Many fixes including:
* Restored cache updating, which was broken by changes to BBC web
sites. If you find search results missing programmes from the week
of 19 Feb, rebuild your cache with --rebuild-cache to fill any
holes.
* Fixed a bug that generated incorrect schedule URLs (used for cache
refresh) for the first calendar week of 2018 (and some future
years). (@welwood08)
* Added support for setproctitle(3)
* Kernel RA is no longer disabled when IPv6 is disabled in dhcpcd
* DHCPv6 PD is no longer stopped if no Routers are found
* If the DHCP leased address is deleted, enter the reboot state
* DHCPv6 unicast is no longer performed when not in master mode
* dhcpcd will now detect netlink/route socket overflows and re-sync
Version 3.53 (2018-03-22)
[NEW FEATURES]
* #12 add Cisco PortFast support via CiscoStpExtensions::i_faststart_enabled
[ENHANCEMENTS]
* Report serial/version on Netgear FSM (paecker)
* Add test harness and expand developer test coverage
* Add back the base (RFC) MIBs for when net-snmp does not have them builtin
[BUG FIXES]
* Fix AUTOLOAD / can() bug that could result in DESTROY being redefined and
dynamic methods not being added to the symbol table.
- Updating fast_tls to version 1.0.21.
- Updating p1_utils to version 1.0.11.
- Fix compilation with rebar3
- Fix warning about deprecated random
- Fix typo in README
- Updating fast_xml to version 1.1.29.
- Updating p1_utils to version 1.0.11.
- Updating stringprep to version 1.0.11.
- Fix compilation with rebar3
- Add new namespace from XEP-0398
- Update for changes in fast_xml
- Make mk_text() append original text
New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of
BIND are now available.
Release notes can be found with the releases or in the ISC Knowledge Base:
9.9.12: https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
9.10.7: https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
9.11.3: https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
9.12.1: https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html
Users who are migrating an existing BIND configuration to these new
versions should take special note of two changes in the behavior
of the "update-policy" statement which slightly change the behavior
of two update-policy options.
The first such change is discussed in greater length in the BIND
Operational Notification issued today:
https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly
The second change to update-policy behavior concerns this change:
"update-policy rules that otherwise ignore the name field now
require that it be set to "." to ensure that any type list present
is properly interpreted. Previously, if the name field was omitted
from the rule declaration but a type list was present, it wouldn't
be interpreted as expected."
which is a correction to an ambiguous case that was previously allowed,
but which was capable of causing unexpected results when accidentally
applied. The new requirement is intended to eliminate the
confusion, which previously caused some operators to misapply security
policies. However, due to the new requirement, named configuration
files that relied on the previous behavior will no longer be accepted.
These changes should not affect most operators, even those using
"update-policy" to define Dynamic DNS permissions, but we would like
to draw your attention to them so that operators are informed about
the new behaviors.
Changes:
1.3.2
-----
* Added extractors for `artstation` albums, challenges and search results
* Improved URL and metadata extraction for `hitomi` and `nhentai`
* Fixed page transitions for `danbooru` API results (#82)
youtube-dl 2018.03.20:
Core
[extractor/common] Improve thumbnail extraction for HTML5 entries
Generalize XML manifest processing code and improve XSPF parsing
[extractor/common] Add _download_xml_handle
[extractor/common] Add support for relative URIs in _parse_xspf
Extractors
[7plus] Extract series metadata
[9now] Bypass geo restriction
[cbs] Skip unavailable assets
[canalc2] Add support for HTML5 videos
[ceskatelevize] Add support for iframe embeds
[prosiebensat1] Add support for galileo.tv
[generic] Add support for xfileshare embeds
[bilibili] Switch to v2 playurl API
[bilibili] Fix and improve extraction
[heise] Improve extraction
[instagram] Fix user videos extraction
version 2.79
Fix parsing of CNAME arguments, which are confused by extra spaces.
Thanks to Diego Aguirre for spotting the bug.
Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
upstream servers to an interface, rather than SO_BINDTODEVICE.
Thanks to Beniamino Galvani for the patch.
Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.
Add support for Ed25519 signatures in DNSSEC validation.
No longer support RSA/MD5 signatures in DNSSEC validation,
since these are not secure. This behaviour is mandated in
RFC-6944.
Fix incorrect error exit code from dhcp_release6 utility.
Thanks Gaudenz Steinlin for the bug report.
Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
time validation when --dnssec-no-timecheck is in use.
Note that this is an incompatible change from earlier releases.
Allow more than one --bridge-interface option to refer to an
interface, so that we can use
--bridge-interface=int1,alias1
--bridge-interface=int1,alias2
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.
Fix for DNSSEC with wildcard-derived NSEC records.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence.
Thanks to Ralph Dolmans for finding this, and co-ordinating
the vulnerability tracking and fix release.
CVE-2017-15107 applies.
Remove special handling of A-for-A DNS queries. These
are no longer a significant problem in the global DNS.
http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
Thanks to Mattias Hellström for the initial patch.
Fix failure to delete dynamically created dhcp options
from files in --dhcp-optsdir directories. Thanks to
Lindgren Fredrik for the bug report.
Add to --synth-domain the ability to create names using
sequential numbers, as well as encodings of IP addresses.
For instance,
--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
creates 21 domain names of the form
internal-4.thekelleys.org.uk over the address range given, with
internal-0.thekelleys.org.uk being 192.168.0.50 and
internal-20.thekelleys.org.uk being 192.168.0.70
Thanks to Andy Hawkins for the suggestion.
Tidy up Crypto code, removing workarounds for ancient
versions of libnettle. We now require libnettle 3.
The areas of focus for ISC DHCP 4.4 were:
1. Dynamic DNS additions
2. dhclient improvements
3. Support for dynamic shared libraries
Dynamic DNS Improvements:
- We added three new server configuration parameters which influence DDNS
conflict resolution:
1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
to mitigate issues with non-compliant clients in dual stack environments.
2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
requirement of DNS conflict resolution.
3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
allow unguarded DNS entries to be overwritten in certain cases
- The server now honors update-static-leases parameter for static DHCPv6
hosts.
dhclient Improvements:
- We've added three command line parameters to dhclient:
1. --prefix-len-hint - directs dhclient to use the given length as
the prefix length hint when requesting prefixes
2. --decline-wait-time - instructs the client to wait the given number
of seconds after declining an IPv4 address before issuing a discover
3. --address-prefix-len - specifies the prefix length passed by dhclient
into the client script (via the environment variable ip6_prefixlen) with
each IPv6 address. We added this parameter because we have changed the
default value from 64 to 128 in order to be compliant with RFC3315bis
draft (-09, page 64) and RFC5942, Section 4, point 1.
**WARNING**: The new default value of 128 may not be backwardly compatible
with your environment. If you are operating without a router, such as
between VMs on a host, you may find they cannot see each other with prefix
length of 128. In such cases, you'll need to either provide routing or use
the command line parameter to set the value to 64. Alternatively you may
change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
in includes/site.h.
- dhclient will now generate a DHCPv6 DECLINE message when the client script
indicates a DAD failure
Dynamic shared library support:
Configure script, configure.ac+lt, which supports libtool is now provided
with the source tar ball. This script can be used to configure ISC DHCP
to build with libtool and thus use dynamic shared libraries.
Other Highlights:
- The server now supports dhcp-cache-threshold for DHCPv6 operations
- The server now supports DHCPv6 address allocation based on EUI-64 DUIDs
- Experimental support for alternate relay port in both the server
and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)
For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.
The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
Changes since 4.4.0 (New Features)
- none
Changes since 4.4.0 (Bug Fixes)
- A delayed-ack value of 0 (the default), now correctly disables the delayed
feature. A change in 4.4.0 prohibited lease updates marking leases active
from being written to the lease file when delayed-ack is 0. This in turn,
caused servers to lose active lease assignments upon restart.
[ISC-Bugs #47141]
! Option reference count was not correctly decremented in error path
when parsing buffer for options. Reported by Felix Wilhelm, Google
Security Team.
[ISC-Bugs #47140]
CVE: CVE-2018-5733
! Corrected an issue where large sized 'X/x' format options were causing
option handling logic to overwrite memory when expanding them to human
readable form. Reported by Felix Wilhelm, Google Security Team.
[ISC-Bugs #47139]
CVE: CVE-2018-5732
version 3.52 (2018-03-19)
[ENHANCEMENTS]
* set fallback for nonmatching interfaces in Cumulus class
* better interface naming for Ubiquiti
* modify mock utility to work under a perlbrew environment
version 3.50 (2018-03-14)
[ENHANCEMENTS]
* #198 Add Support for Gigamon devices
[BUG FIXES]
* #226 Avaya VSP devices - no ifAlias
* #227 Remove bogus can() check in _set()
* Fix SNMP::Info::IEEE802dot3ad when more than 1 LAG
Pkgsrc changes:
* Add libunbound.pc to PLIST.
Upstream changes:
Features
- auth-zone provides a way to configure RFC7706 from unbound.conf,
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
fallback-enabled: yes and masters or a zonefile with data.
- Aggressive use of NSEC implementation. Use cached NSEC records to
generate NXDOMAIN, NODATA and positive wildcard answers.
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
also recognized and means the same. Also for tls-port,
tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
from Manu Bretelle.
This option allows handling multiple cert/key pairs while only
distributing some of them.
In order to reliably match a client magic with a given key without
strong assumption as to how those were generated, we need both key and
cert. Likewise, in order to know which ES version should be used.
On the other hand, when rotating a cert, it can be desirable to only
serve the new cert but still be able to handle clients that are still
using the old cert's public key.
The `dnscrypt-provider-cert-rotated` option instructs unbound not to
publish the cert as part of the DNS's provider_name's TXT answer.
- Update B root ipv4 address.
- make ip-transparent option work on OpenBSD.
- Fix #2801: Install libunbound.pc.
- ltrace.conf file for libunbound in contrib.
- Fix #3598: Fix swig build issue on rhel6 based system.
configure --disable-swig-version-check stops the swig version check.
Bug Fixes
- Fix #1749: With harden-referral-path: performance drops, due to
circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
duplicates
- Better documentation for cache-max-negative-ttl.
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
- Document that errno is left informative on libunbound config read
fail.
- iana port update.
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
a message and exit.
- Fix#2492: Documentation libunbound.
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
set for stub zone. It no longer searches for DNSSEC information.
- Fix #3299 - forward CNAME daisy chain is not working
- Fix link failure on OmniOS.
- Check whether --with-libunbound-only is set when using --with-nettle
or --with-nss.
- Fix qname-minimisation documentation (A QTYPE, not NS)
- Fix that DS queries with referral replies are answered straight
away, without a repeat query picking the DS from cache.
The correct reply should have been an answer, the reply is fixed
by the scrubber to have the answer in the answer section.
- Fix that expiration date checks don't fail with clang -O2.
- Fix queries being leaked above stub when refetching glue.
- Copy query and correctly set flags on REFUSED answers when cache
snooping is not allowed.
- make depend: code dependencies updated in Makefile.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
the middle of a cname chain, a result without the DNAME could
be returned.
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
so that it is printed to console.
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
- Fix unfreed locks in log and arc4random at exit of unbound.
- Fix lock race condition in dns cache dname synthesis.
- Fix #3451: dnstap not building when you have a separate build dir.
And removed protoc warning, set dnstap.proto syntax to proto2.
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Unit test for auth zone https url download.
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- Fixes for clang static analyzer, the missing ; in
edns-subnet/addrtree.c after the assert made clang analyzer
produce a failure to analyze it.
- Fix #3505: Documentation for default local zones references
wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
- more robust cachedump rrset routine.
- Save wildcard RRset from answer with original owner for use in
aggressive NSEC.
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
causes same port to be used twice for tcp connections.
- Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to
other implementations.
- Fix for windows compile.
- Fixed contrib/fastrpz.patch, even though this already applied
cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
A. Schulze.
- Attempt to remove warning about trailing whitespace.
- Added documentation for aggressive-nsec: yes.
pkgsrc change:
* update HOMEPAGE.
* LICENSE is apache-2.0 for netaddr 2.x.
Version 2.x
A complete rewrite and totally incompatible with 1.x. My main motivation now
is to reduce bug reports resulting from the poor code quality of 1.x.
2.0.1 2016/08/08
o Update changelog for missing latest version …
o in case of running on busybox the external command don't set -i argument
o detect if it's running in busybox
o Fixing test running:
* development dependencies
* adding pry-byebug for being able to debug
o Adding set_cap check
2.0.2 2018/03/06
o Improved readability + exception set to sting prob
o Fixed tests after adding setcap check feature
o Changed Gemfile source to use https
o Correct the gem version...
o Use port from location uri for http redirection. Reset start_time on
redirect request
0.3.2 2018/01/02
* Stop overly eager rescue in `connect_parse_response`
* fixed connection problem when authorization provided
* Remove space between method call and parentheses.
Changes Between 1.7.0 and 1.8.0 (Jan 2nd, 2018)
* Ruby 2.4 Warnings Squashed
Contributed by utilum.
GitHub issues: #233, #229.
* amq-protocol Update
Minimum amq-protocol version is now 2.2.0.
OpenVPN 2.4.5:
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Fix typo in error message: "optione" -> "option"
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
OpenSSL: check EVP_PKEY key types before returning the pkey
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
autoconf: Fix engine checks for openssl 1.1
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c upto speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
Fix '--bind ipv6only'
New I/O for Ruby (nio4r): cross-platform asynchronous I/O primitives for
scalable network clients and servers. Modeled after the Java NIO API, but
simplified for ease-of-use.
nio4r provides an abstract, cross-platform stateful I/O selector API for Ruby.
I/O selectors are the heart of "reactor"-based event loops, and monitor
multiple I/O objects for various types of readiness, e.g. ready for reading or
writing.
Generic connection pooling for Ruby.
MongoDB has its own connection pool. ActiveRecord has its own connection pool.
This is a generic connection pool that can be used with anything, e.g. Redis,
Dalli and other Ruby network clients.
**WARNING**: Don't ever use `Timeout.timeout` in your Ruby code or you will see
occasional silent corruption and mysterious errors. The Timeout API is unsafe
and cannot be used correctly, ever. Use proper socket timeout options as
exposed by Net::HTTP, Redis, Dalli, etc.
- Add testenv that ensures lexicon still works even if an optional
library is missing.
- Add Sakura Cloud DNS provider
- Add Gehirn Infrastructure Service DNS provider