Changes since last packages version (1.1.2):
Wed Nov 2 10:03:00 CET 2005
* Fixed typos in sipcalc man page, thanks to A Costa <agcosta@gis.net>
for patch.
* Added -w ipv4 option to display some inverse mask information.
- Removed the dependency on the IO::Socket::INET and IO::Socket::INET6
modules. The IO::Socket module is now used for all socket objects.
- The port information can now be included as part of the transport
address specified with the session() Transport Domain arguments.
- Added support for specifying the scope zone index for IPv6 addresses
as described in RFC 4007 - "IPv6 Scoped Address Architecture".
- The default value for the agent-addr in SNMPv1 Trap-PDUs is now the
IP address associated with the interface on which the trap will be
transmitted.
- Support of the AES privacy protocol was updated to be compliant with
RFC 3826 - "The Advanced Encryption Standard (AES) Cipher Algorithm
in the SNMP User-based Security Model".
- Corrected an issue where any non-blocking SNMPv3 message queued prior
to calling snmp_dispatcher() was sent with an empty contextEngineID.
- The first SNMPv3 discovery message is again being sent with a zero-
length msgUserName as suggested by RFC 3414.
- All sockets are now flagged as non-blocking to prevent a possible
deadlock due to an interaction between recv() and select().
- The sending of messages is now bounded by the receive processing rate
to avoid receive buffer overflows.
- The return value of select() is now checked for both "undef" and -1.
- The "usm.t" tests are now skipped if any of the non-core modules
required by the Net::SNMP::Security::USM module are not present.
I got few private comments that one should not use buildlink3.mk but the
standard DEPENDS statement because we do not link against libraries
in this case.
${VARBASE}/db/nsd.db on all platforms and use user/group nsd for the
daemon to run as. Install sample configuration without .sample
extension. Take maintainership. Bump revision.
Changes:
2.0.5:
======
- Fixed bug in Linux get_default_gateway function
introduced in 2.0.4, which would cause redirect-gateway
on Linux clients to fail.
- Restored easy-rsa/2.0 tree (backported from 2.1 beta
series) which accidentally disappeared in
2.0.2 -> 2.0.4 transition.
2.0.4:
======
- Security fix -- Affects non-Windows OpenVPN clients of
version 2.0 or higher which connect to a malicious or
compromised server. A format string vulnerability
in the foreign_option function in options.c could
potentially allow a malicious or compromised server
to execute arbitrary code on the client. Only
non-Windows clients are affected. The vulnerability
only exists if (a) the client's TLS negotiation with
the server succeeds, (b) the server is malicious or
has been compromised such that it is configured to
push a maliciously crafted options string to the client,
and (c) the client indicates its willingness to accept
pushed options from the server by having "pull" or
"client" in its configuration file (Credit: Vade79).
CVE-2005-3393
- Security fix -- Potential DoS vulnerability on the
server in TCP mode. If the TCP server accept() call
returns an error status, the resulting exception handler
may attempt to indirect through a NULL pointer, causing
a segfault. Affects all OpenVPN 2.0 versions.
CVE-2005-3409
- Fix attempt of assertion at multi.c:1586 (note that
this precise line number will vary across different
versions of OpenVPN).
- Added ".PHONY: plugin" to Makefile.am to work around
"make dist" issue.
- Fixed double fork issue that occurs when --management-hold
is used.
- Moved TUN/TAP read/write log messages from --verb 8 to 6.
- Warn when multiple clients having the same common name or
username usurp each other when --duplicate-cn is not used.
- Modified Windows and Linux versions of get_default_gateway
to return the route with the smallest metric
if multiple 0.0.0.0/0.0.0.0 entries are present.
2.0.3:
======
- openvpn_plugin_abort_v1 function wasn't being properly
registered on Windows.
- Fixed a bug where --mode server --proto tcp-server --cipher none
operation could cause tunnel packet truncation.
