27 Commits

Author SHA256 Message Date
917ab35d88 Accepting request 1332861 from network:vpn
- Update to version 1.10.3:
  * Fix an issue where blocklist bypass is possible when using curve P256
    Any newly issued P256 based certificates will have their signature clamped
    to the low-s form.  Nebula will assert the low-s signature form when
    validating certificates in a future version (forwarded request 1332860 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1332861
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=13
2026-02-13 15:40:05 +00:00
Richard Rahl
4df371bdec - Update to version 1.10.3:
* Fix an issue where blocklist bypass is possible when using curve P256
    Any newly issued P256 based certificates will have their signature clamped
    to the low-s form.  Nebula will assert the low-s signature form when
    validating certificates in a future version

OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=26
2026-02-13 13:29:46 +00:00
8d43afbd9a Accepting request 1328570 from network:vpn
- Update to version 1.10.2:
  * Fix panic when using use_system_route_table (forwarded request 1328569 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1328570
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=12
2026-01-22 14:13:38 +00:00
Richard Rahl
0754e4697a Accepting request 1328569 from home:rrahl0
- Update to version 1.10.2:
  * Fix panic when using use_system_route_table

OBS-URL: https://build.opensuse.org/request/show/1328569
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=24
2026-01-21 20:50:44 +00:00
Richard Rahl
7ec8f8fd28 Accepting request 1328399 from home:rrahl0
- Update to version 1.10.1:
  * Fix a bug where an unsafe route derived from the system route table could
    be lost on a config reload
  * Fix the PEM banner for ECDSA P256 public keys
  * Fix a bug in handshake processing when a peer sends an unexpected public key
  * Add a config option to control accepting recv_error packets which defaults
    to always

OBS-URL: https://build.opensuse.org/request/show/1328399
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=23
2026-01-20 23:53:23 +00:00
95788e0bd9 Accepting request 1321349 from network:vpn
- Update to version 1.10.0:
  * Support for ipv6 and multiple ipv4/6 addresses in the overlay
  * Add the ability to mark packets on linux to better target nebula packets in
    iptables/nftables
  * Add ECMP support for unsafe_routes
  * PKCS11 support for P256 keys when built with pkcs11 tag
  * default_local_cidr_any now defaults to false
  * Improve logging when a relay is in use on an inbound packet
  * Avoid fatal errors if rountines is > 1 on systems that <= 1
  * Log a warning if a firewall rule contains an any that negates a more
    restrictive filter
  * Accept encrypted CA passphrase from an environment variable
  * Allow handshaking with any trusted remote
  * Log only the count of blocklisted certificate fingerprints instead of the
    entire list
  * Don't fatal when the ssh server is unable to be configured successfully
  * Improve lost packet statistics
  * Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream (forwarded request 1321348 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1321349
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=11
2025-12-08 10:54:23 +00:00
Richard Rahl
678918be63 Accepting request 1321348 from home:rrahl0
- Update to version 1.10.0:
  * Support for ipv6 and multiple ipv4/6 addresses in the overlay
  * Add the ability to mark packets on linux to better target nebula packets in
    iptables/nftables
  * Add ECMP support for unsafe_routes
  * PKCS11 support for P256 keys when built with pkcs11 tag
  * default_local_cidr_any now defaults to false
  * Improve logging when a relay is in use on an inbound packet
  * Avoid fatal errors if rountines is > 1 on systems that <= 1
  * Log a warning if a firewall rule contains an any that negates a more
    restrictive filter
  * Accept encrypted CA passphrase from an environment variable
  * Allow handshaking with any trusted remote
  * Log only the count of blocklisted certificate fingerprints instead of the
    entire list
  * Don't fatal when the ssh server is unable to be configured successfully
  * Improve lost packet statistics
  * Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream

OBS-URL: https://build.opensuse.org/request/show/1321348
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=21
2025-12-06 11:43:55 +00:00
99518d3f13 Accepting request 1310730 from network:vpn
- update to version 1.9.7:
  * Disable sending recv_error messages when a packet is received outside the
    allowable counter window
  * Improve error messages and remove some unnecessary fatal conditions in the
    generic udp listener (forwarded request 1310729 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1310730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=10
2025-10-11 20:51:06 +00:00
Richard Rahl
84ac28fc40 Accepting request 1310729 from home:rrahl0
- update to version 1.9.7:
  * Disable sending recv_error messages when a packet is received outside the
    allowable counter window
  * Improve error messages and remove some unnecessary fatal conditions in the
    generic udp listener

OBS-URL: https://build.opensuse.org/request/show/1310729
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=19
2025-10-11 14:59:40 +00:00
0a4d826805 Accepting request 1295367 from network:vpn
- update to version 1.9.6:
  * Support dropping inactive tunnels. This is disabled by default
  * Ensure the same relay tunnel is always used when multiple relay
    tunnels are present
  * Fix relay migration panic (forwarded request 1295366 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1295367
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=9
2025-07-24 16:44:47 +00:00
Richard Rahl
83844a4035 Accepting request 1295366 from home:rrahl0
- update to version 1.9.6:
  * Support dropping inactive tunnels. This is disabled by default
  * Ensure the same relay tunnel is always used when multiple relay
    tunnels are present
  * Fix relay migration panic

OBS-URL: https://build.opensuse.org/request/show/1295366
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=17
2025-07-23 15:15:49 +00:00
df883f1d8b Accepting request 1252352 from network:vpn
- add patch fix-CVE-2025-22869.patch, fixes bsc#1239387 (forwarded request 1252351 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1252352
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=8
2025-03-12 19:13:52 +00:00
Richard Rahl
562d06e54f Accepting request 1252351 from home:rrahl0
- add patch fix-CVE-2025-22869.patch, fixes bsc#1239387

OBS-URL: https://build.opensuse.org/request/show/1252351
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=15
2025-03-12 09:21:58 +00:00
13eefac736 Accepting request 1228828 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1228828
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=7
2024-12-08 10:37:28 +00:00
Richard Rahl
6aa859591d Accepting request 1228827 from home:rrahl0
- update to 1.9.5:
  * Backport reestablish relays from cert-v2 to release-1.9
  * do not panic when loading a V2 CA certificate

OBS-URL: https://build.opensuse.org/request/show/1228827
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=13
2024-12-06 17:32:15 +00:00
a89ff3dba2 Accepting request 1199852 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1199852
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=6
2024-09-10 19:14:31 +00:00
Richard Rahl
c447fe0946 Accepting request 1199851 from home:rrahl0
- update to 1.9.4:
  * Support UDP dialing with gVisor
  * Make some Nebula state programmatically available via control object
  * Switch internal representation of IPs to netip, to prepare for IPv6 support
  * Various dependency updates
  * Fix a bug on big endian hosts, like mips
  * Fix a rare panic if a local index collision happens
  * Fix integer wraparound in the calculation of handshake timeouts on 32-bit
- build the binaries non statically
- remove enable-pie.patch as it's not needed anymore, since we build the binaries
  manually, not using the Makefile anymore

OBS-URL: https://build.opensuse.org/request/show/1199851
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=11
2024-09-10 09:33:03 +00:00
11482a66d4 Accepting request 1179136 from network:vpn
- update to version 1.9.3:
  * Initialize messageCounter to 2 instead of verifying later (forwarded request 1179135 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1179136
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=5
2024-06-07 13:04:50 +00:00
Richard Rahl
58f538733a Accepting request 1179135 from home:rrahl0:upgrades
- update to version 1.9.3:
  * Initialize messageCounter to 2 instead of verifying later

OBS-URL: https://build.opensuse.org/request/show/1179135
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=9
2024-06-07 06:44:34 +00:00
eea79958fd Accepting request 1178401 from network:vpn
- update to version 1.9.2:
  * Ensure messageCounter is set before handshake is complete (forwarded request 1178400 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1178401
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=4
2024-06-05 15:39:10 +00:00
Richard Rahl
af11cfbb3f Accepting request 1178400 from home:rrahl0:upgrades
- update to version 1.9.2:
  * Ensure messageCounter is set before handshake is complete

OBS-URL: https://build.opensuse.org/request/show/1178400
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=7
2024-06-03 23:18:02 +00:00
05ed13c8fc Accepting request 1177650 from network:vpn
- update to version 1.9.1:
  * Fixed a potential deadlock in GetOrHandshake (forwarded request 1177649 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1177650
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=3
2024-05-30 13:33:39 +00:00
Richard Rahl
c70606bc3c Accepting request 1177649 from home:rrahl0:upgrades
- update to version 1.9.1:
  * Fixed a potential deadlock in GetOrHandshake

OBS-URL: https://build.opensuse.org/request/show/1177649
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=5
2024-05-29 21:45:16 +00:00
2207cd5213 Accepting request 1174693 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1174693
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=2
2024-05-17 18:05:43 +00:00
Richard Rahl
fc3733a861 Accepting request 1174692 from home:rrahl0:upgrades
- update to version 1.9.0:
    * This release adds a new setting default_local_cidr_any that defaults to
      true to match previous behavior, but will default to false in the next
      release (1.10)
    * Added example service script for OpenRC
    * The SSH daemon now supports inlined host keys
    * The SSH daemon now supports certificates with sshd.trusted_cas
    * Config setting tun.unsafe_routes is now reloadable
    * Support for the deprecated local_range option has been removed
    * Remove the TCP round trip tracking metrics, as they never had correct data
    * Fixed a potential deadlock introduced in 1.8.1
    * Fixed support for Linux when IPv6 has been disabled at the OS level
    * DNS will return NXDOMAIN now when there are no results
    * Allow :: in lighthouse.dns.host
    * Capitalization of NotAfter fixed in DNS TXT response
    * Don't log invalid certificates. It is untrusted data and can cause a large
      volume of logs

OBS-URL: https://build.opensuse.org/request/show/1174692
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=3
2024-05-16 23:16:34 +00:00
8f7cff3ab8 Accepting request 1167047 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1167047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nebula?expand=0&rev=1
2024-04-12 15:35:13 +00:00
c0b64a34f8 Accepting request 1166884 from home:rrahl0
OBS-URL: https://build.opensuse.org/request/show/1166884
OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=1
2024-04-11 14:11:02 +00:00