copyright updates:
	113	* Update to GPLv3. Add missing copyright notices and credits.
	114	* Get rid of old FSF street address; use URL instead.
	115	* Remove obsolete LICENCE.txt (which was for snprintf reimplementation).
	116	* Remove obsolete references to Cendio (for old ipaddr.py).
	117
a0898ee0	118	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 28 Dec 2014 17:14:10 +0000
b073e347	119
537ff1ad	120	secnet (0.4.0~beta1) unstable; urgency=low
6c23d95c	121
1e36b4e9 IJ	122	New features:
	123	* Support transport over IPv6. (We do not yet carry IPv6 in the private
	124	network.) IPv6 support depends on IPv6-capable adns (adns 1.5.x).
	125	* New polypath comm, which can duplicate packets so as to send them via
	126	multiple routes over the public network, for increased
	127	reliability/performance (but increased cost). Currently Linux-only
	128	but should be fairly easy to port.
	129	* Support multiple public addresses for peers.
	130	* Discard previously-received packets (by default).
	131
	132	Logging improvements:
	133	* Report (each first) transmission and reception success and failure.
	134	* Log reason for DNS reolution failure.
	135	* Log unexpected kinds of death from userv.
	136	* Log authbind exit status as errno value (if appropriate).
	137
	138	Configuration adjustments:
	139	* Adjust default number of mobile peer addresses to store when a peer
	140	public address is also configured.
	141	* Make specifying peer public port optional. This avoids making special
	142	arrangements to bind to a port for in mobile sites with no public
	143	stable address.
	144
	145	Bugfixes:
	146	* Hackypar children will die if they get a terminating signal.
	147	* Fix signal dispositions inherited by secnet's child processes.
	148	* Fix off-by-one error which prevented setting transport-peers-max to 5.
	149
	150	Test, build and internal improvements:
	151	* Use conventional IP address handling library ipaddr.py.
	152	* Provide a fuzzer for the slip decoder.
	153	* Build system improvements.
	154	* Many source code cleanups.
6c23d95c	155
537ff1ad	156	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 26 Oct 2014 15:28:31 +0000
6c23d95c	157
5d8fc5c0 IJ	158	secnet (0.3.4) unstable; urgency=low
	159
	160	SECURITY FIX:
	161	* The previous security fix to buffer handling was entirely wrong. This
	162	one is better. Thanks to Simon Tatham for the report and the patch.
	163
	164	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Mon, 22 Sep 2014 16:16:11 +0100
	165
3c35339b IJ	166	secnet (0.3.3) unstable; urgency=high
	167
	168	SECURITY FIXES:
	169	* Pass correct size argument to recvfrom. This is a serious security
	170	problem which may be exploitable from outside the VPN.
	171	* Fix a memory leak in some error logging.
	172
	173	Other related fixes:
	174	* Two other latent bugs in buffer length handling found and fixed.
	175	* Non-critical stylistic improvements to buffer length handling, to make
	176	the code clearer and to assist audit.
	177
	178	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 19 Sep 2014 23:50:45 +0100
	179
cad61687 IJ	180	secnet (0.3.3~beta1) unstable; urgency=low
	181
	182	Installation compatibility fix:
	183	* In make-secnet-sites, always use our own ipaddr.py even if the
	184	incompatible modern ipaddr.py is installed (eg via python-ipaddr.deb).
	185	(Future versions of secnet are going to need that Python module to be
	186	installed.)
	187
	188	For links involving mobile sites:
	189	* Use source of NAK packets as hint for peer transport address.
	190	* When initiating rekey, make use of data transport peer addresses.
	191
	192	Build fix:
	193	* Provide clean target in test-example/Makefile.
	194
	195	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 19 Sep 2014 00:11:44 +0100
	196
79c6c87c IJ	197	secnet (0.3.2) unstable; urgency=low
	198
	199	* Release of 0.3.2. No code changes since 0.3.1~beta1.
	200
	201	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 26 Jun 2014 20:27:58 +0100
	202
27ee084e	203	secnet (0.3.2~beta1) unstable; urgency=low
af0869f5	204
27ee084e	205	For links involving mobile sites:
f09b3955	206	* SECURITY: Properly update peer address array when it is full.
27ee084e IJ	207	* Do name-resolution on peer-initiated key setup too, when we are mobile
	208	(and other name-resolution improvements).
	209
	210	Other minor improvements:
f09b3955	211	* Log peer addresses on key exchange timeout.
e4cfe537 IJ	212	* When printing version (eg during startup), use value from git-describe
e4cfe537 IJ	213	and thus include git commit id where applicable.
af0869f5	214	* Updates to release checklist in Makefile.in.
09aecaa2	215	* Use C99 _Bool for bool_t.
af0869f5	216
27ee084e	217	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Fri, 06 Jun 2014 01:17:54 +0100
af0869f5	218
88356888 IJ	219	secnet (0.3.1) unstable; urgency=low
	220
	221	* Release of 0.3.1. No code changes since 0.3.1~beta3.
	222
	223	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 15 May 2014 01:08:30 +0100
	224
c1e8412b IJ	225	secnet (0.3.1~beta3) unstable; urgency=low
	226
	227	* Build fixes for non-i386 architectures and gcc 4.8.2.
	228
	229	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 08 May 2014 19:53:43 +0100
	230
2368720d IJ	231	secnet (0.3.1~beta2) unstable; urgency=low
	232
	233	Fix relating to new fragmentation / ICMP functionality:
	234	* Generate ICMP packets correctly in point-to-point configurations.
	235
	236	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 03 May 2014 18:58:09 +0100
	237
d3dd9ddc	238	secnet (0.3.1~beta1) unstable; urgency=low
1ca0593d	239
d3dd9ddc	240	Security fixes (vulnerabilities are to inside attackers only):
32240a83	241	* SECURITY: Fixes to MTU and fragmentation handling.
cfd79482	242	* SECURITY: Correctly set "unused" ICMP header field.
e8b1adac	243	* SECURITY: Fix IP length check not to crash on very short packets.
d3dd9ddc IJ	244
d3dd9ddc IJ	245	New feature:
3ed1846a	246	* Make the inter-site MTU configurable, and negotiate it with the peer.
1ca0593d	247
d3dd9ddc IJ	248	Bugfixes etc.:
	249	* Fix netlink SEGV on clientless netlinks (i.e. configuration error).
	250	* Fix formatting error in p-t-p startup message.
	251	* Do not send ICMP errors in response to unknown incoming ICMP.
	252	* Fix formatting error in secnet.8 manpage.
	253	* Internal code rearrangements and improvements.
	254
	255	Packaging improvements:
	256	* Updates to release checklist in Makefile.in.
	257	* Additions to the test-example suite.
	258
	259	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 01 May 2014 19:02:56 +0100
1ca0593d	260
53dea2fb IJ	261	secnet (0.3.0) unstable; urgency=low
	262
	263	* Release of 0.3.0. No code changes since 0.3.0~beta3.
	264	* Update release checklist.
	265
	266	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 01 Sep 2013 20:27:48 +0100
	267
74f85762	268	secnet (0.3.0~beta3) unstable; urgency=low
8aaaa634 IJ	269
	270	* New upstream version.
	271	- Stability bugfix: properly initialise site's scratch buffer.
	272
74f85762	273	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Mon, 05 Aug 2013 11:54:09 +0100
8aaaa634	274
f0b0f549 IJ	275	secnet (0.3.0~beta2) unstable; urgency=low
	276
	277	* New upstream version.
	278	- SECURITY FIX: RSA public modulus and exponent buffer overflow.
	279	- SECURITY FIX: Use constant-time memcmp for message authentication.
	280	- SECURITY FIX: Provide a new transform, eax-serpent, to replace cbcmac.
	281	- SECURITY FIX: No longer send NAKs for NAKs, avoiding NAK storm.
	282	- SECURITY FIX: Fix site name checking when site name A is prefix of B.
663d9d5f	283	- SECURITY FIX: Safely reject too-short IP packets.
f0b0f549 IJ	284	- Better robustness for mobile sites (proper user of NAKs, new PROD msg).
	285	- Better robustness against SLIP decoding errors.
	286	- Fix bugs which caused routes to sometimes not be advertised.
	287	- Protocol capability negotiation mechanism.
	288	- Improvements and fixes to protocol and usage documentation.
	289	- Other bugfixes and code tidying up.
	290
	291	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 25 Jul 2013 18:26:01 +0100
	292
e42d5acf IJ	293	secnet (0.3.0~beta1) unstable; urgency=low
	294
	295	* New upstream version.
	296	- SECURITY FIX: avoid crashes (or buffer overrun) on short packets.
	297	- Bugfixes relating to packet loss during key exchange.
	298	- Bugfixes relating to link up/down status.
	299	- Bugfixes relating to logging.
	300	- make-secnet-sites made more sophisticated to support two vpns on chiark.
	301	- Documentation improvements.
	302	- Build system improvements.
f2376399 IJ	303	* Debian packaging improvements:
	304	- Native package.
	305	- Maintainer / uploaders.
	306	- init script requires $remove_fs since we're in /usr.
e42d5acf IJ	307
	308	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Thu, 12 Jul 2012 20:18:16 +0100
	309
37b5bdcf IJ	310	secnet (0.2.1-1) unstable; urgency=low
	311
	312	* New upstream version. (authbind endianness fix)
	313
	314	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sun, 11 Dec 2011 13:14:57 +0000
	315
9ee89d42 IJ	316	secnet (0.2.0-1) unstable; urgency=low
	317
	318	* New upstream version.
	319
4253701c	320	-- Ian Jackson <ijackson@chiark.greenend.org.uk> Sat, 10 Dec 2011 22:44:41 +0000
9ee89d42	321
ca58ee48	322	secnet (0.1.18-1) unstable; urgency=low
9d3a4132 SE	323
	324	* New upstream version.
	325
ca58ee48	326	-- Stephen Early <steve@greenend.org.uk> Tue, 18 Mar 2008 17:45:00 +0000