=== 4.23.0 (2015-06-01)
* Make dataset.call_sproc(:insert) work in the jdbc adapter (flash-gordon) (#1013)
* Add update_refresh plugin, for refreshing a model instance when updating (jeremyevans)
* Add delay_add_association plugin, for delaying add_* method calls on new objects until after saving the object (jeremyevans)
* Add validate_associated plugin, for validating associated objects when validating the current object (jeremyevans)
* Make Postgres::JSONBOp#[] and #get_text return JSONBOp instances (jeremyevans) (#1005)
* Remove the fdbsql, jdbc/fdbsql, and openbase adapters (jeremyevans)
* Database#transaction now returns block return value if :rollback=>:always is used (jeremyevans)
* Allow postgresql:// connection strings as aliases to postgres://, for compatibility with libpq (jeremyevans) (#1004)
* Make Model#move_to in the list plugin handle out-of-range targets without raising an exception (jeremyevans) (#1003)
* Make Database#add_named_conversion_proc on PostgreSQL handle conversion procs for enum types (celsworth) (#1002)
=== 4.22.0 (2015-05-01)
* Deprecate the db2, dbi, fdbsql, firebird, jdbc/fdbsql, informix, and openbase adapters (jeremyevans)
* Avoid hash allocations and rehashes (jeremyevans)
* Don't silently ignore :jdbc_properties Database option in jdbc adapter (jeremyevans)
* Make tree plugin set reciprocal association for children association correctly (lpil, jeremyevans) (#995)
* Add Sequel::MassAssignmentRestriction exception, raised for mass assignment errors in strict mode (jeremyevans) (#994)
* Handle ODBC::SQL_BIT type as boolean in the odbc adapter, fixing boolean handling on odbc/mssql (jrgns) (#993)
* Make :auto_validations plugin check :default entry instead of :ruby_default entry for checking existence of default value (jeremyevans) (#990)
* Adapters should now set :default schema option to nil when adapter can determine that the value is nil (jeremyevans)
* Do not add a schema :max_length entry for a varchar(max) column on MSSQL (jeremyevans)
* Allow :default value for PostgreSQL array columns to be a ruby array when using the pg_array extension (jeremyevans) (#989)
* Add csv_serializer plugin for serializing model objects to and from csv (bjmllr, jeremyevans) (#988)
* Make Dataset#to_hash and #to_hash_groups handle single array argument for model datasets (jeremyevans)
* Handle Model#cancel_action in association before hooks (jeremyevans)
* Use a condition variable instead of busy waiting in the threaded connection pools on ruby 1.9+ (jeremyevans)
* Use Symbol#to_proc instead of explicit blocks (jeremyevans)
=== 4.21.0 (2015-04-01)
* Support :tsquery and :tsvector options in Dataset#full_text_search on PostgreSQL, for using existing tsquery/tsvector expressions (jeremyevans)
* Fix TinyTds::Error being raised when trying to cancel a query on a closed connection in the tinytds adapter (jeremyevans)
* Add GenericExpression#!~ for inverting =~ on ruby 1.9 (similar to inverting a hash) (jeremyevans) (#979)
* Add GenericExpression#=~ for equality, inclusion, and pattern matching (similar to using a hash) (jeremyevans) (#979)
* Add Database#add_named_conversion_proc on PostgreSQL to make it easier to add conversion procs for types by name (jeremyevans)
* Make Sequel.pg_jsonb return JSONBOp instances instead of JSONOp instances when passed other than Array or Hash (jeremyevans) (#977)
* Demodulize default root name in json_serializer plugin (janko-m) (#968)
* Make Database#transaction work in after_commit/after_rollback blocks (jeremyevans)
== v0.18.2 [2015-05-14] Michael Granger <ged@FaerieMUD.org>
Enhancements:
- Allow URI connection string (thanks to Chris Bandy)
Bugfixes:
- Speedups and fixes for PG::TextDecoder::Identifier and quoting behavior
- Revert addition of PG::Connection#hostaddr [#202].
- Fix decoding of fractional timezones and timestamps [#203]
- Fixes for non-C99 compilers
- Avoid possible symbol name clash when linking againt static libpq.
1.19 2015-05-31
- If you compared a DateTime object to an undef value, you might have received
a warning pointing to code inside DateTime.pm, instead of in your own
code. Fixed by Jason McIntosh. GH #7.
- The 30future-tz.t could fail if run at certain very specific times. This
should now be much less likely, unless a time zone being tested implements a
DST change at noon (which would even more insane than DST already is by a
huge factor). Reported by Karen Etheridge and diagnosed by Slaven Rezic. RT
#102925.
VERSION 6.50 2015-06-01
Bug fixes
Not really a bug, but 6.49 got a bunch of NYTprof data bundled with it
by mistake. It's been removed. RT 103252
Fixed a bug where information about whether a date was complete or
truncated was discarded. Jim Avera
Fixed a bug where SetDate with a zone alias failed.
Added the Format_MMMYYYY config variable to allow the truncated format
mmmYYYY to be parsed instead of mmmDDYY. David W. Morganwalp and RT 103142
Fixed Makefile.PL/Build.PL to correct for a change on perl on windows
which changes a module prereq requirement. Alexandr Ciornii
Time zone fixes
Newest zoneinfo data (tzdata 2015d)
Added aliases for older HP-UX time zones. RT 104141
Documentation fixes
Fixed URL for tzdata. Mohammad S Anwar
Better POD formats.
Fixed a documentation error. RT 103966
2.016 2015/06/02
- add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL
(since 1.02) and available with Net::SSLeay. RT#104759 (thanks GAAS)
- work around hanging prompt() with older perl in Makefile.PL RT#104731
- make t/memleak_bad_handshake.t work on cygwin and other systems having
/proc/pid/statm, see RT#104659
- add better debugging based on patch from H.Merijn Brand
The removed hunk is definitely wrong, but I can't figure out what it was
trying to do. I think the patch hunk was accidentally reintroduced in r1.4
after being correctly removed in r1.3.
The reason it is wrong is because it breaks later tests by introducing code
into confdefs.h. The following tests always break, because they have
duplicate main() definitions.
Build test on NetBSD works because the java support isn't in the suggested
options anyway.
Changelog:
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs (bug 1067470)
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7 (Bug 1165732)
to detect the platform.
Link-in the up to date copy of config.guess we provide as the version bundled
with the package is from 2002 and it causes bulkbuilds to hang due to waiting
for manual input if it doesn't recognise the platform.
This is a regularly-scheduled bugfix release.
archive: always use portable path component separators with subrepos
commands: hide formatter option as EXPERIMENTAL, not as DEPRECATED
context: don't complain about a matcher's subrepo paths in changectx.walk()
convert: properly pass null ids through .hgtags (issue4678)
extensions: clear aftercallbacks after execution (issue4646)
hgweb: bring back infinite scroll in shortlog of paper style
histedit: fix --continue when rules are finished
histedit: fix --edit-plan
histedit: fix keep during --continue
histedit: fix serializing of None backupfile
histedit: fix test-histedit-edit on vfat
localrepo: pass hook argument txnid to pretxnopen hooks
localrepo: rename hook argument from TXNID to txnid (BC)
localrepo: use correct argument name for pretxnclose hooks (BC)
match: explicitly naming a subrepo implies always() for the submatcher
mergecopies: avoid slowdown from linkrev adjustment (issue4680)
rebase: check that the bookmark is still valid when restoring (issue4669)
rebase: clear merge when aborting before any rebasing (issue4661)
revbranchcache: return uncached branchinfo for nullrev (issue4683)
revset: drop magic of fullreposet membership test (issue4682)
revset: id() called with 40-byte strings should give the same results as for short strings
revset: map postfix '%' to only() to optimize operand recursively (issue4670)
ssh: capture output with bundle2 again (issue4642)
templatekw: compare target context and its parent exactly (issue4690)
templater: do not process \-escapes at parsestring() (issue4290)
templater: fix crash by passing invalid object to date() function
templater: strictly parse leading backslashes of '{' (issue4569) (BC)
transaction: really fix _addbackupentry key usage (issue4684)
transaction: separate calculating TXNID from creating transaction object
transaction: use the proper variable in '_addbackupentry' (issue4684)
util.checkcase: don't abort on broken symlinks
Changes in 1.9.1.1:
- Fix for SUPEE-5344 (previously patched with an upstream patch in pkgsrc)
pkgsrc changes:
- Patch for multiple vulnerabilities (SUPEE-5994) with an upstream patch.
- Cache upstream patches on ftp.netbsd.org due to unreliable upstream.
- bug 145 "p7zip crashes while moving memory in MoveItems
Version 9.38
- patch 23 fixes "7z with unicode file name with surrogate pair is not handled well in Linux"
- bug 139 "password from commanline is visible in processes list"
Now the characters of the password are replaced with *.
- From Windows version of 7-zip
- bug138 If you extract the password with # program crashes
7z now supports long password in RAR 3 and 4.
Bitrot detection is a technique used to identify an ?insidious?
type of disk error where data is silently corrupted with no indication
from the disk to the storage software layer that an error has
occurred. When bitrot detection is enabled on a volume, gluster
performs signing of all files/objects in the volume and scrubs data
periodically for signature verification. All anomalies observed
will be noted in log files.
* Multi threaded epoll for performance improvements
Gluster 3.7 introduces multiple threads to dequeue and process more
requests from epoll queues. This improves performance by processing
more I/O requests. Workloads that involve read/write operations on
a lot of small files can benefit from this enhancement.
* Volume Tiering [Experimental]
Policy based tiering for placement of files. This feature will serve
as a foundational piece for building support for data classification.
Volume Tiering is marked as an experimental feature for this release.
It is expected to be fully supported in a 3.7.x minor release.
Trashcan
This feature will enable administrators to temporarily store deleted
files from Gluster volumes for a specified time period.
* Efficient Object Count and Inode Quota Support
This improvement enables an easy mechanism to retrieve the number
of objects per directory or volume. Count of objects/files within
a directory hierarchy is stored as an extended attribute of a
directory. The extended attribute can be queried to retrieve the
count.
This feature has been utilized to add support for inode quotas.
* Pro-active Self healing for Erasure Coding
Gluster 3.7 adds pro-active self healing support for erasure coded
volumes.
* Exports and Netgroups Authentication for NFS
This feature adds Linux-style exports & netgroups authentication
to the native NFS server. This enables administrators to restrict
access to specific clients & netgroups for volume/sub-directory
NFSv3 exports.
* GlusterFind
GlusterFind is a new tool that provides a mechanism to monitor data
events within a volume. Detection of events like modified files is
made easier without having to traverse the entire volume.
* Rebalance Performance Improvements
Rebalance and remove brick operations in Gluster get a performance
boost by speeding up identification of files needing movement and
a multi-threaded mechanism to move all such files.
* NFSv4 and pNFS support
Gluster 3.7 supports export of volumes through NFSv4, NFSv4.1 and
pNFS. This support is enabled via NFS Ganesha. Infrastructure changes
done in Gluster 3.7 to support this feature include:
- Addition of upcall infrastructure for cache invalidation.
- Support for lease locks and delegations.
- Support for enabling Ganesha through Gluster CLI.
- Corosync and pacemaker based implementation providing resource
monitoring and failover to accomplish NFS HA.
pNFS support for Gluster volumes and NFSv4 delegations are in beta
for this release. Infrastructure changes to support Lease locks and
NFSv4 delegations are targeted for a 3.7.x minor release.
* Snapshot Scheduling
With this enhancement, administrators can schedule volume snapshots.
* Snapshot Cloning
Volume snapshots can now be cloned to create a new writeable volume.
* Sharding [Experimental]
Sharding addresses the problem of fragmentation of space within a
volume. This feature adds support for files that are larger than
the size of an individual brick. Sharding works by chunking files
to blobs of a configurabe size.
Sharding is an experimental feature for this release. It is expected
to be fully supported in a 3.7.x minor release.
* RCU in glusterd
Thread synchronization and critical section access has been improved
by introducing userspace RCU in glusterd
* Arbiter Volumes
Arbiter volumes are 3 way replicated volumes where the 3rd brick
of the replica is automatically configured as an arbiter. The 3rd
brick contains only metadata which provides network partition
tolerance and prevents split-brains from happening.
Update to GlusterFS 3.7.1
* Better split-brain resolution
split-brain resolutions can now be also driven by users without
administrative intervention.
* Geo-replication improvements
There have been several improvements in geo-replication for stability
and performance.
* Minor Improvements
- Message ID based logging has been added for several translators.
- Quorum support for reads.
- Snapshot names contain timestamps by default.Subsequent access
to the snapshots should be done by the name listed in gluster
snapshot list
- Support for gluster volume get <volname> added.
- libgfapi has added handle based functions to get/set POSIX ACLs
based on common libacl structures.
- work around brain-damaged change in Python's poplib which causes
message retrieval errors if any line of a message has more than
2048 characters in it.
- restore link to moved Marc mailing list archive. Thanks: David
J. Weller-Fahy.
patch refresh grace of mkpatches
upstream notable changes list since the 3.2 to 3.3 branch point (excerpt
of the NEWS file):
* Version 3.3.15 (released 2015-05-03)
** libgnutls: gnutls_certificate_get_ours: will return the certificate even
if a callback was used to send it.
** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan [GNUTLS-SA-2015-2].
** libgnutls: Check for invalid length in the X.509 version field. Without the check
certificates with invalid length would be detected as having an arbitrary
version. Reported by Hanno Böck.
** API and ABI modifications:
No changes since last version.
* Version 3.3.14 (released 2015-03-30)
** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
structures use BER to decode them (requires libtasn1 4.3). That allows
to decode some more complex structures.
** libgnutls: When an end-certificate with no name is present and there
are CA name constraints, don't reject the certificate. This follows RFC5280
advice closely. Reported by Fotis Loukos.
** libgnutls: Fixed handling of supplemental data with types > 255.
Patch by Thierry Quemerais.
** libgnutls: Fixed double free in the parsing of CRL distribution points certificate
extension. Reported by Robert Święcki.
** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
protocol is not enabled by default (used by openconnect VPN).
** libgnutls: The maximum user data send size is set to be the same for
block and non-block ciphersuites. This addresses a regression with wine:
https://bugs.winehq.org/show_bug.cgi?id=37500
** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
and CKA_DECRYPT when needed.
** libgnutls: Allow names with zero size to be set using
gnutls_server_name_set(). That will disable the Server Name Indication.
Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2
** API and ABI modifications:
No changes since last version.
* Version 3.3.13 (released 2015-02-25)
** libgnutls: Enable AESNI in GCM on x86
** libgnutls: Fixes in DTLS message handling
** libgnutls: Check certificate algorithm consistency, i.e.,
check whether the signatureAlgorithm field matches the signature
field inside TBSCertificate.
** gnutls-cli: Fixes in OCSP verification.
** API and ABI modifications:
No changes since last version.
* Version 3.3.12 (released 2015-01-17)
** libgnutls: When negotiating TLS use the lowest enabled version in
the client hello, rather than the lowest supported. In addition, do
not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
is the only protocol supported. That addresses issues with servers that
immediately drop the connection when the encounter SSL 3.0 as the record
version number. See:
http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.
** libgnutls: Handle zero length plaintext for VIA PadLock functions.
This solves a potential crash on AES encryption for small size plaintext.
Patch by Matthias-Christian Ott.
** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715
** libgnutls: In DTLS decode all handshake packets present in a record
packet, in a single pass. Reported by Andreas Schultz.
https://savannah.gnu.org/support/?108712
** libgnutls: When importing a CA file with a PKCS #11 URL, simply
import the certificates, if the URL specifies objects, rather than
treating it as trust module.
** libgnutls: When importing a PKCS #11 URL and we know the type of
object we are importing, don't require the object type in the URL.
** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
was used by the server.
** guile: Fix compilation on MinGW. Previously only the static version of the
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.
** guile: Fix harmless warning during compilation of gnutls.scm
Initially reported at <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.
** certtool: --pubkey-info will also attempt to load a public key
from stdin.
** gnutls-cli: Added --starttls-proto option. That allows to specify a
protocol for starttls negotiation.
** API and ABI modifications:
No changes since last version.
* Version 3.3.11 (released 2014-12-11)
** libgnutls: Corrected regression introduced in 3.3.9 related to
session renegotiation. Reported by Dan Winship.
** libgnutls: Corrected parsing issue with OCSP responses.
** API and ABI modifications:
No changes since last version.
* Version 3.3.10 (released 2014-11-10)
** libgnutls: Refuse to import v1 or v2 certificates that contain
extensions.
** libgnutls: Fixes in usage of PKCS #11 token callback
** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
Reported by David Woodhouse.
** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.
** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].
** libgnutls: When gnutls_global_init() is called for a second time, it
will check whether the /dev/urandom fd kept is still open and matches
the original one. That behavior works around issues with servers that
close all file descriptors.
** libgnutls: Corrected behavior with PKCS #11 objects that are marked
as CKA_ALWAYS_AUTHENTICATE.
** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
That option is more compatible than AES or RC4.
** API and ABI modifications:
No changes since last version.
* Version 3.3.9 (released 2014-10-13)
** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.
** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.
** libgnutls: When both a trust module and additional CAs are present
account the latter as well; reported by David Woodhouse.
** libgnutls: added GNUTLS_TL_GET_COPY flag for
gnutls_x509_trust_list_get_issuer(). That allows the function to be used
in a thread safe way when PKCS #11 trust modules are in use.
** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.
** libgnutls-dane: Do not require the CA on a ca match to be direct CA.
** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
** guile: new 'set-session-server-name!' procedure; see the manual for
details.
** certtool: The authority key identifier will be set in a certificate only
if the CA's subject key identifier is set.
** API and ABI modifications:
No changes since last version.
* Version 3.3.8 (released 2014-09-18)
** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.
** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.
** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David
Woodhouse.
** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.
** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.
** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).
** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.
** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.
** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.
** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.
** p11tool: when listing tokens, list their type as well.
** p11tool: when listing objects from a trust module print any attached
extensions on certificates.
** API and ABI modifications:
gnutls_x509_crq_get_extension_by_oid2: Added
gnutls_x509_crt_get_extension_by_oid2: Added
gnutls_x509_trust_list_verify_crt2: Added
gnutls_x509_ext_print: Added
gnutls_x509_ext_deinit: Added
gnutls_x509_othername_to_virtual: Added
gnutls_pkcs11_obj_get_exts: Added
* Version 3.3.7 (released 2014-08-24)
** libgnutls: Added function to export the public key of a PKCS #11
private key. Contributed by Wolfgang Meyer zu Bergsten.
** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
That improves compatibility with certain PKCS #11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: When generating a PKCS #11 private key allow setting
the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
to the key.
** libgnutls: bundle replacements of inet_pton and inet_aton if not
available.
** libgnutls: initialize parameters variable on PKCS #8 decryption.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
requirement of checking the Common Name (CN) part of DN only if there is
a single CN present in the certificate.
** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
to force the FIPS mode, when set to 1.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** p11tool: Added --info parameter.
** certtool: Added --mark-wrap parameter.
** danetool: --check will attempt to retrieve the server's certificate
chain and verify against it.
** danetool/gnutls-cli-debug: Added --app-proto parameters which can
be used to enforce starttls (currently only SMTP and IMAP) on the connection.
** danetool: Added openssl linking exception, to allow linking
with libunbound.
** API and ABI modifications:
GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added
gnutls_pkcs11_privkey_export_pubkey: Added
gnutls_pkcs11_obj_flags_get_str: Added
gnutls_pkcs11_obj_get_flags: Added
* Version 3.3.6 (released 2014-07-23)
** libgnutls: Use inet_ntop to print IP addresses when available
** libgnutls: gnutls_x509_crt_check_hostname and friends will also check
IP addresses, and match documented behavior. Reported by David Woodhouse.
** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
bit parameters.
** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
being usable after a reinitialization.
** libgnutls: fixed PKCS #11 private key operations after a fork.
** libgnutls: fixed PKCS #11 ECDSA key generation.
** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
explicitly enable/disable the use of certain CPU capabilities. Note that CPU
detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel
CPU. The currently available options are:
0x1: Disable all run-time detected optimizations
0x2: Enable AES-NI
0x4: Enable SSSE3
0x8: Enable PCLMUL
0x100000: Enable VIA padlock
0x200000: Enable VIA PHE
0x400000: Enable VIA PHE SHA512
** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.
** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.
** p11tool: ask for label when one isn't provided.
** p11tool: added --batch parameter to disable any interactivity.
** p11tool: will not implicitly enable so-login for certain types of
objects. That avoids issues with tokens that require different login
types.
** certtool/p11tool: Added the --curve parameter which allows to explicitly
specify the curve to use.
** API and ABI modifications:
gnutls_certificate_set_x509_trust_dir: Added
gnutls_x509_trust_list_add_trust_dir: Added
* Version 3.3.5 (released 2014-06-26)
** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
These functions provide a variant of gnutls_record_recv() that avoids
the final memcpy of data.
** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a
faster variant of gnutls_x509_crl_get_crt_serial() when coping with
very large structures.
** libgnutls: When the decoding of a printable DN element fails, then treat
it as unknown and print its hex value rather than failing. That works around
an issue in a TURKTRST root certificate which improperly encodes the
X520countryName element.
** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number
of certificates present in a PKCS #11 token when loading it.
** libgnutls: Allow the post client hello callback to put the handshake on
hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
** certtool: option --to-p12 will now consider --load-ca-certificate
** certtol: Added option to specify the PKCS #12 friendly name on command
line.
** p11tool: Allow marking a certificate copied to a token as a CA.
** API and ABI modifications:
GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Added
gnutls_x509_crl_iter_deinit: Added
gnutls_x509_crl_iter_crt_serial: Added
gnutls_record_recv_packet: Added
gnutls_packet_deinit: Added
gnutls_packet_get: Added
* Version 3.3.4 (released 2014-05-31)
** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.
** API and ABI modifications:
No changes since last version.
* Version 3.3.3 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: gnutls_global_set_mutex() was modified to operate with the
new initialization process.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552
** gnutls-cli: --dane will only check the end certificate if PKIX validation
has been disabled.
** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
be emulated with the implicit initialization of gnutls.
** certtool: Allow multiple organizations and organizational unit names to
be specified in a template.
** certtool: Warn when invalid configuration options are set to a template.
** ocsptool: Include path in ocsp request. This resolves#108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
** API and ABI modifications:
gnutls_credentials_get: Added
* Version 3.3.2 (released 2014-05-06)
** libgnutls: Added the 'very weak' certificate verification profile
that corresponds to 64-bit security level.
** libgnutls: Corrected file descriptor leak on random generator
initialization.
** libgnutls: Corrected file descriptor leak on PSK password file
reading. Issue identified using the Codenomicon TLS test suite.
** libgnutls: Avoid deinitialization if initialization has failed.
** libgnutls: null-terminate othername alternative names.
** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
on a PKCS #11 trust list.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** libgnutls-guile: Fixed compilation issue.
** certtool: Allow exporting a CRL on DER format.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
** API and ABI modifications:
GNUTLS_PROFILE_VERY_WEAK: Added
* Version 3.3.1 (released 2014-04-19)
** libgnutls: Enforce more strict checks to heartbeat messages
concerning padding and payload. Suggested by Peter Dettman.
** libgnutls: Allow decoding PKCS #8 files with ECC parameters
from openssl.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls: The conditionally available self-test functions
were moved to self-test.h.
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided. Reported
by André Klitzing.
** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.
** libgnutls: Corrected the *get_*_othername_oid() functions.
** API and ABI modifications:
No changes since last version.
* Version 3.3.0 (released 2014-04-10)
** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.
** libgnutls: static libraries are not built by default.
** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11
modules.
** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork.
** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags for use in a verification function
using GNUTLS_PROFILE_TO_VFLAGS().
** libgnutls: Added the ability to read system-specific initial
keywords, if they are prefixed with '@'. That allows a compile-time
specified configuration file to be used to read pre-configured priority
strings from. That can be used to impose system specific policies.
** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
and set a verification profile by default. The LEGACY keyword is
introduced to set the old defaults.
** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).
** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.
** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.
** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).
** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).
** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.
** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more
efficiently.
** libgnutls: Return error when a public/private key pair that doesn't
match is set into a credentials structure.
** libgnutls: Depend on p11-kit 0.20.0 or later.
** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has
been removed. It was not approved by IETF.
** libgnutls: The experimental xssl library is removed from the gnutls
distribution.
** libgnutls: Reduced the number of gnulib modules used in the main library.
** libgnutls: Added priority string %DISABLE_WILDCARDS.
** libgnutls: Added the more extensible verification function
gnutls_certificate_verify_peers(), that allows checking, in addition
to a peer's DNS hostname, for the key purpose of the end certificate
(via PKIX extended key usage).
** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).
** certtool: When no CRL number is provided (or value set to -1), then
a time-based number will be used, similarly to the serial generation
number in certificates.
** certtool: Print the SHA256 fingerprint of a certificate in addition
to SHA1.
** libgnutls: Added --enable-fips140-mode configuration option (unsupported).
That option enables (when running on FIPS140-enabled system):
o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes)
o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
o Self-tests on initialization on ciphers/MACs, public key algorithms
and the random generator.
o HMAC-SHA256 verification of the library on load.
o MD5 is included for TLS purposes but cannot be used by the high level
hashing functions.
o All ciphers except AES are disabled.
o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
o All keys (temporal and long term) are zeroized after use.
o Security levels are adjusted to the FIPS140-2 recommendations (rather
than ECRYPT).
** API and ABI modifications:
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: Added
gnutls_certificate_verify_peers: Added
gnutls_privkey_generate: Added
gnutls_pkcs11_crt_is_known: Added
gnutls_fips140_mode_enabled: Added
gnutls_sec_param_to_symmetric_bits: Added
gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962)
gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw)
gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw)
gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw)
gnutls_pubkey_verify_params: Added
gnutls_privkey_export_ecc_raw: Added
gnutls_privkey_export_dsa_raw: Added
gnutls_privkey_export_rsa_raw: Added
gnutls_privkey_import_ecc_raw: Added
gnutls_privkey_import_dsa_raw: Added
gnutls_privkey_import_rsa_raw: Added
gnutls_privkey_verify_params: Added
gnutls_x509_crt_check_hostname2: Added
gnutls_openpgp_crt_check_hostname2: Added
gnutls_x509_name_constraints_init: Added
gnutls_x509_name_constraints_deinit: Added
gnutls_x509_crt_get_name_constraints: Added
gnutls_x509_name_constraints_add_permitted: Added
gnutls_x509_name_constraints_add_excluded: Added
gnutls_x509_crt_set_name_constraints: Added
gnutls_x509_name_constraints_get_permitted: Added
gnutls_x509_name_constraints_get_excluded: Added
gnutls_x509_name_constraints_check: Added
gnutls_x509_name_constraints_check_crt: Added
gnutls_x509_crl_get_extension_data2: Added
gnutls_x509_crt_get_extension_data2: Added
gnutls_x509_crq_get_extension_data2: Added
gnutls_subject_alt_names_init: Added
gnutls_subject_alt_names_deinit: Added
gnutls_subject_alt_names_get: Added
gnutls_subject_alt_names_set: Added
gnutls_x509_ext_import_subject_alt_names: Added
gnutls_x509_ext_export_subject_alt_names: Added
gnutls_x509_crl_dist_points_init: Added
gnutls_x509_crl_dist_points_deinit: Added
gnutls_x509_crl_dist_points_get: Added
gnutls_x509_crl_dist_points_set: Added
gnutls_x509_ext_import_crl_dist_points: Added
gnutls_x509_ext_export_crl_dist_points: Added
gnutls_x509_ext_import_name_constraints: Added
gnutls_x509_ext_export_name_constraints: Added
gnutls_x509_aia_init: Added
gnutls_x509_aia_deinit: Added
gnutls_x509_aia_get: Added
gnutls_x509_aia_set: Added
gnutls_x509_ext_import_aia: Added
gnutls_x509_ext_export_aia: Added
gnutls_x509_ext_import_subject_key_id: Added
gnutls_x509_ext_export_subject_key_id: Added
gnutls_x509_ext_export_authority_key_id: Added
gnutls_x509_ext_import_authority_key_id: Added
gnutls_x509_aki_init: Added
gnutls_x509_aki_get_id: Added
gnutls_x509_aki_get_cert_issuer: Added
gnutls_x509_aki_set_id: Added
gnutls_x509_aki_set_cert_issuer: Added
gnutls_x509_aki_deinit: Added
gnutls_x509_ext_import_private_key_usage_period: Added
gnutls_x509_ext_export_private_key_usage_period: Added
gnutls_x509_ext_import_basic_constraints: Added
gnutls_x509_ext_export_basic_constraints: Added
gnutls_x509_ext_import_key_usage: Added
gnutls_x509_ext_export_key_usage: Added
gnutls_x509_ext_import_proxy: Added
gnutls_x509_ext_export_proxy: Added
gnutls_x509_policies_init: Added
gnutls_x509_policies_deinit: Added
gnutls_x509_policies_get: Added
gnutls_x509_policies_set: Added
gnutls_x509_ext_import_policies: Added
gnutls_x509_ext_export_policies: Added
gnutls_x509_key_purpose_init: Added
gnutls_x509_key_purpose_deinit: Added
gnutls_x509_key_purpose_set: Added
gnutls_x509_key_purpose_get: Added
gnutls_x509_ext_import_key_purposes: Added
gnutls_x509_ext_export_key_purposes: Added
gnutls_digest_self_test: Added (conditionally)
gnutls_mac_self_test: Added (conditionally)
gnutls_pk_self_test: Added (conditionally)
gnutls_cipher_self_test: Added (conditionally)
gnutls_global_set_mem_functions: Deprecated
