USE_TOOLS and any of "autoconf", "autoconf213", "automake" or
"automake14". Also, we don't need to call the auto* tools via
${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care
to symlink the correct tool to the correct name, so we can just use
aclocal, autoconf, etc.
Several changes are involved since they are all interrelated. These
changes affect about 1000 files.
The first major change is rewriting bsd.builtin.mk as well as all of
the builtin.mk files to follow the new example in bsd.builtin.mk.
The loop to include all of the builtin.mk files needed by the package
is moved from bsd.builtin.mk and into bsd.buildlink3.mk. bsd.builtin.mk
is now included by each of the individual builtin.mk files and provides
some common logic for all of the builtin.mk files. Currently, this
includes the computation for whether the native or pkgsrc version of
the package is preferred. This causes USE_BUILTIN.* to be correctly
set when one builtin.mk file includes another.
The second major change is teaching the builtin.mk files to consider
files under ${LOCALBASE} to be from pkgsrc-controlled packages. Most
of the builtin.mk files test for the presence of built-in software by
checking for the existence of certain files, e.g. <pthread.h>, and we
now assume that if that file is under ${LOCALBASE}, then it must be
from pkgsrc. This modification is a nod toward LOCALBASE=/usr. The
exceptions to this new check are the X11 distribution packages, which
are handled specially as noted below.
The third major change is providing builtin.mk and version.mk files
for each of the X11 distribution packages in pkgsrc. The builtin.mk
file can detect whether the native X11 distribution is the same as
the one provided by pkgsrc, and the version.mk file computes the
version of the X11 distribution package, whether it's built-in or not.
The fourth major change is that the buildlink3.mk files for X11 packages
that install parts which are part of X11 distribution packages, e.g.
Xpm, Xcursor, etc., now use imake to query the X11 distribution for
whether the software is already provided by the X11 distribution.
This is more accurate than grepping for a symbol name in the imake
config files. Using imake required sprinkling various builtin-imake.mk
helper files into pkgsrc directories. These files are used as input
to imake since imake can't use stdin for that purpose.
The fifth major change is in how packages note that they use X11.
Instead of setting USE_X11, package Makefiles should now include
x11.buildlink3.mk instead. This causes the X11 package buildlink3
and builtin logic to be executed at the correct place for buildlink3.mk
and builtin.mk files that previously set USE_X11, and fixes packages
that relied on buildlink3.mk files to implicitly note that X11 is
needed. Package buildlink3.mk should also include x11.buildlink3.mk
when linking against the package libraries requires also linking
against the X11 libraries. Where it was obvious, redundant inclusions
of x11.buildlink3.mk have been removed.
* Version 1.2.4 (2005-05-28)
- Corrected some bugs that could affect 64 bit systems.
- Some corrections in the header files to include the prototype
of memmem properly (affected 64 bit systems). Report and patch
by Yoann Vandoorselaere <yoann@prelude-ids.org>.
- Introduced the --fix-key option to certtool, which can be used to
regenerate the (optional) parameters in a private key. It should
be used together with --key-info.
- Corrected a bug in certificate chain verification that could lead
to marking a trusted chain as non trusted, if the last certificate in
the chain was a self signed one.
- Gnulib portability files were updated.
- License were updated to reflect new FSF address.
This still works on NetBSD (1.6.2 tested) but also fixes the include error
on Linux (Debian 3 tested) and Solaris (9 tested).
Although DragonFlyBSD, FreeBSD and OpenBSD should work as before I have
not tried to build the package there.
Feedback whether it builds/works on Darwin/MacOS is also welcome.
Changes from previous pkgsrc version 2.1.0 include:
apg-2.2.3
Fixed version info (-v).
apg-2.2.2
Fixed permissions for source distribution.
apg-2.2.1
Changed manpages of apg and apgd.
apg-2.2.0
Added Polish translation for APG PHP frontend.
Added option -p (see apg(1) apgd(8)).
Added option -t (see apg(1) apgd(8)).
Added option -l (see apg(1)).
Changed format of the bloom-filter file. Added
converter utility to convert old format to the
new one (bfconvert).
Added option -i (see apgbfm(1)).
Fixed some bugs.
Some compatibility changes.
Changed default apg options.
Update provided by Leonard Schmidt <lems@gmx.net> in PR#30345, thanks!
and extra pam file was not included in +CONTENTS.
So moved the include of options.mk to after the PLIST_SRC and
MESSAGE_SRC are defined as empty.
(MESSAGE_SRC is redefined if Interix and if PAM PKG_OPTION was enabled
then this still needs to be fixed.)
seahorse 0.7.8
--------------
* HKP key server support.
* Reworked drag-and-drop. Now works between Seahorse windows.
* Added a dialog for adding key servers simply and correctly.
* Add option to agent 'Authorize' window to turn off prompting
for authorization [Adam Schreiber]
* Handle empty passwords properly in agent [Adam Schreiber]
* Keep agent window on top [Adam Schreiber]
* Removed libeel dependency.
* Better keyboard handling in the recipients dialog.
* Fix some rare gnome-vfs problems.
* Many smaller bug fixes.
seahorse 0.7.7
--------------
* Working keyserver sync (including upload) support.
* Compatibility with GNOME 2.10.
* Nautilus plugin now works with Nautilus 2.10 [Fernando Herrera]
* Cleaned up and simplified columns in the Key Manager.
* Fix problems with entering expiry dates.
* Remove 'Text Mode' option. Clarify 'ASCII Armor' option.
* Removed lots of 'jargon' from the interface.
* Can now drag keys from a key list to nautilus.
* Many smaller bug fixes.
seahorse 0.7.6
--------------
* Compatible with GPG 1.4
* Initial LDAP key server searching and importing support.
* Show descriptive icons (eg: secret, public keys) in the main
Key Manager window. [Adam Schreiber]
* Monitor keyring and refresh key list automatically across
processes, such as gedit plugin, recipient selection etc...
* Decryption 'Open With' in nautilus for PGP encrypted and
signed files. [Adam Schreiber]
* Added Backup Keyrings functionality. [Adam Schreiber]
* Prompt for signer when no default key is selected.
* Display UIDs properly in the seahorse-agent status window.
* Allow selection of a signing key in the Recipients dialog.
* More usable HIG friendly Key Properties dialog [Jim Pharis]
* Fix problems with 0 length files being created on error.
* Gnome HIG compliancy fixes
* Allow deletion of UIDs from the Key Manager window.
* Show all UIDs in the Recipient selection dialog.
* Prompt before overwriting files.
* More efficient operations on large files.
* Enable gedit plugin by default.
* Many smaller bug fixes.
> Some highlights in this release:
>
> - Previously unreleased exploits (20 others added since 2.3)
> + Solaris KCMS Arbitrary File Read
> + Solaris snmpXdmid AddComponent Overflow
> + Metasploit Framework Payload Handler
> + Microsoft Message Queueing Service MSO5-017
> + Minishare 1.41 Buffer Overflow
>
> - Addition of the new SunRPC and XDR Perl API
> + Allows for clean RPC exploit development
> + Used by two new exploit modules (KCMS and snmpXdmid)
> + Updated sadmind exploit uses the new API
>
> - Includes the new win32 PassiveX payload system
> + Loads an arbitrary ActiveX through Internet Explorer
> + PassiveX payload loads the next stage over HTTP
> + HTTP transport emulates a standard TCP connection
> + Interact with cmd.exe, VNC, or Meterpreter over HTTP
> + Uses Internet Explorer settings for proxy access
> + Fully-functional on systems with Internet Explorer 6
> + Extensive documentation is available online:
> * http://www.uninformed.org/?v=1&a=3&t=pdf
>
> - Stability improvements and numerous bug fixes
> + The msfweb interface is slightly less of a memory pig
> + Many exploits have been updated and improved
> + New external references added to the exploit modules
>
> - General improvements to the payload system
> + Brand new "shelldemo" binary for the impurity stager
> + Size reductions to win32_bind, win32_reverse, and others
> + Can now make standalone executables with msfpayload
> + Interact with metasploit payloads via payload_handler.pm
Apparently, for as of yet undetermined reasons, gawk as built on IRIX
under pkgsrc croaks on regular expressions including a
combination of alpha- and numerical matches, such as the rather
trivial /^[ \t]*[0-9]+/
Let's use the system's AWK (ie nawk) for this package to avoid
breaking hundreds of dependents.
Speculation: somehow the regular expression library used to build
gawk conflicts with the system's regular expression library or
some such.
Note: gawk from SGI's freeware collection depends on expat -- why
is that? Does that have anything to do with anything?
of the example config files through to sub-make processes. Since
courier-authlib uses GNU automake, we need to set AM_MAKEFLAGS to the
correct value. This fixes the installation of the *.dist files into
${PREFIX}/share/examples/courier-authlib.
Updated to OpenBSD 3.7 pf:
* Support limiting TCP connections by establishment rate, automatically
adding flooding IP addresses to tables and flushing states
(max-src-conn-rate, overload <table>, flush global).
* Improved functionality of tags (tag and tagged for translation rules,
tagging of all packets matching state entries).
* Improved diagnostics (error messages and additional counters from pfctl -si).
* New keyword set skip on to skip filtering on arbitrary interfaces,
like loopback.
* Several bugfixes improving stability.
ALTQ is now also supported by using the option 'altq', see the homepage
for information about how to apply the kernel patch.
Approved by: Thomas Klausner <wiz@NetBSD.org>
specifically, check in /usr/lib${ABI}, since it's possible that
on multi-ABI platforms only one version is installed, in which case we'd
need to build and install the other from pkgsrc.
caches variable definitions that were computed by make. These variables
are specified by listing them in MAKE_VARS, e.g.,
    .if !defined(FOO)
    FOO!= very_time_consuming_command
    .endif
    MAKE_VARS+= FOO
bsd.pkg.mk will include only the one generated during the most recent
phase. A particular phase's makevars.mk file consists of variable
definitions that are a superset of all of the ones produced in previous
phases of the build.
The caching is useful because bsd.pkg.mk invokes make recursively,
which in the example above has the potential to run the very time-consuming
command each time unless we cause FOO to be defined for the sub-make
processes. We don't cache via MAKE_FLAGS because MAKE_FLAGS isn't
consistently applied to every invocation of make, and also because
MAKE_FLAGS can overflow the maximum length of a make variable very
quickly if we add many values to it.
One important and desirable property of variables cached via MAKE_VARS
is that they only apply to the current package, and not to any
dependencies whose builds may have been triggered by the current
package.
The makevars.mk files are generated by new targets fetch-vars,
extract-vars, patch-vars, etc., and these targets are built during
the corresponding real-* target to ensure that they are being invoked
with PKG_PHASE set to the proper value.
Also, remove the variables cache file that bsd.wrapper.mk was generating
since the new makevars.mk files provide the same functionality at a
higher level. Change all WRAPPER_VARS definitions that were used by
the old wrapper-phase cache file into MAKE_VARS definitions.
package because PKG_OPTION.<pkg> could contain negative options, which
are never part of PKG_OPTIONS. Instead, use the show-var target to
display the value. We cache it in WRAPPER_VARS and in MAKE_FLAGS to
prevent reinvoking the show-var target recursively.
by David Ferlier with minor changes by me.
This is a module that allows people to login to PAM aware applications
by authenticating to a MySQL db. Now configurable in terms of which
host the database resides upon, which table and username and password
column to interrogate.
And always is defined as share/examples/rc.d
which was the default before.
These rc.d scripts are now also not automatically added to PLISTs.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
* Version 1.2.3
- Corrected bug in record packet parsing that could lead
to a denial of service attack.
- Corrected bug in RSA key export. Previously exported keys
can be fixed using certtool. Use certtool -k <infile >outfile
- API and ABI modifications:
gnutls_x509_privkey_fix(): Add.
* Version 1.2.2 (2005-04-25)
- gnutls_error_to_alert() now considers
GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET.
- Fixed error in session resuming that could cause a crash in a session.
- Fixed pkcs12 friendly name and local key identifier decoding.
- Internal cleanups, removed duplicate typedef/struct definitions,
and made source code include external include file, to check
function prototypes during compile time.
- API and ABI modifications:
No changes since last version. At least not intentional, but due
to the include header changes, there may be inadvertent changes,
please let us know if you find any.
security/lsh at 1.4.3.
lsh-2.0.1 has interoperability problems with openssh servers
(always gets "Invalid server signature" errors).
lsh-1.4.3 is not affected by CAN-2003-0826. Add a patch to address
CAN-2005-0814 and bump PKGREVISION.
changes:
- Makefile no longer appends 'static' to statically linked binaries
- Add optional SSH_ASKPASS support to the client
- Respect HOST_LOOKUP option
- Fix accidentally removed "return;" statement which was removed in 0.44
(causing clients which sent an empty terminal-modes string to fail to
connect - including pssh, ssh.com, danger hiptop). (patches
independently from Paul Fox, David Horwitt and Sven-Ola Tuecke)
- Read "y/n" response for fingerprints from /dev/tty directly so that dbclient
will work with scp.
News for the 2.0.1 release
Fixed denial of service bug in lshd.
Fixed a bug in lsh-make-seed, which could make the program go
into an infinite loop on read errors.
lsh now asks for passwords also in quiet (-q) mode, as
described in the manual.
Control character filtering used to sometimes consider newline
as a dangerous control character. Now newlines should be
displayed normally.
Removed support for the non-standard alias
"diffie-hellman-group2-sha1". The standardized name for
this key exchange method is "diffie-hellman-group14-sha1".
News for the 2.0 release
Several programs have new default behaviour:
* lshd enables X11 forwarding by default (lsh still does not).
* lsh-keygen generates RSA rather than DSA keys by default.
* lsh-writekey encrypts the private key by default, using
aes256-cbc. Unless the --server flag is used.
Improved the lcp script. It is now installed by default.
Implemented the client side of "keyboard-interactive" user
authentication.
Support keyexchange with
diffie-hellman-group14-sha1/diffie-hellman-group2-sha1 (the
standardized name is at the moment not decided).
Fixes to the utf8 encoder, and in particular interactions
between utf8 and control character filtering.
News for the 1.5.5 release
Added SOCKS-style proxying to lsh and lshg. See the new -D
command line option. Supports both SOCKS-4 and SOCKS-5.
The lsh client no longer sets its stdio file descriptors into
non-blocking mode, which should avoid a bunch of problems. As
a consequence, the --cvs-workaround command line option has
been deleted.
In the user lookup code, lshd now ignores the shadow database
if getspnam returns NULL.
In the server pty setup code, use the group "system" as a
fallback if the group "tty" doesn't exist. This is the case on
AIX. (There are however more problems on AIX, which makes it
uncertain that lshd will work out of the box).
Deleted the --ssh1-fallback option for lshd. I hope ssh1 is
dead by now; if it isn't, you have to run ssh1d and lshd on
different ports.
Deleted code for bug-compatibility with ancient versions of
Datafellow's SSH2. There are zero bug-compatibility hacks in
this version.
News for the 1.5.4 release
Added logging of tcpip-forward requests.
Includes nettle-1.9, which has had some portability fixes and
optimizations. In particular, arcfour on x86 should be much
faster.
Implemented flow control on the raw ssh connection. Enforce
limits on the amount of buffered data waiting to be written to
the socket.
Moved all destructive string operations to a separate file
lsh_string.c, which has exclusive rights of accessing string
internals. Should make the code more robust, as buffer size
and index calculations elsewhere in the code should hit an
assert in lsh_string.c before doing damage.
Some general simplification and cleanup of the code.
News for the 1.5.3 release
Fixed heap buffer overrun with potential remote root
compromise. Initial bug report by Bennett Todd.
Fixed a similar bug in the check for channel number allocation
failure in the handling of channel_open, and in the
experimental client SRP code.
lshd now has an experimental mode similar to telnet, where it
accepts the 'none' authentication method and automatically
disables services such as X and TCP forwarding. This can be
useful in environment where it's required that /bin/login or
some other program handle authentication and session setup
(e.g. handle security contexts and so on).
News for the 1.5.2 release
Encrypted private keys work again.
New client escape sequence RET ~ ?, which lists all available
escape sequences. Also fixed the werror functions so that they
use \r\n to terminate lines when writing to a tty in raw mode.
Implemented handling of multiple --interface options to lshd.
As a side effect, The -p option must now be given before
--interface to have any effect.
Connecting to machines with multiple IP addresses is smarter,
it connects to a few addresses at a time, in parallel.
Fixed a file descriptor leak in the server tcpip forwarding
code.
Lots of portability fixes.
News for the 1.5.1 release
Incompatible change to key format, to comply with the current
spki structure draft. You can use the script lsh-upgrade to
copy and convert the information in the old .lsh/known-hosts
to the new file .lsh/host-acls. The new code uses libspki.
Fixed IPv6 bug reported by Simon Kowallik.
lshd now does the equivalence of ulimit -n unlimited, this is
inherited by processes started upon client requests. If you
don't want this, you should use /etc/{profile,login,whatever}
to set limits for your users. Do note that PAM-based solutions
will NOT work as PAM is used from a separate process that
terminates as soon as the authentication is finished (this of
course goes for environment variables too).
lsh and lshg now parse options from LSHFLAGS and
LSHGFLAGS, these are parsed before and can be overridden by
the command line.
News for the 1.5 release
Implemented the server side of X11 forwarding. Try lshd
--x11-forward. There's one known bug: The server may start
sending data on the session channel (typically your first
shell prompt) before it has sent the reply to the client's
"shell" or "exec" request. lsh will complain about, and ignore
that data.
As part of the X11 hacking, the socket code has been
reorganized.
Deleted one of the ipv6 configure tests. Now lsh will happily
build ipv6 support even if ipv6 is not available at run-time
on the build machine.
Fixed bug preventing -c none from working.
Another bug fix, call setsid even in the non-pty case.
Various bug fixes.
following GNUPG recommendations: "Note that GnuPG 1.4 and 1.9 are not yet
in sync and thus features and bug fixes done in 1.4 are not available
in 1.9. *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may
be installed simultaneously."
GnuPG 1.9 is the development version of GnuPG; it is based on some old
GnuPG 1.3 code and the previous NewPG package. It will eventually
lead to a GnuPG 2.0 release. Note that GnuPG 1.4 and 1.9 are not yet
in sync and thus features and bug fixes done in 1.4 are not available
in 1.9. *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may
be installed simultaneously.
You should use GnuPG 1.9 if you want to use the gpg-agent or gpgsm
(the S/MIME variant of gpg). The gpg-agent is also helpful when using
the stable gpg version 1.4 (as well as the old 1.2 series).
This is mainly a bug fix release but comes with some new features as
well:
* gpg-agent does now support the ssh-agent protocol and thus allows
to use the pinentry as well as the OpenPGP smartcard with ssh.
* New tool gpg-connect-agent as a general client for the gpg-agent.
* New tool symcryptrun as a wrapper for certain encryption tools.
* The gpg tool is no longer built by default because those gpg
versions available in the gnupg 1.4 series are far more mature.
package. Also please pkglint. Changes in heimdal 0.6.4 include:
* fix vulnerabilities in telnet
* rshd: encryption without a separate error socket should now work
* telnet now uses appdefaults for the encrypt and forward/forwardable
settings
* bug fixes
OWN_DIRS was incorrectly used (did not work when PKG_CONFIG=no).
INSTALLATION_DIRS creates the directories now and the PLIST removes them.
Needs at least net/p5-Net-DNS 0.44 (see changes below).
--
Changes since 0.11
==================
FEAT: Added utility function key_difference() to Net::DNS::SEC. See
perlpod for details. I needed this in other software and
figured they are generic enough to make them available
through this module.
FEAT: Modified some functions to use DNSKEY and RRSIG instead of
KEY and SIG.
- Net::DNS::Keyset now uses DNSKEY and RRSIG.
- the demo function getkeyset.pl now uses DNSKEY too.
FEAT: Added the possibility to create a keyset out of two arrays of
dnskey and rrsig object.
FEAT: Added some helper functions to Net::DNS::SEC::Private to read X509
formatted private keys and dump them into bind format.
This functionality has not been tested well.
BUG : When reading a RRSIG from a packet the signame would not have
a trailing dot.
FEAT: Removed critical dependency on bubblebabble. It is available to
DS if installed but not critically dependent.
BUG: - Fixed minor in signing unknown RR types.
FEAT: - Preliminary support for draft-ietf-dnssec-nsec-rdata-02. This
depends on support for unknown RR types (Net::DNS version
0.44)
FEAT: - To be able to deal with argument supplied as either mnemonics or
by value the Net::DNS::SEC::argument method was created. It can
be used as a class method but it is also inherited by
Net::DNS::RR::RRSIG and Net::DNS::RR::DNSKEY.
SSH implementation by means of a library. The complete control of the
client is made by the programmer.
With libssh, you can remotely execute programs, transfer files, use a
secure and transparent tunnel for your remote programs. With its Secure
FTP implementation, you can play with remote files easily, without
third-party programs other than libcrypto (from openssl).
* Merged Athena telnetd changes for creating a new option for requiring
encryption.
* Add implementation of the RPCSEC_GSS authentication flavor to the RPC
library.
* The kadmind4 backwards-compatibility admin server and the v5passwdd
backwards-compatibility password-changing server have been removed.
* Thread safety for krb5 libraries.
* Yarrow code now uses AES.
* Merged Athena changes to allow ftpd to require encrypted passwords.
* Incorporate gss_krb5_set_allowable_enctypes() and
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
* Fix heap buffer overflow in password history mechanism.
[MITKRB5-SA-2004-004]
Noteworthy changes in version 1.0.2 (2004-12-28)
------------------------------------------------
* Changed the license of the library to the GNU Lesser General Public
License (LGPL), version 2.1 or later.
* Version 1.2.1 (2005-04-04)
- gnutls_bye() will no longer fail when RDWR is used and application
data are available for reading.
- Added more strict checks for the SRP parameters (g,n), when they
are not in the included list.
- Added warning to certtool when MD5 is being used for digital
signatures.
- Optimizations ("-O2 -finline-functions") are not enabled by default,
instead the standard autoconf defaults are used. Use `./configure
CFLAGS="-O2 -finline-functions"' to get the old optimizations.
- Added the option --get-dh-params to certtool, in order to get the
included in the library primes and generators.
- Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to
allow only trusted Version 1 CAs and introduced
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
- Nettle self tests now build properly, reported by Pierre
- Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites.
Reported by Yoann Vandoorselaere
- Added the functions:
gnutls_x509_crt_list_import(),
gnutls_x509_crq_get_attribute_by_oid(),
gnutls_x509_crq_set_attribute_by_oid() and
gnutls_x509_crt_set_extension_by_oid().
- If the library has been compiled with features disabled, a warning is
issued during the compilation of any program.
Changes:
# Wildcards (mput/mget) and recursive file transfer in PSFTP.
# You can now save your session details from the Change Settings
dialog box, after you've started your session.
# Various improvements to Unicode support, including:
* support for right-to-left and bidirectional text (Arabic,
Hebrew etc). Thanks to arabeyes.org for design and most of
the implementation.
* support for Arabic text shaping, again thanks to arabeyes.org.
* support for Unicode combining characters.
# Support for the xterm 256-colour control sequences.
# Port forwardings can now be reconfigured in mid-session.
# Support for IPv6. Thanks to unfix.org for having patiently maintained
the patch for this until we were finally ready to integrate it.
# More configurability and flexibility in SSH-2 key exchange. In
particular, PuTTY can now initiate repeat key exchange during the
session, which means that if your server doesn't initiate it (OpenSSH
is known not to bother) you can still have the cryptographic benefits.
# Bug fix: display artefacts caused by characters overflowing their
character cell should now all be gone. (This would probably have
bothered Windows ClearType users more than anyone else.)
# Bug fix: keepalives are now supported everywhere. (Previously they
were supported by Windows GUI PuTTY, but were missing in Plink, PSFTP
and the Unix port.)
# Miscellaneous improvements for CJK/IME users; many thanks to Hung-Te
Lin for assistance.
- Grab maintainership
- Use SUBST_SED framework replacing patch-aa
- Change HOMEPAGE for project
- Original update submitted by Dave Tyson in PR# 29753, thanks !
> * Changed hard coded reference links to the Snort.org SID database to
> reflect changes to snort.org - MFR
Changes:
557) Added a set of missing braces needed for MacOS X / Darwin.
558) Define LDAP_OPT_SUCCESS for those without it.
559) Warn if the user tries to use the -u option when not running a command.
560) Better PAM error handling and messages.
561) Fixed setting of $USER when env_reset is enabled.
PuTTY 0.57, released today, fixes two security holes which can
allow a malicious SFTP server to execute code of its choice on a
PSCP or PSFTP client connecting to it. We recommend everybody
upgrade to 0.57 as soon as possible.
tracked the Cyrus SASL 1.5.x releases, which are no longer maintained.
Adjust packages to use security/cyrus-sasl2 instead for SASL support.
This closes PR pkg/28218 and PR pkg/29736.
by other package Makefiles, and with the deprecation of USE_BUILDLINK3
support in the infrastructure files, these had the potential to break
existing packages.
The files in this archive are example systrace policy files,
which can be used to raise the security levels of your
computer by using the systrace(1) utility. These example
policies can be used as a base for custom policies, or as
learning material.
the courier Makefile adds it to all of the flags again. This avoids
situations where you end up with a flag that looks like "-Wl,-Wl,...".
This should fix the problem noted in pkg/29777.
Pkgsrc changes from version 0.9.7e include:
*) Install the man pages with names that are less likely to collide
with other packages' man pages.
*) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building
with patented algorithms. By default, this package still builds
without patented algorithms.
Major changes from version 0.9.7e include:
*) Prompt for pass phrases when appropriate for PKCS12 input format.
*) Back-port of selected performance improvements from development
branch, as well as improved support for PowerPC platforms.
*) Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
*) Add new -passin argument to dgst.
*) Make an explicit check during certificate validation to see that
the CA setting in each certificate on the chain is correct.
Noteworthy changes in version 1.4.1 (2005-03-15)
------------------------------------------------
* New --rfc2440-text option which controls how text is handled in
signatures. This is in response to some problems seen with
certain PGP/MIME mail clients and GnuPG version 1.4.0. More
details about this are available at
<http://lists.gnupg.org/pipermail/gnupg-users/2005-January/024408.html>.
* New "import-unusable-sigs" and "export-unusable-sigs" tags for
--import-options and --export-options. These are off by
default, and cause GnuPG to not import or export key signatures
that are not usable (e.g. expired signatures).
* New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper
that uses the cURL library <http://curl.haxx.se> to retrieve
keys. This is disabled by default, but may be enabled with the
configure option --with-libcurl. Without this option, the
existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS
are not supported.
[enabled with the "curl" option for the package]
* When running a --card-status or --card-edit and a public key is
available, missing secret key stubs will be created on the fly.
Details of the key are listed too.
* The implicit packet dumping in double verbose mode is now sent
to stderr and not to stdout.
* Added countermeasures against the Mister/Zuccherato CFB attack
<http://eprint.iacr.org/2005/033>.
* Add new --edit-key command "bkuptocard" to allow restoring a
card key from a backup.
* The "fetch" command of --card-edit now retrieves the key using
the default keyserver if no URL has been stored on the card.
* New configure option --enable-noexecstack.
Also, gpgkeys_mailto is not installed any longer, dropping the
dependency on perl.
version 0.54 include:
* authsystem.passwd.in: Explicitly set LC_ALL to en_US
* SASL: Added CRAM-SHA256 authentication method (experimental).
* courierauthdebug.h: Macro dprintf conflicts with new glibc.
Version 4.5.4 is a bugfix release.
Fixed a string error in the updater.
Fixed a race condition in f-protd where f-protd would report
'Bad file number' on accept() under high loads.
Fixed a crash issue with malformed word macros.
Fixed a memory corruption in the x86 emulation code.
Modified check-updates.pl to automatically detect f-prot version number.
5.2 - merged in changes for 5.01 - 5.0.4
- added support for using encoding parameters and key derivation parameters
with public key encryption (implemented by OAEP and DL/ECIES)
- added Camellia, SHACAL-2, Two-Track-MAC, Whirlpool, RIPEMD-320,
RIPEMD-128, RIPEMD-256, Base-32 coding
- added ThreadUserTimer for timing thread CPU usage
- added option for password-based key derivation functions
to iterate until a minimum elapsed thread CPU time is reached
- added option (on by default) for DEFLATE compression to detect
uncompressible files and process them more quickly
- improved compatibility and performance on 64-bit platforms,
including Alpha, IA-64, x86-64, PPC64, Sparc64, and MIPS64
- fixed ONE_AND_ZEROS_PADDING to use 0x80 instead of 0x01 as padding.
- fixed encoding/decoding of PKCS #8 privateKeyInfo to properly
handle optional attributes
5.2.1 - fixed bug in the "dlltest" DLL testing program
- fixed compiling with STLport using VC .NET
- fixed compiling with -fPIC using GCC
- fixed compiling with -msse2 on systems without memalign()
- fixed inability to instantiate PanamaMAC
- fixed problems with inline documentation
support is built into courier-authlib -- -lintl is only needed by the
authpgsql authentication module. This avoids problems when linking
clients with -lcourierauth and the linker thinks -lintl is needed when
it really doesn't. Bump the PKGREVISION to 3.
*before* a BSD-with-advertising license was added to their diffs, and other
work done personally by me.
sshd now works. Most permissions checks work properly. Privsep is off by
default, and the sshd user is not created, on Interix until some problems
with privsep are fixed (perhaps by abstracting the auth functionality out
to openpam).
Fixes from Christoph Badura, who tested on gnupg-1.2.
This new version works with gnupg-1.4.0 as well as older versions of gpg,
and uses the --list-sigs argument as well as the --with-colons arguments
to gpg.
package builds and works correctly. This approach was taken prior to
this change. This is a problem because pth installs pthread.h in
${LOCALBASE}/include. This causes problems for things like Ada tasking
that depend on native pthreads when also linking against libraries in
pkgsrc (eg., gmp).
This change solves the problem by building a static pth library locally
and linking against it.
* Fixed bug which caused hostnames containing hyphens to fail with an error.
* Improved mapping of ID numbers to names in decode. This allows sparse IDs
ranges (e.g. 1,2,3,65000) to be supported, which means that we can now decode
XAUTH authentication method amongst other things.
* Added SO_BROADCAST option to UDP socket to allow sending to broadcast
addresses. Previously this gave a permission denied error.
* Version 0.2.5 (released 2005-02-08)
** Added self test of EXTERNAL mechanism.
** Vietnamese translation added, thanks to Clytie Siddall.
* Version 0.2.4 (released 2005-01-01)
** The CRAM-MD5 mechanism is now preferred over DIGEST-MD5.
This decision was based on recent public research that suggests MD5 is
broken, while HMAC-MD5 is not immediately compromised, and the lack of
public analysis on what consequences the MD5 break has for
DIGEST-MD5. Support for CRAM-SHA1 is under investigation, to enable
users to avoid MD5 completely.
** Fixed a bug that prevented SMTP client from working.
** New configure option --disable-obsolete to remove backwards compatibility.
This is mostly intended to be used when compiling for platforms with
constrained memory/space resources.
** DIGEST-MD5 rewritten and enabled by default (see lib/NEWS for details).
** Command line tool now queries for realm, hostname and service name properly.
** Documentation updates and improvements.
** Self test improvements.
** Update of gnulib files.
The main change is support for printing policies and NAT rules for
firewall objects. Also improvements in the iptables compiler and lots
of bug fixes, too numerous to mention. See the release notes at:
http://www.fwbuilder.org/archives/cat_release_notes.html#000185
Firewall Builder is a multi-platform firewall configuration and
management tool. It consists of a GUI and a set of policy compilers for
various firewall platforms. Firewall Builder uses an object-oriented
approach, it helps administrators maintain a database of network
objects and allows policy editing using simple drag-and-drop
operations. Firewall Builder currently supports
iptables,
IP Filter,
ipfw,
OpenBSD PF, and
Cisco PIX
fwbuilder provides the GUI frontend and the policy compilers.
useful.
libfwbuilder provides the back-end functionality in a library.
Cross-platform fix for checksumming code. This is
*incompatible* with version 2.5.1. As a temporary
workaround, setting "bugcompatibility 251" will maintain
compatibility with release 2.5.1 for little-endian platforms
(e.g. Intel). This will be removed from the final production
release.
Upgrade to Inno Setup 4.
More documentation fixes.
Increased the default thread stack size to 64k and
added "threadstacksize" for debug/test purposes.
Fix handling of HTTP/1.1 responses from proxies.
Added acceptconnecttimeout (supersedes "connecttimeout")
along with connectattempts, serverconnecttimeout and
targetconnecttimeout.
Fixed bug with "clienthost" not being honoured when Zebedee
was used as a service.
Nessus 2.2.3 contains a new option called "silent dependencies" which can be
used to filter out the noise generated by some plugins not directly enabled by
the user. It also contains a slightly more intuitive GUI which now contains
a "Credentials" tab to put Windows and SSH usernames and passwords.
* Add "pmfiles.dat" to legacy manifest_skip routine to accommodate
early Win32 hacks. Reported by Steve Hay via Michael Schwern.
[Changes for 0.43 - 2004-12-16]
* Updated t/0-signature.t to be more friendly with Test::More;
contributed by Michael Schwern.
* Add $Timeout (default 3 seconds) to control the timeout for
probing connections to the key server.
* Take account of the .ts files produced by newer MakeMakers
in the suggested MANIFEST.SKIP list.
[Changes for 0.42 - 2004-11-20]
* Move under SVK version control management; ditch keyword tags.
* Michael Schwern pointed out that during development, the
"signature.t" file would keep failing.
* Documented how to generate SIGNATURE files as part of "make dist",
for Module::Install, ExtUtils::MakeMaker and Module::Build users.
We are pleased to announce the availability of GnuTLS 1.2.0!
This release is the result of the 23 development releases made on the
development branch (1.1.x).
Major changes compared to the 1.0 branch include:
* Moved SRP password authentication from the GnuTLS-extra library
(licensed under GPL) to the core library (licensed under LGPL).
* The API has been cleaned up, and data types now use a '_t' suffix.
* Fixes to handle denial of service problem when verifying long
certificate chains.
* The manual has been converted to Texinfo and is consequently
available in many formats, see:
<http://josefsson.org/gnutls/manual/>
* A reference API manual has been added, and is available in HTML and
DevHelp formats, thanks to GTK-DOC, see:
<http://josefsson.org/gnutls/reference/gnutls-gnutls.html>
The 1.2.0 version is intended to be stable, and to be a drop-in
replacement of the stable 1.0.x branch.
We encourage developers to move to the 1.2 branch as soon as possible,
since we will now spend less time improving version 1.0.x.
We are not planning to open a 1.3 development branch soon, because
there are no plans to start work on any major new feature today.
Instead, we will continue to carefully improve the quality of this
release over time.
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or donating
money or equipment.
- Makefile's error messages now correct if output is
redirected (patch from Ilya Zakharevich).
- Non-blocking connects/accepts now work (Problem found by
Uri Guttman).
- new_from_fd() now works.
- getline() and <> in scalar context now return undef
instead of '' when the read failed. (Problem found by
Christian Gilmore).
- Broken pipe signals are now ignored during socket close
to prevent a SSL shutdown message from killing the parent
program. (Problem found by Christian Gilmore).
- Tests should proceed much more quickly, and a semi-race was
fixed, meaning that on slow machines the tests should be
more reliable.
- Check for Scalar::Util and Weakref now uses default
$SIG{__DIE__} instead of a potentially user-altered one
(suggestion from Olaf Schneider). This only applies to Perl 5.6.0 & above.
- Session caching support (patch from Marko Asplund).
- set_default_context() added to alter the behavior of
modules that use IO::Socket::SSL from the main program.
- get_ssl_object() renamed to _get_ssl_object() to reflect
the fact that it's only supposed to be used internally
(not that you should have cared, of course).
- Added patch for Net::SSLeay to take advantage of
client-side session caching. (i.e. use 1.26 of Net-SSLeay)
cache file by default; one of them is that recursion isn't re-parsing
the values correctly (and hosing up on multiple spaces in things like
CPPFLAGS). Amusingly enough, this hosage does not happen with a site
cache file such as the one generated by autoswc.
The switch to using :Q on these variables tripped over this stupidity bug,
so turn off the Cyrus configure.in stupidity where it tries to force use
of a cache file.
Fixes PR pkg/29375 and PR pkg/29380.
In download-vulnerability-list, first set the PKGVULNDIR, then create
the directory if it doesn't already exist.
Pointed out by Geert Hendrickx on tech-pkg@
The Courier authentication library provides authentication services for
other Courier applications. In this context, the term "authentication"
refers to the following functions:
1. Take a userid or a loginid, and a password. Determine whether the
loginid and the password are valid.
2. Given a userid, obtain the following information about the userid:
A. The account's home directory.
B. The numeric system userid and groupid that owns all files
associated with this account.
C. The location of the account's maildir.
D. Any maildir quota defined for this account. See the Courier
documentation for more information on maildir quotas.
E. Other miscellaneous account-specific options.
3. Change the password associated with a loginid.
4. Obtain a complete list of all loginids.
20040210 (Eelgrass) include:
- BUGFIX: Correct numerous markup errors, invalid cross-references,
and other issues in the manual pages, with kind assistance from
Ruslan Ermilov <ru@freebsd.org>.
- BUGFIX: Avoid multiple evaluation of macro arguments in ENTERX()
and RETURNX() macros.
- BUGFIX: Remove an unnecessary and non-portable pointer cast in
pam_get_data(3).
- BUGFIX: Fix identical typos in PAM_ACCT_EXPIRED case in
pam_strerror(3) and gendoc.pl.
- ENHANCE: Minor overhaul of the autoconf / build system.
- ENHANCE: Add openpam_free_envlist(3).
This addresses PR#29271.
Changes include:
Version 4.5.3 adds a new commandline switch to f-protd, '-fullreport'
and new possible summary codes (see man page for details).
Version 4.5.2 is a bugfix release; f-protd would misidentify .pdf files
and block them from being delivered.
Version 4.5.1 is a bugfix release to fix a bug in scan-mail.pl where
scan-mail.pl would exit after first scan request on some unix platforms,
because of differing signal mechanism between BSD and SysV.
Version 4.5.0 contains various bugfixes and improvements to the
documentation and software.
o check-updates.pl has been modified. It now identifies itself with a
unique user-agent string containing information on OS, kernel and
architecture.
o contains a major overhaul of the virus scanning engine
(new engine version 3.16.1). These changes improve its
detection capabilities. The engine can now better detect and
handle executable packers, often used by malware authors to conceal
malicious code.
o includes a more generic JPEG GDI+ exploit detection
o includes EMF/WMF image format exploit detection
o encrypted executables inside archives are now reported as
"could be a suspicious file (encrypted program in archive)",
previously reported as "could be a security risk".
o The argument switch "-archive" has been changed to support the form
"-archive=n" where n is a non-negative integer. This causes f-prot
to scan only n levels deep into nested archives of supported types in
order to protect against 'archive-bombs'.
The old form "-archive" is still supported, although deprecated, and
implies n==5. See the man page for details.
o Minor modifications in the DTD for the f-prot daemon XML.
o Bugfix where f-prot would return IO_ERROR when attempting to scan
unsupported partial archive files, e.g. .z01 files
o Improved RAR support. F-Prot fully supports rar versions 1.5, 2.0 and
2.6 and partially supports rar 2.9 (doesn't support RAR Virtual
Machine and the PPM model features)
within NetBSD-current's bsd.own.mk, which conflicts with its usage in
pkgsrc. The packages that use USE_PAM have been converted to use the
bsd.options.mk framework. This should fix PR pkg/29257.
Don't accidentally inherit a forwarded agent when
inheritwhich=local-once. Move the --stop warning after the version
splash.
Add inheritance support via --inherit. Add parameters to --stop for
more control. Change the default behavior of keychain to inherit if
there's no keychain agent running ("--inherit local-once"), and
refrain from killing other agents unless "--stop others" is
specified.
Release notes:
December 22, 2004
amavisd-new-2.2.1 release notes
SECURITY:
- add support for the pax(1) archive decoder, which can handle tar/cpio/pax
archives (including legacy format variants). Due to limitations in cpio
(and in Archive::Tar), for security reasons it is preferred to decode
such archives with pax and no longer with cpio; please add a line:
$pax = 'pax';
to amavisd.conf and verify that the program pax is installed on the system
(and in the jail if running in chroot);
- perform additional tests at startup time on the proper protection
of the configuration file;
- add file name extensions wmf, emf and grp to the example list of
banned extensions, according to recent Microsoft security bulletins;
suggested by Stephane Lentz;
- introduces 'clean but inconclusive' av scanner result to avoid a specialized
or quick partial av scanner like jpeg checker to claim mail is clean
when all other general purpose av scanners fail (see below);
INCOMPATIBILITY:
- removed some legacy $*_ldap variables, as they are no longer needed;
These variables were still declared but ignored in 2.2.0 for compatibility
with older amavisd.conf files. Such variables need to be removed from
the amavisd.conf if they are still present there from older versions,
otherwise Perl will complain with 'Global symbol ... requires explicit
package name';
OTHER FIXES:
- files_to_scan and decompose_mail are now able to remove unexpected
directories which may have been left behind by some failed decoding
and were causing temporary failures and mail delivery retries;
error recovery problem after failed unarj reported by Ralf Hildebrandt;
- error recovery code in files_to_scan and rmdir_recursively now tries to
change protection on directories and files, and retry if the first attempt
to access them fails because of denied permission;
- pre-load some additional Perl modules needed by SA when running in chroot;
- add module Net::LDAP::Search to a list of pre-fetched modules;
omission pointed out by Paul Jacobson;
- when quarantining is disabled by keeping $QUARANTINEDIR undefined,
the log entry and administrator notification message inappropriately
suggested that mail was quarantined, which in fact (appropriately)
it was not. Setting $QUARANTINEDIR='' did work as expected.
Reported by Sascha Lucas;
- avoid the use of Encode::is_utf8 due to a Perl bug (still present in 5.8.5)
where Encode::is_utf8 on tainted utf8 character string produces false;
- modify safe_encode() to guarantee the result is a string of octets,
not a string of UTF-8 characters; it saves some unnecessary work in
further processing and keeps MIME::Entity from UTF swamp when running
in chroot; problem pointed out by Branko F. Gracnar;
- avoid braindead Perl default where an empty regexp implies the last
successfully matched regexp, which (if not being very careful) brings in
some completely unrelated last-executed regular expression;
- change kill 'TERM' into kill 'KILL' when a forked process within run_command
and run_command_consumer gets into deep trouble, to avoid exit handlers
being invoked in the subprocess (which could lead to two processes trying
to clean the same set of temporary files);
- in an old sendmail setup using the amavis(.c) helper program without
LDA arguments, avoid inappropriate warning:
"WARN: no recips left (forgot to set $forward_method=undef using milter?)"
and return status 0 instead of 99 when message is to be blocked, as the
helper program amavis(.c) does not recognize status 99 in this situation
and inappropriately passed it on to sendmail; reported by The Mindflayer;
- the @bypass_header_checks_maps is now able to also bypass the bad header
checks as provided by MIME::Parser; inconsistency reported by CRivera;
- avoid some Perl warning messages; thanks to Bill Landry;
CHANGES AND MINOR NEW FEATURES:
- add configuration variable @newvirus_admin_maps (and $newvirus_admin,
along with corresponding SQL field 'newvirus_admin') which works like
the existing @virus_admin_maps (and $virus_admin), except that it sends
virus administrator notification to specified e-mail address only for newly
encountered viruses which have not yet been encountered since the amavisd
startup. It makes use of by-virusname counters in the SNMP counters
database. If more than one child process starts working on infected
message containing a not-yet-accounted-for virus, there might be more
than one 'first time' notification, this is not a malfunction. Both
the @newvirus_admin_maps and the @virus_admin_maps may be enabled,
each (possibly both) would receive their notifications as appropriate.
A useful setting is to globally enable only the new virus notifications,
and additionally enable _all_ administrator notifications for internally
originating mail only (by the use of policy banks);
- provide separate configuration variables @banned_admin_maps and
@bad_header_admin_maps, along with corresponding SQL fields
'banned_admin' and 'bad_header_admin'; their function was previously
covered by @virus_admin_maps, which now only still controls administrator
notifications in case of viruses;
- introduces 'clean but inconclusive' av scanner result to avoid a specialized
or quick partial av scanner like jpeg checker to claim mail is clean
when all other general purpose av scanners fail:
in av scanner entries (lists @av_scanners and @av_scanners_backup) give
an extended meaning to undefined fourth argument (the 'match for clean'
list or regexp). The interpretation of the fourth argument is now:
4. an array ref of av scanner exit status values, or a regexp (to be
matched against scanner output), indicating NO VIRUSES found;
a special case is a value undef, which does not claim file to be clean
(i.e. it never matches, similar to []), but suppresses a failure warning;
to be used when the result is inconclusive (useful for specialized and
quick partial scanners such as jpeg checker);
Also modified example jpeg checker entry in amavisd.conf accordingly.
- NOD32 av scanner: changed @av_scanners entry to match the new version
of the scanner; thanks to Nejc Skoberne;
- added @av_scanners entry for File::Scan;
- when preparing a SQL SELECT clause for white/blacklisting lookup,
take into account a relative position of ? and %k in the
$sql_select_white_black_list template to improve flexibility
of specifying the clause; suggested by Matt Petteys;
- reduce the log level of some more common and harmless log messages;
- macro %p and the log entry now reports full policy bank path,
not just the last loaded policy bank name;
- added LDAP attributes amavisWarnVirusRecip, amavisWarnBannedRecip,
and amavisWarnBadHeaderRecip; by Joel Nimety and Michael Hall;
- renamed LDAP attribute name amavisSpamModifiesSubject to
amavisSpamModifiesSubj in order to match the documented LDAP schema;
noticed by Kees Bos, patch by Michael Hall;
- add support for ripOLE decoder, which attempts to extract embedded documents
from MS OLE documents (MS Office) (http://www.pldaniels.com/ripole/,
by Paul L Daniels); ripOLE is still experimental/alpha code;
To make amavisd-new find the installed program 'ripole', add:
$ripole = 'ripole';
to the amavisd.conf; suggested by David Wilson and Noel Jones;
- allow multiple occurrences of command line option: -c config_file
and execute the provided configuration files one after the other;
based on a subset of functionality provided as a patch by Davor Ocelic;
- a slight improvement (in default $map_full_type_to_short_type_re)
in classifying mpeg and some other multimedia files;
- several minor code cleanups;
- add a recommendation by Daniel J McDonald to a documentation file INSTALL:
If different UID is preferred for an AV scanner, a solution for
ClamAV is to add user clamav to the amavis group, and then add
AllowSupplementaryGroups to clamd.conf;
- enclosed a simple demonstrational Perl program amavis.pl, which is
functionally much like the amavis.c helper program, but talks the new
AM.PDP protocol with the amavisd daemon. See README.protocol for the
description of AM.PDP protocol. To be placed in amavisd.conf:
$protocol='AM.PDP'; $unix_socketname='/var/amavis/amavisd.sock';
Usage: amavis.pl sender recip1 recip2 ... < message.txt
- documentation updates;
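The 'clean but inconclusive' reading of the fourth @av_scanners argument in the amavisd-new 2.2.1 notes above, modelled in Python as an added example (it is not amavisd-new's own Perl code). The entry dictionaries, the 'infected' matcher, the constructed sample scanners and the clean/infected/unchecked aggregation are assumptions made for illustration.

```python
import re
from enum import Enum


class Verdict(Enum):
    INFECTED = "infected"
    CLEAN = "clean"
    INCONCLUSIVE = "inconclusive"  # 'match for clean' is undef: no claim, no warning
    FAILED = "failed"              # nothing matched: scanner failure, warn


def matches(matcher, status, output):
    """matcher: list of exit statuses, a compiled regexp, or None (Perl undef)."""
    if matcher is None:
        return False                       # undef never matches, like []
    if isinstance(matcher, re.Pattern):
        return matcher.search(output) is not None
    return status in matcher


def classify(entry, status, output):
    """Turn one scanner run into a verdict.

    entry["clean"] models the fourth argument from the release notes;
    entry["infected"] is an assumed counterpart that marks a virus hit.
    """
    if matches(entry["infected"], status, output):
        return Verdict.INFECTED
    if matches(entry["clean"], status, output):
        return Verdict.CLEAN
    if entry["clean"] is None:
        return Verdict.INCONCLUSIVE        # suppresses the failure warning
    return Verdict.FAILED


def scan_summary(runs):
    """runs: list of (entry, exit_status, output). Returns (overall, warnings).

    Assumed aggregation: any infection wins; otherwise at least one scanner
    must positively report 'clean'; otherwise the mail counts as unchecked.
    """
    verdicts, warnings = [], []
    for entry, status, output in runs:
        verdict = classify(entry, status, output)
        verdicts.append(verdict)
        if verdict is Verdict.FAILED:
            warnings.append(f"{entry['name']}: unexpected exit status {status}")
    if Verdict.INFECTED in verdicts:
        return "infected", warnings
    if Verdict.CLEAN in verdicts:
        return "clean", warnings
    return "unchecked", warnings


# Constructed sample entries (not taken from amavisd.conf).
GENERAL_AV = {"name": "general-av", "clean": [0], "infected": [1]}
JPEG_OLD = {"name": "jpeg-checker", "clean": [0],
            "infected": re.compile(r"bad jpeg")}
JPEG_NEW = {"name": "jpeg-checker", "clean": None,
            "infected": re.compile(r"bad jpeg")}
JPEG_EMPTY = {"name": "jpeg-checker", "clean": [],
              "infected": re.compile(r"bad jpeg")}


def demo():
    """General-purpose scanner crashes (exit 2); the JPEG checker sees nothing."""
    old = scan_summary([(GENERAL_AV, 2, ""), (JPEG_OLD, 0, "ok")])
    new = scan_summary([(GENERAL_AV, 2, ""), (JPEG_NEW, 0, "ok")])
    return old, new


if __name__ == "__main__":
    old, new = demo()
    print("old-style jpeg entry:", old)
    print("undef clean-match   :", new)
```

With the old-style entry the partial scanner alone makes the message count as clean while the general-purpose scanner has failed; with the undef clean-match the same run ends up unchecked.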
version of libnet <= 1.0.1b. This will prevent the case where the user
has installed the libnet 1.1.x branch and then tries to install an application
that is not compatible with the 1.1.x tree.
Over time the list of these applications that require the 1.0.x branch
will be reduced as they are updated to later versions that support the
libnet 1.1.x branch.
This addresses PR# 29056 opened by diro (at) nixsys.bz, thanks for the PR!
- Version number in libtasn1.h updated properly.
Changes 0.2.12:
- Manual converted to Texinfo format.
- Manual in GTK-DOC and DevHelp formats added.
- Man pages for all functions added.
- Various internal cleanups.
python*-pth packages into meta-packages which will install the non-pth
packages. Bump PKGREVISIONs on the non-pth versions to propagate the
thread change, but leave the *-pth versions untouched to not affect
existing installations.
Sync all PYTHON_VERSIONS_AFFECTED lines in package Makefiles.
This is basically bug fix release, but official changes aren't provided
yet. Please refer to the ChangeLog.
Here are the pkgsrc changes:
o Set RUBY_HAS_ARCHLIB=yes for Ruby packages including an architecture-dependent
extension library in order to depend on a more specific Ruby.
o Now install database for ri(1). Fix PR pkg/28566.
o Net::IMAP
* lib/net/imap.rb (u8tou16): fixed typo. fixed: [ruby-list:40546]
o NKF:
* ext/nkf/nkf-utf8/nkf.c (reinit): should initialize all static
variables. fixed: [ruby-list:40445]
* ext/nkf/lib/kconv.rb (Kconv::RegexpEucjp): second byte is up to
0xfe.
* ext/nkf/lib/kconv.rb (Kconv#kconv): should handle UTF8 and UTF16
properly.
o WEBrick
* lib/webrick/httpauth/htpasswd.rb (WEBrick::Htpasswd#reload):
raise NotImplementedError if password is encrypted by digest
algorithms. This patch is contributed by sheepman. [ruby-list:40467]
* lib/webrick/httpauth/digestauth.rb
(WEBrick::HTTPAuth::DigestAuth#_authenticate): fix digest calculation.
This patch is contributed by sheepman. [ruby-list:40482]
* lib/webrick/{httpauth.rb,httpauth/basicauth.rb,httpproxy.rb}: use
pack/unpack-template char "m" instead of lib/base64.rb to do base64
encoding/decoding. fixed: [ruby-dev:25336]
TLS (aka SSL) Channel - can be layered on any bi-directional Tcl_Channel.
Both client and server-side sockets are possible, and this code should work
on any platform as it uses a generic mechanism for layering on SSL and Tcl.
script to avoid bizarre quoting problems within the configure script.
This also fixes the definition of SYSCONFDIR in the compiled library.
Bump the PKGREVISION to 1.
Changes:
* Updated the ALTQ patch, now works correctly on NetBSD 2.0 release.
Thanks to Miles Nordin for helping and testing.
* Write struct "pcap_sf_pkthdr" instead of "pcap_pkthdr". Fixes
an LP64 specific problem with reading the pflog with tcpdump(8).
* Applied patch to pf.c from OPENBSD_3_6 branch:
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
* Applied patch to pf_lkm.c from NetBSD HEAD:
pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
* Applied patch to pf_ioctl.c from OPENBSD_3_6 branch:
replace finer-grained spl locking in pfioctl() with a single broad lock
around the entire body. this resolves the (misleading) panics in
pf_tag_packet() during heavy ioctl operations (like when using authpf)
that occur because softclock can interrupt ioctl on i386 since SMP.
* Applied patch to pf.c from OPENBSD_3_6 branch:
IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.
* Applied patch to pfctl_optimize.c from OPENBSD_3_6 branch:
&&/|| inversion would try to merge IP addresses with non-addresses into a
single table causing a ruleset load error and eventually a double-free.
* Applied patch to pf.c from OPENBSD_3_6 branch:
Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'
* Fix to if_events.diff from Miles Nordin <carton at Ivy dot NET>:
Call free after removing the element from the list, not before.
Fixes panic with "unaligned access" on Alpha.
changes:
-IPv6 support
-client added
-bugfixes
XXX dropbear wants to use /dev/random per default now which makes it
unusable on systems w/o entropy source. I've patched it back to
/dev/urandom. There might be security concerns.
when other source files depend on fd_set being defined in a local header.
(Required on Interix, which does not expose <sys/select.h>/<sys/time.h>
automagically via other system headers as some OS's do by default.)
because:
- its behaviour changes between releases
- it uses build-host specific instructions where possible,
specifically on >= Solaris 9 update 6 and Sun Studio 9 (sse, sse2)
this breaks using the binary pkg when installed on systems with a
less capable processor. instead, just use -xO5 so the binary pkg will
work everywhere.
to regenerate some documentation files, but the regen is unnecessary.
Fix the post-tools target that created a dummy perl -- it was failing
because ${TRUE} may not be an actual executable (it could be a shell
builtin) and thus symlinking to it may not work.
- Complete overhaul of the Framework payload collection
+ Win32 ordinal-stagers are now included (92-byte reverse connect)
+ A handful of new sparc payloads have been added (sol, linux, bsd)
+ Reliability problems have been resolved in bsd, linux, and win32
+ New udp-based linux shell stagers and shell payloads
+ New size-optimized Mac OS X encoders and payloads
- Includes the win32 version of the Meterpreter
+ Dynamically load new features over the network w/o disk access
+ In-memory dll injection of the basic meterpreter shell
+ Current extensions include Fs, Process, Net, and Sys
+ Extensive documentation is available online:
* http://metasploit.com/projects/Framework/docs/meterpreter.pdf
- Complete rewrite of the 'msfweb' user interface
+ Generate and encode stand-alone shellcode from the web interface
+ The interface is skinnable and includes three different themes
+ Streaming HTTP is used to provide a 100% web-based shell
+ Ability to set advanced options in the web interface
- Massive speed enhancements in msfconsole and msfweb
+ Snappier response and quicker load times on older systems
+ Optimizations made to various sort/search algorithms
+ Modules are no longer reloaded after each exploit
- New exploits
+ Microsoft WINS Service Memory Overwrite (MS04-045)
+ Samba trans2open() Buffer Overflow (Mac OS X)
+ 4D WebSTAR FTP Server Buffer Overflow (Mac OS X)
+ Veritas Name Service Registration Buffer Overflow
+ AOL Instant Messenger 'goaway' Buffer Overflow
+ IPSwitch IMail IMAPD 'delete' Buffer Overflow
+ Seattle Labs Mail Server POP3 Buffer Overflow
+ UoW IMAPD Buffer Overflow (sparc, ia32)
+ IRIX lpdsched Remote Command Execution
+ CDE dtspcd Buffer Overflow (Solaris)
+ IIS 4.0 ism.dll HTR Buffer Overflow
+ IIS w3who.dll ISAPI Buffer Overflow