Version 1.7.11 of Mandos is released

Teddy Hogeborn teddy at recompile.se
Sat Oct 1 17:21:46 CEST 2016


Mandos 1.7.11 is released.  It is mostly a minor bug fix release, with a
very minor security fix.

How "very minor" is the security fix?  From 1.7.2 to 1.7.10, the
AddressSanitizer compilation option was used, but that option was meant
for debugging, not production, and the binaries produced were vulnerable
to privilege escalation exploits if they were set-uid, which they were
in the case of the Mandos client binaries.  However, the binaries for
the Mandos Client were *always* placed in a directory only readable by
root, so there was *never* any way to exploit this.  In any case, the
AddressSanitizer compilation option is now no longer used.

Version 1.7.11 (2016-10-01)
* Client
** Security fix: Don't compile with AddressSanitizer
* Server
** Bug fix: Find GnuTLS library when gnutls28-dev is not installed
** Bug fix: Include "Expires" and "Last Checker Status" in mandos-ctl
   verbose output
** New option for mandos-ctl: --dump-json

Debian package changes:

* debian/control (Source: mandos/Vcs-Bzr): Change to use HTTPS.
  (Vcs-Browser): - '' -

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
https://www.recompile.se/mandos
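
An audit for the condition described in this announcement, as an added example that is not part of the original message or of the Mandos code: it lists set-uid/set-gid files whose contents carry AddressSanitizer markers. The marker strings (a byte-search heuristic) and the default `/usr` root are assumptions of this example.

```python
import os
import stat
import sys

# Heuristic markers of an AddressSanitizer build (assumed for this example):
# the instrumentation's init symbol, the shared runtime's soname, and the
# name of the runtime's option variable.
ASAN_MARKERS = (b"__asan_init", b"libasan.so", b"ASAN_OPTIONS")


def is_setid(mode):
    """True for a regular file with the set-uid or set-gid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def asan_markers(data):
    """Return the markers present in a file's raw bytes."""
    return [m.decode() for m in ASAN_MARKERS if m in data]


def audit(root):
    """Walk root; return (path, markers) for set-id files built with ASan."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not is_setid(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    found = asan_markers(fh.read())
            except OSError:
                continue  # unreadable: root-only directories need a root run
            if found:
                findings.append((path, found))
    return findings


if __name__ == "__main__":
    for path, found in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(f"{path}: {', '.join(found)}")
```

Run it as root so that directories readable only by root, such as the one the announcement says holds the Mandos client binaries, are included in the walk.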