- The following bugs have been fixed:
* Wireshark stops showing new packets but dumpcap keeps
writing them to the temp file. (Bug 9571)
* Wireshark 1.10.4 shuts down when promiscuous mode is
unchecked. (Bug 9577)
* Homeplug dissector bug: STATUS_ACCESS_VIOLATION: dissector
accessed an invalid memory address. (Bug 9578)
- Updated Protocol Support
GSM BSSMAP, GSM BSSMAP LE, GSM SMS, Homeplug, NAS-EPS, and SGSAP
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2013-66
The SIP dissector could go into an infinite loop.
Discovered by Alain Botti. (Bug 9388)
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7112
* wnpa-sec-2013-67
The BSSGP dissector could crash. Discovered by Laurent
Butti. (Bug 9488)
Versions affected: 1.10.0 to 1.10.3
CVE-2013-7113
* wnpa-sec-2013-68
The NTLMSSP v2 dissector could crash. Discovered by Garming
Sam.
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7114
The following bugs have been fixed:
* "On-the-wire" packet lengths are limited to 65535 bytes.
(Bug 8808, ws-buglink:9390)
* Tx MCS set is not interpreted properly in WLAN beacon
frame. (Bug 8894)
* VoIP Graph Analysis window - some calls are black. (Bug
8966)
* Wireshark fails to decode single-line, multiple Contact:
URIs in SIP responses. (Bug 9031)
* epan/follow.c - Incorrect "bytes missing in capture file"
in "check_fragments" due to an unsigned int wraparound?.
(Bug 9112)
* gsm_map doesn't decode MAPv3 reportSM-DeliveryStatus
result. (Bug 9382)
* Incorrect NFSv4 FATTR4_SECURITY_LABEL value. (Bug 9383)
* Timestamp decoded for Gigamon trailer is not padded
correctly. (Bug 9433)
* SEL Fast Message Bug-fix for Signed 16-bit Integer Fast
Meter Messages. (Bug 9435)
* DNP3 Bug Fix for Analog Data Sign Bit Handling. (Bug
9442)
* GSM SMS User Data header fill bits are wrong when using a 7
bits ASCII / IA5 encoding. (Bug 9478)
* WCDMA RLC dissector cannot assemble PDUs with SNs skipped
and wrapped around. (Bug 9505)
* DTLS: fix buffer overflow in mac check. (Bug 9512)
* Correct data length in SCSI_DATA_IN packets (within
iSCSI). (Bug 9521)
* GSM SMS UDH EMS control expects 4 octets instead of 3 with
OPTIONAL 4th. (Bug 9550)
* Fix "decode as ..." for packet-time.c. (Bug 9563)
- Updated Protocol Support
ANSI IS-637-A, BSSGP, DNP3, DVB-BAT, DVB-CI, GSM MAP, GSM SMS,
IEEE 802.11, iSCSI, NFSv4, NTLMSSP v2, RLC, SEL FM, SIP, and Time
server into a router, but to allow engineers to control their BGP (rfc4271)
network easily. Think of it as Software Defined Networking for people with
"commodity" routers.
ExaBGP transforms BGP (rfc4271) messages into friendly plain text or JSON
which can be easily manipulated by scripts.
It allows the creation of tools such as:
* an advanced looking glass that graphically displays the routing of a prefix
* a high availability tool which automatically isolates broken services
* DDOS mitigation
* an anycasted server
(Note newer tw-1.0.2 has been released already, but it requires
recent tw-twitter 5.x.y which requires much more gems not in pkgsrc)
Changes from History.txt:
=== 0.5.2 2013-09-19
* do not show dialogue with "--yes" option
Originally packaged by Fredrik Pettai, updated by Nils Ratusznik and
requested with PR pkg/48436.
Spine, formerly Cactid, is a poller for Cacti that primarily strives to be
as fast as possible. For this reason it is written in native C, makes use of
POSIX threads, and is linked directly against the net-snmp library for minimal
SNMP polling overhead. Spine is a replacement for the default cmd.php poller
so you must decide if using Spine makes sense for your installation.
Changes since 3.6.21:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
o Stefan Metzmacher <metze@samba.org>
* BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
o Noel Power <noel.power@suse.com>
* BUGs 10300, 10306: CVE-2012-6150: Fail authentication if user isn't
member of *any* require_membership_of specified groups.
Changes since 3.6.20:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 10139: Valid utf8 filenames cause "invalid conversion error"
messages.
* BUG 10167: s3-smb2 server: smb2 breaks "smb encryption = mandatory".
* BUG 10187: Missing talloc_free can leak stackframe in error path.
* BUG 10247: xattr: Fix listing EAs on *BSD for non-root users.
o Korobkin <korobkin+samba@gmail.com>
* BUG 10118: Raise debug level for being unable to open a printer.
o Volker Lendecke <vl@samba.org>
* BUG 10195: nsswitch: Fix short writes in winbind_write_sock.
o Arvid Requate <requate@univention.de>
* BUG 10267: Fix Windows 8 printing via local printer drivers.
o Andreas Schneider <asn@cryptomilk.org>
* BUG 10194: Make offline logon cache updating for cross child domain
group membership.
Changes since version 1.0.22:
- Check for writability when waiting for a socket to finish connecting.
- Don't send PING requests on connections which are not active yet.
- Fix segfault when Name = $HOST but $HOST is not set.
- Fix typos in the documentation.
- Modernize the build system.
- Get rid of the splay tree implementation.
- Add description of IffOneQueue and MaxTimeout to the info manual.
- Clean up child processes from proxy type exec.
I had a few bugs in 1.2 and I figured I'd just pack them up and
release again.
* Fix -import exit value
* Fix version number reported by serve
* Rename '.egg' file calypso.egg
Features:
* Implement max-udp-size config option, default 4096 with fix#524 for
nonEDNS0 queries.
* add unbound-control insecure_add and insecure_remove for the administration
of negative trust anchors.
* install copy of unbound-control.8 man page for unbound-control-setup.
* code improve for minimal responses, small speed increase.
* max include of 100.000 files (depth and globbed at one time).
This is to preserve system memory in bug cases, or endless cases.
* unbound.h header file has UNBOUND_VERSION_MAJOR define.
* get_option, set_option, unbound-checkconf -o and libunbound getoption() and
setoption() support cache-min-ttl and cache-max-ttl. Also log-time-ascii,
python-script, val-sig-skew-min and val-sig-skew-max. log-time-ascii takes
effect immediately. The others are mostly useful for libunbound users.
* configure --disable-flto option.
* streamtcp man page.
* Make reverse zones easier by documenting the nodefault statements
commented-out in the example config file.
Bug Fixes:
* committed libunbound version 4:1:2 for binary API updated in 1.4.20
* Fix for 2038, with time_t instead of uint32_t.
* Fix resolve of names that use a mix of public and private addresses.
* [bugzilla: 492 ] Fix endianness detection, revert to older lookup3.c
detection and put new detect lines after previous tests, to avoid
regressions but allow new detections to succeed.
And add detection for machine/endian.h to it.
* Fix queries leaking up for stubs and forwards, if the configured
nameservers all fail to answer.
* unbound-anchor review: BIO_write can return 0 successfully if it has
successfully appended a zero length string.
* Fix so that for a configuration line of include: "*.conf" it is not an
error if there are no files matching the glob pattern.
* own implementation of compat/snprintf.c.
* [bugzilla: 491 ] pick program name (0th argument) as syslog identity.
* Fixup snprintf return value usage, fixed libunbound_get_option.
* Robust checks on dname validity from rdata for dname compare.
* iana portlist update.
* Fix round-robin doesn't work with some Windows clients.
* [bugzilla: 500 ] use on non-initialised values on socket bind failures.
* [bugzilla: 499 ] use-after-free in out-of-memory handling code.
* Explain bogus and secure flags in libunbound more.
* Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply patch to it
to not fail when -Werror is also specified, from the autoconf-archives.
* Fixup manpage syntax.
* Fix for const string literals in C++ for libunbound.
* Squelch sendto-permission denied errors when the network is not connected,
to avoid spamming syslog.
* libunbound documentation on how to avoid openssl race conditions.
* [bugzilla: 512 ] NSS returned arrays out of setup function to be statics.
* [bugzilla: 516 ] dnssec lameness detection for answers that are improper.
* [bugzilla: 519 ] ub_ctx_delete may hang in some scenarios (libunbound).
* [bugzilla: 520 ] Errors found by static analysis
- Integrated NetBSD ioctl driver (modified) from Rui Paulo.
- Fixed buffer overflow in draw_rate, exposed in 64-bit systems due
to extended precision in floating point values.
- Include Becker's changes for trend support and set trend support on by
default.
- Integrate FreeBSD's driver patch.
- Do not blink leds when an interface is offline
- Do not require 'link_up' in solaris_kstat (but use it if present),
since on OpenSolaris many nic drivers seem to be broken.
- Fix the installation path of wmndrc.
* Twisted now includes a HostnameEndpoint implementation which uses IPv4 and IPv6 in parallel, speeding up the connection by using whichever connects first (the 'Happy Eyeballs'/RFC 6555 algorithm).
* Improved support for Cancellable Deferreds by kaizhang, our GSoC student.
* Improved Twisted.Mail documentation by shira, our Outreach Program for Women intern.
* twistd now waits for the application to start successfully before exiting after daemonization.
* SSL server endpoint string descriptions now support the specification of chain certificates.
* Over 70 closed tickets since 13.1.0.
Upstream changes:
1.08 November 8, 2013
! #15703 add no_index for examples to prevent CPAN pollution [githumb.com/sergeyromanov]
1.07 November 7, 2013
! #89948 Remove warning when Content-Id is not present
These are security releases in order to address CVE-2013-4475 (ACLs are not checked on opening an alternate data stream on a file or directory) and CVE-2013-4476 (Private key in key.pem world readable).
--------------------------
Bugfixes:
* Improved zone loading error messages
* Correct control socket permissions
* Improved log syntax documentation
* Fixed wrong assertions in DDNS prerequisites checking
* Fixed processing of some malformed DNS packets
* Fixed notify messages being ignored in some cases
v1.3.2 - Sep 30, 2013
---------------------
Bugfixes:
* Configuration option for EDNS0 max UDP payload.
* Max UDP payload from EDNS0 affected TCP responses.
* Fixed build on SLE 10.
* knotc reload did not close files included from config.
Based on PR pkg/48320 by Nils Ratusznik.
Pkgsrc change:
* add startup script.
ChangeLog:
v1.15: 27JUL2013
Added --transparent option for transparent proxying.
See README for iptables magic and capability
management.
Fixed bug in sslh-select: if number of opened file
descriptor became bigger than FD_SETSIZE, bad things
would happen.
Fixed bug in sslh-select: if socket dropped while
defered_data was present, sslh-select would crash.
Increased FD_SETSIZE for Cygwin, as the default 64
is too low for even moderate load.
v1.14: 21DEC2012
Corrected OpenVPN probe to support pre-shared secret
mode (OpenVPN port-sharing code is... wrong). Thanks
to Kai Ellinger for help in investigating and
testing.
Added an actual TLS/SSL probe.
Added configurable --on-timeout protocol
specification.
Added a --anyprot protocol probe (equivalent to what
--ssl was).
Makefile respects the user's compiler and CFLAG
choices (falling back to the current values if
undefined), as well as LDFLAGS.
(Michael Palimaka)
Added "After" and "KillMode" to systemd.sslh.service
(Thomas Weißschuh).
Added LSB tags to etc.init.d.sslh
(Thomas Varis).
v1.13: 18MAY2012
Write PID file before dropping privileges.
Added --background, which overrides 'foreground'
configuration file setting.
Added example systemd service file from Archlinux in
scripts/
https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
(Sébastien Luttringer)
v1.12: 08MAY2012
Added support for configuration file.
New protocol probes can be defined using regular
expressions that match the first packet sent by the
client.
sslh now connects timed out connections to the first
configured protocol instead of 'ssh' (just make sure
ssh is the first defined protocol).
sslh now tries protocols in the order in which they
are defined (just make sure sslh is the last defined
protocol).
v1.11: 21APR2012
WARNING: defaults have been removed for --user and
--pidfile options, update your start-up scripts!
No longer stop sslh when reverse DNS requests fail
for logging.
Added HTTP probe.
No longer create new session if running in
foreground.
No longer default to changing user to 'nobody'. If
--user isn't specified, just run as current user.
No longer create PID file by default, it should be
explicitly set with --pidfile.
No longer log to syslog if in foreground. Logs are
instead output to stderr.
The four changes above make it straightforward to
integrate sslh with systemd, and should help with
launchd.
v1.10: 27NOV2011
Fixed calls referring to sockaddr length so they work
with FreeBSD.
Try target addresses in turn until one works if
there are several (e.g. "localhost:22" resolves to
an IPv6 address and an IPv4 address and sshd does
not listen on IPv6).
Fixed sslh-fork so killing the head process kills
the listener processes.
Heavily cleaned up test suite. Added stress test
t_load script. Added coverage (requires lcov).
Support for XMPP (Arnaud Gendre).
Updated README.MacOSX (Aaron Madlon-Kay).
v1.9: 02AUG2011
WARNING: This version does not work with FreeBSD and
derivatives!
WARNING: Options changed, you'll need to update your
start-up scripts! Log format changed, you'll need to
update log processing scripts!
Now supports IPv6 throughout (both on listening and
forwarding)
Logs now contain IPv6 addresses, local forwarding
address, and resolves names (unless --numeric is
specified).
Introduced long options.
Options -l, -s and -o replaced by their long
counterparts.
Defaults for SSL and SSH options suppressed (it's
legitimate to want to use sslh to mux OpenVPN and
tinc while not caring about SSH nor SSL).
Bind to multiple addresses with multiple -p options.
Support for tinc VPN (experimental).
Numeric logging option.
v1.8: 15JUL2011
Changed log format to make it possible to link
connections to subsequent logs from other services.
Updated CentOS init.d script (Andre Krajnik).
Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
propagated to the child process, so we set up signals after
the fork.) (François FRITZ)
Added -o "OpenVPN" and OpenVPN probing and support.
Added single-threaded, select(2)-based version.
Added support for "Bold" SSH clients (clients that speak first)
Thanks to Guillaume Ricaud for spotting a regression
bug.
Added -f "foreground" option.
Added test suite. (only tests connections. No test for libwrap,
setsid, setuid and so on) and corresponding 'make
test' target.
Added README.MacOSX (thanks Aaron Madlon-Kay)
Documented use with proxytunnel and corkscrew in
README.
Security Fixes
Treat an all zero netmask as invalid when generating the localnets
acl. A Winsock library call on some Windows systems can return
an incorrect value for an interface's netmask, potentially
causing unexpected matches to BIND's built-in "localnets" Access
Control List. (CVE-2013-6230) [RT #34687]
* Image preview
* catch up Tumblr spec change
* Fixes 100% CPU when network is disconnected.
* Fixes display past tweets in threads.
* Fixes rare crash handling list.
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2013-61
The IEEE 802.15.4 dissector could crash. (Bug 9139)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6336
* wnpa-sec-2013-62
The NBAP dissector could crash. Discovered by Laurent
Butti. (Bug 9168)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6337
* wnpa-sec-2013-63
The SIP dissector could crash. (Bug 9228)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6338
* wnpa-sec-2013-64
The OpenWire dissector could go into a large loop.
Discovered by Murali. (Bug 9248)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6339
* wnpa-sec-2013-65
The TCP dissector could crash. (Bug 9263)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6340
- The following bugs have been fixed:
* new_packet_list: EAP-TLS reassemble does not happen when
NEW_PACKET_LIST is toggled. (Bug 5349)
* TLS decryption fails with XMPP start_tls. (Bug 8871)
* Wrong Interpretation of GTS starting slot. (Bug 8946)
* "Follow TCP Stream" shows only the first HTTP req+res.
(Bug 9044)
* The value of SEND_TO_UE in the DIAMETER Gx dictionary for
Packet-Filter-Usage AVP is 0 instead of 1. (Bug 9126)
* Crash when trying to delete the same entry (length range)
twice. (Bug 9129)
* Crash if wrong "packet lengths range" entered. (Bug
9130)
* Bssgp => SGSN-INVOKE-TRACE use the wrong function...
(Bug 9157)
* Minor correction to dissection of DLR frames in Ethernet/IP
dissector. (Bug 9186)
* WebSphere MQ V7 Bug Fix 8322 TSHM_EBCDIC. (Bug 9198)
* EDNS0 "Higher bits in extended RCODE" incorrectly decoded
in packet-dns.c. (Bug 9199)
* Files with pcap-ng Simple Packet Blocks can't be read.
(Bug 9200)
* Bug in RTP dissector if RTP extension is present. (Bug
9204)
* Improve "eHRPD Indicator" NVSE dissection in 3GPP2 A11
Registration Request. (Bug 9206)
* "make debian-package" fails, missing wsicon32.xpm. (Bug
9209)
* Fix typo in MODCOD list of DVB-S2 dissector. (Bug 9218)
* Ring buffer crash when tshark gets too far behind dumpcap.
(Bug 9258)
* PTP Dissector Wrongfully Reports Malformed Packet. (Bug
9262)
* Wireshark lua dissector unable to load for
media_type=application/octet-stream. (Bug 9296)
* Wireshark crash when dissecting packet with NTLMSSP.
(Bug 9299)
* Padding in uint64 field in DCERPC protocol wrongly
reported. (Bug 9300)
* DCERPC data_blobs are not correctly dissected when NDR64
encoding is used. (Bug 9301)
* Multiple PDUs in the same DCERPC packet are not correctly
decrypted. (Bug 9302)
* The tshark summary line doesn't display the frame number or
displays it sporadically. (Bug 9317)
* Bluetooth: SDP improvements and minor fixes. (Bug 9327)
* Duplicate IRC header field abbreviation breaks filter
(example: irc.response.command). (Bug 9360)
- Updated Protocol Support
3GPP2 A11, Bluetooth SDP, BSSGP, DCERPC, DCERPC NDR, DCERPC NT,
DIAMETER, DNS, DVB-S2, Ethernet, EtherNet/IP, H.225, IEEE
802.15.4, IRC, NBAP, NTLMSSP, OpenWire, PTP, RTP, SIP, TCP,
WiMax, and XMPP
e-mail address). Changes include:
* Shell.to_file: implement the append flag as documented
* The libraries netcamlbox and netmulticore are now only built
if completely supported.
* Porting netcamlbox and netmulticore to ocaml-4.01:
There are new implementations in OCaml for caml_modify and
caml_initialize that are incompatible with our usage here.
Fortunately, these symbols are now weak, and we can override
them. This is done in netsys.outofheap, and for the time being
we just use the old implementation from ocaml-4.00.
* Porting netsys to ocaml-4.01: O_CLOEXEC is now supported
if found
* Netsys_sem: fix for systems that don't have
Netsys_posix.sysconf_open_max (e.g. Win32).
* Http_fs: read method: fixing a problem with resent messages
* Http_client: better reaction after "100" responses
* Http_client: implementing verbose_response_header, and
verbose_response_contents again
* Uq_ssl: debugging of payload data (Uq_ssl.Debug.dump_data)
* Http_fs: fixing chunked encoding for PUT (this is already done
in Http_client)
* Nethttp: new function base_code
* Http_client: handling the case better that an unknown status
code is returned by the server. Before, [response_status] simply
raised [Not_found]. Now, the base status is returned instead.
* Extending ocamlrpcgen: It supports now six new directives,
_lowercase, _uppercase, _capitalize, _prefix, _equals,
and _tuple (see documentation).
Changes:
- Set default timing method to either gtod or abstime (#404)
- Fix IPv6 parsing of CIDR's (#405)
- Add support for preloading the memory cache (#410)
- Generate more useful error when packets are too small (#411)
- Update to libopts/Autogen 5.9.9 (#412)
- Ship Win32Readme.txt file (#413)
- Update copyright notice to 2010 (#416)
- Dramatically enhance --portmap option (#417)
- Update autotools (#423)
- Add support for printing statistics periodically during the run (#424)
- Warn user when pcap snaplen < 65535 (#425)
- Add 802.1q processing support tcpprep (#428)
- Link libnl when newer versions of libpcap require it (#397)
- Ship m4 directory (#398)
- Upgrade to latest autotools scripts (#400)
- Fix error message when running autogen.sh (#401)
- Added extensive IPv6 support to tcprewrite & tcpreplay-edit (#11)
- Add IPv6 fragroute support (#388)
- Add IPv6 decoding support to tcpprep (#11)
- Fix compile time error in err.h (#390)
- Add --endpoints support in tcpreplay-edit (#393)
Features:
* documented in doc/NSD-4-features. Change configuration without restart,
direct nameserver control with nsd-control, support a higher number of zones.
Higher performance (compared to NSD3).
* nsdc is gone. Use kill -HUP for reload (also checks if zonefiles have
changed and rereads them), and kill -TERM for quit. Or use nsd-control
for detailed control.
* cron job for nsdc patch is gone. nsd-control write creates zonefiles.
* nsd.db has a new format that compacts itself when it is changed,
thus nsdc patch is no longer necessary.
* nsd.db is memory mapped, NSD needs (part of) that mmap in ram.
* tcp-count can go above 1000; epoll/kqueue support with libevent.
* nsd-control reconfig for updates with no restart (zones, keys, ..)
* nsd-control-setup to create keys for nsd-control (enable nsd-control
with remote-control: yes in nsd.conf).
Changes since puf-0.93.2a:
1.0.0 (16 Oct 2005)
- Fixed command line parsing error that caused -d to be taken as -dc
- -r[+[+]] doesn't imply -p any more, but it advances -p to -pr[+[+]]
- The scope of URL-based switches can be limited with brackets now
- The file supplied to -i is now interpreted as a generic command file
with one command line switch (incl. argument) or URL per line
- Dropped SPEC format - use -O and the new -xy/-xyy switches instead
- $http_proxy is now obeyed if no proxies are specified with -y/-iy
- Scope of -O switch unified with other URL-based switches
- Made -O buffer output when dumping multiple sources to one target
- Added support for "-O -"
- Added -A, -R, -D, -Dl, -Dr, -xr, -xu, -xs, -xo and -xO switches
- Removed -xe switch
- -xE now enumerates per occurrence of -P
- Vast performance improvements of large downloads
- Automatically %-escape [invalid] spaces in URLs
- Various bug fixes
- Change of versioning scheme to something more reasonable
0.93.3 (20 May 2004)
- Don't retry after HTTP errors 403 and 404. Added -xT switch to
enforce the old behaviour (for some really broken servers)
- Don't spawn a separate process for every DNS lookup, but use a
pool of DNS helper processes instead
- Added -xh and -dc switches
- Fixed file corruption on CygWin
Add missing DEPENDS
Upstream changes:
0.11 2012-02-13
- needs to actually depend on Path::Class
0.10 2012-02-12
- Fix ::FileHandle on pre-5.14 perls
0.09 2012-02-12
- oops, missed rafl's upload, rerelease with the correct version number
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
- Use USE_PHP_EXT_PATCHES in net/php-sockets.
- Make AI_V4MAPPED a no-op if the platform doesn't have it.
It is a poor assumption that AI_V4MAPPED is always defined and that a V4 mapped
address is always available.
Changes since version 1.0.13:
* Better optional argument handling.
* Set $NAME when calling host-up/down and subnet-up/down scripts.
* Don't echo broadcast packets back when Broadcast = direct.
* Update copyright notices.
* Fix combination of Mode = router and DeviceType = tap on Linux.
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
* Use /dev/tap0 by default on FreeBSD and NetBSD when using Mode = switch.
* Document how to load the tap driver on FreeBSD.
* Update THANKS file.
* Also clarify hostnames=[yes|no] in tinc.conf(5).
* Attribution for Vil Brekin and some code style cleanups.
* Don't ignore Makefile.am.
* Fix links in documentation.
* Attribution for Martin Schürrer.
* Add strict checks to hex to binary conversions.
* Clear connection options and status fields in free_connection_partially().
* Fix warnings from cppcheck.
* Clear Ethernet header when reading packets from a tun device.
* Clear status and options fields of unreachable nodes.
* Fix warnings from groff.
* Using alloca() for a constant sized buffer is very silly.
* Make sure PMTU discovery works in switch mode with VLAN tags.
* Mention in the manual that support for LZO and zlib can be disabled.
* Fix configure script help text for --enable options.
* Don't take the address of a variable whose scope is about to disappear.
* Send broadcast packets using a random socket, and properly support IPv6.
* Remove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.
* Fix support for tunemu on iOS devices.
* Make sure PriorityInheritance also works in switch mode.
* Detect increases in PMTU.
* Fix a compiler warning.
* Fix segmentation fault when trying to connect via a SOCKS5 proxy.
* Don't send proxy requests for incoming connections.
* Fix compiler warnings on Windows.
* Fix detection of rejected SOCKS5 proxy requests.
* Basic patch for android cross-compilation.
* Replace hard-code with new ScriptsInterpreter configuration property.
* Add basic .gitignore file, cleaning (most) files generated by autotools.
* Use __ANDROID__ define rather than dirty hard-code to allow android NDK cross-compilation.
* Android cross-compilation instructions.
* Output details of encryption errors
* Minor clarification, tinc.conf hostnames=[yes|no] variable only resolves names for logging purposes.
* Support :: in IPv6 Subnets.
* Remove newline from log message.
* Add support for systemd style socket activation.
* Allow environment variables to be used for Name.
* Allow broadcast packets to be sent directly instead of via the MST.
* Add basic support for SOCKS 4 and HTTP CONNECT proxies.
* Add support for SOCKS 5 proxies.
* Add support for proxying through an external command.
* Document new proxy types.
* Small fixes in proxy code.
* Fix compiler warnings.
* Fix crash when using Broadcast = direct.
* configure.in: fix AC_ARG_ENABLE and AC_ARG_WITH
* add (errnum) in front of windows error messages
* Always try next Address when an outgoing connection fails to authenticate.
* Allow a port to be specified in BindToAddress statements.
* Add support for multicast communication with UML/QEMU/KVM.
* Set default value of DecrementTTL to "no".
* Add #ifdefs in case not all platforms support IPv4 and IPv6 multicast.
* Allow scoped addresses to be used for IPv6 multicast socket.
* Fix compiler warnings.
* Fix return value type of vde_send().
* Fix some more compiler warnings.
* Document OpenBSD "ifconfig link0" and Linux "ip tuntap" commands.
* Fix return type of vde_recv() as well.
* Mark DecrementTTL option experimental.
* Prevent read_rsa_public_key() from returning an uninitialized RSA structure.
* Return false instead of void when there is an error.
* Fix compilation of VDE and UML interfaces.
* Add vde/device.c to the tarball.
* Fix a few small memory leaks.
* Allow linking with multiple device drivers.
* Set FD_CLOEXEC flag on all sockets.
* Allow multiple BindToAddress statements.
* Merge branch 'master' of black:tinc
* Send packets back using the same socket as they were received on.
* Allow setting DeviceType to tun or tap on Linux.
* Merge branch 'master' of black:tinc
* Only compile raw socket code when it is supported on that platform.
* Decrement TTL of incoming packets.
* Don't bind outgoing TCP sockets anymore.
* Rename connection_t *broadcast to everyone.
* Allow disabling of broadcast packets.
* Move initialization of char *priority up to prevent freeing an uninitialized pointer.
* Document the command line flag -o and provide --option as well.
* Fix a bug that caused tinc to ignore all but the last listening socket.
* Fix check for raw socket support.
* Pass index into listen_socket[] to handle_incoming_vpn_data().
* Add LocalDiscovery option which tries to detect peers on the local network.
* Don't send ICMP Time Exceeded messages for other Time Exceeded messages.
* Stricter checks against routing loops.
* Only use broadcast at the start of the PMTU discovery phase.
* Only log errors sending UDP packets when debug level >= 5.
* Accept Subnets passed with the -o option when StrictSubnets = yes.
* Add missing ICMP6 message type definitions.
* Make sure disabling old RSA keys works on Windows.
* Update copyright notices.
* Add missing ICMP message type definitions.
* Make code to detect two nodes with the same Name less triggerhappy.
* Flush output buffer in send_tcppacket().
* Use usleep() instead of sleep(), MinGW complained.
* Reorder checks for libraries to allow ./configure LDFLAGS=-static.
* Make return value of SetPriorityClass() behave the same as setpriority().
* Fix sparse warnings and add an extra sprinkling of const.
* Remove newlines from log messages.
* Remove a few unnecessary #includes.
* Attribution for Loïc Grenié.
* Improved --logfile option.
* Remove redundant @CFLAGS@ from AM_CFLAGS.
* Nearly tickless tinc.
* Fix reading configuration files that do not end with a newline. Again.
* Define WINVER before including any other header file on Windows.
* Use intptr_t instead of long to store a pointer.
* OpenSSL 1.0.0 compiled for 64 bit Windows requires linking with -lcrypt32.
* Fix all warnings when compiling with mingw64.
* Use strrchr() instead of rindex().
* Detect and prevent two nodes with the same Name being on the VPN simultaneously.
* Use 64 bit counters to keep track of bytes sent/received from the virtual network interface.
* Do not append an address to ANS_KEY messages if we don't know any address.
* Merge local host configuration with server configuration.
* Remove duplicate command-line option parsing.
* Attribution for Julien Muchembled.
* Attribution for Timothy Redaelli.
* Ensure there is a newline character before a PEM key is written.
* Abort disabling old PEM keys on I/O errors.
* Remove unused variables.
* Quit when there are too many consecutive errors on the tun/tap device.
* Read error counter must be static.
* Add short options -R and -U to the tincd(8) manpage.
* Don't use strlen() on a NULL pointer.
* Provide usleep() for Windows.
* Use variable length arrays instead of alloca().
* Fix warning message when setting SO_RCVBUF or SO_SNDBUF fails.
* Free replay window when freeing a node_t.
* Fix variable length array declaration.
* Attribution for Brandon Black.
* Use setpriority() instead of nice() on UNIX-like systems.
* Always send MTU probes at least once every PingInterval.
* Close all filedescriptors in Solaris close_device().
* Limit field width when scanning PID file.
* Replace bogus #else with #endif.
* Remove unused variables.
* Document the behavior of "-n."
* Update the manual.
* Update the NEWS.
* Proper check and dropin replacement for usleep().
* Fix typo spotted by Andrew Scheller.
* Add support for VDE through libvdeplug.
* Fix spurious misidentification of incoming UDP packets.
* Prevent anything from updating our own UDP address.
* Do not set indirect flag on edges from nodes with multiple addresses.
* Increase threshold for detecting two nodes with the same Name.
* Always use the default signal handler for ABRT signals.
* Check for EVP_EncryptInit_ex instead of SHA1_Version in OpenSSL.
* Update THANKS and copyright information.
* Ensure proper linking with OpenSSL with recent versions of MinGW.
* Include <inttypes.h> when using intptr_t.
* Experimental IFF_ONE_QUEUE support for Linux
* Configurable SO_RCVBUF/SO_SNDBUF for the UDP socket
* Configurable ReplayWindow size, zero disables
* Improved handling of queue-jumping packets on receive
* New '-o' option to configure server or hosts from command line
* Fix command-line '-o' option for host configuration
* Fix warnings shown when using -D_FORTIFY_SOURCE=2
* Fix warnings under BSD
* Treat netname="." in a special way.
* DragonFlyBSD support
Changes since 3.6.18:
---------------------
o Jeremy Allison <jra@samba.org>
* BUG 5917: Make Samba work on site with Read Only Domain Controller.
o Christian Ambach <ambi@samba.org>
* BUG 8955: NetrServerPasswordSet2 timeout is too short.
o Günther Deschner <gd@samba.org>
* BUG 9899: Fix fallback to ncacn_np in cm_connect_lsat().
* BUG 9615: Fix fallback to ncacn_np in cm_connect_lsat().
* BUG 10127: Fix 'smbstatus' as non-root user.
o Volker Lendecke <vl@samba.org>
* BUG 8955: Give machine password changes 10 minutes of time.
* BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo
requests.
* BUG 10114: Handle Dropbox (write-only-directory) case correctly in
pathname lookup.
o Karolin Seeger <kseeger@samba.org>
* BUG 10076: Fix variable list in man vfs_crossrename.
o Andreas Schneider <asn@samba.org>
* BUG 9994: s3-winbind: Do not delete an existing valid credential cache.
* BUG 10073: 'net ads join': Fix segmentation fault in
create_local_private_krb5_conf_for_domain.
o Richard Sharpe <realrichardsharpe@gmail.com>
* BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed
out by Samba.
- Fix memory leak caused by latcp -d & llogin -d
- Loads of protocol fixes and speed enhancements
NOTE: There are known problems with DECserver 90L terminal servers
- Add better support for DS90L servers reverse LAT
- Fix REQID message in moprc so it works with more servers.
Based on PR pkg/48269 by Gianni D'Aprile, with various fixes and improvements.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP),
released under the Apache license.
Based on PR pkg/48217 by Leonardo Taccari.
Changes:
v1.24 Mar 14 2010
- fixed another remotely triggerable NULL dereference in ip_fragment.c
- unofficial patch that enables tracking of already established TCP connections
- missing reset of some tcp_* variables upon nids_exit
- correct calculation of radiotap header
- compilation warning fixes with newer gcc
- use pcap_get_selectable_fd() instead of pcap_fileno()
OUTPUT CHANGES:
- Output numbers in 3-digit groups by default (e.g. 1,234,567). See the
--human-readable option for a way to turn it off. See also the daemon's
"log format" parameter and related command-line options (including
--out-format) for a modifier that can be used to request digit-grouping
or human-readable output in log escapes. (Note that log output is
unchanged by default.)
- The --list-only option is now affected by the --human-readable setting.
It will display digit groupings by default, and unit suffixes if higher
levels of readability are requested. Also, the column width for the size
output has increased from 11 to 14 characters when human readability is
enabled. Use --no-h to get the old-style output and column size.
- The output of the --progress option has changed: the string "xfer" was
shortened to "xfr", and the string "to-check" was shortened to "to-chk",
both designed to make room for the (by default) wider display of file
size numbers without making the total line-length longer. Also, when
incremental recursion is enabled, the string "ir-chk" will be used
instead of "to-chk" up until the incremental-recursion scan is done,
letting you know that the value to check and the total value will still
be increasing as new files are found.
- Enhanced the --stats output: 1) to mention how many files were created
(protocol >= 28), 2) to mention how many files were deleted (a new line
for protocol 31, but only output when --delete is in effect), and 3) to
follow the file-count, created-count, and deleted-count with a subcount
list that shows the counts by type. The wording of the transferred count
has also changed so that it is clearer that it is only a count of regular
files.
1.80: 2012-02-26
-- FLV streaming plugin (Gosuke Miyashita <gosukenator@gmail.com>)
-- New Throttle plugin (Adam Thomason <thomason@reticulatedsplines.net>)
-- Force keepalives off when we haven't finished reading a request body, but we
are already sending a response. (Jonathan Steinert <hachi@kuiki.net>)
-- Add support for Content-MD5 checking on PUT requests to web server services.
(Eric Wong <normalperson@yhbt.net>)
-- Include an XFFExtras plugin that can add X-Forwarded-Port and X-Forwarded-Proto
headers to help proxy backends construct canonical URLs with less configuration.
(RT 60260) (Jonathan Steinert <hachi@kuiki.net>)
-- Fix perlbal-check's age calculation to get the maximum age of queues across all
Perlbals. (Abe Hassan <ahassan@saymedia.com>)
-- Add DEFAULT command to allow setting default values for later service tunables
(Mark Smith <mark@qq.is>)
-- Change IO::Socket::SSL version requirement error to reflect what we actually
require. (Jonathan Steinert <hachi@kuiki.net>)
-- Completely redo the deps list for perlbal. This addresses an issue exposed when
LWP was split into component modules (RT 68490) , plus other subtle issues we've
been ignoring or unaware of. (Jonathan Steinert <hachi@kuiki.net>)
-- Stop loading Storable, we don't use it (Jonathan Steinert <hachi@kuiki.net>)
-- Switch Devel::Peek to an optional requirement (Jonathan Steinert <hachi@kuiki.net>)
-- Change perlbal-check to use IO::Socket::INET, not just IO::Socket
(Jonathan Steinert <hachi@kuiki.net>)
-- Can use PERLBAL_REMOVE_FIELDS=1 to disable fields and improve performance
(Nicolas Rochelemagne <nicolas.rochelemagne@cpanel.net>)
-- Optimize handling of SET for bool values
(Nicolas Rochelemagne <nicolas.rochelemagne@cpanel.net>)
ryo-on, and myself.
cclive is a command line video extraction utility similar to clive
but with lower requirements. Its features are few and essential.
Supports Youtube, Googlevideo, Break, Liveleak, Sevenload, Evisortv
and Dailymotion.
0MQ version 3.2.4 stable, released on 2013/09/20
================================================
* LIBZMQ-84 (Windows) Assertion failed: Address already in use at signaler.cpp:80
* LIBZMQ-456 ZMQ_XPUB_VERBOSE does not propagate in a tree of XPUB/XSUB devices
* LIBZMQ-532 (Windows) critical section not released on error
* LIBZMQ-569 Detect OpenPGM 5.2 system library
* LIBZMQ-563 Subscribers sometimes stopped receiving messages (aka LIBZMQ-541)
* LIBZMQ-XXX Added support for Travis Continuous Integration
* LIBZMQ-XXX Several improvements to MSVC support
chrysn and Joe Nahmias have done a bunch of work on Calypso, and I even
managed to fix a couple of bugs. I've merged their stuff in and pushed
out a version 1.2 release this afternoon, along with an updated debian
package. At this point, all reported Debian bugs are closed (surely that
can't last through more than one release).
The only piece unmerged was the ForkingMixin stuff as that means that
each connection has to re-read the entire database at startup as there's
no persistent in-memory state. I'd love to figure out how to use the
ThreadingMixin instead, providing the same multi-session support along
with caching.
0.8 - Rainbow
=============
* New authentication and rights management modules (by Matthias Jordan)
* Experimental database storage
* Command-line option for custom configuration file (by Mark Adams)
* Root URL not at the root of a domain (by Clint Adams, Fabrice Bellet, Vincent Untz)
* Improved support for iCal, CalDAVSync, CardDAVSync, CalDavZAP and CardDavMATE
* Empty PROPFIND requests handled (by Christoph Polcin)
* Colon allowed in passwords
* Configurable realm message
0.62 (01/26/2013)
(dc) Add support for HTTP compression where available, enabled by default.
(cb) Add support for EAN to the US locale, as reported by Jacob Turino.
(cb) Add Spain and Italy locales, as implemented by Menno Blom.
(cb) Add some new departments in Amazon.co.jp, as implemented by Naoya Ito.
Features:
* New config option "ip-transparent:" to allow NSD to bind to non local
addresses. Default no.
* Use IPV6 minimum MTU settings with TCP to reduce failures that are caused
by delays in learning working PMTU when communicating through a tunnel.
* Bugfix #496: Support for EUI48 and EUI64 RR types. Experimental,
turned off by default. Enable with --enable-draft-rrtypes.
* New config option "rrl-slip:" to set the average number of packets
discarded before we send back a truncated response.
* New config option "rrl-ipv4-prefix-length:" and "rrl-ipv6-prefix-length:"
to set the prefix lengths.
* Improved RRL logging, also print triggering query src address and QTYPE.
* Provide RRL documentation in nsd.conf.sample.
Bugfixes:
* Bugfix #357: Parent process waits until children closed down sockets,
to prevent NSD failing to bind to sockets when restarting.
* Bugfix #487: lookup3.c determine endianness for BSD systems.
* Bugfix #491: pick program name (0th argument) as syslog identity.
* Bugfix #494: Exit with return code 1 if socket code fails.
* Bugfix #495: Wrong bufsize in dname_to_string for root.
* Fix outgoing-interface: Don't fail if family is IPv6 but only IPv4
outgoing-interface is set, or vice versa.
* RRtypes AFSDB, RP, RT should not compress dnames.
* Check that zone directory is within chroot directory.
* Better XFR checking, fallback to AXFR (if allowed) if three malformed
XFR packets have been seen.
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
New Features
Added Response Rate Limiting (RRL) functionality to reduce the
effectiveness of DNS as an amplifier for reflected denial-of-service
attacks by rate-limiting substantially-identical responses. [RT
#28130]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Changed the logging category for RRL events from 'queries' to
'query-errors'. [RT #33540]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Fix the "zone-statistics" option to work with the default
traditional statistics (not new "--enable-newstats" feature).
[RT #34466]
named could crash when deleting inline-signing zones with "rndc
delzone". [RT #34066]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
win32: Some executables had been omitted from the installer. [RT
#34116]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
Adjusted RRL behavior for recursive queries to defer rate-limiting
until after recursion is complete. Also uses correct rcode for
slipped NXDOMAIN responses. [RT #33604]
Previously, BIND could erroneously report a missing file
specification when using inline slave zones. [RT #33662]
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.)
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
(CVE-2013-3919 is already fixed in pkgsrc).
Security Fixes
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
(leaf package, mainly bugfixes, checked with MAINTAINER)
v3.0.717 (14 August 2013)
- (OS X only) Work around lack of clock_gettime().
- Fix crash due to str_appendf() not understanding %ld.
v3.0.716 (8 August 2013)
- Implement support for multiple capture interfaces.
- Support multiple local IPs on an interface.
- Only error out if we fail to create all HTTP sockets.
In particular, this helps on IPv6-incapable platforms.
- Use monotonic time over wall time where appropriate.
- Portability fixes for NetBSD and OpenBSD.
EM-Socksify: Transparent SOCKS support for any EventMachine protocol
Dealing with SOCKS proxies is a pain. EM-Socksify provides a simple shim to
setup & negotiate a SOCKS5 connection for any EventMachine protocol. To add
SOCKS support, all you have to do is include the module and provide your
destination address.
changes:
-scripting improvements
-added lua scripting support to ncat
-hundreds of new OS and service detection signatures
-version scanning through a chain of proxies
-improved target specification
-performance enhancements and bug fixes
pkgsrc note: added "lua" option
approved by The Maintainer
freediameter (1.2.0) UNRELEASED; urgency=low
* Major changes in the logging system to be more syslog and production friendly
* New extension: dict_dcca_3gpp
* New extension: dict_dcca_starent (Starent DCCA vendor-specific AVPs)
* New extension: rt_ignore_dh (hide network topology by proxying Destination-Host).
* New extension: rt_load_balance (load balancer based on pending queue size).
* New extension: rt_busypeers. See doc/rt_busypeers.conf.sample.
* New extension: dbg_msg_timings. Measures timing of message operations.
* New extension: dbg_msg_dumps. Use to control hooks display.
* New API (fd_hook_*) for extensions to control messages logging & profiling
* New API (fd_stats_*) for extensions to monitor framework state (e.g. SNMP implem)
* API change: all the fd_*_dump functions now return malloc'd strings instead of logging directly.
* API change: callback parameter of fd_rt_out_register had its signature updated.
* Updated dbg_monitoring extension to use the new API
* New script to generate dictionary extensions from org file (see contrib/tools)
* New compilation option: WORKAROUND_ACCEPT_INVALID_VSAI to improve compatibility
with invalid Vendor-Specific-Application-Id AVPs received from some equipments (e.g. Cisco).
* New compilation option: DISABLE_PEER_EXPIRY for use in test environments.
* Extensions are now also searched in LD_LIBRARY_PATH.
* Copy Proxy-Info AVP automatically in new answers.
* Port value 0 allowed in configuration to disable local server (e.g. disable non-secure port).
* API change: fd_msg_send_timeout now takes a separate callback for timeout situation.
* Function changes: fd_msg_dump_* now split in three different type of output.
* New test testmesg_stress to measure message parser performance
* Fix termination of the framework to avoid failures.
* Fix invalid timespec value in peer PSM appearing randomly (leading to crash).
* Return DIAMETER_LOOP_DETECTED if local peer in the Route-Record list of a message.
* Allow running without TLS configuration.
* Upgraded SCTP code to comply with RFC 6458
* Using default secure Diameter port number 5658 as per RFC 6733
* Updated TLS code for performance improvements with new GNU TLS.
* Fix interlocking problem when large number of requests were failed over.
* New option in test_app.fdx extension for long messages payload.
* Performance improvement in message sending code path.
-- Sebastien Decugis <sdecugis@freediameter.net> Sat, 14 Sep 2013 18:08:07 +0800
---------------------
Bugfixes:
* Response with NSID contained extra bytes after reload
* List of remotes is scanned for longest prefix match
* Multipacket TSIG signatures for transfers
* Wrongly parsed TSIG key secret without quotes
* Removed autoconf checks for extended instruction sets
v1.3.0 - Aug 5, 2013
--------------------
Features:
* Defaults for CH TXT id.server,version.server (see doc)
Bugfixes:
* Progressive interval for bootstrap retry
* Transfers randomly cancelled
* Disabling RRL on reload
* Secondary groups not initialized when dropping privileges
* Responding to DS queries for names at or below delegation points
v1.3.0-rc5 - Jul 29, 2013
-------------------------
Features:
* Much faster bootstrap of many zones
Bugfixes:
* Removed deprecated 'knotc -w' option
* Slave ignores out-of-zone records in zone
* Support for obsolete types in zone transfers
* Slave zone file names fixes
* Long transfers being randomly dropped
v1.3.0-rc4 - Jul 15, 2013
-------------------------
Features:
* --with-configdir option for default config path
* Reintroduced 'pidfile' config option
Bugfixes:
* AXFR/IXFR subsystem performance improvements
* Rescheduling of AXFR in some cases
* RRSIGs not in the same section for DS records
* Log messages leaking to syslog
* 'knotc restart' option removed due to several limitations
v1.3.0-rc3 - Jun 28, 2013
-------------------------
Features:
* Utility to estimate memory consumption (see 'knotc memstats')
* PID file is not created when running on foreground
* UNIX sockets support for knotc
* Configurable 'rundir' and 'storage'
Bugfixes:
* IXFR with an arbitrary number of diffs
* Processing of knotc TSIG keyfile
* Atomic PID file writing, removed deprecated 'knotc start'
* Performance regression when RRSIGs came before covered RRs in AXFR
v1.3.0-rc2 - Jun 14, 2013
-------------------------
Bugfixes:
* Label compression related bug
* Proper resolution of some CNAME chains
* Unstable response rate in rare cases
* Several log messages
v1.3.0-rc1 - Jun 4, 2013
---------------------------
Features:
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* Config: 'groups' keyword allowing to create groups of remotes
* Config: 'include' keyword allowing other file includes
* Client utilities: kdig, khost, knsupdate
* Server identification using TXT/CH queries (RFC 4892)
* Improved build scripts
* Improved dname compression and performance
Bugfixes:
* Fixed creating of PID file when dropping privileges
lldpd (0.7.6)
* Features:
+ Provide a way to build packages for OSX.
+ Add an option to update interface description with neighbor name.
* Fixes:
+ Compilation fix for OSX 10.6.
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2013-54
The Bluetooth HCI ACL dissector could crash. Discovered by
Laurent Butti. (Bug 8827)
Versions affected: 1.10.0 to 1.10.1
* wnpa-sec-2013-55
The NBAP dissector could crash. Discovered by Laurent
Butti. (Bug 9005)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-56
The ASSA R3 dissector could go into an infinite loop.
Discovered by Ben Schmidt. (Bug 9020)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-57
The RTPS dissector could overflow a buffer. Discovered by
Ben Schmidt. (Bug 9019)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-58
The MQ dissector could crash. (Bug 9079)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-59
The LDAP dissector could crash. Versions affected: 1.10.0
to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-60
The Netmon file parser could crash. Discovered by G.
Geshev. (Bug 8742)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
- The following bugs have been fixed:
* Lua ByteArray:append() causes wireshark crash. (Bug
4461)
* Lua script can not get "data-text-lines" protocol data.
(Bug 5200)
* Lua: Trying to use Field.new("tcp.segments") to get
reassembled TCP data is failed. (Bug 5201)
* "Edit Interface Settings": "Capture Filter" combo box is
not populated across Wireshark sessions. (Bug 7278)
* PER normally small non-negative whole number decoding is
wrong when >= 64. (Bug 8841)
* Strange behavior of tree expand/collapse in packet details.
(Bug 8908)
* Incorrect parsing of IPFIX *IpTotalLength elements.
(Bug 8918)
* IO graph/advanced, max/min/summ error on frames with
multiple Diameter messages. (Bug 8980)
* pod2man error on reordercap.pod. (Bug 8982)
* SGI Nsym disambiguation is unconditionally displayed when
dissecting VHT. (Bug 8989)
* The Wireshark icon doesn't show up in OS X 10.5. (Bug
8993)
* Build fails if system Python is version 3+. (Bug 8995)
* SCSI dissector does not parse PERSISTENT RESERVE commands
correctly. (Bug 9012)
* SDP messages throws an assert. (Bug 9022)
* Wireshark fails to decode single-line, multiple Contact:
URIs in SIP responses. (Bug 9031)
* PN_MRP LinkUp Message is shown as LinkDown in info.
(Bug 9035)
* Dissector for EtherCAT: ADS highlighting in the Packet
Bytes Pane is incorrect. (Bug 9036)
* 802.11 HT Extended Capabilities B10 decode incorrect.
(Bug 9038)
* Wrong dissection of MSTI Root Identifiers for all MSTIs.
(Bug 9088)
* Weird malformed HTTP error. (Bug 9101)
* Warning for attempting to install 64-bit Wireshark on a
32-bit machine has an embedded "\n". (Bug 9103)
* Wireshark crashes when using "Export Specified Packets" >
"Displayed". (Bug 9106)
- Updated Protocol Support
ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2,
HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS,
PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
- New and Updated Capture File Support
Microsoft Network Monitor, pcap-ng.