--------------------------------
Common
~~~~~~
- Fix OpenStack drivers not correctly setting URLs when used with identity API, would default to 127.0.0.1 and service
catalog URLs were not adhered to.
- Fix Aliyun ECS, Load balancer and storage adapters when using unicode UTF-8 characters in the names of resources
in 2.0.0rc2 < it would fail as a MalformedResponseError, Python 2.7 element tree was raising a unicode error
- Refactor the test classes to use the full libcloud.http and libcloud.common.base modules, with Connection,
Response all used with requests_mock. This increases our test coverages and catches bugs in drivers' custom
parse_body and auth modules
- Rename libcloud.httplib_ssl to libcloud.http now that we don't use httplib
* Default to use VLANID>0 for IAID instead of MAC address
* BSD: Add support for RTA_LABEL
* Stop sharing the DHCPv6 port in master mode with other processes
* Fix some prefix delegation issues when the carrier drops or
addresses become stale
* Fix a crash when starting dhcpcd with -n
* Fix test for preferring a fake lease over a real one
* Show to real address lifetimes being added when adding IPv6
addresses
* Install dhcpcd-definitions.conf to the correct directory
* Restore the -G, --nogateway option
2017-04-26 Dustin Lundquist <dustin@null-ptr.net>
0.5.0 Release
* Transparent proxy support
* Use accept4() on Linix
* Run as group specified in config
Changelog:
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.
Changes in version 0.3.0.6 - 2017-04-26
Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
With the 0.3.0 series, clients and relays now use Ed25519 keys to
authenticate their link connections to relays, rather than the old
RSA1024 keys that they used before. (Circuit crypto has been
Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
the guard selection and replacement algorithm to behave more robustly
in the presence of unreliable networks, and to resist guard-
capture attacks.
This series also includes numerous other small features and bugfixes,
along with more groundwork for the upcoming hidden-services revamp.
Per our stable release policy, we plan to support the Tor 0.3.0
release series for at least the next nine months, or for three months
after the first stable release of the 0.3.1 series: whichever is
longer. If you need a release with long-term support, we recommend
that you stay with the 0.2.9 series.
Below are the changes since 0.2.9.10. For a list of only the changes
since 0.3.0.5-rc, see the ChangeLog file.
o Major features (directory authority, security):
- The default for AuthDirPinKeys is now 1: directory authorities
will reject relays where the RSA identity key matches a previously
seen value, but the Ed25519 key has changed. Closes ticket 18319.
o Major features (guard selection algorithm):
- Tor's guard selection algorithm has been redesigned from the
ground up, to better support unreliable networks and restrictive
sets of entry nodes, and to better resist guard-capture attacks by
hostile local networks. Implements proposal 271; closes
ticket 19877.
o Major features (next-generation hidden services):
- Relays can now handle v3 ESTABLISH_INTRO cells as specified by
prop224 aka "Next Generation Hidden Services". Service and clients
don't use this functionality yet. Closes ticket 19043. Based on
initial code by Alec Heifetz.
- Relays now support the HSDir version 3 protocol, so that they can
can store and serve v3 descriptors. This is part of the next-
generation onion service work detailled in proposal 224. Closes
ticket 17238.
o Major features (protocol, ed25519 identity keys):
- Clients now support including Ed25519 identity keys in the EXTEND2
cells they generate. By default, this is controlled by a consensus
parameter, currently disabled. You can turn this feature on for
testing by setting ExtendByEd25519ID in your configuration. This
might make your traffic appear different than the traffic
generated by other users, however. Implements part of ticket
15056; part of proposal 220.
- Relays now understand requests to extend to other relays by their
Ed25519 identity keys. When an Ed25519 identity key is included in
an EXTEND2 cell, the relay will only extend the circuit if the
other relay can prove ownership of that identity. Implements part
of ticket 15056; part of proposal 220.
- Relays now use Ed25519 to prove their Ed25519 identities and to
one another, and to clients. This algorithm is faster and more
secure than the RSA-based handshake we've been doing until now.
Implements the second big part of proposal 220; Closes
ticket 15055.
o Major features (security):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
Feamster. Now relays only return one of two possible DNS TTL
values, and clients are willing to believe DNS TTL values up to 3
hours long. Closes ticket 19769.
o Major bugfixes (client, onion service, also in 0.2.9.9):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Major bugfixes (crash, directory connections):
- Fix a rare crash when sending a begin cell on a circuit whose
linked directory connection had already been closed. Fixes bug
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
o Major bugfixes (directory authority):
- During voting, when marking a relay as a probable sybil, do not
clear its BadExit flag: sybils can still be bad in other ways
too. (We still clear the other flags.) Fixes bug 21108; bugfix
on 0.2.0.13-alpha.
o Major bugfixes (DNS):
- Fix a bug that prevented exit nodes from caching DNS records for
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
o Major bugfixes (IPv6 Exits):
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
any IPv6 addresses. Instead, only reject a port over IPv6 if the
exit policy rejects that port on more than an IPv6 /16 of
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
which rejected a relay's own IPv6 address by default. Fixes bug
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
o Major bugfixes (parsing):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
- When parsing a malformed content-length field from an HTTP
message, do not read off the end of the buffer. This bug was a
potential remote denial-of-service attack against Tor clients and
relays. A workaround was released in October 2016, to prevent this
bug from crashing Tor. This is a fix for the underlying issue,
which should no longer matter (if you applied the earlier patch).
Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
using AFL (http://lcamtuf.coredump.cx/afl/).
o Major bugfixes (scheduler):
- Actually compare circuit policies in ewma_cmp_cmux(). This bug
caused the channel scheduler to behave more or less randomly,
rather than preferring channels with higher-priority circuits.
Fixes bug 20459; bugfix on 0.2.6.2-alpha.
o Major bugfixes (security, also in 0.2.9.9):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes--and having it
on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Minor feature (client):
- Enable IPv6 traffic on the SocksPort by default. To disable this,
a user will have to specify "NoIPv6Traffic". Closes ticket 21269.
o Minor feature (fallback scripts):
- Add a check_existing mode to updateFallbackDirs.py, which checks
if fallbacks in the hard-coded list are working. Closes ticket
20174. Patch by haxxpop.
o Minor feature (protocol versioning):
- Add new protocol version for proposal 224. HSIntro now advertises
version "3-4" and HSDir version "1-2". Fixes ticket 20656.
o Minor features (ciphersuite selection):
- Allow relays to accept a wider range of ciphersuites, including
chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
- Clients now advertise a list of ciphersuites closer to the ones
preferred by Firefox. Closes part of ticket 15426.
o Minor features (controller):
- Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
shared-random values to the controller. Closes ticket 19925.
- When HSFETCH arguments cannot be parsed, say "Invalid argument"
rather than "unrecognized." Closes ticket 20389; patch from
Ivan Markin.
o Minor features (controller, configuration):
- Each of the *Port options, such as SocksPort, ORPort, ControlPort,
and so on, now comes with a __*Port variant that will not be saved
to the torrc file by the controller's SAVECONF command. This
change allows TorBrowser to set up a single-use domain socket for
each time it launches Tor. Closes ticket 20956.
- The GETCONF command can now query options that may only be
meaningful in context-sensitive lists. This allows the controller
to query the mixed SocksPort/__SocksPort style options introduced
in feature 20956. Implements ticket 21300.
o Minor features (diagnostic, directory client):
- Warn when we find an unexpected inconsistency in directory
download status objects. Prevents some negative consequences of
bug 20593.
o Minor features (directory authorities):
- Directory authorities now reject descriptors that claim to be
malformed versions of Tor. Helps prevent exploitation of
bug 21278.
- Reject version numbers with components that exceed INT32_MAX.
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
Fixes bug 21450; bugfix on 0.0.8pre1.
o Minor features (directory authority):
- Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
default) to control whether authorities should try to probe relays
by their Ed25519 link keys. This option will go away in a few
releases--unless we encounter major trouble in our ed25519 link
protocol rollout, in which case it will serve as a safety option.
o Minor features (directory cache):
- Relays and bridges will now refuse to serve the consensus they
have if they know it is too old for a client to use. Closes
ticket 20511.
o Minor features (ed25519 link handshake):
- Advertise support for the ed25519 link handshake using the
subprotocol-versions mechanism, so that clients can tell which
relays can identity themselves by Ed25519 ID. Closes ticket 20552.
o Minor features (entry guards):
- Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
break regression tests.
- Require UseEntryGuards when UseBridges is set, in order to make
sure bridges aren't bypassed. Resolves ticket 20502.
o Minor features (fallback directories):
- Allow 3 fallback relays per operator, which is safe now that we
are choosing 200 fallback relays. Closes ticket 20912.
- Annotate updateFallbackDirs.py with the bandwidth and consensus
weight for each candidate fallback. Closes ticket 20878.
- Display the relay fingerprint when downloading consensuses from
fallbacks. Closes ticket 20908.
- Exclude relays affected by bug 20499 from the fallback list.
Exclude relays from the fallback list if they are running versions
known to be affected by bug 20499, or if in our tests they deliver
a stale consensus (i.e. one that expired more than 24 hours ago).
Closes ticket 20539.
- Make it easier to change the output sort order of fallbacks.
Closes ticket 20822.
- Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
ticket 18828.
- Require fallback directories to have the same address and port for
7 days (now that we have enough relays with this stability).
Relays whose OnionOO stability timer is reset on restart by bug
18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
this issue. Closes ticket 20880; maintains short-term fix
in 0.2.8.2-alpha.
- Require fallbacks to have flags for 90% of the time (weighted
decaying average), rather than 95%. This allows at least 73% of
clients to bootstrap in the first 5 seconds without contacting an
authority. Part of ticket 18828.
- Select 200 fallback directories for each release. Closes
ticket 20881.
o Minor features (fingerprinting resistence, authentication):
- Extend the length of RSA keys used for TLS link authentication to
2048 bits. (These weren't used for forward secrecy; for forward
secrecy, we used P256.) Closes ticket 13752.
o Minor features (geoip):
- Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
Country database.
o Minor features (geoip, also in 0.2.9.9):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor features (infrastructure):
- Implement smartlist_add_strdup() function. Replaces the use of
smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
o Minor features (linting):
- Enhance the changes file linter to warn on Tor versions that are
prefixed with "tor-". Closes ticket 21096.
o Minor features (logging):
- In several places, describe unset ed25519 keys as "<unset>",
rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
o Minor features (portability, compilation):
- Autoconf now checks to determine if OpenSSL structures are opaque,
instead of explicitly checking for OpenSSL version numbers. Part
of ticket 21359.
- Support building with recent LibreSSL code that uses opaque
structures. Closes ticket 21359.
o Minor features (relay):
- We now allow separation of exit and relay traffic to different
source IP addresses, using the OutboundBindAddressExit and
OutboundBindAddressOR options respectively. Closes ticket 17975.
Written by Michael Sonntag.
o Minor features (reliability, crash):
- Try better to detect problems in buffers where they might grow (or
think they have grown) over 2 GB in size. Diagnostic for
bug 21369.
o Minor features (testing):
- During 'make test-network-all', if tor logs any warnings, ask
chutney to output them. Requires a recent version of chutney with
the 21572 patch. Implements 21570.
o Minor bugfix (control protocol):
- The reply to a "GETINFO config/names" request via the control
protocol now spells the type "Dependent" correctly. This is a
breaking change in the control protocol. (The field seems to be
ignored by the most common known controllers.) Fixes bug 18146;
bugfix on 0.1.1.4-alpha.
- The GETINFO extra-info/digest/<digest> command was broken because
of a wrong base16 decode return value check, introduced when
refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
o Minor bugfix (logging):
- Don't recommend the use of Tor2web in non-anonymous mode.
Recommending Tor2web is a bad idea because the client loses all
anonymity. Tor2web should only be used in specific cases by users
who *know* and understand the issues. Fixes bug 21294; bugfix
on 0.2.9.3-alpha.
o Minor bugfixes (bug resilience):
- Fix an unreachable size_t overflow in base64_decode(). Fixes bug
19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
Hans Jerry Illikainen.
o Minor bugfixes (build):
- Replace obsolete Autoconf macros with their modern equivalent and
prevent similar issues in the future. Fixes bug 20990; bugfix
on 0.1.0.1-rc.
o Minor bugfixes (certificate expiration time):
- Avoid using link certificates that don't become valid till some
time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha
o Minor bugfixes (client):
- Always recover from failures in extend_info_from_node(), in an
attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
bugfix on 0.2.3.1-alpha.
- When clients that use bridges start up with a cached consensus on
disk, they were ignoring it and downloading a new one. Now they
use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
o Minor bugfixes (code correctness):
- Repair a couple of (unreachable or harmless) cases of the risky
comparison-by-subtraction pattern that caused bug 21278.
o Minor bugfixes (config):
- Don't assert on startup when trying to get the options list and
LearnCircuitBuildTimeout is set to 0: we are currently parsing the
options so of course they aren't ready yet. Fixes bug 21062;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (configuration):
- Accept non-space whitespace characters after the severity level in
the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
- Support "TByte" and "TBytes" units in options given in bytes.
"TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
o Minor bugfixes (configure, autoconf):
- Rename the configure option --enable-expensive-hardening to
--enable-fragile-hardening. Expensive hardening makes the tor
daemon abort when some kinds of issues are detected. Thus, it
makes tor more at risk of remote crashes but safer against RCE or
heartbleed bug category. We now try to explain this issue in a
message from the configure script. Fixes bug 21290; bugfix
on 0.2.5.4-alpha.
o Minor bugfixes (consensus weight):
- Add new consensus method that initializes bw weights to 1 instead
of 0. This prevents a zero weight from making it all the way to
the end (happens in small testing networks) and causing an error.
Fixes bug 14881; bugfix on 0.2.2.17-alpha.
o Minor bugfixes (crash prevention):
- Fix an (currently untriggerable, but potentially dangerous) crash
bug when base32-encoding inputs whose sizes are not a multiple of
5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (dead code):
- Remove a redundant check for PidFile changes at runtime in
options_transition_allowed(): this check is already performed
regardless of whether the sandbox is active. Fixes bug 21123;
bugfix on 0.2.5.4-alpha.
o Minor bugfixes (descriptors):
- Correctly recognise downloaded full descriptors as valid, even
when using microdescriptors as circuits. This affects clients with
FetchUselessDescriptors set, and may affect directory authorities.
Fixes bug 20839; bugfix on 0.2.3.2-alpha.
o Minor bugfixes (directory mirrors):
- Allow relays to use directory mirrors without a DirPort: these
relays need to be contacted over their ORPorts using a begindir
connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
- Clarify the message logged when a remote relay is unexpectedly
missing an ORPort or DirPort: users were confusing this with a
local port. Fixes another case of bug 20711; bugfix
on 0.2.8.2-alpha.
o Minor bugfixes (directory system):
- Bridges and relays now use microdescriptors (like clients do)
rather than old-style router descriptors. Now bridges will blend
in with clients in terms of the circuits they build. Fixes bug
6769; bugfix on 0.2.3.2-alpha.
- Download all consensus flavors, descriptors, and authority
certificates when FetchUselessDescriptors is set, regardless of
whether tor is a directory cache or not. Fixes bug 20667; bugfix
on all recent tor versions.
o Minor bugfixes (documentation):
- Update the tor manual page to document every option that can not
be changed while tor is running. Fixes bug 21122.
o Minor bugfixes (ed25519 certificates):
- Correctly interpret ed25519 certificates that would expire some
time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (fallback directories):
- Avoid checking fallback candidates' DirPorts if they are down in
OnionOO. When a relay operator has multiple relays, this
prioritizes relays that are up over relays that are down. Fixes
bug 20926; bugfix on 0.2.8.3-alpha.
- Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
Fixes bug 20877; bugfix on 0.2.8.3-alpha.
- Stop failing when a relay has no uptime data in
updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (hidden service):
- Clean up the code for expiring intro points with no associated
circuits. It was causing, rarely, a service with some expiring
introduction points to not open enough additional introduction
points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
- Resolve two possible underflows which could lead to creating and
closing a lot of introduction point circuits in a non-stop loop.
Fixes bug 21302; bugfix on 0.2.7.2-alpha.
- Stop setting the torrc option HiddenServiceStatistics to "0" just
because we're not a bridge or relay. Instead, we preserve whatever
value the user set (or didn't set). Fixes bug 21150; bugfix
on 0.2.6.2-alpha.
o Minor bugfixes (hidden services):
- Make hidden services check for failed intro point connections,
even when they have exceeded their intro point creation limit.
Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
- Make hidden services with 8 to 10 introduction points check for
failed circuits immediately after startup. Previously, they would
wait for 5 minutes before performing their first checks. Fixes bug
21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
- Stop ignoring misconfigured hidden services. Instead, refuse to
start tor until the misconfigurations have been corrected. Fixes
bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
and earlier.
o Minor bugfixes (IPv6):
- Make IPv6-using clients try harder to find an IPv6 directory
server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
- When IPv6 addresses have not been downloaded yet (microdesc
consensus documents don't list relay IPv6 addresses), use hard-
coded addresses for authorities, fallbacks, and configured
bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
o Minor bugfixes (memory leak at exit):
- Fix a small harmless memory leak at exit of the previously unused
RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
on 0.2.7.2-alpha.
o Minor bugfixes (onion services):
- Allow the number of introduction points to be as low as 0, rather
than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (portability):
- Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
It is supported by OpenBSD itself, and also by most OpenBSD
variants (such as Bitrig). Fixes bug 20980; bugfix
on 0.1.2.1-alpha.
o Minor bugfixes (portability, also in 0.2.9.9):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (relay):
- Avoid a double-marked-circuit warning that could happen when we
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
on 0.1.0.1-rc.
- Honor DataDirectoryGroupReadable when tor is a relay. Previously,
initializing the keys would reset the DataDirectory to 0700
instead of 0750 even if DataDirectoryGroupReadable was set to 1.
Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
o Minor bugfixes (testing):
- Fix Raspbian build issues related to missing socket errno in
test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein".
- Remove undefined behavior from the backtrace generator by removing
its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
- Use bash in src/test/test-network.sh. This ensures we reliably
call chutney's newer tools/test-network.sh when available. Fixes
bug 21562; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (tor-resolve):
- The tor-resolve command line tool now rejects hostnames over 255
characters in length. Previously, it would silently truncate them,
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
Patch by "junglefowl".
o Minor bugfixes (unit tests):
- Allow the unit tests to pass even when DNS lookups of bogus
addresses do not fail as expected. Fixes bug 20862 and 20863;
bugfix on unit tests introduced in 0.2.8.1-alpha
through 0.2.9.4-alpha.
o Minor bugfixes (util):
- When finishing writing a file to disk, if we were about to replace
the file with the temporary file created before and we fail to
replace it, remove the temporary file so it doesn't stay on disk.
Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk.
o Minor bugfixes (Windows services):
- Be sure to initialize the monotonic time subsystem before using
it, even when running as an NT service. Fixes bug 21356; bugfix
on 0.2.9.1-alpha.
o Minor bugfixes (Windows):
- Check for getpagesize before using it to mmap files. This fixes
compilation in some MinGW environments. Fixes bug 20530; bugfix on
0.1.2.1-alpha. Reported by "ice".
o Code simplification and refactoring:
- Abolish all global guard context in entrynodes.c; replace with new
guard_selection_t structure as preparation for proposal 271.
Closes ticket 19858.
- Extract magic numbers in circuituse.c into defined variables.
- Introduce rend_service_is_ephemeral() that tells if given onion
service is ephemeral. Replace unclear NULL-checkings for service
directory with this function. Closes ticket 20526.
- Refactor circuit_is_available_for_use to remove unnecessary check.
- Refactor circuit_predict_and_launch_new for readability and
testability. Closes ticket 18873.
- Refactor code to manipulate global_origin_circuit_list into
separate functions. Closes ticket 20921.
- Refactor large if statement in purpose_needs_anonymity to use
switch statement instead. Closes part of ticket 20077.
- Refactor the hashing API to return negative values for errors, as
is done as throughout the codebase. Closes ticket 20717.
- Remove data structures that were used to index or_connection
objects by their RSA identity digests. These structures are fully
redundant with the similar structures used in the
channel abstraction.
- Remove duplicate code in the channel_write_*cell() functions.
Closes ticket 13827; patch from Pingl.
- Remove redundant behavior of is_sensitive_dir_purpose, refactor to
use only purpose_needs_anonymity. Closes part of ticket 20077.
- The code to generate and parse EXTEND and EXTEND2 cells has been
replaced with code automatically generated by the
"trunnel" utility.
o Documentation (formatting):
- Clean up formatting of tor.1 man page and HTML doc, where <pre>
blocks were incorrectly appearing. Closes ticket 20885.
o Documentation (man page):
- Clarify many options in tor.1 and add some min/max values for
HiddenService options. Closes ticket 21058.
o Documentation:
- Change '1' to 'weight_scale' in consensus bw weights calculation
comments, as that is reality. Closes ticket 20273. Patch
from pastly.
- Clarify that when ClientRejectInternalAddresses is enabled (which
is the default), multicast DNS hostnames for machines on the local
network (of the form *.local) are also rejected. Closes
ticket 17070.
- Correct the value for AuthDirGuardBWGuarantee in the manpage, from
250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha.
- Include the "TBits" unit in Tor's man page. Fixes part of bug
20622; bugfix on 0.2.5.1-alpha.
- Small fixes to the fuzzing documentation. Closes ticket 21472.
- Stop the man page from incorrectly stating that HiddenServiceDir
must already exist. Fixes 20486.
- Update the description of the directory server options in the
manual page, to clarify that a relay no longer needs to set
DirPort in order to be a directory cache. Closes ticket 21720.
o Removed features:
- The AuthDirMaxServersPerAuthAddr option no longer exists: The same
limit for relays running on a single IP applies to authority IP
addresses as well as to non-authority IP addresses. Closes
ticket 20960.
- The UseDirectoryGuards torrc option no longer exists: all users
that use entry guards will also use directory guards. Related to
proposal 271; implements part of ticket 20831.
o Testing:
- Add tests for networkstatus_compute_bw_weights_v10.
- Add unit tests circuit_predict_and_launch_new.
- Extract dummy_origin_circuit_new so it can be used by other
test functions.
- New unit tests for tor_htonll(). Closes ticket 19563. Patch
from "overcaffeinated".
- Perform the coding style checks when running the tests and fail
when coding style violations are found. Closes ticket 5500.
Changes:
version 2017.05.01
Core
+ [extractor/common] Extract view count from JSON-LD
* [utils] Improve unified_timestamp
+ [utils] Add video/mp2t to mimetype2ext
* [downloader/external] Properly handle live stream downloading cancellation
(#8932)
+ [utils] Add support for unicode whitespace in clean_html on python 2 (#12906)
Extractors
* [infoq] Make audio format extraction non fatal (#12938)
* [brightcove] Allow whitespace around attribute names in embedded code
+ [zaq1] Add support for zaq1.pl (#12693)
+ [xvideos] Extract duration (#12828)
* [vevo] Fix extraction (#12879)
+ [noovo] Add support for noovo.ca (#12792)
+ [washingtonpost] Add support for embeds (#12699)
* [yandexmusic:playlist] Fix extraction for python 3 (#12888)
* [anvato] Improve extraction (#12913)
* Promote to regular shortcut based extractor
* Add mcp to access key mapping table
* Add support for embeds extraction
* Add support for anvato embeds in generic extractor
* [xtube] Fix extraction for older FLV videos (#12734)
* [tvplayer] Fix extraction (#12908)
version 2017.04.28
Core
+ [adobepass] Use geo verification headers for all requests
- [downloader/fragment] Remove assert for resume_len when no fragments
downloaded
+ [extractor/common] Add manifest_url for explicit group rendition formats
* [extractor/common] Fix manifest_url for m3u8 formats
- [extractor/common] Don't list master m3u8 playlists in format list (#12832)
Extractor
* [aenetworks] Fix extraction for shows with single season
+ [go] Add support for Disney, DisneyJunior and DisneyXD show pages
* [youtube] Recognize new locale-based player URLs (#12885)
+ [streamable] Add support for new embedded URL schema (#12844)
* [arte:+7] Relax URL regular expression (#12837)
Changes:
version 2017.04.26
Core
* Introduce --keep-fragments for keeping fragments of fragmented download
on disk after download is finished
* [YoutubeDL] Fix output template for missing timestamp (#12796)
* [socks] Handle cases where credentials are required but missing
* [extractor/common] Improve HLS extraction (#12211)
- Extract m3u8 parsing to separate method
- Improve rendition groups extraction
- Build stream name according stream GROUP-ID
- Ignore reference to AUDIO group without URI when stream has no CODECS
- Use float for scaled tbr in _parse_m3u8_formats
* [utils] Add support for TTML styles in dfxp2srt
* [downloader/hls] No need to download keys for fragments that have been
already downloaded
* [downloader/fragment] Improve fragment downloading
- Resume immediately
- Don't concatenate fragments and decrypt them on every resume
- Optimize disk storage usage, don't store intermediate fragments on disk
- Store bookkeeping download state file
+ [extractor/common] Add support for multiple getters in try_get
+ [extractor/common] Add support for video of WebPage context in _json_ld
(#12778)
+ [extractor/common] Relax JWPlayer regular expression and remove
duplicate URLs (#12768)
Extractors
* [iqiyi] Fix extraction of Yule videos
* [vidio] Improve extraction and sort formats
+ [brightcove] Match only video elements with data-video-id attribute
* [iqiyi] Fix playlist detection (#12504)
- [azubu] Remove extractor (#12813)
* [porn91] Fix extraction (#12814)
* [vidzi] Fix extraction (#12793)
+ [amp] Extract error message (#12795)
+ [xfileshare] Add support for gorillavid.com and daclips.com (#12776)
* [instagram] Fix extraction (#12777)
+ [generic] Support Brightcove videos in <iframe> (#12482)
+ [brightcove] Support URLs with bcpid instead of playerID (#12482)
* [brightcove] Fix _extract_url (#12782)
+ [odnoklassniki] Extract HLS formats
version 2017.04.17
Extractors
* [limelight] Improve extraction LimelightEmbeddedPlayerFlash media embeds and
add support for channel and channelList embeds
* [generic] Extract multiple Limelight embeds (#12761)
+ [itv] Extract series metadata
* [itv] Fix RTMP formats downloading (#12759)
* [itv] Use native HLS downloader by default
+ [go90] Extract subtitles (#12752)
+ [go90] Extract series metadata (#12752)
version 2017.04.16
Core
* [YoutubeDL] Apply expand_path after output template substitution
+ [YoutubeDL] Propagate overridden meta fields to extraction results of type
url (#11163)
Extractors
+ [generic] Extract RSS entries as url_transparent (#11163)
+ [streamango] Add support for streamango.com (#12643)
+ [wsj:article] Add support for articles (#12558)
* [brightcove] Relax video tag embeds extraction and validate ambiguous embeds'
URLs (#9163, #12005, #12178, #12480)
+ [udemy] Add support for react rendition (#12744)
version 2017.04.15
Extractors
* [youku] Fix fileid extraction (#12741, #12743)
version 2017.04.14
Core
+ [downloader/hls] Add basic support for EXT-X-BYTERANGE tag (#10955)
+ [adobepass] Improve Comcast and Verison login code (#10803)
+ [adobepass] Add support for Verizon (#10803)
Extractors
+ [aenetworks] Add support for specials (#12723)
+ [hbo] Extract HLS formats
+ [go90] Add support for go90.com (#10127)
+ [tv2hu] Add support for tv2.hu (#10509)
+ [generic] Exclude URLs with xml ext from valid video URLs (#10768, #11654)
* [youtube] Improve HLS formats extraction
* [afreecatv] Fix extraction for videos with different key layout (#12718)
- [youtube] Remove explicit preference for audio-only and video-only formats in
order not to break sorting when new formats appear
* [canalplus] Bypass geo restriction
version 2017.04.11
Extractors
* [afreecatv] Fix extraction (#12706)
+ [generic] Add support for <object> YouTube embeds (#12637)
* [bbccouk] Treat bitrate as audio+video bitrate in media selector
+ [bbccouk] Skip unrecognized formats in media selector (#12701)
+ [bbccouk] Add support for https protocol in media selector (#12701)
* [curiositystream] Fix extraction (#12638)
* [adn] Update subtitle decryption key
* [chaturbate] Fix extraction (#12665, #12688, #12690)
This is a regularly scheduled stable release.
Resolved issues since v0.14.26:
#219: Devices can now have a list of allowed subnets (advanced config)
#234: The transfer rate units can now be changed by clicking on the value
#1819: UI text explaining "Introducer" is improved
#2267: Advanced config editor can now edit lists of things
#2519: Directories created for new folders now obey the user umask setting (on Unixes)
#4053: Incoming index updates are consistency checked better
This is a regularly scheduled stable release.
Resolved issues since v0.14.25:
#4035: Symlinks are now properly ignored on Windows.
#2344: Discovery errors are more clearly displayed in the GUI.
#3913: The language dropdown menu in the GUI is now correctly sorted.
Also:
When there are items that could not be synced, their full path is displayed in the GUI.
Changes:
15 March 2017: mitmproxy 2.0.1
* bump cryptography dependency
* bump pyparsing dependency
* HTTP/2: use header normalization from hyper-h2
21 February 2017: mitmproxy 2.0
* HTTP/2 is now enabled by default.
* Image ContentView: Parse images with Kaitai Struct (kaitai.io) instead of Pillow.
This simplifies installation, reduces binary size, and allows parsing in pure Python.
* Web: Add missing flow filters.
* Add transparent proxy support for OpenBSD.
* Check the mitmproxy CA for expiration and warn the user to regenerate it if necessary.
* Testing: Tremendous improvements, enforced 100% coverage for large parts of the
codebase, increased overall coverage.
* Enforce individual coverage: one source file -> one test file with 100% coverage.
* A myriad of other small improvements throughout the project.
* Numerous bugfixes.
26 December 2016: mitmproxy 1.0
* All mitmproxy tools are now Python 3 only! We plan to support Python 3.5 and higher.
* Web-Based User Interface: Mitmproxy now offically has a web-based user interface
called mitmweb. We consider it stable for all features currently exposed
in the UI, but it still misses a lot of mitmproxy’s options.
* Windows Compatibility: With mitmweb, mitmproxy is now useable on Windows.
We are also introducing an installer (kindly sponsored by BitRock) that
simplifies setup.
* Configuration: The config file format is now a single YAML file. In most cases,
converting to the new format should be trivial - please see the docs for
more information.
* Console: Significant UI improvements - including sorting of flows by
size, type and url, status bar improvements, much faster indentation for
HTTP views, and more.
* HTTP/2: Significant improvements, but is temporarily disabled by default
due to wide-spread protocol implementation errors on some large website
* WebSocket: The protocol implementation is now mature, and is enabled by
default. Complete UI support is coming in the next release. Hooks for
message interception and manipulation are available.
* A myriad of other small improvements throughout the project.
16 October 2016: mitmproxy 0.18
* Python 3 Compatibility for mitmproxy and pathod (Shadab Zafar, GSoC 2016)
* Major improvements to mitmweb (Clemens Brunner & Jason Hao, GSoC 2016)
* Internal Core Refactor: Separation of most features into isolated Addons
* Initial Support for WebSockets
* Improved HTTP/2 Support
* Reverse Proxy Mode now automatically adjusts host headers and TLS Server Name Indication
* Improved HAR export
* Improved export functionality for curl, python code, raw http etc.
* Flow URLs are now truncated in the console for better visibility
* New filters for TCP, HTTP and marked flows.
* Mitmproxy now handles comma-separated Cookie headers
* Merge mitmproxy and pathod documentation
* Mitmdump now sanitizes its console output to not include control characters
* Improved message body handling for HTTP messages:
.raw_content provides the message body as seen on the wire
.content provides the decompressed body (e.g. un-gzipped)
.text provides the body decompressed and decoded body
* New HTTP Message getters/setters for cookies and form contents.
* Add ability to view only marked flows in mitmproxy
* Improved Script Reloader (Always use polling, watch for whole directory)
* Use tox for testing
* Unicode support for tnetstrings
* Add dumpfile converters for mitmproxy versions 0.11 and 0.12
* Numerous bugfixes
Changes:
3.0.0 (2017-03-29)
------------------
**API Changes (Backward Incompatible)**
- Removed nghttp2 support. This support had rotted and was essentially
non-functional, so it has now been removed until someone has time to re-add
the support in a functional form.
- Attempts by the encoder to exceed the maximum allowed header table size via
dynamic table size updates (or the absence thereof) are now forbidden.
**API Changes (Backward Compatible)**
- Added a new ``InvalidTableSizeError`` thrown when the encoder does not
respect the maximum table size set by the user.
- Added a ``Decoder.max_allowed_table_size`` field that sets the maximum
allowed size of the decoder header table. See the documentation for an
indication of how this should be used.
**Bugfixes**
- Up to 25% performance improvement decoding HPACK-packed integers, depending
on the platform.
- HPACK now tolerates receiving multiple header table size changes in sequence,
rather than only one.
- HPACK now forbids header table size changes anywhere but first in a header
block, as required by RFC 7541 § 4.2.
- Other miscellaneous performance improvements.
2.3.0 (2016-08-04)
------------------
**Security Fixes**
- CVE-2016-6581: HPACK Bomb. This release now enforces a maximum value of the
decompressed size of the header list. This is to avoid the so-called "HPACK
Bomb" vulnerability, which is caused when a malicious peer sends a compressed
HPACK body that decompresses to a gigantic header list size.
This also adds a ``OversizedHeaderListError``, which is thrown by the
``decode`` method if the maximum header list size is being violated. This
places the HPACK decoder into a broken state: it must not be used after this
exception is thrown.
This also adds a ``max_header_list_size`` to the ``Decoder`` object. This
controls the maximum allowable decompressed size of the header list. By
default this is set to 64kB.
2.2.0 (2016-04-20)
------------------
**API Changes (Backward Compatible)**
- Added ``HeaderTuple`` and ``NeverIndexedHeaderTuple`` classes that signal
whether a given header field may ever be indexed in HTTP/2 header
compression.
- Changed ``Decoder.decode()`` to return the newly added ``HeaderTuple`` class
and subclass. These objects behave like two-tuples, so this change does not
break working code.
**Bugfixes**
- Improve Huffman decoding speed by 4x using an approach borrowed from nghttp2.
- Improve HPACK decoding speed by 10% by caching header table sizes.
2.1.1 (2016-03-16)
------------------
**Bugfixes**
- When passing a dictionary or dictionary subclass to ``Encoder.encode``, HPACK
now ensures that HTTP/2 special headers (headers whose names begin with
``:`` characters) appear first in the header block.
* restored --logfile support as a few people complained it vanished
The new logging code even makes the overall binary size smaller
on most platforms.
* BPF filter now trims garbage trailing the payload
OK, it's not garbage, but userland doesn't know some drivers append
FCS to it.
* install udev.so on supported platforms to fix segfaults.
* support NetBSD's RO_MSGFILTER socket option to reduce avoid context
switching for route(4) messages that don't interest us.
* support OpenBSD's ROUTE_MSGFILTER which does the same.
* Don't open sockets if just sending signals.
* HMAC-MD5 test's now check expectations in code rather than relying
on visual confirmation.
* added eloop-bench to test performance of eloop with available
polling mechanisms.
Quote from release announce:
BIND 9.9.9-P8 addresses the security issues described in CVE-2017-3136,
CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys
for the root zone.
Quote from CHANGELOG:
--- 9.9.9-P8 released ---
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
--- 9.9.9-P7 released ---
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
Quote from release announce:
BIND 9.10.4-P8 addresses the security issues described in
CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the
built-in trusted keys for the root zone.
From CHANGELOG:
--- 9.10.4-P8 released ---
4582. [security] 'rndc ""' could trigger a assertion failure in named.
(CVE-2017-3138) [RT #44924]
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
--- 9.10.4-P7 released ---
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4575. [security] DNS64 with "break-dnssec yes;" can result in an
assertion failure. (CVE-2017-3136) [RT #44653]
4564. [maint] Update the built in managed keys to include the
upcoming root KSK. [RT #44579]
* Requirements: Now depends on Kombu 4.0.2.
* Tasks: Fixed problem with JSON serialization of group
* Worker: Fixed JSON serialization issue when using inspect active and friends
* App: Fixed saferef errors when using signals
* Prefork: Fixed bug with pack requiring bytes argument on Python 2.7.5 and earlier
* Tasks: Saferepr did not handle unicode in bytestrings on Python 2
* Testing: Added new celery_worker_paremeters fixture.
* Tasks: Added new app argument to GroupResult.restore
This makes the restore method behave the same way as the GroupResult constructor.
* Tasks: Fixed type checking crash when task takes *args on Python 3
* Documentation and examples improvements
- Now depends on :mod:`amqp` 2.1.4
This new version takes advantage of TCP Keepalive settings on Linux,
making it better at detecting closed connections, also in failover
conditions.
- Redis: Priority was reversed so, e.g. priority 0 became priority 9.
Removes byte string comparison warnings when running under python -b.
Fix contributed by Jon Dufresne.
Linux version parsing broke when the version included a ‘+’ character (Issue 119).
Now sets default TCP settings for platforms that support them (e.g. Linux).
Changes:
version 2017.04.09
Extractors
+ [medici] Add support for medici.tv (#3406)
+ [rbmaradio] Add support for redbullradio.com URLs (#12687)
+ [npo:live] Add support for default URL (#12555)
* [mixcloud:playlist] Fix title, description and view count extraction (#12582)
+ [thesun] Add suport for thesun.co.uk (#11298, #12674)
+ [ceskateleveize:porady] Add support for porady (#7411, #12645)
* [ceskateleveize] Improve extraction and remove URL replacement hacks
+ [kaltura] Add support for iframe embeds (#12679)
* [airmozilla] Fix extraction (#12670)
* [wshh] Extract html5 entries and delegate to generic extractor (12676)
+ [raiplay] Extract subtitles
+ [xfileshare] Add support for vidlo.us (#12660)
+ [xfileshare] Add support for vidbom.com (#12661)
+ [aenetworks] Add more video URL regular expressions (#12657)
+ [odnoklassniki] Fix format sorting for 1080p quality
+ [rtl2] Add support for you.rtl2.de (#10257)
+ [vshare] Add support for vshare.io (#12278)
version 2017.04.03
Core
+ [extractor/common] Add censorship check for TransTelekom ISP
* [extractor/common] Move censorship checks to a separate method
Extractors
+ [discoveryvr] Add support for discoveryvr.com (#12578)
+ [tv5mondeplus] Add support for tv5mondeplus.com (#11386)
+ [periscope] Add support for pscp.tv URLs (#12618, #12625)
version 2017.04.02
Core
* [YoutubeDL] Return early when extraction of url_transparent fails
Extractors
* [rai] Fix and improve extraction (#11790)
+ [vrv] Add support for series pages
* [limelight] Improve extraction for audio only formats
* [funimation] Fix extraction (#10696, #11773)
+ [xfileshare] Add support for vidabc.com (#12589)
+ [xfileshare] Improve extraction and extract hls formats
+ [crunchyroll] Pass geo verifcation proxy
+ [cwtv] Extract ISM formats
+ [tvplay] Bypass geo restriction
+ [vrv] Add support for vrv.co
+ [packtpub] Add support for packtpub.com (#12610)
+ [generic] Pass base_url to _parse_jwplayer_data
+ [adn] Add support for animedigitalnetwork.fr (#4866)
+ [allocine] Extract more metadata
* [allocine] Fix extraction (#12592)
* [openload] Fix extraction
version 2017.03.26
Core
* Don't raise an error if JWPlayer config data is not a Javascript object
literal. _find_jwplayer_data now returns a dict rather than an str. (#12307)
* Expand environment variables for options representing paths (#12556)
+ [utils] Introduce expand_path
* [downloader/hls] Delegate downloading to ffmpeg immediately for live streams
Extractors
* [afreecatv] Fix extraction (#12179)
+ [atvat] Add support for atv.at (#5325)
+ [fox] Add metadata extraction (#12391)
+ [atresplayer] Extract DASH formats
+ [atresplayer] Extract HD manifest (#12548)
* [atresplayer] Fix login error detection (#12548)
* [franceculture] Fix extraction (#12547)
* [youtube] Improve URL regular expression (#12538)
* [generic] Do not follow redirects to the same URL
version 2017.03.24
Extractors
- [9c9media] Remove mp4 URL extraction request
+ [bellmedia] Add support for etalk.ca and space.ca (#12447)
* [channel9] Fix extraction (#11323)
* [cloudy] Fix extraction (#12525)
+ [hbo] Add support for free episode URLs and new formats extraction (#12519)
* [condenast] Fix extraction and style (#12526)
* [viu] Relax URL regular expression (#12529)
version 2017.03.22
Extractors
- [pluralsight] Omit module title from video title (#12506)
* [pornhub] Decode obfuscated video URL (#12470, #12515)
* [senateisvp] Allow https URL scheme for embeds (#12512)
* Use internal heimdal
Changelog:
Changes since 4.6.1:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 12721: Fix regression with "follow symlinks = no".
Changes since 4.6.0:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
directory.
o Ralph Boehme <slow@samba.org>
* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
directory.
CHANGES SINCE 4.6.0rc4
======================
o Jeremy Allison <jra@samba.org>
* BUG 12592: Fix several issues found by covscan.
* BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send
queue is drained.
o Ralph Boehme <slow@samba.org>
* BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream.
* BUG 12526: vfs_fruit: Only veto AppleDouble files if "fruit:resource" is
set to "file".
* BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch.
o Volker Lendecke <vl@samba.org>
* BUG 12612: Re-enable token groups fallback.
o Stefan Metzmacher <metze@samba.org>
* BUG 9048: Samba4 ldap error codes.
* BUG 12557: gensec:spnego: Add debug message for the failed principal.
* BUG 12605: s3:winbindd: Fix endless forest trust scan.
* BUG 12612: winbindd: Find the domain based on the sid within
wb_lookupusergroups_send().
o Andreas Schneider <asn@samba.org>
* BUG 12557: s3:librpc: Handle gss_min in gse_get_client_auth_token()
correctly.
* BUG 12582: idmap_hash: Add a deprecation message, improve the idmap_hash
manpage.
* BUG 12592: Fix several issues found by covscan.
o Martin Schwenke <martin@meltin.net>
* BUG 12592: ctdb-logging: CID 1396883 Dereference null return value
(NULL_RETURNS).
CHANGES SINCE 4.6.0rc3
======================
o Jeremy Allison <jra@samba.org>
* BUG 12545: s3: rpc_server/mdssvc: Add attribute "kMDItemContentType".
* BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution.
o Ralph Boehme <slow@samba.org>
* BUG 12490: vfs_fruit: Correct Netatalk metadata xattr on FreeBSD.
* BUG 12536: s3/smbd: Check for invalid access_mask
smbd_calculate_access_mask().
* BUG 12591: vfs_streams_xattr: use fsp, not base_fsp.
o Amitay Isaacs <amitay@gmail.com>
* BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler().
* BUG 12595: build: Fix generation of CTDB manpages while creating tarball.
o Bryan Mason <bmason@redhat.com>
* BUG 12575: Modify smbspool_krb5_wrapper to just fall through to smbspool if
AUTH_INFO_REQUIRED is not set or is not "negotiate".
o Stefan Metzmacher <metze@samba.org>
* BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over NCACN_NP
against trusted domains.
* BUG 12262: 'net ads testjoin' and smb access fails after winbindd changed the
trust password.
* BUG 12585: librpc/rpc: fix regression in
NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping.
* BUG 12586: netlogon_creds_cli_LogonSamLogon doesn't work without
netr_LogonSamLogonEx.
* BUG 12587: winbindd child segfaults on connect to an NT4 domain.
* BUG 12588: s3:winbindd: Make sure cm_prepare_connection() only returns OK
with a valid tree connect.
* BUG 12598: winbindd (as member) requires kerberos against trusted ad domain,
while it shouldn't.
* BUG 12601: Backport pytalloc_GenericObject_reference() related changes to
4.6.
o Garming Sam <garming@catalyst.net.nz>
* BUG 12600: dbchecker: Stop ignoring linked cases where both objects are
alive.
o Andreas Schneider <asn@samba.org>
* BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir().
o Martin Schwenke <martin@meltin.net>
* BUG 12589: CTDB statd-callout does not cause grace period when
CTDB_NFS_CALLOUT="".
* BUG 12595: ctdb-build: Fix RPM build.
CHANGES SINCE 4.6.0rc2
======================
o Jeremy Allison <jra@samba.org>
* BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly.
* BUG 12546: s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store
the same path as streams_xattr_recheck().
* BUG 12531: Make vfs_shadow_copy2 cope with server changing directories.
o Andrew Bartlett <abartlet@samba.org>
* BUG 12543: samba-tool: Correct handling of default value for use_ntvfs and
use_xattrs.
* BUG 12573: Samba < 4.7 does not know about compatibleFeatures and
requiredFeatures.
* BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a
rename.
o Ralph Boehme <slow@samba.org>
* BUG 12184: s3/rpc_server: Shared rpc modules loading.
* BUG 12520: Ensure global "smb encrypt = off" is effective.
* BUG 12524: s3/rpc_server: Move rpc_modules.c to its own subsystem.
* BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses
readdirattr.
o Volker Lendecke <vl@samba.org>
* BUG 12551: smbd: Fix "map acl inherit" = yes.
o Stefan Metzmacher <metze@samba.org>
* BUG 12398: Replication with DRSUAPI_DRS_CRITICAL_ONLY and
DRSUAPI_DRS_GET_ANC results in WERR_DS_DRA_MISSING_PARENT S
* BUG 12540: s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB
2.???" negprot.
o John Mulligan <jmulligan@nasuni.com>
* BUG 12542: docs: Improve description of "unix_primary_group" parameter in
idmap_ad manpage.
o Andreas Schneider <asn@samba.org>
* BUG 12552: waf: Do not install the unit test binary for krb5samba.
o Amitay Isaacs <amitay@gmail.com>
* BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel.
* BUG 12549: ctdb-common: ioctl(.. FIONREAD ..) returns an int value.
o Garming Sam <garming@catalyst.net.nz>
* BUG 12577: 'samba-tool dbcheck' gives errors on one-way links after a
rename.
o Uri Simchoni <uri@samba.org>
* BUG 12529: waf: Backport finding of pkg-config.
CHANGES SINCE 4.6.0rc1
======================
o Amitay Isaacs <amitay@gmail.com>
* BUG 12469: CTDB lock helper getting stuck trying to lock a record.
* BUG 12500: ctdb-common: Fix a bug in packet reading code for generic socket
I/O.
* BUG 12510: sock_daemon_test 4 crashes with SEGV.
* BUG 12513: ctdb-daemon: Remove stale eventd socket.
o Björn Jacke <bj@sernet.de>
* BUG 12535: vfs_default: Unlock the right file in copy chunk.
o Volker Lendecke <vl@samba.org>
* BUG 12509: messaging: Fix dead but not cleaned-up-yet destination sockets.
* BUG 12538: Backport winbind fixes.
o Stefan Metzmacher <metze@samba.org>
* BUG 12501: s3:winbindd: talloc_steal the extra_data in
winbindd_list_users_recv().
o Martin Schwenke <martin@meltin.net>
* BUG 12511: ctdb-takeover: Handle case where there are no RELEASE_IPs to
send.
* BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp".
* BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple
'default' entries.
Upstream changes:
mikutter 3.5.7
* support Ayanoniwa's icecream image (thanks @ahiru3net)
* associations against (undefined) was not invoked (thanks @moguno)
* custom Model :modified key which included MessageMixin was ignored
(thanks @moguno)
1.3.5d - Released 15-Jan-2017
--------------------------------
- Bug 4283 - All FTP logins treated as anonymous logins again. This is a
regression of Bug#3307.
1.3.5c - Released 14-Jan-2017
--------------------------------
- Bug 4254 - SSH rekey during authentication can cause issues with clients.
- Bug 4257 - Recursive SCP uploads of multiple directories not handled properly.
- Bug 4259 - LIST returns different results for file, depending on path syntax.
- Bug 4255 - "AuthAliasOnly on" in server config breaks anonymous logins.
- Bug 4272 - CapabilitiesEngine directive not honored for <IfUser>/<IfGroup>
sections.
- Bug 4275 - Support OpenSSL 1.1.x API.
- Bug 4278 - Memory leak when mod_facl is used.
ChangeLog:
2017/04/03 : 1.7.5
- BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
- BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
- BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled
- BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze
- DOC: fix parenthesis and add missing "Example" tags
- DOC: update the contributing file
- DOC: log-format/tcplog/httplog update
- MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections
2017/03/27 : 1.7.4
- MINOR: config: warn when some HTTP rules are used in a TCP proxy
- BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters
- BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section
- BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
- BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
- BUG/MINOR: Fix "get map <map> <value>" CLI command
- BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
- BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING
- BUG/MINOR: checks: attempt clean shutw for SSL check
- CONTRIB: tcploop: add limits.h to fix build issue with some compilers
- CONTRIB: tcploop: make it build on FreeBSD
- CONTRIB: tcploop: fix time format to silence build warnings
- CONTRIB: tcploop: report action 'K' (kill) in usage message
- CONTRIB: tcploop: fix connect's address length
- CONTRIB: tcploop: use the trash instead of NULL for recv()
- BUG/MEDIUM: listener: do not try to rebind another process' socket
- BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze
- BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
- BUG/MEDIUM: connection: ensure to always report the end of handshakes
- BUG: payload: fix payload not retrieving arbitrary lengths
- BUG/MAJOR: http: fix typo in http_apply_redirect_rule
- MINOR: doc: 2.4. Examples should be 2.5. Examples
- BUG/MEDIUM: stream: fix client-fin/server-fin handling
- MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
- BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
- DOC/MINOR: Fix typos in proxy protocol doc
- DOC: Protocol doc: add checksum, TLV type ranges
- DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
- DOC: Protocol doc: add noop TLV
- MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time
- BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
- MINOR: server: irrelevant error message with 'default-server' config file keyword.
- MINOR: doc: fix use-server example (imap vs mail)
- BUG/MEDIUM: tcp: don't require privileges to bind to device
- BUILD: make the release script use shortlog for the final changelog
- BUILD: scripts: fix typo in announce-release error message
Changes since 2.0.0:
- Added support for provider Glesys.
- Added provider for Memset DNS API.
- Update Namesilo provider with correct query param fixes.
- Use transip-api library from pypi.
Upstream changes:
mikutter 3.5.6
* crash when icons for extract tabs could not be accessed (thanks ahiru3net)
* remove unused code (thanks ahiru3net)
* support files with .jpeg extentions in image viewer (thanks moguno)
* change timing of argument evaluation on startup (thanks ahiru3net)
* fix warnings (thanks ahiru3net)
Summary of changes since dhcpcd-6.11.5:
* source file locations reworked:
dhcpcd source is in src
dhcpcd hooks are in hooks
compat is in compat
* README split into README.md and BUILDING.md
* internal routing is now protocol agnostic
* avoid using __packed and use compile time asserts instead
* addresses some alignment issues
* disable some ARP code on kernels which support RFC5227
* BSD IPv6 kernel settings are now updated to reflect dhcpcd config
* custom logger has been removed, syslog handles everything
as such, the --logfile option has been removed as well.
If you need better/earlier logging, get a better syslogger!
* distinfo and signed distinfo files are now available alongside
release taraballs from this point onwards
* default DBDIR has changed from /var/db to /var/db/dhcpcd
* /etc/dhcpcd.duid moves to DBDIR/duid
* /etc/dhcpcd.secret moves to DBDIR/secret
* lease file names have dhcpcd removed from them as they are now
inside a directory of the same name
* fixed issues with reject routes not working on some platforms
* improved nl80211 support on Linux for working out the SSID
* no longer request NTP by default in dhcpcd.conf
* fix detecting IPv6 DAD on OpenBSD
* remove custom Solaris DLPI filtering in favour of BPF
(note there seems to be a kernel issue where the DHCP
fd receives ARP's as well, the only side effect is
a noisy syslog)
* BPF filtering vastly improved so dhcpcd only wake up on
ARP or DHCP packets destined for it
* support for MUD URL (draft-ietf-opsawg-mud-05)
* if the kernel isn't doing DAD, don't insist on waiting for it
to actually do it
* fix a potential crash where the DHCP or ARP states could be
freed before the packet processing loop naturally breaks
* removed gateway and nogateway options
(these can be controlled by the nooption directive which
works for more than just gateways)
* removed ipv6ra_own and ipv6ra_own_default options
(these can be controled by the ipv6rs/noipv6rs directive)
* fix a memory leak on systems where posix_spawnattr_init
allocates memory by calling posix_spawnattr_destroy afterwards
* fix a crash receiving SIGUSR1
dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its
goal in life is to route traffic to the best server, delivering top
performance to legitimate users while shunting or blocking abusive
traffic.
Management and Management Agent Plugins
- Security Vulnerability Patches
- CVE-2017-4965: XSS vulnerabilities in management UI
- CVE-2017-4966: authentication details are stored in browser-local
storage without expiration
- CVE-2017-4967: XSS vulnerabilities in management UI
- Bug Fixes
- Certain TCP and TLS listener configuration settings could break
JSON serialisation of GET /api/overview responses.
Federation Plugin
- More numerical types are now handled for the "hops" property.
.NET Client
- Calling ExchangeBind more than once with the same arguments threw an
exception.
Version 1.1.9
- Deprecate jid:to_string/1 and jid:from_string/1
- Only check resource with stringprep
- Improve type specs
- Add documentation
- Add set_tr_callback/2 function
- Make it possible to uninstall translation callback
- Use translation callback in data form encoders
- Fix external codec registration for OTP 17
- Include compiler app when generating erlang.plt
- Add notes about API instability
Version 1.1.8
- Add get_meta/2 and get_meta/3
- Get rid of some dialyzer warnings
Version 1.1.7
- Generate modular code for xmpp_codec
- Improve type specs for set_from()/set_to()
Version 1.1.6
- Add xmpp:serr_unsupported_feature()
- Don't replace existing delay tag with the same 'from'
This is a regularly scheduled stable release.
Resolved issues since v0.14.24:
#4003: "Pause All"/"Resume All" icons are improved.
#3959: There are now mips and mipsle builds by default.
#3183: The "overwriting protected files" warning now correctly handles relative paths to the config directory.
#804: The experimental KCP protocol for transfers over UDP has been merged, although it's not currently enabled by default.
Changes Between 1.6.0 and 1.7.0 (Feb 2nd, 2017)
* Clear Framesets on Exception
Unprocessed frames received on a connection are now correctly
cleared when an exception occurs.
Contributed by Michael Lutsiuk.
GitHub issue: #218
* amq-protocol Update
Minimum amq-protocol version is now 2.1.0.
Upstream changes:
mikutter 3.5.5
* avoid posts with full-width spaces only in Postbox (thanks @ahiru3net)
* user_detail_view: put auto new lines on printing Twitter start date etc.
Release date: 2017-03-08 14:32 UTC
Changelog:
* Set minimum PHP version to 5.4.0
* Set minimum PEAR version to 1.10.1
* Bug #18262: Incomplete buffer sent with fwrite after bugfix #14619
* Bug #20113: package.xml does not validate
* Bug #21031: Warning on connection error(stream_socket_client)
* PR #7: Fix for "Maximum execution time of 30 seconds exceeded" error
* PR #8: Make PHP5 compatible
Release Date: 2017-03-06 15:50 UTC
Changelog:
* Set minimum PHP version to 5.4.0
* Set minimum PEAR version to 1.10.1
* Bug #19375: Add static to the fuction getInstance
* Bug #21123: Signing the source package
- Add OTP to test filters
- Remove unnecessary filter from test
- Update DNSimple provider to v2
- Add username/password authentication (with optional 2fa) to
dnsimplev
++++++++++++++++++
- Added `upload_video` endpoint
- Fix quoted status checks in `html_for_tweet`
- Fix `html_for_tweet` method response when hashtag/mention is a substring of another
WebSocket++ is a header-only C++ library that implements RFC6455
The WebSocket Protocol. It allows integrating WebSocket client and
server functionality into C++ programs. It uses interchangeable
network transport modules, including one based on raw char buffers,
one based on C++ iostreams, and one based on Asio (either via Boost
or standalone). End users can write additional transport policies
to support other networking or event libraries as needed.
PowerDNS Recursor 4.0.4
=======================
Change highlights include:
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Don't parse spurious RRs in queries when we don't need them
(Security Advisory 2016-02)
- Add 'max-recursion-depth' to limit the number of internal recursion
- Wait until after daemonizing to start the RPZ and protobuf threads
- On RPZ customPolicy, follow the resulting CNAME
- Make the negcache forwarded zones aware
- Cache records for zones that were delegated to from a forwarded zone
- DNSSEC: don't go bogus on zero configured DSs
- DNSSEC: NSEC3 optout and Bogus insecure forward fixes
- DNSSEC: Handle CNAMEs at the apex of secure zones to other secure
zones
PowerDNS Recursor 4.0.3
=======================
Bug fixes
- Call gettag() for TCP queries
- Fix the use of an uninitialized filtering policy
- Parse query-local-address before lua-config-file
- Fix accessing an empty policyCustom, policyName from Lua
- ComboAddress: don't allow invalid ports
- Fix RPZ default policy not being applied over IXFR
- DNSSEC: Actually follow RFC 7646 §2.1
- Add boost context ldflags so freebsd builds can find the libs
- Ignore NS records in a RPZ zone received over IXFR
- Fix build with OpenSSL 1.1.0 final
- Don't validate when a Lua hook took the query
- Fix a protobuf regression (requestor/responder mix-up)
Additions and Enhancements
- Support Boost 1.61+ fcontext
- Add Lua binding for DNSRecord::d_place
PowerDNS Recursor 4.0.2
=======================
Bug fixes
- Set dq.rcode before calling postresolve
- Honor PIE flags.
- Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is
irrelevant
- Don't shuffle CNAME records. (thanks to Gert van Dijk for the
extensive bug report!)
- Fix delegation-only
Additions and enhancements
- Respect the timeout when connecting to a protobuf server
- allow newDN to take a DNSName in; document missing methods
- expose SMN toString to lua
- Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of
XS4All for finding this)
- Allow Lua access to the result of the Policy Engine decision, skip
RPZ, finish RPZ implementation
- Remove unused DNSPacket::d_qlen
- RPZ: Use query-local-address(6) by default (thanks to Oli Schacher
of switch.ch for the feature request)
- Move the root DNSSEC data to a header file
PowerDNS Recursor 4.0.1
=======================
Bug fixes
- Improve DNSSEC record skipping for non dnssec queries (Kees
Monshouwer)
- Don't validate zones from the local auth store, go one level down
while validating when there is a CNAME
- Don't go bogus on islands of security
- Check all possible chains for Insecures
- Don't go Bogus on a CNAME at the apex
- RPZ: default policy should also override local data RRs
- Fix a crash when the next name in a chained query is empty and
rec_control current-queries is invoked
Improvements
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix warnings with gcc on musl-libc (James Taylor)
- Also validate on +DO
- Fail to start when the lua-dns-script does not exist
- Add more Netmask methods for Lua (Aki Tuomi)
- Validate DNSSEC for security polling
- Turn on root-nx-trust by default and log-common-errors=off
- Allow for multiple trust anchors per zone
- Fix compilation warning when building without Protobuf
PowerDNS Recursor 4.0.0
=======================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Switched to binary storage of DNS records in all places.
- Moved ACLs to a dedicated Netmask Tree.
- Implemented a version of RCU for configuration changes
- Instrumented our use of the memory allocator, reduced number of
malloc calls substantially.
- The Lua hook infrastructure was redone using LuaWrapper; old scripts
will no longer work, but new scripts are easier to write under the
new interface.
- DNSSEC processing: if you ask for DNSSEC records, you will get them.
- DNSSEC validation: if so configured, PowerDNS perform DNSSEC
validation of your answers.
- Completely revamped Lua scripting API that is "DNSName" native and
therefore far less error prone, and likely faster for most commonly
used scenarios.
- New asynchronous per-domain, per-ip address, query engine.
- RPZ (from file, over AXFR or IXFR) support.
- All caches can now be wiped on suffixes, because of canonical
ordering.
- Many, many more relevant performance metrics, including upstream
authoritative performance measurements.
- EDNS Client Subnet support, including cache awareness of
subnet-varying answers.
pkgsrc changes:
- Remove options for cryptopp and geoip (the latter to go into a
separate package).
- Clean up a lot of patches that do not seem to be needed anymore.
PowerDNS Authoritative Server 4.0.3
===================================
- Revert "In 'Bind2Backend::lookup()', use the 'zoneId' when we have it"
PowerDNS Authoritative Server 4.0.2
Security issues fixed:
- 2016-02: Crafted queries can cause abnormal CPU usage
- 2016-03: Denial of service via the web server
- 2016-04: Insufficient validation of TSIG signatures
- 2016-05: Crafted zone record can cause a denial of service
Other highlights:
- Don't parse spurious RRs in queries when we don't need them (Security
Advisory 2016-02)
- Don't exit if the webserver can't accept a connection (Security
Advisory 2016-03)
- Check TSIG signature on IXFR (Security Advisory 2016-04)
- Correctly check unknown record content size (Security Advisory
2016-05)
- ODBC backend: actually prepare statements
- Improve root-zone performance
- Plug memory leak in postgresql backend (Christian Hofstaedtler)
- calidns: Don't crash if we don't have enough 'unknown' queries
remaining
- Improve PacketCache cleaning (Kees Monshouwer)
- Bind backend: update status message on reload, keep the existing zone
on failure
- Fix TSIG for single thread distributor (Kees Monshouwer)
- Change default for any-to-tcp to yes (Kees Monshouwer)
- Don't look up the packet cache for TSIG-enabled queries
- Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
- pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
PowerDNS Authoritative Server 4.0.1
===================================
Bug fixes
- Wait for the connection to the carbon server to be established
- Don't try to deallocate empty PG statements
- Send the correct response when queried for an NSEC directly (Kees
Monshouwer)
- Don't include bind files if length <= 2 or > sizeof(filename)
- Catch runtime_error when parsing a broken MNAME
Improvements
- Make DNSPacket return a ComboAddredd for local and remote (Aki Tuomi)
- OpenSSL 1.1.0 support (Christian Hofstaedtler)
- Fix typos in a logmessage and exception (Christian Hofsteadtler)
- pdnsutil: Remove checking of ctime and always diff the changes (Hannu
Ylitalo)
- dnsreplay: Only add Client Subnet stamp when asked
- Use toLogString() for ringAccount (Kees Monshouwer)
Additions
- Add limits to the size of received {A,I}XFR
- Add used filedescriptor statistic (Kees Monshouwer)
PowerDNS Authoritative Server 4.0.0
===================================
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to improve the quality of implementation in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
- Due to this, the PowerDNS Authoritative Server can now serve
DNSSEC-enabled root-zones.
- All backends derived from the Generic SQL backend use prepared
statements.
- Both the server and pdns_control do the right thing when chroot'ed.
- Caches are now fully canonically ordered, which means entries can be
wiped on suffix in all places
- A revived and supported ODBC backend (godbc).
- A revived and supported LDAP backend (ldap).
- Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
- Support for the ALIAS record.
- The webserver and API are no longer experimental.
- The API-path has moved to /api/v1
- DNSUpdate is no longer experimental.
- ECDSA (algorithm 13 and 14) supported without in-tree cryptographic
libraries (provided by OpenSSL).
- Experimental support for ed25519 DNSSEC signatures (when compiled with
libsodium support).
- Many new pdnsutil commands.
- GeoIP backend has gained many features, and can now e.g. run based on
explicit netmasks not present in the GeoIP databases
- Removed support for LMDB.
- Removed the Geo backened (use the improved GeoIP instead).
- pdnssec has been renamed to pdnsutil.
- Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic
libraries have been dropped in favor of the (faster) OpenSSL libcrypto
(except for GOST, which is still provided by Botan).
- ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when
securing zones.
- The PowerDNS Authoritative Server now listens by default on all IPv6
addresses.
- Several superfluous queries have been dropped from the Generic SQL
backends.
- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are
marked as deprecated and will be removed in 4.1.0
This is a regularly scheduled stable release.
Resolved issues since v0.12.23:
#3884: lib/sync: Fix a race in unlocker logging
#3976: Links and log messages refer to https instead of http where possible
Also:
As of this release, symlinks are no longer supported on Windows.
The default number of parallel file processing routines per
folder is now two (previously one), and the number of simultaneously
outstanding network requests has been increased.
The GUI now contains buttons to pause or resume all folders
with a single action.
Changes in version 0.2.9.10 - 2017-03-01
Tor 0.2.9.10 backports a security fix for users who build Tor with
the --enable-expensive-hardening option. It also includes fixes for
some major issues affecting directory authorities, LibreSSL
compatibility, and IPv6 correctness.
The Tor 0.2.9.x release series is now marked as a long-term-support
series. We intend to backport security fixes to 0.2.9.x until at
least January of 2020.
o Major bugfixes (directory authority, 0.3.0.3-alpha):
- During voting, when marking a relay as a probable sybil, do not
clear its BadExit flag: sybils can still be bad in other ways
too. (We still clear the other flags.) Fixes bug 21108; bugfix
on 0.2.0.13-alpha.
o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
any IPv6 addresses. Instead, only reject a port over IPv6 if the
exit policy rejects that port on more than an IPv6 /16 of
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
which rejected a relay's own IPv6 address by default. Fixes bug
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
o Major bugfixes (parsing, also in 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (directory authorities, also in 0.3.0.4-rc):
- Directory authorities now reject descriptors that claim to be
malformed versions of Tor. Helps prevent exploitation of
bug 21278.
- Reject version numbers with components that exceed INT32_MAX.
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
Fixes bug 21450; bugfix on 0.0.8pre1.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
- Autoconf now checks to determine if OpenSSL structures are opaque,
instead of explicitly checking for OpenSSL version numbers. Part
of ticket 21359.
- Support building with recent LibreSSL code that uses opaque
structures. Closes ticket 21359.
o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
- Repair a couple of (unreachable or harmless) cases of the risky
comparison-by-subtraction pattern that caused bug 21278.
o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
- The tor-resolve command line tool now rejects hostnames over 255
characters in length. Previously, it would silently truncate them,
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
Patch by "junglefowl".
removed).
According the Changelog (only relevant entries for "lua" added/removed scripts):
o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
services. [Soldier of Fortran]
+ cics-user-enum brute-forces usernames for CICS users on TN3270 services.
[Soldier of Fortran]
+ fingerprint-strings will print the ASCII strings it finds in the service
fingerprints that Nmap shows for unidentified services. [Daniel Miller]
+ [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
via Bing Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
via Google Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
for import into other mapping software [Mak Kolybabi]
+ nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
and OHOST. Helpfully, nje-node-brute can now brute force both of those
values. [Soldier of Fortran]
+ [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
certificate fields and extensions. [Steve Benson]
+ tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
including any hidden fields. The script is accompanied by the new tn3270
library. [Soldier of Fortran]
+ tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
+ tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
+ vtam-enum brute-forces VTAM application IDs for TN3270 services.
[Soldier of Fortran]
o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
service at some point. Reported by Brian Morin.
o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
storing and retrieving IP geolocation results. [Mak Kolybabi]
Upstream changes:
# mikutter 3.5.3
* sometimes UserList shows empty lines and they cause crashes by clicks
* unexpected behavior when TL timestamp is clicked in polluted environments
* support Ruby 2.4
* Ruby-GNOME2 3.1.1
Changelog:
NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix#1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.
fixes and new functionality, made since iperf 3.1.5.
* User-visible changes
* Specifying --fq-rate or --no-fq-socket-pacing on a system where
these options are not supported now generate an error instead of a
warning. This change makes diagnosing issues related to pacing
more apparent.
* Fixed a bug where two recently-added diagnostic messages spammed
the JSON output on UDP tests.
3.24.1 (2017-02-21)
- Fixed rendering icons in the remote directory tree when DPI scaling is enabled on Windows Vista and some Windows 7 machines
- SFTP components have been updated and are now based on PuTTY 0.68
- Updated builtin pugixml to version 1.8
0.9.1 (2017-02-20)
+ Added a small helper function to fz::file to get the current position in the file
+ Added another version of fz::to_wstring_from_utf8 that takes a char buffer + length
- Fixed extraction of single-character tokens in fz::strtok
New Features:
- Flag uploads coming from G2 servents with a "[G2]" tag after IP address.
- Added alias support in sharing/querying.
- Made the "Clear completed" button in Downloads/Tools do something useful.
- Moved "Clear completed" button to the bottom right of the download pane.
- Remember fileinfo notebook tab number across sessions.
- Remember main notebook tab number across sessions, only restored after crash.
- Remember Gnet stats notebook tab number across sessions.
- Remember download info / tools notebook tab number across sessions.
Improvements:
- Added --cleanup to explicitly request for final memory cleanup sequence.
- Updated Italian translation.
- Updated GeoIP databases.
Bug Fixes:
- Leaf nodes could end-up being connected to more ultrapeers than configured.
- Fixed monitoring of alien threads, important when GTK file selector is used.
Under the Hood:
- Debian compatibility level changed from 4 to 5.
- Make sure we can deal with older pkg-config, which needs leading arguments.
- Use "embedded" symbols for xmalloc(), xfree() and friends.
- Added "query_trace" property to trace all queries which were searched.
- Moved halloc-based string functions like h_strdup() to dedicated hstrfn.c.
- Expanded search mask to 64 bits to be able to hold all digits and letters.
- Count aliased queries and hits from aliases.
- Pre-compute shared file media type at record creation time.
- Pass query limits to st_search() to avoid needless pattern matching.
- Added h_strsplit() and h_strsplit_set().
- Added strvec_append_with() to expand vector by appending another vector.
- crash_assert_logv(): don't call crash_mode() if assert failure was recorded.
- entropy_clock_time(): mix the entropy nonce through hashing for more diffusion.
- node_can_accept_connection(): only send headers back when handshaking.
- qrp_add_file(): optimized to avoid computing word length if not required.
- thread_stack_check_overflow(): ignore virtual addresses outside stack range.
- vmm_init_once(): ensure any shared library for stacktrace unwinding is loaded.
Changes:
1.31.0
------
* Better error message when local file status cannot be retrieved
(GH-836)
* Fix assertion failure in SimpleRandomizer::getRandomBytes
* Add option content-disposition-default-utf8
Patch from JimmyZ (GH-813)
This Python 3 module provides an DNS API for looking up DNS entries
from within Python 3 modules and applications. This module is a
simple, lightweight implementation.
**** 1.08 [unreleased]
Fix rt.cpan.org #120208
Unable to install 1.07 in local::lib environment
Feature rt.cpan.org #119679
Net::DNS::Nameserver: UpdateHandler for responding to UPDATE packets
Feature rt.cpan.org #75357
Net::DNS::Nameserver: optionmask (similar to headermask) added
to allow user to set EDNS CLIENT-SUBNET option in reply packet
Discontinue support for pre-5.6 perl
Remove pre-5.6 workarounds and outdated language features
Changelog:
* Changes in Wget 1.19.1
* Fix bugs, a regression, portability/build issues
* Add new option --retry-on-http-error
* Changes in Wget 1.19
* New option --use-askpass=COMMAND. Fetch user/password by calling
an external program.
* Use IDNA2008 (+ TR46 if available) through libidn2
* When processing a Metalink header, --metalink-index=<number> allows
to process the header's application/metalink4+xml files.
* When processing a Metalink file, --trust-server-names enables the
use of the destination file names specified in the Metalink file,
otherwise a safe destination file name is computed.
* When processing a Metalink file, enforce a safe destination path.
Remove any drive letter prefix under w32, i.e. 'C:D:file'. Call
libmetalink's metalink_check_safe_path() to prevent absolute,
relative, or home paths:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* When processing a Metalink file, --directory-prefix=<prefix> sets
the top of the retrieval tree to prefix for Metalink downloads.
* When processing a Metalink file, reject downloaded files which don't
agree with their own metalink:size value:
https://tools.ietf.org/html/rfc5854#section-4.2.16
* When processing a Metalink file, with --continue resume partially
downloaded files and keep fully downloaded files even if they fail
the verification.
* When processing a Metalink file, create the parent directories of a
"path/file" destination file name:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* On a recursive download, append a .tmp suffix to temporary files
that will be deleted after being parsed, and create them
readable/writable only by the owner.
* New make target 'check-valgrind'
* Fix several bugs
* Fix compatibility issues
