Sudo versions 1.7.2p6 and 1.6.9p22 are now available. These releases
fix a privilege escalation bug in the sudoedit functionality.
Summary:
A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
1.6.8 through 1.7.2p5 that may give a user with permission to
run sudoedit the ability to run arbitrary commands. This bug
is related to, but distinct from, CVE 2010-0426.
Sudo versions affected:
1.6.8 through 1.7.2p5 inclusive.
k5start, and krenew are modified versions of kinit which add support
for running as a daemon to maintain a ticket cache, running a
command with credentials from a keytab and maintaining a ticket
cache until that command completes, obtaining AFS tokens (via an
external aklog) after obtaining tickets, and creating an AFS PAG
for a command. They are primarily useful in conjunction with
long-running jobs; for moving ticket handling code out of servers,
cron jobs, or daemons; and to obtain tickets and AFS tokens with
a single command.
- New features
- New service-level "libwrap" option for run-time control whether
/etc/hosts.allow and /etc/hosts.deny are used for access control.
Disabling libwrap significantly increases performance of stunnel.
- Log file reopen on USR1 signal was added.
- Graceful configuration reload with HUP signal on Unix
and with GUI on Windows.
- Bugfixes
- Inetd mode fixed
- Fixed a transfer() loop issue with SSLv2 connections.
- Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option.
- Logging subsystem bugfixes and cleanup.
- Installer bugfixes for Vista and later versions of Windows.
- FIPS mode can be enabled/disabled at runtime.
either netcat or stunnel except that it is Kerberised. You can use
it to construct client/server applications while keeping the Kerberos
libraries out of your programs address space quickly and easily.
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
*) When rejecting SSL/TLS records due to an incorrect version number, never
update s->server with a new major version number. As of
- OpenSSL 0.9.8m if 'short' is a 16-bit type,
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
the previous behavior could result in a read attempt at NULL when
receiving specific incorrect SSL/TLS records once record payload
protection is active. (CVE-2010-0740)
[Bodo Moeller, Adam Langley <agl@chromium.org>]
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
[Tomas Hoger <thoger@redhat.com>]
Upstream changes:
[Changes for 0.63 - Sun, 28 Mar 2010 04:46:27 +0100]
* Fix diagnostic message from Makefile.PL when the user dosn't have gnupg or
Crypt::OpenPGP (miyagawa).
[Changes for 0.62 - Tue, 23 Mar 2010 22:17:39 +0100]
* Change the default keyserver from the outdated pgp.mit.edu to
pool.sks-keyservers.net.
in src/lib as that is the location it wants to pick it up. Work around
the dependencies in other places by symlinking to that, effectively
reverting the direction. Link telnet(d) consistently. Add DESTDIR support.
pkgsrc changes:
- Adjust dependencies
- Add license definition
Upstream changes:
***0.16 March 12, 2010
Feature: KEY inherits DNSKEY
This helps maintenance in one part of the code.
Feature: keylength methode rt.cpan.org #53468
Added keylength method for RSA and DSA
Acknowledgements Hugo Salgado
Fix: rt.cpan.org #51778
Empty bitmap would cause error about undefined ARRAY in NSEC/NSEC3.
Now the code will allow empty bitmaps gracefully
Feature: New Algorithm Support (rt.cpan.org #51092)
SHA2 algorithm support, including NSEC3 algorithm parameters updated
Acknowledgement Jakob Shlyter
Fix: rt.cpan.org #42089
NSEC3 Algorithm support in NSEC3 broken
patch by Wes Hardaker
pkgsrc changes:
- Adding license definition
- Adjusting dependencies
Upstream changes:
version 0.008; 2010-03-11
* bugfix: avoid memory leak when returning block to Perl space
* check for required Perl version at runtime
* in XS, avoid using "class" as a variable name, for compatibility
with C++ compilers
* in Build.PL, explicitly declare configure-time requirements
* remove bogus "exit 0" from Build.PL
* Fixed bug with reading gzipped aide.db files
* Removed dead ustat code
Version 0.13
* Added support for selinux and xattr attributes
* Added support for the Linux Audit System
* Fixed usage of libgcrypt instead of libmhash
* Added file locking for output files
* Fixed bugs
Version 0.12
* Fixed bugs
* Allow http/https/ftp URLs through libcurl
* Support posix_fadvice() to avoid caching files
Version 0.11
* Fixed many bugs
* Updated automake/autoconf scripts
* Use snprintf by Mark Martinec if not in C library
* Support for more (legacy) Unix systems and cygwin
* Open files with O_NOATIME on supported Linux systems
* Added I/ANF/ARF directives
Changes to 2.99.1/20100313
+ add functionality to parse basic signature subkeys
+ in doing so, add expiration of keys
+ at the same time, add revocation of keys
+ recognise the primary user id, and use it when displaying user ids
+ recognise self signed keys and subkeys
+ rework the indentation of output
+ add the --list-sigs [userid] option to netpgpkeys(1)
+ use memcmp(3) rather than strcmp(3) when checking binary user ids to
be exported
+ add expiration display to subkey signature output
+ update libnetpgp library version major number to 3
The Zone Key Tool consist of two commands:
* dnssec-zkt to create and list dnssec zone keys and
* dnssec-signer to sign a zone and manage the lifetime of the zone signing keys
Both commands are simple wrapper commands around the dnssec-keygen(8) and
dnssec-signzone(8) commands provided by BIND.
PKCS#11 interface. You can use it to explore PKCS#11 without having a
Hardware Security Module. It is being developed as a part of the OpenDNSSEC
project. SoftHSM uses Botan for its cryptographic operations.
While here,
* set LICENSE=gnu-gpl-v2
* marked as user-destdir installation ready
* switch to use system argp
* add missing zlib buildlink
News for the 2.0.4 release
Fixed x11 forwarding bug in the lsh client.
News for the 2.0.3 release
At startup, lshd now tries to close any spurious open file
descriptors. New test case for lshd fd leakage.
lshd --daemonic --no-syslog now sets up a proper daemonic
environment, except that log messages are still sent to
stderr. Improved testing of this feature.
This PAM module support authentication, authorization (account
management) and accounting (session management) performed using
TACACS+ protocol designed by Cisco.
