Take maintainership.
New in 2.1.25
-------------
* Make sure that a failed authorization doesn't preclude
further server-side SASL authentication attempts from working.
* Fixed a crash caused by aborted SASL authentication
and initiation of another one using the same SASL context.
* (Windows) Fixed the random number generator to actually produce random
output on each run.
* Be protective against calling sasl_server_step once authentication
has failed (multiple SASL plugins)
* Fixed several bugs in the mech_avail callback handling
in the server side code.
* Added support for channel bindings
* Added support for ordering SASL mechanisms by strength (on the client side),
or using the "client_mech_list" option.
* server_idle needs to obey server's SASL mechanism list from the server
context.
* Better server plugin API mismatch reporting
* Build:
- Updated config to the latest GNU snapshot
- Fixed SASL's libtool MacOS/X 64-bit file magic
* New SASL plugin: SCRAM
* New SASL plugin: GS2
* DIGEST-MD5 plugin:
- Allow DIGEST-MD5 plugin to be used for client-side and
server-side HTTP Digest, including running over non-persistent
connections (RFC 2617)
- Use the same username for reauthentication cache lookup and update
- Minimize the number of auxprop lookups in the server side DIGEST-MD5
plugin for the most common case when authentication and authorization
identities are the same.
- Updated digestmd5_server_mech_step2() to be more defensive against
empty client input.
- Fixed some memory leaks on failed plugin initialization.
Prevent potential race condition when freeding plugin state.
Set the freed reauthentication cache mutex to NULL, to make errors
due to mutex access after free more obvious.
- Test against broken UTF-8 based hashes if calculation using special
ISO-8859-1 code fails.
- Fixed an interop problem with some LDAP clients ignoring server
advertised realm and providing their own.
* GSSAPI plugin:
- Fix to build GSSAPI with Heimdal
- Properly set serveroutlen to 0 in one place.
Don't send empty challenge once server context establishment is done,
as this is in violation of the RFC 2222 and its successor.
- Don't send maxbuf, if no security layer can be established.
Added additional checks for buffer lengths.
* LDAPDB plugin:
- build fixes
New in 2.1.24
-------------
* Order advertised server-side SASL mechanisms per the specified 'mech_list'
option or by relative "strength"
* Make sure that sasl_set_alloc() has no effect once sasl_client_init()
or sasl_server_init() is called
* Fixed sasl_set_mutex() to disallow changing mutex management functions
once sasl_server_init()/sasl_client_init() is called (bug # 3083)
* Removed unused mutexes in lib/client.c and lib/server.c (bug # 3141)
* Added direct support for hashed password to auxprop API
* Don't treat a constraint violation as an error to store an auxprop property
* Extended libsasl (auxprop) to support user deletion
* Extended SASL auxprop_lookup to return error code
* Updated sasl_user_exists() so that it can handle passwordless accounts (e.g. disabled)
* (Windows) Free handles of shared libraries on Windows that were loaded
but are not SASL plugins (bug # 2089)
* Prevent freeing of common state on a subsequent call to _sasl_common_init.
Make sure that the last global callback always wins.
* Implemented sasl_client_done()/sasl_server_done()
* Added automatic hostname canonicalization inside libsasl
* Made sasl_config_init() public
* Strip trailing spaces from server config file option values (bug # 3139, bug # 3041)
* Fixed potential buffer overflow in saslautd_verify_password().
* Fixed segfault in dlclose() on HPUX
* Various bugfixes for 64bit platforms
* Fixed bug # 2895 (passing LF to sasl_decode64) in sample/sample-client.c,
sample/sample-server.c, utils/smtptest.c
* pluginviewer: Code cleanup, improved human readable messages
* Build:
- (Windows) Updated makefiles to build with VC 8.0 (VC++ 2005)
- (Windows) Added Windows64 build
- Updated to use .plugin extension on MacOS
- Changed 64bit HP-UX build to use .so for shared libraries
* saslauthd:
- Fixed bug counting double-quotes in username/password in
auth_rimap.c. Also fixed bug zeroing password.
- auth_krb.c: improved diagnostic in the k5support_verify_tgt() function.
- auth_sasldb.c: pid_file_lock is created with a mask of 644 instead of 0644
- auth_shadow.c: Define _XOPEN_SOURCE before including unistd.h,
so that crypt is correctly defined
- auth_getpwent.c: Fixed Solaris build
* SASLDB plugin:
- Fixed spurious 'user not found' errors caused by an attempt
to delete a non-existent property
- Added direct support for hashed password to auxprop API
- Sleepycat driver: Return SASL_NOUSER instead of SASL_FAIL when the database
file doesn't exist
- Ignore properties starting with '*' in the auxprop store function
* SQL plugin:
- Added support for SQLITE3
- Uninitialized variables can cause crash when the searched user is not found
- Added direct support for hashed password
- Ignore properties starting with '*' in the auxprop store function
* LDAPDB plugin:
- Added code to extend LDAPDB into a canon_user plugin in addition
to its existing auxprop plugin functionality
* PLAIN plugin:
- Advertise SASL_SEC_PASS_CREDENTIALS feature
* LOGIN plugin:
- Advertise SASL_SEC_PASS_CREDENTIALS feature
* DIGEST-MD5 plugin:
- Fixed a memory leak in the DIGEST-MD5 security layer
- Fixed memory leaks in client-side reauth and other places
- More detailed error reporting.
- Fixed parsing of challenges/responses with extra commas.
- Allow for multiple qop options from the server and require
a single qop option from the client.
* GSSAPI plugin:
- Check that params->serverFQDN is not NULL before using strlen on it
- Make auxprop lookup calls optional
* EXTERNAL plugin:
- Make auxprop lookup calls optional
* NTLM plugin:
- allow a comma separated list of servernames in 'ntlm_server' option
- Fixed crash in calculating NTv2 reponse
* OTP plugin:
- Don't use a stack variable for an OTP prompt (bug # 2822)
- Downgrade the failure to store OTP secret to debug level
* KERBEROS_V4 plugin:
- Make auxprop lookup calls optional
NEWS for the 2.4 release
This is a bugfix release only. It turned out ripemd160 in the
2.3 release was broken on all big-endian systems, due to a
missing include of config.h. nettle-2.4 fixes this.
The library is intended to be binary compatible with
nettle-2.2 and nettle-2.3. The shared library names are
libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
libnettle.so.4 and libhogweed.so.2.
NEWS for the 2.3 release
* Support for the ripemd-160 hash function.
* Generates and installs nettle.pc and hogweed.pc files, for
use with pkg-config. Feedback appreciated. For projects
using autoconf, the traditional non-pkg-config ways of
detecting libraries, and setting LIBS and LDFLAGS, is still
recommended.
* Fixed a bug which made the testsuite fail in the GCM test on
certain platforms. Should not affect any documented features
of the library.
* Reorganization of the code for the various Merkle-Damg
hash functions. Some fields in the context structs for md4,
md5 and sha1 have been renamed, for consistency.
Applications should not peek inside these structs, and the
ABI is unchanged.
* In the manual, fixed mis-placed const in certain function
prototypes.
The library is intended to be binary compatible with
nettle-2.2. The shared library names are libnettle.so.4.2 and
libhogweed.so.2.1, with sonames still libnettle.so.4 and
libhogweed.so.2.
in its stable branch (ie firefox-6.0.2) too,
so deal with this in the mozilla-rootcerts script (this is not great -
it depends on syntactic details of the file where it should better
use checksums, but the perl script which is distributed with "curl"
works the same way),
and switch back to the certificate list in CVS HEAD
Changes from 1.35:
v1.44 2011.05.27
- fix invalid call to inet_pton in verify_hostname_of_cert when
identity should be verified as ipv6 address, because it contains
colon.
v1.43_1 2011.05.12
- try to make t/nonblock.t more stable, especially on Mac OS X
v1.43 2011.05.11
- fix t/nonblock.t
- stability improvements t/inet6.t
v1.42 2011.05.10
- add SSL_create_ctx_callback to have a way to adjust context on
creation. https://rt.cpan.org/Ticket/Display.html?id=67799
- describe problem of fake memory leak because of big session cache
and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073
v1.41 2011.05.09
- fix issue in stop_SSL where it did not issue a shutdown of the
SSL connection if it first received the shutdown from the other
side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
- try to make t/nonblock.t more reliable, at least report the real
cause of ssl connection errors
v1.40 2011.05.02
- integrated patch from GAAS to get IDN support from URI.
https://rt.cpan.org/Ticket/Display.html?id=67676
v1.39_1 2011.05.02
- fix in exampel/async_https_server.
Thanks to DetlefPilzecker[AT]web[DOT]de for reporting
v1.39 2011.03.03
- fixed documentation of http verification: wildcards in cn is allowed
v1.38_1 2011.01.24
- close should undef _SSL_fileno, because the fileno is no longer
valid (SSL connection and socket are closed)
v1.38 2011.01.18
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1
instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for
reporting
https://rt.cpan.org/Ticket/Display.html?id=64864
v1.37 2010.12.09
- don't complain about invalid certificate locations if user explicitly
set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what
he is doing and will work around the problems by itself.
http://rt.cpan.org/Ticket/Display.html?id=63741
v1.36 2010.12.08
- update documentation for SSL_verify_callback based on
https://rt.cpan.org/Ticket/Display.html?id=63743https://rt.cpan.org/Ticket/Display.html?id=63740
Mozilla::CA provides a copy of Mozilla's bundle of Certificate
Authority certificates in a form that can be consumed by modules and
libraries based on OpenSSL.
set in PKG_SYSCONFDIR variable, so it is passed down to Makefile.
Configuration final path ends up being etc/stunnel/stunnel/stunnel.conf,
which is wrong.
- New features
- New verify level 0 to request and ignore peer certificate. This
feature is useful with the new Windows GUI menu to save cached peer
certificate chains, as SSL client certificates are not sent by default.
- Manual page has been updated.
- Removed support for changing Windows Service name with "service" option.
- Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters
are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete export ciphers).
- Bugfixes
- The -quiet commandline option was applied to *all* message boxes.
- Silent install (/S option) no longer attempts to create stunnel.pem.
* Version 2.12.9 (released 2011-08-21)
** libgnutls-extra: Replaced enumeration with unsigned
int, in openssl.h to make it identical to the 3.0.0 version.
This shouldn't introduce binary incompatibility.
** libgnutls: When asking for a PIN multiple times, the
flags in the callback were not being updated to reflect
for PIN low count or final try.
** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback
NEWS for the 2.2 release
Licensing change:
* Relicensed as LGPL v2.1 or later (user's option).
* Replaced blowfish and serpent implementation. New code is
based on the LGPLed code in libgcrypt.
New features:
* Support for Galois/Counter Mode (GCM).
* New interface for enumerating (most) available algorithms,
contributed by Daniel Kahn Gillmor.
* New tool nettle-hash. Can generate hash digests using any
supported hash function, with output compatible with md5sum
and friends from GNU coreutils. Checking (like md5sum -c)
not yet implemented.
Bug fixes:
* The old serpent code had a byte order bug (introduced by
yours truly about ten years ago). New serpent implementation
does not interoperate with earlier versions of nettle.
* Fixed ABI-dependent libdir default for Linux-based systems
which do not follow the Linux File Hierarchy Standard, e.g.,
Debian GNU/Linux.
Optimizations:
* x86_64 implemention of serpent.
* x86_64 implemention of camellia.
* Optimized memxor using word rather than byte operations.
Both generic C and x86_64 assembler.
* Eliminated a memcpy for in-place CBC decrypt.
Miscellaneous:
* In command line tools, no longer support -? for requesting
help, since using it without shell quoting is a dangerous
habit. Use long option --help instead.
The shared library names are libnettle.so.4.1 and
libhogweed.so.2.1, with sonames libnettle.so.4 and
libhogweed.so.2.
* use perl5/module.mk and its stuff for perl module build
* using packlist, so PLIST entries for perl modules are not required.
* PKG_SYSCONFSUBDIR is handled automatically, no need to be in PLIST.
* fix substitute handling with USE_DESTDIR=yes.
Bump PKGREVISION.
What's new in Sudo 1.7.7
* I/O logging is now supported for commands run in background mode
(using sudo's -b flag).
* Group ownership of the sudoers file is now only enforced when
the file mode on sudoers allows group readability or writability.
* Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
* If the user specifes a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.
* "sudo -i command" now works correctly with the bash version
2.0 and higher. Previously, the .bash_profile would not be
sourced prior to running the command unless bash was built with
NON_INTERACTIVE_LOGIN_SHELLS defined.
* Multi-factor authentication is now supported on AIX.
* Added support for non-RFC 4517 compliant LDAP servers that require
that seconds be present in a timestamp, such as Tivoli Directory Server.
* If the group vector is to be preserved, the PATH search for the
command is now done with the user's original group vector.
* For LDAP-based sudoers, the "runas_default" sudoOption now works
properly in a sudoRole that contains a sudoCommand.
* Spaces in command line arguments for "sudo -s" and "sudo -i" are
now escaped with a backslash when checking the sudoers file.
* libgnutls: PKCS-11 back-end was replaced by p11-kit
* libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
* libgnutls: Verify that a certificate liste specified using
gnutls_certificate_set_x509_key*(), is sorted according to TLS specification
* libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for
gnutls_x509_crt_list_import. It checks whether the list to be imported is
properly sorted.
* libgnutls: writev_emu: stop on the first incomplete write.
* libgnutls: Fix zlib handling in gnutls.pc.
* certtool: bug fixes in certificate request generation.
* API and ABI modifications: GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED:
New element in gnutls_certificate_import_flags
* Bug fix for newer versions of Libgcrypt.
* Support the SSH confirm flag and show SSH fingerprints in ssh
related pinentries.
* Improved dirmngr/gpgsm interaction for OCSP.
* Allow generation of card keys up to 4096 bit.
* A new flag may now be used to convey comments via assuan_transact.
* A new flag value may now be used to disable logging.
* The gpgcedev.c driver now provides a log device.
* It is now possible to overwrite socket and connect functions in
struct assuan_system_hooks.
