1
1
This NEWS file records noteworthy changes, very tersely.
2
2
See the manual for detailed information.
4
Version 1.7.20 (2018-08-19)
6
** Fix: Adapt to the Debian cryptsetup package 2.0.3 or later.
7
Important: in that version or later, the plugins "askpass-fifo",
8
"password-prompt", and "plymouth" will no longer be run, since they
9
would conflict with what cryptsetup is doing. Other plugins, such
10
as mandos-client and any user-supplied plugins, will still run.
11
** Better error message if failing to decrypt secret data
12
** Check for (and report) any key import failure from GPGME
13
** Better error message if self-signature verification fails
14
** Set system clock if not set; required by GnuPG for key import
15
** When debugging plugin-runner, it will now show starting plugins
17
Version 1.7.19 (2018-02-22)
19
** Do not print "unlink(...): No such file or directory".
20
** Bug fixes: Fix file descriptor leaks.
21
** Bug fix: Don't use leak sanitizer with leaking libraries.
23
Version 1.7.18 (2018-02-12)
25
** Bug fix: Revert faulty fix for a nonexistent bug in the
28
Version 1.7.17 (2018-02-10)
30
** Bug fix: Fix a memory leak in the plugin-runner
31
** Bug fix: Fix memory leaks in the plymouth plugin
33
Version 1.7.16 (2017-08-20)
35
** Bug fix: ignore "resumedev" entries in initramfs' cryptroot file
36
** Bug fix in plymouth plugin: fix memory leak, avoid warning output
38
Version 1.7.15 (2017-02-23)
40
** Bug fix: Respect the mandos.conf "zeroconf" and "restore" options
42
** Bug fix in mandos-keygen: Handle backslashes in passphrases
44
Version 1.7.14 (2017-01-25)
46
** Use "Requisite" instead of "RequisiteOverridable" in systemd
49
Version 1.7.13 (2016-10-08)
51
** Minor bug fix: Don't ask for passphrase or fail when generating
52
keys using GnuPG 2.1 in a chrooted environment.
54
Version 1.7.12 (2016-10-05)
56
** Bug fix: Don't crash after exit() when using DH parameters file
58
Version 1.7.11 (2016-10-01)
60
** Security fix: Don't compile with AddressSanitizer
62
** Bug fix: Find GnuTLS library when gnutls28-dev is not installed
63
** Bug fix: Include "Expires" and "Last Checker Status" in mandos-ctl
65
** New option for mandos-ctl: --dump-json
67
Version 1.7.10 (2016-06-23)
69
** Security fix: restrict permissions of /etc/mandos/plugin-helpers
71
** Bug fix: Make the --interface flag work with Python 2.7 when "cc"
74
Version 1.7.9 (2016-06-22)
76
** Do not include intro(8mandos) man page
78
Version 1.7.8 (2016-06-21)
80
** Include intro(8mandos) man page
81
** mandos-keygen: Use ECDSA SSH keys by default
82
** Bug fix: Work with GnuPG 2 when booting (Debian bug #819982)
83
by copying /usr/bin/gpg-agent into initramfs
85
** Bug fix: Work with GnuPG 2 (don't use --no-use-agent option)
86
** Bug fix: Make the --interface option work when using Python 2.7
87
by trying harder to find SO_BINDTODEVICE
89
Version 1.7.7 (2016-03-19)
91
** Fix bug in Plymouth client, broken since 1.7.2
93
Version 1.7.6 (2016-03-13)
95
** Fix bug where stopping server would time out
96
** Make server runnable with Python 3
98
Version 1.7.5 (2016-03-08)
100
** Fix security restrictions in systemd service file.
101
** Work around bug where stopping server would time out
103
Version 1.7.4 (2016-03-05)
105
** Bug fix: Tolerate errors from configure_networking (Debian Bug
107
** Compilation: Only use sanitizing options which work with the
108
compiler used when building. This should fix compilation with GCC
109
4.9 on mips, mipsel, and s390x.
111
** Add extra security restrictions in systemd service file.
113
Version 1.7.3 (2016-02-29)
115
** Bug fix: Remove new type of keyring directory user by GnuPG 2.1.
116
** Bug fix: Remove "nonnull" attribute from a function argument, which
117
would otherwise generate a spurious runtime warning.
119
Version 1.7.2 (2016-02-28)
121
** Stop using python-gnutls library; it was not updated to GnuTLS 3.3.
122
** Bug fix: Only send D-Bus signal ClientRemoved if using D-Bus.
123
** Use GnuPG 2 if available.
125
** Compile with various sanitizing flags.
127
Version 1.7.1 (2015-10-24)
129
** Bug fix: Can now really find Mandos server even if the server has
130
an IPv6 address on a network other than the one which the Mandos
133
Version 1.7.0 (2015-08-10)
135
** Bug fix: Handle local Zeroconf service name collisions better.
136
** Bug fix: Finally fix "ERROR: Child process vanished" bug.
137
** Bug fix: Fix systemd service file to start server correctly.
138
** Bug fix: Be compatible with old 2048-bit DSA keys.
139
** The D-Bus API now provides the standard D-Bus ObjectManager
140
interface, and deprecates older functionality. See the DBUS-API
141
file for the currently recommended API. Note: the original API
142
still works, but is deprecated.
144
** Can now find Mandos server even if the server has an IPv6 address
145
on a network without IPv6 Router Advertisment (like if the Mandos
146
client itself is the router, or there is an IPv6 router advertising
147
a network other than the one which the Mandos server is on.)
148
** Use a better value than 1024 for the default number of DH bits.
149
This better value is either provided by a DH parameters file (see
150
below) or an appropriate number of DH bits is determined based on
152
** Bug fix: mandos-keygen now generates correct output for the
153
"Checker" variable even if the SSH server on the Mandos client has
154
multiple SSH key types.
155
** Can now use pre-generated Diffie-Hellman parameters from a file.
157
Version 1.6.9 (2014-10-05)
159
** Changed to emit standard D-Bus signal when D-Bus properties change.
160
(The old signal is still emitted too, but marked as deprecated.)
162
Version 1.6.8 (2014-08-06)
164
** Bug fix: mandos-keygen now generates working SSH checker commands.
166
** Bug fix: "mandos-monitor" now really redraws screen on Ctrl-L.
167
** Now requires Python 2.7.
169
Version 1.6.7 (2014-07-17)
171
** Bug fix: Now compatible with GPGME 1.5.0.
172
** Bug fix: Fixed minor memory leaks.
174
** "mandos-monitor" now has verbose logging, toggleable with "v".
176
Version 1.6.6 (2014-07-13)
178
** If client host has an SSH server, "mandos-keygen --password" now
179
outputs "checker" option which uses "ssh-keyscan"; this is more
180
secure than the default "fping" checker.
181
** Bug fix: allow "." in network hook names, to match documentation.
182
** Better error messages.
184
** New --no-zeroconf option.
185
** Bug fix: Fix --servicename option, broken since 1.6.4.
186
** Bug fix: Fix --socket option work for --socket=0.
188
Version 1.6.5 (2014-05-11)
190
** Work around bug in GnuPG <http://bugs.g10code.com/gnupg/issue1622>
191
** Give better error messages when run without sufficient privileges
192
** Only warn if workaround for Debian bug #633582 was necessary and
193
failed, not if it failed and was unnecessary.
195
4
Version 1.6.4 (2014-02-16)
197
6
** Very minor fix to self-test code.