Bugtraq mailing list archives

New l2tpd release 0.68


From: Jeff Mcadams <jeffm () iglou com>
Date: Tue, 13 Aug 2002 10:31:43 -0400

OK folks, there's a new release of l2tpd out there, version 0.68.

The biggest change, and the reason that Bugtraq is getting a copy of
this, is adding other sources of entropy for l2tpd to use.  All versions
of l2tpd up to this point used the rand() function to generate random
numbers, but didn't seed rand() with srand() *AT ALL*! (Hey, I didn't
originally write it, folks ;).  rand() was used as a source for random
numbers for tunnel, and session ids (which means that, previously, tunnel
and session ids were predictable...not a big deal), but also for
challenge generation in the challenge-response mechanism (which *IS* a
big deal).

So, we now seed rand() using time(), which sucks, but doesn't suck
*nearly* as bad as not seeding rand() at all!  Suggestions for better
seeds are welcome.  :)

We also implemented the ability to read randomness from /dev/urandom,
which hopefully is a better source of randomness (it is on Linux at
least).

So, if anyone is using the L2TP challenge-response authentication in
l2tpd, you will almost assuredly want to upgrade to 0.68.  It's available
at http://www.l2tpd.org/downloads/l2tpd-0.68.tar.gz.  For Debian users,
the Debian maintainer of this package is preparing a security release
update for it as we speak, it should be available before long (I'm not
sure how long that process takes).  Any other distribution
maintainers...I don't know who you are, don't have any contact with you,
but I'd like to...get in touch with me and I can give you heads up in
the future about security issues.

Now...on to other changes (Bugtraq folks probably won't care about the
rest of these as much as they are not security issues)...

Updated copyright notice on all relevant files
    Just added a copyright notice for my work...nothing major

Changed vendor name as it appears in AVP's
    It was still reporting Adtran, which they have had nothing to do
    with l2tpd development in quite some time.

Add new sources of randomness, reading /dev/urandom
    detailed above

Seed rand() with time()
    also detailed above

Stubs available for egd randomness source, not implemented yet though
    This is another source of randomness that will be available in the
    future...I don't have the actual code in place to use it yet.

Don't close fd 0 as workaround for signal problems in daemon mode
    This is not a great fix for this...but should at least make it work
    better...a better fix should be forthcoming as more investigation
    into what's causing these errors is made

Fix some off by 6 errors in avp handling
    When dealing with the size of the value in an AVP, don't use the
    length field of the AVP...at least not without subtracting 6 bytes
    for the AVP header...I think there are more places for this to be
    fixed in the code...haven't audited all of the avp handling code
    for this yet.

Oh...and one that I forgot to add in the CHANGELOG.  Jean-Francois Dive
    (the aforementioned Debian maintainer for this package) submitted a
    rough draft of a l2tpd.conf.5 man page...I already know of at least
    one error in it (the control pipe is l2tp-control, not
    l2tpd-control), but I wanted to go ahead and get this release out
    since there were security implications...patches to the man page (or
    anything else in the software that would be useful) are gratefully
    welcomed on the l2tpd-devel list (l2tpd-devel () l2tpd org).

Further information about the l2tpd project is, as always, available at
http://www.l2tpd.org.

Thanks!
-- 
Jeff McAdams                            Email: jeffm () iglou com
Head Network Administrator              Voice: (502) 966-3848
IgLou Internet Services                        (800) 436-4456
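
The three randomness sources discussed in the announcement above (unseeded rand(), rand() seeded with time(), and /dev/urandom), compared side by side as an added example; this is not l2tpd code and not part of the original post. The function names and the 16-byte challenge length are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CHALLENGE_LEN 16   /* assumed length, for illustration only */

/* Challenge bytes from rand(), as the post describes for releases before 0.68.
 * `seed` simulates one process start: the C standard specifies that a
 * never-seeded rand() behaves exactly as if srand(1) had been called. */
static void rand_challenge(unsigned seed, unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Challenge bytes from the kernel pool. Returns 0 on success, -1 on failure;
 * on -1 the caller should refuse to issue a challenge (fail closed). */
static int urandom_challenge(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, n, f);   /* a short read counts as failure */
    fclose(f);
    return got == n ? 0 : -1;
}

/* Returns 1 when two challenges are byte-for-byte identical. */
static int same(const unsigned char *a, const unsigned char *b) { return memcmp(a, b, CHALLENGE_LEN) == 0; }

int main(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    time_t now = time(NULL);
    rand_challenge(1, a, sizeof a);               /* unseeded daemon, first start */
    rand_challenge(1, b, sizeof b);               /* unseeded daemon, after a restart */
    printf("unseeded rand(), two starts: %s\n", same(a, b) ? "IDENTICAL" : "differ");
    rand_challenge((unsigned)now, a, sizeof a);   /* time() seed */
    rand_challenge((unsigned)now, b, sizeof b);   /* another start in the same second */
    printf("time() seed, same second:    %s\n", same(a, b) ? "IDENTICAL" : "differ");
    if (urandom_challenge(a, sizeof a) != 0 || urandom_challenge(b, sizeof b) != 0) {
        fprintf(stderr, "cannot read /dev/urandom: refusing to issue challenges\n");
        return 1;
    }
    printf("/dev/urandom, two reads:     %s\n", same(a, b) ? "IDENTICAL" : "differ");
    return 0;
}
```

The first two cases print IDENTICAL on every run, which is why the time() seed only narrows the problem to knowing the start second, while the /dev/urandom reads differ.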

