pkgsrc change: added DESTDIR support.
Major changes since Sudo 1.6.9p6:
o Reverted back to using TCSAFLUSH instead of TCSADRAIN when
turning off echo during password reading.
o Fixed a configure bug that was preventing the addition of -lutil for
login.conf support on FreeBSD and NetBSD.
o Added a configure check for struct in6_addr since some systems
define AF_INET6 but have no real IPv6 support.
* Version 2.0.2 (released 2007-10-17)
** TLS authorization support removed.
This technique may be patented in the future, and it is not of crucial
importance for the Internet community. After deliberation we have
concluded that the best thing we can do in this situation is to
encourage society not to adopt this technique. We have decided to
lead the way with our own actions.
** certtool: Fixed data corruption when using --outder.
** Fix configure-time Guile detection.
** API and ABI modifications:
GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the
gnutls_supplemental_data_format_type_t enum type becomes empty.
* Version 2.0.1 (released 2007-09-20)
** New directory doc/credentials/ with test credentials.
This collects the test credentials from the web page and from src/.
The script gnutls-http-serv has also been moved to that directory.
** Update SRP extension type and cipher suite with official IANA values.
This breaks backwards compatibility with SRP in older versions of
GnuTLS, but this is intentional to speed up the adoption of the
official values. The old values we used were incorrect.
** Guile: Fix `x509-certificate-dn-oid'
** API and ABI modifications:
No changes since last version.
1.30 2006.03.17
- Fix for local *READ/*WRITE tie problem in open2 function (Bas van
Sisseren).
- Add back 'use IO::Socket' to fix 'Can't locate object method "blocking"
via package "IO::Handle"' error (rt.cpan.org #15102).
- Allow "The socket is already in use" as well as "Address already in use"
to detect port already in use (for AIX, rt.cpan.org #16301).
- Use sysread (not <>) to read the version string to avoid mixing read
types and allow pre-version data (fix by Denis Bider, rt.cpan.org #14812).
- Fix warnings on empty hostfile lines (fix by JOHANL, rt.cpan.org #13750).
- Get the user's home directory from getpwuid() if the HOME environment
variable isn't set (rt.cpan.org #13434).
manage your passwords in a secure way. You can put all your passwords in one
database, which is locked with one master key or a key-disk. So you only have
to remember one single master password or insert the key-disk to unlock the
whole database. The databases are encrypted using the best and most secure
encryption algorithms currently known (AES and Twofish).
- Fixed base_conf_contents.php to include colored alerts -- Jonathan W Miner
- Fixed base_main.php to remove an extra table and repair two column display -- Jonathan W Miner
- Added exit() to the redirect to fix security hole -- Jon Hart
- removed fpdf file to save room since we are not using them. -- Kevin Johnson
- Fixed bug #1723928 Top Right, Database and User not shown -- Kevin Johnson
- Added base_header wrapper, please use it instead of header if you're not sure -- GaRaGeD
- Fixed Bug #1675094 snort signature information links broken (really a hack!) -- Kevin Johnson
- Fixed Bug #1689885 Maybe need count(DISTINCT ip_src) to sort by IP correctly -- Kevin Johnson
- Fixed Bug #1649659 Use of archive DB seems broken in "karen" release -- Kevin Johnson
- Cleaned a warning -- Marek Cruz
- Spanish install guide -- Daniel Medianero
v1.11
- fixed errors in accept_SSL which would work when called from start_SSL
but not from accept
v1.10
- start_SSL, accept_SSL and connect_SSL have argument for Timeout
so that the SSL handshake will not block forever. Only used if the
socket is blocking. If not set the Timeout value from the underlying
IO::Socket is used
include:
* MYSQL_CHARACTER_SET option.
* Allow underscores, colons and plusses, in account names.
* Add {MD5RAW} hash method.
* Fix runtime problems with hardcoded file descriptors in the daemon
code by using OPEN_MAX instead.
Patch provided by Jukka Salmi in PR 37056.
These features are new in beta 0.60 (released 2007-04-29):
* Pressing Ctrl+Break now sends a serial break signal. (The previous behaviour
can still be obtained with Ctrl+C.)
* Serial ports higher than COM9 now no longer need a leading \\.\.
* You can now store a host name in the Default Settings.
* Bug fix: serial connections and local proxies should no longer crash all the
time.
* Bug fix: configuring the default connection type to serial should no longer
cause the configuration dialog to be skipped on startup.
* Bug fix: "Unable to read from standard input" should now not happen, or if it
still does it should produce more detailed diagnostics.
* Bug fix: fixed some malformed SSH-2 packet generation.
* Other minor bug fixes.
Major changes since Sudo 1.6.9p5:
o Worked around bugs in the session support of some PAM implementations.
The full tty path is now passed to PAM as well.
o Sudo now only prints the password prompt if the process is in the
foreground.
o inttypes.h is now included when appropriate if it is present.
o Simplified alias allocation in the parser.
This package provides a script which can be used to extract the root
CA certificates distributed by the Mozilla Project into the current
working directory and to rehash the existing certificates. The directory
can be used by most SSL-aware programs that expect a "CA certificate
path".
v1.09
- new method stop_SSL as opposite of start_SSL based on an idea
of Bron Gondwana <brong[AT]fastmail[DOT]fm>
To support this method the SSL_shutdown handling had to be
fixed, e.g. in close a proper unidirectional shutdown
should be done while in stop_SSL a bidirectional shutdown
- try to make it clearer that thread support is buggy
617) Fixed a bug in the IP address matching introduced by the IPV6 merge.
618) For "visudo -f file" we now use the permissions of the original file
and not the hard-coded sudoers owner/group/mode. This makes
it possible to use visudo with a revision control system.
619) Fixed sudoedit when used on a non-existent file.
620) Regenerated configure using autoconf 2.6.1 and libtool 1.5.24.
621) Groups and netgroups are now valid in an LDAP sudoRunas statement.
and to support the "inet6" option instead.
Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files. Replace:
BUILD_DEFS+= USE_INET6
with
BUILD_DEFS+= IPV6_READY
and teach the README-generation tools to look for that instead.
This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
built with support for threads. This is done by adding the following
line to the package Makefile before the inclusion of openssl/buildlink3.mk:
USE_FEATURES.openssl= threads
The openssl/builtin.mk file is also adjusted to detect whether or not
the built-in OpenSSL was built with support for threads and the result
is used accordingly to determine whether or not a pkgsrc OpenSSL is
needed.
Changes since OpenSSH 4.6:
============================
Security bugs resolved in this release:
* Prevent ssh(1) from using a trusted X11 cookie if creation of an
untrusted cookie fails; found and fixed by Jan Pechanec.
Other changes, new functionality and fixes in this release:
* sshd(8) in new installations defaults to SSH Protocol 2 only.
Existing installations are unchanged.
* The SSH channel window size has been increased, and both ssh(1) and
sshd(8) now send window updates more aggressively. This improves
performance on high-BDP (Bandwidth Delay Product) networks.
* ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
* A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be
approximately 20% faster than HMAC-MD5.
* A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes
* Failure to establish a ssh(1) TunnelForward is now treated as a
fatal error when the ExitOnForwardFailure option is set.
* ssh(1) returns a sensible exit status if the control master goes
away without passing the full exit status. (bz #1261)
* The following bugs have been fixed in this release:
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work (bz #616)
- Make scp(1) skip FIFOs rather than hanging (bz #856)
- Encode non-printing characters in scp(1) filenames.
These could cause copies to be aborted with a "protocol error"
(bz #891)
- Handle SIGINT in sshd(8) privilege separation child process to
ensure that wtmp and lastlog records are correctly updated
(bz #1196)
- Report GSSAPI mechanism in errors, for libraries that support
multiple mechanisms (bz #1220)
- Improve documentation for ssh-add(1)'s -d option (bz #1224)
- Rearrange and tidy GSSAPI code, removing server-only code being
linked into the client. (bz #1225)
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established. (bz #1232)
- In scp(1), do not truncate non-regular files (bz #1236)
- Improve exit message from ControlMaster clients. (bz #1262)
- Prevent sftp-server(8) from reading until it runs out of buffer
space, whereupon it would exit with a fatal error. (bz #1286)
* Portable OpenSSH bugs fixed:
- Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
- Implement getpeereid for Solaris using getpeerucred. Solaris
systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
clients from different, non-root users (bz #1287)
- Fix compilation warnings by including string.h if found. (bz #1294)
- Remove redefinition of _res in getrrsetbyname.c for platforms that
already define it. (bz #1299)
- Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
a side-effect of the "hang on exit" fix introduced in 4.6p1.
(bz #1306)
- pam_end() was not being called if authentication failed (bz #1322)
- Fix SELinux support when SELinux is in permissive mode. Previously
sshd(8) was treating SELinux errors as always fatal. (bz #1325)
- Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
(bz #1339)
- Fix privilege separation on QNX - pre-auth only, this platform does
not support file descriptor passing needed for post-auth privilege
separation. (bz #1343)
- BUGFIX: Correct several small signedness and initialization bugs
discovered during review by the NetBSD team.
- BUGFIX: Modify gendoc.pl to sort cross-references in dictionary
order within each section.
- ENHANCE: if a policy specifies a relative module path, prepend the
module directory so we never call dlopen(3) with a relative path.
- ENHANCE: add a pam.conf(5) manual page.
While an update to a .0 version is somehow risky, it finishes the
unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc
opencdk, which I wouldn't like to go into the next stable branch.
Release candidates have worked for me, and there is some time left
before the Q3 branch, so I'm confident.
changes:
* Support for external RSA/DSA signing for TLS client authentication
* Many X.509 enhancements
* Support for Supplemental handshake messages (RFC 4680)
* Support for TLS authorization extension (draft-housley-tls-authz-extns-07)
* Improve logic of gnutls_set_default_priority()
* New APIs to enumerate supported algorithms in the library
* Certtool can export more than one certificate to PKCS#12
* Several message translation improvements
* Improved manual
* Many bugfixes and minor improvements
changes:
- Add DROPBEAR_PASSWORD environment variable to specify a dbclient password
- Use /dev/urandom by default, since that's what everyone does anyway
- Exit with an exit code of 1 if dropbear can't bind to any ports
- Improve network performance and add a -W <receive_window> argument for
adjusting the tradeoff between network performance and memory consumption
- Fix a problem where reply packets could be sent during key exchange,
in violation of the SSH spec. This could manifest itself with connections
being terminated after 8 hours with new TCP-forward connections being
established
- Add -K <keepalive_time> argument, ensuring that data is transmitted
over the connection at least every N seconds
- dropbearkey will no longer generate DSS keys of sizes other than 1024
bits, as required by the DSS specification. (Other sizes are still
accepted for use to provide backwards compatibility)
(I didn't adopt the libtool change for now because it is not clear for
me whether that PAM module is useful for non-NetBSD.)
-block SIGCHLD while the forked helper process is running, so that a
calling process with a SIGCHLD handler won't steal the exit status
which is used to report success of the authentication.
This makes the "dropbear" ssh server usable if started with user
privileges.
bump revision to 1.1
- Fix for new libprelude (0.9.15) runtime warning.
- Add documentation for SQLite3 in the template configuration file
(Sébastien Tricaud <toady at gscore.org>).
- Source and Target now use a 16-bit index (required for CorrelationAlert with
a large number of sources/targets). CorrelationAlert Alertident now uses a 32-bit
index (required to link a large number of Alerts together).
- Fix compilation on system without ENOTSUP (fix#227):
Include modified patch from Alexandre Anriot <aanriot@atlantilde.com>.
conversions preventing PostgreSQL to use indexes (fix#225).
- [preludedb-admin] Use separate alert / heartbeat command: this is done to
have a coherent implementation of the --offset and --count command line
options.
- [preludedb-admin] Fix --offset with the load command.
- [preludedb-admin] Give the delete table a decent size, should speedup the
delete command.
- [documentation] preludedb-admin manpage (fix#230), by Pierre Chifflier
<chifflier@inl.fr>.
- Make SSH rules IPv6 compliant, allowing to merge old
IPv6 only rules with IPv4 rules. Some additional minor
bug fixes (fix#232).
- Fix incorrect target user assignment, as well as incorrect
PCRE reference in assessment.impact.description
(Paul Robert Marino <prmarino1@gmail.com>) (fix#232).
- CISCO router acl lists can now use names instead of numbers. This made
rule id=500 in cisco-router.rules fail to alert on packet denys on newer
cisco devices (Paul Robert Marino <prmarino1@gmail.com>).
- Fix Apache formatting when Apache logname or user is set
(Robin Gruyters <r.gruyters@yirdis.nl> and <andre@vandervlies.xs4all.nl>)
(fix#229).
- Invalid user.user_id(0).name assignment in SSH rule 1913
(Scott Olihovik <skippylou@gmail.com>) (fix#243).
- Various bug fixes and minor improvements.
- Fix build error on system that use native awk implementation in place of GNU awk
(Pierre Chifflier <chifflier at inl.fr>), fix#256.
- Avoid a prelude-string fatal assertion, by denying copy/cloning of an empty
prelude-string.
- Correction to the 'prelude-admin send' help message.
- Convert prelude-string to use prelude_return_if_fail() in place of prelude_log().
on tech-pkg.
Noteworthy changes in version 2.0.6 (2007-08-16)
------------------------------------------------
* GPGSM does now grok --default-key.
* GPGCONF is now aware of --default-key and --encrypt-to.
* GPGSM does again correctly print the serial number as well as the
various keyids. This was broken since 2.0.4.
* New option --validation-model and support for the chain-model.
* Improved Windows support.
libident 0.32
--------------
# A serious portability fix for *BSD and Solaris was submitted by:
Nicolas Rachinsky <nicolas@rachinsky.de>.
# Build of sample programs ("testers") was fixed.
libident 0.31
--------------
# libtool is used instead of ranlib, so that a shared library can be built
automatically if the OS supports it.
libident 0.30
--------------
# This new release is meant to provide Internet Protocol version independent
support: libident can now handle IPv6 addresses and perform queries over
IPv6, as well as IPv4. The IP version is selected automatically.
# I also have ported the library to the GNU autotools (autoconf & automake),
and removed support for non ANSI C platforms. If you use such an old system,
do NOT update. It doesn't support IPv6 anyway.
XXX This package is out of date and should be updated. It doesn't work
XXX on current versions of NetBSD due to the silly way it detects the
XXX running OS and tries to figure out the corresponding binary.
* Remove unnecessary dependency on netbsd32_compat16 on NetBSD/amd64.
This package installs statically linked binaries, so there is no
need for any shared libraries or ld.elf_so to run fprot.
* Stop pretending to support non-NetBSD platforms -- the build and
install targets bear no relation to the extracted distfiles on Linux
or Solaris. Support will be re-added in the fullness of time.
pkgsrc change:
Make these options mutually exclusive: kerberos pam skey.
(Really, combinations of kerberos and pam, pam and skey are conflicts.)
CHANGES:
609) Worked around a bug in some PAM implementations that caused a crash
when no tty was present.
610) Fixed a crash on some platforms in the error logging function.
611) Documentation improvements.
Sudo 1.6.9p1 released.
612) Fixed updating of the saved environment when the environ pointer
gets changed out from underneath us.
Sudo 1.6.9p2 released.
613) Fixed a bug related to supplemental group matching introduced
in 1.6.9.
Sudo 1.6.9p3 released.
614) Added IPv6 support from YOSHIFUJI Hideaki.
615) Fixed sudo_noexec installation path.
616) Fixed a K&R compilation error.
Sudo 1.6.9p4 released.
include:
* authpipe.c (auth_pipe_pre): Fix leak when authpipe module is
enabled, but the actual authpipe script/external prog is not
installed.
* authmysqlrc: Implement SSL-encrypted MySQL connections
* authldaplib.c (l_simple_bind_s): Fix anon binds.
* authldaplib.c (auth_ldap_enumerate): Fix LDAP account enumeration
* userdb/makeuserdb.in: Added the -f option to makeuserdb
* authldaplib.c: Try to recover when the LDAP server closes the
persistent socket, for inactivity.
* Switched license to GPLv3.
* Fixed bug when using the --p12-charset without --armor.
* The command --gen-key may now be used instead of the
gpgsm-gencert.sh script.
* Changed key generation to reveal less information about the
machine. Bug fixes for gpg2's card key generation.
- Update configuration template, add documentation for Prelude
generic TCP options.
- Implement modified patch from Pierre Chifflier <chifflier@inl.fr>
to fix the example log path (fix#224).
- Move IDMEF message normalization in the scheduler, rather than
doing it upon reception. This removes some load from the server
and allows Prelude-Manager's own IDMEF messages to go through the
normalizer path.
- Implement heartbeat->analyzer normalization.
- Improve IPv4 / IPv6 address normalization.
IPv4 mapped IPv6 addresses are now mapped back to IPv4.
Additionally, the Normalize plugin now provides two additional options:
ipv6-only: Map any incoming IPv4 address to IPv6.
keep-ipv4-mapped-ipv6: do not map IPv4 mapped IPv6 addresses back to IPv4.
- Make a difference between exceptional report plugin failure (example:
a single message couldn't be processed) and "global" plugin failure
(example: database server is down). We use a different failover for
'exceptional' failure, so that we don't try to reinsert a bogus message
(fix#247).
- Start of a Prelude-Manager manpages (#236).
- Various bug fixes.
- Ability to use regular expressions in plugins.rules to define
monitored sources, this can be very useful when combined with file
globbing.
- [SPEEDUP] When the "*" keyword is used, the data is passed to the
upper layer without trying to match anything.
- Fix NULL pointer dereference when a rule references an existing,
but empty context (fix#226).
- Remove deprecated use of prelude_client_print_setup_error(),
directly handled via prelude_perror().
- Make the log parser more robust.
- Implement an Auto-Refresh system (fix#231). (including code from
Paul Robert Marino <prmarino1@gmail.com>).
- Ability to filter on missing/offline/online/unknown agents. Make each agent
status easier to read in collapsed mode.
- Fix filter load/save/delete issue with translation.
- New 'My account' tabs, under the Settings section (fix#241).
- New messageid and analyzerid parameters, allowing link to a Prewikka alert
from an external tool (previously required a database query in order to
retrieve the database event id).
- Don't redirect to user listing once a user's preferences are recorded. Fix
changing of another user's language by a user with PERM_USER_MANAGEMENT.
Display target user's language rather than current user's language.
- Improve the timeline control table layout.
- Fix translation of string possibly using plural.
http://denyhosts.sourceforge.net/
DenyHosts is a script intended to be run by system administrators
to help thwart SSH server attacks (also known as dictionary based
attacks and brute force attacks).
In short, it does this by monitoring your syslog output for failed
login attempts and tweaking /etc/hosts.deny accordingly, and it can
optionally send and fetch lists of ssh probers from a central server.
Thanks to joerg@ for review and corrections.
* Major changes in 0.0.14
** epa-file can handle remote files over Tramp.
** Workaround for a face initialization bug of GNU Emacs.
** Follow the face naming convention of GNU Emacs.
* Major changes in 0.0.13
** epa-file bug fixes.
*** Fixed a compatibility bug on XEmacs 21.5.
*** Do not mark the buffer as modified.
* Major changes in 0.0.12
** epa-file.el usability improvements.
*** Ask recipients only the first time.
*** Respect epa-armor and epa-textmode.
*** Customizing epa-file-name-regexp now works.
*** Backup files for "*.gpg" are also encrypted.
* Major changes in 0.0.11
** Include the EasyPG Assistant user's manual
** Decode user-id's encoded in UTF-8 with "%" or "\" escape
** If a user attempts to encrypt data to an untrusted recipient, EasyPG
prompts for the key-id (it requires GnuPG version 2.0.2 or later)
** epa-file.el turns off auto-saving by default
binary-only packages that require binary "emulation" on the native
operating system. Please see pkgsrc/mk/emulator/README for more
details.
* Teach the plist framework to automatically use any existing
PLIST.${EMUL_PLATFORM} as part of the default PLIST_SRC definition.
* Convert all of the binary-only packages in pkgsrc to use the
emulator framework. Most of them have been tested to install and
deinstall correctly. This involves the following cleanup actions:
* Remove use of custom PLIST code and use PLIST.${EMUL_PLATFORM}
more consistently.
* Simplify packages by using default INSTALL and DEINSTALL scripts
instead of custom INSTALL/DEINSTALL code.
* Remove "SUSE_COMPAT32" and "PKG_OPTIONS.suse" from pkgsrc.
Packages only need to state exactly which emulations they support,
and the framework handles any i386-on-x86_64 or sparc-on-sparc64
uses.
* Remove "USE_NATIVE_LINUX" from pkgsrc. The framework will
automatically detect when the package is installing on Linux.
Specific changes to packages include:
* Bump the PKGREVISIONs for all of the suse100* and suse91* packages
due to changes in the +INSTALL/+DEINSTALL scripts used in all
of the packages.
* Remove pkgsrc/emulators/suse_linux, which is unused by any
packages.
* cad/lc -- remove custom code to create the distinfo file for
all supported platforms; just use "emul-fetch" and "emul-distinfo"
instead.
* lang/Cg-compiler -- install the shared libraries under ${EMULDIR}
instead of ${PREFIX}/lib so that compiled programs will find
the shared libraries.
* mail/thunderbird-bin-nightly -- update to latest binary
distributions for supported platforms.
* multimedia/ns-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
* security/uvscan -- set LD_LIBRARY_PATH explicitly so that
it's not necessary to install library symlinks into
${EMULDIR}/usr/local/lib.
* www/firefox-bin-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
Packages Collection.
The Perl 5 module Crypt::RC4 provides a simple implementation of
the RC4 algorithm, developed by RSA Security, Inc.
Disclaimer: Strictly speaking, this module uses the "alleged" RC4
algorithm. The Algorithm known as "RC4" is a trademark of RSA
Security Inc., and this document [the module documentation] makes
no claims one way or another that this is the correct algorithm,
and further, make no claims about the quality of the source code
nor any licensing requirements for commercial use.
changes:
- More protection : Automatic identification and
removal of viruses delivering the next generation
of best-of-breed anti-virus scanning engines.
It offers improved protection against existing,
new and potential threats and increases the depth
and breadth of the protection we provide.
- It's faster than before : We've listened to our
customers who asked for a faster Engine and it
delivers superior performance to current McAfee
Anti-Virus products on all supported platforms.
- Support for many more packed-executable formats
in which known malware is often re-packaged
for obfuscation purposes.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
and visudo manpages in man/man1, and the sudoers manpage in man/man5.
Remove the platform-specific PLISTs that only differed in the location
of the man pages.
Bump the PKGREVISION to 5.
BUG FIXES
- in a milter setup log_id was left undefined, which resulted in log lines
without id, and a SQL constraint violation "Column 'am_id' cannot be null"
when logging to SQL was enabled. The bug was introduced in 2.5.1;
problem reported by Martin Svensson;
- suppress a quarantining attempt if the message also needs to be archived
to the same location (same sql key or same local filename);
reported by Wazir Shpoon;
- adjust $socketname in amavisd-release to match its default counterpart
in amavisd (i.e. /var/amavis/amavisd.sock); reported by Stanley Appel;
And more... please review the Changelog file.
(in fact, it's not clear that there is a good way to do so). The resulting
configuration works fine *except* if it encounters a host that has 3DES
but no DES service keys in its keytab.
Fix this by explicitly passing 0 ("default enctype") to Kerberos.
install script. The latter are special install-sh script options that
check whether the invoking user is the root user or not, which is
completely unnecessary.
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overridden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
things are restricted, pkgsrc's labeling rules aren't intended to
address export control issues, and there are vast numbers of packages
with apparently similar export control status and no RESTRICTED.)
Noteworthy changes in version 0.6.4 (2007-06-12)
------------------------------------------------
* Make sure the test suite uses non-guessable file names
for temporary files.
* Fix a problem in the file handling code.
Noteworthy changes in version 0.6.3 (2007-06-06)
------------------------------------------------
* Remove unused references in the opencdk config script.
This fixes an error because a variable was not referenced.
Interface changes relative to 0.6.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cdk_dek_get_cipher NEW
cdk_dek_get_mdc_flag NEW
Noteworthy changes in version 0.6.2 (2007-05-25)
------------------------------------------------
* Fix versioning script of the library.
* Bug fixes for the remaining memory leaks.
* Better way to handle gcrypt initialization.
Interface changes relative to 0.6.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cdk_lit_format_t NEW
functions:
cdk_pk_to_fingerprint NEW
v1.07
- fix t/nonblock.t on systems which have by default a larger
socket buffer. Set SO_SNDBUF explicitly with setsockopt
to force smaller writes on the socket
signing-party (0.4.10-1) unstable; urgency=low
* caff:
+ Fix syntax error in example config variables (Closes: #413020).
+ Fix perl warnings when calling pgp-fixkey with unknown keyid or
with empty signature create date.
* gpg-key2ps:
+ Add '-1' option to only display one column of slips, for extra
wide keys (Closes: #399474).
* keylookup:
+ Fix perl warnings caused by empty lines from gpg output.
* Drop transitional and now obsolete keylookup package.
* Remove no longer needed dependency on mailx.
v1.06
- instead of setting undef args to '' in configure_SSL drop
them. This makes Net::SMTP::SSL working again because it
does not give LocalPort of '' to IO::Socket::INET any more
0.55 2007-06-01 17:34:22 UTC
- Added a blocking() method to Net::SSL (and bumped version to
2.81).
0.54 2007-04-12 22:05:26 UTC
- Rebadged 0.53_05, since no bugs appear to have surfaced.
0.53_05
- Fixed up incorrect LIBS key in WriteMakefile args. Thanks to
David Cantrell for giving me access to an OpenBSD box that
revealed this problem.
- Added the list of modules that depend on Crypt::SSLeay to
the README, as per cpants.perl.org. (think: improvements
to the test suite).
0.53_04 2007-03-06 09:39:01 UTC
- add diag() info to determine possible reasons for failure as per
http://www.nntp.perl.org/group/perl.cpan.testers/2007/03/msg428964.html
- Tweaks for Strawberry Perl detection.
0.53_03 2007-03-04 18:30:06 UTC
- Adjusted the typemap shims to silence the compiler warnings that
occur when sizeof(IV) is larger than sizeof(char *).
- use XSLoader for faster loading if available, otherwise fall
back to DynaLoader.
- Makefile.PL heavily reworked, lots of cruft removed.
- Ask to see whether the live tests should be run.
- renamed net_sst.t to 01-connect.t
- added 02-live.t that performs live HTTPS requests.
0.53_02 2007-01-29 10:02:34 UTC
- don't proxy hosts in NO_PROXY environment variable (CPAN
bug #11078).
- don't send user agent string to proxy unless
send_useragent_to_proxy is enabled. (CPAN bug #4759).
- Net::SSL bumped to 2.80
0.53_01 2007-01-24 22:21:09 UTC
- patch for CPAN #12444 applied (Jeff Lavallee). Net::SSL bumped
to 2.79.
- example scripts moved into eg/ directory and the documentation
updated.
- added a TODO to remind me of what needs to be done.
0.53 2006-12-26 17:21:22 UTC
- 0.52_02 deemed stable
0.52_02 2006-12-20 19:29:01 UTC
- improved VMS support (CPAN bug #19829).
- add a test to see if cert file is readable in
Net::SSL::configure_certs (CPAN bug #8498) and Net::SSL version
to 2.78.
- known working platforms list removed from documentation. Too old,
and CPAN Testers has the up-to-date information.
- minor documentation improvements.
0.52_01 2006-12-17
- add call to SSL_library_init() in new()
- maintenance taken over by brian d foy and David Landgren.