ChangeLog updates, bump version to 2.6.4

ChangeLog

 fwknop-2.6.4 (10//2014):
-    - [client] Bug fix to ensure that a User-Agent string can be specified
-      when the fwknop client uses wget via SSL to resolve the external IP
-      address. This closes issue #134 on github reported by Barry Allard. The
-      fwknop client now uses the wget '-U' option to specify the User-Agent
-      string with a default of "Fwknop/<version>". In addition, a new command
-      line argument "--use-wget-user-agent" to allow the default wget
-      User-Agent string to apply instead.
+    - [server] Added a UDP server mode so that SPA packets can be acquired via
+      UDP directly without having to use libpcap. This is an optional feature
+      since it opens a UDP port, but fwknopd is careful to never send anything
+      back to a client that sends data to this port. So, from the perspective
+      of an attacker or scanner, fwknopd remains invisible. This feature is
+      enabled in fwknopd either with a new command line argument --udp-server
+      or in the fwknopd.conf file with the ENABLE_UDP_SERVER variable. When
+      deployed in this mode, it is advisable to recompile fwknop beforehand
+      with './configure --enable-udp-server' so that fwknopd does not link
+      against libpcap.
+    - [server] Replaced all popen() and system() calls with execvpe() with no
+      usage of the environment. This is a security measure to not make use of
+      the shell for firewall command execution, and is supported on systems
+      where execvpe() is available.
     - (Gerry Reno) Added support for firewalld to the fwknopd daemon on RHEL 7
       and CentOS 7. This is implemented using the current firewalld '--direct
       --passthrough' capability which accepts raw iptables commands. More
@@ -23,6 +30,13 @@ fwknop-2.6.4 (10//2014):
           BeagleBone Black rev C running 3.8.13-bone50 #1 SMP Tue May 13
           13:24:52 UTC 2014 armv7l GNU/Linux
 
+    - [client] Bug fix to ensure that a User-Agent string can be specified
+      when the fwknop client uses wget via SSL to resolve the external IP
+      address. This closes issue #134 on github reported by Barry Allard. The
+      fwknop client now uses the wget '-U' option to specify the User-Agent
+      string with a default of "Fwknop/<version>". In addition, a new command
+      line argument "--use-wget-user-agent" to allow the default wget
+      User-Agent string to apply instead.
     - [python module] When an HMAC key is passed to spa_data_final() then
       default to HMAC SHA256 if no HMAC mode was specified.
 

VERSION

-2.6.3
+2.6.4

configure.ac

@@ -11,7 +11,7 @@ AC_PREREQ(2.62)
 
 dnl Define our name, version and email.
 m4_define(my_package,   [fwknop])
-m4_define(my_version,   [2.6.3])
+m4_define(my_version,   [2.6.4])
 m4_define(my_bug_email, [dstuart@dstuart.org])
 
 AC_INIT(my_package, my_version, my_bug_email)

fwknop.spec

@@ -13,7 +13,7 @@
 %define _mandir /usr/share/man
 
 Name:		fwknop
-Version:	2.6.3
+Version:	2.6.4
 Epoch:		1
 Release:	1%{?dist}
 Summary:	Firewall Knock Operator client.  An implementation of Single Packet Authorization.
@@ -142,6 +142,9 @@ fi
 %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/fwknop/access.conf
 
 %changelog
+* Mon Nov 10 2014 <mbr@cipherdyne.org> - 2.6.4
+- fwknop-2.6.4 release.
+
 * Mon Jul 28 2014 <mbr@cipherdyne.org> - 2.6.3
 - Removed gdbm and gdbm-devel dependencies since these are only
   needed if a user compiles fwknopd with the --disable-file-cache

win32/config.h

@@ -178,7 +178,7 @@
 #undef TIME_WITH_SYS_TIME
 
 /* Version number of package */
-#define VERSION "2.6.3"
+#define VERSION "2.6.4"
 
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */