Commit graph

173551 commits

Author SHA1 Message Date
taca
68c6b1d3a2 Update postfix package to 2.8.4.
Postfix stable release 2.8.4 is available. This contains fixes and
workarounds that were already included with the Postfix 2.9
experimental release. Where applicable these fixes will also be
made available for the legacy releases Postfix 2.5..2.7.

    * Performance: a high load of DSN success notification requests
      could slow down the queue manager. Solution: make the trace
      client asynchronous, just like the bounce and defer clients.

    * The local(8) delivery agent ignored table lookup errors in
      mailbox_command_maps, mailbox_transport_maps, fallback_transport_maps
      and (while bouncing mail to alias) alias owner lookup.

    * Workaround: dbl.spamhaus.org rejects lookups with "No IP
      queries" even if the name has an alphanumerical prefix. We
      play safe, and skip both RHSBL and RHSWL queries for names
      ending in a numerical suffix.

    * The "sendmail -t" command reported "protocol error" instead
      of "file too large", "no space left on device" etc.

    * The Postfix Milter client reported a temporary error instead
      of "file too large" in three cases.

    * Linux kernel version 3 support. Linus Torvalds has reset the
      counters for reasons not related to changes in code.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.
2011-07-27 06:04:54 +00:00
pettai
d9bbc63005 Delete patch that is not needed 2011-07-27 05:33:03 +00:00
pettai
287c077b44 Updated security/dnssec-tools to 1.10 2011-07-27 05:30:56 +00:00
pettai
b205179d58 1.10:
- New Features:
    - New Apps:     (see the validator/apps directory for details)
                    - dnssec-check: check dnssec support from your ISP
                    - dnssec-nodes: graphically displays a DNS
                      hierarchy, color coded by each node's DNSSEC status
                    - dnssec-system-tray: displays pop-up
                      notifications when a libval-enabled application
                      triggers a DNSSEC error
                    - lookup: a graphical DNS lookup utility that
                      displays the results in a hierarchical tree and
                      color codes the window according to DNSSEC status

    - libval:       - Added support for building on Windows.
                    - added support for falling back to recursion when
                      the caching name server does not appear to
                      support DNSSEC. This also works as a mechanism
                      to work around poisoned or misbehaving cache.
                    - Significant improvements to the asynchronous support.
    - lsdnssec:     - Improvements to lsdnssec to display different
                      output depending on whether a zone is a
                      stand-alone zone or under control of rollerd.
    - nagios:       - Plugins for the nagios monitoring system which
                      enable monitoring of zone rollover states.
    - firefox:      - Improved patches that work with the most recent firefox

 Plus many more minor features and bug fixes

1.9:
 - New Features:
    - lsdnssec:     - Added a new flag (-p) to show only zones in a
                      particular rollerd phase.
                    - fixed bugs to align timing output with rollerd.
    - rollerd:      - Added a -logtz flag for logging timezones
                    - fixed bugs related to the -alwayssign flag.
                    - zonesigner's path is taken from the config file.
    - rollctl:      - Added -rollall and -rollzone options.
    - zonesigner:   - Assumes keys need to be generated for new zones
                      (Assumes -genkeys option was given if a keyrec file
                      can't be found.)
                    - Exits with unique exit codes if a failure occurs.
                      ("zonesigner -xc CODE" can look up a description for it.)
                    - Added the -phase option so rollover options could be
                      more easily specified.
    - lights:       - A simple GUI to check the status of rollover states
    - blinkenlights:- Added hide/show commands for rollrec names and zone
                      names, for split-zone support
    - cleankrf:     - Fixed deletion of obsolete set keyrecs.
    - GUI commands: - Fixed how the Exit command works so they don't coredump.

    - libsres
      & libval:     - New beta support for issuing asynchronous requests.
                      This can speed up queries by up to 4 times if used.
                      (see example code in validator/apps/validator_selftest.c)
                    - NSEC3, DLV and IPv6 are enabled by default.
                    - improved logging and logging-callback support.
    - drawvalmap    - Can output PNG files now

 - Packaging:
                    - Our download page now allows you to download
                      the C validator libraries independently of the
                      full DNSSEC-Tools tool-suite.

 - Many bugs were also fixed in the 240+ changes.
2011-07-27 05:30:31 +00:00
pettai
d435ad7bd7 Updated net/lftp to 4.3.1 2011-07-27 04:59:22 +00:00
pettai
0248607e57 Version 4.3.1 - 2011-06-28
* fixed a coredump in torrent on linux with a ppp interface.
* translation updated (ru).

Version 4.3.0 - 2011-06-17

* new command `attach' to control a backgrounded lftp.
* automatically fill torrent:ipv6 setting.
* slightly improved torrent status display.
* fixed reconnect interval (it was sometimes uninitialized).
* several fixes for the case of cmd:parallel>1
2011-07-27 04:57:47 +00:00
pettai
fe14a002d0 Updated mail/mimedefang to 2.72 2011-07-27 04:24:19 +00:00
pettai
6bb59532fe Here are the most important changes in MIMEDefang 2.72:
* In mimedefang.c, truncate overlong responses from the multiplexor. Also sanitize replies so "\r" doesn't get fed to smfi_setmlreply.
* If a slave process replies with a very long reply, have the multiplexor consume (and discard) the excess input so the multiplexor-to-slave protocol does not become de-synchronized.
* When mimedefang becomes a daemon, have it wait for a "go/no-go" message from the child before exiting. This should eliminate race conditions whereby the MTA starts before the milter socket is present.
* Avoid run-time errors from Unix::Syslog on some platforms.
2011-07-27 04:23:53 +00:00
pettai
35a15dc6ef Updated net/unbound to 1.4.12 2011-07-27 04:11:59 +00:00
pettai
bbda3e246c 1.4.12:
Bug Fixes:

* removed ldns-src tarball inside the unbound tarball.
* [bugzilla: 395 ]
  fix that id bits of other query may leak out under conditions
* fix replyaddr count wrong after jostled queries, which leads to eventual starvation where the daemon has no replyaddrs left to use.
* fix that the listening socket is not closed when too many remote control connections are made at the same time.
* version number in example config file.
* fix that --enable-static-exe does not complain about it unknown.
* iana portlist updated

1.4.11:

Features:

* log-queries: yesno option, default is no, prints querylog.
* ignore-cd-flag: yesno to provide dnssec to legacy servers.
* Use -flto compiler flag for link time optimization, if supported.
* unbound-control has version number in the header, and uses port number registered with IANA, 8953.

Bug Fixes:

* Fix Makefile for U in environment, since wrong U is more common than deansification necessity.
* defense in depth against the assertion failure bug fixed in 1.4.10, an error is printed to log instead of an assertion failure.
* [bugzilla: 386 ]
  --enable-allsymbols option links all binaries to libunbound and reduces install size significantly.
* Fix TTL of SOA so negative TTL is separately cached from normal TTL.
* configure created with newer autoconf 2.66.
* [bugzilla: 378 ]
  Fix that configure checks for ldns_get_random presence.
* queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.
* val-override-date: -1 ignores dates entirely, for NTP usage.
* harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.
* statistics-interval prints the number of jostled queries to log.
* IPv6 service address for d.root-servers.net (2001:500:2D::D).
* updated ldns tarball to 1.6.10rc2 snapshot
* iana portlist updated.
2011-07-27 04:11:25 +00:00
taca
4aa31883f0 Try to fix build problem with recent kerberos5 header?
The problem was noted by Paul Goyette on pkgsrc-users@.
2011-07-27 04:05:10 +00:00
pettai
fd4ea4b136 Updated net/ldns to 1.6.10 2011-07-27 04:03:01 +00:00
pettai
1d69d7b0ef 1.6.10
* New example tool added: ldns-gen-zone.
	* bugfix #359: Serial-arithmetic for the inception and expiration
	  fields of a RRSIG and correctly converting them to broken-out time
	  information.
	* bugfix #364: Slight performance increase of ldns-verifyzone.
	* bugfix #367: Fix to allow glue records with the same name as the
	  delegation.
	* Fix ldns-verifyzone to allow NSEC3-less records for NS rrsets *and*
	  glue when the zone is opt-out.
	* bugfix #376: Adapt ldns_nsec3_salt, ldns_nsec3_iterations,
	  ldns_nsec3_flags and ldns_nsec3_algorithm to work for NSEC3PARAMS too.
	* pyldns memory leaks fixed by Bedrich Kosata (at the cost of a bit
	  performance)
	* Better handling of reference variables in ldns_rr_new_frm_fp_l from
	  pyldns, with a very nice generator function by Bedrich Kosata.
	* Decoupling of the rdfs in rrs in the python wrappers to enable
	  the python garbage collector by Bedrich Kosata.
	* bugfix #380: Minimizing effect of discrepancies in sizeof(bool) at
	  build time and when used.
	* bugfix #383: Fix detection of empty nonterminals of multiple labels.
	* Fixed the omission of rrsets in nsec(3)s and rrsigs to all occluded
	  names (instead of just the ones that contain glue only) and all
	  occluded records on the delegation points (instead of just the glue).
	* Clarify the operation of ldns_dnssec_mark_glue and the usage of
	  ldns_dnssec_node_next_nonglue functions in the documentation.
	* Added function ldns_dnssec_mark_and_get_glue as a real fast
	  alternative for ldns_zone_glue_rr_list.
	* Fix parse buffer overflow for max length domain names.
	* Fix Makefile for U in environment, since wrong U is more common than
	  deansification necessity.
2011-07-27 04:02:30 +00:00
pettai
549e1ac54c Updated security/opendnssec to 1.3.0 2011-07-27 03:14:28 +00:00
pettai
da95c0930f OpenDNSSEC 1.3.0
* Include simple-dnskey-mailer-plugin in dist.
* Enforcer: Change message about KSK retirement to make it less confusing.

Bugfixes:
* ods-control: If the Enforcer did not close down, you entered an infinite loop.
* Signer Engine: Fix log message typos.
* Signer Engine: Fix crash where ods-signer update
* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
* Zonefetcher: Sometimes invalid 'Address already in use' occurred.
* Bugfix #247: Fixes bug introduced by bugfix #242.


OpenDNSSEC 1.3.0rc3

* Do not distribute trang.

Bugfixes:
* Fix test for java executable and others.
* Auditor: Fix delegation checks.
* Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone.
* ods-kaspcheck: Do not expect resalt in NSEC policy.
* Signer Engine: Ifdef a header file.
* Signer Engine: The default working directory was not specified.
* Signer Engine: Handle stdout console output throttling that would
  truncate daemon output intermittently.


OpenDNSSEC 1.3.0.rc2

* Match the names of the signer pidfile and enforcer pidfile.
* Include check for resign < resalt in ods-kaspcheck.

Bugfixes:
* Bugfix #231: Fix MySQL version check.
* ods-ksmutil: Update now sends a HUP to the enforcerd.
* Signer Engine: Fix assertion failure if zone was just added.
* Signer Engine: Don't hsm_close() on setup error.
* Signer Engine: Fix race condition bug when doing a single run.
* Signer Engine: In case of failure, also mark zone processed (single run).
* Signer Engine: Don't leak backup file descriptor.
* signconf.rnc now allows NSEC3 Iterations of 0


OpenDNSSEC 1.3.0rc1

* <SkipPublicKey/> is enabled for SoftHSM in the default configuration.
  It improves the performance by only using the private key objects.
* Document the <RolloverNotification> tag in conf.xml.

Bugfixes:
* Bugfix #221: Segmentation Fault on schedule.c:232
* Enforcer: 'make check' now works.
* Enforcer: Fixed some memory leaks in the tests.
* Signer Engine: Coverity report fixes some leaks and thread issues.
* Signer Engine: Now logs to the correct facility again.


OpenDNSSEC 1.3.0b1

* Support for signing the root. Use the zone name "."
* Enforcer: Stop import of policy if it is not consistent.
* ods-signer: The queue command will now also show what tasks the workers
  are working on.
* Signer Engine: Just warn if occluded zone data was found, don't stop signing process.
* Signer Engine: Simpler serial maintenance, reduces the number of conflicts.
  Less chance to hit a 'cannot update: serial too small' error message.
* Signer Engine: Simpler NSEC(3) maintenance.
* Signer Engine: Temperate the number of backup files.
* Signer Engine: Set number of <SignerThreads> in conf.xml to
  get peak performance from HSMs that can handle multiple threads.

Bugfixes:
* Bugreport #139: ods-auditor fails on root zone.
* Bugreport #198: Zone updates ignored?
* Replace tab with white-space when writing to syslog.
* Signer Engine: Do not block update command while signing.
2011-07-27 03:13:25 +00:00
taca
b42c7bfede Note update of net/samba33 and net/samba35 packages:
net/samba35	3.5.10
	net/samba33	3.3.16
2011-07-27 00:55:04 +00:00
taca
d5937f4400 Update samba33 package to 3.3.16; security fix for swat.
==============================
                   Release Notes for Samba 3.3.16
		           July 26, 2011
                   ==============================


This is a security release in order to address
CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).


o  CVE-2011-2522:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 is affected by a cross-site request forgery.


o  CVE-2011-2694:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 is affected by a cross-site scripting
   vulnerability.

Please note that SWAT must be enabled in order for these
vulnerabilities to be exploitable. By default, SWAT
is *not* enabled on a Samba install.


Changes since 3.3.15
--------------------


o   Kai Blin <kai@samba.org>
    * BUG 8289: SWAT contains a cross-site scripting vulnerability.
    * BUG 8290: CSRF vulnerability in SWAT.
2011-07-27 00:53:37 +00:00
taca
74098265ab Update samba35 package to 3.5.10; security fix for swat.
==============================
                   Release Notes for Samba 3.5.10
			   July 26, 2011
                   ==============================


This is a security release in order to address
CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).


o  CVE-2011-2522:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 is affected by a cross-site request forgery.


o  CVE-2011-2694:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 is affected by a cross-site scripting
   vulnerability.

Please note that SWAT must be enabled in order for these
vulnerabilities to be exploitable. By default, SWAT
is *not* enabled on a Samba install.


Changes since 3.5.9:
--------------------


o   Kai Blin <kai@samba.org>
    * BUG 8289: SWAT contains a cross-site scripting vulnerability.
    * BUG 8290: CSRF vulnerability in SWAT.
2011-07-27 00:52:20 +00:00
jakllsch
8305021583 Fix man page path with a patch. 2011-07-26 21:48:00 +00:00
jakllsch
241991ed03 +darktable 2011-07-26 21:39:45 +00:00
jakllsch
38d7eed1e2 Added graphics/darktable version 0.9 2011-07-26 21:38:59 +00:00
jakllsch
eff21da48d Add darktable package.
darktable is a photography workflow application: a virtual lighttable
and darkroom for photographers: it manages your digital negatives
in a database and lets you view them through a zoomable lighttable.
it also enables you to develop raw images and enhance them.
2011-07-26 21:37:47 +00:00
abs
f9b1f815d3 Fix native dynamic detection on amd64 - thanks riastradh@ for pointer 2011-07-26 21:00:24 +00:00
dholland
debb56fe4d When using clang, use devel/ucpp as the C preprocessor, as clang's cpp
destroys tabs in makefiles and thereby causes things to fail miserably.
2011-07-26 16:05:27 +00:00
hans
dbb4f5b385 Fix build on SunOS. 2011-07-26 14:17:52 +00:00
dholland
893fade611 radiance, from July 21 (woops) 2011-07-26 13:01:03 +00:00
agc
fc973b0ce3 Note addition of libvirt-0.9.3 2011-07-26 06:08:33 +00:00
agc
123af4e7a6 Add and enable libvirt 2011-07-26 06:07:26 +00:00
agc
a9708b7106 Initial import of libvirt version 0.9.3 into the packages collection.
libvirt is:
	+ A toolkit to interact with the virtualization capabilities of recent
	  versions of operating systems, see our project goals for details.
	+ A long term stable C API
	+ A set of bindings for common languages
	+ A CIM provider for the DMTF virtualization schema
	+ A QMF agent for the AMQP/QPid messaging system
	libvirt supports:
	+ The KVM/QEMU Linux hypervisor
	+ The Xen hypervisor
	+ The LXC Linux container system
	+ The OpenVZ Linux container system
	+ The User Mode Linux paravirtualized kernel
	+ The VirtualBox hypervisor
	+ The VMware ESX and GSX hypervisors
	+ The VMware Workstation and Player hypervisors
	+ Virtual networks using bridging, NAT, VEPA and VN-LINK.
	+ Storage on IDE/SCSI/USB disks, FibreChannel, LVM, iSCSI, NFS and filesystems
	libvirt provides:
	+ Remote management using TLS encryption and x509 certificates
	+ Remote management authenticating with Kerberos and SASL
	+ Local access control using PolicyKit
	+ Zero-conf discovery using Avahi multicast-DNS
	+ Management of virtual machines, virtual networks and storage

I'm fairly sure that the NetBSD part of the bridging code still needs
some more work, but I'll leave that as an exercise for someone more
versed in it than I am.
2011-07-26 06:05:00 +00:00
adam
7d2d862032 Updated security/clamav to 0.97.2 2011-07-25 23:00:07 +00:00
adam
a4d045da5a Changes 0.97.2
ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection,
hash matcher, and other minor issues. Please see the ChangeLog file for
details.
2011-07-25 22:59:12 +00:00
cheusov
9021e9237f Dependency on lua-lrexlib-pcre was added.
This fixes PR 45169 by Luke Mewburn.
Approved by lukem@
2011-07-25 20:10:50 +00:00
jakllsch
4ebc9515ec Correct to match reality. 2011-07-25 17:53:17 +00:00
jakllsch
a0a31e1ff3 Added graphics/lcms2 version 2.2 2011-07-25 17:50:39 +00:00
jakllsch
8901960bfe +lcms2 2011-07-25 17:50:03 +00:00
jakllsch
d88cadfef3 Add Little CMS 2 color correction package. 2011-07-25 17:48:55 +00:00
imil
b3fdd291fd Updated www/spawn-fcgi to 1.6.3nb3 2011-07-25 11:37:14 +00:00
imil
8e4bb458e4 Added missing `port' variable in files/spawnfcgi.sh 2011-07-25 11:36:28 +00:00
adam
ebba45d92a Updated textproc/icu to 4.8.1 2011-07-25 10:18:02 +00:00
adam
c748bc54bb Changes 4.8.1:
This is a maintenance release of ICU 4.8. No new APIs were added.
2011-07-25 10:16:54 +00:00
joerg
f489aad8b2 Updated www/py-uwsgi to 2.8.3 2011-07-25 10:16:32 +00:00
joerg
bfdef84cab Update to uwsgi-2.8.3:
- Various bugfixes and improvements
2011-07-25 10:15:00 +00:00
mef
cfb71b5a2f Updated textproc/namazu to 2.0.21 2011-07-25 07:06:21 +00:00
he
7632c3f5fd Note update of parrot to 3.5.0. 2011-07-25 06:44:59 +00:00
he
7694ff6dc3 Update to version 3.5.0.
Upstream changes:
- Core
  + Parrot_PMC_destroy, Parrot_PMC_mark and Parrot_PMC_invoke were removed from
    the public extension API.
  + PAST now has PAST::Stmt node types, supports reusable temporary registers.
  + Test coverage of the embedding and extending interface is now at least 95%.
  + A snapshot of Winxed is now included in Parrot core to facilitate writing
    core Parrot tools from a higher level language than PIR.
- Languages
  + Winxed
    - Improved compile time scope search.
    - Added 'using namespace' statement.
    - Compiler classes and functions now live in the Winxed;Compiler namespace.
- Tests
  + The Parrot test suite harness now understands the HARNESS_TIMER
    environment variable. Setting it to a true value will show timing results
    for a test run.
  + IPv6 tests are now parallel testing friendly.
2011-07-25 06:44:23 +00:00
jmcneill
5888e8b6ff support HID descriptors larger than 256 bytes 2011-07-24 18:00:06 +00:00
mef
cd6d2e88d6 Add acpica-utils-20110623.
(Distfile is acpica-unix2-20110623 for Dual license ?)
2011-07-24 15:15:29 +00:00
mef
8e28eb3734 Bump version PR#45170
2011-07-18  Tadamasa Teranishi  <yw3t-trns@asahi-net.or.jp>

        * configure.in: Bumped version number to 2.0.21.
        * configure.in (LTVERSION): Set "8:3:1".
        * man: update.
        * namazu.cgi:
           Fix IE6,7 cross-site scripting problem.
        * tests, pltests:
           Add New Tests.

make check has passed by changing '$WATATI =  ;' lines in pl/conf.pl
for LANG=ja, except $MECAB is set.
2011-07-24 14:31:34 +00:00
obache
5e3583e288 fix a typo, PR#45135. 2011-07-24 13:11:43 +00:00
obache
836a59eb09 jdk16 now works on DragonFly.
PR#45172.
2011-07-24 11:45:42 +00:00