Changes:
0.07 2012.06.06
- Made Math::BigInt::* dependency dynamic to avoid Math::BigInt falling
back to BigInt backends that are too slow for practical use.
=== 2.6.7 / 11 Apr 2013
* Decreased default packet size to 32768 as described in RFC 4253 [Olipro]
* Added max_pkt_size and max_win_size options to Net::SSH.start [Olipro]
* Added import/export of ycfg-json format.
Invoke with -fjson to -s or -i
Add exported functions ykp_export_config() and ykp_import_config()
* Fixup output of flags when using ykp_write_config()
* Add binary builds for mac.
* Minor cleanups noticed during debian packaging.
Version 1.12.0 (released 2013-03-14)
* Recognize firmwares 2.4 and 3.1.
* Add support for setting the new extflag LED_INV
When set the behaviour of the led on the YubiKey is inversed.
(Moved HOMEPAGE and MASTER_SITES to the new GitHub project URLs)
* Add ykclient_global_init and ykclient_global_done.
* Add ykclient_version.h header file with versioning information.
New symbols are YKCLIENT_VERSION_STRING, YKCLIENT_VERSION_NUMBER,
YKCLIENT_VERSION_MAJOR, YKCLIENT_VERSION_MINOR,
YKCLIENT_VERSION_PATCH. New function ykclient_check_version.
* Modified API to use 'ykclient_rc' enum as return type instead of 'int'.
* Enum also moved to separate new header file ykclient_errors.h.
This should be backwards compatible. It makes the return type
clearer.
* Improve curl multi usage.
* ykclient: Cleanup command line tool a bit to make it more useful.
Added --help, --version and --debug. Defaults to silent output. Exit
codes are documented and more useful. Added manpage.
(Moved HOMEPAGE and MASTER_SITES to the new GitHub project pages)
Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
Improve interoperability with some Windows native PKINIT clients.
- New Features
- dnssec-nodes - Many new features, including validation tree
graphing, on-the-wire traffic display, pcap dump
file display, increased data logging and
display, improved simultaneous updating, etc.
- Libval: - Added initial support for the TLSA rrtype
- Added support for ECDSA
- Implemented checking for AI_ADDRCONFIG in getaddrinfo
- Memory optimizations to improve speed-up
- dnssec-check - increased stability across all platforms.
- All Around: - Many bug fixes and other minor improvements
1.13
- New Features
- rollerd: - Added support for the signzone command. Allow
zones to be signed while in the midst of a
rollover wait.
- Added autosigning of modified zone files. Zone
files are considered modified when their "last
modification" timestamp is more recent than that
of the associated signed zone file. This
functionality includes adding the -autosign option
and config field.
- Added additional commands (via rollctl) to allow
greater control over zone rollover actions.
- Added -zsargs option to allow global options to
be passed to zonesigner.
- realms: - Added the realms feature to manage multiple
simultaneous rollover environments. Several
commands and modules (e.g., dtrealms, realms.pm,
buildrealms) were added for the realms feature.
- zonesigner: - Added the -threshold option to specify a signing
threshold.
- Better handling of serial numbers in zone files.
- keymod: - New tool that can be used to modify key
generation parameters in a keyrec file.
- dnssec-check - significant rewrite since the 1.12 release, though
individual updates have been available already.
- Asynchronous support for non-interrupting GUI support
- Letter grades assigned to each resolver
- Various user-interface improvements
- libval: - Bug fixes
- Renamed all validator command-line apps to have
a dt- prefix in order to avoid conflicts with
pre-existing executables in certain platforms.
- dnsval python module
- Add python wrapper module for the validator
library. Code contributed by Bob Novas.
- trustman: - Added an option for use by monitoring systems.
- nagios - Added the dt_donuts plugin for running trustman on
remote machines.
- Added the dt_trustman plugin for monitoring trust
anchors.
- firefox - updated nspr and firefox patches to work with
mozilla-central and nspr-4.9
- webmin: - Added the ability to perform DNSSEC
operations on DNSSEC-Tools managed signed
zones using the Webmin front-end.
- ssh: - Update the patch for enabling local DNSSEC
validation to work with OpenSSH 6.0p1.
Support for KX, DLV, DHCID, NAPTR records.
Support for X25, ISDN, RT, PX records.
Support for MB, MG, MR, MINFO, AFSDB records.
NSEC chain validation fix.
Do not allow LP point to itself.
Miscellaneous performance improvements.
Miscellaneous portability fixes.
Miscellaneous bug fixes.
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for
a key is changed in a policy (as this rollover is not handled cleanly)
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
* OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows
locking information (for debugging purposes).
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
Minimum change.
* OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for
output.
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
when rolling all keys using the --policy option
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
2013-Jun-09 - v2.0 - Removed the unused Clone module after a report
that Clone is no longer in core Perl as of v5.18.0. Added the stats
and pwck commands. Added clipboard commands (xw/xu/xp/xx). Fixed
some long-standing tab completion bugs. Warn if multiple groups or
entries are titled the same within a group, except for /Backup
entries.
2013-Jun-10 - v2.1 - Fixed several more tab completion bugs, and
they were serious enough to warrant a quick release.
It's Dangerous
... so better sign this
Various helpers to pass data to untrusted environments and to get it back
safe and sound.
This repository provides a module that is a port of the django signing
module. It's not directly copied but some changes were applied to
make it work better on its own.
* Update buildlink3.mk.
Changelog:
5.6.0 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
- added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
- added support for variable length IVs
- added OIDs for Brainpool elliptic curve parameters
- improved AES and SHA-256 speed on x86 and x64
- changed BlockTransformation interface to no longer assume data alignment
- fixed incorrect VMAC computation on message lengths
that are >64 mod 128 (x86 assembly version is not affected)
- fixed compiler error in vmac.cpp on x86 with GCC -fPIC
- fixed run-time validation error on x86-64 with GCC 4.3.2 -O2
- fixed HashFilter bug when putMessage=true
- fixed AES-CTR data alignment bug that causes incorrect encryption on ARM
- removed WORD64_AVAILABLE; compiler support for 64-bit int is now required
- ported to GCC 4.3, C++Builder 2009, Sun CC 5.10, Intel C++ Compiler 11
5.6.1 - added support for AES-NI and CLMUL instruction sets in AES and GMAC/GCM
- removed WAKE-CFB
- fixed several bugs in the SHA-256 x86/x64 assembly code:
* incorrect hash on non-SSE2 x86 machines on non-aligned input
* incorrect hash on x86 machines when input crosses 0x80000000
* incorrect hash on x64 when compiled with GCC with optimizations enabled
- fixed bugs in AES x86 and x64 assembly causing crashes in some MSVC build configurations
- switched to a public domain implementation of MARS
- ported to MSVC 2010, GCC 4.5.1, Sun Studio 12u1, C++Builder 2010, Intel C++ Compiler 11.1
- renamed the MSVC DLL project to "cryptopp" for compatibility with MSVC 2010
5.6.2 - changed license to Boost Software License 1.0
- added SHA-3 (Keccak)
- updated DSA to FIPS 186-3 (see DSA2 class)
- fixed Blowfish minimum keylength to be 4 bytes (32 bits)
- fixed Salsa validation failure when compiling with GCC 4.6
- fixed infinite recursion when on x64, assembly disabled, and no AESNI
- ported to MSVC 2012, GCC 4.7, Clang 3.2, Solaris Studio 12.3, Intel C++ Compiler 13.0
* Update HOMEPAGE and MASTER_SITES.
* Convert custom do-install taget to patch to Makefile.in.
Changelog:
version 0.97
* Case insensitivity when responding to S/KEY challenges. RFC1760 does
not mention case sensitivity, but I've received a report of a server
implementation that is case sensitive. OTP behavior is unchanged.
The ssdeep project page describes it as a library for "...computing context
triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match
inputs that have homologies. Such inputs have sequences of identical bytes in
the same order, although bytes in between these sequences may be different in
both content and length".
ssdeep is a program for computing context triggered piecewise hashes (CTPH).
Also called fuzzy hashes, CTPH can match inputs that have homologies. Such
inputs have sequences of identical bytes in the same order, although bytes in
between these sequences may be different in both content and length.
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
Paperkey extracts secret bytes from GnuPG key and prints them. To
reconstruct, you re-enter those bytes (whether by hand or via OCR)
and paperkey can use them to transform your existing public key
into a secret key.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Noteworthy changes in version 2.0.20 (2013-05-10)
-------------------------------------------------
* Decryption using smartcards keys > 3072 bit does now work.
* New meta option ignore-invalid-option to allow using the same
option file by other GnuPG versions.
* gpg: The hash algorithm is now printed for sig records in key listings.
* gpg: Skip invalid keyblock packets during import to avoid a DoS.
* gpg: Correctly handle ports from DNS SRV records.
* keyserver: Improve use of SRV records
* gpg-agent: Avoid tty corruption when killing pinentry.
* scdaemon: Improve detection of card insertion and removal.
* scdaemon: Rename option --disable-keypad to --disable-pinpad.
* scdaemon: Better support for CCID readers. Now, the internal CCID
driver supports readers without the auto configuration feature.
* scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and
it supports variable length PIN input, and you specify
--enable-pinpad-varlen option.
* scdaemon: New option --enable-pinpad-varlen.
* scdaemon: Install into libexecdir to avoid accidental execution
from the command line.
* Support building using w64-mingw32.
* Assorted bug fixes.
This is a bugfix release.
Bug fixes:
* Fixed a bug in the new ECC code. The ecc_j_to_a function
called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping
input and output arguments, which is not supported.
* The assembly files for SHA1, SHA256 and AES depend on ARMv6
instructions, breaking nettle-2.7 for pre-v6 ARM processors.
The configure script now enables those assembly files only
when building for ARMv6 or later.
* Use a more portable C expression for rotations. The
previous version used the following "standard" expression
for 32-bit rotation:
(x << n) | (x >> (32 - n))
But this gives undefined behavior (according to the C
specification) for n = 0. The rotate expression is replaced
by the more portable:
(x << n) | (x >> ((-n)&31))
This change affects only CAST128, which uses non-constant
rotation counts. Unfortunately, the new expression is poorly
optimized by released versions of gcc, making CAST128 a bit
slower. This is being fixed by the gcc hackers, see
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
The following problems have been reported, but are *not* fixed
in this release:
* ARM assembly files use instruction syntax which is not
supported by all assemblers. Workaround: Use a current
version of GNU as, or configure with --disable-assembler.
* Configuring with --disable-static doesn't work on windows.
The libraries are intended to be binary compatible with
nettle-2.2 and later. The shared library names are
libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
libnettle.so.4 and libhogweed.so.2.
Sshpass is a tool for non-interactively performing password authentication with
SSH's so called "interactive keyboard password authentication". Most users
should use SSH's more secure public key authentication instead.
