5.81 Mon Jan 14 05:17:08 MST 2013
- corrected load subroutine (SHA.pm) to prevent double-free
-- Bug #82655: Security issue - segfault
-- thanks to Victor Efimov and Nicholas Clark
for technical expertise and suggestions
5.80 Mon Dec 10 14:15:26 MST 2012
- obtained noticeable speedup on Intel/gcc
-- by setting -O1 and -fomit-frame-pointer
-- SHA-1 about 63% faster, SHA-2 improves 11-20%
5.74 Sat Nov 24 03:10:18 MST 2012
- handle wide-string input by converting to bytes first
-- viz. use SvPVbyte instead of SvPV in SHA.xs
-- thanks to Eric Brine for summary and code
5.73 Wed Oct 31 04:32:44 MST 2012
- provided workaround for DEC compiler bug (ref. Makefile.PL)
New Win32 features
FIPS module updated to version 2.0.
OpenSSL DLLs updated to version 1.0.1c.
zlib DLL updated to version 1.2.7.
Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost, nuron, padlock, sureware, ubsec.
Other new features
"session" option renamed to more readable "sessionCacheTimeout". The old name remains accepted for backward compatibility.
New service-level "sessionCacheSize" option to control session cache size.
New service-level option "reset" to control whether TCP RST flag is used to indicate errors. The default value is "reset = yes".
New service-level option "renegotiation" to disable SSL renegotiation. This feature is based on a public-domain patch by Janusz Dziemidowicz.
New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx to Janusz Dziemidowicz).
New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1 or higher (thx to Henrik Riomar).
Bugfixes
Fixed "Application Failed to Initialize Properly (0xc0150002)" error.
Fixed missing SSL state debug log entries.
Fixed a race condition in libwrap code resulting in random stalls (thx to Andrew Skalski).
Session cache purged at configuration file reload to reduce memory leak. Remaining leak of a few kilobytes per section is yet to be fixed.
Fixed regression bug in "transparent = destination" functionality (thx to Stefan Lauterbach). This bug was introduced in stunnel 4.51.
"transparent = destination" is now a valid endpoint in inetd mode.
"delay = yes" fixed to work even if specified *after* "connect" option.
Multiple "connect" targets fixed to also work with delayed resolver.
The number of resolver retries of EAI_AGAIN error has been limited to 3 in order to prevent infinite loops.
Fix some directory owner/group rights and take over maintainership as I
use it almost daily.
- Add support of
. SCR3310-NTTCom USB (was removed in version 1.4.6)
. Inside Secure VaultIC 420 Smart Object
. Inside Secure VaultIC 440 Smart Object
- Wait up to 3 seconds for reader start up
- Add support of new PC/SC V2 part 10 properties:
. dwMaxAPDUDataSize
. wIdVendor
. wIdProduct
- Use helper functions from libPCSCv2part10 to parse the PC/SC v2
part 10 features
1.4.7:
- Add support of
. ACS ACR101 ICC Reader
. ACS CryptoMate64
. Alcor Micro AU9522
. Bit4id CKey4
. Bit4id cryptokey
. Bit4id iAM
. Bit4id miniLector
. Bit4id miniLector-s
. CCB eSafeLD
. Gemalto Ezio Shield Branch
. KOBIL Systems IDToken
. NXP PR533
- KOBIL Systems IDToken special cases:
. Give more time (3 seconds instead of 2) to the reader to answer
. Hack for the Kobil IDToken and German eID card. The German eID
card is bogus and needs to be powered off before a power on
. Add Reader-Info-Commands special APDU/command
- Manufacturer command
- Product name command
- Firmware version command
- Driver version command
- Use auto suspend for CCID devices only (Closes Alioth bug
[#313445] "Do not activate USB suspend for composite devices:
keyboard")
- Fix some error management in the T=1 TPDU state machine
- some minor bugs removed
- some minor improvements added
1.4.6:
- Add support of
. Avtor SC Reader 371
. Avtor SecureToken
. DIGIPASS KEY 202
. Fujitsu SmartCase KB SCR eSIG
. Giesecke & Devrient StarSign CUT
. Inside Secure VaultIC 460 Smart Object
. Macally NFC CCID eNetPad reader
. OmniKey 6321 USB
. SCM SDI 011
. Teridian TSC12xxF
. Vasco DIGIPASS KEY 101
- Remove support of readers without a USB CCID descriptor file
. 0x08E6:0x34C1:Gemalto Ezio Shield Secure Channel
. 0x08E6:0x34C4:Gemalto Ezio Generic
. 0x04E6:0x511A:SCM SCR 3310 NTTCom
. 0x0783:0x0008:C3PO LTC32 USBv2 with keyboard support
. 0x0783:0x9002:C3PO TLTC2USB
. 0x047B:0x020B:Silitek SK-3105
- Disable SPE for HP USB CCID Smartcard Keyboard. The reader is
bogus and unsafe.
- Convert "&" in a reader name into "&amp;" to fix a problem on Mac OS X
- Fix a problem with ICCD type A devices. We now wait for device ready
- Secure PIN Verify and PIN Modify: set the minimum timeout to 90
seconds
- Add support of wIdVendor and wIdProduct properties
- Add support of dwMaxAPDUDataSize
- Add support of Gemalto firmware features
- some minor bugs removed
- Fix a problem when a reader is unplugged (and the reader is still in use)
pcsc-lite-1.8.6:
- Fix a problem when only serial drivers are used (no hotplug/USB
driver)
- increase log buffer size from 160 to 2048. Some "long" log lines were
truncated.
- Fix redirection of stdin, stdout and stderr to /dev/null when pcscd is
started as a daemon (default)
- Some other minor improvements and bug corrections
pcsc-lite-1.8.5:
- Fix crash when a reader is unplugged while pcscd is in the middle of a
PC/SC function
- SCardBeginTransaction(): fix a bug introduced in version 1.8.4
related to sharing
- Some other minor improvements and bug corrections
pcsc-lite-1.8.4:
- Add [ and ] in the list of accepted characters for a reader name
- truncates the reader name if it is too long instead of rejecting the
reader
- The restriction to have to call SCardEstablishContext() in each thread
has been removed. Threads can now share a PC/SC context.
- Fix compiler failure for static driver
- Update IFDHandler API Doxygen regarding the "libusb-1.0" naming scheme
- Some other minor improvements and bug corrections
pcsc-lite-1.8.3:
- ignore directories and hidden (.*) files when parsing a configuration
directory (like /etc/reader.conf.d/)
- add Mac OS X for PC/SC spy tool
- fix a bug in PC/SC spy tool when loading of the real library fails
- add PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize,
PCSCv2_PART10_PROPERTY_wIdVendor and PCSCv2_PART10_PROPERTY_wIdProduct
from PC/SC v2 part 10 release 2.02.09 (not yet published)
- Some other minor improvements and bug corrections
pcsc-lite-1.8.2:
- rename pcsc-spy.py to pcsc-spy and install it as a normal binary (in
/usr/local/bin by default)
- write a pcsc-spy.1 manpage
- fix a bug with a multi-slot reader
- Info.plist parser: avoid a buffer read overflow in &amp; management
- Some Doxygen improvements
pcsc-lite-1.8.1:
- Distribute missing files from src/spy/
pcsc-lite-1.8.0:
- PC/SC spy tool
- Support systemd socket activation (the auto start of pcscd from the
library has been removed. Use systemd instead)
- SCardGetStatusChange(): check all the readers are already known and
return SCARD_E_UNKNOWN_READER if a reader name is not present.
Windows XP has this behavior.
- SCardEstablishContext(): Invalidate all the handles in the child after a
fork
- Add define of FEATURE_EXECUTE_PACE from PCSC v2 Part 10 Amendment 1
2011-06-03
- Fix some memory leaks reported by Coverity
- Enable silent build by default
- log_line(): correctly calculate delta time when no color is used
The update of last_time was only done in case of colorization
(LogDoColor). So on unsupported consoles the time was wrong.
- log_xxd_always(): Use a variable-length array
The debug message buffer no longer has a fixed size (around 600
bytes of buffer to log) but uses a variable-length array.
It is now possible to log extended APDU of 64kB.
The variable-length array feature is available in GCC in C90 mode and
is mandatory in C99 standard.
- Some other minor improvements and bug corrections
Fixes CVE-2012-6085
Upstream Changes:
* Add support for the old cipher algorithm IDEA.
* Minor bug fixes.
* Small changes to better cope with future OpenPGP and GnuPG
features.
* added totals method
* added a note about repeat authorizations
* added documentation about pin-based flow
* fixed textile formatting
* using the https endpoint for all oauth negotiation
* made the api host and version configurable
* wrapping the json parse error so you can programmatically access the response
* added configurable search host
Upstream changes:
2.32 Fri Dec 14 14:20:17 EST 2012
- Fixes "Taint checks are turned on and your key is tainted" error when autogenerating salt and IV.
=== 2.6.0 / 19 Sep 2012
* Use OpenSSL::PKey.read to read arbitrary private key. [nagachika]
* Check availability of UNIXSocket and UNIXServer for Windows [Nobuhiro IMAI]
* Bump version to 2.5.3 and depend on newer jruby-pageant version for Java 1.5 compat. [arturaz]
* Implementation of the "none"-authentication method [dubspeed]
* Add class for stricter host key verification [Andy Brody]
New in 2.1.26
-------------
* Modernize SASL malloc/realloc callback prototypes
* Added sasl_config_done() to plug a memory leak when using an application
specific config file
* Fixed PLAIN/LOGIN authentication failure when using saslauthd
with no auxprop plugins (bug # 3590).
* unlock the mutex in sasl_dispose if the context was freed by another thread
* MINGW32 compatibility patches
* Fixed broken logic in get_fqhostname() when abort_if_no_fqdn is 0
* Fixed some memory leaks in libsasl
* GSSAPI plugin:
- Fixed a segfault in gssapi.c introduced in 2.1.25.
- Code refactoring
- Added support for GSS-SPNEGO SASL mechanism (Unix only), which is also
HTTP capable
* GS2 plugin:
- Updated GS2 plugin not to lose minor GSS-API status codes on errors
* DIGEST-MD5 plugin:
- Correctly send "stale" directive to prevent clients from (re)prompting
for password
- Better handling of HTTP reauthentication cases
- fixed some memory leaks
* SASLDB plugin:
- Added support for BerkeleyDB 5.X or later
* OTP plugin:
- Removed calling of EVP_cleanup() on plugin shutdown in order to prevent
TLS from failing in calling applications
* SRP plugin:
- Removed calling of EVP_cleanup() on plugin shutdown in order to prevent
TLS from failing in calling applications
* saslauthd:
- auth_rimap.c: qstring incorrectly appending the closing double quote,
which might be causing crashes
- auth_rimap.c: read the whole IMAP greeting
- better error reporting from some drivers
- fixed some memory leaks
- Do not log the time every second on "old" PC/SC without support of
\\?PnP?\Notification like on Mac OS X.
- 79 new ATRs
- minor fixes
1.4.20 - 16 June 2012, Ludovic ROUSSEAU
- Makefile: Add arguments to CFLAGS instead of overwriting them
- 3 new ATRs
1.4.19
- ATR_analysis: use XDG_CACHE_HOME env variable
The smartcard_list.txt file is now searched in ~/.cache/ by default
- 115 new ATRs
1.4.18
- gscriptor: Display hex dumps in lines of 16 bytes instead of 17
- gscriptor: Display bytes of value 0x20 as ' ' instead of '.'
- scriptor: Display lines of 16 bytes instead of 24
- 223 new ATRs
- pcsc_scan: Correctly detect reader Plug and Play support
1.4.17
- 153 new ATRs
- Allow building with pcsc-lite >= 1.6.2
1.4.16
- 153 new ATRs
- pcsc_scan.c: check for PnP support at run time instead of using a
#define
- ATR_analysis: use curl instead of wget on Darwin
- gscriptor: ReaderConfig(): escape metacharacters []() in
the reader name when using reader name as a pattern matching