Changelog:
Changes:
Added libssh2_userauth_publickey_frommemory()
Bug fixes:
wait_socket: wrong use of difftime()
userauth: Fixed prompt text no longer being copied to the prompts struct
mingw build: allow to pass custom CFLAGS
Let mansyntax.sh work regardless of where it is called from
Init HMAC_CTX before using it
direct_tcpip: Fixed channel write
WinCNG: fixed backend breakage
OpenSSL: caused by introducing libssh2_hmac_ctx_init
userauth.c: fix possible dereferences of a null pointer
wincng: Added explicit clear memory feature to WinCNG backend
openssl.c: fix possible segfault in case EVP_DigestInit fails
wincng: fix return code of libssh2_md5_init()
kex: do not ignore failure of libssh2_sha1_init()
scp: fix that scp_send may transmit not initialised memory
scp.c: improved command length calculation
nonblocking examples: fix warning about unused tvdiff on Mac OS X
configure: make clear-memory default but WARN if backend unsupported
OpenSSL: Enable use of OpenSSL that doesn't have DSA
OpenSSL: Use correct no-blowfish #define
kex: fix libgcrypt memory leaks of bignum
libssh2_channel_open: more detailed error message
wincng: fixed memleak in (block) cipher destructor
* fixed 'test' (-t) mode (kudos to Kai for noticing)
* fixed a bug in error message formatting when the original
file extension cannot be guessed (--verify mode)
* fixed a bug in key fingerprint formatting routine
* added missing buffer range check in buf_parse_bignum()
Changelog:
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2d.
https://www.openssl.org/news/secadv_20150709.txt
* New features
- poll(2) re-enabled on MacOS X 10.5 and later.
- Xcode SDK is automatically used on MacOS X if no other
locally installed OpenSSL directory is found.
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to
include the name of the affected service section.
- A warning was added to stunnel.init if no pid file was
specified in the configuration file (thx to Peter Pentchev).
- Optional debugging symbols are included in the Win32 installer.
- Documentation updates (closes Debian bug #781669).
* Bugfixes
- Signal pipe reinitialization added to prevent turning the
main accepting thread into a busy wait loop when an external
condition breaks the signal pipe. This bug was found to
surface on Win32, but other platforms may also be affected.
- Fixed removing the disabled taskbar icon.
- Generated temporary DH parameters are used for configuration
reload instead of the static defaults.
- LSB compatibility fixes added to the stunnel.init script (thx
to Peter Pentchev).
- Fixed the manual page headers (thx to Gleydson Soares).
Version 5.19, 2015.06.16, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2c.
- Added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build.
* Bugfixes
- Improved socket error handling.
- Cron thread priority on Win32 platform changed to
THREAD_PRIORITY_LOWEST to improve portability.
- Makefile bugfixes for stunnel 5.18 regressions.
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
- Fixed a log level check condition (thx to Peter Pentchev).
Version 5.18, 2015.06.12, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2b.
https://www.openssl.org/news/secadv_20150611.txt
- Added "include" configuration file option to include all
configuration file parts located in a specified directory.
- Log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space.
- Temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file.
- Unique initial DH parameters are distributed with each release.
- Warnings are logged on potentially insecure authentication.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
removed RLE compression support, etc.
- Updated stunnel.spec (thx to Bill Quayle).
* Bugfixes
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length
header of the NTLM authentication.
- Fixed --sysconfdir and --localstatedir handling (thx to
Dagobert Michelsen).
{perl>=5.16.6,p5-ExtUtils-ParseXS>=3.15}:../../devel/p5-ExtUtils-ParseXS
since pkgsrc enforces the newest perl version anyway, so they
should always pick perl, but sometimes (pkg_add) don't due to the
design of the {,} syntax.
No effective change for the above reason.
Ok joerg
**** 0.22 February 11, 2015
Fix: rt.cpan.org #101184
make siginception and sigexpiration available as time() values
Fix: rt.cpan.org #101183
wrong URL for blog in README
Fix: rt.cpan.org #83031
[RRSIG] lack of ECDSA support
***0.21 October 24, 2014
Fix: rt.cpan.org #99250
[RRSIG] validation fails when Signer's Name is upper case
Fix: rt.cpan.org #99106
Premature end of base64 data (in 14-misc.t test script)
***0.20 August 15, 2014
Fix: rt.cpan.org #97457
!hex! error when parsing NSEC3 with empty salt
***0.19 Jun 6, 2014
Remove inappropriate deprecation warning in DNSKEY.pm
***0.18 May 8, 2014
Recode RR implementations to provide Net::DNS 0.69+ interface.
Fix: rt.cpan.org #95034
Failure to parse NSEC3PARAM record with null salt
Fix: rt.cpan.org #81289
Failure to handle GOST DS records
***0.17 November 29, 2013
Fix: rt.cpan.org #90270
NSEC3->covered() should use case-insensitive comparisons
Fix: rt.cpan.org #79606
Lower case zone-name part with DNSKEY::privatename
Allow to specify algorithms with ::Private->new_rsa_private and
::Private->generate_rsa instead of assuming RSASHA1.
Fix: rt.cpan.org #55621
Specify license type (mit) in META.yml
Fix: rt.cpan.org #60269
Remove Digest::SHA1 prerequirement
Fix: rt.cpan.org #62387 & #63273
Typo fixes
Fix: rt.cpan.org #62386
Make Net::DNS::RR::DS::digtype method work
Fix: rt.cpan.org #62385
Do not compress Next Domain Name in NSEC rdata.
Fix: rt.cpan.org #61104
Spelling correction in DS.pm and fix of key2ds demo program
Fix: rt.cpan.org #60185
Make sure %main::SIG hash keeps its values when compiling Net::DNS::RR::SIG
in perl versions before 5.14. See also: rt.perl.org #76138
Fix: rt.cpan.org #64552 and rt.cpan.org #79606
Support for private-key-format v1.3
Fix: rt.cpan.org #75892
Do not canonicalize the "Next Domain Name" rdata field of a NSEC RR
for draft-ietf-dnsext-dnssec-bis-updates-17 compliance.
BUG FIX/FEATURE: validation of wildcard RRs now available. Duane
Wessels is acknowledged for submitting the initial code on which
this fix is based.
FIX: case sensitivity of ownername during DS generation
(Acknowledgements Jens Wagner)
Note that it currently doesn't build at all (AFAICT) so the mere fact
that it doesn't build on some buggix 0.9 release isn't indicative of
much.
If in the future there turn out to be platforms it really doesn't
build for, use BROKEN_ON_PLATFORM, or ONLY_FOR_PLATFORM if it'll
really never work as opposed to nobody feels like bothering to fix it.
Reported by @kusalananda on twitter, confirmed by comparing the output of sudo
-V as root between Apple bundled version & pkgsrc version.
It's not possible to use sudo from a unprivileged build as sudo expects to be
setuid to root so mark it as NOT_FOR_UNPRIVILEGED.
Reviewed by wiz@
pkgsrc change:
* tcp_wrappers support was removed from release 6.7, but add it refering
FreeBSD's ports.
* hpn-patch is also based on FreeBSD's ports.
Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
For more information, please refer release announce.
http://www.openssh.com/txt/release-6.9http://www.openssh.com/txt/release-6.8http://www.openssh.com/txt/release-6.7
Noteworthy changes in version 0.9.5 (2015-07-01)
------------------------------------------------
* Replaced the internal Assuan and gpg-error code by the standard
libassuan and libgpg-error libraries.
* Add a new Emacs pinentry and use as fallback for GUI programs.
* gnome3: The use-password-manager checkbox does now work.
* Gtk: Improved fallback to curses feature.
* curses: Recognize DEL as backspace.
Noteworthy changes in version 0.9.7 (2014-12-12)
------------------------------------------------
* Support sending keys for GnuPG 2.1.
Noteworthy changes in version 0.9.6 (2014-11-21)
------------------------------------------------
* Support keyserver operations for GnuPG 2.1.
* Implement the IMPORT_FILES server command.
* New "Refresh Key" action in the key manager's context menu.
Noteworthy changes in version 0.9.5 (2014-09-01)
------------------------------------------------
* GPA now starts with the UI server enabled and tests on startup
whether such a server is already running to open that one instead
of launching a second instance.
* GPA is now aware of ECC keys.
* Improved detection of CMS objects (which are used by S/MIME) and
detached OpenPGP signatures.
* Allow import and export of X.509 certificates. Allow backup of
X.509 keys.
* The key creation date is now displayed in the key listing.
* Armored detached signature files are now created with an ".asc"
suffix and not with ".sig".
* The GnuPG home directory is now detected using the gpgconf tool.
* Added launch-gpa wrapper for Windows.
* Fixed several bugs leading to crashs.
Noteworthy changes in version 0.9.4 (2013-05-01)
------------------------------------------------
* Added scrollbars to the verification result window.
* Improved searching in the key listing.
* Now uses the native theme under Windows.
Noteworthy changes in version 0.9.3 (2012-08-08)
------------------------------------------------
* Allow searching in the keylist.
* Collected bug fixes.
Noteworthy changes in version 0.9.2 (2012-05-02)
------------------------------------------------
* Adjust server mode to modern Libassuan.
* Add options --enable-logging for W32.
* Add options --gpg-binary, --gpgsm-binary and --debug-edit-fsm.
* Properly process CMS data in the clipboard and with the server's
VERIFY_FILES and DECRYPT_FILES commands.
* Minor code cleanups.
Noteworthy changes in version 0.9.1 (2012-04-18)
------------------------------------------------
* The key selection dialogs for encryption and signing do not anymore
list expired, revoked or otherwise invalid keys.
* If no recipients are given to the server, a generic key selection
dialog is now used.
* Now works with Libassuan 2.x.
* The card manager now displays the ATR for an unknown card.
Noteworthy changes in version 0.9.0 (2009-06-20)
------------------------------------------------
* Added a smartcard manager.
* GPA now requires GnuPG-2.
* X.509 support is now always enabled.
* Major internal cleanups. More to follow soon.
Noteworthy changes in version 0.8.0 (2008-09-04)
------------------------------------------------
* Add basic UI server mode and option --daemon.
* GPA now supports direct crypto operations to and from the
clipboard, and features a simple text edit area as well.
* GPA supports manipulating the backend configuration through
gpg-conf.
* GPA has now basic support for X.509; use the command line switch
--cms to enable this.
* The default keyserver is now taken from gpg.conf and not from
gpa.conf.
Noteworthy changes in version 0.7.6 (2007-05-24)
------------------------------------------------
* Czech translation by Zdenek Hatas.
* Russian translation by Maxim Britov.
* Files may now be dropped onto the file manager window.
Noteworthy changes in version 0.7.5 (2007-02-26)
------------------------------------------------
* Allow setting a password if it was empty.
* Fixed changing of expiration date for non-C-99 systems.
* Fixed a crash while encrypting several files.
* Fixed a bug while encrypting to several keys.
Noteworthy changes in version 0.7.4 (2006-07-25)
------------------------------------------------
* Added icon to the Windows version.
* Other minor fixes.
Noteworthy changes in version 0.7.3 (2006-03-21)
------------------------------------------------
* Minor fixes.
Noteworthy changes in version 0.7.2 (2006-03-03)
------------------------------------------------
* The key generation wizard does not allow to set a comment anymore.
This is an advanced feature available in the advanced GUI version
of key generation.
* Bug fixes for the Windows target, in particular
internationalization and binary mode file handling.
Noteworthy changes in version 0.7.1 (2006-01-09)
------------------------------------------------
* When verifying the signature on a file, GPA now tries to find
detached signatures and asks the user whether to verify them.
* A "refresh" command was added to the keyring. So, if the keyring is
modified outside GPA (i.e. by reading emails with auto-key-retrieve
on), you can see the new keys without restarting GPA.
* A .desktop file for integration with the Gnome and KDE menus is now
distributed with the tarball.
* The GPA icon has been changed. The new icon is now used by all
windows when minimized (and on the window title if supported by the
window manager).
* It is again possible to do a build for Windows using the latest
glib version along with a glib patch as available in the gpg4win
package.
Noteworthy changes in version 1.5.5 (2015-06-08) [C24/A13/R4]
------------------------------------------------
* Fixed crash in key listings for user ids with a backslash.
* Fixed regression for GPGSM use with GnuPG < 2.1.
* Properly set signature summary for revoked OpenPGP keys.
Noteworthy changes in version 1.5.4 (2015-04-13) [C24/A13/R3]
------------------------------------------------
* Fixed a possible crash in the debug code.
* Fixed building for Windows with newer versions of Mingw.
Noteworthy changes in version 1.5.3 (2014-12-11) [C24/A13/R2]
-------------------------------------------------------------
* The export key functions do now return an error if used with the
latest GnuPG version.
Noteworthy changes in version 1.5.2 (2014-11-21) [C24/A13/R1]
-------------------------------------------------------------
* gpgme-tool is now installed.
* Fix external listing for modern keyservers.
* Minor other fixes.
Noteworthy changes in version 1.3.3 (2015-04-10) [C19/A11/R4]
------------------------------------------------
* Fixed an integer overflow in the DN decoder.
* Now returns an error instead of terminating the process for certain
bad BER encodings.
* Improved the parsing of utf-8 strings in DNs.
* Allow building with newer versions of Bison.
* Improvement building on Windows with newer versions of Mingw.
Noteworthy changes in version 2.2.1 (2015-05-12) [C5/A5/R1]
------------------------------------------------
* Documentation updates.
* Fixed building for Windows with newer versions of Mingw.
Noteworthy changes in version 2.2.0 (2014-12-11) [C5/A5/R0]
------------------------------------------------
* Added support for socket redirection.
* Interface changes relative to the 2.1.3 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
assuan_sock_set_sockaddr_un NEW.
Noteworthy changes in version 2.1.3 (2014-11-07) [C4/A4/R3]
------------------------------------------------
* Performance fix for Windows.
Noteworthy changes in version 2.1.2 (2014-08-17) [C4/A4/R2]
------------------------------------------------
* Fixed portability bugs for Solaris and AIX.
* Added support for ppc64le.
Noteworthy changes in version 2.1.1 (2013-06-24) [C4/A4/R1]
------------------------------------------------
* Limited support for 64 bit Windows. This is sufficient for use by
GpgEX.
Noteworthy changes in version 2.1.0 (2013-02-22)
------------------------------------------------
* Support for the nPth library.
* Add assuan_check_version and two version macros.
* Interface changes relative to the 2.0.3 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ASSUAN_SYSTEM_NPTH_IMPL NEW macro.
ASSUAN_SYSTEM_NPTH NEW macro.
__assuan_read NEW (private).
__assuan_write NEW (private).
__assuan_recvmsg NEW (private).
__assuan_sendmsg NEW (private).
__assuan_waitpid NEW (private).
ASSUAN_VERSION NEW macro.
ASSUAN_VERSION_NUMBER NEW macro.
assuan_check_version NEW.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
