[prev in list] [next in list] [prev in thread] [next in thread]
List: fwknop-discuss
Subject: [Fwknop-discuss] fwknop-2.6.2 released
From: Michael Rash <michael.rash () gmail ! com>
Date: 2014-04-29 1:46:31
Message-ID: CAA9wn8kEz5OwjVX8+HgghpifWiXGPwadGu+x39Go+rCD0JAQEA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
fwknop-2.6.2 has been released:
http://www.cipherdyne.org/fwknop/download/
https://github.com/mrash/fwknop/releases/tag/2.6.2
This is a bug fix release that addresses the following as described in the
ChangeLog:
- [libfko] fix double free bug in SPA parser discovered with the new
python SPA payload fuzzer (see the 'spa_encoding_fuzzing' branch which
is not merged into the master branch yet). This bug could be
triggered
in fwknopd with a malicious SPA payload, but only when GnuPG is used
and
when an attacker is in possession of valid GnuPG keys listed in the
access.conf file. In other words, an arbitrary attacker cannot trigger
this bug. Further, when Rijndael is used for SPA packet encryption,
this
bug cannot be triggered at all due to an length/format check towards
the
end of _rijndael_decrypt(). This bug was introduced in the 2.6.1
development series, and no previous versions of fwknop are affected.
The spa_encoding_fuzzing branch will be merged back to master soon, and
here is the fuzzer itself which behind the scenes uses a new #define to
assist in the effort to fuzz libfko:
https://github.com/mrash/fwknop/blob/spa_encoding_fuzzing/test/spa_fuzzing.py
Additional releases in the 2.6.x series will be made to emphasize run time
function, line, and branch test coverage.
Thanks,
--Mike
[Attachment #5 (text/html)]
<div dir="ltr"><div><div><br></div>fwknop-2.6.2 has been released:<br><br></div><a \
href="http://www.cipherdyne.org/fwknop/download/">http://www.cipherdyne.org/fwknop/download/</a><br><a \
href="https://github.com/mrash/fwknop/releases/tag/2.6.2">https://github.com/mrash/fwknop/releases/tag/2.6.2</a><br>
<br>This is a bug fix release that addresses the following as described in the \
ChangeLog:<br><br> - [libfko] fix double free bug in SPA parser discovered with \
the new<br> python SPA payload fuzzer (see the \
'spa_encoding_fuzzing' branch which<br> is not merged into the master branch \
yet). This bug could be triggered<br> in fwknopd with a malicious SPA \
payload, but only when GnuPG is used and<br> when an attacker is in \
possession of valid GnuPG keys listed in the<br> access.conf file. In other words, \
an arbitrary attacker cannot trigger<br> this bug. Further, when Rijndael \
is used for SPA packet encryption, this<br> bug cannot be triggered at all \
due to an length/format check towards the<br> end of _rijndael_decrypt(). This bug \
was introduced in the 2.6.1<br> development series, and no previous \
versions of fwknop are affected.<br \
clear="all"><div><div><div><div><br></div><div>The spa_encoding_fuzzing branch will \
be merged back to master soon, and here is the fuzzer itself which behind the scenes \
uses a new #define to assist in the effort to fuzz libfko:<br> <br><a \
href="https://github.com/mrash/fwknop/blob/spa_encoding_fuzzing/test/spa_fuzzing.py">h \
ttps://github.com/mrash/fwknop/blob/spa_encoding_fuzzing/test/spa_fuzzing.py</a><br><br></div><div>Additional \
releases in the 2.6.x series will be made to emphasize run time function, line, and \
branch test coverage.<br> \
<br>Thanks,<br><br></div><div>--Mike<br></div></div></div></div></div>
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic