* Suppress the notice that the password is being changed because it's
expired if force_first_pass or use_first_pass is set in the password
stack, indicating that it's stacked with another module that's also
doing password changes. This is arguable, but without this change the
notification message of why the password is being changed shows up
confusingly in the middle of the password change interaction.
* Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
keys even if the supplied password is wrong. Work around this by
confirming that the PAM module can obtain tickets for kadmin/changepw
before returning a password expiration error instead of an invalid
password error.
* The location of the temporary root-owned ticket cache created during
the authentication process is now also controlled by the ccache_dir
option (but not the ccache option) rather than forced to be in /tmp.
This will allow system administrators to configure an alternative
cache directory so that pam-krb5 can continue working when /tmp is
full.
* Report more specific errors in syslog if authorization checks (such as
.k5login checks) fail.
* Pass a NULL principal to krb5_set_password with MIT client libraries
to prefer the older change password protocol for compatibility with
older KDCs. This is not necessary on Heimdal since Heimdal's
krb5_set_password tries both protocols.
* Improve logging and authorization checks when defer_pwchange is set
and a user authenticates with an expired password.
* When probing for Kerberos libraries, always add any supplemental
libraries found to that point to the link command. This will fix
configure failures on platforms without working transitive shared
library dependencies.
* Close some memory leaks where unparsed Kerberos principal names were
never freed.
* Restructure the code to work with OpenPAM's default PAM build
machinery, which exports a struct containing module entry points
rather than public pam_sm_* functions.
* In debug logging, report symbolic names for PAM flags on PAM function
entry rather than the numeric PAM flags. This helps with automated
testing and with debugging PAM problems on different operating
systems.
* Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
the header file on NetBSD systems.
* Replace the Kerberos compatibility layer with equivalent but
better-structured code from rra-c-util 4.0.
* Avoid krb5-config and use manual library probing if --with-krb5-lib or
--with-krb5-include were given to configure. This avoids having to
point configure at a nonexistent krb5-config to override its results.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
configure, to avoid a conflict with the variable used by the Kerberos
libraries to find krb5.conf.
* Change references to Kerberos v5 to just Kerberos in the documentation.
* Update to rra-c-util 4.0
* Update to C TAP Harness 1.9
- Minor bug fix release
- Fix perl Validator module so it compiles after a header move
- Make all OSes use the new dnssec-check gui as they should have
1.12 (1/26/12)
- New Features:
- libval: - Made improvements to support IPv6,
added the ability to fetch IPv6 glue
- Fixed the EDNS0 fallback behavior.
- Tidied up the locking semantics in libval.
- Added support for hard-coding validator configuration
information that gets used in the absence of other
configuration data. This feature allows the
validator library to be self-contained in
environments where setting up configuration data at
specific locations in the file system is not always
feasible.
- The library has been ported to the Android OS
- rollerd: - Added support for phase-specific commands. This allows
the zone operator to customize processing of the rollerd
utility during different rollerd phases.
- Added support for zone groups. This allows a collection
of zones to be controlled as a group, rather than each of
those zones individually.
- Improved the manner in which rollerd indexes the zones
being managed, significantly decreasing access times for
rollerd's data files. This results in rollerd being able
to support a lot more zones with a single rollerd
instance.
- rollctl and the rollover GUI programs may have new
commands to allow for immediate termination of rollerd.
- apps - Added patch to enable local validation in NTP, with
the ability to handle a specific chicken and egg problem
related to the interdependency between DNSSEC and an
accurate system clock.
- Added a patch to enable DNSSEC validation in Qt
based applications
- dnssec-check - Completely rewritten GUI with many new features
- Now contains the ability to submit the results
to a central DNSSEC-Tools repository. The
results will be analyzed and published on a
regular basis. Please help us get started by
running dnssec-check on your networks! Note
that, as the tool explains, it only sends hashed
IP addresses to our servers, and the reports
generated will be aggregate summaries of the
data collected.
- It now runs on both Android and Harmattan (N9) devices
- maketestzone - Now produces zones with wildcards and changes to
NSEC record signatures
- dnssec-nodes - parses unbound log files
- Initial work porting to Android
- dnssec-system-tray
- parses unbound log files
1.11 (9/30/11)
- New Features:
- libval: - Significant improvements and bug fixes to the
asynchronous support.
- Added asynchronous version of val_getaddr_info.
- Some reworking of the asynchronous API and callbacks.
Note the asynchronous api is still under development and
subject to changes that break backwards compatibility.
- rollerd: - Added an experimental time-based method for queuing
rollover operations. The original method (full list
of all zones) is the default queuing method, but the
new method can be used by editing the rollerd script.
rollctl and rollrec.pm were also modified to support
this change.
- Added support for merging a set of rollrec files.
rollctl and rollrec.pm were also modified to support
this change.
- dnssec-nodes - This graphical DNS debugging utility was greatly enhanced
- Now parses both bind and libval log files
- Multiple log files can be watched
- Nodes represent multiple data sets
internally, which are independently displayed
and tracked.
- Added support for searching for and
highlighting DNS data and DNSSEC status
results
- dnssec-system-tray
- This utility can now report on BOGUS responses
detected in both libval and bind log files.
- Summary window revamped to group similar
messages together.
Plus many more minor features and bug fixes
* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
even if it is corrupted, preventing unnecessary serial decrements.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
the daemon will start after a power failure.
Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem where a pid was found when it did not exist.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key
material with leading zeroes. DNSSEC does not allow leading zeroes in key
data. You are affected by this bug if your DNSKEY RDATA e.g. begins with
"BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize
incoming data before adding it to the DNSKEY. Do not upgrade to this version
if you are affected by the bug. You first need to go unsigned, then do the
upgrade, and finally sign your zone again. SoftHSM and other HSMs will not
produce data with leading zeroes and the bug will thus not affect you.
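The "BAABA" versus "AwEAA" prefixes above fall straight out of the RFC 3110 wire format: an RSA DNSKEY public key is <exponent length><exponent><modulus>, and a 65537 exponent padded to four octets (00 01 00 01) base64-encodes to "BAAB..." while the correct three-octet form (01 00 01) gives "AwEA...". The following is an added example, not OpenDNSSEC code, that detects and strips such leading zero octets; the modulus bytes are constructed sample data, not a real key.

```python
"""Detect and strip leading zero octets from RSA DNSKEY public key data.

Added example (not OpenDNSSEC code) modelling the SUPPORT-21 sanitization:
RFC 3110 encodes an RSA public key as <exponent length><exponent><modulus>,
and neither the exponent nor the modulus may carry leading zero octets.
"""
import base64


def parse_rsa_dnskey(pubkey_b64):
    """Split RFC 3110 key data into (exponent, modulus) byte strings.

    The exponent length is one octet, or, when that octet is zero, the
    following two octets in network byte order.
    """
    raw = base64.b64decode(pubkey_b64)
    if len(raw) < 3:
        raise ValueError("RSA key data too short")
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[off:off + elen]
    modulus = raw[off + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("truncated RSA key data")
    return exponent, modulus


def encode_rsa_dnskey(exponent, modulus):
    """Encode (exponent, modulus) per RFC 3110 with leading zeros removed."""
    exponent = exponent.lstrip(b"\x00") or b"\x00"
    modulus = modulus.lstrip(b"\x00")
    if not modulus:
        raise ValueError("modulus is empty")
    if len(exponent) < 256:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\x00" + len(exponent).to_bytes(2, "big")
    return base64.b64encode(prefix + exponent + modulus).decode("ascii")


def has_leading_zero(pubkey_b64):
    """True if the exponent or modulus starts with a zero octet (the bug)."""
    exponent, modulus = parse_rsa_dnskey(pubkey_b64)
    return exponent[:1] == b"\x00" or modulus[:1] == b"\x00"


def sanitize_rsa_dnskey(pubkey_b64):
    """Re-encode key data with leading zero octets stripped."""
    exponent, modulus = parse_rsa_dnskey(pubkey_b64)
    return encode_rsa_dnskey(exponent, modulus)


# Constructed sample data: a fake 512-bit modulus (not a real key), once as
# a correct key and once as an HSM would return it with zero-padded
# exponent (04 00 01 00 01) and modulus.
MODULUS = bytes.fromhex("c6" + "5a" * 63)
GOOD_KEY = base64.b64encode(b"\x03\x01\x00\x01" + MODULUS).decode("ascii")
BAD_KEY = base64.b64encode(b"\x04\x00\x01\x00\x01" + b"\x00" + MODULUS).decode("ascii")

if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(label, key[:8], "leading zero:", has_leading_zero(key))
    fixed = sanitize_rsa_dnskey(BAD_KEY)
    print("sanitized", fixed[:8], "equal to good key:", fixed == GOOD_KEY)
```

Running it prints the "AwEAAcZa" and "BAABAAEA" prefixes for the two constructed keys and shows the sanitized bad key is byte-identical to the good one. A zone already signed with a zero-padded DNSKEY has DS records and RRSIGs computed over the bad RDATA, which is why the release note insists on going unsigned before upgrading rather than sanitizing in place.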
OpenDNSSEC 1.3.6
* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
time, let the worker hold back sign operations until the queue has room.
* Signer Engine: Adjust some log messages.
Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
signed file to an intermediate file first.
* Update the README with information on moving the database
between different architectures.
Bugfixes:
* Fix the destruction order of the Singleton objects.
=== 2.3.0 / 11 Jan 2012
* Support for hmac-sha2 and diffie-hellman-group-exchange-sha256 [Ryosuke Yamazaki]
=== 2.2.2 / 04 Jan 2012
* Fixed: Connection hangs on ServerVersion.new(socket, logger) [muffl0n]
* Avoid dying when unsupported auth mechanisms are defined [pcn]
(Yes, that ridiculous version number really is what upstream calls it.)
No NEWS entry, but announcement includes:
2012-03-13 Zooko Wilcox-O'Hearn <zooko@zooko.com>
* src/pycryptopp/_version.py: release pycryptopp-0.6.0
* add Ed25519 signatures (#75)
* add XSalsa20 cipher (#40)
* switch from darcs to git for revision control
* pycryptopp version numbers now include a decimal encoding of *
* reorganize the source tree and the version number generation
* aesmodule.cpp: validate size of IV and throw exception if it
is not 16 (#70)
* fixed compile errors with gcc-4.7.0 (#78)
* fixed compile errors concerning "CryptoPP::g_nullNameValuePairs" (#77)
* suppress warnings from valgrind with new OpenSSL 1.0.1 on Fedora (#82)
* raise Python exception instead of uncaught C++ exception
(resulting in abort) when deserializing malformed RSA keys (#83)
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
modules. This is required in the child process after a fork.
* libgnutls: PKCS 11 objects that do not have an ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added
Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
in CMS and PKCS7 code. When RSA decryption fails use a random key for
content decryption and always return the same error. Note: this attack
needs on average 2^20 messages so it only affects automated senders. The
old behaviour can be reenabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
[Steve Henson]
*) Fix CVE-2011-4619: make sure we really are receiving a
client hello before rejecting multiple SGC restarts. Thanks to
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
[Steve Henson]
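The MMA fix above is the textbook countermeasure to a Bleichenbacher padding oracle: never let the caller learn whether the RSA unwrap or the later content decryption failed. The following added example (not OpenSSL code) models a CMS-style key-transport decryptor in Python. It assumes the RSA private-key operation has already been applied, so the functions take the decrypted k-octet block directly, which is where the padding check and hence the oracle live; the content layer is a toy encrypt-then-MAC scheme chosen only so the example runs offline. The `debug_decrypt` flag stands in for CMS_DEBUG_DECRYPT.

```python
"""Bleichenbacher (MMA) defence in a CMS-style RSA key transport decryptor.

Added example, not OpenSSL code.  When the PKCS#1 v1.5 unwrap of the
content-encryption key (CEK) fails, a random CEK is substituted and
decryption continues, so every failure path ends in one identical error.
The content layer (HMAC-SHA256 over a SHA-256 counter keystream) is a toy;
the specific ciphers do not matter for the oracle.
"""
import hashlib
import hmac
import secrets

K = 128          # RSA modulus size in octets (1024-bit key, assumed)
CEK_LEN = 32     # content-encryption key length


def pkcs1_v15_pad(cek, k=K):
    """Type-2 padding: 00 02 <PS of at least 8 nonzero octets> 00 <CEK>."""
    ps = bytes(b or 1 for b in secrets.token_bytes(k - 3 - len(cek)))
    return b"\x00\x02" + ps + b"\x00" + cek


def pkcs1_v15_unpad(block, k=K):
    """Return the payload, or None when the padding is malformed."""
    if len(block) != k or block[0] != 0 or block[1] != 2:
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:            # PS must be at least 8 octets (indices 2..9)
        return None
    return block[sep + 1:]


def _keystream(cek, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(cek + i.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt_content(cek, message):
    """Toy encrypt-then-MAC: tag || ciphertext."""
    ct = bytes(a ^ b for a, b in zip(message, _keystream(cek, len(message))))
    return hmac.new(cek, ct, hashlib.sha256).digest() + ct


def decrypt_content(cek, blob):
    """Return the plaintext, or None when the tag does not verify."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(cek, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(cek, len(ct))))


def cms_decrypt(rsa_block, blob, debug_decrypt=False):
    """Decrypt enveloped data given the already RSA-decrypted block.

    debug_decrypt=False is the fixed behaviour; True restores the old,
    oracle-leaking behaviour (what the CMS_DEBUG_DECRYPT flag re-enables).
    """
    cek = pkcs1_v15_unpad(rsa_block)
    if cek is None or len(cek) != CEK_LEN:
        if debug_decrypt:
            raise ValueError("RSA decryption failed")     # distinguishable
        cek = secrets.token_bytes(CEK_LEN)                # MMA defence: carry on
    plaintext = decrypt_content(cek, blob)
    if plaintext is None:
        raise ValueError("content decryption failed" if debug_decrypt else "decrypt error")
    return plaintext


def error_classes(blob, probes, debug_decrypt):
    """Set of distinct outcomes an attacker observes across probe blocks."""
    seen = set()
    for block in probes:
        try:
            cms_decrypt(block, blob, debug_decrypt)
            seen.add("ok")
        except ValueError as exc:
            seen.add(str(exc))
    return seen


# Constructed sample: one legitimate envelope and two attacker probes,
# malformed padding and well-formed padding around a wrong CEK.
MESSAGE = b"constructed sample content"
CEK = secrets.token_bytes(CEK_LEN)
BLOB = encrypt_content(CEK, MESSAGE)
GOOD_BLOCK = pkcs1_v15_pad(CEK)
PROBES = [b"\x01" + GOOD_BLOCK[1:], pkcs1_v15_pad(secrets.token_bytes(CEK_LEN))]

if __name__ == "__main__":
    print("old behaviour:", error_classes(BLOB, PROBES, debug_decrypt=True))
    print("fixed behaviour:", error_classes(BLOB, PROBES, debug_decrypt=False))
```

With `debug_decrypt=True` the two probes produce two different errors, which is exactly the bit per query the attack consumes (about 2^20 queries against an automated recipient, per the note above); with the fix both collapse to the same "decrypt error". The random-key substitution matters as much as the uniform message: it keeps the failing path doing the same symmetric work as the succeeding one, so the failure is not trivially distinguishable by timing either.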
from 1.42 to 1.45.
Upstream changes:
1.45 2012-02-25
Added missing doc for SESSION_cmp. Patch by paul.
1.44 2012-02-25
Added missing t/data/binary-test.file to MANIFEST
1.43 2012-02-24
Fixed some typos. Patched by Neil Bowers.
SSLeay.pm convenience functions now call Net::SSLeay::initialize that
initializes the SSL library at most once.
Patch from kmx to protect SSLeay_add_ssl_algorithms from multiple loads
and reentrancy in multi-threaded perls.
Patch from kmx to add reentrancy protection for callbacks in
multithreading.
Updated ppport.h, fixed some complaints from ppport.h
Fixed a problem with CTX_use_PKCS12_file on Windows, since the file was
not opened in binary mode. Reported by kmx.
Added resources line for SVN repository to Makefile. Suggested by kmx.
Fixed complaints under some Windows compilers about cast from pointer to integer of
different size. Suggested by kmx.
Added thread safety and dynamic locking. This should complete thread
safety work, making Net::SSLeay completely thread-safe. Patches by kind
assistance of kmx.
Improvements to openssl backwards compatibility. Now build with versions
back to 0.9.6. With extreme thanks to kmx.
Improvements to documentation, thanks to kmx.
SUMMARY OF NEWLY INTRODUCED FUNCTIONS:
- Net::SSLeay::initialize
- Net::SSLeay::SSLeay
- Net::SSLeay::SSLeay_version
- Net::SSLeay::ASN1_TIME_new
- Net::SSLeay::ASN1_TIME_free
- Net::SSLeay::ASN1_TIME_set
- Net::SSLeay::P_ASN1_TIME_get_isotime
- Net::SSLeay::P_ASN1_TIME_set_isotime
- Net::SSLeay::P_ASN1_TIME_put2string
- Net::SSLeay::OpenSSL_add_all_digests
- Net::SSLeay::P_EVP_MD_list_all
- Net::SSLeay::EVP_get_digestbyname
- Net::SSLeay::EVP_MD_type
- Net::SSLeay::EVP_MD_size
- Net::SSLeay::EVP_MD_CTX_md
- Net::SSLeay::EVP_MD_CTX_create
- Net::SSLeay::EVP_MD_CTX_destroy
- Net::SSLeay::EVP_DigestInit
- Net::SSLeay::EVP_DigestInit_ex
- Net::SSLeay::EVP_DigestUpdate
- Net::SSLeay::EVP_DigestFinal
- Net::SSLeay::EVP_DigestFinal_ex
- Net::SSLeay::EVP_Digest
- Net::SSLeay::SHA1
- Net::SSLeay::SHA256
- Net::SSLeay::SHA512
- Net::SSLeay::EVP_sha1
- Net::SSLeay::EVP_sha512
Fixed a problem with set_proxy where the password was not properly
set. The code to do this went missing at some stage. Reported by Ulrich
Weber via RT.
Further improvements to testing time functions.
Added t/local/37_asn1_time.t
Added various digest functions, documentation and tests
Removed debug from P_ASN1_TIME_get_isotime. Courtesy kmx.
Remove unnecessary warnings about Random number generator not
seeded. Courtesy kmx.
Fixed an error in 04_basic.t triggered if Test::Exception not present.
Added documentation for many CTX_ functions. Courtesy kmx.
Fixed minor typos in SSLeay.xs. Courtesy kmx.
Moved documentation to new lib/Net/SSLeay.pod. Courtesy kmx.
Additions to documentation in pod. Courtesy kmx.
Fixed some incorrect return types from SSL_set_options
SSL_CTX_set_options. Courtesy kmx.
Further documentation in pod. Courtesy kmx.
Small fixes to XS code + one new trivial function SSL_CIPHER_get_name
And one more thing - 02_pod_coverage.t is turned ON passing all tests -
never ever allow a new function without at least a short doc. Courtesy
kmx.
Removed 2 unnecessary 'local $[;' from SSLeay.pm
Noteworthy changes in version 1.4.12 (2012-01-30)
-------------------------------------------------
* GPG now accepts a space separated fingerprint as a user ID.
This makes it possible to copy and paste the fingerprint from
the key listing.
* Removed support for the original HKP keyserver, which is no
longer used by any site.
* Rebuild the trustdb after changing the option --min-cert-level.
* Improved JPEG detection.
* Included more VMS patches
* Made it easier to create an installer for Windows.
* Supports the 32 bit variant of the mingw-w64 toolchain.
* Made file locking more portable.
* Minor bug fixes.
Release Notes - Heimdal - Version Heimdal 1.5.2
Security fixes
- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service
Release Notes - Heimdal - Version Heimdal 1.5.1
Bug fixes
- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates
Release Notes - Heimdal - Version Heimdal 1.5
New features
- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
in kadmind (extract keytab)
- Replace editline with libedit
This is primarily a bugfix release.
* Fix an interaction in iprop that could cause spurious excess kadmind processes
when a kprop child fails.
Changes 1.8.5:
This is primarily a bugfix release.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
[CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
Fixed incorrect documentation of how to enable CRL checking.
Fixed incorrect letter in Sebastien in Credits.
Reversed order of the Changes file to be reverse chronological.
Fixed a compile error when building on Windows with MSVC6.
1.41
Fixed incorrect const signatures for 1.0 that were causing warnings.
Now have clean compile with 0.9.8a through 1.0.0.
1.40
Fixed incorrect argument type in call to SSL_set1_param
Fixed a number of issues with pointer sizes
Removed redundant pointer cast tests from t/
Added Perl version requirements to SSLeay.pm
1.39
Downgraded Module::Install to 0.93 since 1.01 was causing problems in
the Makefile.
1.38
- Fixed a problem with various symbols that only became available
in OpenSSL 0.9.8 such as X509_VERIFY_PARAM and X509_POLICY_NODE,
causing build failures with older versions of OpenSSL.
1.37
- Added X509_get_fingerprint, contributed by Thierry Walrant (with
minor changes due to the fact that stricmp is not available). Cert
types must be lowercase. Also added test to 07_sslecho.t
- Added support for SSL_CTX_set1_param, SSL_set1_param,
selected X509_VERIFY_PARAM_* OBJ_* functions. Added new test
t/local/36_verify.t
- Fixed an uninitialized value warning in $Net::SSLeay::proxyauth
- Update so net-ssleay will compile if SSLV2 is not present.
- Fixed a problem where sslcat (and possibly other functions) expect
RSA keys and will not load DSA keys for client certificates.
- Removed SSL_CTX_v2_new and SSLv2_method() for OpenSSL 1.0 and later.
- Added CTX_use_PKCS12_file contributed by "Andrew A. Budkin".