- support for newer Python versions
- various bug fixes and security improvements
- moved from LGPL to MIT license
Based on the update by Christian Sturm in wip with additional fixes from
me.
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
* Noteworthy changes in release 2.3 (2009-07-29) [stable]
- Libtasn1 is now an official GNU project.
- Solve build problem on Tru64 related to TRUE/FALSE.
- More careful decoding of OIDs.
- Fixed warning in ASN1.y.
- Use "Software libraries" info dircategory.
- Drop GPL/LGPL copies from the manual (not needed there).
- New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
Shamir's Secret Sharing Scheme (SSSS) is an implementation of a
threshold scheme for sharing a secret between third parties, and
requiring a threshold of those parties to collaborate to reveal the
secret.
Taken from the Wikipedia article about Secret Sharing:
In cryptography, a secret sharing scheme is a method for
distributing a secret amongst a group of participants, each of
which is allocated a share of the secret. The secret can only
be reconstructed when the shares are combined together;
individual shares are of no use on their own.
Shamir's scheme is provable secure: in a (t,n) scheme one can prove
that it makes no difference whether an attacker has t-1 valid shares
at his disposal or none at all; as long as he has less than t shares,
there is no better option than guessing to find out the secret.
Changelog:
The following changes have been made between John 1.7.3 and 1.7.3.1:
* Corrected the x86 assembly files for building on Mac OS X.
* Merged in some generic changes from JtR Pro.
The following changes have been made between John 1.7.2 and 1.7.3:
* Two Blowfish-based crypt(3) hashes may now be computed in parallel for much
better performance on modern multi-issue CPUs with a sufficient number of
registers (e.g., x86-64).
* Bitslice DES assembly code for x86-64 has been converted to use
instruction pointer relative addressing (needed for Mac OS X support).
* New make targets: macosx-universal, macosx-x86-64, solaris-x86-64-cc,
solaris-x86-64-gcc, solaris-x86-sse2-cc, solaris-x86-sse2-gcc,
solaris-x86-mmx-cc, solaris-x86-mmx-gcc, solaris-x86-any-cc, linux-ia64;
other changes to the Makefile.
* Minor bug fixes.
* "DumbForce" and "KnownForce" external mode samples have been added to the
default john.conf.
pcsc-lite-1.5.5: Ludovic Rousseau
28 July 2009
- add the reader interface name if provided by the device
- SCardTransmit(): return SCARD_E_UNSUPPORTED_FEATURE if
SCARD_PROTOCOL_RAW is requested by unsupported
- SCardConnect() and SCardReconnect(): set dwActiveProtocol to
SCARD_PROTOCOL_UNDEFINED if SCARD_SHARE_DIRECT is used (conform to
MSDN). Contrary to Windows winscard behavior, the reader is accessed in
shared mode and not exclusive mode if SCARD_SHARE_DIRECT is used.
- SCardControl(): correctly check for buffer overflow (bug introduced in
pcsc-lite 1.5.4)
- some other minor improvements and bug corrections
New in OpenSC 0.11.9; 2009-07-29; Andreas Jellinghaus
* New rutoken_ecp driver by Aktiv Co. / Aleksey Samsonov
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
1.3.11 - 28 July 2009, Ludovic Rousseau
- add support of Raritan D2CIM-DVUSB VM/CCID, Feitian SCR301,
Softforum XecureHSM, 2 Neowave Weneo tokens, Synnix STD200, Aktiv
Rutoken ECP, Alcor Micro SCR001, ATMEL AT91SC192192CT-USB,
Panasonic USB Smart Card Reader 7A-Smart, Gemalto GemProx DU and SU
- remove support of Reiner-SCT cyberJack pinpad(a) on request of
Reiner-SCT. You should user the Reiner-SCT driver instead
- define CFBundleName to CCIDCLASSDRIVER so that non class drivers
have a higher priority. Used by pcsc-lite 1.5.5 and up.
Add a --disable-class configure option so that the Info.plist does
not define a Class driver. Default is class driver.
- do not power up a card with a voltage not supported by the reader
- add support of PIN_PROPERTIES_STRUCTURE structure and
FEATURE_IFD_PIN_PROPERTIES
- adds support of FEATURE_MCT_READERDIRECT. Only the Kobil TriB@nk
reader supports this feature for now. This is used for the Secoder
functionality in connected mode.
- add support of a composite device. No change needed with libhal.
use --enable-composite-as-multislot on Mac OS X since libhal is
not available on Mac OS X or with libusb on Linux
- some minor bugs removed
Changes in 1.7.2p1 since 1.7.2:
===============================
* Fixed the expansion of the %h escape in #include file names introduced in
sudo 1.7.1.
Changes in 1.7.2 since 1.7.1:
=============================
* A new #includedir directive is available in sudoers. This can be used to
implement an /etc/sudo.d directory. Files in an includedir are not edited
by visudo unless they contain a syntax error.
* The -g option did not work properly when only setting the group (and not
the user). Also, in -l mode the wrong user was displayed for sudoers
entries where only the group was allowed to be set.
* Fixed a problem with the alias checking in visudo which could prevent
visudo from exiting.
* Sudo will now correctly parse the shell-style /etc/environment file format
used by pam_env on Linux.
* When doing password and group database lookups, sudo will only cache an
entry by name or by id, depending on how the entry was looked up.
Previously, sudo would cache by both name and id from a single lookup, but
this breaks sites that have multiple password or group database names that
map to the same uid or gid.
* User and group names in sudoers may now be enclosed in double quotes to
avoid having to escape special characters.
* BSM audit fixes when changing to a non-root uid.
* Experimental non-Unix group support. Currently only works with Quest
Authorization Services and allows Active Directory groups fixes for
Minix-3.
* For Netscape/Mozilla-derived LDAP SDKs the certificate and key paths may
be specified as a directory or a file. However, version 5.0 of the SDK
only appears to support using a directory (despite documentation to the
contrary). If SSL client initialization fails and the certificate or key
paths look like they could be default file name, strip off the last path
element and try again.
* A setenv() compatibility fix for Linux systems, where a NULL value is
treated the same as an empty string and the variable name is checked
against the NULL pointer.
tested with:
-1.0.0beta3 (which already identifies itself as 1.0.0)
-the snapshot in NetBSD-current (identifies itself as 1.1.0)
-the 0.9.8 we had in -current before
Upstream changes:
v1.27 2009.07.24
- changed possible local/utf-8 depended \w in some regex against more
explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service
names can't have '-' inside
- fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
While there made it more aware of errors in Net::ssl_write_all (return
undef not 0 in generic_write)
1.5.1 release provides some bug fixes and a fix for the recently announced
HMAC vulnerability in the XML Signature specification (CVE-2009-0217).
1.5.0 release provides more bug fixes, partial support for Inclusive
Canonicalization 1.1, and support for the Xerces 3.x official release and
32/64-bit portability APIs.
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)
Shared directories can now be created independently by the pacakges
needing them and will be removed automatically by pkg_delete when empty.
Packages needing empty directories can use the @pkgdir command in PLIST.
Discussed and ok'd in thread starting at
http://mail-index.netbsd.org/tech-pkg/2009/06/30/msg003546.html
Version 2.2 (released 2009-05-20)
- Change how the ASN1_API decorator is used in libtasn1.h, for GTK-DOC.
- Changed license of libtasn1.pc from GPLv3+ to LGPLv2.1+.
Reported by Jeff Cai <Jeff.Cai@Sun.COM>.
- Building with many warning flags now requires --enable-gcc-warnings.
- Some warnings fixed.
* Version 2.8.1 (released 2009-06-10)
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.
** API and ABI modifications:
No changes since last version.
Upstream changes:
0.36 Jul 8, 2009
- open2pty, open3 and open3pty where not handling transparent
options for open_ex, and other minor bugs
- pty handling in open_ex was broken
- expect sample added
- New features
- FIPS support was updated for openssl-fips 1.2.
- New priority failover strategy for multiple "connect" targets,
controlled with "failover=rr" (default) or "failover=prio".
- pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>.
- Bugfixes
- Libwrap helper processes fixed to close standard
input/output/error file descriptors.
changes:
-Build fixes
-Fix problem with RSA key sizes that are not a multiple of 8.
This affected use of SSH keys in particular
-Fix crash related to secure memory
- Updating package for p5 module Net::DNS::SEC from 0.14nb1 to 0.15
- Adjusting / reordering dependencies according to META.yml
Upstream changes:
***0.15 December 31, 2008
Fix: digestbin not set when an empty value passed to hash.
Feature: Added DLV (rfcc 4431). The RR object is simply a clone of
the DS RR and inherits ... everything
Feature: Added NSEC3 and NSEC3PARAM support (RFC5155).
This adds Mime::Base32 to the module dependency list.
The RR type was still experimental at that time and is maintained
in Net::DNS::RR.
Fix: Test script recognizes change in Time::Local. Note that
Time::Local does not deal with dates beyond 03:14:07 UTC on
Tuesday, 19 January 2038. Therefore this code has a year 2038
problem.
Fix: DS create_from_hash now produces objects that can create
wireformat.
Other: minor changes to the debug statements
added t/05-rr.t (and identified a couple of bugs using it)
Fix: a few inconsistencies with respect to parsing of trailing dots.
During development the test signatures generated with the BIND tools
were re-generated in order to troubleshoot a bug that (most
probably) was caused by a version incompatibility between Net::DNS
and Net::DNS::SEC. Before release the original test from the 0.14
release were ran against this version too.
