Bugfixes:
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
the inbound serial.
* OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while
signconf was not changed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
signals could be missed so that drudgers would stall when there was work to
be done.
Changes since previous version:
+ Minor documentation updates
+ gmake no longer needed to build
+ updated patch - still needed to quieten compiler for ctype warnings
(reported upstream)
OpenSSL version 1.0.1e released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.1e of our open source toolkit for SSL/TLS. This new
OpenSSL version is a new feature release. For a complete
list of changes, please see
http://www.openssl.org/source/exp/CHANGES.
The most significant changes are:
o Corrected fix for CVE-2013-0169
troubleshooting package for ipv6, into the Packages Collection. This is version
1.3b.
The SI6 Networks' IPv6 toolkit is a set of IPv6
security/trouble-shooting tools, that can send arbitrary IPv6-based
packets.
flow6: A tool to perform a security asseessment of the IPv6 Flow Label.
frag6: A tool to perform IPv6 fragmentation-based attacks and to
perform a security assessment of a number of fragmentation-related
aspects.
icmp6: A tool to perform attacks based on ICMPv6 error messages.
jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.
na6: A tool to send arbitrary Neighbor Advertisement messages.
ni6: A tool to send arbitrary ICMPv6 Node Information messages, and
assess possible flaws in the processing of such packets.
ns6: A tool to send arbitrary Neighbor Solicitation messages.
ra6: A tool to send arbitrary Router Advertisement messages.
rd6: A tool to send arbitrary ICMPv6 Redirect messages.
rs6: A tool to send arbitrary Router Solicitation messages.
scan6: An IPv6 address scanning tool.
tcp6: A tool to send arbitrary TCP segments and perform a variety of
TCP-based attacks.
=== 2.1.0 / 06 Feb 2013
* Added public cert. All gem releases are now signed. See INSTALL in readme.
* Remove self-require, it causes a warning in Ruby 1.9.2. [jbarnette]
* Allow for upload to use the filename of the local file by default [czarneckid]
* Properly handle receiving less data than requested. [thedarkone]
* Added option to create directory on directory upload [Pablo Merino]
* Remove a warnings in tests [kachick]
=== 2.6.5 / 06 Feb 2013
* Fixed path in gemspec [thanks priteau]
=== 2.6.4 / 06 Feb 2013
* Added license info to gemspec [jordimassaguerpla]
* Added public cert. All gem releases are now signed.
=== 2.6.3 / 10 Jan 2013
* Small doc fix and correct error class for PKey::EC key type [Andreas Wolff]
* Improve test dependencies [Kenichi Kamiya]
that we can now take advantage of AES-NI support in modern processors to significantly
increase performance.
Miscellaneous pkgsrc changes:
- Remove unnecessary warning message on Solaris.
- Fix RPATH for libgost.so.
- MD2 support is optional, enabled by default for compatability.
Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
(This is a backport)
[Rob Stradling <rob.stradling@comodo.com>]
*) Fix possible deadlock when decoding public keys.
[Steve Henson]
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
(We need to keep the old numbering syntax to make versions compare
correctly.)
There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)
Upstream changelogs:
0.5.4:
CVE-2013-0176 - NULL dereference leads to denial of service
Fixed several NULL pointer dereferences in SSHv1.
Fixed a free crash bug in options parsing.
and for completeness 0.5.3:
This is an important SECURITY and maintenance release in
order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
and CVE-2012-4562.
CVE-2012-4559 - Fix multiple double free() flaws
CVE-2012-4560 - Fix multiple buffer overflow flaws
CVE-2012-4561 - Fix multiple invalid free() flaws
CVE-2012-4562 - Fix multiple improper overflow checks
(...)
5.81 Mon Jan 14 05:17:08 MST 2013
- corrected load subroutine (SHA.pm) to prevent double-free
-- Bug #82655: Security issue - segfault
-- thanks to Victor Efimov and Nicholas Clark
for technical expertise and suggestions
5.80 Mon Dec 10 14:15:26 MST 2012
- obtained noticeable speedup on Intel/gcc
-- by setting -O1 and -fomit-frame-pointer
-- SHA-1 about 63% faster, SHA-2 improves 11-20%
5.74 Sat Nov 24 03:10:18 MST 2012
- handle wide-string input by converting to bytes first
-- viz. use SvPVbyte instead of SvPV in SHA.xs
-- thanks to Eric Brine for summary and code
5.73 Wed Oct 31 04:32:44 MST 2012
- provided workaround for DEC compiler bug (ref. Makefile.PL)
