Clean up the package a little, and merge in patches from the shared
nagios-plugin-* packages to avoid duplication. Changes since 2.0.3:
2.2.1 2017-04-19
FIXES
check_users: not accepting zero as the threshold
check_http: reports warning where it should report ok with -e
check_snmp: does not work with -6 --ipv6 flags
check_swap: threshold calculation in bytes requires subtracting 65
check_uptime: fixed backward help text for thresholds
check_http: Don’t prematurely report success when checking HTTP TLS cert validity
check_http: fix parsing the last header
check_mailq: Fix for Postfix and better Sudo Checking
configure.ac: Fix spelling error
check_ntp_peer: requires newline when there is a socket timeout (fix in netutils.c)
check_users: segmentation fault if both thresholds are not provided
check_dns: DNS CRITICAL - expected '{hostname}.' but got 'name = {hostname}.'
check_mailq: Nullmailer Regex is not working for Ubuntu 16.04
check_swap: Downstream Fedora patch: Prevent check_swap from returning OK, if no swap activated
Building RPMs on Amazon Linux - Add 'install-root' on line 165 of spec file
2.2.0 2017-01-19
ENHANCEMENTS
check_flexlm: if `-F <license file>` is not specified, will use `LM_LICENSE_FILE` environment var
check_load: Added per cpu load average message
check_smtp: add -L flag to support LMTP (LHLO instead of HELO/EHLO)
FIXES
check_http: -e breaks -f
check_mrtg: Add state to status output
check_ping: ping runs 30 times when host is down
check_icmp: does not have the -p argument in the help
check_dns: Segfaulting with timeout > 26 sec
check_disk: missing -lrt on Solaris
check_http: segmentation fault
check_http: help text update for virtual hosts
check_snmp: Thresholds were being shown twice
check_hpjd: some jd 610 cards have a false flag that printer is offline
check_http: Handle reference redirect like //www.site.org/test
check_disk: alerts issued too soon
fix: Allocator sizeof operand mismatch
fix: Dead assignment
Shellcheck: fix most of the shellcheck warnings.
check_ntp: touch ntp servers at most once every seconds
check_dns: authoritative test (-A) is broken
check_dns: reports TXT records incorrectly
check_file_age: does not handle filenames WITHOUT space!
de,fr.po: fix syntax errors end-of-line within string
lib/parse_ini.c: fix gcc warning: implicit declaration of function ‘idpriv_temp_drop’ and ‘idpriv_temp_restore’
add openssl 1.1 support
2.1.4 2016-11-17
FIXES
check_http: Don't include default Accept header if one is provided
check_disk: added "fuse.gvfsd-fuse" to list of fs types to ignore
check_http: Fixed non-text chunked-encoded decoding
check_http: segmentation fault (FreeBSD)
check_dns: Update IF_RECORD to not erase query_found
check_http: SSL Certificate check returns 12:00:00AM <local timezone>
check_http: -u is misleading. Changed help text
check_file_age: does not handle filenames with space
check_snmp: units label option outputs the label in the incorrect location
plugins-root/check_dhcp.c: fix a potential segfault
check_users: not correctly detecting thresholds
2.1.3 2016-09-12
ENHANCEMENTS
SNI support in check_tcp (ddbilik)
check_disk_smb.pl: add support for -k for kerberos authentication
check_file_age.c: allow wildcard matching
FIXES
check_tcp.c: tools/build_perl_modules hardcodes the perl used
check_game.c: reports ping as number of players (Jason Rivers)
fix some gcc5 warnings (Mario Trangoni)
check_cluster.c: Update wording in comments (Troy Lea)
check_nagios.c: could not locate a running nagios process
check_swap.c: does not accept threshold of zero
check_swap.c: uses inconsistent checks on negative thresholds
check_snmp.c: --offset does not appear to do anything (Troy Lea)
sslutils.c: output has first line of "SSL Version: xxxxxx"; affects anything using sslutils, including check_http, check_dhcp and others
utils_cmd.c: when using ssh (or check-by-ssh) with ControlMaster/ControlPersist, nagios times out the first time and one gets zombie processes (Gordon Messmer)
2.1.2 2016-08-01
SECURITY FIXES
ENHANCEMENTS
check_snmp's performance data now also includes warning/critical thresholds
New check_snmp "-N" option to specify SNMPv3 context name
New check_nt "-l" parameters: seconds|minutes|hours|days
New check_mailq -s option which tells the plugin to use sudo(8)
New -W/-C option for check_ldap to check number of entries (Gerhard Lausser)
The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2" to force TLSv1.1 and TLSv1.2 connections, respectively
The check_http -S/--ssl option now allows for specifying the desired protocol with a "+" suffix to also accept newer versions
New check_disk "-v" option to show troubled partition in verbose mode
check_log.sh: Added a parameter -w (--max_warning) defining upper value to return a warning code
check_ldap: Add support for LDAP URIs.
check_file_age: Provide performance data
check_by_ssh: added --hostname support
check_ifstatus.pl: Add check_ifstatus option to ignore interfaces by name
check_snmp: Introduce support for SNMPv3 context using "-N" option
check_snmp.c: Added IPv6 support
check_http: Added support for checking SSL-Websites through Proxies
FIXES
check_dig can now also use "drill" instead of "dig"
check_dig honor the -4 and -6 switches
check_ntp_peer: do not use uninitialized results for max state
check_log.sh, check_oracle.sh, check_sensors.sh: Setting PATH at first
check_log.sh: dropping path from basename while evaluating PROGNAME
check_tcp: Fix check_jabber to work with Openfire servers
check_ifstatus.pl: Fix "-n" and "-u" options to ignore if either is set, not just both
check_mrtgtraf: Fix perfdata to comply with perfdata UOM definition
check_real, check_ntp: fix null termination
check_apt: fix memset
check_ssh: change warning to critical for protocol/version errors
utils_cmd.c: avoid a segfault, if ulimit is set to unlimited
utils_cmd.c: make constants from maxfd values
configure.ac: Added particular ps command for HP-UX
check_disk: Fix pthread start routine type
check_http: Make header_value() and chunked-encoding decoding more robust
check_http: fix Host header if explicitly set with -k
sslutils.c: Forcing further restriction of ciphers for current security concerns
check_nagios, check_procs: Enable check_proc to monitor processes in PID name-spaced environments.
check_dhcp.c: use /dev/urandom if available
check_http.c: Don't decode page if it's not there
check_disk.c: Prevent large tide values from truncation
pst3.c: Fix for unclosed filehandle in pst3 on Solaris
check_snmp: Timeticks are not being parsed correctly before performance data
multiple *.h files: standardized header include fences
multiple plugins/*.c files: fix unsafe signal handling
sslutils.c: Fix compilation with GnuTLS which doesn't provide SSL_CTX_check_private_key()
check_mailq.pl: fixed mailer names
check_swap.c: Improving output when swap space has zero size
check_icmp.c: Use kernel reception time on ICMP packets to compute rtt.
check_icmp.c: make use of MSG_CONFIRM optional
check_ldap.c: add counting of entries to check_ldap
utils.c: add sperfdata() function which can handle threshold ranges
sslutils.c: Check if OpenSSL supports SSLv3.
check_dhcp.c: Fixes segfaults when running via monitoring worker (off-by-one)
check_fping.c: autodetect ipv6 addresses
sslutils.c: optimize output if certificate expires in less than 24h
check_smtp.c: Let "-D" option imply "-S". Also QUIT SMTP connection when "-D" is used
check_smtp.c: modified SSL check for use with -e
check_tcp.c: Validate sent data size
check_dns.c: conditional assignment
check_dns.c: macro querytypes and auto cnames
utils_cmd.c, utils_base.c: Multiple resource leaks
check_http.c: Increase MAX_RE_SIZE from 256 to 2048
check_procs.c: Changed the ps command args from axwo to axwwo allowing for longer output
check_http.c: Allow a server to reply using only 'HTTP/1.x 200 OK' and a body, with no headers
check_nt.c: check_nt does not correctly report a DNS entry it cannot resolve
check_dhcp.c: check_dhcp broken on BSD
TESTS
check_procs.t: Add delay after forking in test to avoid race condition
test.pl.in: Use "C" locale when running test suite
check_http.t: Adjust date strings to the now-localized output
check_dns.t - Fix Perl Warning. perl doesn't understand /d within "".
check_snmp.t: skip extended snmp tests if snmpd has no perl support
check_snmp.t: fix snmp test for included threshold
check_http.t: fix tests for certificates expire date with seconds
check_http.t: add faketime based tests for check_http
LOCALIZATION
2.1.0 30th July 2015
SECURITY FIXES
ssl_utils.c - Disable SSLv3 & SSLv2 autonegotiation by default to limit POODLE and other weak cipher attacks (sreinhardt)
ENHANCEMENTS
Timeout States Implemented - Plugins that support a timeout state will now also support specifying the exit state in case of timeout with the syntax -t <timeout>:<state> (abrist)
Perl plugins now use FindBin for path discovery, obsoleting the nasty AWK script (evgeni, abrist)
check_http.c - Added support for chunked transfer-encoding (koenwtje, dermoth, sreinhardt)
check_radius.c - Added support for the FreeRADIUS Client library (weiss)
check_snmp.c - Added thresholds to performance data (seemuellera)
check_snmp.c - Added new option (-N) for SNMPv3 context (Johannes Engel)
check_snmp.c - Added IPv6 support (abrist)
check_ldap.c - Added a new option (-U) for LDAP URI support (qris)
check_ifstatus.pl - Added new option (-n) to exclude interfaces (peelman, weiss)
check_file_age.pl - Performance data output added (hggh)
check_mailq.pl - Now supports sudo (Christopher Schultz, weiss)
check_log.sh - Added a new option (-w) defining upper value to return a warning code (arvanus)
FIXES
check_by_ssh.c - Added --hostname support (sni)
check_dbi.c - Spelling corrections (sreinhardt)
check_dig.c - Fixed to work with dig/drill tools and ip version switch is now respected (abgandar)
check_disk.c - Fix for hanging filesystems (Gerhard Lausser)
check_disk.c - Partitions in problem state now reported in verbose mode (waja)
check_disk.c - Prevent large tide values from truncation (JesperForsberg)
check_dns.c - Server specific fixes and other cleanup (sreinhardt)
check_http.c - Some small changes for readability (koenwtje)
check_mrtgtraf.c - Added verbose output (sreinhardt)
check_mrtgtraf.c - Perfdata now complies with UOM definition (Bobzikwick)
check_ntp_peer.c - No longer uses uninitialized results for max state (sni)
check_procs.c - Rare race condition fixed (Mikael Falkvidd)
check_ssh.c - Now exits with CRITICAL when version/protocol string check fails to match (sni)
check_tcp.c - Help description of escape characters now correct (Sebastian Herbszt)
check_tcp.c - Fix to support Openfire servers with check_jabber (weiss)
check_ups.c - Spelling corrections (sreinhardt)
pst3.c - Fix for unclosed file handle in pst3 on Solaris (jwinkle01)
plugins-scripts/*.sh - Trusted path fixes (waja)
netutils.h - Decreased max path to 104 bytes to compensate for BSD paths (sreinhardt)
configure.ac - Fix for HP-UX ps command (Tontonitch)
lib/utils_cmd.c - Fix for potential segfault when ulimits are set to unlimited (nafets)
lib/parse_ini.c - Many small fixes from coverity scans and the community (sreinhardt, weiss)
lib/util_base.c - Code cleanup (sreinhardt)
lib/utils_base.c - Add EUID to state retention path for multi-user permissions support (sreinhardt)
po/* - Spelling corrections (sreinhardt)
Multiple resource leaks fixed (sreinhardt)
Many other small fixes and cleanup caught by coverity (multiple contributors)
TESTS
Many small fixes to tests (multiple contributors)
LOCALIZATION
Many small fixes for locales and localizations (multiple contributors)
This package was last updated in 2004; since then it has changed maintainers
and looks quite different. An incomplete changelog is as follows:
Version 1.3.1 NOV ??
Complete rewrite of the TCP state machine, now handles flows larger
than 4GiB.
Version 1.3.0 SEP 30 2012
Release for end of FY2012, includes bug fixes, better support for
autoconf, DFXML standardizations, and the ability to compile under
mingw for Windows (that was a LOT of work).
Version 1.2.7 May 24 2012 (GIT)
Version 1.2.7 offers two significant features over previous versions
relating to the processing of the -r and the new -R options.
-r file1.pcap - This option specifies a pcap file to be read. New with
    version 1.2.7, the -r flag may be repeated any number of times.
-R file0.pcap - This option, new with version 1.2.7, allows a file to be
    specified that was captured in time *before* the file specified with
    -r. This option allows TCP sessions that started in file0.pcap and
    which continued into file1.pcap to be properly started. This option
    is useful when some external process makes packet capture files at
    regular intervals and then the files are reassembled later. Typically
    these files result from tcpdump run with the -w or -C options.
Version 1.2 March 15 2012 (SVN )
Version 1.2 is the first to include post-processing of TCP connections
integrated directly into the tcpflow program itself. Post-processing
is optional and is performed on a per-connection basis when the
connection is closed.
The following post-processing methods are currently defined.
-FM - Compute the MD5 hash value of every stream on close. Currently
    MD5 hashes are only computed for TCP streams that contain packets
    transmitted contiguously. -FM processing can happen even when output
    is suppressed. The MD5 is written into the DFXML file.
-AH - Detect Email/HTTP responses and separate headers from body. This
    requires that the output files be captured. If the output file is
    208.111.153.175.00080-192.168.001.064.37314,
    then the post-processing will create the files:
    208.111.153.175.00080-192.168.001.064.37314-HTTP
    208.111.153.175.00080-192.168.001.064.37314-HTTPBODY
    If the HTTPBODY was compressed with GZIP, you may get a third file
    as well:
    208.111.153.175.00080-192.168.001.064.37314-HTTPBODY-GZIP
    Additional information about these streams, such as their MD5 hash
    value, is also written to the DFXML file.
Version 1.1.0 19 January 2012 (SVN 8118)
Version 1.1 represents a significant rewrite of tcpflow. All users are
encouraged to upgrade.
Significant changes include:
* Entire code base migrated to C++; code generally improved. tcpflow's
original hash table has been replaced with a tr1::unordered_map which
should offer significantly more scalability.
* tcpflow now automatically expires out old connections. This finally
ends the program's memory-hogging problem. (You can disable this
behavior with -P, which makes tcpflow run faster because it never
cleans up after itself. That's fine if you are working with fewer
than a million connections.)
* Multiple connections with the same (source/destination) are now
detected and stored in different files. This is significant, as the
previous implementation would make a single file 1-2GB in length if
you had the same host/port pairs with two different flows. Additional
files have the same filename with "c0001", "c0002" appended.
* Filenames may now be prefixed with either the ISO8601 time or a Unix
timestamp indicating the time that the connection was first seen.
* tcpflow will now save a DFXML file containing information for each
flow that it reconstructs.
* The following new options are now implemented:
-o outdir --- now works (previously was not implemented)
-X xmfile --- now reports execution results in a DFXML file. (Version
    1.1 will include complete notion in the XML file of every TCP
    connection as a DFXML <fileobject>.)
-Fc --- Every file has the 'cXXXX' postfix, rather than just the files
    with duplicate source/destination.
-Ft --- Every file has the <time_t>T prefix.
-FT --- Every file has an ISO8601 time prefix, e.g. 2012-01-01T09:45:15Z
-mNNNN --- Specifies the minimum number of bytes that need to be skipped
    in a TCP connection before a new
-Lname --- use the named semaphore 'name' to prevent multiple tcpflow
    processes printing to standard output from overprinting each other.
-P --- do not prune the tcp connection table.
Other improvements include:
* Support for IPv6
* Support for VLANs
* The default filter which was causing problems under MacOS has been
removed.
Version 1.0.4 November 24, 2011
* Default filter changed to ""; previous default filter was causing
problems on Macs.
Version 1.0.2 September 30, 2011
* IPv6 code added
Version 1.0.0 January 2011
* Updated to support VLANs. VLAN packets are marked by hex 0x8100
following the destination and source MAC addresses, followed by the
16-bit VLAN address, followed by 0x0800 marking the beginning of the
traditional IP header.
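As an added illustration of the frame layout just described (example code, not tcpflow's own): a small C parser that locates the IPv4 header in a raw Ethernet frame whether or not the 0x8100 tag is present, bounds-checking every read so a truncated capture cannot be read past. It goes one step beyond the entry above by splitting the 16-bit tag into its 12-bit VLAN ID; the two sample frames are constructed, not real captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN 0x8100   /* 802.1Q tag marker after the MAC addresses */
#define ETHERTYPE_IPV4 0x0800   /* start of the traditional IP header */

/* What the parser learned about one frame. */
struct frame_info {
    int      has_vlan;   /* 1 when an 802.1Q tag was present */
    uint16_t vlan_id;    /* 12-bit VLAN ID from the 16-bit tag, 0 if untagged */
    uint16_t ethertype;  /* ethertype of the payload after any tag */
    size_t   ip_offset;  /* byte offset of the IPv4 header, valid on success */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk the layout: 6-byte dst MAC, 6-byte src MAC, then either 0x0800
 * directly or 0x8100, a 16-bit tag (PCP:3 DEI:1 VID:12) and then 0x0800.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4. */
int locate_ip_header(const uint8_t *frame, size_t len, struct frame_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14)                        /* dst + src + ethertype */
        return -1;
    size_t off = 12;
    uint16_t type = be16(frame + off);
    off += 2;
    if (type == ETHERTYPE_VLAN) {
        if (len < 18)                    /* tag + inner ethertype */
            return -1;
        uint16_t tci = be16(frame + off);
        out->has_vlan = 1;
        out->vlan_id = tci & 0x0fffu;    /* low 12 bits are the VLAN ID */
        off += 2;
        type = be16(frame + off);
        off += 2;
    }
    out->ethertype = type;
    if (type != ETHERTYPE_IPV4)
        return -1;
    if (len < off + 20 || (frame[off] >> 4) != 4)  /* minimal IPv4 header */
        return -1;
    out->ip_offset = off;
    return 0;
}

/* Single-value wrappers: -1 on any parse failure. */
long ip_header_offset(const uint8_t *frame, size_t len)
{
    struct frame_info fi;
    return locate_ip_header(frame, len, &fi) == 0 ? (long)fi.ip_offset : -1;
}

int vlan_id_of(const uint8_t *frame, size_t len)    /* 0 means untagged */
{
    struct frame_info fi;
    return locate_ip_header(frame, len, &fi) == 0 ? (int)fi.vlan_id : -1;
}

/* Constructed sample frames: MACs, optional tag, then a 20-byte IPv4 header. */
const uint8_t tagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,  /* dst, src */
    0x81,0x00, 0x20,0x64,             /* 0x8100, TCI: PCP=1 DEI=0 VID=100 */
    0x08,0x00,                        /* IPv4 follows */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x40, 0xd0,0x6f,0x99,0xaf };
const uint8_t untagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00,                        /* no tag: IPv4 immediately */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x40, 0xd0,0x6f,0x99,0xaf };

int main(void)
{
    printf("tagged:    ip at %ld, vlan %d\n",
           ip_header_offset(tagged_frame, sizeof tagged_frame),
           vlan_id_of(tagged_frame, sizeof tagged_frame));
    printf("untagged:  ip at %ld, vlan %d\n",
           ip_header_offset(untagged_frame, sizeof untagged_frame),
           vlan_id_of(untagged_frame, sizeof untagged_frame));
    printf("truncated: %ld\n", ip_header_offset(tagged_frame, 16));
    return 0;
}
```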
Version 0.30 October 2007
* Simson Garfinkel <simsong@acm.org> is now the maintainer of this
package
* Modified to set the time of each tcpflow with the time of the first
packet.
* Created a regression test, so "make check" and "make distcheck" now
work.
* Updated to modern autoconf tools.
Xandikos is a lightweight yet complete CardDAV/CalDAV server that
backs onto a Git repository.
Xandikos takes its name from the month corresponding to March in the
ancient Macedonian calendar, used in Macedon in the first millennium
BC.
**** 1.11 Jun 26, 2017
Fix rt.cpan.org #122138
Send a UDP query with udppacketsize=512
Feature
Extract default resolver configuration from OS/390 MVS datasets.
Thanks to Sandra Carroll and Yaroslav Kuzmin for their assistance.
- BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
- BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
- BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
- DOC: fix references to the section about the unix socket
- BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros
- BUG/MINOR: log: pin the front connection when front ip/ports are logged
1.7.6:
- DOC: changed "block"(deprecated) examples to http-request deny
- DOC: add few comments to examples.
- DOC: update sample code for PROXY protocol
- DOC: mention lighttpd 1.4.46 implements PROXY
- DOC: stick-table is available in frontend sections
- BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
- BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
- BUG/MINOR: arg: don't try to add an argument on failed memory allocation
- BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
- BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
- MINOR: lua: ensure the memory allocator is used all the time
- CLEANUP: logs: typo: simgle => single
- BUG/MEDIUM: acl: properly release unused args in prune_acl_expr()
- BUG/MAJOR: Use -fwrapv.
- BUG/MINOR: server: don't use "proxy" when px is really meant.
- BUG/MINOR: server: missing default server 'resolvers' setting duplication.
- DOC: add layer 4 links/cross reference to "block" keyword.
- DOC: errloc/errorloc302/errorloc303 missing status codes.
- BUG/MEDIUM: lua: memory leak
- MEDIUM: config: don't check config validity when there are fatal errors
- BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
- MINOR/DOC: lua: just precise one thing
- BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request
- DOC: update RFC references
- BUG/MINOR: checks: don't send proxy protocol with agent checks
- BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
- BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
- BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04
- BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
- BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
- BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
- BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
- BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
- BUG/MAJOR: server: Segfault after parsing server state file.
- BUG/MEDIUM: unix: never unlink a unix socket from the file system
- scripts: create-release pass -n to tail
- SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity
Changes in version 0.3.0.9 - 2017-06-29
Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.
This release also backports several other bugfixes from the 0.3.1.x
series.
o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
- When choosing which guard to use for a circuit, avoid the exit's
family along with the exit itself. Previously, the new guard
selection logic avoided the exit, but did not consider its family.
Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-006
and CVE-2017-0377.
o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
- Don't block bootstrapping when a primary bridge is offline and we
can't get its descriptor. Fixes bug 22325; fixes one case of bug
21969; bugfix on 0.3.0.3-alpha.
o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
- When starting with an old consensus, do not add new entry guards
unless the consensus is "reasonably live" (under 1 day old). Fixes
one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
- Reject version numbers with non-numeric prefixes (such as +, -, or
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms. Fixes bug 21507
and part of 21508; bugfix on 0.0.8pre1.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
- Permit the fchmod system call, to avoid crashing on startup when
starting with the seccomp2 sandbox and an unexpected set of
permissions on the data directory or its contents. Fixes bug
22516; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes are
still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to make
sure that any other cell-handling bugs can't expose bytes to the
network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.
Python, which allows Python developers to write software that makes use of
services like Amazon S3 and Amazon EC2. You can find the latest, most
up-to-date documentation at Read the Docs, including a list of services that
are supported. To see only those features which have been released, check out
the stable docs.
This project is not currently GA. If you are planning to use this code in
production, make sure to lock to a minor version as interfaces may break from
minor version to minor version. For a basic, stable interface of s3transfer,
try the interfaces exposed in boto3.
This is a regularly scheduled stable release.
Resolved issues:
#4100: Icons and directory information in local device summary is consistent with that in folders
#4177: A data race in KCP & STUN is fixed
#4203: Ignore patterns on newly accepted folders are no longer erroneously inherited from an earlier added folder
--- 9.9.10-P2 released ---
4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
--- 9.10.5-P2 released ---
4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
This release features a fix for the ed25519 signer. This signer hashed the
message before signing, resulting in unverifiable signatures. Also on the
Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16)
by using libdecaf.
Bug fixes
- Do not hash the message in the ed25519 signer
- Make URI integers 16 bits, fixes #5443
- configure.ac: Corrects syntax error in test statement on existence of libcrypto_ecdsa
- configure.ac: Fix quoting issue, fixes #5401
- configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
- configure.ac: Check if we can link against libatomic if needed
- Fix typo in ldapbackend.cc from issue #5091
- Sort NSEC record case insensitive
- Make sure NSEC ordernames are always lower case
- API: correctly take TTL from first record even if we are at the last comment
- Fix AtomicCounter unit tests on 32-bit
- Fix negative port detection for IPv6 addresses on 32-bit
- Remove support for 'right' timezones, as this code turned out to be broken
- Lowercase the TSIG algorithm name in hash computation
- Handle exceptions raised by closesocket()
- Don't leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
- TinyCDB backend: Don't leak a CDB object in case of bogus data
Improvements
- ODBC backend: Allow query logging
- Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer
- YaHTTP: Sync with upstream changes
- Send a notification to all slave servers after every dnsupdate
- Add option to set a global lua-axfr-script value
- dnsreplay: Add --source-ip and --source-port options
- calidns: Use the correct socket family (IPv4 / IPv6)
- Add an option to allow AXFR of zones with a different (higher/lower) serial
- API: Make trailing dot handling consistent with pdnsutil
- SuffixMatchNode: Fix insertion issue for an existing node
- Do not resolve the NS-records for NOTIFY targets if the "only-notify" whitelist is empty, as a target will never match an empty whitelist.
- Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
- Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend
- Wrap long command lines for readability
- Document where we set procname=${name} for rc.d
- Detach long-running processes from controlling terminal
- Configurable path to tcpserver
- Configurable user and group names:
DJBDNS_AXFR_USER?= axfrdns
DJBDNS_CACHE_USER?= dnscache
DJBDNS_RBL_USER?= rbldns
DJBDNS_TINY_USER?= tinydns
DJBDNS_DJBDNS_GROUP?= djbdns
Bump version.
Ignore auth-nocache for auth-user-pass if auth-token is pushed
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Make openvpn-plugin.h self-contained again.
Pass correct buffer size to GetModuleFileNameW()
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Fix gateway detection with OpenBSD routing domains