123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758 |
- Version 1.0.36 August 26 2019
- * Fix compiling tinc with certain versions of the OpenSSL library.
- * Fix parsing some IPv6 addresses with :: in them.
- * Fix GraphDumpFile output to handle node names starting with a digit.
- * Fix a potential segmentation fault when fragmenting packets.
- Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their
- contributions to this version of tinc.
- Version 1.0.35 October 5 2018
- * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
- * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
- * Minor fixes in the documentation.
- Thanks to Amine Amri and Rafael Sadowski for their contributions to this
- version of tinc.
- Version 1.0.34 June 12 2018
- * Fix a potential segmentation fault when connecting to an IPv6 peer via a
- proxy.
- * Minor improvements to the build system.
- * Make the systemd service file identical to the one from the 1.1 branch.
- * Fix a potential problem causing IPv4 sockets to not work on macOS.
- Thanks to Maximilian Stein and Wang Liu Shuai for their contributions to this
- version of tinc.
- Version 1.0.33 November 4 2017
- * Allow compilation from a build directory.
- * Source code cleanups.
- * Fix some options specified on the command line not surviving a HUP signal.
- * Handle tun/tap device returning EPERM or EBUSY.
- * Disable PMTUDiscovery when TCPOnly is used.
- * Support the --runstatedir option of the autoconf 2.70.
- Thanks to Rafael Sadowski and Pierre-Olivier Mercier for their contributions to
- this version of tinc.
- Version 1.0.32 September 2 2017
- * Fix segmentation fault when using Cipher = none.
- * Fix Proxy = exec.
- * Support PriorityInheritance for IPv6 packets.
- * Fixes for Solaris tun/tap support.
- * Bind outgoing TCP sockets when ListenAddress is used.
- Thanks to Vittorio Gambaletta for his contribution to this version of tinc.
- Version 1.0.31 January 15 2017
- * Remove ExecStop in tinc@.service.
- Thanks to Élie Bouttier for his contribution to this version of tinc.
- Version 1.0.30 October 30 2016
- * Fix troubles connecting to some HTTP proxies.
- * Add mitigations for the Sweet32 attack when using a 64-bit block cipher.
- * Use AES256 and SHA256 as the default encryption and digest algorithms.
- Version 1.0.29 October 9 2016
- * Fix UDP communication with peers with link-local IPv6 addresses.
- * Ensure compatibility with OpenSSL 1.1.0.
- * Ensure autoreconf can be run without requiring autoconf-archive.
- * Log warnings about dropped packets only at debug level 5.
- Version 1.0.28 April 10 2016
- * Fix compilation on BSD platforms.
- * Add systemd service files.
- Version 1.0.27 April 10 2016
- * When using Proxy, let the proxy resolve hostnames if tinc can't.
- * Fixes and improvements of the DecrementTTL option.
- * Fixed the $NAME variable in subnet-up/down scripts for the local Subnets.
- * Fixed potentially wrong checksum generation when clamping the MSS.
- * Properly choose between the system's or our own copy of getopt.
- * Fixed compiling tinc for Cygwin with MinGW installed.
- * Added support for OS X utun interfaces.
- * Documentation updates and minor fixes.
- Thanks to Vittorio Gambaletta, LunarShaddow, Florian Weik and Nathan Stratton
- Treadway for their contributions to this version of tinc.
- Version 1.0.26 July 5 2015
- * Tinc now forces glibc to reload /etc/resolv.conf for every hostname lookup.
- * Fixed --logfile without a filename on Windows.
- * Ensure tinc can be compiled when using musl libc.
- Thanks to Jo-Philipp Wich for his contribution to this version of tinc.
- Version 1.0.25 December 22 2014
- * Documentation updates.
- * Support linking against -lresolv on Mac OS X.
- * Fix scripts on Windows when using the ScriptsInterpreter option.
- * Allow a minimum reconnect timeout to be specified.
- * Support PriorityInheritance on IPv6 sockets.
- Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss,
- Tomislav Čohar and VittGam for their contributions to this version of tinc.
- Version 1.0.24 May 11 2014
- * Various compiler hardening flags are enabled by default.
- * Updated support for Solaris, allowing switch mode on Solaris 11.
- * Configuration will now also be read from a conf.d directory.
- * Various updates to the documentation.
- * Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM.
- * Fixed a potential routing loop when IndirectData or TCPOnly is used and
- broadcast packets are being sent.
- * Improved security with constant time memcmp and stricter use of OpenSSL's
- RNG functions.
- * Fixed all issues found by Coverity.
- Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc
- Dachary and Steffan Karger for their contributions to this version of tinc.
- Version 1.0.23 October 19 2013
- * Start authentication immediately on outgoing connections (useful for sslh).
- * Fixed segfault when Name = $HOST but $HOST is not set.
- * Updated the build system and the documentation.
- * Clean up child processes left over from Proxy = exec.
- Version 1.0.22 August 13 2013
- * Fixed the combination of Mode = router and DeviceType = tap.
- * The $NAME variable is now set in subnet-up/down scripts.
- * Tinc now gives an error when unknown options are given on the command line.
- * Tinc now correctly handles a space between a short command line option and
- an optional argument.
- Thanks to Etienne Dechamps for his contribution to this version of tinc.
- Version 1.0.21 April 22 2013
- * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
- Thanks to Martin Schobert for auditing tinc and reporting this vulnerability.
- Version 1.0.20 March 03 2013
- * Use /dev/tap0 by default on FreeBSD and NetBSD when using switch mode.
- * Minor improvements and clarifications in the documentation.
- * Allow tinc to be cross-compiled with Android's NDK.
- * The discovered PMTU is now also applied to VLAN tagged traffic.
- * The LocalDiscovery option now makes use of all addresses tinc is bound to.
- * Fixed support for tunemu on iOS devices.
- * The PriorityInheritance option now also works with switch mode.
- * Fixed tinc crashing when using a SOCKS5 proxy.
- Thanks to Mesar Hameed, Vilbrekin and Martin Schürrer for their contributions
- to this version of tinc.
- Version 1.0.19 June 25 2012
- * Allow :: notation in IPv6 Subnets.
- * Add support for systemd style socket activation.
- * Allow environment variables to be used for the Name option.
- * Add basic support for SOCKS proxies, HTTP proxies, and proxying through an
- external command.
- Thanks to Anthony G. Basile and Michael Tokarev for their contributions to
- this version of tinc.
- Version 1.0.18 March 25 2012
- * Fixed IPv6 in switch mode by turning off DecrementTTL by default.
- * Allow a port number to be specified in BindToAddress, which also allows tinc
- to listen on multiple ports.
- * Add support for multicast communication with UML/QEMU/KVM.
- Version 1.0.17 March 10 2012
- * The DeviceType option can now be used to select dummy, raw socket, UML and
- VDE devices without needing to recompile tinc.
- * Allow multiple BindToAddress statements.
- * Decrement TTL value of IPv4 and IPv6 packets.
- * Add LocalDiscovery option allowing tinc to detect peers that are behind the
- same NAT.
- * Accept Subnets passed with the -o option when StrictSubnets = yes.
- * Disabling old RSA keys when generating new ones now also works properly on
- Windows.
- Thanks to Nick Hibma for his contribution to this version of tinc.
- Version 1.0.16 July 23 2011
- * Fixed a performance issue with TCP communication under Windows.
- * Fixed code that, during network outages, would cause tinc to exit when it
- thought two nodes with identical Names were on the VPN.
- Version 1.0.15 June 24 2011
- * Improved logging to file.
- * Reduced amount of process wakeups on platforms which support pselect().
- * Fixed ProcessPriority option under Windows.
- Version 1.0.14 May 8 2011
- * Fixed reading configuration files that do not end with a newline. Again.
- * Allow arbitrary configuration options being specified on the command line.
- * Allow all options in both tinc.conf and the local host config file.
- * Configurable replay window, UDP send and receive buffers for performance tuning.
- * Try harder to get UDP communication back after falling back to TCP.
- * Initial support for attaching tinc to a VDE switch.
- * DragonFly BSD support.
- * Allow linking with OpenSSL 1.0.0.
- Thanks to Brandon Black, Julien Muchembled, Michael Tokarev, Rumko and Timothy
- Redaelli for their contributions to this version of tinc.
- Version 1.0.13 Apr 11 2010
- * Allow building tinc without LZO and/or Zlib.
- * Clamp MSS of TCP packets in both directions.
- * Experimental StrictSubnets, Forwarding and DirectOnly options,
- giving more control over information and packets received from/sent to other
- nodes.
- * Ensure tinc never sends symbolic names for ports over the wire.
- Version 1.0.12 Feb 3 2010
- * Really allow fast roaming of hosts to other nodes in a switched VPN.
- * Fixes missing or incorrect environment variables when calling host-up/down
- and subnet-up/down scripts in some cases.
- * Allow port to be specified in Address statements.
- * Clamp MSS of TCP packets to the discovered path MTU.
- * Let two nodes behind NAT learn each others current UDP address and port via
- a third node, potentially allowing direct communications in a similar way to
- STUN.
- Version 1.0.11 Nov 1 2009
- * Fixed potential crash when the HUP signal is sent.
- * Fixes handling of weighted Subnets in switch and hub modes, preventing
- unnecessary broadcasts.
- * Works around a MinGW bug that caused packets to Windows nodes to always be
- sent via TCP.
- * Improvements to the PMTU discovery code, especially on Windows.
- * Use UDP again in certain cases where 1.0.10 was too conservative and fell
- back to TCP unnecessarily.
- * Allow fast roaming of hosts to other nodes in a switched VPN.
- Version 1.0.10 Oct 18 2009
- * Fixed potential crashes during shutdown and (in rare conditions) when other
- nodes disconnected from the VPN.
- * Improved NAT handling: tinc now copes with mangled port numbers, and will
- automatically fall back to TCP if direct UDP connection between nodes is not
- possible. The TCPOnly option should not have to be used anymore.
- * Allow configuration files with CRLF line endings to be read on UNIX.
- * Disable old RSA keys when generating new ones, and raise the default size of
- new RSA keys to 2048 bits.
- * Many fixes in the path MTU discovery code, especially when Compression is
- being used.
- * Tinc can now drop privileges and/or chroot itself.
- * The TunnelServer code now just ignores information from clients instead of
- disconnecting them.
- * Improved performance on Windows by using the new ProcessPriority option and
- by making the handling of packets received from the TAP-Win32 adapter more
- efficient.
- * Code cleanups: tinc now follows the C99 standard, copyright headers have
- been updated to include patch authors, checkpoint tracing and localisation
- features have been removed.
- * Support for (jailbroken) iPhone and iPod Touch has been added.
- Thanks to Florian Forster, Grzegorz Dymarek and especially Michael Tokarev for
- their contributions to this version of tinc.
- Version 1.0.9 Dec 26 2008
- * Fixed tinc as a service under Windows 2003.
- * Fixed reading configuration files that do not end with a newline.
- * Fixed crashes in situations where hostnames could not be resolved or hosts
- would disconnect at the same time as session keys were exchanged.
- * Improved default settings of tun and tap devices on BSD platforms.
- * Make IPv6 sockets bind only to IPv6 on Linux.
- * Enable path MTU discovery by default.
- * Fixed a memory leak that occurred when connections were closed.
- Thanks to Max Rijevski for his contributions to this version of tinc.
- Version 1.0.8 May 16 2007
- * Fixed some memory and resource leaks.
- * Made network sockets non-blocking under Windows.
- Thanks to Scott Lamb and "dnk" for their contributions to this version of tinc.
- Version 1.0.7 Jan 5 2007
- * Fixed a bug that caused slow network speeds on Windows.
- * Fixed a bug that caused tinc unable to write packets to the tun device on
- OpenBSD.
- Version 1.0.6 Dec 18 2006
- * More flexible detection of the LZO libraries when compiling.
- * Fixed a bug where broadcasts in switch and hub modes sometimes would not
- work anymore when part of the VPN had become disconnected from the rest.
- version 1.0.5 Nov 14 2006
- * Lots of small fixes.
- * Broadcast packets no longer grow in size with each hop. This should
- fix switch mode (again).
-
- * Generic host-up and host-down scripts.
- * Optionally dump graph in graphviz format to a file or a script.
- * Support LZO 2.0 and later.
- Thanks to Scott Lamb for his contributions to this version of tinc.
- version 1.0.4 May 4 2005
- * Fix switch and hub modes.
- * Optionally start scripts when a Subnet becomes (un)reachable.
- version 1.0.3 Nov 11 2004
- * Show error message when failing to write a PID file.
- * Ignore spaces at end of lines in config files.
- * Fix handling of late packets.
- * Unify BSD tun/tap device handling. This allows IPv6 on tun devices and
- anything on tap devices as long as the underlying OS supports it.
- * Handle IPv6 on Solaris tun devices.
- * Allow tinc to work properly under Windows XP SP2.
- * Allow VLAN tagged Ethernet frames in switch and hub mode.
- * Experimental PMTUDiscovery, TunnelServer and BlockingTCP options.
- version 1.0.2 Nov 8 2003
- * Fix address and hostname resolving under Windows.
- * Remove warnings about non-existing scripts and unsupported address families.
- * Use the event logger under Windows.
- * Fix quoting of filenames and command line arguments under Windows.
- * Strict checks for length incoming network packets and return values of
- cryptographic functions,
- * Fix a bug in metadata handling that made the tinc daemon abort.
- version 1.0.1 Aug 14 2003
- * Allow empty lines in config files.
- * Fix handling of spaces and backslashes in filenames under native Windows.
- * Allow scripts to be executed under native Windows.
- * Update documentation, make it less Linux specific.
- version 1.0 Aug 4 2003
- * Lots of small bugfixes and code cleanups.
- * Throughput doubled and latency reduced.
- * Added support for LZO compression.
- * No need to set MAC address or disable ARP anymore.
- * Added support for Windows 2000 and XP, both natively and in a Cygwin
- environment.
- version 1.0pre8 Sep 16 2002
- * More fixes for subnets with prefixlength undivisible by 8.
- * Added support for NetBSD and MacOS/X.
- * Switched from undirected graphs to directed graphs to avoid certain race
- conditions and improve scalability.
- * Generalized broadcasting and forwarding of protocol messages.
- * Cleanup of source code.
- version 1.0pre7 Apr 7 2002
- * Don't do blocking read()s when getting a signal.
- * Remove RSA key checking code, since it sometimes thinks perfectly good RSA
- keys are bad.
- * Fix handling of subnets when prefixlength isn't divisible by 8.
- version 1.0pre6 Mar 27 2002
- * Improvement of redundant links:
- * Non-blocking connects.
-
- * Protocol broadcast messages can no longer go into an infinite loop.
-
- * Graph algorithm updated to look harder for direct connections.
- * Good support for routing IPv6 packets over the VPN. Works on Linux,
- FreeBSD, possibly OpenBSD but not on Solaris.
- * Support for tunnels over IPv6 networks. Works on all supported
- operating systems.
- * Optional compression of UDP connections using zlib.
- * Optionally let UDP connections inherit TOS field of tunneled packets.
- * Optionally start scripts when certain hosts become (un)reachable.
- version 1.0pre5 Feb 9 2002
- * Security enhancements:
- * Added sequence number and optional message authentication code to
- the packets.
- * Configurable encryption cipher and digest algorithms.
- * More robust handling of dis- and reconnects.
- * Added a "switch" and a "hub" mode to allow bridging setups.
- * Preliminary support for routing of IPv6 packets.
- * Supports Linux, FreeBSD, OpenBSD and Solaris.
- It looks like this might be the last release before 1.0.
- version 1.0pre4 Jan 17 2001
- * Updated documentation; the documentation now reflects the
- configuration as it is.
- * Some internal changes to make tinc scale better for large
- networks, such as using AVL trees instead of linked lists for the
- connection list.
- * RSA keys can be stored in separate files if needed. See the
- documentation for more information.
- * tinc has now been reported to run on Linux PowerPC and FreeBSD x86.
- version 1.0pre3 Oct 31 2000
- * The protocol has been redesigned, and although some details are
- still under discussion, this is secure. Care has been taken to
- resist most, if not all, attacks.
-
- * Unfortunately this protocol is not compatible with earlier versions,
- nor are earlier versions compatible with this version. Because the
- older protocol has huge security flaws, we feel that not
- implementing backwards compatibility is justified.
- * Some data about the protocol:
- * It uses public/private RSA keys for authentication (this is the
- actual fix for the security hole).
- * All cryptographic functions have been taken out of tinc, instead
- it uses the OpenSSL library functions.
- * Offers support for multiple subnets per tinc daemon.
- * New is also the support for the universal tun/tap device. This
- means better portability to FreeBSD and Solaris.
- * tinc is tested to compile on Solaris, Linux x86, Linux alpha.
- * tinc now uses the OpenSSL library for cryptographic operations.
- More information on getting and installing OpenSSL is in the manual.
- This also means that the GMP library is no longer required.
- * Further, thanks to Enrique Zanardi, we have Spanish messages; Matias
- Carrasco provided us with a Spanish translation of the manual.
- What still needs to be done before 1.0:
- * Documentation. Especially since the protocol has changed, and a lot
- of configuration directives have been added.
- version 1.0pre2 May 31 2000
- * This version has been internationalized; and a Dutch translation has
- been included.
-
- * Two configuration variables have been added:
- * VpnMask - the IP network mask for the entire VPN, not just our
- subnet (as given by MyVirtualIP). The Redhat and Debian packages
- use this variable in their system startup scripts, but it is
- ignored by tinc.
- * Hostnames - if set to `yes', look up the names of IP addresses
- trying to connect to us. Default set to `no', to prevent lockups
- during lookups.
-
- * The system startup scripts for Debian and Redhat use
- /etc/tinc/nets.boot to find out which networks need to be started
- during system boot.
-
- * Fixes to prevent denial of service attacks by sending random data
- after connecting (and even when the connection has been established),
- either random garbage or just nonsensical protocol fields.
-
- * tinc will retry to connect upon startup, does not quit if it doesn't
- work the first time.
-
- * Hosts that are disconnected implicitly if we lose a connection get
- deleted from the internal list, to prevent hogging eachother with
- add and delete requests when the connection is restored.
-
-
- What still needs to be done before 1.0:
-
- * Documentation.
- * Failover ConnectTo lines, try another one if the first doesn't work.
- version 1.0pre1 May 12 2000
- * New meta-protocol
- * Various other bugfixes
- * Documentation updates
- version 0.3.3 Feb 9 2000
- * Fixed bug that made tinc stop working with latest kernels (Guus
- Sliepen)
- * Updated the manual
- version 0.3.2 Nov 12 1999
- * no more `Invalid filedescriptor' when working with multiple
- connections
- * forward unknown packets to uplink
- version 0.3.1 Oct 20 1999
- * fixed a bug where tinc would exit without a trace
- version 0.3 Aug 20 1999
- * pings now work immediately
- * all packet sizes get transmitted correctly
- version 0.2.26 Aug 15 1999
- * fixed some remaining bugs
- * --sysconfdir works with configure
- * last version before 0.3
- version 0.2.25 Aug 8 1999
- * improved stability, going towards 0.3 now.
- version 0.2.24 Aug 7 1999
- * added key aging, there's a new config variable, KeyExpire.
- * updated man and info pages
- version 0.2.23 Aug 5 1999
- * all known bugs fixed, this is a candidate for 0.3
- version 0.2.22 Apr 11 1999
- * multiconnection thing is now working nearly perfect :)
- version 0.2.21 Apr 10 1999
- * You shouldn't notice a thing, but a lot has changed wrt key
- management - except that it refuses to talk to versions < 0.2.20
- version 0.2.20
- version 0.2.19 Apr 3 1999
- * don't install a libcipher.so
- version 0.2.18 Apr 3 1999
- * blowfish library dynamically loaded upon execution
- * included Eric Young's IDEA library
- version 0.2.17 Apr 1 1999
- * tincd now re-executes itself in case of a segmentation fault.
- version 0.2.16 Apr 1 1999
- * wrote tincd.conf(5) man page, which still needs a lot of work.
- * config file now accepts and tolerates spaces, and any integer base
- for integer variables, and better error reporting. See
- doc/tincd.conf.sample for an example.
- version 0.2.15 Mar 29 1999
- * fixed bugs
- version 0.2.14 Feb 10 1999
- * added --timeout flag and PingTimeout configuration
- * did some first syslog cleanup work
- version 0.2.13 Jan 23 1999
- * bugfixes
- version 0.2.12 Jan 23 1999
- * fixed nauseating bug so that it would crash whenever a connection
- got lost
- version 0.2.11 Jan 22 1999
- * framework for multiple connections has been done
- * simple manpage for tincd
- version 0.2.10 Jan 18 1999
- * passphrase support added
- version 0.2.9 Jan 13 1999
- * bugs fixed.
- version 0.2.8 Jan 11 1999
- * a reworked protocol version
- * a ping/pong system
- * more reliable networking code
- * automatic reconnection
- * still does not work with more than one connection :)
- * strips MAC addresses before sending, so there's less overhead, and
- less redundancy
- version 0.2.7 Jan 3 1999
- * several updates to make extending more easy.
- version 0.2.6 Dec 20 1998
- * Point-to-Point connections have been established, including
- blowfish encryption and a secret key-exchange.
- version 0.2.5 Dec 16 1998
- * Project renamed to tinc, in honour of TINC.
- version 0.2.4 Dec 16 1998
- * now it really does ;)
- version 0.2.3 Nov 24 1998
- * it sort of works now
- version 0.2.2 Nov 20 1998
- * uses GNU gmp.
- version 0.2.1 Nov 14 1998
- * Bare version.
|