- New Features:
- New Apps: (see the validator/apps directory for details)
- dnssec-check: check dnssec support from your ISP
- dnssec-nodes: graphically displays a DNS
hierarchy, color coded by each node's DNSSEC status
- dnssec-system-tray: displays pop-up
notifications when a libval-enabled application
triggers a DNSSEC error
- lookup: a graphical DNS lookup utility that
displays the results in a hierarchical tree and
color codes the window according to DNSSEC status
- libval: - Added support for building on Windows.
- added support for falling back to recursion when
the caching name server does not appear to
support DNSSEC. This also works as a mechanism
to work around poisoned or misbehaving cache.
- Significant improvements to the the asynchronous support.
- lsdnssec: - Improvements to lsdnssec to display different
output depending on whether a zone is a
stand-alone zone or under control of rollerd.
- nagios: - Plugins for the nagios monitoring system which
enable monitoring of zone rollerover states.
- firefox: - Improved patches that work with the most recent firefox
Plus many more minor features and bug fixes
1.9:
- New Features:
- lsdnssec: - Added a new flag (-p) to show only zones in a
particular rollerd phase.
- fixed bugs to align timing output with rollerd.
- rollerd: - Added a -logtz flag for logging timezones
- fixed bugs related to the -alwayssign flag.
- zonesigner's path is taken from the config file.
- rollctl: - Added -rollall and -rollzone options.
- zonesigner: - Assumes keys need to be generated for new zones
(Assumes -genkeys option was given if a keyrec file
can't be found.)
- Exits with unique exit codes if a failure occurs.
("zonesigner -xc CODE" can lookup a description for it.")
- Added the -phase option so rollover options could be
more easily specified.
- lights: - A simple GUI to check the status of rollover states
- blinkenlights:- Added hide/show commands for rollrec names and zone
names, for split-zone support
- cleankrf: - Fixed deletion of obsolete set keyrecs.
- GUI commands: - Fixed how the Exit command works so they don't coredump.
- libsres
& libval: - New beta support for issuing asynchronous requests.
This can speed up queries by up to 4 times if used.
(see example code in validator/apps/validator_selftest.c)
- NSEC3, DLV and IPv6 are enabled by default.
- improved logging and logging-callback support.
- drawvalmap - Can output PNG files now
- Packaging:
- Our download page now allows you to download
the C validator libraries independently of the
full DNNSEC-Tools tool-suite.
- Many bugs were also fixed in the 240+ changes.
* Include simple-dnskey-mailer-plugin in dist.
* Enforcer: Change message about KSK retirement to make it less confusing.
Bugfixes:
* ods-control: If the Enforcer did not close down, you entered an infinite loop.
* Signer Engine: Fix log message typos.
* Signer Engine: Fix crash where ods-signer update
* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
* Zonefetcher: Sometimes invalid 'Address already in use' occurred.
* Bugfix #247: Fixes bug introduced by bugfix #242.
OpenDNSSEC 1.3.0rc3
* Do not distribute trang.
Bugfixes:
* Fix test for java executable and others.
* Auditor: Fix delegation checks.
* Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone.
* ods-kaspcheck: Do not expect resalt in NSEC policy.
* Signer Engine: Ifdef a header file.
* Signer Engine: The default working directory was not specified.
* Signer Engine: Handle stdout console output throttling that would
truncate daemon output intermittently.
OpenDNSSEC 1.3.0.rc2
* Match the names of the signer pidfile and enforcer pidfile.
* Include check for resign < resalt in ods-kaspcheck.
Bugfixes:
* Bugfix #231: Fix MySQL version check.
* ods-ksmutil: Update now sends a HUP to the enforcerd.
* Signer Engine: Fix assertion failure if zone was just added.
* Signer Engine: Don't hsm_close() on setup error.
* Signer Engine: Fix race condition bug when doing a single run.
* Signer Engine: In case of failure, also mark zone processed (single run).
* Signer Engine: Don't leak backup file descriptor.
* signconf.rnc now allows NSEC3 Iterations of 0
OpenDNSSEC 1.3.0rc1
* <SkipPublicKey/> is enabled for SoftHSM in the default configuration.
It improves the performance by only using the private key objects.
* Document the <RolloverNotification> tag in conf.xml.
Bugfixes:
* Bugfix #221: Segmentation Fault on schedule.c:232
* Enforcer: 'make check' now works.
* Enforcer: Fixed some memory leaks in the tests.
* Signer Engine: Coverity report fixes some leaks and thread issues.
* Signer Engine: Now logs to the correct facility again.
OpenDNSSEC 1.3.0b1
* Support for signing the root. Use the zone name "."
* Enforcer: Stop import of policy if it is not consistent.
* ods-signer: The queue command will now also show what tasks the workers
are working on.
* Signer Engine: Just warn if occluded zone data was found, don't stop signing p
rocess.
* Signer Engine: Simpler serial maintenance, reduces the number of conflicts.
Less chance to hit a 'cannot update: serial too small' error message.
* Signer Engine: Simpler NSEC(3) maintenance.
* Signer Engine: Temperate the number of backup files.
* Signer Engine: Set number of <SignerThreads> in conf.xml to
get peak performance from HSMs that can handle multiple threads.
Bugfixes:
* Bugreport #139: ods-auditor fails on root zone.
* Bugreport #198: Zone updates ignored?
* Replace tab with white-space when writing to syslog.
* Signer Engine: Do not block update command while signing.
ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection,
hash matcher, and other minor issues. Please see the ChangeLog file for
details.
* No need to prefix with ${WRKSRC}.
* It must not be overwritten multiple time, or only last one will be activate.
* library/gnome-keyring part is now in separate libgnome-keyring package.
Bump PKGREVISION.
* New function gcry_kdf_derive implementing OpenPGP S2K algorithms
and PBKDF2.
* Support for WindowsCE.
* Support for ECDH.
* Support for OAEP and PSS methods as described by RFC-3447.
* Fixed PKCS v1.5 code to always return the leading zero.
* New format specifiers "%M" and "%u" for gcry_sexp_build.
* Support opaque MPIs with "%m" and "%M" in gcry_sexp_build.
* New functions gcry_pk_get_curve and gcry_pk_get_param to map ECC
parameters to a curve name and to retrieve parameter values.
* gcry_mpi_cmp applied to opaque values has a defined semantic now.
* Uses the Intel AES-NI instructions if available.
* The use of the deprecated Alternative Public Key Interface
(gcry_ac_*) will now print compile time warnings.
* The module register subsystem has been deprecated. This subsystem
is not flexible enough and would always require ABI changes to
extend the internal interfaces. It will eventually be removed.
Please contact us on the gcrypt-devel mailing list to discuss
whether you really need this feature or how it can be replaced by
an internal plugin mechanism.
* CTR mode may now be used with data chunks of arbitrary length.
changes:
-bugfixes
-minor feature additions
pkgsrc change: since the pkg was changed to build against "nettle"
instead of libgcrypt (whether this was a good idea or not...), the
latter isn't needed anymore, so remove the stale dependency
This can cause build breakage -- in this case addition of a local
dependency should restore the old state. (This dependency is technically
unnecessary often, but the assumption that gnutls needs libgcrypt
is sometimes hardwired in configure scripts and/or code.)
Version 4.39, 2011.07.06, urgency: LOW:
New features
New Win32 installer module to build self-signed stunnel.pem.
Added configuration file editing with Windows GUI.
Added log file reopening file editing with Windows GUI. It might be useful to also implement log file rotation.
Improved configuration file reload with Windows GUI.
Version 4.38, 2011.06.28, urgency: MEDIUM:
New features
Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "nsi".
"socket" option also accepts "yes" and "no" for flags.
Nagle's algorithm is now disabled by default for improved interactivity.
Bugfixes
A compilation fix was added for OpenSSL version < 1.0.0.
Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected.
Version 4.37, 2011.06.17, urgency: MEDIUM:
New features
Client-side SNI implemented (RFC 3546 section 3.1).
Default "ciphers" changed from the OpenSSL default to a more secure and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2".
Recommended "options = NO_SSLv2" added to the sample stunnel.conf file.
Default client method upgraded from SSLv3 to TLSv1. To connect servers without TLS support use "sslVersion = SSLv3" option.
Improved --enable-fips and --disable-fips ./configure option handling.
On startup stunnel now compares the compiled version of OpenSSL against the running version of OpenSSL. A warning is logged on mismatch.
Bugfixes
Non-blocking socket handling in local mode fixed (Debian bug #626856).
UCONTEXT threading mode fixed.
Removed the use of gcc Thread-Local Storage for improved portability.
va_copy macro defined for platforms that do not have it.
Fixed "local" option parsing on IPv4 systems.
Solaris compilation fix (redefinition of "STR").
Version 4.36, 2011.05.03, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0d.
Dynamic memory management for strings manipulation: no more static STRLEN limit, lower stack footprint.
Strict public key comparison added for "verify = 3" certificate checking mode (thx to Philipp Hartwig).
Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior on heavy load.
Example tools/stunnel.service file added for systemd service manager.
Bugfixes
Missing pthread_attr_destroy() added to fix memory leak (thx to Paul Allex and Peter Pentchev).
Fixed the incorrect way of setting FD_CLOEXEC flag.
Fixed --enable-libwrap option of ./configure script.
/opt/local added to OpenSSL search path for MacPorts compatibility.
Workaround implemented for signal handling on MacOS X.
A trivial bug fixed in the stunnel.init script.
Retry implemented on EAI_AGAIN error returned by resolver calls.
Version 4.35, 2011.02.05, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0c.
Transparent source (non-local bind) added for FreeBSD 8.x.
Transparent destination ("transparent = destination") added for Linux.
Bugfixes
Fixed reload of FIPS-enabled stunnel.
Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments: http://udrepper.livejournal.com/20407.html
Directory lib64 included in the OpenSSL library search path.
Windows CE compilation fixes (thx to Pierre Delaage).
Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
Domain name changes (courtesy of Bri Hatch)
http://stunnel.mirt.net/ --> http://www.stunnel.org/
ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
stunnel-users@mirt.net --> stunnel-users@stunnel.orgstunnel-announce@mirt.net --> stunnel-announce@stunnel.org
Version 4.34, 2010.09.19, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0a.
Updated Win32 DLLs for zlib 1.2.5.
Updated automake to version 1.11.1
Updated libtool to version 2.2.6b
Added ECC support with a new service-level "curve" option.
DH support is now enabled by default.
Added support for OpenSSL builds with some algorithms disabled.
./configure modified to support cross-compilation.
Sample stunnel.init updated based on Debian init script.
Bugfixes
Implemented fixes in user interface to enter engine PIN.
Fixed a transfer() loop issue on socket errors.
Fixed missing WIN32 taskbar icon while displaying a global option error.
=== 0.4.5 2011-06-25
* Add explicit require for rsa/sha1 (Juris Galang)
* Use webmock to mock all http-requests in tests (Adrian Feldman)
* Add gemtest support (Adrian Feldman)
* Fix POST Requests with Typhoeus proxy (niedhui)
* Mention Typhoeus require in the README (Kim Ahlström)
* Fix incorrect hardcoded port (Ian Taylor)
* Use Net::HTTPGenericRequest (Jakub Kuźma)
This is primarily a bugfix release.
Fix vulnerabilities:
* KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322]
* kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
* KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
* KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
* kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
Interoperability:
* Correctly encrypt GSSAPI forwarded credentials using the session key, not
a subkey.
* Set NT-SRV-INST on TGS principal names as expected by some Windows Server
Domain Controllers.
* Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC
instead.
* Correctly validate HMAC-MD5 checksums that use DES keys
New features
* Support for reading MIT database file directly
* KCM is polished up and now used in production
* NTLM first class citizen, credentials stored in KCM
* Table driven ASN.1 compiler, smaller!, not enabled by default
* Native Windows client support
Notes
* Disabled write support NDBM hdb backend (read still in there) since
it can't handle large records, please migrate to a diffrent backend
(like BDB4)
Changes 1.3.3:
Bug fixes
* Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
* Check NULL pointers before dereference them [kdc]
Changes 1.3.2:
Bug fixes
* Don't mix length when clearing hmac (could memset too much)
* More paranoid underrun checking when decrypting packets
* Check the password change requests and refuse to answer empty packets
* Build on OpenSolaris
* Renumber AD-SIGNED-TICKET since it was stolen from US
* Don't cache /dev/*random file descriptor, it doesn't get unloaded
* Make C++ safe
* Misc warnings
* Allow to build with builtin libevent, because just libevent>=1.0 is required,
and builtin libevent version detection was added quite a few years ago.
No bump PKGREVISION, because it is impossible to build with libevent-2
from pkgsrc.
What's new in Sudo 1.7.6p2
* Two-character CIDR-style IPv4 netmasks are now matched correctly
in the sudoers file.
* A build error with MIT Kerberos V has been resolved.
What's new in Sudo 1.7.6p1
* A non-existent includedir is now treated the same as an empty
directory and not reported as an error.
* Removed extraneous parens in LDAP filter when sudoers_search_filter
is enabled that can cause an LDAP search error.
bcrypt() is a sophisticated and secure hash algorithm designed by The
OpenBSD project for hashing passwords. bcrypt-ruby provides a simple,
humane wrapper for safely handling passwords.
= bcrypt-ruby
An easy way to keep your users' passwords secure.
* http://bcrypt-ruby.rubyforge.org/
* http://github.com/codahale/bcrypt-ruby/tree/master
== Why you should use bcrypt
If you store user passwords in the clear, then an attacker who steals
a copy of your database has a giant list of emails and passwords. Some
of your users will only have one password -- for their email account,
for their banking account, for your application. A simple hack could
escalate into massive identity theft.
It's your responsibility as a web developer to make your web
application secure -- blaming your users for not being security
experts is not a professional response to risk.
bcrypt allows you to easily harden your application against these
kinds of attacks.
* build: Demand gettext >= 0.18.1 in order to get newer M4 files.
The old M4 files associated with 0.17 caused problems on Solaris,
which will hopefully be fixed with this.
* doc: Typo fix in autoconf snippet.
* i18n: Updated translations.
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
(patch confirmed in upstream cvs)
