Bump openvpn-acct-wtmpx to add its licence and to take into account the
new location of plugin directory
Significant changes since 2.2.x:
* Full IPv6 support
* SSL layer modularised, enabling easier implementation for other SSL
libraries
* PolarSSL support as a drop-in replacement for OpenSSL
* New plug-in API providing direct certificate access, improved logging API
and easier to extend in the future
* Added 'dev_type' environment variable to scripts and plug-ins - which
is set to 'TUN' or 'TAP'
* New feature: --management-external-key - to provide access to the
encryption keys via the management interface
* New feature: --x509-track option, more fine grained access to X.509
fields in scripts and plug-ins
* New feature: --client-nat support
* New feature: --mark which can mark encrypted packets from the tunnel,
suitable for more advanced routing and firewalling
* New feature: --management-query-proxy - manage proxy settings via the
management interface (supercedes --http-proxy-fallback)
* New feature: --stale-routes-check, which cleans up the internal
routing table
* New feature: --x509-username-field, where other X.509v3 fields can be
used for the authentication instead of Common Name
* Improved client-kill management interface command
* Improved UTF-8 support - and added --compat-names to provide backwards
compatibility with older scripts/plug-ins
* Improved auth-pam with COMMONNAME support, passing the certificate's
common name in the PAM conversation
* More options can now be used inside <connection> blocks
* Completely new build system, enabling easier cross-compilation and
Windows builds
* Much of the code has been better documented
* Many documentation updates
* Plenty of bug fixes and other code clean-ups
Features:
* Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
* RRL, --enable-ratelimit at configure time and config options.
* TSIG initialization only fails when there is no digest found at all.
Bugfixes:
* Bugfix #478: Declaration after statement (for gcc 2.95).
* Bugfix #483: Better error message in case of TSIG error.
* Bugfix #485: TTL should not be greater than 2^31 - 1.
* Fix RCODE when CNAME loop final answer does not exist, should
return NXDOMAIN as stated by RFC 6604.
* Fix --disable-full-prehash bug, where after multiple incoming
IXFRs, NSEC3 can be removed unjustified.
Summary for 4.3.0 tcpdump release
fixes for forces: SPARSE data (per RFC 5810)
some more test cases added
updates to documentation on -l, -U and -w flags.
Fix printing of BGP optional headers.
Tried to include DLT_PFSYNC support, failed due to headers required.
added TIPC support.
Fix LLDP Network Policy bit definitions.
fixes for IGMPv3's Max Response Time: it is in units of 0.1 second.
SIGUSR1 can be used rather than SIGINFO for stats
permit -n flag to affect print-ip for protocol numbers
ND_OPT_ADVINTERVAL is in milliseconds, not seconds
Teach PPPoE parser about RFC 4638
Summary for 4.2.1 tcpdump release
Only build the Babel printer if IPv6 is enabled.
Support Babel on port 6696 as well as 6697.
Include ppi.h in release tarball.
Include all the test files in the release tarball, and don't
"include" test files that no longer exist.
Don't assume we have <rpc/rpc.h> - check for it.
Support "-T carp" as a way of dissecting IP protocol 112 as CARP
rather than VRRP.
Support Hilscher NetAnalyzer link-layer header format.
Constify some pointers and fix compiler warnings.
Get rid of never-true test.
Fix an unintended fall-through in a case statement in the ARP
printer.
Fix several cases where sizeof(sizeof(XXX)) was used when just
sizeof(XXX) was intended.
Make stricter sanity checks in the ES-IS printer.
Get rid of some GCCisms that caused builds to fai with compilers
that don't support them.
Fix typo in man page.
Added length checks to Babel printer.
Summary for 4.2.+
merged 802.15.4 decoder from Dmitry Eremin-Solenikov <dbaryshkov
at gmail dot com>
updates to forces for new port numbers
Use "-H", not "-h", for the 802.11s option. (-h always help)
Better ICMPv6 checksum handling.
add support for the RPKI/Router Protocol, per -ietf-sidr-rpki-rtr-12
get rid of uuencoded pcap test files, git can do binary.
sFlow changes for 64-bit counters.
fixes for PPI packet header handling and printing.
Add DCB Exchange protocol (DCBX) version 1.01.
Babel dissector, from Juliusz Chroboczek and Grégoire Henry.
improvements to radiotap for rate values > 127.
Many improvements to ForCES decode, including fix SCTP TML port
updated RPL type code to RPL-17 draft
Improve printout of DHCPv6 options.
added support and test case for QinQ (802.1q VLAN) packets
Handle DLT_IEEE802_15_4_NOFCS like DLT_IEEE802_15_4.
Build fixes for Sparc and other machines with alignment restrictions.
Merged changes from Debian package.
PGM: Add ACK decoding and add PGMCC DATA and FEEDBACK options.
Build fixes for OSX (Snow Leopard and others)
Add support for IEEE 802.15.4 packets
Summary for 4.1.2 tcpdump release
If -U is specified, flush the file after creating it, so it's
not zero-length
Fix TCP flags output description, and some typoes, in the man
page
Add a -h flag, and only attempt to recognize 802.11s mesh
headers if it's set
When printing the link-layer type list, send *all* output to
stderr
Include the CFLAGS setting when configure was run in the
compiler flags
Summary for 1.3.0 libpcap release
Handle DLT_PFSYNC in {FreeBSD, other *BSD+Mac OS X, other}.
Linux: Don't fail if netfilter isn't enabled in the kernel.
Add new link-layer type for NFC Forum LLCP.
Put the CANUSB stuff into EXTRA_DIST, so it shows up in the release tarball.
Add LINKTYPE_NG40/DLT_NG40.
Add DLT_MPEG_2_TS/LINKTYPE_MPEG_2_TS for MPEG-2 transport streams.
[PATCH] Fix AIX-3.5 crash with read failure during stress
AIX fixes.
Introduce --disable-shared configure option.
Added initial support for canusb devices.
Include the pcap(3PCAP) additions as 1.2.1 changes.
many updates to documentation: pcap.3pcap.in
Improve 'inbound'/'outbound' capture filters under Linux.
Note the cleanup of handling of new DLT_/LINKTYPE_ values.
On Lion, don't build for PPC.
For mac80211 devices we need to clean up monitor mode on exit.
Summary for 1.2.1 libpcap release
Update README file.
Fix typoes in README.linux file.
Clean up some compiler warnings.
Fix Linux compile problems and tests for ethtool.h.
Treat Debian/kFreeBSD and GNU/Hurd as systems with GNU
toolchains.
Support 802.1 QinQ as a form of VLAN in filters.
Treat "carp" as equivalent to "vrrp" in filters.
Fix code generated for "ip6 protochain".
Add some new link-layer header types.
Support capturing NetFilter log messages on Linux.
Clean up some error messages.
Turn off monitor mode on exit for mac80211 interfaces on Linux.
Fix problems turning monitor mode on for non-mac80211 interfaces
on Linux.
Properly fail if /sys/class/net or /proc/net/dev exist but can't
be opened.
Fail if pcap_activate() is called on an already-activated
pcap_t, and add a test program for that.
Fix filtering in pcap-ng files.
Don't build for PowerPC on Mac OS X Lion.
Simplify handling of new DLT_/LINKTYPE_ values.
Expand pcap(3PCAP) man page.
Summary for 1.2 libpcap release
All of the changes listed below for 1.1.1 and 1.1.2.
Changes to error handling for pcap_findalldevs().
Fix the calculation of the frame size in memory-mapped captures.
Add a link-layer header type for STANAG 5066 D_PDUs.
Add a link-layer type for a variant of 3GPP TS 27.010.
Noted real nature of LINKTYPE_ARCNET.
Add a link-layer type for DVB-CI.
Fix configure-script discovery of VLAN acceleration support.
see http://netoptimizer.blogspot.com/2010/09/tcpdump-vs-vlan-tags.html
Linux, HP-UX, AIX, NetBSD and OpenBSD compilation/conflict fixes.
Protect against including AIX 5.x's <net/bpf.h> having been included.
Add DLT_DBUS, for raw D-Bus messages.
Treat either EPERM or EACCES as "no soup for you".
Changes to permissions on DLPI systems.
Add DLT_IEEE802_15_4_NOFCS for 802.15.4 interfaces.
own build docs), this actually makes remmina offer ssh and sftp, and makes
the NX plugin build. Thus bumping revision.
XXX TODO:
XXX - RDP still isn't offered in the menu.
XXX - upstream package is 1.0
Thanks to Noud Brouwer for the original libssh-0.5.4 package from
pkgsrc-wip, which was used as security/libssh with some corrections.
- Bug Fixes
The following vulnerabilities have been fixed.
o wnpa-sec-2013-01
Infinite and large loops in the Bluetooth HCI, CSN.1, DCP-ETSI
DOCSIS CM-STAUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS,
SDP, and SIP dissectors. Reported by Laurent Butti. (Bugs
8036, 8037, 8038, 8040, 8041, 8042, 8043, 8198, 8199, 8222)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-02
The CLNP dissector could crash. Discovered independently by
Laurent Butti and the Wireshark development team. (Bug 7871)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-03
The DTN dissector could crash. (Bug 7945)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-04
The MS-MMC dissector (and possibly others) could crash. (Bug
8112)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-05
The DTLS dissector could crash. Discovered by Laurent Butti.
(Bug 8111)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-06
The ROHC dissector could crash. (Bug 7679)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-07
The DCP-ETSI dissector could corrupt memory. Discovered by
Laurent Butti. (Bug 8213)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-08
The Wireshark dissection engine could crash. Discovered by
Laurent Butti. (Bug 8197)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
o wnpa-sec-2013-09
The NTLMSSP dissector could overflow a buffer. Discovered by
Ulf Härnhammar. (Bug X)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
- The following bugs have been fixed:
o SNMPv3 Engine ID registration. (Bug 2426)
o Wrong decoding of gtp.target identification. (Bug 3974)
o Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
o Wireshark crashes when starting due to out-of-date plugin left
behind from earlier installation. (Bug 7401)
o Failed to dissect TLS handshake packets. (Bug 7435)
o ISUP dissector problem with empty Generic Number. (Bug 7632)
o Illegal character is used in temporary capture file name. (Bug
7877)
o Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
o Timestamp info is not saved correctly when writing DOS Sniffer
files. (Bug 7998)
o 1.8.3 Wireshark User's Guide version is 1.6. (Bug 8009)
o Core dumped when the file is closed. (Bug 8022)
o LPP is misspelled in APDU parameter in
e-CIDMeasurementInitiation request for LPPA message. (Bug
8023)
o Wrong packet bytes are selected for ISUP CUG binary code. (Bug
8035)
o Decodes FCoE Group Multicast MAC address as Broadcom MAC
address. (Bug 8046)
o The SSL dissector stops decrypting the SSL conversation with
Malformed Packet:SSL error messages. (Bug 8075)
o Unable to Save/Apply [Unistim Port] in Preferences. (Bug 8078)
o Some Information Elements in GTPv2 are not dissected
correctly. (Bug 8079)
o Wrong bytes highlighted with "Find Packet...". (Bug 8085)
o 3GPP ULI AVP. SAI is not correctly decoded. (Bug 8098)
o Wireshark does not show "Start and End Time" information for
Cisco Netflow/IPFIX with type 154 to 157. (Bug 8105)
o GPRS Tunnel Protocoll GTP Version 1 does not decode DAF flag
in Common Flags IE. (Bug 8193)
o Wrong parcing of ULI of gtpv2 messages - errors in SAC, RAC &
ECI. (Bug 8208)
o Version Number in EtherIP dissector. (Bug 8211)
o Warn Dissector bug, protocol JXTA. (Bug 8212)
o Electromagnetic Emission Parser parses field Event Id as
Entity Id. (Bug 8227)
- Updated Protocol Support
ANSI IS-637-A, ASN.1 PER, AX.25, Bluetooth HCI, CLNP, CSN.1,
DCP-ETSI, DIAMETER, DIS PDU, DOCSIS CM-STATUS, DTLS, DTN, EtherIP,
Fibre Channel, GPRS, GTP, GTPv2, HomePlug AV, IEEE 802.3 Slow,
IEEE 802.15.4, ISUP, JXTA, LAPD, LPPa, MPLS, MS-MMC, NAS-EPS,
NTLMSSP, ROHC, RSL, RTPS, SDP, SIP, SNMP, SSL
- New and Updated Capture File Support
DOS Sniffer
The Tor Project ceased to recommend privoxy years ago; the only way
they recommend browsing the web is through the Tor Browser Bundle,
which Someone^TM ought to find some way to package up.
==============================
Release Notes for Samba 3.6.12
January 30, 2013
==============================
This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
o CVE-2013-0213:
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
o CVE-2013-0214:
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
Changes since 3.6.11:
--------------------
o Kai Blin <kai@samba.org>
* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
==============================
Release Notes for Samba 3.5.21
January 30, 2013
==============================
This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
o CVE-2013-0213:
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
o CVE-2013-0214:
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
Changes since 3.5.20:
---------------------
o Kai Blin <kai@samba.org>
* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
Also bump PKGREVISION for a few packages using it.
The packages I did this for:
net/yaz
lang/parrot
misc/openoffice3 (where I noticed the run-time failure due to missing shared library)
www/webkit-gtk
sysutils/open-vm-tools
inputmethod/ibus-qt
I didn't do this recursively or for all packages using icu
since I didn't know if they used the shared library directly,
some use was optional. The list of packages I didn't touch:
devel/devhelp
databases/idzebra
databases/sqlite3
devel/gnustep-base/
finance/gnucash
games/openttd
graphics/shotwell
lang/mono
meta-pkgs/boost
misc/calibre
misc/libreoffice
news/tin
textproc/php-intl
www/deforaos-surfer
www/epiphany
www/liferea-current
www/midori
================
Changes in PyZMQ
================
2.2.0.1
=======
This is a tech-preview release, to try out some new features.
It is expected to be short-lived, as there are likely to be issues to iron out,
particularly with the new pip-install support.
Experimental New Stuff
----------------------
These features are marked 'experimental', which means that their APIs are not set in stone,
and may be removed or changed in incompatible ways in later releases.
Threadsafe ZMQStream
********************
With the IOLoop inherited from tornado, there is exactly one method that is threadsafe:
:meth:`.IOLoop.add_callback`. With this release, we are trying an experimental option
to pass all IOLoop calls via this method, so that ZMQStreams can be used from one thread
while the IOLoop runs in another. To try out a threadsafe stream:
.. sourcecode:: python
stream = ZMQStream(socket, threadsafe=True)
pip install pyzmq
*****************
PyZMQ should now be pip installable, even on systems without libzmq.
In these cases, when pyzmq fails to find an appropriate libzmq to link against,
it will try to build libzmq as a Python extension.
This work is derived from `pyzmq_static <https://github.com/brandon-rhodes/pyzmq-static>`_.
To this end, PyZMQ source distributions include the sources for libzmq (2.2.0) and libuuid (2.21),
both used under the LGPL.
zmq.green
*********
The excellent `gevent_zeromq <https://github.com/traviscline/gevent_zeromq>`_ socket
subclass which provides `gevent <http://www.gevent.org/>`_ compatibility has been merged as
:mod:`zmq.green`.
.. seealso::
:ref:`zmq_green`
Bugs fixed
----------
* TIMEO sockopts are properly included for libzmq-2.2.0
* avoid garbage collection of sockets after fork (would cause ``assert (mailbox.cpp:79)``).
2.2.0
=====
Some effort has gone into refining the pyzmq API in this release to make it a model for
other language bindings. This is principally made in a few renames of objects and methods,
all of which leave the old name for backwards compatibility.
.. note::
As of this release, all code outside ``zmq.core`` is BSD licensed (where
possible), to allow more permissive use of less-critical code and utilities.
Name Changes
------------
* The :class:`~.Message` class has been renamed to :class:`~.Frame`, to better match other
zmq bindings. The old Message name remains for backwards-compatibility. Wherever pyzmq
docs say "Message", they should refer to a complete zmq atom of communication (one or
more Frames, connected by ZMQ_SNDMORE). Please report any remaining instances of
Message==MessagePart with an Issue (or better yet a Pull Request).
* All ``foo_unicode`` methods are now called ``foo_string`` (``_unicode`` remains for
backwards compatibility). This is not only for cross-language consistency, but it makes
more sense in Python 3, where native strings are unicode, and the ``_unicode`` suffix
was wedded too much to Python 2.
Other Changes and Removals
--------------------------
* ``prefix`` removed as an unused keyword argument from :meth:`~.Socket.send_multipart`.
* ZMQStream :meth:`~.ZMQStream.send` default has been changed to `copy=True`, so it matches
Socket :meth:`~.Socket.send`.
* ZMQStream :meth:`~.ZMQStream.on_err` is deprecated, because it never did anything.
* Python 2.5 compatibility has been dropped, and some code has been cleaned up to reflect
no-longer-needed hacks.
* Some Cython files in :mod:`zmq.core` have been split, to reduce the amount of
Cython-compiled code. Much of the body of these files were pure Python, and thus did
not benefit from the increased compile time. This change also aims to ease maintaining
feature parity in other projects, such as
`pyzmq-ctypes <https://github.com/svpcom/pyzmq-ctypes>`_.
New Stuff
---------
* :class:`~.Context` objects can now set default options when they create a socket. These
are set and accessed as attributes to the context. Socket options that do not apply to a
socket (e.g. SUBSCRIBE on non-SUB sockets) will simply be ignored.
* :meth:`~.ZMQStream.on_recv_stream` has been added, which adds the stream itself as a
second argument to the callback, making it easier to use a single callback on multiple
streams.
* A :attr:`~Frame.more` boolean attribute has been added to the :class:`~.Frame` (née
Message) class, so that frames can be identified as terminal without extra queires of
:attr:`~.Socket.rcvmore`.
Experimental New Stuff
----------------------
These features are marked 'experimental', which means that their APIs are not
set in stone, and may be removed or changed in incompatible ways in later releases.
* :mod:`zmq.web` added for load-balancing requests in a tornado webapp with zeromq.
This plugin for the agent provides two tasks that were previously distributed
separatly:
* the NetDiscovery task allows the agent to scan the network to find remote
devices, through nmap, NetBios or SNMP, and to identify them
* the NetInventory task allows the agent to extract various informations from
a remote device through SNMP protocol
The FusionInventory agent is a generic management agent. It can perform a
certain number of tasks, according to its own execution plan, or on behalf of a
GLPI server with fusioninventory plugin, acting as a control point.
Two of these tasks are included in agent source distribution, local inventory
and wake on lan. Other tasks are distributed separatly, excepted for binary
distributions where they are bundled together.
