<mike at ethmoid dot org>.
Package changes:
- the vicf script is not usable as is: patch it to make it obvious and
install it as an example.
- switch to requiring the auto* tools at build time.
- While I'm here claim stewardship (before completely removing it
from pkgsrc ?).
Changes in version 1.6.5:
- bug fixes including a security issue with link races.
- auto* tools update and commands installation directory change
(overridden by this package patch files to keep it the same as
previous versions and even cfengine 2.*)
XXX Threads support completely removed. From my humble experience it is
quite broken in cfengine 1.*. It is only used in cfd and when DCE support
is enabled: the latter is not activated in this package and if the former
really needs a performance/ability boost you should really consider
cfengine 2.*.
All in all you should not update but switch to cfengine2 package instead. ;)
* Expansion of $(dollar) broken in 1.6.0 - fixed
* Locking problem in cfd fixed. Problem causing access
denied while re-reading config files. MAXTRIES increased
for high volume services, was causing premature apoptosis.
dest= could not refer to a filename with spaces, fixed.
* Made recipient variables in client.c long instead of
size_t in rstat, for 64 bits. With %ld in scanf.
* Cfengine 1.6.0-1.6.3 introduces filters into processes
and files.
* 1.6.3 change from Berkeley DB2 to DB3 - not backward compatible!!!
Update Berkeley db with
    cd build_unix
    ../dist/configure
    make; make install
    ln -s /usr/local/BerkeleyDB.3.2 /usr/local/BerkeleyDB
2000-06-13 David Masterson <David.Masterson@kla-tencor.com>
* 1.6.0.a2: re-released to Mark after stupid mistakes.
* src/Makefile.am (noinst_HEADERS): add cfparse.h
* Makefile.am (EXTRA_DIST): add acconfig.h
2000-06-12 David Masterson <David.Masterson@kla-tencor.com>
* 1.6.0.a2: released to Mark
* General: Attempted to convert to reincorporate all my Automake
stuff into the release.
2000-06-12 Mark Burgess <Mark.Burgess@hio.no>
* 1.6.0-alpha1: released
* General: Rewrite of DCE code by Transarc/IBM. Add elsedefine=
tag as complement to define=. CompressCommand action=compress in
files, tidy, compress=true for compressing files on the fly. Bug
in copy with size= fixed. Was ignored if file didn't exist.
Modules: in addition to setting classes, can return lines
=ENVVAR=value which sets cfengine environment variables. This
allows modules to set variables which can be inherited directly by
scripts.
2000-05-11 David Masterson <David.Masterson@kla-tencor.com>
* contrib/Makefile.am (pkgdata_SCRIPTS): change cfemacs.el to
cfengine.el in keeping with internal documentation. Also renamed
the file as well.
2000-05-08 David Masterson <David.Masterson@kla-tencor.com>
* Release: V1.6 released to Mark for verification.
* Everything: Many things have been changed and reorganized for
the shift to automake generated Makefiles. See the end of the
NEWS file for more information.
2000-04-24 David Masterson <David.Masterson@kla-tencor.com>
* ChangeLog: Created and initialized with old VERSION.DIFF
***************** Minor Version 5 ********************
KNOWN BUGS: linux, when making directories, ownership and perms can be wrong.
1.5.4
Added security message in checksum=md5 for cfengine if new files appear
Bug in class evaluation with multiple embedded groups fixed
Bug in file transfer could hang a server in special circumstances.
Bug in secure recursive copy (access denied incorrectly).
Type change, size is off_t in cfstat struct
Multiple define bug in copy: could cause endless loop
Thread counting error fixed in cfd
Required/disk suspicious warnings now cause classes to be defined
Resolver could delete substring lines
Extra measures against Denial of Service attacks on cfd, only one
instance of a host-IP may be connected at one time.
1) Multiple connections from the same host are refused by default
(before any recv())
2) A DenyConnectionsFrom list will prevent named IP addresses from connecting
(before any recv) or a general AllowConnectionsFrom mask...
3) If the thread table is full for more than five requests, cfd commits
suicide (apoptosis) to avoid resource usage by spamming.
The control variable "DenyConnectionsFrom = ( ip1 ip2 ... )" allows a list
of numerical IP masks to be specified, which cfd will deny connections from.
This can be used to prevent hanging connection attacks from malicious hosts
and other Denial of Service attacks.
e.g. cfd.conf
    control:
        AllowConnectionsFrom = ( 128.39.89 )
        DenyConnectionsFrom = ( 128.39.89.4 )
This is in addition to tcp wrapper stuff, but the TCP wrapper code cannot
protect against denial of service attacks.
typecheck=false in copy switches off error messages on type mismatch.
separately.
Just for posterity, here is how to replicate the problem:
(All this is going back to the maintainers)
#!/bin/sh
# Generates a 'from' directory, then runs cfengine to copy it into 'to'.
# The order of file creation in the from directory is significant -
# the 'bad' file must be picked up _after_ the 'subdir'.
# Obvious caveats about IRIX XFS notwithstanding.
TESTDIR=/tmp/cfenginetest
rm -rf $TESTDIR
mkdir -p $TESTDIR
cd $TESTDIR
# Generate cfengine.conf
cat > cfengine.conf <<END
control:
    actionsequence = ( copy )
copy:
    $TESTDIR/from
        dest=$TESTDIR/to recurse=inf
END
# Generate 'from' directory
mkdir from
cd from
touch ok
mkdir subdir
touch bad
cd subdir
ln ../ok
ln ../bad
cd ../..
cfengine -v
echo
echo "Both 'ok' and 'bad' should have the same number of links (2) in both"
echo "'from' and 'to' directories. 'bad' will have 1 if bug is present."
echo
ls -l from to
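
The cfd connection checks from the 1.5.4 notes above (deny list, allow mask, one connection per host IP), as an added C example that is not cfengine's own code. The function names, the matching of masks as prefixes on a dotted-quad boundary, and the treatment of an empty allow list as unrestricted are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum verdict { ADMIT, REFUSE_DENIED, REFUSE_NOT_ALLOWED, REFUSE_DUPLICATE };

/* Assumed semantics: a mask such as "128.39.89" matches when it is a prefix
   ending on a dotted-quad boundary, so "128.39.8" does not match 128.39.89.4. */
static int mask_matches(const char *mask, const char *ip)
{
    size_t n = strlen(mask);
    if (n == 0 || strncmp(mask, ip, n) != 0)
        return 0;
    return ip[n] == '\0' || ip[n] == '.' || mask[n - 1] == '.';
}

static int in_list(const char *const *list, size_t len, const char *ip)
{
    for (size_t i = 0; i < len; i++)
        if (mask_matches(list[i], ip))
            return 1;
    return 0;
}

/* Decide from the peer address alone, i.e. before any recv() on the socket.
   active[] holds the addresses of hosts that are connected right now. */
enum verdict admit(const char *ip,
                   const char *const *allow, size_t n_allow,
                   const char *const *deny, size_t n_deny,
                   const char *const *active, size_t n_active)
{
    if (in_list(deny, n_deny, ip))
        return REFUSE_DENIED;          /* deny wins over a wider allow mask */
    if (n_allow > 0 && !in_list(allow, n_allow, ip))
        return REFUSE_NOT_ALLOWED;     /* assumed: empty allow list = no restriction */
    for (size_t i = 0; i < n_active; i++)
        if (strcmp(active[i], ip) == 0)
            return REFUSE_DUPLICATE;   /* one connection per host IP */
    return ADMIT;
}

int main(void)
{
    const char *allow[] = { "128.39.89" }, *deny[] = { "128.39.89.4" };
    const char *active[] = { "128.39.89.10" };   /* constructed sample state */
    const char *peers[] = { "128.39.89.4", "128.39.89.10", "128.39.89.11", "10.0.0.1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-13s -> %d\n", peers[i], admit(peers[i], allow, 1, deny, 1, active, 1));
    return 0;
}
```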