73237 2002-08-13 18:31 /80 rader/ Jeff Mcadams <jeffm@iglou.com>
Importerad: 2002-08-13 18:31 av Brevbäraren
Extern mottagare: l2tpd-devel@l2tpd.org
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <1079>
Ärende: New l2tpd release 0.68
------------------------------------------------------------
OK folks, there's a new release of l2tpd out there, version 0.68.
The biggest change, and the reason that Bugtraq is getting a copy of
this, is adding other sources of entropy for l2tpd to use. All
versions of l2tpd up to this point used the rand() function to
generate random numbers, but didn't seed rand() with srand() *AT
ALL*! (Hey, I didn't originally write it, folks ;). rand() was used
as a source for random numbers for tunnel, and session ids (which
means that, previously, tunnel and session ids were predictable...not
a big deal), but also for challenge generation in the
challenge-response mechanism (which *IS* a big deal).
So, we now seed rand() using time(), which sucks, but doesn't suck
*nearly* as bad as not seeding rand() at all! Suggestions for better
seeds are welcome. :)
We also implemented the ability to read randomness from /dev/urandom,
which hopefully is a better source of randomness (it is on Linux at
least).
So, if anyone is using the L2TP challenge-reponse authentication in
l2tpd, you will almost assuredly want to upgrade to 0.68. Its
available at http://www.l2tpd.org/downloads/l2tpd-0.68.tar.gz. For
Debian users, the Debian maintainer of this package is preparing a
security release update for it as we speak, it should be available
before long (I'm not sure how long that process takes). Any other
distribution maintainers...I don't know who you are, don't have any
contact with you, but I'd like to...get in touch with me and I can
give you heads up in the future about security issues.
Now...on to other changes (Bugtraq folks probably won't care about the
rest of these as much as they are not security issues)...
Updated copyright notice on all relevent files
Just added a copyright notice for my work...nothing major
Changed vendor name as it appears in AVP's
It was still reporting Adtran, which they have had nothing to do
with l2tpd development in quite some time.
Add new sources of randomness, reading /dev/urandom
detailed above
Seed rand() with time()
also detailed above
Stubs available for egd randomness source, not implemented yet though
This is another source of randomness that will be available in the
future...I don't have the actual code in place to use it yet.
Don't close fd 0 as workaround for signal problems in daemon mode
This is not a great fix for this...but should at least make it work
better...a better fix should be forthcoming as more investigation
into what's causing these errors is made
Fix some off by 6 errors in avp handling
When dealing with the size of the value in an AVP, don't use the
length field of the AVP...at least not without subtracting 6 bytes
for the AVP header...I think there are more places for this to be
fixed in the code...haven't auditted all of the avp handling code
for this yet.
Oh...and one that I forgot to add in the CHANGELOG. Jean-Francois Dive
(the aforementioned Debian maintainer for this package) submitted a
rough draft of a l2tpd.conf.5 man page...I already know of at least
one error in it (the control pipe is l2tp-control, not
l2tpd-control), but I wanted to go ahead and get this release out
since there were security implications...patches to the man page (or
anything else in the software that would be useful) are greatfully
welcomed on the l2tpd-devel list (l2tpd-devel@l2tpd.org).
Further information about the l2tpd project is, as always, available
at http://www.l2tpd.org.
Thanks!
--
Jeff McAdams Email: jeffm@iglou.com
Head Network Administrator Voice: (502) 966-3848
IgLou Internet Services (800) 436-4456
(73237) /Jeff Mcadams <jeffm@iglou.com>/--(Ombruten)