out of date - it was based on a.out OBJECT_FMT, and added entries in the
generated PLISTs to reflect the symlinks that ELF packages uses. It also
tried to be clever, and removed and recreated any symbolic links that were
created, which has resulted in some fun, especially with packages which
use dlopen(3) to load modules. Some recent changes to our ld.so to bring
it more into line with other Operating Systems also exposed some cracks.
+ Modify bsd.pkg.mk and its shared object handling, so that PLISTs now contain
the ELF symlinks.
+ Don't mess about with file system entries when handling shared objects in
bsd.pkg.mk, since it's likely that libtool and the BSD *.mk processing will
have got it right, and have a much better idea than we do.
+ Modify PLISTs to contain "ELF symlinks"
+ On a.out platforms, delete any "ELF symlinks" from the generated PLISTs
+ On ELF platforms, no extra processing needs to be done in bsd.pkg.mk
+ Modify print-PLIST target in bsd.pkg.mk to add dummy symlink entries on
a.out platforms
+ Update the documentation in Packages.txt
With many thanks to Thomas Klausner for keeping me honest with this.
Remote Intrusion Detection to track down compromised hosts
Purpose: To use intrusion fingerprints to track down compromised hosts.
Scope: TCP/UDP/ICMP (No fragmentation reassembly)
Specs: Program can create somewhat arbitrary UDP/ICMP/TCP packets/streams
and send them to a range of hosts. It also listens promiscuously
for predefined intrusion "fingerprints".
default certificate directory is now /etc/openssl/certs (matches OpenSSL's
default), but if stunnel uses the pkgsrc OpenSSL, then the default is
${PREFIX}/certs.
Changes from version 3.8 include:
* Updated temporary key generation:
- stunnel is now honoring requested key-lengths correctly,
- temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.
* use daemon() function instead of daemonize, if available
* added -S flag, allowing you to choose which default verify
sources to use
* relocated service name output logging until after log_open.
(no longer outputs log info to inetd socket, causing bad SSL)
* -V flag now outputs the default values used by stunnel
* Added rigerous PRNG seeding
* PID changes (and related security-fix)
* Man page fixes
* Client SSL Session-IDs now used
* -N flag to specify tcpwrapper service name
* UPGRADE NOTE: this version seriously changes several previous stunnel
default behaviours. There are no longer any default cert file/dirs
compilied into stunnel, you must use the --with-cert-dir and
--with-cert-file configure arguments to set these manually, if desired.
Stunnel does not use the underlying ssl library defaults by default
unless configured with --enable-ssllib-cs. Note that these can always
be enabled at run time with the -A,-a, and -S flags.
Additionally, unless --with-pem-dir is specified at compile time,
stunnel will default to looking for stunnel.pem in the current directory.
pcap-int.h is normally installed, as it is internal to libpcap.
$Id: CHANGES,v 1.54 2000/12/17 16:39:05 dugsong Exp $
v2.3 Sun Dec 17 11:35:38 EST 2000
- Add VRRP parsing to dsniff, from Eric Jackson <shinobi@monkey.org>.
- Require pcap filter argument for tcpkill, tcpnice.
- Add Microsoft PPTP MS-CHAP (v1, v2) parsing to dsniff, based on
anger.c by Aleph One <aleph1@securityfocus.com>.
- Fix pcAnywhere 7, 9.x parsing in dsniff.
- Add -t trigger[,...] flag to dsniff, to specify individual triggers
on the command line.
- Convert most everything to use new buf interface.
- New programs: dnsspoof, msgsnarf, sshmitm, webmitm.
- Fix inverted regex matching in *snarf programs.
- Consistent arpspoof, macof, tcpnice, tcpkill output.
- Rename arpredirect to arpspoof (maintain consistent *sniff, *snarf,
*spoof, *spy nomenclature).
- Consistent pcap filter argument to dsniff, *snarf programs.
- Add trigger for Checkpoint Firewall-1 Session Authentication Agent
(261/tcp), as suggested by Joe Segreti <seg@clark.net>.
- Add SMTP parsing to dsniff, as requested by Denis Ducamp
<Denis.Ducamp@hsc.fr>.
- Add rexec and RPC ypserv parsing to dsniff, as requested by
Oliver Friedrichs <of@securityfocus.com>.
- Add HTTP proxy auth parsing back to dsniff, it got lost in the
shuffle. Reported by Denis Ducamp <Denis.Ducamp@hsc.fr>.
- Add NNTPv2 and other AUTHINFO extensions to dsniff.
The socket creation code in fshd was not paranoid enough. There
were are at least two possible attacks:
- If a malicious user has symlinked /tmp/fshd-<UID> to another
file, fshd will chmod 0700 that file.
- A race condition made it possible for an attacker to create an
unsafe socket directory, so that the attacker can access an
fshd tunnel.
The attacker must alread have a local shell on the computer where
fsh or fshd is invoked.
Other changes:
New timeout option, fixed to work with openssh2, now also usable if
you have to enter a password to connect, and some others.
