Release v1.9.7

Security

• Fix an issue where Nebula could incorrectly accept and process a packet from an erroneous source IP when the sender's
  certificate is configured with unsafe_routes (cert v1/v2) or multiple IPs (cert v2). (#1494)

Changed

• Disable sending recv_error messages when a packet is received outside the allowable counter window. (#1459)
• Improve error messages and remove some unnecessary fatal conditions in the Windows and generic udp listener. (#1453)

Release v1.9.6

Added

• Support dropping inactive tunnels. This is disabled by default in this release but can be enabled with tunnels.drop_inactive. See example config for more details. (#1413)

Fixed

• Fix Darwin freeze due to presence of some Network Extensions (#1426)
• Ensure the same relay tunnel is always used when multiple relay tunnels are present (#1422)
• Fix Windows freeze due to ICMP error handling (#1412)
• Fix relay migration panic (#1403)

Release v1.9.5

Added

• Gracefully ignore v2 certificates. (#1282)

Fixed

• Fix relays that refuse to re-establish after one of the remote tunnel pairs breaks. (#1277)

Release v1.9.4

Added

• Support UDP dialing with gVisor. (#1181)

Changed

• Make some Nebula state programmatically available via control object. (#1188)
• Switch internal representation of IPs to netip, to prepare for IPv6 support
  in the overlay. (#1173)
• Minor build and cleanup changes. (#1171, #1164, #1162)
• Various dependency updates. (#1195, #1190, #1174, #1168, #1167, #1161, #1147, #1146)

Fixed

• Fix a bug on big endian hosts, like mips. (#1194)
• Fix a rare panic if a local index collision happens. (#1191)
• Fix integer wraparound in the calculation of handshake timeouts on 32-bit targets. (#1185)

Release v1.9.3

Fixed

• Initialize messageCounter to 2 instead of verifying later. (#1156)

Release v1.9.2

Fixed

• Ensure messageCounter is set before handshake is complete. (#1154)

Release v1.9.1

Fixed

• Fixed a potential deadlock in GetOrHandshake. (#1151)

Release v1.9.0

Deprecated

• This release adds a new setting default_local_cidr_any that defaults to
  true to match previous behavior, but will default to false in the next
  release (1.10). When set to false, local_cidr is matched correctly for
  firewall rules on hosts acting as unsafe routers, and should be set for any
  firewall rules you want to allow unsafe route hosts to access. See the issue
  and example config for more details. (#1071, #1099)

Added

• Nebula now has an official Docker image nebulaoss/nebula that is
  distroless and contains just the nebula and nebula-cert binaries. You
  can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)

• Experimental binaries for loong64 are now provided. (#1003)

• Added example service script for OpenRC. (#711)

• The SSH daemon now supports inlined host keys. (#1054)

• The SSH daemon now supports certificates with sshd.trusted_cas. (#1098)

Changed

• Config setting tun.unsafe_routes is now reloadable. (#1083)

• Small documentation and internal improvements. (#1065, #1067, #1069, #1108,
  #1109, #1111, #1135)

• Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110,
  #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047,
  #1046, #1034, #1022)

Removed

• Support for the deprecated local_range option has been removed. Please
  change to preferred_ranges (which is also now reloadable). (#1043)

• We are now building with go1.22, which means that for Windows you need at
  least Windows 10 or Windows Server 2016. This is because support for earlier
  versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)

• Removed vagrant example, as it was unmaintained. (#1129)

• Removed Fedora and Arch nebula.service files, as they are maintained in the
  upstream repos. (#1128, #1132)

• Remove the TCP round trip tracking metrics, as they never had correct data
  and were an experiment to begin with. (#1114)

Fixed

• Fixed a potential deadlock introduced in 1.8.1. (#1112)

• Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)

• DNS will return NXDOMAIN now when there are no results. (#845)

• Allow :: in lighthouse.dns.host. (#1115)

• Capitalization of NotAfter fixed in DNS TXT response. (#1127)

• Don't log invalid certificates. It is untrusted data and can cause a large
  volume of logs. (#1116)

Release v1.8.2

Fixed

• Fix multiple routines when listen.port is zero. This was a regression introduced in v1.6.0. (#1057)

Changed

• Small dependency update for Noise. (#1038)

Release v1.8.1

Security

• Update golang.org/x/crypto, which includes a fix for CVE-2023-48795. (#1048)

Fixed

• Fix a deadlock introduced in v1.8.0 that could occur during handshakes. (#1044)

• Fix mobile builds. (#1035)