Commit graph

6469 commits

Author SHA1 Message Date
dholland
0f9463f6ac Import gnome-keyring-sharp from wip (with only a couple trivial adjustments)
so f-spot can use it.
2012-06-16 22:00:23 +00:00
pettai
3ac4b134f3 1.3.6
* Added libpam-runtime support for debian
* Added use_first_pass and try_first_pass option, thanks to Luc Ducazu <lducazu@gmail.com>
* Changed e-mail address to jeroen@jeroennijhof.nl
* Improved accounting, added cmd attribute for command logging
* Added tac_acct_flag2str()
* Renamed tac_account_read, tac_account_send to tac_acct_read and tac_acct_send
* pam_tacplus.spec.in: fixed static library path and pam_tacplus.so location
* Debian packaging improvements
2012-06-16 21:59:41 +00:00
pettai
956d7d2539 1.12.2 (5/3/12)
- Bug fix release
   - Rollerd's -alwayssign flag logic had a critical error that could
     have caused a zone to be signed with the wrong ZSK at particular
     points of the ZSK key rolling process.
2012-06-16 21:25:58 +00:00
pettai
4928453dd3 Version 2.12 (released 2012-06-15)
* Only use libyubikey when --with-cr is used.

 * Set correct permissions on tempfile.

 * YubiKey 2.2 contains a bug in challenge-response that makes it output the
   same response to all challenges unless HMAC_LT64 is set. Add warnings to
   ykpamcfg and a warning through conversate in the pam module. Keys programmed
   like this should be reprogrammed with the HMAC_LT64 flag set.
2012-06-16 20:45:33 +00:00
pettai
eac69ed19e Version 1.6.4 (released 2012-05-24)
* Implement option -ooath-id to easily set OATH token identifier.

 * Fix numerous compiler warnings from clang. Thanks to
   Clemens Lang <neverpanic@gmail.com>.
2012-06-16 20:38:51 +00:00
pettai
2a4aab7de0 Version 2.8 (released 2012-06-15)
* ykclient: Add C++ namespace protection.

 * Add multi-server support with curl_multi.
   Enabled by default for YubiCloud servers.
   Settable with the new library function set_template_urls() or
   the urls parameter to ykclient_verify_otp_v2().

 * Remove extra % in ykclient help.

 * Add ca path option to ykclient, --ca.
   Patch from Jay Kline <jay.kline.ctr@hpcmo.hpc.mil>.

 * Make the nonce unique for consecutive calls to the same ykclient handle.

 * Do url encoding of OTP before sending.

 * Fix segfault on curl error.
   Patch from Lee Hinman <lee.hinman.ctr@hpc.mil>
2012-06-16 20:32:05 +00:00
pettai
7043b02f8b Version 1.9 (released 2012-05-31)
* Updated ld-version-script from gnulib to silence warnings.

* Fix out-of-tree builds.
2012-06-16 20:26:12 +00:00
pettai
fa0355ce7e Added sks 2012-06-16 18:59:13 +00:00
pettai
755a438c04 SKS is a new OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized, and highly reliable synchronization.  That means that a key
submitted to one SKS server will quickly be distributed to all key servers,
and even wildly out-of-date servers, or servers that experience spotty
connectivity, can fully synchronize with rest of the system.
2012-06-16 18:55:30 +00:00
taca
6d58c00211 Remove php-mhash which is only supported by PHP 5.2. 2012-06-16 15:09:36 +00:00
taca
849644eed7 Remove php-mhash. 2012-06-16 15:08:56 +00:00
markd
e43be93ef2 Update to KDE SC 4.8.4
Bug fixes.
2012-06-16 04:45:28 +00:00
taca
168d52337a Restrict to PHP 5.2.x and 5.3.x since there is no PHP 5.4.x officially yet. 2012-06-16 02:59:48 +00:00
sbd
a5f279dac6 Recursive PKGREVISION bump for misc/kdepimlibs4 buildlink addition. 2012-06-14 22:09:28 +00:00
sbd
21792a9296 Recursive PKGREVISION bump for libxml2 buildlink addition. 2012-06-14 07:43:06 +00:00
wiz
f98e8b0585 Add inet6 to default suggested options. It's 2012. 2012-06-12 15:45:54 +00:00
adam
0c824443da Changes 0.64.0:
* authpam.c (callback_pam): Call pam_end() after an authentication attempt.
* Makefile.am: Renamed authstaticlist.h to courierauthstaticlist.h, and
added it to the list of header files that 'make install' puts into
includedir.
* Fix gcc 4.6 warnings
* courier.spec.in: switch to systemd.
* Fix autoconf warnings.
* courier-authlib.spec: Make rpmlint happy.
2012-06-09 11:57:20 +00:00
pettai
596f9b920a validns 0.5
Parallelize signature verification (-n option)
2012-06-08 21:58:07 +00:00
fhajny
59de2d2cc4 Add readline support 2012-06-08 12:50:33 +00:00
tez
f3d519bd37 Fix for CVE-2012-1013 from:
ca29094400
2012-06-06 18:17:46 +00:00
wiz
c47ca04822 Update to 2.13:
* Noteworthy changes in release 2.13 (2012-05-31) [stable]
- Updated fix for DER decoding issue to not depend on specific compilers.
- Updated DER decoding check to apply to short form integers as well.
2012-06-03 21:33:26 +00:00
bsiegert
e4057605cd + p5-BSD-arc4random 2012-06-02 14:32:15 +00:00
bsiegert
890fe76cd0 Import BSD::arc4random from wip. From DESCR:
This module provides a Perl API for the BSDs' arc4random(3) suite
of functions and adds a few high-level functions, such as the new
arc4random_uniform(3). The Perl functions are ithreads-safe (only
if threads::shared is required). Scalars can be tied to this package,
yielding uniformly distributed random numbers with an arbitrary
upper bound on read access, contributing to the RC4 entropy
pool on write access. An exported global $RANDOM variable returns
15-bit unsigned random numbers, from [0; 32767], similar to mksh.
Furthermore, Perl's internal PRNG is seeded with entropy obtained
from the arc4random generator once on module load time.
2012-06-02 14:29:42 +00:00
taca
5bb6151de0 Update ruby-net-ssh to 2.5.2.
=== 2.5.2 / 25 May 2012

* Fix for Net::SSH::KnownHosts::SUPPORTED_TYPE [Marco Sandrini]

=== 2.5.1 / 24 May 2012

* Added missing file to manifest [Marco Sandrini]

=== 2.5.0 / 24 May 2012

* Implement many algorithms [Ryosuke Yamazaki]
  * Key Exchange
    * diffie-hellman-group14-sha1
    * ecdh-sha2-nistp{256,384,521}
  * Host Key
    * ecdsa-sha2-nistp{256,384,521}
  * Authentication
    * ecdsa-sha2-nistp{256,384,521}
  * HMAC
    * hmac-ripemd160
  * Cipher:
    * aes{128,192,256}-ctr
    * camellia{128,192,256}-ctr
    * blowfish-ctr
    * cast128-ctr
    * 3des-ctr
    * arcfour (has problems with weak keys, and should be used with caution)
    * camellia{128,192,256}-cbc

=== 2.4.0 / 17 May 2012

* Support for JRuby + Pageant + Windows [arturaz]
2012-06-02 01:01:29 +00:00
dholland
584e5f8b4e LIBS.SunOS+=-lsocket -lnsl 2012-06-01 00:16:02 +00:00
imil
eb7e06e6aa add & enable clusterssh 2012-05-31 16:56:08 +00:00
imil
c81e08a7de Initial import of clusterssh, version 4.01.01, into the NetBSD Packages
Collection.

This is the Perl application bundle for ClusterSSH (a.k.a cssh), formally
a GNU tools based project.

ClusterSSH is a tool for making the same change on multiple servers at
the same time.  The 'cssh' command opens an administration console and
an xterm to all specified hosts.  Any text typed into the administration
console is replicated to all windows.  All windows may also be typed into
directly.

This tool is intended for (but not limited to) cluster administration
where the same configuration or commands must be run on each node
within the cluster.  Performing these commands all at once via this
tool ensures all nodes are kept in sync.
2012-05-31 16:54:10 +00:00
imil
fb7c5aa408 Added support for OpenSSH-lpk
The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong
user authentication by using an LDAP server for retrieving public keys instead
of ~/.ssh/authorized_keys.
2012-05-31 11:58:37 +00:00
sno
1c0c936f56 Updating package for CPAN module Net::OpenSSH in security/p5-Net-OpenSSH
from 0.52 to 0.57.

Upstream changes:
0.57  Dec 21, 2011
        - quote equal sign
        - do not quote commas

0.56_01  Dec 8, 2011
        - rsync methods were failing when user was defined (bug report
          by black_fire)
        - detect when the destructor is being called from a different
          thread (bug report by troy99 at PerlMonks)
        - support for Net::OpenSSH::Gateway added

0.55  Dec 6, 2011
        - solve regression from 0.53_03: rsync methods were broken
          because the hostname was not being correctly removed from
          the ssh command passed to rsync (bug report by Mithun
          Ayachit)

0.54  Dec 4, 2011
        - release as stable

0.53_05  Nov 23, 2011
        - scp methods were broken when a user was given (bug report by
          Andrew J. Slezak)
        - add support for verbose option in scp methods
        - implement parse_connections_opts
        - solve bug related to expansion of HOST var when an IPv6
          address was given
        - move FACTORY docs to the right place
        - add FAQ about running remote commands via sudo
        - add sample for Net::Telnet integration
        - add sample for sudo usage reading password from DATA

0.53_04  Sep 2, 2011
        - add default_ssh_opts feature
        - getpwuid may fail, check $home is defined before using it
        - add FAQ entry about MaxSessions limit reached
        - move FACTORY docs to the right place

0.53_03  Aug 18, 2011
        - handling of default_std*_file was broken (bug report and
          patch by Nic Sandfield)
        - keep errors from opening default slave streams
        - add Net::OpenSSH::ConnectionCache package
        - add FACTORY hook
        - place '--' in ssh command after host name
        - add support for die_on_error
        - add support for batch_mode feature
        - typo in sample code corrected (reported by Fernando Sierra)
        - using { stdin_data => [] } was generating warnings

0.53_02  Jul 12, 2011
        - add support for custom login handlers
        - remove SIG{__WARN__} localizations

0.53_01  May 15, 2011
        - quoter and glob_quoter fully rewritten from scratch
        - quoter was not handling "\n" correctly (bug report and work
          around by Skeeve)
        - minor doc improvements
2012-05-31 08:53:04 +00:00
sno
a20e4011cd Updating package for Perl module IO::Socket::SSL from CPAN in
security/p5-IO-Socket-SSL from 1.66 to 1.74.

Upstream changes:
v1.74 2012.05.13
- accept a version of SSLv2/3 as SSLv23, because older documentation
  could be interpreted like this
v1.73 2012.05.11
- make test t/dhe.t hopefully work for more versions of openssl
  Thanks to paul[AT]city-fan[DOT]org for providing bug reports and
  testing environment
v1.72 2012.05.10
- set DEFAULT_CIPHER_LIST to ALL:!LOW instead of HIGH:!LOW
  Thanks to dcostas[AT]gmail[DOT]com for problem report
v1.71 2012.05.09
- 1.70 done right. Also don't disable SSLv2 ciphers, SSLv2 support is better
  disabled by the default SSL_version of 'SSLv23:!SSLv2'
v1.70 2012.05.08
- make it possible to disable protocols using SSL_version, make SSL_version
  default to 'SSLv23:!SSLv2'
v1.69 2012.05.08
- re-added workaround in t/dhe.t
v1.68 2012.05.07
- remove SSLv2 from default cipher list, which makes failed tests after last
  change work again, fix behavior for empty cipher list (use default)
v1.67 2012.05.07
- https://rt.cpan.org/Ticket/Display.html?id=76929
  thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for reporting
  - if no explicit cipher list is given it will now default to ALL:!LOW instead
    of the openssl default, which usually includes weak ciphers like DES.
  - new config key SSL_honor_cipher_order and documented how to use it to fight
    BEAST attack.
2012-05-31 08:50:01 +00:00
sno
562314dfd4 Updating package for CPAN module Net::SSLeay in security/p5-Net-SSLeay
from 1.45 to 1.48.

Upstream changes since 1.45:
1.48 2012-04-25
     Removed unneeded Debian_CPANTS.txt from MANIFEST.
     Fixed incorrect documentation about the best way to call CTX_set_options.
     Fixed problem that caused Undefined subroutine utf8::encode @
     t/local/33_x509_create_cert.t (on perl 5.6.2). Thanks to kmx.
     In examples and pod documentations, changed #!/usr/local/bin/perl to #!/usr/bin/perl.
     t/local/06_tcpecho.t now tries a number of ports to bind to until
     successful.

1.47 2012-04-04
     Fixed overlong lines in pod, patch from Salvatore Bonaccorso, Debian Perl
     Group
     Fixed spelling errors in pod, patch from Salvatore Bonaccorso, Debian Perl
     Group
     Fixed extra "garbage" files in 1.46 tarball. Patch from kmx.
     Fixed incorrect fail reports on some 64 bit platforms. Patch from paul.
     Fix to avoid FAIL reports from cpantesters with missing openssl
     Use my_snprintf from ppport.h to prevent link failures with perl 5.8 and
     earlier when compiled with MSVC.

1.46 2012-04-03
     Fixed a problem reported by Atoomic:
      When bootstrapping Net::SSLeay ( with DynaLoader ) if you override the SIG{DIE} signal, using
      Net::SSLeay will result in an error.
      Recreated META.yml, added META.yml to dist
      Fixed typo: the word "corresponding" was mis-spelled as "coresponding"
       throughout the POD. Patched by kmx.
      Updated META.yml to include repository and bugtracker
     Constants cleanup - removing non existing constants (perhaps from pre-0.9.6 era) - kmx
     Automatic constants.c generation via helper_script/regen_openssl_constants.pl - kmx
     Future changes in constants now under better control via
     t/local/21_constants.t - kmx
     Added missing new files
     Reordering @EXPORT_OK (constants first, functions next) - kmx
     Adding missing 51 constants to @EXPORT_OK + test to keep it in sync - kmx
     Instructions "howto add new constant" added to helper_script/regen_openssl_constants.pl - kmx
     NEWLY INTRODUCED CONSTANTS:
     - Net::SSLeay::ASN1_STRFLGS_ESC_CTRL
     - Net::SSLeay::ASN1_STRFLGS_ESC_MSB
     - Net::SSLeay::ASN1_STRFLGS_ESC_QUOTE
     - Net::SSLeay::ASN1_STRFLGS_RFC2253
     - Net::SSLeay::ERROR_WANT_ACCEPT
     - Net::SSLeay::EVP_PKS_DSA
     - Net::SSLeay::EVP_PKS_EC
     - Net::SSLeay::EVP_PKS_RSA
     - Net::SSLeay::EVP_PKT_ENC
     - Net::SSLeay::EVP_PKT_EXCH
     - Net::SSLeay::EVP_PKT_EXP
     - Net::SSLeay::EVP_PKT_SIGN
     - Net::SSLeay::EVP_PK_DH
     - Net::SSLeay::EVP_PK_DSA
     - Net::SSLeay::EVP_PK_EC
     - Net::SSLeay::EVP_PK_RSA
     - Net::SSLeay::MBSTRING_ASC
     - Net::SSLeay::MBSTRING_BMP
     - Net::SSLeay::MBSTRING_FLAG
     - Net::SSLeay::MBSTRING_UNIV
     - Net::SSLeay::MBSTRING_UTF8
     - Net::SSLeay::OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     - Net::SSLeay::OP_CISCO_ANYCONNECT
     - Net::SSLeay::OP_CRYPTOPRO_TLSEXT_BUG
     - Net::SSLeay::OP_LEGACY_SERVER_CONNECT
     - Net::SSLeay::OP_NO_TLSv1_1
     - Net::SSLeay::OP_NO_TLSv1_2
     - Net::SSLeay::OP_SINGLE_ECDH_USE
     - Net::SSLeay::OP_TLS_BLOCK_PADDING_BUG
     - Net::SSLeay::X509_V_FLAG_CHECK_SS_SIGNATURE
     - Net::SSLeay::X509_V_FLAG_EXTENDED_CRL_SUPPORT
     - Net::SSLeay::X509_V_FLAG_POLICY_MASK
     - Net::SSLeay::X509_V_FLAG_USE_DELTAS
     - Net::SSLeay::X509_V_OK
     - Net::SSLeay::XN_FLAG_COMPAT
     - Net::SSLeay::XN_FLAG_DN_REV
     - Net::SSLeay::XN_FLAG_DUMP_UNKNOWN_FIELDS
     - Net::SSLeay::XN_FLAG_FN_ALIGN
     - Net::SSLeay::XN_FLAG_FN_LN
     - Net::SSLeay::XN_FLAG_FN_MASK
     - Net::SSLeay::XN_FLAG_FN_NONE
     - Net::SSLeay::XN_FLAG_FN_OID
     - Net::SSLeay::XN_FLAG_FN_SN
     - Net::SSLeay::XN_FLAG_MULTILINE
     - Net::SSLeay::XN_FLAG_ONELINE
     - Net::SSLeay::XN_FLAG_RFC2253
     - Net::SSLeay::XN_FLAG_SEP_COMMA_PLUS
     - Net::SSLeay::XN_FLAG_SEP_CPLUS_SPC
     - Net::SSLeay::XN_FLAG_SEP_MASK
     - Net::SSLeay::XN_FLAG_SEP_MULTILINE
     - Net::SSLeay::XN_FLAG_SEP_SPLUS_SPC
     - Net::SSLeay::XN_FLAG_SPC_EQ
     A number of tests were present in svn, but missing from MANIFEST, and
        were therefore not included in the dist. Added.
     NEWLY INTRODUCED FUNCTIONS:
     - Net::SSLeay::ASN1_INTEGER_free
     - Net::SSLeay::ASN1_INTEGER_get
     - Net::SSLeay::ASN1_INTEGER_new
     - Net::SSLeay::ASN1_INTEGER_set
     - Net::SSLeay::EVP_PKEY_assign_RSA
     - Net::SSLeay::EVP_PKEY_bits
     - Net::SSLeay::EVP_PKEY_free
     - Net::SSLeay::EVP_PKEY_new
     - Net::SSLeay::EVP_PKEY_size
     - Net::SSLeay::EVP_get_cipherbyname
     - Net::SSLeay::OPENSSL_add_all_algorithms_conf
     - Net::SSLeay::OPENSSL_add_all_algorithms_noconf
     - Net::SSLeay::OpenSSL_add_all_algorithms
     - Net::SSLeay::PEM_get_string_PrivateKey
     - Net::SSLeay::PEM_get_string_X509_CRL
     - Net::SSLeay::PEM_get_string_X509_REQ
     - Net::SSLeay::PEM_read_bio_PrivateKey
     - Net::SSLeay::PEM_read_bio_X509
     - Net::SSLeay::PEM_read_bio_X509_REQ
     - Net::SSLeay::P_ASN1_INTEGER_get_dec
     - Net::SSLeay::P_ASN1_INTEGER_get_hex
     - Net::SSLeay::P_ASN1_INTEGER_set_dec
     - Net::SSLeay::P_ASN1_INTEGER_set_hex
     - Net::SSLeay::P_ASN1_STRING_get
     - Net::SSLeay::P_X509_CRL_add_revoked_serial_hex
     - Net::SSLeay::P_X509_CRL_get_serial
     - Net::SSLeay::P_X509_CRL_set_serial
     - Net::SSLeay::P_X509_REQ_add_extensions
     - Net::SSLeay::P_X509_REQ_get_attr
     - Net::SSLeay::P_X509_add_extensions
     - Net::SSLeay::P_X509_copy_extensions
     - Net::SSLeay::P_X509_get_crl_distribution_points
     - Net::SSLeay::P_X509_get_ext_key_usage
     - Net::SSLeay::P_X509_get_key_usage
     - Net::SSLeay::P_X509_get_netscape_cert_type
     - Net::SSLeay::P_X509_get_pubkey_alg
     - Net::SSLeay::P_X509_get_signature_alg
     - Net::SSLeay::P_PKCS12_load_file
     - Net::SSLeay::X509V3_EXT_print
     - Net::SSLeay::X509_CRL_digest
     - Net::SSLeay::X509_CRL_free
     - Net::SSLeay::X509_CRL_get_issuer
     - Net::SSLeay::X509_CRL_get_lastUpdate
     - Net::SSLeay::X509_CRL_get_nextUpdate
     - Net::SSLeay::X509_CRL_get_version
     - Net::SSLeay::X509_CRL_new
     - Net::SSLeay::X509_CRL_set_issuer_name
     - Net::SSLeay::X509_CRL_set_lastUpdate
     - Net::SSLeay::X509_CRL_set_nextUpdate
     - Net::SSLeay::X509_CRL_set_version
     - Net::SSLeay::X509_CRL_sign
     - Net::SSLeay::X509_CRL_sort
     - Net::SSLeay::X509_CRL_verify
     - Net::SSLeay::X509_EXTENSION_get_critical
     - Net::SSLeay::X509_EXTENSION_get_data
     - Net::SSLeay::X509_EXTENSION_get_object
     - Net::SSLeay::X509_NAME_ENTRY_get_data
     - Net::SSLeay::X509_NAME_ENTRY_get_object
     - Net::SSLeay::X509_NAME_add_entry_by_NID
     - Net::SSLeay::X509_NAME_add_entry_by_OBJ
     - Net::SSLeay::X509_NAME_add_entry_by_txt
     - Net::SSLeay::X509_NAME_cmp
     - Net::SSLeay::X509_NAME_digest
     - Net::SSLeay::X509_NAME_entry_count
     - Net::SSLeay::X509_NAME_get_entry
     - Net::SSLeay::X509_NAME_print_ex
     - Net::SSLeay::X509_REQ_add1_attr_by_NID
     - Net::SSLeay::X509_REQ_digest
     - Net::SSLeay::X509_REQ_free
     - Net::SSLeay::X509_REQ_get_attr_by_NID
     - Net::SSLeay::X509_REQ_get_attr_by_OBJ
     - Net::SSLeay::X509_REQ_get_attr_count
     - Net::SSLeay::X509_REQ_get_pubkey
     - Net::SSLeay::X509_REQ_get_subject_name
     - Net::SSLeay::X509_REQ_get_version
     - Net::SSLeay::X509_REQ_new
     - Net::SSLeay::X509_REQ_set_pubkey
     - Net::SSLeay::X509_REQ_set_subject_name
     - Net::SSLeay::X509_REQ_set_version
     - Net::SSLeay::X509_REQ_sign
     - Net::SSLeay::X509_REQ_verify
     - Net::SSLeay::X509_certificate_type
     - Net::SSLeay::X509_digest
     - Net::SSLeay::X509_get_ext_count
     - Net::SSLeay::X509_get_pubkey
     - Net::SSLeay::X509_get_serialNumber
     - Net::SSLeay::X509_get_version
     - Net::SSLeay::X509_issuer_and_serial_hash
     - Net::SSLeay::X509_issuer_name_hash
     - Net::SSLeay::X509_new
     - Net::SSLeay::X509_pubkey_digest
     - Net::SSLeay::X509_set_issuer_name
     - Net::SSLeay::X509_set_pubkey
     - Net::SSLeay::X509_set_serialNumber
     - Net::SSLeay::X509_set_subject_name
     - Net::SSLeay::X509_set_version
     - Net::SSLeay::X509_sign
     - Net::SSLeay::X509_subject_name_hash
     - Net::SSLeay::X509_verify
     - Net::SSLeay::d2i_X509_CRL_bio
     - Net::SSLeay::d2i_X509_REQ_bio
     - Net::SSLeay::d2i_X509_bio
     - Net::SSLeay::set_tlsext_host_name
     - Net::SSLeay::CTX_set_next_protos_advertised_cb
     - Net::SSLeay::CTX_set_next_proto_select_cb
     - Net::SSLeay::P_next_proto_negotiated
     - Net::SSLeay::P_next_proto_last_status
     Fixed a problem with multiple Safefree of GLOBAL_openssl_mutex when run
     under apache2+mod_perl on recent Debian distros. Removed END and
     openssl_threads_cleanup() since they can be called during thread
     destruction, and not necessarily at process exit time.
     Added missing helper_script/regen_openssl_constants.pl to MANIFEST. Add
     MANIFEST to svn.
     Fixed reported errors about try to plan twice in 21_constants.t on some platforms.
     Removed MANIFEST from svn, improve possibility to use Module::Install in Net-SSLeay
     distribution in usual way. new target for make manifest
     Fix 2 issues with CTX_use_PKCS12_file
      1/ leaking memory - missing EVP_PKEY_free + X509_free
      2/ pkcs12 filesize limitation
     Fixed problems with regenerating scripts in Makefile.PL
     Added missing dependencies for SSLeay.o to Makefile.PL
     Added missing test files to svn
     Fixed calling convention for Net::SSLeay::get_shared_ciphers + test + doc update
     Added coding guidelines to SSLeay.xs
     Fix for serial number issue.
     Major patch to refactor callback code to make it more extensible and
     remove duplicate code. Thanks to kmx.
     Fixed a problem in  t/local/07_sslecho.t when running on
     openssl-0.9.6
     Fixed pod parsing errors reported by Olivier Mengué
     Better prevention of leaking SVs in the new callback stuff
     Debug messages in SSLeay.xs can be enabled by: perl Makefile.PL DEFINE=-DSHOW_XS_DEBUG
     Fixing X509_NAME_oneline (calling OPENSSL_free at the right place)
     Fixed a problem with crashing when run under apache2+modssl+modperl on
     Debian Wheezy. Now detects if it is running under ModPerl and uses ModSSLs
     thread locking instead.
     Added more debug printing. Enable with
     	   perl Makefile.PL DEFINE=-DSHOW_XS_DEBUG
     Added NPN support, thanks to kmx
     Added t/local/40_npn_support.t tests for new NPN support
     Fixed some compiler warnings. Courtesy kmx.
     Fixed a problem with Win32 detection. Courtesy kmx.
2012-05-31 08:46:11 +00:00
sno
452c6c3adf Updating package for CPAN module Digest::MD5::File in
security/p5-Digest-MD5-File from 0.07nb3 to 0.08.

pkgsrc changes:
- Digest::MD5 distributed with Perl5 core satisfies dependency, CPAN
  module is not required

Upstream changes:
0.08  Fri Apr  6 19:39:52 2012
    - Address rt 76174 (accept a filename that ends with a space)
    - Address rt 44106 (Documentation issue)
    - Address rt 39898 (Inconsistent results from adddir)
2012-05-31 08:34:42 +00:00
sno
282b5ae2ec Updating package for CPAN module Digest::CRC in security/p5-Digest-CRC
from 0.17 to 0.18.

Upstream changes:
0.18  Sat Nov 12 23:09:05 2011
        - added convenience wrappers for 'cont', #70672
        - fixed few issues in xs code, #70674
        - added openpgparmor support, #72387
2012-05-31 08:29:15 +00:00
adam
5c41303036 Changes 1.8.0:
This is a new major stable release.  Brief changes compared to 1.6.x:
* SAML20 support following RFC 6595.
* OPENID20 support following RFC 6616.
* Added SMTP server examples (for e.g., SCRAM, SAML20, OPENID20).
* Various cleanups, portability and other bug fixes.
See the NEWS entries during the 1.7.x branch for details.
2012-05-30 06:52:58 +00:00
adam
c8cf04a8aa Changes 2.12.19:
* libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be
  a file that stores the pin.
* libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public
  keys.
* minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
2012-05-30 06:51:37 +00:00
wiz
81c617df6d Update to 2.6:
2.6
===
	* [CVE-2012-2417] Fix LP#985164: insecure ElGamal key generation.
	  (thanks: Legrandin)

	  In the ElGamal schemes (for both encryption and signatures), g is
	  supposed to be the generator of the entire Z^*_p group.  However, in
	  PyCrypto 2.5 and earlier, g is more simply the generator of a random
	  sub-group of Z^*_p.

	  The result is that the signature space (when the key is used for
	  signing) or the public key space (when the key is used for encryption)
	  may be greatly reduced from its expected size of log(p) bits, possibly
	  down to 1 bit (the worst case if the order of g is 2).

	  While it has not been confirmed, it has also been suggested that an
	  attacker might be able to use this fact to determine the private key.

	  Anyone using ElGamal keys should generate new keys as soon as practical.

	  Any additional information about this bug will be tracked at
	  https://bugs.launchpad.net/pycrypto/+bug/985164

	* Huge documentation cleanup (thanks: Legrandin).

	* Added more tests, including test vectors from NIST 800-38A
	  (thanks: Legrandin)

	* Remove broken MODE_PGP, which never actually worked properly.
	  A new mode, MODE_OPENPGP, has been added for people wishing to write
	  OpenPGP implementations.  Note that this does not implement the full
	  OpenPGP specification, only the "OpenPGP CFB mode" part of that
	  specification.
	  https://bugs.launchpad.net/pycrypto/+bug/996814

	* Fix: getPrime with invalid input causes Python to abort with fatal error
	  https://bugs.launchpad.net/pycrypto/+bug/988431

	* Fix: Segfaults within error-handling paths
	  (thanks: Paul Howarth & Dave Malcolm)
	  https://bugs.launchpad.net/pycrypto/+bug/934294

	* Fix: Block ciphers allow empty string as IV
	  https://bugs.launchpad.net/pycrypto/+bug/997464

	* Fix DevURandomRNG to work with Python3's new I/O stack.
	  (thanks: Sebastian Ramacher)

	* Remove automagic dependencies on libgmp and libmpir, let the caller
	  disable them using args.

	* Many other minor bug fixes and improvements (mostly thanks to Legrandin)
2012-05-25 08:28:13 +00:00
pettai
448d8b50ff OpenDNSSEC 1.3.8
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
  even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
  (RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite
  only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration,
  but ods-auditor is not installed
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do
  then say so rather than display nothing which might be misinterpreted.

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
  Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
2012-05-23 10:09:21 +00:00
pettai
2316f8d166 SoftHSM 1.3.3
* Increased performance by adding more indexes to the database.
* Describe the usage of SO and user PIN in the README.

Bugfixes:
* Detect if a C++ compiler is missing.
2012-05-23 10:05:44 +00:00
joerg
c7bfb89d94 Fix build on NetBSD/amd64, if the kernel was built on a host with 386 in
its name.
2012-05-22 06:00:11 +00:00
marino
10303c9a85 security/botan: Fix DragonFly-*-i386 PLIST 2012-05-20 11:43:33 +00:00
obache
ef509dee9a Add missing dependency on p5-IO-Socket-SSL and p5-libwww (for LWP::UserAgent).
Bump PKGREVISION.
2012-05-17 10:52:48 +00:00
obache
e6d37553d6 Change HOMEPAGE to permalink. 2012-05-17 10:35:14 +00:00
wiz
60b7466218 pkglint cleanup: use standard packlist path. 2012-05-17 10:21:12 +00:00
jnemeth
b78cedd6a3 add and enable p5-AuthCAS 2012-05-17 05:05:37 +00:00
bouyer
d792695085 Initial import of security/p5-AuthCAS version 1.5
AuthCAS aims at providing a Perl API to Yale's Central Authentication System
(CAS). Only a basic Perl library is provided with CAS whereas AuthCAS is a
full object-oriented library.
2012-05-16 15:55:23 +00:00
taca
1b193d34b2 Update sudo package to 1.7.9p1.
Fix security problem of CVE-2012-2337.


What's new in Sudo 1.7.9p1?

 * Fixed a bug when matching against an IP address with an associated
   netmask in the sudoers file.  In certain circumstances, this
   could allow users to run commands on hosts they are not authorized
   for.

What's new in Sudo 1.7.9?

 * Fixed a false positive in visudo strict mode when aliases are
   in use.

 * The line on which a syntax error is reported in the sudoers file
   is now more accurate.  Previously it was often off by a line.

 * The #include and #includedir directives in sudoers now support
   relative paths.  If the path is not fully qualified it is expected
   to be located in the same directory of the sudoers file that is
   including it.

 * visudo will now fix the mode on the sudoers file even if no changes
   are made unless the -f option is specified.

 * The "use_loginclass" sudoers option works properly again.

 * For LDAP-based sudoers, values in the search expression are now
   escaped as per RFC 4515.

 * Fixed a race condition when I/O logging is not enabled that could
   result in tty-generated signals (e.g. control-C) being received
   by the command twice.

 * If none of the standard input, output or error are connected to
   a tty device, sudo will now check its parent's standard input,
   output or error for the tty name on systems with /proc and BSD
   systems that support the KERN_PROC_PID sysctl.  This allows
   tty-based tickets to work properly even when, e.g. standard
   input, output and error are redirected to /dev/null.

 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
   the results, which would incorrectly be interpreted as if the
   sudoers file had specified a directory.

 * "visudo -c" will now list any include files that were checked
   in addition to the main sudoers file when everything parses OK.

 * Users that only have read-only access to the sudoers file may
   now run "visudo -c".  Previously, write permissions were required
   even though no writing is done in check-only mode.

What's new in Sudo 1.7.8p2?

 * Fixed a crash in the monitor process on Solaris when NOPASSWD
   was specified or when authentication was disabled.
2012-05-16 14:49:55 +00:00
dholland
179fc8a900 Add missing pam.bl3.mk. 2012-05-14 08:03:54 +00:00
dholland
91d072329c Set PKG_DESTDIR_SUPPORT. It looks to me like it should probably just work;
I can't test it though right now due to some kind of JVM lossage.
2012-05-14 05:47:09 +00:00
wiz
f11d5436d1 "Convert" to destdir by moving one line higher up. 2012-05-13 15:23:33 +00:00
wiz
ea61d28556 + ocaml-cryptokit 2012-05-12 17:54:16 +00:00
wiz
ec567f8aff Initial import of ocaml-cryptokit-1.5. Packaged by Jaap Boender in PR 41691.
The Cryptokit library for Objective Caml provides a variety of
cryptographic primitives that can be used to implement cryptographic
protocols in security-sensitive applications. The primitives provided
include:

Symmetric-key cryptography: AES, DES, Triple-DES, ARCfour, in ECB,
CBC, CFB and OFB modes. Public-key cryptography: RSA encryption and
signature; Diffie-Hellman key agreement. Hash functions and MACs:
SHA-1, MD5, and MACs based on AES and DES. Random number generation.
Encodings and compression: base 64, hexadecimal, Zlib compression.

Additional ciphers and hashes can easily be used in conjunction
with the library. In particular, basic mechanisms such as chaining
modes, output buffering, and padding are provided by generic classes
that can easily be composed with user-provided ciphers. More
generally, the library promotes a "Lego"-like style of constructing
and composing transformations over character streams.
2012-05-12 17:53:40 +00:00
wiz
4326abf388 Add CONFLICTS with new man-pages package. For details, see
man-pages/Makefile.
2012-05-12 07:37:50 +00:00
taca
9077603d55 Update openssl to 0.9.8x.
OpenSSL CHANGES
 _______________

 Changes between 0.9.8w and 0.9.8x [10 May 2012]

  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
2012-05-11 13:27:26 +00:00
obache
929ea232da Update ruby-simple_oauth to 0.1.8.
contains OAuth spec compatible fixes.
2012-05-10 12:12:29 +00:00
martin
12ad0b558d Add upstream bug reference 2012-05-10 09:44:58 +00:00
wiz
efd3373f7a Since p5-Crypt-OpenSSL-RSA versions before 0.27 are broken with
perl-5.14, and perl-5.14 is pkgsrc's default, depend on at least that
version. Bump PKGREVISION.
2012-05-09 06:21:39 +00:00
pettai
45d246ac5e 0.28 Thu Aug 25 2011 - Moritz Onken (PERLER)
- RT 56454 - Win32 compatibility patch (kmx@cpan.org)

0.27  Wed Jun 29 2011 - Todd Rinaldo (TODDR)
        - RT 65947 - Fix RSA.pm break with perl 5.14+
2012-05-08 21:17:17 +00:00
dholland
7e751949e4 Set BUILDLINK_ABI_DEPENDS correctly (with +=, not ?=)
It turns out there were a lot of these.
2012-05-07 01:53:12 +00:00
dholland
5ff7a40dcf Fix build with latest glib2. (not the usual thing, either) 2012-05-07 01:14:14 +00:00
jmmv
9426d775f8 Add and enable google-authenticator. 2012-05-07 00:02:33 +00:00
jmmv
5430cafef3 Initial import of google-authenticator, version 0.0.20120506:
The Google Authenticator includes implementations of one-time passcode
generators for several mobile platforms as well as a pluggable
authentication module (PAM).  One-time passcodes are generated using
open standards developed by the Initiative for Open Authentication
(OATH) (which is unrelated to OAuth).

These implementations support the HMAC-Based One-time Password (HOTP)
algorithm specified in RFC 4226 and the Time-based One-time Password
(TOTP) algorithm specified in RFC 6238.

Because upstream does not provide a distribution file (yet), I have
pre-packaged the sources myself as of today and uploaded them to
ftp.n.o under my own directory.  This explains the 0.0 prefix in the
version number, because if upstream starts providing distfiles with
proper versioning, we don't want our date stamp to be "above" all
official versions.
2012-05-07 00:01:48 +00:00
dholland
5a12cc1494 Patches for building with the latest glib2. 2012-05-06 17:14:58 +00:00
pettai
a3f18340a1 Added validns 2012-05-05 00:01:24 +00:00
pettai
12da381bef Validns is a standalone command line RFC 1034/1035 zone file validation
tool that, in addition to basic syntactic and semantic zone checks,
includes DNSSEC signature verification and NSEC/NSEC3 chain validation,
as well as a number of optional policy checks on the zone.
2012-05-04 23:57:46 +00:00
martin
a98adf0b6f Let the compiler handle the alignment for cached passwd entries, fixes
a bus error on sparc (since 64 bit time_t).
2012-05-03 08:31:05 +00:00
obache
a6d5ad9edc Recursive bump from icu shlib major bumped to 49. 2012-04-27 12:31:32 +00:00
obache
1b5d945125 Update ruby-simple_oauth to 0.1.7.
(no summary)
2012-04-24 12:08:25 +00:00
obache
894ebc9fe7 Update ruby-simple_oauth to 0.1.7.
(no summary)
2012-04-24 12:07:17 +00:00
taca
b982de4e94 Update openssl package to 0.9.8w.
Security fix for CVE-2012-2131.

 Changes between 0.9.8v and 0.9.8w [23 Apr 2012]

  *) The fix for CVE-2012-2110 did not take into account that the
     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
     int in OpenSSL 0.9.8, making it still vulnerable. Fix by
     rejecting negative len parameter. (CVE-2012-2131)
     [Tomas Hoger <thoger@redhat.com>]
2012-04-24 05:03:48 +00:00
obache
22a190e1fb Update ruby-oauth to 0.4.6.
=== 0.4.6 2012-04-21

* Fixed nested attributes in #normalize (Shaliko Usubov)
* Make use the path component of the :site parameter (Jonathon M. Abbott)
* Fixed post body's being dropped in 1.9 (Steven Hammond)
* Fixed PUT request handling (Anton Panasenko)
2012-04-22 11:54:18 +00:00
wiz
6dd417bc6e Update to 20120309:
20120309
  - Download the certdata from mozilla over SSL (John Joseph Bachir)
  - CA updates:
    Removes:
    - Hellenic Academic and Research Institutions RootCA 2011

20120118
  - CA updates:
    Add:
    - Security Communication RootCA2
    - EC-ACC
    - Hellenic Academic and Research Institutions RootCA 2011
    Remove:
    - Verisign Class 4 Public Primary Certification Authority - G2
    - TC TrustCenter, Germany, Class 2 CA
    - TC TrustCenter, Germany, Class 3 CA
2012-04-22 11:51:38 +00:00
wiz
e9a56c561a Update to 1.66:
v1.66 2012.04.16
- make it thread safer, thanks to bug report from vega[DOT]james[AT]gmail
  [DOT]com, https://rt.cpan.org/Ticket/Display.html?id=76538
v1.65 2012.04.16
- added NPN (Next Protocol Negotiation) support based on patch from kmx
  https://rt.cpan.org/Ticket/Display.html?id=76223
v1.64 2012.04.06
- clarify some behavior regarding hostname verification.
  Thanks to DOHERTY for reporting.
v1.63 2012.04.06
- applied patch of DOUGDUDE to ignore die from within eval to make tests
  more stable on Win32, https://rt.cpan.org/Ticket/Display.html?id=76147
v1.62 2012.03.28
- small fix to last version
v1.61 2012.03.27
- call CTX_set_session_id_context so that servers session caching works with
  client certificates too.
  https://rt.cpan.org/Ticket/Display.html?id=76053
v1.60 2012.03.20
- don't make blocking readline if socket was set nonblocking, but return as
  soon no more data are available
  https://rt.cpan.org/Ticket/Display.html?id=75910
- fix BUG section about threading so that it shows package as thread safe
  as long as Net::SSLeay >= 1.43 is used
  https://rt.cpan.org/Ticket/Display.html?id=75749
v1.59 2012.03.08
- if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
  message when attempting to use it.
- modify constant declarations so that 5.6.1 should work again
v1.58 2012.02.26
- fix t/dhe.t again to enable the workaround only for newer openssl
  versions, because this would cause failures on older versions
v1.57 2012.02.26
- fix t/dhe.t for openssl 1.0.1 beta by forcing tlsv1, so that it does
  not complain about the too small rsa key which it should not use anyway.
  Thanks to paul[AT]city-fan[DOT]org  for reporting.
  https://rt.cpan.org/Ticket/Display.html?id=75165
v1.56 2012.02.22
- add automatic or explicit (via SSL_hostname) SNI support, needed for
  multiple SSL hostnames with same IP. Currently only supported for the
  client.
v1.55 2012.02.20
- work around IO::Sockets work around for systems returning EISCONN etc
  on connect retry for non-blocking sockets by clearing $! if SUPER::connect
  returned true.
  https://rt.cpan.org/Ticket/Display.html?id=75101
  Thanks to Manoj Kumar for reporting.
v1.54 2012.01.11
- return 0 instead of undef in SSL_verify_callback to fix uninitialized
  warnings.  Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for
  reporting the bug and MIKEM for the fix.
  https://rt.cpan.org/Ticket/Display.html?id=73629
v1.53 2011.12.11
- kill child in t/memleak_bad_hanshake.t if test fails
  https://rt.cpan.org/Ticket/Display.html?id=73146
  Thanks to CLEACH for reporting
v1.52 2011.12.07
- fix syntax error in t/memleak_bad_handshake.t
  thanks to cazzaniga[DOT]sandro[AT]gmail[DOT]com for reporting
v1.51 2011.12.06
- disable t/memleak_bad_handshake.t on AIX, because it might hang
  https://rt.cpan.org/Ticket/Display.html?id=72170
v1.50 2011.12.06
  Thanks to HMBRAND for reporting and Rainer Tammer tammer[AT]tammer[DOT]net for
  providing access to AIX system
v1.49 2011.10.28
- another regression for readline fix, this time it failed to return lines
  at eof which don't end with newline. Extended t/readline.t to catch this
  case and the fix for 1.48
  Thanks to christoph[DOT]mallon[AT]gmx[DOT]de for reporting
v1.48 2011.10.26
- bugfix for readline fix in 1.45. If the pending data were false
  (like '0') it failed to read rest of line.
  Thanks to Victor Popov for reporting
  https://rt.cpan.org/Ticket/Display.html?id=71953
v1.47 2011.10.21
- fix for 1.46 - check for mswin32 needs to be /i. Thanks to
  Alexandr Ciornii for reporting
v1.46 2011.10.18
- disable test t/signal-readline.t on windows, because signals are
  not relevant for this platform and test does not work.
  https://rt.cpan.org/Ticket/Display.html?id=71699
v1.45 2011.10.12
- fix readline to continue when getting interrupt waiting for more
  data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem
2012-04-22 11:50:34 +00:00
wiz
393fcd7171 Update to 0.45:
0.45 Wed Oct 26 00:11:17 EDT 2011

	Include trailing columns when parsing --fixed-list-mode output
2012-04-22 11:48:29 +00:00
wiz
bf314eb3db Update to 5.71:
5.71  Wed Feb 29 04:06:10 MST 2012
	- prevented $! from getting clobbered in _bail() routine
		-- thanks to Zefram for patch
	- added example of BITS mode usage to shasum documentation

5.70  Wed Dec 14 02:32:10 MST 2011
	- added BITS mode to addfile method and shasum
		-- partial-byte inputs now possible via files/STDIN
		-- allows shasum to check all 8074 NIST Msg vectors
			-- previously required special programming

5.63  Tue Nov  8 02:36:42 MST 2011
	- added code to allow very large data inputs all at once
		-- previously limited to several hundred MB at a time
		-- many thanks to Thomas Drugeon for his elegant patch
	- removed outdated reference URLs from several test scripts
		-- these URLs aren't essential, and often go stale
		-- thanks to Leon Brocard for spotting this
			-- ref. rt.cpan.org #68740
2012-04-22 11:47:05 +00:00
taca
1a999fa1fc Update openssl package to 0.9.8v.
NEWS
====

This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v:

    o Fix for ASN1 overflow bug CVE-2012-2110
2012-04-21 07:38:14 +00:00
drochner
97431b5272 update to 2.0.19
changes:
-cmd line UI improvements
-Ukrainian translation
2012-04-17 18:35:33 +00:00
drochner
22a9361d94 update to 2.12.18
changes:
-Corrected SRP-RSA ciphersuites when used under TLS 1.2
-Fixed leaks in key generation
2012-04-17 17:53:01 +00:00
joerg
fc9d5f03fe Fix some errors in C++ usage. 2012-04-17 17:46:30 +00:00
ryoon
1921f944ca Update to 4.53
Changelog:
Version 4.53, 2012.03.19, urgency: MEDIUM:
* New features
  - Added client-mode "sni" option to directly control the value of
    TLS Server Name Indication (RFC 3546) extension.
  - Added support for IP_FREEBIND socket option with a patched Linux kernel.
  - Glibc-specific dynamic allocation tuning was applied to help unused memory
    deallocation.
  - Non-blocking OCSP implementation.
* Bugfixes
  - Compilation fixes for old versions of OpenSSL (tested against 0.9.6).
  - Usage of uninitialized variables fixed in exec+connect services.
  - Occasional logging subsystem crash with exec+connect services.
  - OpenBSD compilation fix (thx to Michele Orru').
  - Session id context initialized with session name rather than a constant.
  - Fixed handling of a rare inetd mode use case, where either stdin or stdout
    is a socket, but not both of them at the same time.
  - Fixed missing OPENSSL_Applink http://www.openssl.org/support/faq.html#PROG2
  - Fixed crash on termination with FORK threading model.
  - Fixed dead canary after configuration reload with open connections.
  - Fixed missing file descriptors passed to local mode processes.
  - Fixed required jmp_buf alignment on Itanium platform.
  - Removed creating /dev/zero in the chroot jail on Solaris platform.
  - Fixed detection of WSAECONNREFUSED Winsock error.
  - Missing Microsoft.VC90.CRT.manifest added to Windows installer.

Version 4.52, 2012.01.12, urgency: MEDIUM:
* Bugfixes
  - Fixed write closure notification for non-socket file descriptors.
  - Removed a line logged to stderr in inetd mode.
  - Fixed "Socket operation on non-socket" error in inetd mode on Mac OS X
    platform.
  - Removed direct access to the fields of the X509_STORE_CTX data structure.

Version 4.51, 2012.01.09, urgency: MEDIUM:
* New features
  - Updated Win32 binary distribution OpenSSL DLLs to version 0.9.8s-fips.
  - Updated Android binary OpenSSL to version 1.0.0f.
  - Zlib support added to Win32 and Android binary builds.
  - New "compression = deflate" global option to enable RFC 2246 compression.
    For compatibility with previous versions "compression = zlib" and
    "compression = rle" also enable the deflate (RFC 2246) compression.
  - Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
  - UAC support for editing configuration file with Windows GUI.
* Bugfixes
  - Fixed exec+connect sections.
  - Added a workaround for broken Android getaddrinfo():
    http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo
2012-04-16 16:55:21 +00:00
wiz
6dc4abe4b7 Reset maintainer, developer has left the building 2012-04-15 22:00:58 +00:00
markd
cbc4db0822 Update KDE SC to 4.8.2
bugfixes.
2012-04-15 05:54:50 +00:00
adam
88bb0e6439 Removed mk/apachever.mk 2012-04-14 16:25:11 +00:00
hans
99fdb8d9c3 Add -lrt to LIBS.SunOS to make this build. Not needed on 5.11, but
doesn't hurt either.
2012-04-13 23:20:07 +00:00
hans
d50422c9bc Add -lrt to LIBS.SunOS to make this build. Not needed on 5.11, but
doesn't hurt either.
2012-04-13 23:04:11 +00:00
gls
058699623a Update security/py-ssh to 1.7.13.
Upstream changes:


## ssh 1.7.13 (2012-02-13)

* #5: Moved a `fcntl` import closer to where it's used to help avoid
  `ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
  catch + suggested fix.
* #4: Updated implementation of WinPageant integration to work on 64-bit
  Windows. Thanks again to Jason Coombs for the patch.
2012-04-13 21:35:18 +00:00
wiz
b77caa6829 Fix path to rc.subr.
From Sascha Wildner in PR 46323.
2012-04-12 08:21:54 +00:00
wiz
c595076396 All supported python versions in pkgsrc support eggs, so remove
${PLIST.eggfile} from PLISTs and support code from lang/python.
2012-04-08 20:21:41 +00:00
wiz
aada88e659 Remove python24 and all traces of it from pkgsrc.
Remove devel/py-ctypes (only needed by and supporting python24).
Remove PYTHON_VERSIONS_ACCEPTED and PYTHON_VERSIONS_INCOMPATIBLE
lines that just mirror defaults now.
Miscellaneous cleanup while editing all these files.
2012-04-08 19:08:44 +00:00
dholland
39d9085e9a Add missing pam.bl3.mk 2012-04-07 22:34:13 +00:00
joerg
9a8404616b Revert. 2012-04-07 19:38:43 +00:00
joerg
9217633e5e Apply patches as intended. 2012-04-07 19:34:15 +00:00
dholland
31f59c0df8 Regen properly for patches in last commit. Hi Joerg... 2012-04-07 19:27:23 +00:00
joerg
4ebe40f2ae Fix build on NetBSD/current. 2012-04-07 13:16:23 +00:00
obache
27ff38e880 Allow to build with non-native PAM on *BSD. 2012-04-07 01:53:18 +00:00
obache
fb6b2f3879 allow to build with skipping harmless warnings. 2012-04-05 04:55:42 +00:00
adam
242a460c0a Fix building with clang on i386 (PR#46177) 2012-04-03 15:00:30 +00:00
markd
5c00a7a6d3 Add kde-workspace4 dependency 2012-04-03 08:13:30 +00:00
markd
66b945fd6d add kgpg 2012-03-26 09:27:27 +00:00
markd
70fdea4c34 import kgpg - part of KDE SC 4.8.0 (that got missed)
KGpg is a simple interface for GnuPG, a powerful encryption utility. It
can help you set up and manage your keys, import and export keys, view key
signatures, trust status and expiry dates.
2012-03-26 09:26:12 +00:00
taca
de0ab2936c Bump PKGREVISION reflecting the default Ruby's version change. 2012-03-22 14:25:25 +00:00
hans
2478d46da6 Fix build on SunOS with gcc by replacing sunpro arguments with their gcc
counterparts. The wrappers will replace them again for sunpro builds.
2012-03-21 18:24:00 +00:00
gdt
eb31fd899e Split version into sane and excessive parts.
Upstream's version is 0.6.0.X, where X appears to be a large integer
in decimal that corresponds to a git sha1 hash.  Such large numbers
violate the assumption, true with just about every previous package,
that version number components will fit in an int --- code that
handles version numbers does not use a multiprecision integer library
like gmp.  To address this, split the version into what would have
been the version under normal procedures (0.6.0), and put the bignum
into ${VERSION_EXCESSIVE}, allowing it to be used in DISTNAME but not
PKGNAME.
2012-03-20 23:38:26 +00:00
dholland
6ad2c454ee Add missing PAM buildlink 2012-03-20 16:27:40 +00:00
wiz
81f758690d Update to 2.12:
* Noteworthy changes in release 2.12 (2012-03-19) [stable]
- Cleanup license headers.
- build: Update gnulib files.
- Corrected DER decoding issue (reported by Matthew Hall).
  Added self check to detect the problem, see tests/Test_overflow.c.
  This problem can lead to at least remotely triggered crashes, see
  further analysis on the libtasn1 mailing list.
2012-03-20 13:07:50 +00:00
taca
092c46cab4 Add and enable ruby-rc4. 2012-03-20 13:06:40 +00:00
taca
1b9087ec5f Importing security/ruby-rc4 version 0.1.5.
RubyRC4 is a pure Ruby implementation of the RC4 algorithm.
2012-03-20 13:05:41 +00:00
markd
7e2cbda97e add ksecrets, kwallet 2012-03-20 05:57:07 +00:00
markd
c55545d68d Add ksecrets and kwallet. Part of KDE SC 4.8.0 2012-03-20 05:55:33 +00:00
pettai
58a6974c85 pam-krb5 4.5
* Suppress the notice that the password is being changed because it's
    expired if force_first_pass or use_first_pass is set in the password
    stack, indicating that it's stacked with another module that's also
    doing password changes.  This is arguable, but without this change the
    notification message of why the password is being changed shows up
    confusingly in the middle of the password change interaction.
  * Some old versions of Heimdal (0.7.2 in OpenBSD 4.9, specifically)
    reportedly return KRB5KDC_ERR_KEY_EXP for accounts with expired
    keys even if the supplied password is wrong.  Work around this by
    confirming that the PAM module can obtain tickets for kadmin/changepw
    before returning a password expiration error instead of an invalid
    password error.
  * The location of the temporary root-owned ticket cache created during
    the authentication process is now also controlled by the ccache_dir
    option (but not the ccache option) rather than forced to be in /tmp.
    This will allow system administrators to configure an alternative
    cache directory so that pam-krb5 can continue working when /tmp is
    full.
  * Report more specific errors in syslog if authorization checks (such as
    .k5login checks) fail.
  * Pass a NULL principal to krb5_set_password with MIT client libraries
    to prefer the older change password protocol for compatibility with
    older KDCs.  This is not necessary on Heimdal since Heimdal's
    krb5_set_password tries both protocols.
  * Improve logging and authorization checks when defer_pwchange is set
    and a user authenticates with an expired password.
  * When probing for Kerberos libraries, always add any supplemental
    libraries found to that point to the link command.  This will fix
    configure failures on platforms without working transitive shared
    library dependencies.
  * Close some memory leaks where unparsed Kerberos principal names were
    never freed.
  * Restructure the code to work with OpenPAM's default PAM build
    machinery, which exports a struct containing module entry points
    rather than public pam_sm_* functions.
  * In debug logging, report symbolic names for PAM flags on PAM function
    entry rather than the numeric PAM flags.  This helps with automated
    testing and with debugging PAM problems on different operating
    systems.
  * Include <krb5/krb5.h> if <krb5.h> is missing, which permits finding
    the header file on NetBSD systems.
  * Replace the Kerberos compatibility layer with equivalent but
    better-structured code from rra-c-util 4.0.
  * Avoid krb5-config and use manual library probing if --with-krb5-lib or
    --with-krb5-include were given to configure.  This avoids having to
    point configure at a nonexistent krb5-config to override its results.
  * Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config in
    configure, to avoid a conflict with the variable used by the Kerberos
    libraries to find krb5.conf.
  * Change references to Kerberos v5 to just Kerberos in the documentation.
  * Update to rra-c-util 4.0
  * Update to C TAP Harness 1.9
2012-03-19 19:31:24 +00:00
dholland
c341067e40 Makefile is not MAKE_JOBS_SAFE as shipped. Patch it up, since it doesn't
appear to require or be using gmake.
2012-03-19 03:07:45 +00:00
dholland
93984857d6 Makefile is not MAKE_JOBS_SAFE as shipped. Patch it up, since it doesn't
appear to require or be using gmake.
2012-03-19 02:12:28 +00:00
pettai
e3ac86bb8a 1.12.1 (2/7/12)
- Minor bug fix release
    - Fix perl Validator module so it compiles after a header move
    - Make all OSes use the new dnssec-check gui as they should have

1.12                                                            (1/26/12)
 - New Features:

    - libval:       - Made improvements to support IPv6,
                      added the ability to fetch IPv6 glue
                    - Fixed the EDNS0 fallback behavior.
                    - Tidied up the locking semantics in libval.
                    - Added support for hard-coding validator configuration
                      information that gets used in the absence of other
                      configuration data. This feature allows the
                      validator library to be self-contained in
                      environments where setting up configuration data at
                      specific locations in the file system is not always
                      feasible.
                    - The library has been ported to the Android OS

    - rollerd:      - Added support for phase-specific commands. This allows
                      the zone operator to customize processing of the rollerd
                      utility during different rollerd phases.
                    - Added support for zone groups.  This allows a collection
                      of zones to be controlled as a group, rather than each of
                      those zones individually.
                    - Improved the manner in which rollerd indexes the zones
                      being managed, with the significantly decreased access
                      times for rollerd's data files.  This results in rollerd
                      being able to support a lot more zones with a single
                      rollerd instance.
                    - rollctl and the rollover GUI programs may have new
                      commands to allow for immediate termination of rollerd.

    - apps          - Added patch to enable local validation in NTP, with
                      the ability to handle a specific chicken and egg problem
                      related to the interdependency between DNSSEC and an
                      accurate system clock.

                    - Added a patch to enable DNSSEC validation in Qt
                      based applications

    - dnssec-check  - Completely rewritten GUI with many new features
                    - Now contains the ability to submit the results
                      to a central DNSSEC-Tools repository.  The
                      results will be analyzed and published on a
                      regular basis.  Please help us get started by
                      running dnssec-check on your networks!  Note
                      that it explains that it only sends hashed IP
                      addresses to our servers and the reports
                      generated will be aggregation summaries of the
                      data collected.
                    - It now runs on both Android and Harmattan (N9) devices

    - maketestzone  - Now produces zones with wildcards and changes to
                      NSEC  record signatures

    - dnssec-nodes  - parses unbound log files
                    - Initial work porting to Android

    - dnssec-system-tray
                    - parses unbound log files

1.11                                                            (9/30/11)
 - New Features:

    - libval:       - Significant improvements and bug fixes to the
                      asynchronous support.
                    - Added asynchronous version of val_getaddr_info.
                    - Some reworking of the asynchronous API and callbacks.
                      Note the asynchronous api is still under development and
                      subject to changes that break backwards compatibility.

    - rollerd:      - Added an experimental time-based method for queuing
                      rollover operations.  This original method (full list
                      of all zones) is the default queuing method, but the
                      new method can be used by editing the rollerd script.
                      rollctl and rollrec.pm were also modified to support
                      this change.
                    - Added support for merging a set of rollrec files.
                      rollctl and rollrec.pm were also modified to support
                      this change.

    - dnssec-nodes  - This graphical DNS debugging utility was greatly enhanced
                    - Now parses both bind and libval log files
                    - Multiple log files can be watched
                    - Nodes represent multiple data sets
                      internally, which are independently displayed
                      and tracked.
                    - Added support for searching for and
                      highlighting DNS data and DNSSEC status
                      results

    - dnssec-system-tray
                    - This utility can now report on BOGUS responses
                      detected in both libval and bind log files.
                    - Summary window revamped to group similar
                      messages together.

 Plus many more minor features and bug fixes
2012-03-18 19:23:27 +00:00
pettai
85da4cec0f OpenDNSSEC 1.3.7
* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
  even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
  the daemon will start after a power failure.

Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
  in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key
  material with leading zeroes. DNSSEC does not allow leading zeroes in key
  data. You are affected by this bug if your DNSKEY RDATA e.g. begins with
  "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize
  incoming data before adding it to the DNSKEY. Do not upgrade to this version
  if you are affected by the bug. You first need to go unsigned, then do the
  upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not
  produce data with leading zeroes and the bug will thus not affect you.


OpenDNSSEC 1.3.6

* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
  reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
  time, let worker wait with pushing sign operations until the queue is
  non-full.
* Signer Engine: Adjust some log messages.

Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
  help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
  attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
  signed file to an intermediate file first.
2012-03-18 17:38:46 +00:00
pettai
3086b4e8e8 SoftHSM 1.3.2
* Update the README with information on moving the database
  between different architectures.

Bugfixes:
* Fix the destruction order of the Singleton objects.
2012-03-18 15:11:07 +00:00
taca
6e3f9c8d9c Update ruby-net-ssh to 2.3.0.
=== 2.3.0 / 11 Jan 2012

* Support for hmac-sha2 and diffie-hellman-group-exchange-sha256 [Ryosuke Yamazaki]

=== 2.2.2 / 04 Jan 2012

* Fixed: Connection hangs on ServerVersion.new(socket, logger) [muffl0n]
* Avoid dying when unsupported auth mechanisms are defined [pcn]
2012-03-17 17:01:16 +00:00
gdt
f84cad6cbe fix distinfo; patch-aa is gone 2012-03-16 00:15:15 +00:00
gdt
38f229c4fe Set license (GPLv2, or boutique license not in pkgsrc/licenses). 2012-03-16 00:14:36 +00:00
gdt
12c101dc74 Update to 0.6.0.1206569328141510525648634803928199668821045408958.
(Yes, that ridiculous version number really is what upstream calls it.)

No NEWS entry, but announcement includes:

2012-03-13  Zooko Wilcox-O'Hearn  <zooko@zooko.com>

      * src/pycryptopp/_version.py: release pycryptopp-0.6.0
      * add Ed25519 signatures (#75)
      * add XSalsa20 cipher (#40)
      * switch from darcs to git for revision control
      * pycryptopp version numbers now include a decimal encoding of *
      * reorganize the source tree and the version number generation
      * aesmodule.cpp: validate size of IV and throw exception if it
        is not 16 (#70)
      * fixed compile errors with gcc-4.7.0 (#78)
      * fixed compile errors concerning "CryptoPP::g_nullNameValuePairs" (#77)
      * suppress warnings from valgrind with new OpenSSL 1.0.1 on Fedora (#82)
      * raise Python exception instead of uncaught C++ exception
        (resulting in abort) when deserializing malformed RSA keys (#83)
2012-03-16 00:12:35 +00:00
adam
a7c64a1ebe Changes 2.12.17:
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
  modules. This is required on the child process after a fork.
* libgnutls: PKCS 11 objects that do not have ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added
2012-03-15 16:41:48 +00:00
obache
2cd654bab6 Bump PKGREVISION from default python to 2.7. 2012-03-15 11:53:20 +00:00
cegger
ba63b2d5f7 configure script expects darwin-ppc-cc and not darwin-powerpc-cc.
'should be ok' joerg@
2012-03-14 22:48:58 +00:00
wiz
f3ac896f57 Update MASTER_SITES' and HOMEPAGE'.
From patch by Bug Hunting.

Add 'isc' to licenses.
2012-03-14 14:20:38 +00:00
pettai
878cc8437e Imported pam-yubico, libyubikey, ykclient and ykpers 2012-03-13 15:36:37 +00:00
pettai
2498320560 The Yubico PAM module provides an easy way to integrate the Yubikey
into your existing user authentication infrastructure.

Imported from pkgsrc-wip
2012-03-13 15:32:47 +00:00
pettai
eda68f4360 The YubiKey Personalization package contains a library and
command line tool used to personalize (i.e., set an AES key) YubiKeys.

Imported from pkgsrc-wip
2012-03-13 15:30:07 +00:00
pettai
d6063f8967 Backout bad (over)import 2012-03-13 15:25:33 +00:00
pettai
c06bc35d24 This package implements online validation of Yubikey OTPs. It is written in C
and provides a shared library for use by other software.

Imported from pkgsrc-wip
2012-03-13 15:15:15 +00:00
pettai
7e0c9d3b39 This package makes up the low-level C software development kit for the
Yubico authentication device, the Yubikey.

Imported from pkgsrc-wip
2012-03-13 15:12:36 +00:00
fhajny
a8a57efa46 On SunOS, heimdal never builds hcrypto when pkgsrc OpenSSL used. 2012-03-13 09:04:49 +00:00
fhajny
f926cc3866 Adding PLIST.SunOS 2012-03-13 08:01:01 +00:00
taca
021760c273 Update openssl package to 0.9.8u.
Changes between 0.9.8t and 0.9.8u [12 Mar 2012]

  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]

  *) Fix CVE-2011-4619: make sure we really are receiving a
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]
2012-03-13 03:11:32 +00:00
fhajny
5581fcff90 Value of _FILE_OFFSET_BITS corrected. Disabled static linking for Solaris 10
and later (no longer supports static linking).
2012-03-12 14:18:44 +00:00
shattered
1dd261dca2 PR/39656 -- Use /var/heimdal as hdbdir, not /var. 2012-03-11 11:30:06 +00:00
fhajny
9e40597477 Force --with-waitfunc=wait3 on SunOS, fixes several courier-* packages. 2012-03-09 15:15:30 +00:00
joerg
609e6db1d9 One more tool in /usr/sbin. 2012-03-08 01:14:24 +00:00
joerg
8e3a63ce05 Really bump revision. 2012-03-08 01:14:04 +00:00
joerg
3b771a2259 Don't build & install cat page. Bump revision. 2012-03-08 01:13:42 +00:00
ryoon
45f8f27196 Recursive PKGREVISION bump for xulrunner, nss, and nspr. 2012-03-06 17:38:53 +00:00
sno
5ce085f87c Updating package for CPAN distribution Net::SSLeay in security/p5-Net-SSLeay
from 1.42 to 1.45.

Upstream changes:
1.45 2012-02-25
     Added missing doc for SESSION_cmp. Patch by paul.

1.44 2012-02-25
     Added missing t/data/binary-test.file to MANIFEST

1.43 2012-02-24
    Fixed some typos. Patched by Neil Bowers.
    SSLeay.pm convenience functions now call Net::SSLeay::initialize that
    initializes the SSL library at most once.
    Patch from kmx to protect SSLeay_add_ssl_algorithms from multiple loads
    and reentrancy in multi-threaded perls.
    Patch from kmx to add reentrancy protection for callbacks in
    multithreading.
    Updated ppport.h, fixed some complaints from ppport.h
    Fixed a problem with CTX_use_PKCS12_file on Windows, since the file was
    not opened in binary mode. Reported by kmx.
    Added resources line for SVN repository to Makefile. Suggested by kmx.
    Fixed complaints under some windows compilers about cast from pointer to integer of
    different size. Suggested by kmx.
    Added thread safety and dynamic locking. This should complete thread
    safety work, making Net::SSLeay completely thread-safe. Patches by kind
    assistance of kmx.
    Improvements to openssl backwards compatibility. Now build with versions
    back to 0.9.6. With extreme thanks to kmx.
    Improvements to documentation, thanks to kmx.
    SUMMARY OF NEWLY INTRODUCED FUNCTIONS:
    - Net::SSLeay::initialize
    - Net::SSLeay::SSLeay
    - Net::SSLeay::SSLeay_version
    - Net::SSLeay::SSLeay_version
    - Net::SSLeay::ASN1_TIME_new
    - Net::SSLeay::ASN1_TIME_free
    - Net::SSLeay::ASN1_TIME_set
    - Net::SSLeay::P_ASN1_TIME_get_isotime
    - Net::SSLeay::P_ASN1_TIME_set_isotime
    - Net::SSLeay::P_ASN1_TIME_put2string
    - Net::SSLeay::OpenSSL_add_all_digests
    - Net::SSLeay::P_EVP_MD_list_all
    - Net::SSLeay::EVP_get_digestbyname
    - Net::SSLeay::EVP_MD_type
    - Net::SSLeay::EVP_MD_size
    - Net::SSLeay::EVP_MD_CTX_md
    - Net::SSLeay::EVP_MD_CTX_create
    - Net::SSLeay::EVP_MD_CTX_destroy
    - Net::SSLeay::EVP_DigestInit
    - Net::SSLeay::EVP_DigestInit_ex
    - Net::SSLeay::EVP_DigestUpdate
    - Net::SSLeay::EVP_DigestFinal
    - Net::SSLeay::EVP_DigestFinal_ex
    - Net::SSLeay::EVP_Digest
    - Net::SSLeay::SHA1
    - Net::SSLeay::SHA256
    - Net::SSLeay::SHA512
    - Net::SSLeay::EVP_sha1
    - Net::SSLeay::EVP_sha512
    Fixed a problem with set_proxy where the password was not properly
    set. The code to do this went missing at some stage. Reported by Ulrich
    Weber via RT.
    Further improvements to testing time functions.
    Added t/local/37_asn1_time.t
    Added various digest functions, documentation and tests
    Removed debug from P_ASN1_TIME_get_isotime. Courtesy kmx.
    Remove unnecessary warnings about Random number generator not
    seeded. Courtesy kmx.
    Fixed an error in 04_basic.t triggered if Test::Exception not present.
    Added documentation for many CTX_ functions. Courtesy kmx.
    Fixed minor typos in SSLeay.xs. Courtesy kmx.
    Moved documentation to new lib/Net/SSLeay.pod. Courtesy kmx.
    Additions to documentation in pod. Courtesy kmx.
    Fixed some incorrect return types from SSL_set_options
    SSL_CTX_set_options. Courtesy kmx.
    Further documentation in pod. Courtesy kmx.
    Small fixes to XS code + one new trivial function SSL_CIPHER_get_name
    And one more thing - 02_pod_coverage.t is turned ON passing all tests -
    never ever allow a new function without at least a short doc. Courtesy
    kmx.
    Removed 2 unnecessary 'local $[;' from SSLeay.pm
2012-03-05 14:30:23 +00:00
pettai
68f50e546e Add fix for CVE-2006-7250 2012-03-05 00:26:54 +00:00
wiz
e0808f0de0 More pcre PKGREVISION bumps. 2012-03-03 12:54:15 +00:00
wiz
232908aa3e Update to 1.4.12:
Noteworthy changes in version 1.4.12 (2012-01-30)
-------------------------------------------------

    * GPG now accepts a space separated fingerprint as a user ID.
      This allows to copy and paste the fingerprint from the key
      listing.

    * Removed support for the original HKP keyserver which is not
      anymore used by any site.

    * Rebuild the trustdb after changing the option --min-cert-level.

    * Improved JPEG detection.

    * Included more VMS patches

    * Made it easier to create an installer for Windows.

    * Supports the 32 bit variant of the mingw-w64 toolchain.

    * Made file locking more portable.

    * Minor bug fixes.
2012-03-03 00:17:29 +00:00
wiz
ee311e3b36 Recursive bump for pcre-8.30* (shlib major change) 2012-03-03 00:11:51 +00:00
hans
b27a244881 Uses cdefs. 2012-03-02 16:36:57 +00:00
hans
f529b4bd64 Fix build on SunOS. 2012-03-02 14:57:07 +00:00
hans
3768a38dbc Fix build on SunOS.
- uses fts functions
- don't ignore pkgsrc-provided CFLAGS, CPPFLAGS, LDFLAGS and LIBS
2012-03-01 16:27:57 +00:00
jmmv
43fe09b632 Allow this to build again by explicitly disabling the building of the
OS X Framework.
2012-02-28 00:52:56 +00:00
asau
250d0ace84 Update to Heimdal 1.5.2
Release Notes - Heimdal - Version Heimdal 1.5.2

 Security fixes
 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
 - Check that key types strictly match - denial of service

Release Notes - Heimdal - Version Heimdal 1.5.1

 Bug fixes
 - Fix building on Solaris, requires c99
 - Fix building on Windows
 - Build system updates

Release Notes - Heimdal - Version Heimdal 1.5

New features

 - Support GSS name extensions/attributes
 - SHA512 support
 - No Kerberos 4 support
 - Basic support for MIT Admin protocol (SECGSS flavor)
   in kadmind (extract keytab)
 - Replace editline with libedit
2012-02-27 12:39:11 +00:00
adam
3ac5973a5f Changes 1.0.3:
This is primarily a bugfix release.
2012-02-26 13:16:32 +00:00
adam
e23b4ba694 Changes 1.8.6:
This is primarily a bugfix release.
* Fix an interaction in iprop that could cause spurious excess kadmind processes
  when a kprop child fails.

Changes 1.8.5:
This is primarily a bugfix release.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
2012-02-26 13:14:19 +00:00
pettai
4d813cf6b6 1.42
    Fixed incorrect documentation of how to enable CRL checking.
    Fixed incorrect letter in Sebastien in Credits.
    Reversed order of the Changes file to be reverse chronological.
    Fixed a compile error when building on Windows with MSVC6.

1.41
    Fixed incorrect const signatures for 1.0 that were causing warnings.
    Now have clean compile with 0.9.8a through 1.0.0.

1.40
    Fixed incorrect argument type in call to SSL_set1_param
    Fixed a number of issues with pointer sizes
    Removed redundant pointer cast tests from t/
    Added Perl version requirements to SSLeay.pm

1.39
    Downgraded Module::Install to 0.93 since 1.01 was causing problems in
    the Makefile.

1.38
    - Fixed a problem with  various symbols that only became available
    in OpenSSL 0.9.8 such as X509_VERIFY_PARAM and X509_POLICY_NODE,
    causing build failures with older versions of OpenSSL.

1.37
    - Added X509_get_fingerprint, contributed by Thierry Walrant (with
    minor changes due to the fact that stricmp is not available. Cert
    types must be lowercase. Also added test to 07_sslecho.t
    - Added support for SSL_CTX_set1_param, SSL_set1_param,
    selected X509_VERIFY_PARAM_* OBJ_* functions. Added new test
    t/local/36_verify.t
    - Fixed an uninitialized value warning in $Net::SSLeay::proxyauth
    - Update so net-ssleay will compile if SSLV2 is not present.
    - Fixed a problem where sslcat (and possibly other functions) expect
     RSA keys and will not load DSA keys for client certificates.
    - Removed SSL_CTX_v2_new and SSLv2_method() for OpenSSL 1.0 and later.
    - Added CTX_use_PKCS12_file contributed by "Andrew A. Budkin".
2012-02-22 23:10:14 +00:00
wiz
afe04b932a Revert unintended commits. 2012-02-22 15:39:43 +00:00
wiz
10b42eef42 Mention putty-devel successor. 2012-02-22 15:31:34 +00:00
wiz
89919181be Remove putty-devel, older than putty now. 2012-02-22 15:31:05 +00:00
wiz
28d4a789d3 Add a patch from the putty-devel package (not needed on my -current though) 2012-02-22 15:30:20 +00:00
wiz
5b92122de8 Update to 0.62, keeping all pkgsrc patches which have not been fed upstream (hi roy! hi rillig!)
2011-12-10 PuTTY 0.62 released

PuTTY 0.62 is out, containing only bug fixes from 0.61, in particular a security fix preventing passwords from being accidentally
retained in memory.

2011-11-27 PuTTY 0.62 pre-release builds available

PuTTY 0.61 had a few noticeable bugs in it (but nothing security-related), so we are planning to make a 0.62 release containing just bug
fixes. The Wishlist page lists the bugs that will be fixed by the 0.62 release. The Download page now contains pre-release snapshots of
0.62, which contain those bug fixes and should be otherwise stable. (The usual development snapshots, containing other development since
0.61, are also still available.)

2011-07-12 PuTTY 0.61 is released

PuTTY 0.61 is out, after over four years (sorry!), with new features, bug fixes, and compatibility updates for Windows 7 and various SSH
server software.
2012-02-22 15:27:13 +00:00
sbd
66de12233b Don't try to build if using linux-pam. 2012-02-21 22:19:25 +00:00
asau
d4fec7550f + munge 2012-02-19 03:52:28 +00:00
asau
e30b5a755a Import MUNGE 0.5.10 as security/munge.
MUNGE (MUNGE Uid 'N' Gid Emporium) is an authentication service
for creating and validating credentials. It is designed to be
highly scalable for use in an HPC cluster environment. It allows
a process to authenticate the UID and GID of another local or
remote process within a group of hosts having common users and
groups. These hosts form a security realm that is defined by a
shared cryptographic key. Clients within this security realm can
create and validate credentials without the use of root
privileges, reserved ports, or platform-specific methods.
2012-02-19 03:51:17 +00:00
gls
275bef5b5d Update security/py-cryptopp to 0.5.29.
Upstream changes:

Not complete, the only info mentioned in the Changelog is this:

2011-01-16 -- pycryptopp v0.5.28

re-enable the ECDSA module, but please do not rely on it as it is expected to
change in backwards-incompatible ways in future releases

several changes to the build system to make it tidier and less error-prone -- see
revision control history for details
2012-02-18 21:18:02 +00:00
gls
bc42ab1c81 Update security/py-OpenSSL to 0.13.
Upstream changes:

2011-09-02  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * Release 0.13

2011-06-12  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/crypto/pkey.c: Add the PKey.check method, mostly
          implemented by Rick Dean, to verify the internal consistency of a
          PKey instance.

2011-06-12  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/crypto/crypto.c: Fix the sign and verify functions so
          they handle data with embedded NULs.  Fix by David Brodsky
          <lp:~lihalla>.

2011-05-20  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/ssl/connection.c, OpenSSL/test/test_ssl.py: Add a new
          method to the Connection type, get_peer_cert_chain, for retrieving
          the peer's certificate chain.

2011-05-19  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/crypto/x509.c, OpenSSL/test/test_crypto.py: Add a new
          method to the X509 type, get_signature_algorithm, for inspecting
          the signature algorithm field of the certificate.  Based on a
          patch from <lp:~okuda>.

2011-05-10  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/crypto/crypto.h: Work around a Windows/OpenSSL 1.0 issue
          explicitly including a Windows header before any OpenSSL headers.

        * OpenSSL/crypto/pkcs12.c: Work around an OpenSSL 1.0 issue by
          explicitly flushing errors known to be uninteresting after calling
          PKCS12_parse.

        * OpenSSL/ssl/context.c: Remove SSLv2 support if the underlying
          OpenSSL library does not provide it.

        * OpenSSL/test/test_crypto.py: Support an OpenSSL 1.0 change from
          MD5 to SHA1 by allowing either hash algorithm's result as the
          return value of X509.subject_name_hash.

        * OpenSSL/test/test_ssl.py: Support an OpenSSL 1.0 change from MD5
          to SHA1 by constructing certificate files named using both hash
          algorithms' results when testing Context.load_verify_locations.

        * Support OpenSSL 1.0.0a.

2011-04-15  Jean-Paul Calderone  <exarkun@twistedmatrix.com>

        * OpenSSL/ssl/ssl.c: Add OPENSSL_VERSION_NUMBER, SSLeay_version
          and related constants for retrieving version information about the
          underlying OpenSSL library.
2012-02-18 20:40:40 +00:00
sbd
769ea24804 The compiler rpath flag isn't always '-R', so put a substitutable token in
the patch and replace it using the substitution facility with the pkgsrc
determined flag.
2012-02-18 01:23:59 +00:00
jakllsch
99564468fe Update kstart to 4.1. 2012-02-17 18:26:00 +00:00
hans
a933dd6417 Make sure the correct install tool is used. 2012-02-16 19:43:14 +00:00
hans
a51af309e7 Uses a BSD makefile. 2012-02-16 19:42:04 +00:00
hans
ea0b413f85 Fix build on SunOS. 2012-02-16 19:39:48 +00:00
asau
d8cec5c40b Provide access to tests (TEST_TARGET=check). 2012-02-15 22:39:54 +00:00
gls
d7c5d1d520 Add & enable py-ssh 2012-02-12 15:07:24 +00:00
gls
c304e2a7c5 Initial import of py-ssh, version 1.7.12, into the NetBSD packages
collection.

This is a library for making SSH2 connections (client or server). Emphasis
is on using SSH2 as an alternative to SSL for making secure connections
between python scripts. All major ciphers and hash methods are supported.
SFTP client and server mode are both supported too.
2012-02-12 15:05:04 +00:00
gls
8575828c82 Update security/py-crypto to 2.5
Upstream changes:

2.5
===
* Added PKCS#1 encryption schemes (v1.5 and OAEP). We now have
a decent, easy-to-use non-textbook RSA implementation. Yay!

* Added PKCS#1 signature schemes (v1.5 and PSS). v1.5 required some
extensive changes to Hash modules to contain the algorithm specific
ASN.1 OID. To that end, we now always have a (thin) Python module to
hide the one in pure C.

* Added 2 standard Key Derivation Functions (PBKDF1 and PBKDF2).

* Added export/import of RSA keys in OpenSSH and PKCS#8 formats.

* Added password-protected export/import of RSA keys (one old method
for PKCS#8 PEM only).

* Added ability to generate RSA key pairs with configurable public
exponent e.

* Added ability to construct an RSA key pair even if only the private
exponent d is known, and not p and q.

* Added SHA-2 C source code (fully from Lorenz Quack).

* Unit tests for all the above.

* Updates to documentation (both inline and in Doc/pycrypt.rst)

* All of the above changes were put together by Legrandin (Thanks!)

* Minor bug fixes (setup.py and tests).
2012-02-12 14:37:52 +00:00
wiz
9eb7a37c26 Revert previous on popular request. 2012-02-10 15:34:10 +00:00
wiz
c86f0cc143 Compile with PIC flags.
Needed on my 5.99.64/amd64 inside a pbulk (manual build outside
doesn't need it, go figure).
2012-02-09 11:37:10 +00:00
obache
f4b9c89a52 setusercontext() is in -lutil for DragonFly, FreeBSD and NetBSD.
Avoid including our own alternative one in libskey,
or it causes some troubles on programs using setusercontext() and skey,
and setusercontext() is only required for bundled skeyaudit(1).

Bump PKGREVISION.
2012-02-08 09:05:33 +00:00
wiz
fb1a8e5414 Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.
2012-02-06 12:41:29 +00:00
wiz
ea10c49bb7 Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.
2012-02-06 12:41:28 +00:00
wiz
5a1e8b0499 Revbump for
a) tiff update to 4.0 (shlib major change)
b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk)

Enjoy.
2012-02-06 12:40:37 +00:00
drochner
b649b95273 fix typo, and propagate dependencies 2012-02-06 11:36:45 +00:00
sbd
f67d954352 Skip the interpreter check on a csh script stub. 2012-02-06 07:06:11 +00:00
drochner
bf6f425c2f +p11-kit 2012-02-03 14:45:29 +00:00
drochner
11d72c2de9 add p11-kit-0.10, a PKCS#11 module manager, needed by gnome3 components 2012-02-03 14:43:12 +00:00
hans
aaff361bbf Use ${RM} -f to avoid failure if no files are found to be removed. 2012-02-02 09:38:24 +00:00
sno
fba0993354 add HP-UX handling for Configure parameters 2012-01-31 05:51:52 +00:00
sbd
bae873dc48 Use SET_LIBDIR to get rid of lib64 2012-01-26 23:00:22 +00:00
rhaen
224ceab8b2 Updated to 0.22
Changes:

0.21 Sat Aug 13, 2011 Mike McCauley
     - Changes to TacacsPlus.pm to permit multiple servers to be specified in
     new(). Patches provided by Paulo A Ferreira.

0.22 Wed Jan 18, 2012 Mike McCauley
     - Fixed warning under perl 5.14
2012-01-26 20:47:06 +00:00
sbd
75e2e0e387 Use SET_LIBDIR with packages that want to use lib64 2012-01-26 06:34:18 +00:00
sbd
3c5e3e5460 In the section of configure that decides whether a libdir suffix should be
used, force it to be empty (i.e. no suffix).
2012-01-26 06:05:04 +00:00
sbd
0baf031533 Recursive dependency bump for databases/gdbm ABI_DEPENDS change. 2012-01-24 09:10:50 +00:00
pettai
3eeb991970 OpenDNSSEC 1.3.5
* Auditor: Include the zone name in the log messages.
* ldns 1.6.12 is required for bugfixes.
* ods-ksmutil: Suppress database connection information when no -v flag is
  given.
* ods-enforcerd: Stop multiple instances of the enforcer running by checking
  for the pidfile at startup. If you want to run multiple instances then a
  different pidfile will need to be specified with the -P flag.
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
  put back the signer will not pick up the old file.
* Signer Engine: Verbosity can now be set via conf.xml, default is 3.

Bugfixes:
* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config
  or -c when starting the signer.
* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that
  becomes opt-out.
* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
* Signer Engine: A file descriptor for sockets with value zero is allowed.
* Signer Engine: Only log messages about a full signing queue in debug mode.
* Signer Engine: Fix time issues, make sure that the internal serial does
  not wander off after a failed audit.
* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms
  with extra long signature expiration dates. More information in separate
  announcement.
2012-01-23 11:19:26 +00:00
pettai
b8128be5f9 SoftHSM 1.3.1
* The library is now installed in $libdir/softhsm/.

Bugfixes:
* Do not give a warning about the schema version if the token
  has not been initialized yet.
* The tools now return the correct exit code.
2012-01-23 11:12:47 +00:00
apb
0141217462 Update py-m2crypto from 0.13.1 to 0.21.1.
Too many changes to list.  The master site has moved too:

-HOMEPAGE= http://sandbox.rulemaker.net/ngps/m2/
+HOMEPAGE= http://chandlerproject.org/bin/view/Projects/MeTooCrypto

-MASTER_SITES= http://sandbox.rulemaker.net/ngps/Dist/
+MASTER_SITES= http://pypi.python.org/packages/source/M/M2Crypto/
2012-01-22 10:05:18 +00:00
drochner
4c730d5c32 remove restrictions related to idea and mdc2 patents - both are expired 2012-01-20 17:07:38 +00:00
taca
c337d4d682 Update php-suhosin package to 0.9.33 to fix security problem.
SektionEins GmbH
                        www.sektioneins.de

                     -= Security  Advisory =-

     Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
               Buffer Overflow
 Release Date: 2012/01/19
Last Modified: 2012/01/19
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Suhosin Extension <= 0.9.32.1
     Severity: A possible stack buffer overflow in Suhosin extension's
               transparent cookie encryption that can only be triggered
               in an uncommon and weakened Suhosin configuration can lead
               to arbitrary remote code execution, if the FORTIFY_SOURCE
               compile option was not used when Suhosin was compiled.
         Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
               vulnerability
    Reference: http://www.suhosin.org/
               https://github.com/stefanesser/suhosin
2012-01-20 03:23:34 +00:00
reed
f3be5f68a4 Bump API dependency due to eggdbus dependency removed. 2012-01-19 15:26:59 +00:00
taca
306d66e6f5 Update security/openssl package to 0.9.8t.
OpenSSL CHANGES
 _______________

 Changes between 0.9.8s and 0.9.8t [18 Jan 2012]

  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
     Thanks to Antonio Martin, Enterprise Secure Access Research and
     Development, Cisco Systems, Inc. for discovering this bug and
     preparing a fix. (CVE-2012-0050)
     [Antonio Martin]
2012-01-19 00:51:23 +00:00
adam
54a116d766 Revbump after updating db5 2012-01-18 14:46:03 +00:00
adam
a770b740d8 Revbump after db5 update 2012-01-18 14:44:36 +00:00
sbd
0fea84f4dc Convert packages that add --libdir=* to CONFIGURE_ARGS to use
GNU_CONFIGURE_LIBDIR or GNU_CONFIGURE_LIBSUBDIR.
2012-01-17 21:43:18 +00:00
drochner
7ae3e3003a update to 2.12.16
changes: bugfixes
2012-01-17 14:54:19 +00:00
adam
9d8a5f4713 Fix building with Clang; Fix installing on Mac OS X 2012-01-16 20:36:08 +00:00
obache
368da44445 gsed related clean up.
* Stop treating NetBSD's sed as GNU sed, not fully compatible.
  * Then, no need to reset TOOLS_PLATFORM.gsed for NetBSD if USE_TOOLS+=gsed and
    real GNU sed is required.
  * In addition, convert simple USE_TOOLS+=gsed to conditionally, without NetBSD.
* convert {BUILD_,}DEPENDS+=gsed to USE_TOOLS, all tools from gsed are real gsed.
2012-01-14 07:44:33 +00:00