=============================
Release Notes for Samba 4.9.3
November 27, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
=======
Details
=======
o CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
o CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16852:
During the processing of a DNS zone in the DNS management DCE/RPC server,
the internal DNS server or the Samba DLZ plugin for BIND9, if the
DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
property is set, the server will follow a NULL pointer and terminate.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
o CVE-2018-16857:
AD DC Configurations watching for bad passwords (to restrict brute forcing
of passwords) in a window of more than 3 minutes may not watch for bad
passwords at all.
For more details and workarounds, please refer to the security advisories.
ChangeLog:
Released version 1.8.13 with the following main changes :
- MINOR: systemd: consider exit status 143 as successful
- BUG/MINOR: ssl: properly ref-count the tls_keys entries
- MINOR: mux: add a "show_fd" function to dump debugging information for "show fd"
- MINOR: h2: implement a basic "show_fd" function
- BUG/MINOR: h2: remove accidental debug code introduced with show_fd function
- MINOR: h2: keep a count of the number of conn_streams attached to the mux
- MINOR: h2: add the mux and demux buffer lengths on "show fd"
- BUG/MEDIUM: h2: don't accept new streams if conn_streams are still in excess
- BUG/MEDIUM: h2: never leave pending data in the output buffer on close
- BUG/MEDIUM: h2: make sure the last stream closes the connection after a timeout
- BUG/MINOR: http: Set brackets for the unlikely macro at the right place
- BUILD: Generate sha256 checksums in publish-release
- MINOR: debug: Add check for CO_FL_WILL_UPDATE
- MINOR: debug: Add checks for conn_stream flags
- BUG/MEDIUM: threads: Fix the exit condition of the thread barrier
- MINOR: h2: add the error code and the max/last stream IDs to "show fd"
- BUG/MEDIUM: stream-int: don't immediately enable reading when the buffer was reportedly full
- BUG/MEDIUM: stats: don't ask for more data as long as we're responding
- BUG/MINOR: servers: Don't make "server" in a frontend fatal.
- BUG/MEDIUM: threads/sync: use sched_yield when available
- BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection forever
- BUG/MINOR: config: stick-table is not supported in defaults section
- BUG/MINOR: threads: Handle nbthread == MAX_THREADS.
- BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS
- MINOR: threads: move "nbthread" parsing to hathreads.c
- BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread number
- MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed
- SCRIPTS: git-show-backports: add missing quotes to "echo"
Released version 1.8.14 with the following main changes :
- BUG/MEDIUM: servers: check the queues once enabling a server
- BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
- MINOR: dns: fix wrong score computation in dns_get_ip_from_response
- MINOR: dns: new DNS options to allow/prevent IP address duplication
- BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
- MINOR: threads: Introduce double-width CAS on x86_64 and arm.
- BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
- MINOR: threads: add more consistency between certain variables in no-thread case
- BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
- MEDIUM: hathreads: implement a more flexible rendez-vous point
- BUG/MEDIUM: cli: make "show fd" thread-safe
- BUG/MINOR: ssl: empty connections reported as errors.
- BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
- BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
- BUG/MINOR: map: fix map_regm with backref
- DOC: dns: explain set server ... fqdn requires resolver
- DOC: ssl: Use consistent naming for TLS protocols
- BUG/MEDIUM: lua: socket timeouts are not applied
- BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
- BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
- DOC: Fix spelling error in configuration doc
- BUG/MEDIUM: unix: provide a ->drain() function
- BUG/MINOR: lua: Bad HTTP client request duration.
- BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
- BUG/MEDIUM: lua: reset lua transaction between http requests
- BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
- BUG/MAJOR: thread: lua: Wrong SSL context initialization.
- BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
- BUG/MEDIUM: dns/server: fix incompatibility between SRV resolution and server state file
- BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
- MINOR: thread: implement HA_ATOMIC_XADD()
- BUG/MINOR: stream: use atomic increments for the request counter
- BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
- BUG/MEDIUM: h2: fix risk of memory leak on malformed wrapped frames
- BUG/MINOR: dns: check and link servers' resolvers right after config parsing
- BUG/MINOR: http/threads: atomically increment the error snapshot ID
- BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
- BUG/MAJOR: kqueue: Don't reset the changes number by accident.
- BUG/MINOR: server: Crash when setting FQDN via CLI.
- DOC: Fix typos in lua documentation
- BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
- BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
- BUG/MINOR: cli: make sure the "getsock" command is only called on connections
- BUG/CRITICAL: hpack: fix improper sign check on the header index value
c-ares version 1.15.0:
Changes:
- Add ares_init_options() configurability for path to resolv.conf file
- Ability to exclude building of tools (adig, ahost, acountry) in CMake
- Android: Support for domain search suffix
- Report ARES_ENOTFOUND for .onion domain names as per RFC7686
Bug fixes:
- AIX build fix for trying to include both nameser_compat.h and onameser_compat.h
- Windows: Improve DNS suffixes extracting from WinNT registry
- Fix modern GCC warnings
- Apply the IPv6 server blacklist to all nameserver sources, not just Windows
- Fix warnings emitted by MSVC when using -W4
- Prevent changing name servers while queries are outstanding
- Harden and rationalize c-ares timeout computation
- Distribute ares_android.h
- ares_set_servers_csv() on failure should not leave channel in a bad state
- Add missing docs to distribution
Changes:
Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.0
- Added more checks to places where we are mapping a file
or checking for symbolic links. Should avoid trying to
operate on invalid path names or broken symlinks.
Issue reported by Xu.
Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.9
- Several checks added to chdir() and other
return codes to make sure syscalls are all returning
properly. Patch provided by Zhouyang Jia.
- Fixed some compiler warnings due to unused or
oddly indented code.
Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.8
- Fixed potential double-free bug during Bftpd shutdown.
- Fixed potential uninitialized variable.
Thanks to Alex for reporting these bugs.
Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.7
- Fixed memory leak in rename function.
Thanks to Alex for reporting this bug.
Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.6
- Avoid memory corruption when reading config file by initializing memory.
- Make sure CHROOT is default option, even if it is not specified
in the config file.
Thanks to Anton Yuzhaninov for providing the above two fixes.
Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.5
- Avoid potential buffer underflow in main.c
Thanks to Andreas for pointing out this problem.
Changelog:
* The value for netprobe_timeout was read from the command-line, but not from the configuration file any more. This is a regression introduced in the previous version, that has been fixed.
* The default value for netprobe timeouts has been raised to 60 seconds.
* A hash of the body is added to query parameters when sending DoH queries with the POST method in order to work around badly configured proxies.
pkgsrc changes:
- Remove patches/patch-aa, no longer needed (config.h is now
included and HAVE_DECL_BSWAP64 is now properly checked)
- perl is needed in the test phase and at runtime, add it to USE_TOOLS
- Remove no longer needed dependency to p5-IO-tty
- Add support for the test target (and REPLACE_PERL test target scripts)
Changes:
1.3.2
-----
* Platform support:
* Explicitly enable binding to both IPv4 and IPv6 addresses.
(Giel van Schijndel)
* Restore perl 5.8.8 support for RHEL5. (Alexander Chernyakhovsky)
* Make tests detect UTF-8 locale with a helper executable. (John Hood)
* Don't print /etc/motd on IllumOS. (John Hood)
* Print {,/var}/run/motd.dynamic on Ubuntu. (John Hood)
* Fix build on Haiku. (Adrien Destugues)
* Disable unicode-later-combining.test for tmux 2.4.
This fixes build failures. (John Hood)
* Bug fixes:
* In tests, explicitly set 80x24 tmux window, for newer versions
of tmux. (John Hood)
* Work around JuiceSSH rendering bug. (John Hood)
* Do not move cursor for SCROLL UP and SCROLL DOWN--
fixes an issue with tmux 2.4. (John Hood)
Discussed with <agc>, thanks!
pkgsrc changes:
- Update MASTER_SITES to avoid MASTER_SITE_DEBIAN
Changes:
2018-11-19 torsocks 2.3.0
* Fix a bunch of stuff in the wrapper script, #24967
* gethostbyaddr_r: always assign result
* log: Remove log line when logging is stopped
* gethostbyaddr_r: Don't put garbage in data->hostname
* gethostbyaddr_r: Populate h_addrtype field
* log: Avoid crash or file corruption when closing logs
* connect: Always pass .onion IP cookie to connection object
* Merge remote-tracking branch 'yawning/bug23715'
* Make torsocks always connect to the configured Tor port
* test: Make getpeername test connect to moria1
* socks5: Always use ATYP 0x03 for CONNECT command
* Merge remote-tracking branch 'upstream/master'
* doc: Clarify the libc limitation in README
* accept4: Initialize libc symbol early
* Bug 23715: Support memfd_create(2).
* test: Detect if tor is running in test_fd_passing
* No tab in the README
* Merge remote-tracking branch 'debian/bugfix/typo-subsytem'
* Merge remote-tracking branch 'debian/bugfix/typo-catched'
* Merge remote-tracking branch 'debian/bugfix/typo-conect'
* doc: Add autogen.sh step to README
* Add a -q/--quiet to torsocks
* tests: Add a check for a running Tor
* Make cpp conditional for definition of handle_mmap match use
* utils: Add useful function for later use
* man: Some words were missing
* Remove clang warnings
* Add missing quotes to variable in torsocks.in
* Fix check_addr() to return either 0 or 1
* Ignore stderr for getcap command
* syscall: Add seccomp, gettimeofday, clock_gettime, fork
* Fix typo: conect -> connect.
* Fix typo: subsytem -> subsystem.
* Fix typo: catched -> caught.
Changes:
1.6.0
-----
- Add wallhaven extractor
- Add yuki extractor
- Add a ytdl (youtube-dl) downloader to download media via youtube-dl
(Unfortunately, at the moment the youtube-dl package is not a multipackage (we
do not have py{27,34,35,37}-youtube-dl), so this will work only if youtube-dl
was built with the same PYTHON_VERSION_DEFAULT as gallery-dl)
- Add '--no-check-certificate' command-line option
- Misc bug fixes and improvements
Changes:
Geomyidae v0.34 Release »Above the Oceans«
------------------------------------------
I am proud to announce the v0.34 release of geomyidae!
It is named »Above the Oceans«, because it is released 11km above the Atlantic
Ocean. I can't see whales from here.
Why a new release in such a short time?
There is a nasty listening bug in geomyidae v0.33, so do not use it.
What has changed from v0.33 to v0.34:
* There is finally a multi-listening implementation, which allows constant
behaviour of IPv6 and IPv4 across all platforms, including the BSDs.
# bind to 0.0.0.0 and :: on port 7070
geomyidae -b $(pwd) -p 7070 -d
# bind to :: only on port 7070
geomyidae -6 -b $(pwd) -p 7070 -d
# bind to the IPv4 address of some interface only
geomyidae -4 -b $(pwd) -i google.com
# bind to IPv6 and IPv4 of many interfaces
geomyidae -b $(pwd) -i google.com -i google.de -i nsa.gov
Geomyidae v0.33 Release
-----------------------
I am proud to announce the v0.33 release of geomyidae!
What has changed:
* More links for geomyidae resources.
* Fixes in error messages. They now show useful messages.
* Do not exit on SIGHUP. (Fix for OpenBSD startup.)
* Fix of some memory leaks.
* Relative path support in gph files!
* This will make portable CGI applications easier.
* This is now possible:
[1|Some Cool Menu|../cool/menu|server|port]
* Fix to set the gph replacement port.
* Fix some IPv6 binding issues.
* Some separate binding for BSDs is still in the works.
* Manpage has been beautified.
* '/' is now stripped from base path.
I want to thank all contributors! You are making gopher better!
* Version 2.0.18
- Official builds now support TLS 1.3.
- The timeout for the initial connectivity check can now be set from
the command line.
- An `Accept:` header is now always sent with `GET` queries.
- BOMs are now ignored in configuration files.
- In addition to SOCKS, HTTP and HTTPS proxies are now supported for
DoH servers.
registrations of SIP clients on a private IP network, and rewrites the
SIP message bodies to make SIP connections work via a NAT firewall.
Imported from wip/siproxd.
Upstream changes:
mikutter 3.8.3
* fix use of an unintended function that should have been removed
but accidentally released in the Diva gem
* insufficient file dependencies
* thanks @ahiru3net
* remove dependencies on Photo plugin from the twitter, gui, and skin plugins
* add missed dependencies in the intent plugin
* thanks @ahiru3net
Upstream changes:
0.53 Mon Nov 05 2018 "Dean Hamstead" <dean@bytefoundry.com.au>
- Fix some tests on Windows
- Various coding changes internally
- Expose CC Addresses and Admin CC Addresses on Queues
Upstream changes:
Changes for version 3.62 - 2018-10-29
ENHANCEMENTS
#278 Support for Cisco Firepower Threat Defense
#275 Document peth_port_ifindex for Junipers
#274 Add peth_port_ifindex override for Junipers
#270 Add support for additional Mikrotik models
Add HP 3810M, 2930M, 2930F and 2540 series switches
BUG FIXES
#265 Fix typos in L3::Huawei
Tor 0.3.4.9 is the second stable release in its series; it backports
numerous fixes, including a fix for a bandwidth management bug that
was causing memory exhaustion on relays. Anyone running an earlier
version of Tor 0.3.4.9 should upgrade.
o Major bugfixes (compilation, backport from 0.3.5.3-alpha):
- Fix compilation on ARM (and other less-used CPUs) when compiling
with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
- Make sure Tor bootstraps and works properly if only the
ControlPort is set. Prior to this fix, Tor would only bootstrap
when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
o Major bugfixes (relay, backport from 0.3.5.3-alpha):
- When our write bandwidth limit is exhausted, stop writing on the
connection. Previously, we had a typo in the code that would make
us stop reading instead, leading to relay connections being stuck
indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
on 0.3.4.1-alpha.
o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
- Fix a use-after-free error that could be caused by passing Tor an
impossible set of options that would fail during options_act().
Fixes bug 27708; bugfix on 0.3.3.1-alpha.
o Minor features (continuous integration, backport from 0.3.5.1-alpha):
- Don't do a distcheck with --disable-module-dirauth in Travis.
Implements ticket 27252.
- Only run one online rust build in Travis, to reduce network
errors. Skip offline rust builds on Travis for Linux gcc, because
they're redundant. Implements ticket 27252.
- Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
Linux with default settings, because all the non-default builds
use gcc on Linux. Implements ticket 27252.
o Minor features (continuous integration, backport from 0.3.5.3-alpha):
- Use the Travis Homebrew addon to install packages on macOS during
Travis CI. The package list is the same, but the Homebrew addon
does not do a `brew update` by default. Implements ticket 27738.
o Minor features (geoip):
- Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
Country database. Closes ticket 27991.
o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
- Fix an integer overflow bug in our optimized 32-bit millisecond-
difference algorithm for 32-bit Apple platforms. Previously, it
would overflow when calculating the difference between two times
more than 47 days apart. Fixes part of bug 27139; bugfix
on 0.3.4.1-alpha.
- Improve the precision of our 32-bit millisecond difference
algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
bugfix on 0.3.4.1-alpha.
- Relax the tolerance on the mainloop/update_time_jumps test when
running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
- Avoid undefined behavior in an end-of-string check when parsing
the BEGIN line in a directory object. Fixes bug 28202; bugfix
on 0.2.0.3-alpha.
o Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
- Only install the necessary mingw packages during our appveyor
builds. This change makes the build a little faster, and prevents
a conflict with a preinstalled mingw openssl that appveyor now
ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
- Rewrite our assertion macros so that they no longer suppress the
compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
- Stop reinstalling identical packages in our Windows CI. Fixes bug
27464; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
- Log additional info when we get a relay that shares an ed25519 ID
with a different relay, instead of making a BUG() warning. Fixes bug
27800; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
- Avoid a double-close when shutting down a stalled directory
connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
- Fix a bug warning when closing an HTTP tunnel connection due to an
HTTP request we couldn't handle. Fixes bug 26470; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
- Ensure circuitmux queues are empty before scheduling or sending
padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
- When the onion service directory can't be created or has the wrong
permissions, do not log a stack trace. Fixes bug 27335; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
- Close all SOCKS requests (for the same .onion) if the newly fetched
descriptor is unusable. Before that, we would close only the first
one, leaving the others hanging to time out by themselves.
Fixes bug 27410; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
- When selecting a v3 rendezvous point, don't only look at the
protover, but also check whether the curve25519 onion key is
present. This way we avoid picking a relay that supports the v3
rendezvous but for which we don't have the microdescriptor. Fixes
bug 27797; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
- Reject protocol names containing bytes other than alphanumeric
characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
on 0.2.9.4-alpha.
o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
- Compute protover votes correctly in the rust version of the
protover code. Previously, the protover rewrite in 24031 allowed
repeated votes from the same voter for the same protocol version
to be counted multiple times in protover_compute_vote(). Fixes bug
27649; bugfix on 0.3.3.5-rc.
- Reject protover names that contain invalid characters. Fixes bug
27687; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
- protover_all_supported() would attempt to allocate up to 16GB on
some inputs, leading to a potential memory DoS. Fixes bug 27206;
bugfix on 0.3.3.5-rc.
o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
- Fix an API mismatch in the rust implementation of
protover_compute_vote(). This bug could have caused crashes on any
directory authorities running Tor with Rust (which we do not yet
recommend). Fixes bug 27741; bugfix on 0.3.3.6.
o Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
- Fix a potential null dereference in protover_all_supported(). Add
a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
- Return a string that can be safely freed by C code, not one
created by the rust allocator, in protover_all_supported(). Fixes
bug 27740; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
- If a unit test running in a subprocess exits abnormally or with a
nonzero status code, treat the test as having failed, even if the
test reported success. Without this fix, memory leaks don't cause
the tests to fail, even with LeakSanitizer. Fixes bug 27658;
bugfix on 0.2.2.4-alpha.
o Minor bugfixes (testing, backport from 0.3.5.3-alpha):
- Make the hs_service tests use the same time source when creating
the introduction point and when testing it. Now tests work better
on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
- Treat backtrace test failures as expected on BSD-derived systems
(NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
(FreeBSD failures have been treated as expected since 18204 in
0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
0.10.2
- Fixed build setup to use undeprecated pytest bin stub.
- Updated tox configuration.
- Added example of using responses with pytest.fixture
- Removed dependency on biscuits in py3. Instead http.cookies is being used.
0.10.1
- Packaging fix to distribute wheel
0.10.0
- Fix passing through extra settings
- Fix collections.abc warning on Python 3.7
- Use 'biscuits' library instead of 'cookies' on Python 3.4+
Changes:
version 2018.11.03
Core
* [extractor/common] Ensure response handle is not prematurely closed before
it can be read if it matches expected_status (#17195, #17846, #17447)
Extractors
* [laola1tv:embed] Set correct stream access URL scheme (#16341)
+ [ehftv] Add support for ehftv.com (#15408)
* [azmedien] Adapt to major site redesign (#17745, #17746)
+ [twitcasting] Add support for twitcasting.tv (#17981)
* [orf:tvthek] Fix extraction (#17737, #17956, #18024)
+ [openload] Add support for oload.fun (#18045)
* [njpwworld] Fix authentication (#17427)
+ [linkedin:learning] Add support for linkedin.com/learning (#13545)
* [theplatform] Improve error detection (#13222)
* [cnbc] Simplify extraction (#14280, #17110)
+ [cnbc] Add support for new URL schema (#14193)
* [aparat] Improve extraction and extract more metadata (#17445, #18008)
* [aparat] Fix extraction
Changes:
2.6.0
-----
Features
--------
- Use "scissors" line to delineate comments in editable messages instead of
stripping away lines that start with #. This helps preserve Markdown
headings in hub pull-request, hub release create, and similar commands
that open a text editor interactively.
Everything above the following line is kept in the message; everything
below is discarded:
# ------------------------ >8 ------------------------
- New command hub issue show <NUMBER>
- Add hub release show --format=<FORMAT> functionality
- hub pr list --format=%rs lists requested reviewers
- Add support for communicating with GitHub Enterprise over Unix socket
# ~/.config/hub
example.com:
user: USER
oauth_token: TOKEN
unix_socket: /path/to/socket
Fixes
-----
- Prevent hub create setting a public upstream when creating a private repo
- Fix hub create in place of a renamed repo
- Fix hub release create/edit/delete when there are multiple git remotes
- Auto-detect private/pushable repos in hub remote add
- Fix hub ci-status exit code when there is only Checks
- Allow hub compare <RANGE> even if not on any branch
- Ensure consistent sort direction when listing issues, PRs
- Match requested team names by slug instead of name in
hub pull-request -r <TEAM>
From i3endek, thanks!
version 2.80
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
for the initial patch and motivation.
Alter the default for dnssec-check-unsigned. Versions of
dnsmasq prior to 2.80 defaulted to not checking unsigned
replies, and used --dnssec-check-unsigned to switch
this on. Such configurations will continue to work as before,
but those which used the default of no checking will need to be
altered to explicitly select no checking. The new default is
because switching off checking for unsigned replies is
inherently dangerous. Not only does it open the possibility of forged
replies, but it allows everything to appear to be working even
when the upstream nameservers do not support DNSSEC, and in this
case no DNSSEC validation at all is occurring.
Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
are set. Thanks to Daniel Miess for help with this.
Add a facility to store DNS packets sent/received in a
pcap-format file for later debugging. The file location
is given by the --dumpfile option, and a bitmap controlling
which packets should be dumped is given by the --dumpmask
option.
Handle the case of both standard and constructed dhcp-ranges on the
same interface better. We don't now construct a dhcp-range if there's
already one specified. This allows the specified interface to
have different parameters and avoids advertising the same
prefix twice. Thanks to Luis Marsano for spotting this case.
Allow zone transfer in authoritative mode if auth-peer is specified,
even if auth-sec-servers is not. Thanks to Raphaël Halimi for
the suggestion.
Fix bug which sometimes caused dnsmasq to wrongly return answers
without DNSSEC RRs to queries with the do-bit set, but only when
DNSSEC validation was not enabled.
Thanks to Petr Menšík for spotting this.
Fix missing fatal errors with some malformed options
(server, local, address, rebind-domain-ok, ipset, alias).
Thanks to Eugene Lozovoy for spotting the problem.
Fix crash on startup with a --synth-domain which has no prefix.
Introduced in 2.79. Thanks to Andreas Engel for the bug report.
Fix missing EDNS0 section in some replies generated by local
DNS configuration which confused systemd-resolved. Thanks to
Steve Dodd for characterising the problem.
Add --dhcp-name-match config option.
Add --caa-record config option.
Implement --address=/example.com/# as (more efficient) syntactic
sugar for --address=/example.com/0.0.0.0 and
--address=/example.com/::
Returning null addresses is a useful technique for ad-blocking.
Thanks to Peter Russell for the suggestion.
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead of returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.
pkgsrc changes:
- Add a dependency to www/libpsl
- Add a patch to adjust running of the tests (otherwise because
`APACHE_HTTPD' is defined to `no' a `no' program will be executed but
will fail because no `no' program is usually available)
Changes:
Changes in libsoup from 2.64.1 to 2.64.2:
* TLD tests updated (Claudio Saavedra)
* Updated translations: Serbian
Changes in libsoup from 2.63.92 to 2.64.1:
* Many fixes to the meson build system (which, by the way, is
NOT official yet) (#13, Tomas Popela)
* Updated translations: Belarusian.
Changes in libsoup from 2.63.92 to 2.64.0:
* Many fixes to the meson build system [#7, #8, #9, #11, Tomas Popela]
* Updated translations: Brazilian Portuguese, Galician,
Hungarian, Latvian, Danish.
Changes in libsoup from 2.63.91 to 2.63.92:
* Make sure that XMLRPC tests build in Debian too [Claudio Saavedra]
* Distribute missing meson files [Claudio Saavedra]
* Some fixes to the meson build files [Claudio Saavedra]
* Updated Korean and Swedish translations
Changes in libsoup from 2.63.90 to 2.63.91:
* Simplify soup_hosts_matches_host() [Claudio Saavedra]
* Add new tests for trailing dots in domain names [Claudio Saavedra]
* Updated Turkish translation
Changes in libsoup from 2.63.2 to 2.63.90:
* Set default cookie path for NULL origins [#1, Adrian Perez de Castro]
* Fixes to GObject-introspection [bgo#794787, Corentin Noël]
* Use atomic-refcounting in classes that are not using GObject-refcounting
[bgo#785110, Edward Hervey]
* Many Coverity-found code fixes [bgo#781771, Milan Crha]
* Bail out on cookie-jar calls with empty hostnames [#3, Michael Catanzaro]
* Fixes to the simple-httpd example [#2, Mooffie]
* Updated translations: Chinese (Taiwan), Catalan
Note: from now onwards bgo# references bugs in GNOME Bugzilla
and # issues in GNOME gitlab.
Changes in libsoup from 2.63.1 to 2.63.2:
* Many fixes to the meson build system support [#795324,
#782410, Tomas Popela, Jan Alexander Steffens]
* Fixes to xmlrpc-server test with PHP >= 7.2 and related
[#795111, #782410 Jan Alexander Steffens]
* Fix critical warning in SoupSocket [Carlos Garcia Campos]
* Updated translations: Romanian, Friulian, Slovenian,
Czech, Spanish, Indonesian, Chinese (China).
1.3.7:
- Formatting run info no longer includes gevent.local.local
objects that have no value in the greenlet.
- Fixed negative length in pywsgi's Input read functions for non chunked body.
- Upgrade libuv from 1.22.0 to 1.23.2.
- Fix opening files in text mode in CPython 2 on Windows by patching
libuv.
stem-1.7.0: Python library for controlling the tor daemon
nyx-2.0.4: curses monitor for the tor daemon
sbws-0.8.0: bandwidth scanner
nyx is a standalone application, so give it a meta-package net/nyx
with no py- prefix.
sbws is a standalone application too but only for designated Tor
plumbers, not for ordinary users, so leave it as py-sbws.
--- 9.12.3 released ---
--- 9.12.3rc1 released ---
5038. [bug] Chaosnet addresses were compared incorrectly.
[GL #562]
5035. [test] Fixed errors that prevented the DNSRPS subtests
from running in the rpz and rpzrecurse system
tests. [GL #503]
5034. [bug] A race between threads could prevent zone maintenance
scheduled immediately after zone load from being
performed. [GL #542]
5033. [bug] When adding NTAs to multiple views using "rndc nta",
the text returned via rndc was incorrectly terminated
after the first line, making it look as if only one
NTA had been added. Also, it was not possible to
differentiate between views with the same name but
different classes; this has been corrected with the
addition of a "-class" option. [GL #105]
5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
[GL #511]
5030. [bug] Align CMSG buffers to a 64-bit boundary, fixes crash
on architectures with strict alignment. [GL #521]
5028. [bug] Spread the initial RRSIG expiration times over the
entire working sig-validity-interval when signing a
zone in named to even out re-signing and transfer
loads. [GL #418]
5026. [bug] rndc reconfig should not touch already loaded zones.
[GL #276]
5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
krb5-subdomain documentation. [GL !708]
5021. [bug] dig returned a non-zero exit code when it received a
reply over TCP after a retry. [GL #487]
5019. [cleanup] A message is now logged when ixfr-from-differences is
set at zone level for an inline-signed zone. [GL #470]
5018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c.
[GL !588]
5017. [bug] lib/isc/pk11.c failed to unlink the session before
releasing the lock which is unsafe. [GL !589]
5016. [bug] Named could assert with overlapping filter-aaaa and
dns64 acls. [GL #445]
5015. [bug] Reloading all zones caused zone maintenance to cease
for inline-signed zones. [GL #435]
5014. [bug] Signatures loaded from the journal for the signed
version of an inline-signed zone were not scheduled for
refresh. [GL #482]
5013. [bug] A referral response with a non-empty ANSWER section was
inadvertently being treated as an error. [GL #390]
5012. [bug] Fix lock order reversal in pk11_initialize. [GL !590]
5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL
error queue was not logged. [GL #476]
5008. [bug] "rndc signing -nsec3param ..." requests were silently
ignored for zones which were not yet loaded or
transferred. [GL #468]
5007. [cleanup] Replace custom ISC boolean and integer data types
with C99 stdint.h and stdbool.h types. [GL #9]
5006. [cleanup] Code preparing a delegation response was extracted from
query_delegation() and query_zone_delegation() into a
separate function in order to decrease code
duplication. [GL #431]
5005. [bug] dnssec-verify, and dnssec-signzone at the verification
step, failed on some validly signed zones. [GL #442]
5004. [bug] 'rndc reconfig' could cause inline zones to stop
re-signing. [GL #439]
5003. [bug] dns_acl_isinsecure did not handle geoip elements.
[GL #406]
5002. [bug] mdig: Handle malformed +ednsopt option, support 100
+ednsopt options per query rather than 100 total and
address memory leaks if +ednsopt was specified.
[GL #410]
5001. [bug] Fix refcount errors on error paths. [GL !563]
5000. [bug] named_server_servestale() could leave the server in
exclusive mode if an error occurred. [GL #441]
4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]
4995. [test] Add tests for "tcp-self" update policy. [GL !282]
4994. [bug] Trust anchor telemetry queries were not being sent
upstream for locally served zones. [GL #392]
4992. [bug] The wrong address was being logged for trust anchor
telemetry queries. [GL #379]
4990. [bug] Prevent a possible NULL reference in pkcs11-keygen.
[GL #401]
4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under
a DNAME. [GL #386]
--- 9.11.5 released ---
--- 9.11.5rc1 released ---
5038. [bug] Chaosnet addresses were compared incorrectly.
[GL #562]
5034. [bug] A race between threads could prevent zone maintenance
scheduled immediately after zone load from being
performed. [GL #542]
5033. [bug] When adding NTAs to multiple views using "rndc nta",
the text returned via rndc was incorrectly terminated
after the first line, making it look as if only one
NTA had been added. Also, it was not possible to
differentiate between views with the same name but
different classes; this has been corrected with the
addition of a "-class" option. [GL #105]
5032. [func] Add krb5-selfsub and ms-selfsub update policy rules.
[GL #511]
5030. [bug] Align CMSG buffers to a 64-bit boundary, fixes crash
on architectures with strict alignment. [GL #521]
5028. [bug] Spread the initial RRSIG expiration times over the
entire working sig-validity-interval when signing a
zone in named to even out re-signing and transfer
loads. [GL #418]
5026. [bug] rndc reconfig should not touch already loaded zones.
[GL #276]
5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
krb5-subdomain documentation. [GL !708]
5021. [bug] dig returned a non-zero exit code when it received a
reply over TCP after a retry. [GL #487]
5019. [cleanup] A message is now logged when ixfr-from-differences is
set at zone level for an inline-signed zone. [GL #470]
5018. [bug] Fix incorrect sizeof arguments in lib/isc/pk11.c.
[GL !588]
5017. [bug] lib/isc/pk11.c failed to unlink the session before
releasing the lock which is unsafe. [GL !589]
5016. [bug] Named could assert with overlapping filter-aaaa and
dns64 acls. [GL #445]
5015. [bug] Reloading all zones caused zone maintenance to cease
for inline-signed zones. [GL #435]
5014. [bug] Signatures loaded from the journal for the signed
version of an inline-signed zone were not scheduled for
refresh. [GL #482]
5012. [bug] Fix lock order reversal in pk11_initialize. [GL !590]
5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL
error queue was not logged. [GL #476]
5008. [bug] "rndc signing -nsec3param ..." requests were silently
ignored for zones which were not yet loaded or
transferred. [GL #468]
5007. [cleanup] Replace custom ISC boolean and integer data types
with C99 stdint.h and stdbool.h types. [GL #9]
5005. [bug] dnssec-verify, and dnssec-signzone at the verification
step, failed on some validly signed zones. [GL #442]
5004. [bug] 'rndc reconfig' could cause inline zones to stop
re-signing. [GL #439]
5003. [bug] dns_acl_isinsecure did not handle geoip elements.
[GL #406]
5002. [bug] mdig: Handle malformed +ednsopt option, support 100
+ednsopt options per query rather than 100 total and
address memory leaks if +ednsopt was specified.
[GL #410]
5001. [bug] Fix refcount errors on error paths. [GL !563]
4996. [bug] dig: Handle malformed +ednsopt option. [GL #403]
4995. [test] Add tests for "tcp-self" update policy. [GL !282]
4994. [bug] Trust anchor telemetry queries were not being sent
upstream for locally served zones. [GL #392]
4992. [bug] The wrong address was being logged for trust anchor
telemetry queries. [GL #379]
4990. [bug] Prevent a possible NULL reference in pkcs11-keygen.
[GL #401]
Upstream changes:
1.18 Sep 21, 2018
Documentation revised to remove ambiguous use of "answer" which
has been used to refer to both the answer section of a packet
and the entire reply packet received from a nameserver.
Fix rt.cpan.org #127018
Net::DNS::ZoneFile->parse() fails if include directory specified.
Fix rt.cpan.org #127012
DNS resolution broken when options ndots used in /etc/resolv.conf
Update DEPENDS
Upstream changes:
0.96 2018-10-06
* Requirement on Math::BigInt changed to add version
0.95 2018-10-06
* "from_bigint" method added
* Documentation updated to reflect the current RFCs
* Tests of "to_bigint", rfc compliance; fix broken string test
* Any valid ipv6 value can now be output as mixed ipv6 and ipv4
0.94 2018-10-06 Ben Bullock <bkb@cpan.org>
* Pod error fixed
* EXPORTS_OK corrected
0.93 2018-10-05 Ben Bullock <bkb@cpan.org>
* Remove README and use generated one
* Fix bad links in documentation
0.92 2018-10-05 Ben Bullock <bkb@cpan.org>
* Documentation expanded with working examples
* UTF-8 in Makefile.PL marked
* to_* routines exported on demand
* Repetition in error messages removed
Upstream changes:
2018-09-30 Hajimu UMEMOTO <ume@mahoroba.org>
* Socket6.pm: Bump version number to 0.29.
* Socket6.xs: Updates the tests for handling the correct headers
on NetBSD and DragonFly BSD.
Submitted by: Sevan Janiyan <venture37 [...] geeklan.co.uk>
3.6.1 Stable
Brew formula fixes
3.6 Stable
New features
------------
New pro charts
Ability to compare data with the past (time shift)
Trend lines based on ASAP
Average and percentile lines overlayed on the graph and animated
New color scheme that uses pastel colors for better visualization
https://www.ntop.org/ntopng/ntopng-and-time-series-from-rrd-to-influxdb-new-charts-with-time-shift/
New timeseries API with support for RRD and InfluxDB
Abstracts and handles multiple sources transparently
https://www.ntop.org/guides/ntopng/api/lua/timeseries/index.html
Streaming pcap captures with BPF support
Download live packet captures right from the browser
New SNMP devices caching
Periodically cache information of all the SNMP device configured
Calculate and visualize interfaces throughput
Improvements
------------
Security
Access to the web user interface is controlled with ACLs
Secure ntopng cookies with SameSite and HttpOnly
HTTP cookie authentication
Improved random session id generation
Various SNMP improvements
Caching
Interfaces status change alerts
Device interfaces page
Devices and interfaces added to flows
Fixed several library memory leaks
Improved device and interface charts
Interfaces throughput calculation and visualization
Ability to delete all SNMP devices at once
Improved active devices discovery
OS detection via HTTP User-Agent
Alerts
Crypto miners alerts toggle
Detection and alerting of anomalous terminations
Module for sending telegram.org alerts
Slack
Configurable Slack channel names
Added Slack test button
Charts
Active flows vs local hosts chart
Active flows vs interface traffic chart
Ubuntu 18.04 support
Support for ElasticSearch 6 export
Added support for custom categories lists
Added ability to use the non-JIT Lua interpreter
Improved ntopng startup and shutdown time
Support for capturing from interface pairs with PF_RING ZC
Support for variable PPP header length
Migrated geolocation to GeoLite2 and libmaxminddb
Configuration backup and restore
Improved IE browser support
Using client SSL certificate for protocol detection
Optimized host/flows purging
2.4 Stable:
New Supported Protocols and Services
------------------------------------
Showmax.com
Musical.ly
RapidVideo
VidTO streaming service
Apache JServ Protocol
Facebook Messenger
FacebookZero protocol
Improvements
------------
Improved YouTube support
Improved Netflix support
Updated Google Hangout detection
Updated Twitter address range
Updated Viber ports, subnet and domain
Updated AmazonVideo detection
Updated list of FaceBook sites
Initial Skype in/out support
Improved Tor detection
Improved hyperscan support and category definition
Custom categories loading, extended ndpiReader (-c <file>) for loading name-based categories
Fixes
-----
Fixes for Instagram flows classified as Facebook
Fixed Spotify detection
Fixed minimum packet payload length for SSDP
Fixed length check in MSN, x-steam-sid, Tor certificate name
Increase client's maximum payload length for SSH
Fixed end-of-line bounds handling
Fixed substring matching
Fix for handling IP address based custom categories
Repaired wrong timestamp calculation
Fixed memory leak
Optimized memory usage
Other/Changes
-------------
New API calls:
ndpi_set_detection_preferences()
ndpi_load_hostname_category()
ndpi_enable_loaded_categories()
ndpi_fill_protocol_category()
ndpi_process_extra_packet()
Skype CallIn/CallOut are now set as Skype.SkypeCallOut Skype.SkypeCallIn
Added support for SMTPS on port 587
Changed RTP from VoIP to Media category
Added site unavailable category
Added custom categories CUSTOM_CATEGORY_MINING, CUSTOM_CATEGORY_MALWARE, CUSTOM_CATEGORY_ADVERTISEMENT, CUSTOM_CATEGORY_BANNED_SITE
Implemented hash-based categories
Converted some not popular protocols to NDPI_PROTOCOL_GENERIC with category detection
5.5.3:
Added slcli user delete
Added slcli order quote to let users create a quote from the slcli.
Fixed vs upgrades when using flavors.
Added pagination to ticket list commands
Fixed DNS manager to be more flexible and support more zone types.
Pinned Click library version at >=5 < 7
5.5.2:
Fixed hardware credentials.
support for ticket priorities
create dedicated host with gpu fixed.
5.5.1:
added paginations to several slcli methods, making them work better with large result sets.
Fixed an issue displaying VLANs.
Fixed an issue displaying some NAS passwords
Ability to delete users
5.5.0:
Added a warning when ordering legacy storage volumes
Added documentation link to volume-order
Increased slcli output width limit to 999 characters
More unit tests
Fixed an issue canceling some block storage volumes
Fixed slcli order to work with network gateways
Fixed an issue showing hardware credentials when they do not exist
Fixed an issue showing addressSpace when listing virtual servers
Updated ordering class to support baremetal servers with multiple GPU
Updated prompt-toolkit as a fix for slcli shell
Fixed slcli vlan detail to not fail when objects don't have a hostname
Added user management
Twisted 18.9.0:
Features
--------
twisted.internet._sslverify.ClientTLSOptions no longer raises IDNAError when given an IPv6 address as a hostname in a HTTPS URL.
The repr() of a twisted.internet.base.DelayedCall now encodes the same information as its str(), exposing details of its scheduling and target callable.
Python 3.7 is now supported.
Bugfixes
--------
twisted.logger.LogBeginner's default critical observer now prints tracebacks for new and legacy log system events through the use of the new eventAsText API. This API also does not raise an error for non-ascii encoded data in Python2, it attempts as well as possible to format the traceback.
Syntax error under Python 3.7 fixed for twisted.conch.manhole and twisted.main.imap4.
trial -j reports tracebacks on test failures under Python 3.
Properly format multi-byte and non-ascii encoded data in a traceback.
twisted.python.rebuild now functions on Python 3.7.
HTTP/2 server connections will no longer time out active downloads that take too long.
Improved Documentation
----------------------
Several minor formatting problems in the API documentation have been corrected.
The documentation of twisted.internet.defer.Deferred.fromFuture() has been updated to reflect upstream changes.
Deprecations and Removals
-------------------------
async keyword argument is deprecated in twisted.conch.manhole (ManholeInterpreter.write and Manhole.add) and in twisted.main.imap4.IMAP4Server.sendUntaggedResponse, isAsync keyword argument is introduced instead.
0.12.1:
Fix progress callback failing when it is an instance or class method
0.12.0:
Fix README.rst for PyPI
Add possibility of getting the peer IP and port from the progress callback
Make putfo() work with file-like objects that don't provide getvalue()
- Complete refurbish based on fehQlibs.
- Native handling of IPv4/IPv6 address for sslclient.
- Added experimental 'ecdhparam' file.
- Removed experimental 'ecdhparam' handling -- OpenSSL does not support it.
- Finished TLS 1.3 integration (based on OpenSSL 1.1.1).
- Removed compiler flags for ECDH -- now required.
- fehQlibs-09 based.
Changes:
* Go >= 1.11 is now supported
* When dropping privileges, there is no supervisor process any more.
* DNS options used to be cleared from DNS queries, with the exception of flags and payload sizes. This is not the case any more.
* DoH queries are smaller, since workarounds are not required any more after Google updated their implementation.
Tor 0.3.4.8 is the first stable release in its series; it includes
compilation and portability fixes.
The Tor 0.3.4 series includes improvements for running Tor in
low-power and embedded environments, which should help performance in
general. We've begun work on better modularity, and included preliminary
changes on the directory authority side to accommodate a new bandwidth
measurement system. We've also integrated more continuous-integration
systems into our development process, and made corresponding changes to
Tor's testing infrastructure. Finally, we've continued to refine
our anti-denial-of-service code.
Below are the changes since 0.3.4.7-rc. For a complete list of changes
since 0.3.3.9, see the ReleaseNotes file.
o Minor features (compatibility):
- Tell OpenSSL to maintain backward compatibility with previous
RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
ciphers are disabled by default. Closes ticket 27344.
o Minor features (continuous integration):
- Log the compiler path and version during Appveyor builds.
Implements ticket 27449.
- Show config.log and test-suite.log after failed Appveyor builds.
Also upload the zipped full logs as a build artifact. Implements
ticket 27430.
o Minor bugfixes (compilation):
- Silence a spurious compiler warning on the GetAdaptersAddresses
function pointer cast. This issue is already fixed by 26481 in
0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
bugfix on 0.2.3.11-alpha.
- Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
supported, and always fails. Some compilers warn about the
function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
on 0.2.2.23-alpha.
o Minor bugfixes (continuous integration):
- Disable gcc hardening in Appveyor Windows 64-bit builds. As of
August 29 2018, Appveyor images come with gcc 8.2.0 by default.
Executables compiled for 64-bit Windows with this version of gcc
crash when Tor's --enable-gcc-hardening flag is set. Fixes bug
27460; bugfix on 0.3.4.1-alpha.
- When a Travis build fails, and showing a log fails, keep trying to
show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
- When we use echo in Travis, don't pass a --flag as the first
argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.
o Minor bugfixes (onion services):
- Silence a spurious compiler warning in
rend_client_send_introduction(). Fixes bug 27463; bugfix
on 0.1.1.2-alpha.
o Minor bugfixes (testing, chutney):
- When running make test-network-all, use the mixed+hs-v2 network.
(A previous fix to chutney removed v3 onion services from the
mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
- Before running make test-network-all, delete old logs and test
result files, to avoid spurious failures. Fixes bug 27295; bugfix
on 0.2.7.3-rc.
This isn't supported on some operating systems. If it turns out to be
required by more packages we should create a tool.mk for lang/elixir.
Mark the package MAKE_JOBS safe again.
pkgsrc changes:
- Adjust CATEGORIES to just `net'
- Remove dependency on glib-networking, it no longer seems to be
needed
- Remove no longer needed PKGCONFIG_OVERRIDE
Discussed with MAINTAINER, thanks Aleksej!
Changes:
megatools 1.10.2 - 2018-07-31
=============================
This is a bugfix release. This release was sponsored by donations to fix
large file downloads and improve download robustness after recent mega.nz
API change. Thank you!
Fixes:
- Actually fix connection dropping when downloading big files
Improvements:
- Add DNS resolution cache sharing across all cURL handles
- Increase receive buffer size to 256kB
megatools 1.10.1 - 2018-07-27
=============================
This is a bugfix release + one feature addition by del1a.
New features:
- Allow to interactively choose which files to download from a public folder via
megadl --choose-files
Fixes:
- Connection dropping when downloading big files
- Compatibility with older libcurl releases
- Fix occasional crashes when starting transfer worker threads
- Fix clang compatibility
megatools 1.10.0 - 2018-07-22
=============================
This release contains new features and optimizations.
New features/optimizations:
- Chunked upload using up to 16 concurrent connections. Remember, more is not
always better.
- Improved upload stability. When mega drops or hangs the data connection,
megatools will simply restart the upload of the chunk of data that got lost.
- 5x AES encryption/decryption speed increase for uploads and downloads. Now
it's possible to max out a gigabit connection on a cheap Intel based VPS.
- Improved progress reporting with a summary of the average speed at the end.
- You can use --debug http to see all HTTP requests and connections, for
debugging connection issues.
- Error 509 is reported with explanation.
- Implemented automatic resume for interrupted downloads. Megatools now
writes data to a temporary file and renames it to the target name, when the
download is fully completed. This way you'll notice that download was
interrupted by CTRL+C and megatools will not leave half finished work behind.
- Add contributed bash auto-completion file by albaldi #368
- Add support for authenticated downloads of exported files using megadl #298
(So that your account download quota is used instead of public quota.)
- Add Upload section and CreatePreviews setting into rc file. Add --enable-previews
option.
- Add support for megals --print0|-0
Fixes:
- Upload hangs at 100% #366 #360 #365
- Don't send terminal escape sequences, when redirecting stdout.
- Fix comments syntax in megarc man page #359
- Use glib's variants of PRIu64, fixes #328
- megadl doesn't use account session when downloading folder links #304
- Skip symlinked folders when uploading in megacopy #262
- Turn on TCP keepalive probes in CURL #271
- Fix socks proxy support in megareg (it was not enabled correctly) #287
- Fix OpenSSL 1.1 compatibility #263
- Fix compiling against libressl
- Fix b64_aes128_cbc_encrypt_str string length handling #242
- Minor documentation updates/fixes
Credits:
- Thanks to ERap320, megatools is also available on Chocolatey (see github issue
#347) (If you want to verify origin of the binaries, because they are not
distributed in the officially signed zip file)
- Thanks to christarazi, megatools supports downloading specific sub-nodes of
a public folder. (#254)
Thanks also go to all other contributors for improving documentation, reporting
bugs and testing.
megatools 1.9.98 - 2016-11-03
=============================
Bugfix release with some UI improvements.
New features:
- Support upload/download speed limit settings
- Support socks proxy
- Improved progress reporting
- Support for OpenSSL 1.1.x
Removals:
- Remove undocumented --abort-on-error option. Tools now always
report errors through exit status.
- Remove libmega.so public library support and a lot of unused code
that was planned to be used for 2.0
- Remove megamv (it was never implemented and confused users)
- Remove megafs (it was just an experiment and confused users)
Cleanups:
- Cleanup build system a bit
- Cleanup CLI option handling, improved --help output
Fixes:
- Enable automatic decompression (CURLOPT_ACCEPT_ENCODING) (by protomouse)
(This finally fixes the problem with HTTP compression.)
- Exit status from all the tools is now correctly reported
- Fix syncing of symlinked files
- Support very long passwords in the password prompt (up to 1024 chars)
megatools 1.9.97 - 2016-02-02
=============================
Bugfix release.
Fixes:
- Mega started compressing HTTP responses to API calls. Megatools now
uses libcurl to handle API requests, so HTTP compression is now
supported.
megatools 1.9.96 - 2016-01-02
=============================
Bugfix release.
Fixes:
- Refer to mega.nz and use mega.nz links instead of deprecated mega.co.nz
- Fix various build issues
Flower is a web based tool for monitoring and administrating Celery clusters.
Features
* Real-time monitoring using Celery Events
- Task progress and history
- Ability to show task details (arguments, start time, runtime, and more)
- Graphs and statistics
* Remote Control
- View worker status and statistics
- Shutdown and restart worker instances
- Control worker pool size and autoscale settings
- View and modify the queues a worker instance consumes from
- View currently running tasks
- View scheduled tasks (ETA/countdown)
- View reserved and revoked tasks
- Apply time and rate limits
- Configuration viewer
- Revoke or terminate tasks
* Broker monitoring
- View statistics for all Celery queues
- Queue length graphs
* HTTP API
* Basic Auth and Google OpenID authentication
Upstream changes:
Features:
- Perform TLS SNI indication of the host that is being contacted
for DNS over TLS service. It sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services.
Bug Fixes:
- More explicitly mention the type of ratelimit when applying
ip-ratelimit.
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
- iana port update.
- Fixed unused return value warnings in contrib/fastrpz.patch for
asprintf.
- Fix to squelch respip warning in unit test, it is printed at
higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
pointer during test of the test. And use exit for return to note
irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
- Fix compile on Mac for unbound, provide explicit_bzero when libc
does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minimisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
- Fix #4149: Add SSL cleanup for tcp timeout.
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
qname minimisation with a forwarder when connectivity has issues
from rejecting responses.
- complete new build upon fehQlibs.
- tcprules delimiter can be customized via #define DELIMITER in tcprules.c.
- Removed options '-4' and '-6' for shell scripts and fixed bugs.
- Native handling of IPv4 and IPv6 addresses for tcpclient.
Release 4.34:
New features
- Added bucket lock support to gsutil. Currently, your project must be
whitelisted for use with the new bucket lock functionality. This restriction
will be lifted in the near future.
Bug Fixes
- Fixed issue where "rsync -P" would fail if run as the root user.
- Fixed an issue with credential caching where the source credentials for an
entity would change but the old cached credentials would still be used.
Other Changes
- OAuth2 token exchanges now go to https://oauth2.googleapis.com/token instead
of https://accounts.google.com/o/oauth2/token. Users using gsutil behind a
firewall may need to adjust their firewall rules.
- If invoked via the Cloud SDK, gsutil's debug output now displays the path to
gcloud's gsutil wrapper script for "gsutil path", rather than the actual entry
point for the bundled gsutil component.
- Improved error messages for failed Cloud KMS requests.
- Improved error messages for "iam ch" command to clarify that assigning
roles to project convenience groups (e.g. "projectEditor") is not allowed.
- Enhanced perfdiag command to include GCE instance details (if applicable)
and the target bucket's location and storage class.
- Several documentation updates and clarifications.
VERSION 2.1
* option to store remaining time in leasefile
* pf: set dst address in rule if use_ext_ip_addr is set
* Add options for netfilter scripts
* Use monotonic clock for timeouts, etc.
* Add option force_igd_desc_v1 to force devices and services versions
to 1 in IGD v2 mode
* Fix a few buffer overruns in SSDP and SOAP parsing
* PCP : reset epoch after address change
* merge https://github.com/miniupnp/miniupnp/tree/randomize_url branch
* get SSDP packet receiving interface index and use it to check if the
packet is from a LAN
* default to client address for AddPortMapping when <NewInternalClient>
is empty
* pass ext_if_name to add_pinhole()
* Fix UDA-1.2.10 Man header empty or invalid
* Do not try to open IPv6 sockets once it is disabled
* Fix "AddPinhole Twice" test
* fixes build for Solaris/SunOS
* fixes build error on DragonFly BSD
Upstream changes:
mikutter 3.8.1
* fix to explicitly make api_request_file_cache plugin depend on twitter plugin
* thanks Kazuki Y.
* use gtk2 3.2.9
* thanks Akira Ouchi
* extract images from niconico-saiga OGP
* thanks Shibafu Midorino
* remove an extra debug message
* thanks Izumi Tsutsui
* suppress error messages of findbyid when twitter accounts are not registered
* thanks cob od
Bugfixes:
#2370: Scanning and deletes should be processed even when above the free space limit
#5078: panic: nil pointer dereference when unpausing folders
#5117: cmd/stdiscosrv: Not enough traffic breaks replication between discovery servers
#5125: Symlinks marked as removed on windows
#5127: Parent directories of unignored files keep being included and immediately ignored again
#5131: Progress updates are ignored for send only folders
#5151: cmd/stdiscosrv: Should not allow localhost addresses
#5180: Docker image fails when PGID set to existing group
#5183: panic: bug: Notify backend is processing a change outside of the filesystem root
Enhancements:
#2291: Permanently notify about initial connection requests
#4782: Reduce unnecessary syncing / database traversal
#5163: GUI authentication using LDAP
Other issues:
#4758: Suture services should not survive panics
#5110: Run folder tests in temporary directories
Changes:
VERSION 2.1 : released 2018/05/07
2018/05/07:
CMake Modernize and cleanup CMakeLists.txt
Update MS Visual Studio projects
2018/04/30:
listdevices: show devices sorted by XML desc URL
2018/04/26:
Small fix in miniupnpcmodule.c (python module)
Support cross compiling in Makefile.mingw
2018/04/06:
Use SOCKET type instead of int (for Win64 compilation)
Increments API_VERSION to 17
2018/02/22:
Disable usage of MiniSSDPd when using -m option
2017/12/11:
Fix buffer overrun in minixml.c
Fix uninitialized variable access in upnpreplyparse.c
2017/05/05:
Fix CVE-2017-8798 Thanks to tin/Team OSTStrom
2016/11/11:
check strlen before memcmp in XML parsing portlistingparse.c
fix build under SOLARIS and CYGWIN
2016/10/11:
Add python 3 compatibility to IGD test
2.7.9
- Minor fixes
2.7.8
- Adding henet to supported providers
2.7.7
- Fix for cloudns
2.7.6
- Tests fixes
2.7.5
- Add support for inwx provider
2.7.4
- Add support for Plesk API
Changes:
19 Sep 2018: chrony-3.4 released
Enhancements
Add filter option to server/pool/peer directive
Add minsamples and maxsamples options to hwtimestamp directive
Add support for faster frequency adjustments in Linux 4.19
Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
Disable sub-second polling intervals for distant NTP sources
Extend range of supported sub-second polling intervals
Get/set IPv4 destination/source address of NTP packets on FreeBSD
Make burst options and command useful with short polling intervals
Modify auto_offline option to activate when sending request failed
Respond from interface that received NTP request if possible
Add onoffline command to switch between online and offline state according to current system network configuration
Improve example NetworkManager dispatcher script
Bug fixes
Avoid waiting in Linux getrandom system call
Fix PPS support on FreeBSD and NetBSD
4 Apr 2018: chrony-3.3 released
Enhancements
Add burst option to server/pool directive
Add stratum and tai options to refclock directive
Add support for Nettle crypto library
Add workaround for missing kernel receive timestamps on Linux
Wait for late hardware transmit timestamps
Improve source selection with unreachable sources
Improve protection against replay attacks on symmetric mode
Allow PHC refclock to use socket in /var/run/chrony
Add shutdown command to stop chronyd
Simplify format of response to manual list command
Improve handling of unknown responses in chronyc
Bug fixes
Respond to NTPv1 client requests with zero mode
Fix -x option to not require CAP_SYS_TIME under non-root user
Fix acquisitionport directive to work with privilege separation
Fix handling of socket errors on Linux to avoid high CPU usage
Fix chronyc to not get stuck in infinite loop after clock step
15 Sep 2017: chrony-3.2 released
Enhancements
Improve stability with NTP sources and reference clocks
Improve stability with hardware timestamping
Improve support for NTP interleaved modes
Control frequency of system clock on macOS 10.13 and later
Set TAI-UTC offset of system clock with leapsectz directive
Minimise data in client requests to improve privacy
Allow transmit-only hardware timestamping
Add support for new timestamping options introduced in Linux 4.13
Add root delay, root dispersion and maximum error to tracking log
Add mindelay and asymmetry options to server/peer/pool directive
Add extpps option to PHC refclock to timestamp external PPS signal
Add pps option to refclock directive to treat any refclock as PPS
Add width option to refclock directive to filter wrong pulse edges
Add rxfilter option to hwtimestamp directive
Add -x option to disable control of system clock
Add -l option to log to specified file instead of syslog
Allow multiple command-line options to be specified together
Allow starting without root privileges with -Q option
Update seccomp filter for new glibc versions
Dump history on exit by default with dumpdir directive
Use hardening compiler options by default
Bug fixes
Don’t drop PHC samples with low-resolution system clock
Ignore outliers in PHC tracking, RTC tracking, manual input
Increase polling interval when peer is not responding
Exit with error message when include directive fails
Don’t allow slash after hostname in allow/deny directive/command
Try to connect to all addresses in chronyc before giving up
31 Jan 2017: chrony-3.1 released
Enhancements
Add support for precise cross timestamping of PHC on Linux
Add minpoll, precision, nocrossts options to hwtimestamp directive
Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources
Allow sub-second polling interval with NTP sources
Bug fixes
Fix time smoothing in interleaved mode
16 Jan 2017: chrony-3.0 released
Enhancements
Add support for software and hardware timestamping on Linux
Add support for client/server and symmetric interleaved modes
Add support for MS-SNTP authentication in Samba
Add support for truncated MACs in NTPv4 packets
Estimate and correct for asymmetric network jitter
Increase default minsamples and polltarget to improve stability with very low jitter
Add maxjitter directive to limit source selection by jitter
Add offset option to server/pool/peer directive
Add maxlockage option to refclock directive
Add -t option to chronyd to exit after specified time
Add partial protection against replay attacks on symmetric mode
Don’t reset polling interval when switching sources to online state
Allow rate limiting with very short intervals
Improve maximum server throughput on Linux and NetBSD
Remove dump files after start
Add tab-completion to chronyc with libedit/readline
Add ntpdata command to print details about NTP measurements
Allow all source options to be set in add server/peer command
Indicate truncated addresses/hostnames in chronyc output
Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
Bug fixes
Fix crash with disabled asynchronous name resolving
21 Nov 2016: chrony-2.4.1 released
Bug fixes
Fix processing of kernel timestamps on non-Linux systems
Fix crash with smoothtime directive
Fix validation of refclock sample times
Fix parsing of refclock directive
7 Jun 2016: chrony-2.4 released
Enhancements
Add orphan option to local directive for orphan mode compatible with ntpd
Add distance option to local directive to set activation threshold (1 second by default)
Add maxdrift directive to set maximum allowed drift of system clock
Try to replace NTP sources exceeding maximum distance
Randomise source replacement to avoid getting stuck with bad sources
Randomise selection of sources from pools on start
Ignore reference timestamp as ntpd doesn’t always set it correctly
Modify tracking report to use same values as seen by NTP clients
Add -c option to chronyc to write reports in CSV format
Provide detailed manual pages
Bug fixes
Fix SOCK refclock to work correctly when not specified as last refclock
Fix initstepslew and -q/-Q options to accept time from own NTP clients
Fix authentication with keys using 512-bit hash functions
Fix crash on exit when multiple signals are received
Fix conversion of very small floating-point numbers in command packets
Removed features
Drop documentation in Texinfo format
16 Feb 2016: chrony-2.3 released
Enhancements
Add support for NTP and command response rate limiting
Add support for dropping root privileges on Mac OS X, FreeBSD, Solaris
Add require and trust options for source selection
Enable logchange by default (1 second threshold)
Set RTC on Mac OS X with rtcsync directive
Allow binding to NTP port after dropping root privileges on NetBSD
Drop CAP_NET_BIND_SERVICE capability on Linux when NTP port is disabled
Resolve names in separate process when seccomp filter is enabled
Replace old records in client log when memory limit is reached
Don’t reveal local time and synchronisation state in client packets
Don’t keep client sockets open for longer than necessary
Ignore poll in KoD RATE packets as ntpd doesn’t always set it correctly
Warn when using keys shorter than 80 bits
Add keygen command to generate random keys easily
Add serverstats command to report NTP and command packet statistics
Bug fixes
Fix clock correction after making step on Mac OS X
Fix building on Solaris
20 Jan 2016: chrony-2.2.1 and chrony-1.31.2 released
Security fixes
Restrict authentication of NTP server/peer to specified key (CVE-2016-1567)
CVE-2016-1567: Impersonation between authenticated peers
When a server/peer was specified with a key number to enable authentication with a symmetric key, packets received from the server/peer were accepted if they were authenticated with any of the keys contained in the key file and not just the specified key.
This allowed an attacker who knew one key of a client/peer to modify packets from its servers/peers that were authenticated with other keys in a man-in-the-middle (MITM) attack. For example, in a network where each NTP association had a separate key and all hosts had only keys they needed, a client of a server could not attack other clients of the server, but it could attack the server and also attack its own clients (i.e. modify packets from other servers).
To not allow the server/peer to be authenticated with other keys, the authentication test was extended to check if the key ID in the received packet is equal to the configured key number. As a consequence, it’s no longer possible to authenticate two peers to each other with two different keys; both peers have to be configured to use the same key.
This issue was discovered by Matt Street of Cisco ASIG.
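The extended authentication test described for CVE-2016-1567, shown next to the earlier any-key behaviour. This is an added Python example, not chrony's own code. The packet layout (48-byte header, 32-bit key ID, SHA-1 over the key followed by the header), the key values and all function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48

# Constructed key file of one client: key ID -> secret (sample values only).
KEYS = {
    1: b"constructed-secret-shared-with-server-A",
    2: b"constructed-secret-shared-with-server-B",
}
CONFIGURED_KEY_ID = 1  # assumed configuration: server A is specified with key 1


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key MAC assumed here: hash over the key followed by the header."""
    return hashlib.sha1(key + header).digest()


def build_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Header, then the 32-bit key ID, then the MAC."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def split_packet(packet: bytes):
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    return header, key_id, packet[NTP_HEADER_LEN + 4:]


def auth_any_key(packet: bytes, keys: dict) -> bool:
    """Behaviour before the fix: a valid MAC under whichever key the packet names."""
    if len(packet) <= NTP_HEADER_LEN + 4:
        return False
    header, key_id, mac = split_packet(packet)
    key = keys.get(key_id)
    return key is not None and hmac.compare_digest(mac, ntp_mac(key, header))


def auth_configured_key(packet: bytes, keys: dict, configured_key_id: int) -> bool:
    """Behaviour after the fix: the key ID must also equal the configured key number."""
    return auth_any_key(packet, keys) and split_packet(packet)[1] == configured_key_id


def demo() -> dict:
    """Return (before_fix, after_fix) verdicts for three constructed packets."""
    # Constructed server reply header: LI=0, VN=4, mode=4, stratum 2.
    genuine_header = bytes([0x24, 2, 6, 0xEC]) + bytes(44)
    genuine = build_packet(genuine_header, 1, KEYS[1])
    # Transmit timestamp altered and the packet re-authenticated with key 2,
    # which is in the client's key file but is not the key configured for A.
    altered_header = genuine_header[:40] + struct.pack("!II", 0x7FFFFFFF, 0)
    resigned = build_packet(altered_header, 2, KEYS[2])
    # Altered header with the original key ID and key-1 MAC left in place.
    stale_mac = altered_header + genuine[NTP_HEADER_LEN:]
    packets = [("genuine", genuine), ("resigned", resigned), ("stale_mac", stale_mac)]
    return {
        name: (auth_any_key(p, KEYS), auth_configured_key(p, KEYS, CONFIGURED_KEY_ID))
        for name, p in packets
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Only the re-authenticated packet changes verdict between the two checks, which is the case the fix targets.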
19 Oct 2015: chrony-2.2 released
Enhancements
Add support for configuration and monitoring over Unix domain socket (accessible by root or chrony user when root privileges are dropped)
Add support for system call filtering with seccomp on Linux (experimental)
Add support for dropping root privileges on NetBSD
Control frequency of system clock on FreeBSD, NetBSD, Solaris
Add system leap second handling mode on FreeBSD, NetBSD, Solaris
Add dynamic drift removal on Mac OS X
Add support for setting real-time priority on Mac OS X
Add maxdistance directive to limit source selection by root distance (3 seconds by default)
Add refresh command to get new addresses of NTP sources
Allow wildcard patterns in include directive
Restore time from driftfile with -s option if later than RTC time
Add configure option to set default hwclockfile
Add -d option to chronyc to enable debug messages
Allow multiple addresses to be specified for chronyc with -h option and reconnect when no valid reply is received
Make check interval in waitsync command configurable
Bug fixes
Fix building on NetBSD, Solaris
Restore time from driftfile with -s option if reading RTC failed
Removed features
Drop support for authentication with command key (run-time configuration is now allowed only for local users that can access the Unix domain socket)
23 Jun 2015: chrony-2.1.1 released
Bug fixes
Fix clock stepping by integer number of seconds on Linux
22 Jun 2015: chrony-2.1 released
Enhancements
Add support for Mac OS X
Try to replace unreachable and falseticker servers/peers specified by name like pool sources
Add leaponly option to smoothtime directive to allow synchronised leap smear between multiple servers
Use specific reference ID when smoothing served time
Add smoothing command to report time smoothing status
Add smoothtime command to activate or reset time smoothing
Bug fixes
Fix crash in source selection with preferred sources
Fix resetting of time smoothing
Include packet precision in peer dispersion
Fix crash in chronyc on invalid command syntax
27 Apr 2015: chrony-2.0 released
Enhancements
Update to NTP version 4 (RFC 5905)
Add pool directive to specify pool of NTP servers
Add leapsecmode directive to select how to correct clock for leap second
Add smoothtime directive to smooth served time and enable leap smear
Add minsources directive to set required number of selectable sources
Add minsamples and maxsamples options for all sources
Add tempcomp configuration with list of points
Allow unlimited number of NTP sources, refclocks and keys
Allow unreachable sources to remain selected
Improve source selection
Handle offline sources as unreachable
Open NTP server port only when necessary (client access is allowed by allow directive/command or peer/broadcast is configured)
Change default bindcmdaddress to loopback address
Change default maxdelay to 3 seconds
Change default stratumweight to 0.001
Update adjtimex synchronisation status
Use system headers for adjtimex
Check for memory allocation errors
Reduce memory usage
Add configure options to compile without NTP, cmdmon, refclock support
Extend makestep command to set automatic clock stepping
Bug fixes
Add sanity checks for time and frequency offset
Don’t report synchronised status during leap second
Don’t combine reference clocks with close NTP sources
Fix accepting requests from configured sources
Fix initial fallback drift setting
Bugfixes:
#5038: Repeating INFO: UPnP parse: unrecognized UPnP device of type upnp:rootdevice
#5063: panic: cannot start already running folder
#5073: lib/logger: tests fail due to compilation error with go 1.11
#5089: Invalid files shouldn't affect global state
#5144: Tests fail on Go 1.11 / Windows
#5149: Index updates lost
Other issues:
#3595: stdiscosrv: Doesn't build on Solaris
#5043: root on symlinked path causes panic when using "Watch for changes"
Also:
This release includes initial support for "receive only" folders.
See https://docs.syncthing.net/users/foldertypes.html#receive-only-folder.
Haven't found anything that can be used as a NEWS/changelog, possibly
due to losing history in a repository move.
However, the author states there are a few security/bug fixes.
update MAINTAINER, HOMEPAGE, etc.
PR pkg/53638
by default. Deprecate 'djbdns-qmerge1'.
When applying the 'djbdns-mergequeries' patch, also apply a missing
bounds check. Patch from Tim Stewart on dns@list.cr.yp.to.
Bump PKGREVISION.
Provided by Coy Hile in joyent/pkgsrc#131. Fixes an issue where the module
builds would fail if they found a system LDAP. Fix print-PLIST while here.
FreeRADIUS 3.0.17 Tue 17 Apr 2018 14:00:00 EDT urgency=low
Feature improvements
* Add CURLOPT_CAINFO. Patch from Nicolas C.
#2167
* "stats home server" now supports "src IPADDR",
to specify home server also by source IP. Fixes #2169.
* Add Dockerfiles for a selection of common systems.
* Increase number of permitted file descriptors, for
systems with many home servers.
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs.
Patch from Isaac Boukris. Fixes #2205.
* Update main READMEs. Patches from Matthew Newton.
* Added dictionary.mimosa
Bug fixes
* Don't call post-proxy twice when proxying to
a virtual server. Matthew Newton, #2161.
* Use "raw" string value for shared secrets and dynamic clients.
It now parses strings with backslashes and "special characters"
correctly. Fixes #2168.
* Fix RuntimeDirectory for RedHat, from Alan Buxey.
* Relax checks in 'if' parser from Isaac Boukris
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
* Be more aggressive about cleaning up cached certificate attributes,
due to deficiencies in OpenSSL. Reported by Nicolas Reich.
* Be more accepting when parsing IPv6 addresses. Bug noted
by Klara Mall.
* Fix double free in rlm_sql. Fixes #2180.
* rlm_detail now writes empty Access-Accept packets.
* rlm_python can now create tagged attributes.
* Don't crash on duplicate realm + authhost / accthost.
Bug found by Richard Palmer.
* Allow partial certificate chain to trusted CA. Fixes #2162
* Treat SSL_read() returning zero as error. Fixes #2164.
* detail writer now checks if the file was renamed or deleted.
* Add User-Name to Access-Accept if EAP-Message exists,
not Stripped-User-Name.
* RedHat Systemd updates. Fixes #2184
* Use correct API for State variable in rlm_securid.
* Remove broken radclient option "-i".
* Fix "users" file (and hints, etc.) so that it does not
get confused about entry ordering with multiple $INCLUDEs.
* Fix rlm_sql to expand the un-escaped string, not the raw string.
* Link default and inner-tunnel only if they exist. Fixes #2206.
* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
* Always install signal handler for SIGINT (needed by Docker).
* Fix intermediate CA flow for OCSP. Fixes #2160.
Intermediate certs which are not self-signed will now be
checked.
* sqlippool now returns "fail" if it fails IP allocation.
* Fix rlm_yubikey to look for correct attribute in replay
attack check.
This is the latest git version of the program (from 2015 though).
Switch the build to use gnutls for the command line program,
since openssl 1.1 is not supported.
Various changes since the last released version, but only git log
available. Mostly bugfixes.
Update bl3.mk file: neither zlib nor openssl nor gnutls headers/libraries
are used by the library, so remove all bl3.mk includes.
Changes for version 1.3.1:
* Cleaned up deprecation warnings
* Fixed SNMP::Integer#<=> method for Ruby 2.3.0 and later
* Removed artificial limit on number of non-repeaters for GetBulkRequest
* SNMP::BER module no longer pollutes global namespace
v2.1.23 (2018/09/20)
* use yaml for remapping; remove json transpose code (#177)
- use yaml for remapping; remove json transpose code
- temporarily revert cpe change on win2k3
* TELNET: Initial commit (#178)
* Add better support for Array networks/ArrayOS
v.2.1.22 - 2018.09.04
* New fingerprint coverage: apache_modules.xml #174
- Adds support for performing version detection of Apache modules in HTTP
Server headers.
- Client software calling Recog is expected to split an Apache banner based
on spaces and toss the individual values at Recog.
- This is a first pass, more work will be required to fully flesh this out.
* Improved coverage: http_servers.xml #175
- Leveraging Project Sonar data from 2018.08.13 has resulted in significant
(multiple millions) improvement of fingerprinting against that data set.
- hw.* values added where possible
* Minor FTP tweaks
v.2.1.22 - 2018.08.29
* New capability: CPE 2.3 data #172
- Added preliminary support for returning CPE 2.3 information via a new
fingerprint param named service.cpe23 which can be literal strings or
interpolated values.
Example:
<param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:1"/>
or
<param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:{service.version}"/>
- Software, other than Ruby Recog, that leverages the XML directly will need
to support interpolating the values in order to fully utilize this
capability.
- Future changes to enhance this capability and make creating interpolated
results easier are expected in the near future.
- See PR #172 for more details
* Misc fingerprint updates and changes, some of which were to support CPE
changes.
- Changed the use of 'F5 Labs' to 'F5' in multiple files #171
- Change certain Cisco PIX fingerprints from 'service.' to 'os.' #170
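The service.cpe23 interpolation described in the 2018.08.29 entry above, as it might be handled by a non-Ruby consumer of the fingerprint XML. This is an added Python example, not Recog's own code. The fingerprint pattern, the banners, the hypothetical.* param names and the choice to omit a param whose placeholder cannot be resolved are assumptions of this example; only the service.cpe23 param line comes from the notes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fingerprint file; hypothetical.* names exist only in this example.
FINGERPRINT_XML = r"""
<fingerprints matches="constructed.sample">
  <fingerprint pattern="^Zimbra Desktop/(\d+(?:\.\d+)*)(?: build (\d+))?$">
    <description>Zimbra Desktop (constructed sample)</description>
    <param pos="1" name="service.version"/>
    <param pos="2" name="hypothetical.build"/>
    <param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:{service.version}"/>
    <param pos="0" name="hypothetical.label" value="zimbra-{service.version}-{hypothetical.build}"/>
  </fingerprint>
</fingerprints>
"""

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def interpolate(template, captured):
    """Fill {name} placeholders from captured params.

    Returns None when any placeholder has no captured value, so a
    half-filled string such as 'cpe:/a:vendor:product:{service.version}'
    never reaches downstream matching.
    """
    if any(name not in captured for name in PLACEHOLDER.findall(template)):
        return None
    return PLACEHOLDER.sub(lambda mo: captured[mo.group(1)], template)


def match_banner(banner, xml_text=FINGERPRINT_XML):
    """Return the params of the first matching fingerprint, or None."""
    root = ET.fromstring(xml_text.strip())
    for fp in root.iter("fingerprint"):
        m = re.search(fp.get("pattern"), banner)
        if not m:
            continue
        result, templates = {}, {}
        for param in fp.iter("param"):
            pos, name = int(param.get("pos")), param.get("name")
            if pos > 0:
                # Positional param: value comes from a capture group,
                # which may be absent when the group is optional.
                if m.group(pos) is not None:
                    result[name] = m.group(pos)
            else:
                # pos="0": literal string or interpolated value.
                templates[name] = param.get("value", "")
        # Resolve pos="0" params only after every capture is known.
        for name, template in templates.items():
            value = interpolate(template, result)
            if value is not None:
                result[name] = value
        return result
    return None


if __name__ == "__main__":
    print(match_banner("Zimbra Desktop/7.2.5"))
    print(match_banner("Zimbra Desktop/7.2.5 build 1234"))
```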
v.2.1.20 - 2018.06.27
* Compatibility: Adjustments to the regex of multiple fingerprints to remove
negative lookaheads and other constructs that Golang doesn't support. #162
v.2.1.19 - 2018.04.16
* Improved coverage: xml/smtp_banners.xml #160
- Note: Due to effort to cleanup description lines (remove duplicates,
remove multilines, provide context, standardize format) almost every value
for <description> has changed. This will impact the value returned as
matched with tools such as DAP.
- Project Sonar SMTP survey data was used to enhance and improve the
coverage. Full details and metrics can be found in #160
- Improved the accuracy and/or flexibility of multiple fingerprints.
- Changed ALL instances of flags="REG_ICASE" to an inline flag (?i:) in
order to make the regex compatible with more languages.
- Implemented fingerprint examples for those fingerprints where examples
could be found.
- This sometimes resulted in removing fingerprints that were actually
duplicates or trivially different.
- Reworked description values so as to remove examples and ensure that this
field is unique within the file as the value of description serves as an
identifier when processing fingerprints. Multiline descriptions were
reduced to single line where possible. Many descriptions were modified.
- Fixed multiple instances where captures were under/over capturing. For
example, some fingerprints would have captured the examples but the
examples were missing leading or ending spaces. Other fingerprints were
over-broad in what they would capture leading to false positives or
misidentification.
- Fixed multiple instances where the portion of the version banner that was
captured was different between two products in the same family.
- Removed various real and example hostnames from examples and standardized
on 'foo.bar'
- Corrected system.time.format so as to match timestamp provided by service
- Reworked date regex for multiple matches to remove inadvertent requirement
for two digit day value when the banner included a single digit day.
2.0.4 (2018/03/29)
* Fix for exception bug
2.0.5 (2018/08/17)
* Fixed a bug in the Ping::HTTP class where it didn't apply the user_agent
setting to the actual HTTP request
* Fixed Ping::HTTP to support custom User-Agent
4.1:
Fix problem when socket fd is 0
Fix running on servers with disabled IPv6
Allow running "fping -h" or "--help" even when raw socket can't be opened
Fix build issue with FreeBSD and IPv6