* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that the attacker has the
public key and the attacker needs to precompute the signature
data so that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
Update MASTER_SITES, remove sites that are down or no longer carry ssh2
and add some new.
- Turn Kerberos and group writeability support into knobs so one doesn't have to
edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace references to /etc/ssh2/* in man pages with references to
PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
found in the post-install target in the Makefile of the port, this is
already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
package versus installing the port. I.e. make the package create the host
key with whatever bits ssh-keygen2 defaults to (currently 2048) instead
of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
the examples if not already existent and create the directories for the
global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
i.e. configuration files that don't differ from the corresponding examples
and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
"/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
and seems more useful. One might want to patch ssh2 to also use login_cap(3)
so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
- Change MAINTAINER.
- Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Approved by: maintainer
Revert the change of pkg-install r1.3, it shouldn't be there.
Pointy hat to: me
Requested by: maintainer
Add a critical patch to fix a problem with normalization, which does not
cause problems in normal operation but might lead to a pagefault => crash.
Submitted by: Pyun YongHyeon <yongari@kt-is.co.kr>
Approved by: maintainer
Submitted by: maintainer
1. Upgrade Nmap to 3.30, which was released on Jun 29, 2003. Major enhancement is
OS fingerprints update. The fingerprint DB now contains almost 1000
fingerprints.
See ChangeLog at this link:
http://lists.insecure.org/lists/nmap-hackers/2003/Apr-Jun/0016.html
2. Renamed the patch files to be more descriptive.
4274 Emergency Dat release due to:
W32/COLEVO@MM - a Medium Risk Threat
In addition for this emergency release AVERT has
added detection for
W32/KLEXE@MM and
W32/MUMU.B.WORM.
These are emerging threats that while rated a
low risk have been reported to AVERT over this
past weekend and may potentially become a
greater risk before the regularly scheduled
DAT release.
***********************************************
- install missing document which was added during update to 2.1.14.
PR: ports/53932 (partly)
Submitted by: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Import hydra-2.2, based on PR/43942. This port is provided as a standalone
program to avoid installing a full Nessus scanner system.
Submitted by: Laurent LEVIER <llevier@argosnet.com>
* kill devel/libtool and move to devel/libtool13, upgrading to 1.3.5
* upgrade repo-copied devel/libtool14 to 1.4.3
* break out libltdl into its own separate port
* move to version-numbered binaries/scripts (ie: there is *no* 'libtool'
any more -- USE_LIBTOOL and USE_LIBTOOL_VER are your friends)
Approved by: portmgr (kris) - for the bsd.port.mk hooks
Tested by: bento 4-exp builds (repeatedly)
o Remove unnecessary patches for current.
o Add/remove users when installing/removing.
o Set permissions on virus database dir.
PR: ports/53305
Submitted by: Rob Evers <rob@debank.tv>
Approved by: TERAMOTO Masahiro <markun@onohara.to> (maintainer)
Submitted by: maintainer
Add two patches to solve the following problems:
patch-ab
- resolves a problem with a mbuf-tag in 5.1
- Submitted by: Pyun YongHyeon <yongari@kt-is.co.kr>
patch-ac
- pulls in two critical fixes from OpenBSD patch branch
- Obtained from: OpenBSD
Change BROKEN to IGNORE tag in Makefile, suggested by: kris@
&& bump PORTREVISION.
Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org>
Add prelude-manager 0.8.7, System central logging point of prelude Network
Intrusion Detection.
prelude-manager : the manager is the central logging point. It receives
alerts from sensors and logs them using one or several plugins (the default
logging being to a text file, but logging to a database is also possible -
and recommended).
Submitted by: Clement Laforet <sheepkiller@cultdeadsheep.org>
Add prelude-nids 0.8.1,
Sensor program of prelude Network Intrusion Detection System
prelude-nids : the Prelude Network Intrusion Detection System is a sensor,
that may be installed on the same machine as the manager or not, which watches
network traffic and looks for familiar patterns. This is functionally
equivalent to Snort (http://www.snort.org).
Submitted by: Vadim Kurland <vadim@vk.crocodile.org>
Add ports dependency: aclocal && gdk_pixbuf to build without problem,
and add patches for -current. Bump PORTREVISION as well.
Switch maintainership to Vadim Kurland <vadim@vk.crocodile.org>, who
is the developer of fwbuilder (approved by original maintainer).
Submitted by: Vadim Kurland <vadim@vk.crocodile.org>
Fixed libfwbuilder's dependency and bump PORTREVISION[1].
Switch maintainership to Vadim Kurland <vadim@vk.crocodile.org>, who
is the developer of fwbuilder (approved by original maintainer)[2].
[1]: also noticed by kris@
[2]: most parts of patch were from PR/53119, small adjustment was made by
me and reviewed by Vadim.
Turn on building clamd and clamdscan.
PR: 53056
Pointed out by: Olivier Tharan <olive@oban.frmug.org>
Submitted by: TERAMOTO Masahiro <markun@onohara.to>
Changes/update for myself
- Bring GNUTLS as optional flavor
Changes/update from KATO Tsuguru <tkato@prontomail.com> (thanks!)
- Do not install useless .la file
- Install .pc file to correct place
PR: ports/52769
Submitted by: Jim Geovedi <jim@corebsd.or.id>
Changes from KATO Tsuguru <tkato@prontomail.com> (thanks!)
- Do not install useless .la files
- Install .pc file to correct place
PR: ports/52767
Submitted by: Jim Geovedi <jim@corebsd.or.id>
Update to version 1.7.8
Fix build when MySQL logging is enabled
Add LOG_SERVER and ALT_LOG_SERVER tunables
Require LOG_SERVER be defined for clients
Have clients request config and signatures from server by default
Change TRUSTED_USER to a more accurate name (RUNAS_USER)
Fix sample config file install/deinstall
Add documentation on tunables
PR: ports/52912
Submitted by: David Thiel <lx@redundancy.redundancy.org>