[ANNOUNCE] WireGuard Snapshot `0.0.20191127` Available
Jason A. Donenfeld
Jason at zx2c4.com
Wed Nov 27 15:48:16 CET 2019
-----BEGIN PGP SIGNED MESSAGE-----
A new snapshot, `0.0.20191127`, has been tagged in the git repository.
Please note that this snapshot is a snapshot rather than a final
release that is considered secure and bug-free. WireGuard is generally
thought to be fairly stable, and most likely will not crash your
computer (though it may). However, as this is a snapshot, it comes
with no guarantees; it is not applicable for CVEs.
With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.
== Changes ==

  * wg-quick: android: check for null in binder cleanup functions

  This fixes a bug in Android 10 when using the kernel module.

  * messages: recalculate rekey max based on a one minute flood

  This is a mostly theoretical fix, but an interesting one nonetheless. The idea
  is that if we're nearing the reject limit, the rekey limit should probably be
  somewhat far away to give time for rekeying.

  * allowedips: safely dereference rcu roots
  * socket: remove redundant check of new4
  * allowedips: avoid double lock in selftest error case

  Some nits from sparse/spatch.

  * wg-quick: linux: only touch net.ipv4 for v4
  * wg-quick: linux: filter bogus injected packets and don't disable rpfilter

  I'm not very happy about adding iptables invocations to wg-quick(8), and maybe
  we'll get rid of this for the next snapshot, but publishing this now seems
  worthwhile. Essentially the problem is that an attacker on the same local
  network can send packets to a host that has a 0.0.0.0/0 VPN (not just
  wireguard) and do some mischief with an active protected TCP session. We
  mitigate this in wg-quick(8) by rejecting packets to the VPN local IP that
  don't come from the VPN interface. This isn't perfect and is kind of ugly, but
  it seems important to get something mostly working out there now, and we can
  refine this as suggestions come in.

  * qemu: work around build bug with powerpc64le
  * qemu: respect PATH when finding CBUILD
  * qemu: bump version

  Usual improvements to our QEMU test suite.

  * reresolve-dns: remove invalid anchors on regex match

  The DNS reresolution script now works when configurations have multiple peers.

  * tools: add syncconf command

  Long desired, `wg syncconf` now exists, which is like `setconf`, except it
  first gets the existing configuration and merges them in memory before writing
  back only the changes.

This snapshot contains commits from: Jason A. Donenfeld.
As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .
This snapshot is available in compressed tarball form here:
A PGP signature of that file decompressed is available here:
Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest
Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
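
The wg-quick(8) mitigation described in the announcement above (reject packets to the VPN local IP that don't come from the VPN interface), sketched as an added example; it is not code from this snapshot or from wg-quick itself. The function name `gen_filter`, the interface `wg0` and the addresses are assumptions for illustration, and the rule text is one way to express the filter with standard iptables matches.

```shell
#!/bin/sh
# Added example (not wg-quick's own code): emit iptables-restore input that
# drops packets addressed to the tunnel's local IPs unless they arrive on
# the tunnel interface. Interface name and addresses are constructed.

# gen_filter FAMILY IFACE ADDR...
#   FAMILY is 4 or 6; only addresses of that family produce rules, so the
#   output suits iptables-restore or ip6tables-restore respectively.
gen_filter() {
    family=$1 iface=$2
    shift 2
    rules=''
    for cidr in "$@"; do
        addr=${cidr%%/*}                 # strip the prefix length
        case $addr in
            *:*) fam=6 ;;
            *.*) fam=4 ;;
            *)   echo "skipping unparsable address: $cidr" >&2; continue ;;
        esac
        [ "$fam" = "$family" ] || continue
        # raw/PREROUTING is evaluated before connection tracking, so the
        # drop happens early. "! --src-type LOCAL" exempts the host's own
        # traffic to its VPN address, which arrives via lo, not the tunnel.
        rules="$rules-I PREROUTING ! -i $iface -d $addr -m addrtype ! --src-type LOCAL -j DROP
"
    done
    [ -n "$rules" ] || return 1          # no address of this family
    printf '*raw\n%sCOMMIT\n' "$rules"
}

# Constructed sample: one interface with a v4 and a v6 tunnel address.
# Review the output, then load it as root, for example:
#   gen_filter 4 wg0 10.0.0.2/32 | iptables-restore -n
gen_filter 4 wg0 10.0.0.2/32 fd00::2/128
gen_filter 6 wg0 10.0.0.2/32 fd00::2/128
```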