New l2tpd release 0.68

From: Jeff Mcadams (jeffmat_private)
Date: Tue Aug 13 2002 - 07:31:43 PDT


    OK folks, there's a new release of l2tpd out there, version 0.68.
    
    The biggest change, and the reason that Bugtraq is getting a copy of
    this, is adding other sources of entropy for l2tpd to use.  All versions
    of l2tpd up to this point used the rand() function to generate random
    numbers, but didn't seed rand() with srand() *AT ALL*! (Hey, I didn't
    originally write it, folks ;).  rand() was used as a source for random
    numbers for tunnel, and session ids (which means that, previously, tunnel
    and session ids were predictable...not a big deal), but also for
    challenge generation in the challenge-response mechanism (which *IS* a
    big deal).
    
    So, we now seed rand() using time(), which sucks, but doesn't suck
    *nearly* as bad as not seeding rand() at all!  Suggestions for better
    seeds are welcome.  :)
    
    We also implemented the ability to read randomness from /dev/urandom,
    which hopefully is a better source of randomness (it is on Linux at
    least).
    
    So, if anyone is using the L2TP challenge-response authentication in
    l2tpd, you will almost assuredly want to upgrade to 0.68.  It's available
    at http://www.l2tpd.org/downloads/l2tpd-0.68.tar.gz.  For Debian users,
    the Debian maintainer of this package is preparing a security release
    update for it as we speak, it should be available before long (I'm not
    sure how long that process takes).  Any other distribution
    maintainers...I don't know who you are, don't have any contact with you,
    but I'd like to...get in touch with me and I can give you heads up in
    the future about security issues.
    
    Now...on to other changes (Bugtraq folks probably won't care about the
    rest of these as much as they are not security issues)...
    
    Updated copyright notice on all relevant files
        Just added a copyright notice for my work...nothing major
    
    Changed vendor name as it appears in AVP's
        It was still reporting Adtran, who have had nothing to do with
        l2tpd development in quite some time.
    
    Add new sources of randomness, reading /dev/urandom
        detailed above
    
    Seed rand() with time()
        also detailed above
    
    Stubs available for egd randomness source, not implemented yet though
        This is another source of randomness that will be available in the
        future...I don't have the actual code in place to use it yet.
    
    Don't close fd 0 as workaround for signal problems in daemon mode
        This is not a great fix for this...but should at least make it work
        better...a better fix should be forthcoming as more investigation
        into what's causing these errors is made
    
    Fix some off by 6 errors in avp handling
        When dealing with the size of the value in an AVP, don't use the
        length field of the AVP...at least not without subtracting 6 bytes
        for the AVP header...I think there are more places for this to be
        fixed in the code...haven't audited all of the avp handling code
        for this yet.
    
    Oh...and one that I forgot to add in the CHANGELOG.  Jean-Francois Dive
        (the aforementioned Debian maintainer for this package) submitted a
        rough draft of a l2tpd.conf.5 man page...I already know of at least
        one error in it (the control pipe is l2tp-control, not
        l2tpd-control), but I wanted to go ahead and get this release out
        since there were security implications...patches to the man page (or
        anything else in the software that would be useful) are gratefully
        welcomed on the l2tpd-devel list (l2tpd-develat_private).
    
    Further information about the l2tpd project is, as always, available at
    http://www.l2tpd.org.
    
    Thanks!
    -- 
    Jeff McAdams                            Email: jeffmat_private
    Head Network Administrator              Voice: (502) 966-3848
    IgLou Internet Services                        (800) 436-4456
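The three randomness sources the post describes, side by side, as an added C example that is not part of the original message or of l2tpd's code: an unseeded rand() (which the C standard defines to behave as srand(1)), the 0.68 interim time() seed together with the brute force an attacker would run against it, and a /dev/urandom reader that handles short reads. Function names are hypothetical, and the seed recovery assumes the attacker knows the daemon's start time to within the window it searches.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define CHALLENGE_LEN 16

/* Failure mode 1: rand() never seeded. The C standard says an unseeded
 * rand() behaves as if srand(1) had been called, so every daemon start
 * hands out the same challenge sequence. (Hypothetical function name.) */
void challenge_unseeded(unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Failure mode 2: seed once from the clock, as the 0.68 interim fix does.
 * The whole seed space is "seconds since the epoch near daemon start". */
void challenge_time_seeded(unsigned char *out, size_t n, time_t seed)
{
    srand((unsigned)seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Attacker's view of failure mode 2: given one observed challenge and a
 * rough idea of when the daemon started, try every seed within +/- window
 * seconds until the sequence matches. Returns the seed, or -1. */
long recover_time_seed(const unsigned char *observed, size_t n,
                       time_t center, int window)
{
    unsigned char cand[CHALLENGE_LEN];
    if (n > CHALLENGE_LEN)
        return -1;
    for (long s = (long)center - window; s <= (long)center + window; s++) {
        challenge_time_seeded(cand, n, (time_t)s);
        if (memcmp(cand, observed, n) == 0)
            return s;
    }
    return -1;
}

/* The better source: the kernel CSPRNG via /dev/urandom. Reads exactly n
 * bytes, looping over short reads and EINTR. Returns 0 on success, -1 on
 * failure; on failure the caller must refuse to issue a challenge rather
 * than fall back to rand(). */
int challenge_urandom(unsigned char *out, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, out + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (r == 0) {               /* EOF from urandom: treat as an error */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

static void hexdump(const char *label, const unsigned char *p, size_t n)
{
    printf("%-14s", label);
    for (size_t i = 0; i < n; i++)
        printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    unsigned char c[CHALLENGE_LEN];
    time_t start = time(NULL);

    challenge_unseeded(c, CHALLENGE_LEN);
    hexdump("unseeded:", c, CHALLENGE_LEN);    /* identical on every run */

    challenge_time_seeded(c, CHALLENGE_LEN, start);
    hexdump("time-seeded:", c, CHALLENGE_LEN);
    /* attacker only knows the start time to within about a minute */
    printf("recovered seed: %ld (actual %ld)\n",
           recover_time_seed(c, CHALLENGE_LEN, start + 17, 60), (long)start);

    if (challenge_urandom(c, CHALLENGE_LEN) == 0)
        hexdump("urandom:", c, CHALLENGE_LEN);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it twice: the "unseeded" line is the same both times, the time-seeded challenge is recovered in well under a second, and only the urandom line changes unpredictably. On a modern Linux, getrandom(2) (kernel 3.17 and later, glibc 2.25 and later) is preferable to opening the device: it needs no file descriptor and blocks until the pool is initialized, which /dev/urandom at early boot does not.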
    
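The AVP length handling from the "off by 6" item, as an added C example that is not part of the original message or of l2tpd's code. It follows the RFC 2661 AVP header layout (2 bytes of flags and a 10-bit length that includes the 6-byte header, 2 bytes vendor ID, 2 bytes attribute type), rejects lengths below 6 or beyond the packet, and derives the value size as length minus 6. Function and struct names are hypothetical, and the sample control-message bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2661 AVP header: 2 bytes flags+length (M, H, 4 reserved bits, 10-bit
 * length that INCLUDES this header), 2 bytes vendor ID, 2 bytes attribute
 * type. The value is whatever follows: length - 6 bytes of it. */
#define AVP_HDR_LEN  6
#define AVP_LEN_MASK 0x03ff
#define AVP_FLAG_M   0x8000
#define AVP_FLAG_H   0x4000

struct avp {
    int mandatory;
    int hidden;
    uint16_t vendor_id;
    uint16_t attr_type;
    const unsigned char *value;   /* points into the message buffer */
    size_t value_len;             /* length field minus AVP_HDR_LEN */
};

/* Parse one AVP at buf[0..avail). Returns bytes consumed (the length
 * field), or 0 if the AVP is malformed. (Hypothetical function name.) */
size_t avp_parse(const unsigned char *buf, size_t avail, struct avp *out)
{
    if (avail < AVP_HDR_LEN)
        return 0;                         /* not even a full header */
    uint16_t w = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t len = w & AVP_LEN_MASK;
    if (len < AVP_HDR_LEN)
        return 0;                         /* len - 6 would wrap to a huge size */
    if (len > avail)
        return 0;                         /* claims bytes the packet doesn't hold */
    out->mandatory = (w & AVP_FLAG_M) != 0;
    out->hidden = (w & AVP_FLAG_H) != 0;
    out->vendor_id = (uint16_t)((buf[2] << 8) | buf[3]);
    out->attr_type = (uint16_t)((buf[4] << 8) | buf[5]);
    out->value = buf + AVP_HDR_LEN;
    out->value_len = len - AVP_HDR_LEN;   /* the subtraction the changelog adds */
    return len;
}

/* Copy a value out with the destination size checked. Using the raw
 * length field here instead of value_len is the bug class in question:
 * it copies 6 bytes too many, reading past the AVP and possibly past dst.
 * Returns bytes copied, or -1 if dst is too small. */
int avp_copy_value(const struct avp *a, unsigned char *dst, size_t dst_len)
{
    if (a->value_len > dst_len)
        return -1;
    memcpy(dst, a->value, a->value_len);
    return (int)a->value_len;
}

/* Walk every AVP in a control-message body. Returns the AVP count, or -1
 * as soon as one AVP is malformed (the whole message should be dropped). */
int avp_count(const unsigned char *buf, size_t avail)
{
    int n = 0;
    size_t off = 0;
    while (off < avail) {
        struct avp a;
        size_t used = avp_parse(buf + off, avail - off, &a);
        if (used == 0)
            return -1;
        off += used;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: Message Type AVP (attr 0, value 1 = SCCRQ)
     * followed by a Host Name AVP (attr 7, value "l2tpd"). Both mandatory. */
    static const unsigned char msg[] = {
        0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
        0x80, 0x0b, 0x00, 0x00, 0x00, 0x07, 'l', '2', 't', 'p', 'd',
    };
    size_t off = 0;
    while (off < sizeof msg) {
        struct avp a;
        size_t used = avp_parse(msg + off, sizeof msg - off, &a);
        if (used == 0) {
            puts("malformed AVP");
            return 1;
        }
        printf("attr %u vendor %u M=%d value_len %zu (length field %zu)\n",
               a.attr_type, a.vendor_id, a.mandatory, a.value_len, used);
        off += used;
    }
    return 0;
}
```

The two rejections in avp_parse are the ones that matter for the audit the post says is still pending: a length below 6 turns `len - 6` into a huge unsigned size, and a length past the end of the packet makes every later value read out of bounds, so both cases have to fail before any code touches the value.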
    This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 09:31:51 PDT