Commit graph

1858 commits

Author SHA1 Message Date
martti
24d78764ac Added support for FreeBSD 2003-10-02 07:13:27 +00:00
jschauma
83ca290393 Update to 0.9.6k:
Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]

  *) Fix various bugs revealed by running the NISCC test suite:

     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).

     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.

     [Steve Henson]

  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
     [Steve Henson]

  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
     but also for SSL 3.0 (as required by the specification).
     [Bodo Moeller; problem pointed out by Matthias Loepfe]

  *) Change X509_certificate_type() to mark the key as exported/exportable
     when it's 512 *bits* long, not 512 bytes.
     [Richard Levitte]

 Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]

  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichbacher's attack on PKCS  v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]

  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]

  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).  Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]

 Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

 Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]

  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
     memory from it's contents.  This is done with a counter that will
     place alternating values in each byte.  This can be used to solve
     two issues: 1) the removal of calls to memset() by highly optimizing
     compilers, and 2) cleansing with other values than 0, since those can
     be read through on certain media, for example a swap space on disk.
     [Geoff Thorpe]

  *) Bugfix: client side session caching did not work with external caching,
     because the session->cipher setting was not restored when reloading
     from the external cache. This problem was masked, when
     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
     [Lutz Jaenicke]

  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
     [Zeev Lieber <zeev-l@yahoo.com>]

  *) Undo an undocumented change introduced in 0.9.6e which caused
     repeated calls to OpenSSL_add_all_ciphers() and
     OpenSSL_add_all_digests() to be ignored, even after calling
     EVP_cleanup().
     [Richard Levitte]

  *) Change the default configuration reader to deal with last line not
     being properly terminated.
     [Richard Levitte]

  *) Change X509_NAME_cmp() so it applies the special rules on handling
     DN values that are of type PrintableString, as well as RDNs of type
     emailAddress where the value has the type ia5String.
     [stefank@valicert.com via Richard Levitte]

  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
     the bitwise-OR of the two for use by the majority of applications
     wanting this behaviour, and update the docs. The documented
     behaviour and actual behaviour were inconsistent and had been
     changing anyway, so this is more a bug-fix than a behavioural
     change.
     [Geoff Thorpe, diagnosed by Nadav Har'El]

  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
     [Bodo Moeller]

  *) Fix initialization code race conditions in
        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
        ssl2_get_cipher_by_char(),
        ssl3_get_cipher_by_char().
     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]

  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
     the cached sessions are flushed, as the remove_cb() might use ex_data
     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
     (see [openssl.org ]).
     [Geoff Thorpe, Lutz Jaenicke]

  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
     length, instead of the encoding length to d2i_ASN1_OBJECT.
     [Steve Henson]
2003-10-02 02:34:39 +00:00
itojun
ee7b218482 dig DIST_SUBDIR so that we can build newer version without removing
pkgsrc/distrib/p0f.tgz manually
2003-10-01 23:43:16 +00:00
recht
64f360938e Update to 2.0.2
patch provided in PR 22939 by Adrian Portelli

Version 2.0.2:
--------------
Cleanup of the RST mess in p0fr.fp and p0f.c parser.

Added isprint() text preview for -x mode.

[BUG] Fixed packet size reporting and matching for packets over 255 bytes
(_u8 -> _u16).

Extended RST+ACK to also cover plain RST, added some sane explanations
of the purpose of each mode. Clarification of the RST vs RST+ACK
occurences; test/sendack.c added.

Added -R option for RST+ACK fingerprinting. Created an empty database.
Moved databases from /etc to /etc/p0f/

Windows memory leak mystery solved.

No longer using pcap timeouts for anything. They suck. I first wanted
to use SIGALRM with no SA_RESTART, but it's broken on Linux on this
particular syscall. Fortunately, I spotted an mis-documented  pcap_fileno and can now use select(). I just hope it won't break.

Note to self: despite of the documentation saying pcap_open_live with
timeout 0 will simply never timeout (which is irrelevant for
pcap_loop anyway), it does not work on FreeBSD, inhibiting all packet
processing instead. Works fine on Linux. Go figure.

Some minor p0fq fixes to prevent warnings.

Added some SYN+ACK signatures from rfp (p0fa.fp). Hooray!
p0fa.fp is now official. Moved from test/ to ., etc. README updated.

[BUG] Fixed the default TTL for IRIX and Tru64 (60), added a note to
p0f.fp, fixed TTL checker to also support %30 values.

[BUG] Fixed query mode lookup. The old code didn't handle reverse
lookups properly.

Masquerade scoring data is now available via the query interface.
P0fq utility updated to handle this.

Dropped /bin/bash from p0frep, /bin/sh would suffice.

Added a new -c option for -M and -Q cache size scaling, packet ratio
information on Ctrl-C to help estimate the right parameter.

Extra masquerade detection flags: -T for threshold, -V for detailed
flag breakdown; masquerade reporting now recognizes -r.

The new -w option writes all matching packets to a pcap file (regardless
of -K and -U settings).

Added -M option (unix only until p0f-query.c gets ported). This option
enables advanced masquerade detection based on the cyclic buffer
used by -Q. Added - signature flag to the config file. Some
documentation for the new functionality.

[BUG] Cleaned up the -K and -U semantics with -Q.

Replaced some single-character printfs with putchars in signature
reporting code (should be a tad faster). Added signature check
reporting, generic signature count and some other minor tweaks.

The new -x option provides a hexadecimal TCP/IP packet dump. Useful
when comparing two colliding fingerprints to find some differences
not covered by the current quirks set.

PPPoE interface is now handled correctly on NetBSD.

Added a shoddy manpage and updated makefiles.

Removed E quirk and added E to the regular options; removed needless EOL
append code from the parser. Breaks the old signature format in some
rare cases, but the old quirk is still recognized, and the user will be
advised to change it.

[BUG] Fixed ? option parsing bug that prevented RISC OS signature from
working (and would prevent all ? signatures from working, should there
be any other ;-).

New signatures and other database additions, of course.

[BUG] Fixed a very minor parser bug that could cause it to loop over
an unknown option with a declared length of zero. This is not a DoS
condition, because the parser would quit the loop after parsing max. 16
options anyway.
2003-10-01 23:13:13 +00:00
mycroft
5ebe510ed0 Trivial fix for GCC3. 2003-09-29 23:31:49 +00:00
jschauma
5bc408943d On non-SunOS, bring back
LD=${CC}
2003-09-23 20:53:52 +00:00
jschauma
91cad7d231 This version of OpenSSH doesn't need special flags for Irix anymore. 2003-09-23 19:33:14 +00:00
jschauma
d22e217b00 Update to 3.7.1p2:
Most important chcanges: security relevant bug fixes in new PAM authentication code

Changes since OpenSSH 3.7.1p1:
==============================

* This release disables PAM by default. To enable it, set "UsePAM yes" in
  sshd_config. Due to complexity, inconsistencies in the specification and
  differences between vendors' PAM implementations we recommend that PAM
  be left disabled in sshd_config unless there is a need for its use.
  Sites using only public key or simple password authentication usually
  have little need to enable PAM support.

* This release now requires zlib 1.1.4 to build correctly. Previous
  versions have security problems.

* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
  are not supported for older OpenSSL versions.

* Fix compilation problems on systems with a missing or lacking inet_ntoa()
  function.

* Workaround problems related to unimplemented or broken setresuid/setreuid
  functions on several platforms.

* Fix compilation on older OpenBSD systems.

* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
  that has not worked since the 3.7p1 release.
2003-09-23 17:52:33 +00:00
jmmv
09086b9799 This needs libpcap. Do not bump revision since the package does not change
where it already built fine.  From Jonathan Perkin in PR pkg/22913.
2003-09-23 13:15:17 +00:00
grant
0f0b2f9840 style nits 2003-09-22 03:15:33 +00:00
grant
7be5254f17 formatting nits 2003-09-22 03:13:58 +00:00
grant
4f44662287 as this pkg now calls the linker directly, we need to explicitly
specify -lc on Solaris.

remove a bogus hack setting LD=${CC} which was also breaking the
build on Solaris.
2003-09-22 01:18:38 +00:00
grant
16dbb5f911 run ranlib over libskey.a in post-install, to appease Darwin's linker 2003-09-22 00:56:48 +00:00
jmc
51812310e9 Add USE_BUILDLINK2 so this picks up a proper depend 2003-09-21 09:39:21 +00:00
jmc
a1955f66e2 Hand generate the first part of this patch to avoid an RCS expansion on
checkouts
2003-09-21 09:03:37 +00:00
jmc
0dad2927b3 Comment out setenv.c for NetBSD. System library has working copies and
unsetenv conflicts anyways.
2003-09-21 08:54:00 +00:00
jmc
b10fb83eb5 Comment out setenv.c for NetBSD. System library has working copies and
unsetenv conflicts anyways.
2003-09-21 08:53:35 +00:00
jmc
207ce032a0 Check openssl version and use new DES api if >= 0.9.7. Allows build to
work on -current again. Bump PKGREVISION
2003-09-21 08:35:51 +00:00
jmc
b74f6c1605 Bump PKGREVISION as DES patches allow this to work on -current again 2003-09-21 08:02:59 +00:00
jmc
79d0da89fe Add some patches so if using openssl >= 0.9.7 the new des API is used 2003-09-21 08:02:21 +00:00
agc
781a0fe476 Mark tripwire as being only for NetBSD and Solaris right now.
The Darwin compile time configuration is easy to write, but I don't have a
Darwin box handy, and so the tw.conf.darwin is a bit difficult to write as
there tend to be a few non-standard paths.

In response to PR 22362.
2003-09-19 13:26:12 +00:00
wiz
833162b90d Remove patch-a{a,b,c,d} -- I wonder where they are :) 2003-09-19 13:18:30 +00:00
hubertf
0149e16994 fix HOMEPAGE 2003-09-19 02:02:07 +00:00
jmc
1e1df89533 Needs USE_BUILDLINK2 to get dependency on python correctly 2003-09-18 04:17:12 +00:00
jmc
79d29b68a5 Make this work with 0.9.7 openssl (and other non-pkgsrc installed nbsd versions 2003-09-18 04:09:17 +00:00
jschauma
97b01bddae Ok, so we can make this work on Irix by adding
-DSETEUID_BREAKS_SETUID -DBROKEN_SETREUID -DBROKEN_SETREGID
to the CFLAGS.  Wuppi.
2003-09-18 02:11:38 +00:00
grant
40614d0b3c get rid of USE_GCC2/3 in pkg Makefiles, and set GCC_REQD or
USE_PKGSRC_GCC as appropriate, as this is handled by compiler.mk now.
2003-09-17 19:39:58 +00:00
jschauma
7c1fd4eb84 Mark OpenSSH-3.7x as *not available for IRIX*!
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work:  It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.

(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
2003-09-17 16:42:01 +00:00
jwise
a5096f14e8 Update for _new_ new OpenSSH patch, bump pkgrevision.
``Oops, they did it again.''
2003-09-17 14:27:03 +00:00
grant
3783c766e5 move ftp.openssh.com to the top, as it's the only site which has the
new distfile so far.
2003-09-16 23:06:22 +00:00
grant
af8cc1bb0f Update openssh to 3.7.1p1.
Changes since 3.7p1:

more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
2003-09-16 23:05:33 +00:00
jwise
3f8ae3a319 Apply security patch for OpenSSH-3.6.1p2 recently released by openssh team.
PKGREVISION bump, and BROKEN= removed.

While there, fix Solaris short pkg name.
2003-09-16 18:15:26 +00:00
grant
3222b9705d missed a pkg-vulnerabilities filename 2003-09-16 14:50:47 +00:00
grant
8701611d07 netbsd.org -> NetBSD.org. 2003-09-16 14:47:49 +00:00
grant
651a74f47a correct name of pkg-vulnerabilities file; netbsd.org -> NetBSD.org;
add missing word; bump date.
2003-09-16 14:46:52 +00:00
grant
6152558d3d ftp.netbsd.org -> ftp.NetBSD.org 2003-09-16 14:33:01 +00:00
jwise
69576d038a Mark this package as broken until an updated version of the openssh+gssapi
patch is available, as OpenSSH-3.6.1p2 contains another buffer overflow.
2003-09-16 14:05:47 +00:00
grant
aaa76f9d3a Update openssh to 3.7p1.
Large number of changes since 3.6.1p2, the most pertinent being:

* do not expand buffer before attempting to reallocate it (buffer.c)

note that NetBSD-current already includes this fix.

other changes include:

* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
  kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes

see the ChangeLog for full details.
2003-09-16 13:52:30 +00:00
agc
4842dd4749 Update audit-packages to 1.23.
Use the first word of ${FETCH_CMD} to determine which utility is used.

Addresses PR 22760 from Todd Vierling.
2003-09-16 09:06:03 +00:00
agc
1cbfd70c0e Update audit-packages to 1.22:
Make an informational message clearer.
2003-09-16 07:21:01 +00:00
recht
e914ab3288 hange extension.mk to also install optimized files for distutils packages.
Inspired by FreeBSD "ports".

Fix the PLISTs accordingly.
Also, while at it, remove now obsolete compileall.py calls in post-install
targets and insure that extension.mk is in included before builinlinks of
other Python modules.

Discussed with/ok'ed by drochner@.
2003-09-14 16:43:45 +00:00
jlam
18d4961b21 Use SHLIBTOOL to install the plugins since we used it to build them. 2003-09-13 19:18:16 +00:00
jlam
48099e406a * Use LIBTOOL_OVERRIDE instead of LTCONFIG_OVERRIDE.
* Use ${SHLIBTOOL} to build the shared plugins so we don't get the useless
  lib<plugin>.a file.
2003-09-13 19:08:50 +00:00
jlam
7ea4564bab Updated security/p5-IO-Socket-SSL to 0.95. Changes version version 0.93
include:

        - Better opened() behavior when sockets close unexpectedly.
        - Added support for WeakRef and Scalar::Util to allow
          IO::Socket::SSL objects to auto-destroy themselves when
          they go out of scope.
        - Added croak()ing for unimplemented send() and recv() methods
          so they are not accidentally used to transmit unencrypted
          data.  The Perl builtin functions cannot be reliably trapped
          and are still dangerous, a fact that the POD now reflects
        - Changed accept() to use inherited accept() instead of
          IO::Socket::accept, so that IPv6 inheritance is possible.
        - Added options to import() so that a user could specify
          IPv6 or IPv4 mode of operation.
2003-09-13 12:24:08 +00:00
jlam
e3ece173c9 Update security/p5-Net-SSLeay to 1.25. Changes from version 1.23 include:
- new features: http and raw tcp support
        - fixed apparent STDIO vs. sysread bug in proxy connect
        - added tcpecho.pl and tcpcat.pl to MANIFEST
        - fixed some further bugs with TCP read all, etc.
        - fixed some const char pointer warnings
2003-09-13 12:16:57 +00:00
jlam
79386bc77e Remove redundant TEST_TARGET definition that matches the default one in
perl5/module.mk.
2003-09-13 06:22:49 +00:00
jlam
4f81faa05b Update security/p5-Digest-MD5 to 2.27. Changes from version 2.24 include:
Don't assume PerlIO_read() works like fread() even though
   it was documented like that for perl 5.6.  It returns negative
   on read failure.

   The $md5->addfile method now croaks if it discovers
   errors on the handle after reading from it.  This should
   make it more difficult to end up with the wrong digest
   just because you are to lazy to check the error status
   on your file handles after reading from them.

   Improved documentation.
2003-09-12 23:11:03 +00:00
jlam
cb52064964 Update security/p5-Digest-SHA1 to 2.04. Changes from version 2.02 include:
Don't assume PerlIO_read() works like fread() even though
   it was documented like that for perl 5.6.  It returns negative
   on read failure.

   Implemented sha1_transform, required to implement NIST FIPS 186-2.

   Make it build on 64-bit platforms with 32-bit longs.

   Sync up with the Digest::MD5 implementation:
      - added clone method
      - addfile croaks if it can't read
      - the sha1*() functions warn if called as method
        or with reference arguments.
2003-09-12 21:22:32 +00:00
grant
ac2754dcb7 kill all references to gcc.buildlink2.mk and compiler.mk, and define
USE_GCC2 or USE_GCC3 where appropriate.

the functionality of the old gcc.buildlink2.mk has been rolled into
compiler.mk now, which is automatically used.

more changes to come later...
2003-09-12 20:07:06 +00:00
seb
336d68c05a Update to version 1.21.
download-vulnerability-list(8) now needs digest(1).
Hence put digest package as a runtime dependency of audit-packages
package.
2003-09-12 12:57:10 +00:00