Bug Fixes
The following vulnerabilities have been fixed:
* wnpa-sec-2017-13
WBXML dissector infinite loop (Bug 13477, Bug 13796)
CVE-2017-7702, CVE-2017-11410 Note: This is an
update for a fix in Wireshark 2.2.6 and 2.0.12.
* wnpa-sec-2017-28
openSAFETY dissector memory exhaustion (Bug 13649, Bug 13755)
CVE-2017-9350, CVE-2017-11411 Note: This is an update for a
fix in Wireshark 2.2.7.
* wnpa-sec-2017-34
AMQP dissector crash. (Bug 13780) CVE-2017-11408
* wnpa-sec-2017-35
MQ dissector crash. (Bug 13792) CVE-2017-11407
* wnpa-sec-2017-36
DOCSIS infinite loop. (Bug 13797) CVE-2017-11406
The following bugs have been fixed:
* Y.1711 dissector reverses defect type order. (Bug 8292)
* Packet list keeps scrolling back to selected packet while names are
being resolved. (Bug 12074)
* [REGRESSION] Export Objects do not show files from a SMB2 capture.
(Bug 13214)
* LTE RRC: lte-rrc.q_RxLevMin filter fails on negative values.
(Bug 13481)
* Hexpane showing in proportional font again. (Bug 13638)
* Regression in SCCP fragments handling. (Bug 13651)
* TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs. (Bug 13739)
* Dissector for WSMP (IEEE 1609.3) not current. (Bug 13766)
* RANAP: possible issue in the heuristic code. (Bug 13770)
* [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type
int in packet-btrfcomm.c:314:37. (Bug 13783)
* RANAP: false positives on heuristic algorithm. (Bug 13791)
* Automatic name resolution not saved to PCAP-NG NRB. (Bug 13798)
* DAAP dissector dissect_daap_one_tag recursion stack exhausted.
(Bug 13799)
* Malformed DCERPC PNIO packet decode, exception handler invalid
pointer reference. (Bug 13811)
* It seems SPVID was decoded from wrong field. (Bug 13821)
* README.dissectors: Add notes about predefined string structures not
available to plugin authors. (Bug 13828)
* Statistics->Packet Lengths doesn't display details for 5120 or
greater. (Bug 13844)
* cmake/modules/FindZLIB.cmake doesn't find inflatePrime. (Bug
13850)
* BGP: incorrect decoding COMMUNITIES whose length is larger than
255. (Bug 13872)
Updated Protocol Support
AMQP, BGP, BSSMAP, BT RFCOMM, DAAP, DOCSIS, E.212, FDDI, GSM A GM, GSM
BSSMAP, IEEE 802.11, IP, ISIS LSP, LTE RRC, MQ, OpenSafety, OSPF,
PROFINET IO, RANAP, SCCP, SGSAP, SMB2, TCAP, TCP, UMTS FP, UMTS RLC,
WBXML, WSMP, and Y.1711
Changes in version 0.3.0.10 - 2017-08-02
Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
from the current Tor alpha series. OpenBSD users and TPROXY users
should upgrade; others are probably okay sticking with 0.3.0.9.
o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
- Tor's repository now includes a Travis Continuous Integration (CI)
configuration file (.travis.yml). This is meant to help new
developers and contributors who fork Tor to a GitHub repository be
better able to test their changes, and understand what we expect
to pass. To use this new build feature, you must fork Tor to your
GitHub account, then go into the "Integrations" menu in the
repository settings for your fork and enable Travis, then push
your changes. Closes ticket 22636.
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
- Fix a typo that had prevented TPROXY-based transparent proxying
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
- Avoid an assertion failure bug affecting our implementation of
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
handling of "0xfoo" differs from what we had expected. Fixes bug
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
o Minor features (backport from 0.3.1.5-alpha):
- Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.
o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
bugfix on 0.2.8.1-alpha.
- Fix warnings when building with libscrypt and openssl scrypt
support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
- When building with certain versions of the mingw C header files,
avoid float-conversion warnings when calling the C functions
isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
- Backport a fix for an "unused variable" warning that appeared
in some versions of mingw. Fixes bug 22838; bugfix on
0.2.8.1-alpha.
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
- Avoid Coverity build warnings related to our BUG() macro. By
default, Coverity treats BUG() as the Linux kernel does: an
instant abort(). We need to override that so our BUG() macro
doesn't prevent Coverity from analyzing functions that use it.
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
- When rejecting a router descriptor for running an obsolete version
of Tor without ntor support, warn about the obsolete tor version,
not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
- Avoid a sandbox failure when trying to re-bind to a socket and
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha):
- Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
api-change:batch: Update batch command to latest version
api-change:cloudhsmv2: Update cloudhsmv2 command to latest version
api-change:efs: Update efs command to latest version
api-change:ssm: Update ssm command to latest version
api-change:storagegateway: Update storagegateway command to latest version
api-change:mgh: Update mgh command to latest version
api-change:glue: Update glue command to latest version
1.11.133
api-change:ec2: Update ec2 command to latest version
api-change:cognito-idp: Update cognito-idp command to latest version
api-change:codedeploy: Update codedeploy command to latest version
api-change:cloudhsmv2: Update cloudhsmv2 client to latest version
api-change:ssm: Update ssm client to latest version
api-change:glue: Update glue client to latest version
api-change:mgh: Update mgh client to latest version
api-change:efs: Update efs client to latest version
api-change:storagegateway: Update storagegateway client to latest version
api-change:batch: Update batch client to latest version
1.6.0
api-change:ec2: Update ec2 client to latest version
feature:retries: Add ability to configure the maximum amount of retry attempts a client call can make.
api-change:cognito-idp: Update cognito-idp client to latest version
api-change:codedeploy: Update codedeploy client to latest version
2017-08-14 - libfilezilla 0.10.1 released
Bugfixes and minor changes:
MSW: Improve handling of reparse points in fz::local_filesys
2017-07-10 - libfilezilla 0.10.0 released
New features:
Added fz::percent_encode and fz::percent_encode
Added fz::uri and fz::query_string
Added fz::less_insensitive_ascii for case-insensitive strings in maps
Bugfixes and minor changes:
Moved encoding functions from string.hpp to encode.hpp
Use pkg-config instead of cppunit-config to look for cppunit.
Changes in libsoup from 2.58.1 to 2.58.2:
* CVE-2017-2885: Fixed a chunked decoding buffer overrun that
could be exploited against either clients or servers.
[#785774]
Changes in libsoup from 2.58.0 to 2.58.1:
* Reverts a change to SoupSession to close all open
connections when the :proxy-resolver property is changed
[#777326; this change was made in 2.58.0 but accidentally
left out of the NEWS for that release]; although that
behavior made :proxy-resolver more consistent with
:proxy-uri, it ended up breaking Evolution EWS. [#781590]
* Fixed undefined behavior in tests/header-parsing that could
make the test spuriously fail. [#777258]
* Updates to the configure tests for Apache for use in tests/:
* Dropped support for Apache 2.2
* Changed PHP support from PHP 5 to PHP 7
* mod_unixd can now be either built-in or dynamically
loaded [#776478]
* Updated translations:
Turkish
Changes in libsoup from 2.57.1 to 2.58.0:
* Fix authentication issues when the SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE
flag is used. [#778497, #777936, Carlos Garcia Campos]
* MSVC build improvements (Chun-wei Fan)
* Updated translations:
Basque, Belarusian, Brazilian Portuguese, Chinese (Taiwan), Danish,
French, Galician, Greek, Indonesian, Italian, Korean, Latvian,
Lithuanian, Norwegian bokmål, Russian, Serbian, Slovak, Slovenian,
Spanish, zh_CN
Changes in libsoup from 2.56.0 to 2.57.1:
* Added SoupWebsocketConnection:keepalive-interval, to make a
connection send regular pings. [#773253, Ignacio Casal
Quinteiro]
* Added soup_auth_manager_clear_cached_credentials() and
SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE, to allow greater control
over the use of cached HTTP auth credentials. [#774031,
#774033, Carlos Garcia Campos]
* Fixed the use of SoupSession:proxy-uri values containing
passwords. [#772932, Jonathan Lebon]
* Various minor WebSocket fixes [Ignacio Casal Quinteiro]:
* Avoid sending data after we start closing the
connection [#774957]
* Do not log a critical if the peer sends an invalid
close status code
* Log a debug message when a "pong" is received
* Fixed introspection of
soup_message_headers_get_content_range() [Jasper St. Pierre]
* Replaced Vala [Deprecated] annotations with [Version] to
avoid build warnings [#773177, Evan Nemerson]
* MSVC build improvements (Chun-wei Fan)
* Updated error/message strings to use Unicode punctuation.
[#772217, Piotr Drąg]
* Updated translations:
Czech, Friulian, German, Hebrew, Hungarian,
Norwegian bokmål, Polish, Swedish
Changes in libsoup from 2.55.90 to 2.56.0:
* Added SoupWebsocketConnection:max-incoming-payload-size
property, to override the default maximum incoming payload
size. [#770022, Ignacio Casal Quinteiro]
* Added soup-version.h symbols (in particular
soup_check_version()) to introspection. [#771439, Rico
Tzschichholz]
* Updated the copy of the public suffix list used by SoupTLD
[#769650, Michael Catanzaro]
* Updated translations:
British English, Greek, Polish
Changes in libsoup from 2.54.1 to 2.55.90:
* Removed support for SSLv3 fallback; sites that reject TLS
1.x handshakes will now just fail with an error. (Firefox
and Chrome have both already switched to this behavior.)
[#765940, Dan Winship]
* Fixed the parsing of <double>s in the new GVariant-based
XMLRPC code. [#767707, Dan Winship]
* Fixed soup_server_set_ssl_cert_file(), which was added in
2.48 but didn't actually work... [patch on libsoup-list from
Sean DuBois]
* Added GObject properties to SoupLogger to make it
bindings-friendly. [#768053, Jonh Wendell]
* Fixed build error on FreeBSD [#765376, Ting-Wei Lan]
* Fixed build with certain new versions of glibc that define
"EOF" as a macro. [#768731, Philip Withnall]
* Updated m4/ax_code_coverage.m4 with support for lcov 1.12
[Philip Withnall]
* Updated po files for future gettext versions [Piotr Drąg]
* New/updated translations:
Occitan, Scottish Gaelic
v0.14.36
This is an unscheduled release to fix a bug that slipped through the cracks in 0.14.34 & 0.14.35.
Resolved issues:
#4297: Folders paths are no longer reset when editing a folder without a label
v0.14.35
This is an unscheduled release in panic mode to fix a significant problem in 0.14.34.
Resolved issues in 0.14.35:
#4288: Symlinks are deleted from versioned folders on startup
Resolved issues in 0.14.34:
#2157: The new folder dialog now suggests a default path. Adjustable via advanced config defaultFolderPath.
#4272: The build script no longer sets -installsuffix by default.
#4286: Prevents a vulnerability that allows file overwrite via versioned symlinks
Note that the last issue is a security vulnerability. Symlinks on Windows are not supported and have not been created by Syncthing for a while. Nonetheless, if you use symlinks on Windows and Syncthing versioning you may have symlinks in your versioning directory from earlier versions. You must remove these manually. Syncthing can not remove them automatically because there are other things that look to us like symlinks but are not - deduplicated files, primarily. (This is one of the reasons symlinks are not supported on Windows.)
On other platforms the versioning directory is cleaned from symlinks as part of the upgrade.
v0.14.34-rc.1
This is a release candidate for v0.14.34.
Resolved issues:
#2157: The new folder dialog now suggests a default path. Adjustable via advanced config defaultFolderPath.
#4272: The build script no longer sets -installsuffix by default.
v0.14.33
This is a regularly scheduled stable release.
Resolved issues:
#4188: Relative version paths are now correctly relative to the folder path
#4227: Remote devices now show bytes remaining to sync
#4249: Editing ignore patterns no longer incorrectly shows included patterns
v0.14.33-rc.1
This is a release candidate for v0.14.33.
Resolved issues:
#4188: Relative version paths are now correctly relative to the folder path
#4227: Remote devices now show bytes remaining to sync
#4249: Editing ignore patterns no longer incorrectly shows included patterns
v0.14.32
This is a regularly scheduled stable release.
Resolved issues:
#4157: "Nearby devices" are now shown in the add device dialog, avoiding the need to type their device ID.
#4219: Folders that were once ignored in a sharing request now actually work properly when later added manually.
v0.14.32-rc.2
This is a release candidate for v0.14.32.
v0.14.32-rc.1
This is a release candidate fo14.31:
#4157: "Nearby devices" are now shown in the add device dialog, avoiding the need to type their device ID.
#4219: Folders that were once ignored in a sharing request now actually work properly when later added manually.
This package installs a binary that is setuid-executable to the
"smmsp" user and it also needs to be owned by the "nagios" group.
Add hooks to create these users and groups in the package install
scripts when the binary package is installed.
Bump the PKGREVISION due to changes in the package install scripts.
The rss-newsfeed.html file was removed in the update to version
4.3.2, so we no longer need to change ownership and permissions on
the file after installation.
Arguably, nagios-base should have a postinstall check for the
rss-newsfeed.* files and remove them, as they were removed in
version 4.3.2 due to security concerns.
* Improve compatibility with GNU Hurd
* Fixed 2286 - improve CMake on Windows documentation
* Fixed 1235 - improved compatibility with mingw64
* Improve zmq_proxy documentation to state it can return ETERM as well
* Fixed 1442 - SO_NOSIGPIPE and connection closing by peer race condition
* Improve CMake functionality on Windows: ZeroMQConfig.cmake generation CPack
option, correct static library filename, ship FindSodium.cmake in tarball
* Fixed 2228 - setting HWM after connect on inproc transport leads to infinite
HWM
* Add support for Visual Studio 2017
* New DRAFT (see NEWS for 4.2.0) zmq_has option "draft" option that returns
true if the library was built with DRAFT enabled. Useful for FFI bindings.
See doc/zmq_has.txt for more information
* Fixed 2321 - zmq_z85_decode does not validate its input. The function has
been fixed to correctly follow RFC32 and return NULL if the input is invalid
* Fixed 2323 - clock_t related crash on Apple iOS 9.3.2 and 9.3.5
* Fixed 1801 - OSX: Cmake installs libzmq in a weird PATH
* Fixed potential divide by zero in zmq::lb_t::sendpipe
* Improve compatibility with OpenIndiana by skipping epoll and using poll/select
* Fix IPv4-in-IPv6 mapped addresses parsing error
Changes from release notes.
Features
* zone parser parses type AVC (it has TXT format).
* Fix #1272: use writev to put tcp length field
with data for outgoing zone transfer requests.
Bugfixes
* Fix potential null pointer in nsec3 adjustment tree.
* Fix text format of deletes for CDS and CDNSKEY,
single 0 to represent empty base64 or hex string.
https://github.com/Kozea/Radicale/issues/675#issuecomment-320029350
* override folder for storing local collections, from
/var/lib/radicale/collections to ${PREFIX}/share/radicale/collections
Update Radicale2 to 2.1.4
2.1.4 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Fix incorrect time range matching and calculation for some edge-cases with
rescheduled recurrences
* Fix owner property
2.1.3 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Enable timeout for SSL handshakes and move them out of the main thread
* Create cache entries during upload of items
* Stop built-in server on Windows when Ctrl+C is pressed
* Prevent slow down when multiple requests hit a collection during cache warm-up
2.1.2 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Remove workarounds for bugs in VObject < 0.9.5
* Error checking of collection tags and associated components
* Improve error checking of uploaded collections and components
* Don't delete empty collection properties implicitly
* Improve logging of VObject serialization
Set PKG_SYSCONFSUBDIR where appropriate, and use {MAKE,OWN}_DIRS to
create the directory tree under ${PKG_SYSCONFDIR} instead of using
INSTALLATION_DIRS.
Bump the PKGREVISION of packages that changed due to changes in the
package install scripts.
Ensure that the ${NAGIOS_GROUP} group is created before the package
files are installed since the plugin binary must be made setgid to
that group.
Bump the PKGREVISIONs of these plugin packages due to package
install scripts being added.
-------------------------------------------------------------------
Ensure that the ${NAGIOS_GROUP} group is created before the package
files are installed since the binary must be made setgid to that
group.
Bump the PKGREVISION due to package install scripts being added.
* Ensure that ${PKG_SYSCONFDIR}/objects is created at package
installation time by adding it to OWN_DIRS.
* Don't explicitly add ${DESTDIR} to files listed in SPECIAL_PERMS
since it is automatically added by the pkgsrc infrastructure if
needed.
* It's "${DESTDIR}${PREFIX}", not "${DESTDIR}/${PREFIX}" -- avoid
having double slashes in pathnames for correctness.
Bump the PKGREVISION due to fixes in the package install scripts.
-------------------------------------------------------------------
Set PKG_SYSCONFSUBDIR to "knot" to have all of the config files
located in the "knot" subdirectory of ${PKG_SYSCONFBASE}.
Pass ${PKG_SYSCONFBASE} to the configure script since the package's
build infrastructure automatically appends "/knot" to the value
passed in through --sysconfdir.
Remove ${PKG_SYSCONFDIR} from INSTALLATION_DIRS since it is
automatically created by the package install script.
Bump the PKGREVISION due to changes in the package install scripts.
There is no REQUIRE_DIRS used by pkgsrc. I think that REQD_DIRS
was meant to be used; however, REQD_DIRS is also the wrong way to
create the config directory.
Set PKG_SYSCONFSUBDIR to "streaming" to automatically create
${PKG_SYSCONFBASE}/streaming during package installation, and
consistently use ${PKG_SYSCONFDIR} within the package Makefile to
refer to the config directory path.
Bump the PKGREVISION due to the changes in the resulting package
scripts.
- Collapse redundant code for invoking service-specific rc.d scripts.
- Don't try to run a service's rc.d script if it isn't enabled in rc.conf.
- Prefix "nb" to procnames.
Bump version.
o Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
with installation and compatibility with the Windows 10 Creators Update.
o NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students.
o Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ ftp-syst sends SYST and STAT commands to FTP servers to get system version
and connection information.
+ http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
Joomla! 3.7.x before 3.7.1.
+ iec-identify probes for the IEC 60870-5-104 SCADA protocol.
+ openwebnet-discovery retrieves device identifying information and
number of connected devices running on openwebnet protocol.
+ puppet-naivesigning checks for a misconfiguration in the Puppet CA where
naive signing is enabled, allowing for any CSR to be automatically signed.
+ smb-protocols discovers if a server supports dialects NT LM 0.12
(SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script.
+ smb2-capabilities lists the supported capabilities of SMB2/SMB3
servers.
+ smb2-time determines the current date and boot date of SMB2
servers.
+ smb2-security-mode determines the message signing configuration of
SMB2/SMB3 servers.
+ smb2-vuln-uptime attempts to discover missing critical patches in
Microsoft Windows systems based on the SMB2 server uptime.
+ ssh-auth-methods lists the authentication methods offered by an SSH server.
+ ssh-brute performs brute-forcing of SSH password credentials.
+ ssh-publickey-acceptance checks public or private keys to see if they could
be used to log in to a target. A list of known-compromised key pairs is
included and checked by default.
+ ssh-run uses user-provided credentials to run commands on targets via SSH.
o Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
o Added Datagram TLS (DTLS) support to Ncat in connect (client)
mode with --udp --ssl. Also added Application Layer Protocol Negotiation
(ALPN) support with the --ssl-alpn option.
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed.
o Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16.
o Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed.
o FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary.
o Function url.escape no longer encodes so-called "unreserved"
characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
o Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230.
o The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g. "1.0".
o Fix handling of the objectSID Active Directory attribute
by ldap.lua.
o Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script.
o http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User
Agents.
Pkgsrc changes:
* The hosting of radsecproxy has changed to nordu.net.
Upstream changes:
2017-08-02 1.6.9
Misc:
- Use a listen(2) backlog of 128 (RADSECPROXY-72).
Bug fixes:
- Don't follow the NULL pointer at debug level 5 (RADSECPROXY-68).
- Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
- Tie Access-Request log lines to response log lines (RADSECPROXY-60).
- Fix a couple of memory leaks and NULL ptr derefs in error cases.
- Take lock on realm refcount before updating it (RADSECPROXY-77).
2016-09-21 1.6.8
Bug fixes:
- Stop waiting on writable when reading a TCP socket.
- Stomp less on the memory of other threads (RADSECPROXY-64).
2016-03-14 1.6.7
Enhancements (security):
- Negotiate TLS1.1, TLS1.2 and DTLS1.2 when possible, client and
server side. Fixes RADSECPROXY-62.
Enhancements:
- Build HTML documentation properly.
api-change:config: Update config command to latest version
api-change:codedeploy: Update codedeploy command to latest version
api-change:pinpoint: Update pinpoint command to latest version
api-change:ses: Update ses command to latest version
1.11.128
api-change:ssm: Update ssm command to latest version
api-change:inspector: Update inspector command to latest version
api-change:ses: Update ses client to latest version
api-change:pinpoint: Update pinpoint client to latest version
api-change:codedeploy: Update codedeploy client to latest version
api-change:config: Update config client to latest version
1.5.91
api-change:ssm: Update ssm client to latest version
api-change:inspector: Update inspector client to latest version
Bug fixes
- Use the incoming ECS for cache lookup if use-incoming-edns-subnet is
set
- when making a netmask from a comboaddress, we neglected to zero the
port. This could lead to a proliferation of netmasks.
- Don't take the initial ECS source for a scope one if EDNS is off
- also set d_requestor without Lua: the ECS logic needs it
- Fix IXFR skipping the additions part of the last sequence
- Treat requestor's payload size lower than 512 as equal to 512
- make URI integers 16 bits, fixes ticket #5443
- unbreak quoting
Improvements
- EDNS Client Subnet becomes compatible with the packet cache, using
the existing variable answer facility.
- Remove just enough entries from the cache, not one more than asked
- Move expired cache entries to the front so they are expunged
- changed IPv6 addr of b.root-servers.net
- e.root-servers.net has IPv6 now
- hello decaf signers (ED25519 and ED448)
- don't use the libdecaf ed25519 signer when libsodium is enabled
(Kees Monshouwer)
- do not hash the message in the ed25519 signer (Kees Monshouwer)
- Disable use-incoming-edns-subnet by default
Here are the release notes, excluding security fixes (already fixed by
bind-9.9.10pl3, BIND 9.9.10-P3).
Release Notes for BIND Version 9.9.11
Introduction
This document summarizes significant changes since the last production
release of BIND on the corresponding major release branch. Please see
the CHANGES file for a further list of bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.9.11, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
BIND 9.9 (Extended Support Version) will be supported until at least
June, 2018. https://www.isc.org/downloads/software-support-policy/
Here are the release notes, excluding security fixes (already fixed by
bind-9.10.5pl3, BIND 9.10.5-P3).
Release Notes for BIND Version 9.10.6
Introduction
This document summarizes changes since the last production release on
the BIND 9.10 branch. Please see the CHANGES file for a further list of
bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.10.6, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* dig +ednsopt now accepts the names for EDNS options in addition to
numeric values. For example, an EDNS Client-Subnet option could be
sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
Core
[YoutubeDL] Improve default format specification (#13704)
[YoutubeDL] Do not override id, extractor and extractor_key for
url_transparent entities
[extractor/common] Fix playlist_from_matches
Extractors
[itv] Fix production id extraction (#13671, #13703)
[vidio] Make duration non fatal and fix typo
[mtv] Skip missing video parts (#13690)
[sportbox:embed] Fix extraction
[npo] Add support for npo3.nl URLs (#13695)
[dramafever] Remove video id from title (#13699)
[egghead:lesson] Add support for lessons (#6635)
[funnyordie] Extract more metadata (#13677)
[youku:show] Fix playlist extraction (#13248)
[dispeak] Recognize sevt subdomain (#13276)
[adn] Improve error reporting (#13663)
[crunchyroll] Relax series and season regex (#13659)
[spiegel:article] Add support for nexx iframe embeds (#13029)
[nexx:embed] Add support for iframe embeds
[nexx] Improve JS embed extraction
[pearvideo] Add support for pearvideo.com (#13031)
This perl module will search the MusicBrainz database through their
web service and return objects with the found data.
This package contains the old 0.x branch of the package, using v1
of the MusicBrainz API.
Bug #5196 - Some keys on Korean and Japanese keyboards have the same keycode
Bug #5578 - Pressing Hangul key results in alt+'a'
Bug #5785 - Can't switch screens when cursor is in a corner
Bug #3197 - Linux: switchDoubleTap option is not working
Bug #4477 - Linux: Mouse buttons higher than id 10 result in crash
Bug #5832 - Linux: Screen size misdetected on multi-monitor display
Enhancement #4504 - Improved Korean language description
Enhancement #5525 - Added support for precise screen positioning in config file
api-change:ec2: Update ec2 command to latest version
api-change:appstream: Update appstream command to latest version
1.11.123
api-change:emr: Update emr command to latest version
1.11.122
api-change:budgets: Update budgets command to latest version
api-change:appstream: Update appstream client to latest version
api-change:ec2: Update ec2 client to latest version
1.5.86
api-change:emr: Update emr client to latest version
1.5.85
api-change:budgets: Update budgets client to latest version
- Configuration: CELERY_SEND_EVENTS instead of CELERYD_SEND_EVENTS for 3.1.x compatibility
- App: Restore behavior so Broadcast queues work.
- Sphinx: Make appstr use standard format
- App: Make id, name always accessible from logging.Formatter via extra
- Worker: Add worker_shutting_down signal
- PyPy: Support PyPy version 5.8.0
- Results: Elasticsearch: Fix serializing keys
- Canvas: Deserialize all tasks in a chain
- Systemd: Recover loglevel for ExecStart in systemd config
- Sphinx: Use the Sphinx add_directive_to_domain API.
- App: Pass properties to before_task_publish signal
- Results: Add SSL option for Redis backends
- Beat: celery.schedule.crontab: fix reduce
- State: Fix celery issues when using flower REST API
- Results: Elasticsearch: Fix serializing document id.
- Beat: Make shallow copy of schedules dictionary
- Beat: Populate heap when periodic tasks are changed
- Task: Allow class methods to define tasks
- Platforms: Always return boolean value when checking if signal is supported.
- Canvas: Avoid duplicating chains in chords
- Canvas: Lookup task only if list has items
- Results: Allow unicode message for exception raised in task
- Python3: Support for Python 3.6
- App: Fix retried tasks with expirations
- * Fixes items format route in docs
- Utils: Fix maybe_make_aware
- Task: Fix task ETA issues when timezone is defined in configuration
- Concurrency: Consumer does not shutdown properly when embedded in gevent application
- Canvas: Fix 3725: Task replaced with group does not complete
- Task: Correct order in chains with replaced tasks
- Result: Enable synchronous execution of sub-tasks
- Task: Fix request context for blocking task apply (added hostname)
- Utils: Fix task argument handling
- Beat: Provide a transparent method to update the Scheduler heap
- Beat: Specify default value for pidfile option of celery beat.
- Results: Elasticsearch: Stop generating a new field every time when a new result is being put
- Results: Elasticsearch now reuses fields when new results are added.
- Results: Fixed MongoDB integration when using binary encodings
- Worker: Making missing ``*args`` and ``kwargs`` in Task protocol 1
return empty value in protocol 2.
- App: Fixed :exc:`TypeError` in AMQP when using deprecated signal
- Beat: Added a transparent method to update the scheduler heap.
- Task: Fixed handling of tasks with keyword arguments on Python 3
- Task: Fixed request context for blocking task apply by adding missing
hostname attribute.
- Task: Added option to run subtasks synchronously with
``disable_sync_subtasks`` argument.
- App: Fixed chaining of replaced tasks.
- Canvas: Fixed bug where replaced tasks with groups were not completing
- Worker: Fixed problem where consumer does not shutdown properly when
embedded in a gevent application.
- Results: Added support for using AWS DynamoDB as a result backend.
- Testing: Added caching on pip installs.
- Worker: Prevent consuming queue before ready on startup.
- App: Fixed task ETA issues when timezone is defined in configuration
- Utils: ``maybe_make_aware`` should not modify datetime when it is
already timezone-aware.
- App: Fixed retrying tasks with expirations.
- Results: Allow unicode message for exceptions raised in task
- Canvas: Fixed :exc:`IndexError` raised when chord has an empty header.
- Canvas: Avoid duplicating chains in chords.
- Utils: Allow class methods to define tasks.
- Beat: Populate heap when periodic tasks are changed.
- Results: Added support for Elasticsearch backend options settings.
- Events: Ensure ``Task.as_dict()`` works when not all information about
task is available.
- Schedules: Fixed pickled crontab schedules to restore properly.
- Results: Added SSL option for redis backends
1.7.7. It fixes some major issues, a memory leak in the compression code, a
segfault when you dump a map on the CLI while trying to remove an entry and a
bug introduced by a fix in 1.7.5 that causes haproxy to ignore "timeout
http-keep-alive".
go14 has no relro support AFAICT.
go-1.8.3 has if you use -buildmode=pie, but it claims it's not supported
on Linux.
Disable relro checking for go packages until bsiegert has time to
look at this.
- SQS: Added support for long-polling on all supported queries. Fixed bug
causing error on parsing responses with no retrieved messages from SQS.
- Async hub: Fixed potential infinite loop while performing todo tasks
- Qpid: Fixed bug where messages could have duplicate ``delivery_tag``
- MongoDB: Fixed problem with using ``readPreference`` option at pymongo 3.x.
- Re-added support for :pypi:`SQLAlchemy`
- SQS: Fixed bug where hostname would default to ``localhost`` if not specified
in settings.
- Redis: Added support for reading password from transport URL
- RabbitMQ: Ensured safer encoding of queue arguments.
- Added fallback to :func:`uuid.uuid5` in :func:`generate_oid` if
:func:`uuid.uuid3` fails.
- Fixed race condition and inaccurate timeouts for
:class:`kombu.simple.SimpleBase`
- Zookeeper: Fixed last chroot character trimming
- RabbitMQ: Fixed bug causing an exception when attempting to close an
already-closed connection
- Removed deprecated use of StopIteration in generators and invalid regex
escape sequence.
- Added Python 3.6 to CI testing.
- SQS: Allowed endpoint URL to be specified in the boto3 connection.
- SQS: Added support for Python 3.4.
- SQS: ``kombu[sqs]`` now depends on :pypi:`boto3` (no longer using
:pypi:`boto`).
- Adds support for Python 3.4+
- Adds support for FIFO queues
- Avoids issues around a broken endpoints file
- Zookeeper: Added support for delaying task with Python 3.
- SQS: Fixed bug where :meth:`kombu.transport.SQS.drain_events` did not support
callback argument
- Fixed bug around modifying dictionary size while iterating over it
- etcd: Added handling for :exc:`EtcdException` exception rather than
:exc:`EtcdError`.
- Included PID in sslserver + sslhandle abend logs in case of SSL failure.
- Removed references to 'gcc' and used 'cc' instead.
- New build with better error log for ssl abends.
Port to Jbuilder (#65 @vbmithr @avsm). There should be no observable changes,
except that Ipaddr_unix is now in a separate subdirectory. This means that
packages that implicitly depended on the module without including the
ocamlfind ipaddr.unix package may now fail. Just adding the ocamlfind
dependency will fix it, and is backwards compatible with older Ipaddr
releases.
Minimum version of OCaml required is now 4.03.0 (formerly was 4.02.2), due to
the use of recent ppx_sexp_conv with Jbuilder also having that as the minimum
supported compiler version.
Fix README rendering.
2.1.1
Restored use of ``portend.client_host`` during
``assert_free`` check on Windows, fixing check
when the bind address is *ADDR_ANY.
2.1
Use tempora.timing.Timer from tempora 1.8, replacing
boilerplate code in occupied and free functions.
2.0
Removed ``portend._getaddrinfo`` and its usage in
``Checker.assert_free``.
Dropped support for Python 2.6.
api-change:cognito-idp: Update cognito-idp command to latest version
api-change:lambda: Update lambda command to latest version
1.11.120
api-change:ec2: Update ec2 command to latest version
api-change:discovery: Update discovery command to latest version
api-change:marketplacecommerceanalytics: Update marketplacecommerceanalytics command to latest version
bugfix:Cloudformation: Fix a bug causing json templates containing tabs to fail to parse.
api-change:lambda: Update lambda client to latest version
bugfix:Paginator: Fixed a bug causing running build_full_results multiple times to incorrectly generate the NextToken value.
api-change:cognito-idp: Update cognito-idp client to latest version
1.5.83
api-change:discovery: Update discovery client to latest version
api-change:ec2: Update ec2 client to latest version
api-change:marketplacecommerceanalytics: Update marketplacecommerceanalytics client to latest version
versions.
youtube-dl versions are (strftime(3)-ese, except for optional part):
`%Y.%m.%d[.<i>]'. Preserve the `.<i>' optional part (without accidentally
deleting the dot!) for PKGNAME.
Common
- [AWS] Update prices and fix some region names
- Fix bug in utils.decorators wrap exception method, used by vsphere driver
- Use PyTest as the unit testing runner
- Use of LXML is now disabled by default, use libcloud.utils.py3.DEFAULT_LXML = True to reenable. LXML has compatibility
issues with a number of drivers and etree is a standard package
- Switch RawResponse class to use content body instead of text body, up to 10x performance improvement for methods like StorageDriver.download_object
- Document the 'target' configuration directive.
- Merging OS-specific networking code to reduce LOCs and the
sea of #ifdefs.
- Added 50ms timeout to pcap_open_live() to reduce CPU usage
on network-heavy hosts. Pcap recommends we not use zero.
0.6:
- Cleanup: Don't null-check before free
- Cleanup: Consolidate flag-check logic
- Accept single-knock sequences
- Introduce a 'target' configuration directive, enabling
knockd to react to connect attempts to a target host.
Useful in cases where knockd is on a router and you want
to send a target a wakeup packet.
Core
[YoutubeDL] Don't expand environment variables in meta fields
Extractors
[spiegeltv] Delegate extraction to nexx extractor
[nexx] Add support for nexx.cloud
[generic] Fix rutube embeds extraction
[karrierevideos] Fix title extraction
[youtube] Don't capture YouTube Red ad for creator meta field
[slideshare] Fix extraction
[5tv] Add another video URL pattern
[drtv] Make HLS and HDS extraction non fatal
[ted] Fix subtitles extraction
[vine] Make sure the title won't be empty
[twitter] Support HLS streams in vmap URLs
[periscope] Support pscp.tv URLs in embedded frames
[twitter] Extract mp4 urls via mobile API
[niconico] Fix authentication error handling
[giantbomb] Extract m3u8 formats
[vlive:playlist] Add support for playlists
gevent.httplib support was removed in gevent 1.0, geventhttpclient now provides
that missing functionality.
geventhttpclient uses a fast http parser, written in C, originating from nginx,
extracted and modified by Joyent.
geventhttpclient has been specifically designed for high concurrency, streaming
and support HTTP 1.1 persistent connections. More generally it is designed for
efficiently pulling from REST APIs and streaming APIs like Twitter's.
Safe SSL support is provided by default. geventhttpclient depends on the
certifi CA Bundle. This is the same CA Bundle which ships with the Requests
codebase, and is derived from Mozilla Firefox's canonical set.
- Testing on Python 3.5 now uses Python 3.5.3 due to SSL changes. See
:issue:`943`.
- Linux CI has been updated from Ubuntu 12.04 to Ubuntu 14.04 since
the former has reached EOL.
- Linux CI now tests on PyPy2 5.7.1, updated from PyPy2 5.6.0.
- Linux CI now tests on PyPy3 3.5-5.7.1-beta, updated from PyPy3
3.3-5.5-alpha.
- Python 2 sockets are compatible with the ``SOCK_CLOEXEC`` flag found
on Linux. They no longer pass the socket type or protocol to
``getaddrinfo`` when ``connect`` is called. Reported in :issue:`944`
by Bernie Hackett.
- Replace ``optparse`` module with ``argparse``. See :issue:`947`.
- Update to version 1.3.1 of ``tblib`` to fix :issue:`954`,
reported by ml31415.
- Fix the name of the ``type`` parameter to
:func:`gevent.socket.getaddrinfo` to be correct on Python 3. This
would cause callers using keyword arguments to raise a :exc:`TypeError`.
Reported in :issue:`960` by js6626069. Likewise, correct the
argument names for ``fromfd`` and ``socketpair`` on Python 2,
although they cannot be called with keyword arguments under CPython.
.. note:: The ``gethost*`` functions take different argument names
under CPython and PyPy. gevent follows the CPython
convention, although these functions cannot be called with
keyword arguments on CPython.
- The previously-singleton exception objects ``FileObjectClosed`` and
``cancel_wait_ex`` were converted to classes. On Python 3, an
exception object is stateful, including references to its context
and possibly traceback, which could lead to objects remaining alive
longer than intended.
- Make sure that ``python -m gevent.monkey <script>`` runs code in the
global scope, not the scope of the ``main`` function.
api-change:apigateway: Update apigateway command to latest version
api-change:ec2: Update ec2 command to latest version
api-change:lex-models: Update lex-models command to latest version
api-change:ec2: Update ec2 client to latest version
api-change:apigateway: Update apigateway client to latest version
api-change:lex-models: Update lex-models client to latest version
- Fix random delays in task execution.
- Calling ``conn.collect()`` multiple times will no longer raise an ``AttributeError`` when no channels exist.
- Fix compatibility code for Python 2.7.6.
- When running in Windows, py-amqp will no longer use the unsupported TCP option TCP_MAXSEG.
- Added support for setting the SNI hostname header.
- Authentication mechanisms were refactored to be more modular. GSSAPI authentication is now supported.
- Do not reconnect on collect.
bugfix:Aliases: Properly quote alias parameters that have spaces in them.
api-change:swf: Update swf command to latest version
api-change:autoscaling: Update autoscaling command to latest version
enhancement:Cloudformation: Reduce polling delay for cloudformation deploy.
enhancement:SSM: Added a paginator for describe_parameters.
enhancement:Organizations: Added paginators for Organizations.
enhancement:IoT: Add paginators for IoT.
api-change:swf: Update swf client to latest version
api-change:autoscaling: Update autoscaling client to latest version
enhancement:Athena: Added paginators for Athena.
* mirror: improved performance of --scan-all-first for big trees.
* mirror: new --flat option to flatten the target directory structure.
* mmv: new command for file moving; redirect mv to mmv in certain cases.
* fixed compilation with newer openssl (1.1.0 and later).
* du: allow multiple --exclude options to be combined.
* new setting cmd:nullglob for `glob' command prefix.
* http: use proppatch to set last-modified property.
* new settings net:connection-limit-timer and ftp:too-many-re.
* ftp: dynamically adjust connection limit.
* ftp: fixed core dump on LINK/SYMLINK when the command is not supported.
* get1: fixed -o option.
* sftp,fish: connect-program setting is now passed to the shell for execution.
* get/mget/put/mput: add -P option for parallel transfers and long options.
* appimage: new make target for making an AppImage file.
* fixed "local glob".
aria2 1.32.0
============
Release Note
------------
This release fixes several minor bugs, and spelling mistakes.
Changes
-------
* Clarify --max-concurrent-downloads option
GH-833
* Fix compile error with toolchain which lacks IPV6_TCLASS
GH-895
* Log directed URI in notice log level
GH-884
* Fix typo
Patch from Tse Kit Yam
GH-879, GH-899
* Spelling fixes
Patch from klemens
GH-870
* Remove unused Android parts
These parts were unused after merging
https://github.com/aria2/aria2/pull/736
Patch from Fredrik Fornwall
GH-868
* Save control file early
GH-859
* Update links in Dockerfile.raspberrypi
Some links used in Dockerfile.raspberrypi are not accessible
anymore, because they were pointing to old versions of some source
packages and new versions were released. This commit fixes this by
changing the links to point to the newest versions.
Patch from Michał Leśniewski
GH-860
* Propagate disk full error on pre-allocation to last error code
GH-856
Features:
* Implemented trust anchor signaling using key tag query.
* unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt.
* unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames.
* Implemented opportunistic IPsec support module (ipsecmod).
* Added redirect-bogus.patch to contrib directory.
* Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
* renumbering B-Root's IPv6 address to 2001:500:200::b.
* Fix 1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
* Fix 1277: disable domain ratelimit by setting value to 0.
* Added fastrpz patch to contrib
Bug Fixes:
* Added ECS unit test (from Manu Bretelle).
* ECS documentation fix (from Manu Bretelle).
* Fix 1252: more indentation inconsistencies.
* Fix 1253: unused variable in edns-subnet/addrtree.c:getbit().
* Fix 1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
* iana portlist update
* Based on 1257: check parse limit before t increment in sldns RR string parse routine.
* Fix 1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86).
* Fix 1259: "--disable-ecdsa" argument overwritten by "ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
* iana portlist update
* Added test for leak of stub information.
* Fix sldns wire2str printout of RR type CAA tags.
* Fix sldns int16_data parse.
* Fix sldns parse and printout of TSIG RRs.
* sldns SMIMEA and AVC definitions, same as getdns definitions.
* Fix tcp-mss failure printout text.
* Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations).
* Add 'c' to getopt() in testbound.
* Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there.
* Fix queries for nameservers under a stub leaking to the internet.
* document trust-anchor-signaling in example config file.
* updated configure, dependencies and flex output.
* better module memory lookup, fix of unbound-control shm names for module memory printout of statistics.
* Fix type AVC sldns rrdef.
* Some whitespace fixup.
* Fix 1265: contrib/unbound.service contains hardcoded path.
* Fix 1265 to use /bin/kill.
* Fix 1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL.
* Fix 1268: SIGSEGV after log_reopen.
* exec_prefix is by default equal to prefix.
* printout localzone for duplicate local-zone warnings.
* Fix assertion for low buffer size and big edns payload when worker overrides udpsize.
* Support for openssl EVP_DigestVerify.
* Fix 1269: inconsistent use of built-in local zones with views.
* Add defaults for new local-zone trees added to views using unbound-control.
* Fix 1273: cachedb.c doesn't compile with -Wextra.
* If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
* Also use global local-zones when there is a matching view that does not have any local-zone specified.
* Fix fastopen EPIPE fallthrough to perform connect.
* Fix 1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle).
* Fix 1275: cached data in cachedb is never used.
* Fix that unbound-control can set val_clean_additional and val_permissive_mode.
* Add dnscrypt XChaCha20 tests.
* Detect chacha for dnscrypt at configure time.
* dnscrypt unit tests with chacha.
* Added domain name based ECS whitelist.
* Fix 1278: Incomplete wildcard proof.
* Fix 1279: Memory leak on reload when python module is enabled.
* Fix 1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.
* More fixes in depth for buffer checks in 0x20 qname checks.
* Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
* Fix query for refetch_glue of stub leaking to internet.
* Fix 1301: memory leak in respip and tests.
* Free callback in edns-subnetmod on exit and restart.
* Fix memory leak in sldns_buffer_new_frm_data.
* Fix memory leak in dnscrypt config read.
* Fix dnscrypt chacha cert support ifdefs.
* Fix dnscrypt chacha cert unit test escapes in grep.
* Fix to unlock view in view test.
* Fix warning in pythonmod under clang compiler.
* Fix lintian typo.
* Fix 1316: heap read buffer overflow in parse_edns_options.
If a recursive download operation is also requested with delete mode, attempt to remove empty directories after all files have completed successfully.
No longer trying to utime() after every single block on downloads, which could cause noticeable performance degradation when the local filesystem was not local.
Changed behavior of resuming downloads where the timestamp wasn't preserved (because of the utime change, above). The new behavior is to resume the download when the local copy has a recent timestamp (less than a week).
You can now disable use of MFMT like you could similarly disable SITE UTIME (e.g., "-o noMFMT" and "-o noSITE_UTIME").
Now able to use sendfile() for uploads, on Linux/FreeBSD/Mac. Progress reports work too, with a small performance penalty. Ncftpput has a "-s" option to toggle whether it is used (defaults to on in ncftpput and ncftpbatch, off in ncftp).
Ncftpbatch/spooler now use larger buffers for pathnames, allowing for deeper directory trees.
Ncftpbatch/spooler now interpret a received SIGUSR1 as a hint to exit when the current file has finished.
Ncftpbatch/spooler now interpret a received SIGUSR2 to request it to stop sleeping and recheck the queue immediately.
Ncftpbatch/spooler's spool files now allow for you to specify that the local and/or remote file be renamed after a successful transfer.
Ncftpbatch/spooler now a little less chatty by reducing the number of PWD/CWD operations.
Ncftpbatch/spooler now log some xfer stats in its general log file, and ncftpspooler has a new "-x" option to specify a separate xfer log file.
Ncftpbatch/spooler now use a larger default maximum for its log file (10 MiB rather than 200 kB), and ncftpspooler has an -O command line option that can set this limit. Use "-O 0" for no maximum.
Ncftpbatch/spooler now try to present time in local timezone rather than UTC where possible.
Ncftpbatch/spooler now support multiple items per transaction (spool) file.
mirror: fixed coredump when source directory does not exist.
mirror: don't create target directory if can't enter to the source directory.
ftp: fixed a rare hang when a NOOP was sent between "transfer ok" reply and EOF on data socket.
fixed xfer:log setting (compatibility alias).
ftp: don't use EPSV with a proxy.
--- 9.9.10-P3 released ---
4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain
TSIG records. These may be used in AXFR and IXFR
responses. [RT #45509]
--- 9.10.5-P3 released ---
4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain
TSIG records. These may be used in AXFR and IXFR
responses. [RT #45509]
pkgsrc changes:
- update dependencies per upstream Gemfile
Upstream changes:
- update twitter-text
- support the latest memoist
- fix crash with ruby-gnome2 3.1.1 or prior on opening profile tab
- wrong titles in Twitter Search Model and Web model
Version 1.1.13
- Add XEP-0357 to supported extensions list
Version 1.1.12
- Support XEP-0357: Push Notifications
Version 1.1.11
- Use fast_xml-1.1.23
- Use stringprep-1.0.9
Version 1.1.10
- Add jid support in muc_unsubscribe and muc_subscribe
- Add ?stanza_type, ?stanza_from and ?stanza_to macros
- Remove unused p1_stream extension
- Clarify the library's main idea
- Encode/decode muc_unsubscribe JIDs
- Add support for HTTP File Upload, version 0.3.0
- Makefile: Add dependencies for spec/xdata targets
- Add nif function jid:string_to_usr and use it
- Fix return value from xmpp:start
- Make multiple calls to jid:start() not generate nif reload error
api-change:kinesis: Update kinesis command to latest version
api-change:kms: Update kms command to latest version
api-change:ssm: Update ssm command to latest version
api-change:ds: Update ds command to latest version
This release addresses a few S3 related bugs as well as a bug with the recent endpoint heuristics feature.
Changes
* Fix generate_url() AttributeError when using anonymous connections
* Use RegionInfo by default with heuristics
* Allow specifying s3 host from boto config file.
api-change:kinesis: Update kinesis client to latest version
api-change:kms: Update kms client to latest version
api-change:ds: Update ds client to latest version
api-change:ssm: Update ssm client to latest version
Inetutils is a collection of common network programs. It includes:
* An ftp client and server.
* A telnet client and server.
* An rsh client and server.
* An rlogin client and server.
* A tftp client and server.
* And much more...
Most of them are improved versions of programs originally from BSD.
Some others are original versions, written from scratch.
+ Added: copas.running flag
+ Fixed: fix for http request #53 (Peter Melnichenko)
+ Added: extra parameter keep_open for the removeserver()
method (Hisham Muhammad)
+ Change: tweaked makefile with a DESTDIR variable (Richard
Leitner)
Clean up the package a little, and merge in patches from the shared
nagios-plugin-* packages to avoid duplication. Changes since 2.0.3:
2.2.1 2017-04-19
FIXES
check_users: not accepting zero as the threshold
check_http: reports warning where it should report ok with -e
check_snmp: does not work with -6 --ipv6 flags
check_swap: threshold calculation in bytes requires subtracting 65
check_uptime: fixed backward help text for thresholds
check_http: Don’t prematurely report success when checking HTTP TLS cert validity
check_http: fix parsing the last header
check_mailq: Fix for Postfix and better Sudo Checking
configure.ac: Fix spelling error
check_ntp_peer: requires newline when there is a socket timeout (fix in netutils.c)
check_users: segmentation fault if both thresholds are not provided
check_dns: DNS CRITICAL - expected ‘{hostname}.’ but got 'name = {hostname}.'
check_mailq: Nullmailer Regex is not working for Ubuntu 16.04
check_swap: Downstream Fedora patch: Prevent check_swap from returning OK, if no swap activated
Building RPMs on Amazon Linux - Add 'install-root' on line 165 of spec file
2.2.0 2017-01-19
ENHANCEMENTS
check_flexlm: if `-F <license file>` is not specified, will use `LM_LICENSE_FILE` environment var
check_load: Added per cpu load average message
check_smtp: add -L flag to support LMTP (LHLO instead of HELO/EHLO)
FIXES
check_http: -e breaks -f
check_mrtg: Add state to status output
check_ping: ping runs 30 times when host is down
check_icmp: does not have the -p argument in the help
check_dns: Segfaulting with timeout > 26 sec
check_disk: missing -lrt on Solaris
check_http: segmentation fault
check_http: help text update for virtual hosts
check_snmp: Thresholds were being shown twice
check_hpjd: some jd 610 cards have a false flag that printer is offline
check_http: Handle reference redirect like //www.site.org/test
check_disk: alerts issued too soon
fix: Allocator sizeof operand mismatch
fix: Dead assignment
Shellcheck: fix most of the shellcheck warnings.
check_ntp: touch ntp servers at most once every seconds
check_dns: authoritative test (-A) is broken
check_dns: reports TXT records incorrectly
check_file_age: does not handle filenames WITHOUT space!
de,fr.po: fix syntax errors end-of-line within string
lib/parse_ini.c: fix gcc warning: implicit declaration of function ‘idpriv_temp_drop’ and ‘idpriv_temp_restore’
add openssl 1.1 support
2.1.4 2016-11-17
FIXES
check_http: Don't include default Accept header if one is provided
check_disk: added "fuse.gvfsd-fuse" to list of fs types to ignore
check_http: Fixed non-text chunked-encoded decoding
check_http: segmentation fault (FreeBSD)
check_dns: Update IF_RECORD to not erase query_found
check_http: SSL Certificate check returns 12:00:00AM <local timezone>
check_http: -u is misleading. Changed help text
check_file_age: does not handle filenames with space
check_snmp: units label option outputs the label in the incorrect location
plugins-root/check_dhcp.c: fix a potential segfault
check_users: not correctly detecting thresholds
2.1.3 2016-09-12
ENHANCEMENTS
SNI support in check_tcp (ddbilik)
check_disk_smb.pl: add support for -k for kerberos authentication
check_file_age.c: allow wildcard matching
FIXES
check_tcp.c: tools/build_perl_modules hardcodes the perl used
check_game.c: reports ping as number of players (Jason Rivers)
fix some gcc5 warnings (Mario Trangoni)
check_cluster.c: Update wording in comments (Troy Lea)
check_nagios.c: could not locate a running nagios process
check_swap.c: does not accept threshold of zero
check_swap.c: uses inconsistent checks on negative thresholds
check_snmp.c: --offset does not appear to do anything (Troy Lea)
sslutils.c: output has first line of "SSL Version: xxxxxx"
affects anything using sslutils including check_http, check_dhcp
and others
utils_cmd.c: when using ssh (or check-by-ssh) with ControlMaster/ControlPersist,
nagios times out the first time and one gets zombie processes (Gordon Messmer)
2.1.2 2016-08-01
SECURITY FIXES
ENHANCEMENTS
check_snmp's performance data now also includes warning/critical
thresholds
New check_snmp "-N" option to specify SNMPv3 context name
New check_nt "-l" parameters: seconds|minutes|hours|days
New check_mailq -s option which tells the plugin to use sudo(8)
New -W/-C option for check_ldap to check number of entries (Gerhard Lausser)
The check_http -S/--ssl option now accepts the arguments "1.1" and "1.2"
to force TLSv1.1 and TLSv1.2 connections, respectively
The check_http -S/--ssl option now allows for specifying the desired
protocol with a "+" suffix to also accept newer versions
New check_disk "-v" option to show troubled partition in verbose mode
check_log.sh: Added a parameter -w (--max_warning) defining upper value to return a warning code
check_ldap: Add support for LDAP URIs.
check_file_age: Provide performance data
check_by_ssh: added --hostname support
check_ifstatus.pl: Add check_ifstatus option to ignore interfaces by name
check_snmp: Introduce support for SNMPv3 context using "-N" option
check_snmp.c: Added IPv6 support
check_http: Added support for checking SSL-Websites through Proxies
FIXES
check_dig can now also use "drill" instead of "dig"
check_dig honor the -4 and -6 switches
check_ntp_peer: do not use uninitialized results for max state
check_log.sh, check_oracle.sh, check_sensors.sh: Setting PATH at first
check_log.sh: dropping path from basename while evaluating PROGNAME
check_tcp: Fix check_jabber to work with Openfire servers
check_ifstatus.pl: Fix "-n" and "-u" options to ignore if either is set, not just both
check_mrtgtraf: Fix perfdata to comply with perfdata UOM definition
check_real, check_ntp: fix null termination
check_apt: fix memset
check_ssh: change warning to critical for protocol/version errors
utils_cmd.c: avoid a segfault, if ulimit is set to unlimited
utils_cmd.c: make constants from maxfd values
configure.ac: Added particular ps command for HP-UX
check_disk: Fix pthread start routine type
check_http: Make header_value() and chunked-encoding decoding more robust
check_http: fix Host header if explicitly set with -k
sslutils.c: Forcing further restriction of ciphers for current security concerns
check_nagios, check_procs: Enable check_proc to monitor processes in PID name-spaced environments.
check_dhcp.c: use /dev/urandom if available
check_http.c: Don't decode page if it's not there
check_disk.c: Prevent large tide values from truncation
pst3.c: Fix for unclosed filehandle in pst3 on Solaris
check_snmp: Timeticks are not being parsed correctly before performance data
multiple *.h files: standardized header include fences
multiple plugins/*.c files: fix unsafe signal handling
sslutils.c: Fix compilation with GnuTLS which doesn't provide SSL_CTX_check_private_key()
check_mailq.pl: fixed mailer names
check_swap.c: Improving output when swap space has zero size
check_icmp.c: Use kernel reception time on ICMP packets to compute rtt.
check_icmp.c: make use of MSG_CONFIRM optional
check_ldap.c: add counting of entries to check_ldap
utils.c: add sperfdata() function which can handle threshold ranges
sslutils.c: Check if OpenSSL supports SSLv3.
check_dhcp.c: Fixes segfaults when running via monitoring worker (off-by-one)
check_fping.c: autodetect ipv6 addresses
sslutils.c: optimize output if certificate expires in less than 24h
check_smtp.c: Let "-D" option imply "-S". Also QUIT SMTP connection when "-D" is used
check_smtp.c: modified SSL check for use with -e
check_tcp.c: Validate sent data size
check_dns.c: conditional assignment
check_dns.c: macro querytypes and auto cnames
utils_cmd.c, utils_base.c: Multiple resource leaks
check_http.c: Increase MAX_RE_SIZE from 256 to 2048
check_procs.c: Changed the ps command args from axwo to axwwo allowing for longer output
check_http.c: Allow a server to reply using only 'HTTP/1.x 200 OK' and a
body, with no headers
check_nt.c: check_nt does not correctly report a DNS entry it cannot resolve
check_dhcp.c: check_dhcp broken on BSD
TESTS
check_procs.t: Add delay after forking in test to avoid race condition
test.pl.in: Use "C" locale when running test suite
check_http.t: Adjust date strings to the now-localized output
check_dns.t - Fix Perl Warning. perl doesn't understand /d within "".
check_snmp.t: skip extended snmp tests if snmpd has no perl support
check_snmp.t: fix snmp test for included threshold
check_http.t: fix tests for certificates expire date with seconds
check_http.t: add faketime based tests for check_http
LOCALIZATION
2.1.0 30th July 2015
SECURITY FIXES
ssl_utils.c - Disable SSLv3 & SSLv2 autonegotiation by default to limit poodle and other weak cipher attacks (sreinhardt)
ENHANCEMENTS
Timeout States Implemented - Plugins that support a timeout state will now also support specifying the exit state in case of timeout with the syntax -t <timeout>:<state> (abrist)
Perl plugins now use FindBin for path discovery, obsoleting the nasty AWK script (evgeni, abrist)
check_http.c - Added support for chunked transfer-encoding (koenwtje, dermoth, sreinhardt)
check_radius.c - Added support for the FreeRADIUS Client library (weiss)
check_snmp.c - Added thresholds to performance data (seemuellera)
check_snmp.c - Added new option (-N) for SNMPv3 context (Johannes Engel)
check_snmp.c - Added IPv6 support (abrist)
check_ldap.c - Added a new option (-U) for LDAP URI support (qris)
check_ifstatus.pl - Added new option (-n) to exclude interfaces (peelman, weiss)
check_file_age.pl - Performance data output added (hggh)
check_mailq.pl - Now supports sudo (Christopher Schultz, weiss)
check_log.sh - Added a new option (-w) defining upper value to return a warning code (arvanus)
FIXES
check_by_ssh.c - Added --hostname support (sni)
check_dbi.c - Spelling corrections (sreinhardt)
check_dig.c - Fixed to work with dig/drill tools and ip version switch is now respected (abgandar)
check_disk.c - Fix for hanging filesystems (Gerhard Lausser)
check_disk.c - Partitions in problem state now reported in verbose mode (waja)
check_disk.c - Prevent large tide values from truncation (JesperForsberg)
check_dns.c - Server specific fixes and other cleanup (sreinhardt)
check_http.c - Some small changes for readability (koenwtje)
check_mrtgtraf.c - Added verbose output (sreinhardt)
check_mrtgtraf.c - Perfdata now complies with UOM definition (Bobzikwick)
check_ntp_peer.c - No longer uses uninitialized results for max state (sni)
check_procs.c - Rare race condition fixed (Mikael Falkvidd)
check_ssh.c - Now exits with CRITICAL when version/protocol string check fails to match (sni)
check_tcp.c - Help description of escape characters now correct (Sebastian Herbszt)
check_tcp.c - Fix to support Openfire servers with check_jabber (weiss)
check_ups.c - Spelling corrections (sreinhardt)
pst3.c - Fix for unclosed file handle in pst3 on Solaris (jwinkle01)
plugins-scripts/*.sh - Trusted path fixes (waja)
netutils.h - Decreased max path to 104 bytes to compensate for BSD paths (sreinhardt)
configure.ac - Fix for HP-UX ps command (Tontonitch)
lib/utils_cmd.c - Fix for potential segfault when ulimits are set to unlimited (nafets)
lib/parse_ini.c - Many small fixes from coverity scans and the community (sreinhardt, weiss)
lib/util_base.c - Code cleanup (sreinhardt)
lib/utils_base.c - Add EUID to state retention path for multi-user permissions support (sreinhardt)
po/* - Spelling corrections (sreinhardt)
Multiple resource leaks fixed (sreinhardt)
Many other small fixes and cleanup caught by coverity (multiple contributors)
TESTS
Many small fixes to tests (multiple contributors)
LOCALIZATION
Many small fixes for locales and localizations (multiple contributors)
This package was last updated in 2004, since then it has changed maintainers
and looks quite different. An incomplete changelog is as follows:
Version 1.3.1 NOV ??
Complete rewrite of the TCP state machine, now handles flows larger
than 4GiB.
Version 1.3.0 SEP 30 2012
Release for end of FY2012, includes bug fixes, better support for
autoconf, DFXML standardizations, and the ability to compile under
mingw for Windows (that was a LOT of work).
Version 1.2.7 May 24 2012 (GIT)
Version 1.2.7 offers two significant features over previous versions
relating to the processing of the -r and the new -R options.
-r file1.pcap - This option specifies a pcap file to be read.
New with version 1.2.7, the -r flag may be
repeated any number of times.
-R file0.pcap - This option, new with version 1.2.7, allows a file
to be specified that was captured in time *before*
the file specified with -r. This option allows TCP
sessions that started in file0.pcap and which
continued into file1.pcap to be properly
started. This option is useful when some external
process makes packet capture files at regular
intervals and then the files are reassembled
later. Typically these files result from tcpdump run
with the -w or -C options.
Version 1.2 March 15 2012 (SVN )
Version 1.2 is the first to include post-processing of TCP connections
integrated directly into the tcpflow program itself. Post-processing
is optional and is performed on a per-connection basis when the
connection is closed.
The following post-processing methods are currently defined.
-FM - Compute the MD5 hash value of every stream on close. Currently
MD5 hashes are only computed for TCP streams that contain
packets transmitted contiguously. -FM processing can happen
even when output is suppressed. The MD5 is written into the
DFXML file.
-AH - Detect Email/HTTP responses and separate headers from
body. This requires that the output files be captured.
If the output file is
208.111.153.175.00080-192.168.001.064.37314,
Then the post-processing will create the files:
208.111.153.175.00080-192.168.001.064.37314-HTTP
208.111.153.175.00080-192.168.001.064.37314-HTTPBODY
If the HTTPBODY was compressed with GZIP, you may get a
third file as well:
208.111.153.175.00080-192.168.001.064.37314-HTTPBODY-GZIP
Additional information about these streams, such as their MD5
hash value, is also written to the DFXML file.
Version 1.1.0 19 January 2012 (SVN 8118)
Version 1.1 represents a significant rewrite of tcpflow. All users are
encouraged to upgrade.
Significant changes include:
* Entire code base migrated to C++; code generally
improved. tcpflow's original hash table has been replaced with a
tr1::unordered_map which should offer significantly more
scalability.
* tcpflow now automatically expires out old connections. This finally
ends the program's memory-hogging problem. (You can disable this
behavior with -P, which makes tcpflow run faster because it never
cleans up after itself. That's fine if you are working with less
than a million connections.)
* Multiple connections with the same (source/destination) are now
detected and stored in different files. This is significant, as the
previous implementation would make a single file 1-2GB in length if
you had the same host/port pairs with two different flows. Additional
files have the same filename and a "c0001", "c0002" appended.
* Filenames may now be prefixed with either the ISO8601 time or a Unix
timestamp indicating the time that the connection was first seen.
* tcpflow will now save a DFXML file containing information for each
flow that it reconstructs.
* The following new options are now implemented:
-o outdir --- now works (previously was not implemented)
-X xmfile --- now reports execution results in a DFXML
file. (Version 1.1 will include complete notion in the
XML file of every TCP connection as a DFXML <fileobject>)
-Fc --- Every file has the 'cXXXX' postfix, rather than just
the files with duplicate source/destination.
-Ft --- Every file has the <time_t>T prefix.
-FT --- Every file has an ISO8601 time prefix,
e.g. 2012-01-01T09:45:15Z
-mNNNN --- Specifies the minimum number of bytes that need to be
skipped in a TCP connection before a new
-Lname --- use the named semaphore 'name' to prevent multiple
tcpflow processes printing to standard output from
overprinting each other.
-P --- do not prune the tcp connection table.
Other improvements include:
* Support for IPv6
* Support for VLANs
* The default filter which was causing problems under MacOS has been
removed.
Version 1.0.4 November 24, 2011
* Default filter changed to ""; previous default filter was causing
problems on macs.
Version 1.0.2 September 30, 2011
* IPv6 code added
Version 1.0.0 January 2011
* Updated to support VLANs. VLAN packets are marked by hex 0x8100
following the destination and source mac addresses, followed by the
16-bit VLAN address, followed by 0x0800 marking the beginning of the
traditional IP header.
Version 0.30 October 2007
* Simson Garfinkel <simsong@acm.org> is now the maintainer of this
package
* Modified to set the time of each tcpflow with the time of the first
packet.
* Created a regression test, so "make check" and "make distcheck" now
work.
* Updated to modern autoconf tools.
Xandikos is a lightweight yet complete CardDAV/CalDAV server that
backs onto a Git repository.
Xandikos takes its name from the name of the March month in the
ancient Macedonian calendar, used in Macedon in the first millennium
BC.
**** 1.11 Jun 26, 2017
Fix rt.cpan.org #122138
Send a UDP query with udppacketsize=512
Feature
Extract default resolver configuration from OS/390 MVS datasets.
Thanks to Sandra Carroll and Yaroslav Kuzmin for their assistance.
- BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
- BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
- BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
- DOC: fix references to the section about the unix socket
- BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros
- BUG/MINOR: log: pin the front connection when front ip/ports are logged
1.7.6:
- DOC: changed "block"(deprecated) examples to http-request deny
- DOC: add few comments to examples.
- DOC: update sample code for PROXY protocol
- DOC: mention lighttpd 1.4.46 implements PROXY
- DOC: stick-table is available in frontend sections
- BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
- BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
- BUG/MINOR: arg: don't try to add an argument on failed memory allocation
- BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
- BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
- MINOR: lua: ensure the memory allocator is used all the time
- CLEANUP: logs: typo: simgle => single
- BUG/MEDIUM: acl: properly release unused args in prune_acl_expr()
- BUG/MAJOR: Use -fwrapv.
- BUG/MINOR: server: don't use "proxy" when px is really meant.
- BUG/MINOR: server: missing default server 'resolvers' setting duplication.
- DOC: add layer 4 links/cross reference to "block" keyword.
- DOC: errloc/errorloc302/errorloc303 missing status codes.
- BUG/MEDIUM: lua: memory leak
- MEDIUM: config: don't check config validity when there are fatal errors
- BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
- MINOR/DOC: lua: just precise one thing
- BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request
- DOC: update RFC references
- BUG/MINOR: checks: don't send proxy protocol with agent checks
- BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
- BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
- BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04
- BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
- BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
- BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
- BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
- BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
- BUG/MAJOR: server: Segfault after parsing server state file.
- BUG/MEDIUM: unix: never unlink a unix socket from the file system
- scripts: create-release pass -n to tail
- SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity
Changes in version 0.3.0.9 - 2017-06-29
Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.
This release also backports several other bugfixes from the 0.3.1.x
series.
o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
- When choosing which guard to use for a circuit, avoid the exit's
family along with the exit itself. Previously, the new guard
selection logic avoided the exit, but did not consider its family.
Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as
TROVE-2016-006 and CVE-2017-0377.
o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
- Don't block bootstrapping when a primary bridge is offline and we
can't get its descriptor. Fixes bug 22325; fixes one case of bug
21969; bugfix on 0.3.0.3-alpha.
o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
- When starting with an old consensus, do not add new entry guards
unless the consensus is "reasonably live" (under 1 day old). Fixes
one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
- Reject version numbers with non-numeric prefixes (such as +, -, or
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms. Fixes bug 21507
and part of 21508; bugfix on 0.0.8pre1.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
- Permit the fchmod system call, to avoid crashing on startup when
starting with the seccomp2 sandbox and an unexpected set of
permissions on the data directory or its contents. Fixes bug
22516; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes are
still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to make
sure that any other cell-handling bugs can't expose bytes to the
network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.