Changes for version 1.3.1:
* Cleaned up deprecation warnings
* Fixed SNMP::Integer#<=> method for Ruby 2.3.0 and later
* Removed artificial limit on number of non-repeaters for GetBulkRequest
* SNMP::BER module no longer pollutes global namespace
v2.1.23 (2018/09/20)
* use yaml for remapping; remove json transpose code (#177)
- use yaml for remapping; remove json transpose code
- temporarily revert cpe change on win2k3
* TELNET: Initial commit (#178)
* Add better support for Array networks/ArrayOS
v.2.1.22 - 2018.09.04
* New fingerprint coverage: apache_modules.xml #174
- Adds support for performing version detection of Apache modules in HTTP
Server headers.
- Client software calling Recog is expected to split an Apache banner based
on spaces and toss the individual values at Recog.
- This is a first pass, more work will be required to fully flesh this out.
* Improved coverage: http_servers.xml #175
- Leveraging Project Sonar data from 2018.08.13 has resulted in significant
(multiple millions) improvement of fingerprinting against that data set.
- hw.* values added where possible
* Minor FTP tweaks
v.2.1.22 - 2018.08.29
* New capability: CPE 2.3 data #172
- Added preliminary support for returning CPE 2.3 information via a new
fingerprint param named service.cpe23 which can be literal strings or
interpolated values.
Example:
<param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:1"/>
or
<param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:{service.version}"/>
- Software, other than Ruby Recog, that leverages the XML directly will need
to support interpolating the values in order to fully utilize this
capability.
- Future changes to enhance this capability and make creating interpolated
results easier are expected in the near future.
- See PR #172 for more details
* Misc fingerprint updates and changes, some of which were to support CPE
changes.
- Changed the use of 'F5 Labs' to 'F5' in multiple files #171
- Change certain Cisco PIX fingerprints from 'service.' to 'os.' #170
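An added example, not Recog's own code: a minimal Python consumer of the fingerprint XML that performs the service.cpe23 interpolation described in the CPE 2.3 entry above. The fingerprint pattern, the banners and the choice to drop an attribute whose placeholder cannot be resolved are assumptions made for this example; the cpe23 value is the one quoted in the entry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fingerprint in Recog's XML layout. The pattern is invented for
# this example; the service.cpe23 value is the one quoted in the changelog.
FINGERPRINT_XML = r"""
<fingerprints matches="example.banner">
  <fingerprint pattern="^Zimbra Desktop(?: (\d+(?:\.\d+)*))?$">
    <description>Zimbra Desktop (constructed example)</description>
    <param pos="0" name="service.vendor" value="VMware"/>
    <param pos="0" name="service.product" value="Zimbra Desktop"/>
    <param pos="1" name="service.version"/>
    <param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:{service.version}"/>
  </fingerprint>
</fingerprints>
"""

# A placeholder is {param.name}; names contain no whitespace or braces.
PLACEHOLDER = re.compile(r"\{([^\s{}]+)\}")


def load_fingerprints(xml_text):
    """Return the <fingerprint> elements of one fingerprint file."""
    return ET.fromstring(xml_text).findall("fingerprint")


def match_fingerprint(fp, banner):
    """Match one fingerprint against a banner; return its params or None."""
    m = re.search(fp.get("pattern"), banner)
    if m is None:
        return None
    captured, literals = {}, {}
    for p in fp.findall("param"):
        pos, name = int(p.get("pos")), p.get("name")
        if pos == 0:
            literals[name] = p.get("value", "")      # static value or template
        elif pos <= m.re.groups and m.group(pos) is not None:
            captured[name] = m.group(pos)            # text taken from the banner
    # Values a template may reference: captures plus placeholder-free literals.
    values = dict(captured)
    values.update({n: v for n, v in literals.items() if not PLACEHOLDER.search(v)})
    result = dict(values)
    for name, template in literals.items():
        refs = PLACEHOLDER.findall(template)
        if not refs:
            continue
        if any(ref not in values for ref in refs):
            continue  # assumption: omit the attribute rather than emit "...:{x}"
        # Only pos="0" values are treated as templates. Captured banner text is
        # inserted literally and never re-scanned for placeholders.
        result[name] = PLACEHOLDER.sub(lambda ref: values[ref.group(1)], template)
    return result


def identify(banner, fingerprints=None):
    """Return the params of the first matching fingerprint, or None."""
    if fingerprints is None:
        fingerprints = load_fingerprints(FINGERPRINT_XML)
    for fp in fingerprints:
        result = match_fingerprint(fp, banner)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for sample in ("Zimbra Desktop 7.2.5", "Zimbra Desktop", "nginx"):
        print(repr(sample), "->", identify(sample))
```
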
v.2.1.20 - 2018.06.27
* Compatibility: Adjustments to the regex of multiple fingerprints to remove
negative lookaheads and other constructs that Golang doesn't support. #162
v.2.1.19 - 2018.04.16
* Improved coverage: xml/smtp_banners.xml #160
- Note: Due to an effort to clean up description lines (remove duplicates,
remove multilines, provide context, standardize format) almost every value
for <description> has changed. This will impact the value returned as
matched with tools such as DAP.
- Project Sonar SMTP survey data was used to enhance and improve the
coverage. Full details and metrics can be found in #160
- Improved the accuracy and/or flexibility of multiple fingerprints.
- Changed ALL instances of flags="REG_ICASE" to an inline flag (?i:) in
order to make the regex compatible with more languages.
- Implemented fingerprint examples for those fingerprints where examples
could be found.
- This sometimes resulted in removing fingerprints that were actually
duplicates or trivially different.
- Reworked description values so as to remove examples and ensure that this
field is unique within the file as the value of description serves as an
identifier when processing fingerprints. Multiline descriptions were
reduced to single line where possible. Many descriptions were modified.
- Fixed multiple instances where captures were under/over capturing. For
example, some fingerprints would have captured the examples but the
examples were missing leading or ending spaces. Other fingerprints were
over-broad in what they would capture leading to false positives or
misidentification.
- Fixed multiple instances where the portion of the version banner that was
captured was different between two products in the same family.
- Removed various real and example hostnames from examples and standardized
on 'foo.bar'
- Corrected system.time.format so as to match timestamp provided by service
- Reworked date regex for multiple matches to remove inadvertent requirement
for two digit day value when the banner included a single digit day.
2.0.4 (2018/03/29)
* Fix for exception bug
2.0.5 (2018/08/17)
* Fixed a bug in the Ping::HTTP class where it didn't reflect user_agent
setting to actual http request
* Fixed Ping::HTTP to support custom User-Agent
4.1:
Fix problem when socket fd is 0
Fix running on servers with disabled IPv6
Allow running "fping -h" or "--help" even when raw socket can't be opened
Fix build issue with FreeBSD and IPv6
Update bind912 to 9.12.2pl2 (BIND 9.12.2-P2).
--- 9.12.2-P2 released ---
5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
krb5-subdomain documentation. [GL !708]
5015. [bug] Reloading all zones caused zone maintenance to cease
for inline-signed zones. [GL #435]
5014. [bug] Signatures loaded from the journal for the signed
version of an inline-signed zone were not scheduled for
refresh. [GL #482]
5013. [bug] A referral response with a non-empty ANSWER section was
inadvertently being treated as an error. [GL #390]
5004. [bug] 'rndc reconfig' could cause inline zones to stop
re-signing. [GL #439]
Update bind911 to 9.11.4pl2 (BIND 9.11.4-P2).
--- 9.11.4-P2 released ---
5022. [doc] Update ms-self, ms-subdomain, krb5-self, and
krb5-subdomain documentation. [GL !708]
5015. [bug] Reloading all zones caused zone maintenance to cease
for inline-signed zones. [GL #435]
5014. [bug] Signatures loaded from the journal for the signed
version of an inline-signed zone were not scheduled for
refresh. [GL #482]
Changes:
1.5.3
-----
- Added support for:
+ hentaicafe - https://hentai.cafe/ (#101)
+ bobx - http://www.bobx.com/dark/
- Added black-/whitelist options for post-processor modules
- Added support for tumblr inline videos (#102)
- Fixed extraction of smugmug albums without owner (#100)
- Fixed issues when using default config values with reddit extractors (#104)
- Fixed pagination for user favorites on sankaku (#106)
- Fixed a crash when processing deviantart journals (#108)
Recent new features:
- client: Add ClientConn.ResetConnectBackoff to force reconnections on
demand
- channelz: stage 4 - add security and socket option info with
appengine build tags
- ClientConn: add Target() returning target string
- balancer: add rpc method to PickOptions
- transport: set and respect HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE
- client: Implement gRFC A6: configurable client-side retry support
- grpc: update dial/server buffer options to support a "disable"
setting
- credentials/alts: Add AuthInfoFromContext utility API
- status: Introduce FromContextError convenience function
- server: export ServerTransportStreamFromContext for unary
interceptors to control headers/trailers
- metadata: Add Get, Set, and Append methods to metadata.MD
- server: add grpc.Method function for extracting method from context
- grpclb: cache SubConns for 10 seconds after it is removed from the
backendlist
- clientconn: add support for unix network in DialContext
- client: introduce WithDisableServiceConfig DialOption
- stickiness: add stickiness support
- channelz: provide channel level info for live program network issue
diagnosis/debugging
Upstream changes:
Features
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
- unbound-control auth_zone_transfer _zone_ option starts the probe
sequence for a master to transfer the zone from and transfers when
a new zone version is available.
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
- dns64-ignore-aaaa: config option to list domain names for which the
existing AAAA is ignored and dns64 processing is used on the A
record.
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
if DNSSEC is not enabled. New option -R allows fallback from
resolv.conf to direct queries.
- Note RFC8162 support. SMIMEA record type can be read in by the
zone record parser.
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Add config tcp-idle-timeout (default 30s). This applies to
client connections only; the timeout on TCP connections upstream
is unaffected.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
and implement option in client responses.
- Add delay parameter to streamtcp, -d secs.
To be used when testing idle timeout.
- Expose if a query (or a subquery) was ratelimited (not src IP
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
This also introduces a change to 'ub_event_callback_type' in
libunbound/unbound-event.h.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
This limits the number of simultaneous TCP client connections
from a nominated netblock.
- Fix #4142: unbound.service.in: improvements and fixes.
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
- unbound-checkconf checks if modules exist and prints if they are
not compiled in the name of the wrong module.
- Patch for stub-no-cache and forward-no-cache options that disable
caching for the contents of that stub or forward, for when you
want immediate changes visible, from Bjoern A. Zeeb.
- Upgraded crosscompile script to include libunbound DLL in the
zipfile.
- Set libunbound to increase current, because the libunbound change
to the event callback function signature. That needs programs,
that use it, to recompile against the new header definition.
- log-servfail: yes prints log lines that say why queries are
returning SERVFAIL to clients.
- log-local-actions: yes option for unbound.conf that logs all the
local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
gives access to reply information for the client's communication
point when the callback is called before the mesh state (modules).
Changes to C and Python's inplace_callback signatures were also
necessary.
- Set defaults to yes for a number of options to increase speed and
resilience of the server. The so-reuseport, harden-below-nxdomain,
and minimal-responses options are enabled by default. They used
to be disabled by default, waiting to make sure they worked. They
are enabled by default now, and can be disabled explicitly by
setting them to "no" in the unbound.conf config file. The reuseport
and minimal options increase speed of the server, and should be
otherwise harmless. The harden-below-nxdomain option works well
together with the recently default enabled qname minimisation, this
causes more fetches to use information from the cache.
- Added serve-expired-ttl and serve-expired-ttl-reset options.
Bug Fixes
- Windows example service.conf edited with more windows specific
configuration.
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last
argument on BSDs and Windows.
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not
stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking
if the wait timer has already been started.
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to
also set the 20326 trust anchor for the root in the example code.
- Better documentation for unblock-lan-zones and insecure-lan-zones
config statements.
- Fix permission denied printed for auth zone probe random port nrs.
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
forward-tls-upstream docs.
- iana port update.
- Fix round robin for failed addresses with prefer-ip6: yes
- Note in documentation that the cert name match code needs
OpenSSL 1.1.0 or later to be enabled.
- Fix to improve systemd socket activation code file descriptor
assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
easily changed to adjust default rtt assumptions.
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available
in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of
changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
- Fix #4129 unbound-control error message with wrong cert permissions
is too cryptic.
- Fix #4130: print text describing -dd and unbound-checkconf on
config file read error at startup, the errors may have been moved
away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
- Fix use-systemd readiness signalling, only when use-systemd is yes
and not in signal handler.
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
Wrong Registry Key, reported by Brian White.
- Fix man page, say that chroot is enabled by default.
- Sort out test runs when the build directory isn't the project
root directory.
- Error if EDNS Keepalive received over UDP.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Fix #4139: Fix unbound-host leaks memory on ANY.
- Fix to remove systemd sockaddr function check, that is not
always present. Make socket activation more lenient. But not
different when socket activation is not used.
- Fix #4136: insufficiency from mismatch of FLEX capability between
released tarball and build host. Fix to unconditionally call
destroy in daemon.c.
- Make capsforid fallback QNAME minimisation aware.
- document --enable-subnet in doc/README.
- Fix #4144: dns64 module caches wrong (negative) information.
- Fix that printout of error for cycle targets is a verbosity 4
printout and does not wrongly print it is a memory error.
- Fix segfault in auth-zone read and reorder of RRSIGs.
- Fix contrib/fastrpz.patch.
- Fix warning on compile without threads.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
enabled.
- Fix only misc failure from log-servfail when val-log-level is not
enabled.
- Fix lintflags for lint on FreeBSD.
- Fix that a local-zone with a local-zone-type that is transparent
in a view with view-first, makes queries check for answers from the
local-zones defined outside of views.
2.7.2
- Update online cassette
- online api change: domain_id became simply domain name
2.7.1
- Remove route53 tests, boto recordings no longer work.
- Create a library unit test suite
- [Gehirn Web Service] fix 400 response on GET request
- Update setup.py adding cryptography to the setup.py file
- Use ImportError instead of subclass ModuleNotFoundError, which is
supported only by python 3.6
Add bind-9.12.2pl1 (BIND 9.12.2-P1) package.
Note: named(8) requires write permission to the current directory at
startup, or to the directory specified by "directory" in the options statement.
BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture. Some
of the important features of BIND-9 are:
- DNS Security
- IP version 6
- DNS Protocol Enhancements
- Views
- Multiprocessor Support
- Improved Portability Architecture
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self
This package contains the BIND 9.12 release.
- named and related libraries have been substantially refactored for
improved query performance.
- Code implementing the name server query processing logic has been
moved into a new libns library.
- The DNS Response Policy Service API (DNSRPS) is now supported.
- Log file timestamps can now also be formatted in ISO 8601 (local)
or ISO 8601 (UTC) formats.
- Added support for the EDNS Padding and Keepalive options.
- 'new-zones-directory' option sets the location where the
configuration data for zones added by rndc addzone is stored.
- The default key algorithm in rndc-confgen is now hmac-sha256.
- filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available
by default without a configure option.
- The obsolete isc-hmac-fixup command has been removed.
Add bind9.11.4pl1 (BIND 9.11.4-P1) package.
Note: named(8) requires write permission to the current directory at
startup, or to the directory specified by "directory" in the options statement.
BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture. Some
of the important features of BIND-9 are:
- DNS Security
- IP version 6
- DNS Protocol Enhancements
- Views
- Multiprocessor Support
- Improved Portability Architecture
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self
This package contains the BIND 9.11 release.
- Catalog Zones, a new method for provisioning servers
- "dnstap", a fast and flexible method of capturing and logging
DNS traffic.
- "dyndb", a new API for loading zone data from an external database
- dnssec-keymgr, a new key maintenance utility
- mdig, an alternate version of dig utility
- And more...
Upstream changes:
mikutter 3.8.0
* create a search tab if at least one search spell is defined
* explicitly specify Addressable 2.5.2 or later
* twitter: warn if User Stream API is used
* update a default message of the status bar for 3.8
* thanks @4pk
* streaming: change file layout since UserStream gone
* remove UserStream settings
* remove UserStream code
* remove unexpected executable bits in some files
* thanks Izumi Tsutsui
* remove unused devel directory
4.1.24
================
FEATURES:
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and have readiness
signalling with systemd.
- RFC8162 support, for record type SMIMEA.
BUG FIXES:
- Patch to fix openwrt for mac os build darwin detection in configure.
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.
4.1.23
================
BUG FIXES:
- Fix NSD time sensitive TSIG compare vulnerability.
4.1.22
================
FEATURES:
- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.
- Use accept4 to speed up answer of TCP queries, on Linux, FreeBSD
and OpenBSD.
BUG FIXES:
- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.
- Fix to use same condition for nsec3 hash allocation and free.
Improvements
- Split pdns_enable_unit_tests.
- Add a new max-udp-queries-per-round setting.
- Fix warnings reported by gcc 8.1.0.
- Tests: replace awk command by perl.
- Allow the snmp thread to retrieve statistics.
Bug Fixes
- Don’t account chained queries more than once.
- Make rec_control respect include-dir.
- Load lua scripts only in worker threads.
- Purge all auth/forward zone data including subtree.
Improvements
- Fix warnings reported by gcc 8.1.0.
- Make the gmysql backend future-proof.
- Initialize some missed qtypes.
Bug Fixes
- Avoid concurrent records/comments iteration from running out of
sync.
- Fix a crash in the API when adding records.
- pdns_control notify: handle slave without renotify properly.
- Reset the TSIG state between queries.
- Remove SOA-check backoff on incoming notify and fix lock handling.
- Fix an issue where updating a record via DNS-UPDATE in a child zone
that also exists in the parent zone, we would incorrectly apply the
update to the parent zone.
- Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl
return value.
Fix some pkglint warnings while here.
Wireshark 2.6.3 Release Notes
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2018-44[1]
• Bluetooth AVDTP dissector crash. Bug 14884[2]. CVE-2018-16058[3].
• wnpa-sec-2018-45[4]
• Bluetooth Attribute Protocol dissector crash. Bug 14994[5].
CVE-2018-16056[6].
• wnpa-sec-2018-46[7]
• Radiotap dissector crash. Bug 15022[8]. CVE-2018-16057[9].
The following bugs have been fixed:
• Wireshark Hangs on startup initializing external capture plugins.
Bug 14657[10].
• Qt: SCTP Analyse Association Dialog: Segmentation fault when
clicking twice the Filter Association button. Bug 14970[11].
• Incorrect presentation of dissected data item (NETMASK) in ISAKMP
dissector. Bug 14987[12].
• Decode NFAPI: CONFIG.request Error. Bug 14988[13].
• udpdump frame too long error. Bug 14989[14].
• ISDN - LAPD dissector broken since version 2.5.0. Bug 15018[15].
• ASTERIX Category 062 / 135 Altitude has wrong value. Bug
15030[16].
• Wireshark cannot decrypt SSL/TLS session if it was proxied over
HTTP tunnel. Bug 15042[17].
• TLS records in a HTTP tunnel are displayed as "Encrypted
Handshake Message". Bug 15043[18].
• BTATT Dissector: Temperature Measurement: Celsius and Fahrenheit
swapped. Bug 15058[19].
• Diameter AVP User Location Info, Mobile Network Code decoded not
correctly. Bug 15068[20].
• Heartbeat message "Info" displayed without comma separator. Bug
15079[21].
Updated Protocol Support
ASTERIX, Bluetooth, Bluetooth ATT, Bluetooth AVDTP, DHCP, DTLS,
E.212, FP, GSM A RR, HTTP, HTTP2, IEEE 802.11, ISAKMP, ISDN, K12,
NFAPI, Nordic BLE, PFCP, Radiotap, SSL, Steam IHS Discovery, and TLS
1.3
New and Updated Capture File Support
pcapng
New and Updated Capture Interfaces support
ciscodump, udpdump
3.36.0 (2018-08-27)
- Fix --site-manager command-line argument
- Fix potential crash with malformed directory listings
- Fix potential crash if opening/closing tabs or starting the queue while directories are being renamed or deleted
3.36.0-rc1 (2018-08-20)
+ Ask for explicit confirmation prior to falling back to insecure plaintext FTP if a server refuses to use TLS
+ Warn if an FTP server refuses TLS that is known from previous connections to be capable of TLS
Packaged for wip by esg@sdf.org.
Rename wip/taskd to net/taskserver to be consistent with time/taskwarrior.
The taskserver package provides a daemon to securely synchronize task data
over network.