Pkgsrc changes:
- Removed almost all warnings in MESSAGE.
Changes since version 0.21:
===========================
0.22 Mon Nov 15 2005 21:13:20
- Add public_decrypt, private_encrypt methods, contributed
by Paul G. Weiss <paul@weiss.name>
- Some changes to help builds on Redhat9
- Remove deprecated methods:
* the no-arg new constructor - use new_from_public_key,
new_from_private_key or Crypt::OpenSSL::RSA->generate_key instead
* load_public_key - use new_from_public_key
* load_private_key - use new_from_private_key
* generate_key as an instance method - use it as a class constructor
method instead.
* set_padding_mode - use use_no_padding, use_pkcs1_padding,
use_pkcs1_oaep_padding, or use_sslv23_padding instead.
* get_padding_mode
- Eliminate all (most all) memory leaks.
- fix email address
- Stop returning true from methods just to indicate success.
- Change default public exponent from 65535 to 65537
Pkgsrc changes:
none
Relevant changes since version 0.11:
=============================================
- Removed all use of strlen() in DSA.xs so signatures with nulls,
as commonly generated with sha1, could be signed/verified,
and added more tests
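The strlen() problem fixed in DSA.xs above, shown as an added example (not code from the module or from pkgsrc): a binary digest containing a 0x00 byte is cut short when its length is taken with strlen(), so two different values can compare equal. The digest bytes and all function names below are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/* Constructed 20-byte, SHA-1-sized values (not real digests). Both start
 * with the same three bytes, have 0x00 at index 3, and differ afterwards. */
const unsigned char DIGEST_A[SHA1_LEN] = {
    0xde, 0xad, 0xbe, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01
};
const unsigned char DIGEST_B[SHA1_LEN] = {
    0xde, 0xad, 0xbe, 0x00, 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5,
    0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f
};

/* Buggy pattern: binary data treated as a NUL-terminated C string.
 * The length stops at the first 0x00 byte inside the digest. */
size_t binary_len_strlen(const unsigned char *buf)
{
    return strlen((const char *)buf);
}

/* Buggy comparison built on the truncated length: only the bytes before
 * the embedded 0x00 are compared. */
int digests_equal_strlen(const unsigned char *a, const unsigned char *b)
{
    size_t la = strlen((const char *)a);
    size_t lb = strlen((const char *)b);
    return la == lb && memcmp(a, b, la) == 0;
}

/* Corrected pattern: the caller passes the length explicitly, and every
 * byte is compared without an early exit. */
int digests_equal_len(const unsigned char *a, size_t alen,
                      const unsigned char *b, size_t blen)
{
    unsigned char diff = 0;
    size_t i;

    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    printf("strlen() length of a %d-byte digest: %zu\n",
           SHA1_LEN, binary_len_strlen(DIGEST_A));
    printf("strlen-based compare says equal: %d\n",
           digests_equal_strlen(DIGEST_A, DIGEST_B));
    printf("explicit-length compare says equal: %d\n",
           digests_equal_len(DIGEST_A, SHA1_LEN, DIGEST_B, SHA1_LEN));
    return 0;
}
```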
Pkgsrc changes:
- Removed dependency on p5-Math-Pari, p5-Crypt-Random, p5-Class-Loader.
Changes since version 0.12:
===========================
0.13 2005.05.26
- Rewrote to use Math::BigInt instead of Math::Pari, including patches
from Brad Fitzpatrick for a replacement for the isprime function
(both using pure Perl and an external gp program).
- Added optional Content argument to Crypt::DSA::Key->new, to specify
serialized Content to be deserialized.
- Added Signature serialization and deserialization of ASN.1-encoded
structures.
- Added ability to do key generation using an external openssl binary.
Thanks to Brad Fitzpatrick for the patch.
- Signature object now has better get/set accessors.
- Use Module::Install instead of hand-coded Makefile.PL.
Pkgsrc changes:
- Removed (now unnecessary) patch-aa.
Changes since version 1.50:
===========================
1.57 Oct 20, 2005
* Updated POD documentation and added POD syntax and coverage
tests using Test::Pod and Pod::Coverage.
1.56 July 05, 2005
* Removed references to the mailing list and added support for
an optional commercial license.
1.55 February 18, 2005
* Fixed a bug in ::DataFormat::i2osp(), wherein there was an encoding problem
when the most significant byte is 0x0100. Reported and patched by
<jbarkdull@yahoo.com> <rt.cpan.org: Bug #11495>
* Fixed warnings in t/15-benchmark.t
1.51 February 25, 2003
* In Crypt::RSA::encrypt() and decrypt() added a check to ensure the
blocksize is greater than 0. Blocksize can be smaller than 0 if the RSA
key modulus is too small for a particular encoding.
Changes since version 1.02:
======================================
There is no list of changes. Changes I found so far:
- Used htons() from netinet/in.h to simplify handling of different endianness
between platforms.
- Some changes in test.pl
Relevant changes since version 2.03:
====================================
des.h was renamed to _des.h in an attempt to solve the build-on-Solaris
problem.
all references to des_ were changed to _des_ since the 2.04 release didn't
seem to fix the problem on Solaris.
Relevant changes since version 1.13:
====================================
- fixed circular reference between Crypt::Random and Crypt::Random::Generator
causing 'Undefined subroutine' errors.
- Made "forbidden division t_REAL % t_INT" error disappear.
- Workaround for Math::Pari's serialization problem.
- Added a Uniform option to makerandom() and makerandom_itv() that
doesn't set the high bit of the generated random, and produces
a number uniformly distributed in the interval. Thanks to Len
Budney for pointing this out.
Relevant changes since version 2.08:
=====================================
- RandomIV in message header overrides manually-supplied -salt, as one
would expect it should.
- Added OpenSSL compatibility
- Salt and IV generators take advantage of /dev/urandom device, if available
- Added regression test for PCBC mode
- Fixed bug reported by Joshua Brown that caused certain length
strings to not encrypt properly if ending in a "0" character.
- Fixed Rijndael compat problems
From Jason White via PR pkg/32780
Changes:
Security bugs resolved in this release:
* CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
subshell to perform local to local, and remote to remote copy
operations. This subshell exposed filenames to shell expansion
twice; allowing a local attacker to create filenames containing
shell metacharacters that, if matched by a wildcard, could lead
to execution of attacker-specified commands with the privilege of
the user running scp (Bugzilla #1094)
This is primarily a bug-fix release, only one new feature has been
added:
* Add support for tunneling arbitrary network packets over a
connection between an OpenSSH client and server via tun(4) virtual
network interfaces. This allows the use of OpenSSH (4.3+) to create
a true VPN between the client and server providing real network
connectivity at layer 2 or 3. This feature is experimental and is
currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
FreeBSD. Other operating systems with tun/tap interface capability
may be added in future portable OpenSSH releases. Please refer to
the README.tun file in the source distribution for further details
and usage examples.
Some of the other bugs resolved and internal improvements are:
* Reduce default key length for new DSA keys generated by ssh-keygen
back to 1024 bits. DSA is not specified for longer lengths and does
not fully benefit from simply making keys longer. As per FIPS 186-2
Change Notice 1, ssh-keygen will refuse to generate a new DSA key
smaller or larger than 1024 bits
* Fixed X forwarding failing to start when the X11 client is executed
in background at the time of session exit (Bugzilla #1086)
* Change ssh-keygen to generate a protocol 2 RSA key when invoked
without arguments (Bugzilla #1064)
* Fix timing variance for valid vs. invalid accounts when attempting
Kerberos authentication (Bugzilla #975)
* Ensure that ssh always returns code 255 on internal error (Bugzilla
#1137)
* Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)
* Set SO_REUSEADDR on X11 listeners to avoid problems caused by
lingering sockets from previous session (X11 applications can
sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)
* Ensure that fds 0, 1 and 2 are always attached in all programs, by
duping /dev/null to them if necessary.
* Xauth list invocation had bogus "." argument (Bugzilla #1082)
* Remove internal assumptions on key exchange hash algorithm and output
length, preparing OpenSSH for KEX methods with alternate hashes.
* Ignore junk sent by a server before it sends the "SSH-" banner
(Bugzilla #1067)
* The manpages have been significantly improved and rearranged, in
addition to other specific manpage fixes:
#1037 - Man page entries for -L and -R should mention -g.
#1077 - Descriptions for "ssh -D" and DynamicForward should mention
they can specify "bind_address" optionally.
#1088 - Incorrect descriptions in ssh_config man page for
ControlMaster=no.
#1121 - Several corrections for ssh_agent manpages
* Lots of cleanups, including fixes to memory leaks on error paths
(Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)
* Portable OpenSSH-specific fixes:
- Pass random seed during re-exec for each connection: speeds up
processing of new connections on platforms using the OpenSSH's
builtin entropy collector (ssh-rand-helper)
- PAM fixes and improvements:
#1045 - Missing option for ignoring the /etc/nologin file
#1087 - Show PAM password expiry message from LDAP on login
#1028 - Forward final non-query conversations to client
#1126 - Prevent user from being forced to change an expired
password repeatedly on AIX in some PAM configurations.
#1045 - Do not check /etc/nologin when PAM is enabled, instead
allow PAM to handle it. Note that on platforms using
PAM, the pam_nologin module should be used in sshd's
session stack in order to maintain past behaviour
- Portability-related fixes:
#989 - Fix multiplexing regress test on Solaris
#1097 - Cross-compile fixes.
#1096 - ssh-keygen broken on HPUX.
#1098 - $MAIL being set incorrectly for HPUX server login.
#1104 - Compile error on Tru64 Unix 4.0f
#1106 - Updated .spec file and startup for SuSE.
#1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
compilation problems on glibc 2.4
Change MAINTAINER to tech-pkg. Stop using PKGREVISION in DISTNAME.
Notable changes include:
* Postfix config has been changed so TLS is not used internally, that is
when communicating with scan-mail.pl. TLS can nevertheless be used
when communicating with the outside world on port 25.
* f-protd has been tweaked for better performance
* A bug in f-protd when using the 'id=' argument was fixed
* A format string bug in f-protd which could cause malformed xml report
was fixed
* f-prot-milter's logging changed to facilitate more useful error logs
* Fixed startup/shutdown routine for f-prot-milter in scan-mail.pl
* .wmf scanning improved
* A bug in the .hqx scanner on x86 cpu's was fixed
* A bug in the .msl scanner was fixed
* Fixed a bug in .cab and lzh handling
* A race issue with OLE documents was fixed.
- Only send TLS alert if there is one queued, fix a possible crash.
- Emit warning if prelude-failover problems arise.
- Improve error handling.
- Improve db plugin log option, "-" now means stdout.
- Various bug fixes.
- Fix for filtering IDMEF field using the '!=' operator, which resulted in
filtering of events where the field did not exist (#129).
- Implement a "move" command in preludedb-admin.
- When SQL query logging is enabled, log the time taken to execute the query.
- Improve plugin API by making it opaque so that existing plugins don't break
if we add more SQL plugin functions.
- Verbose error reporting, make the plugin error API viable for more drivers.
- Fix error reporting from perl and python bindings.
- Make libpreludedb header files c++ compiler friendly.
- Enforce listed IDMEF value ordering. IDMEF values were sometimes unordered
because of an uninitialized list position problem.
- More TLS cleanup.
- Application can now report error without using specific prelude_client
error reporting function.
- More work and improved verbose error reporting.
- Fix compilation problem with prelude_error_is_verbose() (#130).
Compilation problem on NetBSD 1.6 and OpenBSD has been fixed so patch-ad
is deleted.
http://www.pdc.kth.se/heimdal/advisory/2006-02-06/
Changes in Heimdal 0.7.2
* Fix security problem in rshd that enables an attacker to overwrite
and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash
in a NULL de-reference before the user logged in, resulting in inetd
turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
exists in the keytab before returning success. This allows servers
to check if it's even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly
uses subkey for sending for compatibility reasons, this will change
in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and
successful logins.
* Bug fixes
> -server implementation development. I won't document it before it even works.
> -small bug corrected when connecting to sun ssh servers.
> -channel weirdness corrected (writing huge data packets)
> -channel_read_nonblocking added
> -channel bug where stderr wasn't correctly read fixed.
> -sftp_file_set_nonblocking added. It's now possible to have nonblocking SFTP IO
> -connect_status callback.
> -priv.h contains the internal functions, libssh.h the public interface
> -options_set_timeout (thx marcelo) really working.
> -tcp tunneling through channel_open_forward.
> -channel_request_exec()
> -channel_request_env()
> -ssh_get_pubkey_hash()
> -ssh_is_server_known()
> -ssh_write_known_host()
> -options_set_ssh_dir
> -how could this happen ! there weren't any channel_close !
> -nasty channel_free bug resolved.
> -removed the unsigned long all around the code. use only u8,u32 & u64.
> -it now compiles and runs under amd64 !
> -channel_request_pty_size
> -channel_change_pty_size
> -options_copy()
> -ported the doc to an HTML file.
> -small bugfix in packet.c
> -prefixed error constants with SSH_
> -sftp_stat, sftp_lstat, sftp_fstat. thanks Michel Bardiaux for the patch.
> -again channel number mismatch fixed.
> -fixed a bug in ssh_select making the select fail when a signal has been caught.
> -keyboard-interactive authentication working.
> Release 5.2
> ###########
> * Again again some fixes for the ssh2 module. This is the last try. If it
> finally does not work reliable, I am throwing out that library!
> Thanks to bykhe@mymail.ch for the patch
> * Added a new module: VMWare-Auth! Thanks to david.maciejak@gmail.com!
>
>
> Release 5.1
> ###########
> * Again some fixes for the ssh2 module. Sorry. And still it might not work
> in all occasions. The libssh is not as mature as we all wish it would be :-(
> * HYDRA_PROXY_AUTH was never used ... weird that nobody reported that. fixed.
> * Fixed bug in the base64 encoding function
> * Added an md5.h include which is needed since openssl 0.9.8
> * Added an enhancement to the FTP module, thanks to piotr_sobolewski@o2.pl
> * Fixed a bug when not using passwords and just -e n/s
>
>
> Release 5.0
> ###########
> ! THIS IS A THC - TAX - 10TH ANNIVERSARY RELEASE ! HAVE FUN !
> * Incredible speed-up for most modules :-)
> * Added module for PC-Anywhere, thanks to david.maciejak(at)kyxar.fr!
> * Added module for SVN, thanks to david.maciejak(at)kyxar.fr!
> * Added --disable-xhydra option to configure, thanks to
> david.maciejak(at)kyxar.fr!
> - he is becoming the top supporter :-)
> * Added module for SIP (VoIP), thanks to gh0st(at)staatsfeind.org
> * Added support for newer sap r/3 rfcsdk
> * Added check to the telnet module to work with Cisco AAA
> * Fix for the VNC module, thanks to xmag
> * Small enhancement to the mysql plugin by pjohnson(at)bosconet.org
>
>
> Release 4.7
> ###########
> * Updated ssh2 support to libssh v0.11 - you *must* use this version if
> you want to use ssh2! download from http://www.0xbadc0de.be/?part=libssh
> This hopefully fixes problems on/against Sun machines.
> After fixing, I also received a patch from david maciejak - thanks :-)
> * Added an attack module for rlogin and rsh, thanks to
> david.maciejak(at)kyxar.fr!
> * Added an attack module for the postgres database, thanks to
> diaul(at)devilopers.org! (and again: david maciejak sent one in as well)
> * JoMo-Kun sent in an update for his smbnt module. cool new features:
> win2k native mode, xp anonymous account detection, machine name as password
> * Hopefully made VNC 3.7 protocol versions to work. please report.
> * Switched http and https service module to http-head, http-get and
> https-get, https-head. Some web servers want HEAD, others only GET
> * An initial password for cisco-enable is now not required anymore. Some
> people had console access without password, so this was necessary.
> * Fixed a bug in xhydra which did not allow custom ports > 100
> ! Soon to come: v5.0 - some cool new features to arrive on your pentest
> machine!
- prelude-manager has been updated to check the loaded revocation
list, if available. This was needed since the recent prelude-adduser
addition allowing to create analyzer revocation list.
- Remove line size limitation on specified IDMEF-criteria.
- Remove all ancillary groups as well as setgid-ing.
- Fix idmef-criteria-filter option conflict.
- Fix a possible crash if no listen address is specified, but a
reverse relay is used.
- Much better error reporting.
Prelude-Manager is a high availability server that accepts secured
connections from distributed sensors or other managers and saves
received events to a media specified by the user (database, logfile,
mail, etc).
- More accurate error reporting in preludedb-admin.
- Fix NULL error in case the buffer is too small, truncate.
- Fix license notice, stating clearly that linking from a program
using a GPL compatible license is allowed. Required for Debian package
inclusion.
The PreludeDB Library provides an abstraction layer upon the type and
the format of the database used to store IDMEF alerts.
- Get rid of the 1024 characters per line limitation (defined as per
the syslog RFC), since LML is not limited to parsing input from syslog
anymore.
- Handle events in Clamav logging format as well as syslog.
- Abstracted Squid chain regex to allow parsing of data directly
from Squid log files.
- Introduced support for openhostapd.
- Began expanding rulesets with additional_data and vendor-specific
classification data.
- Various ruleset updates and bug fixes.
Prelude-LML is a signature based log analyzer monitoring logfile and
received syslog messages for suspicious activity. It handles events
generated by a large set of components, including but not limited to:
BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso,
Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry,
Postfix, Proftpd, ssh, etc.
- Some useful API additions.
- Much improved, verbose error reporting.
- Cleaned up TLS handling, various bugfixes.
- In case an error occurs when verifying the peer certificate,
notify the peer about the failure.
The Prelude Library is the glue that binds all aspects of Prelude
together. It is a library which enables Prelude components to
communicate with the Prelude Manager. It also makes it easy for third
party software to be made 'Prelude Aware' (able to communicate with
Prelude components). It provides common, useful features used by every
sensor.
sensors, managers, and a display console. This
is the manager. The Manager (there can be several
in an IDS network) accepts secured connections
from sensors and saves the alerts that Sensors
emit. This package installs the manager so that
mySql is used for alert storage.
This is one of several new Prelude packages.
sensors, managers, and a display console.
Prelude-lml is the log file analyzer. It scans
system log files and generates IDMEF alerts to
the prelude-manager based on signature rulesets.
This is one of several new Prelude packages.
sensors, managers, and a display console. This
is Prelude DB Library. It allow the interface
allowing Prelude to use a DBMS for alert storage.
While libprelude supports a choice of MySQL or
postgreSQL, this package uses MySQL because it
was nearly an order of magnitude faster during
test operation.
This is one of several new packages in the Prelude family.
sensors, managers, and a display console. LibPrelude
is the glue that binds all aspects of Prelude together.
LibPrelude is a library which enables Prelude
components to communicate in a standard IDMEF method.
This is one of several new packages in the Prelude family.
struct timeval on DragonFly. Use BSD_INSTALL_PROGRAM, removing
the unportable -r flag at the same time. Fix build with newer
OpenSSL versions by including openssl/sha.h explicitly.
/usr/pkg/include and /usr/include can appear in any order, PREFIX can be
!= /usr/pkg.
XXX Why this hack and not split + filter to remove the include paths?
krb5-config then create one to use in the buildlink tree. Useful
for packages that expect krb5-config to exist to determine kerberos
existence/locations.
This addresses pr/32620, using the patch provided by Christian Gall.
Notable changes include:
* Fixed an endless loop encountered in a corrupted WMF sample.
* A bug in the ELF scanner could cause a crash.
* Using a symlink as a path element to f-protd could cause f-protd not to
start.
* A race issue with startproc (start-stop-daemon in LSB terms) could lead
to old DEF files being used by f-protd even after updates.
* UPX packed files could cause crash on Solaris/sparc.
* Better handling for corrupt mime files.
* A bug in MS office scanner on big-endian platforms was fixed.
* Anomy extended to do content-type fingerprinting which allows
scan-mail.pl to block attachments with false extension based on their
'real' extensions,
e.g. .wmf files claiming to be .jpg or .png files.
* A bug in scan-mail.pl's rc-script, which could cause problems in Debian
when shutting scan-mail.pl down, has been fixed.
* Tweaks and optimizations should improve scanning speed by appr. 15-40%
over previous releases.
* Engine version 3.16.10 will now try to scan zip files which falsely claim
to use 64-bit compression methods. 64 bit compression is not supported,
but the scanner will now try to scan those files using 32 bit methods.
* Improved handling of some types of corrupt files, which were previously
skipped with I/O error.
* A corrupt arj file could crash the scanner. This has been fixed.
* Fixed a bug in scan-mail.pl where attachments would sometimes be left in
quarantine.
* Trying to scan a device special file now results in non-zero exit code.
* Scanning of redirected stdin is now possible, e.g. 'f-prot /dev/fd/0 <
/path/to/file'
script not to find any system-installed compile_et.
(This should really be done by using our own PATH that doesn't include
any system paths, but we're not quite ready to do that yet.)
Patch submitted in PR 32598 by pancake <at> phreaker <dot> net
In other words:
- Add more checks and fixups on the engine.
- More keywords in wordlists database.
- Add new mode called 'silent mode'
- more charsets available for gendict
- add some more examples
- add fine tuning for words in NEC=200
"extract" script for extraction. Many cases where a custom EXTRACT_CMD
simply copied the distfile into the work directory are no longer
needed. The extract script also hides differences between pax and
tar behind a common command-line interface, so we no longer need code
that's conditional on whether EXTRACT_USING is tar or pax.
** New API to access the TLS master secret.
When possible, you should use the TLS PRF functions instead.
** Improved handling when multiple libraries use GnuTLS at the same time.
Now gnutls_global_init() can be called multiple times, and
gnutls_global_deinit() will only deallocate the structure when it has
been called as many times as gnutls_global_init() was called.
** Added a self test of TLS resume functionality.
** Fix crash in TLS resume code, caused by TLS/IA changes.
** Add 'const' keywords in various places, from Frediano ZIGLIO.
** The code was indented again, including the external header files.
** API and ABI modifications:
New functions to retrieve the master secret value:
gnutls_session_get_master_secret
Add a 'const' keyword to existing API:
gnutls_x509_crq_get_challenge_password
Grab maintainership
From the ChangeLog (Summarised)
> * ike-backoff-patterns: Added backoff patterns for Netgear ProSafe
> and Netgear ADSL Firewall Router. Submitted by Paul Askew.
> * ike-scan.c, ike-scan.h, configure.ac: Added new --writepkttofile
> option. This option writes the output packet to the specified file
> rather than sending it to the remote host. It is intended for
> debugging and testing purposes, to allow the IKE packet to be
> easily checked. This option is not documented, because it is
> designed purely for testing.
> * check-packet: New test to check IKE scan packet data. Currently
> tests two sample packets: one default proposal, and one custom
> proposal.
> * ike-scan.c: Added --exchange option to allow the exchange field
> in the ISAKMP header to be set to arbitrary values.
> * ike-scan.c, isakmp.c: Added --hdrflags and --hdrmsgid options to
> allow Flags and MsgID fields in the ISAKMP header to be specified.
> * ike-scan.c: Added --cookie option to allow the initiator cookie in
> the ISAKMP header to be set to a static value.
> * ike-scan.c, isakmp.c: Add --spisize option to allow a random SPI
> of the specified size to be added to the proposal payload.
> * ike-vendor-ids: Added 16 new Vendor IDs, and revised some comments
> on existing entries.
> * ike-scan.c: Added --doi (-D) and --situation (-S) options to allow
> the DOI and Situation in the SA of the outbound packets to be changed
> from the default of DOI_IPSEC and SIT_IDENTITY_ONLY.
> * ike-scan.c: Added --protocol (-j) and --transid (-k) options to
> allow the proposal protocol and transform id of the outbound packets
> to be changed from the defaults.
> * ike-scan.c: Added --certreq (-C) option to add a
> CertificateRequest payload to the outgoing packet.
> * ike-scan.c: Added --headerlen (-L) option to allow the ISAKMP header
> length to be manually specified. Normally, ike-scan will
> automatically calculate the correct length; however, you can use this
> option if you want to use an incorrect length value instead.
> * ike-scan.c, isakmp.c: Added --mbz (-Z) option to allow the value for
> the reserved (MBZ) fields to be set to non-zero values. Doing so
> will make the outgoing packet non-RFC compliant.
> * ike-scan.c, isakmp.c: Added --headerver (-E) option to allow the
> version field in the ISAKMP header to be altered from the default of
> 0x10 (v1.0).
> * ike-scan.c: Added --bandwidth (-B) option to allow the outgoing
> bandwidth to be specified directly instead of using --interval.
> The --bandwidth option calculates the appropriate interval setting,
> taking into account the size of the packet.
> * ike-scan.c: Added --noncelen (-c) option to allow the length of the
> nonce data to be changed. This is only applicable to aggressive
> mode.
This fixes PR pkg/30290 by Nicolas Joly so the latest DAT files are working
again.
- Moved included DAT-files to shares/examples/uvscan/.
- Works with PKG_CONFIG=no.
- PDF manual included in share/doc/uvscan/.
- Some small improvements to update_dat.sh:
Option "-h" shows the available options.
All the "exit" statements use distinct values.
Fixed a small logic bug (-z vs. -n).
Changes according to McAfee's website:
- Includes technology to combat the latest and
future threats.
- Improved detection and cleaning.
- Support for many more Packed Executable formats
in which known malware is often re-packaged
for obfuscation purposes.
- Specific detection and reporting of files
compressed or packaged with known suspicious
applications.
- Enhancements to the emergency DAT file (EXTRA.DAT)
structure allowing a larger DAT file size.
- Enhancements to enable scanning of non-standard
ZIP archives.
Additionally, fix it to compile against openssl-0.9.7i, the
current pkgsrc version; due to its way of checking compatibility,
py-m2crypto is extremely picky about constness.
If this works with other versions too, just add them to the pattern.
Changes since 0.12/0.11
-------------------------
- Patches from Artur Frysiak. Thanks Artur.
= Allow using a passphrase callback in class SMIME.
= Added method get0_signers to class PKCS7, which retrieves signers'
certificates from a PKCS7 blob.
= Added methods as_pem and save_pem to class X509.
= Added file version.py.
= Allow SSL.Context.load_verify_locations to accept both 'cafile' and
'capath'.
- Fixed BIO.read() not reading until EOF. Thanks to Egil Muller
for suggestion.
- Honour 'mode' parameter in SSL.Connection.makefile. Thanks again to Egil
Muller.
- Roger Binns contributed epydoc-generated docs for M2Crypto. Thanks Roger.
- Peter Teniz contributed patches to create X.509 requests and certificates.
Thanks Peter.
- Updated Medusa to 0.54.
- Make various OpenSSL bignum functions (written long ago) available to Python.
long. PR#32378 by Stefan Krüger.
Changes:
Added PS4 and SHELLOPTS to the list of variables to remove from
the environment. (Already in pkgsrc)
Added JAVA_TOOL_OPTIONS to the list of variables to remove from
the environment.
Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to
remove from the environment. (Already in pkgsrc)
without affecting packages that are currently using it.
Packages which previously didn't set BUILDLINK_DEPMETHOD to neither "full" nor
"build" now set it to "full", but should be checked whether they really need it
(comment added). Packages which previously set it to "build" now don't set it
anymore.
Ok by jlam, wiz.
rather than PKG_FAIL_REASON, so that they provide useful error
messages in build logs, and so that they continue to work on platforms
where they aren't broken.
engine to search and process a database of security events generated by
various IDSes, firewalls, and network monitoring tools. The features currently
include:
o Query-builder and search interface for finding alerts matching
on alert meta information (e.g. signature, detection time) as well as
the underlying network evidence (e.g. source/destination address, ports,
payload, or flags).
o Packet viewer (decoder) will graphically display the layer-3 and
layer-4 packet information of logged alerts
o Alert management by providing constructs to logically group alerts
to create incidents (alert groups), deleting the handled alerts or
false positives, exporting to email for collaboration, or archiving of
alerts to transfer them between alert databases.
o Chart and statistic generation based on time, sensor, signature, protocol,
IP address, TCP/UDP ports, or classification
Add a MESSAGE about false-positive results on non-supported platforms
Helps to address PR# 31813 reported by Eric Mumpower
From the README:
02/22/2005 - Version 0.45 chkproc.c: better support for Linux
threads. New rootkit detected: Fu,
Kenga3, ESRK. New test: chkutmp. -n
option improvement. Minor bug fixes.
10/26/2005 - Version 0.46 chkproc.c: more fixes to better support
Linux threads. chkutmp.c: improved
execution speed. chkwtmp.c: segfault
fixed. New rootkit detected: rootedoor.
Mac OS X support added. Minor bug fixes.
10/28/2005 - Version 0.46a chkproc.c: bug fix for FreeBSD: chkproc
was sending a SIGXFSZ (kill -25) to init,
causing a reboot.
2005-11-30 Gisle Aas
Release 2.36
Fix documentation typo.
2005-11-26 Gisle Aas
Release 2.35
Forgot to incorporate fixes already applied to bleadperl :-(
- doc typo
- consting
- unused my_na
- USE_HEAP_INSTEAD_OF_STACK for Symbian
2005-11-26 Gisle Aas
Release 2.34
Document that it is now easy to generate different messages that produce the
same MD5 digest.
Use XSLoader; perl-5.6 is now required.
Tweaks to the processing of $? after running the test program.
* Version 1.3.2 (released 2005-12-15)
** GnuTLS now supports TLS Inner application (TLS/IA).
This is per draft-funk-tls-inner-application-extension-01. This
functionality is added to libgnutls-extra, so it is licensed under the
GNU General Public License.
** New APIs to access the TLS Pseudo-Random-Function (PRF).
The PRF is used by some protocols building on TLS, such as EAP-PEAP
and EAP-TTLS. One function to access the raw PRF and one to access
the PRF seeded with the client/server random fields are provided.
Suggested by Jouni Malinen <jkmaline@cc.hut.fi>.
** New APIs to access the client and server random fields in a session.
These fields can be useful by protocols using TLS. Note that these
fields are typically used as input to the TLS PRF, and if this is your
intended use, you should use the TLS PRF API that use the
client/server random field directly. Suggested by Jouni Malinen
<jkmaline@cc.hut.fi>.
** Internal type cleanups.
The uint8, uint16, uint32 types have been replaced by uint8_t,
uint16_t, uint32_t. Gnulib is used to guarantee the presence of
correct types on platforms that lack them. The uint type has been
replaced by unsigned.
** API and ABI modifications:
New functions to invoke the TLS Pseudo-Random-Function (PRF):
gnutls_prf
gnutls_prf_raw
New functions to retrieve the session's client and server random values:
gnutls_session_get_server_random
gnutls_session_get_client_random
New function, to perform TLS/IA handshake:
gnutls_ia_handshake
New function to decide whether to do a TLS/IA handshake:
gnutls_ia_handshake_p
New functions to allocate a TLS/IA credential:
gnutls_ia_allocate_client_credentials
gnutls_ia_free_client_credentials
gnutls_ia_allocate_server_credentials
gnutls_ia_free_server_credentials
New functions to handle the AVP callback:
gnutls_ia_set_client_avp_function
gnutls_ia_set_client_avp_ptr
gnutls_ia_get_client_avp_ptr
gnutls_ia_set_server_avp_function
gnutls_ia_set_server_avp_ptr
gnutls_ia_get_server_avp_ptr
New functions, to toggle TLS/IA application phases:
gnutls_ia_require_inner_phase
New function to mix session keys with inner secret:
gnutls_ia_permute_inner_secret
Low-level API (used internally by gnutls_ia_handshake):
gnutls_ia_endphase_send
gnutls_ia_send
gnutls_ia_recv
New functions that can be used after successful TLS/IA negotiation:
gnutls_ia_generate_challenge
gnutls_ia_extract_inner_secret
Enum type with TLS/IA modes:
gnutls_ia_mode_t
Enum type with TLS/IA packet types:
gnutls_ia_apptype_t
Enum values for TLS/IA alerts:
GNUTLS_A_INNER_APPLICATION_FAILURE
GNUTLS_A_INNER_APPLICATION_VERIFICATION
New error codes, to signal when an application phase has finished:
GNUTLS_E_WARNING_IA_IPHF_RECEIVED
GNUTLS_E_WARNING_IA_FPHF_RECEIVED
New error code to signal TLS/IA verify failure:
GNUTLS_E_IA_VERIFY_FAILED
* Version 1.3.1 (released 2005-12-08)
** Support for DHE-PSK cipher suites has been added.
This method offers perfect forward secrecy.
** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
Otto Maddox <ottomaddox@fastmail.fm> and Nozomu Ando <nand@mac.com>.
** Corrected a bug in certtool for 64 bit machines. Reported
by Max Kellermann <max@duempel.org>.
** New function to set X.509 private key and certificate pairs, and/or
CRLs, from a PKCS#12 file, suggested by Emile van Bergen
<emile@e-advies.nl>.
The integrity of the PKCS#12 file is protected through a password
based MAC; public-key based signatures for integrity protection are
not supported. PKCS#12 bags may be encrypted using password derived
symmetric keys, public-key based encryption is not supported. The
PKCS#8 keys may be encrypted using passwords. The API uses the same
password for all operations. We believe that any more flexibility
creates too much complexity that would hurt overall security, but may
add more PKCS#12 related APIs if real-world experience indicates
otherwise.
** gnutls_x509_privkey_import_pkcs8 now accepts unencrypted PEM PKCS#8 keys,
reported by Emile van Bergen <emile@e-advies.nl>.
This will enable "certtool -k -8" to parse those keys.
** Certtool now generates keys in unencrypted PKCS#8 format for empty passwords.
Use "certtool -p -8" and press enter at the prompt. Earlier,
certtool would have encrypted the key using an empty password.
** Certtool now accepts --password for --key-info and encrypted PKCS#8 keys.
Earlier it would have prompted the user for it, even if --password was
supplied.
** Added self test of PKCS#8 parsing.
Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and
pbeWithSHAAnd40BitRC2-CBC) formats are tested. The test is in
tests/pkcs8.
** API and ABI modifications:
New function to set X.509 credentials from a PKCS#12 file:
gnutls_certificate_set_x509_simple_pkcs12_file
New gnutls_kx_algorithm_t enum type:
GNUTLS_KX_DHE_PSK
New API to return session data (better data types than
gnutls_session_get_data):
gnutls_session_get_data2
New API to set PSK Diffie-Hellman parameters:
gnutls_psk_set_server_dh_params
* Version 1.3.0 (2005-11-15)
** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites has been added.
This adds several new APIs, see below. Read the updated manual for
more information. A new self test "pskself" has been added, that will
test this functionality.
** The session resumption data are now system independent.
** The code has been re-indented to conform to the GNU coding style.
** Removed the RIPEMD ciphersuites.
** Added a discussion of the internals of gnutls in manual.
** Fixes for Tru64 UNIX 4.0D that lacks MAP_FAILED, from Albert Chin.
** Remove trailing comma in enums, for IBM C v6, from Albert Chin.
** Make sure config.h is included first in a few files, from Albert Chin.
** Don't use C++ comments ("//") as they are invalid, from Albert Chin.
** Don't install SRP programs and man pages if --disable-srp-authentication,
from Albert Chin.
** API and ABI modifications:
New gnutls_kx_algorithm_t key exchange type: GNUTLS_KX_PSK
New gnutls_credentials_type_t credential type:
GNUTLS_CRD_PSK
New credential types:
gnutls_psk_server_credentials_t
gnutls_psk_client_credentials_t
New functions to allocate PSK credentials:
gnutls_psk_allocate_client_credentials
gnutls_psk_free_client_credentials
gnutls_psk_free_server_credentials
gnutls_psk_allocate_server_credentials
New enum type for PSK key flags:
gnutls_psk_key_flags
New function prototypes for credential callback:
gnutls_psk_client_credentials_function
gnutls_psk_server_credentials_function
New function to set PSK username and key:
gnutls_psk_set_client_credentials
New function to set PSK passwd file:
gnutls_psk_set_server_credentials_file
New function to extract PSK user in server:
gnutls_psk_server_get_username
New functions to set PSK callback:
gnutls_psk_set_server_credentials_function
gnutls_psk_set_client_credentials_function
Use size_t instead of int for output size parameter:
gnutls_srp_base64_encode
gnutls_srp_base64_decode
incorrect field calculation for the second field if the first field is
numeric and there are only 2 fields total in the input record (line).
The buggy awk was in 2.99.* and early 3.99.*, and identifies itself as
awk version 20030729. However, not all awk's with this version number
exhibit the problem (so it could be related to a library used by awk).
Recent 3.99.* builds don't have this problem, and the awk version on
them is also much more recent.
you think you might have read the openssl man pages one time too much for
your own sanity, you might like this package.
Certificate Service Provider is a perl wrapper around openssl that allows you
to run multiple simple certificate authorities (CAs). CSP is designed to be
simple (almost to a fault) and is ideally suited to small PKIs (< 1000
entities) where security is paramount. CSP is meant to be run on isolated,
offline computers while still allowing CRLs and certificate repositories to be
easily published.
The package includes a patch that lets the program run out-of-the-box,
without setting up CSPHOME and OPENSSL in the environment. Defining them
is of course still permitted.
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000312.html
Noted by waldeck of hk2.uwaterloo.ca via pkgsrc-bugs.
Bump PKGREVISION.
Tested build on NetBSD and Linux. Tested dropbear server on NetBSD.
(This is during a freeze. Other stuff to be done later:
update to latest version. Install man pages. Mention "client" in
COMMENT and DESCR. Use CONF_FILES and sysconfdir. And maybe install the
"scp" tool also.)
Bugs fixed since 2.0.9:
* bug #1349326 "ulogd option does not work". There was a typo in the
class iptAdvancedDialog ( 'useULOG' instead of 'use_ULOG' )
* bug #1315892: "fwbuilder crashes on missing OS template" The GUI
crashed if user added new hostOS or firewall platform template under
resources/os or resources/platforms, then reinstalled the package (and
therefore lost their custom template files), then tried to open
firewall or host OS settings dialog for the object using new template.
* bug #1305933: "fwbuilder/Solaris: compilation errors". Another case of
implicit type conversion QString->string which does not compile on
systems with QT built w/o STL support.
* bug #1304878: fwbuilder: signal.h required (Solaris). Using
'AC_CHECK_HEADERS([signal.h])' in configure.in to check for the
appropriate #include.
* bug #1304764: "configure script: Sun make check fails". Need to use
${MAKE-make} instead of $ac_make when checking for GNU make.
* bug #1304785: "fwbuilder - Solaris has no libutil". Using better way
to check whether we need to link with libutil.
Bugs fixed in policy compiler for iptables since 2.0.9:
* bug #1342495: "SNAT with address range". Compiler used to print
warning "Adding virtual addresses for NAT is not supported for
address range" even if adding virtual addresses for NAT was turned off.
* bug #1313420: "OUTPUT chain is built wrong under certain conditions."
Rules that have firewall in SRC and DST, while DST has negation,
should be split so that the second generated rule goes into OUTPUT
chain rather than FORWARD
Change most pkgs to depend on either
emulators/suse_linux/Makefile.application (normal pkgs) or
Makefile.common (suse91 and suse themselves) to filter out Operating
Systems without Linux ABI support. Use CPU masks to limit the pkg to
supported platforms.
5.31 Mon Sep 5 00:52:42 MST 2005
- added standard tests for pod and pod-coverage checking
- inserted subtest to check for failure when using
unrecognized SHA algorithm
5.30 Sat Aug 20 16:46:08 MST 2005
- updated docs with recent NIST statement on SHA-1
-- advises use of larger and stronger hash functions
(i.e. SHA-224/256/384/512) for new developments
5.29 Sun Aug 14 04:48:34 MST 2005
- added explicit casts in "shaload" routine (ref. "ldvals")
-- thanks to E. Allen Smith for pointing out SGI compiler
warnings on IPxx-irix platforms
- updated docs with cautionary note about SHA-1
o A small bug was fixed in the check-updates.pl program where the updater
wouldn't find the DEF files to update.
o Bug in CHM mini-scanner which could lead to crashes was fixed
o f-prot-milter wouldn't run on Solaris 10 because of library issues
o Fixes an issue where the scanner would sometimes mis-identify .alr
files as base64 coded executables
o Fix where '-list' option to f-prot would not list the filenames of
text-based archives, such as MIME containers.
o Fix where certain executables would be mis-identified as UPX packed
o Fix where UTF8 coded text files would not be scanned
o Fix a crash issue when scanning .chm files containing strange header
values
o Updated error message when access is denied to files due to user
permission problems
o F-Prot 4.6.0 contains scanning engine version 3.16.7 which improves
detection capabilities significantly and improves several scanning
methods along with bugfixes.
MD4 Collision Generation
Faster implementation of techniques described in Cryptanalysis for
Hash Functions MD4 and RIPEMD, by Xiaoyun Wang, et al.
Average runtime on P4 1.6ghz - 5 seconds
MD5 Collision Generation
Faster implementation of techniques in How to Break MD5 and Other Hash
Functions, by Xiaoyun Wang, et al.
Old (Wang, et al.) average run time on IBM P690 supercomputer - 1 hour
New average run time on P4 1.6ghz PC - 45 minutes
Describe -K. Improve -i description. Sort options in SYNOPSIS. Remove
superfluous .Pp. Add EXIT STATUS section. Remove trailing whitespace.
Bump date for new -i.
the improved ALLOW_VULNERABILITIES support. This now has the ability to:
-p : Only check a single package
-i : Provide a list of vulnerabilities to ignore
-K : Specify an alternate pkg dbdir.
Bump the version to 0.40.
* Version 1.2.9 (2005-11-07)
- Documentation was updated and improved.
- RSA-MD2 is now supported for verifying digital signatures.
- Due to cryptographic advances, verifying untrusted X.509
certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
GNUTLS_CERT_INSECURE_ALGORITHM verification output. For
applications that must remain interoperable, you can use the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
flags when verifying certificates. Naturally, this is not
recommended default behaviour for applications. To enable the
broken algorithms, call gnutls_certificate_set_verify_flags with the
proper flag, to change the verification mode used by
gnutls_certificate_verify_peers2.
- Make it possible to send empty data through gnutls_record_send,
to align with the send(2) API.
- Some changes in the certificate receiving part of handshake to prevent
some possible errors with non-blocking servers.
- Added numeric version symbols to permit simple CPP-based feature
tests, suggested by Daniel Stenberg <daniel@haxx.se>.
- The (experimental) low-level crypto alternative to libgcrypt used
earlier (Nettle) has been replaced with crypto code from gnulib.
This leads to easier re-use of these components in other projects,
leading to more review and simpler maintenance. The new configure
parameter --with-builtin-crypto replaces the old --with-nettle, and
must be used if you wish to enable this functionality. See README
under "Experimental" for more information. Internally, GnuTLS has
been updated to use the new "Generic Crypto" API in gl/gc.h. The
API is similar to the old crypto/gc.h, because the gnulib code was
based on GnuTLS's gc.h.
- Fix compiler warning in the "anonself" self test.
- API and ABI modifications:
gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
This doesn't reflect a change in behaviour,
so we don't break backwards compatibility.
GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values.
Use when calling
gnutls_x509_crt_list_verify,
gnutls_x509_crt_verify, or
gnutls_certificate_set_verify_flags.
GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
used when broken signature algorithms
are used (currently RSA-MD2/MD5).
LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR,
LIBGNUTLS_VERSION_PATCH,
LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
version number, can be used for feature existence
tests.