[ANNOUNCE] WireGuard Snapshot `0.0.20191127` Available

Jason A. Donenfeld Jason at zx2c4.com
Wed Nov 27 15:48:16 CET 2019

Hash: SHA256


A new snapshot, `0.0.20191127`, has been tagged in the git repository.

Please note that this snapshot is a snapshot rather than a final
release that is considered secure and bug-free. WireGuard is generally
thought to be fairly stable, and most likely will not crash your
computer (though it may).  However, as this is a snapshot, it comes
with no guarantees; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * wg-quick: android: check for null in binder cleanup functions
  This fixes a bug in Android 10 when using the kernel module.
  * messages: recalculate rekey max based on a one minute flood
  This is a mostly theoretical fix, but an interesting one nonetheless. The idea
  is that if we're nearing the reject limit, the rekey limit should probably be
  somewhat far away to give time for rekeying.
  * allowedips: safely dereference rcu roots
  * socket: remove redundant check of new4
  * allowedips: avoid double lock in selftest error case
  Some nits from sparse/spatch.
  * wg-quick: linux: only touch net.ipv4 for v4
  * wg-quick: linux: filter bogus injected packets and don't disable rpfilter
  I'm not very happy about adding iptables invocations to wg-quick(8), and maybe
  we'll get rid of this for the next snapshot, but publishing this now seems
  worthwhile. Essentially the problem is that an attacker on the same local
  network can send packets to a host that has a VPN (not just
  wireguard) and do some mischief with an active protected TCP session. We
  mitigate this in wg-quick(8) by rejecting packets to the VPN local IP that
  don't come from the VPN interface. This isn't perfect and is kind of ugly, but
  it seems important to get something mostly working out there now, and we can
  refine this as suggestions come in.
  * qemu: work around build bug with powerpc64le
  * qemu: respect PATH when finding CBUILD
  * qemu: bump version
  Usual improvements to our QEMU test suite.
  * reresolve-dns: remove invalid anchors on regex match
  The DNS reresolution script now works when configurations have multiple peers.
  * tools: add syncconf command
  Long desired, `wg synconf` now exists, which is like `setconf`, except it
  first gets the existing configuration and merges them in memory before writing
  back only the changes.

This snapshot contains commits from: Jason A. Donenfeld.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  SHA2-256: 7d4e80a6f84564d4826dd05da2b59e8d17645072c0345d0fc0d197be176c3d06
  BLAKE2b-256: 4d8281b0e6505853c636a9f329a983014019e3fde110bf750d242de0e15edfb6

A PGP signature of that file decompressed is available here:
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld



More information about the WireGuard mailing list