The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
* pkgsrc change: relax restriction to kerberos package.
What's new in Sudo 1.7.0?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
o applicable Defaults options are now listed
o a command argument can be specified for testing whether a user
may run a specific command.
o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files", even
when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
with the -i flag, the contents of /etc/environment are used to
populate the new environment that is passed to the command being
run.
* If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
* A new Defaults option, "env_file" that refers to a file containing
environment variables to be set in the command being run.
* A new flag, -n, may be used to indicate that sudo should not
prompt the user for a password and, instead, exit with an error
if authentication is required.
* If sudo needs to prompt for a password and it is unable to disable
echo (and no askpass program is defined), it will refuse to run
unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
would exit sudo. In sudo 1.7.0 and beyond, this is treated as
an empty password. To exit sudo, the user must press ^C or ^D
at the prompt.
* visudo will now check the sudoers file owner and mode in -c (check)
mode when the -s (strict) flag is specified.
* Publish GCRY_MODULE_ID_USER and GCRY_MODULE_ID_USER_LAST constants.
This functionality has been in Libgcrypt since 1.3.0.
* MD5 may now be used in non-enforced fips mode.
* Fixed HMAC for SHA-384 and SHA-512 with keys longer than 64 bytes.
* In fips mode, RSA keys are now generated using the X9.31 algorithm
and DSA keys using the FIPS 186-2 algorithm.
* The transient-key flag is now also supported for DSA key
generation. DSA domain parameters may be given as well.
- Bugfix release, forward and backward compatible with 2.0.0
- Ability to build as a Mac framework (and build this way by default)
- On non-Mac Unix, the pkgconfig file is always qca2.pc, even in debug
mode
- Certificates containing wildcards are now matched properly
- DirWatch/FileWatch now work
- Keystore writes now work
- Don't delete objects in their event handler (prevents Qt 4.4 warnings)
- Fix potential hang with TLS in server mode
- Windows version can be configured/installed using paths with spaces
Upstream changes:
Authen-SASL 2.12 -- Mon Jun 30 21:35:21 CDT 2008
Enhancements
* GSSAPI implement protocol according to RFC, but by default,
remain compatible with cyrus sasl lib
* DIGEST-MD5 implement channel encryption layer
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
(CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certifcate requests and PKCS#12
files.
network security scanner with associated tools like a graphical
user front-end. The core component is a server with a set of network
vulnerability tests (NVTs) to detect security problems in remote
systems and applications.
amavisd-new-2.6.2 release notes
MAIN NEW FEATURES SUMMARY
- bounce killer: improved detection of nonstandard bounces;
- bounces to be killed no longer waste SpamAssassin time;
- tool to convert dkim-filter keysfile into amavisd configuration;
- compatibility with SpamAssassin 3.3 (CVS head) regained;
- rewritten and expanded documentation section on DKIM signing and
verification in amavisd-new-docs.html;
COMPATIBILITY WITH 2.6.1
- apart from small differences in logging and notifications, the
version 2.6.2 is compatible with 2.6.1, with its configuration file
and its environment;
- virus scanner entries were updated (as described below, most notably by
adding a regexp flag m), so be sure to update existing configuration file;
updated virus scanner entries can be used with 2.6.1 too;
- the %sql_clause default has changed in detail (see below), if its value
is overridden in a configuration file the setting may need updating;
See full release notes:
http://www.ijs.si/software/amavisd/release-notes.txt
