27 February 2006

NuFW 1.0.21, minor security fix

This release fixes an issue related to a misuse of GnuTLS. An authenticated user using a specially modified client could by generating a lot of network traffic hang after a long delay one thread of the authentication server. This could cause nuauth to disfunction till the system destroys the concerned socket. In extreme cases this could lead to a denial of service on the authentication server.

1.0.21 also features some code cleaning.

The NuFW core team recommends users upgrade their nuauth installations.

The full changelog is as follow :
 libnuclient : free connection table when cleaning session
 nuauth : free nu_session if TLS negotiation fails
 nuauth : TLS sockets are now non-blocking to avoid potential Denial of service from authenticated users