Commit graph

4523 commits

Author SHA1 Message Date
tnn
c6504f63a7 Work around broken pthread_create configure test on HPUX. 2007-07-28 19:29:57 +00:00
seb
fe72e94b96 Clear USE_LANGUAGES, there is no need for it. 2007-07-27 23:24:17 +00:00
seb
121016f080 Add & enable p5-Crypt-RC4 2007-07-27 23:12:08 +00:00
seb
576322c094 Initial import of p5-Crypt-RC4 version 2.02 into The NetBSD
Packages Collection.

The Perl 5 module Crypt::RC4 provides a simple implementation of
the RC4 algorithm, developed by RSA Security, Inc.

Disclaimer: Strictly speaking, this module uses the "alleged" RC4
algorithm. The Algorithm known as "RC4" is a trademark of RSA
Security Inc., and this document [the module documentation] makes
no claims one way or another that this is the correct algorithm,
and further, make no claims about the quality of the source code
nor any licensing requirements for commercial use.
2007-07-27 23:10:37 +00:00
gdt
d7922fde3a Fix location of old distfiles in MASTER_SITE (s/old/OLD/). 2007-07-27 17:28:48 +00:00
jlam
ea2890b4d2 Remove a redundant PKGNAME definition (which matches DISTNAME), and add
a fetch location for old distfiles so that we don't need to always keep
this package at the latest release.
2007-07-26 19:34:12 +00:00
joerg
e6c367979b Don't include a reimplementation of strdup, ANSI C is old enough. 2007-07-24 14:26:31 +00:00
tls
e45a7ebbb0 Update sudo to 1.6.9. We don't take the new default of PAM and no other
authentication; that can be enabled by adding pam to the package options
if users desire.
2007-07-23 16:38:36 +00:00
adrianp
f4f2403b78 PATCH_SITES update 2007-07-22 22:26:04 +00:00
tron
885d73992c Compile OpenSSL with support for threads. This allows an application
to register callbacks which implement locking primitives to make
OpenSSL thread-safe.

Bump package revision because of this change.
2007-07-18 13:11:15 +00:00
njoly
7e256bff90 update to v5.10
changes:

-   More protection : Automatic identification and
    removal of viruses delivering the next generation
    of best-of-breed anti-virus scanning engines.
    It offers improved protection against existing,
    new and potential threats and increases the depth
    and breadth of the protection we provide.

-   It's faster than before : We've listened to our
    customers who asked for a faster Engine and it
    delivers superior performance to current McAfee
    Anti-Virus products on all supported platforms.

-   Support for many more packed-executable formats
    in which known malware is often re-packaged
    for obfuscation purposes.
2007-07-16 20:18:58 +00:00
adrianp
00ea48ba7b Update to 0.47
Mark as not for NetBSD > 1.x
The false positives on NetBSD 2.x and 3.x have been reported upstream
to try and address PR #31813
2007-07-11 20:16:33 +00:00
joerg
80fbcad274 Avoid embedding $NetBSD\$ and similar constructs in-tree files.
The strings would be picked up for +BUILD_VERSION and create mismatches
when using ident on the same files.
2007-07-10 15:27:57 +00:00
cube
8cc11b7ae6 Fix PLIST [hi xtraeme!]. Bump revision. 2007-07-09 17:32:35 +00:00
minskim
72dbbfe305 Fix configure options when the librack option is given.
This fixes the second problem in PR 36617.
2007-07-09 04:27:55 +00:00
minskim
39cd92b470 Make this build with db4. This fixes the first problem in PR 36617. 2007-07-09 03:51:33 +00:00
heinz
40071f7ab6 The package supports installation to DESTDIR.
No compiler required.
2007-07-07 13:07:56 +00:00
ghen
3e9bc94618 Install amavisd-agent as well. Bump PKGREVISION. 2007-07-05 08:36:56 +00:00
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
jlam
a6f8cbe795 pkgsrc basically follows the BSD man page hierarchy. Install the su
and visudo manpages in man/man1, and the sudoers manpage in man/man5.
Remove the platform-specific PLISTs that only differed in the location
of the man pages.

Bump the PKGREVISION to 5.
2007-07-04 20:37:50 +00:00
xtraeme
46e2be0d50 Update to 2.5.2:
BUG FIXES

- in a milter setup log_id was left undefined, which resulted in log lines
  without id, and a SQL constraint violation "Column 'am_id' cannot be null"
  when logging to SQL was enabled. The bug was introduced in 2.5.1;
  problem reported by Martin Svensson;

- suppress a quarantining attempt if the message also needs to be archived
  to the same location (same sql key or same local filename);
  reported by Wazir Shpoon;

- adjust $socketname in amavisd-release to match its default counterpart
  in amavisd (i.e. /var/amavis/amavisd.sock); reported by Stanley Appel;

And more... please review the Changelog file.
2007-07-03 14:21:06 +00:00
joerg
043fc2f0ed Fix CVS ID. 2007-07-02 08:36:12 +00:00
tls
d4bffa6d45 On some hosts, this package's configure script fails to detect Heimdal
(in fact, it's not clear that there is a good way to do so).  The resulting
configuration works fine *except* if it encounters a host that has 3DES
but no DES service keys in its keytab.

Fix this by explicitly passing 0 ("default enctype") to Kerberos.
2007-07-02 06:04:01 +00:00
joerg
a5a7bfecb1 Don't run clear. Pass down OPSYS and don't run uname -s again. 2007-06-30 18:49:38 +00:00
joerg
275fc7e74e Force inclusion of RDTSC for now. The package makes no attempt to handle
it, CPUs without are rare and detection at runtime is non-trivial.
If this ever becomes an issue, more involved magic should be requested
upstream.
2007-06-30 18:08:34 +00:00
joerg
9d6c5ad043 configure script is perl, run it with perl. 2007-06-30 16:12:03 +00:00
joerg
f622125847 Must be restricted to PHP4 as adodb is not available for PHP5. 2007-06-30 13:47:38 +00:00
jlam
04e13269d6 Use -[ogm] instead of -[OGM] when passing permissions options to the
install script.  The latter are special install-sh script options that
check whether the invoking user is the root user or not, which is
completely unnecessary.
2007-06-26 15:05:50 +00:00
tls
1194ad7ee6 Add file omitted from previous commit. 2007-06-25 23:53:28 +00:00
tls
36ca7970b3 Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos:
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors.  Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overridden via environment.

Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.

Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
2007-06-25 09:53:42 +00:00
minskim
7afa15017c Do not declare static functions in headers. 2007-06-23 08:25:30 +00:00
gdt
4c80c2d36b Remove RESTRICTED comment about US export control. (While lots of
things are restricted, pkgsrc's labeling rules aren't intended to
address export control issues, and there are vast numbers of packages
with apparently similar export control status and no RESTRICTED.)
2007-06-22 14:20:01 +00:00
minskim
ef19331d18 Set "install" as a .PHONY target so that it works on case-insensitive
filesystems.
2007-06-21 18:33:19 +00:00
hubertf
3abcb13260 Don't pull in <net/bpf.h> on MacOS, it's already pulled in
via libpcap.

XXX Still needs PREFER.libpcap=pkgsrc in mk.conf to build, but it's a step
forward.
2007-06-17 01:40:51 +00:00
wiz
4b688a25c8 Update to 0.6.4:
Noteworthy changes in version 0.6.4 (2007-06-12)
------------------------------------------------

* Make sure the test suite uses non-guessable file names
  for temporary files.

* Fix a problem in the file handling code.


Noteworthy changes in version 0.6.3 (2007-06-06)
------------------------------------------------

* Remove unused references in the opencdk config script.
  This fixes an error because a variable was not referenced.

Interface changes relative to 0.6.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cdk_dek_get_cipher		   NEW
cdk_dek_get_mdc_flag		   NEW


Noteworthy changes in version 0.6.2 (2007-05-25)
------------------------------------------------

* Fix versioning script of the library.

* Bug fixes for the remaining memory leaks.

* Better way to handle gcrypt initialization.

Interface changes relative to 0.6.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cdk_lit_format_t		   NEW

functions:
cdk_pk_to_fingerprint		   NEW
2007-06-15 22:42:33 +00:00
joerg
797a7d9543 Slightly change script so that ident sees only the NetBSD CVS ID and
it can therefore be detected properly as up-to-date.
2007-06-15 19:03:16 +00:00
gdt
ca88407643 Add RESTRICTED based on license. 2007-06-14 18:58:15 +00:00
gdt
26ec902b25 add RESTRICTED, NO_*_ON_CDROM 2007-06-14 18:40:57 +00:00
gdt
cd8cb61ebf Add RESTRICTED and NO_*_ON_* because the license does not grant
permission to redistribute.
2007-06-14 12:56:43 +00:00
joerg
6c719ef8bd Fix DESTDIR support. 2007-06-14 08:12:29 +00:00
heinz
7dfe3cb983 Added support for installation to DESTDIR. 2007-06-13 09:50:46 +00:00
wiz
9977387517 Update to 1.07:
v1.07
        - fix t/nonblock.t on systems which have by default a larger
          socket buffer. Set SO_SNDBUF explicitly with setsockopt
          to force smaller writes on the socket
2007-06-12 23:02:40 +00:00
joerg
e16b1b92b0 Reorder subdirectories. The agent wants to modify the installed
daemon. No idea how this could have ever worked.
2007-06-12 20:09:11 +00:00
tonio
d0e3a7ee00 Update security/caff to 0.4.10
signing-party (0.4.10-1) unstable; urgency=low
   * caff:
     + Fix syntax error in example config variables (Closes: #413020).
     + Fix perl warnings when calling pgp-fixkey with unknown keyid or
       with empty signature create date.
   * gpg-key2ps:
     + Add '-1' option to only display one column of slips, for extra
       wide keys (Closes: #399474).
   * keylookup:
     + Fix perl warnings caused by empty lines from gpg output.
   * Drop transitional and now obsolete keylookup package.
   * Remove no longer needed dependency on mailx.
2007-06-10 21:27:10 +00:00
wiz
7dc66844d6 Replace a patch by setting the proper environment variable.
Info provided by the author David Landgren.
2007-06-09 13:18:57 +00:00
heinz
991fe65011 Added support for installation to DESTDIR. "root"-permissions still
required because of "chown" and "chmod" commands.
Enabled tests.
2007-06-08 15:24:58 +00:00
heinz
d0f3242862 The package supports installation to DESTDIR. 2007-06-08 11:26:04 +00:00
wiz
81a1478481 Update to 1.06:
v1.06
        - instead of setting undef args to '' in configure_SSL drop
          them. This makes Net::SMTP::SSL working again because it
          does not give LocalPort of '' to IO::Socket::INET any more
2007-06-08 08:02:15 +00:00
wiz
452034d449 Update to 0.55:
0.55 2007-06-01 17:34:22 UTC

- Added a blocking() method to Net::SSL (and bumped version to
  2.81).

0.54 2007-04-12 22:05:26 UTC

- Rebadged 0.53_05, since no bugs appear to have surfaced.

0.53_05

- Fixed up incorrect LIBS key in WriteMakefile args. Thanks to
  David Cantrell for giving me access to an OpenBSD box that
  revealed this problem.
- Added the list of modules that depend on Crypt::SSLeay to
  the README, as per cpants.perl.org. (think: improvements
  to the test suite).

0.53_04 2007-03-06 09:39:01 UTC

- add diag() info to determine possible reasons for failure as per
  http://www.nntp.perl.org/group/perl.cpan.testers/2007/03/msg428964.html
- Tweaks for Strawberry Perl detection.

0.53_03 2007-03-04 18:30:06 UTC

- Adjusted the typemap shims to silence the compiler warnings that
  occur when sizeof(IV) is larger than sizeof(char *).
- use XSLoader for faster loading if available, otherwise fall
  back to DynaLoader.
- Makefile.PL heavily reworked, lots of cruft removed.
- Ask to see whether the live tests should be run.
- renamed net_sst.t to 01-connect.t
- added 02-live.t that performs live HTTPS requests.

0.53_02 2007-01-29 10:02:34 UTC

- don't proxy hosts in NO_PROXY environment variable (CPAN
  bug #11078).
- don't send user agent string to proxy unless
  send_useragent_to_proxy is enabled. (CPAN bug #4759).
- Net::SSL bumped to 2.80

0.53_01 2007-01-24 22:21:09 UTC

- patch for CPAN #12444 applied (Jeff Lavallee). Net::SSL bumped
  to 2.79.
- example scripts moved into eg/ directory and the documentation
  updated.
- added a TODO to remind me of what needs to be done.

0.53 2006-12-26 17:21:22 UTC

- 0.52_02 deemed stable

0.52_02 2006-12-20 19:29:01 UTC

- improved VMS support (CPAN bug #19829).
- add a test to see if cert file is readable in
  Net::SSL::configure_certs (CPAN bug #8498) and Net::SSL version
  to 2.78.
- known working platforms list removed from documentation. Too old,
  and CPAN Testers has the up-to-date information.
- minor documentation improvements.

0.52_01 2006-12-17

- add call to SSL_library_init() in new()
- maintenance taken over by brian d foy and David Landgren.
2007-06-08 07:57:10 +00:00
wiz
cc7676ec31 + Bastille. 2007-06-07 16:50:25 +00:00
rillig
5342a22448 Imported Bastille from pkgsrc-wip.
Bastille is a system hardening / lockdown program which enhances the
security of a Unix host.  It configures daemons, system settings and
firewalls to be more secure.  It can shut off unneeded services like rcp
and rlogin, and helps create "chroot jails" that help limit the
vulnerability of common Internet services like Web services and DNS.

This tool currently hardens Red Hat (Fedora Core, Enterprise and
Legacy/Classic), SuSE, Debian, Gentoo, Mandrake Linux, HP-UX, Mac OS X
and Turbo Linux.

If run in the preferred interactive mode, it can teach you a good deal
about  security while personalizing your system security state.

Bastille can also assess and report on the state of a system, which may
serve as an aid to security administrators, auditors and system
administrators who wish to investigate the state of their system's
hardening without making changes to such.  This assessment functionality
has only been tested on Red Hat Linux (Fedora, Legacy, Enterprise) and
SUSE systems.
2007-06-06 22:37:59 +00:00
wiz
984a567184 Use included opencdk for now, opencdk-0.6.x is not compatible with
gnutls-1.6.x (the stable branch).

No further PKGREVISION bumps necessary, because opencdk caused recursive
PKGREVISION bumps and afterwards gnutls wouldn't build.

Addresses PR pkg/36448.
2007-06-06 06:23:58 +00:00
wiz
16b51cb3da Update to 0.6.1.
Package change: Fix opencdk-config and opencdk.pc.

Noteworthy changes in version 0.6.1 (2007-05-12)
------------------------------------------------

* The opencdk.def file is included in the distribution archive,
  fixes build failures on mingw32.

* Some bug fixes for the mingw32 build in combination with WINE.

* Now the decryption code uses the name in the literal packet
  for the output file whenever this is possible.

* Take care of absolute file names in literal packets.
2007-06-06 06:11:16 +00:00
wiz
9d27f90a6f opencdk shlib major changed; bump ABI depends and PKGREVISIONs of
affected packages.
2007-06-05 05:36:59 +00:00
wiz
ae15e1fe1e Update to 0.6.0:
Noteworthy changes in version 0.6.0 (2007-05-XX)
------------------------------------------------

* Dropped all internal random, cipher, digest libs and only use gcrypt
  for such tasks. The library should only provide functions dedicated
  to parsing and packet creation for the protocol.

* Adjust code for the new Libgcrypt interface.
  Now Libgcrypt >1.2.2 is required to build the code.

* This new version introduces an API change and thus incompatibilities
  to prior versions.

* Lots of cleanups all over the place. This also includes simplification
  for various code parts.

* Better support for larger files.

* Map the libgcrypt error directly and remove the
  invalid CDK_Gcry_Error type.

* Add more regression tests for the various code parts.

* We do not support ElGamal signatures any longer.

* Merged patches from the other opencdk branch which is
  currently used by GnuTLS.

* Provide user callback for the stream. As a sample
  implementation, socket callbacks are implemented
  and used in cdk_stream_sockopen().

* Drop most of the rfc1991 legacy format. This means
  we do not generate any rfc1991 data, but we still
  understand it. An exception is the packet header output.

* Removed gnulib interface for now because the lib
  is currently not in use.

* Interface changes relative to 0.5.x
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 functions:
 cdk_stream_tmp			CHANGED: is now cdk_stream_tmp_new
 cdk_stream_new_from_mem	CHANGED: new argument and return error code
 cdk_stream_control		CHANGED: is not available any longer
 cdk_stream_new_from_cbs	NEW
 cdk_stream_mmap_part		NEW
 cdk_keydb_new_from_file	NEW
 cdk_keydb_new_from_mem		NEW
 cdk_keydb_new_from_stream	NEW
 cdk_keydb_import		CHANGED: second argument removed.
 cdk_keydb_pk_cache_sigs	DELETED
 cdk_kbnode_write_to_mem_alloc	NEW
 cdk_lib_startup		NEW
 cdk_lib_shutdown		NEW
 cdk_handle_set_keyring		NEW
 cdk_handle_get_verify_result	NEW
 cdk_subpkt_find_next		NEW
 cdk_subpkt_find_nth		NEW
 cdk_set_progress_handler	DELETED
 cdk_userid_get_pref_array	DELETED
 cdk_pk_encrypt			CHANGED: last argument is now gcry_mpi_t
 cdk_pk_decrypt			CHANGED: last argument is now gcry_mpi_t
 cdk_pk_get_mpi			CHANGED: new argument nwritten.
 cdk_sk_get_mpi			CHANGED: new argument nwritten.
 cdk_pk_release			NEW
 cdk_sk_release			NEW
 cdk_pubkey_to_sexp		NEW
 cdk_seckey_to_sexp		NEW
 cdk_armor_encode_buffer	NEW
 cdk_keygen_set_mdc_feature	DELETED
 cdk_keygen_set_algo_info	CHANGED: new argument usage.
 cdk_seskey_new			DELETED
 cdk_seskey_free		DELETED
 cdk_dek_encode_pkcs1		CHANGED: not public any longer.
 cdk_dek_decode_pkcs1		CHANGED: not public any longer.
 cdk_stream_tell		CHANGED: return type is now off_t
 cdk_stream_seek		CHANGED: argument is now off_t
 cdk_pk_check_self_sig		NEW

 constants:
 CDK_No_Data			NEW
 CDK_CTL_TRUSTMODEL		DELETED
 CDK_CTL_FORCE_DIGEST		DELETED
 CDK_COMPRESS_BZIP2		NEW
 CDK_MD_SHA{256,384,512}	NEW
 CDK_MD_{TIGER, MD2}		DELETED
 CDK_CIPHER_{SAFER_SK128, DES_SK} DELETED
 CDK_CTL_COMPAT		  	  DELETED

 structures:
 cdk_md_hd_t			CHANGED: is now gcry_md_hd_t
 cdk_cipher_hd_t		CHANGED: is now gcry_cipher_hd_t
 cdk_sesskey_t			CHANGED: is now gcry_mpi_t
2007-06-05 05:35:19 +00:00
wiz
d9680b8931 Update to 1.6.3:
* Version 1.6.3 (released 2007-05-26)

** New API functions to extract DER encoded X.509 Subject/Issuer DN.
Suggested by Nate Nielsen <nielsen-list@memberwebs.com>.  Backported
from the 1.7.x branch, see
<http://lists.gnu.org/archive/html/help-gnutls/2007-05/msg00029.html>.

** Have PKCS8 parser return better error codes.
Reported by Nate Nielsen <nielsen-list@memberwebs.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001653.html> and
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001654.html>.

** Fix mem leak for sessions with client authentication via certificates.
Reported by Andrew W. Nosenko <andrew.w.nosenko@gmail.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001539.html>.

** Fix building of 'tlsia' self test.
Earlier some gcc are known to build tlsia linking to
$prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in
the build directory, even though command line parameters look OK.
Changing order of some parameters fixes it.

** API and ABI modifications:
gnutls_x509_crt_get_raw_issuer_dn: ADD.
gnutls_x509_crt_get_raw_dn: ADD.
2007-06-01 20:12:44 +00:00
xtraeme
b346e4618c Update to 2.5.1.
This release adds checking of a number of archive members to improve
protection from runaway dearchivers.

It fixes SQL quarantining of mail with a null sender, and recognizes
PostgreSQL error S8006.

Parsing of invalid header has been improved.

Calling 'finish' on a SA message object was added.

A nonstandard SMTP status code 254 is no longer used, and enforcing
of option 8BITMIME is avoided even on 8-bit contents.

Checking of eval status was improved to recognize additional failure
modes.

Disabling of MIME decoding and invoking of a file(1) utility has been
made possible. An AV entry for ArcaVir was added.
2007-06-01 04:41:07 +00:00
wiz
3aef777bdf Fix PLIST -- it assumed that the package would be built with
the gpgsm option on by default.
2007-06-01 00:12:35 +00:00
schmonz
e0237edc3d Use the macosx-bind9-bind8compat hack. Gets the build a little further.
XXX This should probably happen by default across pkgsrc on Darwin.
2007-05-30 09:10:26 +00:00
rillig
7f125459d8 Removed some code duplication from the buildlink3 files by using the new
pkg-build-options.mk procedure.
2007-05-30 08:54:28 +00:00
obache
6709d7acf6 Pass PAM location to configure script.
Pointed out in PR 36386 by Ondrej Tuma.
2007-05-25 07:30:49 +00:00
adrianp
fd28c73bb6 Update to 1.3.6
Lots of updates but some highlights in brief:

- Added base64 encoding support for ICMP payload additional table in base_qry_alert.php -- Juergen Leising
- Changed input type of the password field to actually be password in setup3.php -- Nikns
- Fixed Time error in searches -- Jeff Kell
- Added FQDN to display -- Jonathan W Miner
- Fixed issues with graphing -- Kevin J
- Updated tons of HTML for compliance -- Marek Cruz
2007-05-18 23:27:22 +00:00
adrianp
e54f59994f Add PKG_APACHE_ACCEPTED=apache13 apache2 as this package is not
supported with apache 2.2.x
2007-05-18 10:23:16 +00:00
peter
da2ced0ef3 Remove myself as maintainer, I don't have the time anymore to keep these
packages up to date.
2007-05-18 10:03:30 +00:00
adrianp
0f9e231aaf 11 Apr 2007 - 2.1.1
-------------------
* Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
  for the @rx operator and variables.
* Really set PCRE_DOTALL option when compiling the regular expression
  for the @rx operator as the docs state.
* Fixed potential memory corruption when expanding macros.
* Fixed error when a collection was retrieved from storage in the same second
  as creation by setting the rate to zero.
* Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
* Fixed the faulty REQUEST_FILENAME variable, which used to change
  the internal Apache structures by mistake.
* Updates to quiet some compiler warnings.
* Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf)
2007-05-18 09:20:09 +00:00
heinz
120c892176 Updated to version 0.14.
Pkgsrc changes:
  - Added support for installation to DESTDIR.
  - p5-Digest-SHA is a new requirement.

Changes since version 0.12:
===========================
0.14 February 14, 2005

   FIX: The introduction of the keytag warning triggered a bug with RSAMD5
        keys, causing RSAMD5 keys not to be loaded.

0.13 December 9, 2005

   FEAT: rt.cpan.org 14588
        Added support for passing (a reference to) an array of keys to the
	RRSIG verify function.

   FIX/FEAT:
	The Net::DNS::SEC::Private function will for RSA based keys verify if
	the keytag in the filename is actually correct.
	Since at parsing the value of the DNSKEY RR flags is not known we
	test against the currently defined flag values 256 and 257.

	If we cannot find a keytag match a warning is printed and Private
	key generation fails

        This inconsistency was spotted by Jakob Schlyter.

   FEAT: Added support for SHA256 to the DS RR. Assigned the expected
        digest type2 for SHA256 type hashes.

        Note that this makes the Net::DNS::SEC depend on Digest::SHA instead
        of Digest::SHA1.

        The default digest type is still set to 1.

        NB. The code makes assumptions about the IANA assignment of the
            digest type. The assignment may change. Do not use SHA256 in
	    production zones!!

   FIX: rt.cpan.org #15662
	Roy Arends noticed and patched the label counting did not ignore
        an initial asterisk label.

   FIX: Wes Hardaker noticed the default TTL values for created signatures to
        be different from the TTLs from the data that is being signed.

   FIX: Wes Hardaker reported there was a problem with validating
        RRsets that had ownernames with capitals.
	The fix depends on a fix in Net::DNS::RR that is available in
	version 0.53_03 or later of the Net::DNS distribution.


  FEAT: Proper dealing with mnemonics for algorithm and digest type
	added to DS

  FIX/FEAT: Mnemonics were written as RSA/MD5 and RSA/SHA1. This has been
        corrected to RSASHA1 and RSAMD5, as in the IANA registry.

0.12_02 June 6, 2005 (beta 2 release for 0.13)

   Bug: new_from_hash would not correctly create the RR since internally
	typebm is used to store the data this has been fixed so that
        the following works

        Net::DNS::RR->new(name=>$name,
                    ttl=>$ttl,
                    type=>"NSEC",
                    nxtdname=>$nxtdname,
                    typelist=>join(" ",@types)
                   );

   FEAT: Introduced the "use bytes" pragma to force character interpretation
         of all the scalars. Any utf processing by perl makes the code behave
         unpredictably.

0.12_01 April 18, 2005. (beta release for version 0.13)

   FEAT (!!!): Changed the semantics of the Net::DNS::Keyset::verify method.
	 Read the perldoc for details. The requirement that each key in a
         keyset has to be selfsigned has been loosened.

   FEAT: Added a "carp" to the new methods of the NXT RR. Warning that
	 that record is deprecated.

   FEAT: Cleaned the tests so that RRSIG and DNSKEY are used except for
         SIG0 based tests.

   FEAT: Changed the name of the siginceptation[SIC] to siginception.
	 Thanks Jakob Schlyter for notifying me of this mistyping.
	 An alias for the method remains available.

   FEAT: Renamed unset_sep() to clear_sep().


   NOTE: To avoid confusion the Net::DNS::SIG::Private class has been
         removed. Use Net::DNS::SEC::Private!

   DOC:  Added references to RFC 4033, RFC 4034 and RFC 4035. Rewrote parts
         of the perlpod.
2007-05-17 17:30:21 +00:00
heinz
579135ac6c Updated to version 5.44.
Pkgsrc changes:
  - The package supports installation to DESTDIR
  - A C compiler is necessary.

Changes since version 5.43:
===========================
5.44  Sat Oct 14 00:42:44 MST 2006
	- removed SIGNATURE file from distribution
		-- spurious errors from CPANPLUS can break build
	- eliminated ppport.h header file
		-- significantly reduces size of distribution
	- modified C functions in src/hmac.c to use ANSI prototypes
		-- thanks to Jarkko Hietaniemi for patch
2007-05-17 17:00:19 +00:00
heinz
ead53f260a Updated to version 0.24.
Pkgsrc changes:
  - Package supports installation to DESTDIR.
  - Removed patch-aa (missing includes when using OpenSSL 0.9.8 were fixed).
  - patch-ab corrects wrong test count.

Changes since version 0.22:
=====================================
0.24  Mon Nov 13 2006 08:21:14
        - Fix a bug reported by Mark Martinec <Mark.Martinec@ijs.si>
          where encrypt could segfault if called with insufficient
          data; it now informatively croaks instead.
        - Fix a bug reported by Mark Martinec where check_key would
          segfault instead of croaking when called on a public key.
        - Fix decrypt and private_encrypt to croak instead of segfault when
          called on a public key.
        - Add an is_private method.
        - Silence a few compiler warnings about ignoring return values
          from certain BIO_* methods.

0.23  Wed Apr 12 2006 00:06:10
        - Provide 32 bytes of seeding in tests, up from 19.
        - Stop relying on implicit includes, which disappeared in the 0.98
          release of OpenSSL.
        - Apply patch from Jim Radford <radford@blackbean.org> to add support
          for SHA{224,256,384,512}
2007-05-17 16:40:18 +00:00
heinz
55b61cefff The package supports installation to DESTDIR. 2007-05-16 15:25:14 +00:00
shannonjr
43de302502 Update to 0.9.14. Changes:
- Implement TCP keepalive settings on platforms that support it,
  check client.conf for details.
- When reading prelude-adduser password from a file, remove
  newline at the end of the string (fix #221).
- When we fail to read an IDMEF message, provide more information
  about the place where the error happened.
- Fix an issue with idmef_path_get() on empty path (pointing to the
  root message).
- Various bug fixes and minor API improvements.
2007-05-15 22:40:19 +00:00
agc
69b5ceb206 Add a cast to appease gcc4. 2007-05-13 16:13:10 +00:00
wiz
2e8801824f Remove some GNOME1 packages that are unmaintained upstream and/or in
pkgsrc, in preparation for gnome1-libs removal(*).

There was no feedback for keeping these packages after my
HEADS UP mail to pkgsrc-users a week ago.

(*) More to come before that can happen, though.
2007-05-13 14:39:15 +00:00
shannonjr
09e41c80a5 Update to 0.9.8. Changes:
- Initial implementation of the 'thresholding' plugin, allowing you to
  suppress events after a certain limit/threshold.
- Filters hooking to a reporting plugin are now OR'ed instead of being
  AND'ed. AND is already possible by hooking filtering plugin one with
  another.
- Improved error reporting.
- Minor bug fixes.
2007-05-12 12:50:22 +00:00
shannonjr
6af9e05de6 Updated embedded libassuan to 1.0.1 2007-05-12 11:19:18 +00:00
shannonjr
2b1acf378a Update to version 1.0.1. Changes not provided in release announcement. 2007-05-12 11:11:25 +00:00
shannonjr
e8a0747041 Update to Version 2.0.4. Changes are not described in release announcement. 2007-05-12 11:08:31 +00:00
shannonjr
ea1a45c9fb Update to 0.9.9. Changes:
- Pattern can now be used to specify file to be monitored.
- Fix an issue in the detection of buggy writev() FAM notification.
- Add bonding.rules, by Paul Robert Marino <prmarino1@gmail.com>.
- ModSecurity ruleset update: remove unnecessary fields + ModSecurity 2.0 compatibility.
- New Cisco IOS common ruleset, by Alexandre Racine.
- Avoid duplicating information in node name and node address.
- Add rule ID and revision to the generated alert for each matched rule. Fix #206.
- Handle "last" keyword even if the rule does not contain any IDMEF assignment. Fix #218.
- Various bug fixes.
2007-05-12 10:00:35 +00:00
agc
625c797253 Add and enable sbd 2007-05-10 18:19:17 +00:00
agc
0ac665d99b Initial import of sbd-0.5 into the Packages Collection.
One-time cipher based back door program for executing emergency
	commands.

	Secure Back Door(SBD) is an alternative to leaving SSH open all the
	time.  It is based on a secure one-time keypad method, that insures
	maximum security.  Since SBD is very small, it is less likely to have
	security exploits, as compared to SSH.  Therefore, you could leave an
	important computer up and running with just sbdd running in the
	background, and if an emergency came about, you could simply execute a
	command to bring ssh up, then work on the computer as regular.  It
	would be as simple as doing ./sbd domain.com "/etc/init.d/sshd start",
	and with the proper key file set, the remote computer would have ssh
	up and running shortly.
2007-05-10 18:18:16 +00:00
xtraeme
5922b4cedd p5-Net is not needed anymore as ghen@ reported, bump PKGREVISION. 2007-05-10 12:58:27 +00:00
joerg
63a41f68a2 Doesn't create subdirectory, premake. 2007-05-08 15:51:32 +00:00
xtraeme
0b11ed21bf Update to 2.5.0. Too many changes to list here, please see:
http://www.ijs.si/software/amavisd/release-notes.txt
2007-05-05 15:18:41 +00:00
agc
95ca38424c Add and enable py-SSLCrypto 2007-05-05 00:05:25 +00:00
agc
72f70f2fc6 Initial import of py-SSLCrypto-0.1.1 into the Packages Collection.
SSLCrypto is a package for Python that dramatically eases the task of
	adding encryption to Python programs.

	It provides a unified API that is almost totally compatible with that
	of ezPyCrypto, except that it takes advantage of the OpenSSL Crypto
	Library to deliver massive improvements in speed and security.

	After using ezPyCrypto myself, I found that while it performed ok with
	smaller public key sizes, it proved impossibly slow with larger keys.
	This slowness, resulting from non-optimal code in its backend (the
	Python Cryptography Toolkit) meant that on a 1.5 GHz Athlon XP, it was
	taking several minutes to generate 4096-bit keys.  Completely
	unacceptable if you need real security.

	Performance is absolutely critical for an encryption API.  If slowness
	deters people from using adequate-sized keys, security will be
	severely compromised, almost to the extent that there's little point
	in using encryption in the first place.
2007-05-05 00:03:54 +00:00
tron
9bb2b9aba2 Fix typo in "SUBST_MESSAGE.dl". 2007-05-03 14:23:42 +00:00
wiz
b7b52054dd Update to 1.05:
v1.05
        - make session cache working even if the IO::Socket::SSL object
          was not created with IO::Socket::SSL->new but with
          IO::Socket::SSL->start_SSL on an established socket
2007-05-03 12:30:20 +00:00
adam
cb94155e14 Changes 2.6.5:
* Added all of the patches on Sourceforge, plus those included by Red Hat's Fedora Extras
2007-04-30 19:28:34 +00:00
adam
3b6225abc6 Changes 2.5.8:
* Stuff from the Fedora Extras crew
2007-04-30 19:26:23 +00:00
adam
72871c2545 Changes 0.9.9:
- Added patch for sigbus error on unaligned data, when doing rapid copies.

Changes 0.9.8.1:
- Another round of bugfixes
2007-04-30 19:06:47 +00:00
tron
8ea759f724 Update home-page URL. 2007-04-30 12:52:10 +00:00
tnn
6218a22d2f PR 36233: Make libgcrypt build on NetBSD/hp700. From David H. Gutteridge.
Also makes it build on HP-UX and Linux/hppa, tested by me.
2007-04-28 17:46:21 +00:00
tron
bea247486f Also link with the "dl" library when creating the shared libraries.
Another attempt to fix PR pkg/36086.
2007-04-26 21:11:05 +00:00
tnn
4726602c49 Bump PKGREVISIONs to chase update of devel/libevent. 2007-04-25 16:39:40 +00:00
tron
2d5bd3c024 Use all necessary means to convince OpenSSL's "special" build system
to link with the "dl" library under Mac OS X if necessary.
This should finally fix PR pkg/36086.
2007-04-24 14:10:37 +00:00
heinz
abd6054c1c Added DESTDIR support. 2007-04-22 09:04:54 +00:00
heinz
82874b8437 As suggested by Joerg Sonnenberger, replaced CHECK_INTERPRETER_SKIP
with appropriate values for REPLACE_PERL.
2007-04-22 09:00:21 +00:00
wiz
be84695db3 Update to 1.6.2:
* Version 1.6.2 (released 2007-04-18)

** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields.
Before, we removed the parameters field, which resulted in a slightly
different DER encoding which in turn caused signature verification
failures of GnuTLS-generated RSA certificates in some other
implementations (e.g., GnuPG 2.x's gpgsm).  Depending on which RFCs
you read, this may or may not be correct, but our new behaviour appears
to be consistent with other widely used implementations.

** Regenerate the PKIX ASN.1 syntax tree.
For some reason, after changing the ASN.1 type of ldap-UID in the last
release, the generated C file built from the ASN.1 schema was not
refreshed.  This can cause problems when reading/writing UID
components inside X.500 Distinguished Names.  Reported by devel
<dev001@pas-world.com>.

** Updated translations.

** API and ABI modifications:
No changes since last version.
2007-04-20 06:07:15 +00:00
tron
09d04b1e6d Make sure that the "dlcompat" related options are actually added to
"LDFLAGS". This is another attempt to fix PR pkg/36086.
2007-04-18 14:11:33 +00:00
tron
f7c84b5393 Because OpenSSL uses dlfcn(3) only internally and Mac OS X supports shared
library dependences we don't need to include "dlopen.buildlink3.mk" here.
2007-04-17 17:12:09 +00:00
tron
944afe7a21 Use "pkgsrc/mk/dlopen.buildlink3.mk" instead of manually including
"pkgsrc/devel/dlcompat/buildlink3.mk" under Darwin. This might
finally fix PR pkg/36086.
2007-04-17 17:04:00 +00:00
joerg
6ac6da8674 Needs msgfmt. 2007-04-17 13:13:42 +00:00
wiz
d86ffeb70e Update to 1.04:
v1.04
        - added way to create SSL object with predefined session
	  cache, thus making it possible to share the cache between
	  objects even if the rest of the context is not shared
          key SSL_session_cache
          Note that the arguments of IO::Socket::SSL::SessionCache::new
          changed (but you should never have used this class directly
          because it's internal to IO::Socket::SSL)
2007-04-15 13:06:26 +00:00
drochner
1897833bf6 update to 1.0.1
This moves this pkg to the new stable gnome branch, too much to list here.
2007-04-11 21:48:02 +00:00
drochner
61aaeee7c7 update to 2.18.0
This moves this pkg to the new stable gnome branch, too much to list here.
2007-04-11 17:59:48 +00:00
ghen
3612dc6014 Update to ipsec-tools 0.6.7.
o Fixed SHA256 detection on some systems
o Fixed a DoS in Informational messages processing (CVE-2007-1841).
2007-04-11 06:51:19 +00:00
drochner
da73c6dbf0 update to 0.8.1
changes:
* Fixes some null pointer crashes when called with a NULL
  keyring
* Translations
2007-04-10 18:30:05 +00:00
shannonjr
741d310347 Update to 0.9.10. Changes:
- Allow filtering plugins to hook others filters plugins.
- Update reporting code to latest specification for the SNMPService class.
- Warn about Un-handled command line arguments.
- Properly dump IDMEF-XML output (fix #186).
- Various bug fixes.
2007-04-09 12:50:20 +00:00
shannonjr
fb84c4ccd7 Update to 0.9.7.2. Changes:
- Allow filtering plugins to hook others filters plugins.
- Update reporting code to latest specification for the SNMPService class.
- Warn about Un-handled command line arguments.
- Properly dump IDMEF-XML output (fix #186).
- Various bug fixes.
2007-04-09 12:49:20 +00:00
shannonjr
d932ef2c74 Update to 0.9.12. Changes:
- Fix preludedb-admin copy/move operations.
2007-04-09 12:48:09 +00:00
shannonjr
8b44742330 Update to 0.9.13.2. Changes:
- Improve error reporting with the central option interface.
- Fix a bug when comparing IDMEF object with optional fields.
- Fix a problem with the logger, where large log entry wouldn't be
logged.
2007-04-09 12:46:48 +00:00
tv
cd6393fb67 Reassign to pkgsrc-users@; I no longer use Pine and thus don't use
pgpenvelope either.
2007-04-04 14:41:23 +00:00
tron
1e65ee8c3c Add ${BUILDLINK_LDFLAGS.dlcompat} (defined as "-ldl") to "LDFLAGS" under
Mac OS X. This is harmless under recent versions of Mac OS X where
"libdl.dylib" is a symbolic link to "libSystem.dylib". And it is necessary
under old versions of Mac OS X (Jaguar and older) where we need the
"libdl.dylib" from the "dlcompat" package.

This should finally fix PR pkg/36086 by John D. Baker.
2007-04-01 21:33:05 +00:00
wiz
47036fe032 Upgrade lsh to version 2 (from lsh2) and remove lsh2.
No disagreement on pkgsrc-users.
2007-04-01 21:26:48 +00:00
wiz
b678424ac0 Remove security/amavis -- discontinued; security/amavisd-new is one
replacement.

No disagreement on pkgsrc-users.
2007-04-01 21:17:16 +00:00
joerg
cf8a69eab6 Fix NO_MTREE. 2007-03-28 13:26:55 +00:00
tron
ecd5e19f04 Include "pkgsrc/devel/dlcompat/buildlink3.mk" when building this package
under Mac OS X. This should fix PR pkg/36086.
2007-03-26 11:44:18 +00:00
wiz
12365314f5 Complete move otpcalc->otpCalc. 2007-03-25 06:13:36 +00:00
wiz
0b0852b3e3 Reimport otpCalc-0.96 under its PKGNAME (from otpcalc before). 2007-03-25 06:12:29 +00:00
joerg
be9fa112f8 Fix build on DragonFly. 2007-03-25 00:48:08 +00:00
joerg
161c920c15 Prepare for switching to NO_MTREE=yes. 2007-03-24 19:21:18 +00:00
bad
f6e8007fdf Update fwbuilder and libfwbuilder to 2.1.10.
Changes since 2.1.7 are:

Version 2.1.10

Improvements and bug fixes in the GUI
     * fixed bug #1661140: "built-in installer broken in 2.1.9 for PF".
       Installer incorrectly set name for files it copied to the firewall if
       generated configuration consisted of several files. Affected platforms
       are PF and ipfilter because normally for these platforms compiler
       generates two files.
     * fixed bug #1659832: "No compile with QT without STL support"
     * a workaround for the bug 1629461: "Policy tabs do not scroll @ window
       extent on OSX". The tab widget used to show policy, nat, routing and
       policy branch rulesets does not switch to a "folded" mode on Mac OS X
       when it needs to show more tabs that fit in the window. Since I can't
       figure out a way to force it to do that, I am dropping "Policy/" from
       the tab titles for branches to make them shorter. This will help users
       with policies with many branches, however it does not solve the
       problem because as they keep adding branches, at some point they won't
       fit in the window again.
     * added an item "Where used" to the context menu associated with objects
       in rules

Version 2.1.9

Improvements and bug fixes in the GUI
     * New feature: new operation "Tools/Find Conflicting Objects in Two Data
       Files". This operation inspects two data files (either .fwb or .fwl)
       and finds conflicting objects. Conflicting objects have the same
       internal ID but different attributes. Two data files can not be
       merged, or one imported into another, if they contain such objects.
       This operation also helps identify changes made to objects in two
       copies of the same data file. This operation does not find objects
       present in one file but not in the other, such objects present no
       problem for merge or import operations. This operation works with two
       external files, neither of which needs to be opened in the program.
       Currently opened data file is not affected by this operation and
       objects in the tree do not change. In the process of this operation
       user is presented with series of dialogs showing conflicting objects
       side by side. In the end the program can generate report and write it
       to a text file.
     * installOptionsDialog was too large and did not fit on some laptop
       screens. Doing tricks to make sure the dialog properly resized after
       unused GUI elements are hidden.
     * bug #1629521: "can't delete empty chain/policy tab"
     * bug #1619842: "prolog "script editor" opens behind other windows"
     * bug #1620206: "RuleOptions' "Apply" button greyed-out until menu
       selection"
     * bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
     * bug #1617501:"Install fails after compile". The GUI got confused when
       user enter full path to the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Making
       sure we always strip directory path from the file name if user
       specified full path for the policy file in the "Output file name"
       input field in the "Compiler" tab of firewall object dialog. Need to
       strip path when macro "%FWSCRIPT%" is substituted in installation
       scriptlets and in some other places.
     * "Apply" and "Close" buttons in the object editor panel should be of
       fixed size horizontally
     * bug #1624577: "group window doesn't stay open on multiple-adds". Using
       special flag to tell ObjectTreeView that it should ignore
       MouseReleaseEvent it gets after d&d operation, so it won't switch
       object in the editor panel. Note the bug triggered only on Mac OS X.
     * bug (no num.): GUI used to show phantom 'Policy', 'NAT' and 'Routing'
       tabs when user deleted objects from the Deleted Objects library,
       provided some of these objects were previously deleted firewalls.
     * bug #1620284: "conflict when adding library to Preferences/Libraries".
       When the user tried to add a library to the list in
       Preferences/Libraries when a data file with the same object library
       was loaded, the GUI detected the conflict and showed error dialog.
     * bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied
       patch to make code compile on kFreeBSD.

Compiler for iptables
     * bug #1623338: "Can not disable rules in a branch". Compiler for
       iptables ignored flag 'disabled' on rules in a branch.
     * bug #1623113: 'connlimit fails in compiled "address table" rules'
       Module connlimit can only be used in iptables rules matching TCP
       services. Such iptables commands have "-p tcp" and/or "-m tcp"
       options. If a rule in fwbuilder uses TCP Service and connlimit option
       and has multiple objects in src and dst, optimizer used to split it to
       minimize matches. It however preserved connlimit option in all
       subrules, even though some of them did not have TCP service after the
       split. This led to generation of incorrect iptables commands.
     * bug #1620925: "compile-time AddressTable object with empty file".
       Compile-time AddressTable object that uses file with no addresses
       should be treated as an empty group according to the "Ignore empty
       groups" option.
     * bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in
       fact reported several problems.

          * For action Branch with option to add branching rule to the mangle
            table: we now generate rules in PREROUTING, POSTROUTING, INPUT,
            OUTPUT and FORWARD chains. This is because some targets can only
            work in PREROUTING or POSTROUTING chains but we do not know what
            rules will user put in the branch. So we need to branch in all
            chains
          * For rules in mangle table with direction set to Inbound or
            Outbound force chain to PREROUTING or POSTROUTING respectively
            early. This eliminates duplicates such as the same rule in
            PREROUTING and INPUT chains. Also since most (all?) targets that
            require mangle table go into either PREROUTING or POSTROUTING
            chains, it should be enough to use these two chains.
          * Non-terminating rules shadow each other "backwards", that is more
            general rule shadows other rules _above_ it. Added flag 'reverse'
            to the method find_more_general_rule and added new rule processor
            DetectShadowingForNonTerminatingRules that finds such cases of
            'reverse' shadowing. Using it for rules in the mangle table for
            iptables.
          * Adding iptables rule with target ACCEPT to emulate terminating
            behavior for Tag and Classify actions. Emulation is controlled by
            a global option in the "Compiler" tab of the firewall properties
            dialog (default is "off"). This means emulation can be turned on
            and off for all rules that might require it at once. It is
            impossible to mix such rules with terminating and
             non-terminating behavior. The reason for this is that shadowing
            detection algorithm can only work with either terminating or
            non-terminating rules, not with the mix.

     * bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
     * bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
       "."". Compiler checks if the name of the run-time AddressTable object
       contains characters that have special meaning in shell and replaces
       them with '_' when it generates the name of the temporary shell
       variable.
     * bug (no num.): data files used for run-time AddressTable objects can
       have empty lines, the script should skip them.
                         Firewall Builder Release Notes

Version 2.1.8

Installation
   Opinion poll ran on the fwbuilder-discussion mailing list showed that
   majority of users are not interested in ability to install and run both
   fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are
   reverting to the old naming schema without suffix '21' for the binaries
   and man pages in this release.

Improvements and bug fixes in the GUI
     * The user can search for objects using regular expressions matching
       their names or attributes.
     * Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly
       display nested branch rulesets. The user can create policy branches
       within other branches.

All compilers
     * Fixed bug #1590746 "problem with using "DNS Names" objects on MS
       Windows". Compiler failed to convert DNSName objects set to resolve at
       compile time into IP addresses.

Compiler for iptables
     * fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no
       physdev opti..." Some times rules were generated with "-m physdev" but
       without "--physdev-in" or "--physdev-out" options.

Compiler for Cisco PIX
     * fixed a bug (no num, support req. #1604103: "fwb_pix policy compiler
       dies when SNMP or NTP hosts defined". Compiler did not print error
       message when it could not find an interface with network zone matching
       IP address of NTP or SNMP server (it just printed the address without
       explanation of what went wrong)
     * Experimental utility fwb_pix_diff has been added to the package. This
       utility takes two PIX configurations on the command line and produces
       the 'diff' that consists of a set of commands that should bring the
       firewall from the state defined by the first config to the state
       defined by the second. Only PIX 7.0 is supported. This utility will be
       incorporated into policy installer in the future to make policy
       updates simpler and faster, especially when small changes are made to
       the large set of access lists and nat rules.
2007-03-24 18:37:19 +00:00
heinz
d10ca954f2 Updated to version 1.58.
Pkgsrc changes:
  - Added CHECK_INTERPRETER_SKIP patterns to stop complaints about
    non-existing "/usr/bin/perl" interpreter.

Changes since version 1.57:
===========================
1.58                                                          Dec 21, 2006
 * We turn on binmode() on filehandles when reading and writing
   keys from disk, so allow safe exchange of SSH private keys
   from Windows and *nix systems. Thanks to Ulisses Gomes
   <ulisses@ibiz.com.br> for pointing this out.
 * Include a copy of the GPL in the distribution. This addresses
   bug #18771. (http://rt.cpan.org/Public/Bug/Display.html?id=18771)
 * Removed warnings from t/15-benchmark.t
2007-03-24 18:35:14 +00:00
heinz
c1217ff475 Added DESTDIR support.
Stopped check-interpreter.mk complaining about Tie/EncryptedHash.pm
2007-03-24 18:32:25 +00:00
schmonz
b90253514b Quell pkglint: add QMAILDIR to BUILD_DEFS. 2007-03-24 07:25:28 +00:00
schmonz
e4624bb2ab Quell pkglint: BUILD_DIRS doesn't need to be preceded by ${WRKSRC}. 2007-03-24 07:16:41 +00:00
drochner
4d67262cc9 update to 0.49
change: warn strongly when a hostkey mismatch occurred
2007-03-23 20:07:02 +00:00
drochner
c6a373a7cb update to 1.1.4
this fixes the same problem which was fixed by gpg-1.4.7: depending
on use, additional text could get through undetected
this gpgme uses gpg in a safe way -- since we have gpg-1.4.7 in pkgsrc
this is kind of belt-and-suspender, but anyway...
2007-03-23 20:04:13 +00:00
rillig
8b01483b70 Added the buildlink3.mk file, which was requested in PR 36057. 2007-03-22 10:06:24 +00:00
rillig
327a58e217 Follow the HTTP redirection. 2007-03-21 13:18:45 +00:00
wiz
2d1a8cc474 Bump PKGREVISION for gnome-keyring ABI bump. 2007-03-21 12:05:41 +00:00
wiz
adabc0cd25 Update to 0.8. Bump ABI depends for new dbus dependency.
Changes in version 0.8 are:
* Translations

Changes in version 0.7.92 are:
* Fix build by including sys/types.h
* In gnome_keyring_free() don't crash on NULL parameter.

Changes in version 0.7.91 are:
* Add method for library to discover daemon via DBus. Adds soft
  DBus dependency.
* Fixes for building on kFreeBSD.

Changes in version 0.7.3 are:
* Fix endless loop when creating a keyring and a file by that name
  already exists.
* Fix crasher when deleting session keyring.
* Fix crasher when doing find operation with NULL attribute string.
* Sync files to disk after writing to keyring.

Changes in version 0.7.2 are:
* Don't have multiple password dialogs presented for the same
  keyring

Changes in version 0.7.1 are:
* Added GNOME_KEYRING_ITEM_APPLICATION_SECRET which allows an item
  to be for a single application only with strict access controls.
* New function gnome_keyring_item_get_info_full(_sync) which allow
  retrieval of item meta data without the secret, thus not incurring
  an ACL prompt.
* Translation updates
2007-03-21 12:04:58 +00:00
jlam
f6ec796ba5 Honor PKGMANDIR. 2007-03-20 17:04:13 +00:00
tv
b0ce45fc02 give away to pkgsrc-users 2007-03-19 16:36:41 +00:00
wiz
f1123cd7a3 Try fixing PLIST for Darwin. 2007-03-18 18:58:07 +00:00
obache
d0e74d561e Update ocaml-ssl to 0.4.1.
Provided by MAINTAINER, Jaap Boender in PR 35942.

CHANGES:
0.4.1 (2007-02-21)
=====
* file_descr_of_socket is not marked as deprecated anymore.
* Patched the Makefile to be compatible with FreeBSD (thanks Jaap Boender).
* Explicitly link with libcrypto since we use it. Compilation should now work
  on Mac OS X too (thanks Janne Hellsten).
2007-03-18 16:07:08 +00:00
taca
93ca72a887 Update openssh package to 4.6.1.
Changes since OpenSSH 4.5:
============================

 * sshd now allows the enabling and disabling of authentication
   methods on a per user, group, host and network basis via the
   Match directive in sshd_config.

 * The following bugs have been fixed in this release:

   - Clear SIGALRM when restarting due to SIGHUP. Prevents stray
     signal from taking down sshd if a connection was pending at
     the time SIGHUP was received
   - sftp returned a zero exit status when upload failed due to write
     errors (bugzilla #1252)
   - fixed an inconsistent check for a terminal when displaying scp
     progress meter (bugzilla #1265)
   - Parsing of time values in Match blocks was incorrectly applied
     to the global configuration (bugzilla #1275)
   - Allow multiple forwarding options to work when specified in a
     PermitOpen directive (bugzilla #1267)
   - Interoperate with ssh.com versions that do not support binding
     remote port forwarding sessions to a hostname (bugzilla #1019)

 * Portable OpenSSH bugs fixed:

   - "hang on exit" when background processes are running at the time
     of exit on a ttyful/login session (bugzilla #52)
   - Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
   - Check that some SIG records have been returned in getrrsetbyname
     (bugzilla #1281)
   - Fix contrib/findssl for platforms that lack "which" (bugzilla
     #1237)
   - Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
     aes192-ctr, arcfour256 (bugzilla #1291)
2007-03-18 12:38:44 +00:00
adrianp
055489cf4d Update to 2.1.0
Fix a typo in options.mk

23 Feb 2006 - 2.1.0
-------------------

* Removed the "Connection reset by peer" message, which has nothing
to do with us. Actually the message was downgraded from ERROR to
NOTICE so it will still appear in the debug log.
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
* It was not possible to remove a rule placed in phase 4 using
SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
* Fixed a problem with incorrectly setting requestBodyProcessor using
the ctl action.
* Bundled Core Rules 2.1-1.3.2b4.
* Updates to the reference manual.
* Reversed the return values of @validateDTD and @validateSchema, to
make them consistent with other operators.
* Added a few helpful debug messages in the XML validation area.
* Updates to the reference manual.
* Fixed the validateByteRange operator.
* Default value for the status action is now 403 (as it was supposed to
be but it was effectively 500).
* Rule exceptions (removing using an ID range or an regular expression)
is now applied to the current context too. (Previously it only worked
on rules that are inherited from the parent context.)
* Fix of a bug with expired variables.
* Fixed regular expression variable selectors for many collections.
* Performance improvements - up to two times for real-life work loads!
* Memory consumption improvements (not measured but significant).
* The allow action did not work in phases 3 and 4. Fixed.
* Unlocked collections GLOBAL and RESOURCE.
* Added support for variable expansion in the msg action.
* New feature: It is now possible to make relative changes to the
audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
* New feature: "tag" action. To be used for event categorisation.
* XML parser was not reporting errors that occurred at the end
of XML payload.
* Files were not extracted from request if SecUploadKeepFiles was
Off. Fixed.
* Regular expressions that are too long are truncated to 256
characters before used in error messages. (In order to keep
the error messages in the log at a reasonable size.)
* Fixed the sha1 transformation function.
* Fixed the skip action.
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
* SecRuleEngine did not work in child configuration contexts
(e.g. <Location>).
* Fixed base64Decode and base64Encode.

15 Nov 2006 - 2.0.4
-------------------
* Fixed the "deprecatevar" action.
* Decreasing variable values did not work.
* Made "nolog" do what it is supposed to do - cause a rule match to
not be logged. Also "nolog" now implies "noauditlog" but it's
possible to follow "nolog" with "auditlog" and have the match
not logged to the error log but logged to the auditlog. (Not
something that strikes me as useful but it's possible.)
* Relative paths given to SecDataDir will now be treated as relative
to the Apache server root.
* Added checks to make sure only correct actions are specified in
SecDefaultAction (some actions are required, some don't make any
sense) and in rules that are not chain starters (same). This should
make the unhelpful "Internal Error: Failed to add rule to the ruleset"
message go away.
* Fixed the problem when "SecRuleInheritance Off" is used in a context
with no rules defined.
* Fixed a problem of lost input (request body) data on some redirections,
for example when mod_rewrite is used.
2007-03-18 10:35:13 +00:00
rillig
082f1ff6b4 Updated putty to 0.59.
Changes since 0.58:

     * PuTTY can now connect to local serial ports as well as making
       network connections.
     * Windows PuTTY now supports "local proxying", where a network
       connection is replaced by a local command. (Unix PuTTY has
       supported this since it was first released in 0.54.) Also, Plink
       has gained a "-nc" mode where the primary channel is replaced by
       an SSH tunnel, which makes it particularly useful as the local
       command to run.
     * Improved speed of SSH on Windows (particularly SSH-2 key exchange
       and public-key authentication).
     * Improved SFTP throughput.
     * Various cryptographic improvements in SSH-2, including SDCTR
       cipher modes, a workaround for a weakness in CBC cipher modes, and
       Diffie-Hellman group exchange with SHA-256.
     * Support for the Arcfour cipher in SSH-2.
     * Support for sending terminal modes in SSH.
     * When Pageant is running and an SSH key is specified in the
       configuration, PuTTY will now only try Pageant authentication with
       that key. This gets round a problem where some servers would only
       allow a limited number of keys to be offered before disconnecting.
     * Support for SSH-2 password expiry mechanisms, and various other
       improvements and bugfixes in authentication.
     * A change to the SSH-2 password camouflage mechanism in 0.58 upset
       some Cisco servers, so we have reverted to the old method.
     * The Windows version now comes with documentation in HTML Help
       format. (Windows Vista does not support the older WinHelp format.
       However, we still provide documentation in that format, since
       Win95 does not support HTML Help.)
     * On Windows, when pasting as RTF, attributes of the selection such
       as colours and formatting are also pasted.
     * Ability to configure font quality on Windows (including
       antialiasing and ClearType).
     * The terminal is now restored to a sensible state when reusing a
       window to restart a session.
     * We now support an escape sequence invented by xterm which lets the
       server clear the scrollback (CSI 3 J). This is useful for
       applications such as terminal locking programs.
     * Improvements to the Unix port:
          + now compiles cleanly with GCC 4
          + now has a configure script, and should be portable to more
            platforms
     * Bug fix: 0.58 utterly failed to run on some installations of
       Windows XP.
     * Bug fix: PSCP and PSFTP now support large files (greater than 4
       gigabytes), provided the underlying operating system does too.
     * Bug fix: PSFTP (and PSCP) sometimes ran slowly and consumed lots
       of CPU when started directly from Windows Explorer.
     * Bug fix: font linking (the automatic use of other fonts on the
       system to provide Unicode characters not present in the selected
       one) should now work again on Windows, after being broken in 0.58.
       (However, it unfortunately still won't work for Arabic and other
       right-to-left text.)
     * Bug fix: if the remote server saturated PuTTY with data, PuTTY
       could become unresponsive.
     * Bug fix: certain large clipboard operations could cause PuTTY to
       crash.
     * Bug fix: SSH-1 connections tended to crash, particularly when
       using port forwarding.
     * Bug fix: SSH Tectia Server would reject SSH-2 tunnels from PuTTY
       due to a malformed request.
     * Bug fix: SSH-2 login banner messages were being dropped silently
       under some circumstances.
     * Bug fix: the cursor could end up in the wrong place when a
       server-side application used the alternate screen.
     * Bug fix: on Windows, PuTTY now tries harder to find a suitable
       place to store its random seed file PUTTY.RND (previously it was
       tending to end up in C:\ or C:\WINDOWS).
     * Bug fix: IPv6 should now work on Windows Vista.
     * Numerous other bugfixes, as usual.
2007-03-17 16:35:05 +00:00
heinz
511db2e9f6 Changed HOMEPAGE to URL independent of current Perl module maintainer 2007-03-17 12:58:38 +00:00
kristerw
c212aed1a7 Add p5-Authen-PAM. 2007-03-16 21:10:08 +00:00
wiz
698196061c Update to 1.03:
v1.03
        - add CLONE_SKIP as proposed by
          Jarrod Johnson jbjohnso at us dot ibm dot com
2007-03-16 20:52:55 +00:00
cjs
40d179625e Bring in patch suggested in http://bugzilla.mindrot.org/show_bug.cgi?id=1299 .
This fixes the issue that, when "options edns0" is turned on (usually in
/etc/resolv.conf), ssh doesn't see it, and thus fails to request a DNSSEC
response, which in turn leads to SSHFP records being considered insecure.
2007-03-16 05:46:06 +00:00
wiz
46a7f08367 Remove duplicate p5-Crypt-CBC entry. 2007-03-15 18:46:04 +00:00
rillig
56157bd198 Imported p5-Authen-PAM.
This module provides a Perl interface to the PAM library.
2007-03-15 12:18:29 +00:00
rillig
bec1d82f20 bin/sudo is set-uid root. PKGREVISION++ 2007-03-13 09:46:00 +00:00
abs
be13260407 add p5-Crypt-GeneratePassword 2007-03-12 11:52:46 +00:00
abs
7bb88b7874 Add security/p5-Crypt-GeneratePassword version 0.03
Crypt::GeneratePassword generates random passwords that are (more
or less) pronounceable. Unlike Crypt::RandPasswd, it doesn't use
the FIPS-181 NIST standard, which is proven to be insecure. It does
use a similar interface, so it should be a drop-in replacement in
most cases.

If you want to use passwords from a different language than English,
you can use one of the packaged alternate unit tables or generate
your own.
2007-03-12 11:51:38 +00:00
abs
26023e3a68 Add missing p5-Crypt-Random depends, bump PKGREVISION 2007-03-12 09:58:10 +00:00
abs
9cdc4a4926 enable p5-Data-SimplePassword 2007-03-09 13:28:14 +00:00
abs
77c2854257 Import security/p5-Data-SimplePassword-0.02
Yet another very easy-to-use but a bit strong random password generator.
2007-03-09 13:21:44 +00:00
wiz
33043e8906 Minor pkglint cleanup, from Sergey Svishchev. 2007-03-08 19:25:32 +00:00
wiz
9011846386 Update to 0.3.9:
Version 0.3.9 (released 2007-03-02)
- In generated code, config.h is pulled in if HAVE_CONFIG_H.
- Development changes: changed from CVS to GIT as an experiment.
  I push my changes to <http://repo.or.cz/w/libtasn1.git>.
- Autoconf 2.61 and automake 1.10 are required.

Version 0.3.8 (released 2006-11-16)
- Fix reading of binary files in asn1Decoding, for Windows.

Version 0.3.7 (released 2006-10-19)
- When asn1_der_coding encoded a TYPE_NULL and the output buffer is
  NULL, it would not increment the counter properly, so the size of
  the required buffer would be off by one.  Fixed.  Reported by
  Stephen Wrobleski <steve@localtoast.org>.
- Fix configure to respect user-definable flags.  Reported by "Diego
  'Flameeyes' Pettenò" <flameeyes@gentoo.org>.
- The --help and --version outputs from the tools have been improved.

Version 0.3.6 (released 2006-08-13)
- Fix man pages to use \- instead of - for negative signs (as in "-1").
- Add -I's when building in src/, so that unistd.h etc is found on
  systems that don't have them.
- Valgrind isn't used for cross-compilation by default, and there is
  also --disable-valgrind-tests to unconditionally disable it.
- Valgrind is invoked without parameters, put things you like into
  ~/.valgrindrc instead.
2007-03-08 18:23:42 +00:00
drochner
8c787d5d15 update to 1.4.7, from Christian Gall per PR pkg/35940
This fixes a security problem which is rather an application issue:
The user wasn't notified about additional text (not covered by the
signature) unless the --status-fd flag is used.
2007-03-07 11:31:24 +00:00
adrianp
28506079ec Update to 2.0.8
Patches from Matthias Drochner (thanks !)

Version 2.0.8:
-------------
More fingerprints, signature cleanup.
p0fping.c and diagnostic queries added.
Socket ownership fix when dropping privs.
Some -O signatures.

Version 2.0.7:
--------------
Added -0 mode for port 0 wildcards in queries.
Added -e option to make p0f work on some boxes.
HDLC support added.
New fingerprints, including Windows Vista betas.
[BUG] Fixed timezone in logs after chroot().
[BUG] Unlikely command-line overflow with VLANs fixed.

Version 2.0.6:
--------------
[BUG] Fixed pcap naming madness.
Support for Cygwin.
More signatures. Plenty of -A sigs from Ryan Kruse.
[BUG] Fix to a command-line parsing snafu with sprintf; shame on me ;-)
Timestamps in masquerade detection.
Write PID to /var/run/p0f.pid
2007-03-05 20:31:51 +00:00
njoly
3bd2df35bc Download URLs have moved, update MASTER_SITES. Fixes PR/35710. 2007-03-02 09:15:24 +00:00
schmonz
85fabf860b Add and enable py-tlslite. 2007-02-28 05:35:16 +00:00
schmonz
43ea469dcd Initial import of py-tlslite 0.3.8.
TLS Lite is a free python library that implements SSL 3.0, TLS 1.0,
and TLS 1.1. TLS Lite supports non-traditional authentication methods
such as SRP, shared keys, and cryptoIDs in addition to X.509
certificates. TLS Lite is pure Python, however it can access OpenSSL,
cryptlib, pycrypto, and GMPY for faster crypto operations. TLS Lite
integrates with httplib, xmlrpclib, poplib, imaplib, smtplib,
SocketServer, asyncore, and Twisted.
2007-02-28 05:34:25 +00:00
wiz
4c28e966f5 Update to 0.55:
[Changes for 0.55 - 2006-07-29]

* ANDK submitted a patch to fix versioning problem when
  the user elects to install Crypt::OpenPGP.

* Major refactoring of the Makefile.PL to ease the installation process.

[Changes for 0.54 - 2006-05-12]

* Fixed a long-standing bug where differing end-of-line conventions
  could cause bogus comparisons in signature checks.

* Fixed another long-standing bug where CRLF text files were hashed
  into different digests under Unix and Dosish platforms.  Now it's
  consistently hashed as if it's been normalized to LF.

* Optional dependencies are no longer installed-by-default.

[Changes for 0.53 - 2006-01-31]

* The explicit call to "readline(D)" didn't compile on earlier perls which
  demanded either "readline(*D)" or "<D>" -- I elected the latter form.
  Reported by: Matthew Persic

* Update my author key to reflect revoked past uids.

[Changes for 0.52 - 2006-01-19]

* POD and source code cleanup; no functional changes.

* Updated my author key to reflect my new name and identity.

* Upgrade to the latest Module::Install to fix Cygwin
  installation problems.
  Reported by: Lyle Ziegelmiller

[Changes for 0.51 - 2006-01-02]

* Even more flexible CRLF handling for SIGNATURE files,
  Contributed by: Andreas Koenig.

[Changes for 0.50 - 2005-08-21]

* Add support for SHA-256, requested by Mark Shelor in light
  of the recent SHA1 attacks.  SHA1 is still the default, but
  you can now override this by setting the MODULE_SIGNATURE_CIPHER
  environment variable to SHA256.

[Changes for 0.45 - 2005-08-09]

* Andreas Koenig pointed out that "Import GPG keys?" was asked
  far too many times during autoinstall.
2007-02-27 09:28:33 +00:00
wiz
a60484a7d2 Update to 1.00:
1.00 Tue Jul 12 23:45:00 UTC 2005
	- migrated to Build.PL
	- added POD, POD coverage, and signature tests
	- generated traditional Makefile.PL
	- bumped up version number
	- ported tests to Test::Simple
	- bumped up test coverage
	- updated README

0.61  Sat May 25 17:31:52 UTC 2002
	- avoid uninitialized value warnings in fh_crypt()

	  Thu May 10          2001
	- fixed _gen_iv() to generate 255 characters (thanks to John Wiersba)

      Sun Apr 29          2001
	- added license/copyright information to the pod in the module itself
2007-02-27 09:07:04 +00:00
yyamano
b3452709e5 Make this build on Darwin. 2007-02-25 00:57:54 +00:00
jnemeth
55b57e6335 delete fressh 2007-02-24 11:51:13 +00:00
jnemeth
1dcd16eca4 Thor Lancelot Simon, author of FreSSH, says that nobody should be
using it because it only supports SSHv1 and has stopped distribution
of the source tarball.
2007-02-24 11:49:33 +00:00
shannonjr
c715ad813c Update to 0.9.9. Changes:
- Improve database performance by reducing the number of queries. (Paul Robert Marino)
- Activate CleanOutput filtering (lot of escaping fixes).
- More action logging.
- Bug fixes with the error pages Back/Retry buttons.
- Fix error on group by user (#191).
- Fix template compilation error with Cheetah version 2 (#184).
2007-02-23 15:25:00 +00:00
shannonjr
8facaf1807 Update to 0.9.7.1. Changes:
- Fix a startup problem on system with different address of different family
  mapping to the same IP.
- Fix for system using the GnuLib poll replacement modules. The module was
  broken when used in conjunction with server socket.
- Various portability fixes
2007-02-23 15:23:23 +00:00
shannonjr
47d57982de Update to 0.9.8.1. Changes:
- Various portability fixes.
- Introduce Cisco ASA IPS module support.
- Introduce yum support.
- Introduce Cacti thold plugin support.
- Introduce Microsoft Cluster Service support.
- Honeyd rules update and improvement.
- Updated NAVCE rules; modified ClamAV rules for consistency.
- Improve NTSyslog ruleset.
- Added rule to ignore LML's "could not match prefix" log entries.
- Fix format problem with Apache logs from western hemisphere (- versus
+ TZ).
- Fix Squid process exited rule (#185).
2007-02-23 15:22:10 +00:00
shannonjr
b51243c2ae Update to 0.9.11.3. Changes:
- Fix preludedb-admin copy/move operations
- Fix a Python binding memory leak upon alert list deletion.
- Various bugfixes.
- Various portability fixes.
2007-02-23 15:19:40 +00:00
wiz
51c8ea8d62 pkglint USE_LANGUAGES cleanup. Patch from Sergey Svishchev. 2007-02-22 19:30:02 +00:00
wiz
601583c320 Whitespace cleanup, courtesy of pkglint.
Patch provided by Sergey Svishchev in private mail.
2007-02-22 19:26:05 +00:00
wiz
6e2c35c083 pkglint cleanup; update HOMEPAGE/MASTER_SITES.
From Sergey Svishchev in private mail.
2007-02-22 19:01:13 +00:00
drochner
da45d43410 pull in some patches from lsh2 to make it compile with gcc4 2007-02-22 17:38:33 +00:00
wiz
0e8c2753f8 Update to 1.08:
1.07 - Wed 22 Feb 06 08:57:02 UTC
	added  || defined(__hpux) to idea.h to cope with
	HPUX 11.11 w/ANSI C compiler per RT ticket 17796

1.08 - Fri 21 Apr 06 10:40:52 UTC
	added  || defined(WIN32) to idea.h
	added  ifdef for WIN32 to _idea.c
	Thanks to Carl Franks for the patch contributions
		per RT ticket 18811
	Updated README - added additional known-good platforms
	Updated COPYRIGHT
2007-02-22 12:07:34 +00:00
wiz
c371c5e5ff Update to 0.14:
0.14  2006.05.08
    - Win32 fixes: use Data::Random as a fallback in make_random, better
      support for locating openssl. Thanks to CFRANKS for the patch.
    - Makefile.PL update, to the latest Module::Install. Thanks to Adam
      Kennedy for the patch.
2007-02-22 12:04:50 +00:00
wiz
676fea063d Update to 1.04:
1.04  1 Jul 2006
        - removed broken CBC test
2007-02-22 11:57:11 +00:00
shannonjr
a106f6a657 Update to 0.9.13. Changes:
- Fix a crash with Python bindings upon signal reception (Fix #200).
- New --with-system-ltdl configure switch. The default is now to use the
  system wide ltdl library if it is available, unless specified otherwise
  (Fix #199).
- Prevent NULL pointer dereference if no permission is specified after the
  permission type (Fix #197).
- Upon IDMEFCriteria parsing error, recover from broken parser state (Fix #195).
- Detailed error reporting on IDMEFCriteria parsing error.
- Fix string and possible criteria leak on IDMEFCriteria syntax error.
- Prefer anonymous authentication rather than SRP. We do this because there
  are compatibility issues with SRP between different GnuTLS versions
  (Should fix #187).
- When dumping AdditionalData of type byte-string to string, encode the data using base64.
2007-02-20 15:13:02 +00:00
rillig
77492ec2ad Fixed the build on IRIX 6.5. 2007-02-20 10:17:14 +00:00
adrianp
5e82482f1f buildlink updates and patches to handle the new libnet package structure
bump PKGREVISION
2007-02-18 18:54:23 +00:00
adrianp
56a242701f Update to 1.2.7
- 8/5/2006 1.2.7 (karen)
- Improved HTML <table> output in "base_qry_alert.php" -- Jonathan W Miner
- Remove message when 0 alerts -- Jonathan W Miner
- PrintBase64PacketPayload fix for payload length modulo = 0 -- Juergen Leising
- Added empty function to ProtocolFieldCriteria -- Kevin Johnson
- Fixed issue if sig_gid was empty -- Valter Santos
- Added SnortUnified, a perl replacement for Barnyard -- Jason Brvenik
- Updated base-rss.php -- Dan Michitsch
2007-02-17 19:18:24 +00:00
adrianp
d002f1441f Update to 1.36
Changes (new this version)
 Added -404 option to specify a "404 string" on the command line
 Added plugin to check for PUT and DELETE
 Additional checks for HTTP methods
 Additional checks for headers
 Other bugfixes, please see the CHANGES file for more details
2007-02-16 00:54:23 +00:00
rillig
c4ac32f5b8 This package has info files. 2007-02-15 21:23:55 +00:00
tv
e6db44e8c5 PKGREVISION bump due to proper ABI_DEPENDS versioning in devel/libevent. 2007-02-11 05:22:24 +00:00
obache
c7ffb8dc31 Update amavisd-new to 2.4.5.
Patch provided by MAINTAINER, Julian Dunn in PR 35578.

---------------------------------------------------------------------------
                                                           January 30, 2007
amavisd-new-2.4.5 release notes

SECURITY

- Recommended version of Convert::UUlib is 1.08 or higher
  to avoid processing of uninitialized data containing 'random' garbage.

  Note that a security hole in uulib which comes with Convert::UUlib 1.04
  and older is now (as of 2006-12-05) known to be exploitable:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
  credits to Jean-Sebastien Guay-Leroux;

- p0f-analyzer.pl will no longer reply to queries coming from low-numbered
  UDP ports below 1024 or from nfsd port 2049, and will ignore queries
  with nonce longer than 1024 character or containing characters outside
  of \040-\177 range to limit its usefulness as a potential reflector
  for an attacker from internal networks.


INCOMPATIBLE CHANGE WITH 2.4.4

- p0f-analyzer.pl now only binds to a loopback interface by default, instead
  of to all interfaces;  change $bind_addr in p0f-analyzer.pl to '0.0.0.0'
  if p0f-analyzer.pl is running on a different host from amavisd or from
  other querying clients; suggested by Shaun T. Erickson and Mario Liehr;


BUG FIXES

- let p0f-analyzer.pl exit when a pipe on stdin is closed (e.g. when p0f
  is killed or crashes), instead of entering a tight loop; reported by
  Justin Piszcz and Henrik Krohns;

- hard-blacklisting no longer skips quarantining when
  $spam_quarantine_cutoff_level is undefined (or is an empty string);

- restart timer after Sophie times out; previously the next attempt
  would run with no time limit; reported by Nick Leverton and
  Nicklas Bondesson;

- fixed AM.PDP code to always provide smtp-quoted form in angle brackets
  in delrcpt and addrcpt attributes of a response, i.e. in the same form
  as was received in sender and recipient attributes;

- fix error reporting in open_on_specific_fd when POSIX::dup2 fails;
  thanks to Chris (decoder);

- fix signal handling in read_snmp_variables() and register_proc(),
  a signal could previously get lost (not re-signaled) if it occurred
  within these subroutines;

- fixed get_body_digest which incorrectly determined 7- or 8-bitness
  of mail header and body, setting body_type incorrectly (with only
  cosmetic ill-effects);

- AM.PDP protocol: ensure proper address form is used in server response
  attributes 'delrcpt' and 'addrcpt': the same form should be used as
  in 'sender' and 'recipient' attributes. The attribute value syntax is
  specified in RFC 2821 as 'Reverse-path' (i.e. smtp-quoted form, enclosed
  in <>); previously enclosing angle brackets were missing in a server reply;

- documentation - amavisd.conf-default incorrectly stated that a default
  value for $prepend_header_fields_hdridx is 1;  actually the default is 0
  as correctly indicated in release notes; reported by Jo Rhett;


OTHER

- qmail interfacing notice:
  MTA timeout for waiting on results from amavisd should be longer than
  $child_timeout (8 minutes by default) with some margin, setting MTA timeout
  to 15 or 20 minutes is usual. With qmail however the QMQP code in qmail
  has hard-coded timeouts set, 10 seconds for connect and 60 seconds for
  read/write. If amavisd processing takes longer than 60 seconds, the MTA
  drops connection and retries later, yet amavisd continues processing
  and eventually delivers a mail (with each MTA retry), causing repeated
  deliveries of the same message. The following patch by Eric Huss on
  the www.qmail.org page: http://www.ehuss.org/qmail/qmqpc-timeout.tar.gz
  should be applied to qmail when interfacing it to a post-queue content
  filter. Problem researched by Nicklas Bondesson;

- better timeout handling in interface code to daemonized virus scanners
  like clamd,  Sophie, Trophie: allow short time (10 s) for connect and
  for sending a request, then allow normal (long) time to collect results;
  keep evidence of the initial deadline on retries;

- prefer '7bit' as Content-Transfer-Encoding when attaching original message
  or its headers (message/rfc822 or text/rfc822-headers) to DSN or to a
  defanged mail, and only specify '8bit' when necessary;

- remove protecting the $ and @ characters in second argument
  of a regexp selector macro, it is unnecessary and confusing;

- sanitize Message-ID and Resent-Message-ID header field bodies in
  macros %m, %r and header_field by providing angle brackets if missing
  to facilitate log parsing (angle brackets are RFC 2822 required syntax
  and are semantically not part of a message id);

- updated $map_full_type_to_short_type_re to avoid mapping file(1) result
  'MS-DOS executable (built-in)' to types 'exe-ms' and 'exe'; the file(1)
  utility generously declares any text file starting with LZ to be a
  'MS-DOS executable (built-in)';  thanks to Noel Jones, Jakob Curdes
  and Clifton Royston for troubleshooting;

- add X-Spam-* header fields to quarantined mail if spam score is at or
  above tag_level. Previously message needed to be recognized as spammy
  or spam (tag2 or kill level) in order to receive spam header fields
  in quarantined copy. This also makes it more consistent with adding
  such header fields to passed mail;  suggested by Michael Gaskins;

- add X-Amavis-OS-Fingerprint header field to quarantined mail;

- header field X-Spam-Score in a passed or quarantined mail now reflects
  score boost even when SA score is unknown (e.g. when SA was not called),
  and reflects white and blacklisting by pushing score to 0 or 64, to
  make it consistent with a bar size in X-Spam-Level header field;

- resignal "timed out" after (almost) every eval {} which has no subsequent
  call to prolong_timer() to ensure we do not continue running with
  disabled timer. Exceptions are DESTROY and END handlers, and code which
  handles timer in some other way (e.g. by keeping evidence of a deadline);

- for the purpose of looking up client IP address in @mynetworks_maps,
  treat unknown/unavailable IP address as 0.0.0.0;  this allows treating
  directly submitted mail on the MTA host (not submitted through SMTP) as
  coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);

  Note that this is indistinguishable from other reasons when IP address
  is not made available to amavisd, e.g. when smtp_send_xforward_command
  option in Postfix smtp service is not enabled, which is why the default
  setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
  falsely loading a MYNETS policy bank.

  One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
  to work and if some software on the MTA host is submitting its mail to MTA
  directly, e.g. through a sendmail command, and MYNETS policy bank loading
  is needed for proper processing of such mail;

- report a more informative message when a file(1) utility fails to produce
  useful results: joins exit status with a parsing report into one message;
  thanks to Andres, whose file(1) utility was crashing with SEGV;

- consistency: rearrange implicitly adding $X_HEADER_TAG to a hash
  %allowed_added_header_fields so that it is possible to turn off
  insertion of $X_HEADER_TAG header field by turning off associated key in
  %allowed_added_header_fields even when $X_HEADER_TAG is explicitly defined;

- let %allowed_added_header_fields also control insertion of header fields
  into quarantined message;

- amavisd-nanny now displays a title line indicating the semantics of columns;

- Courier patch: ensure the information is stored to newly introduced
  recip_addr_smtp and sender_smtp object attributes, which are needed
  to preserve pristine address forms for DSN and ORCPT use and for logging;
  a patch by Martin Orr;

- qmqpqq (qmail): ensure the information is stored to newly introduced
  recip_addr_smtp and sender_smtp object attributes;

- qmail patch now activates line-by-line sending to qmail to avoid qmail bug
  ('bare LF' reported when CR and LF are separated by a TCP packet boundary);

- tighten a regexp on matching a p0f fingerprint for Windows XP to avoid
  matching 'Windows XP SP1+, 2000 SP3';  suggested by Michael Scheidell;

- updated AV entry for CentralCommand Vexira (vascan):
  removed hard-coded option '--vdb';  by Brian Wong;

- internal: move code dealing with a SA call to a dedicated
  subroutine call_spamassassin;

- internal: provide new routines to collect scalar and structured results
  from a subprocess (collect_results, collect_results_structured) and
  take advantage of them in decoding, in AV and in dspam interface routines,
  unifying code and providing results size sanity limit and consistent
  killing of runaway external programs;

- experimental: taking advantage of the above, make it possible to run SA in
  a spawned process, requested by setting a new config variable $sa_spawned
  to true (it is off by default); benefits are that a mainstream child process
  can not be brought down by potential processing problems in SA or its
  external modules, and timeouts are handled cleanly by a calling process;
  downside is an increase of process count (worst case: doubled), with
  corresponding increase in memory footprint, plus about 20 .. 30 ms
  of additional processing time for each call to SA;

- added a tuning tip on buffer sizes to README.sql for MySQL with InnoDB,
  by Wayne Smith;

- updated URL of Sophie AV scanner;
2007-02-09 02:39:40 +00:00
wiz
ce60f8c137 Update to 0.5.13:
Noteworthy changes in version 0.5.13 (2007-02-01)
------------------------------------------------

* Fixed shared library for newly added APIs in last release.

* Add -no-undefined to LDFLAGS, to make opencdk build under mingw32.

* Add AC_LIBTOOL_WIN32_DLL to configure.ac, which is required for
libtool to behave correctly for cross-compiles to mingw32.

* Use gnulib for mingw32 support.

Noteworthy changes in version 0.5.12 (2007-02-01)
------------------------------------------------

* Add new API to extract public/secret OpenPGP key to S-expr.
The functions are cdk_pubkey_to_sexp and cdk_seckey_to_sexp.  Patch by
Mario Lenz <mario.lenz@gmx.net>.

* Autoconf 2.60 and automake 1.10 are now required.

* Doc fixes.
2007-02-05 22:59:00 +00:00
shannonjr
9a63d628d2 Update to Version 2.0.2.
This is maintenance release to fix build problems found after the
release of 2.0.1.  There are also some minor enhancements.
2007-02-05 11:43:01 +00:00
schwarz
46ee2df023 make sure LDFLAGS is honored if set by pkgsrc 2007-02-03 18:48:49 +00:00
sborrill
7ebc7857d8 Update to john-1.7.2 and enable per-arch optimization for NetBSD and
OpenBSD.

Changes:
The following changes have been made between John 1.7.1 and 1.7.2:

* Bitslice DES assembly code for x86-64 making use of the 64-bit mode
extended SSE2 with 16 XMM registers has been added for better performance
at DES-based crypt(3) hashes with x86-64 builds on AMD processors.
* New make target for FreeBSD/x86-64.

The following changes have been made between John 1.7.0.2 and 1.7.1:

* Bitslice DES code for x86 with SSE2 has been added for better performance
at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors.
* Assorted high-level changes have been applied to improve performance
on current x86-64 processors.
* New make target for NetBSD/SPARC64.
* Minor source code cleanups.
2007-02-03 17:09:20 +00:00
wiz
b1e5bdfecd Update to 1.2.4:
Noteworthy changes in version 1.2.4 (2007-02-01)
------------------------------------------------

 * Fixed a bug in the memory allocator which could have been the
   reason for some of non-duplicable bugs.

 * Other minor bug fixes.
2007-02-03 00:08:51 +00:00
wiz
47400d69b0 Update to 1.02:
v1.02
	- added some info to BUGS and to BUGS section of pod
	- added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even
          if they do nothing useful.
	- all tests allocate now the ports dynamically, so there should
          be no longer a conflict with open ports on the system where
          the tests run
v1.01
	- work around Bug in Net::HTTPS where it defines sub blocking
          as {}, e.g. force scalar context when calling sub blocking
          (in IO::Socket::SSL::write)
          see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106
v1.0
	- fix deprecated and practically undocumented function
          get_peer_certificate so that LWP Net::HTTPS works again
        - set arg 'Blocking' while calling SUPER::configure only
          if it was set by the caller to work around Problem in LWP
          Net::HTTPS
2007-02-02 19:05:12 +00:00
joerg
351fae6ade Fix PLIST. Bump revision. 2007-02-02 16:03:07 +00:00
joerg
9d5e86cca3 Don't include x11.b3.mk by default, esp when no GTK/Qt support is
requested.
2007-02-02 00:20:06 +00:00
ghen
9d37c316b1 Install amavisd-release perl script as well. Bump PKGREVISION. 2007-01-31 20:20:56 +00:00
wiz
29abbd1c1b Mark as BROKEN_IN pkgsrc-2006Q4, based on
ftp://asim.lip6.fr/outgoing/packages/i386/3.1/20070114.1132/broken.html
(latest 3.1/i386 bulk build of 2006Q4).

Feel free to fix them...
2007-01-31 00:04:11 +00:00
joerg
48cbd2ccd5 Modular Xorg support for option X11. 2007-01-30 20:53:24 +00:00
joerg
8219c281af Modular Xorg support. 2007-01-30 20:47:58 +00:00
joerg
f99014ccf2 Modular Xorg support. 2007-01-30 20:41:32 +00:00
wiz
bbb5b9ea17 Put macro argument in parentheses. From Naoto Morishima in PR 35519.
Bump PKGREVISION.
2007-01-30 06:53:32 +00:00
gdt
38a9ea5eba Update to 0.0.10.
* Major changes in 0.0.10

** Support GnuPG versions older than 1.4.3

** Provide a minor-mode to encrypt/sign mails

* Major changes in 0.0.9

** epa.el usability improvements.

*** M-x epa-encrypt-region specifies --armor & --textmode by default

*** M-x epa-sign-region and M-x epa-sign-file create a cleartext signature by
    default

*** Region based commands now determine the coding-system used to
    encode the plain text

*** Fingerprints are pretty-printed

*** New user option epa-protocol to use the S/MIME.

** Support XEmacs compiled with --with-mule=no --with-file-coding=no.
2007-01-29 15:02:57 +00:00
adrianp
e124e16091 Update to 1.9
a) Experimental IKEv2 support (--ikev2)
b) RFC 3947 NAT traversal support (--nat-t)
c) Source IP spoofing (--sourceip) - Requires raw sockets.
d) Nortel proprietary pre-shared key cracking support.
e) psk-crack can read dictionary files from stdin (--dictionary=-)
f) Backoff patterns may contain only a single packet.
g) Two new packet display options: --timestamp and --shownum
h) ike-scan now uses the Mersenne twister PRNG, with new --randomseed option.
i) --rcookie option allows the responder cookie to be specified in outgoing packets.
j) Several new backoff patterns and vendor IDs added.
k) ike-scan wiki launched: http://www.nta-monitor.com/wiki/
2007-01-28 01:34:42 +00:00
schwarz
dabfb3562f * added a patch to ensure compatibility with IRIX 5 (Changes says it is
already included with that release of OpenSSH, but in fact it is not)
* removed hacks.mk which is no longer necessary with that version of OpenSSH
2007-01-27 22:57:35 +00:00
markd
60c020c40a Update icons location of KDE apps. Bump PKGREVISION 2007-01-26 04:25:46 +00:00
shannonjr
548195851f Re: pkg/35480: security/libpreludedb fails to compile (NetBSD 3.0)
Package was incorrectly auto detecting postgres and attempting to compile
postgres plugin. Force package to skip compilation of postgres plugin.
2007-01-25 14:39:03 +00:00
epg
e4f20d343c devel/apr:
Update to 1.2.8 (formerly in devel/apr1), no longer build from the
    httpd distfile.

devel/rapidsvn:
devel/subversion-base:
parallel/ganglia-monitor-core:
security/hydra:
www/apache2:
    Use devel/apr0.

www/apache22:
    Use devel/apr and devel/apr-util.
2007-01-24 19:46:45 +00:00
wiz
3053dddc84 Remove share/common-lisp/source/gpg-error directory tree on deinstall.
Bump PKGREVISION.
2007-01-24 19:38:16 +00:00
tron
8070b8de09 Re-enable and fix build of C++ library under Mac OS X.
Bump package revision because of this fix.
2007-01-24 15:58:04 +00:00
smb
6bbd60056f Change default pid file from /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid 2007-01-23 21:53:58 +00:00
minskim
c91702e305 Disable the C++ library on Darwin to avoid a link error (PR 35456).
According to the gnutls maintainer, the C++ compiler on Darwin is
probably broken.
2007-01-21 18:13:55 +00:00
wiz
a45b42f314 Update to 1.6.1:
* Version 1.6.1 (released 2006-12-28)

** Fix the list of trusted CAs that servers send to clients.
Before, the list contained issuer DN's instead of subject DN's of the
trusted CAs.  Reported by Max Kellermann

** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it.
Reported by Max Kellermann

** Encode UID fields in DN's as DirectoryString.
Before GnuTLS encoded and parsed UID fields as IA5String.  This was
incorrect, it should have used DirectoryString.  Now it will use
DirectoryString for the UID field, but for backwards compatibility it
will also accept IA5String UID's.  Reported by Max Kellermann

** Fix ./configure failure with non-GCC compilers.
This fixes the following error message:
configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined.
Reported by "Michael C. Vergallen"

* Version 1.6.0 (released 2006-11-17)

** No changes since 1.5.5.
The major changes compared to the 1.4.x branch are:

*** A GnuTLS C++ library is part of the official distribution.
Currently there are no examples or documentation, but hopefully this
will change.  See gnutlsxx.h for the API.

*** Windows is a supported platform.
There are, however, two known bugs.  One is related to select() in
command line tools (not, nota bene, in the library), the other is a
problem with libgcrypt that causes delays.  Help is needed to resolve
those issues, so we feel we can't delay the release because of this.

*** New APIs for custom push/pull function error reporting.
The new APIs are gnutls_transport_set_errno and
gnutls_transport_set_global_errno.  See the release notes for version
1.5.4 for more information.

*** Self tests are run under valgrind, if available.  See --disable-valgrind.
2007-01-20 17:38:06 +00:00
taca
c1cf735115 Update hpn-patch; openssh-4.4p1-hpn12v13 to openssh-4.5p1-hpn12v14.
Accurate changes are unknown.

Bump PKGREVISION.
2007-01-20 10:03:39 +00:00
rillig
dce06beb4e Added a patch that calls closedir() after scanning a directory. Now RATS
is able to scan much larger directories. :)

PKGREVISION++
2007-01-18 22:55:19 +00:00
salo
36b53788b7 Fix building with Autoconf 2.60 and newer.
Addresses PR pkg/34252 by Matthias Petermann.

Also delint a bit.
2007-01-18 17:28:24 +00:00
wiz
e5b04d25c0 Very belatedly bump PKGREVISION for all jasper dependencies because
of the shlib name change (!) during the update to 1.900.0.

Noted by Robert Elz in PR 35431.
2007-01-17 23:47:18 +00:00
salo
f3624b6351 Security fix for CVE-2006-6143:
"An unauthenticated user may cause execution of arbitrary code in
 kadmind, which can compromise the Kerberos key database and host
 security.  (kadmind usually runs as root.)  Unsuccessful exploitation,
 or even accidental replication of the required conditions by
 non-malicious users, can result in kadmind crashing."

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143

Patch from MIT.
2007-01-17 23:43:47 +00:00
adrianp
71bd3f9136 Update to 1.27
2007-01-16 David A. Wheeler <dwheeler, at, dwheeler.com>
* Release version 1.27

2007-01-16 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Cleaned up code for patch handling, fix bug in subdir handling,
include patch info in help.

2007-01-15 Steve Kemp <steve at shellcode dot org>
* Fix Debian bug 268236.
This complains that flawfinder crashes when presented with a
file it cannot read.  The patch obviously can't prevent
the problem, since the tool can't review what it can't read,
but at least it halts with a cleaner error message.

2007-01-15 cmorgan <cmorgan47, at earthlink dooot net>
* Fixed Debian bug 271287 (flawfinder).
Fixed skipping newlines when line ended with \,
which caused incorrect line number reporting.
Skip multiple whitespace at one time.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* Modified Sebastien Tandel's code so that it also supports GNU diff
(his code worked only for svn diff)
* When using a patchfile, skip analysis of any file not
listed in the patchfile.

2007-01-15 Sebastien Tandel <sebastien, at, tandel (doht) be)
* Add support for using "svn diff" created patch files, based
on the approach described by David A. Wheeler on how it
could be done.

2007-01-15 David A. Wheeler <dwheeler, at, dwheeler.com>
* By default, now skips directories beginning with "."
(this makes it work nicely with many SCM systems).
Added "--followdotdir" option if you WANT it to enter
such directories.
* Fixed divide-by-zero when no code found (not exactly common
in normal use, but anyway!)
2007-01-17 21:48:25 +00:00
rillig
5acfb0b6ca Renamed BUILDLINK_TRANSFORM.* to BUILDLINK_FNAME_TRANSFORM.*, to make
clear that these variables are completely unrelated to
BUILDLINK_TRANSFORM.

Added a legacy check that catches appearances of BUILDLINK_TRANSFORM.*.

XXX: Where should incompatible changes in pkgsrc be documented?
2007-01-17 03:11:18 +00:00
tonio
7f09f334fa Update security/caff to 0.4.9
Changelog:
 * caff:
   + Fix a bug with checking if we have exactly one or more keys that failed
     downloading.
   + Mention in manpage that keyserver-options is a useful setting in
     .caff/gnupghome/gpg.conf (Closes: #392811).
   + q-p-encode From: header (Closes: #366745).
2007-01-15 21:34:43 +00:00
joerg
69f4c52818 Modular Xorg support. 2007-01-15 16:21:55 +00:00
tonio
1a501ca010 Added ocaml-ssl 0.4.0 2007-01-15 14:22:26 +00:00
tonio
b492218538 Import ocaml-ssl 0.4.0 into pkgsrc:
ocaml-ssl is a library of OCaml bindings for libssl.
Package provided by Jaap Boender in PR pkg/35212
2007-01-15 14:21:10 +00:00
taca
005faebc10 Update pam-ldap to 183.
- Fix miscellaneous pkglint warnings.
- Fix security problem; CAN-2006-5170.

$Id: ChangeLog,v 1.212 2006/10/05 23:23:52 lukeh Exp $
===============================================================

183	Luke Howard <lukeh@padl.com>

	* fix for BUG#291: don't suppress password policy
	  errors which should not be suppressed

182	Luke Howard <lukeh@padl.com>

	* fix for BUG#269: compile time error in call to
	  ldap_sasl_interactive_bind_s()

181	Luke Howard <lukeh@padl.com>

	* fix for BUG#256: don't send password policy request
	  control if pam_lookup_policy not specified
	* fix for BUG#254: check gethostbyname() result
	* fix for BUG#237: typo in ldap_get_lderrno()
	  implementation
	* fix for BUG#207: if ldap_start_tls_s() fails
	  return PAM_AUTHINFO_UNAVAIL
	* fix for BUG#261: sslpath example wrong
	* fix for BUG#268: POLICY_ERROR_CHANGE_AFTER_RESET
	  should be handled as POLICY_ERROR_PASSWORD_EXPIRED,
	  other password policy errors to be treated as fatal
2007-01-15 03:24:03 +00:00
martti
920703277a Updated security/keychain to 2.6.8
* keychain 2.6.8 (24 Oct 2006)

  Save LC_ALL for gpg invocation so that pinentry-curses works.  This affected
  peper and kloeri, though it seems to work for me in any case.

* keychain 2.6.7 (24 Oct 2006)

  Prevent gpg_listmissing from accidentally loading keys
2007-01-14 08:32:32 +00:00
schmonz
35f2439c2d Update to 4.20. From the changelog:
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
  - The new transfer() function has been well tested.
    I recommend upgrading any previous version with this one.
* Bugfixes
  - Fixed support for encrypted passphrases (broken in 4.19).
  - Reduced amount of debug logs.
  - A minor man page update.

Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
  - There are a lot of new features in this version.  I recommend
    to test it well before upgrading your mission-critical systems.
* New features
  - New service-level option to specify OCSP server flag:
    OCSPflag = <flag>
  - "protocolCredentials" option changed to "protocolUsername"
    and "protocolPassword"
  - NTLM support to be enabled with the new service-level option:
    protocolAuthentication = NTLM
  - imap protocol negotiation support added.
  - Passphrase cache was added so the user does not need to reenter
    the same passphrase for each defined service any more.
  - New service-level option to retry connect+exec section:
    retry = yes|no
  - Local IP and port is logged for each established connection.
  - Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
  - Serious problem with SSL_WANT_* retries fixed.
    The new code requires extensive testing!

Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
  - GPF on entering private key pass phrase on Win32 fixed.
  - Updated OpenSSL Win32 DLLs.
  - Minor configure script update.

Version 4.17, 2006.09.10, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8c.
* Bugfixes
  - Problem with detecting getaddrinfo() in ./configure fixed.
  - Compilation problem due to misplaced #endif in ssl.c fixed.
  - Duplicate 220 in smtp_server() function in protocol.c fixed.
  - Minor os2.mak update.
  - Minor update of safestring()/safename() macros.

Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
  - A new global option to control engine:
    engineCtrl = <command>[:<parameter>]
  - A new service-level option to select engine to read private key:
    engineNum = <engine number>
  - OCSP support:
    ocsp = <URL>
* New features
  - A new option to select version of SSL protocol:
    sslVersion = all|SSLv2|SSLv3|TLSv1
  - Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
  - OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
  - An ordinary user can install stunnel again.
  - Compilation problem with --enable-dh fixed.
  - Some minor compilation warnings fixed.
  - Service-level CRL cert store implemented.
  - GPF on protocol negotiations fixed.
  - Problem detecting addrinfo() on Tru64 fixed.
  - Default group is now detected by configure script.
  - Check for maximum number of defined services added.
  - OpenSSL_add_all_algorithms() added to SSL initialization.
  - configure script sections reordered to detect pthread library functions.
  - RFC 2487 autodetection improved.  High resolution s_poll_wait()
    not currently supported by UCONTEXT threading.
  - More precise description of cert directory file names (thx to Muhammad
    Muquit).
* Other changes
  - Maximum number of services increased from 64 to 256 when poll() is used.
2007-01-14 00:07:15 +00:00
adrianp
a4ea706090 Give up maintainership as I don't use this anymore. 2007-01-13 00:56:54 +00:00
joerg
2f6e8dc768 Modular Xorg support. 2007-01-13 00:16:40 +00:00
minskim
162b528f42 Make this package build on Darwin. Patch from Darwinports.
This fixes PR 35400.
2007-01-11 00:02:53 +00:00
drochner
dd526ea1bc +pam-pwauth_suid 2007-01-08 18:41:37 +00:00
drochner
09db3d2bc4 add a PAM module which used a suid helper program to access the passwd
database, for use by unprivileged users to verify their own password
(in particular for screen savers)
thanks to many people for comments
2007-01-08 18:39:44 +00:00
obache
38980f4d8a +pam-af 2007-01-08 06:33:49 +00:00
obache
88a2c34ea0 Import pam_af version 1.0.1.
pam_af is a simple anti-bruteforce PAM module for authentification
services. It can be used to prevent brute-force attacks on services
like SSH or Telnet.
2007-01-08 05:49:01 +00:00
rillig
2829e658f2 Mechanically replaced man/* with ${PKGMANDIR}/* in the definition of
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.

Fixes PR 35265, although I did not use the patch provided therein.
2007-01-07 09:13:46 +00:00
rillig
b4dab364f0 Updated MyPasswordSafe to 20061216.
Changes unknown. The homepage seems to come directly from the year 2004.
2007-01-06 19:06:22 +00:00
minskim
7b216e9ea3 Declare functions before using them to avoid wrong guess. 2007-01-03 03:31:54 +00:00
minskim
f4ef2de2b0 Correct the path to dinode.h on Darwin. 2007-01-03 03:26:31 +00:00
minskim
cf15737f9a Explicitly specify where to find openssl. Otherwise, the configure script
fails to detect native openssl on Darwin.
2007-01-03 03:06:13 +00:00
joerg
d26cf36e57 - fine grained X11 dependencies for packages which have either USE_IMAKE
or USE_X11BASE set, but don't include mk/x11.buildlink3.mk directly or
  via buildlink3.mks
- introduce BUILDLINK_PREFIX.libXpm as alias for BUILDLINK_PREFIX.xpm
  in the !modular case
- fix some cases where the check for libX11 couldn't work at all by using
  C++ for compilation without including the proper headers

Verified using a full X11_TYPE=xorg bulk build without additional
breakage. Discussed with salo@, wiz@ and sent to packages@ for feedback.
2006-12-27 13:37:35 +00:00
wiz
b83bdcb59e regen. 2006-12-23 09:35:01 +00:00
wiz
a72bebd94f Use more markup. New sentence, new line. 2006-12-23 09:34:56 +00:00
jmmv
cfee8a89ec Fix typo. 2006-12-21 16:35:13 +00:00
smb
710fe04672 Fix invocation of /usr/bin/install to take out $(SHELL) 2006-12-18 07:14:51 +00:00
salo
52a28402f9 Update to version 2.2.9
ok <frueauf>, the MAINTAINER.

changes:

2.2.9:
======
- nessus-mkcert-client:
  - Make sure that the user calling nessus-mkcert-client is root
- nessus-libraries:
  - Fixed a bug in the PCAP handler which in turn should fix synscan.nes
- nessus:
  - Fixed a possible memory corruption issue when creating a list of plugins
    to launch
  - Fixed a corruption of the .nessusrc files when receiving some plugin
    prefs ending by a space
- nessus-fetch:
  - Make sure that every request (including the proxy CONNECT request)
    is done with the user-specified user-agent.
- nessus-plugins:
  - Fixed a banner encoding problem in nessus_tcp_scanner and find_service
  - Fixed a possible deadlock in synscan
- nessusd:
  - Avoid a deadlock when waiting for a sub process to die

2.2.8:
======
- nessusd:
  - Make sure that plugins of type ACT_INIT and ACT_SETTINGS are
    always enabled during a scan
  - Display more verbose error messages when it's impossible to
    load a .nes plugin
  - Fixed a harmless memory reallocation problem which would truncate
    a very long preference name
- nessus-libraries:
  - Fixed a possible memory corruption when forwarding data from a process
    to another
- libnasl:
  - 'a = b + c ++' would not work as expected
  - fixed a memory allocation problem when split() is passed an argument
    of the wrong type
2006-12-17 21:06:22 +00:00
joerg
5e43280b23 Replace mk/bsd.prefs.mk includes with bsd.fast.prefs.mk includes.
The redundant parsing of bsd.prefs.mk is mostly avoided now and
parse time e.g. for x11/kdebase3 gets reduced by up to 10%.
2006-12-12 21:52:34 +00:00
shannonjr
119ca1c23f Removed patch-ag because this is now in the pnupg code base 2006-12-12 13:12:44 +00:00
shannonjr
193b487d2f Update to 2.0.1.
This is a maintenance release to fix build problems found after the
release of 2.0.0 and to fix a buffer overflow in gpg2
2006-12-12 13:11:35 +00:00
shannonjr
d1d994d4ad Update to release 1.0.0.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves.  Dirmngr also handles OCSP requests as an
alternative to CRLs.  Dirmngr is either invoked internally by gpgsm
(from GnuPG-2) or when running as a system daemon through the
dirmngr-client tool.
2006-12-12 13:09:21 +00:00
dmcmahill
e53b9d9e83 It doesn't work to put a conditional USE_TOOLS+= nroff in the middle
of the do-build target.  bmake does not like that.
2006-12-10 13:06:45 +00:00
xtraeme
b3e9e3ddec Update to 2.4.4.
Mostly bugfixes, see: http://www.ijs.si/software/amavisd/release-notes.txt
2006-12-10 02:00:59 +00:00
obache
49815f9884 Update gsasl to 0.2.15, based on patch provided by PR 33638.
* Version 0.2.15 (released 2006-08-22)

** Changed libgsasl shared library version.
The shared library version was not incremented correctly in the last
release, even though new APIs were added.

* Version 0.2.14 (released 2006-08-19)

** New section "Requirements" in the manual, lists the external components.
Suggested by James Mansion.

** Update of gnulib files.

* Version 0.2.13 (released 2006-06-14)

** Update of gnulib files.
Further improves portability to MinGW.

** Various improvements in the manuals.

** The tests are run under valgrind, if it is installed.
Use --disable-valgrind-tests to unconditionally disable this.  It is
disabled by default for cross compiles.

** Various minor fixes.

* Version 0.2.12 (released 2006-03-08)

** Update of gnulib files.
Improves portability to Mingw32.

* Version 0.2.11 (released 2006-02-07)

** Ported to Windows by cross-compiling using Mingw32.
Using Debian's mingw32 compiler, you can build it for Windows by invoking
`./configure --host=i586-mingw32msvc --disable-gssapi'.

** Update of gnulib files.

* Version 0.2.10 (released 2005-10-23)

** Work around bug in GnuTLS that made the command line tool exit after
** failing to write a zero length message to the peer.

** Don't use GnuTLS if gnutls_certificate_verify_peers2 isn't present.

** Update of gnulib files.

* Version 0.2.9 (released 2005-10-07)

** Update of gnulib files.

* Version 0.2.8 (released 2005-09-08)

** The gsasl tool now supports STARTTLS for IMAP and SMTP using GnuTLS.

** The --client and --server parameters for the gsasl tool now work properly.

** The --client and --server stdin/stdout modes now use the readline library.

** Fixed build problems in getpass on uClibc and Mingw32 platforms.

** Kinyarwanda translation added.

* Version 0.2.7 (released 2005-08-25)

** Fix build problems when cross-compiling to uClibc and Mingw32 platforms.

** Detecting and using the readline library has been improved.

* Version 0.2.6 (released 2005-08-08)

** The gsasl tool now tries to connect to all addresses for a server name.

** The help-gsasl@gnu.org mailing list is now mentioned in documentation.

** The license template in files were updated with the new FSF address.

** Update of gnulib files.
2006-12-09 14:06:13 +00:00
shannonjr
c03fa99045 Added patch fixing [CVE-2006-6235] remotely controllable function pointer. 2006-12-09 13:39:28 +00:00
adrianp
04206adfdb Make pkglint really happy.
Add IGNORE_URLS code from agc@:
"If a URL is specified in IGNORE_URLS then all entries listed in
 pkg-vulnerabilities that match that URL will not be reported when
 audit-packages is run.  Running audit-packages -v will display the
 details of all entries skipped if IGNORE_URLS is set."
Add a sample audit-packages.conf detailing all the options we now support.
Update to 1.46
2006-12-09 12:30:46 +00:00
rillig
d63a22903c Needs PKGLOCALEDIR. 2006-12-08 05:44:19 +00:00
taca
cfa4134c01 Correct wrong usage of PKGMANDIR. 2006-12-07 05:38:44 +00:00
wiz
e162ec1863 Update to 1.4.6:
Noteworthy changes in version 1.4.6 (2006-12-06)
------------------------------------------------

    * Fixed a serious and exploitable bug in processing encrypted
      packages. [CVE-2006-6235].

    * Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]
	(already fixed in pkgsrc)

    * Fixed a bug while decrypting certain compressed and encrypted
      messages. [bug#537]

    * Added --s2k-count to set the number of times passphrase mangling
      is repeated.  The default is 65536 times.

    * Added --passphrase-repeat to set the number of times GPG will
      prompt for a new passphrase to be repeated.  This is useful to
      help memorize a new passphrase.  The default is 1 repetition.

    * Added a GPL license exception to the keyserver helper programs
      gpgkeys_ldap, gpgkeys_curl, and gpgkeys_hkp, to clarify any
      potential questions about the ability to distribute binaries
      that link to the OpenSSL library.  GnuPG does not link directly
      to OpenSSL, but libcurl (used for HKP, HTTP, and FTP) and
      OpenLDAP (used for LDAP) may.  Note that this license exception
      is considered a bug fix and is intended to forgive any
      violations pertaining to this issue, including those that may
      have occurred in the past.

    * Man pages are now built from the same source as those of GnuPG-2.
2006-12-06 23:00:46 +00:00