Commit graph

264746 commits

Author SHA1 Message Date
adam
bea3a653f1 SQLite Release 3.19.2 On 2017-05-25
Fix more bugs in the LEFT JOIN flattening optimization. Ticket 7fde638e94287d2c.


Changes carried forward from version 3.19.1 (2017-05-24):

Fix a bug in the LEFT JOIN flattening optimization. Ticket cad1ab4cb7b0fc.
Remove a surplus semicolon that was causing problems for older versions of MSVC.
2017-05-31 17:31:51 +00:00
jym
10ed3411f1 For an unknown reason the program fails silently when called with open(1)
on latest Sierra.
So exec the program directly instead of using open(1).
2017-05-31 17:10:01 +00:00
manu
2633d9211a LDAP EXOP patch fix
A code repetition caused add and modify operations to be done twice.
2017-05-31 14:09:30 +00:00
jmcneill
8b0fd82be1 Change to DTS_DIR before running dtc so include "foo.dtsi" does the right
thing.
2017-05-31 13:24:31 +00:00
jym
ea43ac12e4 Added pinentry-mac version 0.9.4.
This is a Darwin-ported pinentry, which works natively without
pulling in gtk or qt4 dependencies. It is independent from the
original collection of pinentry tools, and grew its own code and
repository, although it still uses Assuan protocol internally (and
can therefore be integrated with gpg-agent and enigmail under Mac OS).

Note that it uses xcodebuild instead of autotools and generates an App.
I decided to copy over the .app as under libexec and rely on sh script
for invocation, App cannot be called through symlinks.

Description:
This is a collection of simple PIN or passphrase entry dialogs which
utilize the Assuan protocol as described by the aegypten project.
It provides programs for several graphical toolkits, such as GTK+ and
QT, as well as for the console, using curses.
This package is a port of the pinentry tool for Darwin.
2017-05-31 12:26:50 +00:00
jym
7d060ca17d Hook pinentry-mac to the build. 2017-05-31 12:21:03 +00:00
jym
af423e21f7 Initial import of pinentry-mac, version 0.9.4.
This is a Darwin-ported pinentry, which works natively without
pulling in gtk or qt4 dependencies. It is independent from the
original collection of pinentry tools, and grew its own code and
repository, although it still uses Assuan protocol internally (and
can therefore be integrated with gpg-agent and enigmail under Mac OS).

Note that it uses xcodebuild instead of autotools and generates an App.
I decided to copy over the .app as under libexec and rely on sh script
for invocation, App cannot be called through symlinks.

Description:
This is a collection of simple PIN or passphrase entry dialogs which
utilize the Assuan protocol as described by the aegypten project.
It provides programs for several graphical toolkits, such as GTK+ and
QT, as well as for the console, using curses.
This package is a port of the pinentry tool for Darwin.
2017-05-31 12:19:16 +00:00
adam
f706e74874 Updated www/nghttp2 to 1.23.1; mail/dovecot2 to 2.2.30 2017-05-31 11:05:32 +00:00
adam
7ae4a5ed70 Changes 2.2.30:
* auth: Use timing safe comparisons for everything related to
  passwords. It's unlikely that these could have been used for
  practical attacks, especially because Dovecot delays and flushes all
  failed authentications in 2 second intervals. Also it could have
  worked only when passwords were stored in plaintext in the passdb.
* master process sends SIGQUIT to all running children at shutdown,
  which instructs them to close all the socket listeners immediately.
  This way restarting Dovecot should no longer fail due to some
  processes keeping the listeners open for a long time.

+ auth: Add passdb { mechanisms=none } to match separate passdb lookup
+ auth: Add passdb { username_filter } to use passdb only if user
  matches the filter. See https://wiki2.dovecot.org/PasswordDatabase
+ dsync: Add dsync_commit_msgs_interval setting. It attempts to commit
  the transaction after saving this many new messages. Because of the
  way dsync works, it may not always be possible if mails are copied
  or UIDs need to change.
+ imapc: Support imapc_features=search without ESEARCH extension.
+ imapc: Add imapc_features=fetch-bodystructure to pass through remote
  server's FETCH BODY and BODYSTRUCTURE.
+ imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the
  remote server.
+ passdb imap: Add allow_invalid_cert and ssl_ca_file parameters.
+ If dovecot.index.cache corruption is detected, reset only the one
  corrupted mail instead of the whole file.
+ doveadm mailbox status: Add "firstsaved" field.
+ director_flush_socket: Add old host's up/down and vhost count as parameters
- More fixes to automatically fix corruption in dovecot.list.index
- dsync-server: Fix support for dsync_features=empty-header-workaround
- imapc: Various bugfixes, including infinite loops on some errors
- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't
  enabled modseq tracking via CONDSTORE/QRESYNC.
- fts-lucene: Fix it to work again with mbox format
- Some internal error messages may have contained garbage in v2.2.29
- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys
  are used. Otherwise the copied mails can't be opened.
- vpopmail: Fix compiling
2017-05-31 11:04:37 +00:00
fhajny
003f1061c5 Updated net/py-lexicon to 2.1.5 2017-05-31 10:35:34 +00:00
fhajny
c9877b7932 Update net/py-lexicon to 2.1.5.
- Fix logging TypeError
2017-05-31 10:35:24 +00:00
taca
255acacda4 Do not always execute ${RUBYGEM}.
Thanks to wiz@ who noted via private e-mail.
2017-05-31 10:27:37 +00:00
adam
b3a69b6167 Changes 1.23.1:
This release fixes the bug which makes nghttpx crash in OCSP response verification with certain kind of OCSP response.
2017-05-31 10:24:48 +00:00
jperkin
3b53d603cd openssh update was done. 2017-05-31 09:54:26 +00:00
wiz
e11bde5405 Updated net/syncthing to 0.14.29 2017-05-31 09:41:04 +00:00
wiz
f5627d1f92 Updated syncthing to 0.14.29.
This is a regularly scheduled stable release.

Resolved issues:

    #3895: The layout of the global changes dialog is improved
    #4123: Running as root or SYSTEM now triggers a warning recommending against it
    #4127: Changing the theme no longer causes an HTTP error
    #4143: The file paths in the failed files dialog are now correct on Windows
2017-05-31 09:40:53 +00:00
jperkin
7e392a5dd6 Updated security/openssh to 7.5.1 2017-05-31 09:30:34 +00:00
jperkin
e957d1c1ba Update security/openssh to 7.5p1.
Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * This release deprecates the sshd_config UsePrivilegeSeparation
   option, thereby making privilege separation mandatory. Privilege
   separation has been on by default for almost 15 years and
   sandboxing has been on by default for almost the last five.

 * The format of several log messages emitted by the packet code has
   changed to include additional information about the user and
   their authentication state. Software that monitors ssh/sshd logs
   may need to account for these changes. For example:

   Connection closed by user x 1.1.1.1 port 1234 [preauth]
   Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
   Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]

   Affected messages include connection closure, timeout, remote
   disconnection, negotiation failure and some other fatal messages
   generated by the packet code.

 * [Portable OpenSSH only] This version removes support for building
   against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
   versions prior to 1.0.1 over 12 months ago (i.e. they no longer
   receive fixes for security bugs).

Changes since OpenSSH 7.4
=========================

This is a bugfix release.

Security
--------

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entirely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be manipulated by a hostile server to
   perform a path-traversal attack, creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

New Features
------------

 * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
   algorithm lists, e.g. Ciphers=-*cbc. bz#2671

Bugfixes
--------

 * sshd(1): Fix NULL dereference crash when key exchange start
   messages are sent out of sequence.

 * ssh(1), sshd(8): Allow form-feed characters to appear in
   configuration files.

 * sshd(8): Fix regression in OpenSSH 7.4 support for the
   server-sig-algs extension, where SHA2 RSA signature methods were
   not being correctly advertised. bz#2680

 * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
   known_hosts processing. bz#2591 bz#2685

 * ssh(1): Allow ssh to use certificates accompanied by a private key
   file but no corresponding plain *.pub public key. bz#2617

 * ssh(1): When updating hostkeys using the UpdateHostKeys option,
   accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
   Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
   methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
   method. bz#2650

 * ssh(1): Detect and report excessively long configuration file
   lines. bz#2651

 * Merge a number of fixes found by Coverity and reported via Redhat
   and FreeBSD. Includes fixes for some memory and file descriptor
   leaks in error paths. bz#2687

 * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692

 * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
   "\r\n" if the length of the message exceeds the buffer. bz#2688

 * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
   line; avoid confusion over IPv6 addresses and shells that treat
   square bracket characters specially.

 * ssh-keygen(1): Fix corruption of known_hosts when running
   "ssh-keygen -H" on a known_hosts containing already-hashed entries.

 * Fix various fallout and sharp edges caused by removing SSH protocol
   1 support from the server, including the server banner string being
   incorrectly terminated with only \n (instead of \r\n), confusing
   error messages from ssh-keyscan bz#2583 and a segfault in sshd
   if protocol v.1 was enabled for the client and sshd_config
   contained references to legacy keys bz#2686.

 * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683

 * sshd(8): Fix Unix domain socket forwarding for root (regression in
   OpenSSH 7.4).

 * sftp(1): Fix division by zero crash in "df" output when server
   returns zero total filesystem blocks/inodes.

 * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
   encountered during key loading to more meaningful error codes.
   bz#2522 bz#2523

 * ssh-keygen(1): Sanitise escape sequences in key comments sent to
   printf but preserve valid UTF-8 when the locale supports it;
   bz#2520

 * ssh(1), sshd(8): Return reason for port forwarding failures where
   feasible rather than always "administratively prohibited". bz#2674

 * sshd(8): Fix deadlock when AuthorizedKeysCommand or
   AuthorizedPrincipalsCommand produces a lot of output and a key is
   matched early. bz#2655

 * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659

 * ssh(1): Fix typo in ~C error message for bad port forward
   cancellation. bz#2672

 * ssh(1): Show a useful error message when included config files
   can't be opened; bz#2653

 * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
   (previously incorrectly) advertised. bz#2637

 * sshd_config(5): Repair accidentally-deleted mention of %k token
   in AuthorizedKeysCommand; bz#2656

 * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665

 * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
   common 32-bit compatibility library directories.

 * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
   response handling.

 * ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
   keys. It was not possible to delete them except by specifying
   their full physical path. bz#2682

Portability
-----------

 * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
   crypto coprocessor.

 * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
   inspection.

 * ssh(1): Fix X11 forwarding on OSX where X11 was being started by
   launchd. bz#2341

 * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
   contain non-printable characters where the codeset in use is ASCII.

 * build: Fix builds that attempt to link a kerberised libldns. bz#2603

 * build: Fix compilation problems caused by unconditionally defining
   _XOPEN_SOURCE in wide character detection.

 * sshd(8): Fix sandbox violations for clock_gettime vDSO syscall
   fallback on some Linux/X32 kernels. bz#2142
2017-05-31 09:30:21 +00:00
adam
1eef106aaf Updated devel/py-requests to 2.17.3; www/py-werkzeug to 0.12.2; www/py-httpbin to 0.5.0; security/py-cryptography_vectors to 1.9 2017-05-31 08:59:31 +00:00
jperkin
cf4ca31dc5 Apply patch from upstream to fix SSE2 include. 2017-05-31 08:52:40 +00:00
adam
74dc92a226 Changes 1.9:
BACKWARDS INCOMPATIBLE: Elliptic Curve signature verification no longer returns True on success. This brings it in line with the interface's documentation, and our intent. The correct way to use :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify` has always been to check whether or not :class:`~cryptography.exceptions.InvalidSignature` was raised.
BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.7 and 10.8.
BACKWARDS INCOMPATIBLE: The minimum supported PyPy version is now 5.3.
Python 3.3 support has been deprecated, and will be removed in the next cryptography release.
Add support for providing tag during :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
Fixed an issue preventing cryptography from compiling against LibreSSL 2.5.x.
Added :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size` and :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size` as convenience methods for determining the bit size of a secret scalar for the curve.
Accessing an unrecognized extension marked critical on an X.509 object will no longer raise an UnsupportedExtension exception, instead an :class:`~cryptography.x509.UnrecognizedExtension` object will be returned. This behavior was based on a poor reading of the RFC, unknown critical extensions only need to be rejected on certificate verification.
The CommonCrypto backend has been removed.
MultiBackend has been removed.
Whirlpool and RIPEMD160 have been deprecated.
2017-05-31 08:50:45 +00:00
adam
f547ab3f7f Changes 0.5.0:
- Allow /redirect-to to work with multiple methods
- Allow MD5 or SHA-256 to be chosen as algorithms for HTTP Digest Auth
- Set a 10MB limit on /drip
2017-05-31 08:36:33 +00:00
adam
345b8a0514 Version 0.12.2
--------------
- Fix regression: Pull request ``892`` prevented Werkzeug from correctly
  logging the IP of a remote client behind a reverse proxy, even when using
  `ProxyFix`.
- Fix a bug in `safe_join` on Windows.
2017-05-31 08:24:38 +00:00
tron
adc49f377d Note update of the "mutt" package to version 1.8.3 2017-05-31 07:52:37 +00:00
tron
a49310f6f6 Update "mutt" package to version 1.8.3. Changes since 1.8.2:
This is a bug-fix release.  Of note to Gmail users is a potential crash
fix when copy/moving messages to its Trash folder.
2017-05-31 07:52:00 +00:00
schmonz
aa9f02be3c Updated mail/qmail-run to 20170531 2017-05-31 07:08:12 +00:00
schmonz
44e68bd1ad Add dependency on qmail-qfilter. Deprecate qmail-qfilter-queue in favor
of qmail-qfilter-{ofmipd,smtpd}-queue, and document how to enable
filtering for incoming and submitted messages. Bump version.
2017-05-31 07:08:04 +00:00
adam
2a7c3bf465 2.17.2 (2017-05-29)
**Improvements**
- Improved ``packages`` namespace identity support, for monkeypatching libraries.
2017-05-31 06:30:25 +00:00
maya
b2671b0d47 sxhkd, bspwm, xinit 2017-05-31 05:31:16 +00:00
maya
c52fc84a93 xinit: don't use GNU expr extensions
Already committed upstream and in NetBSD

From John Vogel
2017-05-31 05:29:34 +00:00
maya
eaa96c0dba bspwm: update to 0.9.2
From John Vogel
2017-05-31 05:22:09 +00:00
maya
5675360d7b sxhkd: update to 0.5.7
Changes: https://github.com/baskerville/sxhkd/commits/master

From John Vogel
2017-05-31 05:15:47 +00:00
nonaka
8bbc6cbe01 Updated misc/iwatch to 1.0.4. 2017-05-31 04:01:27 +00:00
nonaka
6865b52e1f Update iwatch to 1.0.4.
* Support decimal fraction for the interval prefix
* Support highlighting by changing color and attributes
* Fix English from Preben Guldberg
* Improve manage from Preben Guldberg
2017-05-31 03:59:45 +00:00
maya
ab1cda3db3 sudo: include the full regen of configure script.
I tried to exclude a hunk that seemed new, but that is probably wrong.

It didn't cause problems on my end at first, but does fail for others.
2017-05-31 02:33:12 +00:00
maya
875cc11a69 sudo: workaround deficiencies in netbsd 6,7
NetBSD 7 doesn't define WCONTINUED or WIFCONTINUED, so provide
failure fallback definitions.

Thanks nonaka for the heads up.
2017-05-31 02:22:02 +00:00
gdt
e26b3db043 Catch PLIST up with reality
ok mef@.
2017-05-30 22:47:57 +00:00
gdt
d17744c27a Add patch to resolve gpgsm S/MIME failures
S/MIME messages encrypted with gpgsm are sometimes not decodable by
other implementations.  Discussion on gnupg-devel indicates that gpg
(via libksba) is incorrectly dropping leading zeros from the encrypted
session key.  This commit adds a patch by Daiki Ueno from the
mailing list that appears to improve interoperability.  Upstream has
not yet applied it, but also has not said that it is wrong.
2017-05-30 22:40:17 +00:00
alnsn
21845fa912 Updated devel/py-lupa to 1.4nb1. 2017-05-30 22:01:56 +00:00
alnsn
7d50c70bb6 Add support for Lua 5.1 and 5.2. Add "luajit" option (off by default).
Bump PKGREVISION.
2017-05-30 21:59:56 +00:00
joerg
1f0b03dbec Needs setuptools_scm. 2017-05-30 20:31:11 +00:00
bsiegert
233458174a Remove MESSAGE, bump revision.
The expected use case for mosh is using ssh for authentication, by just
running "mosh username@host". No need to spawn mosh-server and -client
manually.
2017-05-30 18:26:49 +00:00
jperkin
fbe04431c1 Updated fonts/fontconfig to 2.12.1nb1 2017-05-30 16:53:23 +00:00
jperkin
9911f03667 Apply upstream patch for https://bugs.freedesktop.org/show_bug.cgi?id=97546
which fixes cache generation on OSX.  Raised in joyent/pkgsrc#506.

Bump PKGREVISION.
2017-05-30 16:53:14 +00:00
maya
5c81d76ac3 sudo 2017-05-30 16:15:32 +00:00
maya
cf293d2709 sudo: update to 1.8.20p1.
Fixes CVE-2017-1000367, local privilege escalation on linux.

What's new in Sudo 1.8.20p1

 * Fixed "make check" when using OpenSSL or GNU crypt.
   Bug #787.

 * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux
   when the process name contains spaces.  Since the user has control
   over the command name, this could potentially be used by a user
   with sudo access to overwrite an arbitrary file on systems with
   SELinux enabled.  Also stop performing a breadth-first traversal
   of /dev when looking for the device; only a hard-coded list of
   directories are checked.

What's new in Sudo 1.8.20

 * Added support for SASL_MECH in ldap.conf. Bug #764

 * Added support for digest matching when the command is a glob-style
   pattern or a directory. Previously, only explicit path matches
   supported digest checks.

 * New "fdexec" Defaults option to control whether a command
   is executed by path or by open file descriptor.

 * The embedded copy of zlib has been upgraded to version 1.2.11.

 * Fixed a bug that prevented sudoers include files with a relative
   path starting with the letter 'i' from being opened.  Bug #776.

 * Added support for command timeouts in sudoers.  The command will
   be terminated if the timeout expires.

 * The SELinux role and type are now displayed in the "sudo -l"
   output for the LDAP and SSSD backends, just as they are in the
   sudoers backend.

 * A new command line option, -T, can be used to specify a command
   timeout as long as the user-specified timeout is not longer than
   the timeout specified in sudoers.  This option may only be
   used when the "user_command_timeouts" flag is enabled in sudoers.

 * Added NOTBEFORE and NOTAFTER command options to the sudoers
   backend similar to what is already available in the LDAP backend.

 * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
   crypt instead of the SHA2 implementation bundled with sudo.

 * Fixed a compilation error on systems without the stdbool.h header
   file.  Bug #778.

 * Fixed a compilation error in the standalone Kerberos V authentication
   module.  Bug #777.

 * Added the iolog_flush flag to sudoers which causes I/O log data
   to be written immediately to disk instead of being buffered.

 * I/O log files are now created with group ID 0 by default unless
   the "iolog_user" or "iolog_group" options are set in sudoers.

 * It is now possible to store I/O log files on an NFS-mounted
   file system where uid 0 is remapped to an unprivileged user.
   The "iolog_user" option must be set to a non-root user and the
   top-level I/O log directory must exist and be owned by that user.

 * Added the restricted_env_file setting to sudoers which is similar
   to env_file but its contents are subject to the same restrictions
   as variables in the invoking user's environment.

 * Fixed a use after free bug in the SSSD backend when the fqdn
   sudoOption is enabled and no hostname value is present in
   /etc/sssd/sssd.conf.

 * Fixed a typo that resulted in a compilation error on systems
   where the killpg() function is not found by configure.

 * Fixed a compilation error with the included version of zlib
   when sudo was built outside the source tree.

 * Fixed the exit value of sudo when the command is terminated by
   a signal other than SIGINT.  This was broken in sudo 1.8.15 by
   the fix for Bug #722.  Bug #784.

 * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
   option could not be used in a positive boolean context, only
   a negative one.

 * Fixed an issue where sudo would consume stdin if it was not
   connected to a tty even if log_input is not enabled in sudoers.
   Bug #786.

 * Clarify in the sudoers manual that the #includedir directive
   diverts control to the files in the specified directory and,
   when parsing of those files is complete, returns control to the
   original file.  Bug #775.

What's new in Sudo 1.8.19p2

 * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
   or network is used in a host-based Defaults entry.  Bug #766

 * Added a missing check for the ignore_iolog_errors flag when
   the sudoers plugin generates the I/O log file path name.

 * Fixed a typo in sudo's vsyslog() replacement that resulted in
   garbage being logged to syslog.

What's new in Sudo 1.8.19p1

 * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
   syslog priority and facility being used.

What's new in Sudo 1.8.19

 * New "syslog_maxlen" Defaults option to control the maximum size of
   syslog messages generated by sudo.

 * Sudo has been run against PVS-Studio and any issues that were
   not false positives have been addressed.

 * I/O log files are now created with the same group ID as the
   parent directory and not the invoking user's group ID.

 * I/O log permissions and ownership are now configurable via the
   "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults
   variables.

 * Fixed configuration of the sudoers I/O log plugin debug subsystem.
   Previously, I/O log information was not being written to the
   sudoers debug log.

 * Fixed a bug in visudo that broke editing of files in an include
   dir that have a syntax error.  Normally, visudo does not edit
   those files, but if a syntax error is detected in one, the user
   should get a chance to fix it.

 * Warnings about unknown or unparsable sudoers Defaults entries now
   include the file and line number of the problem.

 * Visudo will now use the file and line number information about an
   unknown or unparsable Defaults entry to go directly to the file
   with the problem.

 * Fixed a bug in the sudoers LDAP back-end where a negated sudoHost
   entry would prevent other sudoHost entries following it from matching.

 * Warnings from visudo about a cycle in an Alias entry now include the
   file and line number of the problem.

 * In strict mode, visudo will now use the file and line number
   information about a cycle in an Alias entry to go directly to the
   file with the problem.

 * The sudo_noexec.so file is now linked with -ldl on systems that
   require it for the wordexp() wrapper.

 * Fixed linking of sudo_noexec.so on macOS systems where it must be
   a dynamic library and not a module.

 * Sudo's "make check" now includes a test for sudo_noexec.so
   working.

 * The sudo front-end now passes the user's umask to the plugin.
   Previously the plugin had to determine this itself.

 * Sudoreplay can now display the stdin and ttyin streams when they
   are explicitly added to the filter list.

 * Fixed a bug introduced in sudo 1.8.17 where the "all" setting
   for verifypw and listpw was not being honored.  Bug #762.

 * The syslog priority (syslog_goodpri and syslog_badpri) can now
   be negated or set to "none" to disable logging of successful or
   unsuccessful sudo attempts via syslog.

What's new in Sudo 1.8.18p1

 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
   if the wordexp() function is called.  This prevents commands
   from being run via wordexp() without disabling it entirely.

 * On Linux systems, sudo_noexec.so now uses a seccomp filter to
   disable execute access if the kernel supports seccomp.  This is
   more robust than the traditional method of using stub functions
   that return an error.


What's new in Sudo 1.8.18

 * The sudoers locale is now set before parsing the sudoers file.
   If sudoers_locale is set in sudoers, it is applied before
   evaluating other Defaults entries.  Previously, sudoers_locale
   was used when evaluating sudoers but not during the initial parse.
   Bug #748.

 * A missing or otherwise invalid #includedir is now ignored instead
   of causing a parse error.

 * During "make install", backup files are only used on HP-UX where
   it is not possible to unlink a shared object that is in use.
   This works around a bug in ldconfig on Linux which could create
   links to the backup shared library file instead of the current
   one.

 * Fixed a bug introduced in 1.8.17 where sudoers entries with long
   command lines could be truncated, preventing a match.  Bug #752.

 * The fqdn, runas_default and sudoers_locale Defaults settings are
   now applied before any other Defaults settings since they can
   change how other Defaults settings are parsed.

 * On systems without the O_NOFOLLOW open(2) flag, when the NOFOLLOW
   flag is set, sudoedit now checks whether the file is a symbolic link
   before opening it as well as after the open.  Bug #753.

 * Sudo will now only resolve a user's group IDs to group names
   when sudoers includes group-based permissions.  Group lookups
   can be expensive on some systems where the group database is
   not local.

 * If the file system holding the sudo log file is full, allow
   the command to run unless the new ignore_logfile_errors Defaults
   option is disabled.  Bug #751.

 * The ignore_audit_errors and ignore_iolog_errors Defaults options
   have been added to control sudo's behavior when it is unable to
   write to the audit and I/O logs.

 * Fixed a bug introduced in 1.8.17 where the SIGPIPE signal handler
   was not being restored when sudo directly executes the command.

 * Fixed a bug where "sudo -l command" would indicate that a command
   was runnable even when denied by sudoers when using the LDAP or
   SSSD backends.

 * The match_group_by_gid Defaults option has been added to allow
   sites where group name resolution is slow and where sudoers only
   contains a small number of groups to match groups by group ID
   instead of by group name.

 * Fixed a bug on Linux where a 32-bit sudo binary could fail with
   an "unable to allocate memory" error when run on a 64-bit system.
   Bug #755

 * When parsing ldap.conf, sudo will now only treat a '#' character
   as the start of a comment when it is at the beginning of the
   line.

 * Fixed a potential crash when auditing is enabled and the audit
   function fails with an error.  Bug #756

 * Norwegian Nynorsk translation for sudo from translationproject.org.

 * Fixed a typo that broke short host name matching when the fqdn
   flag is enabled in sudoers.  Bug #757

 * Negated sudoHost attributes are now supported by the LDAP and
   SSSD backends.

 * Fixed matching entries in the LDAP and SSSD backends when a
   RunAsGroup is specified but no RunAsUser is present.

 * Fixed "sudo -l" output in the LDAP and SSSD backends when a
   RunAsGroup is specified but no RunAsUser is present.
2017-05-30 16:14:56 +00:00
taca
1a8daa7526 Note removal of devel/ruby-rake package. 2017-05-30 16:05:19 +00:00
taca
00cc8ee1d7 Remove ruby-rake since all ruby2*-base packages have it. 2017-05-30 16:04:55 +00:00
taca
fff190bfde Delete ruby-rake to build. 2017-05-30 16:03:38 +00:00
taca
1a1f132c5f Remove use of USE_RAKE. 2017-05-30 16:02:25 +00:00