RELEASE NOTES
==============
TCPreen version 1.0.4 (stable release)

  This file lists major changes since version 1.0.0. It is meant for
users that have already used TCPreen before.


WHAT'S NEW BETWEEN STABLE VERSIONS 1.0.4 AND 1.0.3 ?
Minor security fixes.


1. Fixed remote Denial-Of-Service against hexadecimal log format:
------------------------------------------------------------------
  A bug in the hexadecimal and "stripped" log files format allowed any
remote client or server to interrupt execution of TCPreen. When a byte
of value 0xff (255) was received either way, hexadecimal log files
caused an error and TCPreen aborted. Stripped log files were not
affected by the bug because it failed to check for error condition
(this was fixed too).
  Other formats (ie. C-like and raw) were correctly implemented.

  Because TCPreen cannot use log files in multi-process mode, this bug
is not thought to be really dangerous, but can be rather annoying when
monitoring binary streams. Because of this limitations, production
systems, that most likely needs multi-process operation are normally
not affected. ONCE AGAIN, DO NOT USE TCPREEN IN PRODUCTION
ENVIRONMENT (at least, not yet).


2. Fixed stripped log format:
------------------------------
  The so-called "stripped" log files format was not correctly
implemented (it failed to check for I/O errors). This is now 
-hopefully- fixed.



WHAT'S NEW BETWEEN STABLE VERSIONS 1.0.3 AND 1.0.2 ?
Minor feature enhancement.


Partial support for old C library (namely Glibc 2.0):
------------------------------------------------------
  Replacement functions for systems that do not have getnameinfo()
and/or gai_strerror() were added. It is therefore now possible to use
TCPreen with old GNU libc 2.0 (and probably 2.1).
  In this case, IPv6 cannot be used however.



WHAT'S NEW BETWEEN STABLE VERSIONS 1.0.2 AND 1.0.1 ?
Code cleanup.


GNU gettext/libintl source stripped from official distribution:
----------------------------------------------------------------
  GNU gettext support has been updated. GNU gettext (libintl) is no
longer included in the distribution, which results in a smaller source
tarball and a quicker (but stilll huge) configure script.
  Please note that GNU gettext is still being used by TCPreen, as long
as it is *already* installed on your system (this is always the case if
you use the GNU C library, that is to say on GNU/Linux or GNU/Hurd).

  Non-english users are strongly encouraged to submit translation for
their native language.



WHAT'S NEW BETWEEN STABLE VERSIONS 1.0.1 AND 1.0.0 ?
Minor security fixes, minor bug fixes.


1. Safe log file opening:
--------------------------
  Various security checks are now done when trying to open a log file:
# ensure that the file is owned by the unprivileged user that tcpreen
is supposed to use,
# ensure that the log file is not a symbolic link (malicious users may
use this to alter critical files),
# ensure that the file was not modified during a race condition between
checking it and actually opening it.
If you were using links (either hard or symbolic) to real log files,
tcpreen will now refuse to operate (with error EPERM). This is an
inadequate use of log files. You should rather use scripts to rotate
script or whatever, as this is much less prone to security issues.

  Log files are now appended rather than erased when tcpreen is run
multiple times. This can be very handy for some users.


2. Anti-DNS spoofing:
----------------------
  DNS spoofing is now detected. In such circumstances, numeric address
will be displayed instead of spoofed hostname.


3. Long options segfault:
--------------------------
  Long options --inet and --inet6 would cause a segmentation fault
(SIGSEGV) in previous releases. Short options -4 and -6 were NOT
affected by this bug. Only systems that support long options are
affected, that is to say, systems that uses the GNU C library.

  This bug can probably not be exploited, as it consists of
dereferencing a pointer which is *always* NULL (unless you have an
unusual getopt_long() implementation).


--
Rmi Denis
remi@simphalempin.com

