Changelog:
Noteworthy changes in version 2.1.10 (2015-12-04)
-------------------------------------------------
* gpg: New trust models "tofu" and "tofu+pgp".
* gpg: New command --tofu-policy. New options --tofu-default-policy
and --tofu-db-format.
* gpg: New option --weak-digest to specify hash algorithms which
should be considered weak.
* gpg: Allow the use of multiple --default-key options; take the last
available key.
* gpg: New option --encrypt-to-default-key.
* gpg: New option --unwrap to only strip the encryption layer.
* gpg: New option --only-sign-text-ids to exclude photo IDs from key
signing.
* gpg: Check for ambiguous or non-matching key specification in the
config file or given to --encrypt-to.
* gpg: Show the used card reader with --card-status.
* gpg: Print export statistics and an EXPORTED status line.
* gpg: Allow selecting subkeys by keyid in --edit-key.
* gpg: Allow updating the expiration time of multiple subkeys at
once.
* dirmngr: New option --use-tor. For full support this requires
libassuan version 2.4.2 and a patched version of libadns
(e.g. adns-1.4-g10-7 as used by the standard Windows installer).
* dirmngr: New option --nameserver to specify the nameserver used in
Tor mode.
* dirmngr: Keyservers may again be specified by IP address.
* dirmngr: Fixed problems in resolving keyserver pools.
* dirmngr: Fixed handling of premature termination of TLS streams so
that large numbers of keys can be refreshed via hkps.
* gpg: Fixed a regression in --locate-key [since 2.1.9].
* gpg: Fixed another bug for keyrings with legacy keys.
* gpgsm: Allow combinations of usage flags in --gen-key.
* Make tilde expansion work with most options.
* Many other cleanups and bug fixes.
Changelog:
Noteworthy changes in version 2.4.2 (2015-12-02) [C7/A7/R2]
------------------------------------------------
* The nPth version of the connect system hook does now wrap the call
with npth_unprotect/npth_protect to avoid blocking during a connect.
* Add feature to assuan_sock_connect_byname to test for SOCKS5
availability.
Noteworthy changes in version 2.4.1 (2015-11-23) [C7/A7/R1]
------------------------------------------------
* In Tor mode fallback to port 9150 if 9050 is not listening.
* Allow building with older mingw-w64 versions.
Noteworthy changes in version 2.4.0 (2015-11-03) [C7/A7/R0]
------------------------------------------------
* New flags "socks" and "tor-mode" for assuan_sock_{set,get}_flag.
* New function assuan_sock_connect_byname.
* Require at least libgpg-error 1.17.
* Interface changes relative to the 2.3.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
assuan_sock_connect_byname NEW.
ASSUAN_SOCK_TOR NEW.
ASSUAN_SOCK_SOCKS NEW.
assuan_sock_set_flag EXTENDED.
assuan_sock_get_flag EXTENDED.
Noteworthy changes in version 2.3.0 (2015-08-28) [C6/A6/R0]
------------------------------------------------
* Now wipes out the memory of the context structure before freeing.
The context may have stored sensitive data in its line buffers.
* Fixed a problem with the data length limit in assuan_inquire.
* Returns GPG_ERR_SOURCE_ASSUAN with errors from functions w/o a
context.
* Two new functions to tweak the behaviour of the socket wrappers.
* Experimental code to support Cygwin's local sockets.
* By default build without a build timestamp.
* Interface changes relative to the 2.2.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
assuan_sock_set_flag NEW.
assuan_sock_get_flag NEW.
Jetty provides a Web server and javax.servlet container, plus support for
HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. These
components are open source and available for commercial use and distribution.
This package builds on the existing www/jetty7 package which is retained for
users of that maintenance release, simplifies the packaging, and adds SMF
support.
This is a major feature release with a few bugfixes.
With this release jabberd2 joins the HTTP realm, with WebSocket client
connection handling built into the C2S module! :-)
Changes:
* Rewrite TLS ephemeral key + cipher handling
* Recover Berkeley DB before opening it
* bcrypt support for PostgreSQL
* Option to set authreg module per realm
* AuthReg ANONYMOUS does not offer password check
* Answer to disco#info queries to user JID
* WebSocket C2S SX plugin
Note: websockets are not available, as the required http-parser module
is not (yet) in pkgsrc.
of software such as Ruby to build on Tiger/PowerPC.
Tested with & without on a G4 with Tiger & Leopard.
It was not needed on Leopard as the linker defaults to a target of 10.5 &
setting it back broke the bootstrap process.
Reviewed by wiz@ long ago.
CHANGES IN V1.3.0
- cups-browsed: Added new BrowseFilter directive in
cups-browsed.conf. This directive allows filtering of the
remote printers to be accepted on most properties/metadata
supplied with the DNS-SD broadcasts. This allows, in
addition to BrowseAllow/BrowseDeny/BrowseOrder, to reduce
the amount of printers listed in print dialogs to a more
useful amount.
- cups-browsed: Added support for BrowseDeny and BrowseOrder
directives in cups-browsed.conf.
- cups-browsed: Let the BrowseAllow lines in cups-browsed.conf
also apply to remote printers discovered via DNS-SD.
- cups-browsed: Auto-create queues for PCL-5c/e printers but
not for HP inkjet printers (which also advertise themselves
as PCL printers).
- cups-browsed, sys5ippprinter: Recognize PCL-5c/e printers
not only by the application/vnd.hp-pcl MIME type but also by
application/pcl and application/x-pcl.
Noteworthy changes in version 0.9.7 (2015-12-07)
------------------------------------------------
* Fix regressions in the Qt pinentry.
* Fix minor problems in pinentry-tty.
* New option --invisible-char.
Noteworthy changes in version 1.21 (2015-12-12) [C17/A17/R0]
-----------------------------------------------
* New functions gpgrt_poll and gpgrt_set_nonblock. For now only
pipes and sockets on Unix are supported.
* Fixes gettext output encoding problems on Windows.
* Interface changes relative to the 1.20 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgrt_set_nonblock NEW.
gpgrt_get_nonblock NEW.
gpgrt_poll NEW.
gpgrt_poll_t NEW type.
es_poll_t NEW type.
es_set_nonblock NEW macro.
es_get_nonblock NEW macro.
es_poll NEW macro.
GPG_ERR_TRUE NEW.
GPG_ERR_FALSE NEW.
GPG_ERR_NO_NAME NEW.
GPG_ERR_NO_KEY NEW.
GPG_ERR_SERVER_FAILED NEW.
Changes in version 0.2.7.6 - 2015-12-10
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
well as a minor bug in hidden service reliability.
o Major bugfixes (guard selection):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Minor features (geoip):
- Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- When checking for net/pfvar.h, include netinet/in.h if possible.
This fixes transparent proxy detection on OpenBSD. Fixes bug
17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
o Minor bugfixes (correctness):
- When displaying an IPv6 exit policy, include the mask bits
correctly even when the number is greater than 31. Fixes bug
16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
- The wrong list was used when looking up expired intro points in a
rend service object, causing what we think could be reachability
issues for hidden services, and triggering a BUG log. Fixes bug
16702; bugfix on 0.2.7.2-alpha.
- Fix undefined behavior in the tor_cert_checksig function. Fixes
bug 17722; bugfix on 0.2.7.2-alpha.
Release 1.14.6 (2015-12-09 Bryce Harrington <bryce@osg.samsung.com>)
========================================================================
Simple bugfix release to fix one Windows issue.
Bug Fixes
---------
* Fix failure on Windows due to reference of the function
cairo_win32_surface_create_with_format(), which isn't included in the
1.14.4 release. (Bug #92771)
1.1.2 - 2015-12-10
~~~~~~~~~~~~~~~~~~
* Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a
method.
* Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that
occurred with some OpenSSL installations.
* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e.
----
18.8
----
* Deprecated ``egg_info.get_pkg_info_revision``.
* Issue #471: Don't rely on repr for an HTML attribute value in
package_index.
* Issue #419: Avoid errors in FileMetadata when the metadata directory
is broken.
* Issue #472: Remove deprecated use of 'U' in mode parameter
when opening files.
NEW IN WAF 1.8.17
-----------------
* Added customizations that enable building whole projects from the build folder instead of the variant folder
* Added a project generator for Xcode 6 #1648
* Force scanner functions to run after task failures #1660
* Improved the Intel Fortran compiler detection #1655
* Added processing of chmod attributes on subst and rule when provided #1650
* Enabled global_define in conf.check() tests
* Enabled usage of home folder/tilde ~ in Configure.find_files
* Added usage of options.enable_gccdeps when provided by user scripts
* Enabled 'waf -v' to catch invalid string on hcode values in Python3
* Fixed the function names returned by the @conf and @run_once decorators
* Let 'subst' change permissions for all its files with chmod (not just the first one)
* Added quoting for space-containing-arguments in print_commands.py
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* An --enable-querytrace configure switch is now available to enable
very verbose query trace logging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
* EDNS COOKIE options content is now displayed as "COOKIE:
<hexvalue>".
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
in DNS requests.
* dig +[no]ednsnegotiation can now be used to enable / disable EDNS
version negotiation.
* An --enable-querytrace configure switch is now available to enable
very verbose query trace logging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code
point (10) and is displayed as "COOKIE: <value>". The existing
named.conf directives "request-sit", "sit-secret" and
"nosit-udp-size" are still valid and will be replaced by
"send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
9.11. The existing dig directive "+sit" is still valid and will be
replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being
truncated, dig will now correctly send the COOKIE value returned by
the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could
be treated as if they did; consequently, setting
qname-wait-recurse no; was sometimes ineffective. This has
been corrected. In most configurations, behavioral changes due
to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves,
if a policy zone updated during regular operation (rather than
at startup) using a full zone reload, such as via AXFR, a bug
could allow the RPZ summary data to fall out of sync,
potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via
IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was already in
progress. [RT #39649]
+ Query names could match against the wrong policy zone if
wildcard records were present. [RT #40357]