--- 9.9.9-P5 released ---
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in an assertion failure. (CVE-2016-9147)
[RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger an assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
--- 9.10.4-P5 released ---
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
4528. [bug] Only set the flag bits for the i/o we are waiting
for on EPOLLERR or EPOLLHUP. [RT #43617]
4519. [port] win32: handle ERROR_MORE_DATA. [RT #43534]
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT #43632]
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in an assertion failure. (CVE-2016-9147)
[RT #43548]
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger an assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
- Fixed a corner case where depending on the order of events when installing
multiple packages (i.e. when installing packages with dependencies, some
of which might also use d2to1) we would end up calling the incorrect
Distribution class (the patched version from setuptools, where d2to1
needs to get to the unpatched version from distutils for some cases).
- Upgraded bundled copy of the ``six`` module to the current version
(1.9.0). This fixes incompatibility between d2to1 and other packages
that import different versions of ``six`` during their setup (the older
version of ``six`` had a habit of fighting with other ``six`` instances
over ``sys.modules``, which is fixed in newer versions).
- Upgraded to latest ``ez_setup.py`` so that the most up to date version
of setuptools will be correctly bootstrapped in the rare cases that it
is needed.
- Included some miscellaneous hacks to keep d2to1 working, nominally, with
Python 2.5 despite the broad move away from Python 2.5 support in the
Python community. The d2to1 v0.2.x releases will be the last to continue
Python 2.5 support, given that testing it has become more difficult (and
the overhead is probably no longer worth it).
Now depends on qt5-qt{tools,base}. From changes.txt:
Solarus 1.5.1 (2016-11-29)
__________________________
Engine changes
--------------
* Add Spanish translation of the launcher GUI (thanks Diarandor!).
* Fix registering quest to the launcher at quest install time (#948).
* Fix crash when a carried bomb explodes (#953).
* Fix crash when a scrolling teletransporter is incorrectly placed (#977).
* Fix crash when an entity has a wrong savegame variable type (#1008).
* Fix memory leak when creating lots of surfaces (#962).
* Fix cleanup of the quest files at exit.
* Fix error in sol.main.load_settings() when the file does not exist.
* Fix ground ignored after hero:unfreeze() or back to solid ground (#827).
* Fix entity:get_name() returning nil after the entity is removed (#954).
* Improve error messages of surface creations and conversions.
* Chests: set an initial value "entities/chest" to the sprite field.
Solarus launcher GUI changes
----------------------------
* Start the selected quest by pressing Return or double-clicking (#949).
Sample quest changes
--------------------
* The sample quest is now in a separate repository (#996).
__________________________
Solarus 1.5.0 (2016-07-27)
__________________________
Engine changes
--------------
* Add a launcher GUI to ease choosing a quest and setting options (#693).
* Rename the solarus_run executable to solarus-run.
* Add version number and symbolic links when building the library.
* Add a -lua-console option to run Lua code from the standard input.
* Remove the -win-console option, the preferred way is now to use a GUI.
* Add a -turbo option to run at full speed.
* Add a -lag option to simulate slower systems for debugging.
* Print when the main loop starts and stops.
* Print the Lua version at startup (#692).
* Outputs are now prefixed by [Solarus] and the current simulated time.
* Musics: Add support of custom OGG looping (#643).
* Maps: allow more than 3 layers (#445).
* Improve the performance of loading big maps (#854).
* Improve the performance of custom entity collisions.
* Improve the performance of collisions by using a quadtree.
* Entities far from the camera are no longer suspended.
* The hero no longer automatically jumps when arriving on water (#530).
* Destinations can now be set to update or not the starting location (#819).
* Teletransporters on the side of the map now work on all layers (#850).
* Streams can now have a speed of zero (#496).
* Fix crash when main.lua has a syntax error.
* Fix crash with missing directions in sprites controlled by the engine (#864).
* Fix sprite:on_animation_finished() and others not working sometimes (#799).
* Fix error in sprite:set_animation() when the direction is missing (#937).
* Fix straight movement precision.
* Fix freeze when loading a map with tiles outside the limits (#875).
* Fix crash when trying to use a non-saved item (#889).
* Fix sword tapping sound still played when the game is suspended (#797).
* Fix hero:set_invincible() not working without duration (#805).
* Fix lifted item walking animation only accepting 3 frames (#645).
* Fix enemy:set_attack_consequence_sprite() with thrown items (#834).
* Fix custom_entity:set_can_traverse() for doors (#716).
* Fix custom_entity:set_can_traverse_ground() for some grounds (#794).
* Fix custom entity collisions missed for entities that do not move (#671, #883).
* Fix custom_entity:get_modified_ground() returning nothing.
* Fix custom_entity:on_ground_below_changed() not called (#738).
* Fix missing notifications in custom_entity:set_origin() (#880).
* Fix creating an entity with the same name as another one just removed (#795).
* Fix parallax scrolling for dynamic tiles (#816).
* Fix crash when a diagonal tile is not square (#837).
* Fix crash when the teletransporter after stairs is missing.
* Fix non-blocking stream turns after going south (#648).
* Fix text_surface:set_rendering_mode() not working (#833).
* Fix possible freeze when changing the position of a path finding entity.
* Fix circle_movement:set_initial_angle() not working (#721).
* Fix straight movement setting speed to zero when reaching obstacles (#633).
* Fix support of joypads with multiple axes.
* Fix sol.input.get_mouse_coordinates() ignoring the zoom factor (#734).
Lua API changes
---------------
Changes that introduce incompatibilities:
* Fix missing collision detections and entity notifications.
* chest:on_empty() is replaced by chest:on_opened(treasure) (#483).
* Enemy ranks no longer exist, set_hurt_style() needs to be called (#449).
* Items with amount now have a default max amount of 1000 (#688).
* New ability "jump_over_water" in game:get/set_ability(), off by default (#530).
* Fix hero state name "freezed", renamed it to "frozen" (#813).
* Fix map:get_entities() not returning the hero (#670).
* Fix map:create_custom_entity() not erroring when width/height are missing.
* map:get_camera_position() is now deprecated, use camera:get_bounding_box().
* map:move_camera() is now deprecated, use a camera movement instead.
* map:draw_sprite() is now deprecated, use map:draw_visual() instead (#661).
* Fix entity:set_enabled(true) delayed while it blocks the hero (#817).
* Fix brandished treasure sprite and shop treasure sprite not animated (#790).
* circle_movement:get/set_initial_angle() now use degrees (#721).
* Add ability to hide mouse cursor (#891).
Changes that do not introduce incompatibilities:
* Add a function sol.main.get_solarus_version() (#767).
* Add a function sol.main.get_quest_format().
* Add a function sol.main.get_type() (#744).
* Add a method game:set_suspended() (#845).
* Add methods map:get_min_layer() and map:get_max_layer() (#445).
* Add a method map:get_entities_by_type() (#796).
* Add a method map:get_entities_in_rectangle() (#142).
* Add a method map:draw_visual() to draw any drawable object (#661).
* Add a method map:get_camera() (the camera is now a map entity).
* Add methods map:set_world() and map:set_floor() (#656).
* map:get_entities() can now be called without parameter to get all entities.
* map:get_entities*() functions now give entities sorted in Z order (#779).
* Add an event entity:on_movement_started().
* Add a method entity:get_max_bounding_box() considering sprite boxes (#754).
* entity:get_center_position() now also returns the layer.
* Add a method entity:get_facing_position().
* Add a method entity:get_facing_entity() (#877).
* Add a method entity:get_ground_position() (#830).
* Add a method entity:get_ground_below() (#830).
* entity:set_optimization_distance() is now only a hint for the engine.
* entity:test_obstacles() now also works without parameters.
* entity:overlaps() now has an optional collision mode parameter (#748).
* Add entity:get_sprite() to all entities, with an optional name value (#669).
* Add a method entity:get_sprites() (#851).
* Add methods entity:bring_sprite_to_front/back() (#809).
* enemy/custom_entity:create_sprite() now take an optional name value.
* hero:save_solid_ground() can now take a function parameter (#667).
* Add a method hero:start_attack() (#821).
* Add methods npc:is/set_traversable() (#712).
* Add methods chest:get/set_treasure() (#664).
* Add an event chest:on_opened() with treasure info parameters (#483).
* Add methods dynamic_tile:get_pattern_id() and get_modified_ground() (#755).
* Add methods destination:get/set_starting_location_mode() (#819).
* Add a method switch:is_walkable() (#729).
* Add a method switch:is_locked().
* Add a method sprite:get_num_frames() (#818).
* Add methods sprite:get_size() and sprite:get_origin() (#823).
* sprite:set_animation() now takes an optional callback parameter (#861).
* Add a method surface:get_opacity() (#722).
* Add methods surface/text_surface/sprite:get/set_blending_mode (#930).
Data files format changes
-------------------------
* New directory logos to put the logo and icons of your quest, used in the GUI.
* Quest properties: New properties describing the quest, used in the GUI (#838).
* Quest properties: the title_bar property no longer exists, use title instead.
* Maps: New properties min_layer and max_layer (#445).
* Maps: Enemies no longer have a rank property (#449).
* Maps: New property starting_location_mode on destinations (#819).
* Maps: width and height of custom entities are now mandatory as documented.
* Dialogs: Allow empty texts.
Sample quest changes
--------------------
* Lots of new sprites and sounds from Diarandor.
__________________________
Solarus 1.4.5 (2015-11-22)
__________________________
Bug fixes for the 1.4 release.
* Fix file name not shown when there is an error in dialogs file (#718).
* Fix saving special characters in data files (#719).
* Fix sol.main.load_file() returning a string instead of nil on error (#730).
* Fix performance issue when sprites have huge frame delays (#723).
* Fix collisions triggered for removed entities (#710).
* Fix hero disappearing if lifting animation has less than 5 frames (#682).
* Fix collisions with diagonal dynamic tiles larger than 8x8 (#486).
* Fix path finding movement not working with NPCs (#708).
* Fix stuck on non-traversable dynamic tiles covered by traversables (#769).
* Fix collision detection of custom entities that do not move.
* Fix pickables with special movement falling in holes too early.
* Fix blocking streams not working when the hero's speed is greater (#488).
__________________________
Solarus 1.4.4 (2015-08-19)
__________________________
Bug fixes for the 1.4 release.
* Fix pickables falling in holes even when hooked (#740).
__________________________
Solarus 1.4.3 (2015-08-12)
__________________________
Bug fixes for the 1.4 release.
* Fix a compilation error with Mac OS X.
* Fix crash at exit when a surface has a movement with callback (#699).
* Fix crash when removing a custom entity (#690).
* Fix crash when a sprite file is missing or has no animation (#700).
* Fix crash when trying to remove a sprite already removed (#705).
* Fix crash when a custom entity collision or traversable test errors.
* Fix crash when changing hero sprites sometimes.
* Fix crash when sound buffers are full.
* Fix crash in map:get_ground() with out of bounds coordinates.
* Fix Lua error message saying "number expected" instead of "string expected".
* Fix game:set_command_keyboard/joypad_binding refusing parameters.
* Fix map scrolling not working if quest size is not a multiple of 5 (#701).
* Fix camera:move() ignoring separators.
* Fix entities already destroyed when map:on_finished() is called (#691).
* Fix entity:bring_to_front()/back() ignoring the order of obstacles.
* Fix hero stuck on blocks.
* Fix hero going backwards on ice sometimes.
* Fix custom_entity:set_can_traverse_ground() giving opposite result (#668).
* Fix enemy:immobilize() having no effect when already immobilized.
* Fix dying animation of flying and swimming enemies.
* Fix the position of the shadow of pickables when they move.
* Fix pickables not reacting to their ground (#655).
Overview of Changes in GTK+ 3.22.6
==================================
* Bugs fixed:
774534 776132 776187 776012 774784 776187 776306 775808 776524 776560
774534 input shape and opaque region not applied without begin_paint()/end_paint()
774784 Failed to get desktop session proxy is not an error!
775808 win32 maximized window is larger than the extended screen in dual monitor
776012 GtkFlowBox, GtkListBox: Don't emit signals etc. during destruction
776132 Mention the difference between gdk_window_create_similar_image_surface and...
776187 flowbox: Add gtk_flow_box_get_child_at_pos to gtk3
776306 flowbox: Sometimes emits child-activated during rubberband selection
776524 GtkAboutDialog: Fix formatting of example email address in html documentation
776560 icon-browser: window opens at very narrow size, only showing 1 column of icons
Fix GL checks to work better on OpenGL ES 2.0
Avoid a possible crash in ::activate-url handlers
scrolledwindow: Fix func summary being cut off in bindings using doxygen
* Translation updates:
German
Russian
Overview of Changes in GTK+ 3.22.5
==================================
* gtk3-demo now has an example for using PangoTabArray to create a multi-column layout
* Bug fixes:
771242 opening menu for certain types of GtkComboBox causes Gdk-CRITICAL assertion...
774114 Window shadows are repainted even if only the contents of the window change
774265 No tilt for wintab devices
774379 gdk: mingw64 builds segfault during initialization of Huion H610PRO wintab
774686 GtkMenu does not unref all GtkCheckMenuItem it creates
774695 GtkProgressbar needs full and empty classes
774699 list iteration regression causes odd-indexed devices to be ignored during l...
774743 GtkNotebook does not unref all GtkBuiltinIcon it creates
774760 inspector: ensure controller is a GtkGesture
774790 GtkTextHandle does not unref all GtkAdjustment it references
774893 Application font sizes scaling gets clamped to 1.00 when starting GtkInspector
774915 Destroying the parent of a subsurface causes _gdk_window_destroy_hierarchy:...
774917 [wayland] child subsurfaces need to be placed relative to their parent
774939 GtkLabelAccessible: Initialize link before setting parent
775212 GtkScaleButton does not unref all GtkAdjustment it references
775316 gtk_drag_source_set_icon_pixbuf references the pixbuf received once too much
775319 gdk_window_get_toplevel() fails to return the toplevel of a child subsurface
775525 gtk_flow_box_get_child_at_index shouldn't crash with an invalid index
* Translation updates:
Hungarian
Italian
Kazakh
Russian
Swedish
[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command
[ Simon McVittie ]
* git: use an explicit function parameter for the directory to work
in. Previously, we used global state that was not restored correctly
on catching exceptions, causing an unintended log message
"cannot chdir to .../ikiwiki-temp-working: No such file or directory"
with versions >= 3.20161229 when an attempt to revert a change fails
or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the
wrong commits if a file named literally "--" is present in the
repository
* check_canchange: log "bad file name whatever", not literal string
"bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail
intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid
author/committer name and email, hopefully fixing this test on
ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat
for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security
references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the
intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for
OpenID Selector, which does not seem to have any more current URL
(and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation.
It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred
build-dependency, with virtual package libmagickcore-extra as an
alternative, to help autopkgtest to do the right thing
For full changes, please refer to the CHANGESLOG.md file.
* libgit2 v0.24.6 and libgit2 v0.25.1, January 9th, 2017
Includes two fixes, one performs extra sanitization for some edge cases in
the Git Smart Protocol which can lead to attempting to parse outside of the
buffer.
The second fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library considered
the certificate to be correct. This parameter is always 1/true before these
releases leading to a possible MITM.
This does not affect you if you do not use the custom certificate callback
or if you do not take this value into account. This does affect you if you
use pygit2 or git2go regardless of whether you specify a certificate check
callback.
taca@ was right. UPDATE_GEMSPEC is better than the patch, and can be used
now since it was moved from gem.mk to rubyversion.mk. With this new version, rdoc is added, because the application breaks without it. Also, selenium-webdriver was downgraded to 2.53.4. Duplicate entries removed from PLIST. Changes are:
Defect #13622: "Clear" button in Spent Time Report tab also clears global filters
Defect #14658: Wrong activity timezone on user page
Defect #14817: Redmine loses filters after deleting a spent time
Defect #22034: Locked users disappear from project settings
Defect #23922: Time Entries context menu/bulk edit shows activities not available for the time entry's project
Defect #24000: z-index children menu should be greater than content
Defect #24092: bundler error: selenium-webdriver requires Ruby version >= 2.0.
Defect #24156: Redmine might create many AnonymousUser and AnonymousGroup entries
Defect #24274: Query totals and query buttons overlaps on small screens
Defect #24297: Show action not allowed for time entries in closed projects
Defect #24311: Project field disappears when target project disallows user to edit the project
Defect #24348: acts_as_versioned use old style (Rails 2.x) of method call for #all
Defect #24595: Unarchive link for a subproject of a closed project does not work
Defect #24646: X-Sendfile is missing in response headers
Defect #24693: Spent time on subtasks should also be reassigned when deleting an issue
Defect #24718: Prevent from reassigning spent time to an issue that is going to be deleted
Defect #24722: Error when trying to reassign spent time when deleting issues from different projects
Patch #24003: Catalan Translation
Patch #24004: Spanish & Spanish (PA) Translation
Patch #24062: Allow only vertical reordering in sortable lists
Patch #24283: Validate length of string fields
Patch #24296: Add tablename to siblings query to prevent AmbiguousColumn errors
Features
- Improve parsing performance in case of keep-timestamp(no)
- TLS based transports will publish the peer's certificate in a set of
name-value pairs.
- Improve performance of the tcp() source, due to a bug, syslog-ng
attempted to apply position tracking to messages coming over a TCP
transport, which is used for file position tracking and causing
performance degradation.
- Make it possible to configure the listen-backlog() for any stream based
transports (unix-stream and tcp).
- Add a groupunset() rewrite rule that pairs up with groupset() but instead
of setting values it unsets them.
- Add support for Elastic Shield and SearchGuard
- kv-parser() is now able to cope with unquoted values with an embedded
space in them, it also trims whitespace from keys/values and is in
general more reliable in extracting key-value pairs from arbitrary log
messages.
- Improve performance for java based destinations.
- Add prefix() option to add-contextual-data()
Bugfixes
- Fix a potential crash in the file destination, in case it is a template
based filename and time-reap() is elapsed.
- Fix a potential ACK problem within syslog-ng that can cause input windows
to overflow queue sizes over time, effectively causing message drops that
shouldn't occur.
- Fix a heap corruption bug in the DNS cache, in case the maximum number of
DNS cache entries is reached.
- Fix timestamp for suppression messages.
- Fix add-contextual-data() to support CRLF line endings in its CSV input
files.
- Fixed key() option parsing in riemann() destinations.
- Find libsystemd-journal related functions in both libsystemd-journal.so
and libsystemd.so, as recent systemd versions bundled all systemd
related libs into the same library.
- Fixed the build-time detection of system-wide installed librabbitmq,
libmongoc and libcap.
- Fix the file source to repeatedly check for nonexistent files, as a bug
caused syslog-ng to stop after two attempts previously.
- The performance testing tool "loggen" crashed if it was used to generate
messages on multiple threads over TLS. This is now fixed.
- Fix an issue in the syslog-parser() parser, so that timestamps parsed
earlier in the log path are properly overwritten.
- Due to a compilation issue, tcp-keepalive-time(), tcp-keepalive-intvl() and
tcp-keepalive-probes() were not working, now they are again.
- The --disable-shm-counters option is now passed to mongo-c-driver to work
around a minor security issue.
- Fix compilation issues on FreeBSD.
- Add support to month names in all caps in syslog timestamps. At least one
device seems to generate these.
- The options() option to java destination can now accept numbers and not
just strings.
- Fix a memory leak in the java destination driver, that may affect java
based destinations like ElasticSearch, Kafka & HDFS.
Other changes
- HDFS was updated to 2.7.3
- Elasticsearch was updated to 2.4.0
- Support was added for OpenSSL 1.1.x
* Version 3.5.8 (released 2016-01-09)
** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
functions will not leave the verification profiles field to an
undefined state. The last call will take precedence.
** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
by PKCS#8 decryption functions when an invalid key is provided. This
addresses regression on decrypting certain PKCS#8 keys.
** libgnutls: Introduced option to override the default priority string
used by the library. The intention is to allow support of system-wide
priority strings (as set with --with-system-priority-file). The
configure option is --with-default-priority-string.
** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
This prevents crashes when decrypting malformed PKCS#8 keys.
** libgnutls: Fix crash on the loading of malformed private keys with certain
parameters set to zero.
** libgnutls: Fix double free in certificate information printing. If the PKIX
extension proxy was set with a policy language set but no policy specified,
that could lead to a double free.
** libgnutls: Addressed memory leaks in client and server side error paths
(issues found using oss-fuzz project)
** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
(issues found using oss-fuzz project)
** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
(issues found using oss-fuzz project)
** API and ABI modifications:
No changes since last version.
* Version 3.5.7 (released 2016-12-8)
** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
and SECURE256 priority strings.
** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
operate with OIDs which have elements that exceed 2^32.
** libgnutls: The DN decoding functions output the traditional DN format
rather than the strict RFC4514 compliant textual DN. This reverts the
3.5.6 introduced change, and allows applications which depended on the
previous format to continue to function. Introduced new functions which
output the strict format by default, and can revert to the old one using
a flag.
** libgnutls: Improved TPM key handling. Check authorization requirements
prior to using a key and fix issue on loop for PIN input. Patches by
James Bottomley.
** libgnutls: In all functions accepting UTF-8 passwords, ensure that
passwords are normalized according to RFC7613. When invalid UTF-8
passwords are detected, they are only tolerated for decryption.
This introduces a libunistring dependency on GnuTLS. A version of
libunistring is included in the library for the platforms that do
not ship it; it can be used with the '--with-included-unistring'
option to configure script.
** libgnutls: When setting a subject alternative name in a certificate
which is in UTF-8 format, it will transparently be converted to IDNA form
prior to storing.
** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
will print the SHA256 key-ID instead of a certificate fingerprint.
** libgnutls: enhance the PKCS#7 verification capabilities. In the case
signers that are not discoverable using the trust list or input, use
the stored list as pool to generate a trusted chain to the signer.
** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
under DTLS.
** libgnutls: [added missing news entry since 3.5.0]
No longer tolerate certificate key usage violations for
TLS signature verification, and decryption. That is GnuTLS will fail
to connect to servers which incorrectly use a restricted to signing certificate
for decryption, or vice-versa. This reverts the lax behavior introduced
in 3.1.0, due to several such broken servers being available. The %COMPAT
priority keyword can be used to work-around connecting on these servers.
** certtool: When exporting a CRQ in DER format ensure no text data are
intermixed. Patch by Dmitry Eremin-Solenikov.
** certtool: Include the SHA-256 variant of key ID in --certificate-info
options.
** p11tool: Introduced the --initialize-pin and --initialize-so-pin
options.
** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added
* Version 3.5.6 (released 2016-11-04)
** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
(pre-rfc5652) structures with arbitrary encapsulated content.
** libgnutls: Introduced a function group to set known DH parameters
using groups from RFC7919.
** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
Now the generated textual DN is in reverse order according to RFC4514,
and functions which generate a DN from strings such as gnutls_x509_crt_set_*dn()
set the expected DN (reverse of the provided string).
** libgnutls: Introduced time and constraints checks in the end certificate
in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
functions.
** libgnutls: Set limits on the maximum number of alerts handled. That is,
applications using gnutls could be tricked into a busy loop if the
peer continuously sends alert messages. Applications which set a maximum
handshake time (via gnutls_handshake_set_timeout) will eventually recover
but others may remain in a busy loop indefinitely. This is related but
not identical to CVE-2016-8610, due to the difference in alert handling
of the libraries (gnutls delegates that handling to applications).
** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
functions return an index (introduced in 3.5.5), to avoid affecting programs
which explicitly check success of the function as equality to zero. In order
for these functions to return an index an explicit call to gnutls_certificate_set_flags
with the GNUTLS_CERTIFICATE_API_V2 flag is now required.
** libgnutls: Reverted the behavior of sending a status request extension even
without a response (introduced in 3.5.5). That is, we no longer reply to a
client's hello with a status request, with a status request extension. Although
that behavior is legal, it creates incompatibility issues with releases in
the gnutls 3.3.x branch.
** libgnutls: Delayed the initialization of the random generator at
the first call of gnutls_rnd(). This allows applications to load
on systems on which getrandom() would block, without blocking until
real random data are needed.
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
** p11tool: improvements in --initialize option.
** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added
* Version 3.5.5 (released 2016-10-09)
** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
to allow importing multiple OCSP request files, one for each chain
provided.
** libgnutls: The gnutls_certificate_set_key* functions return an
index of the added chain. That index can be used either with
gnutls_certificate_set_ocsp_status_request_file(), or with
gnutls_certificate_get_crt_raw() and friends.
** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
for the aarch64 architecture. Uses Andy Polyakov's assembly code.
** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
failures due to key mismatch. This prevents leaks or double freeing
on such failures.
** libgnutls: Increased the maximum size of the handshake message hash.
This will allow the library to cope better with larger packets, as
the ones offered by current TLS 1.3 drafts.
** libgnutls: Allow to use client certificates despite them containing
disallowed algorithms for a session. That allows for example a client
to use DSA-SHA1 due to his old DSA certificate, without requiring him
to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
** libgnutls: Reverted AESNI code on x86 to earlier version as the
latest version was creating position depending code. Added checks
in the CI to detect position depending code early.
** guile: Update code to the I/O port API of Guile >= 2.1.4
This makes sure the GnuTLS bindings will work with the forthcoming 2.2
stable series of Guile, of which 2.1 is a preview.
** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
GNUTLS_E_PK_INVALID_PUBKEY: Added
GNUTLS_E_PK_INVALID_PRIVKEY: Added
This is a regularly scheduled bugfix and improvement release recommended for all users.
Resolved issues:
#3846: Changing bandwidth rate limits now takes effect immediately without restart.
#3859: The event log (-audit) can now be directed to stderr for piping into another program.
#3584: A panic on folder listing at startup has been fixed.
#3857: On Windows, we now make sure to never descend into directory symlinks.
#3819: When a folder is deleted, the .stfolder marker is also removed. The ignore file and .stversions directory are retained, if present.
#3839: Several scenarios where a device would get stuck with "not a directory" errors are now handled again.
#3861: Third party copyrights in the about box are now more up to date.
Also:
Hashing performance has been improved again, after it was inadvertently reduced in v0.4.17.
this to build for NetBSD/powerpc:
* need a cast in one place (in the renamed patch)
* an overcautious assert() is incompatible with top/down VM layout in NetBSD
This still doesn't work on NetBSD/powerpc, though, and I ran out of time.
The build produces a mono-boehm.core file the first time through the build
(for some reason not the subsequent attempts, sigh!), and I have problems
reconstructing the CLI to run the mono-boehm executable under gdb, and the
core file says it got a segv in opendir() which must be nonsensical.