This release features a fix for the ed25519 signer. This signer hashed the
message before signing, resulting in unverifiable signatures. Also on the
Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16)
by using libdecaf.
Bug fixes
- Do not hash the message in the ed25519 signer
- Make URI integers 16 bits, fixes#5443
- configure.ac: Corrects syntax error in test statement on existance
of libcrypto_ecdsa
- configure.ac: Fix quoting issue fixes#5401
- configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
- configure.ac: Check if we can link against libatomic if needed
- Fix typo in ldapbackend.cc from issue #5091
- Sort NSEC record case insensitive
- Make sure NSEC ordernames are always lower case
- API: correctly take TTL from first record even if we are at
the last comment
- Fix AtomicCounter unit tests on 32-bit
- Fix negative port detection for IPv6 addresses on 32-bit
- Remove support for 'right' timezones, as this code turned out to be broken
- Lowercase the TSIG algorithm name in hash computation
- Handle exceptions raised by closesocket()
- Don't leak on signing errors during outgoing AXFR; signpipe stumbles over
interrupted rrsets; fix memory leak in gmysql backend
- TinyCDB backend: Don't leak a CDB object in case of bogus data
Improvements
- ODBC backend: Allow query logging
- Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer
- YaHTTP: Sync with upstream changes
- Send a notification to all slave servers after every dnsupdate
- Add option to set a global lua-axfr-script value
- dnsreplay: Add --source-ip and --source-port options
- calidns: Use the correct socket family (IPv4 / IPv6)
- Add an option to allow AXFR of zones with a different (higher/lower) serial
- API: Make trailing dot handling consistent with pdnsutil
- SuffixMatchNode: Fix insertion issue for an existing node
- Do not resolve the NS-records for NOTIFY targets if the "only-notify"
whitelist is empty, as a target will never match an empty whitelist.
- Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in
an unsigned zone
- Create additional reuseport sockets before dropping privileges; remove
transaction in pgpsql backend
- Wrap long command lines for readability
- Document where we set procname=${name} for rc.d
- Detach long-running processes from controlling terminal
- Configurable path to tcpserver
- Configurable user and group names:
DJBDNS_AXFR_USER?= axfrdns
DJBDNS_CACHE_USER?= dnscache
DJBDNS_RBL_USER?= rbldns
DJBDNS_TINY_USER?= tinydns
DJBDNS_DJBDNS_GROUP?= djbdns
Bump version.
Ignore auth-nocache for auth-user-pass if auth-token is pushed
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Make openvpn-plugin.h self-contained again.
Pass correct buffer size to GetModuleFileNameW()
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Fix gateway detection with OpenBSD routing domains
Bugfixes:
spawnProcess no longer opens an unwanted console on Windows
The transition to the hyperlink package adds IPv6 support to twisted.python.url.URL. This is now deprecated and new code should use hyperlink directly
twisted.logger now buffers only 200 events by default (reduced from 65536) while waiting for observers to be configured.
The transition of twisted.python.url to using the hyperlink package enables a URL.click() with no arguments (or 0-length string argument) to resolve dot segments in the path.
twisted.protocols.finger now works on Python 3.
TLS-related tests now pass when run with OpenSSL 1.1.0. This makes tests pass again on macOS and Windows, as cryptography 1.8 and later include OpenSSL 1.1.0.
UNIX socket endpoints now process all messages from recvmsg's ancillary data via twisted.internet.unix.Server.doRead/twisted.internet.unix.Client.doRead, while discarding and logging ones that don't contain file descriptors.
twisted.internet.endpoints.HostnameEndpoint and twisted.web.client.Agent work again with reactors that do not provide IReactorPluggableNameResolver. This undoes the changes that broke downstream users such as treq.testing. Note that passing reactors that do not provide IReactorPluggableNameResolver to either is deprecated.
A Python 3 Perspective Broker server which receives a remote call with keyword arguments from a Python 2 client will now decode any keys which are binary to strings instead of crashing. This fixes interoperability between Python 2 Buildbot clients and Python 3 Buildbot servers.
twisted.internet._threadedselect now works on both Python 2 and 3.
twisted.internet.interfaces.IResolverSimple implementers will now always be passed bytes, properly IDNA encoded if required, on Python 2. On Python 3, they will now be passed correctly IDNA-encoded Unicode forms of the domain, taking advantage of the idna library from PyPI if possible. This is to avoid Python's standard library (which has an out of date idna module) from mis- encoding domain names when non-ASCII Unicode is passed to it.
Changes:
28 April 2017: mitmproxy 2.0.2
* Fix mitmweb's Content-Security-Policy to work with Chrome 58+
* HTTP/2: actually use header normalization from hyper-h2
Changes:
version 2017.06.18
Core
* [downloader/common] Use utils.shell_quote for debug command line
* [utils] Use compat_shlex_quote in shell_quote
* [postprocessor/execafterdownload] Encode command line (#13407)
* [compat] Fix compat_shlex_quote on Windows (#5889, #10254)
* [postprocessor/metadatafromtitle] Fix missing optional meta fields processing
in --metadata-from-title (#13408)
* [extractor/common] Fix json dumping with --geo-bypass
+ [extractor/common] Improve jwplayer subtitles extraction
+ [extractor/common] Improve jwplayer formats extraction (#13379)
Extractors
* [polskieradio] Fix extraction (#13392)
+ [xfileshare] Add support for fastvideo.me (#13385)
* [bilibili] Fix extraction of videos with double quotes in titles (#13387)
* [4tube] Fix extraction (#13381, #13382)
+ [disney] Add support for disneychannel.de (#13383)
* [npo] Improve URL regular expression (#13376)
+ [corus] Add support for showcase.ca
+ [corus] Add support for history.ca (#13359)
version 2017.06.12
Core
* [utils] Handle compat_HTMLParseError in extract_attributes (#13349)
+ [compat] Introduce compat_HTMLParseError
* [utils] Improve unified_timestamp
* [extractor/generic] Ensure format id is unicode string
* [extractor/common] Return unicode string from _match_id
+ [YoutubeDL] Sanitize more fields (#13313)
Extractors
+ [xfileshare] Add support for rapidvideo.tv (#13348)
* [xfileshare] Modernize and pass Referer
+ [rutv] Add support for testplayer.vgtrk.com (#13347)
+ [newgrounds] Extract more metadata (#13232)
+ [newgrounds:playlist] Add support for playlists (#10611)
* [newgrounds] Improve formats and uploader extraction (#13346)
* [msn] Fix formats extraction
* [turbo] Ensure format id is string
* [sexu] Ensure height is int
* [jove] Ensure comment count is int
* [golem] Ensure format id is string
* [gfycat] Ensure filesize is int
* [foxgay] Ensure height is int
* [flickr] Ensure format id is string
* [sohu] Fix numeric fields
* [safari] Improve authentication detection (#13319)
* [liveleak] Ensure height is int (#13313)
* [streamango] Make title optional (#13292)
* [rtlnl] Improve URL regular expression (#13295)
* [tvplayer] Fix extraction (#13291)
Pkgsrc changes:
* Adapt PLIST
* Adapt Makefile to new python scripts
Upstream changes:
3.4.19 ExaBGP 'LINX 97/43' release
======
* Add: IPv6 nlri-mpls to list of enabled protocol (was missing)
requested by: adrian62
* Fix: encoding of Flow Label requiring more than 2 bytes
reported by: BLAKEMMM
* Fix: decoding of capability (was potentially over reading)
* Fix: trace when trying to access PID file and this is not allowed
reported by: George Shuklin
* Fix: Remove a peer's RIB cache when it is deleted from the config file
patch by: Brian Johnson
* Fix: do not crash the reactor when an invalid IP is passed via the API
reported by: Yevgeniy Ovsyannikov
* Fix: bad defintion of Flow for ICMPType, ICMPCode and Fragment
reported by: Christoph Loibl
* Feature: allow add-path for mpls-vpn
reported by: adrian62
* Change: Backported setup.py from master
* Feature: added SRPMS for exabgp
patch by: Leonardo Amaral
3.4.18 ExaBGP 'No BETT' release
======
* Backport: backhole community (RFC 7999)
original patch by: Job Snijders
* Fix: Configuration parser does not accept configs without neighbors.
patch by doddt
* Fix: 'connect' keyword is now also allowed in neighbor scope
patch by: Stacey Sheldon (Corsa)
* Fix: removing protocol auto-cleanup (it should never be called
and seems to cause a CG issue)
reported by: Colin Petrie
* Change: default to a 0 offset for ipv6 flowspec source/destination match
patch by: Brian Johnson
* Fix: Better PID file handling
reported by: Ben Agricola
* Fix: Update RIB cache families on configuration reload
patch by: Brian Johnson
* Fix: Backport fix on SIGUSR2 (restarting process not needing to be)
patch by: Shawn Zhou
* Change: group-updates now generates one UPDATE per address family
(and not one per NLRI for non IPv4)
patch by: Brian Johnson
3.4.17 ExaBGP 'No EPF' release
======
* Fix: does not accept IPv6 as router-id
reported by: yuriya
* Fix: JSON output for flow routes with rd
reported by droon5
* Fix: Fix Path-Information
* Fix: Bad encoding of capability when multiple families are used for add-path
reported: by Alexander Bespalov
* Fix: support non ASN4 use of AS_TRANS (AS23456)
reported by: Todd Crane
* Fix: do not exit when we can not accept incoming connection
reported by: Pavel Batkov
* Fix: quote where not escaped in JSON reason field
reported by: Rob Barnes
* Fix: decoding of IPv6 flow routes
reported by: stoffi92
* Fix: decoding of Graceful Restart Capability
patch by: florinz
* Fix: ASN4 encoding
patch by: Shu Sugimoto and Eiichiro Watanabe
* Change: Run without even peers configured
patch by: Jordan Gedney
* Fix: JSON encoding of updates without NLRIs
patch by: Dhammika Pathirana
* Fix: Possible race conditions in api handling
patch by: Brian Johnson
* Feature: Add 'show neighbor status' api
patch by: Brian Johnson
* Fix: flush route api
patch by: Brian Johnson
* Fix: Allow asn4 peer to speak with asn2 only peer
patch by: Brian Johnson
* Fix: only one MP NLRI is allow per UPDATE
reported by: subsecond
* Change: configuration output does not includes ':' anymore
patch by: doddt
* Change: syslog format changed to be in line with other application
patch by: Brian Johnson
3.4.16 ExaBGP 'Free YouTube' release
======
A bug fix only release
* Feature: allow users to decide if processes must be run before
or after we drop privileges
requested by: Ben Agricola
* Fix: correctly look in /etc/exabgp for programs to run when
the path is relative
reported by: Vincent Bernat
* Fix: missing handler for NOTIFICATION
patch by: minglvyy
3.4.15 ExaBGP 'skip' release
======
Do not look for 3.4.14 - it was never released. An issue with pypi
forced us to skip this version.
* Fix: the ttl-security parameter didn't really work. Fixed for
outgoing connections now.
patch by: Borja Marcos
* Fix: configuration leak between processes for neighbor-changes
and send-packets.
reported by: spakka
* Feature: add per neighbor connection port.
requested by: dbarrosop
* Fix: ASN4 boundary off by one
* Fix: Bad peer IP when using show routes.
patch by (backported): Wayne Tucker
* Fix: Missing next-hop in the text api.
reported by: Lisa Roach
* Fix: broken route-refresh command.
reported by: Bryan Schwerer
* Fix: wrongly announcing connection issue with peer on the API.
reported by: Bryan Schwerer
3.4.13 ExaBGP 'Madrid' release
======
* Fix: add semicolon in syslog entry so it can be parsed by tools
* Fix: duplication of message following helper process death
reported by: spakka
* Fix: death of helper program would lead to BGP session drop
reported by: spakka
* Fix: mistakenly made a function private breaking some ASN4 code path
reported by: Victor Sudakov
* Feature: manual eor
patch by: Charles Ng
3.4.12 ExaBGP 'John Glenn' release
======
* Fix: issue with unknown capabilities
reported by: Sandy Breeze
* Fix: notification messages were not passed to the API
reported by: Florian Obser
* Fix: transitivity on extended community
patch by: Thomas Morin
* Fix: bad reporting of VPLS information in JSON
* Fix: wrong SAFI on MPLS routes
reported by: Hideaki HAYASHI
* Fix: bad route comparaison
reported by: Alvaro Pereira
* Fix: decoding of Update
* Fix: Flow redirect to nexhop encoding
reported by: Mickael Marchand (Thank you to Peng Xiao and Nicolas
Fevrier for their help)
* Fix/Improve: JSON for flow spec
* Fix/Improve: redirect-to-nexthop
reported by: Mickael Marchand
c-ares version 1.13.0 - June 20 2017
Changes:
cmake build system support added
Add virtual function set for socket IO: ares_set_socket_functions
Bug fixes:
CVE-2017-1000381: c-ares NAPTR parser out of bounds access
macos: do not set HAVE_CLOCK_GETTIME_MONOTONIC
test: check ares_create_query with too-long name
dist: add ares_library_initialized.* to the tarball
fix build on OpenBSD
dist: ship msvc_ver.inc too
test: Add gTest/gMock files to SOURCES
test: add fuzz entrypoint for ares_create_query()
configure: clock_gettime workaround
docs: convert INSTALL to MarkDown & tweak
ares_process: fix return type of socket_create function (win32 warning)
docs: fixed references to ares_set_local_ip4 and ares_set_local_ip6
Windows DNS server sorting
Use ares_socklen_t instead of socket_t
ares_create_query: use ares_free not naked free
msvc_ver.inc support most recent Visual Studio 2017
acountry: Convert char from ISO-8859-1 to UTF-8
ares_expand_name: limit number of indirections
configure: do not check for ar if specified manually
Added support for Windows DNS Suffix Search List
ares.h: support compiling with QNX
This is a regularly scheduled stable release.
Resolved issues:
#3433: Correctly clear warning "path is a subdirectory of other folder" in folder dialog
#3524: Conflict copies' filename now includes the ID of the last device to change the file
#3993: Folders offered by other devices can now be ignored
#4164: Changed device name takes effect with restart; device name is not sent to unknown devices
#4183: Correctly show CPU usage when started with -no-restart option
Bug Fixes
The following vulnerabilities have been fixed:
* [1]wnpa-sec-2017-22
Bazaar dissector infinite loop ([2]Bug 13599) [3]CVE-2017-9352
* [4]wnpa-sec-2017-23
DOF dissector read overflow ([5]Bug 13608) [6]CVE-2017-9348
* [7]wnpa-sec-2017-24
DHCP dissector read overflow ([8]Bug 13609, [9]Bug 13628)
[10]CVE-2017-9351
* [11]wnpa-sec-2017-25
SoulSeek dissector infinite loop ([12]Bug 13631) [13]CVE-2017-9346
* [14]wnpa-sec-2017-26
DNS dissector infinite loop ([15]Bug 13633) [16]CVE-2017-9345
* [17]wnpa-sec-2017-27
DICOM dissector infinite loop ([18]Bug 13685) [19]CVE-2017-9349
* [20]wnpa-sec-2017-28
openSAFETY dissector memory exhaustion ([21]Bug 13649)
[22]CVE-2017-9350
* [23]wnpa-sec-2017-29
BT L2CAP dissector divide by zero ([24]Bug 13701) [25]CVE-2017-9344
* [26]wnpa-sec-2017-30
MSNIP dissector crash ([27]Bug 13725) [28]CVE-2017-9343
* [29]wnpa-sec-2017-31
ROS dissector crash ([30]Bug 13637) [31]CVE-2017-9347
* [32]wnpa-sec-2017-32
RGMP dissector crash ([33]Bug 13646) [34]CVE-2017-9354
* [35]wnpa-sec-2017-33
IPv6 dissector crash ([36]Bug 13675) [37]CVE-2017-9353
The following bugs have been fixed:
* DICOM dissection error. ([38]Bug 13164)
* Qt: drag & drop of one column header in PacketList moves other
columns. ([39]Bug 13183)
* Can not export captured DICOM objects in version 2.2.5. ([40]Bug
13570)
* False complain about bad checksum of ICMP extension header.
([41]Bug 13586)
* LibFuzzer: ISUP dissector bug (isup.number_different_meaning).
([42]Bug 13588)
* Dissector Bug, protocol BT ATT. ([43]Bug 13590)
* Wireshark dispalys
RRCConnectionReestablishmentRejectRRCConnectionReestablishmentRejec
t in Info column. ([44]Bug 13595)
* [oss-fuzz] UBSAN: shift exponent 105 is too large for 32-bit type
int in packet-ositp.c:551:79. ([45]Bug 13606)
* [oss-fuzz] UBSAN: shift exponent -77 is negative in
packet-netflow.c:7717:23. ([46]Bug 13607)
* [oss-fuzz] UBSAN: shift exponent 1959 is too large for 32-bit type
int in packet-sigcomp.c:2128:28. ([47]Bug 13610)
* [oss-fuzz] UBSAN: shift exponent 63 is too large for 32-bit type
guint32 (aka unsigned int) in packet-rtcp.c:917:24. ([48]Bug 13611)
* [oss-fuzz] UBSAN: shift exponent 70 is too large for 64-bit type
guint64 (aka unsigned long) in dwarf.c:42:43. ([49]Bug 13616)
* [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type
int in packet-xot.c:260:23. ([50]Bug 13618)
* [oss-fuzz] UBSAN: shift exponent -5 is negative in
packet-sigcomp.c:1722:36. ([51]Bug 13619)
* [oss-fuzz] UBSAN: index 2049 out of bounds for type char [2049] in
packet-quakeworld.c:134:5. ([52]Bug 13624)
* [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type
int in packet-netsync.c:467:25. ([53]Bug 13639)
* [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type
int in packet-sigcomp.c:3857:24. ([54]Bug 13641)
* [oss-fuzz] ASAN: stack-use-after-return
epan/dissectors/packet-ieee80211.c:14341:23 in add_tagged_field.
([55]Bug 13662)
* Welcome screen invalid capture filter wihtout WinPcap installed
causes runtime error. ([56]Bug 13672)
* SMB protocol parser does not parse SMB_COM_TRANSACTION2_SECONDARY
(0x33) command correctly. ([57]Bug 13690)
* SIP packets with SDP marked as malformed. ([58]Bug 13698)
* [oss-fuzz] UBSAN: index 8 out of bounds for type gboolean const[8]
in packet-ieee80211-radiotap.c:1836:12. ([59]Bug 13713)
* Crash on "Show packet bytes..." context menu item click. ([60]Bug
13723)
* DNP3 dissector does not properly decode packed variations with
prefixed qualifiers. ([61]Bug 13733)
Updated Protocol Support
Bazaar, BT ATT, BT L2CAP, DHCP, DICOM, DNP3, DNS, DOF, DWARF, ICMP,
IEEE 802.11, IPv6, ISUP, LTE RRC, MSNIP, Netflow, Netsync, openSAFETY,
OSITP, QUAKEWORLD, Radiotap, RGMP, ROS, RTCP, SIGCOMP, SMB, SoulSeek,
and XOT
This is a HUGE bump, so look at the changelog on the Snort website !
For example, Snort does not natively handle MySQL anymore.
As for the pkgsrc changes :
- updated deps (net/daq) ;
- updated config files ;
- updated MASTER_SITE ;
- some substitution to handle pkgsrc paths ;
- updated compile options.
Enhancements
- Add the 2017 DNSSEC root key
- Add support for RPZ wildcarded target names.
- Speed up RPZ zone loading and add a zoneSizeHint parameter to
rpzFile and rpzMaster for faster reloads
- Make the RPZ summary consistent and log additions/removals at debug
level, not info
- Update Ed25519 algorithm number and mnemonic and hook up to the
Recursor
- Add use-incoming-edns-subnet option to process and pass along ECS
and fix some ECS bugs in the process
- Refuse to start with chroot set in a systemd env
- Handle exceptions raised by closesocket() to prevent process
termination
- Document missing top-pub-queries and top-pub-servfail-queries
commands for rec_control
- IPv6 address for g.root-servers.net added
- Log outgoing queries / incoming responses via protobuf
Bug fixes
- Correctly lowercase the TSIG algorithm name in hash computation
- Clear the RPZ NS IP table when clearing the policy, this prevents
false positives
- Fix cache-only queries against a forward-zone
- Only delegate if NSes are below apex in auth-zones
- Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor
- Make sure labelsToAdd is not empty in getZoneCuts()
- Wait until after daemonizing to start the outgoing protobuf thread,
prevents hangs when the protobuf server is not available
- Ensure (re)priming the root never fails
- Don't age the root, fixes a regression from 3.x
- Fix exception when sending a protobuf message for an empty question
- LuaWrapper: Allow embedded NULs in strings received from Lua
- Fix coredumps on illumos/SmartOS
- StateHolder: Allocate (and copy if needed) before taking the lock
- SuffixMatchNode: Fix insertion issue for an existing node
- Fix negative port detection for IPv6 addresses on 32-bit systems
--- 9.9.10-P1 released ---
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
--- 9.10.5-P1 released ---
4632. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
4631. [security] Some RPZ configurations could go into an infinite
query loop when encountering responses with TTL=0.
(CVE-2017-3140) [RT #45181]
V0.92
added a few arguments to calls added by fmazu. Allows it to compile.
V0.91
only made the tag point to the proper commit. --REW
script now handles that situation (aborted release script) better.
V0.90
only fixed the release script. Should now contain fmaxullo's
patch. --rew
fmazullo (1):
Add AS number to json output
V0.89
only made the tag point to the proper commit. --REW
V0.88
Antonio Querubin (3):
Merge remote-tracking branch 'origin/master' into newdns
Need to error check getnameinfo().
Merge remote-tracking branch 'origin/master' into newdns
David Hill (1):
include <sys/select.h> for fd_set
Jakub Wilk (1):
Fix typos
Joe Bruggeman (2):
Replace all tabs tabs in net.c with spaces
cleanup the if blocks in net.c to improve readability
Jürgen Weigert (1):
Mention + and - keys in the man page
Kacper Michajłow (2):
Relax mtr-packet search rules.
Add missing errno.h include.
Matt Kimball (20):
Added mtr-packet subprocess
test: Fix mtr-packet tests for Python 3
cmdline: multiple host names dropped all but one host (issue #168)
mtr-packet: IPv6 support
mtr-packet: UDP probe support
mtr-packet: packet customization options (size, fill, mark, tos)
mtr-packet: TCP and SCTP probes
mtr-packet: MPLS decoding and local UDP port usage
mtr-packet: allow local address binding
Merge branch mtr-packet into 'master'
mtr-packet: drop capabilities + using BSD's linked lists for probes
build: moved front-end source into ui subdir
build: use AC_CHECK_LIB for ncurses, rather than pkg-tool
mtr-packet: Fall back to IPv4 only support if IPv6 sockets fail to open
build: if linking with ncurses fails, try curses (for NetBSD)
build: Fix Solaris build issues
build: fix compiler warnings when for OpenBSD, NetBSD and Solaris
mtr-packet: Report probe status on host unreachable (Cygwin)
cleanup: Fix #ifdef structure which confuses 'ident'
cleanup: reindented C source with GNU indent
Narthorn (2):
Initialize dns process before opening display
Add displaymode 2 back in
R.E. Wolff (19):
Merge branch 'newdns' of https://github.com/traviscross/mtr into newdns
Merge branch 'newdns'
fixed double printout of start time, issue 131
Updated NEWS as in v0.87.1
format sent and rcvd fields correctly for big numbers #66
increased default unknownhosts #92#132#130 (I give in).
Merge branch 'master' of github.com:traviscross/mtr
fixed no-gtk build bug introduced with e2d898cc
more cleanup
Partial reverse of 6bb5b6b3b.
re-initialize ipinfo_no and -max. Fixes#161.
Merge branch 'master' of github.com:traviscross/mtr
fixed dynamic DNS on/off switch. Fixed#160
header alignment issue found&fixed by meingtsla. Fixes#164
Merge branch 'master' of github.com:traviscross/mtr
asn fix from meingtsla, fixes#163. Pong!
put ifdefs around IPV6 only part. Fixes#184
More whitespace mangling for consistency in net.c
The release script bumped the version number
Roger Wolff (22):
New DNS works for IPV4....
moved towards IPV6 compatibilty...
removed the include mess...
merged antonios's bufsize fixes
Merge branch 'master' of github.com:traviscross/mtr into newdns
AQ: Added include for redhat, and fixed salen for BSD
removed last debug output from dns.c
One more patch to fix a getnameinfo corruption problem. -- AQ
Rogier Wolff (5):
removed AC check for features newdns doesn't use
Fixed pull #133 another way....
fixed#27 and #35 where the fix was tested a long time ago.
fixed#141 compile without SCTP if not available
fixed typo.
Sami Kerola (122):
warnings: remove unnecessary file
usage: add short and long options and descriptions to usage()
warnings: stop variable shadowing
dns: remove unnecessary dns_events() function
posix: replace bzero() and index() with modern equivelants
warnings: stop reassigning a value before the old one has been used
warnings: remove code that cannot be reached
warnings: fix printf data types
cleanup: remove unnecessary null check
build-sys; do not use subdirectory object
man: use url macro to urls and fix reference manual notations
build-sys: default to ,/configure --enable-silent-rules
warnings: do not take abs() when data type is unsigned
warnings: mark unused function input variables
warnings: fix couple unsigned vs signed variable comparisions
warnings: multiply timeval seconds only when the value is small
warnings: fix some missed unsigned vs signed variable comparisions
comment: add value range note to initialization
cast: do not downgrade to float when double should be used
warnings: remove dead code
build-sys: fix make distcheck
build-sys: remove old dist Makefile kludge
build-sys: use build version script from gnulib
build-sys: improve configure.am
build-sys: require automake 1.11.6 or newer
warnings: fix unused variable when ./configure --without-gtk is used
readability: always use EXIT_* definitions from stdlib.h
cleanup: remove unnecessary function
warnigns: add void to functions that do not take any arguments
build-sys: fix --without-ipinfo regressions
build-sys: fix ./configure --disable-ipv6
warnings: fix --disable-ipv6 --without-ipinfo compilation warnings
build-sys: check pkg-config availability
build-sys: use pkg-config to find gtk+-2.0
build-sys: use pkg-config to find ncurses
build-sys: get rid of double negative ipinfo autotools settings
cleanup: remove NO_SPLIT preprocessor check
build-sys: simplify finding resolver library
build-sys: remove unused autoconf check values
cleanup: remove obsolete herror() function
usage: reflect ./configure choices in available command line options
cleanup: remove preprocessor missing functions go-arounds
usage: be careful when parsing numeric user input
usage: use error(3) error-reporting function
cleanup: move max port number to be a define in net.h
build-sys: use system getopt_long() when it is available
build-sys: tell function locality explicitly
portability: fix float max check from values.h
portability: MacOS does not have error() function
portability: fix MacOS libresolv usage
data types: set static strings to be read-only
cleanup: remove redundant redeclaration
data types: move variable declaration from header to .c file
data types: check with smatch everything is in resonable scope
warnings: fix use of uninitialized warning
data types: get rid of all globals that are easy to remove
usability: fix --mark documentation
docs: make manual page versioning automatic
data types: move global data to control structures
data types: make control structure smaller
data types: move rest of the global variables to control structures
crash fix: make --xml not to dump core
warnings: correct function pointer prototype argument
warnings: do not use zero as NULL
warnings: avoid vla when malloc() is more appropriate
usability: print usage() if unknown options are used
cleanup: use definition for a magic value appearing twice in code
cleanup: remove commented out includes in dns.c
cleanup: avoid duplicating stdint.h
cleanup: use ICMP definitions from linux/icmp.h when possible
cleanup: move generic utility functions to a separate file
reliability: ensure string copy results to a null determined string
reliability: further removal of unsave string operation
reliability: always check malloc() return value
reliability: always check strdup() return value
reliability: check writing to stdout and stderr was successful
usability: use ISO-8601 timestamp
posix: do not use time(2) input argument
usability: add bash-completion file
bug fix: long option --gracetime is correct, --graceperiod is not
performance: use fewer printw() calls to center text
cleanup: merge two trim functions to one
crash fix: add ctl structure to gtk Pause_clicked() handler
crash fix: never return const string as address
crash fix: ctl->iiwidth_len was not initialized correctly
cleanup: make unused and const attributes to look the same
performance: make get_iiwidth() to be const function
cleanup: remove more/bottom labels header separation from mpls
cleanup: set variable only if it is used
cleanup: correct display_offset variable usage
cleanup: remove message duplicate
performance: set few variables read-only
docs: add Sami Kerola to authors
performance: make reset in net.c more effective
portability: fix bsd build
warnings: ensure printf will not overflow
misc: improve random initialization
net: fix net_reopen() initialization
warnings: fix warnings when everything possible is turned on
curses: simplify format_number()
curses: use switch case in mtr_curses_keyaction()
cleanup: remove dead code
style: convert c++ comment style to c style
display: avoid unnecessary switch case clauses
curses: convert magic numbers to an enum list
data types: move variables from a file to a function scope
cleanup: move file scope variables to the beginning of file
data types: move names list away from global scope
cleanup: move definitions and struct declarations to mtr.h
cleanup: clarify preprocessor nesting
build-sys: use proper check to find if time_t is defined
build-sys: enable all system extensions
regression: fix --displaymode=2 argument
user interface: do not allow out of range --ipinfo arguments
cleanup: use single logic to handle conditional options
docs: add very basic --sctp documentation to manual page
docs: improve mtr-packet(8) manual page
build-sys: update .gitignore file
smatch: extern keyword is needed only in header
smatch: fix couple warnings
build-sys: update .gitignore file
docs: FSF moved back in 2005
Vlad Glagolev (1):
respect theme foreground color
aquerubin (5):
Correct psize for IPv6.
Merge updates from branch 'master' into newdns
Merge branch 'master' into newdns
Merge branch 'newdns' of https://github.com/aquerubin/mtr into newdns
Fix standard deviation calculation.
Changes in version 0.3.0.8 - 2017-06-08
Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
remotely crash a hidden service with an assertion failure. Anyone
running a hidden service should upgrade to this version, or to some
other version with fixes for TROVE-2017-004 and TROVE-2017-005.
Tor 0.3.0.8 also includes fixes for several key management bugs
that sometimes made relays unreliable, as well as several other
bugfixes described below.
o Major bugfixes (hidden service, relay, security, backport
from 0.3.1.3-alpha):
- Fix a remotely triggerable assertion failure when a hidden service
handles a malformed BEGIN cell. Fixes bug 22493, tracked as
TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
- Fix a remotely triggerable assertion failure caused by receiving a
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
on 0.2.2.1-alpha.
o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
- When performing the v3 link handshake on a TLS connection, report
that we have the x509 certificate that we actually used on that
connection, even if we have changed certificates since that
connection was first opened. Previously, we would claim to have
used our most recent x509 link certificate, which would sometimes
make the link handshake fail. Fixes one case of bug 22460; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
- Regenerate link and authentication certificates whenever the key
that signs them changes; also, regenerate link certificates
whenever the signed key changes. Previously, these processes were
only weakly coupled, and we relays could (for minutes to hours)
wind up with an inconsistent set of keys and certificates, which
other relays would not accept. Fixes two cases of bug 22460;
bugfix on 0.3.0.1-alpha.
- When sending an Ed25519 signing->link certificate in a CERTS cell,
send the certificate that matches the x509 certificate that we
used on the TLS connection. Previously, there was a race condition
if the TLS context rotated after we began the TLS handshake but
before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
- Stop rejecting v3 hidden service descriptors because their size
did not match an old padding rule. Fixes bug 22447; bugfix on
tor-0.3.0.1-alpha.
o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
December 2016 (of which ~126 were still functional) with a list of
151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
2017. Resolves ticket 21564.
o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
- Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
bug 22252; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
- Lower the lifetime of the RSA->Ed25519 cross-certificate to six
months, and regenerate it when it is within one month of expiring.
Previously, we had generated this certificate at startup with a
ten-year lifetime, but that could lead to weird behavior when Tor
was started with a grossly inaccurate clock. Mitigates bug 22466;
mitigation on 0.3.0.1-alpha.
o Minor bugfixes (memory leak, directory authority, backport from
0.3.1.2-alpha):
- When directory authorities reject a router descriptor due to
keypinning, free the router descriptor rather than leaking the
memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
o Integrated all of your service/version detection fingerprints submitted from
September to March (855 of them). The signature count went up 2.9% to 11,418.
We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
o [NSE][GH-266][GH-704][GH-238][GH-883] NSE libraries smb and msrpc now use
fully qualified paths. SMB scripts now work against all modern versions
of Microsoft Windows. [Paulino Calderon]
o [NSE] smb library's share_get_list now properly uses anonymous connections
first before falling back authenticating as a known user.
o New service probes and matches for Apache HBase and Hadoop MapReduce.
[Paulino Calderon]
o Extended Memcached service probe and added match for Apache ZooKeeper.
[Paulino Calderon]
o [NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]
o [NSE][GH-862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because it
was interpreted as a username. [Daniel Miller]
o [NSE] Resolved several issues in the default HTTP redirect rules:
- [GH-826] A redirect is now cancelled if the original URL contains
embedded credentials
- [GH-829] A redirect test is now more careful in determining whether
a redirect destination is related to the original host
- [GH-830] A redirect is now more strict in avoiding possible redirect
loops
[nnposter]
o [NSE][GH-766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]
o [NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]
o [NSE][GH-866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]
o [NSE][GH-844] NSE now correctly parses a Set-Cookie header that has unquoted
whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
o [NSE][GH-731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]
o [NSE][GH-708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]
o [NSE][GH-781] There is a new common function, url.get_default_port(),
to obtain the default port number for a given scheme. [nnposter]
o [NSE][GH-833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]
o No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]
o [NSE][GH-807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]
o [NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to send
data that does not match pattern. A new function in match.lua, pattern_limit,
is introduced to limit the number of bytes consumed while searching for the
pattern. [Daniel Miller, Jacek Wielemborek]
o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
error instead of fatal. This prevents Nmap and Ncat from quitting with
"Strange error from connect:" [Daniel Miller]
o [NSE] Added several commands to redis-info to extract listening addresses,
connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
o [NSE][GH-679][GH-681] Refreshed script http-robtex-reverse-ip, reflecting
changes at the source site (www.robtex.com). [aDoN]
o [NSE][GH-620][GH-715] Added 8 new http-enum fingerprints for Hadoop
infrastructure components. [Thomas Debize, Varunram Ganesh]
o [NSE][GH-629] Added two new fingerprints to http-default-accounts
(APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
o [NSE][GH-716] Fix for oracle-tns-version which was sending an invalid TNS
probe due to a string escaping mixup. [Alexandr Savca]
o [NSE][GH-694] ike-version now outputs information about supported attributes
and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
submitted by Alexis La Goutte. [Daniel Miller]
o [GH-700] Enabled support for TLS SNI on the Windows platform. [nnposter]
o [GH-649] New service probe and match lines for the JMON and RSE services of
IBM Explorer for z/OS. [Soldier of Fortran]
o Removed a duplicate service probe for Memcached added in 2011 (the original
probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
o New service probe and match line for NoMachine NX Server remote desktop.
[Justin Cacak]
o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
was installed to /Applications/Applications/Zenmap.app instead of
/Applications/Zenmap.app.
o [Zenmap][GH-639] Zenmap will no longer crash when no suitable temporary
directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
o [Zenmap][GH-626] Zenmap now properly handles the -v0 (no output) option,
which was added in Nmap 7.10. Previously, this was treated the same as not
specifying -v at all. [lymanZerga11]
o [GH-630] Updated or removed some OpenSSL library calls that were deprecated
in OpenSSL 1.1. [eroen]
o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
o [NSE][GH-627] Fixed script hang in several brute scripts due to the "threads"
script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
Provides telnet client functionality.
This class also has, through delegation, all the methods of a socket object
(by default, a TCPSocket, but can be set by the Proxy option to new()).
This provides methods such as close() to end the session and sysread() to read
data directly from the host, instead of via the waitfor() mechanism.
Note that if you do use sysread() directly when in telnet mode, you should
probably pass the output through preprocess() to extract telnet command
sequences.
pkgsrc changes:
- pull upstream fix for redmine ticket #1031 (twitpic gzipped xfer)
- pull changes to use delayer-deferred 2.0.0 for redmine ticket
#916 (extra follow/follower activities) and
#995 (abnormal cpu load with delayer-deferred 1.1.0)
Upstream changes:
- ruby-gnome2 3.1.6
- subcommands that create spec files don't accept . as a pathname
- free memories on loading images earlier
- avoid to use deprecated Gdk::PixbufLoader
Pkgsrc changes:
===============
* Update dependencies to match requirements.txt
* Adapt to PLIST changes
Upstream changes:
=================
Release 2.1.3
-------------
Features Added:
* Ephemeral config support #707
* Add a srx_cluster_redundancy_group fact. #711
Bugs Fixed:
* ignore_warning fails when single that is first child of . #712
* mode='telnet' did not logout non-cli user #713
* JSONLoadError was thrown when load valid JSON config #717/#718
* Fix XML normalization feature when using NETCONF over console. #719/#720
* Handle differences in |display xml rpc #722
Release 2.1.2
-------------
Bugs Fixed:
* Doc badge was pointing to older version #694
* Fix new-style fact gathering for SRX clusters. #697/#698
* Properly handle SW upgrades on multi-RE and/or multi-chassis
systems when using new-style fact gathering. #700
* Raise JSONLoadError if json config is malformed #706
* Handle ConnectClosedError exception for lock() and unlock() #708
Release 2.1.1
-------------
Bugs Fixed:
* Fix regressions caused by ignore_warning. #691
Release 2.1.0
-------------
Features Added:
* Enhanced fact gathering. Facts are now gathered "on demand."
Additional facts are added.
* The definition of facts and return values are properly documented. #638
* Support for YANG get RPCs. #672
* Add an ignore_warning argument to suppress RpcError exceptions
for warnings. #672/#685
* Enhanced the sw.install() method with basic ISSU and NSSU
support using the issu and nssu
* boolean arguments. #606/#630/#632
* ** NSSU support has not yet been tested and should currently
be considered experimental.
* Provide a master property and a re_name property for Device. #682
* Enhanced reboot() method to take an all_re boolean parameter
which controls if only the connected
* Routing Engine, or all Routing Engines, are rebooted. #613
* Enhanced the warning message produced by the cli() method to
recommend the corresponding
* dev.rpc.<method>() call. #603
* Add support for update parameter to configuration load() method. #681
* Added directory_usage to utils #629/#631/#636
* Adding support for NFX/JDM fact gathering. #652/#659
* Connected property. #664
Bugs Fixed:
* Updated the interface-name glob pattern to correctly match
et-<x>/<y>/<z> interfaces
* in several tables and views. #609
* Take care of special chars on screen during console connection. #610
* Address issue with fact gathering stopping when it encounters
a problem. #615
* Minor typos fixed in RuntimeError exception message and in comments. #621
* Added console_has_banner parameter. #622
* Add CentOS Support to install instructions #623
* Key value is needed in _IsisAdjacencyLogTable #627
* Improved functionality and documentation of Docker build.
#637/#673/#674/#677
* added remote port ID to lldp.yml (OP) #645
* Fix documentation for rollback() #647
* Fix for fact gathering pprint. #660/#661
* update ospf view, add bgp/inventory #665
* Updated doc string for close function #686
* Add Travis builds for Python 3.5 and 3.6 #687
* StartShell.run to take this as None for non returning commands #680
* Modify ignore_warning return value to mimic normal RPC return value. #688
Release 2.0.1
-------------
* StartShell to take timeout (30 second by default) as paramter
* Proper exception handling in case of Console connection #595
* Fix: Config.lock() return exception when normalize is on
* Added microbadge badge for the Docker image #593
* Fix: print dev for Console conn was printing object not Device(....) #591
* Fix: To take care of special chars with StartShell->run function call #589
* Fix: ssh private key file to be considered for scp util #586
* Added Dockerfile to enable automated image builds on project commits #585
Pkgsrc changes:
* Adapt PLIST and patch to README.rst.
Upstream changes:
v0.5.3
- Add notifications support
- Add support for ecdsa keys
- Various bug fixes
Py-scp is a pure python scp module.
The scp.py module uses a paramiko transport to send and recieve
files via the scp1 protocol. This is the protocol as referenced
from the openssh scp program, and has only been tested with this
implementation.
Proxifier is a gem to force ruby to use a proxy.
This gem was created for 2 purposes.
First is to enable ruby programmers to use HTTP or SOCKS proxies
interchangeably when using TCPSockets. Either manually with
Proxifier::Proxy#open or by require "proxifier/env".
The second purpose is to use ruby code that doesn't user proxies for users
that have to use proxies.
The pruby and pirb executables are simple wrappers for their respective ruby
executables that support proxies from environment variables.
## v1.60.1
* DNSSEC validation switched OFF by default (but can still be switched on)
* Add APL RR support (thanks Manabu Sonoda)
* Various test fixes (thanks Keith Bennett)
* 'include' issues fixed (thanks Keith Bennett!)
* Fixnum replacement (thanks Keith Bennett)
* Zone transfer fixes (thanks Manabu Sonoda)
* Name decoding fix
* MX record passing error now raised
* CAA RR support (thanks Richard Luther)
* TLSA RR support (thanks Manabu Sonoda)
## Changes between 2.1.0 and 2.2.0 (unreleased)
### Timestamps are Encoded as 64-bit Unsigned Integers
This is a potentially **breaking change**. It is recommended that
all applications that use this gem and pass date/time values in message
properties or headers are upgraded at the same time.
GitHub issue: [#64](https://github.com/ruby-amqp/amq-protocol/issues/64).
Contributed by Carl Hoerberg.
pkgsrc changes:
removed patches:
patch-bin_afppasswd_afppasswd.c
patch-etc_uams_uams__randnum.c
ee2dee2356
patch-include_atalk_acl.h
d48ecb55ac
regen patch:
patch-config_pam_Makefile.in
changelog(from NEWS):
Changes in 3.1.11
================
* NEW: Global option "zeroconf name", FR#99
* NEW: show Zeroconf support by "netatalk -V", FR#100
* UPD: gentoo: Switch openrc init script to openrc-run, GitHub#77
* FIX: log message: name of function doese not match, GitHub#78
* UPD: volume capacity reporting to match Samba behavior, GitHub#83
* FIX: debian: sysv init status command exits with proper exit code, GitHub#84
* FIX: dsi_stream_read: len:0, unexpected EOF, GitHub#82
* UPD: dhx uams: OpenSSL 1.1 support, GitHub#87
Changes in 3.1.10
================
* FIX: cannot build when ldap is not defined, bug #630
* FIX: SIGHUP can cause core dump when mdns is enabled, bug #72
* FIX: Solaris: stale pid file puts netatalk into maintenance mode, bug #73
* FIX: dsi_stream_read: len:0, unexpected EOF, bug #633
Changes in 3.1.9
================
* FIX: afpd: fix "admin group" option
* NEW: afpd: new options "force user" and "force group"
* FIX: listening on IPv6 wildcard address may fail if IPv6 is
disabled, bug #606
* NEW: LibreSSL support, FR #98
* FIX: cannot build when acl is not defined, bug #574
* UPD: configure option "--with-init-style=" for Gentoo.
"gentoo" is renamed to "gentoo-openrc".
"gentoo-openrc" is same as "openrc".
"gentoo-systemd" is same as "systemd".
* NEW: configure option "--with-dbus-daemon=PATH" for Spotlight feature
* UPD: use "tracker daemon" command instead of "tracker-control" command
if Gnome Tracker is the recent version.
* NEW: configure options "--enable-rpath" and "--disable-rpath" which
can be used to force setting of RPATH (default on Solaris/NetBSD)
or disable it.
* NEW: configure option "--with-tracker-install-prefix" allows setting
an alternate install prefix for tracker when cross-compiling.
* UPD: asip-status.pl: IPv6 support
* UPD: asip-status.pl: show GSS-UAM SPNEGO blob
* FIX: afpd: don't use network IDs without LDAP, bug #621
* FIX: afpd: reading from file may fail, bug #619
* NEW: AFP clients should not be able to copy or manipulate special
extended attributes set by NFS and SMB servers on Solaris, issue #36
* FIX: ad: ad cp may crash, bug #622
* UPD: Update Unicode support to version 9.0.0
Changes in 3.1.8
================
* FIX: CNID/MySQL: Quote UUID table names.
https://sourceforge.net/p/netatalk/bugs/585/
* FIX: Crash in cnid_metad, bug #593
* UPD: Update Unicode support to version 8.0.0
* FIX: larger server side copyfile buffer for improved IO performance,
bug #599
* NEW: afpd: new option "ea = samba". Use Samba vfs_streams_xattr
compatible xattrs which means adding a 0 byte at the end of
xattrs.
* FIX: remove #541 workaround patch. There was this problem with only early
Fedora 20.
* FIX: rpmbuild fails on Fedora x86_64, bug #598
* FIX: Listen on IPv6 wildcard address by default, bug #602
* FIX: FCE protocol version 1 packets, bug #603
* UPD: Update list of BerkeleyDB versions searched at configure time
Generate an error when configured with a CNAME loop,
rather than a crash. Thanks to George Metz for
spotting this problem.
Calculate the length of TFTP error reply packet
correctly. This fixes a problem when the error
message in a TFTP packet exceeds the arbitrary
limit of 500 characters. The message was correctly
truncated, but not the packet length, so
extra data was appended. This is a possible
security risk, since the extra data comes from
a buffer which is also used for DNS, so that
previous DNS queries or replies may be leaked.
Fix logic error in Linux netlink code. This could
cause dnsmasq to enter a tight loop on systems
with a very large number of network interfaces.
Fix problem with --dnssec-timestamp whereby receipt
of SIGHUP would erroneously engage timestamp checking.
Bump zone serial on reloading /etc/hosts and friends
when providing authoritative DNS.
Handle v4-mapped IPv6 addresses sanely in --synth-domain.
These have standard representation like ::ffff:1.2.3.4
and are now converted to names like
<prefix>--ffff-1-2-3-4.<domain>
Handle binding upstream servers to an interface
(--server=1.2.3.4@eth0) when the named interface
is destroyed and recreated in the kernel.
Allow wildcard CNAME records in authoritative zones.
For example --cname=*.example.com,default.example.com
more...
This is a regularly scheduled stable release.
Resolved issues:
#3895: The layout of the global changes dialog is improved
#4123: Running as root or SYSTEM now triggers a warning recommending against it
#4127: Changing the theme no longer causes an HTTP error
#4143: The file paths in the failed files dialog are now correct on Windows
The expected use case for mosh is using ssh for authentication, by just
running "mosh username@host". No need to spawn mosh-server and -client
manually.
Bug Fixes
- rabbitmqctl wait exited with the status code of 0 when node stopped
because it could not contact any cluster peers to [re-]join.
- rabbitmqctl forget_cluster_node used in offline mode could result in
promotion of a node that's no longer a cluster member.
- Queue master locator could not be set using optional queue arguments
(x-arguments).
- CLI tool (e.g. rabbitmqctl) man pages were not rendered correctly.
Enhancements
- Disk space monitor will periodically retry (every 2 minutes by
default, up to 10 times) before going into disabled state as
external tools used to monitor available disk space can fail or
produce unexpected output temporarily.
- Memory relative free disk space limits now support integer values as
well as floats.
Management and Management Agent Plugins
- TLS-related settings in HTTP API listeners could break JSON
serialisation for the GET /api/overview endpoint.
- Non-numerical values for numerical stats are now handled safety by
stats aggregation.
- Stats are no longer emitted for connections that are not considered
to be in the fully initialised state.
- POST requests now instruct clients to close TCP connections.
- In some popular browsers (Chrome, Internet Explorer) a POST request
followed by an immediate GET request would result in a 400 response.
Other browsers do no exhibit this behaviour.
- I/O average time per operation graph didn't match legend.
- Sample retention policies are now validated more strictly to avoid
configurations that are not supported and will lead to exceptions.
- Certain stats for connections were not initialised as numerical
values, which resulted in log noise.
- UI operation for binding deletion did not respect optional (extra)
binding arguments.
- Current virtual host is pre-selected on the "Add/update policy"
form.
MQTT Plugin
- A non-initialized connection (e.g. one that failed early because
client-provided payload wasn't a valid MQTT payload) produced a
crash report log entry during termination.
LDAP Plugin
- Stale connection purging in LDAP connection pool could fail with a
badmatch.
Trust Store Plugin
- Certificate change detection algorithm no longer uses stat(2) on
certificate directory because of its limitations that could lead to
undetected changes in certain scenarios.
Web STOMP Plugin
- The plugin failed to start after being stopped and re-enabled.
- Server-initiated consumer cancellation failed with an exception.
Management Visualiser Plugin
- The plugin wasn't compatible with recent 3.6.x releases.
3.25.2 (2017-04-30)
- SFTP components have been updated and are now based on PuTTY 0.69
- Fixed potential stall during the final listing operation when finishing a queue which contained uploads
3.25.2-rc1 (2017-04-23)
- Fix crash if filters.xml has become corrupted
- Fix FTP proxy support
- Fix sending of FTP keep-alive commands
- MSW: Windows Vista is no longer supported
- MSW: File and directory icons now also appear on systems that have no Windows directory
3.25.1 (2017-03-20)
- OS X: Fixed a crash if connecting to old servers not supporting UTF-8
- Fixed timeout detection
3.25.0 (2017-03-13)
+ OS X: The minimum required OS X version is now 10.9
- OS X: Disable App Nap during transfers and other operations
- OS X: Downloaded updates are now stored in the Downloads directory
- OS X: Fix initial toolbar state on startup if it was hidden when FileZilla was last closed
- Fix reconnect delay logic which broke in 3.25.0-beta1
- Fix piecewise creation of remote paths using FTP which broke in 3.25.0-beta1
3.25.0-rc1 (2017-03-04)
- Fix encryption selection for FTP in the Site Manager which broke in 3.25.0-beta1
- Small changes to error message texts
3.25.0-beta1 (2017-02-24)
+ Major refactoring of the FileZilla internals.
- Scale width of fields in the status line control on high-DPI displays
- Fix duplicate mnemonic in "Files currently being edited" dialog.
0.9.2 (2017-05-25)
+ Added fz::random_bytes to obtain a vector of the passed size of uniformly distributed random bytes
+ Added fz::ltrim and fz::rtim
+ Added parameter to trim functions which characters to trim
+ It is now possible to detach threads from async_task
1.4.1 2017-05-26 13:53 UTC
Changelog:
* Use 8bit instead of latin1 for string length in bytes calculation
* Extend listScripts() so it's possible to get an active script name in one go
* Request #20491: Skip redundant CAPABILITY requests
1.4.0 2017-05-21 06:23 UTC
Changelog:
* Dropped PHP4 support, fixed PHP7 warnings
* Fixed E_DEPRECATED warning on Auth_SASL::factory() call
* Enable later TLS versions
pkgsrc change: set LICENSE to 2-clause-bsd.
1.8.0 2017-04-06 14:16 UTC
Changelog:
* Set minimum PEAR version to 1.10.1
* Change license to BSD-2 Clause
Adds features for Google Cloud Storage.
Changes:
* Loosen requirements for ID field in PROJECT_PRIVATE_RE.
* Populate storage class from HEAD Object responses
Changes since previous version:
* New features:
* Change website URLs from http://mosh.mit.edu to
https://mosh.org. (Keith Winstein)
* Add --no-ssh-pty option for Dropbear compatibility and
other issues.
* Switch to semantic versioning, making this version 1.3.0
instead of 1.2.7.
* Platform support:
* Added nonce-incrementing test. (Keith Winstein)
* Add build-source-package.sh for Debian. (Keith Winstein)
* Fix CPPFLAGS handling possibly causing curses detection
failure. (John Hood)
* Add an Appveyor/Cygwin CI build.
* Improve warning-flags detection for 'make distcheck'. (John Hood)
* Improve robustness of regression tests. (John Hood)
* Support OpenBSD pledge() sandboxing. (John Hood)
* Use backward-compatible name for AES in
AppleCommonCrypto, fixing builds with older OS X SDKs. (John Hood)
* Detect clock_gettime() and CLOCK_MONOTONIC carefully,
fixing OS X 10.12 + Xcode 7.3 builds. (John Hood)
* Support older versions of Perl, back to 5.10, fixing
RHEL 5 builds. (Anders Kaseorg)
* Add a Travis OS X CI and release build. (John Hood)
* Add --help and --version, enabling Automake's
'std-options' checks. (Anders Kaseorg)
* Add a simple smoke test not requiring tmux, to help
validate builds on older platforms including RHEL 5. (Anders Kaseorg)
* Check for presence of clock_gettime() for OS X, where
the symbol may not be resolved on older OS X versions. (John
Hood)
* Fix a memory alignment issue in OCB with ARM/Neon. (Carlos Cabanero)
* Mosh now runs correctly on Bash for Windows with Windows 10
Insider builds 15002 and higher. (No change in Mosh)
* Other minor platform compatibility fixes for Mosh
sources and tests. (John Hood)
* Bug fixes:
* Work around a pty buffering issue causing failed
connections on FreeBSD 11, or with Dropbear. (John Hood)
* Restore '-p 0' option for OS-selected UDP port bindings. (John Hood)
* Shell hygiene fixes, including better quoting of
pathnames. (Anders Kaseorg)
* Fix typos in project docs. (Jakub Wilk)
* Fix excess newlines on mosh client startup/shutdown. (John Hood)
* Exit gracefully, closing session, on pty write or ioctl failure. (John Hood)
* Fix two bugs that caused mosh-server to consume
excessive CPU in certain circumstances. (John Hood)
* Fix bug that caused text copied from mosh-client to
paste as long lines joined by spaces. (John Hood)
* Documentation improvements. (chenxiaoqino, Ashish Gupta)
* Use getuid(), not geteuid(), for correct getpw* lookups. (John Hood)
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.
Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
Pkgsrc changes:
* Adapt PLIST, new .so installed.
Upstream changes:
Changes since 4.6.3:
---------------------
o Volker Lendecke <vl@samba.org>
* BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
share.
Changes since 4.6.2:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
from shares with GlusterFS backend.
o Jeremy Allison <jra@samba.org>
* BUG 12559: Fix for Solaris C compiler.
* BUG 12628: s3: locking: Update oplock optimization for the leases era.
* BUG 12693: Make the Solaris C compiler happy.
* BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the
expected LDAP attributes.
* BUG 12747: Fix buffer overflow caused by wrong use of getgroups.
o Hanno Boeck <hanno@hboeck.de>
* BUG 12746: lib: debug: Avoid negative array access.
* BUG 12748: cleanupdb: Fix a memory read error.
o Ralph Boehme <slow@samba.org>
* BUG 7537: streams_xattr and kernel oplocks results in
NT_STATUS_NETWORK_BUSY.
* BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from
other backends.
* BUG 12565: vfs_fruit: Resource fork open request with
flags=O_CREAT|O_RDONLY.
* BUG 12615: manpages/vfs_fruit: Document global options.
* BUG 12624: lib/pthreadpool: Fix a memory leak.
* BUG 12727: Lookup-domain for well-known SIDs on a DC.
* BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
* BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.
o Alexander Bokovoy <ab@samba.org>
* BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI
use case.
* BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.
o Amitay Isaacs <amitay@gmail.com>
* BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
complete.
* BUG 12723: ctdb_event monitor command crashes if event is not specified.
* BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.
o Volker Lendecke <vl@samba.org>
* BUG 12558: smbd: Fix smb1 findfirst with DFS.
* BUG 12610: smbd: Do an early exit on negprot failure.
* BUG 12699: winbindd: Fix substitution for 'template homedir'.
o Stefan Metzmacher <metze@samba.org>
* BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
* BUG 12613: idmap_autorid: Allocate new domain range if the callers knows
the sid is valid.
* BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
* BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
trusted domain.
* BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again.
o Christof Schmitt <cs@samba.org>
* BUG 12725: winbindd: Fix password policy for pam authentication.
o Andreas Schneider <asn@samba.org>
* BUG 12554: s3:gse: Correctly handle external trusts with MIT.
* BUG 12611: auth/credentials: Always set the realm if we set the principal
from the ccache.
* BUG 12686: replace: Include sysmacros.h.
* BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
* BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
* BUG 12708: winbindd: Child process crashes when kerberos-authenticating
a user with wrong password.
o Uri Simchoni <uri@samba.org>
* BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to
CNID semantics.
* BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
fragmented.
The previous version in pkgsrc had a critical bug where status would not
update and nagios log "wproc: Core Worker seems to be choked". More
details at http://tracker.nagios.org/view.php?id=642
Here is the complete Changelog
4.3.2 - xxxx-xx-xx
------------------
FIXED
* Every 15sec /var/log/messages is flooded with "nagios: set_environment_var" (John Frickson)
* Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
* `make all` fails if unzip is not installed (John Frickson)
* Quick Search no longer allows search by Alias (John Frickson)
* flexible downtime on a service immediately turns off notifications (John Frickson)
* Fix to allow url_encode to be called twice (Z. Liu)
* Update timeperiods.cfg.in (spelling) (Parth Laxmikant Kolekar)
* Spelling fixes (Josh Soref)
* Vent command pipe before remove to avoid deadlocks on writing end (Kai Kunstmann)
* CGI utility cgiutil.c does not process relative config file path names properly (John Frickson)
* xdata/xodtemplate.c bug in option-deprecation code (John Frickson)
* Wildcard searching causes service status links to not work properly (John Frickson)
* Quick search with no hits shows a permission denied error (John Frickson)
* Setting a service as its own parent is not caught by the sanity checker (-v) and causes a segfault (John Frickson)
4.3.1 - 2017-02-23
------------------
FIXES
* Service hard state generation and host hard or soft down status (John Frickson)
* Comments are duplicated through Nagios reload (John Frickson)
* host hourly value is incorrectly dumped as json boolean (John Frickson)
* Bug - Quick Search no longer allows search by IP (John Frickson)
* Config: status_update_interval can not be set to 1 (John Frickson)
* Check attempts not increasing if nagios is reloaded (John Frickson)
* nagios hangs on reload while sending external command to cmd file (John Frickson)
* Feature Request: return code xxx out of bounds - include message as well (John Frickson)
4.3.0 - 2017-02-21
------------------
SECURITY FIXES
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by
default. See the UPGRADING document for how to enable it. (John Frickson)
FIXES
* Fix early event scheduling (pmalek / John Frickson)
* on-demand host checks triggered by service checks cause attempt number increments (fredericve)
* Service notification not being send when host is in soft down state (John Frickson)
* configure does not error if no perl installed on CentOS 7 (John Frickson)
* failed passive requests leave .ok files in checkresults dir (caronc)
* Services don't show in status.cgi if "noheader" specified (John Frickson)
* Standardized check interval config file names (John Frickson)
* "Event Log" (showlog.cgi) could not open log file (John Frickson)
* "nagios_check_command" has been deprecated since v3.0. Last vestiges removed (John Frickson)
ENHANCEMENTS
* Added new flag to cgi.cfg: tac_cgi_hard_only to show only HARD states (John Frickson)
* Add broker-event for the end of a timed event (NEBTYPE_TIMEDEVENT_END) (John Frickson)
* There is no Macro to retrieve addresses of hostgroup members (now $HOSTGROUPMEMBERADDRESSES$) (John Frickson)
* Add "Page Tour" videos to several of the core web pages (John Frickson)
* Added a login page, and a `Logoff` links (John Frickson)
* On the status map, the host name will be colored if services are not all OK. (John Frickson)
* Added "Clear flapping state" command on host and services detail pages. (John Frickson)
* User-entered comment now displays below generated comment for downtime (John Frickson)
4.2.4 - 2016-12-07
------------------
SECURITY FIXES
* Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this
to our attention go to Dawid Golunski (http://legalhackers.com).
4.2.3 - 2016-11-21
-------------------
SECURITY FIXES
* Fixed a root privilege escalation (CVE-2016-8641) (John Frickson)
FIXES
* external command during reload doesn't work (John Frickson)
* Nagios provides no error condition as to why it fails on the verify for serviceescalation (John Frickson)
* No root group in FreeBSD and Apple OS X (John Frickson)
* jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson)
* daemon_dumps_core=1 has no effect on Linux when Nagios started as root (John Frickson)
* Configuration check in hostgroup - misspelled hostname does not error (John Frickson)
* contacts or contact_groups directive with no value should not be allowed (John Frickson)
* Compile 64-bit on SPARC produces LD error (John Frickson)
* HOSTSTATEID returns 0 even if host does not exist (John Frickson)
* Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents (John Frickson)
* nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE) (John Frickson)
* Fix for quick search not showing services if wildcard used (John Frickson)
4.2.2 - 2016-10-24
------------------
SECURITY FIXES
* There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on
August 1, 2016. The fix was apparently incomplete, as there was still a
problem. However, we are now getting all RSS feeds using AJAX calls
instead of the (outdated) MagpieRSS package. Thanks for bringing this to
our attention go to Dawid Golunski (http://legalhackers.com).
ENHANCEMENTS
* Update status.c to display passive check icon for hosts when passive checks
are enabled and actives disabled (John Frickson)
FIXES
* Fix permissions for Host Groups reports (status.cgi) (Patrik Halfar)
* Service Parents does not appear to be functioning as intended (lev)
* Availability report mixes up scheduled and unscheduled warning percentages (Helmut Mikulcik)
* Invalid values for saved_stamp in compute_subject_downtime_times() (John Frickson)
* Remove deprecated "framespacing" (John Frickson)
* The nagios tarball contains two identical jquery copies (John Frickson)
* extinfo.cgi does not set content-type (most cgi's don't) (John Frickson)
* Timeperiods are corrupted by external command CHANGE_SVC_CHECK_TIMEPERIOD (xoubih)
* Quick search doesn't show hosts without services (service status detail page) (John Frickson)
* In host/services details view, if exactly 100 entries would not show last one (John Frickson)
* nagios host URL parameter for NEW map doesn`t work - Network Map for All Hosts (John Frickson)
* next_problem_id is improperly initialized (gherteg)
* Passive problems not showing as "unhandled" (John Frickson)
* September reported as Sept instead of Sep (Rostislav Opočenský)
* Notifications are not sent for active alerts after scheduled downtime ends (John Frickson)
* Nagios 4.2.0 not working on Solaris (John Frickson)
* install-exfoliation and install-classicui don't work FreeBSD and Mac OS X (John Frickson)
* Updated makefile to delete some no-longer-needed files (John Frickson)
4.2.1 - 2016-09-06
------------------
FIXES
* Fix undefined variable php error (John Frickson)
* Links on the sidebar menu under 'Problems' are indented too far (John Frickson)
* Using $ARGn$ Macros in perfdata (John Frickson)
* using a wildcard in search returns service status total all zero's (John Frickson)
* read_only does not take priority (deppy)
* Running nagios -v on 4.2.0 takes 90+ seconds (John Frickson)
* Bare "make" invoked in subtarget (mjo)
* Theme images/stylesheets installed with inconsistent permissions (mjo / John Frickson)
* Missing Image for Host and Service State Trends in Availability Report (nichokap / John Frickson)
* Maintain non-persistent comments through reload (John Frickson)
* Servicegroup availability report ignores includesoftstates in service report links (PriceChild)
* error: format not a string literal and no format arguments (Karsten Weiss)
* Synced config.guess and config.sub with GNU (Zakhar Kleyman)
4.2.0 - 2016-08-01
------------------
SECURITY FIXES
* Fixed vulnerability CVE-2008-4796 (John Frickson)
* Fixed vulnerability CVE-2013-4214 (John Frickson)
* web interface vulnerable to Cross-Site Request Forgery attacks (John Frickson)
ENHANCEMENTS
* Increase socket queue length for listen()
* Added host name to the website page title (leres / John Frickson)
* Added additional icons for NetBSD and SuSE (John Frickson)
* The new Status Map will now use cgi.cfg options (John Frickson)
default_statusmap_layout will default to "6" for the new map
* The new Status Map will now show some valid values in the popup for "Nagios Process" (John Frickson)
FIXES
* Network outage view without access to all hosts (John Frickson)
* Core workers looping (John Frickson)
* service query returns duplicate host_name and description fields in the returned data (John Frickson)
* HTML output of plug-ins is parsed in wrong way => webgui unusable (John Frickson)
* Command worker fails to handle SIGPIPE
* "View Status" links under "Map" broken in Nagios Core Version 4.1.1 (John Frickson)
* Can't send big buffer - wproc: Core Worker seems to be choked (velripn / John Frickson)
* Too big CPU load on FreeBSD and other systems using poll() interface (cejkar)
* Flexible downtime recorded as unscheduled downtime (John Frickson)
* Service Flexible downtimes produce 1 notification before entering (John Frickson)
* Once you "set flap_detection_enabled 0" it should remove flapping state from the host/services page (John Frickson)
* New map doesn't finish loading if a logo image is not found (John Frickson)
* Extraneous Div end tag in map.html (Scott Wilkerson)
* Issue with "Problems" section (John Frickson)
* Status Map icons and online/offline status dots disappear in IE11 (John Frickson)
* New network map overlays the nagios process with objects (John Frickson)
* Added Default-Start and Default-Stop to the init script (John Frickson)
* Compile / logging issues with BSD 6
* Related to above, Fixed a lot of incorrectly handled time_t's in *printf's (John Frickson)
* New map not working for RU locale (actually, most locales) (John Frickson)
* Replaced all instances of signal() with sigaction() + blocking (John Frickson)
* UTF-8 characters like german ä are not processed properly by function url_encode (John Frickson)
* nagios worker processes can hog CPU (huxley / John Frickson)
* custom time periods that include special characters were not being handled in reports (John Frickson)
* Fixed init script to wait up to 90 seconds then kill the nagios process (John Frickson)
* No Host Groups results in wrong error message (John Frickson)
* Setup Nagios users to view specific host is not working in the new network map (John Frickson)
* statusjson.cgi fails glibc realloc truncate response output (John Frickson)
* Report Time Period does not work if an @ character is in the timeperiod name (John Frickson)
* State History does not use actual plugin long_output (John Frickson)
* Time period corruption (xoubih)
* Tactical Overview - Disabled Flap Detection Link (John Frickson)
4.1.1 - 08/19/2015
------------------
FIXES
* CGI Could not read object configuration data (broken by error in 4.1.0)
* exclude (!) not working (broken by mis-applied fix for 4.1.0)
4.1.0 - 08/18/2015
------------------
ENHANCEMENTS
* Promoted JSON CGIs to released status (Eric Stanley)
* New graphical CGI displays: statusmap, trends, histogram (Eric Stanley)
* Make sticky status for acks and comments configurable enhancement #20 (Trevor McDonald / Scott Wilkerson)
* Add host_down_disable_service_checks directive to nagios.cfg #44 (Trevor McDonald / Scott Wilkerson)
* httpd.conf doesn't support Apache versions > 2.3 (DanielB / John Frickson)
FIXES
* Fix for not all service dependencies created (John Frickson)
* Fix SIGSEGV with empty custom variable (orbis / John Frickson)
* Fix contact macros in environment variables (dvoryanchikov)
* Fixed host's current attempt goes to 1 after going to hard state (John Frickson)
* Fixed two bugs/problems: Replace use of %zd in base/utils.c & incorrect va_start() in cgi/jsonutils.c (Peter Eriksson)
* Fixed: Let remove_specialized actually remove all workers (Phil Mayers)
* Fixed log file spam caused when using perfdata command directives in nagios.cfg (shashikanthbussa)
* Fixed off-by-one error in bounds check leads to segfault (Phil Mayers)
* Added links for legacy graphical displays (Eric Stanley)
* Update embedded URL's to https versions of Nagios websites (scottwilkerson)
* Fixed doxygen comments to work with latest doxygen 1.8.9.1 #30 (Trevor McDonald)
* Fixed makefile target "html" to PHONY to fix GitHub issue #28 (Trevor McDonald)
* Fixed typo as per GitHub issue #27 (Trevor McDonald)
* Fixed jsonquery.php 404 not found error, and disabled Send Query button until form populates #43 (Scott Wilkerson)
* Fixed linking in Tactical Overview for several of the Host entries in Featured section #48 (Scott Wilkerson)
* Fixed passing limit and sort options to pagination and sort links #42 (Scott Wilkerson)
* Added form field for icon URL and clean-up when it changes in CGI Status Map. (Eric Stanley)
* Added options to cgi.cfg to uncheck sticky and send when acknowledging a problem (Trevor McDonald)
* Low impact changes to automate the generation of RPMs from nagios.spec file. (T.J. Yang)
* Update index.php (Trevor McDonald)
* Fixed escaping of corewindow parameter to account for possible XSS injection (Scott Wilkerson)
* Typo correction (T.J. Yang)
* Make getCoreStatus respect cgi_base_url (Moritz Schlarb)
* Adjusted map layout to work within frames (Eric Stanley)
* Fixed map displays are now the full size of browser window (Eric Stanley)
* Fixed labels and icons on circular markup no longer scale on zoom (Eric Stanley)
* Got all maps except circular markup working with icons (Eric Stanley)
* Fixes to make legacy CGIs work again. (Eric Stanley)
* Fixes to make all/html target tolerant of being run multiple times (Eric Stanley)
* For user-supplied maps, converted node group to have transform (Eric Stanley)
* Fixed issue transitioning from circular markup map to other maps (Eric Stanley)
* Fix displayForm to trigger on the button press (Scott Wilkerson)
* Fix fo getBBox crash on Firefox (Eric Stanley)
* Fixed map now resets zoom when form apply()'d (Eric Stanley)
* Fixed so close box on dialogs actually closes dialog (Eric Stanley)
* Corrected directive in trends display (Eric Stanley)
* Fixed minor issue with link in trends links (Eric Stanley)
* Fixed issue with map displaying on Firefox (Eric Stanley)
* Added exclusions for ctags generation (Eric Stanley)
* Update map-popup.html (Scott Wilkerson)
* Initial commit of new graphical CGIs (Eric Stanley)
* Fixed Github bug #18 - archivejson.cgi returns wrong host for state change query (Eric Stanley)
* Status JSON: Added next_check to service details (Eric Stanley)
* Fixed escaping of keys for scalar values in JSON CGIs (Eric Stanley)
* build: Include <sys/loadavg.h> if it exists. (Eric J. Mislivec)
* lib-tests: test-io{cache|broker} need -lsocket to link. (Eric J. Mislivec)
* lib-tests: test-runcmd assumes GNU echo. (Eric J. Mislivec)
* lib-tests: Signal handlers don't return int on most platforms, and using a cast was the wrong way to resolve this. (Eric J. Mislivec)
* Fix some type/format mismatch warnings for pid_t. (Eric J. Mislivec)
* Fix build on Solaris. (Eric J. Mislivec)
* runcmd: Fix build when we don't HAVE_SETENV. (Eric J. Mislivec)
* Fixed checkresult output processing (Eric Mislivec)
* Corrected escaping of long output macros (Eric Mislivec)
* Fixed null pointer dereferences in archive JSON (Eric Stanley)
* Fixed memory overwrite issue in JSON string escaping (Eric Stanley)
* JSON CGI: Now escaping object and array keys (Eric Stanley)
KNOWN ISSUES
* New map does not account for multiple parents, leaving "legacy" map as an option in the menu
Changelog:
- Media attached to tweets can be downloaded using Right Click
and selecting "save as"
- Profiles use the profile background color set in the Twitter
settings if no banner is set
- The tweet compose window now features a "favorite image" view that
allows users to save often sent images and quickly add them to tweets
- The media dialog now shows Previous/Next buttons to quickly switch
between multiple media attachments of a tweet>
- The Vine support has been removed since the project is discontinued
- Allow text selection in Direct Messages
- New --account parameter allows opening the window for the given
account only
- Support tweets with up to 50 replied-to users.
- Add back verified icons next to user avatars
- Redesigned account creation UI
- Tons of bug fixes
* fix redirect-gateway behaviour when an IPv4 default route does not exist
* Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
* Check for errors in the return value of GetModuleFileNameW()
* Fix gateway detection with OpenBSD routing domains
RCD_SCRIPT_WRK.<script> was set previously to prevent a name conflict
with ${WRKSRC} because in the past, it defaulted to ${WRKDIR}/<script>.
This has since been changed to default to ${WRKDIR}/.rc.d/<script> to
prevent unintended name collisions, which makes this definition no longer
needed.
Incompatible Changes
- fping and fping6 unification
- Option -n, not the same as -d anymore
- Discarding of late packets
- No restrictions by default
- Default interval (-i) changed from 25ms to 10ms
New features
- Unified 'fping' and 'fping6' into one binary
- Long option names for all options
- IPv6 enabled by default
- New option -4 to force IPv4
- New option -6 to force IPv6
- Keep original name if a hostname is given with -n/--name
- Option -d/--rdns now always does a rdns-lookup, even for names, as '-n' was doing until now
- Enforce -t timeout on reply packets, by discarding late packets
- Auto-adjust timeout for -c/-C/-l mode to value of -p
Bugfixes and other changes
- -i/-p restrictions disabled by default (enable with --enable-safe-limits)
- Default interval -i changed from 25ms to 10ms
- Fix compatibility issue with GNU Hurd
- A C99 compiler is now required
- Option parsing with optparse (https://github.com/skeeto/optparse)
- New changelog file format
Included ucspi-ssl-0.70_ucspitls-0.6.patch (STARTTLS support)
originally designed and provided by Scott Gifford (FEH).
Added Certchain support for sslserver and sslclient (FEH).
Integration and added man-pages (FEH).
Synced with ucspi-tcp6-0.95.
Fixed integration bug in ssl_very.c.
Included patches from Peter Conrad.
Bug fix in sslserver. Several small
corrections.
Fix for large X509 serial numbers on x86 (tx. Peter Conrad).
SAN DNSname has precedence over CN in subject.
Re-edited man pages and rts tests.
Added IPv6 support (tx. to Felix von Leitner and Brandon Turner).
UI: Changed sslserver client cert call from '-i/-I' to '-z/-Z'
for compatibility reasons.
Added '-4/-6' support for client scripts.
Added output environment variables TCP6* for sslserver.
sslperl, sslhandle, and sslprint are not IPv6 ready yet.
Added IPv6 capabilities to sslhandle, sslprint, sslperl.
Changed verification of X.509 certs.
Removed obsolete socket_4 calls in sslserver.
Streamlined code with ucspi-tcp6-1.00.
Supplied new certs with customized SAN.
Make rts working (at least some how).
Added support for personalized client certs.
New option '-m' in sslserver, complementing '-z'.
CCAFILE='-' disables client cert request.
Added verbose log output for SSL connection informations.
Fixed wrongly nested CONNECT error code for sslclient.c
producing wrong warning messages while connecting to
an IPv4 address.
Added call of '-ldl' in ssl.lib.
Mitigation of SSL connection hanging during
coincident change of daylight-saving settings.
Fixed bug in sslserver's dnsip lookup in case of paranoid settings
and additonal existance of IPv6 AAAA records for incoming IPv4 connection.
Serveral fixes from 'troy@' included to cope with compiler errors and
to solve a bug in function getbitasaddress in ip4_bit.c (= ucspi-tcp6-1.02).
Reordered conf-* variables in main dir to allow easier generation of
packages (i.e. RPM). Fixed script to identify different HW architecture
and OS. This version works in 32 bit mode on Raspian Linux / RasPi 7.
Added ECDH capabilites (tx to Frank Bergmann for the patches).
Added compatibility with LibreSSL.
Fixed missing negative return call treatment from 'poll' (tx Frank Bergmann).
Tentative 'emake' fix for Gentoo build.
Added OpenSSL 1.1 tweaks -- works under Debian (9) 'Stretch'.
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
