The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
* pkgsrc change: relax restriction to kerberos package.
What's new in Sudo 1.7.0?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
o applicable Defaults options are now listed
o a command argument can be specified for testing whether a user
may run a specific command.
o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files", even
when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
with the -i flag, the contents of /etc/environment are used to
populate the new environment that is passed to the command being
run.
* If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
* A new Defaults option, "env_file" that refers to a file containing
environment variables to be set in the command being run.
* A new flag, -n, may be used to indicate that sudo should not
prompt the user for a password and, instead, exit with an error
if authentication is required.
* If sudo needs to prompt for a password and it is unable to disable
echo (and no askpass program is defined), it will refuse to run
unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
would exit sudo. In sudo 1.7.0 and beyond, this is treated as
an empty password. To exit sudo, the user must press ^C or ^D
at the prompt.
* visudo will now check the sudoers file owner and mode in -c (check)
mode when the -s (strict) flag is specified.
* Publish GCRY_MODULE_ID_USER and GCRY_MODULE_ID_USER_LAST constants.
This functionality has been in Libgcrypt since 1.3.0.
* MD5 may now be used in non-enforced fips mode.
* Fixed HMAC for SHA-384 and SHA-512 with keys longer than 64 bytes.
* In fips mode, RSA keys are now generated using the X9.31 algorithm
and DSA keys using the FIPS 186-2 algorithm.
* The transient-key flag is now also supported for DSA key
generation. DSA domain parameters may be given as well.
- Bugfix release, forward and backward compatible with 2.0.0
- Ability to build as a Mac framework (and build this way by default)
- On non-Mac Unix, the pkgconfig file is always qca2.pc, even in debug
mode
- Certificates containing wildcards are now matched properly
- DirWatch/FileWatch now work
- Keystore writes now work
- Don't delete objects in their event handler (prevents Qt 4.4 warnings)
- Fix potential hang with TLS in server mode
- Windows version can be configured/installed using paths with spaces
Upstream changes:
Authen-SASL 2.12 -- Mon Jun 30 21:35:21 CDT 2008
Enhancements
* GSSAPI implement protocol according to RFC, but by default,
remain compatible with cyrus sasl lib
* DIGEST-MD5 implement channel encryption layer
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
(CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certifcate requests and PKCS#12
files.
network security scanner with associated tools like a graphical
user front-end. The core component is a server with a set of network
vulnerability tests (NVTs) to detect security problems in remote
systems and applications.
amavisd-new-2.6.2 release notes
MAIN NEW FEATURES SUMMARY
- bounce killer: improved detection of nonstandard bounces;
- bounces to be killed no longer waste SpamAssassin time;
- tool to convert dkim-filter keysfile into amavisd configuration;
- compatibility with SpamAssassin 3.3 (CVS head) regained;
- rewritten and expanded documentation section on DKIM signing and
verification in amavisd-new-docs.html;
COMPATIBILITY WITH 2.6.1
- apart from small differences in logging and notifications, the
version 2.6.2 is compatible with 2.6.1, with its configuration file
and its environment;
- virus scanner entries were updated (as described below, most notably by
adding a regexp flag m), so be sure to update existing configuration file;
updated virus scanner entries can be used with 2.6.1 too;
- the %sql_clause default has changed in detail (see below), if its value
is overridden in a configuration file the setting may need updating;
See full release notes:
http://www.ijs.si/software/amavisd/release-notes.txt
Correct settings for file ownership (*OWN, *GRP in patch-aa and patch-ao).
Added missing installation directories in patch-aa.
Sorted PLIST to placate pkglint.
Adapted filename in patch-an to the way mkpatches generates nowadays.
Fixes PR#39223.
THIS IS A FUCKING HACK (nichts für die Goldwaage..)
Don't read the man-pages/*.pm's (they are dummy), check t/*
and fix OpenSSL.xs
Don't forget to try -
print OpenSSL::CRL::new_from_file("crl.pem")->info
- it's the only CRL stuff that's supported :)
OpenSSL::HMAC is dummy.
OpenSSL::BN is untested.
* gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
* gnutls: Fix memory leak in PSK authentication.
* certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.
* gnutls-cli: Return non-zero exit code on error conditions.
* gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
Should fix PR#40189.
Upstream changes:
2008-11-14 Gisle Aas <gisle@ActiveState.com>
Release 2.38
The 2.37 tarball was infected by various '._*' files.
Thank you, Mac OS X!
Applied warning fix from Geoff Richards [RT#19643]
Applied compatiblity fix from Alexandr Ciornii [RT#30348]
2008-11-12 Gisle Aas <gisle@ActiveState.com>
Release 2.37
Sync up with consting changes from the perl core.
Fixes PR#40188, though the dependency bump is not done
(is not reflected in the module's META.yml).
Upstream changes:
v1.18 2008.11.17
- fixed typo in argument: wildcars_in_cn -> wildcards_in_cn
http://rt.cpan.org/Ticket/Display.html?id=40997
thanks to ludwig[DOT]nussel[AT]suse[DOT]de for reporting
due to GCC 4), though those aren't mentioned in the upstream change log.
Other changes:
2007-06-09 gettextize <bug-gnu-gettext@gnu.org>
* m4/gettext.m4: New file, from gettext-0.16.1.
* m4/iconv.m4: New file, from gettext-0.16.1.
* m4/lib-ld.m4: New file, from gettext-0.16.1.
* m4/lib-link.m4: New file, from gettext-0.16.1.
* m4/lib-prefix.m4: New file, from gettext-0.16.1.
* m4/nls.m4: New file, from gettext-0.16.1.
* m4/po.m4: New file, from gettext-0.16.1.
* m4/progtest.m4: New file, from gettext-0.16.1.
2003-03-08 17:38 nmav
* Makefile.am:
Honor DESTDIR variable. Patch by Andrew W. Nosenko <awn@bcs.zp.ua>
2003-03-08 17:29 nmav
* src/mcrypt.c, NEWS:
Made the algorithm and mode command line input case insensitive.
2003-03-08 17:08 nmav
* doc/mcrypt.1:
some corrections in the manpage by Michael Mason
<mgm@eskimoman.net>
avoid that warning, the ints are first cast to size_t, which is more
likely to match the size of a pointer. Unfortunately, the intptr_t and
uintptr_t types are marked optional in C99.
* skeyprune is perl script, need runtime dependency on perl5.
* Fixes mis-use of config.h (patch-a[d-i]), avoid to use a mixture of
local hash function with system RMD header.
Fixes build failure reported by PR 39872 and PR 39953.
Bump PKGREVISION.
lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it.
Solaris requires it be zeroed first... all kerberos programs that
use dns lookup crash. Zeroing before use does not break anything
on any other platforms.
Bump PKGREVISION.
- Add libtasn1-config for compatibility.
Please stop use it as it will disappear in v2.0!
Use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Read PKCS-12 blob as binary file, fixes self-tests under Mingw.
- Fix use of __attribute__ ((deprecated)) to work on non-GCC.
Changes 1.6:
- Fixed namespace violation for MAX_NAME_SIZE and MAX_ERROR_DESCRIPTION_SIZE.
The new names are ASN1_MAX_NAME_SIZE and ASN1_MAX_ERROR_DESCRIPTION_SIZE.
- Fixed namespace violation for libtasn1_perror and libtasn1_strerror.
The new names are asn1_perror and asn1_strerror.
- Fix namespace violation for LIBASN1_VERSION.
The new name is ASN1_VERSION.
- Decoder can now decode BER encoded octet strings.
- doc: Change license on the manual to GFDLv1.3+.
- doc: Sync gdoc script with GnuTLS, changes license on man-pages to GAP.
- doc: Improve gtk-doc manual.
- Assumes system has strdup and string.h.
- Remove libtasn1-config and libtasn1.m4,
use standard AC_CHECK_FUNCS autoconf tests or pkg-config instead.
- Change detection of when to use a linker version script,
use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
Fix a problem with PK's strndup() implementation assuming all strings
passed to it would be NUL-terminated. This is known to fix crashes with
polkit-gnome-authorization and clock-applet.
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
This package provides a D-Bus session bus service for bringing up
authentication dialogs used for obtaining privileges.
PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
against recent openpam headers produce non functioning pam_ldap.so
on NetBSD 4.99.47(?) or more recent systems.
There's something really fishy in the headers...
Pkgsrc changes:
o Adapt patch-aa, still needed for non-hanging tests...
Upstream changes:
1.33 2008.10.21
- Fix open() calls (rt.cpan.org #40020)
- Fix non-shell problem (rt.cpan.org #39980)
- Allow full agent forwarding (rt.cpan.org #32190)
- Handle hashed known_hosts files (Greg Sabino Mullane, rt.cpan.org #25175)
1.32 2008.10.16
- Add IO::Handle to Perl.pm (rt.cpan.org #40057, #35985)
- Minor test cleanups.
1.31 2008.10.02
- New co-maintainer, Greg Sabino Mullane (TURNSTEP).
- Prevent t/03-packet.t from hanging due to high file descriptor.
(altblue at n0i.net, rt.cpan.org #6101)
- Skip some tests if Math::GMP not installed (e.g. from choosing only
protocol 2 in Makefile.PL) (Greg Sabino Mullane, reported in
rt.cpan.org #25152)
- If ENV{HOME} is not set, use getpwuid. If both fail and the dir
is needed, we croak. (Greg Sabino Mullane, expanded from patch
by dgehl at inverse.ca in rt.cpan.org #25174)
- Fix incorrect logical/bitwise AND mixup (Peter.Haydon at uk.fujitsu.com,
rt.cpan.org #31490)
- Allow empty stdin for SSH2 (rcp at rcable.co.uk, rt.cpan.org #32730)
- Adjust terminal dimensions dynamically if Term::ReadKey is available
(john at sackheads.org, rt.cpan.org #34874)
Authen::PluggableCaptcha is a fully modularized and extensible
system for making Pluggable Catpcha (Completely Automated Public
Turing Test to Tell Computers and Humans Apart) tests.
Pluggable? All Captcha objects are instantiated and interfaced via
the main module, and then manipulated to require various submodules
as plug-ins.
Authen::PluggableCaptcha borrows from the functionality in
Apache::Session::Flex.
* Version 2.6.2 (released 2008-11-12)
** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate. Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.
** API and ABI modifications:
No changes since last version.
Changes since 0.0.14:
* epa-mail-encrypt now skips unusable keys.
* epa-file now uses canonical file names as keys for passphrase cache.
* Fixed a load-error of epa on XEmacs.
* epa-file bug fixes.
* Prepare auto-mode-alist to strip .gpg suffix when choosing major-modes.
* Don't signal an error when opening a nonexistent file via Tramp.
* epa-verify-region now decodes the plaintext with
coding-system-for-read or one saved as epa-coding-system-used.
* Version 2.6.1 (released 2008-11-10)
** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name. Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>. [CVE-2008-4989]
Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>
** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.
** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically. Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.
** libgnutls-openssl: Fix patch against X509_get_issuer_name.
It incorrectly returned the subject DN instead of issuer DN in v2.6.0.
Thanks to Thomas Viehmann <tv@beamnet.de> for report.
** certtool: Print a PKCS #8 key even if it is not encrypted.
** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).
** API and ABI modifications:
No changes since last version.
for all autoconf definitions that pollute namespace. Additionally,
I've prepared a distribution patch from FreeBSD ports which
fixes many memory leaks (see comment in patch).
PKGREVISION++
Eksblowfish is a variant of the Blowfish cipher, modified to make
the key setup very expensive. ("Eks" stands for "expensive key
schedule".) This doesn't make it significantly cryptographically
stronger, but is intended to hinder brute-force attacks. It also
makes it unsuitable for any application requiring key agility. It
was designed by Niels Provos and David Mazieres for password hashing
in OpenBSD. See Crypt::Eksblowfish::Bcrypt for the hash algorithm.
See Crypt::Eksblowfish::Blowfish for the unmodified Blowfish cipher.
Eksblowfish is a parameterised (family-keyed) cipher. It takes a
cost parameter that controls how expensive the key scheduling is.
It also takes a family key, known as the "salt". Cost and salt
parameters together define a cipher family. Within each family, a
key determines an encryption function in the usual way. See
Crypt::Eksblowfish::Family for a way to encapsulate an Eksblowfish
cipher family.
* gsasl: Don't use poll with POLLOUT to avoid busy-waiting.
* doc: Error codes are now extracted using official library APIs.
* doc: Included cyclomatic code complexity charts of the library code.
* tests: Add self test of obsolete base64 functions.
* Update gnulib files. Improves Windows compatibility.
Some highlights:
Bug #1680965 sans lookup fails -- Jordan Wiens
Fixed index.php redirect -- Kevin Johnson for Terry Burton
Added Worldmap feature -- Juergen Leising
Added Vendor MAC Map -- Juergen Leising
Increased memory limit from 50 to 128 MB in base_graph_common.php
Fixed "Select Signature from List" in the query form -- Juergen Leising
Newly generated coordinates file world_map6.txt. -- Juergen Leising
See docs/CHANGELOG for all the details
for IDN and inet6 support.
v.17 2008.10.13
- no code changes, publish v.16_3 as v.17 because it looks better
than v.16
- document win32 behavior regarding non-blocking and timeouts
v.16_3 2008.09.25
- fix t/nonblock.t with workaround for problems with
IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do
nonblocking connect and leaves socket blocked.
- make some tests less verbose by fixing diag in t/testlib.t
(send output to STDOUT not STDERR and prefix with '#')
v.16_2 2008.09.24
- work around Bug in IO::Socket::INET6 on BSD systems
http://rt.cpan.org/Ticket/Display.html?id=39550
by setting Domain based on PeerAddr
Thanks to srezic for report and support
- remove tests of recv/send from t/core.t. Might badly interact
with SSL handshake and cause crashes as seen on OS X 10.4
v.16_1 2008.09.19
- better support for IPv6:
- IPv6 is enabled by default if IO::Socket::INET6 is available
- t/inet6.t for basic tests
--
pakchois is just another PKCS#11 wrapper library. pakchois aims to
provide a thin wrapper over the PKCS#11 interface.
The goals are:
1) to offer a modern* object-oriented C interface wrapper for PKCS#11.
2) to not hide or abstract away any details of the PKCS#11 interface
itself except where absolutely necessary.
3) to handle the details of loading DSOs
4) to allow the caller to avoid caring about where on the system
PKCS#11 modules might be stored, or exactly how they are named.
5) to avoid any dependency on a particular cryptography toolkit.
Existing PKCS#11 wrapper libraries solutions differ in at least one of
the above goals.
*: "modern" being a euphemism for not using process-global state,
having a sane symbol namespace, etc.
patch-ag and patch-ah fix void functions that attempt to return the result
of calling a void function.
patch-ai conditionally includes <sys/inttypes.h> to pick up uint32_t
is incorrect because:
1) _gcry_rngfips_deinit_external_test() is void function
2) the calling function, random, is declared void
The unpatched code will not compile with Sun compiler.
Seahorse is a GNOME front-end for GnuGP. It can be used for signing,
encrypting, verifying and decrypting text and files. The text can be
taken from the clipboard, or written directly in the little editor it
has. Seahorse is also a keymanager, which can be used to edit almost
all the properties of the keys stored in your keyrings.
This package contains various plugins for Seahorse.
tools moved to the new seahorse-plugins package.
seahorse 2.24.1
---------------
* Fix problems with seahorse crashing when searching for
remote keys. [Adam Schreiber]
* Build fixes on Solaris [Jeff Cai]
* Fix selection of keys in libcryptui. [Philip Withnall]
* I18n fixes. [Adam Schreiber]
seahorse 2.24.0
---------------
* Some tweaks to the password prompt window, including allowing
minimizing to release the keyboard grab.
* Fix compiler warnings for gcc 4.3.
* Return a 'cancelled' error when from the daemon crypto dbus
methods when a user cancels out of a password prompt.
* Show revoked subkeys properly in details view of PGP keys.
* Fix problem deleting SSH keys.
* Fix dialog prompt column widths, and elipsize long text in
key listing. [Adam Schreiber]
* Fix problem with 'no keys available' when trying to sign a
PGP key from within the key manager.
* Add 'exportable' flag to objects/keys and don't enable export
UI if selected objects are not exportable.
* Build fixes [Joe Orton, Adam Schreiber]
* Crash and other fixes. [Christian Persch]
seahorse 2.23.92
----------------
* Fix crash when changing a stored Gnome Keyring password.
* Fix certain crashes on syncing, searching and other operations.
* Fix dumb 'Couldn't import keys' error message when success.
seahorse 2.23.91
----------------
* Fix copying keys to the clipboard. [Adam Schreiber]
* Fix double free crash when importing keys.
* Fix crasher when deleting a key.
* Don't add extra null bytes to SSH authorized_keys and
similar files. [Adam Schreiber]
* Documentation fixes. [Adam Schreiber]
* Don't repeatedly load gnome-keyring items. [Adam Schreiber]
* Make help button in 'First Time Options' work proprely. [Adam Schreiber]
* Better wording for options in PGP key dialogs. [Adam Schreiber]
seahorse 2.23.90
----------------
* Icon makeover. [Michael Monreal]
seahorse 2.23.6
---------------
* Initial PKCS#11 certificate listing implementation.
* Internal code refactoring.
* Fix problems with reference counting on operations.
* Use base64 functions in glib, rather than rolling our own.
* Don't use deprecated LDAP functions. [Adam Schreiber]
* String operation fixes. [Adam Schreiber]
* Build fixes [Jeff Cai]
seahorse 2.23.5
---------------
* Fix importing keys from key servers [Mackenzie Morgan]
* Factor out seahorse-plugins to a different module.
* Add XDS drag and drop support.
* Remove gnome-vfs dependency and use gio instead.
* Return key id of signer from DBus service even when key
is not found locally [Adam Schreiber]
* Refactor UI code internally into modules.
* Remove hard GPG and GPGME dependency.
* Replace signer drop down in key chooser with just a check
button when only one secret key exists. [Adam Schreiber]
* Set sync button insensitive when no server is selected.
[Adam Schreiber]
* Test for secure memory before using it. [Coleman Kane]
* Change trust model used to match GPG's. [Adam Schreiber]
* Remove libgnome and libgnomeui dependencies. [Saleem Abdulrasool]
* Grab keyboard focus when prompting for password.
[Josselin Mouette]
* Use the vala programming language for some code.
* Add initial infrastructure for PKCS#11 key/certificate support.
* Save and load window sizes from gconf. [Adam Schreiber]
* Build fixes [Brian Cameron, Saleem Abdulrasool, Alexis Ballier,
Christian Persch, Rodrigo Moya]
ASN1-encoded files (DER, BER, PER, etc.) in Python. ASN1 is the Abstract
Syntax Notation version 1, as defined by the International Telecommunication
Union (ITU).
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
- Fix log file permission error, that could happen thought the user
Prelude-LML was running as could access the file (#291).
- ModSecurity ruleset update, by Dan Kopecek <dkopecek@redhat.com>:
provides much more descriptive classification.text, add regexps for
[file ..], [line ...], [tag ...] fields and fine tune targets/types
(#321).
- Deprecate Gamin/FAM support in favor of libev: the previous
implementation had problem on SELinux enabled system due to Gamin server
startup being triggered by other program, and thus using improper role
for Prelude-LML.
(#326).
- Improved polling architecture by using Operating System specific
backend when possible.
- We now monitor files that are not immediately available for reading on
startup: once the file can be monitored, libev provide us with a
notification.
- Fix an assertion warning upon sensor start in case the address
for the local machine could not be found.
- Consistency rework of EasyBindings IDMEFCriteria API.
- Add refcount support for prelude_client_t and
prelude_client_profile_t, and update EasyBindings destructor to use
them.
- Fix a bug where EasyBindings would be built although they were not
enabled.
- Fix path issue in case libprelude was configured with specific path
outside of $prefix (fix#319).
* libgnutls: Correct printing and parsing of IPv6 addresses.
* libgnutls-openssl: fix out of bounds access.
* certtool: Use inet_pton for parsing IPv6 addresses.
* Added API to replace and update the crypto backend.
* certtool: can add several subject alternative names via template file.
* opencdk: Parse (but not decrypt) encrypted secret keys.
* more...
* libwrap related fixes, better debugging messages, MS Visual C++ support
Changes 4.25:
* delay libwrap process spawning after dropping privs, other improvements
* Try to auto-initialize Libgcrypt to minimize the effect of
applications not doing that correctly. This is not a perfect
solution but given that many applicationion would totally fail
without such a hack, we try to help at least with the most common
cases. Folks, please read the manual to learn how to properly
initialize Libgcrypt!
* Auto-initialize the secure memory to 32k instead of aborting the
process.
* Log fatal errors via syslog.
* Changed the name and the semantics of the fips mode config file.
* Add convenience macro gcry_fips_mode_active.
* More self-tests.
* Documentation cleanups.
* Fixed a build problem under Windows.
Changes 1.5:
* Minor build system fixes.
* Updated gettext. Removed included gettext copy.
* gpg-error has a new option --version.
Need to BUILDLINK_ABI_DEPENDS on the 2.2.11 versions of the libraries.
Bump PKGREVISION wholesale to disambiguate the fixed packages from the botched
ones and depend on them.
Use GPLed version of the plugins instead of the non-free version.
While here fix permissions of PKG_SYSCONFDIR in nessus-core/Makefile.
Use ./configure as one is now supplied
libmxl2 is no longer optional but curl is
Rename doc/eg dirs from ap-security to ap-modsecurity
* Allow for disabling request body limit checks in phase:1
* Now log XML parsing/validation warnings and errors to be in the debug log
at levels 3 and 4, respectivly.
* Transformation caching has been deprecated, and is now off by default. We
now advise against using transformation caching in production.
* Improve request body processing error messages.
Any many more . . . see CHANGES for all the details
Don't call pkg_info to get the installed Emacs version; always use the
version matching EMACS_TYPE set by users. Be DEPENDS to it. This should
address pkg/37146 by Aleksey Cheusov.
While here convert some emacs lisp packages to user-destdir.
v1.16
- change code for SSL_check_crl to use X509_STORE_set_flags instead of
X509_STORE_CTX_set_flags based on bug report from
<tjtoocool[AT]phreaker[DOT]net >
- change opened() to report -1 if the IO::Handle is open, but the
SSL connection failed, needed with HTTP::Daemon::SSL which will send
an error mssage over the unencrypted socket
only suggest pthread option when native pthread exists.
We cannot use pthread.buildlink3.mk to just detect if suituable pthread
implementation exist or not.
Avoid unwanted dependency on pthread package when no native pthread and
pthread option off.
* Move inclusion of seculity/tcp_wappers/buildlink3.mk to rightful place in
options.mk.
Avoid unwanted dependency on tcp_wrappers when libwrap option off.
* Remove deprecated(?) --with-tcp-wrappers from CONFIGURE_ARGS.
* Remove --enable-libwrap from CONFIGURE_ARGS even if require tcp_wrappers.
It affect not only check of existence of tcp_wappers but also blow off
needful addition of -lwrap to LIBS.
Fixes PR 39635
* In dsniff-nox11/Makefile, add a post-configure target to move
missing/sys/queue.h out of the way if the configure script
found a real sys/queue.h.
* Add patches to #include <string.h> in some files where I noticed warnings.
Bump PKGREVISION for both dsniff and dsniff-nox11.
finally. While here, fix PLIST and depkglint a bit. Also, fix the horrid
abuse of libtool.
Changes since 0.60.2:
* courier-authlib.spec: Dummy provides: for symlinks, to allow upgrade
with older packages that require <libname>.so.0.
* Makefile.am: Switch to versionless shared libraries.
Install all shared libraries just as <libname>.so. make install manually
removes *.so.0.0 files that were left over from previous versions,
and installs a temporary *.so.0 symlink to *.so, for temporary
binary ABI compatibility with 0.60. The symlinks will be removed in
0.62.
* Cleanup: always compile md5, sha* and hmac stuff, and remove all
conditionally-compiled cruft. Move SASL list to an internal header.
Add client-side support for AUTH EXTERNAL.
* authsasl.c (auth_sasl_ex): auth_sasl_ex() supercedes auth_sasl(),
invokes auth_sasl() for non-EXTERNAL SASL methods, implements EXTERNAL
by going through the motions, then setting up a dummy authentication
request.
* authdaemon.c (auth_generic): Check for the dummy EXTERNAL
authentication request, and handle it by invoking auth_getuserinfo(),
rather than sending it down the pipe. This avoid having to implement
a stub in every authentication module.
* authmysqllib.c: Use mysql_set_character_set() instead of SET NAMES
* authmysqllib.c: Fix domain-less queries.
* Makefile: Drop the unmaintained authvchkpw module.
* authmysqllib.c: Cleanup. Use mysql_real_escape_string instead of
crude filtering.
* Makefile.am: Use _LIBADD properly.
* configure.in: More portability fixes.
Packages Collection.
The Perl 5 module Authen::CAS::Client provides a simple interface
for authenticating users using JA-SIG's CAS protocol. Both CAS v1.0
and v2.0 are supported.
Changes from OpenSSH 5.0 is huge to write here, please refer its
release note: http://www.openssh.com/txt/release-5.1.
I quote only Security section from the release note.
Security:
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
When attempting to bind(2) to a port that has previously been bound
with SO_REUSEADDR set, most operating systems check that either the
effective user-id matches the previous bind (common on BSD-derived
systems) or that the bind addresses do not overlap (Linux and
Solaris).
Some operating systems, such as HP/UX, do not perform these checks
and are vulnerable to an X11 man-in-the-middle attack when the
sshd_config(5) option X11UseLocalhost has been set to "no" - an
attacker may establish a more-specific bind, which will be used in
preference to sshd's wildcard listener.
Modern BSD operating systems, Linux, OS X and Solaris implement the
above checks and are not vulnerable to this attack, nor are systems
where the X11UseLocalhost has been left at the default value of
"yes".
Portable OpenSSH 5.1 avoids this problem for all operating systems
by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
This vulnerability was reported by sway2004009 AT hotmail.com.
Upstream changes:
1.07 - Fri Aug 15 16:53:36 2008
* Fixed the odd character problems in some of the files
* No need to upgrade if you already have this installed
1.06_03 - Sun Jun 22 11:32:46 2008
* Trying the __sgi definition. If this doesn't make things
blow up, this release will get bumped to 1.07.
1.06_02 - Thu Jun 19 11:55:21 2008
* Removed wide chars from the header file. Some compilers
like to complain about things that are wrong. :(
1.06_01 - Wed Jun 18 09:37:34 2008
This is a test of a fix for Irix.
1.06_01 - Wed Jun 4 19:18:57 2008
* This is a test of a fix for Irix.
* Rewrite to use poll instead of select.
* Improve Windows installation instructions in the manual.
* tests: New self test of gsasl_mechanism_name function.
This is not acceptable for us. Instead, we patch to use libtool.
The included test passes.
Changes since 1.0.3:
* Minor fixes.
* Build library for GNU/Linux as PIC [**but we use libtool**]
* New hook feature to enhance the internal I/O functions.
v1.15
- change internal behavior when SSL handshake failed (like when verify
callback returned an error) in the hope to fix spurios errors in
t/auto_verify_hostname.t
- Make this compile on amd64
- Don't silently look for libraries when we don't need them. This should fix
PR 39318
- Add missing depends on apr
Release 5.4
###########
* Fixes to the http modules as some Apache installations are picky
* The MySQL module also works with mysqld-5.0, updated
* Added AS/400 return code checks to pop3 module
* Fixed memory leaks in the http-form module.
* Implemented a proposal by Jean-Baptiste.BEAUFRETON (at) turbomeca.fr to
check for "530 user unknown" message in the ftp module
* Added a performance patch by alejandro.mendiondo (at) baicom.com. This one
needs stability testing!
* Beautification to remove compiler warnings of modern gcc
- preludedb-admin has a bew 'count' command, printing the result of a
COUNT() on the database.
- preludedb-admin work on smaller set of data, to prevent large
retrieval error (fix#220, refs #305).
- preludedb-admin handling of interrupted transaction was improved.
- Fix MySQL and SQLite MacOSX detection, by
Uwe Schwartz <usx303 at googlemail.com>. (fix#296).
ModSecurity ruleset rewrite, by Peter Vrabec <pvrabec@redhat.com> and
Dan Kopecek <dkopecek@redhat.com>. This ruleset handle ModSecurity 2.0
output. (Fix#216).
- New rulesets for FreeBSD su attempts, by Alexander Afonyashin <firm@iname.com>
(Fix#304).
- Add additional format to the default configuration to deal with apache
error_log file format, by Alexander Afonyashin <firm@iname.com> (Fix#307).
- Normalize some classification: introduce Remote Login, and
Credentials Change. Cleanup SSH ruleset, and remove duplicated rules.
- EasyBindings inclusion! EasyBindings provide simple C++, Python,
Perl, Ruby, and Lua bindings for using libprelude. They are still
considered experimental, thus you need to use (--enable-easy-bindings)
to activate them. Thanks to Sebastien Tricaud <toady@inl.fr> and
Pierre Chifflier <p.chifflier@inl.fr> for their contribution to this
project!
- Use automake/autoconf for building/installing Python extension.
- Fix 0.9.18 regression (alert created with empty CreateTime).
- Implement reference counting for the idmef-criteria and
prelude-connection API.
- Automatic casting when setting IDMEF Value to a field that is of
different type. Until now, if an user tried to set a path of a
specific type with an idmef_value_t object containing another type,
idmef_path_set() would return an error.
- Various bug fixes.
Based on PR 39222 by Jens Rehsack.
This module implements a wrapper around OpenSSL. Specifically, it wraps the
methods related to the US Government's Advanced Encryption Standard (the
Rijndael algorithm).
This module is compatible with Crypt::CBC (and likely other modules that
utilize a block cipher to make a stream cipher).
This module is an alternative to the implementation provided by Crypt::Rijndael
which implements AES itself. In contrast, this module is simply a wrapper
around the OpenSSL library.
The Crypt::Rijndael implementation seems to produce inaccurate results on
64-bit x86 machines. By using OpenSSL, this module aims to avoid architecture
specific problems, allowing the OpenSSL maintainers to overcome such issues.
This is the RIPE NCC DNSSEC Key Management tools, described at
https://www.ripe.net/projects/disi/dnssec_maint_tool/
This class implements an interface to a database of private keys used
during DNSSEC administration.
This package includes some diffs to the self-tests, so that they pass.
0.22 Mo Mai 29 21:15:17 CEST 2006
- Bugfixs
0.23 Mi Aug 2 15:48:19 UTC 2006
- Re-added support of MIT Kerberos 1.2.x
0.24 Wed, 21 Feb 2007 20:59:39 +0100
- Changed tests as an answer to FAIL 413320
0.25 So 3. Feb 20:18:16 UTC 2008
- Enhancement to use OpenSolaris/Solaris 10 native gss library
0.26 Fr 15. Feb 22:32:10 UTC 2008
- modified Makefile.PL to trigger no FAIL testreports
in case of missing prerequirements.
Pkgsrc changes:
o Change MAINTAINER to pkgsrc-users@ as per communication with maintainer
Upstream changes:
Authen-SASL 2.11 -- Mon Apr 21 10:23:19 CDT 2008
Enhancements
* implement securesocket() in the ::Perl set of plugins
Bug Fixes
* fix parsing challenges from GnuSASL
* update tests for DIGEST-MD5
* New test from Phil Pennock for testing final server response
Changes since the 0.6 branch:
0.7.1 - 23 July 2008
o Fixes a memory leak when invalid proposal received
o Some fixes in DPD
o do not set default gss id if xauth is used
o fixed hybrid enabled builds
o fixed compilation on FreeBSD8
o cleanup in network port value manipulation
o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_sp
i()
o Generates a log if cert validation has been disabled by configuration
o better handling for pfkey socket read errors
o Fixes in yacc / bison stuff
o new plog() macro (reduced CPU usage when logging is disabled)
o Try to works better with huge SPD/SAD
o Corrected modecfg option syntax
o Many other various fixes...
0.7 - 09 August 2007
o Xauth with pre-shared key PSK
o Xauth with certificates
o SHA2 support
o pkcs7 support
o system accounting (utmp)
o Darwin support
o configuration can be reloaded
o Support for UNIQUE generated policies
o Support for semi anonymous sainfos
o Support for ph1id to remoteid matching
o Plain RSA authentication
o Native LDAP support for Xauth and modecfg
o Group membership checks for Xauth and sainfo selection
o Camellia cipher support
o IKE Fragment force option
o Modecfg SplitNet attribute support
o Modecfg SplitDNS attribute support ( server side )
o Modecfg Default Domain attribute support
o Modecfg DNS/WINS server multiple attribute support
v1.14
- added support for verification of hostname from certificate
including subjectAltNames, support for IDN etc based on patch and
input from christopher[AT]odenbachs[DOT]de and
achim[AT]grolmsnet[DOT]de.
It is also possible to get more information from peer_certificate
based on this patch. See documentation for peer_certificate and
verify_hostname
- automatic verification of hostnames with SSL_verifycn_scheme and
SSL_verifycn_name
- global setting of default context options like SSL_verifycn_scheme,
SSL_verify_mode with set_ctx_defaults
- fix import of inet4,inet6 which got broken within 1.13_X.
Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
- clarified and enhanced debugging supppport based on bugreport
http://rt.cpan.org/Ticket/Display.html?id=32960
- put information into README regarding the supported and recommanded
version of Net::SSLeay
1.35 25.07.208
- Fix test plan for autoload.t if Test::Exception isn't available.
- Skip rsa_generate_key.t if Test::Exception isn't available.
1.34 24.07.2008
- Fixed problem with X509_get_subjectAltNames, where some types of Alt
Name (eg DIRNAMEs) were not properly handled, resulting in seg faults.
Reported by Achim Grolms.
- Added support for ENGINE_load_builtin_engines and
ENGINE_register_all_complete in order to enable built-in OpenSSL
crypto engines for hardware acceleration etc.
- Added support for ENGINE_by_id and ENGINE_set_default, required
to enable Sun crypto acceleration
1.33_01 14.02.2008
- Fixed a compile problem with inc_paths /usr/kerberos/include
in inc/Module/Install/PRIVATE/Net/SSLeay.pm. Reported by "J. Nick
Koston via RT"
- Added optional support for SSL_set_hello_extension,
SSL_set_session_secret_cb to support various extension patches from
a patch to openssl-0.9.9-dev contributed by Jouni Malinen.
See wpa_supplicant/patches/openssl-0.9.9-session-ticket.patch in the
latest (git) version 0.6 and later of wpa_suplicant at
http://hostap.epitest.fi/. These additions are ifdefed to
SSL_F_SSL_SET_HELLO_EXTENSION which is added by the patch
Tested with openssl-SNAP-20070816.
- Added SSL_SESSION_set_master_key and SSL_get_keyblock_size.
- Added all SSL_OP_* options flags present in 0.9.9
- Fixed a bug in SSL_set_tmp_dh
- Doc improvements in README.Win32
- Fixed a problem with proxy connections: open_proxy_tcp_connection
was stopping after the first \n from teh proxy,
but instead should have looked for
$CRLF . $CRLF to find the beginning of the SSL content
- Fixed missing / on /usr/kerberos/include, reported by several people
- removed bacus.pt from host list in t/handle/external/10_destroy.t,
since it seems no longer to respond. Reported by tco2.
- changed t/handle/external/10_destroy.t so this list of URIs to be
tested can be configured with environment variable SSLEAY_URIS, a
colon separated list of host names. Suggested by tco2.
- changed t/handle/external/50_external.t and t/external/08_external.t
so this list of sites to be
tested can be configured with environment variable SSLEAY_SITES, a
colon separated list of host names. Suggested by tco2.
- Fixed doucumentation in README of how to use OPENSSL_PREFIX
environment variable to control the location of openssl. Reported by
"Quanah Gibson-Mount via RT".
- Don't use Module::Installs auto_install.
- Bind NID_ and GEN_ constants.
- Default to not running external tests.
sshfp is a small utility that generates RFC4255 SSHFP DNS records
based on the public keys stored in a known_hosts file or obtained by
using ssh-keyscan. If the nameserver of the domain allows zone
tranfers (AXFR), an entire domain can be processed for all its A
records. These can then be easilly added to a zone, and then secured
by DNSSEC.
Changes:
** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
** libgnutls: Fix memory leaks when doing a re-handshake.
** Fix compiler warnings.
** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
** srptool: Fix a problem where --verify check does not succeed.
Pkgsrc changes:
o Change to use CPAN as distribution source
o Change HOMEPAGE to use search.cpan.org; leave old
HOMEPAGE pointing to sourceforge commented-out
Upstream changes:
0.36 Mon Aug 13 12:16:38 EDT 2007
* [rt.cpan.org #28814] - Performance improvement
from mehradek (Radoslaw Zielinski)
-use English;
+use English qw( -no_match_vars );
0.35 Fri Apr 20 12:33:53 EDT 2007 - Jesse Vincent <jesse@bestpractical.com>
* New Maintainer: Jesse Vincent <jesse@bestpractical.com> took over
maintenance of this module.
* Removed test key expiry dates. (Fixes
http://rt.cpan.org/Ticket/Display.html?id=17618)
* Applied secret key output patch for modern GPG from
http://rt.cpan.org/Ticket/Display.html?id=17619
* Applied patch to support 'tru' record types from
(http://search.cpan.org/src/JRED/Mail-GPG-1.0.6/patches/)
0.07 Thu Jul 23 10:31:33 2008
- rt 34703
- argument logic before filehandle fetch so that they'll apply
- read small chunk of file handles instead if readline() to
avoid various issues
Pkgsrc changes:
o Added full list of dependencies, from Makefile.PL.
Upstream changes:
0.04 Sun Jun 15 16:22:32 JST 2008
* fixed a bug caused memory greediness with too long strings :<
* improved internal code for PAUSE.
0.03 Sat Jun 14 19:17:30 JST 2008
* added support for Math::Random::MT::Perl.
* switched to Module::Build.
* cleaned up test scripts.
* added 'binary' option to rndpassword.