* build: Demand gettext >= 0.18.1 in order to get newer M4 files.
The old M4 files associated with 0.17 caused problems on Solaris,
which will hopefully be fixed with this.
* doc: Typo fix in autoconf snippet.
* i18n: Updated translations.
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
(patch confirmed in upstream cvs)
* OpenSSL/crypto/x509.c: Add get_extension_count and get_extension
to the X509 type, allowing read access to certificate extensions.
* OpenSSL/crypto/x509ext.c: Add get_short_name and get_data to the
X509Extension type, allowing read access to the contents of an
extension.
* OpenSSL/ssl/ssl.c: Expose a number of symbolic constants for
values passed to the connection "info" callback.
* OpenSSL/ssl/connection.py: Add support for new-style
buffers (primarily memoryviews) to Connection.send and
Connection.sendall.
1. Add support for check and create ECDSA host key for SSH protocol
version 2.
2. Disable use of strnvis(3) on NetBSD. NetBSD current after 2011/03/12
has strnvis(3), but it has different argument from OpenBSD (and other
system).
Bump PKGREVISION.
Upstream changes:
2.1.4 / 3 Apr 2011
* Add ConnectionTimeout exception class. [Joel Watson]
See: https://github.com/net-ssh/net-ssh-multi/pull/1
2.1.3 / 2 Mar 2011
* Call to transport.closed should be transport.close [Woon Jung]
2.1.2 / 1 Mar 2011
* Fix for Net::SSH Continues to attempt authentication when notified it is
not allowed [Eric Hodel]
(see: http://net-ssh.lighthouseapp.com/projects/36253-net-ssh/tickets/26)
* Fix for transport won't be closed if authentication fails [Patrick Marchi]
2.1 / 19 Jan 2011
* Support "IdentitiesOnly" directive (LH-24) [Musy Bite, Edmund Haselwanter]
* Speeding up the Loggable module (LH-23) [robbebob]
2.0.24 / 14 Jan 2011
* Fix for process code to correctly wait until remote_id is set before
sending any output, including eof. [Daniel Pittman, Markus Roberts]
* Fix circular require warning in Ruby 1.9.2 [Gavin Brock]
20110403
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Prepare for 5.8p2 release.
- (djm) [version.h] crank version
- Release 5.8p2
20110329
- (djm) [entropy.c] closefrom() before running ssh-rand-helper; leftover fds
noticed by tmraz AT redhat.com
20110221
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
Cygwin-specific service installer script ssh-host-config. The actual
functionality is the same, the revisited version is just more
exact when it comes to check for problems which disallow to run
certain aspects of the script. So, part of this script and the also
rearranged service helper script library "csih" is to check if all
the tools required to run the script are available on the system.
The new script also is more thorough to inform the user why the
script failed. Patch from vinschen at redhat com.
20110206
- (dtucker) [openbsd-compat/port-linux.c] Bug #1851: fix syntax error in
selinux code. Patch from Leonardo Chiquitto
- (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA key
generation and simplify. Patch from Corinna Vinschen.
* Rakefiles are executables, and rake loads rake, not rakefile code
* Replace rcov with simplecov
* Convert README to Markdown
* Convert LICENSE to Markdown
* Replace rdoc with yard
* Add turn in development for more verbose test output
* Trust the load path
* Remove vestigial VERSION file
* Add Travis configuration file
* Bundle setup before running tests
* Require rubygems
* Add bundler as a development dependency
* Apparently, Object#tap was added in 1.8.7, not 1.9
* Add jruby-openssl dependency
* Add link to Travis CI
* Remove vestigial rdoc options from gem specification
* Bump version to 0.1.5
* Backport mutex handling from v2 for increased multithreaded
performance.
* Remove signature verification used for debugging purposes.
(was enabled with ./configure --enable-sigver)
* Added an index to the attribute table in the database.
* Optimization of the database handling.
Changes since previous version:
version 0.9.4
- fixed possible memory corrution in oauth_curl_get
thanks to Bruce Rosen for reporting this issue
version 0.9.3
- yet more build-system fixes:
- allow to override HASH_LIBS and CURL_LIBS using envoronment variables
- include them in .pc and tests/Makefile.am
version 0.9.2
- fixed typo in build-system (LDFLAGS, -Wl,--as-needed detection)
version 0.9.1
- fixed typo in API:
oauth_time_indepenent_equals[_n] is now deprecated in favor of
oauth_time_independent_equals[_n]
- added check for 'Wl,--as-needed' linker flag.
version 0.9.0
- fixed typo in pkg-config file.
With thanks to Brad Harder for the nudge.
Tarsnap is a secure online backup service for BSD, Linux, OS X,
Solaris, Cygwin, and can probably be compiled on many other UNIX-like
operating systems. The Tarsnap client code provides a flexible and
powerful command-line interface which can be used directly or via
shell scripts.
Package zlib was not found in the pkg-config search path.
... there is no zlib.pc, so comment out the part of the configure
script that adds that to the pkg-config file.
Bump PKGREVISION.
* libgnutls: Several minor bugfixes.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak,
several sites require it for connection. It is enabled for "NORMAL" and
"PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
* libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your
system's errno fascility or gnutls_transport_set_errno().
* gnutls-cli: Correction with usage of select to check for pending data in
gnutls sessions. It now uses gnutls_record_check_pending().
* tests: More fixes and updates for win32. Patches by LRN.
* libgnutls: Several files unnecessarily included <gcrypt.h>; this has been
fixed.
** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED
Changes 2.12.2:
* libgnutls: Several updates and fixes for win32. Patches by LRN.
* libgnutls: Several bug and memory leak fixes.
* srptool: Accepts the -d option to enable debugging.
* libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the
allocation of a verifier. Reported by Andrew Wiseman.
Changes 2.12.1:
* certtool: Generated certificate request with stricter permissions.
* libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
* libgnutls: Corrected windows system_errno() function prototype.
* libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.
* libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.
or less any context: In crypto toolkits for object-oriented languages
(C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in
kernel space. In most contexts, you need more than the basic
cryptographic algorithms, you also need some way to keep track of available
algorithms, their properties and variants. You often have some algorithm
selection process, often dictated by a protocol you want to implement.
And as the requirements of applications differ in subtle and not so
subtle ways, an API that fits one application well can be a pain to use
in a different context. And that is why there are so many different
cryptographic libraries around.
Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a simple but general interface to it.
In particular, Nettle doesn't do algorithm selection. It doesn't do
memory allocation. It doesn't do any I/O.
The idea is that one can build several application and context specific
interfaces on top of Nettle, and share the code, test cases, benchmarks,
documentation, etc. Examples are the Nettle module for the Pike
language, and LSH, which both use an object-oriented abstraction on top
of the library.
This version comes with the following usability enhancements:
* Added checkbox to the Preferences dialog, this checkbox turns off some
tooltips that can be annoying for users who are sufficiently familiar with
the GUI.
* Added a tab "Policy Rule" to the "Objects" page of the global preferences
dialog; checkbox in this tab allows the user to choose whether new policy
rules should be created with logging turned on or off.
The major bug fixes in this release include:
* Fixed installer issue for Windows users that use Putty sessions. Built-in
policy installer can use putty session on Windows when it runs pscp.exe
utility to copy generated script to the firewall
* Fixed bug in the generated iptables script that made it to not configure
broadcast address when it added ip addresses to interfaces.
* Several bugs that affected cluster configurations were fixed.
* Preparations for 1.2.17 release
* Fixed security issue with libxslt (CVE-2011-1425, reported by Nicolas Gregoire)
* Fixed pkcs12 file loading (based on patch from Andre de Souza Pinto)
* Fixed comments (based on patch from Wolfgang Woehl)
* Fixed extra quotes in configure (bug #631258)
* Fixed configure issue with empty --with-libxml/libxsl and config scripts in /bin directory
* Fixed gcrypt init/shutdown (patch from Roumen)
so that we don't have any '#' chars in it.
Avoids the following:
% grep COMMENT Makefile
COMMENT= Cryptographic store accessible through a PKCS#11 interface
% pkg_info softhsm
Information for softhsm-1.2.0:
Comment:
Cryptographic store accessible through a PKCS
authentication protocol designed to provide strong authentication for
client/server applications by using secret-key cryptography. (Kerberos
5 is discussed in RFC 1510.)
This package provides MIT Kerberos applications and servers for telnet,
the r-services and ftp. These were recently split from the mit-krb5
package due to upstream making the same split.
including MITKRB5-SA-2011-003.
Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2
Note that the r-services, telnetd and ftpd services and the related client
applications are now in a separate pacakge security/mit-krb5-appl.
* pkgsrc change: trying to use user-destdir.
What's new in Sudo 1.7.5?
* When using visudo in check mode, a file named "-" may be used to
check sudoers data on the standard input.
* Sudo now only fetches shadow password entries when using the
password database directly for authentication.
* Password and group entries are now cached using the same key
that was used to look them up. This fixes a problem when looking
up entries by name if the name in the retrieved entry does not
match the name used to look it up. This may happen on some systems
that do case insensitive lookups or that truncate long names.
* GCC will no longer display warnings on glibc systems that use
the warn_unused_result attribute for write(2) and other system calls.
* If a PAM account management module denies access, sudo now prints
a more useful error message and stops trying to validate the user.
* Fixed a potential hang on idle systems when the sudo-run process
exits immediately.
* Sudo now includes a copy of zlib that will be used on systems
that do not have zlib installed.
* The --with-umask-override configure flag has been added to enable
the "umask_override" sudoers Defaults option at build time.
* Sudo now unblocks all signals on startup to avoid problems caused
by the parent process changing the default signal mask.
* LDAP Sudoers entries may now specify a time period for which
the entry is valid. This requires an updated sudoers schema
that includes the sudoNotBefore and sudoNotAfter attributes.
Support for timed entries must be explicitly enabled in the
ldap.conf file. Based on changes from Andreas Mueller.
* LDAP Sudoers entries may now specify a sudoOrder attribute that
determines the order in which matching entries are applied. The
last matching entry is used, just like file-based sudoers. This
requires an updated sudoers schema that includes the sudOrder
attribute. Based on changes from Andreas Mueller.
* When run as sudoedit, or when given the -e flag, sudo now treats
command line arguments as pathnames. This means that slashes
in the sudoers file entry must explicitly match slashes in
the command line arguments. As a result, and entry such as:
user ALL = sudoedit /etc/*
will allow editing of /etc/motd but not /etc/security/default.
* NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
compatibility with OpenLDAP configuration files.
* The LDAP API TIMEOUT parameter is now honored in ldap.conf.
* The I/O log directory may now be specified in the sudoers file.
* Sudo will no longer refuse to run if the sudoers file is writable
by root.
* Sudo now performs command line escaping for "sudo -s" and "sudo -i"
after validating the command so the sudoers entries do not need
to include the backslashes.
* Logging and email sending are now done in the locale specified
by the "sudoers_locale" setting ("C" by default). Email send by
sudo now includes MIME headers when "sudoers_locale" is not "C".
* The configure script has a new option, --disable-env-reset, to
allow one to change the default for the sudoers Default setting
"env_reset" at compile time.
* When logging "sudo -l command", sudo will now prepend "list "
to the command in the log line to distinguish between an
actual command invocation in the logs.
* Double-quoted group and user names may now include escaped double
quotes as part of the name. Previously this was a parse error.
* Sudo once again restores the state of the signal handlers it
modifies before executing the command. This allows sudo to be
used with the nohup command.
* Resuming a suspended shell now works properly when I/O logging
is not enabled (the I/O logging case was already correct).
* ldns 1.6.9 is required for bugfixes.
* dnsruby-1.52 required for bugfixes.
Bugfixes:
* Auditor: 'make check' now works when srcdir != builddir.
* Auditor: Include the 'make check' files in the tarball.
* Enforcer: Fix the migration script for SQLite.
* Enforcer: Increase size of keypairs(id) field in MySQL to allow more than
32767 keys; see MIGRATION for details.
* Enforcer: Minor change to NOT_READY_KEY error message.
* libhsm: Increase the maximum number of attached HSM:s from 10 to 100.
* ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist
etc. Otherwise the resulting XML needs to be edited by hand.
* ods-control: Fix for Bourne shell.
* Signer Engine: Prevent race condition when setting up the workers and
the command handler.
* Signer Engine: Check if the signature exists before recycling it.
* Signer Engine: Quit when there are errors in the configuration.
* Signer Engine: Enable core dump on failure.
* Signer Engine: Explicitly close down log msg with null.
* Signer Engine: Backup state after writing output.
* Signer Engine: Allow update of serial if internal structure is not
initialized.
PR 44745, rest by me.
pkgsrc changes:
- fix up deps
- fix Apache module handling
- DESTDIR support
XXX: The DESTDIR support has to bypass apxs because as far as I can tell
XXX: apxs -i doesn't know how to handle DESTDIRs. Various Apache modules
XXX: do this in various different ways. Someone(TM) should teach apxs -i
XXX: about DESTDIRs and fix up all the abuse. The infrastructure for
XXX: Apache modules could use some rototilling as well.
29 Nov 2010 - 2.5.13
--------------------
* Cleaned up some mlogc code and debugging output.
* Remove the ability to use a relative path to a piped audit logger
(i.e. mlogc) as Apache does not support it in their piped loggers
and it was breaking Windows and probably other platforms that
use spaces in filesystem paths. Discovered by Tom Donovan.
* Fix memory leak freeing regex. Discovered by Tom Donovan.
* Fix some portability issues on Windows.
* Fixed Geo lookup concurrent connections bug
* Fixed Skip/SkipAfter chain bug
* Added new setvar Lua API to be used into Lua scripts
* Added PCRE messages indicates each rule that exceed match limits
* Added new Base64 transformation function called base64DecodeEx, which
can decode base64 data skipping special characters.
* Add SecReadStateLimit to limit the number of concurrent threads in BUSY connections per ip address
* Fixed redirect action was not expanding macros in chained rules
04 Feb 2010 - 2.5.12
--------------------
* Fixed SecUploadFileMode to set the correct mode.
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Added additional file info definitions introduced in APR 0.9.5 so that
build will work with older APRs (IBM HTTP Server v6).
* Added SecUploadFileLimit to limit the number of uploaded file parts that
will be processed in a multipart POST. The default is 100.
* Fixed path normalization to better handle backreferences that extend
above root directories. Reported by Sogeti/ESEC R&D.
* Trim whitespace around phrases used with @pmFromFile and allow
for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported
by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex
(TX:/.../) syntax.
* Fixed failure to log full internal TX variable names and populate
MATCHED_VAR* vars.
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
aide in REDoS type attacks. A rule that goes over the limits will set
TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release
of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly
written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic.
* Fixed SecAction not working when CONNECT request method is used
(MODSEC-110). [Ivan Ristic]
* Do not escape quotes in macro resolution and only escape NUL in setenv
values.
04 Nov 2009 - 2.5.11
--------------------
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
set true if any invalid quoting is found during multipart parsing.
* Fixed parsing quoted strings in multipart Content-Disposition headers.
Discovered by Stefan Esser.
* Cleanup persistence database locking code.
* Added warning during configure if libcurl is found linked against
gnutls for SSL. The openssl lib is recommended as gnutls has
proven to cause issues with mutexes and may crash.
* Cleanup some mlogc (over)logging.
* Do not log output filter errors in the error log.
* Moved output filter to run before other stock filters (mod_deflate,
mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
in the response. Patch originally submitted by Ivan Ristic.
18 Sep 2009 - 2.5.10
--------------------
* Cleanup mlogc so that it builds on Windows.
* Added more detailed messages to replace "Unknown error" in filters.
* Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
auditlog permissions (especially with mpm-itk).
* Cleanup SecUploadFileMode implementation.
* Cleanup build scripts.
* Fixed crash on configuration if SecMarker is used before any rules.
* Fixed SecRuleUpdateActionById so that it will work on chain starters.
* Cleanup build system for mlogc.
* Allow mlogc to periodically flush memory pools.
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but
nothing to the error log. Prior versions dropped the "Message:" line from
both logs. To do this now, just use "nolog" or "nolog,noauditlog".
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation
issues with some libcurl versions.
* Fixed mlogc issue seen on big endian machines where content type
could be listed as zero.
* Removed extra newline from audit log message line when logging XML errors.
This was causing problems parsing audit logs.
* Fixed @pm/@pmFromFile case insensitivity.
* Truncate long parameters in log message for "Match of ... against ...
required" messages.
* Correctly resolve chained rule actions in logs.
* Cleanup some code for portability.
* AIX does not support hidden visibility with xlc compiler.
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific
values for non-gcc compilers.
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
* Handle a newer geo database more gracefully, avoiding a potential crash for
new countries that ModSecurity is not yet aware.
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
* Fixed mlogc global mutex locking issue and added more debugging output.
* Cleaned up build dependencies and configure options.
- New Features:
- zonesigner, rollerd
- Made changes so that these tools are more compatible
with recent versions of Bind
- The zone_errors configuration parameter allows a zone-
specific maximum to be set. Once exceeded, that zone
will be skipped rather than allowing rollover to continue.
- blinkenlights
- Recognizes when rollerd abruptly quits, so error messages
aren't spewed interminably.
- ZonFile::Fast - Fixed parsing of DS records containing spaces and
parsing of mname and rname SOA fields
- Added support for parsing KEY records
- keyrec.pm - Made changes to properly lock keyrec files before
writing to them.
- Begun process of deprecating keyrec_open().
- mapper: - added a new option: --node-size for mapping
complex zones.
- dnspktflow: - added two new options:
--layout-style for selecting the layout style to use
--node-size for mapping complex zones.
- Add new (default) option to cluster
authoritative nodes together to help better
understand the relationships between traffic
patterns and authoritative name server/zone arrangement.
- libval: - Now distributed with the Root TA.
- Added stricter checks for openssl SHA-256 support in
configure.
- Added several improvements that allow the validator to
lookup information within provably insecure zones that
do not handle EDNS0 requests nicely. This includes
adding support for turning off EDNS0 when traversing a
name hierarchy that leads to a provably insecure zone,
EDNS0 fallback support, and additional checks to check
the sanity of response data.
- Fixed certain bugs in CNAME handling and in the
validation of proofs accompanying wildcard responses,
referrals and alias chains.
- Fixed support for RSADSA and RSASHA-512 signature
validation.
- Mac OSX: - Added a Ports file for mac ports
- updated the fink build spec
- many other miscellaneous bug fixes and improvements.
* feat "/dev/urandom" check added to checkconfig()
* feat Config compability switch (-C) added to zkt-conf
* feat zkt-ls has a new switch -s to change sorting of domains from
subdomain before parent to subdomain below the parent
* feat "zkt-ls -T" prints only parent trust anchor
zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
* feat Several config parameter are printed now in a more consistent and
user friendly form.
SerialFormat "Incremental" could be abbreviated as "inc" on input.
* bug use of AC_ARG_ENABLE macros changed in a way that it is possible
to use it as a "--disable-FEATURE" switch.
* port no longer checking for malloc() in configue script.
Mainly because it checks only if malloc(0) is allowed and we do
not need this.
* port --disable-color-mode added to configure script
* bug Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
* misc man page zkt-keyman added
* misc New command zkt-keyman added as replacement for dnssec-zkt's key
management functionality
* misc man page zkt-ls added
* port Check for ncurses added to Makefile.in
* misc Color mode (Option -C) added to zkt-ls (experimental)
New source file tcap.c.
* misc Deprecate "single linked list" version of ZKT. The binary tree
version is the default for years, so the VERSION string does no
longer contain a "T". Now, if someone insist on the single link
list version (configure --disable-tree) a "S" is added to the
version string.
Anyway, the code for the single link list version does no longer
have the same functionality and will be removed in one of the later
releases.
* misc New command zkt-ls added as replacement for dnssec-zkt's key
listing functionality
* func New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch]
and zconf.c
New parameter NSEC3 added. Now it's possible to configure
an NSEC3_OPTOUT zone.
* bug Token parsing function gettok() fixed to recognize tokens
with dashes ("zone-statistics" was seen as "zone").
Thanks to Andreas Baess for finding this bug.
* bug Fixed bug in (re)salting dynamic zones.
sig_zone() and gensalt() needs parameter change for this
* func New option -a added to zkt-conf
* func In zconf.c CONF_TIMEINT parameter are now able to recognize
"unset" values (which is represented internaly as 0)
* func Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
is less than 1.
max_ttl checks in checkconfig() fixed.
* func printconfigdiff() added to zconf.c and used by zkt-conf.
Now local configs are printed as diff to site wide config.
* misc man page zkt-signer.8 changed to new command syntax
* func Per domain logging added. Use parameter LogDomainDir to
enable it. For more details see file README.logging.
* func distribute.sh supports new action type "distkeys" but is
currently not used
* misc LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
* misc Default soa serial format changed from "Incremental"
to "Unixtime"
* func dnssec-signer command renamed to zkt-signer. Man page updated.
* func New command zkt-conf added as replacement for dnssec-zkt -Z
* misc timeint2str() is now global (zconf.c)
* func zfparse.c - a rudimentary zone file parser
scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
zkt 0.99d -- Not released
* func Option SIG_DnsKeyKSK for DNSKEY signing with KSK only added
* misc BIND 9.7 compability
* New functions to allow the creation of X.509 certificates.
* Interface changes relative to the 1.1.0 release:
ksba_certreq_set_serial NEW
ksba_certreq_set_issuer NEW
ksba_certreq_set_validity NEW
ksba_certreq_set_siginfo NEW
* libgnutls: Corrected verification of finished messages.
* libgnutls: Corrected signature generation and verification in the Certificate
Verify message when in TLS 1.2.
* pkg-config gnutls.pc improvements.
* API and ABI modifications: No changes since last version.
* GPGME does not come with an internal libassuan version anymore.
The external libassuan 1.1.0 release or later is required. For
application programmers on systems that can resolve inter-library
dependencies at runtime, this is a transparent change.
* New engine GPGME_PROTOCOL_G13 to support the new g13 tool.
* New engine GPGME_PROTOCOL_UISERVER to support UI Servers.
* New API to change the passpgrase of a key.
Bug
* Reload interval staying too low on reload failures.
* [HTTP-Redirect binding] [Message encoding] There should be no '%0A' in the
SAMLRequest parameter value
For changes from 5.5 to 5.7, please refer http://openssh.com/txt/release-5.7
and http://openssh.com/txt/release-5.6 in detail.
Changes since OpenSSH 5.7
=========================
Security:
* Fix vulnerability in legacy certificate signing introduced in
OpenSSH-5.6 and found by Mateusz Kocielski.
Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from
the stack in place of a random nonce field. The contents of the stack
do not appear to contain private data at this point, but this cannot
be stated with certainty for all platform, library and compiler
combinations. In particular, there exists a risk that some bytes from
the privileged CA key may be accidentally included.
A full advisory for this issue is available at:
http://www.openssh.com/txt/legacy-cert.adv
Portable OpenSSH Bugfixes:
* Fix compilation failure when enableing SELinux support.
* Do not attempt to call SELinux functions when SELinux is disabled.
bz#1851
ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support for
signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is available
in the ChangeLog file.
Bugfixes:
* Enforcer: Fixed a number of build warnings.
OpenDNSSEC 1.2.0rc3:
* Moved migration instructions to the file MIGRATION
Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed pontential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed
in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in
signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.
OpenDNSSEC 1.2.0rc2:
Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.
OpenDNSSEC 1.2.0rc1:
* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes
Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up
failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being
read. Requires "ods-ksmutil update conf" to be run if using an existing
database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-seperated substrings
for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silence stdout-output from the notify command
OpenDNSSEC 1.2.0b1:
* A new signer engine, written in c. Zones are maintained in memory, instead of
in files on disk.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the
per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone
that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the
enforcer offline.
* Standby keys are now optional (default to 0) and should be considered
experimental.
Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found.
An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names
(Quicksorter is removed, signer now reads and sorts the zone).
What's new in Sudo 1.7.4p6?
* A bug has been fixed in the I/O logging support that could cause
visual artifacts in full-screen programs such as text editors.
* Allow more hash algorithms with the OpenPGP v2 card.
* The gpg-agent now tests for a new gpg-agent.conf on a HUP.
* Fixed output of "gpgconf --check-options".
* Fixed a bug where Scdaemon sends a signal to Gpg-agent running in
non-daemon mode.
* Fixed TTY management for pinentries and session variable update
problem.
What's new in Sudo 1.7.4p5?
* A bug has been fixed that would allow a command to be run without the
user entering a password when sudo's -g flag is used without the -u flag.
* If user has no supplementary groups, sudo will now fall back on checking
the group file explicitly, which restores historic sudo behavior.
* A crash has been fixed when sudo's -g flag is used without the -u flag
and the sudoers file contains an entry with no runas user or group listed.
* A bug has been fixed in the I/O logging support that could cause
visual artifacts in full-screen programs such as text editors,.
* A crash has been fixed when the Solaris project support is enabled
and sudo's -g flag is used without the -u flag.
* Sudo no longer exits with an error when support for auditing is
compiled in but auditing is not enabled.
* Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
being honored when the "targetpw" sudoers Defaults option was enabled.
* The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
* A crash has been fixed in "sudo -l" when sudo is built with auditing
support and the user is not allowed to run any commands on the host.
* only use the last 8 chars of the key -- it's the more common use, and
the wotsap urls only use them now
* convert optional "mykey" to uppercase before matching
* print correct date (misuse of non-local vars)
* On DragonFly, rmd160.h exists and required functions are defined there,
but not in any library, so ignore it.
* On DragonFly and FreeBSD, MD5 and MD4 functions are in libmd.
Changes since 1.1:
** gsasl: Add --no-cb to disable use of TLS channel bindings.
** build: Use silent build rules via automake.
Use 'make V=99' to see the command lines used.
** Update gnulib files.
** gsasl: Support for TLS channel bindings.
Requires GnuTLS 2.11.4 or later for the gnutls_session_channel_binding
function. Used by the SCRAM-SHA-1-PLUS mechanism.
** doc: Mention new property GSASL_CB_TLS_UNIQUE and SCRAM-SHA-1-PLUS.
** tests: Added self-tests for SCRAM-SHA-1-PLUS.
** gsasl: Avoid fixed size buffers.
This caused problems on Windows where the BUFSIZ was too small for
some line lengths with GS2-KRB5.
** tests: Fix error strings to be more unique.
** doc: Added section on how to build with MIT Kerberos for Windows.
** doc: Added PDF version of API reference manual.
See doc/reference/gsasl.pdf.
** i18n: Updated translations.
Thanks to Benno Schulenberg.
** doc: Explain GS2-related changes.
** doc: GTK-DOC manual improved.
Now almost all symbols and types are explained.
** gsasl: Fix crash when getaddrinfo does not get a canonical name.
** gsasl: Improve error message when server rejects authentication.
** tests: Self checks are improved.
** gsasl: Improve application data throughput.
Patch from Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/256>.
** Improve MinGW builds.
** doc: Fix doc/cyclo/ output.
** tests/crypto: Also test newly added SHA-1 interfaces.
** tests/scram: Also test GSASL_SCRAM_SALTED_PASSWORD case.
This code path triggered a crash in v1.3.
** i18n: Added Finnish translation.
Thanks to Jorma Karvonen <karvonen.jorma@gmail.com>.
** Experimental support for SCRAM-SHA-1 added.
Please test it but don't put it into production use, the RFC have not
been finalized yet. For this reason, the mechanism priority list is
such that SCRAM-SHA-1 will never be selected over any other mechanism
(including PLAIN, CRAM-MD5, and DIGEST-MD5). When it has been tested
further, we'll make SCRAM-SHA-1 the preferred mechanism after GSSAPI.
** gsasl: Fix libintl-related build errors on MinGW.
Tiny patch from "carlo.bramix" <carlo.bramix@libero.it>.
** doc: Typo fixes to manual.
Based on report by Marco Maggi <marco.maggi-ipsu@poste.it> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/222>.
** tests: Rewrite basic self test using modern API.
** tests: New self-test 'crypto' to increase code coverage.
** gsasl: Fix out of bounds write when in IMAP/SMTP mode.
Reported by Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
<http://thread.gmane.org/gmane.comp.gnu.gsasl.general/230>.
** doc: Rewritten introduction material.
** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use. In particular, libgsasl moved from the
'GNU Libraries' section to the 'Software libraries' as GNU SASL, and
'Invoking gsasl' moved from 'GNU utilities' to 'Security'.
** examples: Removed unneeded 'ctx' parameter from client_authenticate.
** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.
** New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
alternative from mk/jpeg.buildlink3.mk
This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).
The mechanical edits were applied via the following script:
#!/bin/sh
for d in */*; do
[ -d "$d" ] || continue
for i in "$d/"Makefile* "$d/"*.mk; do
case "$i" in *.orig|*"*"*) continue;; esac
out="$d/x"
sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
-e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
< "$i" > "$out"
if cmp -s "$i" "$out"; then
rm -f "$out"
else
echo "Edited $i"
mv -f "$i" "$i.orig" && mv "$out" "$i"
fi
done
done
2010-07-23 - 0.9.32.1
- Fixed missing header file resulting in compile errors
2010-07-23 - 0.9.32
- Added support for memory_limit > 2GB
- Fixed missing header file resulting in wrong php_combined_lcg()
prototype being used
- Improved random number seed generation more by adding /dev/urandom juice
2010-03-28 - 0.9.31
- Fix ZTS build of session.c
- Increased session identifier entropy by using /dev/urandom if available
2010-03-25 - 0.9.30
- Added line ending characters %0a and %0d to the list of
dangerous characters handled
by suhosin.server.encode and suhosin.server.strip
- Fixed crash bug with PHP 5.3.x and session module (due to
changed session globals struct)
- Added ! protection to PHP session serializer
- Fixed simulation mode now also affects (dis)allowed functions
- Fixed missing return (1); in random number generator replacements
- Fixed random number generator replacement error case behaviour
in PHP 5.3.x
- Fixed error case handling in function_exists() PHP 5.3.x
- Merged changes/fixes in import_request_variables()/extract()
from upstream PHP
- Fixed suhosin_header_handler to be PHP 5.3.x compatible
- Merge fixes and new features of PHP's file upload code to suhosin
The following changes have been made between John 1.7.5.1 and 1.7.6:
* Generic crypt(3) support (enabled with "--format=crypt") has been added for
auditing password hash types supported by the system but not yet supported by
John's own optimized cryptographic routines (such as "SHA-crypt" and SunMD5).
* Optional parallelization of the above has been implemented by means of OpenMP
along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C).
* Optional parallelization of John's own optimized code for the OpenBSD-style
Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has been added.
* A more suitable version of 32-bit x86 assembly code for Blowfish is now
chosen on Core i7 and similar CPUs (when they happen to run a 32-bit build).
* More optimal DES S-box expressions for PowerPC with AltiVec (making use of
the conditional select operation) contributed by Dumplinger Boy (Dango-Chu)
have been integrated.
* The bitslice DES C source code has been reworked to allow for the use of
arbitrary SIMD intrinsics, which was previously only implemented for AltiVec
as a special case.
* Support for SSE2 and MMX intrinsics with bitslice DES (as an alternative to
the supplied assembly code) has been added (currently only enabled for SSE2 on
x86-64 when compiling with GCC 4.4+).
* Support for mixed-type longer virtual vectors (such as SSE2+MMX, SSE2+ALU,
AltiVec+ALU, and other combinations) with bitslice DES has been added (not
enabled by default yet, primarily intended for easy benchmarks on future CPUs,
with future compiler versions, with even more SIMD instruction sets, and with
different DES S-box expressions that might be available in the future).
* The obsolete 32-bit SPARC assembly implementation of DES has been dropped.
* The loader will now detect password hashes specified on a line on their own,
not only as part of an /etc/passwd or PWDUMP format file.
* When run in "--stdin" mode and reading candidate passwords from a terminal
(to be typed by the user), John will no longer mess with the terminal settings.
* John will now restore terminal settings not only on normal termination or
interrupt, but also when forcibly interrupted with two Ctrl-C keypresses.
The following changes have been made between John 1.7.5 and 1.7.5.1:
* A new numeric variable has been added to the word mangling rules engine:
"p" for position of the character last found with the "/" or "%" commands.
The following changes have been made between John 1.7.4.2 and 1.7.5:
* Support for the use of "--format" along with "--show" or "--make-charset" has
been added.
* The choice of .rec and .log filenames for custom session names has been made
more intuitive.
* Support for "\r" (character lists with repeats) and "\p0" (reference to the
immediately preceding character list/range) has been added to the word mangling
rules preprocessor.
* The undefined and undocumented behavior of some subtle word mangling rules
preprocessor constructs has been changed to arguably be more sensible.
* Some bugs were fixed, most notably JtR crashing on no password hashes loaded
(bug introduced in 1.7.4.2).
The following changes have been made between John 1.7.4 and 1.7.4.2:
* Major performance improvements for processing of very large password files
or sets of files, especially with salt-less or same-salt hashes, achieved
primarily through introduction of two additional hash table sizes (64K and 1M
entries), changes to the loader, and smarter processing of successful guesses
(to accommodate getting thousands of hashes successfully cracked per second).
* Many default buffer and hash table sizes have been increased and thresholds
for the use of hash tables lowered, meaning that John will now tend to use
more memory to achieve better speed (unless it is told not to with the
"--save-memory" option).
* Some previously missed common website passwords found on public lists of
"top N passwords" have been added to the bundled common passwords list.
* Some bugs introduced in 1.7.4 and affecting wordlist mode's elimination of
consecutive duplicate candidate passwords have been fixed.
The following changes have been made between John 1.7.3.4 and 1.7.4:
* Support for back-references and "parallel" ranges has been added to the
word mangling rules preprocessor.
* The notion of numeric variables (to be used for character positions
and substring lengths along with numeric constants supported previously)
has been introduced into the rules engine. Two pre-defined variables
("l" for initial or updated word's length and "m" for initial or
memorized word's last character position) and 11 user-defined variables
("a" through "k") have been added. Additionally, there's a new numeric
constant: "z" for "infinite" position or length.
* New rule commands have been added: "A" (append, insert, or prefix with a
string), "X" (extract a substring from memory and insert), "v" (subtract
and assign to a numeric variable).
* New rule reject flags have been added: ":" (no-op, for use along with the
"parallel" ranges feature of the preprocessor) and "p" (reject unless word
pair commands are allowed, for sharing of the same ruleset between "single
crack" and wordlist modes).
* Processing of word mangling rules has been made significantly faster in
multiple ways (caching of the current length, less copying of data, code
and data placement changes for better branch prediction and L1 cache usage,
compiler-friendly use of local variables, code micro-optimizations,
removal of no-op rule commands in an initial pass).
* The default rulesets for "single crack" and wordlist modes have been
revised to make use of the new features, for speed, to produce fewer
duplicates, and to attempt additional kinds of candidate passwords (such
as for years 2010 through 2019 with "year-based" rules).
* The idle priority emulation code has been optimized for lower overhead when
there appears to be no other demand for CPU time.
* The default for the Idle setting has been changed from N to Y.
The following changes have been made between John 1.7.3.1 and 1.7.3.4:
* "make check" has been implemented (for Unix-like systems only).
* The "--test" option will now take an optional argument - the duration of each
benchmark in seconds.
* Section .note.GNU-stack has been added to all assembly files to avoid the
stack area unnecessarily being made executable on Linux systems that use this
mechanism.
* Some very minor bugs that did not affect normal operation have been fixed.
* Some unimportant compiler warnings have been fixed, a source code comment has
been made more verbose and more complete.
* Version 2.10.4 (released 2010-12-06)
** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
This makes us comply with RFC3279. Reported by Michael Rommel.
** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.
** minitasn1: Updated to Libtasn1 2.9.
** API and ABI modifications:
No changes since last version.
* Noteworthy changes in release 2.9 (2010-12-06) [stable]
- tests: Link to gnulib to avoid build error related to 'rpl_ftello' on Solaris.
Reported by Dagobert Michelsen.
- doc: Fix bug reporting address to point at help-libtasn1@gnu.org.
- doc: Fix Returns: documentation in Texinfo. Reported by Jeffrey Walton.
- build: Update gnulib files.
Security fix
v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid it will no longer fall back to VERIFY_NONE but throw
an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
pointing out the problem, see also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
distfile anymore. Add DIST_SUBDIR to force re-download of the tarball, which
content has been modified.
While here, switch DEPENDS to py-crypto instead of py-amkCrypto.
Bump PKG_REVISION.
pkgsrc changes:
- add a patch to fix an hardcoded interpreter path
- add a patch to actually find gmp library.
- add CONFLICTS with py-amkCrypto, both have files in common.
upstream changes:
2.3
===
* Fix NameError when attempting to use deprecated getRandomNumber()
function.
* _slowmath: Compute RSA u parameter when it's not given to
RSA.construct. This makes _slowmath behave the same as _fastmath in
this regard.
* Make RSA.generate raise a more user-friendly exception message when
the user tries to generate a bogus-length key.
2.2
===
* Deprecated Crypto.Util.number.getRandomNumber(), which had confusing
semantics. It's been replaced by getRandomNBitInteger and
getRandomInteger. (Thanks: Lorenz Quack)
* Better isPrime() and getPrime() implementations that do a real
Rabin-Miller probabilistic primality test (not the phony test we did
before with fixed bases). (Thanks: Lorenz Quack)
* getStrongPrime() implementation for generating RSA primes.
(Thanks: Lorenz Quack)
* Support for importing and exporting RSA keys in DER and PEM format
(Thanks: Legrandin)
* Fix PyCrypto when floor division (python -Qnew) is enabled.
* When building using gcc, use -std=c99 for compilation. This should
fix building on FreeBSD and NetBSD.
OpenSSL version 0.9.8q released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8q of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release. For a complete
list of changes, please see
http://www.openssl.org/source/exp/CHANGES.
The most significant changes are:
o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
0.50 Nov 21, 2010
- shell_quote in t/1_run.t was escaping '_' (bug report by
Andreas J. König)
- some typos corrected
- initial implementation of scp_cat
v1.34 2010.11.01
- schema http for certificate verification changed to
wildcards_in_cn=1, because according to rfc2818 this is valid and
also seen in the wild
- if upgrading socket from inet to ssl fails due to handshake problems
the socket gets downgraded, but is still open.
See https://rt.cpan.org/Ticket/Display.html?id=61466
- deprecate kill_socket, just use close()
2010-09-30 Gisle Aas <gisle@ActiveState.com>
Release 2.51
Florian Ragwitz (1):
Fix compilation with c++ compilers
Gisle Aas (1):
Fix repository specification in META.yml
2010-09-25 Gisle Aas <gisle@ActiveState.com>
Release 2.50
Chris 'BinGOs' Williams (1):
Amended tests to work with perl core.
Florian Ragwitz (3):
Attach context pointers using sv magic
Add failing test for thread cloning
Clone MD5 contexts on thread cloning
get_md5_ctx should never return anything but a valid pointer
Gisle Aas (1):
perl-5.6 no longer supported
Jesse Vincent (1):
Preserve utf8ness of argument [RT#44927]
LibTomCrypt is a fairly comprehensive, modular and portable
cryptographic toolkit that provides developers with a vast array of
well known published block ciphers, one-way hash functions, chaining
modes, pseudo-random number generators, public key cryptography and a
plethora of other routines. LibTomCrypt has been designed from the
ground up to be very simple to use. It has a modular and standard API
that allows new ciphers, hashes and PRNGs to be added or removed
without change to the overall end application. It features easy to
use functions and a complete user manual which has many source snippet
examples.
* Block Ciphers
* Blowfish
* XTEA
* RC5
* RC6
* SAFER+
* Rijndael (aka AES)
* Twofish
* SAFER (K64, SK64, K128, SK128)
* RC2
* DES, 3DES
* CAST5
* Noekeon
* Skipjack
* Anubis (with optional tweak as proposed by the developers)
* Khazad
* KASUMI
* SEED
* Chaining Modes
* ECB
* CBC
* OFB
* CFB
* CTR
* IEEE LRW mode
* F8 Chaining Mode
* One-Way Hash Functions
* MD2
* MD4
* MD5
* SHA-1
* SHA-224/256/384/512
* TIGER-192
* RIPE-MD 128/160/256/320
* WHIRLPOOL
* Message Authentication
* FIPS-198 HMAC (supports all hashes)
* CMAC, also known as OMAC1 (supports all ciphers)
* PMAC Authentication
* F9-MAC
* Pelican MAC
* Message Encrypt+Authenticate Modes
* EAX Mode
* OCB Mode
* CCM Mode (NIST spec)
* GCM Mode (IEEE spec)
* Pseudo-Random Number Generators
* Yarrow (based algorithm)
* RC4
* Support for /dev/random, /dev/urandom and the Win32 CSP RNG
* Fortuna
* SOBER-128
* Public Key Algorithms
* RSA (using PKCS #1 v1.5 and v2.1)
* ECC (EC-DSA X9.62 signatures, X9.63 EC-DH)
o With fast Fixed Point ECC support as well
o X9.63 import/export of public keys
* DSA (Users make their own groups)
* The math routines are pluggable which means you can use your own
math provider if you want.
* Other standards
* PKCS #1 (v1.5 and v2.1 padding)
* PKCS #5
* ASN.1 DER
OpenSSL version 0.9.8p released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8p of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release which addresses
CVE-2010-3864. For a complete list of changes,
please see http://www.openssl.org/source/exp/CHANGES.
