* Add an anon_fast option that attempts anonymous authentication
(generally implemented via anonymous PKINIT inside the Kerberos
library) and then, if successful, uses those credentials for FAST
armor. If fast_ccache and anon_fast are both specified, anonymous
authentication will be used as a fallback if the specified FAST ticket
cache doesn't exist. Based on patches from Yair Yarom.
* Add a user_realm option to only set the realm for unqualified user
principals. This differs from the existing realm option in that realm
also changes the default realm for authorization decisions and for
verification of credentials. Update the realm option documentation to
clarify the differences and remove incorrect information. Patch from
Roland C. Dowdeswell.
* Add a no_prompt option to suppress the PAM module's prompt for the
user's password and defer all prompting to the Kerberos library. This
allows the Kerberos library to have complete control of the prompting
process, which may be desireable if authentication mechanisms other
than password are in use. Be aware that, with this option set, the
PAM module has no control over the contents of the prompt and cannot
store the user's password in the PAM data. Based on a patch by Yair
Yarom.
* Add a silent option to force the module to behave as if the
application had passed in PAM_SILENT and suppress text messages and
errors from the Kerberos library. Patch from Yair Yarom.
* Add preliminary support for Kerberos trace logging via a trace option
that enables trace logging if supported by the underlying Kerberos
library. The option takes as an argument the file name to which to
log trace output. This option does not yet work with any released
version of Kerberos, but may work with the next release of MIT
Kerberos.
* MIT Kerberos does not add a colon and space to its password prompts,
but Heimdal does. pam-krb5 previously unconditionally added a colon
and space, resulting in doubled colons with Heimdal. Work around this
inconsistency by not adding the colon and space if already present.
* Fix alt_auth_map support to preserve the realm of the authentication
identity when forming the alternate authentication principal, matching
the documentation.
* Document that the alt_auth_map format may contain a realm to force all
mapped principals to be in that realm. In that case, don't add the
realm of the authentication identity. Note that this can be used as a
simple way to attempt authentication in an alternate realm first and
then fall back to the local realm, although any complex attempt at
authentication in multiple realms should instead run the module
multiple times with different realm settings.
* Avoid a NULL pointer dereference if krb5_init_context fails.
* Fix initialization of time values in the module configuration on
platforms (like S/390X) where krb5_deltat is not equivalent to long.
* Close a memory leak when search_k5login is set but the user has no
.k5login file.
* Close several memory leaks in alt_auth_map support.
* Suppress bogus error messages about unknown option for the realm
option. The option was being parsed and honored despite the error.
* Retry authentication under try_first_pass on several other errors in
addition to decrypt integrity check errors to handle a wider array of
possible "password incorrect" error messages from the KDC.
* Update to rra-c-util 4.4:
* Update to C TAP Harness 1.12:
- Bux fix release
- Rollerd's -alwayssign flag logic had a critical error that could
have caused a zone to be signed with the wrong ZSK at particular
points of the ZSK key rolling process.
* Only use libyubikey when --with-cr is used.
* Set correct permissions on tempfile.
* YubiKey 2.2 contains a bug in challenge-response that makes it output the
same response to all challenges unless HMAC_LT64 is set. Add warnings to
ykpamcfg and a warning through conversate in the pam module. Keys programmed
like this should be reprogrammed with the HMAC_LT64 flag set.
* Implement option -ooath-id to easily set OATH token identifier.
* Fix numerous compiler warnings from clang. Thanks to
Clemens Lang <neverpanic@gmail.com>.
* ykclient: Add C++ namespace protection.
* Add multi-server support with curl_multi.
Enabled by default for YubiCloud servers.
Settable with the new library function set_template_urls() or
the urls parameter to ykclient_verify_otp_v2().
* Remove extra % in ykclient help.
* Add ca path option to ykclient, --ca.
Patch from Jay Kline <jay.kline.ctr@hpcmo.hpc.mil>.
* Make the nonce unique for consecutive calls to the same ykclient handle.
* Do url encoding of OTP before sending.
* Fix segfault on curl error.
Patch from Lee Hinman <lee.hinman.ctr@hpc.mil>
decentralized, and highly reliable synchronization. That means that a key
submitted to one SKS server will quickly be distributed to all key servers,
and even wildly out-of-date servers, or servers that experience spotty
connectivity, can fully synchronize with rest of the system.
* authpam.c (callback_pam): Call pam_end() after an authentication attempt.
* Makefile.am: Renamed authstaticlist.h to courierauthstaticlist.h, and
added it to the list of header files that 'make install' puts into
includedir.
* Fix gcc 4.6 warnings
* courier.spec.in: switch to systemd.
* Fix autoconf warnings.
* courier-authlib.spec: Make rmplint happy.
* Noteworthy changes in release 2.13 (2012-05-31) [stable]
- Updated fix for DER decoding issue to not depend on specific compilers.
- Updated DER decoding check to apply to short form integers as well.
This module provides a Perl API for the BSDs' arc4random(3) suite
of functions and adds a few high-level functions, such as the new
arc4random_uniform(3). The Perl functions are ithreads-safe (only
if threads::shared is required). Scalars can be tied to this pak-
kage, yielding uniformly distributed random numbers with an arbi-
trary upper bound on read access, contributing to the RC4 entropy
pool on write access. An exported global $RANDOM variable returns
15-bit unsigned random numbers, from [0; 32767], similar to mksh.
Furthermore, Perl's internal PRNG is seeded with entropy obtained
from the arc4random generator once on module load time.
Collection.
The is the Perl application bundle for ClusterSSH (a.k.a cssh), formally
a GNU tools based project.
ClusterSSH is a tool for making the same change on multiple servers at
the same time. The 'cssh' command opens an administration console and
an xterm to all specified hosts. Any text typed into the administration
console is replicated to all windows. All windows may also be typed into
directly.
This tool is intended for (but not limited to) cluster administration
where the same configuration or commands must be run on each node
within the cluster. Performing these commands all at once via this
tool ensures all nodes are kept in sync.
The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong
user authentication by using an LDAP server for retrieving public keys instead
of ~/.ssh/authorized_keys.
from 0.52 to 0.57.
Upstream changes:
0.57 Dec 21, 2011
- quote equal sign
- do not quote commas
0.56_01 Dec 8, 2011
- rsync methods were failing when user was defined (bug report
by black_fire)
- detect when the destructor is being called from a different
thread (bug report by troy99 at PerlMonks)
- support for Net::OpenSSH::Gateway added
0.55 Dec 6, 2011
- solve regression from 0.53_03: rsync methods were broken
because the hostname was not being correctly removed from
the ssh command passed to rsync (bug report by Mithun
Ayachit)
0.54 Dec 4, 2011
- release as stable
0.53_05 Nov 23, 2011
- scp methods were broken when a user was given (bug report by
Andrew J. Slezak)
- add support for verbose option in scp methods
- implement parse_connections_opts
- solve bug related to expansion of HOST var when an IPv6
address was given
- move FACTORY docs to the right place
- add FAQ about running remote commands via sudo
- add sample for Net::Telnet integration
- add sample for sudo usage reading password from DATA
0.53_04 Sep 2, 2011
- add default_ssh_opts feature
- getpwuid may fail, check $home is defined before using it
- add FAQ entry about MaxSessions limit reached
- move FACTORY docs to the right place
0.53_03 Aug 18, 2011
- handling of default_std*_file was broken (bug report and
patch by Nic Sandfield)
- keep errors from opening default slave streams
- add Net::OpenSSH::ConnectionCache package
- add FACTORY hook
- place '--' in ssh command after host name
- add support for die_on_error
- add support for batch_mode feature
- typo in sample code corrected (reported by Fernando Sierra)
- using { stdin_data => [] } was generating warnings
0.53_02 Jul 12, 2011
- add support for custom login handlers
- remove SIG{__WARN__} localizations
0.53_01 May 15, 2011
- quoter and glob_quoter fully rewritten from scratch
- quoter was not handling "\n" correctly (bug report and work
around by Skeeve)
- minor doc improvements
security/p5-IO-Socket-SSL from 1.66 to 1.74.
Upstream changes:
v1.74 2012.05.13
- accept a version of SSLv2/3 as SSLv23, because older documentation
could be interpreted like this
v1.73 2012.05.11
- make test t/dhe.t hopefully work for more version of openssl
Thanks to paul[AT]city-fan[DOT]org for providing bug reports and
testing environment
v1.72 2012.05.10
- set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
Thanks to dcostas[AT]gmail[DOT]com for problem report
v1.71 2012.05.09
- 1.70 done right. Also don't disable SSLv2 ciphers, SSLv2 support is better
disabled by the default SSL_version of 'SSLv23:!SSLv2'
v1.70 2012.05.08
- make it possible to disable protols using SSL_version, make SSL_version
default to 'SSLv23:!SSLv2'
v1.69 2012.05.08
- re-added workaround in t/dhe.t
v1.68 2012.05.07
- remove SSLv2 from default cipher list, which makes failed tests after last
change work again, fix behvior for empty cipher list (use default)
v1.67 2012.05.07
- https://rt.cpan.org/Ticket/Display.html?id=76929
thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting
- if no explicit cipher list is given it will now default to ALL:!LOW instead
of the openssl default, which usually includes weak ciphers like DES.
- new config key SSL_honor_cipher_order and documented how to use it to fight
BEAST attack.
from 0.17 to 0.18.
Upstream changes:
0.18 Sat Nov 12 23:09:05 2011
- added convenience wrappers for 'cont', #70672
- fixed few issues in xs code, #70674
- added openpgparmor support, #72387
This is a new major stable release. Brief changes compared to 1.6.x:
* SAML20 support following RFC 6595.
* OPENID20 support following RFC 6616.
* Added SMTP server examples (for e.g., SCRAM, SAML20, OPENID20).
* Various cleanups, portability and other bug fixes.
See the NEWS entries during the 1.7.x branch for details.
* libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be
a file that stores the pin.
* libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public
keys.
* minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
2.6
===
* [CVE-2012-2417] Fix LP#985164: insecure ElGamal key generation.
(thanks: Legrandin)
In the ElGamal schemes (for both encryption and signatures), g is
supposed to be the generator of the entire Z^*_p group. However, in
PyCrypto 2.5 and earlier, g is more simply the generator of a random
sub-group of Z^*_p.
The result is that the signature space (when the key is used for
signing) or the public key space (when the key is used for encryption)
may be greatly reduced from its expected size of log(p) bits, possibly
down to 1 bit (the worst case if the order of g is 2).
While it has not been confirmed, it has also been suggested that an
attacker might be able to use this fact to determine the private key.
Anyone using ElGamal keys should generate new keys as soon as practical.
Any additional information about this bug will be tracked at
https://bugs.launchpad.net/pycrypto/+bug/985164
* Huge documentation cleanup (thanks: Legrandin).
* Added more tests, including test vectors from NIST 800-38A
(thanks: Legrandin)
* Remove broken MODE_PGP, which never actually worked properly.
A new mode, MODE_OPENPGP, has been added for people wishing to write
OpenPGP implementations. Note that this does not implement the full
OpenPGP specification, only the "OpenPGP CFB mode" part of that
specification.
https://bugs.launchpad.net/pycrypto/+bug/996814
* Fix: getPrime with invalid input causes Python to abort with fatal error
https://bugs.launchpad.net/pycrypto/+bug/988431
* Fix: Segfaults within error-handling paths
(thanks: Paul Howarth & Dave Malcolm)
https://bugs.launchpad.net/pycrypto/+bug/934294
* Fix: Block ciphers allow empty string as IV
https://bugs.launchpad.net/pycrypto/+bug/997464
* Fix DevURandomRNG to work with Python3's new I/O stack.
(thanks: Sebastian Ramacher)
* Remove automagic dependencies on libgmp and libmpir, let the caller
disable them using args.
* Many other minor bug fixes and improvements (mostly thanks to Legrandin)
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
(RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite
only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration,
but ods-auditor is not installed
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do
then say so rather than display nothing which might be misinterpreted.
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
* Increased performance by adding more indexes to the database.
* Describe the usage of SO and user PIN in the README.
Bugfixes:
* Detect if a C++ compiler is missing.
AuthCAS aims at providing a Perl API to Yale's Central Authentication System
(CAS). Only a basic Perl library is provided with CAS whereas AuthCAS is a
full object-oriented library.
Fix seuciry problem of CVE-2012-2337.
What's new in Sudo 1.7.9p1?
* Fixed a bug when matching against an IP address with an associated
netmask in the sudoers file. In certain circumstances, this
could allow users to run commands on hosts they are not authorized
for.
What's new in Sudo 1.7.9?
* Fixed a false positive in visudo strict mode when aliases are
in use.
* The line on which a syntax error is reported in the sudoers file
is now more accurate. Previously it was often off by a line.
* The #include and #includedir directives in sudoers now support
relative paths. If the path is not fully qualified it is expected
to be located in the same directory of the sudoers file that is
including it.
* visudo will now fix the mode on the sudoers file even if no changes
are made unless the -f option is specified.
* The "use_loginclass" sudoers option works properly again.
* For LDAP-based sudoers, values in the search expression are now
escaped as per RFC 4515.
* Fixed a race condition when I/O logging is not enabled that could
result in tty-generated signals (e.g. control-C) being received
by the command twice.
* If none of the standard input, output or error are connected to
a tty device, sudo will now check its parent's standard input,
output or error for the tty name on systems with /proc and BSD
systems that support the KERN_PROC_PID sysctl. This allows
tty-based tickets to work properly even when, e.g. standard
input, output and error are redirected to /dev/null.
* Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
the results, which would be incorrectly be interpreted as if the
sudoers file had specified a directory.
* "visudo -c" will now list any include files that were checked
in addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may
now run "visudo -c". Previously, write permissions were required
even though no writing is down in check-only mode.
What's new in Sudo 1.7.8p2?
* Fixed a crash in the monitor process on Solaris when NOPASSWD
was specified or when authentication was disabled.
