Commit graph

6573 commits

Author SHA1 Message Date
jperkin
3dcd343e26 Update OpenSSL to 1.0.1d. Changes are far too numerous to list, the main one being
that we can now take advantage of AES-NI support in modern processors to significantly
increase performance.

Miscellaneous pkgsrc changes:

 - Remove unnecessary warning message on Solaris.
 - Fix RPATH for libgost.so.
 - MD2 support is optional, enabled by default for compatibility.
2013-02-06 21:40:33 +00:00
jperkin
73dedd67c2 PKGREVISION bumps for net/libpcap update. 2013-02-06 19:30:54 +00:00
taca
066fb95196 Update openssl to 0.9.8y.
Changes between 0.9.8x and 0.9.8y [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
2013-02-05 15:54:30 +00:00
wiz
23bfa90cfb Update HOMEPAGE and remove commented-out sf MASTER_SITE.
From Bug Hunting.
2013-02-03 12:37:40 +00:00
jperkin
aa056b4497 Bump libssh dependency. Fixes bulk builds. 2013-02-02 01:18:03 +00:00
wiz
bd06e1cb46 Reset MAINTAINER/OWNER (became observers) 2013-02-01 22:21:05 +00:00
is
ee9abb69fa Make pkg_info show the upstream version, for comparison to advisories etc. 2013-02-01 21:55:55 +00:00
is
4431c09043 fix typo 2013-02-01 21:50:45 +00:00
is
693f205dd5 Commit missing file, and fix the version gate. Thanks to Noud de Brouwer
for beta-testing the package.
2013-02-01 16:47:51 +00:00
is
55ec1ecd6f Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
        CVE-2013-0176 - NULL dereference leads to denial of service
        Fixed several NULL pointer dereferences in SSHv1.
        Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

        This is an important SECURITY and maintenance release in
        order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
        and CVE-2012-4562.

        CVE-2012-4559 - Fix multiple double free() flaws
        CVE-2012-4560 - Fix multiple buffer overflow flaws
        CVE-2012-4561 - Fix multiple invalid free() flaws
        CVE-2012-4562 - Fix multiple improper overflow checks

        (...)

Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
2013-02-01 13:33:49 +00:00
is
455b7247c1 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
	CVE-2013-0176 - NULL dereference leads to denial of service
	Fixed several NULL pointer dereferences in SSHv1.
	Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

	This is an important SECURITY and maintenance release in
	order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
	and CVE-2012-4562.

	CVE-2012-4559 - Fix multiple double free() flaws
	CVE-2012-4560 - Fix multiple buffer overflow flaws
	CVE-2012-4561 - Fix multiple invalid free() flaws
	CVE-2012-4562 - Fix multiple improper overflow checks

	(...)
2013-02-01 13:33:48 +00:00
is
2ae067baf6 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
        CVE-2013-0176 - NULL dereference leads to denial of service
        Fixed several NULL pointer dereferences in SSHv1.
        Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

        This is an important SECURITY and maintenance release in
        order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
        and CVE-2012-4562.

        CVE-2012-4559 - Fix multiple double free() flaws
        CVE-2012-4560 - Fix multiple buffer overflow flaws
        CVE-2012-4561 - Fix multiple invalid free() flaws
        CVE-2012-4562 - Fix multiple improper overflow checks

        (...)

Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
2013-02-01 13:33:48 +00:00
is
2776e9a639 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
	CVE-2013-0176 - NULL dereference leads to denial of service
	Fixed several NULL pointer dereferences in SSHv1.
	Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

	This is an important SECURITY and maintenance release in
	order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
	and CVE-2012-4562.

	CVE-2012-4559 - Fix multiple double free() flaws
	CVE-2012-4560 - Fix multiple buffer overflow flaws
	CVE-2012-4561 - Fix multiple invalid free() flaws
	CVE-2012-4562 - Fix multiple improper overflow checks

	(...)
2013-02-01 13:33:48 +00:00
jperkin
c3a27bbb2c Fix the first master site. 2013-02-01 13:13:22 +00:00
hans
6767f272e2 Use LIBABISUFFIX when creating the .pc files to make builtin openssl
work on 64bit SunOS and possibly others.
2013-02-01 12:34:15 +00:00
wiz
45f7f4801f Update mozilla root certificates to 20121229 version. 2013-01-31 09:39:00 +00:00
wiz
fc72743c12 automake-1.13 compat. 2013-01-26 23:11:13 +00:00
wiz
b9abce0be5 Fix for automake-1.13. 2013-01-26 22:02:06 +00:00
adam
f4c3b89da7 Revbump after graphics/jpeg and textproc/icu 2013-01-26 21:36:13 +00:00
wiz
1506ee79da Fix build with automake-1.13. 2013-01-23 17:26:27 +00:00
riz
3c49e35bd9 Set up PLIST_VARS for ppc and arm, and use them to point out that arm
doesn't have hardware timer support, so gets one less file installed.

Package builds on evbarm now.
2013-01-23 16:45:27 +00:00
rhaen
3f8c8e9872 - updated to 2.15
ChangeLog:

2.15    2012-09-07      Abhijit Menon-Sen <ams@toroid.org>

    * Include 'strict' in PREREQ_PM to silence cpantesters. No
      functional changes.
2013-01-23 10:25:06 +00:00
drochner
493b718e01 wants to use pkg-config 2013-01-15 11:29:21 +00:00
drochner
de3d2f7e3e add patch from upstream to fix possible keyring corruption
on import of corrupted keys (CVE-2012-6085), bump PKGREV
from "Bug Hunting" per PR pkg/47442
2013-01-15 11:21:50 +00:00
wiz
5f87e1e66e Update to 5.81:
5.81  Mon Jan 14 05:17:08 MST 2013
	- corrected load subroutine (SHA.pm) to prevent double-free
		-- Bug #82655: Security issue - segfault
		-- thanks to Victor Efimov and Nicholas Clark
			for technical expertise and suggestions

5.80  Mon Dec 10 14:15:26 MST 2012
	- obtained noticeable speedup on Intel/gcc
		-- by setting -O1 and -fomit-frame-pointer
		-- SHA-1 about 63% faster, SHA-2 improves 11-20%

5.74  Sat Nov 24 03:10:18 MST 2012
	- handle wide-string input by converting to bytes first
		-- viz. use SvPVbyte instead of SvPV in SHA.xs
		-- thanks to Eric Brine for summary and code

5.73  Wed Oct 31 04:32:44 MST 2012
	- provided workaround for DEC compiler bug (ref. Makefile.PL)
2013-01-15 10:47:15 +00:00
bouyer
1d78aa3458 Add p5-Authen-Simple 2013-01-14 14:44:29 +00:00
bouyer
73c1400f37 Import security/p5-Authen-Simple version 0.5
Simple and consistent framework for authentication.
2013-01-14 14:43:55 +00:00
riz
82693b6ea5 Detect arm MACHINE_ARCH, and set --cpu accordingly, so it can build
on NetBSD ARM platforms.  Tested on my Sheevaplug.

XXX will probably need similar treatment for mips and sh3.
2013-01-12 20:52:27 +00:00
jperkin
a2f14df810 Switch HPN patch site to the one FreeBSD uses, upstream have hidden it
behind a session-based page.
2013-01-11 12:41:16 +00:00
joerg
81775e6ac4 Explicitly include sys/vmmeter.h on NetBSD now. 2013-01-11 00:06:21 +00:00
joerg
cb8bd56423 Match pcap_handler. Add missing includes. 2013-01-11 00:05:53 +00:00
jym
12c2e784d4 Update to 4.54. Changelog:
New Win32 features
        FIPS module updated to version 2.0.
        OpenSSL DLLs updated to version 1.0.1c.
        zlib DLL updated to version 1.2.7.
        Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost, nuron, padlock, sureware, ubsec.

Other new features
        "session" option renamed to more readable "sessionCacheTimeout". The old name remains accepted for backward compatibility.
        New service-level "sessionCacheSize" option to control session cache size.
        New service-level option "reset" to control whether TCP RST flag is used to indicate errors. The default value is "reset = yes".
        New service-level option "renegotiation" to disable SSL renegotiation. This feature is based on a public-domain patch by Janusz Dziemidowicz.
        New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx to Janusz Dziemidowicz).
        New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1 or higher (thx to Henrik Riomar).

Bugfixes
        Fixed "Application Failed to Initialize Properly (0xc0150002)" error.
        Fixed missing SSL state debug log entries.
        Fixed a race condition in libwrap code resulting in random stalls (thx to Andrew Skalski).
        Session cache purged at configuration file reload to reduce memory leak. Remaining leak of a few kilobytes per section is yet to be fixed.
        Fixed regression bug in "transparent = destination" functionality (thx to Stefan Lauterbach). This bug was introduced in stunnel 4.51.
        "transparent = destination" is now a valid endpoint in inetd mode.
        "delay = yes" fixed to work even if specified *after* "connect" option.
        Multiple "connect" targets fixed to also work with delayed resolver.
        The number of resolver retries of EAI_AGAIN error has been limited to 3 in order to prevent infinite loops.

Fix some directory owner/group rights and take over maintainership as I
use it almost daily.
2013-01-08 23:45:39 +00:00
pettai
a37b3082fb back out unnecessary rev bump. 2013-01-08 22:51:39 +00:00
wiz
a4eb049219 Fix idea on big-endian hosts.
From http://bugs.g10code.com/gnupg/issue1461

Reported by tez.

Bump PKGREVISION.
2013-01-07 21:53:53 +00:00
wiz
6a4a8f349c Remove obsolete line. Noted by tez. 2013-01-07 21:47:32 +00:00
wiz
a235034233 Remove a superfluous line (hi tron!) 2013-01-07 21:47:01 +00:00
pettai
f611dfd64a Updated buildlink3.mk to newer API version 2013-01-07 19:33:22 +00:00
wiz
0517f8408c Remove idea option -- included in standard distfile now. 2013-01-07 12:26:56 +00:00
tron
d6f0e1a9cc Re-add checksums for "idea.c.gz" which got removed during the last update. 2013-01-07 08:17:43 +00:00
pettai
2fb1f4292f 1.4.8:
-Add support of
       . SCR3310-NTTCom USB (was removed in version 1.4.6)
       . Inside Secure VaultIC 420 Smart Object
       . Inside Secure VaultIC 440 Smart Object
    - Wait up to 3 seconds for reader start up
    - Add support of new PC/SC V2 part 10 properties:
        . dwMaxAPDUDataSize
        . wIdVendor
        . wIdProduct
    - Use helper functions from libPCSCv2part10 to parse the PC/SC v2
      part 10 features

1.4.7:
    -Add support of
       . ACS ACR101 ICC Reader
       . ACS CryptoMate64
       . Alcor Micro AU9522
       . Bit4id CKey4
       . Bit4id cryptokey
       . Bit4id iAM
       . Bit4id miniLector
       . Bit4id miniLector-s
       . CCB eSafeLD
       . Gemalto Ezio Shield Branch
       . KOBIL Systems IDToken
       . NXP PR533
    - KOBIL Systems IDToken special cases:
       . Give more time (3 seconds instead of 2) to the reader to answer
       . Hack for the Kobil IDToken and German eID card. The German eID
         card is bogus and needs to be powered off before a power on
       . Add Reader-Info-Commands special APDU/command
         - Manufacturer command
         - Product name command
         - Firmware version command
         - Driver version command
    - Use auto suspend for CCID devices only (Closes Alioth bug
      [#313445] "Do not activate USB suspend for composite devices:
      keyboard")
    - Fix some error management in the T=1 TPDU state machine
    - some minor bugs removed
    - some minor improvements added

1.4.6:
    -Add support of
       . Avtor SC Reader 371
       . Avtor SecureToken
       . DIGIPASS KEY 202
       . Fujitsu SmartCase KB SCR eSIG
       . Giesecke & Devrient StarSign CUT
       . Inside Secure VaultIC 460 Smart Object
       . Macally NFC CCID eNetPad reader
       . OmniKey 6321 USB
       . SCM SDI 011
       . Teridian TSC12xxF
       . Vasco DIGIPASS KEY 101
    - Remove support of readers without a USB CCID descriptor file
       . 0x08E6:0x34C1:Gemalto Ezio Shield Secure Channel
       . 0x08E6:0x34C4:Gemalto Ezio Generic
       . 0x04E6:0x511A:SCM SCR 3310 NTTCom
       . 0x0783:0x0008:C3PO LTC32 USBv2 with keyboard support
       . 0x0783:0x9002:C3PO TLTC2USB
       . 0x047B:0x020B:Silitek SK-3105
    - Disable SPE for HP USB CCID Smartcard Keyboard. The reader is
      bogus and unsafe.
    - Convert "&" in a reader name into "&amp;" to fix a problem on Mac OS X
    - Fix a problem with ICCD type A devices. We now wait for device ready
    - Secure PIN Verify and PIN Modify: set the minimum timeout to 90
      seconds
    - Add support of wIdVendor and wIdProduct properties
    - Add support of dwMaxAPDUDataSize
    - Add support of Gemalto firmware features
    - some minor bugs removed
2013-01-06 16:10:39 +00:00
pettai
c845c78658 pcsc-lite-1.8.7:
- Fix a problem when a reader is unplugged (and the reader is still in use)

pcsc-lite-1.8.6:
- Fix a problem when only serial drivers are used (no hotplug/USB
  driver)
- increase log buffer size from 160 to 2048. Some "long" log lines were
  truncated.
- Fix redirection of stdin, stdout and stderr to /dev/null when pcscd is
  started as a daemon (default)
- Some other minor improvements and bug corrections

pcsc-lite-1.8.5:
- Fix crash when a reader is unplugged while pcscd is in the middle of a
  PC/SC function
- SCardBeginTransaction(): fix a bug introduced in version 1.8.4
  related to sharing
- Some other minor improvements and bug corrections

pcsc-lite-1.8.4:
- Add [ and ] in the list of accepted characters for a reader name
- truncates the reader name if it is too long instead of rejecting the
  reader
- The restriction to have to call SCardEstablishContext() in each thread
  has been removed. Threads could now share a PC/SC context.
- Fix compiler failure for static driver
- Update IFDHandler API Doxygen regarding the "libusb-1.0" naming scheme
- Some other minor improvements and bug corrections

pcsc-lite-1.8.3:
- ignore directories and hidden (.*) files when parsing a configuration
  directory (like /etc/reader.conf.d/)
- add Mac OS X for PC/SC spy tool
- fix a bug in PC/SC spy tool when loading of the real library fails
- add PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize,
  PCSCv2_PART10_PROPERTY_wIdVendor and PCSCv2_PART10_PROPERTY_wIdProduct
  from PC/SC v2 part 10 release 2.02.09 (not yet published)
- Some other minor improvements and bug corrections

pcsc-lite-1.8.2:
- rename pcsc-spy.py to pcsc-spy and install it as a normal binary (in
  /usr/local/bin by default)
- write a pcsc-spy.1 manpage
- fix a bug with a multi-slot reader
- Info.plist parser: avoid a buffer read overflow in &amp; management
- Some Doxygen improvements

pcsc-lite-1.8.1:
- Distribute missing files from src/spy/

pcsc-lite-1.8.0:
- PC/SC spy tool
- Support systemd socket activation (the auto start of pcscd from the
  library has been removed. Use systemd instead)
- SCardGetStatusChange(): check all the readers are already known and
  return SCARD_E_UNKNOWN_READER if a reader name is not present.
  Windows XP has this behavior.
- SCardEstablishContext(): Invalidate all the handles in the son after a
  fork
- Add define of FEATURE_EXECUTE_PACE from PCSC v2 Part 10 Amendment 1
  2011-06-03
- Fix some memory leaks reported by Coverity
- Enable silent build by default
- log_line(): correctly calculate delta time when no color is used
  The update of last_time was only done in case of colorization
  (LogDoColor). So on unsupported consoles the time was wrong.
- log_xxd_always(): Use a variable-length array
  The debug message buffer is no more with a fixed size (around 600
  bytes of buffer to log) but uses a variable-length array.
  It is now possible to log extended APDU of 64kB.
  The variable-length array feature is available in GCC in C90 mode and
  is mandatory in C99 standard.
- Some other minor improvements and bug corrections
2013-01-06 16:02:21 +00:00
spz
6c6cc3567e update of gnupg
Fixes CVE-2012-6085

Upstream Changes:
    * Add support for the old cipher algorithm IDEA.

    * Minor bug fixes.

    * Small changes to better cope with future OpenPGP and GnuPG
      features.
2013-01-06 14:50:47 +00:00
obache
26cad1ebdb Update ruby-simple_oauth to 0.2.0.
* Fix "URI.escape is obsolete" warnings on Ruby>=1.9
* Alias encode to escape and decode to unescape
2013-01-05 05:23:15 +00:00
sbd
5070c0f153 Disable-libudev as pkg-config can not find libudev.pc. 2013-01-02 07:02:53 +00:00
bsiegert
f4e5cfe47e Add #ifdef __OpenBSD__ to some of the patches, to fix compilation on
OpenBSD and MirBSD.

Freeze exception granted by wiz.
2012-12-27 21:04:11 +00:00
joerg
7c675ec6ba Disable integrated assembler with Clang, it doesn't like some of the
Intel assembler parts.
2012-12-24 21:15:32 +00:00
obache
bcab4977d5 Update ruby-twitter_oauth to 0.4.4.
* added totals method
* added a note about repeat authorizations
* added documentation about pin-based flow
* fixed textile formatting
* using the https endpoint for all oauth negotiation
* made the api host and version configurable
* wrapping the json parse error so you can programmatically access the response
* added configurable search host
2012-12-23 07:09:36 +00:00
joerg
5130b62dec Rpath is a linker flag, so use -Wl. 2012-12-22 20:03:06 +00:00
joerg
d1262b44af Fix template look up. Don't declare constants with non-default
constructor.
2012-12-22 02:29:36 +00:00
joerg
9927d30623 Ensure correct initialisation. Bump revision. 2012-12-22 02:27:56 +00:00