Commit graph

5500 commits

Author SHA1 Message Date
wiz
8a6bd2ac22 Add patch-a{a,b} to distinfo. 2010-06-03 09:23:34 +00:00
dholland
2132885e98 PR 43393: security/gsasl-1.1 fails to build on solaris 2010-06-03 02:28:31 +00:00
gls
0b5713cc75 This is a Python egg.
Don't hardwire paths in PLIST.

As noted by Ryo HAYASAKA in PR/43405.
2010-06-02 18:31:41 +00:00
taca
068ea7541e Update security/openssl package to 0.9.8o.
OpenSSL CHANGES
 _______________

 Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
     access or freeing data twice (CVE-2010-0742)
     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]

  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]

  *) VMS fixes:
     Reduce copying into .apps and .test in makevms.com
     Don't try to use blank CA certificate in CA.com
     Allow use of C files from original directories in maketests.com
     [Steven M. Schweda <sms@antinode.info>]
2010-06-02 13:30:11 +00:00
bouyer
e9fade7e66 Works fine with python2.6 too. 2010-06-01 21:30:25 +00:00
drochner
686cf38e4c +libgnome-keyring 2010-06-01 11:01:27 +00:00
drochner
2cbb100d21 add libgnome-keyring-2.30.1, a library which was split from gnome-keyring
in gnome-2.30
2010-06-01 10:56:27 +00:00
agc
bd43bee05e Update netpgp to version 3.99.4/20100601
+ avoid possible free() of new value passed to netpgp_setvar(),
  with thanks to Anon Ymous.
+ netpgpkeys(1):  print keys to stdout, not stderr - reported by Anon
  Ymous.
+ fix DSA signatures and verification
+ simplify and shorten the internals of packet processing by getting rid of
  the intermediate pseudo-abstraction layer, which detracted from understanding
  and had no benefit whatsoever. Rename some enums and some definitions.
+ add some checking to new key generation, and don't try to read in
  the keys after writing them - reported by Tyler Retzlaff
+ netpgpverify - avoid the separate codebase, and just use libnetpgp(3)
2010-06-01 06:15:00 +00:00
gls
01ddfc82dc Remove patch-aa 2010-05-31 20:34:58 +00:00
gls
7fd1450500 Update security/py-paramiko to 1.7.6.
pkgsrc changes:
- patches/patch-aa no longer required
- Added LICENSE

Changelog:
ARC4 & CTR support, IP6 support, and various bug fixes (incl. an important
Windows random number generation fix)
2010-05-31 20:30:31 +00:00
manu
9760348130 Update to lasso 2.2.91. From the NEWS file:
2.2.91 - January 26th 2010
--------------------------

A new Perl binding, fix for backward compatibility with old versions of glib,
LassoLogout API is more robust since it does not need anymore for all SP logout
to finish to work, new macro lasso_list_add_new_xml_node, add support for
WS-Security UsernameToken (equivalent of poor man HTTP Digest Authentication),
make public internal APIs: lasso_session_add_assertion,
lasso_session_get_assertion and lasso_session_remove_assertion.

2.2.90 - January 18th 2010
--------------------------

Lots of internal changes and some external one too.

There is a new api to force, forbid or let Lasso sign messages, it is called
lasso_profile_set_signature_hint.

Big overhaul of the ID-WSF 1 and 2 codes, and of the SAML 2.0 profiles. Now all
SAML 2.0 profile use common internal functions from the lasso_saml20_profile_
namespace to handle bindings (SOAP,Redirect,POST,Artifact,PAOS). New internal
API to load SSL keys from many more formats from the public API.

In ID-WSF 2.0, Data Service Template has been simplified, we no more try to
apply queries, it is the responsibility of the using code to handle them.

In bindings land, the file bindings/utils.py has been stuffed with utility
function to manipulate 'type' tuple, which are now used to transfer argument and
type description, their schema is (name, C-type, { dictionary of options } ),
they are now used everywhere in the different bindings. We support output
argument in PHP5, Python and Java, i.e. pointer of pointer arguments which are
written to in order to return multiple values. For language where the binding
convert error codes to exceptions (all of them now), the output value is
returned as the normal return value of the method, so only one output argument
is handled for now.

We now use GObject-introspection annotations in the documentation to transfer
to the binding generator the necessary metadata about the API (content of
lists, hashtables, whether pointer are caller/callee owned, can be NULL or if
argument have a default value). The file bindings/override.xml is now
deprecated.

In documentation land, the main reference documentation was reorganized and
more symbols have been added to it. Many more functions are documented.

There are now tools to control the evolution of the ABI/API of Lasso.
2010-05-31 16:44:28 +00:00
wiz
d0469478ef Mark as make-jobs-safe again; a comment said the problem was reported
upstream and supposedly fixed in 2.0.6 (pkgsrc is at 2.0.14 now).

Multiple builds with 16 jobs showed no problem.
2010-05-30 08:24:48 +00:00
obache
3b4695922a + py-xmlsec 2010-05-29 06:21:29 +00:00
obache
e5d3c498b9 Import py-xmlsec-0.3.0 as security/py-xmlsec.
Based on PR#42948 by Patrick McPhee.

PyXMLSec is a set of Python bindings for XML Security Library (XMLSec).
2010-05-29 06:20:06 +00:00
obache
596dfa8bfa Add buildlink with libxml2 and libxslt.
shlib is linked with those libraries and pkg-config also notices the requirement.
2010-05-29 05:53:04 +00:00
seb
a2ceaccfad Update p5-Module-Signature from version 0.63 to version 0.64.
Pkgsrc changes:
- placate pkglint

Upstream changes:
[Changes for 0.64 - Sun,  9 May 2010 00:50:11 +0200]

* Avoid creating gnupg configuration files for the user invoking Makefile.PL
  (Closes RT#41978).
* Correctly detect the version of gnupg on cygwin and add tests for it
  (Paul Fenwick) (Closes RT#39258).
2010-05-24 16:02:28 +00:00
tez
8f97c4caf2 fix CVE-2010-1321 (MITKRB5-SA-2010-005) and take maintainership 2010-05-20 14:21:23 +00:00
pettai
12637588ce * keychain 2.7.1 (07 May 2010)
- Addition of a "make clean" target. removal of runtests as it is currently
  broken.
- New release process in Makefile and release.sh - keychain release tarball
  will now contain pre-generated keychain, keychain.1 and keychain.spec so
  that users do not need to run "make". Updated README.rst to refer to the
  "source code" as a "release archive" since it contains both source code and
  ready-to-go script and man page.
- GPG fix from Gentoo bug 203871; This fix will fix the issue with pinentry
  starting in the background and not showing up in the terminal.

* keychain 2.7.0 (23 Oct 2009)

- lockfile() replacement from Parallels Inc. OpenVZ code, takelock() rewrite,
  resulting in ~100 line code savings. Default lock timeout set to 5 seconds,
  and now keychain will try to forcefully acquire the lock if the timeout
  aborts, rather than simply failing and aborting.
- MacOS X/BSD improvements: fix sed call in Makefile for MacOS X and presumably
  other *BSD environments. Rename COPYING to COPYING.txt + slight COPYING.txt
  formatting change. Fixed POD errors (removed '=end').
- Disable "Identity added" messages when --quiet is specified.
  (Gentoo bug #250328)
  --help will print output to stdout (Gentoo bug #196060)
  output cleanup and colorization changes - moving away from blue and over to
  cyan as it displays better on terminals with black background.
  Also some additional colorization.

* keychain 2.6.9 (26 Jul 2009)

- Close Gentoo bug 222953 fix potential issues with GNU grep, Mac OS X color
  fix when called with --eval.
- Perl 5.10 Makefile fix. Transition README to README.rst (reStructuredText).
  Updated maintainership information.
  Simplified default output
2010-05-18 06:29:31 +00:00
obache
bc61e5a122 LICENSE=2-clause-bsd 2010-05-17 02:55:18 +00:00
obache
dc1eca1464 + ruby-oauth 2010-05-16 11:46:22 +00:00
obache
c3878e368f Import ruby-oauth-0.4.0 as security/ruby-oauth.
This is a RubyGem for implementing both OAuth clients and servers in Ruby
applications.
2010-05-16 11:45:10 +00:00
pettai
d98e33af66 New better documentation is available, so point to those instead 2010-05-09 19:04:47 +00:00
pettai
4e2875d32b SoftHSM 1.1.4 - 2010-04-06
* Respect --disable-64bit
* Respect $DESTDIR for config files
* The binaries can now show the version number
* softhsm-keyconv could not handle --ttl properly
* Link softhsm static with libsofthsm
* Build libsofthsm.so without version number
* libsofthsm.so is now a loadable module
2010-05-09 18:20:38 +00:00
adam
1d09989d31 Set correct architecture on Darwin 2010-05-08 06:33:41 +00:00
agc
486c5c49cb Upgrade netpgp to version 3.99.2/20100507.
Changes to 3.99.2/20100507

+ add detached armoured signature creation and verification
+ fix manual pages
+ rationalisation of debug messages
2010-05-08 03:45:58 +00:00
ahoka
d7fc9709e7 Drop maintainership on these packages, I am no longer interested. 2010-05-07 08:34:22 +00:00
pettai
0bb4ee0d91 fixed email 2010-05-06 14:56:16 +00:00
pettai
b53b7f02d5 + opendnssec 2010-05-06 13:27:08 +00:00
pettai
bec9df58b9 The OpenDNSSEC project announces the development of Open Source software
that manages the security of domain names on the Internet.
The project intends to drive adoption of Domain Name System Security Extensions
(DNSSEC) to further enhance Internet security.
2010-05-06 12:50:17 +00:00
seb
7c36b3f230 Update p5-IO-Socket-SSL from version 1.32 to version 1.33.
Upstream changes:
v1.33 2010.03.17
- attempt to make t/memleak_bad_handshake.t more stable, it fails
  for unknown reason on various systems
- fix hostname checking: an IP should only be checked against
  subjectAltName GEN_IPADD, never against GEN_DNS or CN.
  Thanks to rusch[AT]genua[DOT]de for bug report
2010-05-05 22:47:20 +00:00
tron
37bcdfe923 Remove an old Mac OS X build fix which now breaks the build. 2010-05-02 16:03:17 +00:00
wiz
b6529bfdae Update to 2.6:
* Noteworthy changes in release 2.6 (2010-04-20) [stable]
- Fix build failure on platforms without support for GNU LD version scripts.
- libtasn1: Simplified implementation of asn1_check_version.
- tests: Improved self-checks.
- Update gnulib files, fix many syntax-check nits, indent code,
  fix license templates.
2010-05-02 11:54:12 +00:00
tonnerre
e55137e0ee Upgrade py-asn1 to version 0.0.11a.
Changes since 0.0.8a:

- Decoder can now treat values of unknown types as opaque OctetString.
- Fix to Set/SetOf type decoder to handle uninitialized scalar SetOf
  components correctly.
- API versioning mechanics retired (pyasn1.v1 -> pyasn1) what makes
  it possible to zip-import pyasn1 sources (used by egg and py2exe).
- Allow any non-zero values in Boolean type BER decoder, as it's in
  accordance with the standard.
2010-05-01 17:23:36 +00:00
zafer
7cc1239e8a remove pacnet mirror. service down. 2010-04-17 10:39:33 +00:00
taca
f104d35411 Update sudo package from sudo-1.7.2p4 to sudo-1.7.2p6.
Sudo versions 1.7.2p6 and 1.6.9p22 are now available.  These releases
fix a privilege escalation bug in the sudoedit functionality.

Summary:
    A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
    1.6.8 through 1.7.2p5 that may give a user with permission to
    run sudoedit the ability to run arbitrary commands.  This bug
    is related to, but distinct from, CVE 2010-0426.

Sudo versions affected:
    1.6.8 through 1.7.2p5 inclusive.
2010-04-16 15:33:52 +00:00
jakllsch
1cb1d01fc9 SUBDIR+=kstart 2010-04-15 20:26:02 +00:00
jakllsch
f52f7abb89 Import kstart-3.16.
k5start, and krenew are modified versions of kinit which add support
for running as a daemon to maintain a ticket cache, running a
command with credentials from a keytab and maintaining a ticket
cache until that command completes, obtaining AFS tokens (via an
external aklog) after obtaining tickets, and creating an AFS PAG
for a command. They are primarily useful in conjunction with
long-running jobs; for moving ticket handling code out of servers,
cron jobs, or daemons; and to obtain tickets and AFS tokens with
a single command.
2010-04-15 20:23:03 +00:00
tron
23ff5bb14f Update "stunnel" package to version 4.33. Changes since 4.29:
- New features
  - New service-level "libwrap" option for run-time control whether
    /etc/hosts.allow and /etc/hosts.deny are used for access control.
    Disabling libwrap significantly increases performance of stunnel.
  - Log file reopen on USR1 signal was added.
  - Graceful configuration reload with HUP signal on Unix
    and with GUI on Windows.
- Bugfixes
  - Inetd mode fixed
  - Fixed a transfer() loop issue with SSLv2 connections.
  - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option.
  - Logging subsystem bugfixes and cleanup.
  - Installer bugfixes for Vista and later versions of Windows.
  - FIPS mode can be enabled/disabled at runtime.
2010-04-15 09:57:47 +00:00
joerg
9de6420110 DESTDIR support 2010-04-14 22:45:51 +00:00
elric
3b9c4c06e2 Upgrade to 1.6.1. 2010-04-14 20:15:27 +00:00
elric
dbe729a135 Remove patch-aa as the upstream maintainer (elric@) incorporated it. 2010-04-14 19:27:15 +00:00
schmonz
98da083661 Add and enable knc. 2010-04-14 18:46:26 +00:00
schmonz
293a5f3bcc Add knc, Kerberised NetCat. It works in basically the same way as
either netcat or stunnel except that it is Kerberised. You can use
it to construct client/server applications while keeping the Kerberos
libraries out of your program's address space quickly and easily.
2010-04-14 18:45:47 +00:00
drochner
3f32b1151a update to 2.8.6
changes:
-interoperability improvements (especially for VeriSign)
-misc fixes
-translation updates
2010-04-13 16:31:27 +00:00
drochner
68fa71f9bf update to 2.5
changes:
-Improve GTK-DOC comments
-Updated gnulib files
2010-04-13 16:28:53 +00:00
taca
662d52e488 Update openssl package from 0.9.8m to 0.9.8n.
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley <agl@chromium.org>]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger <thoger@redhat.com>]
2010-04-12 14:19:17 +00:00
seb
2bd8cc3779 Update p5-Module-Signature from version 0.61 to version 0.63.
Upstream changes:
[Changes for 0.63 - Sun, 28 Mar 2010 04:46:27 +0100]

* Fix diagnostic message from Makefile.PL when the user doesn't have gnupg or
  Crypt::OpenPGP (miyagawa).

[Changes for 0.62 - Tue, 23 Mar 2010 22:17:39 +0100]

* Change the default keyserver from the outdated pgp.mit.edu to
  pool.sks-keyservers.net.
2010-04-11 23:55:02 +00:00
jmmv
67e739914a Fix PLIST: add missing locale bn. 2010-04-11 22:19:56 +00:00
markd
11d00df5ac Make sure qmake can be found during the build. 2010-04-09 23:47:19 +00:00
jmmv
64e97d3036 Fix PLIST when installing in Linux. 2010-03-31 10:33:46 +00:00