[Announcement] Tinc version 1.0.35 and 1.1pre17 released

Saverio Proto zioproto at gmail.com
Tue Oct 9 23:31:36 CEST 2018


OpenWrt master has been updated now.

I am travelling, I will not be able to push patches to stable branches
until next Saturday.

Cheers,

Saverio


On Mon 8 Oct 2018 at 10:15 Guus Sliepen
<guus at tinc-vpn.org> wrote:
>
> Because of security vulnerabilities in tinc that have recently been
> discovered, we hereby release tinc versions 1.0.35 and 1.1pre17. Here is a summary of
> the changes in tinc 1.0.35:
>
>  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
>  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
>
> Here is a summary of the changes in tinc 1.1pre17:
>
>  * Prevent oracle attacks in the legacy protocol (CVE-2018-16737,
>    CVE-2018-16738).
>  * AutoConnect is now enabled by default.
>  * Per-node network traffic statistics are now shown in the output of
>    "info" and "dump nodes" commands.
>
> Thanks to Michael Yonli for auditing tinc and reporting the
> vulnerabilities. Thanks to volth and Rafael Sadowski for their
> contributions to version 1.1pre17 of tinc.
>
> Michael Yonli discovered two security flaws. The first is an issue with
> the implementation of the authentication protocol used in tinc 1.0,
> which allows a remote attacker to establish an authenticated connection
> with a node in the VPN, and send messages one-way. In tinc 1.0.29 and
> earlier, this is unfortunately trivial to exploit. In tinc 1.0.30 to
> 1.0.34, the mitigations implemented for the Sweet32 attack also make
> this attack much harder, but in principle still possible. This is fixed
> in tinc 1.0.35.
>
> The second issue allows a man-in-the-middle that has intercepted the TCP
> connection between two nodes to potentially force one of the nodes to
> start sending unencrypted UDP packets. This is also fixed in tinc
> 1.0.35.
>
> The new protocol used in tinc 1.1 is not affected by these
> vulnerabilities. However, since it is backwards compatible with tinc
> 1.0, it uses the legacy protocol when communicating with tinc 1.0 nodes.
> Tinc 1.1pre17 fixes the first issue, and it wasn't vulnerable to the
> second issue to begin with.
>
> --
> Met vriendelijke groet / with kind regards,
>      Guus Sliepen <guus at tinc-vpn.org>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc