Commit graph

6235 commits

Author SHA1 Message Date
gls
5104aceff8 Update security/py-ssh to 1.7.13.
Upstream changes:


## ssh 1.7.13 (2012-02-13)

* #5: Moved a `fcntl` import closer to where it's used to help avoid
  `ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
  catch + suggested fix.
* #4: Updated implementation of WinPageant integration to work on 64-bit
  Windows. Thanks again to Jason Coombs for the patch.
2012-04-13 21:35:18 +00:00
wiz
af91d2f0cd Fix path to rc.subr.
From Sascha Wildner in PR 46323.
2012-04-12 08:21:54 +00:00
wiz
4773e0d7e2 All supported python versions in pkgsrc support eggs, so remove
${PLIST.eggfile} from PLISTs and support code from lang/python.
2012-04-08 20:21:41 +00:00
wiz
4faa202860 Remove python24 and all traces of it from pkgsrc.
Remove devel/py-ctypes (only needed by and supporting python24).
Remove PYTHON_VERSIONS_ACCEPTED and PYTHON_VERSIONS_INCOMPATIBLE
lines that just mirror defaults now.
Miscellaneous cleanup while editing all these files.
2012-04-08 19:08:44 +00:00
dholland
cfc34ea9af Add missing pam.bl3.mk 2012-04-07 22:34:13 +00:00
joerg
24f6e2bdb2 Revert. 2012-04-07 19:38:43 +00:00
joerg
4089256956 Apply patches as intended. 2012-04-07 19:34:15 +00:00
dholland
9c603f48cf Regen properly for patches in last commit. Hi Joerg... 2012-04-07 19:27:23 +00:00
joerg
15b4455bdb Fix build on NetBSD/current. 2012-04-07 13:16:23 +00:00
obache
24cbc6ceba Allow to build with non-native PAM on *BSD. 2012-04-07 01:53:18 +00:00
obache
0f98a68d97 allow to build with skipping harmless warnings. 2012-04-05 04:55:42 +00:00
adam
298424a20e Fix building with clang on i386 (PR#46177) 2012-04-03 15:00:30 +00:00
markd
89116a6c43 Add kde-workspace4 dependency 2012-04-03 08:13:30 +00:00
markd
1b342129e3 add kgpg 2012-03-26 09:27:27 +00:00
markd
fc6a1c2ebd import kgpg - part of KDE SC 4.8.0 (that got missed)
KGpg is a simple interface for GnuPG, a powerful encryption utility. It
can help you set up and manage your keys, import and export keys, view key
signatures, trust status and expiry dates.
2012-03-26 09:26:12 +00:00
taca
6895b0face Bump PKGREVISION reflecting the default Ruby's version change. 2012-03-22 14:25:25 +00:00
hans
fd428a486e Fix build on SunOS with gcc by replacing sunpro arguments with their gcc
counterparts. The wrappers will replace them again for sunpro builds.
2012-03-21 18:24:00 +00:00
gdt
33513d3b30 Split version into sane and excessive parts.
Upstream's version is 0.6.0.X, where X appears to be a large integer
in decimal that corresponds to a git sha1 hash.  Such large numbers
violate the assumption, true with just about every previous package,
that version number components will fit in an int --- code that
handles version numbers does not use a multiprecision integer library
like gmp.  To address this, split the version into what would have
been the version under normal procedures (0.6.0), and put the bignum
into ${VERSION_EXCESSIVE}, allowing it to be used in DISTNAME but not
PKGNAME.
2012-03-20 23:38:26 +00:00
dholland
9c06a86a8a Add missing PAM buildlink 2012-03-20 16:27:40 +00:00
wiz
6a5c3ce827 Update to 2.12:
* Noteworthy changes in release 2.12 (2012-03-19) [stable]
- Cleanup license headers.
- build: Update gnulib files.
- Corrected DER decoding issue (reported by Matthew Hall).
  Added self check to detect the problem, see tests/Test_overflow.c.
  This problem can lead to at least remotely triggered crashes, see
  further analysis on the libtasn1 mailing list.
2012-03-20 13:07:50 +00:00
taca
2dff5d0eec Add and enable ruby-rc4. 2012-03-20 13:06:40 +00:00
taca
d94d0cbb32 Importing security/ruby-rc4 version 0.1.5.
RubyRC4 is a pure Ruby implementation of the RC4 algorithm.
2012-03-20 13:05:41 +00:00
markd
8bda9fec69 add ksecrets, kwallet 2012-03-20 05:57:07 +00:00
markd
4ce6318654 Add ksecrets and kwallet. Part of KDE SC 4.8.0 2012-03-20 05:55:33 +00:00
pettai
4e133030cc pam-krb5 4.5
* Suppress the notice that the password is being changed because it's
    expired if force_first_pass or use_first_pass is set in the password
    stack, indicating that it's stacked with another module that's also
    doing password changes.  This is arguable, but without this change the
    notification message of why the password is being changed shows up
    confusingly in the middle of the password change interaction.
  * Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
    reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
    keys even if the supplied password is wrong.  Work around this by
    confirming that the PAM module can obtain tickets for kadmin/changepw
    before returning a password expiration error instead of an invalid
    password error.
  * The location of the temporary root-owned ticket cache created during
    the authentication process is now also controlled by the ccache_dir
    option (but not the ccache option) rather than forced to be in /tmp.
    This will allow system administrators to configure an alternative
    cache directory so that pam-krb5 can continue working when /tmp is
    full.
  * Report more specific errors in syslog if authorization checks (such as
    .k5login checks) fail.
  * Pass a NULL principal to krb5_set_password with MIT client libraries
    to prefer the older change password protocol for compatibility with
    older KDCs.  This is not necessary on Heimdal since Heimdal's
    krb5_set_password tries both protocols.
  * Improve logging and authorization checks when defer_pwchange is set
    and a user authenticates with an expired password.
  * When probing for Kerberos libraries, always add any supplemental
    libraries found to that point to the link command.  This will fix
    configure failures on platforms without working transitive shared
    library dependencies.
  * Close some memory leaks where unparsed Kerberos principal names were
    never freed.
  * Restructure the code to work with OpenPAM's default PAM build
    machinery, which exports a struct containing module entry points
    rather than public pam_sm_* functions.
  * In debug logging, report symbolic names for PAM flags on PAM function
    entry rather than the numeric PAM flags.  This helps with automated
    testing and with debugging PAM problems on different operating
    systems.
  * Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
    the header file on NetBSD systems.
  * Replace the Kerberos compatibility layer with equivalent but
    better-structured code from rra-c-util 4.0.
  * Avoid krb5-config and use manual library probing if --with-krb5-lib or
    --with-krb5-include were given to configure.  This avoids having to
    point configure at a nonexistent krb5-config to override its results.
  * Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
    configure, to avoid a conflict with the variable used by the Kerberos
    libraries to find krb5.conf.
  * Change references to Kerberos v5 to just Kerberos in the documentation.
  * Update to rra-c-util 4.0
  * Update to C TAP Harness 1.9
2012-03-19 19:31:24 +00:00
dholland
2a8593c947 Makefile is not MAKE_JOBS_SAFE as shipped. Patch it up, since it doesn't
appear to require or be using gmake.
2012-03-19 03:07:45 +00:00
dholland
da6bd51025 Makefile is not MAKE_JOBS_SAFE as shipped. Patch it up, since it doesn't
appear to require or be using gmake.
2012-03-19 02:12:28 +00:00
pettai
f5a56fca3d 1.12.1 (2/7/12)
- Minor bug fix release
    - Fix perl Validator module so it compiles after a header move
    - Make all OSes use the new dnssec-check gui as they should have

1.12                                                            (1/26/12)
 - New Features:

    - libval:       - Made improvements to support IPv6,
                      added the ability to fetch IPv6 glue
                    - Fixed the EDNS0 fallback behavior.
                    - Tidied up the locking semantics in libval.
                    - Added support for hard-coding validator configuration
                      information that gets used in the absence of other
                      configuration data. This feature allows the
                      validator library to be self-contained in
                      environments where setting up configuration data at
                      specific locations in the file system is not always
                      feasible.
                    - The library has been ported to the Android OS

    - rollerd:      - Added support for phase-specific commands. This allows
                      the zone operator to customize processing of the rollerd
                      utility during different rollerd phases.
                    - Added support for zone groups.  This allows a collection
                      of zones to be controlled as a group, rather than each of
                      those zones individually.
                    - Improved the manner in which rollerd indexes the zones
                      being managed, with the significantly decreased access
                      times for rollerd's data files.  This results in rollerd
                      being able to support a lot more zones with a single
                      rollerd instance.
                    - rollctl and the rollover GUI programs may have new
                      commands to allow for immediate termination of rollerd.

    - apps          - Added patch to enable local validation in NTP, with
                      the ability to handle a specific chicken and egg problem
                      related to the interdependency between DNSSEC and an
                      accurate system clock.

                    - Added a patch to enable DNSSEC validation in Qt
                      based applications

    - dnssec-check  - Completely rewritten GUI with many new features
                    - Now contains the ability to submit the results
                      to a central DNSSEC-Tools repository.  The
                      results will be analyzed and published on a
                      regular basis.  Please help us get started by
                      running dnssec-check on your networks!  Note
                      that it explains that it only sends hashed IP
                      addresses to our servers and the reports
                      generated will be aggregation summaries of the
                      data collected.
                    - It now runs on both Android and Harmattan (N9) devices

    - maketestzone  - Now produces zones with wildcards and changes to
                      NSEC  record signatures

    - dnssec-nodes  - parses unbound log files
                    - Initial work porting to Android

    - dnssec-system-tray
                    - parses unbound log files

1.11                                                            (9/30/11)
 - New Features:

    - libval:       - Significant improvements and bug fixes to the
                      asynchronous support.
                    - Added asynchronous version of val_getaddr_info.
                    - Some reworking of the asynchronous API and callbacks.
                      Note the asynchronous api is still under development and
                      subject to changes that break backwards compatibility.

    - rollerd:      - Added an experimental time-based method for queuing
                      rollover operations.  This original method (full list
                      of all zones) is the default queuing method, but the
                      new method can be used by editing the rollerd script.
                      rollctl and rollrec.pm were also modified to support
                      this change.
                    - Added support for merging a set of rollrec files.
                      rollctl and rollrec.pm were also modified to support
                      this change.

    - dnssec-nodes  - This graphical DNS debugging utility was greatly enhanced
                    - Now parses both bind and libval log files
                    - Multiple log files can be watched
                    - Nodes represent multiple data sets
                      internally, which are independently displayed
                      and tracked.
                    - Added support for searching for and
                      highlighting DNS data and DNSSEC status
                      results

    - dnssec-system-tray
                    - This utility can now report on BOGUS responses
                      detected in both libval and bind log files.
                    - Summary window revamped to group similar
                      messages together.

 Plus many more minor features and bug fixes
2012-03-18 19:23:27 +00:00
pettai
f395e4f141 OpenDNSSEC 1.3.7
* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
  even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
  the daemon will start after a power failure.

Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
  in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key
  material with leading zeroes. DNSSEC does not allow leading zeroes in key
  data. You are affected by this bug if your DNSKEY RDATA e.g. begins with
  "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize
  incoming data before adding it to the DNSKEY. Do not upgrade to this version
  if you are affected by the bug. You first need to go unsigned, then do the
  upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not
  produce data with leading zeroes and the bug will thus not affect you.


OpenDNSSEC 1.3.6

* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
  reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
  time, let worker wait with pushing sign operations until the queue is
  non-full.
* Signer Engine: Adjust some log messages.

Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
  help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
  attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
  signed file to an intermediate file first.
2012-03-18 17:38:46 +00:00
pettai
8fadef65fe SoftHSM 1.3.2
* Update the README with information on moving the database
  between different architectures.

Bugfixes:
* Fix the destruction order of the Singleton objects.
2012-03-18 15:11:07 +00:00
taca
cbc94c1215 Update ruby-net-ssh to 2.3.0.
=== 2.3.0 / 11 Jan 2012

* Support for hmac-sha2 and diffie-hellman-group-exchange-sha256 [Ryosuke Yamazaki]

=== 2.2.2 / 04 Jan 2012

* Fixed: Connection hangs on ServerVersion.new(socket, logger) [muffl0n]
* Avoid dying when unsupported auth mechanisms are defined [pcn]
2012-03-17 17:01:16 +00:00
gdt
b24bcab513 fix distinfo; patch-aa is gone 2012-03-16 00:15:15 +00:00
gdt
1d3af63e6e Set license (GPLv2, or boutique license not in pkgsrc/licenses). 2012-03-16 00:14:36 +00:00
gdt
3dd441ca12 Update to 0.6.0.1206569328141510525648634803928199668821045408958.
(Yes, that ridiculous version number really is what upstream calls it.)

No NEWS entry, but announcement includes:

2012-03-13  Zooko Wilcox-O'Hearn  <zooko@zooko.com>

      * src/pycryptopp/_version.py: release pycryptopp-0.6.0
      * add Ed25519 signatures (#75)
      * add XSalsa20 cipher (#40)
      * switch from darcs to git for revision control
      * pycryptopp version numbers now include a decimal encoding of *
      * reorganize the source tree and the version number generation
      * aesmodule.cpp: validate size of IV and throw exception if it
        is not 16 (#70)
      * fixed compile errors with gcc-4.7.0 (#78)
      * fixed compile errors concerning "CryptoPP::g_nullNameValuePairs" (#77)
      * suppress warnings from valgrind with new OpenSSL 1.0.1 on Fedora (#82)
      * raise Python exception instead of uncaught C++ exception
        (resulting in abort) when deserializing malformed RSA keys (#83)
2012-03-16 00:12:35 +00:00
adam
60b47b99bf Changes 2.12.17:
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
  modules. This is required on the child process after a fork.
* libgnutls: PKCS 11 objects that do not have ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added
2012-03-15 16:41:48 +00:00
obache
34a560cbb0 Bump PKGREVISION from default python to 2.7. 2012-03-15 11:53:20 +00:00
cegger
ae0d1bedcd configure script expects darwin-ppc-cc and not darwin-powerpc-cc.
'should be ok' joerg@
2012-03-14 22:48:58 +00:00
wiz
d8c2433036 Update MASTER_SITES' and HOMEPAGE'.
From patch by Bug Hunting.

Add 'isc' to licenses.
2012-03-14 14:20:38 +00:00
pettai
5f6dc1fe5d Imported pam-yubico, libyubikey, ykclient and ykpers 2012-03-13 15:36:37 +00:00
pettai
0be5726288 The Yubico PAM module provides an easy way to integrate the Yubikey
into your existing user authentication infrastructure.

Imported from pkgsrc-wip
2012-03-13 15:32:47 +00:00
pettai
8cc051e0ad The YubiKey Personalization package contains a library and
command line tool used to personalize (i.e., set an AES key) YubiKeys.

Imported from pkgsrc-wip
2012-03-13 15:30:07 +00:00
pettai
70e8c3639b Backout bad (over)import 2012-03-13 15:25:33 +00:00
pettai
6e24b666b5 This package implements online validation of Yubikey OTPs. It is written in C
and provides a shared library for use by other software.

Imported from pkgsrc-wip
2012-03-13 15:15:15 +00:00
pettai
70b02003bf This package makes up the low-level C software development kit for the
Yubico authentication device, the Yubikey.

Imported from pkgsrc-wip
2012-03-13 15:12:36 +00:00
fhajny
629defae17 On SunOS, heimdal never builds hcrypto when pkgsrc OpenSSL used. 2012-03-13 09:04:49 +00:00
fhajny
7dd210d5b0 Adding PLIST.SunOS 2012-03-13 08:01:01 +00:00
taca
80d56c141a Update openssl package to 0.9.8u.
Changes between 0.9.8t and 0.9.8u [12 Mar 2012]

  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]

  *) Fix CVE-2011-4619: make sure we really are receiving a
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]
2012-03-13 03:11:32 +00:00
fhajny
eb88b46c25 Value of _FILE_OFFSET_BITS corrected. Disabled static linking for Solaris 10
and later (no longer supports static linking).
2012-03-12 14:18:44 +00:00
shattered
3efad7a2c2 PR/39656 -- Use /var/heimdal as hdbdir, not /var. 2012-03-11 11:30:06 +00:00
fhajny
4d6a0dc9b3 Force --with-waitfunc=wait3 on SunOS, fixes several courier-* packages. 2012-03-09 15:15:30 +00:00