Commit graph

5537 commits

Author SHA1 Message Date
obache
a39f5824f1 Add builtin OpenSSL support for Haiku. 2010-07-04 16:33:25 +00:00
manu
5523e42ab3 Added security/gnupg-pkcs11-scd version 0.7.0 2010-07-03 05:01:38 +00:00
manu
b216c70d9f gnupg-pkcs11 is a project to implement a BSD-licensed smart-card
daemon to enable the use of PKCS#11 tokens with GnuPG. The motivation
behind this project originates in the following two threads:

 * http://lists.gnupg.org/pipermail/gnupg-users/2006-February/027964.html
 * http://lists.gnupg.org/pipermail/gnupg-devel/2004-November/021522.html
 * http://lists.gnupg.org/pipermail/gnupg-users/2004-November/023673.html

PKCS#11 is the de-facto standard for accessing cryptographic tokens,
and thus we strongly disagree with WK's attitude towards it.

The patch mentioned in the above threads is unmaintained, so we
decided to implement PKCS#11 support "the right way". gnupg-pkcs11
is a (hopefully) drop-in replacement for the smart-card daemon
(scd) shipped with GnuPG.
2010-07-03 04:59:19 +00:00
manu
bf03c705fe Added security/pam-p11 version 0.1.5 2010-07-03 04:51:15 +00:00
manu
a3a02f1f30 Added security/libassuan2 version 2.0.0 2010-07-03 04:46:55 +00:00
manu
458e740aaa This is the IPC library used by GnuPG 2, GPGME and a few other packages. 2010-07-03 04:45:38 +00:00
joerg
0a0cb4c7db Use CHECK_BUILTIN.heimdal to prevent the fake-krb5-config target to be
defined twice.
2010-07-02 13:40:22 +00:00
joerg
48ed88db8c Don't include mk/bdb.m3.mk for the builtin heimdal. 2010-07-01 18:14:19 +00:00
joerg
d3bc94e4db Needs py-expat for build. Fix destdir. 2010-07-01 15:08:14 +00:00
manu
7316bda6d8 Roll back commit: this is pkgsrc freeze (sorry, I missed the message) 2010-06-29 13:42:10 +00:00
manu
ea561c5dd6 Added security/pam-p11-0.1.5 2010-06-29 07:31:28 +00:00
manu
127b26ca9e Pam_p11 is a pluggable authentication module (PAM) package for using
cryptographic PKCS#11 tokens such as smart cards and usb crypto
tokens for local authentication.

Pam_p11 implements two authentication modules:
* pam_p11_openssh authenticates the user against public keys found
in OpenSSH ~/.ssh/authorized_keys file.
* pam_p11_opensc authenticates the user against certificates found
in ~/.eid/authorized_certificates.
2010-06-29 07:29:32 +00:00
roy
d2c75b8d95 New version, 2.2.5. Fixes PR pkg/43528.
No upstream changelog.
2010-06-28 15:26:44 +00:00
joerg
595e4fd9b3 DESTDIR support 2010-06-28 10:13:01 +00:00
wiz
666b3282fb Remove configure override for funopen detection.
Aleksey Cheusov reports in PR 43519 that this fixes a problem on Linux,
and the function is still properly detected on NetBSD-5.99.31.
2010-06-25 22:11:10 +00:00
obache
3c6819e284 * fixes DESTDIR installation
* define TEST_TARGET.
2010-06-25 06:28:09 +00:00
joerg
65a6bb23ef Fix dependency pattern 2010-06-19 14:21:57 +00:00
taca
18b1c866a4 Update F-PROT Antivirus to 6.0.3.1.
pkgsrc changes:

* Fix PKGNAME to really intended to.
* Some permission problem with using scan-mail.pl


6.0.3 (Initially NetBSD only):

 - Scanning inside NSIS (Nullsoft) installer files

 - Generic IFRAME exploit detection

 - Numerous additions to the Eldorado heuristic engine, making it
   significantly more powerful than before

 - Scanning of 7-Zip, ACE and "solid RAR" archives

 - Improved scanning of JavaScript files

 - List of detected malware now includes Eldorado heuristic detections

 - Much faster initial loading of ANTIVIR.DEF

 - Scan engine updated
2010-06-16 22:27:03 +00:00
pettai
07fae406e6 OpenDNSSEC 1.1.0:
* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys.
  Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er
  become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient
  For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3)
  configuration or rolling keys.
* Quicksorter defaults to class IN.

And a lot of bugfixes...
2010-06-16 00:19:08 +00:00
pettai
5ae886a44f courier-authlib-0.63.0:
* authldapescape.c: Factor out LDAP string escape function.
* authldap.schema: Various fixes
* authldap.ldif (olcObjectClasses): Create LDIF format schema from
  authldap.schema
* authoption.c (auth_getoptionenvint): For account options that
  are parsed to an int, an option value that begins with t, T, y, or Y
  is evaluated as 1, other alphabetic values as 0; so that 'true'
  or 'yes' get evaluated as 1.

(See the Changelog for the previous releases)

Based on patch(es) from PR pkg/42989 by Brian Candler
2010-06-15 23:10:44 +00:00
drochner
044c43a76d fix build against gnome-keyring-2.30, should fix PR pkg/43479
by Greg Oster
being here, disable avahi support which is mostly useless
2010-06-15 16:32:11 +00:00
wiz
27907a5dc3 Remove patch-aa, upstream's Simon Josefsson said:
The patch looks wrong to me, though, because stdint.h should be
generated in lib/gllib/ if the system does not have it (or if it is not
correct), and the -I's should make the code find the local file instead.
Thus, the code should be able to unconditionally include the header
file.
2010-06-15 12:25:50 +00:00
taca
0c8a725034 Add hpn-patch for OpenSSH 5.5p1.
No PKGREVISION bump since this option never worked
with OpenSSH 5.5p1 before.
2010-06-15 03:11:52 +00:00
jnemeth
10c178d9ae PR/43470 - Jack Lloyd -- update DESCR
While here, do some minor delinting and set LICENSE.
2010-06-14 18:27:54 +00:00
wiz
cec79fc3a7 PKGREVISION bump for png-1.4.x shlib change.
(missed those and *emacs* the first time round because they pull
in their png dependencies via default-on options; they were included
in the test bulk build though)
2010-06-14 15:33:12 +00:00
wiz
92e0cb52cb Bump PKGREVISION for libpng shlib name change.
Also add some patches to remove use of deprecated symbols and fix other
problems when looking for or compiling against libpng-1.4.x.
2010-06-13 22:43:46 +00:00
wiz
61fc48d446 Fix installation with latest gnome-doc-utils and depend on it. 2010-06-12 14:13:17 +00:00
martti
d87125c4ca Updated security/openssh to 5.5.1
Lots of changes, including

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Remove the libsectok/OpenSC-based smartcard code and add support for
   PKCS#11 tokens. This support is automatically enabled on all
   platforms that support dlopen(3) and was inspired by patches written
   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   or via a TrustedUserCAKeys option in sshd_config(5) (for user
   authentication), or in known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol extensions in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618
2010-06-11 20:41:41 +00:00
drochner
65c53682aa update to 2.30.1
This switches to the gnome-2.30 release branch

pkgsrc note: temporarily add a dependency on libgnome-keyring which
was split out of the old gnome-keyring pkg, so that client pkgs
get the same as before
2010-06-11 13:45:50 +00:00
wiz
2fe7cebbff Need pkg-config, add it to tools. 2010-06-10 21:18:16 +00:00
pettai
0c5e807e00 Corrected PLIST 2010-06-08 12:02:21 +00:00
wiz
e68140b047 Update to 1.8:
Noteworthy changes in version 1.8 (2010-05-06)
----------------------------------------------

 * Support for WindowsCE.

 * New option --list for gpg-error.

 * Interface changes relative to the 1.7 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_NOT_ENABLED           NEW.
 GPG_ERR_SOURCE_G13            NEW.
 GPG_ERR_NO_ENGINE             NEW.
 gpg_err_set_errno             NEW.
2010-06-08 10:15:32 +00:00
obache
80695c36cf Update xmlsec1 to 1.2.16.
* May 26 2010
  Changes in XML Security Library 1.2.16 release:
    * New xmlsec-gcrypt library.
    * xmlsec-gcrypt: Added RSA with SHA1/SHA256/SHA384/SHA512/MD5/RIPEMD160, DSA
      with SHA1, AES/DES KW support.
    * xmlsec-gnutls: Added X509 support and converted the library to use xmlsec-
      crypt library for all crypto operations.
    * xmlsec-mscrypto: RSA/OAEP and AES/DES KW support.
    * Several minor bug fixes and code cleanups.
* April 29 2010
  Changes in XML Security Library 1.2.15 release:
    * xmlsec-mscrypto: Added HMAC with MD5, SHA1, SHA256/384/512; RSA with MD5,
      SHA256/384/512 support.
    * xmlsec-mscrypto: Converted to Unicode (the non-Unicode builds are still
      available as compile time option).
    * xmlsec-nss: Added MD5 and SHA256/384/512 support for digest, HMAC and RSA
      (the new minimum required version for NSS library is 3.9).
    * xmlsec-gnutls: Added SHA256/384/512 for digest and HMAC; MD5 and RIPEMD160
      digests support (the new minimum required version for GnuTLS library is
      2.8.0).
    * Fixed typo: "Copyrigth" should be "Copyright".
    * Several critical bug fixes and code cleanups.
* December 5 2009
  Changes in XML Security Library 1.2.14 release:
    * XMLSec library is switched from built-in LTDL library to the system LTDL
      library on Linux/Unix and native calls on Windows to fix security issue
       (CVE-2009-3736) in LTDL.
    * Fixed minor bugs (see log for complete list).
2010-06-06 12:36:11 +00:00
obache
e851ff491c remove obsoleted @dirrm. 2010-06-06 11:52:31 +00:00
manu
fdb97fee57 Update to 1.1, which allows to select what timeframe should be validated:
assertion and/or session
2010-06-05 20:36:30 +00:00
wiz
86c6792f07 Update to 2.7:
* Noteworthy changes in release 2.7 (2010-05-20) [stable]
- Doc: Build a PDF manual using GTK-PDC.
- Doc: Fix of asn1_check_version, documentation was missing from last release.
- Build: Avoid warnings about ignored visibility attributes on Windows.
2010-06-05 10:53:25 +00:00
taca
290d8828fc Update security/sudo package to 1.7.2p7.
For more detail: http://www.sudo.ws/sudo/alerts/secure_path.html

Summary:
    Sudo "secure path" feature works by replacing the PATH environment
    variable with a value specified in the sudoers file, or at
    compile time if the --with-secure-path configure option is used.
    The flaw is that sudo only replaces the first instance of PATH
    in the environment.  If the program being run through sudo uses
    the last instance of PATH in the environment, an attacker may
    be able to avoid the "secure path" restrictions.

Sudo versions affected:
    Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.
2010-06-03 14:53:14 +00:00
wiz
8a6bd2ac22 Add patch-a{a,b} to distinfo. 2010-06-03 09:23:34 +00:00
dholland
2132885e98 PR 43393: security/gsasl-1.1 fails to build on solaris 2010-06-03 02:28:31 +00:00
gls
0b5713cc75 This is a Python egg.
Don't hardwire paths in PLIST.

As noted by Ryo HAYASAKA in PR/43405.
2010-06-02 18:31:41 +00:00
taca
068ea7541e Update security/openssl package to 0.9.8o.
OpenSSL CHANGES
 _______________

 Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
     access or freeing data twice (CVE-2010-0742)
     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]

  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]

  *) VMS fixes:
     Reduce copying into .apps and .test in makevms.com
     Don't try to use blank CA certificate in CA.com
     Allow use of C files from original directories in maketests.com
     [Steven M. Schweda" <sms@antinode.info>]
2010-06-02 13:30:11 +00:00
bouyer
e9fade7e66 Works fine with python2.6 too. 2010-06-01 21:30:25 +00:00
drochner
686cf38e4c +libgnome-keyring 2010-06-01 11:01:27 +00:00
drochner
2cbb100d21 add libgnome-keyring-2.30.1, a library which was split from gnome-keyring
in gnome-2.30
2010-06-01 10:56:27 +00:00
agc
bd43bee05e Update netpgp to version 3.99.4/20100601
+ avoid possible free() of new value passed to netpgp_setvar(),
  with thanks to Anon Ymous.
+ netpgpkeys(1):  print keys to stdout, not stderr - reported by Anon
  Ymous.
+ fix DSA signatures and verification
+ simplify and shorten the internals of packet processing by getting rid of
  the intermediate pseudo-abstraction layer, which detracted from understanding
  and had no benefit whatsoever. Rename some enums and some definitions.
+ add some checking to new key generation, and don't try to read in
  the keys after writing them - reported by Tyler Retzlaff
+ netpgpverify - avoid the separate codebase, and just use libnetpgp(3)
2010-06-01 06:15:00 +00:00
gls
01ddfc82dc Remove patch-aa 2010-05-31 20:34:58 +00:00
gls
7fd1450500 Update security/py-paramiko to 1.7.6.
pkgsrc changes:
- patches/patch-aa no longer required
- Added LICENSE

Changelog:
ARC4 & CTR support, IP6 support, and various bug fixes (incl. an important
Windows random number generation fix)
2010-05-31 20:30:31 +00:00
manu
9760348130 Update to lasso 2.2.91. From the NEWS file:
2.2.91 - January 26th 2010
--------------------------

A new Perl binding, fix for backward compatibility with old versions of glib,
LassoLogout API is more robust since it does not need anymore for all SP logout
to finish to work, new macro lasso_list_add_new_xml_node, add support for
WS-Security UsernameToken (equivalent of poor man HTTP Digest Authentication),
make public internal APIs: lasso_session_add_assertion,
lasso_session_get_assertion and lasso_session_remove_assertion.

2.2.90 - January 18th 2010
--------------------------

Lots of internal changes and some external one too.

There is a new api to force, forbid or let Lasso sign messages, it is called
lasso_profile_set_signature_hint.

Big overhaul of the ID-WSF 1 and 2 codes, and of the SAML 2.0 profiles. Now all
SAML 2.0 profile use common internal functions from the lasso_saml20_profile_
namespace to handle bindings (SOAP,Redirect,POST,Artifact,PAOS). New internal
API to load SSL keys from many more formats from the public API.

In ID-WSF 2.0, Data Service Template has been simplified, we no more try to
apply queries, it is the responsibility of the using code to handle them.

In bindings land, the file bindings/utils.py has been stuffed with utility
function to manipulate 'type' tuple, which are now used to transfer argument and
type description, their schema is (name, C-type, { dictionary of options } ),
they are now used everywhere in the different bindings. We support output
argument in PHP5, Python and Java, i.e. pointer of pointer arguments which are
written to in order to return multiple values. For language where the binding
convert error codes to exceptions (all of them now), the output value is
returned as the normal return value of the method, so only one output argument
is handled for now.

We now use GObject-introspection annotations in the documentation to transfer
to the binding generator the necessary metadata about the API (content of
lists, hashtables, whether pointer are caller/callee owned, can be NULL or if
argument have a default value). The file bindings/override.xml is now
deprecated.

In documentation land, the main reference documentation was reorganized and
more symbols have been added to it. Many more functions are documented.

There is now tools to control the evolution of the ABI/API of Lasso.
2010-05-31 16:44:28 +00:00
wiz
d0469478ef Mark as make-jobs-safe again; a comment said the problem was reported
upstream and supposedly fixed in 2.0.6 (pkgsrc is at 2.0.14 now).

Multiple builds with 16 jobs showed no problem.
2010-05-30 08:24:48 +00:00
obache
3b4695922a + py-xmlsec 2010-05-29 06:21:29 +00:00