Hey Everyone,

As of about 3 hours ago, Homebrew should have fwknop 2.6.2. It took awhile to get the maintainers of Homebrew to facilitate the merge. As usual, if there are any problems with the fwknop package please let me know.


On Mon, Apr 28, 2014 at 6:46 PM, Michael Rash <michael.rash@gmail.com> wrote:

fwknop-2.6.2 has been released:


This is a bug fix release that addresses the following as described in the ChangeLog:

    - [libfko] fix double free bug in SPA parser discovered with the new
      python SPA payload fuzzer (see the 'spa_encoding_fuzzing' branch which
      is not merged into the master branch yet).  This bug could be triggered
      in fwknopd with a malicious SPA payload, but only when GnuPG is used and
      when an attacker is in possession of valid GnuPG keys listed in the
      access.conf file. In other words, an arbitrary attacker cannot trigger
      this bug. Further, when Rijndael is used for SPA packet encryption, this
      bug cannot be triggered at all due to an length/format check towards the
      end of _rijndael_decrypt(). This bug was introduced in the 2.6.1
      development series, and no previous versions of fwknop are affected.

The spa_encoding_fuzzing branch will be merged back to master soon, and here is the fuzzer itself which behind the scenes uses a new #define to assist in the effort to fuzz libfko:


Additional releases in the 2.6.x series will be made to emphasize run time function, line, and branch test coverage.



"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
Fwknop-discuss mailing list