Upstream changes:
0.24 Sat Jan 10 00:45:34 MST 2015
- simplified shabits() routine (bitwise input buffering)
-- slightly less efficient but easier to understand
- minor documentation tweaks and additions
0.23 Sun Jan 4 05:36:30 MST 2015
- updated to reflect Draft FIPS 202
-- append domain separation bits to message
-- implement SHAKE128 and SHAKE256 Extendable-Output
Functions (XOFs)
The intention of zmsystemctl.pl is to use bin/pkexec to allow the apache user
to start and stop the ZoneMinder services on operating systems using systemd
and newer versions of Polkit than Pkgsrc currently has.
If the base OS doesn't use systemd (E.g. anything not Linux), this file
shouldn't be used anyway.
In Pkgsrc we ignore the potentially absent pkexec interpreter in this file.
If the base OS uses systemd, it probably also has pkexec in its base
installation.
Bump PKGREVISION.
service_identity aspires to give you all the tools you need for
verifying whether a certificate is valid for the intended purposes.
In the simplest case, this means host name verification. However,
service_identity implements RFC 6125 fully and plans to add other
relevant RFCs too.
py-bcrypt is a Python wrapper of OpenBSD's Blowfish password hashing code, as
described in "A Future-Adaptable Password Scheme" by Niels Provos and David
Mazieres.
This system hashes passwords using a version of Bruce Schneier's Blowfish block
cipher with modifications designed to raise the cost of off-line password
cracking and frustrate fast hardware implementation. The computation cost of the
algorithm is parametised, so it can be increased as computers get faster. The
intent is to make a compromise of a password database less likely to result in
an attacker gaining knowledge of the plaintext passwords (e.g. using John the
Ripper).
As of py-bcrypt-0.4, this module can also be used as a Key Derivation Function
(KDF) to turn a password and salt into a cryptographic key.
It operates the mozilla-rootcerts installer script in order to allow
managing the resulting output openssl certs with the package tools.
Since openssl does not support more than one directory of certificates
(sheesh) this is an abusive package - it installs directly into the
openssl certs directory even though this is a sysconfig directory that
should normally only be touched using the config files infrastructure.
And, for native openssl, it's in the root /etc outside of $PREFIX.
Nonetheless, having this package is better than not having it.
Probably at some point this and the mozilla-rootcerts package should
be folded together in some fashion; but I didn't want to do that up
front, and in particular I didn't want to muck with the installer
script in mozilla-rootcerts any more than necessary to make this
package possible. This in particular prevented e.g. installing the
certs in share/ and symlinking them into the certs directory.
As things are, if you already have the certs installed manually you
can install this package over them cleanly, and thenceforth not have
to update them by hand.
Noteworthy changes in version 0.9.1 (2015-03-18)
------------------------------------------------
* Fixed build problems for systems without ncurses.
* Reworked the option parser to allow building on systems without
getopt_long.
* Fixed Qt4 build problems.
Noteworthy changes in version 1.19 (2015-04-10) [C15/A15/R0]
-----------------------------------------------
* New set of error codes for use with LDAP.
* New options --help and --defines for gpg-error.
* Allow building with gcc 5.
* Interface changes relative to the 1.18 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_LDAP_* NEW.
* Avoid compilation error on tolower and char type.
Changelog:
2015-02-28 PuTTY 0.64 released, fixing a SECURITY HOLE
PuTTY 0.64, released today, fixes a security hole in 0.63 and before:
private-key-not-wiped-2. Also diffie-hellman-range-check has been argued
to be a security hole. In addition to these and other less critical bug
fixes, 0.64 also supports the major new feature of sharing an SSH connection
between multiple instances of PuTTY and its tools, and a command-line and
config option to specify the expected host key(s).
Numerous changes, documented at:
https://github.com/ZoneMinder/ZoneMinder/releases
Addresses two security advisories:
https://github.com/ZoneMinder/ZoneMinder/releases/tag/v1.28.0http://secunia.com/advisories/62918/
Pkgsrc changes:
patch-src_zm_signal_h is no longer necessary because zm_signal.h uses
HAVE_EXECINFO_H.
patch-src_zmf_cpp appears to be applied upstream.
patch-configure_ac no longer needs to set PATH_BUILD to
PREFIX/share/zoneminder, so that zmupdate.pl can locate the database build
scripts as installed files. Upstream has now implemented this via the
ZM_PATH_DATA entry in zm.conf, and adds a ZM_PATH_DATA/db subdirectory.
src/Makefile.am no longer setuid's zmfix, as zmfix was removed from
ZoneMinder 1.26.6.
The code now uses clock_gettime(), which on some systems (like Linux), calls
for -lrt. Since the build system isn't aware of this, but Pkgsrc is, just set
PTHREAD_AUTO_VARS=yes.
The PHP code now uses PDO for DB access, but it looks like there are some
straggling dependencies on the raw MySQL driver, so both are pulled in.
py-six and removed py-mock as dependencies for the tests option. Some
commits from the repo:
Enable coverage testing and require 100% coverage
Upgrade crypt_blowfish to 1.3
Removed usage of mock which wasn't really doing anything
NEWS from last pkgsrc version:
2.4.1 - Septembre 28th 2014
---------------------------
56 commits, 35 files changed, 12590 insertions(+), 31117 deletions(-)
- fix bug #4455 runtime bug in perl binding on debian wheezy 32bits #
- fix warning on g_type_init() on GLib > 2.36
- lot of null pointer, boundary checks, and dead code removal after validation
using Coverity and Clang static analyzer (Simo Sorce)
- always set NotOnOrAfter on the Condition element
- fix pkg-config typo (Simon Josefsson)
- Python binding now conserve the order of session indexes values
- fix memory leaks
- Python bindings now automatically convert unicode values to UTF-8
2.4.0 - January 7th 2014
------------------------
281 commits, 933 files changed, 45384 insertions, 6313 deletions
Minor version number increase since ABI was extended (new methods).
- Key rollover support:
Lasso is now able to accept messages signed by any key declared as a signing
key in a metadata and not just the last one. You can also decrypt encrypted
nodes using any of a list of private keys, allowing roll-over of encryption
certificates. Signing key roll-over is automatic, your provider just have to
provide the new signing key in their metadata. For multiple-encryption key
you can load another private key than the one loaded in the LassoServer
constuctor with code like that:
>>> import lasso
>>> server = lasso.Server(our_metadata, first_private_key_path)
>>> server.setEncryptionPrivateKey(second_private_key_path)
See the FAQ file for the workflow of a proper key roll-over.
- Partial logout response now produces a specific error code when parsed by
lasso_logout_process_response_msg()
- Bugs in lasso_assertion_query_build_request_msg() were fixed
- Processing of assertions is not stopped when checking that first level
status code is not success, so that later code can check the second level
status code.
- A new generic error for denied request was added,
LASSO_PROFILE_ERROR_REQUEST_DENIED
- A new API lasso_server_load_metadata() was added to load federation files
(XML files containing metadata from multiple providers) and to check
signatures on them.
- Better warning and errors are reported in logs when failing to load a
metadata file.
- Bugs around missing namespace declaration for dump file were fixed, it
prevented reloading dumped object (like LassoLogin).
- lasso_node_get_xml_node_for_any_type() must be able to copy the content of
an XML node to another (namespace, attribute and children). It did not, now
it is fixed. It can be used for example to add specific attribute like
xsi:type="string" to a Saml2AttributeValue. Here is a python snippet to do that:
>>> import lasso
>>> a = lasso.Saml2AttributeValue()
>>> a.setOriginalXmlnode('<Dummy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="string">Value</Dummy>')
>>> print a.debug(0)
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="string">Value</saml:AttributeValue>
- support for symetric keys signatures: for a long time XMLDsig standard has
supported HMAC signature, or signature based on a shared secret key an hash
algorithm. Lasso now supports to share a key with another Lasso using
service or identity provider and to verify and sign SAML exchange using this
key. Performance can be 100 times more than with assymetric cryptography,
i.e. RSA.
- nodes able to hold any XML attribyte (like saml:AttributeValue) contains a
hashtable to for holding those attributes, those hashtable have a new syntax
for attributes of another namespace than the current node namespace,
inspired by the Python ElementTree library:
{the_namespace}the_attribute_name
ex:
{http://www.w3.org/2001/XMLSchema-instance}type
for the classic xsi:type attribute.
- xmldsig:X509Data node now possess a binding as a Lasso object. You can use
it combined with the new class LassoSaml2KeyInformationDataType to use the
holder-of-key subject confirmation method.
- The perfs benchmarking tools now allows to select a different metadata set
(for example to test with different public key sizes).
- Perl minimal version for the binding was downgraded to 5
- pseudo-XSchema validation: the new XML deserializer does more to enforce
constraints of the schema defining SAML messages. It means Lasso is less
forgiving with non-conform implementation of SAML.
- thin-sessions mode: A new flag was added named thin-session, you can set it
using lasso_set_flag("thin-sessions") or by setting the LASSO_FLAG
environement variable to the string "thin-sessions". The effect of this flag
is to remove complete storage of assertions in the LassoSession object,
which was made mainly to support logout and the artifact binding for ID-FF
1.2. A new thinner structure is used for supporting logout, and ID-FF 1.2
can now use the same storage mechanism as the SAML 2 implementation for the
artifact binding (i.e. using lasso_profile_get_artifact_message after
artifact generation and lasso_profile_set_artifact_message before artifact
retrieval).
- better initialization and access to SessionIndex in logout requests:
LassoSession now store all generated SessionIndex for a session using a
small structure, using it the LassoLogout profile can now initialize
LassoLogout message with all of them. It's not necessary to implement this
functionnalitý in your service or identity provider anymore.
- new LassoKey object: this new class was introduced to simplify management of
keys when using shared key signature. But you can also use it to load
assymetric keys. In the future it should gain API to do XML signature and
encryptiong independently of any SAML 2.0 or ID-FF 1.2 exchange. Providing
the first simple binding of libxmlsec to Python.
- Improvements to autoconf and automake files to compile under Darwin (Mac Os
X) and Fedora.
- a FAQ file was started.
- added API:
LASSO_LOGOUT_ERROR_PARTIAL_LOGOUT
LASSO_PROFILE_ERROR_ENDPOINT_INDEX_NOT_FOUND
LASSO_PROFILE_ERROR_REQUEST_DENIED
LASSO_PROVIDER_ROLE_ALL
LASSO_SERVER_ERROR_NO_PROVIDER_LOADED
LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE
LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT
LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE
LASSO_SIGNATURE_METHOD_HMAC_SHA1
LASSO_SIGNATURE_METHOD_NONE
LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA
LASSO_XMLENC_HREF
LASSO_XMLENC_PREFIX
struct LassoDsX509Data { LassoDsX509DataPrivate* private_data }
struct LassoKey { LassoKeyPrivate* private_data }
struct LassoSaml2KeyInfoConfirmationDataType { LassoSaml2KeyInfoConfirmationDataTypePrivate* private_data }
LassoServerLoadMetadataFlag
LassoDsX509Data* lasso_ds_key_value_get_x509_data ( LassoDsKeyValue* key_value )
None lasso_ds_key_value_set_x509_data ( LassoDsKeyValue* key_value, LassoDsX509Data* x509_data )
const char* lasso_ds_x509_data_get_certificate ( LassoDsX509Data* x509_data )
const char* lasso_ds_x509_data_get_crl ( LassoDsX509Data* x509_data )
const char* lasso_ds_x509_data_get_subject_name ( LassoDsX509Data* x509_data )
GType lasso_ds_x509_data_get_type ( )
LassoDsX509Data* lasso_ds_x509_data_new ( )
None lasso_ds_x509_data_set_certificate ( LassoDsX509Data* x509_data, const char* certificate )
None lasso_ds_x509_data_set_crl ( LassoDsX509Data* x509_data, const char* crl )
None lasso_ds_x509_data_set_subject_name ( LassoDsX509Data* x509_data, const char* subject_name )
GType lasso_key_get_type ( )
LassoKey* lasso_key_new_for_signature_from_base64_string ( char* base64_string, char* password, LassoSignatureMethod signature_method, char* certificate )
LassoKey* lasso_key_new_for_signature_from_file ( char* filename_or_buffer, char* password, LassoSignatureMethod signature_method, char* certificate )
char* lasso_key_query_sign ( LassoKey* key, const char* query )
lasso_error_t lasso_key_query_verify ( LassoKey* key, const char* query )
xmlNode* lasso_key_saml2_xml_sign ( LassoKey* key, const char* id, xmlNode* document )
lasso_error_t lasso_key_saml2_xml_verify ( LassoKey* key, char* id, xmlNode* document )
GList* lasso_lib_logout_request_get_session_indexes ( LassoLibLogoutRequest* lib_logout_request )
None lasso_lib_logout_request_set_session_indexes ( LassoLibLogoutRequest* lib_logout_request, GList* session_indexes )
lasso_error_t lasso_provider_add_key ( LassoProvider* provider, LassoKey* key, gboolean after )
lasso_error_t lasso_provider_set_server_signing_key ( LassoProvider* provider, LassoKey* key )
int lasso_provider_verify_signature ( LassoProvider* provider, const char* message, const char* id_attr_name, LassoMessageFormat format )
GList* lasso_saml2_key_info_confirmation_data_type_get_key_info ( LassoSaml2KeyInfoConfirmationDataType* kicdt )
GType lasso_saml2_key_info_confirmation_data_type_get_type ( )
LassoNode* lasso_saml2_key_info_confirmation_data_type_new ( )
None lasso_saml2_key_info_confirmation_data_type_set_key_info ( LassoSaml2KeyInfoConfirmationDataType* kicdt, GList* key_infos )
gboolean lasso_saml_name_identifier_equals ( LassoSamlNameIdentifier* a, LassoSamlNameIdentifier* b )
lasso_error_t lasso_server_add_provider2 ( LassoServer* server, LassoProvider* provider )
lasso_error_t lasso_server_load_metadata ( LassoServer* server, LassoProviderRole role, const gchar* federation_file, const gchar* trusted_roots, GList* blacklisted_entity_ids, GList** loaded_entity_ids, LassoServerLoadMetadataFlag flags )
GList* lasso_session_get_assertion_ids ( LassoSession* session, const gchar* providerID )
GList* lasso_session_get_name_ids ( LassoSession* session, const gchar* providerID )
GList* lasso_session_get_session_indexes ( LassoSession* session, const gchar* providerID, LassoNode* name_id )
devel/zlib, textproc/libxslt, textproc/libxml2, devel/cppunit, mk/pthread.
Patches were defuzzed and updated. Patch added to fix LIBDIR expansion.
List of changes since the last version and this one is 2788 lines long.
Interested parties can find the ChangeLog in the doc/ directory of the
distfile or at:
http://sourceforge.net/p/fwbuilder/code/ci/builds/tree/doc/ChangeLog
default and users of other package management systems might imagine this
package functioning the same way. However, the PLIST differs by one item
without it, which users may change at their discretion. Add zlib option
too which I'd missed during the previous update. Bump PKGREVISION.
is very long and, if you're interested, they can be found here:
https://tls.mbed.org/download-archive
by reading all the ChangeLogs from 1.2.12-1.3.9. The pkgsrc changes are:
Use cmake for build, as that's what upstream recommends and is less likely
to fail cross-platform for future releases. Needs pkg-config due to that.
Build and install shared library. Remove executable permission from static
library during post-install. Needs pthreads and openssl. Tested this build
against the build of latest version of powerdns (update coming).
'#' and 'define') - avoids unconditionally building pkgsrc openssl
on netbsd-current.
ok'd for during the freeze after an excessively long discussion :-/
