[iodine] - Update to 0.7.0 to fix CVE-2014-4168 iodine: authentication bypass vulnerability (bz#1110339, bz#1
Pavel Alexeev
hubbitus at fedoraproject.org
Thu Aug 7 14:46:42 UTC 2014
commit a7a798a4b797676f957cce7d20efdf7990a78498
Author: Hubbitus <pahan at hubbitus.info>
Date: Thu Aug 7 18:46:30 2014 +0400
- Update to 0.7.0 to fix CVE-2014-4168 iodine: authentication bypass vulnerability (bz#1110339, bz#1110338 [bz#1110340, bz#1110341, bz#1110342]).
- Drop old Patch0: iodine-0.5.2-prefix.patch
- Rebase iodine-0.6.0-rc1.split-man.patch -> iodine-0.7.0.split-man.patch
- Some spec cleanup.
.gitignore | 9 +-
iodine-0.5.2-prefix.patch | 12 -
iodine-0.7.0.split-man.patch | 1090 ++++++++++++++++++++++++++++++++++++++++++
iodine.logrotate.client | 7 +
iodine.logrotate.server | 7 +
iodine.spec | 37 +-
sources | 10 +-
7 files changed, 1123 insertions(+), 49 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index df0e721..5e4b5bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,2 @@
/iodine-0.6.0-rc1.tar.gz
-/iodine.logrotate.client
-/iodine.logrotate.server
-/iodine-server.init
-/iodine-server.conf
-/iodine-client.init
-/iodine-client.conf
-/iodine-0.5.2-prefix.patch
-/iodine-0.6.0-rc1.split-man.patch
+/iodine-0.7.0.tar.gz
diff --git a/iodine-0.7.0.split-man.patch b/iodine-0.7.0.split-man.patch
new file mode 100644
index 0000000..2003320
--- /dev/null
+++ b/iodine-0.7.0.split-man.patch
@@ -0,0 +1,1090 @@
+diff -NurEbBH iodine-0.7.0.orig/Makefile iodine-0.7.0/Makefile
+--- iodine-0.7.0.orig/Makefile 2014-06-17 00:28:43.000000000 +0400
++++ iodine-0.7.0/Makefile 2014-07-25 18:34:06.000000000 +0400
+@@ -26,13 +26,13 @@
+ $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
+ chmod 755 $(DESTDIR)$(sbindir)/iodined
+ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
+- $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
+- chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
++ $(INSTALL) $(INSTALL_FLAGS) man/iodine{,d}.8 $(DESTDIR)$(mandir)/man8/
++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine{,d}.8
+
+ uninstall:
+ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
+ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
+- $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine{,d}.8
+
+ test: all
+ @echo "!! The check library is required for compiling and running the tests"
+diff -NurEbBH iodine-0.7.0.orig/Makefile.orig iodine-0.7.0/Makefile.orig
+--- iodine-0.7.0.orig/Makefile.orig 1970-01-01 03:00:00.000000000 +0300
++++ iodine-0.7.0/Makefile.orig 2014-07-25 18:32:06.000000000 +0400
+@@ -0,0 +1,104 @@
++prefix?=/usr/local
++sbindir=$(prefix)/sbin
++datadir=$(prefix)/share
++mandir=$(datadir)/man
++
++DESTDIR=
++
++INSTALL=install
++INSTALL_FLAGS=
++
++MKDIR=mkdir
++MKDIR_FLAGS=-p
++
++RM=rm
++RM_FLAGS=-f
++
++TARGETOS = `uname`
++
++all:
++ @(cd src; $(MAKE) TARGETOS=$(TARGETOS) all)
++
++install: all
++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir)
++ $(INSTALL) $(INSTALL_FLAGS) bin/iodine $(DESTDIR)$(sbindir)/iodine
++ chmod 755 $(DESTDIR)$(sbindir)/iodine
++ $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
++ chmod 755 $(DESTDIR)$(sbindir)/iodined
++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
++ $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
++
++uninstall:
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
++
++test: all
++ @echo "!! The check library is required for compiling and running the tests"
++ @echo "!! Get it at http://check.sf.net"
++ @(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all)
++
++clean:
++ @echo "Cleaning..."
++ @(cd src; $(MAKE) clean)
++ @(cd tests; $(MAKE) clean)
++ @rm -rf bin iodine-latest*
++
++#Helper target for windows/android zipfiles
++iodine-latest:
++ @rm -rf iodine-latest*
++ @mkdir -p iodine-latest
++ @echo "Create date: " > iodine-latest/VERSION.txt
++ @date >> iodine-latest/VERSION.txt
++ @echo "Git version: " >> iodine-latest/VERSION.txt
++ @git rev-parse HEAD >> iodine-latest/VERSION.txt
++ @for i in README CHANGELOG TODO; do cp $$i iodine-latest/$$i.txt; done
++ @unix2dos iodine-latest/*
++
++cross-android:
++ @(cd src; $(MAKE) base64u.c base64u.h)
++ @(cd src; ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk)
++
++iodine-latest-android.zip: iodine-latest
++ @mv iodine-latest iodine-latest-android
++ @mkdir -p iodine-latest-android/armeabi iodine-latest-android/x86
++ @$(MAKE) cross-android TARGET_ARCH_ABI=armeabi
++ @cp src/libs/armeabi/* iodine-latest-android/armeabi
++ @$(MAKE) cross-android TARGET_ARCH_ABI=x86
++ @cp src/libs/x86/* iodine-latest-android/x86
++ @cp README-android.txt iodine-latest-android
++ @zip -r iodine-latest-android.zip iodine-latest-android
++
++cross-mingw32:
++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc all)
++
++cross-mingw64:
++ @(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc all)
++
++iodine-latest-windows.zip: iodine-latest
++ @mv iodine-latest iodine-latest-windows
++ @mkdir -p iodine-latest-windows/64bit iodine-latest-windows/32bit
++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc clean all)
++ @i686-w64-mingw32-strip bin/iodine*
++ @for i in `ls bin`; do cp bin/$$i iodine-latest-windows/32bit/$$i.exe; done
++ @cp /usr/i686-w64-mingw32/bin/zlib1.dll iodine-latest-windows/32bit
++ @(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc clean all)
++ @x86_64-w64-mingw32-strip bin/iodine*
++ @for i in `ls bin`; do cp bin/$$i iodine-latest-windows/64bit/$$i.exe; done
++ @cp /usr/x86_64-w64-mingw32/bin/zlib1.dll iodine-latest-windows/64bit
++ @cp README-win32.txt iodine-latest-windows
++ @zip -r iodine-latest-windows.zip iodine-latest-windows
++
++cross-mingw:
++ @(cd src; $(MAKE) TARGETOS=windows32 CC=i686-mingw32-gcc all)
++
++iodine-latest-win32.zip: cross-mingw iodine-latest
++ @mv iodine-latest iodine-latest-win32
++ @mkdir -p iodine-latest-win32/bin
++ @i686-mingw32-strip bin/iodine*
++ @for i in `ls bin`; do cp bin/$$i iodine-latest-win32/bin/$$i.exe; done
++ @cp /usr/i686-mingw32/usr/bin/zlib1.dll iodine-latest-win32/bin
++ @cp README-win32.txt iodine-latest-win32
++ @zip -r iodine-latest-win32.zip iodine-latest-win32
++
+diff -NurEbBH iodine-0.7.0.orig/Makefile.rej iodine-0.7.0/Makefile.rej
+--- iodine-0.7.0.orig/Makefile.rej 1970-01-01 03:00:00.000000000 +0300
++++ iodine-0.7.0/Makefile.rej 2014-07-25 18:32:06.000000000 +0400
+@@ -0,0 +1,19 @@
++--- Makefile 2009-01-25 22:40:04.000000000 +0100
+++++ Makefile 2012-01-08 14:45:19.310809769 +0100
++@@ -41,13 +41,13 @@
++ $(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
++ chmod 755 $(DESTDIR)$(sbindir)/iodined
++ $(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
++- $(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
++- chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
+++ $(INSTALL) $(INSTALL_FLAGS) man/iodine{,d}.8 $(DESTDIR)$(mandir)/man8/
+++ chmod 644 $(DESTDIR)$(mandir)/man8/iodine{,d}.8
++
++ uninstall:
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
++ $(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
++- $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
+++ $(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine{,d}.8
++
++ test: all
++ @echo "!! The check library is required for compiling and running the tests"
+diff -NurEbBH iodine-0.7.0.orig/man/iodine.8 iodine-0.7.0/man/iodine.8
+--- iodine-0.7.0.orig/man/iodine.8 2014-06-17 00:28:43.000000000 +0400
++++ iodine-0.7.0/man/iodine.8 2014-07-25 18:51:15.000000000 +0400
+@@ -1,7 +1,7 @@
+ .\" groff -man -Tascii iodine.8
+ .TH IODINE 8 "JUN 2014" "User Manuals"
+ .SH NAME
+-iodine, iodined \- tunnel IPv4 over DNS
++iodine \- tunnel IPv4 over DNS
+ .SH SYNOPSIS
+ .B iodine [-v]
+
+@@ -41,44 +41,7 @@
+ .B ]
+ .I topdomain
+
+-.B iodined [-v]
+
+-.B iodined [-h]
+-
+-.B iodined [-c] [-s] [-f] [-D] [-u
+-.I user
+-.B ] [-t
+-.I chrootdir
+-.B ] [-d
+-.I device
+-.B ] [-m
+-.I mtu
+-.B ] [-l
+-.I listen_ip
+-.B ] [-p
+-.I port
+-.B ] [-n
+-(
+-.B auto
+-|
+-.I external_ip
+-)
+-.B ] [-b
+-.I dnsport
+-.B ] [-P
+-.I password
+-.B ] [-z
+-.I context
+-.B ] [-F
+-.I pidfile
+-.B ] [-i
+-.I max_idle_time
+-.B ]
+-.I tunnel_ip
+-.B [
+-.I /netmask
+-.B ]
+-.I topdomain
+ .SH DESCRIPTION
+ .B iodine
+ lets you tunnel IPv4 data through a DNS
+@@ -235,114 +198,6 @@
+ and these errors can be ignored.
+ Maximum useful value is 59, since iodined will close a client's
+ connection after 60 seconds of inactivity.
+-.SS Server Options:
+-.TP
+-.B -c
+-Disable checking the client IP address on all incoming requests.
+-By default, requests originating from non-matching IP addresses will be
+-rejected, however this will cause problems when requests are routed
+-via a cluster of DNS servers.
+-.TP
+-.B -s
+-Don't try to configure IP address or MTU.
+-This should only be used if you have already configured the device that will be
+-used.
+-.TP
+-.B -D
+-Increase debug level. Level 1 prints info about each RX/TX packet.
+-Implies the
+-.B -f
+-option.
+-On level 2 (\-DD) or higher, DNS queries will be printed literally.
+-When using Base128 upstream encoding, this is best viewed as
+-ISO Latin-1 text instead of (illegal) UTF-8.
+-This is easily done with : "LC_ALL=C luit iodined \-DD ..."
+-(see luit(1)).
+-.TP
+-.B -m mtu
+-Set 'mtu' as mtu size for the tun device.
+-This will be sent to the client on login, and the client will use the same mtu
+-for its tun device. Default 1130. Note that the DNS traffic will be
+-automatically fragmented when needed.
+-.TP
+-.B -l listen_ip
+-Make the server listen only on 'listen_ip' for incoming requests.
+-By default, incoming requests are accepted from all interfaces.
+-.TP
+-.B -p port
+-Make the server listen on 'port' instead of 53 for traffic.
+-If 'listen_ip' does not include localhost, this 'port' can be the same
+-as 'dnsport'.
+-.B Note:
+-You must make sure the dns requests are forwarded to this port yourself.
+-.TP
+-.B -n auto|external_ip
+-The IP address to return in NS responses. Default is to return the address used
+-as destination in the query.
+-If external_ip is 'auto', iodined will use externalip.net web service to
+-retrieve the external IP of the host and use that for NS responses.
+-.TP
+-.B -b dnsport
+-If this port is specified, all incoming requests not inside the tunnel domain
+-will be forwarded to this port on localhost, to be handled by a real dns.
+-If 'listen_ip' does not include localhost, this 'dnsport' can be the
+-same as 'port'.
+-.B Note:
+-The forwarding is not fully transparent, and not advised for use
+-in production environments.
+-.TP
+-.B -i max_idle_time
+-Make the server stop itself after max_idle_time seconds if no traffic have been received.
+-This should be combined with systemd or upstart on demand activation for being effective.
+-.SS Client Arguments:
+-.TP
+-.B nameserver
+-The nameserver to use to relay the dns traffic. This can be any relaying
+-nameserver or the server running iodined if reachable. This field can be
+-given as an IPv4/IPv6 address or as a hostname. This argument is optional,
+-and if not specified a nameserver will be read from the
+-.I /etc/resolv.conf
+-file.
+-.TP
+-.B topdomain
+-The dns traffic will be sent as queries for subdomains under
+-\'topdomain'. This is normally a subdomain to a domain you own. Use a short
+-domain name to get better throughput. If
+-.B nameserver
+-is the iodined server, then the topdomain can be chosen freely. This argument
+-must be the same on both the client and the server.
+-.SS Server Arguments:
+-.TP
+-.B tunnel_ip[/netmask]
+-This is the server's ip address on the tun interface. The client will be
+-given the next ip number in the range. It is recommended to use the
+-10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden
+-by specifying it here. Using a smaller network will limit the number of
+-concurrent users.
+-.TP
+-.B topdomain
+-The dns traffic is expected to arrive as queries for
+-subdomains under 'topdomain'. This is normally a subdomain to a domain you
+-own. Use a short domain name to get better throughput. This argument must be
+-the same on both the client and the server. Queries for domains other
+-than 'topdomain' will be forwarded when the \-b option is given, otherwise
+-they will be dropped.
+-.SH EXAMPLES
+-See the README file for both a quick test scenario, and a detailed description
+-of real-world deployment.
+-.SH SECURITY
+-Login is a relatively secure challenge-response MD5 hash, with the
+-password never passing the wire.
+-However, all other data is
+-.B NOT
+-encrypted in any way. The DNS traffic is also vulnerable to replay,
+-injection and man-in-the-middle attacks, especially when iodined is used
+-with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
+-On both server and client, use
+-.IR iptables ,
+-.I pf
+-or other firewalls to block all traffic coming in from the tun interfaces,
+-except to the used ssh or vpn ports.
+ .SH ENVIRONMENT
+ .SS IODINE_PASS
+ If the environment variable
+@@ -351,13 +206,6 @@
+ for one. The
+ .B -P
+ option still has precedence.
+-.SS IODINED_PASS
+-If the environment variable
+-.B IODINED_PASS
+-is set, iodined will use the value it is set to as password instead of asking
+-for one. The
+-.B -P
+-option still has precedence.
+ .SH SEE ALSO
+ The README file in the source distribution contains some more elaborate
+ information.
+diff -NurEbBH iodine-0.7.0.orig/man/iodine.8.orig iodine-0.7.0/man/iodine.8.orig
+--- iodine-0.7.0.orig/man/iodine.8.orig 1970-01-01 03:00:00.000000000 +0300
++++ iodine-0.7.0/man/iodine.8.orig 2014-06-17 00:28:43.000000000 +0400
+@@ -0,0 +1,368 @@
++.\" groff -man -Tascii iodine.8
++.TH IODINE 8 "JUN 2014" "User Manuals"
++.SH NAME
++iodine, iodined \- tunnel IPv4 over DNS
++.SH SYNOPSIS
++.B iodine [-v]
++
++.B iodine [-h]
++
++.B iodine [-4] [-6] [-f] [-r] [-u
++.I user
++.B ] [-P
++.I password
++.B ] [-m
++.I fragsize
++.B ] [-t
++.I chrootdir
++.B ] [-d
++.I device
++.B ] [-R
++.I rdomain
++.B ] [-m
++.I fragsize
++.B ] [-M
++.I namelen
++.B ] [-z
++.I context
++.B ] [-F
++.I pidfile
++.B ] [-T
++.I dnstype
++.B ] [-O
++.I downenc
++.B ] [-L
++.I 0|1
++.B ] [-I
++.I interval
++.B ]
++.B [
++.I nameserver
++.B ]
++.I topdomain
++
++.B iodined [-v]
++
++.B iodined [-h]
++
++.B iodined [-c] [-s] [-f] [-D] [-u
++.I user
++.B ] [-t
++.I chrootdir
++.B ] [-d
++.I device
++.B ] [-m
++.I mtu
++.B ] [-l
++.I listen_ip
++.B ] [-p
++.I port
++.B ] [-n
++(
++.B auto
++|
++.I external_ip
++)
++.B ] [-b
++.I dnsport
++.B ] [-P
++.I password
++.B ] [-z
++.I context
++.B ] [-F
++.I pidfile
++.B ] [-i
++.I max_idle_time
++.B ]
++.I tunnel_ip
++.B [
++.I /netmask
++.B ]
++.I topdomain
++.SH DESCRIPTION
++.B iodine
++lets you tunnel IPv4 data through a DNS
++server. This can be useful in situations where Internet access is firewalled,
++but DNS queries are allowed. It needs a TUN/TAP device to operate. The
++bandwidth is asymmetrical,
++with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s
++downstream in a wired LAN test network.
++Realistic sustained throughput on a Wifi network using a carrier-grade
++DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s
++downstream.
++.B iodine
++is the client application,
++.B iodined
++is the server.
++
++Note: server and client are required to speak the exact same protocol. In most
++cases, this means running the same iodine version. Unfortunately, implementing
++backward and forward protocol compatibility is usually not feasible.
++.SH OPTIONS
++.SS Common Options:
++.TP
++.B -v
++Print version info and exit.
++.TP
++.B -h
++Print usage info and exit.
++.TP
++.B -f
++Keep running in foreground.
++.TP
++.B -u user
++Drop privileges and run as user 'user' after setting up tunnel.
++.TP
++.B -t chrootdir
++Chroot to 'chrootdir' after setting up tunnel.
++.TP
++.B -d device
++Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
++and otherwise tunX.
++.TP
++.B -P password
++Use 'password' to authenticate. If not used,
++.B stdin
++will be used as input. Only the first 32 characters will be used.
++.TP
++.B -z context
++Apply SELinux 'context' after initialization.
++.TP
++.B -F pidfile
++Create 'pidfile' and write process id in it.
++.SS Client Options:
++.TP
++.B -4
++Force IPv4 DNS queries
++.TP
++.B -6
++Force IPv6 DNS queries
++.TP
++.B -r
++Skip raw UDP mode. If not used, iodine will try getting the public IP address
++of the iodined host and test if it is reachable directly. If it is, traffic
++will be sent to the server instead of the DNS relay.
++.TP
++.B -R rdomain
++Use OpenBSD routing domain 'rdomain' for the DNS connection.
++.TP
++.B -m fragsize
++Force maximum downstream fragment size. Not setting this will cause the
++client to automatically probe the maximum accepted downstream fragment size.
++.TP
++.B -M namelen
++Maximum length of upstream hostnames, default 255.
++Usable range ca. 100 to 255.
++Use this option to scale back upstream bandwidth in favor of downstream
++bandwidth.
++Also useful for DNS servers that perform unreliably when using full-length
++hostnames, noticeable when fragment size autoprobe returns very
++different results each time.
++.TP
++.B -T dnstype
++DNS request type override.
++By default, autodetection will probe for working DNS request types, and
++will select the request type that is expected to provide the most bandwidth.
++However, it may turn out that a DNS relay imposes limits that skew the
++picture, which may lead to an "unexpected" DNS request type providing
++more bandwidth.
++In that case, use this option to override the autodetection.
++In (expected) decreasing bandwidth order, the supported DNS request types are:
++.IR NULL ,
++.IR PRIVATE ,
++.IR TXT ,
++.IR SRV ,
++.IR MX ,
++.I CNAME
++and
++.I A
++(returning CNAME).
++Note that
++.IR SRV ,
++.I MX
++and
++.I A
++may/will cause additional lookups by "smart" caching
++nameservers to get an actual IP address, which may either slow down or fail
++completely. The
++.IR PRIVATE
++type uses value 65399 (in the 'private use' range) and requires servers
++implementing RFC 3597.
++.TP
++.B -O downenc
++Force downstream encoding type for all query type responses except NULL.
++Default is autodetected, but may not spot all problems for the more advanced
++codecs.
++Use this option to override the autodetection.
++.I Base32
++is the lowest-grade codec and should always work; this is used when
++autodetection fails.
++.I Base64
++provides more bandwidth, but may not work on all nameservers.
++.I Base64u
++is equal to Base64 except in using underscore ('_')
++instead of plus sign ('+'), possibly working where
++.I Base64
++does not.
++.I Base128
++uses high byte values (mostly accented letters in iso8859-1),
++which might work with some nameservers.
++For TXT queries,
++.I Raw
++will provide maximum performance, but this will only work if the nameserver
++path is fully 8-bit-clean for responses that are assumed to be "legible text".
++.TP
++.B -L 0|1
++Lazy-mode switch.
++\-L1 (default): Use lazy mode for improved performance and decreased latency.
++A very small minority of DNS relays appears to be unable to handle the
++lazy mode traffic pattern, resulting in no or very little data coming through.
++The iodine client will detect this and try to switch back to legacy mode,
++but this may not always work.
++In these situations use \-L0 to force running in legacy mode
++(implies \-I1).
++.TP
++.B -I interval
++Maximum interval between requests (pings) so that intermediate DNS
++servers will not time out. Default is 4 in lazy mode, which will work
++fine in most cases. When too many SERVFAIL errors occur, iodine
++will automatically reduce this to 1.
++To get absolute minimum DNS traffic,
++increase well above 4, but not so high that SERVFAIL errors start to occur.
++There are some DNS relays with very small timeouts,
++notably dnsadvantage.com (ultradns), that will give
++SERVFAIL errors even with \-I1; data will still get trough,
++and these errors can be ignored.
++Maximum useful value is 59, since iodined will close a client's
++connection after 60 seconds of inactivity.
++.SS Server Options:
++.TP
++.B -c
++Disable checking the client IP address on all incoming requests.
++By default, requests originating from non-matching IP addresses will be
++rejected, however this will cause problems when requests are routed
++via a cluster of DNS servers.
++.TP
++.B -s
++Don't try to configure IP address or MTU.
++This should only be used if you have already configured the device that will be
++used.
++.TP
++.B -D
++Increase debug level. Level 1 prints info about each RX/TX packet.
++Implies the
++.B -f
++option.
++On level 2 (\-DD) or higher, DNS queries will be printed literally.
++When using Base128 upstream encoding, this is best viewed as
++ISO Latin-1 text instead of (illegal) UTF-8.
++This is easily done with : "LC_ALL=C luit iodined \-DD ..."
++(see luit(1)).
++.TP
++.B -m mtu
++Set 'mtu' as mtu size for the tun device.
++This will be sent to the client on login, and the client will use the same mtu
++for its tun device. Default 1130. Note that the DNS traffic will be
++automatically fragmented when needed.
++.TP
++.B -l listen_ip
++Make the server listen only on 'listen_ip' for incoming requests.
++By default, incoming requests are accepted from all interfaces.
++.TP
++.B -p port
++Make the server listen on 'port' instead of 53 for traffic.
++If 'listen_ip' does not include localhost, this 'port' can be the same
++as 'dnsport'.
++.B Note:
++You must make sure the dns requests are forwarded to this port yourself.
++.TP
++.B -n auto|external_ip
++The IP address to return in NS responses. Default is to return the address used
++as destination in the query.
++If external_ip is 'auto', iodined will use externalip.net web service to
++retrieve the external IP of the host and use that for NS responses.
++.TP
++.B -b dnsport
++If this port is specified, all incoming requests not inside the tunnel domain
++will be forwarded to this port on localhost, to be handled by a real dns.
++If 'listen_ip' does not include localhost, this 'dnsport' can be the
++same as 'port'.
++.B Note:
++The forwarding is not fully transparent, and not advised for use
++in production environments.
++.TP
++.B -i max_idle_time
++Make the server stop itself after max_idle_time seconds if no traffic have been received.
++This should be combined with systemd or upstart on demand activation for being effective.
++.SS Client Arguments:
++.TP
++.B nameserver
++The nameserver to use to relay the dns traffic. This can be any relaying
++nameserver or the server running iodined if reachable. This field can be
++given as an IPv4/IPv6 address or as a hostname. This argument is optional,
++and if not specified a nameserver will be read from the
++.I /etc/resolv.conf
++file.
++.TP
++.B topdomain
++The dns traffic will be sent as queries for subdomains under
++\'topdomain'. This is normally a subdomain to a domain you own. Use a short
++domain name to get better throughput. If
++.B nameserver
++is the iodined server, then the topdomain can be chosen freely. This argument
++must be the same on both the client and the server.
++.SS Server Arguments:
++.TP
++.B tunnel_ip[/netmask]
++This is the server's ip address on the tun interface. The client will be
++given the next ip number in the range. It is recommended to use the
++10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden
++by specifying it here. Using a smaller network will limit the number of
++concurrent users.
++.TP
++.B topdomain
++The dns traffic is expected to arrive as queries for
++subdomains under 'topdomain'. This is normally a subdomain to a domain you
++own. Use a short domain name to get better throughput. This argument must be
++the same on both the client and the server. Queries for domains other
++than 'topdomain' will be forwarded when the \-b option is given, otherwise
++they will be dropped.
++.SH EXAMPLES
++See the README file for both a quick test scenario, and a detailed description
++of real-world deployment.
++.SH SECURITY
++Login is a relatively secure challenge-response MD5 hash, with the
++password never passing the wire.
++However, all other data is
++.B NOT
++encrypted in any way. The DNS traffic is also vulnerable to replay,
++injection and man-in-the-middle attacks, especially when iodined is used
++with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
++On both server and client, use
++.IR iptables ,
++.I pf
++or other firewalls to block all traffic coming in from the tun interfaces,
++except to the used ssh or vpn ports.
++.SH ENVIRONMENT
++.SS IODINE_PASS
++If the environment variable
++.B IODINE_PASS
++is set, iodine will use the value it is set to as password instead of asking
++for one. The
++.B -P
++option still has precedence.
++.SS IODINED_PASS
++If the environment variable
++.B IODINED_PASS
++is set, iodined will use the value it is set to as password instead of asking
++for one. The
++.B -P
++option still has precedence.
++.SH SEE ALSO
++The README file in the source distribution contains some more elaborate
++information.
++.SH BUGS
++File bugs at http://dev.kryo.se/iodine/
++.SH AUTHORS
++Erik Ekman <yarrick at kryo.se> and Bjorn Andersson <flex at kryo.se>. Major
++contributions by Anne Bezemer.
+diff -NurEbBH iodine-0.7.0.orig/man/iodine.8.rej iodine-0.7.0/man/iodine.8.rej
+--- iodine-0.7.0.orig/man/iodine.8.rej 1970-01-01 03:00:00.000000000 +0300
++++ iodine-0.7.0/man/iodine.8.rej 2014-07-25 18:32:06.000000000 +0400
+@@ -0,0 +1,155 @@
++--- man/iodine.8 2009-12-29 21:10:02.000000000 +0100
+++++ man/iodine.8 2012-01-08 14:43:48.256155811 +0100
++@@ -39,38 +39,6 @@
++ .B ]
++ .I topdomain
++
++-.B iodined [-v]
++-
++-.B iodined [-h]
++-
++-.B iodined [-c] [-s] [-f] [-D] [-u
++-.I user
++-.B ] [-t
++-.I chrootdir
++-.B ] [-d
++-.I device
++-.B ] [-m
++-.I mtu
++-.B ] [-l
++-.I listen_ip
++-.B ] [-p
++-.I port
++-.B ] [-n
++-.I external_ip
++-.B ] [-b
++-.I dnsport
++-.B ] [-P
++-.I password
++-.B ] [-z
++-.I context
++-.B ] [-F
++-.I pidfile
++-.B ]
++-.I tunnel_ip
++-.B [
++-.I /netmask
++-.B ]
++-.I topdomain
++ .SH DESCRIPTION
++ .B iodine
++ lets you tunnel IPv4 data through a DNS
++@@ -214,55 +182,6 @@
++ and these errors can be ignored.
++ Maximum useful value is 59, since iodined will close a client's
++ connection after 60 seconds of inactivity.
++-.SS Server Options:
++-.TP
++-.B -c
++-Disable checking the client IP address on all incoming requests.
++-By default, requests originating from non-matching IP adresses will be
++-rejected, however this will cause problems when requests are routed
++-via a cluster of DNS servers.
++-.TP
++-.B -s
++-Don't try to configure IP address or MTU.
++-This should only be used if you have already configured the device that will be
++-used.
++-.TP
++-.B -D
++-Increase debug level. Level 1 prints info about each RX/TX packet.
++-Implies the
++-.B -f
++-option.
++-On level 2 (-DD) or higher, DNS queries will be printed literally.
++-When using Base128 upstream encoding, this is best viewed as
++-ISO Latin-1 text instead of (illegal) UTF-8.
++-This is easily done with : "LC_ALL=C luit iodined -DD ..."
++-(see luit(1)).
++-.TP
++-.B -m mtu
++-Set 'mtu' as mtu size for the tun device.
++-This will be sent to the client on login, and the client will use the same mtu
++-for its tun device. Default 1130. Note that the DNS traffic will be
++-automatically fragmented when needed.
++-.TP
++-.B -l listen_ip
++-Make the server listen only on 'listen_ip' for incoming requests.
++-By default, incoming requests are accepted from all interfaces.
++-.TP
++-.B -p port
++-Make the server listen on 'port' instead of 53 for traffic.
++-.B Note:
++-You must make sure the dns requests are forwarded to this port yourself.
++-.TP
++-.B -n external_ip
++-The IP address to return in NS responses. Default is to return the address used
++-as destination in the query.
++-.TP
++-.B -b dnsport
++-If this port is specified, all incoming requests not inside the tunnel domain
++-will be forwarded to this port on localhost, to be handled by a real dns.
++-.B Note:
++-The forwarding is not fully transparent, and not advised for use
++-in production environments.
++ .SS Client Arguments:
++ .TP
++ .B nameserver
++@@ -280,38 +199,6 @@
++ .B nameserver
++ is the iodined server, then the topdomain can be chosen freely. This argument
++ must be the same on both the client and the server.
++-.SS Server Arguments:
++-.TP
++-.B tunnel_ip[/netmask]
++-This is the server's ip address on the tun interface. The client will be
++-given the next ip number in the range. It is recommended to use the
++-10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overriden
++-by specifying it here. Using a smaller network will limit the number of
++-concurrent users.
++-.TP
++-.B topdomain
++-The dns traffic is expected to arrive as queries for
++-subdomains under 'topdomain'. This is normally a subdomain to a domain you
++-own. Use a short domain name to get better throughput. This argument must be
++-the same on both the client and the server. Queries for domains other
++-than 'topdomain' will be forwarded when the \-b option is given, otherwise
++-they will be dropped.
++-.SH EXAMPLES
++-See the README file for both a quick test scenario, and a detailed description
++-of real-world deployment.
++-.SH SECURITY
++-Login is a relatively secure challenge-response MD5 hash, with the
++-password never passing the wire.
++-However, all other data is
++-.B NOT
++-encrypted in any way. The DNS traffic is also vulnerable to replay,
++-injection and man-in-the-middle attacks, especially when iodined is used
++-with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
++-On both server and client, use
++-.IR iptables ,
++-.I pf
++-or other firewalls to block all traffic coming in from the tun interfaces,
++-except to the used ssh or vpn ports.
++ .SH ENVIRONMENT
++ .SS IODINE_PASS
++ If the environment variable
++@@ -320,16 +207,9 @@
++ for one. The
++ .B -P
++ option still has precedence.
++-.SS IODINED_PASS
++-If the environment variable
++-.B IODINED_PASS
++-is set, iodined will use the value it is set to as password instead of asking
++-for one. The
++-.B -P
++-option still has precedence.
++-.El
++ .SH SEE ALSO
++-The README file in the source distribution contains some more elaborate
+++\fBiodined\fR(8),
+++the README file in the source distribution contains some more elaborate
++ information.
++ .SH BUGS
++ File bugs at http://dev.kryo.se/iodine/
+diff -NurEbBH iodine-0.7.0.orig/man/iodined.8 iodine-0.7.0/man/iodined.8
+--- iodine-0.7.0.orig/man/iodined.8 1970-01-01 03:00:00.000000000 +0300
++++ iodine-0.7.0/man/iodined.8 2014-07-25 18:51:25.000000000 +0400
+@@ -0,0 +1,218 @@
++.\" groff -man -Tascii iodine.8
++.TH IODINE 8 "JUN 2014" "User Manuals"
++.SH NAME
++iodined \- tunnel IPv4 over DNS
++.SH SYNOPSIS
++.B iodined [-v]
++
++.B iodined [-h]
++
++.B iodined [-c] [-s] [-f] [-D] [-u
++.I user
++.B ] [-t
++.I chrootdir
++.B ] [-d
++.I device
++.B ] [-m
++.I mtu
++.B ] [-l
++.I listen_ip
++.B ] [-p
++.I port
++.B ] [-n
++(
++.B auto
++|
++.I external_ip
++)
++.B ] [-b
++.I dnsport
++.B ] [-P
++.I password
++.B ] [-z
++.I context
++.B ] [-F
++.I pidfile
++.B ] [-i
++.I max_idle_time
++.B ]
++.I tunnel_ip
++.B [
++.I /netmask
++.B ]
++.I topdomain
++.SH DESCRIPTION
++.B iodined
++lets you tunnel IPv4 data through a DNS
++server. This can be useful in situations where Internet access is firewalled,
++but DNS queries are allowed. It needs a TUN/TAP device to operate. The
++bandwidth is asymmetrical,
++with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s
++downstream in a wired LAN test network.
++Realistic sustained throughput on a Wifi network using a carrier-grade
++DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s
++downstream.
++.B iodine
++is the client application,
++.B iodined
++is the server.
++
++Note: server and client are required to speak the exact same protocol. In most
++cases, this means running the same iodine[d] version. Unfortunately, implementing
++backward and forward protocol compatibility is usually not feasible.
++.SH OPTIONS
++.SS Common Options:
++.TP
++.B -v
++Print version info and exit.
++.TP
++.B -h
++Print usage info and exit.
++.TP
++.B -f
++Keep running in foreground.
++.TP
++.B -u user
++Drop privileges and run as user 'user' after setting up tunnel.
++.TP
++.B -t chrootdir
++Chroot to 'chrootdir' after setting up tunnel.
++.TP
++.B -d device
++Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
++and otherwise tunX.
++.TP
++.B -P password
++Use 'password' to authenticate. If not used,
++.B stdin
++will be used as input. Only the first 32 characters will be used.
++.TP
++.B -z context
++Apply SELinux 'context' after initialization.
++.TP
++.B -F pidfile
++Create 'pidfile' and write process id in it.
++.SS Server Options:
++.TP
++.B -c
++Disable checking the client IP address on all incoming requests.
++By default, requests originating from non-matching IP addresses will be
++rejected, however this will cause problems when requests are routed
++via a cluster of DNS servers.
++.TP
++.B -s
++Don't try to configure IP address or MTU.
++This should only be used if you have already configured the device that will be
++used.
++.TP
++.B -D
++Increase debug level. Level 1 prints info about each RX/TX packet.
++Implies the
++.B -f
++option.
++On level 2 (\-DD) or higher, DNS queries will be printed literally.
++When using Base128 upstream encoding, this is best viewed as
++ISO Latin-1 text instead of (illegal) UTF-8.
++This is easily done with : "LC_ALL=C luit iodined \-DD ..."
++(see luit(1)).
++.TP
++.B -m mtu
++Set 'mtu' as mtu size for the tun device.
++This will be sent to the client on login, and the client will use the same mtu
++for its tun device. Default 1130. Note that the DNS traffic will be
++automatically fragmented when needed.
++.TP
++.B -l listen_ip
++Make the server listen only on 'listen_ip' for incoming requests.
++By default, incoming requests are accepted from all interfaces.
++.TP
++.B -p port
++Make the server listen on 'port' instead of 53 for traffic.
++If 'listen_ip' does not include localhost, this 'port' can be the same
++as 'dnsport'.
++.B Note:
++You must make sure the dns requests are forwarded to this port yourself.
++.TP
++.B -n auto|external_ip
++The IP address to return in NS responses. Default is to return the address used
++as destination in the query.
++If external_ip is 'auto', iodined will use externalip.net web service to
++retrieve the external IP of the host and use that for NS responses.
++.TP
++.B -b dnsport
++If this port is specified, all incoming requests not inside the tunnel domain
++will be forwarded to this port on localhost, to be handled by a real dns.
++If 'listen_ip' does not include localhost, this 'dnsport' can be the
++same as 'port'.
++.B Note:
++The forwarding is not fully transparent, and not advised for use
++in production environments.
++.TP
++.B -i max_idle_time
++Make the server stop itself after max_idle_time seconds if no traffic have been received.
++This should be combined with systemd or upstart on demand activation for being effective.
++.SS Client Arguments:
++.TP
++.B nameserver
++The nameserver to use to relay the dns traffic. This can be any relaying
++nameserver or the server running iodined if reachable. This field can be
++given as an IPv4/IPv6 address or as a hostname. This argument is optional,
++and if not specified a nameserver will be read from the
++.I /etc/resolv.conf
++file.
++.TP
++.B topdomain
++The dns traffic will be sent as queries for subdomains under
++\'topdomain'. This is normally a subdomain to a domain you own. Use a short
++domain name to get better throughput. If
++.B nameserver
++is the iodined server, then the topdomain can be chosen freely. This argument
++must be the same on both the client and the server.
++.SS Server Arguments:
++.TP
++.B tunnel_ip[/netmask]
++This is the server's ip address on the tun interface. The client will be
++given the next ip number in the range. It is recommended to use the
++10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden
++by specifying it here. Using a smaller network will limit the number of
++concurrent users.
++.TP
++.B topdomain
++The dns traffic is expected to arrive as queries for
++subdomains under 'topdomain'. This is normally a subdomain to a domain you
++own. Use a short domain name to get better throughput. This argument must be
++the same on both the client and the server. Queries for domains other
++than 'topdomain' will be forwarded when the \-b option is given, otherwise
++they will be dropped.
++.SH EXAMPLES
++See the README file for both a quick test scenario, and a detailed description
++of real-world deployment.
++.SH SECURITY
++Login is a relatively secure challenge-response MD5 hash, with the
++password never passing the wire.
++However, all other data is
++.B NOT
++encrypted in any way. The DNS traffic is also vulnerable to replay,
++injection and man-in-the-middle attacks, especially when iodined is used
++with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
++On both server and client, use
++.IR iptables ,
++.I pf
++or other firewalls to block all traffic coming in from the tun interfaces,
++except to the used ssh or vpn ports.
++.SH ENVIRONMENT
++.SS IODINED_PASS
++If the environment variable
++.B IODINED_PASS
++is set, iodined will use the value it is set to as password instead of asking
++for one. The
++.B -P
++option still has precedence.
++.SH SEE ALSO
++The README file in the source distribution contains some more elaborate
++information.
++.SH BUGS
++File bugs at http://dev.kryo.se/iodine/
++.SH AUTHORS
++Erik Ekman <yarrick at kryo.se> and Bjorn Andersson <flex at kryo.se>. Major
++contributions by Anne Bezemer.
diff --git a/iodine.logrotate.client b/iodine.logrotate.client
new file mode 100644
index 0000000..f8cc559
--- /dev/null
+++ b/iodine.logrotate.client
@@ -0,0 +1,7 @@
+/var/log/iodine-client.log {
+ missingok
+ create 0600 root root
+ postrotate
+ /etc/init.d/iodine-client condrestart > /dev/null 2>&1 || :
+ endscript
+}
diff --git a/iodine.logrotate.server b/iodine.logrotate.server
new file mode 100644
index 0000000..35b62e6
--- /dev/null
+++ b/iodine.logrotate.server
@@ -0,0 +1,7 @@
+/var/log/iodine-server.log {
+ missingok
+ create 0600 root root
+ postrotate
+ /etc/init.d/iodine-server condrestart > /dev/null 2>&1 || :
+ endscript
+}
diff --git a/iodine.spec b/iodine.spec
index 41d9a94..eb12987 100644
--- a/iodine.spec
+++ b/iodine.spec
@@ -1,14 +1,14 @@
-%global prerel -rc1
+#% global prerel -rc1
Name: iodine
-Version: 0.6.0
-Release: 0.rc1.12%{?dist}.1
+Version: 0.7.0
+Release: 1%{?dist}
Summary: Solution to tunnel IPv4 data through a DNS server
Summary(ru): Решение для туннелирования IPv4 трафика через DNS сервер
Group: System Environment/Daemons
License: ISC
URL: http://code.kryo.se/iodine/
-Source0: http://code.kryo.se/%{name}/%{name}-%{version}%{prerel}.tar.gz
+Source0: http://code.kryo.se/%{name}/%{name}-%{version}%{?prerel}.tar.gz
# Initscripts and separate configs made by Nikolay Ulyanitsky
Source1: %{name}-client.conf
Source2: %{name}-server.conf
@@ -24,12 +24,11 @@ Source8: %{name}-server.service
# It still needed for EPEL5
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-# http://dev.kryo.se/iodine/ticket/87
-Patch0: iodine-0.5.2-prefix.patch
-# http://lists.wpkg.org/pipermail/iodine-users/2012-January/000065.html
-Patch1: iodine-0.6.0-rc1.split-man.patch
-BuildRequires: zlib-devel
+# http://dev.kryo.se/iodine/ticket/119
+Patch1: iodine-0.7.0.split-man.patch
+
+BuildRequires: zlib-devel
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts
@@ -128,17 +127,15 @@ May be needed f.e. on CentOS.
Могут понадобиться например на CentOS.
%prep
-%setup -q -n %{name}-%{version}%{prerel}
-%patch0 -p0 -b .prefix
+%setup -q -n %{name}-%{version}%{?prerel}
%patch1 -p1 -b .split-man
%build
# It is fail to build without -c gcc flag (comes from upstream Makefile).
-make %{?_smp_mflags} PREFIX=%{_prefix} CFLAGS="-c %{optflags} -DLINUX"
+make %{?_smp_mflags} prefix=%{_prefix} CFLAGS="-c %{optflags} -DLINUX"
%install
-rm -rf %{buildroot}
-make install PREFIX=%{buildroot}%{_prefix}
+make install prefix=%{buildroot}%{_prefix}
install -Dp -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}-client
install -Dp -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}-server
@@ -152,9 +149,6 @@ install -Dp -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}-s
install -Dp -m 0644 %{SOURCE7} %{buildroot}/%{_unitdir}/%{name}-client.service
install -Dp -m 0644 %{SOURCE8} %{buildroot}/%{_unitdir}/%{name}-server.service
-%clean
-rm -rf %{buildroot}
-
%post client
%systemd_post %{name}-client.service
@@ -224,11 +218,9 @@ fi
/sbin/chkconfig --add %{name}-server >/dev/null 2>&1 || :
%files
-%defattr(-,root,root,-)
%doc CHANGELOG README TODO
%files client
-%defattr(-,root,root,-)
%{_sbindir}/%{name}
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-client
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}-client
@@ -237,7 +229,6 @@ fi
%{_unitdir}/%{name}-client.service
%files server
-%defattr(-,root,root,-)
%{_sbindir}/%{name}d
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-server
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}-server
@@ -246,6 +237,12 @@ fi
%{_unitdir}/%{name}-server.service
%changelog
+* Tue Jul 22 2014 Pavel Alexeev <Pahan at Hubbitus.info> - 0.7.0-1
+- Update to 0.7.0 to fix CVE-2014-4168 iodine: authentication bypass vulnerability (bz#1110339, bz#1110338 [bz#1110340, bz#1110341, bz#1110342]).
+- Drop old Patch0: iodine-0.5.2-prefix.patch
+- Rebase iodine-0.6.0-rc1.split-man.patch -> iodine-0.7.0.split-man.patch
+- Some spec cleanup.
+
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.6.0-0.rc1.12.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
diff --git a/sources b/sources
index 8be086a..b13f788 100644
--- a/sources
+++ b/sources
@@ -1,9 +1 @@
-37ffd972c64a8401836826c7b6f93bbf iodine.logrotate.server
-5b0091019b1041446f239e4c9648beaa iodine.logrotate.client
-4b5fee2882c3f289d7c5131e213dd584 iodine-server.init
-b3fef4514a892ffaaa9b031756786b3b iodine-server.conf
-aa061203c7b4e86f6849390e90da191f iodine-client.init
-3503689c59abaff2973a5190eec37013 iodine-client.conf
-a15bb4faba020d217016fde6e231074a iodine-0.6.0-rc1.tar.gz
-ea7ea39768804638eda426e03ec5b050 iodine-0.5.2-prefix.patch
-14653d20d5f55f3697e78e377040e85e iodine-0.6.0-rc1.split-man.patch
+fdbf3b81cd69caf5230d76a8b039fd99 iodine-0.7.0.tar.gz
More information about the scm-commits
mailing list