The patch looks wrong to me, though, because stdint.h should be
generated in lib/gllib/ if the system does not have it (or if it is not
correct), and the -I's should make the code find the local file instead.
Thus, the code should be able to unconditionally include the header
file.
(missed those and *emacs* the first time round because they pull
in their png dependencies via default-on options; they were included
in the test bulk build though)
Lots of changes, including
* After a transition period of about 10 years, this release disables
SSH protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
* Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is automatically enabled on all
platforms that support dlopen(3) and was inspired by patches written
by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.
* Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (not X.509). Certificates
contain a public key, identity information and some validity
constraints and are signed with a standard SSH public key using
ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
or via a TrustedUserCAKeys option in sshd_config(5) (for user
authentication), or in known_hosts (for host authentication).
Documentation for certificate support may be found in ssh-keygen(1),
sshd(8) and ssh(1) and a description of the protocol extensions in
PROTOCOL.certkeys.
* Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
stdio on the client to a single port forward on the server. This
allows, for example, using ssh as a ProxyCommand to route connections
via intermediate servers. bz#1618
This switches to the gnome-2.30 release branch
pkgsrc note: temporarily add a dependency on libgnome-keyring which
was split out of the old gnome-keyring pkg, so that client pkgs
get the same as before
Noteworthy changes in version 1.8 (2010-05-06)
----------------------------------------------
* Support for WindowsCE.
* New option --list for gpg-error.
* Interface changes relative to the 1.7 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_NOT_ENABLED NEW.
GPG_ERR_SOURCE_G13 NEW.
GPG_ERR_NO_ENGINE NEW.
gpg_err_set_errno NEW.
* May 26 2010
Changes in XML Security Library 1.2.16 release:
* New xmlsec-gcrypt library.
* xmlsec-gcrypt: Added RSA with SHA1/SHA256/SHA384/SHA512/MD5/RIPEMD160, DSA
with SHA1, AES/DES KW support.
* xmlsec-gnutls: Added X509 support and converted the library to use xmlsec-
crypt library for all crypto operations.
* xmlsec-mscrypto: RSA/OAEP and AES/DES KW support.
* Several minor bug fixes and code cleanups.
* April 29 2010
Changes in XML Security Library 1.2.15 release:
* xmlsec-mscrypto: Added HMAC with MD5, SHA1, SHA256/384/512; RSA with MD5,
SHA256/384/512 support.
* xmlsec-mscrypto: Converted to Unicode (the non-Unicode builds are still
available as compile time option).
* xmlsec-nss: Added MD5 and SHA256/384/512 support for digest, HMAC and RSA
(the new minimum required version for NSS library is 3.9).
* xmlsec-gnutls: Added SHA256/384/512 for digest and HMAC; MD5 and RIPEMD160
digests support (the new minimum required version for GnuTLS library is
2.8.0).
* Fixed typo: "Copyrigth" should be "Copyright".
* Several critical bug fixes and code cleanups.
* December 5 2009
Changes in XML Security Library 1.2.14 release:
* XMLSec library is switched from built-in LTDL library to the system LTDL
library on Linux/Unix and native calls on Windows to fix security issue
(CVE-2009-3736) in LTDL.
* Fixed minor bugs (see log for complete list).
* Noteworthy changes in release 2.7 (2010-05-20) [stable]
- Doc: Build a PDF manual using GTK-PDC.
- Doc: Fix of asn1_check_version, documentation was missing from last release.
- Build: Avoid warnings about ignored visibility attributes on Windows.
For more detail: http://www.sudo.ws/sudo/alerts/secure_path.html
Summary:
Sudo "secure path" feature works by replacing the PATH environment
variable with a value specified in the sudoers file, or at
compile time if the --with-secure-path configure option is used.
The flaw is that sudo only replaces the first instance of PATH
in the environment. If the program being run through sudo uses
the last instance of PATH in the environment, an attacker may
be able to avoid the "secure path" restrictions.
Sudo versions affected:
Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.
OpenSSL CHANGES
_______________
Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
*) Correct a typo in the CMS ASN1 module which can result in invalid memory
access or freeing data twice (CVE-2010-0742)
[Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
*) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
common in certificates and some applications which only call
SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
[Steve Henson]
*) VMS fixes:
Reduce copying into .apps and .test in makevms.com
Don't try to use blank CA certificate in CA.com
Allow use of C files from original directories in maketests.com
[Steven M. Schweda" <sms@antinode.info>]
+ avoid possible free() of new value passed to netpgp_setvar(),
with thanks to Anon Ymous.
+ netpgpkeys(1): print keys to stdout, not stderr - reported by Anon
Ymous.
+ fix DSA signatures and verification
+ simplify and shorten the internals of packet processing by getting rid of
the intermediate pseudo-abstraction layer, which detracted from understanding
and had no benefit whatsoever. Rename some enums and some definitions.
+ add some checking to new key generation, and don't try to read in
the keys after writing them - reported by Tyler Retzlaff
+ netpgpverify - avoid the separate codebase, and just use libnetpgp(3)
pkgsrc changes:
- patches/patch-aa no longer required
- Added LICENSE
Changelog:
ARC4 & CTR support, IP6 support, and various bug fixes (incl. an important
Windows random number generation fix)
2.2.91 - January 26th 2010
--------------------------
A new Perl binding, fix for backward compatibility with old versions of glib,
LassoLogout API is more robust since it does not need anymore for all SP logout
to finish to work, new macro lasso_list_add_new_xml_node, add support for
WS-Security UsernameToken (equivalent of poor man HTTP Digest Authentication),
make public internal APIs: lasso_session_add_assertion,
lasso_session_get_assertion and lasso_session_remove_assertion.
2.2.90 - January 18th 2010
--------------------------
Lots of internal changes and some external one too.
There is a new api to force, forbid or let Lasso sign messages, it is called
lasso_profile_set_signature_hint.
Big overhaul of the ID-WSF 1 and 2 codes, and of the SAML 2.0 profiles. Now all
SAML 2.0 profile use common internal functions from the lasso_saml20_profile_
namespace to handle bindings (SOAP,Redirect,POST,Artifact,PAOS). New internal
API to load SSL keys from many more formats from the public API.
In ID-WSF 2.0, Data Service Template has been simplified, we no more try to
apply queries, it is the responsability of the using code to handle them.
In bindings land, the file bindings/utils.py has been stuffed with utility
function to manipulate 'type' tuple, with are now used to transfer argument and
type description, their schema is (name, C-type, { dictionary of options } ),
they are now used everywhere in the different bindings. We support output
argument in PHP5, Python and Java, i.e. pointer of pointer arguments with are
written to in order to return multiple values. For language where the binding
convert error codes to exceptions (all of them now), the ouput value is
returned as the normal return value of the method, so only one output argument
is handled for now.
We now use GObject-introspection annotations in the documentation to transfer
to the binding generator the necessary metadata about the API (content of
lists, hashtables, wheter pointer are caller/callee owned, can be NULL or if
argument have a default value). The file bindings/override.xml is now
deprecated.
In documentation land, the main reference documentation was reorganizaed and
more symbols have been added to it. Many more functions are documented.
There is now tools to control the evolution of the ABI/API of Lasso.
Pkgsrc changes:
- placate pkglint
Upstream changes:
[Changes for 0.64 - Sun, 9 May 2010 00:50:11 +0200]
* Avoid creating gnupg configuration files for the user invoking Makefile.PL
(Closes RT#41978).
* Correctly detect the version of gnupg on cygwin and add tests for it
(Paul Fenwick) (Closes RT#39258).
- Addition of a "make clean" target. removal of runtests as it is currently
broken.
- New release process in Makefile and release.sh - keychain release tarball
will now contain pre-generated keychain, keychain.1 and keychain.spec so
that users do not need to run "make". Updated README.rst to refer to the
"source code" as a "release archive" since it contains both source code and
ready-to-go script and man page.
- GPG fix from Gentoo bug 203871; This fix will fix the issue with pinentry
starting in the background and not showing up in the terminal.
* keychain 2.7.0 (23 Oct 2009)
- lockfile() replacement from Parallels Inc. OpenVZ code, takelock() rewrite,
resulting in ~100 line code savings. Default lock timeout set to 5 seconds,
and now keychain will try to forcefully acquire the lock if the timeout
aborts, rather than simply failing and aborting.
- MacOS X/BSD improvements: fix sed call in Makefile for MacOS X and presumably
other *BSD environments. Rename COPYING to COPYING.txt + slight COPYING.txt
formatting change. Fixed POD errors (removed '=end').
- Disable "Identity added" messages when --quiet is specified.
(Gentoo bug #250328)
--help will print output to stdout (Gentoo bug #196060)
output cleanup and colorization changes - moving away from blue and over to
cyan as it displays better terminals with black background.
Also some additional colorization.
* keychain 2.6.9 (26 Jul 2009)
- Close Gentoo bug 222953 fix potential issues with GNU grep, Mac OS X color
fix when called with --eval.
- Perl 5.10 Makefile fix. Transition README to README.rst (reStructuredText).
Updated maintainership information.
Simplified default output
* Respect --disable-64bit
* Respect $DESTDIR for config files
* The binaries can now show the version number
* softhsm-keyconv could not handle --ttl properly
* Link softhsm static with libsofthsm
* Build libsofthsm.so without version number
* libsofthsm.so is now a loadable module
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.
Upstream changes:
v1.33 2010.03.17
- attempt to make t/memleak_bad_handshake.t more stable, it fails
for unknown reason on various systems
- fix hostname checking: an IP should only be checked against
subjectAltName GEN_IPADD, never against GEN_DNS or CN.
Thanks to rusch[AT]genua[DOT]de for bug report
* Noteworthy changes in release 2.6 (2010-04-20) [stable]
- Fix build failure on platforms without support for GNU LD version scripts.
- libtasn1: Simplified implementation of asn1_check_version.
- tests: Improved self-checks.
- Update gnulib files, fix many syntax-check nits, indent code,
fix license templates.
Changes since 0.0.8a:
- Decoder can now treat values of unknown types as opaque OctetString.
- Fix to Set/SetOf type decoder to handle uninitialized scalar SetOf
components correctly.
- API versioning mechanics retired (pyasn1.v1 -> pyasn1) what makes
it possible to zip-import pyasn1 sources (used by egg and py2exe).
- Allow any non-zero values in Boolean type BER decoder, as it's in
accordnance with the standard.
