Bastille is a system hardening / lockdown program which enhances the
security of a Unix host. It configures daemons, system settings and
firewalls to be more secure. It can shut off unneeded services like rcp
and rlogin, and helps create "chroot jails" that help limit the
vulnerability of common Internet services like Web services and DNS.
This tool currently hardens Red Hat (Fedora Core, Enterprise and
Legacy/Classic), SuSE, Debian, Gentoo, Mandrake Linux, HP-UX, Mac OS X
and Turbo Linux.
If run in the preferred interactive mode, it can teach you a good deal
about security while personalizing your system security state.
Bastille can also assess and report on the state of a system, which may
serve as an aid to security administrators, auditors and system
administrators who wish to investigate the state of their system's
hardening without making changes to such. This assessment functionality
has only been tested on Red Hat Linux (Fedora, Legacy, Enterprise) and
SUSE systems.
gnutls-1.6.x (the stable branch).
No further PKGREVISION bumps necessary, because opencdk caused recursive
PKGREVISION bumps and afterwards gnutls wouldn't build.
Addresses PR pkg/36448.
Package change: Fix opencdk-config and opencdk.pc.
Noteworthy changes in version 0.6.1 (2007-05-12)
------------------------------------------------
* The opencdk.def file is included in the distribution archive,
fixes build failures on mingw32.
* Some bug fixes for the mingw32 build in combination with WINE.
* Now the decryption code uses the name in the literal packet
for the output file whenever this is possible.
* Take care of absolute file names in literal packets.
Noteworthy changes in version 0.6.0 (2007-05-XX)
------------------------------------------------
* Dropped all internal random, cipher, digest libs and only use gcrypt
for such tasks. The library should only provide functions dedicated
to parsing and packet creation for the protocol.
* Adjust code for the new Libgcrypt interface.
Now Libgcrypt >1.2.2 is required to build the code.
* This new version introduces an API change and thus incompatibilities
to prior versions.
* Lots of cleanups all over the place. This also includes simplification
for various code parts.
* Better support for larger files.
* Map the libgcrypt error directly and remove the
invalid CDK_Gcry_Error type.
* Add more regression tests for the various code parts.
* We do not support ElGamal signatures any longer.
* Merged patches from the other opencdk branch which is
currently used by GnuTLS.
* Provide user callback for the stream. As a sample
implementation, socket callbacks are implemented
and use in cdk_stream_sockopen().
* Drop most of the rfc1991 legacy format. This means
we do not generate any rfc1991 data, but we still
understand it. An exception is the packet header output.
* Removed gnulib interface for now because the lib
is currently not in use.
* Interfaces changes relative to 0.5.x
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
functions:
cdk_stream_tmp CHANGED: is now cdk_stream_tmp_new
cdk_stream_new_from_mem CHANGED: new argument and return error code
cdk_stream_control CHANGED: is no available any longer
cdk_stream_new_from_cbs NEW
cdk_stream_mmap_part NEW
cdk_keydb_new_from_file NEW
cdk_keydb_new_from_mem NEW
cdk_keydb_new_from_stream NEW
cdk_keydb_import CHANGED: second argument removed.
cdk_keydb_pk_cache_sigs DELETED
cdk_kbnode_write_to_mem_alloc NEW
cdk_lib_startup NEW
cdk_lib_shutdown NEW
cdk_handle_set_keyring NEW
cdk_handle_get_verify_result NEW
cdk_subpkt_find_next NEW
cdk_subpkt_find_nth NEW
cdk_set_progress_handler DELETED
cdk_userid_get_pref_array DELETED
cdk_pk_encrypt CHANGED: last argument is now gcry_mpi_t
cdk_pk_decrypt CHANGED: last argument is now gcry_mpi_t
cdk_pk_get_mpi CHANGED: new argument nwritten.
cdk_sk_get_mpi CHANGED: new argument nwritten.
cdk_pk_release NEW
cdk_sk_release NEW
cdk_pubkey_to_sexp NEW
cdk_seckey_to_sexp NEW
cdk_armor_encode_buffer NEW
cdk_keygen_set_mdc_feature DELETED
cdk_keygen_set_algo_info CHANGED: new argument usage.
cdk_seskey_new DELETED
cdk_seskey_free DELETED
cdk_dek_encode_pkcs1 CHANGED: not public any longer.
cdk_dek_decode_pkcs1 CHANGED: not public any longer.
cdk_stream_tell CHANGED: return type is now off_t
cdk_stream_seek CHANGED: argument is now off_t
cdk_pk_check_self_sig NEW
constants:
CDK_No_Data NEW
CDK_CTL_TRUSTMODEL DELETED
CDK_CTL_FORCE_DIGEST DELETED
CDK_COMPRESS_BZIP2 NEW
CDK_MD_SHA{256,384,512} NEW
CDK_MD_{TIGER, MD2} DELETED
CDK_CIPHER_{SAFER_SK128, DES_SK} DELETED
CDK_CTL_COMPAT DELETED
structures:
cdk_md_hd_t CHANGED: is now gcry_md_hd_t
cdk_cipher_hd_t CHANGED: is now gcry_cipher_hd_t
cdk_sesskey_t CHANGED: is now gcry_mpi_t
* Version 1.6.3 (released 2007-05-26)
** New API functions to extract DER encoded X.509 Subject/Issuer DN.
Suggested by Nate Nielsen <nielsen-list@memberwebs.com>. Backported
from the 1.7.x branch, see
<http://lists.gnu.org/archive/html/help-gnutls/2007-05/msg00029.html>.
** Have PKCS8 parser return better error codes.
Reported by Nate Nielsen <nielsen-list@memberwebs.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001653.html> and
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001654.html>.
** Fix mem leak for sessions with client authentication via certificates.
Reported by Andrew W. Nosenko <andrew.w.nosenko@gmail.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001539.html>.
** Fix building of 'tlsia' self test.
Earlier some gcc are known to build tlsia linking to
$prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in
the build directory, even though command line parameters look OK.
Changing order of some parameters fixes it.
** API and ABI modifications:
gnutls_x509_crt_get_raw_issuer_dn: ADD.
gnutls_x509_crt_get_raw_dn: ADD.
This release adds checking of a number of archive members to improve
protection from runaway dearchivers.
It fixes SQL quarantining of mail with a null sender, and recognizes
PostgreSQL error S8006.
Parsing of invalid header has been improved.
Calling 'finish' on a SA message object was added.
A nonstandard SMTP status code 254 is no longer used, and enforcing
of option 8BITMIME is avoid even on 8-bit contents.
Checking of eval status was improved to recognize additional failure
modes.
Disabling of MIME decoding and invoking of a file(1) utility has been
made possible. An AV entry for ArcaVir was added.
Lots of updates but some highlights in brief:
- Added base64 encoding support for ICMP payload additional table in base_qr
y_alert.php -- Juergen Leising
- Changed input type of the password field to actually be password in setup3
.php -- Nikns
- Fixed Time error in searches -- Jeff Kell
- Added FQDN to display -- Jonathan W Miner
- Fixed issues with graphing -- Kevin J
- Updated tons of HTML for complience -- Marek Cruz
-------------------
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
for the @rx operator and variables.
* Really set PCRE_DOTALL option when compiling the regular expression
for the @rx operator as the docs state.
* Fixed potential memory corruption when expanding macros.
* Fixed error when a collection was retrieved from storage in the same second
as creation by setting the rate to zero.
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
* Fixed the faulty REQUEST_FILENAME variable, which used to change
the internal Apache structures by mistake.
* Updates to quiet some compiler warnings.
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf)
Pkgsrc changes:
- Added support for installation to DESTDIR.
- p5-Digest-SHA is a new requirement.
Changes since version 0.12:
===========================
0.14 February 14, 2005
FIX: The introducion of the keytag warning triggered a bug with RSAMD5
keys, causing RSAMD5 keys not to be loaded.
0.13 December 9, 2005
FEAT: rt.cpan.org 14588
Added support for passing (a reference to) an array of keys to the
RRSIG verify function.
FIX/FEAT:
The Net::DNS::SEC::Private function will for RSA based keys verify if
the keytag in the filename is actually correct.
Since at parsing the value of the DNSKEY RR flags is not known we
test against the currently defined flag values 256 and 257.
If we cannot find a keytag match a warning is printed and Private
key generation fails
This inconsistency was spotted by Jakob Shlyter.
FEAT: Added support for SHA256 to the DS RR. Assigned the expected
digest type2 for SHA256 type hashes.
Note that this makes the Net::DNS::SEC depend on Digest::SHA instead
of Digest::SHA1.
The default digest type is still set to 1.
NB. The code makes assumptions about the IANA assignment of the
digest type. The assignment may change. Do not use SHA256 in
production zones!!
FIX: rt.cpan.org #15662
Roy Arends noticed and patched the label counting did not ignore
an initial asterisk label.
FIX: Wes Hardaker noticed the default TTL values for created signatures to
be different from the TTLs from the data that is being signed.
FIX: Wes Hardaker reported there was a problem with validating
RRsets that had ownernames with capitals.
The fix depends on a fix in Net::DNS::RR that is available in
version 0.53_03 or later of the Net::DNS distribution.
FEAT: Propper dealing with mnemonics for algorithm and digest type
added to DS
FIX/FEAT: Mnemonics were written as RSA/MD5 and RSA/SHA1. This has been
corrected tp RSASHA1 and RSAMD5, as in the IANA registry.
0.12_02 June 6, 2005 (beta 2 release for 0.13)
Bug: new_from_hash would not correctly create the RR since internally
typebm is used to store the data this has been fixed so that
the following works
Net::DNS::RR->new(name=>$name,
ttl=>$ttl,
type=>"NSEC",
nxtdname=>$nxtdname,
typelist=>join(" ",@types)
);
FEAT: Introduced the "use bytes" pragma to force character interpretation
of all the scalars. Any utf processing by perl makes the code behave
unpredictable.
0.12_01 April 18, 2005. (beta release for version 0.13)
FEAT (!!!): Changed the symantics of the Net::DNS::Keyset::verify method.
Read the perldoc for details. The requirement that each key in a
keyset has to be selfsigned has been loosened.
FEAT: Added a "carp" to the new methods of the NXT RR. Warning that
that record is depricated.
FEAT: Cleaned the tests so that RRSIG and DNSKEY are used except for
SIG0 based tests.
FEAT: Changed the name of the siginceptation[SIC] to siginception.
Thanks Jakob Schlyter for notifying me of this mistyping.
An alias for the method remains available.
FEAT: Renamed unset_sep() to clear_sep().
NOTE: To avoid confusion the Net::DNS::SIG::Private class has been
removed. Use Net::DNS::SEC::Private!
DOC: Added references to RFC 4033, RFC 4034 and RFC 4035. Rewrote parts
of the perlpod.
Pkgsrc changes:
- The package supports installation to DESTDIR
- A C compiler is necessary.
Changes since version 5.43:
===========================
5.44 Sat Oct 14 00:42:44 MST 2006
- removed SIGNATURE file from distribution
-- spurious errors from CPANPLUS can break build
- eliminated ppport.h header file
-- significantly reduces size of distribution
- modified C functions in src/hmac.c to use ANSI prototypes
-- thanks to Jarkko Hietaniemi for patch
Pkgsrc changes:
- Package supports installation to DESTDIR.
- Removed patch-aa (missing includes when using OpenSSL 0.9.8 were fixed).
- patch-ab corrects wrong test count.
Changes since version 0.22:
=====================================
0.24 Mon Nov 13 2006 08:21:14
- Fix a bug reported by Mark Martinec <Mark.Martinec@ijs.si>
where encrypt could segfault if called with insufficient
data; it now informatively croaks instead.
- Fix a bug reported by Mark Martinec where check_key would
segfault instead of croaking when called on a public key.
- Fix decrypt and private_encrypt to croak instead of segfault when
called on a public key.
- Add an is_private method.
- Silence a few compiler warnings about ignoring return values
from certain BIO_* methods.
0.23 Wed Apr 12 2006 00:06:10
- Provide 32 bytes of seeding in tests, up from 19.
- Stop relying on implicit includes, which disappeared in the 0.98
release of OpenSSL.
- Apply patch from Jim Radford <radford@blackbean.org> to add support
for SHA{224,256,384,512}
- Implement TCP keepalive settings on platform that support it,
check client.conf for details.
- When reading prelude-adduser password from a file, remove
newline at the end of the string (fix#221).
- When we fail to read an IDMEF message, provide more information
about the place where the error happened.
- Fix an issue with idmef_path_get() on empty path (pointing to the
root message).
- Various bug fixes and minor API improvements.
pkgsrc, in preparation for gnome1-libs removal(*).
There was no feedback for keeping these packages after my
HEADS UP mail to pkgsrc-users a week ago.
(*) More to come before that can happen, though.
- Initial implementation of the 'thresholding' plugin, allowing you to
suppress events after a certain limit/threshold.
- Filters hooking to a reporting plugin are now OR'ed instead of being
AND'ed. AND is already possible by hooking filtering plugin one with
another.
- Improved error reporting.
- Minor bug fixes.
- Pattern can now be used to specify file to be monitored.
- Fix an issue in the detection of buggy writev() FAM notification.
- Add bonding.rules, by Paul Robert Marino <prmarino1@gmail.com>.
- ModSecurity ruleset update: remove unnecessary fields + ModSecurity 2.0 compatibility.
- New Cisco IOS common ruleset, by Alexandre Racine.
- Avoid duplicating information in node name and node address.
- Add rule ID and revision to the generated alert for each matched rule. Fix#206.
- Handle "last" keyword even if the rule does not contain any IDMEF assignment. Fix#218.
- Various bug fixes.
One-time cipher based back door program for executing emergency
commands.
Secure Back Door(SBD) is an alternative to leaving SSH open all the
time. It is based on a secure one-time keypad method, that insures
maximum security. Since SBD is very small, it is less likely to have
security exploits, as compared to SSH. Therefore, you could leave an
important computer up and running with just sbdd running in the
background, and if an emergency came about, you could simple execute a
command to bring ssh up, then work on the computer as regular. It
would be as simple as doing ./sbd domain.com "/etc/init.d/sshd start",
and with the proper key file set, the remote computer would have ssh
up and running shortly.
SSLCrypto is a package for Python that dramatically eases the task of
adding encryption to Python programs.
It provides a unified API that is almost totally compatible with that
of ezPyCrypto, except that it takes advantage of the OpenSSL Crypto
Library to deliver massive improvements in speed and security.
After using ezPyCrypto myself, I found that while it performed ok with
smaller public key sizes, it proved impossibly slow with larger keys.
This slowness, resulting from non-optimal code in its backend (the
Python Cryptography Toolkit) meant that on a 1.5 GHz Athlon XP, it was
taking several minutes to generate 4096-bit keys. Completely
unacceptable if you need real security.
Performance is absolutely critical for an encryption API. If slowness
deters people from using adequate-sized keys, security will be
severely compromised, almost to the extent that there's little point
in using encryption in the first place.
v1.05
- make session cache working even if the IO::Socket::SSL object
was not created with IO::Socket::SSL->new but with
IO::Socket::SSL->start_SSL on an established socket
* Version 1.6.2 (released 2007-04-18)
** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields.
Before, we remove the parameters field, which resulted in a slightly
different DER encoding which in turn caused signature verification
failures of GnuTLS-generated RSA certificates in some other
implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs
you read, this may or may not be correct, but our new behaviour appear
to be consistent with other widely used implementations.
** Regenerate the PKIX ASN.1 syntax tree.
For some reason, after changing the ASN.1 type of ldap-UID in the last
release, the generated C file built from the ASN.1 schema was not
refreshed. This can cause problems when reading/writing UID
components inside X.500 Distinguished Names. Reported by devel
<dev001@pas-world.com>.
** Updated translations.
** API and ABI modifications:
No changes since last version.