PuTTY is a client program for the SSH, Telnet and Rlogin network protocols.
These protocols are all used to run a remote session on a computer, over a
network. PuTTY implements the client end of that session: the end at which
the session is displayed, rather than the end at which it runs.
Noteworthy changes in version 1.4.10 (2009-09-02)
-------------------------------------------------
* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm
* Support v2 OpenPGP cards.
* The algorithm to compute the SIG_ID status has been changed to
match the one from 2.0.10.
* Improved file locking. Implemented it for W32.
* Fixed a memory leak which made imports of many keys very slow.
* Many smaller bug fixes.
* Support for the Camellia cipher (RFC-5581).
* Support for HKP keyservers over SSL ("HKPS").
in PKG_OPTIONS.apr-util/PKG_DEFAULT_OPTIONS.
USE_LANGUAGES should be set before including mk/apache.mk as it
(may) ends up including mk/compiler.mk.
This last file sets a default value of 'c' to USE_LANGUAGES and
then uses it to set PKG_CC, PKG_CXX and PKG_FC to "fail wrappers".
Hence the C++ compiler command ends up being wrapped by a "fail
script" thus breaks the build.
doesn't conflict with openssh.
Changes since 0.50:
0.52 - Wed 12 November 2008
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to
tunnel standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned
process for IO rather than a direct TCP connection. eg
dbclient remotehost
is equivalent to
dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop"
connections, with comma-separated host syntax. Allows running
dbclient user1@host1,user2@host2,user3@host3
to end up at host3 via the other two, using SSH TCP forwarding. It's
a bit like onion-routing. All connections are established from the
local machine. The comma-separated syntax can also be used for
scp/rsync, eg
rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/
to bounce through a few hosts.
- Add -I "idle timeout" option (contributed by Farrell Aultman)
- Allow restrictions on authorized_keys logins such as restricting
commands to be run etc. This is a subset of those allowed by OpenSSH,
doesn't yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems
with the standard CBC mode.
- Support zlib@openssh.com delayed compression for client/server. It
can be required for the Dropbear server with the '-Z' option. This
is useful for security as it avoids exposing the server to attacks
on zlib by unauthenticated remote users, though requires client side
support.
- options.h has been split into options.h (user-changable) and
sysoptions.h (less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by
recent versions of PuTTY
0.51 - Thu 27 March 2008
- Make a copy of password fields rather erroneously relying on getwpnam()
to be safe to call multiple times
- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
as well) always use that program, ignoring isatty() and $DISPLAY
- Wait until a process exits before the server closes a connection, so
that an exit code can be sent. This fixes problems with exit codes not
being returned, which could cause scp to fail.
- Make Prelude-Manager thread backend independant.
- Add missing dlpreopening support for the SMTP plugin.
- Win32 compilation fixes.
- Various fixes and update.
Also various pkgsrc related fixes including DESTDIR support.
Changes in 0.9.17:
==================
- Do not provide an exhaustive list of unreachable linked alert, rather,
tell the user how many linked alert are not reachable any more.
- String encoding fixes, do not mix unicode and bytestring, and more
generally, use unicode for internal string storage. This fixes a lot
of possible exception with particular specific user input, or with
localization enabled.
- Inline filter didn't work as expected when viewing events starting
with a specific offset, because the offset keyword wasn't removed
from the generated link.
- Error handling improvement (back / retry button weren't always
working as expected).
- Fix exception when no protocol was available.
- Improve navigation button link (make the link cover the whole button).
Changes in 0.9.16:
==================
- Multiples advanced filter within the same column wouldn't display
correctly.
- Correctly restore input field when switching between advanced/simple
filter mode.
- Fix multiple bug that would results in inconsistant filtered "state"
and reset button.
- Using the classification simple filter now also trigger a search on
impact.completion.
- Fix multiple alert deletion checkbox, (#357).
- Various bug fixes.
Changes in 0.9.15:
==================
- Make it obvious when a column is filtered by replacing the old sober
star with a big "[filtered]" red marker. If the column filter is
saved, then the marker color will go from red to black.
- Once the user filtered a given field by clicking on it, deny further
click so that it is clear that the filter is currently active.
- Re-write the inline filter implementation using Cheetah + Jquery, in
place of generating an enormous amount of javascript code. This
drastically reduce the size of the events listing HTML page, and will
allow for much easier modification of the inline-filters.
- Only propose filter operator relevant to the selected path.
- Inline filter now present a single input field (with no path and
operator selection). Using this field, the user can filter on what is
seen in the associated column. For example, in the classification
column, the filter will trigger a search on classification.text,
classification.reference.name and classification.reference.origin.
There is also an [advanced] button allowing the user to specify both
the path and the operator.
- Implement a reset button in each inline filter column, that allow to
switch between different version of the filter: last saved filters,
default filters, or current filters.
- The user can now click an alert completion to set an inline filter on
the completion value.
- Clicking on a port / protocol now trigger a CSS menu allowing to
filter on the port and protocol information, or to get information
concerning this port / protocol.
- Clicking on a classification reference now trigger a CSS menu which
allow to filter on the reference, or to get more information
concerning it.
- Clicking on classification now add a filter on the selected
classification (previously, it would have unfolded aggregated alerts
for the selected entry, which is now done clicking the alert count).
- Until now, the default user that was automatically created by Prewikka
if there was no administrative user was "admin". As of now you can
define the initial administrative username and password from the
configuration file. (fix#289).
- Fix escaping for reference details URI parameters.
- Fix ModPython content-type handling.
- Invalid variable name, fix#339.
- Update to JQuery 1.3.2, and fit small JQuery API change.
- If the installed libprelude or libpreludedb version is too old,
Prewikka will require the user to upgrade. Currently, Prewikka depend
on libpreludedb 0.9.12, and libprelude 0.9.23.
- Fix IDMEFDatabase exception on empty criteria string (fixes#346).
- Analyzer retrieval fixes and speedup (fixes#350).
- Make the Prelude-LML UDP server IPv6 compatible.
- Implement 'idmef-alter' and 'idmef-alter-force' option, alloing
to include static values into IDMEF events generated using a given
format.
- New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin <firm <at> iname.com>,
with slight modification from Pierre Chifflier <p.chifflier <at> inl.fr>.
Close#340.
- Fix CISCO VPN ruleset so that the 'Authentication rejected' rule will
trigger even if the 'server' field does not contain a word (fix#328).
- Remove dos-style end-of-lines (Closes#338)
- Fixes possible off by one when parsing variable reference number, and
remove un-needed check that would always evaluate to TRUE.Thanks
Steve Grubb <sgrubb <at> redhat.com> for reporting this problem (and
running flexelint on the Prelude sources)!
- Update for libtool 2.x compatibility.
- This simplify the whole regular expression handling a lot, making the
code much easier to read, and fixing potential problem with ovector
assignement. This code should also improve performance by a small
factor.
- Change CISCO references urls to their new location, add CISCO ASA rule
to handle discarded tcp or udp packets.
- Various fixes and update.
- support for newer Python versions
- various bug fixes and security improvements
- moved from LGPL to MIT license
Based on the update by Christian Sturm in wip with additional fixes from
me.
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
* Noteworthy changes in release 2.3 (2009-07-29) [stable]
- Libtasn1 is now an official GNU project.
- Solve build problem on Tru64 related to TRUE/FALSE.
- More careful decoding of OIDs.
- Fixed warning in ASN1.y.
- Use "Software libraries" info dircategory.
- Drop GPL/LGPL copies from the manual (not needed there).
- New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
Shamir's Secret Sharing Scheme (SSSS) is an implementation of a
threshold scheme for sharing a secret between third parties, and
requiring a threshold of those parties to collaborate to reveal the
secret.
Taken from the Wikipedia article about Secret Sharing:
In cryptography, a secret sharing scheme is a method for
distributing a secret amongst a group of participants, each of
which is allocated a share of the secret. The secret can only
be reconstructed when the shares are combined together;
individual shares are of no use on their own.
Shamir's scheme is provable secure: in a (t,n) scheme one can prove
that it makes no difference whether an attacker has t-1 valid shares
at his disposal or none at all; as long as he has less than t shares,
there is no better option than guessing to find out the secret.
Changelog:
The following changes have been made between John 1.7.3 and 1.7.3.1:
* Corrected the x86 assembly files for building on Mac OS X.
* Merged in some generic changes from JtR Pro.
The following changes have been made between John 1.7.2 and 1.7.3:
* Two Blowfish-based crypt(3) hashes may now be computed in parallel for much
better performance on modern multi-issue CPUs with a sufficient number of
registers (e.g., x86-64).
* Bitslice DES assembly code for x86-64 has been converted to use
instruction pointer relative addressing (needed for Mac OS X support).
* New make targets: macosx-universal, macosx-x86-64, solaris-x86-64-cc,
solaris-x86-64-gcc, solaris-x86-sse2-cc, solaris-x86-sse2-gcc,
solaris-x86-mmx-cc, solaris-x86-mmx-gcc, solaris-x86-any-cc, linux-ia64;
other changes to the Makefile.
* Minor bug fixes.
* "DumbForce" and "KnownForce" external mode samples have been added to the
default john.conf.
