all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
it will live with other "check" targets run after package installation.
Get rid of SHLIB_HANDLING, whose meaning had mutated over the years
from one thing to another. Currently, it is used to basically note
whether the system's "ldd" command can be usefully run on the package's
binaries and libraries. Rename this variable to CHECK_SHLIBS_SUPPORTED
for more clarity.
CHECK_SHLIBS is now a variable set exclusively by the user in /etc/mk.conf
to note whether the check for missing run-time search paths is performed
after a package is installed. It defaults to "no" unless PKG_DEVELOPER
is set.
2) Changed permissions on plugins.rules and prelude-lml.conf so that
prelude-lml can run unprivileged
3) Changed confdir in configure so that plugins.rules and prelude-lml.conf
are found.
Changes in 0.9.5:
- Experimental context support (ala SEC): we now handle
multiline log matching.
- Update PAX rules so that they use the new context feature.
- Don't exit on statistics signal, improve statistics precision,
make them easier to read.
- Fix some problem with user & group options.
- text-output argument is optional.
- New experimental ruleset: Sonicwall and Spamassassin. These
need to be manually hooked to pcre.rules if you plan to use
them.
- Fix FAM activation switches.
* Version 1.4.0 (released 2006-05-15)
** Remove GnuTLS 0.8.x compatibility functions.
** The libgcrypt RNG is initialized in gnutls_global_init().
** TLS/IA API changes from Emile van Bergen.
A dummy credential structure is not needed now, if you wish to use the
low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on
a session.
** The self-tests are now run under valgrind, if it is installed.
** Libtasn1 is updated to 0.3.4, and that version is now required.
** The command line tools now use getaddrinfo and support IPv6.
** API and ABI modifications:
_gnutls_x509_get_raw_crt_activation_time,
_gnutls_x509_get_raw_crt_expiration_time: Removed.
gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable.
gnutls_ia_enable: Added.
Version 0.3.4 (released 2006-05-10)
- Really fix encodings.
- Add new self test, tests/Test_encoding.c.
- Self tests are run under valgrind, if it is available.
- We test for the -Wno-pointer-sign parameter before using it.
Version 0.3.3 (released 2006-05-07)
- Add some 'const' to prototypes.
- Remove some 'unsigned' keywords.
- Corrected asn1_der_coding() bug introduced when it became reentrant.
Now it produces correct encodings.
Gives access to the routines of the GSSAPI library, as described in
rfc2743 and rfc2744 and implemented by the Kerberos-1.2 distribution
from MIT.
Since 0.14 it also compiles and works with Heimdal. Lacks of Heimdal
support are gss_release_oid(), gss_str_to_oid() and fail of some tests.
The API presented by this module is a mildly object oriented
reinterpretation of the C API, where opaque C structures are Perl
objects, but the style of function call has been left mostly untouched.
As a result, most routines modify one or more of the parameters passed
to them, reflecting the C call-by-reference (or call-by-value-return)
semantics.
All users of this module are therefore strongly advised to localize all
usage of these routines to minimize pain if and when the API changes.
Separate out options.mk functionality
Add in options for subversion and postgresql support
> CHANGELOG for 5.3:
> ###########
> * Added NTLM support modules for pop3, imap, smtp-auth and http-proxy.
> Work done by ilo (at) reversing.org. THANKS!
> * Added a http form module, thanks to phil (at) irmplc.com
> * Fixed a bug in the vnc module (thanks to kan (at) dcit.cz)
> * Input files may *not* contain null bytes. I might fix that in the future
> but currently I have enough other things on my todo sheet.
> Thanks to didiln (at) gmail.com for reporting.
> Changes:
> - Fixed issue with PostGRES and schema in base_db.inc.php -- Kevin J and Nikns
> - Fixed bug 1284695 Error in SQL with PostgreSQL -- Kevin J and Nikns
> - Fixed issues displaying PortScans -- Nikns
> - Fixed sig_class (bug 1407325) and sig_priority filter bug -- Nikns and Max Valdez (garaged)
> - Fixed bug 1408387 Archive move and Email summary issues -- Nikns
> - Fixed bug when, after setup, archive database wasn't used -- Nikns
> - Fixed PostgreSQL archive database support -- Nikns
> - Fixed bug 1313261 Unable to use actions in base_stat_sensor.php -- Nikns
> - Fixed bug 1371532 First of month timestamp issue -- Nikns
> - Fixed bug 1406945 Lost alert order when switching between payload display -- Nikns
> - Fixed bug 1413712 base_conf.php file path issue under MS Windows -- garaged
> - Fixed search by signature name -- Nikns
> - Converted sql/create_base_tbls_mssql_extra.sql to CRLF line terminators -- Nikns
> - Fixed broken auth system for MSSQL -- Nikns
> - Changed MSSQL schema for table acid_event, sig_name now has type VARCHAR instead of TEXT -- Nikns
> - Fixed bug 1307250 broken base_stat_alerts.php with MSSQL -- Nikns
> - Fixed bug 1413594 Force to use alert database for auth system stuff -- Nikns
> - Setup fix, on error form values are remembered, default language is English -- garaged
> - Uppercased name 'Archive' in base_main.php (in sync with base_hdr1.php) -- Nikns
> - Fixed support for actions in base_stat_class.php -- Nikns
> - Fixed bug 1418660 Broken search by IP criteria -- Nikns
> - Added checkboxes and fixed support for actions in base_stat_iplink.php -- Nikns
> - Implemented RFE 1123382 support for actions in base_stat_uaddr.php -- Nikns
> - Implemented support for actions in base_stat_ports.php -- Nikns
> - Fixed bug 1422575 when empty email sent even if action unsuccessful -- Nikns
> - Fixed bug 1424033 Unable to Graph Alert Detection Time -- Nikns
> - Fixed bug 1426089 Score removed from email address -- Nikns
> - Fixed bug 1210542 and 1288402 Packet display mode issues -- Nikns
> - Detect archiving duplicates with select queries instead of catching db conflict error -- Nikns
> - Fixed bug 1430686 Update alert cache for archived alert right after it is copied to archive db -- Nikns
> - Implemented archiving support for schema 107 -- Nikns
> - Added sig_gid (signature generator id) to snort signature reference url for schema 107 -- Nikns
> - session_start() on base_conf.php avoiding repetition, easier to handle with debug output -- garaged
> - debug_mode needs to be off on login (index.php:45 ) -- garaged
> - Fixed bug 1275536 Unable to download binary payload in Internet Explorer when using SSL -- Nikns
> - Implemented archiving support for FLoP extended database schema -- Nikns
> - Implemented rebuild of packet in pcap format for FLoP extended database -- Nikns
> - Added display of MAC addresses in base_query_alert.php for FLoP extended database -- Nikns
> - Fixed BASE authentication bypass in standalone mode for base_maintenance.php -- Nikns
> - Added HTTP response codes on authentication failure in base_maintenance.php for standalone mode -- Nikns
> - Fixed bug 1341286 Show IP header length in bytes, not words -- Juergen Leising
> - In plain display mode several sequential non-ASCII payload characters join together displaying their count -- Nikns
> - Changed input type of the password field in useradmin -- Kevin Johnson
Remove the hostname subst, since it was fixed upstream
Changelog:
caff: - try hostname without -f first to be compatible with BSD
- make local-user a config option, and let it accept a list of keyids
pkg-clean: - add option to allow importing subkeys
Add LICENSE=, and license file.
Set RESTRICTED and NO_BIN_ON_* because permission to distribute
derived works is unclear, limited to some operating systems, and
requires a reciprocal license grant.
Changelog:
* Update FSF addresses.
* caff: tweak documentation.
* caff: note that mailed keys are encrypted (suggested by Sune Vuorela).
* caff: You can now specify additional arguments to pass to the
send method of Mail::Mailer. This allows you to send mails via
SMTP and use authentication for instance. Thanks to Martin von Gagern.
* gpg-key2ps, keylookup: make them less dependent on specific
installation paths and thus better portable outside of Debian
(Closes: #354142).
- Replace patch with official fix 'Filter on Target' link (fix#148).
- Fix alert summary exception with alert including file permission (fix#149).
- Fix creation of an empty __init__.py file in lib/site-packages (#147).
- Print currently installed version on libpreludedb requirement error.
- Make sure /usr/bin/env is expanded.
- Improve idmef-path error reporting.
- Rework configure script so that it uses --with[out] in
place of --(en|dis)able where we deal with external dependencies.
- Rework configure script so that --with[out] works as expected (enabling and
disabling the feature, explicit error if "with" feature is explicitly
specified but the feature is unavailable, etc).
- Rework SNMPService class for IDMEF draft 16 compliance.
- Make sure we set alert CreateTime if the caller did not do it for us.
- Fix handling of \r\n terminated line.
- Ignore characters that are part of the option value when comparing
option specified using --option=value. Fix handling of parent option.
Approved by <frueauf>
Changes:
- make it work as binary packages,
- remove useless MESSAGE files,
- add nmap.nasl plugin, not included by default upstream,
- make the installation a bit more sane and easier to configure.
2.2.7:
======
Nessus 2.2.7 contains several fixes for bugs which have been found
during the 3.x development process and have been backported to this
branch. It also slightly extends the NASL language by adding support for
arrays of arrays. We will use this feature in some key plugins (SMB in
particular) within 6 months, so you should definitely upgrade to 2.2.7
or 3.0.x.
nessus-libraries:
- Fixed a NULL pointer dereference in the BPF server (this mostly
affects OpenBSD and FreeBSD < 5)
- The 'service' functions now only deal with the services file provided
with Nessus (instead of using a mix of /etc/services and others)
libnasl:
- Fixed off-by-one bugs in insstr() and str_replace() which would
sometimes prevent these two functions from properly dealing with the
last character of a string
- Fixed tcp_ping() which was too aggressive and may therefore sometimes
miss a live host
- Fixed a bug in send() which would not properly validate the value of the
'length' variable
- Now handle arrays of arrays
- Fixed open_priv_sock_tcp() which would report a successful connection
when timing out
nessusd:
- Properly install the file 'nessus-services' in $prefix/var/nessus/
- Bigger buffer when receiving preferences from the client (to avoid a
possible truncation of the plugin list in the future)
- Fixed a bug in the preferences parser which would cause nessusd to die
on startup when processing a malformed preference file
nessus client:
- Fixed an unlikely but potential segmentation fault when viewing the
report in the GUI
- Erase the credentials from memory after having used them (thanks to
Sumiut Siddhart for noticing this)
plugins:
- Fixed several bugs in find_services.c which would not properly set the
key Transport/SSL or which may read some data beyond its buffer
- Fixed a bad #if/#endif clause in nessus_tcp_scanner.c which prevented it
from recomputing the RTT, hence negatively impacting the performance
- nmap.nasl has been removed from the main distribution (to use nmap from
within Nessus read http://www.nessus.org/documentation/?doc=nmap-usage)
Add --confirm option and corresponding regression tests for Debian bug 296382.
Thanks to Liyang HU for the patch. Also add initialization for $ssh_timeout
which was being inherited from the environment and add regression tests for
--timeout
- Enable write notification on queued write (Fix reverse relaying).
- Fix IDMEF message scheduler warning when plugin failover is enabled.
- Fix reverse relaying on some architectures due to thread safety
issue.
- Server scalability improvement in case of message burst.
- Start work on a normalization plugin. Very simple for now, mostly
sanitize IDMEF Address and IDMEF Service classes.
- When an analyzer has read and write permission to prelude-manager,
avoid acting as an echo server, don't send received message from this
analyzer to itself.
- When no listen address is specified, try to bind all
system address (both ipv4/ipv6).
- Send an alert to the peer on handshake failure, so that
the peer has some information on what happened.
- Consistency work across all plugin logfile option.
- Various bug fixes and improvements.
Changes:
- Fix Perl/Python bindings uint64 handling on 32 bits machine.
- Make preludedb_check_version available from Perl/Python bindings.
- Use new IDMEF_LIST_APPEND primitive, require libprelude 0.9.6.
- Add libprelude dependency to SQL plugins, since they depend on
libprelude symbols. Fix compilation problem with some distribution.
- Use global transaction surrounding all operation in preludedb-admin,
this bring a major performance improvement for insert operation.
- API improvement.
include:
* saslauthd/lak.c: leak fix from Igor Brezac
* saslauthd/krbtf.c: updated from CMUCS
* saslauthd/auth_krb5.c: log the krb5 error return if get_creds fails
* saslauthd/auth_krb5.c, saslauthd/auth_krb4.c,
saslauthd/krbtf.h (added), saslauthd/krbtf.c (added),
saslauthd/cfile.h (added), saslauthd/cfile.c (added),
saslauthd/Makefile.am: Kerberos V4/V5 alternate keytab
in saslauthd, plus common code merging (from David Eckhardt
via Dale Moore)
* saslauthd/auth_krb5.c: verify against the service we
were passed. needs to be made configurable.
hashcash-1.22 - 08-Apr-2006 - Adam Back <adam@cypherspace.org>
[BUG FIXES]
hashcash-1.18 - 05-Jul-2005 - Adam Back <adam@cypherspace.org>
* add a simpler minting API to make it easier to mint stamps
from VB scripting
hashcash-1.17 - 30-Mar-2005 - Adam Back <adam@cypherspace.org>
[BUG FIXES]
hashcash-1.15 - 12-Jan-2005 - Adam Back <adam@cypherspace.org>
* make "Hashcash:" be accepted as well as "X-Hashcash:"
suggestion by Simon Josefsson <jas@extundo.com>. This way
if/when the X- is dropped from hashcash headers we will not
have a backwards compatibility problem. (Well not after
version 1.15).
* implement the -Z option to compress stamps; in fact the
usage changed so -Z takes an argument: 0, 1 or 2. 0 = not
compressed, 1 = compressed but not so the counter + padding
is split, and 2 = very compressed, but slow. (Due to a late
discovered bug 2 is the same as 1 for now until I can fix
that.)
* added -O x -sv to request benchtest of core x only
* make code work with -DOPENSSL, think this slipped during
integration of Jonathan's libfastmint as it uses some lower
level openssl APIs internally. I fixed it but it might be
a bit openssl version specific, if they changed the state
fields at any point. (This change coincidentally I think
should work around the linking with openssl problem that Hal
Finney <hal@finney.org> reported).
* add libhashcash.a intermediate target to make hashcash more
convenient to link into other software on linux. (A
suggestion from Hal Finney who was trying to link to his
RPOW system.)
hashcash-1.14 - 14-Dec-2004 - Adam Back <adam@cypherspace.org>
* make hashcash -cX accept continuation lines starting with
space as well as tab
* add library function to wrap lines and use it from hashcash
command line tool.
* fix long vs time_t prototype mismatch that was giving
compile errors on BSD; also cleaned up some warnings that
can be obtained with gcc -Wall.
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
"unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related
to the randomness generator, which allows local users to cause a denial
of service by truncating the seed file, which prevents the server from
starting, or obtain sensitive seed information that could be used to
crack keys."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0353
Noteworthy changes in version 1.4.3 (2006-04-03)
------------------------------------------------
* If available, cURL-based keyserver helpers are built that can
retrieve keys using HKP or any protocol that cURL supports
(HTTP, HTTPS, FTP, FTPS, etc). If cURL is not available, HKP
and HTTP are still supported using a built-in cURL emulator. To
force building the old pre-cURL keyserver helpers, use the
configure option --enable-old-keyserver-helpers. Note that none
of this affects finger or LDAP support, which are unchanged.
Note also that a future version of GnuPG will remove the old
keyserver helpers altogether.
* Implemented Public Key Association (PKA) signature verification.
This uses special DNS records and notation data to associate a
mail address with an OpenPGP key to prove that mail coming from
that address is legitimate without the need for a full trust
path to the signing key.
* When exporting subkeys, those specified with a key ID or
fingerprint and the '!' suffix are now merged into one keyblock.
* Added "gpg-zip", a program to create encrypted archives that can
interoperate with PGP Zip.
* Added support for signing subkey cross-certification "back
signatures". Requiring cross-certification to be present is
currently off by default, but will be changed to on by default
in the future, once more keys use it. A new "cross-certify"
command in the --edit-key menu can be used to update signing
subkeys to have cross-certification.
* The key cleaning options for --import-options and
--export-options have been further polished. "import-clean" and
"export-clean" replace the older
import-clean-sigs/import-clean-uids and
export-clean-sigs/export-clean-uids option pairs.
* New "minimize" command in the --edit-key menu removes everything
that can be removed from a key, rendering it as small as
possible. There are corresponding "export-minimal" and
"import-minimal" commands for --export-options and
--import-options.
* New --fetch-keys command to retrieve keys by specifying a URI.
This allows direct key retrieval from a web page or other
location that can be specified in a URI. Available protocols
are HTTP and finger, plus anything that cURL supplies, if built
with cURL support.
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
* The keyserver helpers can now handle keys in either ASCII armor
or binary format.
* New auto-key-locate option that takes an ordered list of methods
to locate a key if it is not available at encryption time (-r or
--recipient). Possible methods include "cert" (use DNS CERT as
per RFC2538bis), "pka" (use DNS PKA), "ldap" (consult the LDAP
server for the domain in question), "keyserver" (use the
currently defined keyserver), as well as arbitrary keyserver
URIs that will be contacted for the key.
* Able to retrieve keys using DNS CERT records as per RFC-2538bis
(currently in draft): http://www.josefsson.org/rfc2538bis
pkgsrc change:
make architecture-specific options really architecture-specific.
Version 0.3.2
- Corrected bug in asn1_der_coding() which overwrote some
data in the original structure.
- The asn1Parser, asn1Coding and asn1Decoding programs are now installed.
Ruby/Password is a suite of password handling methods for Ruby. It
supports the manual entry of passwords from the keyboard in both
buffered and unbuffered modes, password strength checking, random
password generation, phonemic password generation (for easy
memorization by human-beings) and the encryption of passwords.
GNOME Keyring Manager is an application that manages user keyrings.
The default window shows 'default' keyrings with its items and allows
to remove, add and edit them. It also lets you edit your secrets and
copy them using drag and drop. The Manager window allows to lock/unlock,
create and open other keyrings. At last, items can be moved between
different keyrings.
qt4 support (doesn't compile yet).
2006-03-26 19:06 nolan
* src/serializers.cpp: Had a reported bug in which only the items
in a single group got saved with a PwSafe 1.0 safe. The repro
steps were: Create a safe with a few entries Save it as a
PwSafe 1.0 safe Create a couple of folders Move the items
into those folders Save the safe. Reopen the safe It ended
up with the items from a single group instead of all the items.
The cause was that I was returning from a recursive call to
BlowfishLizer::saveGroup instead of only returning on an error.
2006-01-23 20:57 nolan
* MyPasswordSafe.pro, MyPasswordSafe.qrc, src/aboutdlg.ui,
src/main.cpp, src/manualdlg.ui, src/mypasswordsafe.ui,
src/mypasswordsafe.ui.h, src/newpassphrasedlg.ui,
src/passphrasedlg.ui, src/plaintextlizer.cpp,
src/plaintextlizer.hpp, src/preferencesdlg.ui,
src/preferencesdlg.ui.h, src/pwordeditdlg.ui, src/safe.hpp,
src/safedragobject.cpp, src/safedragobject.hpp,
src/safelistview.cpp, src/safelistview.hpp, src/serializers.cpp,
src/startupdlgbase.ui, src/xmlserializer.cpp,
src/tools/idle/idle_x11.cpp, uuid-1.0.0/Makefile,
uuid-1.0.0/config.status: Converted to Qt4
2005-12-17 06:47 nolan
* src/: mypasswordsafe.ui.h, pwordeditdlg.ui, pwordeditdlg.ui.h:
Set the edit dialog as the active window if the user tries to
edit that item a second time. Moved the future group handling
for new items into MyPasswordSafe
2005-12-17 06:33 nolan
* src/: mypasswordsafe.ui, mypasswordsafe.ui.h, pwordeditdlg.ui,
pwordeditdlg.ui.h, safelistview.cpp: Made the add and edit
dialogs non-modal Hiding during a lock now works
2005-12-17 05:03 nolan
* src/: mypasswordsafe.ui, mypasswordsafe.ui.h, pwordeditdlg.ui,
pwordeditdlg.ui.h, safelistview.cpp, safelistview.hpp: Attempted
to hide the edit dialog when MyPS got locked, but that caused a
crash so they get closed. Moved entry creation and updating to
PwordEditDlg Moved the default user name and generation length
into PwordEditDlg
2005-12-17 02:42 nolan
* src/pwordeditdlg.ui.h, src/serializers.cpp, uuid-1.0.0/Makefile,
uuid-1.0.0/config.status: Fixed the problem with the show
password button; was checking for a normal echo mode
2005-11-25 00:21 nolan
* src/: mypasswordsafe.ui, mypasswordsafe.ui.h: Lock on minimize
works under WindowMaker
2005-11-24 01:23 nolan
* src/mypasswordsafe.ui.h: Parented all the dialogs
2005-11-23 22:15 nolan
* release/Makefile: Updated release path and upload rules
2005-11-23 11:14 nolan
* src/: mypasswordsafe.ui.h, pwordeditdlg.ui, pwordeditdlg.ui.h:
Had a bug in the user name and password checking in the edit
dialog. Fixed that by adding an isNew attribute.
2005-11-23 08:21 nolan
* src/tools/idle/: idle.cpp, idle.h, idle.pri, idle_mac.cpp,
idle_win.cpp, idle_x11.cpp, win32/Makefile, win32/idleui.cpp,
win32/idleui.def, win32/idleui.dll, win32/idleui.h: Added Idle
from Psi to lock MyPS
2005-11-23 08:21 nolan
* src/mypasswordsafe.ui, src/mypasswordsafe.ui.h,
src/preferencesdlg.ui, src/preferencesdlg.ui.h,
src/pwordeditdlg.ui, src/pwordeditdlg.ui.h, src/safe.cpp,
src/safe.hpp, src/safelistview.cpp, src/safelistview.hpp,
src/serializers.cpp, test/safe/safe.pro, test/safe/safetest.cpp:
Added Idle from Psi to lock MyPS Add Password: automatically
generate a new password and display it to the user Confirm
changes to user name and/or password in entries Empty fields are
now saved working around a bug in Password Safe Clipboard will be
cleared after a specified time Generated passwords are
automatically fetched
2005-11-23 08:19 nolan
* MyPasswordSafe.pro: Added Idle from Psi
and replace with appropriate references to PKGINFODIR instead.
* Properly account for split info files during installation.
* Move info file listings directly into the package PLISTs.
This fixes info-file-related PLIST problems.
changes:
-a security fix which was already in pkgsrc (0.46nb1)
-bugfixes
-zlib compression for dbclient
-Set "low delay" TOS bit
-client keyboard-interactive mode support
-logging improvements
-Added aes-256 cipher and sha1-96 hmac
-allow connections to listening forwarded ports from remote machines
changes:
Fixed a couple of problems in lshd, where the server process
leaks file descriptors to user shells that it starts. These
bugs implied a local denial of service hole, at best.
Support for aes256-ctr.
Newer nettle library. Bugfixes and performance improvements
for the assembler code, in particular support for sparc64, and
Makefile fixes.
changes:
* Better HKP support for strange key servers.
* Updated gedit plugin to work with gedit 2.14
* Fixed signing of keys with GPG 1.4.2 [Daniel Rodriguez Garcia]
* Fixed some minor packaging and build problems.
* Many smaller fixes.
pkgsrc changes:
-don't build nautilus plugin to limit dependencies
(will be provided in a separate pkg)
-remove some more unneeded dependencies
-prepare for the gedit plugin as a separate pkg
The following changes have been made between John 1.7 and 1.7.0.1:
* Minor bug and portability fixes.
* Better handling of certain uncommon scenarios and improper uses of John.
* Bonus: "Keyboard" cracker included in the default john.conf (john.ini)
that will try sequences of adjacent keys on a keyboard as passwords.
The following major changes have been made since John 1.6:
* Bitslice DES code for x86 with MMX: more than twice faster than older
non-bitslice MMX code.
* Bitsliced the LM hash code as well: now several times faster.
* Significant improvements to the generic bitslice DES code: +20% on RISC.
* PowerPC G4+ AltiVec support (Mac OS X and Linux): effective 128-bitness
for bitslice DES, resulting in huge speedups.
* First attempt at generic vectorization support for bitslice DES.
* Two MD5 hashes at a time for extra ILP on RISC: up to +80% on Alpha EV5+.
* Generic Blowfish x86 assembly code in addition to the original Pentium
version: +15% on the Pentium Pro family (up to and including Pentium III),
+20% on AMD K6 (Pentium 4 and newer AMD CPUs are more happy running the
original Pentium code for Blowfish).
* Verbose logging of events to the global or a session-specific log file.
* Better idle priority emulation with POSIX.1b (POSIX.4) scheduling calls.
* System-wide installation support for *BSD ports and Linux distributions.
* AIX, DU/Tru64 C2, HP-UX tcb files support in unshadow.
* New make targets for Linux/x86-64, Linux/PowerPC, FreeBSD/Alpha,
OpenBSD/x86-64, OpenBSD/Alpha, OpenBSD/SPARC, OpenBSD/SPARC64,
OpenBSD/PowerPC, OpenBSD/PA-RISC, OpenBSD/VAX, NetBSD/VAX, Solaris/SPARC64,
Mac OS X (PowerPC and x86), SCO, BeOS.
* Bug and portability fixes, and new bugs.
* Bonus: "Strip" cracker included in the default john.conf (john.ini).
INSTALL/DEINSTALL script creation within pkgsrc.
If an INSTALL or DEINSTALL script is found in the package directory,
it is automatically used as a template for the pkginstall-generated
scripts. If instead, they should be used simply as the full scripts,
then the package Makefile should set INSTALL_SRC or DEINSTALL_SRC
explicitly, e.g.:
INSTALL_SRC= ${PKGDIR}/INSTALL
DEINSTALL_SRC= # empty
As part of the restructuring of the pkginstall framework internals,
we now *always* generate temporary INSTALL or DEINSTALL scripts. By
comparing these temporary scripts with minimal INSTALL/DEINSTALL
scripts formed from only the base templates, we determine whether or
not the INSTALL/DEINSTALL scripts are actually needed by the package
(see the generate-install-scripts target in bsd.pkginstall.mk).
In addition, more variables in the framework have been made private.
The *_EXTRA_TMPL variables have been renamed to *_TEMPLATE, which are
more sensible names given the very few exported variables in this
framework. The only public variables relating to the templates are:
INSTALL_SRC INSTALL_TEMPLATE
DEINSTALL_SRC DEINSTALL_TEMPLATE
HEADER_TEMPLATE
The packages in pkgsrc have been modified to reflect the changes in
the pkginstall framework.
> - Added Turkish -- Umut Nacak
> - Changed login button to actually say login -- Jonathan W Minor
> - Fixed issue with signature names and MySQL 5.0 -- Kade P. Cole
> - Fixed Bug# 1347623 auto-refresh ignored for stat pages -- Shane Castle
> - Fixed Sort order issues -- Timothy Doty
> - Applied patch from Debian maintainer for final SQL injection fix -- Kevin
> - Updated project lead comments -- Kevin
> - Added Portscan Information -- Kevin for Nikns
called. Also include pthread.buildlink3.mk directly.
- With the update of qt3-tools to use the libtool mode of qmake, it is
unnecessary to install files manually; "make install" just works.
Bump PKGREVISION.
Pkgsrc changes:
- The new release includes the patch by Peter Behroozi (already contained
in Peter's unofficial release 1.26) that adds get1_session() for session
caching.
- Reverted to using MASTER_SITE_PERL_CPAN
Changes since version 1.25:
===========================
1.30 21.12.2005
- Fixed the MD5 function for hashsums containing \0
- Fixed some compile warnings with recent gcc.
- Fixed do_httpx3:
+ Don't add additional Host: headers if it's already given
+ Omit the :$port suffix for standard ports
+ Thanks to ivan-cpan-rt@420.am
- Limit the chunk size when reading with tcp_read_all to 0x1000.
This fixes various rt tickets.
- Added patch to allow session caching
- Mike McCauley and Florian Ragwitz maintain this module now
Pkgsrc changes:
none
Changes since version 2.15:
===========================
2.17 Mon Jan 9 18:22:51 EST 2006
-IMPORTANT NOTE: Versions of this module prior to 2.17 were incorrectly
using 8 byte IVs when generating the old-style RandomIV style header
(as opposed to the new-style random salt header). This affects data
encrypted using the Rijndael algorithm, which has a 16 byte blocksize,
and is a significant security issue.
The bug has been corrected in versions 2.17 and higher by making it
impossible to use 16-byte block ciphers with RandomIV headers. You may
still read legacy encrypted data by explicitly passing the
-insecure_legacy_decrypt option to Crypt::CBC->new().
-The salt, iv and key are now reset before each complete encryption
cycle. This avoids inadvertent reuse of the same salt.
-A new -header option has been added that allows you to select
among the various types of headers, and avoids the ambiguity
of having multiple interacting options.
-A new random_bytes() method provides access to /dev/urandom on
suitably-equipped hardware.
2.16 Tue Dec 6 14:17:45 EST 2005
- Added two new options to new():
-keysize => <bytes> Force the keysize -- useful for Blowfish
-blocksize => <bytes> Force the blocksize -- not known to be useful
("-keysize=>16" is necessary to decrypt OpenSSL messages encrypted
with Blowfish)
(so lsh2 and lsh DESCRiptions are different.)
Also uppercase ssh2 to SSH2.
TODO: anyone want to document features or differences between
these two packages?
Changes:
- Remove trailing space from regex we get from plugins.rules (this fixes
a match problem on log entries that didn't contain any space).
- Add --user / --group option to drop privilege. However, make sure it is
not allowed to open a file that the target user cannot read, because it
would lead to failure when trying to re-open the logfile after a rotation.
- Signal handling improvement.
- Fix priority for --quiet option.
- Use newer libprelude IDMEF_LIST_APPEND/IDMEF_LIST_PREPEND addition.
- Add unhandled arguments warning.
Changes:
- Fix PostgreSQL plugin compilation problem.
- Update database schema: enforce that AdditionalData data field is not NULL.
- Improve Swig basic type mapping situation with regard to the target architecture.
- Fix query time calculation.
Changes:
- Fix an issue with systems using both IPv4 and IPv6 interfaces which
don't allow binding both 0.0.0.0 and ::.
- Add autoconf detection for libgcrypt: this fixes a build issue for
distributions shipping with a broken libgnutls-config script.
- Generate Perl and Python bindings for the prelude-timer API.
- Fix for upcoming plugin that doesn't provide an activation option.
- Various bug fixes.
Pkgsrc changes:
- Rewrote patch-aa to be specific to NetBSD.
Changes since version 0.02:
===========================
- generate more efficient code with gcc-3.4 and later.
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
- Error messages are now translated using GNU Gettext.
- The function gnutls_x509_crt_to_xml now returns an internal error.
This means that the code to convert X.509 certificates to XML format
does not work any more. The reason is that the function called
libtasn1 internal functions. It seems unclean for libtasn1 to export
the APIs needed here. Instead it would be better to implement XML
support inside libtasn1 properly. If you need this functionality
strongly, please consider looking into implementing this suggested
approach instead. As a workaround, you may also modify lib/x509/xml.c
(change '#if 1' to '#if 0') and build using --with-included-libtasn1.
- Doc fixes to explain that gnutls_record_send can block.
- gnutls-cli can now recognize services and port numbers with the -p option.
- Support constant size bit strings, as in 'BIT STRING (SIZE(42))'.
Reported by Cyril Holweck <cyril.holweck@q-free.com>.
- Add two more APIs required by GnuTLS.
- New public APIs:
asn1_find_node function
asn1_copy_node
Let the caff package install other gpg related tools
- pgp-clean: removes all non-self signatures from key
- pgp-fixkey: removes broken packets from keys
- gpg-mailkeys: simply mail out a signed key to its owner
- gpg-key2ps: generate PostScript file with fingerprint paper strips
- gpglist: show who signed which of your UIDs
- gpgsigs: annotates list of GnuPG keys with already done signatures
- keylookup: ncurses wrapper around gpg --search
Fix hardcoded path in man pages
caff is a script that helps you in keysigning. It takes a list of
keyids on the command line, fetches them from a keyserver and calls
GnuPG so that you can sign it. It then mails each key to all its
email addresses - only including the one UID that we send to in each
mail.
Features:
* Easy to setup.
* Attaches only the very UID that we send to in the mail.
* Prunes the key from all signatures that are not self sigs and
not done by you, thereby greatly reducing the size of mails.
* Sends the mail encrypted if possible, will warn before sending
unencrypted mail (sign only keys)
* Creates proper PGP MIME messages.
* Uses separate GNUPGHOME for all its operations.
From NEWS:
Version 0.7-RC1 2006/1/10 <moriyoshi@users.sourceforge.net>
* Add a "disconnect_every_op" option that forces pam_mysql to
disconnect from the database every operation (PR #1325395). -moriyoshi
* Use geteuid() instead of getuid() to check if the current user is authorized
to change the password (PR #1338667). -moriyoshi
* Allow root (uid=0) to change the passwords of other users without their old
password. -moriyoshi
Version 0.7-pre3 2005/9/29 <moriyoshi@users.sourceforge.net>
* Changed handling of the "where" option to not escape meta characters
(PR #1261484). -moriyoshi
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Added logrhostcolumn (log.rhost_column) option that enables you to log the
value of the "rhost" item specified by the application. -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
* Fixed memory leaks spotted when "config_file" option is used. -moriyoshi
* Fixed try_first_pass behaviour. -moriyoshi
* Changed option parsing behaviour so "=" following each option name is not
needed. -moriyoshi
Version 0.7-pre2 2005/9/18 <moriyoshi@users.sourceforge.net>
* Changed column name handling to not escape meta characters. Now you can
specify an expression to every XXXcolumn variable like "CONCAT(a, b, c)".
-moriyoshi
* Supported SHA1 hash (PR #1117036). -moriyoshi, alexeen
* Supported use_first_pass and try_first_pass options. -moriyoshi
Version 0.7-pre1 2005/6/13 <moriyoshi@users.sourceforge.net>
* Support for NSS-mysql style configuration file which is inspired
by the Florian's work. -moriyoshi
Version 0.6.2 2005/9/29 <moriyoshi@users.sourceforge.net>
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
Version 0.6.1 2005/9/18 <moriyoshi@users.sourceforge.net>
* Added use_323_passwd option that allows you to use an encryption function
used in the old MySQL versions (3.23.x). -moriyoshi, Daniel Renaud
* Fixed account management code that wouldn't work at all :-p -moriyoshi
* Included pam_mysql.spec to the tarball by default. This enables you to
make a RPM with the following oneliner: (rpmbuild -tb pam_mysql.tar.gz).
-moriyoshi
* Fixed compile failure that occurs with the old mysql_config (< 4.0.16).
-moriyoshi
* Fixed compile failure on Solaris when --with-openssl is specified to the
configure script.
Version 0.6 2005/6/13 <moriyoshi@users.sourceforge.net>
* Adopted autoconf / automake for build system. -moriyoshi
* Portable MD5 support by using OpenSSL / Cyrus-SASL. -moriyoshi
* MySQL library detection. -moriyoshi
* Added RPM spec file. -moriyoshi
* Tidied up the entire code for security and maintainability. -moriyoshi
* Modified log output to be more verbose. -moriyoshi
* Changed log facility type to LOG_AUTHPRIV as per the recommendation in
the PAM documentation. -moriyoshi
* Added support for unix socket and non-default ports. -moriyoshi
* Added account management and authentication token alteration code. -moriyoshi
* Remove default values for string parameters for the sake of performance.
-moriyoshi
* Enhanced SQL logging function to log session state as well. -moriyoshi
* Solaris support. -moriyoshi
makeinfo if no native makeinfo executable exists. Honor TEXINFO_REQD
when determining whether the native makeinfo can be used.
* Remove USE_MAKEINFO and replace it with USE_TOOLS+=makeinfo.
* Get rid of all the "split" argument deduction for makeinfo since
the PLIST module already handles varying numbers of split info files
correctly.
NOTE: Platforms that have "makeinfo" in the base system should check
that the makeinfo entries of pkgsrc/mk/tools.${OPSYS}.mk are
correct.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Changes:
* libpreludedb-0.9.5.1:
- Correctly read database schema version.
* libpreludedb-0.9.5:
- Fix important memory leak in Python bindings; Prewikka should end up
consuming way less memory than it used to.
- Fix PostgreSQL plugin compilation problem.
- Fix for preludedb-admin --count handling when --offset was used.
- Provide more information in preludedb-admin error message.
- Various cleanup.
Changes:
* libprelude-0.9.6.1:
- Flex generated file build fix for FreeBSD / NetBSD.
* libprelude-0.9.6:
- Implement workaround for buggy libtool that will fail
looking up symbol with preopening enabled in case the
libtool archive is missing. A lot of distribution packages
seem to suffer from this.
- idmef-path API improvement, allow user to specify negative
index to address the list in reverse. Developers are now
supposed to use IDMEF_LIST_APPEND (in place of index -1) and
IDMEF_LIST_PREPEND (in place of 0) on listed object operations.
- idmef-path API improvement: support for (<<) and (>>) listed
object index, meaning to prepend the object / to append it,
as well as (*) meaning to retrieve all objects from a list. This
deprecates the usage of (-1) previously used for appending.
- Fix disconnection problem in client reading mode.
- Improve option parsing: option value can now be provided using
--option=value. This format is now a requirement for options that
use an optional argument. Provide arguments information in the
option help.
- Fix deadlock on asynchronous prelude-client destruction.
- Definitely fix the problem where prelude-adduser will, on some systems,
listen to an IPv6 address as the default: we now bind every address
returned by getaddrinfo().
- Fix crash in case of successive calls to prelude_init(), prelude_deinit(),
then prelude_init() again.
- Introduce --passwd and --passwd-file options for prelude-adduser
register and registration-server mode, allowing to specify a one-shot
password on the command line, from a file, or from stdin.
- Verbose error handling for prelude-adduser.
- Fix perl bindings, make them more robust by adding type checking, and fix
memory leak.
- Fix parsing of string based broken down time criterion.
- Handle configuration file containing \r.
- Fix prelude_read_multiline2() return value (fix Prelude-Manager
idmef-criteria-filter plugin).
- Fix a bug in per thread error handling code which resulted in NULL
error to be returned in case an application thread exited.
- Various bug fixes.
Version 0.3.0
- Export DER utility functions, mostly so that GnuTLS can avoid using
libtasn1 internals.
- The _asn1* symbols are not exported in the shared library file (when
using GNU ld).
- The library can now be built using Visual Studio, and the project
files are included in windows/.
- New public APIs:
asn1_get_tag_der
asn1_octet_der
asn1_get_octet_der
asn1_bit_der
asn1_get_bit_der
asn1_get_length_der
asn1_length_der
and NetBSD-current which caused serious lossage:
depend on librfuncs>=1.0.7nb1 which implements NetBSD-current's
behaviour, change the patch to _gpgme_getenv() accordingly,
and bump PKGREVISION
New features include:
* Statistics Collector: A daemon that can process netflow-like information
exported by several Honeyd instances and do computations on the data - see
live data.
* Improved Subsystems: Improved support for subsystems permits running more
complicated UNIX applications like mwcollect as a subsystem for Honeyd.
* Proxy and SMTP subsystems: Example subsystems to simulate open proxies and
mail relays. These subsystems are written with performance in mind and have
no problem in keeping up with a busy network.
Bugfixes include:
A bug in Honeyd's IP reassembly code allows adversaries to remotely fingerprint
honeypots. Thanks to Jon Oberheide for finding the bug; see adv.2006-01 for
more information