* Noteworthy changes in release 2.13 (2012-05-31) [stable]
- Updated fix for DER decoding issue to not depend on specific compilers.
- Updated DER decoding check to apply to short form integers as well.
This module provides a Perl API for the BSDs' arc4random(3) suite
of functions and adds a few high-level functions, such as the new
arc4random_uniform(3). The Perl functions are ithreads-safe (only
if threads::shared is required). Scalars can be tied to this pak-
kage, yielding uniformly distributed random numbers with an arbi-
trary upper bound on read access, contributing to the RC4 entropy
pool on write access. An exported global $RANDOM variable returns
15-bit unsigned random numbers, from [0; 32767], similar to mksh.
Furthermore, Perl's internal PRNG is seeded with entropy obtained
from the arc4random generator once on module load time.
Collection.
The is the Perl application bundle for ClusterSSH (a.k.a cssh), formally
a GNU tools based project.
ClusterSSH is a tool for making the same change on multiple servers at
the same time. The 'cssh' command opens an administration console and
an xterm to all specified hosts. Any text typed into the administration
console is replicated to all windows. All windows may also be typed into
directly.
This tool is intended for (but not limited to) cluster administration
where the same configuration or commands must be run on each node
within the cluster. Performing these commands all at once via this
tool ensures all nodes are kept in sync.
The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong
user authentication by using an LDAP server for retrieving public keys instead
of ~/.ssh/authorized_keys.
from 0.52 to 0.57.
Upstream changes:
0.57 Dec 21, 2011
- quote equal sign
- do not quote commas
0.56_01 Dec 8, 2011
- rsync methods were failing when user was defined (bug report
by black_fire)
- detect when the destructor is being called from a different
thread (bug report by troy99 at PerlMonks)
- support for Net::OpenSSH::Gateway added
0.55 Dec 6, 2011
- solve regression from 0.53_03: rsync methods were broken
because the hostname was not being correctly removed from
the ssh command passed to rsync (bug report by Mithun
Ayachit)
0.54 Dec 4, 2011
- release as stable
0.53_05 Nov 23, 2011
- scp methods were broken when a user was given (bug report by
Andrew J. Slezak)
- add support for verbose option in scp methods
- implement parse_connections_opts
- solve bug related to expansion of HOST var when an IPv6
address was given
- move FACTORY docs to the right place
- add FAQ about running remote commands via sudo
- add sample for Net::Telnet integration
- add sample for sudo usage reading password from DATA
0.53_04 Sep 2, 2011
- add default_ssh_opts feature
- getpwuid may fail, check $home is defined before using it
- add FAQ entry about MaxSessions limit reached
- move FACTORY docs to the right place
0.53_03 Aug 18, 2011
- handling of default_std*_file was broken (bug report and
patch by Nic Sandfield)
- keep errors from opening default slave streams
- add Net::OpenSSH::ConnectionCache package
- add FACTORY hook
- place '--' in ssh command after host name
- add support for die_on_error
- add support for batch_mode feature
- typo in sample code corrected (reported by Fernando Sierra)
- using { stdin_data => [] } was generating warnings
0.53_02 Jul 12, 2011
- add support for custom login handlers
- remove SIG{__WARN__} localizations
0.53_01 May 15, 2011
- quoter and glob_quoter fully rewritten from scratch
- quoter was not handling "\n" correctly (bug report and work
around by Skeeve)
- minor doc improvements
security/p5-IO-Socket-SSL from 1.66 to 1.74.
Upstream changes:
v1.74 2012.05.13
- accept a version of SSLv2/3 as SSLv23, because older documentation
could be interpreted like this
v1.73 2012.05.11
- make test t/dhe.t hopefully work for more version of openssl
Thanks to paul[AT]city-fan[DOT]org for providing bug reports and
testing environment
v1.72 2012.05.10
- set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
Thanks to dcostas[AT]gmail[DOT]com for problem report
v1.71 2012.05.09
- 1.70 done right. Also don't disable SSLv2 ciphers, SSLv2 support is better
disabled by the default SSL_version of 'SSLv23:!SSLv2'
v1.70 2012.05.08
- make it possible to disable protols using SSL_version, make SSL_version
default to 'SSLv23:!SSLv2'
v1.69 2012.05.08
- re-added workaround in t/dhe.t
v1.68 2012.05.07
- remove SSLv2 from default cipher list, which makes failed tests after last
change work again, fix behvior for empty cipher list (use default)
v1.67 2012.05.07
- https://rt.cpan.org/Ticket/Display.html?id=76929
thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting
- if no explicit cipher list is given it will now default to ALL:!LOW instead
of the openssl default, which usually includes weak ciphers like DES.
- new config key SSL_honor_cipher_order and documented how to use it to fight
BEAST attack.
from 0.17 to 0.18.
Upstream changes:
0.18 Sat Nov 12 23:09:05 2011
- added convenience wrappers for 'cont', #70672
- fixed few issues in xs code, #70674
- added openpgparmor support, #72387
This is a new major stable release. Brief changes compared to 1.6.x:
* SAML20 support following RFC 6595.
* OPENID20 support following RFC 6616.
* Added SMTP server examples (for e.g., SCRAM, SAML20, OPENID20).
* Various cleanups, portability and other bug fixes.
See the NEWS entries during the 1.7.x branch for details.
* libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be
a file that stores the pin.
* libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public
keys.
* minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
2.6
===
* [CVE-2012-2417] Fix LP#985164: insecure ElGamal key generation.
(thanks: Legrandin)
In the ElGamal schemes (for both encryption and signatures), g is
supposed to be the generator of the entire Z^*_p group. However, in
PyCrypto 2.5 and earlier, g is more simply the generator of a random
sub-group of Z^*_p.
The result is that the signature space (when the key is used for
signing) or the public key space (when the key is used for encryption)
may be greatly reduced from its expected size of log(p) bits, possibly
down to 1 bit (the worst case if the order of g is 2).
While it has not been confirmed, it has also been suggested that an
attacker might be able to use this fact to determine the private key.
Anyone using ElGamal keys should generate new keys as soon as practical.
Any additional information about this bug will be tracked at
https://bugs.launchpad.net/pycrypto/+bug/985164
* Huge documentation cleanup (thanks: Legrandin).
* Added more tests, including test vectors from NIST 800-38A
(thanks: Legrandin)
* Remove broken MODE_PGP, which never actually worked properly.
A new mode, MODE_OPENPGP, has been added for people wishing to write
OpenPGP implementations. Note that this does not implement the full
OpenPGP specification, only the "OpenPGP CFB mode" part of that
specification.
https://bugs.launchpad.net/pycrypto/+bug/996814
* Fix: getPrime with invalid input causes Python to abort with fatal error
https://bugs.launchpad.net/pycrypto/+bug/988431
* Fix: Segfaults within error-handling paths
(thanks: Paul Howarth & Dave Malcolm)
https://bugs.launchpad.net/pycrypto/+bug/934294
* Fix: Block ciphers allow empty string as IV
https://bugs.launchpad.net/pycrypto/+bug/997464
* Fix DevURandomRNG to work with Python3's new I/O stack.
(thanks: Sebastian Ramacher)
* Remove automagic dependencies on libgmp and libmpir, let the caller
disable them using args.
* Many other minor bug fixes and improvements (mostly thanks to Legrandin)
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
(RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite
only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration,
but ods-auditor is not installed
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do
then say so rather than display nothing which might be misinterpreted.
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
* Increased performance by adding more indexes to the database.
* Describe the usage of SO and user PIN in the README.
Bugfixes:
* Detect if a C++ compiler is missing.
AuthCAS aims at providing a Perl API to Yale's Central Authentication System
(CAS). Only a basic Perl library is provided with CAS whereas AuthCAS is a
full object-oriented library.
Fix seuciry problem of CVE-2012-2337.
What's new in Sudo 1.7.9p1?
* Fixed a bug when matching against an IP address with an associated
netmask in the sudoers file. In certain circumstances, this
could allow users to run commands on hosts they are not authorized
for.
What's new in Sudo 1.7.9?
* Fixed a false positive in visudo strict mode when aliases are
in use.
* The line on which a syntax error is reported in the sudoers file
is now more accurate. Previously it was often off by a line.
* The #include and #includedir directives in sudoers now support
relative paths. If the path is not fully qualified it is expected
to be located in the same directory of the sudoers file that is
including it.
* visudo will now fix the mode on the sudoers file even if no changes
are made unless the -f option is specified.
* The "use_loginclass" sudoers option works properly again.
* For LDAP-based sudoers, values in the search expression are now
escaped as per RFC 4515.
* Fixed a race condition when I/O logging is not enabled that could
result in tty-generated signals (e.g. control-C) being received
by the command twice.
* If none of the standard input, output or error are connected to
a tty device, sudo will now check its parent's standard input,
output or error for the tty name on systems with /proc and BSD
systems that support the KERN_PROC_PID sysctl. This allows
tty-based tickets to work properly even when, e.g. standard
input, output and error are redirected to /dev/null.
* Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
the results, which would be incorrectly be interpreted as if the
sudoers file had specified a directory.
* "visudo -c" will now list any include files that were checked
in addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may
now run "visudo -c". Previously, write permissions were required
even though no writing is down in check-only mode.
What's new in Sudo 1.7.8p2?
* Fixed a crash in the monitor process on Solaris when NOPASSWD
was specified or when authentication was disabled.
The Cryptokit library for Objective Caml provides a variety of
cryptographic primitives that can be used to implement cryptographic
protocols in security-sensitive applications. The primitives provided
include:
Symmetric-key cryptography: AES, DES, Triple-DES, ARCfour, in ECB,
CBC, CFB and OFB modes. Public-key cryptography: RSA encryption and
signature; Diffie-Hellman key agreement. Hash functions and MACs:
SHA-1, MD5, and MACs based on AES and DES. Random number generation.
Encodings and compression: base 64, hexadecimal, Zlib compression.
Additional ciphers and hashes can easily be used in conjunction
with the library. In particular, basic mechanisms such as chaining
modes, output buffering, and padding are provided by generic classes
that can easily be composed with user-provided ciphers. More
generally, the library promotes a "Lego"-like style of constructing
and composing transformations over character streams.
OpenSSL CHANGES
_______________
Changes between 0.9.8w and 0.9.8x [10 May 2012]
*) Sanity check record length before skipping explicit IV in DTLS
to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]
*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]
The Google Authenticator includes implementations of one-time passcode
generators for several mobile platforms as well as a pluggable
authentication module (PAM). One-time passcodes are generated using
open standards developed by the Initiative for Open Authentication
(OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP)
algorithm specified in RFC 4226 and the Time-based One-time Password
(TOTP) algorithm specified in RFC 6238.
Because upstream does not provide a distribution file (yet), I have
pre-packaged the sources myself as of today and uploaded them to
ftp.n.o under my own directory. This explains the 0.0 prefix in the
version number, because if upstream starts providing distfiles with
proper versioning, we don't want our date stamp to be "above" all
official versions.
tool that, in addition to basic syntactic and semantic zone checks,
includes DNSSEC signature verification and NSEC/NSEC3 chain validation,
as well a number of optional policy checks on the zone.
Security fix for CVS-2012-2131.
Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
*) The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter. (CVE-2012-2131)
[Tomas Hoger <thoger@redhat.com>]
=== 0.4.6 2012-04-21
* Fixed nested attributes in #normalize (Shaliko Usubov)
* Make use the path component of the :site parameter (Jonathon M. Abbott)
* Fixed post body's being dropped in 1.9 (Steven Hammond)
* Fixed PUT request handling (Anton Panasenko)
