NEWS for the 2.4 release
This is a bugfix release only. It turned out ripemd160 in the
2.3 release was broken on all big-endian systems, due to a
missing include of config.h. nettle-2.4 fixes this.
The library is intended to be binary compatible with
nettle-2.2 and nettle-2.3. The shared library names are
libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
libnettle.so.4 and libhogweed.so.2.
NEWS for the 2.3 release
* Support for the ripemd-160 hash function.
* Generates and installs nettle.pc and hogweed.pc files, for
use with pkg-config. Feedback appreciated. For projects
using autoconf, the traditional non-pkg-config ways of
detecting libraries, and setting LIBS and LDFLAGS, is still
recommended.
* Fixed a bug which made the testsuite fail in the GCM test on
certain platforms. Should not affect any documented features
of the library.
* Reorganization of the code for the various Merkle-Damg
hash functions. Some fields in the context structs for md4,
md5 and sha1 have been renamed, for consistency.
Applications should not peek inside these structs, and the
ABI is unchanged.
* In the manual, fixed mis-placed const in certain function
prototypes.
The library is intended to be binary compatible with
nettle-2.2. The shared library names are libnettle.so.4.2 and
libhogweed.so.2.1, with sonames still libnettle.so.4 and
libhogweed.so.2.
in its stable branch (ie firefox-6.0.2) too,
so deal with this in the mozilla-rootcerts script (this is not great -
it depends on syntactic details of the file where it should better
use checksums, but the perl script which is distributed with "curl"
works the same way),
and switch back to the certificate list in CVS HEAD
Changes from 1.35:
v1.44 2011.05.27
- fix invalid call to inet_pton in verify_hostname_of_cert when
identity should be verified as ipv6 address, because it contains
colon.
v1.43_1 2011.05.12
- try to make t/nonblock.t more stable, especially on Mac OS X
v1.43 2011.05.11
- fix t/nonblock.t
- stability improvements t/inet6.t
v1.42 2011.05.10
- add SSL_create_ctx_callback to have a way to adjust context on
creation. https://rt.cpan.org/Ticket/Display.html?id=67799
- describe problem of fake memory leak because of big session cache
and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073
v1.41 2011.05.09
- fix issue in stop_SSL where it did not issue a shutdown of the
SSL connection if it first received the shutdown from the other
side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
- try to make t/nonblock.t more reliable, at least report the real
cause of ssl connection errors
v1.40 2011.05.02
- integrated patch from GAAS to get IDN support from URI.
https://rt.cpan.org/Ticket/Display.html?id=67676
v1.39_1 2011.05.02
- fix in exampel/async_https_server.
Thanks to DetlefPilzecker[AT]web[DOT]de for reporting
v1.39 2011.03.03
- fixed documentation of http verification: wildcards in cn is allowed
v1.38_1 2011.01.24
- close should undef _SSL_fileno, because the fileno is no longer
valid (SSL connection and socket are closed)
v1.38 2011.01.18
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1
instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for
reporting
https://rt.cpan.org/Ticket/Display.html?id=64864
v1.37 2010.12.09
- don't complain about invalid certificate locations if user explicitly
set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what
he is doing and will work around the problems by itself.
http://rt.cpan.org/Ticket/Display.html?id=63741
v1.36 2010.12.08
- update documentation for SSL_verify_callback based on
https://rt.cpan.org/Ticket/Display.html?id=63743https://rt.cpan.org/Ticket/Display.html?id=63740
Mozilla::CA provides a copy of Mozilla's bundle of Certificate
Authority certificates in a form that can be consumed by modules and
libraries based on OpenSSL.
set in PKG_SYSCONFDIR variable, so it is passed down to Makefile.
Configuration final path ends up being etc/stunnel/stunnel/stunnel.conf,
which is wrong.
- New features
- New verify level 0 to request and ignore peer certificate. This
feature is useful with the new Windows GUI menu to save cached peer
certificate chains, as SSL client certificates are not sent by default.
- Manual page has been updated.
- Removed support for changing Windows Service name with "service" option.
- Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters
are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete export ciphers).
- Bugfixes
- The -quiet commandline option was applied to *all* message boxes.
- Silent install (/S option) no longer attempts to create stunnel.pem.
* Version 2.12.9 (released 2011-08-21)
** libgnutls-extra: Replaced enumeration with unsigned
int, in openssl.h to make it identical to the 3.0.0 version.
This shouldn't introduce binary incompatibility.
** libgnutls: When asking for a PIN multiple times, the
flags in the callback were not being updated to reflect
for PIN low count or final try.
** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback
NEWS for the 2.2 release
Licensing change:
* Relicensed as LGPL v2.1 or later (user's option).
* Replaced blowfish and serpent implementation. New code is
based on the LGPLed code in libgcrypt.
New features:
* Support for Galois/Counter Mode (GCM).
* New interface for enumerating (most) available algorithms,
contributed by Daniel Kahn Gillmor.
* New tool nettle-hash. Can generate hash digests using any
supported hash function, with output compatible with md5sum
and friends from GNU coreutils. Checking (like md5sum -c)
not yet implemented.
Bug fixes:
* The old serpent code had a byte order bug (introduced by
yours truly about ten years ago). New serpent implementation
does not interoperate with earlier versions of nettle.
* Fixed ABI-dependent libdir default for Linux-based systems
which do not follow the Linux File Hierarchy Standard, e.g.,
Debian GNU/Linux.
Optimizations:
* x86_64 implemention of serpent.
* x86_64 implemention of camellia.
* Optimized memxor using word rather than byte operations.
Both generic C and x86_64 assembler.
* Eliminated a memcpy for in-place CBC decrypt.
Miscellaneous:
* In command line tools, no longer support -? for requesting
help, since using it without shell quoting is a dangerous
habit. Use long option --help instead.
The shared library names are libnettle.so.4.1 and
libhogweed.so.2.1, with sonames libnettle.so.4 and
libhogweed.so.2.
* use perl5/module.mk and its stuff for perl module build
* using packlist, so PLIST entries for perl modules are not required.
* PKG_SYSCONFSUBDIR is handled automatically, no need to be in PLIST.
* fix substitute handling with USE_DESTDIR=yes.
Bump PKGREVISION.
What's new in Sudo 1.7.7
* I/O logging is now supported for commands run in background mode
(using sudo's -b flag).
* Group ownership of the sudoers file is now only enforced when
the file mode on sudoers allows group readability or writability.
* Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
* If the user specifes a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.
* "sudo -i command" now works correctly with the bash version
2.0 and higher. Previously, the .bash_profile would not be
sourced prior to running the command unless bash was built with
NON_INTERACTIVE_LOGIN_SHELLS defined.
* Multi-factor authentication is now supported on AIX.
* Added support for non-RFC 4517 compliant LDAP servers that require
that seconds be present in a timestamp, such as Tivoli Directory Server.
* If the group vector is to be preserved, the PATH search for the
command is now done with the user's original group vector.
* For LDAP-based sudoers, the "runas_default" sudoOption now works
properly in a sudoRole that contains a sudoCommand.
* Spaces in command line arguments for "sudo -s" and "sudo -i" are
now escaped with a backslash when checking the sudoers file.
* libgnutls: PKCS-11 back-end was replaced by p11-kit
* libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
* libgnutls: Verify that a certificate liste specified using
gnutls_certificate_set_x509_key*(), is sorted according to TLS specification
* libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for
gnutls_x509_crt_list_import. It checks whether the list to be imported is
properly sorted.
* libgnutls: writev_emu: stop on the first incomplete write.
* libgnutls: Fix zlib handling in gnutls.pc.
* certtool: bug fixes in certificate request generation.
* API and ABI modifications: GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED:
New element in gnutls_certificate_import_flags
* Bug fix for newer versions of Libgcrypt.
* Support the SSH confirm flag and show SSH fingerprints in ssh
related pinentries.
* Improved dirmngr/gpgsm interaction for OCSP.
* Allow generation of card keys up to 4096 bit.
* A new flag may now be used to convey comments via assuan_transact.
* A new flag value may now be used to disable logging.
* The gpgcedev.c driver now provides a log device.
* It is now possible to overwrite socket and connect functions in
struct assuan_system_hooks.
* Fixed a bug affecting input strings with an odd number of
characters. Thanks to Ken T Takusagawa for the report.
* Cleaned up Makefile.PL.
* Removed magic svn keywords.
* Added author tests (xt/) and modified SYNOPSIS for all modules to
make them pass the compilation test.
* removed unnecessary loading of MIME::Base64 module
Changes 5.61:
* corrected bug in 'algorithm' method
* fixed -x option in Makefile.PL
-- not often used since it deliberately excludes all 64-bit SHA transforms
* addressed minor documentation oversights
Changes 5.60:
* added new SHA-512/224 and SHA-512/256 transforms
-- ref. NIST Draft FIPS 180-4 (February 2011)
* simplified shasum by removing duplicative text
* improved efficiency of Addfile
-- expensive -T test now occurs only in portable mode
Changes 5.50:
* adopted convention that '-' always means STDIN
-- actual filename '-' accessed as './-'
-- accords with behavior of sha1sum/md5sum
* corrected undefined subroutine oversight in shasum
-- inadvertent migration of _bail() from SHA.pm
