* Fix an issue where blocklist bypass is possible when using curve P256
Any newly issued P256 based certificates will have their signature clamped
to the low-s form. Nebula will assert the low-s signature form when
validating certificates in a future version
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=26
- Update to version 1.10.1:
* Fix a bug where an unsafe route derived from the system route table could
be lost on a config reload
* Fix the PEM banner for ECDSA P256 public keys
* Fix a bug in handshake processing when a peer sends an unexpected public key
* Add a config option to control accepting recv_error packets which defaults
to always
OBS-URL: https://build.opensuse.org/request/show/1328399
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=23
- Update to version 1.10.0:
* Support for ipv6 and multiple ipv4/6 addresses in the overlay
* Add the ability to mark packets on linux to better target nebula packets in
iptables/nftables
* Add ECMP support for unsafe_routes
* PKCS11 support for P256 keys when built with pkcs11 tag
* default_local_cidr_any now defaults to false
* Improve logging when a relay is in use on an inbound packet
* Avoid fatal errors if rountines is > 1 on systems that <= 1
* Log a warning if a firewall rule contains an any that negates a more
restrictive filter
* Accept encrypted CA passphrase from an environment variable
* Allow handshaking with any trusted remote
* Log only the count of blocklisted certificate fingerprints instead of the
entire list
* Don't fatal when the ssh server is unable to be configured successfully
* Improve lost packet statistics
* Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream (forwarded request 1321348 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1321349
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=11
- Update to version 1.10.0:
* Support for ipv6 and multiple ipv4/6 addresses in the overlay
* Add the ability to mark packets on linux to better target nebula packets in
iptables/nftables
* Add ECMP support for unsafe_routes
* PKCS11 support for P256 keys when built with pkcs11 tag
* default_local_cidr_any now defaults to false
* Improve logging when a relay is in use on an inbound packet
* Avoid fatal errors if rountines is > 1 on systems that <= 1
* Log a warning if a firewall rule contains an any that negates a more
restrictive filter
* Accept encrypted CA passphrase from an environment variable
* Allow handshaking with any trusted remote
* Log only the count of blocklisted certificate fingerprints instead of the
entire list
* Don't fatal when the ssh server is unable to be configured successfully
* Improve lost packet statistics
* Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream
OBS-URL: https://build.opensuse.org/request/show/1321348
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=21
- update to 1.9.4:
* Support UDP dialing with gVisor
* Make some Nebula state programmatically available via control object
* Switch internal representation of IPs to netip, to prepare for IPv6 support
* Various dependency updates
* Fix a bug on big endian hosts, like mips
* Fix a rare panic if a local index collision happens
* Fix integer wraparound in the calculation of handshake timeouts on 32-bit
- build the binaries non statically
- remove enable-pie.patch as it's not needed anymore, since we build the binaries
manually, not using the Makefile anymore
OBS-URL: https://build.opensuse.org/request/show/1199851
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=11
- update to version 1.9.0:
* This release adds a new setting default_local_cidr_any that defaults to
true to match previous behavior, but will default to false in the next
release (1.10)
* Added example service script for OpenRC
* The SSH daemon now supports inlined host keys
* The SSH daemon now supports certificates with sshd.trusted_cas
* Config setting tun.unsafe_routes is now reloadable
* Support for the deprecated local_range option has been removed
* Remove the TCP round trip tracking metrics, as they never had correct data
* Fixed a potential deadlock introduced in 1.8.1
* Fixed support for Linux when IPv6 has been disabled at the OS level
* DNS will return NXDOMAIN now when there are no results
* Allow :: in lighthouse.dns.host
* Capitalization of NotAfter fixed in DNS TXT response
* Don't log invalid certificates. It is untrusted data and can cause a large
volume of logs
OBS-URL: https://build.opensuse.org/request/show/1174692
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=3
