[Bug 1658268] [NEW] Please update to 3.0
Launchpad Bug Tracker
1658268 at bugs.launchpad.net
Sat Jan 21 04:13:32 UTC 2017
You have been subscribed to a public bug by Unit 193 (unit193):
This is a backwards incompatible release, but better security by default
(keys are 3072 bit and configurable now.)
Upstream changelog:
3.0 Thu Nov 10 15:39:58 CET 2016
- INCOMPATIBLE CHANGE: core protocol version 1.0.
- INCOMPATIBLE CHANGE: node sections are now introduced
with "node nodename", not "node = nodename".
- INCOMPATIBLE CHANGE: gvpectrl -g will now generate a single
keypair, while -G will try to generate all keypairs as before.
- openssl 1.0.2 is the latest supported openssl release,
openssl 1.1.0 is not supported at the moment as the work to
make it compatible to both versions is just too much. a switch
to openssl 1.1 or another library will be done in a future release.
- update examples to not generate keys centrally, but locally on each
node.
- add workaround for temporary/rare ENOBUFS condition.
- while individual packets couldn't be replayed, a whole session
could be replayed - this has been fixed by an extra key exchange.
- fix a delete vs. delete [] mismatch in the central logging function.
- in addition to rsa key exchange and authentication, the handshake now
adds a diffie-hellman key exchange (using curve25519) for perfect
forward secrecy. mac and cipher keys are derived using HKDF.
- rsa key sizes are now configurable and larger (default is 3072).
correspondingly, the minimum mtu is no longer 296 but 576.
- fixed a potential (unverified) buffer overrun on rsa decryption.
- new per-node low-power setting that tries to reduce cpu/network usage.
- router reconnects could cause excessive rekeying on other connections.
- gvpectrl no longer generates all missing public keys, but
only missing private keys. private keys are also put
into the configured location.
- the pid-file now accepts %s as nodename as elsewhere.
- switch to counter mode (only aes supported at the moment in
openssl). this gets rid of the need to generate a random iv,
is likely more secure (and, as a side effect, gets rid of
slow randomness generation. counter mode is often faster
than cbc mode as well, and packets are smaller).
- no longer use RAND_bytes to generate session keys - you NEED
a real source of entropy now (e.g. egd or /dev/random - see the
openssl documentation).
- multiple node statements for the same node are now supported
and will be merged.
- a new directive "global" switches back to the global section
of the config file.
- if-up scripts can now be specified with absolute paths.
- new global option: serial, to detect configuration mismatches.
- use HKDF as authentication proof, not HMAC or a plain hash
(hint by Ilmari Karonen).
- during rekeying or connection establishments, hmac authentication
errors could occur and reset the connection. Transient hmac
authentication errors are now being ignored for 3 seconds.
- log the reason for a connection loss.
- use a (hopefully) constant time memcmp to compare internal secrets.
- fix a (harmless) erroneous out of bounds stack read that would trigger
gcc's -fsanitize=address.
- bump old packet window size from 512 to 65536.
- update for big changes in openssl 1.1 API, wrap primitives
to make further changes easier.
- correctly check return values for openssl 1.0.0 and later.
- check for both public and private key file when deciding whether
to skip generating a key to avoid accidental overwrites.
** Affects: gvpe (Ubuntu)
Importance: Undecided
Status: New
--
Please update to 3.0
https://bugs.launchpad.net/bugs/1658268
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
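
Added example, not part of the bug report and not gvpe's own code: the key-derivation pattern the changelog describes, in Python, with HKDF (RFC 5869) producing separate cipher, MAC and authentication-proof keys from the RSA and Diffie-Hellman secrets, and a constant-time comparison of the proof. The hash (SHA-256), the info labels, the way the two secrets are combined and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: the changelog does not name the hash


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: concentrate the input keying material into a PRK."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(rsa_secret: bytes, dh_secret: bytes, nonce: bytes) -> dict:
    """Derive independent keys; both secrets feed the PRK (assumed layout)."""
    prk = hkdf_extract(nonce, rsa_secret + dh_secret)
    # Distinct info labels (hypothetical) keep the derived keys unrelated.
    return {
        "cipher": hkdf_expand(prk, b"example cipher key", 32),
        "mac": hkdf_expand(prk, b"example mac key", 32),
        "auth": hkdf_expand(prk, b"example auth proof", 32),
    }


def verify_auth_proof(expected: bytes, received: bytes) -> bool:
    """Compare secrets without leaking the position of the first mismatch."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    keys = derive_session_keys(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16)
    for name, key in keys.items():
        print(name, key.hex())
```

Because the Diffie-Hellman secret feeds the extract step, a later compromise of the long-term RSA key alone does not reproduce the session keys, which is the forward-secrecy property the changelog refers to.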