called. Also include pthread.buildlink3.mk directly.
- With the update of qt3-tools to use the libtool mode of qmake, it is
unnecessary to install files manually; "make install" just works.
Bump PKGREVISION.
Pkgsrc changes:
- The new release includes the patch by Peter Behroozi (already contained
in Peter's unofficial release 1.26) that adds get1_session() for session
caching.
- Reverted to using MASTER_SITE_PERL_CPAN
Changes since version 1.25:
===========================
1.30 21.12.2005
- Fixed the MD5 function for hashsums containing \0
- Fixed some compile warnings with recent gcc.
- Fixed do_httpx3:
+ Don't add additional Host: headers if it's already given
+ Omit the :$port suffix for standard ports
+ Thanks to ivan-cpan-rt@420.am
- Limit the chunk size when reading with tcp_read_all to 0x1000.
This fixes various rt tickets.
- Added patch to allow session caching
- Mike McCauley and Florian Ragwitz maintain this module now
Pkgsrc changes:
none
Changes since version 2.15:
===========================
2.17 Mon Jan 9 18:22:51 EST 2006
-IMPORTANT NOTE: Versions of this module prior to 2.17 were incorrectly
using 8 byte IVs when generating the old-style RandomIV style header
(as opposed to the new-style random salt header). This affects data
encrypted using the Rijndael algorithm, which has a 16 byte blocksize,
and is a significant security issue.
The bug has been corrected in versions 2.17 and higher by making it
impossible to use 16-byte block ciphers with RandomIV headers. You may
still read legacy encrypted data by explicitly passing the
-insecure_legacy_decrypt option to Crypt::CBC->new().
-The salt, iv and key are now reset before each complete encryption
cycle. This avoids inadvertent reuse of the same salt.
-A new -header option has been added that allows you to select
among the various types of headers, and avoids the ambiguity
of having multiple interacting options.
-A new random_bytes() method provides access to /dev/urandom on
suitably-equipped hardware.
2.16 Tue Dec 6 14:17:45 EST 2005
- Added two new options to new():
-keysize => <bytes> Force the keysize -- useful for Blowfish
-blocksize => <bytes> Force the blocksize -- not known to be useful
("-keysize=>16" is necessary to decrypt OpenSSL messages encrypted
with Blowfish)
(so lsh2 and lsh DESCRiptions are different.)
Also uppercase ssh2 to SSH2.
TODO: anyone want to document features or differences between
these two packages?
Changes:
- Remove trailing space from regex we get from plugins.rules (this fix
a match problem on log entry that didn't contain any space).
- Add --user / --group option to drop privilege. However, make sure it is
not allowed to open file that the target user can not read, because it
would lead to failure when trying to re-open the logfile after a rotation.
- Signal handling improvement.
- Fix priority for --quiet option.
- Use newer libprelude IDMEF_LIST_APPEND/IDMEF_LIST_PREPEND addition.
- Add unhandled arguments warning.
Changes:
- Fix PostgreSQL plugin compilation problem.
- Update database schema: enforce that AdditionalData data field is not NULL.
- Improve Swig basic type mapping situation regarding to the target architecture.
- Fix query time calculation.
Changes:
- Fix an issue with system using both IP v4 and v6 interfaces which
doesn't allow binding both 0.0.0.0 and :: .
- Add autoconf detection for libgcrypt: this fix a build issue for
distribution shipping with broken libgnutls-config script.
- Generate Perl and Python bindings for the prelude-timer API.
- Fix for upcoming plugin that doesn't provide an activation option.
- Various bug fixes.
Pkgsrc changes:
- Rewrote patch-aa to be specific to NetBSD.
Changes since version 0.02:
===========================
- generate more efficient code with gcc-3.4 and later.
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
- Error messages are now translated using GNU Gettext.
- The function gnutls_x509_crt_to_xml now return an internal error.
This means that the code to convert X.509 certificates to XML format
does not work any more. The reason is that the function called
libtasn1 internal functions. It seems unclean for libtasn1 to export
the APIs needed here. Instead it would be better to implement XML
support inside libtasn1 properly. If you need this functionality
strongly, please consider looking into implementing this suggested
approach instead. As a workaround, you may also modify lib/x509/xml.c
(change '#if 1' to '#if 0') and build using --with-included-libtasn1.
- Doc fixes to explain that gnutls_record_send can block.
- gnutls-cli can now recognize services and port numbers with the -p option.
- Support constant size bit strings, as in 'BIT STRING (SIZE(42))'.
Reported by Cyril Holweck <cyril.holweck@q-free.com>.
- Add two more APIs required by GnuTLS.
- New public APIs:
asn1_find_node function
asn1_copy_node
Let the caff package install other gpg related tools
- pgp-clean: removes all non-self signatures from key
- pgp-fixkey: removes broken packets from keys
- gpg-mailkeys: simply mail out a signed key to its owner
- gpg-key2ps: generate PostScript file with fingerprint paper strips
- gpglist: show who signed which of your UIDs
- gpgsigs: annotates list of GnuPG keys with already done signatures
- keylookup: ncurses wrapper around gpg --search
Fix hardcoded path in man pages
caff is a script that helps you in keysigning. It takes a list of
keyids on the command line, fetches them from a keyserver and calls
GnuPG so that you can sign it. It then mails each key to all its
email addresses - only including the one UID that we send to in each
mail.
Features:
* Easy to setup.
* Attaches only the very UID that we send to in the mail.
* Prunes the key from all signatures that are not self sigs and
not done by you, thereby greatly reducing the size of mails.
* Sends the mail encrypted if possible, will warn before sending
unencrypted mail (sign only keys)
* Creates proper PGP MIME messages.
* Uses separate GNUPGHOME for all its operations.
From NEWS:
Version 0.7-RC1 2006/1/10 <moriyoshi@users.sourceforge.net>
* Add a option "disconnect_every_op" option that forces pam_mysql to
disconnect from the database every operation (PR #1325395). -moriyoshi
* Use geteuid() instead of getuid() to check if the current user is authorized
to change the password (PR #1338667). -moriyoshi
* Allow root (uid=0) to change the passwords of other users without their old
password. -moriyoshi
Version 0.7-pre3 2005/9/29 <moriyoshi@users.sourceforge.net>
* Changed handling of the "where" option to not escape meta characters
(PR #1261484). -moriyoshi
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Added logrhostcolumn (log.rhost_column) option that enables you to log the
value of the "rhost" item specified by the application. -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
* Fixed memory leaks spotted when "config_file" option is used. -moriyoshi
* Fixed try_first_pass behaviour. -moriyoshi
* Changed option parsing behaviour so "=" following each option name is not
needed. -moriyoshi
Version 0.7-pre2 2005/9/18 <moriyoshi@users.sourceforge.net>
* Changed column name handling to not escape meta characters. Now you can
specify an expression to every XXXcolumn variable like "CONCAT(a, b, c)".
-moriyoshi
* Supported SHA1 hash (PR #1117036). -moriyoshi, alexeen
* Supported use_first_pass and try_first_pass options. -moriyoshi
Version 0.7-pre1 2005/6/13 <moriyoshi@users.sourceforge.net>
* Support for NSS-mysql style configuration file which is inspired
by the Florian's work. -moriyoshi
Version 0.6.2 2005/9/29 <moriyoshi@users.sourceforge.net>
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
Version 0.6.1 2005/9/18 <moriyoshi@users.sourceforge.net>
* Added use_323_passwd option that allows you to use an encryption function
used in the old MySQL versions (3.23.x). -moriyoshi, Daniel Renaud
* Fixed account management code that wouldn't work at all :-p -moriyoshi
* Included pam_mysql.spec to the tarball by default. This enables you to
make a RPM with the following oneliner: (rpmbuild -tb pam_mysql.tar.gz).
-moriyoshi
* Fixed compile failure that occurs with the old mysql_config (< 4.0.16).
-moriyoshi
* Fixed compile failure on Solaris when --with-openssl is specified to the
configure script.
Version 0.6 2005/6/13 <moriyoshi@users.sourceforge.net>
* Adopted autoconf / automake for build system. -moriyoshi
* Portable MD5 support by using OpenSSL / Cyrus-SASL. -moriyoshi
* MySQL library detection. -moriyoshi
* Added RPM spec file. -moriyoshi
* Tidied up the entire code for security and maintainability. -moriyoshi
* Modified log output to be more verbose. -moriyoshi
* Changed log facility type to LOG_AUTHPRIV as per the recommendation in
the PAM documentation. -moriyoshi
* Added support for unix socket and non-default ports. -moriyoshi
* Added account management and authentication token alteration code. -moriyoshi
* Remove default values for string parameters for the sake of performance.
-moriyoshi
* Enhanced SQL logging function to log session state as well. -moriyoshi
* Solaris support. -moriyoshi
makeinfo if no native makeinfo executable exists. Honor TEXINFO_REQD
when determining whether the native makeinfo can be used.
* Remove USE_MAKEINFO and replace it with USE_TOOLS+=makeinfo.
* Get rid of all the "split" argument deduction for makeinfo since
the PLIST module already handles varying numbers of split info files
correctly.
NOTE: Platforms that have "makeinfo" in the base system should check
that the makeinfo entries of pkgsrc/mk/tools.${OPSYS}.mk are
correct.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Changes:
* libpreludedb-0.9.5.1:
- Correctly read database schema version.
* libpreludedb-0.9.5:
- Fix important memory leak in Python bindings, Prewikka should end-up
consuming way less memory than it used to.
- Fix PostgreSQL plugin compilation problem.
- Fix for preludedb-admin --count handling when --offset was used.
- Provide more information in preludedb-admin error message.
- Various cleanup.
Changes:
* libprelude-0.9.6.1:
- Flex generated file build fix for FreeBSD / NetBSD.
* libprelude-0.9.6:
- Implement workaround for buggy libtool that will fail
looking up symbol with preopening enabled in case the
libtool archive is missing. Lot of distribution package
seem to suffer from this.
- idmef-path API improvement, allow user to specify negative
index to address the list in reverse. Developer are now
supposed to use IDMEF_LIST_APPEND (in place of index -1) and
IDMEF_LIST_PREPEND (in place of 0) on listed object operation.
- idmef-path API improvement: support for (<<) and (>>) listed
object index, meaning to prepend the object / to append it,
as well as (*) meaning to retrieve all object from a list. This
deprecate the usage of (-1) previously used for appending.
- Fix deconnection problem in client reading mode.
- Improve option parsing: option value can now be provided using
--option=value. This format is now a requirement for option that
use an optional argument. Provide arguments information in the
option help.
- Fix deadlock on asynchronous prelude-client destruction.
- Definitely fix the problem where prelude-adduser will, on some system,
listen to Ipv6 IP address as the default: we now bind every address
returned by getaddrinfo().
- Fix crash in case of successive call to prelude_init(), prelude_deinit(),
then prelude_init() again.
- Introduce --passwd and --passwd-file option for prelude-adduser
register and registration-server mode, allowing to specify one shot
password on the command line, from a file, or from stdin.
- Verbose error handling for prelude-adduser.
- Fix perl bindings, make them more robust by adding type checking, and fix
memory leak.
- Fix parsing of string based broken down time criterion.
- Handle configuration file containing \r.
- Fix prelude_read_multiline2() return value (fix Prelude-Manager
idmef-criteria-filter plugin).
- Fix a bug in per thread error handling code which resulted in NULL
error to be returned in case an application thread exited.
- Various bug fixes.
Version 0.3.0
- Export DER utility functions, mostly so that GnuTLS can avoid using
libtasn1 internals.
- The _asn1* symbols are not exported in the shared library file (when
using GNU ld).
- The library can now be built using Visual Studio, and the project
files are included in windows/.
- New public APIs:
asn1_get_tag_der
asn1_octet_der
asn1_get_octet_der
asn1_bit_der
asn1_get_bit_der
asn1_get_length_der
asn1_length_der
and NetBSD-current which caused serius lossage:
depend on librfuncs>=1.0.7nb1 which implements NetBSD-current's
behaviour, change the patch to _gpgme_getenv() accordingly,
and bump PKGREVISION
New features include:
* Statistics Collector: A daemon that can process netflow-like information
exported by several Honeyd instances and do computations on the data - see
live data.
* Improved Subsystems: Improved support for subsystems permits running more
complicated UNIX applications like mwcollect as a subsystem for Honeyd.
* Proxy and SMTP subsystems: Example subsystems to simulate open proxies and
mail relays. These subsystems are written with performance in mind and have
no problem in keeping up with a busy network.
Bugfixes include:
A bug in Honeyd's IP reassembly code allows adversaries to remotely fingerprint
honeypots. Thanks to Jon Oberheide for finding the bug; see adv.2006-01 for
more information
Pkgsrc changes:
- Removed almost all warnings in MESSAGE.
Changes since version 0.21:
===========================
0.22 Mon Nov 15 2005 21:13:20
- Add public_decrypt, private_encrypt methods, contributed
by Paul G. Weiss <paul@weiss.name>
- Some changes to help builds on Redhat9
- Remove deprecated methods:
* the no-arg new constructor - use new_from_public_key,
new_from_private_key or Crypt::OpenSSL::RSA->generate_key instead
* load_public_key - use new_from_public_key
* load_private_key - use new_from_private_key
* generate_key as an instance method - use it as a class constructor
method instead.
* set_padding_mode - use use_no_padding, use_pkcs1_padding,
use_pkcs1_oaep_padding, or use_sslv23_padding instead.
* get_padding_mode
- Eliminate all(most all) memory leaks.
- fix email address
- Stop returning true from methods just to indicate success.
- Change default public exponent from 65535 to 65537
Pkgsrc changes:
none
Relevant changes since version 0.11:
=============================================
- Removed all use of strlen() in DSA.xs so signatures with nulls,
as commonly generated with sha1, could be signed/verified,
and added more tests
Pkgsrc changes:
- Removed dependency on p5-Math-Pari, p5-Crypt-Random, p5-Class-Loader.
Changes since version 0.12:
===========================
0.13 2005.05.26
- Rewrote to use Math::BigInt instead of Math::Pari, including patches
from Brad Fitzpatrick for a replacement for the isprime function
(both using pure Perl and an external gp program).
- Added optional Content argument to Crypt::DSA::Key->new, to specify
serialized Content to be deserialized.
- Added Signature serialization and deserialization of ASN.1-encoded
structures.
- Added ability to do key generation using an external openssl binary.
Thanks to Brad Fitzpatrick for the patch.
- Signature object now has better get/set acccessors.
- Use Module::Install instead of hand-coded Makefile.PL.
Pkgsrc changes:
- Removed (now unnecessary) patch-aa.
Changes since version 1.50:
===========================
1.57 Oct 20, 2005
* Updated POD documentation and added POD syntax and coverage
tests using Test::Pod and Pod::Coverage.
1.56 July 05, 2005
* Removed references to the mailing list and added support for
an optional commercial license.
1.55 February 18, 2005
* Fixed a bug ::DataFormat::i2osp(), wherein there was an encoding problem
when the most significant byte is 0x0100. Reported and patched by
<jbarkdull@yahoo.com> <rt.cpan.org: Bug #11495>
* Fixed warnings in t/15-benchmark.t
1.51 February 25, 2003
* In Crypt::RSA::encrypt() and decrypt() added a check to ensure the
blocksize is greater than 0. Blocksize can be smaller than 0 if the RSA
key modulus is too small for a particular encoding.
Changes since version 1.02:
======================================
There is no list of changes. Changes I found so far:
- Used htons() from netinet/in.h to simplify handling of different endianness
between platforms.
- Some changes in test.pl
Relevant changes since version 2.03:
====================================
des.h was renamed to _des.h in an attempt to solve the build-on-Solaris
problem.
all references to des_ were changed to _des_ since the 2.04 release didn't
seem to fix the problem on Solaris.
Relevant changes since version 1.13:
====================================
- fixed circular reference between Crypt::Random and Crypt::Random::Generator
causing 'Undefined subroutine' errors.
- Made "forbidden division t_REAL % t_INT" error disappear.
- Workaround for Math::Pari's serialization problem.
- Added a Uniform option to makerandom() and makerandom_itv() that
doesn't set the high bit of the generated random, and produces
a number uniformally distributed in the interval. Thanks to Len
Budney for pointing this out.
Relevant changes since version 2.08:
=====================================
- RandomIV in message header overrides manually-supplied -salt, as one
would expect it should.
- Added OpenSSL compatibility
- Salt and IV generators take advantage of /dev/urandom device, if available
- Added regression test for PCBC mode
- Fixed bug reported by Joshua Brown that caused certain length
strings to not encrypt properly if ending in a "0" character.
- Fixed Rijndael compat problems
From Jason White via PR pkg/32780
Changes:
Security bugs resolved in this release:
* CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
subshell to perform local to local, and remote to remote copy
operations. This subshell exposed filenames to shell expansion
twice; allowing a local attacker to create filenames containing
shell metacharacters that, if matched by a wildcard, could lead
to execution of attacker-specified commands with the privilege of
the user running scp (Bugzilla #1094)
This is primarily a bug-fix release, only one new feature has been
added:
* Add support for tunneling arbitrary network packets over a
connection between an OpenSSH client and server via tun(4) virtual
network interfaces. This allows the use of OpenSSH (4.3+) to create
a true VPN between the client and server providing real network
connectivity at layer 2 or 3. This feature is experimental and is
currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
FreeBSD. Other operating systems with tun/tap interface capability
may be added in future portable OpenSSH releases. Please refer to
the README.tun file in the source distribution for further details
and usage examples.
Some of the other bugs resolved and internal improvements are:
* Reduce default key length for new DSA keys generated by ssh-keygen
back to 1024 bits. DSA is not specified for longer lengths and does
not fully benefit from simply making keys longer. As per FIPS 186-2
Change Notice 1, ssh-keygen will refuse to generate a new DSA key
smaller or larger than 1024 bits
* Fixed X forwarding failing to start when a the X11 client is executed
in background at the time of session exit (Bugzilla #1086)
* Change ssh-keygen to generate a protocol 2 RSA key when invoked
without arguments (Bugzilla #1064)
* Fix timing variance for valid vs. invalid accounts when attempting
Kerberos authentication (Bugzilla #975)
* Ensure that ssh always returns code 255 on internal error (Bugzilla
#1137)
* Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)
* Set SO_REUSEADDR on X11 listeners to avoid problems caused by
lingering sockets from previous session (X11 applications can
sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)
* Ensure that fds 0, 1 and 2 are always attached in all programs, by
duping /dev/null to them if necessary.
* Xauth list invocation had bogus "." argument (Bugzilla #1082)
* Remove internal assumptions on key exchange hash algorithm and output
length, preparing OpenSSH for KEX methods with alternate hashes.
* Ignore junk sent by a server before it sends the "SSH-" banner
(Bugzilla #1067)
* The manpages has been significantly improves and rearranged, in
addition to other specific manpage fixes:
#1037 - Man page entries for -L and -R should mention -g.
#1077 - Descriptions for "ssh -D" and DynamicForward should mention
they can specify "bind_address" optionally.
#1088 - Incorrect descriptions in ssh_config man page for
ControlMaster=no.
#1121 - Several corrections for ssh_agent manpages
* Lots of cleanups, including fixes to memory leaks on error paths
(Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)
* Portable OpenSSH-specific fixes:
- Pass random seed during re-exec for each connection: speeds up
processing of new connections on platforms using the OpenSSH's
builtin entropy collector (ssh-rand-helper)
- PAM fixes and improvements:
#1045 - Missing option for ignoring the /etc/nologin file
#1087 - Show PAM password expiry message from LDAP on login
#1028 - Forward final non-query conversations to client
#1126 - Prevent user from being forced to change an expired
password repeatedly on AIX in some PAM configurations.
#1045 - Do not check /etc/nologin when PAM is enabled, instead
allow PAM to handle it. Note that on platforms using
PAM, the pam_nologin module should be used in sshd's
session stack in order to maintain past behaviour
- Portability-related fixes:
#989 - Fix multiplexing regress test on Solaris
#1097 - Cross-compile fixes.
#1096 - ssh-keygen broken on HPUX.
#1098 - $MAIL being set incorrectly for HPUX server login.
#1104 - Compile error on Tru64 Unix 4.0f
#1106 - Updated .spec file and startup for SuSE.
#1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
compilation problems on glibc 2.4
Change MAINTAINER to tech-pkg. Stop using PKGREVISION in DISTNAME.
Notable changes include:
* Postfix config has been changed so TLS is not used internally, that is
when communicating with scan-mail.pl. TLS can nevertheless be used
when communicating with the outside world on port 25.
* f-protd has been tweaked for better performance
* A bug in f-protd when using the 'id=' argument was fixed
* A format string bug in f-protd which could cause malformed xml report
was fixed
* f-prot-milter's logging changed to facilitate more useful error logs
* Fixed startup/shutdown routine for f-prot-milter in scan-mail.pl
* .wmf scanning improved
* A bug in the .hqx scanner on x86 cpu's was fixed
* A bug in the .msl scanner was fixed
* Fixed a bug in .cab and lzh handling
* A race issue with OLE documents was fixed.
- Only send TLS alert if there is one queued, fix a possible crash.
- Emit warning if prelude-failover problem arise.
- Improve error handling.
- Improve db plugin log option, "-" now mean stdout.
- Various bug fixes.
- Fix for filtering IDMEF field using the '!=' operator, which resulted in
filtering of events where the field did not exist (#129).
- Implement a "move" command in preludedb-admin.
- When SQL query logging is enabled, log the time taken to execute the query.
- Improve plugin API by making it opaque so that existing plugin don't break
if we add more SQL plugin function.
- Verbose error reporting, make the plugin error API viable for more drivers.
- Fix error reporting from perl and python bindings.
- Make libpreludedb header files c++ compiler friendly.
- Enforce listed IDMEF value ordering. IDMEF value were sometime unordered
because of an uninitialized list position problem.
- More TLS cleanup.
- Application can now report error without using specific prelude_client
error reporting function.
- More work and improved verbose error reporting.
- Fix compilation problem with prelude_error_is_verbose() (#130).
Compilation problem on NetBSD 1.6 and OpenBSD has been fixed so patch-ad
is deleted.
http://www.pdc.kth.se/heimdal/advisory/2006-02-06/
Changes in Heimdal 0.7.2
* Fix security problem in rshd that enable an attacker to overwrite
and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash
in a NULL de-reference before the user logged in, resulting in inetd
turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
exists in the keytab before returning success. This allows servers
to check if its even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly
uses subkey for sending for compatibility reasons, this will change
in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and
successful logins.
* Bug fixes
> -server implementation development. I won't document it before it even works.
> -small bug corrected when connecting to sun ssh servers.
> -channel wierdness corrected (writing huge data packets)
> -channel_read_nonblocking added
> -channel bug where stderr wasn't correctly read fixed.
> -sftp_file_set_nonblocking added. It's now possible to have nonblocking SFTP IO
> -connect_status callback.
> -priv.h contains the internal functions, libssh.h the public interface
> -options_set_timeout (thx marcelo) really working.
> -tcp tunneling through channel_open_forward.
> -channel_request_exec()
> -channel_request_env()
> -ssh_get_pubkey_hash()
> -ssh_is_server_known()
> -ssh_write_known_host()
> -options_set_ssh_dir
> -how could this happen ! there weren't any channel_close !
> -nasty channel_free bug resolved.
> -removed the unsigned long all around the code. use only u8,u32 & u64.
> -it now compiles and runs under amd64 !
> -channel_request_exec()
> -channel_request_env()
> -ssh_get_pubkey_hash()
> -ssh_is_server_known()
> -ssh_write_known_host()
> -options_set_ssh_dir
> -how could this happen ! there weren't any channel_close !
> -nasty channel_free bug resolved.
> -removed the unsigned long all around the code. use only u8,u32 & u64.
> -it now compiles and runs under amd64 !
> -channel_request_pty_size
> -channel_change_pty_size
> -options_copy()
> -ported the doc to an HTML file.
> -small bugfix in packet.c
> -prefixed error constants with SSH_
> -sftp_stat, sftp_lstat, sftp_fstat. thanks Michel Bardiaux for the patch.
> -again channel number mismatch fixed.
> -fixed a bug in ssh_select making the select fail when a signal has been caught.
> -keyboard-interactive authentication working.
> Release 5.2
> ###########
> * Again again some fixed for the ssh2 module. This is the last try. If it
> finally does not work reliable, I am throwing out that library!
> Thanks to bykhe@mymail.ch for the patch
> * Added a new module: VMWare-Auth! Thanks to david.maciejak@gmail.com!
>
>
> Release 5.1
> ###########
> * Again some fixed for the ssh2 module. Sorry. And still it might not work
> in all occasions. The libssh is not as mature as we all wish it would be :-(
> * HYDRA_PROXY_AUTH was never used ... weird that nobody reported that. fixed.
> * Fixed bug in the base64 encoding function
> * Added an md5.h include which is needed since openssl 0.9.8
> * Added an enhacement to the FTP module, thanks to piotr_sobolewski@o2.pl
> * Fixed a bug when not using passwords and just -e n/s
>
>
> Release 5.0
> ###########
> ! THIS IS A THC - TAX - 10TH ANNIVERSARY RELEASE ! HAVE FUN !
> * Increadible speed-up for most modules :-)
> * Added module for PC-Anywhere, thanks to david.maciejak(at)kyxar.fr!
> * Added module for SVN, thanks to david.maciejak(at)kyxar.fr!
> * Added --disable-xhydra option to configure, thanks to david.maciejak(at)kyxar.
> fr!
> - he is becoming the top supporter :-)
> * Added module for SIP (VoIP), thanks to gh0st(at)staatsfeind.org
> * Added support for newer sap r/3 rfcsdk
> * Added check to the telnet module to work with Cisco AAA
> * Fix for the VNC module, thanks to xmag
> * Small enhancement to the mysql plugin by pjohnson(at)bosconet.org
>
>
> Release 4.7
> ###########
> * Updated ssh2 support to libssh v0.11 - you *must* use this version if
> you want to use ssh2! download from http://www.0xbadc0de.be/?part=libssh
> This hopefully fixes problems on/against Sun machines.
> After fixing, I also received a patch from david maciejak - thanks :-)
> * Added an attack module for rlogin and rsh, thanks to
> david.maciejak(at)kyxar.fr!
> * Added an attack module for the postgres database, thanks to
> diaul(at)devilopers.org! (and again: david maciejak sent on in as well)
> * JoMo-Kun sent in an update for his smbnt module. cool new features:
> win2k native mode, xp anonymous account detection, machine name as password
> * Hopefully made VNC 3.7 protocol versions to work. please report.
> * Switched http and https service module to http-head, http-get and
> https-get, https-head. Some web servers want HEAD, others only GET
> * An initial password for cisco-enable is now not required anymore. Some
> people had console access without password, so this was necessary.
> * Fixed a bug in xhydra which did not allow custom ports > 100
> ! Soon to come: v5.0 - some cool new features to arrive on your pentest
> machine!
- prelude-manager has been updated to check the loaded revocation
list, if available. This was needed since the recent prelude-adduser
addition allowing to create analyzer revocation list.
- Remove line size limitation on specified IDMEF-criteria.
- Remove all ancillary groups as well as setgid-ing.
- Fix idmef-criteria-filter option conflict.
- Fix a possible crash if no listen address is specified, but a
reverse relay is used.
- Much better error reporting.
Prelude-Manager is a high availability server that accepts secured
connections from distributed sensors or other managers and saves
received events to a media specified by the user (database, logfile,
mail, etc).
- More accurate error reporting in preludedb-admin.
- Fix NULL error in case the buffer is too small, truncate.
- Fix license notice, stating clearly that linking from a program
using a GPL compatible license is allowed. Required for Debian package
inclusion.
The PreludeDB Library provides an abstraction layer upon the type and
the format of the database used to store IDMEF alerts.
- Get rid of the 1024 characters per line limitation (defined as per
the syslog RFC), since LML is not limited to parsing input from syslog
anymore.
- Handle events in Clamav logging format as well as syslog.
- Abstracted Squid chain regex to allow parsing of data directly
from Squid log files.
- Introduced support for openhostapd.
- Began expanding rulesets with additional_data and vendor-specific
classification data.
- Various ruleset updates and bug fixes.
Prelude-LML is a signature based log analyzer monitoring logfile and
received syslog messages for suspicious activity. It handle events
generated by a large set of components, including but not limited to:
BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso,
Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry,
Postfix, Proftpd, ssh, etc.
- Some useful API addition.
- Much improved, verbose error reporting.
- Cleaned up TLS handling, various bugfix.
- In case an error occur when verifying the peer certificate,
notify the peer about the failure.
The Prelude Library is the glue that binds all aspects of Prelude
together. It is a library which enables Prelude components to
communicate with the Prelude Manager. It also makes it easy for third
party software to be made 'Prelude Aware' (able to communicate with
Prelude components). It provide common, useful features used by every
sensor.
sensors, managers, and a display console. This
is the manager. The Manager (there can be several
in an IDS network) accepts secured connections
from sensors and saves the alerts that Sensors
emit. This package installs the manager so that
mySql is used for alert storage.
This is one of several new Prelude packages.
sensors, managers, and a display console.
Prelude-lml is the log file analyzer. It scans
system log files and generates IDMEF alerts to
the prelude-manager based on signature rulesets.
This is one of sever new Prelude packages.
sensors, managers, and a display console. This
is Prelude DB Library. It allow the interface
allowing Prelude to use a DBMS for alert storage.
While libprelude support a choice of MySQL or
postgreSQL, this package uses MySQL because it
was nearly an order of magnitude faster during
test operation.
This is one of several new packages in the Prelude family.
sensors, managers, and a display console. LibPrelude
is the glue that binds all aspects of Prelude together.
LibPrelude is a library which enables Prelude
components to communicate in a standard IDMEF method.
This is one of several new packages in the Prelude family.
struct timeval on DragonFly. Use BSD_INSTALL_PROGRAM, removing
the unportable -r flag at the same time. Fix build with newer
OpenSSL versions by including openssl/sha.h explicitly.
/usr/pkg/include and /usr/include can appear in any order, PREFIX can be
!= /usr/pkg.
XXX Why this hack and not split + filter to remove the include pathes?
krb5-config then create one to use in the buildlink tree. Useful
for packages that expect krb5-config to exist to determine kerberos
existence/locations.
This addresses pr/32620, using the patch provided by Christian Gall.
Notable changes include:
* Fixed an endless loop encountered in a corrupted WMF sample.
* A bug in the ELF scanner could cause a crash.
* Using a symlink as a path element to f-protd could cause f-protd not to
start.
* A race issue with startproc (start-stop-daemon in LSB terms) could lead
to old DEF files being used by f-protd even after updates.
* UPX packed files could cause crash on Solaris/sparc.
* Better handling for corrupt mime files.
* A bug in MS office scanner on big-endian platforms was fixed.
* Anomy extended to do content-type fingerprinting which allows
scan-mail.pl to block attachments with false extension based on their
'real' extensions,
e.g. .wmf files claiming to be .jpg or .png files.
* A bug in scan-mail.pl's rc-script, which could cause problems in Debian
when shutting scan-mail.pl down, has been fixed.
* Tweaks and optimizations should improve scanning speed by appr. 15-40%
over previous releases.
* Engine version 3.16.10 will now try to scan zip files which falsly claim
to use 64-bit compression methods. 64 bit compression is not supported,
but the scanner will now try to scan those files using 32 bit methods.
* Improved handling of some types of corrupt files, which were previously
skipped with I/O error.
* A corrupt arj file could crash the scanner. This has been fixed.
* Fixed a bug in scan-mail.pl where attachments would sometimes be left in
quarantine.
* Trying to scan a device special file now results in non-zero exit code.
* Scanning of redirected stdin is now possible, e.g. 'f-prot /dev/fd/0 <
/path/to/file'
script not to find any system-installed compile_et.
(This should really be done by using our own PATH that doesn't include
any system paths, but we're not quite ready to do that yet.)
Patch submitted in PR 32598 by pancake <at> phreaker <dot> net
In other words:
- Add more checks and fixups on the engine.
- More keywords in wordlists database.
- Add new mode called 'silent mode'
- more charsets availables for gendict
- add some more examples
- add fine tuning for words in NEC=200
"extract" script for extraction. Many cases where a custom EXTRACT_CMD
simply copied the distfile into the work directory are no longer
needed. The extract script also hides differences between pax and
tar behind a common command-line interface, so we no longer need code
that's conditional on whether EXTRACT_USING is tar or pax.
** New API to access the TLS master secret.
When possible, you should use the TLS PRF functions instead.
** Improved handling when multiple libraries use GnuTLS at the same time.
Now gnutls_global_init() can be called multiple times, and
gnutls_global_deinit() will only deallocate the structure when it has
been called as many times as gnutls_global_init() was called.
** Added a self test of TLS resume functionality.
** Fix crash in TLS resume code, caused by TLS/IA changes.
** Add 'const' keywords in various places, from Frediano ZIGLIO.
** The code was indented again, including the external header files.
** API and ABI modifications:
New functions to retrieve the master secret value:
gnutls_session_get_master_secret
Add a 'const' keyword to existing API:
gnutls_x509_crq_get_challenge_password
