nebula/nebula.changes

-------------------------------------------------------------------
Fri Feb 13 13:23:16 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.3:
  * Fix an issue where blocklist bypass is possible when using curve P256
    Any newly issued P256 based certificates will have their signature clamped
    to the low-s form.  Nebula will assert the low-s signature form when
    validating certificates in a future version

-------------------------------------------------------------------
Wed Jan 21 20:34:05 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.2:
  * Fix panic when using use_system_route_table

-------------------------------------------------------------------
Tue Jan 20 23:44:43 UTC 2026 - Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.1:
  * Fix a bug where an unsafe route derived from the system route table could
    be lost on a config reload
  * Fix the PEM banner for ECDSA P256 public keys
  * Fix a bug in handshake processing when a peer sends an unexpected public key
  * Add a config option to control accepting recv_error packets which defaults
    to always

-------------------------------------------------------------------
Sat Dec  6 11:29:27 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.0:
  * Support for ipv6 and multiple ipv4/6 addresses in the overlay
  * Add the ability to mark packets on linux to better target nebula packets in
    iptables/nftables
  * Add ECMP support for unsafe_routes
  * PKCS11 support for P256 keys when built with pkcs11 tag
  * default_local_cidr_any now defaults to false
  * Improve logging when a relay is in use on an inbound packet
  * Avoid fatal errors if rountines is > 1 on systems that <= 1
  * Log a warning if a firewall rule contains an any that negates a more
    restrictive filter
  * Accept encrypted CA passphrase from an environment variable
  * Allow handshaking with any trusted remote
  * Log only the count of blocklisted certificate fingerprints instead of the
    entire list
  * Don't fatal when the ssh server is unable to be configured successfully
  * Improve lost packet statistics
  * Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream

-------------------------------------------------------------------
Sat Oct 11 14:48:33 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>

- update to version 1.9.7:
  * Disable sending recv_error messages when a packet is received outside the
    allowable counter window
  * Improve error messages and remove some unnecessary fatal conditions in the
    generic udp listener

-------------------------------------------------------------------
Wed Jul 23 13:31:01 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>

- update to version 1.9.6:
  * Support dropping inactive tunnels. This is disabled by default
  * Ensure the same relay tunnel is always used when multiple relay
    tunnels are present
  * Fix relay migration panic

-------------------------------------------------------------------
Wed Mar 12 08:57:08 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>

- add patch fix-CVE-2025-22869.patch, fixes bsc#1239387

-------------------------------------------------------------------
Fri Dec  6 17:28:15 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>

- update to 1.9.5:
  * Backport reestablish relays from cert-v2 to release-1.9
  * do not panic when loading a V2 CA certificate

-------------------------------------------------------------------
Tue Sep 10 08:26:36 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>

- update to 1.9.4:
  * Support UDP dialing with gVisor
  * Make some Nebula state programmatically available via control object
  * Switch internal representation of IPs to netip, to prepare for IPv6 support
  * Various dependency updates
  * Fix a bug on big endian hosts, like mips
  * Fix a rare panic if a local index collision happens
  * Fix integer wraparound in the calculation of handshake timeouts on 32-bit
- build the binaries non statically
- remove enable-pie.patch as it's not needed anymore, since we build the binaries
  manually, not using the Makefile anymore

-------------------------------------------------------------------
Fri Jun  7 06:10:38 UTC 2024 - Richard Rahl <rrahl0@disroot.org>

- update to version 1.9.3:
  * Initialize messageCounter to 2 instead of verifying later

-------------------------------------------------------------------
Mon Jun  3 23:08:15 UTC 2024 - Richard Rahl <rrahl0@disroot.org>

- update to version 1.9.2:
  * Ensure messageCounter is set before handshake is complete

-------------------------------------------------------------------
Wed May 29 21:39:44 UTC 2024 - Richard Rahl <rrahl0@disroot.org>

- update to version 1.9.1:
  * Fixed a potential deadlock in GetOrHandshake

-------------------------------------------------------------------
Thu May 16 23:07:47 UTC 2024 - Richard Rahl <rrahl0@disroot.org>

- update to version 1.9.0:
    * This release adds a new setting default_local_cidr_any that defaults to
      true to match previous behavior, but will default to false in the next
      release (1.10)
    * Added example service script for OpenRC
    * The SSH daemon now supports inlined host keys
    * The SSH daemon now supports certificates with sshd.trusted_cas
    * Config setting tun.unsafe_routes is now reloadable
    * Support for the deprecated local_range option has been removed
    * Remove the TCP round trip tracking metrics, as they never had correct data
    * Fixed a potential deadlock introduced in 1.8.1
    * Fixed support for Linux when IPv6 has been disabled at the OS level
    * DNS will return NXDOMAIN now when there are no results
    * Allow :: in lighthouse.dns.host
    * Capitalization of NotAfter fixed in DNS TXT response
    * Don't log invalid certificates. It is untrusted data and can cause a large
      volume of logs

-------------------------------------------------------------------
Tue Apr  9 06:08:08 UTC 2024 - Richard Rahl <rrahl0@proton.me>

- initial packaging