Package Release Info

nebula-1.10.3-bp160.1.1

Update Info: Base Release
Available in Package Hub : 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

nebula

nebula-cert

Change Logs

* Fri Feb 13 2026 Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.3:
  * Fix an issue where blocklist bypass is possible when using curve P256
    Any newly issued P256 based certificates will have their signature clamped
    to the low-s form.  Nebula will assert the low-s signature form when
    validating certificates in a future version

* Wed Jan 21 2026 Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.2:
  * Fix panic when using use_system_route_table

* Tue Jan 20 2026 Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.1:
  * Fix a bug where an unsafe route derived from the system route table could
    be lost on a config reload
  * Fix the PEM banner for ECDSA P256 public keys
  * Fix a bug in handshake processing when a peer sends an unexpected public key
  * Add a config option to control accepting recv_error packets which defaults
    to always

* Sat Dec 06 2025 Richard Rahl <rrahl0@opensuse.org>

- Update to version 1.10.0:
  * Support for ipv6 and multiple ipv4/6 addresses in the overlay
  * Add the ability to mark packets on linux to better target nebula packets in
    iptables/nftables
  * Add ECMP support for unsafe_routes
  * PKCS11 support for P256 keys when built with pkcs11 tag
  * default_local_cidr_any now defaults to false
  * Improve logging when a relay is in use on an inbound packet
  * Avoid fatal errors if rountines is > 1 on systems that <= 1
  * Log a warning if a firewall rule contains an any that negates a more
    restrictive filter
  * Accept encrypted CA passphrase from an environment variable
  * Allow handshaking with any trusted remote
  * Log only the count of blocklisted certificate fingerprints instead of the
    entire list
  * Don't fatal when the ssh server is unable to be configured successfully
  * Improve lost packet statistics
  * Honor remote_allow_list in hole punch response
- remove patch fix-CVE-2025-22869.patch, fixed upstream

* Sat Oct 11 2025 Richard Rahl <rrahl0@opensuse.org>

- update to version 1.9.7:
  * Disable sending recv_error messages when a packet is received outside the
    allowable counter window
  * Improve error messages and remove some unnecessary fatal conditions in the
    generic udp listener

* Wed Jul 23 2025 Richard Rahl <rrahl0@opensuse.org>

- update to version 1.9.6:
  * Support dropping inactive tunnels. This is disabled by default
  * Ensure the same relay tunnel is always used when multiple relay
    tunnels are present
  * Fix relay migration panic