scheduled import of www/p5-Catalyst-Authentication-Store-Htpasswd,
which is recommended by the update of editors/p5-Padre-Plugin-Catalyst.
This module provides a convenient, object-oriented interface to Apache-style
.htpasswd files. It supports passwords encrypted via MD5, SHA1, and crypt,
as well as plain (cleartext) passwords. Additional fields after username
and password, if present, are accessible via the extra_info array.
5.48 Mon Jan 4 16:32:52 MST 2010
- fixed "shasum -a0" option (ref. rt.cpan.org #53319)
-- incorrectly accepted 0 as a valid algorithm
-- thanks to Zefram for patch
- updated URL for NIST test vectors
-- ref. files t/nistbit.t, t/nistbyte.t
-- thanks to Leon Brocard for patch
Version 4.29, 2009.12.02, urgency: MEDIUM:
* New features sponsored by Searchtech Limited http://www.astraweb.com/
- sessiond, a high performance SSL session cache was built for stunnel.
A new service-level "sessiond" option was added. sessiond is
available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
stunnel clusters will be a lot faster, now!
* Bugfixes
- "execargs" defaults to the "exec" parameter (thx to Peter Pentchev).
- Compilation fixes added for AIX and old versions of OpenSSL.
- Missing "fips" option was added to the manual.
Version 4.28, 2009.11.08, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8l.
- Transparent proxy support on Linux kernels >=2.6.28.
See the manual for details.
- New socket options to control TCP keepalive on Linux:
TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
- SSL options updated for the recent version of OpenSSL library.
* Bugfixes
- A serious bug in asynchronous shutdown code fixed.
- Data alignment updated in libwrap.c.
- Polish manual encoding fixed.
- Notes on compression implementation in OpenSSL added to the manual.
pkgsrc changes:
- Adjusting license definition
Upstream changes:
1.08 - Wed Dec 9 18:20:22 2009
* Promoting development release to full release.
* This release mainly clarifies the licensing.
1.07_02 - Tue Nov 4 02:21:27 2008
* RT #40511: Give a better warning when you try to use tainted
data as an initialization vector. If anyone wants to use
tainted data, they can patch the code to accept it.
1.07_01 - Tue Oct 14 08:59:58 2008
* Clarify that these files are under the Lesser GNU Public License
(also known as the Library GNU Public License).
changes:
* The default for --include-cert is now to include all certificates
in the chain except for the root certificate.
* Numerical values may now be used as an alternative to the
debug-level keywords.
* The GPGSM --audit-log feature is now more complete.
* GPG now supports DNS lookups for SRV, PKA and CERT on W32.
* New GPGSM option --ignore-cert-extension.
* New and changed passphrases are now created with an iteration count
requiring about 100ms of CPU work.
Approved by agc@.
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
you're doing.
[Ben Laurie]
* Not only interix-3, but also treat all interix release, allow to build on SUA.
* Gave up randomized image base, use 0x5e000000, as in mk/platform/Interix.mk.
It is workaround of PR 42369.
* Use -D_REENTRANT flags for threads.
* replace -Wl,soname= linker flags with -Wl,h, for Interix
Major changes between sudo 1.7.2p1 and 1.7.2p2:
* Fixed a a bug where the negation operator in a Cmnd_List
was not being honored.
* Sudo no longer produces a parse error when #includedir references
a directory that contains no valid filenames.
* The sudo.man.pl and sudoers.man.pl files are now included in
the distribution for people who wish to regenerate the man pages.
* Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
* When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so
they can be used during authentication.
an "idea" option, but that was removed more than a year ago when it
got updated from 1.2 to 1.4
The patch was was used on gnupg2 in the "idea" case was just a four-line
memory initialization fix, there is no point in LICENSE restrictions
due to this, so I've pulled it in as regular patch so that it doesn't
get lost for the case someone fixes idea support in libgcrypt
(which isn't hard).
noticed by OBATA Akio per mail to pkgsrc-users.
This makes most sense to me since gnupg2 doesn't install a gpg-zip
intentionally. Since possible clients of gpg-zip should have a
dependency on gnupg1, we can't take over easily. Once we are sure
that gnupg2 can fully replace gnupg1, we might consider to install
eg symlinks gpg->gpg2 etc and make gnupg1 obsolete, but this needs
careful testing.
changes: many fixes and improvements
reviewed by John R. Shannon
pkgsrc notes:
-since S/MIME support is the biggest difference in functionality over
gnupg1, enable it per default -- my tests (with the s/mime plugin
of claws-mail) worked
-left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
changes:
* New option --url for the LOOKUP command and dirmngr-client.
* The LOOKUP command does now also consults the local cache. New
option --cache-only for it and --local for dirmngr-client.
* Port to Windows completed.
* Improved certificate chain construction.
* Support loading of PEM encoded CRLs via HTTP.
* Client based trust anchors are now supported.
* Configured certificates with the suffix ".der" are now also used.
* Libgcrypt 1.4 is now required.
reviewed by John R. Shannon
pkgsrc notes:
I've left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
Beiing here, support DESTDIR.
-don't pull in gnupg2's "gpgconf" if both gnupg1 and gnupg2 are installed
but we are building against gnupg1, this caused a build failure
-fix a selftest to work with gnupg2
Changes in version 2.28.2 are:
* Add license to reference documentation.
* Sent output of g_printerr to syslog.
* No error when can't unlock login keyring.
* Fix assertion when comparing attributes.
* Fix freeing of unallocated memory in test.
* Don't barf on certificates with unsupported algorithm.
* Fix some memory leaks.
[Changes for 0.61]
* Added "=encoding utf8" to POD to fix author name display.
No functional changes.
[Changes for 0.60]
* LICENSING CHANGE: This compilation and all individual files in it
are now under the nullary CC0 1.0 Universal terms:
To the extent possible under law, 唐鳳 has waived all copyright and
related or neighboring rights to Module-Signature.
* Updated Module::Install to 0.91, prompted by Florian Ragwitz.
0.42 Wed Sep 30 23:20:58 JST 2009
* Support for GPG2
0.41_01 Fri Sep 25 02:56:33 JST 2009
* Beginnings of support for GPG2
0.40_04 Tue Apr 21 19:50:12 JST 2009
* Use Any::Moose instead of Moose for Mouse celerity (Sartak)
0.40_1 Sat Nov 15 12:35:59 EST 2008
* [rt.cpan.org #40963] Replace Class::MethodMaker with Moose (Chris Prather)
Noteworthy changes in version 1.4.5 (2009-12-11)
------------------------------------------------
* Fixed minor memory leak in DSA key generation.
* No more switching to FIPS mode if /proc/version is not readable.
* Fixed a sigill during Padlock detection on old CPUs.
* Fixed a hang on some W2000 machines.
* Boosted SHA-512 performance by 30% on ia32 boxes and gcc 4.3;
SHA-256 went up by 25%.
Apart from infrastructure changes, there are the following functional ones:
+ Update to version 1.99.14/20091210
+ provide a new netpgp_match_list_keys(3) function to perform a
regular-expression based search of all the keys in the keyring. If no
pattern is specified to match, then all keys are returned.
+ provide a new netpgp_set_homedir(3) function, and use it to set the
home directory from the library, rather than individually in all the
programs which use the library
+ provide a new netpgp_incvar(3) function which will add a constant
increment (which may be negative) to the value of an internal
variable. This is primarily used for the verbosity level within the
library, and is again a movement of the function into the library from
the individual programs which use the library
+ move to the specification of an ssh key file by internal variable,
rather than the directory holding an ssh key file
+ autoconf infrastructure changes
+ take a hammer to the _GNU_SOURCE definitions problems
+ don't rely on strnlen(3) being present everywhere
+ add rudimentary support for ssh keys
+ add a netpgp library function - netpgp_get_key(3) - to print a
specific key
+ add functionality to call this function in netpgpkeys(1)
+ add test for netpgp_get_key
+ add a verbose switch to the tst script
+ add netpgp functions to expose the memory signing and verification
functions - netpgp_sign_memory(3) and netpgp_verify_memory(3)
+ coalesced signing and verification ops file functions
The seccure toolset implements a selection of asymmetric
algorithms based on elliptic curve cryptography (ECC). In
particular it offers public key encryption / decryption,
signature generation / verification and key establishment.
ECC schemes offer a much better key size to security ratio
than classical systems (RSA, DSA). Keys are short enough to
make direct specification of keys on the command line possible
(sometimes this is more convenient than the management of
PGP-like key rings). seccure builds on this feature and
therefore is the tool of choice whenever lightweight
asymmetric cryptography -- independent of key servers,
revocation certificates, the Web of Trust or even
configuration files -- is required.
collection - kudos to Jan Schaumann for pointing it out.
PAM module which permits authentication for arbitrary services
via ssh-agent. Written with sudo in mind, but like any auth
PAM module, can be used for for many purposes.
and "root" user-less platforms.
* replace one bash script shbang (for safe side, may bone shell is sufficient).
* fix PLIST for PR 40993.
add missing entries and back plist vars replaced for Darwin-apple excessively.
Bump PKGREVISION.
On SP initiated logout, the SP x509 certificate was included in the
HTTP redirect URL. First this was an SAML standard violation, and second
it inflated the URL beyond 2038 bytes, which is the maximum length for
IE7 and prior. As a result, SP initated single logout was broken with IE7
and prior versions.
changes:
-Support for the "aes128-ctr", "aes192-ctr", "aes256-ctr" ciphers
-Support for the "arcfour128" cipher
-Fix crash when server sends an invalid SSH_MSG_IGNORE message
1.) Use "hashlib" instead of "sha" module if possible.
2.) Use "subprocess" module instead of os.popen3().
Both changes tested with Python 2.4 and 2.6.
Pkgsrc-related improvements:
1.) Support "user-destdir" installation (no changes required).
2.) Set license to "gnu-gpl-v2".
3.) Reduce patches by recording the fact that the manual page gets
compressed automatically (which "pkgsrc" handles fine) instead
of trying to prevent that.
This is Crypt::ECB, a Perl-only implementation of the ECB mode. In
combination with a block cipher such as DES, IDEA or Blowfish, you can encrypt
and decrypt messages of arbitrarily long length. Though for security reasons
other modes than ECB such as CBC should be preferred. See textbooks on
cryptography if you want to know why.
In addition to this module you will need to install one or more of the
Crypt::DES, Crypt::IDEA, or Crypt::Blowfish modules.
changes:
-bugfixes
-API extensions
-documentation improvement
-The encoding of gpgme_data_t objects can affect the output encoding
of export, sign and encrypt operations now
-Using GPGME_KEYLIST_MODE_LOCAL combined with
GPGME_KEYLIST_MODE_EXTERN is now supported
0.9.0-beta8:
- Include spamhaus_drop.dat in the source distribution. Fix installation
issue (closes#364).
0.9.0-beta7:
- Initial SpamhausDrop plugin implementation, by
Wes Young <wes@barely3am.com> (closes#363)
- Do not discard --root parameters if prefix is absolute.
- Python 2.4 backward compatibility fixes.
- Handle plugin loading error gracefully.
- Improve WormPlugin accuracy, and make it carry a reference to the
initial event. The plugin used to alert when seeing an alert to a
given target, and this same alert going back to the source. This can
happen in a number of case (example: Netbios alert triggered by Snort)
As of now, the plugin will wait for the events to be repeated against
at least 5 differents hosts.
- Dshield CorrelationAlert now handle multiples events. Previously, we
used to generate a single Dshield CorrelationAlert for each events
where the source address would match the Dshield database. The plugin
now generate CorrelationAlert for multiples events received from the
same source.
* Version 2.8.5 (released 2009-11-02)
** libgnutls: In server side when resuming a session do not overwrite the
** initial session data with the resumed session data.
** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.". Problem
introduced for the v2.8.x branch in 2.7.6.
** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes@laas.fr>.
** tests: Fix expired cert in chainverify self-test.
** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.
** API and ABI modifications:
No changes since last version.
* Version 2.8.4 (released 2009-09-18)
** libgnutls: Enable Camellia ciphers by default.
** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.
** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc@symas.com> in
<https://savannah.gnu.org/support/?106975>.
** API and ABI modifications:
No changes since last version.
* gpgsigs:
+ Added patch from Roland Rosenfeld to support RIPEMD160 checksum.
(Closes: #533747).
+ Updated man page to mention support for SHA256 and RIPEMD160 checksum.
+ Made removal of nonexistent photos quiet by the use of the force option.
+ Updated generated tex file in latex mode so that it uses the grffile
package. This allows pdflatex to process our tex file assuming the photos
are previously converted to PDF. (Closes: #542478)
* caff: Updated check for the local-user keyids.
+ Moved the current check to a new function get_local_user_keys().
+ Warned the user if a local-user keyid is not listed as a keyid in
./caffrc. (Closes: #540165).
* gpgdir: New upstream release.
* gpg-mailkeys:
+ The charset for the text of the message is deduced from the charset used
by ~/.gpg-mailkeysrc and ~/.signature.
The text message is encoded in quoted printable and thus it requires a
new dependency on qprint in debian/control. (Closes: #545186)
+ Mentionned both the .gpg-mailkeysrc and .signature files in the manpage.
- fix the configuration path and file, so it can use the proper user:group
and the chroot
- fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads',
'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description)
Bump PKGREVISION.
Upstream changes:
v1.31 2009.09.25
- add and export constants for SSL_VERIFY_*
- set SSL_use_cert if cert is given and not SSL_server
- support alternative CRL file with SSL_crl_file thanks to patch of
w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
- Fix references to the confdir.
- Fix headers so thirdparty apps can be built with pcsc-lite from pkgsrc.
- Some minor changes to fix pkglint warnings.
- Bump PKGREVISION.
- Use SWIG 1.3.39 to generate bindings code, fixes Prewikka compatibility
problem because of SWIG version mismatch between libprelude/libpreludedb
modules.
* USB code for BSD fixed by Emmanuel Dreyfus
* Add support for Rutoken S by Aktiv Co. / Aleksey Samsonov
* Plus some fixes to Info.plist (for users combining openct with pcsc-lite).
This update is quite delicate and I'm sure it'll break somewhere. So far
I've only been able to test it in NetBSD/amd64 and Mac OS X Leopard.
I'm bumping the dependency version in buildlink3.mk because the only package
using this seems to be Monotone, and I'll updating it right away.
Text::Password::Pronounceable v0.28 from PR pkg/42022 with some
modifications.
This module generates pronuceable passwords, based the the English digraphs by
D Edwards.
pkgsrc changes:
- Add commented license type
- Add Perl module type
Upstream changes:
changes from 0.04 to 0.05
-------------------------
* added doc() accessor to response types
* added better error handling with better error messages
* updated perldocs with new functionality and consistency fixes
* changed user-agent string to reflect module name
pkgsrc changes:
- Adding license definition
- Adjusting dependencies
Upstream changes:
1.16 2009.09.11
- Switching to production release
- Switching to non-development version
0.15_01 2009.02.13
- Updated to Module::Install 0.91
- Added a consistent $VERSION across the entire distro
- Removed the optional dependency on Convert::PEM for more
consistent downstream packaging (it was pointless to ask
since most people don't know what it is anyways).
- Data::Buffer has almost perfect CPAN Testers PASS, so always
install it (plus, SSH2 is common now).
- Added some missing dependencies to the Makefile.PL
- Removed the sign(1) and auto_install (which was dangerous)
- Removed all the magic repository tags that would change depending
on who was maintaining it.
- Adding missing test_requires for Test.pm and Test::More (I'll
migrate the remaining tests away from Test.pm next release)
- Merged the ToDo file into the POD
protocols. To use SASL, a protocol includes a command for identifying and
authenticating a user to a server and for optionally negotiating protection
of subsequent protocol interactions. If its use is negotiated, a security
layer is inserted between the protocol and the connection.
PAM provides a way to develop programs that are independent of
authentication scheme. These programs need "authentication modules" to be
attached to them at run-time in order to work. Which authentication module
is to be attached is dependent upon the local system setup and is at the
discretion of the local system administrator.
This package contains a SASL plugin and a PAM module that perform a crude
check on a SAML authentication assertion. The assertion signature and date
are verified, and access is granted on behalf ot the user taked for a
onfigurable attribute.
The only protection against replay attacks is the assertion validity dates
checks, this authentication is therefore secure only if the SAML
authentication assertion remains secret. The assertion has the same role
as a web cookie used for authentication.
PuTTY is a client program for the SSH, Telnet and Rlogin network protocols.
These protocols are all used to run a remote session on a computer, over a
network. PuTTY implements the client end of that session: the end at which
the session is displayed, rather than the end at which it runs.
Noteworthy changes in version 1.4.10 (2009-09-02)
-------------------------------------------------
* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm
* Support v2 OpenPGP cards.
* The algorithm to compute the SIG_ID status has been changed to
match the one from 2.0.10.
* Improved file locking. Implemented it for W32.
* Fixed a memory leak which made imports of many keys very slow.
* Many smaller bug fixes.
* Support for the Camellia cipher (RFC-5581).
* Support for HKP keyservers over SSL ("HKPS").
in PKG_OPTIONS.apr-util/PKG_DEFAULT_OPTIONS.
USE_LANGUAGES should be set before including mk/apache.mk as it
(may) ends up including mk/compiler.mk.
This last file sets a default value of 'c' to USE_LANGUAGES and
then uses it to set PKG_CC, PKG_CXX and PKG_FC to "fail wrappers".
Hence the C++ compiler command ends up being wrapped by a "fail
script" thus breaks the build.
doesn't conflict with openssh.
Changes since 0.50:
0.52 - Wed 12 November 2008
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to
tunnel standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned
process for IO rather than a direct TCP connection. eg
dbclient remotehost
is equivalent to
dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop"
connections, with comma-separated host syntax. Allows running
dbclient user1@host1,user2@host2,user3@host3
to end up at host3 via the other two, using SSH TCP forwarding. It's
a bit like onion-routing. All connections are established from the
local machine. The comma-separated syntax can also be used for
scp/rsync, eg
rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/
to bounce through a few hosts.
- Add -I "idle timeout" option (contributed by Farrell Aultman)
- Allow restrictions on authorized_keys logins such as restricting
commands to be run etc. This is a subset of those allowed by OpenSSH,
doesn't yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems
with the standard CBC mode.
- Support zlib@openssh.com delayed compression for client/server. It
can be required for the Dropbear server with the '-Z' option. This
is useful for security as it avoids exposing the server to attacks
on zlib by unauthenticated remote users, though requires client side
support.
- options.h has been split into options.h (user-changable) and
sysoptions.h (less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by
recent versions of PuTTY
0.51 - Thu 27 March 2008
- Make a copy of password fields rather erroneously relying on getwpnam()
to be safe to call multiple times
- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
as well) always use that program, ignoring isatty() and $DISPLAY
- Wait until a process exits before the server closes a connection, so
that an exit code can be sent. This fixes problems with exit codes not
being returned, which could cause scp to fail.
- Make Prelude-Manager thread backend independant.
- Add missing dlpreopening support for the SMTP plugin.
- Win32 compilation fixes.
- Various fixes and update.
Also various pkgsrc related fixes including DESTDIR support.
Changes in 0.9.17:
==================
- Do not provide an exhaustive list of unreachable linked alert, rather,
tell the user how many linked alert are not reachable any more.
- String encoding fixes, do not mix unicode and bytestring, and more
generally, use unicode for internal string storage. This fixes a lot
of possible exception with particular specific user input, or with
localization enabled.
- Inline filter didn't work as expected when viewing events starting
with a specific offset, because the offset keyword wasn't removed
from the generated link.
- Error handling improvement (back / retry button weren't always
working as expected).
- Fix exception when no protocol was available.
- Improve navigation button link (make the link cover the whole button).
Changes in 0.9.16:
==================
- Multiples advanced filter within the same column wouldn't display
correctly.
- Correctly restore input field when switching between advanced/simple
filter mode.
- Fix multiple bug that would results in inconsistant filtered "state"
and reset button.
- Using the classification simple filter now also trigger a search on
impact.completion.
- Fix multiple alert deletion checkbox, (#357).
- Various bug fixes.
Changes in 0.9.15:
==================
- Make it obvious when a column is filtered by replacing the old sober
star with a big "[filtered]" red marker. If the column filter is
saved, then the marker color will go from red to black.
- Once the user filtered a given field by clicking on it, deny further
click so that it is clear that the filter is currently active.
- Re-write the inline filter implementation using Cheetah + Jquery, in
place of generating an enormous amount of javascript code. This
drastically reduce the size of the events listing HTML page, and will
allow for much easier modification of the inline-filters.
- Only propose filter operator relevant to the selected path.
- Inline filter now present a single input field (with no path and
operator selection). Using this field, the user can filter on what is
seen in the associated column. For example, in the classification
column, the filter will trigger a search on classification.text,
classification.reference.name and classification.reference.origin.
There is also an [advanced] button allowing the user to specify both
the path and the operator.
- Implement a reset button in each inline filter column, that allow to
switch between different version of the filter: last saved filters,
default filters, or current filters.
- The user can now click an alert completion to set an inline filter on
the completion value.
- Clicking on a port / protocol now trigger a CSS menu allowing to
filter on the port and protocol information, or to get information
concerning this port / protocol.
- Clicking on a classification reference now trigger a CSS menu which
allow to filter on the reference, or to get more information
concerning it.
- Clicking on classification now add a filter on the selected
classification (previously, it would have unfolded aggregated alerts
for the selected entry, which is now done clicking the alert count).
- Until now, the default user that was automatically created by Prewikka
if there was no administrative user was "admin". As of now you can
define the initial administrative username and password from the
configuration file. (fix#289).
- Fix escaping for reference details URI parameters.
- Fix ModPython content-type handling.
- Invalid variable name, fix#339.
- Update to JQuery 1.3.2, and fit small JQuery API change.
- If the installed libprelude or libpreludedb version is too old,
Prewikka will require the user to upgrade. Currently, Prewikka depend
on libpreludedb 0.9.12, and libprelude 0.9.23.
- Fix IDMEFDatabase exception on empty criteria string (fixes#346).
- Analyzer retrieval fixes and speedup (fixes#350).
- Make the Prelude-LML UDP server IPv6 compatible.
- Implement 'idmef-alter' and 'idmef-alter-force' option, alloing
to include static values into IDMEF events generated using a given
format.
- New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin <firm <at> iname.com>,
with slight modification from Pierre Chifflier <p.chifflier <at> inl.fr>.
Close#340.
- Fix CISCO VPN ruleset so that the 'Authentication rejected' rule will
trigger even if the 'server' field does not contain a word (fix#328).
- Remove dos-style end-of-lines (Closes#338)
- Fixes possible off by one when parsing variable reference number, and
remove un-needed check that would always evaluate to TRUE.Thanks
Steve Grubb <sgrubb <at> redhat.com> for reporting this problem (and
running flexelint on the Prelude sources)!
- Update for libtool 2.x compatibility.
- This simplify the whole regular expression handling a lot, making the
code much easier to read, and fixing potential problem with ovector
assignement. This code should also improve performance by a small
factor.
- Change CISCO references urls to their new location, add CISCO ASA rule
to handle discarded tcp or udp packets.
- Various fixes and update.
- support for newer Python versions
- various bug fixes and security improvements
- moved from LGPL to MIT license
Based on the update by Christian Sturm in wip with additional fixes from
me.
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
* Noteworthy changes in release 2.3 (2009-07-29) [stable]
- Libtasn1 is now an official GNU project.
- Solve build problem on Tru64 related to TRUE/FALSE.
- More careful decoding of OIDs.
- Fixed warning in ASN1.y.
- Use "Software libraries" info dircategory.
- Drop GPL/LGPL copies from the manual (not needed there).
- New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
Shamir's Secret Sharing Scheme (SSSS) is an implementation of a
threshold scheme for sharing a secret between third parties, and
requiring a threshold of those parties to collaborate to reveal the
secret.
Taken from the Wikipedia article about Secret Sharing:
In cryptography, a secret sharing scheme is a method for
distributing a secret amongst a group of participants, each of
which is allocated a share of the secret. The secret can only
be reconstructed when the shares are combined together;
individual shares are of no use on their own.
Shamir's scheme is provable secure: in a (t,n) scheme one can prove
that it makes no difference whether an attacker has t-1 valid shares
at his disposal or none at all; as long as he has less than t shares,
there is no better option than guessing to find out the secret.
Changelog:
The following changes have been made between John 1.7.3 and 1.7.3.1:
* Corrected the x86 assembly files for building on Mac OS X.
* Merged in some generic changes from JtR Pro.
The following changes have been made between John 1.7.2 and 1.7.3:
* Two Blowfish-based crypt(3) hashes may now be computed in parallel for much
better performance on modern multi-issue CPUs with a sufficient number of
registers (e.g., x86-64).
* Bitslice DES assembly code for x86-64 has been converted to use
instruction pointer relative addressing (needed for Mac OS X support).
* New make targets: macosx-universal, macosx-x86-64, solaris-x86-64-cc,
solaris-x86-64-gcc, solaris-x86-sse2-cc, solaris-x86-sse2-gcc,
solaris-x86-mmx-cc, solaris-x86-mmx-gcc, solaris-x86-any-cc, linux-ia64;
other changes to the Makefile.
* Minor bug fixes.
* "DumbForce" and "KnownForce" external mode samples have been added to the
default john.conf.
pcsc-lite-1.5.5: Ludovic Rousseau
28 July 2009
- add the reader interface name if provided by the device
- SCardTransmit(): return SCARD_E_UNSUPPORTED_FEATURE if
SCARD_PROTOCOL_RAW is requested by unsupported
- SCardConnect() and SCardReconnect(): set dwActiveProtocol to
SCARD_PROTOCOL_UNDEFINED if SCARD_SHARE_DIRECT is used (conform to
MSDN). Contrary to Windows winscard behavior, the reader is accessed in
shared mode and not exclusive mode if SCARD_SHARE_DIRECT is used.
- SCardControl(): correctly check for buffer overflow (bug introduced in
pcsc-lite 1.5.4)
- some other minor improvements and bug corrections
New in OpenSC 0.11.9; 2009-07-29; Andreas Jellinghaus
* New rutoken_ecp driver by Aktiv Co. / Aleksey Samsonov
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
1.3.11 - 28 July 2009, Ludovic Rousseau
- add support of Raritan D2CIM-DVUSB VM/CCID, Feitian SCR301,
Softforum XecureHSM, 2 Neowave Weneo tokens, Synnix STD200, Aktiv
Rutoken ECP, Alcor Micro SCR001, ATMEL AT91SC192192CT-USB,
Panasonic USB Smart Card Reader 7A-Smart, Gemalto GemProx DU and SU
- remove support of Reiner-SCT cyberJack pinpad(a) on request of
Reiner-SCT. You should user the Reiner-SCT driver instead
- define CFBundleName to CCIDCLASSDRIVER so that non class drivers
have a higher priority. Used by pcsc-lite 1.5.5 and up.
Add a --disable-class configure option so that the Info.plist does
not define a Class driver. Default is class driver.
- do not power up a card with a voltage not supported by the reader
- add support of PIN_PROPERTIES_STRUCTURE structure and
FEATURE_IFD_PIN_PROPERTIES
- adds support of FEATURE_MCT_READERDIRECT. Only the Kobil TriB@nk
reader supports this feature for now. This is used for the Secoder
functionality in connected mode.
- add support of a composite device. No change needed with libhal.
use --enable-composite-as-multislot on Mac OS X since libhal is
not available on Mac OS X or with libusb on Linux
- some minor bugs removed
Changes in 1.7.2p1 since 1.7.2:
===============================
* Fixed the expansion of the %h escape in #include file names introduced in
sudo 1.7.1.
Changes in 1.7.2 since 1.7.1:
=============================
* A new #includedir directive is available in sudoers. This can be used to
implement an /etc/sudo.d directory. Files in an includedir are not edited
by visudo unless they contain a syntax error.
* The -g option did not work properly when only setting the group (and not
the user). Also, in -l mode the wrong user was displayed for sudoers
entries where only the group was allowed to be set.
* Fixed a problem with the alias checking in visudo which could prevent
visudo from exiting.
* Sudo will now correctly parse the shell-style /etc/environment file format
used by pam_env on Linux.
* When doing password and group database lookups, sudo will only cache an
entry by name or by id, depending on how the entry was looked up.
Previously, sudo would cache by both name and id from a single lookup, but
this breaks sites that have multiple password or group database names that
map to the same uid or gid.
* User and group names in sudoers may now be enclosed in double quotes to
avoid having to escape special characters.
* BSM audit fixes when changing to a non-root uid.
* Experimental non-Unix group support. Currently only works with Quest
Authorization Services and allows Active Directory groups fixes for
Minix-3.
* For Netscape/Mozilla-derived LDAP SDKs the certificate and key paths may
be specified as a directory or a file. However, version 5.0 of the SDK
only appears to support using a directory (despite documentation to the
contrary). If SSL client initialization fails and the certificate or key
paths look like they could be default file name, strip off the last path
element and try again.
* A setenv() compatibility fix for Linux systems, where a NULL value is
treated the same as an empty string and the variable name is checked
against the NULL pointer.
tested with:
-1.0.0beta3 (which already identifies itself as 1.0.0)
-the snapshot in NetBSD-current (identifies itself as 1.1.0)
-the 0.9.8 we had in -current before
Upstream changes:
v1.27 2009.07.24
- changed possible local/utf-8 depended \w in some regex against more
explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service
names can't have '-' inside
- fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
While there made it more aware of errors in Net::ssl_write_all (return
undef not 0 in generic_write)
1.5.1 release provides some bug fixes and a fix for the recently announced
HMAC vulnerability in the XML Signature specification (CVE-2009-0217).
1.5.0 release provides more bug fixes, partial support for Inclusive
Canonicalization 1.1, and support for the Xerces 3.x official release and
32/64-bit portability APIs.
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)
Shared directories can now be created independently by the pacakges
needing them and will be removed automatically by pkg_delete when empty.
Packages needing empty directories can use the @pkgdir command in PLIST.
Discussed and ok'd in thread starting at
http://mail-index.netbsd.org/tech-pkg/2009/06/30/msg003546.html
Version 2.2 (released 2009-05-20)
- Change how the ASN1_API decorator is used in libtasn1.h, for GTK-DOC.
- Changed license of libtasn1.pc from GPLv3+ to LGPLv2.1+.
Reported by Jeff Cai <Jeff.Cai@Sun.COM>.
- Building with many warning flags now requires --enable-gcc-warnings.
- Some warnings fixed.
* Version 2.8.1 (released 2009-06-10)
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.
** API and ABI modifications:
No changes since last version.
Upstream changes:
0.36 Jul 8, 2009
- open2pty, open3 and open3pty where not handling transparent
options for open_ex, and other minor bugs
- pty handling in open_ex was broken
- expect sample added
- New features
- FIPS support was updated for openssl-fips 1.2.
- New priority failover strategy for multiple "connect" targets,
controlled with "failover=rr" (default) or "failover=prio".
- pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>.
- Bugfixes
- Libwrap helper processes fixed to close standard
input/output/error file descriptors.
changes:
-Build fixes
-Fix problem with RSA key sizes that are not a multiple of 8.
This affected use of SSH keys in particular
-Fix crash related to secure memory
- Updating package for p5 module Net::DNS::SEC from 0.14nb1 to 0.15
- Adjusting / reordering dependencies according to META.yml
Upstream changes:
***0.15 December 31, 2008
Fix: digestbin not set when an empty value passed to hash.
Feature: Added DLV (rfcc 4431). The RR object is simply a clone of
the DS RR and inherits ... everything
Feature: Added NSEC3 and NSEC3PARAM support (RFC5155).
This adds Mime::Base32 to the module dependency list.
The RR type was still experimental at that time and is maintained
in Net::DNS::RR.
Fix: Test script recognizes change in Time::Local. Note that
Time::Local does not deal with dates beyond 03:14:07 UTC on
Tuesday, 19 January 2038. Therefore this code has a year 2038
problem.
Fix: DS create_from_hash now produces objects that can create
wireformat.
Other: minor changes to the debug statements
added t/05-rr.t (and identified a couple of bugs using it)
Fix: a few inconsistencies with respect to parsing of trailing dots.
During development the test signatures generated with the BIND tools
were re-generated in order to troubleshoot a bug that (most
probably) was caused by a version incompatibility between Net::DNS
and Net::DNS::SEC. Before release the original test from the 0.14
release were ran against this version too.
- Updating package for p5 module Crypt::RSA from 1.98nb1 to 1.99
- Setting license to ${PERL5_LICENSE} according to META.yml
- reordering dependencies (aplphabetic order, like in META.yml)
- Using Module::Install module type
Upstream changes:
- none noted -
- RT #37862 fixed
- RT #46577 fixed
Setting license to ${PERL5_LICENSE} (from module documentation)
Upstream changes:
0.35 Jun 30, 2009
- strict_mode was not working (bug report by wardmw@perlmonks)
- documentation correction (error reported by Kevin
Mulholland)
- Document that the SSH client bundled with your operative
system may not be good enough (report by Arun Rajamari).
- Add pointer to SSH::Batch in the docs
set license to ${PERL5_LICENSE} according to module's documentation (POD).
Upstream changes:
v1.26 2009.07.03
- SECURITY BUGFIX!
fix Bug in verify_hostname_of_cert where it matched only the prefix for
the hostname when no wildcard was given, e.g. www.example.org matched
against a certificate with name www.exam in it
Thanks to MLEHMANN for reporting
v1.25 2009.07.02
- t/nonblock.t: increase number of bytes written to fix bug with OS X 10.5
https://rt.cpan.org/Ticket/Display.html?id=47240
Include security fix for CVE-2008-2380 and requested by PR#41023
(approved by wiz@).
0.62.2
This release corrects a makefile compatibility problem with bash 4.
0.62.1
This release correct a couple of minor compiler warnings and errors.
* cryptpassword.c: Fix compiler warnings
* checkpasswordsha1.c: Fix compiler warnings.
* authldaplib.c (auth_ldap_enumerate): Fix typo.
0.62.0
This release adds support for additional hash functions, and an
update to the Postgres driver that removes potentional SQL injection
vulnerabilities in some circumstances.
* authpgsqllib.c: Use PQescapeStringConn() instead of removing all
apostrophes from query parameters. This fixes a potential SQL injection
vulnerability if the Postgres database uses a non-Latin locale.
* Added support for {SSHA}-encrypted passwords. Based on a patch
by Zou bin <zb@bisp.com>.
* Added support for {SHA512} hash function
- SCardGetStatusChange() works again. It was broken in some cases since
version 1.5.2
- detect buffer overflows if pcscd if used by a rogue client
- force access rights on /var/run/pcscd to be sure it can be used by a
libpcsclite client without privileges [SECURITY]
- create the PCSCLITE_EVENTS_DIR directory with the sticky bit so only
root or the owner of the event files can remove them
- if RFAddReader() fails with the libhal scheme then we try with the
(old) libusb scheme. This patch should allow proprietary drivers to
work even if pcsc-lite is compiled with libhal support.
- give a higher priority to a specific driver over the CCID Class
driver. This should allow proprietary drivers to be used instead of
libccid when possible
- some other minor improvements and bug corrections
- Updating package of p5 module Digest::MD5 from 2.38 to 2.39
- Setting license to ${PERL5_LICENSE} according to META.yaml
Upstream changes:
2009-06-09 - Release 2.39: Gisle Aas <gisle@ActiveState.com>
Nicholas Clark (2):
Get rid of the PERL_CORE hacks
Sync core: Rename ext/Digest/MD5 to ext/Digest-MD5
Jerry Hedden (1):
Handle non-numeric version numbers in ext/Digest/MD5/Makefile.PL
- Updating package of p5 module Digest from 1.15nb1 to 1.16
- Adjusting license according to documentation of Digest
Upstream changes:
2009-06-09 - Release 1.16: Gisle Aas <gisle@ActiveState.com>.
Gisle Aas (3):
For SHA-1 try Digest::SHA before tryign Digest::SHA1 as suggested by Adam Trickett
Support Digest->new("RIPEMD-160") as suggested by Zefram
Use 3-arg open for fewer surprises
Jarkko Hietaniemi (1):
Sync up with EBCDIC changes from core perl.
Changes since 20090531:
+ only prompt for a passphrase on the secret key if there is a passphrase
on the secret key
CHANGES 1.99.10 -> 1.99.11
+ address keys array from 0 with unsigned indices
+ print results to io->res stream - default to stderr, and set using
netpgp_setvar(..., "results", filename)
+ __ops_keyid()'s third arg was always the size of the keyid array - no need
to pass it
+ get rid of the excessive type-checking in packet-show-cast.h, which wasn't
necessary, and fold all the show routines into packet-show.c
+ introduce a generic __ops_new() and use it for some structure allocation
CHANGES 1.99.9 -> 1.99.10
+ fix a bug in decryption whereby a bad passphrase would cause a segmentation
violation
+ fix some regressions in key searching in the underlying find keys routines
+ add C++ declaration protection to the external interface in netpgp.h
+ split out the key management parts of netpgp(1) into netpgpkeys(1)
CHANGES 1.99.8 -> 1.99.9
+ make more use of __ops_io_t structure
+ addition of standalone, stripped-down netpgpverify utility
+ addition of test for --list-packets on an empty file
+ bring forward some simplifications from netpgpverify
+ some name changes
+ get rid of the increment and then decrement keycount around
accumulated data ("it's to do with counting")
+ then use unsigned integers for the size and counts for the
dynamic array of keys, and use the common dynamic array macros
for keys in a keyring
+ if it's a union, let's use it as a union, not a struct
+ modified documentation to correct the --list-packets command (sorry, ver)
+ add a new directory structure for both the distribution and the
reachover Makefiles. The autotest framework has been partially overhauled
but more TLC is needed here.
+ add a --pass-fd=n option so that external programs can provide the
passphrase on a file descriptor without going through the callback,
requested by joerg
* Version 2.8.0 (released 2009-05-27)
** doc: Fix gnutls_dh_get_prime_bits. Fix error codes and algorithm lists.
** Major changes compared to the v2.4 branch:
*** lib: Linker version scripts reduces number of exported symbols.
*** lib: Limit exported symbols on systems without LD linker scripts.
*** libgnutls: Fix namespace issue with version symbols.
*** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
*** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
*** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
*** certtool: Query for multiple dnsName subjectAltName in interactive mode.
*** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
*** gnutls-serv: No longer disable MAC padding by default.
*** gnutls-cli: Certificate information output format changed.
*** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
*** and %VERIFY_ALLOW_X509_V1_CA_CRT.
*** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
*** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
*** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
*** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.
*** libgnutls: gnutls_x509_crq_print will now also print public key id.
*** certtool: --verify-chain now prints results of using library verification.
*** libgnutls: Libgcrypt initialization changed.
*** libgnutls: Small byte reads via gnutls_record_recv() optimized.
*** gnutls-cli: Return non-zero exit code on error conditions.
*** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
*** certtool: allow setting arbitrary key purpose object identifiers.
*** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
*** Fix warnings and build GnuTLS with more warnings enabled.
*** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
*** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.
*** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
*** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
*** certtool: Print and set CRL and CRQ extensions.
*** minitasn1: Internal copy updated to libtasn1 v2.1.
*** examples: Now released into the public domain.
*** The Texinfo and GTK-DOC manuals were improved.
*** Several self-tests were added and others improved.
*** API/ABI changes in GnuTLS 2.8 compared to GnuTLS 2.6.x
No offically supported interfaces have been modified or removed. The
library should be completely backwards compatible on both the source
and binary level.
The shared library no longer exports some symbols that have never been
officially supported, i.e., not mentioned in any of the header files.
The symbols are:
_gnutls*
gnutls_asn1_tab
Normally when symbols are removed, the shared library version has to
be incremented. This leads to a significant cost for everyone using
the library. Because none of the above symbols have ever been
intended for use by well-behaved applications, we decided that the it
would be better for those applications to pay the price rather than
incurring problems on the majority of applications.
If it turns out that applications have been using unofficial
interfaces, we will need to release a follow-on release on the v2.8
branch to exports additional interfaces. However, initial testing
suggests that few if any applications have been using any of the
internal symbols.
Although not a new change compared to 2.6.x, we'd like to remind you
interfaces have been modified so that X.509 chain verification now
also checks activation/expiration times on certificates. The affected
functions are:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
This change in behaviour was made during the GnuTLS 2.6.x cycle, and
we gave our rationale for it in earlier release notes.
The following symbols have been added to the library:
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_key_id: ADDED.
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
gnutls_x509_crt_verify_hash: ADDED
The following interfaces have been added to the header files:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
The following interfaces have been deprecated:
LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
* Version 2.7.14 (released 2009-05-26)
** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
The symbol LIBGNUTLS_EXTRA_VERSION were renamed to
GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is
deprecated.
** Doc: Several typo fixes in documentation.
Reported by Peter Hendrickson <pdh@wiredyne.com>.
** API and ABI modifications:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
* Version 2.7.13 (released 2009-05-25)
** libgnutls: Fix version of some exported symbols in the shared library.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3576>.
** tests: Handle recently expired certificates in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3580>.
** API and ABI modifications:
No changes since last version.
* Version 2.7.12 (released 2009-05-20)
** gnutls-serv, gnutls-cli-debug: Make them work on Windows.
** tests/crq_key_id: Don't read entropy from /dev/random in self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3570>.
** Fix build failures.
Missing sa_family_t and vsnprintf on IRIX. Reported by "Tom
G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3571>.
** minitasn1: Internal copy updated to libtasn1 v2.2.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.
** API and ABI modifications:
No changes since last version.
* Version 2.7.11 (released 2009-05-18)
** minitasn1: Fix build failure when using internal libtasn1.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3548>.
** libgnutls: Fix build failure with --disable-cxx.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3557>.
** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3560>
** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.
** API and ABI modifications:
No changes since last version.
* Version 2.7.10 (released 2009-05-13)
** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.
** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.
** libgnutls: Fix crash in signature verification
The fix for the CVE-2009-1415 problem wasn't merged completely.
** doc: Fixes for GTK-DOC output.
** API and ABI modifications:
No changes since last version.
* Version 2.7.9 (released 2009-05-11)
** doc: Fix strings in man page of gnutls_priority_init.
** doc: Fix tables of error codes and supported algorithms.
** Fix build failure when cross-compiled using MinGW.
** Fix build failure when LZO is enabled.
Reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3522>.
** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3524>.
** Fix warnings in self-tests.
** API and ABI modifications:
No changes since last version.
* Version 2.7.8 (released 2009-05-03)
** libgnutls: Fix DSA key generation.
Merged from stable branch. [GNUTLS-SA-2009-2] [CVE-2009-1416]
** libgnutls: Check expiration/activation time on untrusted certificates.
Merged from stable branch. Reported by Romain Francoise
<romain@orebokech.com>. This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2.
We add two new gnutls_certificate_status_t codes for reporting the new
error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED.
We also add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour. [GNUTLS-SA-2009-3] [CVE-2009-1417]
** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions. Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files. Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.
** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported. Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*. This is a superset of the actual supported ABI, but still
an improvement compared to before. This is implemented using Libtool
-export-symbols-regex. It is more portable than linker version
scripts.
** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols.
This should have been done in the last release.
** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3476>.
** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use. In particular, libgnutls moved from the
'GNU Libraries' section to the 'Software libraries' and the command
line tools moved from 'Network Applications' to 'System
Administration'.
** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
* Version 2.7.7 (released 2009-04-20)
** libgnutls: Applied patch by Cedric Bail to add functions
gnutls_x509_crt_verify_hash() and gnutls_x509_crt_get_verify_algorithm().
** gnutls.pc: Add -ltasn1 to 'pkg-config --libs --static gnutls' output.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3467>.
** minitasn1: Internal copy updated to libtasn1 v1.8.
GnuTLS is also internally ready to be used with libtasn1 v2.0.
** doc: Fix build failure of errcodes/printlist.
Reported by Roman Bogorodskiy <novel@FreeBSD.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3435>.
** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library. This will enable a new
domain 'gnutls' for translations of the command line tools.
** Corrected possible memory corruption on signature verification failure.
Reported by Miroslav Kratochvil <exa.exa@gmail.com>
** API and ABI modifications:
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
* Version 2.7.6 (released 2009-02-27)
** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.
** pkix.asn: Removed unneeded definitions to reduce memory usage.
** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.
** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.
** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information. This avoids code duplication.
** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
** doc: Update gnutls-cli and gnutls-serv --help output descriptions.
** API and ABI modifications:
No changes since last version.
* Version 2.7.5 (released 2009-02-06)
** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate. GnuTLS will now stop looking when it has
found an intermediary trusted certificate. The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly. Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.
** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.
** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** API and ABI modifications:
No changes since last version.
* Version 2.7.4 (released 2009-01-07)
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash. Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.
** libgnutls: New interface to get key id for certificate requests.
Patch from David Marín Carreño <davefx@gmail.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3321>.
** libgnutls: gnutls_x509_crq_print will now also print public key id.
** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm. Now this command print a new final
line with header 'Chain verification output:' that contains the result
from using the internal verification algorithm on the same chain.
** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id.
** API and ABI modifications:
gnutls_x509_crq_get_key_id: ADDED.
* Version 2.7.3 (released 2008-12-10)
** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
Reported by Michael Kiefer <Michael-Kiefer@web.de> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633> forwarded by
Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>.
** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory. Initialize
libgcrypt explicitly in your application if you want to enable secure
memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.
** libgnutls: Fix memory leak in PSK authentication.
Reported by Michael Weiser <michael@weiser.dinsnail.net> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1465>.
** libgnutls: Small byte reads via gnutls_record_recv() optimized.
** certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.
** gnutls-cli: Return non-zero exit code on error conditions.
** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
** tests: Added chainverify self-test that tests X.509 chain verifications.
** API and ABI modifications:
No changes since last version.
* Version 2.7.2 (released 2008-11-18)
** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name. Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>. [CVE-2008-4989]
Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>
** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to
work but are deprecated.
** certtool: allow setting arbitrary key purpose object identifiers.
** libgnutls: Fix detection of C99 macros, to make debug logging work again.
** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.
** libgnutls-extra: Make building with LZO compression work again.
Build failure reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3194>.
** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
** doc: Change license on the manual to GFDLv1.3+.
** doc: GTK-DOC fixes for new splitted configuration system.
** doc: Texinfo stylesheet uses white background.
** tests: Add cve-2008-4989.c self-test.
Tests regressions of the GNUTLS-SA-2008-3 security problem, and the
follow-on problem with crashes on length 1 certificate chains.
** gnulib: Deprecated modules removed.
Modules include memchr and memcmp.
** Fix warnings and build GnuTLS with more warnings enabled.
** minitasn1: Internal copy updated to libtasn1 v1.7.
** API and ABI modifications:
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
* Version 2.7.1 (released 2008-10-31)
** certtool: print a PKCS #8 key even if it is not encrypted.
** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.
** Configuration system modified.
There is now a configure script in lib/ and libextra/ as well, because
gnulib works better with a config.h per gnulib directory.
** API and ABI modifications:
No changes since last version.
* Version 2.7.0 (released 2008-10-16)
** libgnutls: Added functions to handle CRL extensions.
** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
** libgnutls: Improved error string for GNUTLS_E_AGAIN.
Suggested by "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" <lavr@ncbi.nlm.nih.gov>.
** certtool: Print and set CRL and CRQ extensions.
** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically. Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.
** libgnutls-openssl: fix out of bounds access.
Problem in X509_get_subject_name and X509_get_issuer_name. Tiny patch
from Thomas Viehmann <tv@beamnet.de>.
** libgnutlsxx: Define server_session::get_srp_username even if no SRP.
** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).
** Changed detection of libtasn1 and libgcrypt to avoid depending on *-config.
We now require a libgcrypt that has Camellia constants declared in
gcrypt.h, which means v1.3.0 or later.
** API and ABI modifications:
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
Noteworthy changes in version 1.7 (2008-11-26)
----------------------------------------------
* Minor fixes and a few new error codes.
* Interface changes relative to the 1.6 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_NOT_OPERATIONAL NEW
GPG_ERR_NO_PASSPHRASE NEW
GPG_ERR_NO_PIN NEW
- EmThreats_link opens now in separate browser window -- Juergen Leising for Micah Gersten
- A new reference "[rule]" points now to base_local_rules.php,
which displays a particular rule for a given rules id (sid).
Prerequisite for this is that "local_rules_dir" in base_conf.php
points to an actually existing and readable/searchable directory which
contains the snort rules. Please note, that a web server
is usually NOT allowed to access any files outside of its
document root. Feature request by Chris Ryan, cf.
https://sourceforge.net/forum/message.php?msg_id=5310420https://sourceforge.net/forum/message.php?msg_id=5311517
-- Juergen Leising
- Update of base.spec; works with fedora 10 -- Juergen Leising
- I have applied two patches submitted by asavenkov
with regard to the oci8 driver (oracle 10), cf.
https://sourceforge.net/forum/message.php?msg_id=5795641https://sourceforge.net/forum/message.php?msg_id=5796556
-- Juergen Leising
- The "email-the-alerts"-variables were defined twice at different
locations in base_conf.php. Fixed this. -- Juergen Leising
- Emails from BASE containing one or more alerts include now a
"To:"-header, as well. Bug report no. 2234733 -- Juergen Leising
- $sort_order, once it has been chosen, survives now a possible "action",
even in base_stat_uaddr.php, base_stat_ports.php, base_stat_iplink.php,
base_stat_class.php and base_stat_sensor.php.
Bug no. 2234745. -- Juergen Leising
- The refresh-problem, when an "action" has been taken, is now fixed in
base_stat_uaddr.php, base_stat_ports.php, base_stat_iplink.php,
base_stat_class.php and base_stat_sensor.php, as well.
Bug no. 1681012. -- Juergen Leising
- I have corrected the way ICMP redirect messages are displayed
by BASE, inspired by Bruno G. San Alejo. -- Juergen Leising
- Several preprocessor events that did not get stored in the acid_event
table, so far, are now processed and displayed by BASE. This affects
all those preprocessors which have sig names that do NOT start with
a "spp_" prefix. -- Juergen Leising
- Fixed bug with archiving IP options. -- Juergen Leising
5/14/09 1.4.3 (gabi)
- XSS Flaws fixed in alert groups -- Kevin Johnson
- Possible SQL injection flaw fixed in AG -- Kevin Johnson
- XSS Flaws fixed in base_qry files -- Kevin Johnson
- Multiple XSS flaws fixed in citems -- Kevin Johnson
5/30/09 1.4.3.1 (zig)
- Multiple XSS flaws fixed in User and Role management -- Kevin Johnson
* Reading integrity protected data from server now works.
* The --quality-of-protection parameter now works.
* Only detect sufficiently recent GnuTLS versions.
Changes 1.0:
* New parameter --priority to specify GnuTLS priority strings.
* Print web page links in --help, per new GNU coding standard.
* New self-test for the gsasl_client_suggest_mechanism function.
* Modernize doxygen configuration.
* Use permissive license for man pages.
* Change license on the manual to GFDLv1.3+.
CHANGES 1.99.7 -> 1.99.8
+ get rid of __ops_malloc_passphrase() - strdup() works just as well
+ generalise __ops_seckey_forget() to become __ops_forget(), give it a size
parameter, and make it work on things other than secret keys (passphrases
for instance)
+ minor struct field enum renaming
+ minor function call renaming
+ add ops_io_t struct to hold pointers to IO streams, and pass it down
where necessary
CHANGES 1.99.6 -> 1.99.7
+ added to the regression tests
+ get rid of some magic constants, replace with more obvious names
+ zero out the memory used for a passphrase before freeing it in one place
CHANGES 1.99.5 -> 1.99.6
+ made --homedir=d consistent with POLS. Default is $HOME/.gnupg, and
if a directory is specified with --homedir=d, the directory containing
conf file and keyrings is taken to be "d".
CHANGES 1.99.4 -> 1.99.5
+ Luke Mewburn completely overhauled the auto tools infrastructure
+ changed signature (hah!) of some netpgp file management prototypes to
use const char * for file names and user ids, not char * - suggested by
christos
+ change some of the openpgpsdk display functions to return integer values,
and send those values back from the netpgp functions - suggested by
christos
+ rather than passing a shedload of variables to netpgp_init(), get rid
of them, and set variables using the netpgp_[gs]etvar() interface
+ replace some magic constants with descriptive names
+ use a netpgp variable to skip userid checks if necessary
+ add ability to allow coredumps via --coredumps if (a) you have taken
leave of your sanity, and (b) you have some magical persistent
storage which doesn't spare sectors, and (c) you know how to remove
a file securely
+ bumped library version on NetBSD to 1.0 for interface changes
Changes since previous version:
CHANGES 1.99.3 -> 1.99.4
+ get rid of some magic constants
+ revamped regression test script to count number of tests passed
+ made checkhash array in ops_seckey_t dynamic, rather than statically
allocated
+ made mdc array dynamic, and added a length field to mdc for future use
+ revamped usage message to match reality
+ made portable version again for the autoconfed package sources
+ add separate netpgpdigest.h file so that separate digest sizes can be
used without having to include "packet.h" in everything
CHANGES 1.99.2 -> 1.99.3
+ modified regression tests to make it easier to see status messages
+ modified --encrypt, --decrypt, --sign, and --clearsign as well as --cat
to respect the --output argument for the output file. Default behaviour
remains unchanged - if --output is not specified, standard file names
and suffixes apply. Note that --verify has not been changed - this is
for compatibility with gpg, POLA/POLS, and because --verify-cat/--cat
provides this behaviour
Get rid of a few TODO items that aren't needed.
CHANGES 1.99.1 -> 1.99.2
+ various minor cleanups
+ fix longstanding pasto where the key server preference packets are
displayed with the correct ptag information
+ up until now, there has been an asymmetry in the command line
options for netpgp(1) - whilst a file may have signature information
added to it with the "--sign" command, there has been no way to
retrieve the contents of the file without the signature. The new
"--cat" option does this (there are synonyms of "--verify-show" and
"--verify-cat") - the signature is verified, and if it matches, the
original contents of the file are sent to the output file (which
defaults to stdout, and can be set with the --output option on the
command line). If the signature does not match, there is no output,
and an EXIT_FAILURE code is returned.
+ revamped netpgp(1) to make it clear what commands are available, how
these commands relate to each other, and which commands take custom
options
CHANGES 1.0.0 -> 1.99.1
+ released and tagged version 1.0.0; development version now 1.99.1
+ get rid of some fields which are no longer needed
+ minor name changes
+ add mmapped field to ops_data_t struct to denote that the array needs an
munmap(2) and not a free(3)
+ add an __ops_mem_readfile() function, and use it for reading files.
The function does mmap(2), and then falls back to read(2) if that fails.
Retire unused __ops_fileread() which had an unusual interface
+ drop sign_detached() from netpgp.c down into signature.c as
__ops_sign_detached()
+ got rid of "local" header files. These aren't necessary since the openpgpsdk
code was modified to all be in the same directory
+ added netpgp_getvar() and netpgp_setvar(), and use them to get and set the
user id and hash algorithm preference
+ get rid of <stdbool.h> usage - I'm still not sure this is the way we should
be going long term, but the bool changes got integrated with the others,
and are there in cvs history if we want to resurrect them. Correct autoconf
accordingly. Bump netpgp minimus version, and autoconf-based date version.
+ updated documentation to reflect these changes
Commit the weekend's changes:
+ minor name changes
+ remove duplicated code (commented out) in packet-print.c
+ original code contained abstraction violations for hash size - fix them
+ get rid of some magic constants related to length of hash arrays
+ allow a choice of hash algorithms for the signature digest (rather
than hardcoding SHA1 - it is looking as though collisions are easier
to manufacture based on recent findings)
+ move default signature RSA hash algorithm to SHA256 (from SHA1). This is
passed as a string parameter from the high-level interface. We'll
revisit this later after a good way to specify the algorithm has been
found.
+ display the size of the keys in --list-packets
+ display the keydata prior to file decryption
+ add a --help option
+ if setrlimit exists, set the core dump size to be 0
(with thanks to mrg for the reference implementation)
+ get rid of __ops_start_cleartext_sig/__ops_start_msg_sig abstractions
and just "export" the __ops_start_sig function - the function is not
actually exported, just usable by other __ops functions
+ bump internal version number to 0.99.2, autoconf version to 20090506
+ prettify usage message output
Change some names to something a bit less obscure.
e.g. For some unfathomable reason, I find "__ops_write_mem_from_file" a bit
counterintuitive - replace that by "__ops_fileread"
+ __ops_packet_t -> __ops_subpacket_t
+ __ops_parser_content_t -> __ops_packet_t
+ rename some other long names
51 chars is the record function name length so far
+ preliminary moves to support detached signatures
as yet, incomplete
+ add back command line option to list packets in a signed or encrypted file
+ make __ops_parse() take an argument whether to print errors, and kill the
__ops_parse_and_print_errors() function
+ get rid of some assertions in the code - this is a library - about 100 to go
Make this code WARNS=4
Add an option to the netpgp command to produce a detached signature.
- Updating package for p5 module Digest::SHA1 from 2.11 to 2.12
Upstream changes:
2009-05-23 Release 2.12
Gisle Aas (6):
Get rid of the old CVS ids
Avoid "redefined" error for ULONG on Win64
Less optimizations on IRIX [RT#8999]
Clean up the 'git status' output
Mention that SHA-1 might be weak [RT#11880]
Ensure more stuff in the META.yml file [RT#40757]
Steve Peters (1):
Quiet warnings when compiled with -Wwrite-strings [RT#31915]
- Updating package for p5 module Crypt::Twofish from 2.12nb4 to 2.13
- Setting gnu-gpl-v2 as license
Upstream changes:
2.13 2009-05-11 Abhijit Menon-Sen <ams@toroid.org>
* Relicensed on request from the old Artistic License to "the same
terms as Perl itself" (i.e. new Artistic/GPL).
(No functional changes.)
pkgsrc change: add LICENSE.
What's new in Sudo 1.7.1?
* A new Defaults option "pwfeedback" will cause sudo to provide visual
feedback when the user is entering a password.
* A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
function for file name globbing instead of glob(). When this option
is enabled, sudo will not check the file system when expanding wildcards.
This is faster but a side effect is that relative paths with wildcard
will no longer work.
* New BSM audit support for systems that support it such as FreeBSD
and Mac OS X.
* The file name specified with the #include directive may now include
a %h escape which is expanded to the short form of hostname.
* The -k flag may now be specified along with a command, causing the
user's timestamp file to be ignored.
* New support for Tivoli-based LDAP START_TLS, present in AIX.
* New support for /etc/netsvc.conf on AIX.
* The unused alias checks in visudo now handle the case of an alias
referring to another alias.
Changes since OpenSSH 5.1
=========================
Security:
* This release changes the default cipher order to prefer the AES CTR
modes and the revised "arcfour256" mode to CBC mode ciphers that are
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
* This release also adds countermeasures to mitigate CPNI-957037-style
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
detection of an invalid packet length or Message Authentication
Code, ssh/sshd will continue reading up to the maximum supported
packet length rather than immediately terminating the connection.
This eliminates most of the known differences in behaviour that
leaked information about the plaintext of injected data which formed
the basis of this attack. We believe that these attacks are rendered
infeasible by these changes.
New features:
* Added a -y option to ssh(1) to force logging to syslog rather than
stderr, which is useful when running daemonised (ssh -f)
* The sshd_config(5) ForceCommand directive now accepts commandline
arguments for the internal-sftp server.
* The ssh(1) ~C escape commandline now support runtime creation of
dynamic (-D) port forwards.
* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
(bz#1482)
* Support remote port forwarding with a listen port of '0'. This
informs the server that it should dynamically allocate a listen
port and report it back to the client. (bz#1003)
* sshd(8) now supports setting PermitEmptyPasswords and
AllowAgentForwarding in Match blocks
Bug and documentation fixes
* Repair a ssh(1) crash introduced in openssh-5.1 when the client is
sent a zero-length banner (bz#1496)
* Due to interoperability problems with certain
broken SSH implementations, the eow@openssh.com and
no-more-sessions@openssh.com protocol extensions are now only sent
to peers that identify themselves as OpenSSH.
* Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
* Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
a behaviour introduced in openssh-5.1).
* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
* Correct fail-on-error behaviour in sftp(1) batchmode for remote
stat operations. (bz#1541)
* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections. (bz#1543)
* Avoid hang in ssh(1) when attempting to connect to a server that
has MaxSessions=0 set.
* Multiple fixes to sshd(8) configuration test (-T) mode
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
* Many manual page improvements.
