Commit graph

5854 commits

Author SHA1 Message Date
obache
93c1382df3 Fixes build on SUA.
* header file location of libbind differs from SFU.
* treat all Interix as same, not only interix3.
2011-02-06 11:31:18 +00:00
obache
4984643a24 On Interix, it is impossible to build with HAVE_IPV6 because neither
getipnodebyname(3) nor gethostbyname2(3) is available.
2011-02-06 08:39:59 +00:00
jym
b49129eb91 Add MESSAGE to give a hint on what to do (~copy/pasted from script) 2011-01-31 03:05:17 +00:00
adam
4262cd377c PLIST fix 2011-01-28 08:16:55 +00:00
obache
bc004ba93c correct checksum of patches. 2011-01-25 09:08:25 +00:00
obache
7e25cc02fd * Note comments to patch files.
* detect recent OpenPAM correctly
* catch getopt(3) with `int' for platforms that char will never be -1.

Bump PKGREVISION.
2011-01-25 09:07:58 +00:00
pettai
54efb2faa6 OpenDNSSEC 1.2.0:
Bugfixes:
* Enforcer: Fixed a number of build warnings.

OpenDNSSEC 1.2.0rc3:

* Moved migration instructions to the file MIGRATION

Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed potential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed
  in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in
  signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.

OpenDNSSEC 1.2.0rc2:

Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.

OpenDNSSEC 1.2.0rc1:

* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes

Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up
  failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being
  read. Requires "ods-ksmutil update conf" to be run if using an existing
  database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-separated substrings
  for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silences stdout-output from the notify command

OpenDNSSEC 1.2.0b1:

* A new signer engine, written in c. Zones are maintained in memory, instead of
  in files on disk.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the
  per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone
  that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the
  enforcer offline.
* Standby keys are now optional (default to 0) and should be considered
  experimental.

Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found.
  An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names
  (Quicksorter is removed, signer now reads and sorts the zone).
2011-01-24 20:30:28 +00:00
markd
cdf539eac9 Also allow the builtin heimdal from ArchLinux. 2011-01-23 10:01:37 +00:00
taca
c441d1c7fb Update sudo package to 1.7.4p6.
What's new in Sudo 1.7.4p6?

 * A bug has been fixed in the I/O logging support that could cause
   visual artifacts in full-screen programs such as text editors.
2011-01-22 09:18:21 +00:00
tez
3bc3bf1fe4 'fix' pr#43939 by providing a pointer to the root cause 2011-01-20 16:25:21 +00:00
adam
c3c8b80c6b Changes 2.0.17:
* Allow more hash algorithms with the OpenPGP v2 card.
* The gpg-agent now tests for a new gpg-agent.conf on a HUP.
* Fixed output of "gpgconf --check-options".
* Fixed a bug where Scdaemon sends a signal to Gpg-agent running in
  non-daemon mode.
* Fixed TTY management for pinentries and session variable update
  problem.
2011-01-20 08:54:56 +00:00
adam
a563d2138f Fix building with special CFLAGS; e.g. on Mac OS X with -isysroot 2011-01-20 07:43:02 +00:00
drochner
6716ad932a add/fix mutual CONFLICT 2011-01-18 12:06:57 +00:00
wiz
4a85d9393e png shlib name changed for png>=1.5.0, so bump PKGREVISIONs. 2011-01-13 13:53:23 +00:00
wiz
af3596f984 png shlib name changed for png>=1.5.0, so bump PKGREVISIONs. 2011-01-13 13:36:05 +00:00
taca
0f6930c039 Update sudo package to 1.7.4p5.
What's new in Sudo 1.7.4p5?

 * A bug has been fixed that would allow a command to be run without the
   user entering a password when sudo's -g flag is used without the -u flag.

 * If user has no supplementary groups, sudo will now fall back on checking
   the group file explicitly, which restores historic sudo behavior.

 * A crash has been fixed when sudo's -g flag is used without the -u flag
   and the sudoers file contains an entry with no runas user or group listed.

 * A bug has been fixed in the I/O logging support that could cause
   visual artifacts in full-screen programs such as text editors.

 * A crash has been fixed when the Solaris project support is enabled
   and sudo's -g flag is used without the -u flag.

 * Sudo no longer exits with an error when support for auditing is
   compiled in but auditing is not enabled.

 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
   being honored when the "targetpw" sudoers Defaults option was enabled.

 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.

 * A crash has been fixed in "sudo -l" when sudo is built with auditing
   support and the user is not allowed to run any commands on the host.
2011-01-13 12:22:40 +00:00
lukem
eafe57641e update version to 1.5 2011-01-13 00:40:31 +00:00
lukem
2b665e4f80 * update wotsap URLs for new (?) CGI paths
* only use the last 8 chars of the key -- it's the more common use, and
  the wotsap urls only use them now
* convert optional "mykey" to uppercase before matching
* print correct date (misuse of non-local vars)
2011-01-13 00:40:09 +00:00
drochner
d468585260 sync w/ base pkg 2011-01-11 12:11:29 +00:00
drochner
1b91726fbf update to 0.8.1
changes: bugfixes
2011-01-11 12:10:16 +00:00
jmmv
f15a8672f5 Fix previous: I redefined OWN_DIRS which prevented the creation of the
run dir in VARBASE...  Bump PKGREVISION to 3.
2011-01-09 19:22:17 +00:00
jmmv
f70a37d79e Create the ${PKG_SYSCONFDIR}/sudoers.d directory on install. The default
configuration file requires this directory to exist.

Bump PKGREVISION to 2.
2011-01-07 17:54:34 +00:00
obache
aa7c41d480 tabfy. 2011-01-07 04:16:14 +00:00
obache
65f5d4677d Let preferred libpcap be picked up.
PR#44333.
2011-01-07 04:15:37 +00:00
obache
df13c0e8cd DragonFly is in same situation as other *BSD, PR#44329 2011-01-06 12:10:21 +00:00
obache
6aac29cd7a Fixes PR#44324.
* On DragonFly, rmd160.h exists and required functions are defined there,
  but not in any library, so ignore it.
* On DragonFly and FreeBSD, MD5 and MD4 functions are in libmd.
2011-01-06 08:55:37 +00:00
adam
3705aab42a Change the order in which LDAP libraries are detected; fixes building on Mac OS X and probably other machines. pkglint clean-up. 2011-01-05 07:28:19 +00:00
obache
922fbc843a defined(%hash) is deprecated. 2011-01-04 14:20:00 +00:00
obache
4e380257ac Some patches for DragonFly.
* need to include sys/socket.h, PR#44313.
* same signature as Linux and NetBSD for PAM related functions.
2011-01-03 02:39:32 +00:00
obache
710ac4d051 Fixes build failure on DragonFly-2.8.2.
* not have libresolv, but required functions in libc.
* need to include <sys/socket.h> exactly in some place.
2011-01-01 12:13:10 +00:00
wiz
93cf4d2319 Sort SUBDIRs. 2010-12-31 06:18:48 +00:00
obache
bc84a2aa35 DragonFly also does not require extra libs for OpenSSL. 2010-12-25 11:35:06 +00:00
kefren
c774f5de04 Fix Makefiles SUBDIRs for clamav and amavis-perl, amavisd-new changes 2010-12-24 07:24:54 +00:00
kefren
c383a7ae06 Remove amavis-perl and amavisd-new from security/. They are now moved
into pkgsrc/mail. Part of PR/32554
2010-12-24 07:23:35 +00:00
kefren
41826c09c8 Move clamav into security/. No objections on tech-pkg@
Part of PR/32554
2010-12-24 07:11:05 +00:00
christos
9b7f580d42 de to 1.6.0 from Anon Ymous
Changes since 1.1:

** gsasl: Add --no-cb to disable use of TLS channel bindings.
** build: Use silent build rules via automake.
    Use 'make V=99' to see the command lines used.
** Update gnulib files.
** gsasl: Support for TLS channel bindings.
    Requires GnuTLS 2.11.4 or later for the gnutls_session_channel_binding
    function.  Used by the SCRAM-SHA-1-PLUS mechanism.
** doc: Mention new property GSASL_CB_TLS_UNIQUE and SCRAM-SHA-1-PLUS.
** tests: Added self-tests for SCRAM-SHA-1-PLUS.
** gsasl: Avoid fixed size buffers.
    This caused problems on Windows where the BUFSIZ was too small for
    some line lengths with GS2-KRB5.
** tests: Fix error strings to be more unique.
** doc: Added section on how to build with MIT Kerberos for Windows.
** doc: Added PDF version of API reference manual.
    See doc/reference/gsasl.pdf.
** i18n: Updated translations.
    Thanks to Benno Schulenberg.
** doc: Explain GS2-related changes.
** doc: GTK-DOC manual improved.
    Now almost all symbols and types are explained.
** gsasl: Fix crash when getaddrinfo does not get a canonical name.
** gsasl: Improve error message when server rejects authentication.
** tests: Self checks are improved.
** gsasl: Improve application data throughput.
    Patch from Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
    <http://thread.gmane.org/gmane.comp.gnu.gsasl.general/256>.
** Improve MinGW builds.
** doc: Fix doc/cyclo/ output.
** tests/crypto: Also test newly added SHA-1 interfaces.
** tests/scram: Also test GSASL_SCRAM_SALTED_PASSWORD case.
    This code path triggered a crash in v1.3.
** i18n: Added Finnish translation.
    Thanks to Jorma Karvonen <karvonen.jorma@gmail.com>.
** Experimental support for SCRAM-SHA-1 added.
    Please test it but don't put it into production use, the RFC has not
    been finalized yet.  For this reason, the mechanism priority list is
    such that SCRAM-SHA-1 will never be selected over any other mechanism
    (including PLAIN, CRAM-MD5, and DIGEST-MD5).  When it has been tested
    further, we'll make SCRAM-SHA-1 the preferred mechanism after GSSAPI.
** gsasl: Fix libintl-related build errors on MinGW.
    Tiny patch from "carlo.bramix" <carlo.bramix@libero.it>.
** doc: Typo fixes to manual.
    Based on report by Marco Maggi <marco.maggi-ipsu@poste.it> in
    <http://thread.gmane.org/gmane.comp.gnu.gsasl.general/222>.
** tests: Rewrite basic self test using modern API.
** tests: New self-test 'crypto' to increase code coverage.
** gsasl: Fix out of bounds write when in IMAP/SMTP mode.
    Reported by Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> in
    <http://thread.gmane.org/gmane.comp.gnu.gsasl.general/230>.
** doc: Rewritten introduction material.
** doc: Improved sections for the info manual.
    We now follow the advice given by the texinfo manual on which
    directory categories to use.  In particular, libgsasl moved from the
    'GNU Libraries' section to the 'Software libraries' as GNU SASL, and
    'Invoking gsasl' moved from 'GNU utilities' to 'Security'.
** examples: Removed unneeded 'ctx' parameter from client_authenticate.
** Building with many warning flags now requires --enable-gcc-warnings.
    This avoids crying wolf for normal compiles.
** New configure parameters to set packaging specific information.
    The parameters are --with-packager, --with-packager-version, and
    --with-packager-bug-reports.  See
    <http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
    details.
2010-12-23 18:03:48 +00:00
dsainty
1f40f3a084 Mechanically replace references to graphics/jpeg with the suitable
alternative from mk/jpeg.buildlink3.mk

This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).

The mechanical edits were applied via the following script:

#!/bin/sh
for d in */*; do
  [ -d "$d" ] || continue
  for i in "$d/"Makefile* "$d/"*.mk; do
    case "$i" in *.orig|*"*"*) continue;; esac
    out="$d/x"
    sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
        -e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
        < "$i" > "$out"
    if cmp -s "$i" "$out"; then
      rm -f "$out"
    else
      echo "Edited $i"
      mv -f "$i" "$i.orig" && mv "$out" "$i"
    fi
  done
done
2010-12-23 11:44:24 +00:00
wiz
7303e9dadb Set LICENSE. 2010-12-20 11:55:17 +00:00
wiz
b6e693d49a Set LICENSE. 2010-12-20 10:00:56 +00:00
taca
70bb03ade5 Update php-suhosin package to 0.9.32.1.
2010-07-23 - 0.9.32.1

    - Fixed missing header file resulting in compile errors

2010-07-23 - 0.9.32

    - Added support for memory_limit > 2GB
    - Fixed missing header file resulting in wrong php_combined_lcg()
      prototype being used
    - Improved random number seed generation more by adding /dev/urandom juice

2010-03-28 - 0.9.31

    - Fix ZTS build of session.c
    - Increased session identifier entropy by using /dev/urandom if available

2010-03-25 - 0.9.30

    - Added line ending characters %0a and %0d to the list of
      dangerous characters handled
      by suhosin.server.encode and suhosin.server.strip
    - Fixed crash bug with PHP 5.3.x and session module (due to
      changed session globals struct)
    - Added ! protection to PHP session serializer
    - Fixed simulation mode now also affects (dis)allowed functions
    - Fixed missing return (1); in random number generator replacements
    - Fixed random number generator replacement error case behaviour
      in PHP 5.3.x
    - Fixed error case handling in function_exists() PHP 5.3.x
    - Merged changes/fixes in import_request_variables()/extract()
      from upstream PHP
    - Fixed suhosin_header_handler to be PHP 5.3.x compatible
    - Merge fixes and new features of PHP's file upload code to suhosin
2010-12-19 02:22:15 +00:00
shannonjr
2d84f1efdd Backported security fix from Version 1.6.6 of pcsc-lite. The fix bounds the
value of a pointer, prior to a memcpy(), to prevent a buffer overflow.
2010-12-17 17:00:35 +00:00
obache
880707dc5b Bump PKGREVISION from icu shlib major bump. 2010-12-17 07:36:08 +00:00
drochner
032ef02efb add patch from upstream to protect for possible buffer overflows from
rogue cards (SA42658)
2010-12-16 18:00:59 +00:00
riz
3a41b48a3e Explicitly pass "--cpu=i386" when MACHINE_ARCH is i386 in order for
this to build properly under Mac OS X "Snow Leopard" on a 64-bit host.
Fixes PR pkg/44191 by me.
2010-12-15 21:52:15 +00:00
tron
da81e5cc97 Get this close to build under Mac OS X by removing some horrible use
of the C pre-processor.
2010-12-13 16:03:20 +00:00
wiz
710aa0672f Add TEST_TARGET. 2010-12-13 10:33:24 +00:00
wiz
6a2126023e Update to 1.7.6:
The following changes have been made between John 1.7.5.1 and 1.7.6:

* Generic crypt(3) support (enabled with "--format=crypt") has been added for
auditing password hash types supported by the system but not yet supported by
John's own optimized cryptographic routines (such as "SHA-crypt" and SunMD5).
* Optional parallelization of the above has been implemented by means of OpenMP
along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C).
* Optional parallelization of John's own optimized code for the OpenBSD-style
Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has been added.
* A more suitable version of 32-bit x86 assembly code for Blowfish is now
chosen on Core i7 and similar CPUs (when they happen to run a 32-bit build).
* More optimal DES S-box expressions for PowerPC with AltiVec (making use of
the conditional select operation) contributed by Dumplinger Boy (Dango-Chu)
have been integrated.
* The bitslice DES C source code has been reworked to allow for the use of
arbitrary SIMD intrinsics, which was previously only implemented for AltiVec
as a special case.
* Support for SSE2 and MMX intrinsics with bitslice DES (as an alternative to
the supplied assembly code) has been added (currently only enabled for SSE2 on
x86-64 when compiling with GCC 4.4+).
* Support for mixed-type longer virtual vectors (such as SSE2+MMX, SSE2+ALU,
AltiVec+ALU, and other combinations) with bitslice DES has been added (not
enabled by default yet, primarily intended for easy benchmarks on future CPUs,
with future compiler versions, with even more SIMD instruction sets, and with
different DES S-box expressions that might be available in the future).
* The obsolete 32-bit SPARC assembly implementation of DES has been dropped.
* The loader will now detect password hashes specified on a line on their own,
not only as part of an /etc/passwd or PWDUMP format file.
* When run in "--stdin" mode and reading candidate passwords from a terminal
(to be typed by the user), John will no longer mess with the terminal settings.
* John will now restore terminal settings not only on normal termination or
interrupt, but also when forcibly interrupted with two Ctrl-C keypresses.

The following changes have been made between John 1.7.5 and 1.7.5.1:

* A new numeric variable has been added to the word mangling rules engine:
"p" for position of the character last found with the "/" or "%" commands.

The following changes have been made between John 1.7.4.2 and 1.7.5:

* Support for the use of "--format" along with "--show" or "--make-charset" has
been added.
* The choice of .rec and .log filenames for custom session names has been made
more intuitive.
* Support for "\r" (character lists with repeats) and "\p0" (reference to the
immediately preceding character list/range) has been added to the word mangling
rules preprocessor.
* The undefined and undocumented behavior of some subtle word mangling rules
preprocessor constructs has been changed to arguably be more sensible.
* Some bugs were fixed, most notably JtR crashing on no password hashes loaded
(bug introduced in 1.7.4.2).

The following changes have been made between John 1.7.4 and 1.7.4.2:

* Major performance improvements for processing of very large password files
or sets of files, especially with salt-less or same-salt hashes, achieved
primarily through introduction of two additional hash table sizes (64K and 1M
entries), changes to the loader, and smarter processing of successful guesses
(to accommodate getting thousands of hashes successfully cracked per second).
* Many default buffer and hash table sizes have been increased and thresholds
for the use of hash tables lowered, meaning that John will now tend to use
more memory to achieve better speed (unless it is told not to with the
"--save-memory" option).
* Some previously missed common website passwords found on public lists of
"top N passwords" have been added to the bundled common passwords list.
* Some bugs introduced in 1.7.4 and affecting wordlist mode's elimination of
consecutive duplicate candidate passwords have been fixed.

The following changes have been made between John 1.7.3.4 and 1.7.4:

* Support for back-references and "parallel" ranges has been added to the
word mangling rules preprocessor.
* The notion of numeric variables (to be used for character positions
and substring lengths along with numeric constants supported previously)
has been introduced into the rules engine.  Two pre-defined variables
("l" for initial or updated word's length and "m" for initial or
memorized word's last character position) and 11 user-defined variables
("a" through "k") have been added.  Additionally, there's a new numeric
constant: "z" for "infinite" position or length.
* New rule commands have been added: "A" (append, insert, or prefix with a
string), "X" (extract a substring from memory and insert), "v" (subtract
and assign to a numeric variable).
* New rule reject flags have been added: ":" (no-op, for use along with the
"parallel" ranges feature of the preprocessor) and "p" (reject unless word
pair commands are allowed, for sharing of the same ruleset between "single
crack" and wordlist modes).
* Processing of word mangling rules has been made significantly faster in
multiple ways (caching of the current length, less copying of data, code
and data placement changes for better branch prediction and L1 cache usage,
compiler-friendly use of local variables, code micro-optimizations,
removal of no-op rule commands in an initial pass).
* The default rulesets for "single crack" and wordlist modes have been
revised to make use of the new features, for speed, to produce fewer
duplicates, and to attempt additional kinds of candidate passwords (such
as for years 2010 through 2019 with "year-based" rules).
* The idle priority emulation code has been optimized for lower overhead when
there appears to be no other demand for CPU time.
* The default for the Idle setting has been changed from N to Y.

The following changes have been made between John 1.7.3.1 and 1.7.3.4:

* "make check" has been implemented (for Unix-like systems only).
* The "--test" option will now take an optional argument - the duration of each
benchmark in seconds.
* Section .note.GNU-stack has been added to all assembly files to avoid the
stack area unnecessarily being made executable on Linux systems that use this
mechanism.
* Some very minor bugs that did not affect normal operation have been fixed.
* Some unimportant compiler warnings have been fixed, a source code comment has
been made more verbose and more complete.
2010-12-13 10:32:35 +00:00
wiz
31302fc06f Update to 2.10.4:
* Version 2.10.4 (released 2010-12-06)

** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.

** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
This makes us comply with RFC3279. Reported by Michael Rommel.

** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.

** minitasn1: Updated to Libtasn1 2.9.

** API and ABI modifications:
No changes since last version.
2010-12-12 11:58:53 +00:00
wiz
9f3407461d Update to 2.9:
* Noteworthy changes in release 2.9 (2010-12-06) [stable]
- tests: Link to gnulib to avoid build error related to 'rpl_ftello' on Solaris.
  Reported by Dagobert Michelsen.
- doc: Fix bug reporting address to point at help-libtasn1@gnu.org.
- doc: Fix Returns: documentation in Texinfo.  Reported by Jeffrey Walton.
- build: Update gnulib files.
2010-12-12 11:37:27 +00:00
gls
bf26b205cb Update security/p5-IO-Socket-SSL to 1.35
Security fix

v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid it will no longer fall back to VERIFY_NONE but throw
an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
pointing out the problem, see also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
2010-12-07 20:15:00 +00:00
gls
36160bc2a7 Direct MASTER_SITES to pypi.org, as the original MASTER_SITE doesn't host the
distfile anymore. Add DIST_SUBDIR to force re-download of the tarball, whose
content has been modified.

While here, switch DEPENDS to py-crypto instead of py-amkCrypto.

Bump PKG_REVISION.
2010-12-06 22:22:08 +00:00
adam
67c5c9ef32 Detect builtin MIT Kerberos on Mac OS X 10.6.x 2010-12-05 21:56:55 +00:00
gls
863ba719f6 Update py-crypto to version 2.3
pkgsrc changes:
 - add a patch to fix a hardcoded interpreter path
 - add a patch to actually find gmp library.
 - add CONFLICTS with py-amkCrypto, both have files in common.

upstream changes:

2.3
===
* Fix NameError when attempting to use deprecated getRandomNumber()
function.
* _slowmath: Compute RSA u parameter when it's not given to
RSA.construct. This makes _slowmath behave the same as _fastmath in
this regard.
* Make RSA.generate raise a more user-friendly exception message when
the user tries to generate a bogus-length key.

2.2
===
* Deprecated Crypto.Util.number.getRandomNumber(), which had confusing
semantics.  It's been replaced by getRandomNBitInteger and
getRandomInteger.  (Thanks: Lorenz Quack)
* Better isPrime() and getPrime() implementations that do a real
Rabin-Miller probabilistic primality test (not the phony test we did
before with fixed bases).  (Thanks: Lorenz Quack)
* getStrongPrime() implementation for generating RSA primes.
(Thanks: Lorenz Quack)
* Support for importing and exporting RSA keys in DER and PEM format
(Thanks: Legrandin)
* Fix PyCrypto when floor division (python -Qnew) is enabled.
* When building using gcc, use -std=c99 for compilation.  This should
fix building on FreeBSD and NetBSD.
2010-12-05 17:13:09 +00:00
tez
9c348d6b44 add fix for CVE-2010-1323 from
http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt
2010-12-03 20:11:31 +00:00
taca
83bbb51224 Update openssl package to 0.9.8q.
OpenSSL version 0.9.8q released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8q of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security and bugfix release. For a complete
   list of changes, please see

       http://www.openssl.org/source/exp/CHANGES.

   The most significant changes are:

      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
2010-12-03 00:17:21 +00:00
wiz
385e002b2a Update to 0.9.4: no list of changes found. 2010-12-02 16:13:53 +00:00
wiz
3499d7be81 Update to 2.0.3. List of changes not found. 2010-12-02 15:03:56 +00:00
wiz
c6a4ea899c Update to 0.50:
0.50  Nov 21, 2010
        - shell_quote in t/1_run.t was escaping '_' (bug report by
          Andreas J. König)
        - some typos corrected
        - initial implementation of scp_cat
2010-12-02 12:26:19 +00:00
wiz
76b16e925a Update to 1.34:
v1.34 2010.11.01
- schema http for certificate verification changed to
  wildcards_in_cn=1, because according to rfc2818 this is valid and
  also seen in the wild
- if upgrading socket from inet to ssl fails due to handshake problems
  the socket gets downgraded, but is still open.
  See https://rt.cpan.org/Ticket/Display.html?id=61466
- deprecate kill_socket, just use close()
2010-12-02 12:25:04 +00:00
wiz
ecb3e78865 Update to 2.51:
2010-09-30   Gisle Aas <gisle@ActiveState.com>

   Release 2.51

   Florian Ragwitz (1):
      Fix compilation with c++ compilers

   Gisle Aas (1):
      Fix repository specification in META.yml



2010-09-25   Gisle Aas <gisle@ActiveState.com>

   Release 2.50

   Chris 'BinGOs' Williams (1):
      Amended tests to work with perl core.

   Florian Ragwitz (3):
      Attach context pointers using sv magic
      Add failing test for thread cloning
      Clone MD5 contexts on thread cloning
      get_md5_ctx should never return anything but a valid pointer

   Gisle Aas (1):
      perl-5.6 no longer supported

   Jesse Vincent (1):
      Preserve utf8ness of argument [RT#44927]
2010-12-02 12:22:58 +00:00
wiz
abac0aa67c Update to 0.16:
0.16  Wed Sep 29 08:11:42 2010
        - fixed crc64 support for non-xs case, #61490, #61491
2010-12-02 12:22:07 +00:00
obache
21964a9977 Fixes build with OPENSSL_NO_MD2. 2010-11-30 07:12:49 +00:00
drochner
f0c61d0def update to 2.30.1
This switches to the gnome-2.32 release branch.
(compile-tested only; the old version didn't build anymore)
2010-11-29 12:56:20 +00:00
drochner
de7f3e8f42 update to 2.32.0
This switches to the gnome-2.32 release branch.
2010-11-28 12:57:50 +00:00
shattered
833bf67ecc Install manpages in man/, not share/man/ 2010-11-28 10:47:40 +00:00
agc
978258d152 add and enable libtomcrypt 2010-11-27 06:13:25 +00:00
agc
132d12edaa Import libtomcrypt (version 1.17) into the packages collection.
LibTomCrypt is a fairly comprehensive, modular and portable
	cryptographic toolkit that provides developers with a vast array of
	well known published block ciphers, one-way hash functions, chaining
	modes, pseudo-random number generators, public key cryptography and a
	plethora of other routines.  LibTomCrypt has been designed from the
	ground up to be very simple to use.  It has a modular and standard API
	that allows new ciphers, hashes and PRNGs to be added or removed
	without change to the overall end application.  It features easy to
	use functions and a complete user manual which has many source snippet
	examples.

	* Block Ciphers
	    * Blowfish
	    * XTEA
	    * RC5
	    * RC6
	    * SAFER+
	    * Rijndael (aka AES)
	    * Twofish
	    * SAFER (K64, SK64, K128, SK128)
	    * RC2
	    * DES, 3DES
	    * CAST5
	    * Noekeon
	    * Skipjack
	    * Anubis (with optional tweak as proposed by the developers)
	    * Khazad
	    * KASUMI
	    * SEED
	* Chaining Modes
	    * ECB
	    * CBC
	    * OFB
	    * CFB
	    * CTR
	    * IEEE LRW mode
	    * F8 Chaining Mode
	* One-Way Hash Functions
	    * MD2
	    * MD4
	    * MD5
	    * SHA-1
	    * SHA-224/256/384/512
	    * TIGER-192
	    * RIPE-MD 128/160/256/320
	    * WHIRLPOOL
	* Message Authentication
	    * FIPS-198 HMAC (supports all hashes)
	    * CMAC, also known as OMAC1 (supports all ciphers)
	    * PMAC Authentication
	    * F9-MAC
	    * Pelican MAC
	* Message Encrypt+Authenticate Modes
	    * EAX Mode
	    * OCB Mode
	    * CCM Mode (NIST spec)
	    * GCM Mode (IEEE spec)
	* Pseudo-Random Number Generators
	    * Yarrow (based algorithm)
	    * RC4
	    * Support for /dev/random, /dev/urandom and the Win32 CSP RNG
	    * Fortuna
	    * SOBER-128
	* Public Key Algorithms
	    * RSA (using PKCS #1 v1.5 and v2.1)
	    * ECC (EC-DSA X9.62 signatures, X9.63 EC-DH)
		  o With fast Fixed Point ECC support as well
		  o X9.63 import/export of public keys
	    * DSA (Users make their own groups)
	    * The math routines are pluggable which means you can use your own
	      math provider if you want.
	* Other standards
	    * PKCS #1 (v1.5 and v2.1 padding)
	    * PKCS #5
	    * ASN.1 DER
2010-11-27 06:11:57 +00:00
drochner
86be3a7ef6 update to 1.1.0
change: New functions to fix a leak in dirmngr
2010-11-26 18:00:17 +00:00
drochner
2069879c55 update to 2.10.3
changes: bugfixes
2010-11-26 17:56:14 +00:00
drochner
16cf750011 update to 1.10
change: 3 error codes added
2010-11-26 17:55:21 +00:00
obache
1c2474795f define missing PKGCONFIG_OVERRIDE. 2010-11-18 12:09:54 +00:00
taca
f8a37f7e9a Update security/openssl package to 0.9.8p.
OpenSSL version 0.9.8p released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8p of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security and bugfix release which addresses
   CVE-2010-3864. For a complete list of changes,
   please see http://www.openssl.org/source/exp/CHANGES.
2010-11-17 00:52:25 +00:00
drochner
714df7b568 update to 2.32.0
This switches to the gnome-2.32 release branch.
2010-11-16 13:10:53 +00:00
adam
52d99912dd Changes 186:
* fix for BUG-424: build fails on Darwin
2010-11-16 09:53:50 +00:00
abs
9987fa4b3a PKGREVISION bumps for changes to gtk2, librsvg, libbonobo and libgnome 2010-11-15 22:56:08 +00:00
obache
4df37b6c5f Shlib major bumped from 3 to 4 at update of ImageMagick-6.6.4.1.
Bump ABI_DEPENDS (and recursive bump).
2010-11-14 14:05:57 +00:00
shattered
3b05a61c76 Follow HTTP redirects to new HOMEPAGEs and/or MASTER_SITES. 2010-11-13 21:08:54 +00:00
obache
d8b3ca0f9b reset maintainer, he does not use this package anymore. 2010-11-11 11:42:20 +00:00
adam
6ed847acc6 pkglint fixes 2010-11-10 10:37:48 +00:00
agc
7719e6d6fa add and enable libpbc 2010-11-09 03:34:32 +00:00
agc
52f6ebf0c7 Initial import of security/libpbc-0.5.10 into the Packages Collection.
The PBC (Pairing-Based Cryptography) library is a free C library built
	on the GMP library that performs the mathematical operations
	underlying pairing-based cryptosystems.

	It provides routines such as elliptic curve generation, elliptic curve
	arithmetic and pairing computation.

	The API is abstract enough that the PBC library can be used even if
	the programmer possesses only an elementary understanding of pairings.
	There is no need to learn about elliptic curves or much of number
	theory.  (The minimum requirement is some knowledge of cyclic groups
	and properties of the pairing.)

	      Boneh-Lynn-Shacham short signatures
	      Hess identity-based signatures
	      Joux tripartite Diffie-Hellman
	      Paterson identity-based signatures
	      Yuan-Li identity-based authenticated key agreement
	      Zhang-Kim identity-based blind/ring signatures
	      Zhang-Safavi-Naini-Susilo signatures
2010-11-09 03:33:28 +00:00
adam
1db607f855 Changes 2.6.4:
Bug Fixes
* amavisd failed to start when spam scanning was disabled either
  by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving:
    Can't locate object method "new" via package "Amavis::SpamControl"
  As a workaround one could use a @spam_scanners=(undef) to disable spam
  scanning;
* several decoders failed to propagate "Exceeded storage quota" exception,
  so the protection of AV scanners against mail bombs was ineffective;
  reported by Jorgen Lundman;
* milter usage (AM.PDP): verbatim header edits inserted a header body of
  "1" instead of the correct string
* updated AV entry for BitDefender's bdscan to recognize tabs around
  a colon in its output; contributed by Steve;
* fix parsing of a combined result from DSPAM (option --classify), as
  earlier versions of DSPAM did not include a signature with a combined
  result line; problem reported by Marijan Vidmar;
New Features
* provide a true SNMP agent and a MIB, facilitating monitoring the health
  of a content filtering system, its performance and mail characteristics;
* a new AV interface to SMTP-based antivirus scanners;
* allow customizing SMTP-status response reason text for blocked messages;
* prevent inserting fake copies of certain important mail header fields
  without breaking a DKIM signature;
2010-11-08 18:06:57 +00:00
agc
cfac11ad30 Update netpgp to 20101107.
Changes since previous version:

+ fixes for GNU autoconf/automake infrastructure
+ Elgamal encryption and decryption (for DSA keys) is now supported
2010-11-07 07:54:39 +00:00
agc
1fe8aec298 Update netpgp to version 20101105 - fixes for autoconf and automake 2010-11-06 03:54:18 +00:00
agc
975cdbd809 Update netpgp to version 3.99.13/20101104
Changes from previous version (20100601)

Changes to 3.99.13/20101104

+ fix up GNU autoconf framework to reflect new structure
+ add ability in netpgpkeys(1) and netpgp(1) to specify the cipher
  (symmetric algorithm)
+ add the camellia cipher implementation from openssl as specified in RFC 5581
+ changes from Peter Pentchev to get rid of an exit(3) in library context
+ changes from Peter Pentchev for manual page hyphens
+ changes from Peter Pentchev to clean up after tests
+ changes from Arnaud Ysmal to avoid dereferencing possible NULL pointers
+ change from Arnaud Ysmal to clean up usage message in netpgpkeys(1)
+ avoid calling bzlib functions if they aren't present
+ when writing out the key as an ssh key, don't include the user id
  information at the end, in-line with expectations about standard ssh
  key formats
+ since the signing key changed its "menu line" entry from "pub" to
  "signature", the offset of the key id moved 7 chars to the right, so
  take this into consideration when generating new keys
+ allow the user specification of the secret key file as the
  --sshkeyfile or -S argument, and check that the public key file exists
  before trying to read it

Changes to 3.99.12/20100907

+ add a pretty print function mj_pretty(3) to libmj
+ added netpgp_write_sshkey(3) to libnetpgp
+ added pgp2ssh(1)
+ added preliminary support for ElGamal decryption, needed for DSA keys
  as yet untested, unworking, and a WIP
+ add support for using all ssh keys, even those protected by a passphrase,
  for decryption and signing. This rounds off ssh key file support in netpgp.
+ add a single character alias (-S file) for [--sshkeyfile file] to
  netpgpkeys(1) and netpgp(1)

Changes to 3.99.11/20100809

+ update hkpd(8) to reflect the -S argument to hkpd(8)
+ add reachover Makefile support for hkpd(8) and hkpc(1)
+ regen autoconf with new version and date information

Changes to 3.99.10/20100809

+ check return value from option setting function in netpgpkeys(1)
+ be smarter when checking for a null id
+ add test for crap being returned when listing specific keys in netpgpkeys(1)
+ take the public key from the pubring, not the secring when exporting
  keys
+ allow hkpd to serve ssh keys in pgp format
+ test on whether a seckey is needed, not on a userid needed, for ssh keys

Changes to 3.99.9/20100809

+ add single character options to netpgp(1) and netpgpkeys(1)
+ add -o long-option (=value)? to netpgp(1) and netpgpkeys(1)
+ save subkeys when parsing keys. when listing keys, note that the first
  subkey is for encryption
+ rationalise birthtime/expiration timestamps into a single function
+ clean up some 64-bit (amd64) lint

Changes to 3.99.8/20100805

+ free a regular expression after using it
+ be a bit less typedef-happy when it's not needed
+ added minimalist JSON (libmj) to distribution
+ add a function in ops layer to construct JSON serialised text from keys
+ use json output from the library in netpgpkeys(1)
+ added check for alternative openssl location

Changes to 3.99.7/20100701

+ recognise ascii-armoured encrypted messages properly, in memory and
  in files
+ fix a bug when printing out the public key when prompting for a secret
  key
+ print error message and exit for now when trying to encrypt with a DSA key
+ fix bug reported by dyoung when trying to print out the encryption key
  fingerprint

Changes to 3.99.6/20100701

+ make some synonyms for --ssh-keys
+ make proper defaults for home dir for ssh key files as well as pgp files
+ modify regression test script to ensure that ssh-keygen and netpgpkey's
  idea of ssh keys are the same
+ return any error codes when reading ssh pub or private keys

Changes to 3.99.5/20100613

+ make ssh fingerprints (md5) match netpgp listing
+ use the more functional hexdump function from ssh2pgp in place of the
  older hexdump function from openpgpsdk
+ pass hash type down from command line where needed
+ add test for netpgp/ssh key fingerprint matching
+ make netpgpkeys(1) take a --hash= option
2010-11-05 03:48:33 +00:00
adam
d529f7a8ee nss_ldap and pam-ldap now share the same configuration files 2010-11-03 11:39:07 +00:00
shattered
297d960d1a Depend on zlib -- this package won't build without it. 2010-11-02 20:40:55 +00:00
obache
3c0dc157f1 Update ruby-oauth to 0.4.4.
=== 0.4.4 2010-10-31

* Fix LoadError rescue in tests: return can't be used in this context
  (Hans de Graaff)
* HTTP headers should be strings. (seancribbs)
* ensure consumer uri gets set back to original config even if an error occurs
  (Brian Finney)
* Yahoo uses & to split records in OAuth headers (Brian Finney)
* Added support for Rails 3 in client/action_controller_request (Pelle)
2010-11-01 04:02:26 +00:00
wiz
d181a9e465 Reset maintainer. 2010-11-01 00:08:09 +00:00
adam
8d32253257 Changes 185:
* fix: LDAP write on userPassword fails when chasing referral and cached
  policy error is POLICY_ERROR_PASSWORD_EXPIRED
* fix: only request attributes that are actually used
* fix: canonicalize PAM_USER name
2010-10-28 08:06:19 +00:00
wiz
b838928231 Update to 20100827. Set LICENSE.
Fix bug reported by Makoto Yamakura in PR 43992.
2010-10-22 10:41:49 +00:00
wiz
d039bae6b8 Update to 1.4.11, add some comments to patches and please pkglint.
Noteworthy changes in version 1.4.11 (2010-10-18)
-------------------------------------------------

    * Bug fixes and portability changes.

    * Minor changes for better interoperability with GnuPG-2.
2010-10-21 21:48:12 +00:00
pettai
abdb13d3cc SoftHSM 1.2.0 - 2010-09-30
* Added mechanism CKM_RSA_X_509 (use Botan 1.9.7 to fix a bug
  when verifying these signatures)
* The softhsm command now has the option --module <path>
  To use a PKCS#11 library other than SoftHSM.
* The softhsm command now imports all parts of the RSA key.
  CKA_EXPONENT_1, CKA_EXPONENT_2, and CKA_COEFFICIENT are not needed
  by SoftHSM but might be needed by other HSMs.
* Ticket #163: softhsm-keyconv now supports BIND format v1.3
* Write message to stderr when the config file cannot be found
* CKA_WRAP_WITH_TRUSTED was not handled correctly. But it has not
  been a problem since wrapping is not supported.
* Set CKA_KEY_GEN_MECHANISM to CK_UNAVAILABLE_INFORMATION when
  importing objects.
* C_GetInfo now returns CKR_CRYPTOKI_NOT_INITIALIZED if library
  is not initialized.
* Force clean up if the app does not do C_Finalize (using auto_ptr)
* Limit the scope of the session objects to the owner application
* softhsm --optimize will clean up leftovers (session objects)
  from applications that haven't closed down properly.
* Do not use CKF_HW, the mechanisms are not performed by a device.
* The ulMinKeySize and ulMaxKeySize are not used for the digesting
  mechanisms, but we set them to zero for applications that forget
  this.
* Used wrong buffer size for signatures. This was only a problem
  for keys where (key size % 8 == 1), e.g. 1025 bit keys.
* C_Login now returns CKR_USER_ANOTHER_ALREADY_LOGGED_IN instead of
  CKR_USER_TOO_MANY_TYPES
2010-10-18 21:03:50 +00:00
wiz
50e9dd4d98 Update to 2.10.2:
* Version 2.10.2 (released 2010-09-30)

** Use Libtool 2.2.10 to ease MinGW64 builds.

** libgnutls: Add new extended key usage ipsecIKE.

** libgnutls: Is now more liberal in the PEM decoding.
That is spaces and tabs are being skipped.

** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher.
This prevented the usage of the TLS ciphersuites with NULL cipher.
See <http://thread.gmane.org/gmane.network.gnutls.general/2093>.

** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.

** libgnutls: Fix asynchronous API handling.
The code was clearing session hash data on EAGAIN.  Problem reported
by Sjoerd Simons <sjoerd.simons@collabora.co.uk> and Vivek
Dasmohapatra <vivek@collabora.co.uk>.  See
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4531>.

** gnutls-cli: Flush stdout/stderr before removing buffering.
Reported by Knut Anders Hatlen see
<http://savannah.gnu.org/support/?107481>.
2010-10-16 16:43:42 +00:00
wiz
050e9a2cad Update to 2.8:
* Noteworthy changes in release 2.8 (2010-09-25) [stable]
- Update gnulib files.
- Use Libtool 2.2.10 to ease MinGW64 builds.
2010-10-16 16:41:13 +00:00
obache
91cebf4447 Update ruby-roauth to 0.0.6.
* add tests
* Corrected a bogus array initialization.
* Effectively double-escaped the normalized params for inclusion in the
  signature base as required by sections 9.1.1 and 9.1.3 of the OAuth 1.0
  specification.
2010-10-16 05:03:23 +00:00
obache
972c01ae93 postgresql82 had been removed from pkgsrc,
switch to use default PostgreSQL in pkgsrc for pgsql option (default off).
2010-10-15 04:40:34 +00:00
joerg
69a49845e4 Sort out PLIST for i386. Bump revision. 2010-10-12 19:36:43 +00:00
obache
853e4f92be require elementtree module to build for python24. 2010-10-10 11:38:55 +00:00
tez
055fb2956e Fix for CVE-2010-2939 2010-10-08 20:04:58 +00:00
obache
ee727b8a60 * using perl in test.pl.
* missing dependency in p5-SHA package is fixed, then no included copy of SHA
  module will not be installed, conflict is resolved.
2010-10-08 04:39:37 +00:00
obache
04e46908e0 Add missing dependency on p5-Digest-SHA1.
Bump PKGREVISION.
2010-10-08 04:31:11 +00:00
obache
d30ec1755c set HOMEPAGE. 2010-10-08 03:24:07 +00:00
obache
1e406c5b5f fixes patches for previous commit, not for generated file. 2010-10-04 12:46:26 +00:00
obache
3d2ce8c6e5 Remove redundant escape slash from *.pc file.
It's shell script style escape, not required in *.pc file
and break build of security/lasso.

Bump PKGREVISION.
2010-10-04 12:32:16 +00:00
obache
f8c4ad9dca Bump PKGREVISION by default mysql version changed from 5.0 to 5.1. 2010-09-30 10:49:10 +00:00
wiz
f4f9b4b89b Reset maintainer. 2010-09-28 13:21:29 +00:00
gdt
87292b4bf3 Update to 0.5.25. Add patch to not install odd extraversion.h file.
2010-09-20 -- pycryptopp v0.5.25

    * make setup backwards-compatible to Python 2.4
    * fix incompatibilities between setup script and older versions of darcsver
    * don't attempt to compile Mac OS X extended attribute files (this fixes the build breaking)
    * include a version number of the specific version of Crypto++ in extraversion.h
    * small changes to docs

2010-09-18 -- pycryptopp v0.5.20

    * fix bugs in assembly implementation of SHA-256 from Crypto++
    * fix it to compile on *BSD (#39)
    * improve doc strings
    * add a quick start-up-self-test of SHA256 (#43)
    * execute the quick start-up-self-tests of AES and SHA256 on module import
2010-09-24 18:10:46 +00:00
taca
1a5530e324 Add and enable ruby-hmac. 2010-09-23 07:25:13 +00:00
taca
2a3d75771e Importing security/ruby-hmac 0.4.0.
This module provides common interface to HMAC functionality. HMAC is a
kind of "Message Authentication Code" (MAC) algorithm whose standard
is documented in RFC2104. Namely, a MAC provides a way to check the
integrity of information transmitted over or stored in an unreliable
medium, based on a secret key.

Originally written by Daiki Ueno. Converted to a RubyGem by Geoffrey Grosenbach
2010-09-23 07:24:28 +00:00
taca
2c91cd3cae Update security/ruby-net-scp to 1.0.4.
=== 1.0.4 / 16 Sep 2010

* maintain filename sanitization compatibility with ruby 1.8.6 [Sung Pae, Tim Charper]
2010-09-23 06:49:34 +00:00
obache
9168326ab8 + lua-sec 2010-09-23 05:30:21 +00:00
fhajny
ca3186fe10 Import lua-sec-0.4 as security/lua-sec.
LuaSec is a binding for OpenSSL library to provide TLS/SSL communication.
This version delegates to LuaSocket the TCP connection establishment
between the client and server. Then LuaSec uses this connection to start
a secure TLS/SSL session.

(Based on wip/luasec.)
2010-09-21 10:45:56 +00:00
sno
9fe20f9011 Updating security/p5-Digest-CRC from 0.14nb2 to 0.15
pkgsrc changes:
- add license definition

Upstream changes:
0.15  Sun Sep 12 13:46:13 2010
        - added crc64 support, #50064
          Thanks to Anders Ossowicki <aowi@novozymes.com>
        - added bit reversing per byte, #59575
          Thanks to Joel Peshkin <joel@peshkin.net>
        - clone method now copies content too
          Thanks to Stefan Ochs <stefan.ochs@opentext.com>
2010-09-21 05:54:13 +00:00
taca
84f4843fbb * Fix PLIST when "ldap" is enabled in PKG_OPTIONS.
* Install README.LDAP when "ldap" is enabled in PKG_OPTIONS.
* Fix build problem when "kerberos" is enabled in PKG_OPTIONS.

Bump PKGREVISION since default PLIST has changed.
2010-09-21 03:05:27 +00:00
obache
e28dfa8297 static link is not supported on MacOS X.
PR#39058
2010-09-19 06:11:04 +00:00
drochner
df63bd6dd0 do missing dependency bump for glitz removal 2010-09-15 19:44:53 +00:00
wiz
4d24b9b8ad More PKGREVISION bumps for pixman update. 2010-09-14 11:13:10 +00:00
wiz
200e3c4a04 Bump dependency on pixman to 0.18.4 because cairo-1.10 needs that
version, and bump all depends.

Per discussion on pkgsrc-changes.
2010-09-14 11:00:44 +00:00
pettai
588fb71304 The author pushed a new distfile 2010-09-14 06:48:52 +00:00
pettai
d4d3e7cfa5 Version 0.15.1
* Fixed bug with DB_CHECKINODE

Version 0.15
        * Added new grouped option
        * Sort files in report by filename
        * Added support for e2fsattrs attribute
        * Added support for ftype attribute
        * Bug fixes
2010-09-13 13:09:20 +00:00
pettai
824c0448c4 OpenDNSSEC 1.1.3:
Bugfixes:
* Bugreport #183: Partial zone could get signed if zone transfer failed when using zone_fetcher
2010-09-13 07:53:06 +00:00
spz
80e75e00a3 updating to the latest and greatest (and less a bunch of security
relevant bugs) version:

Major changes between version 1.7.4p3 and 1.7.4p4:

    * A potential security issue has been fixed with respect to the
      handling of sudo's -g command line option when -u is also
      specified. The flaw may allow an attacker to run commands as a
      user that is not authorized by the sudoers file.
    * A bug has been fixed where "sudo -l" output was incomplete if
      multiple sudoers sources were defined in nsswitch.conf and there
      was an error querying one of the sources.
    * The log_input, log_output, and use_pty sudoers options now work
      correctly on AIX. Previously, sudo would hang if they were
      enabled.
    * Fixed "make install" when sudo is built in a directory other
      than the directory that holds the sources.
    * The runas_default sudoers setting now works properly in a
      per-command Defaults line.
    * Suspending and resuming the bash shell when PAM is in use now
      works properly. The SIGCONT signal was not being propagated to
      the child process.

Major changes between version 1.7.4p2 and 1.7.4p3:

    * A bug has been fixed where duplicate HOME environment variables
      could be set when the env_reset setting was disabled and the
      always_set_home setting was enabled in sudoers.
    * The value of sysconfdir is now substituted into the path to the
      sudoers.d directory in the installed sudoers file.
    * Fixed compilation problems on Irix and other platforms.
    * If multiple PAM "auth" actions are specified and the user enters
      ^C at the password prompt, sudo will now abort any subsequent
      "auth" actions. Previously it was necessary to enter ^C once for
      each "auth" action.

Major changes between version 1.7.4p1 and 1.7.4p2:

    * Fixed a bug where sudo could spin in a cpu loop waiting for the
      child process.
    * Packaging fixes for sudo.pp to better handle patchlevels.

Major changes between version 1.7.4 and 1.7.4p1:

    * Fix a bug introduced in sudo 1.7.3 that prevented the -k and -K
      options from functioning when the tty_tickets sudoers option was
      enabled.
    * Sudo no longer prints a warning when the -k or -K options are
      specified and the ticket file does not exist.
    * Changes to the configure script to enable cross-compilation of
      Sudo.

Major changes between version 1.7.3 and 1.7.4:

    * Sudoedit will now preserve the file extension in the name of the
      temporary file being edited. The extension is used by some
      editors (such as emacs) to choose the editing mode.
    * Time stamp files have moved from /var/run/sudo to either
      /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories
      are checked for existence in that order. This prevents users
      from receiving the sudo lecture every time the system reboots.
      Time stamp files older than the boot time are ignored on systems
      where it is possible to determine this.
    * Ancillary documentation (README files, LICENSE, etc) is now
      installed in a sudo documentation directory.
    * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
      in ldap.conf.
    * Defaults settings that are tied to a user, host or command may
      now include the negation operator. For example:
          Defaults:!millert lecture
      will match any user but millert.
    * The default PATH environment variable, used when no PATH variable
      exists, now includes /usr/sbin and /sbin.
    * Sudo now uses polypkg for cross-platform packing.
    * On Linux, sudo will now restore the nproc resource limit before
      executing a command, unless the limit appears to have been
      modified by pam_limits. This avoids a problem with bash scripts
      that open more than 32 descriptors on SuSE Linux, where
      sysconf(_SC_CHILD_MAX) will return -1 when RLIMIT_NPROC is set
      to RLIMIT_UNLIMITED (-1).
    * Visudo will now treat an unrecognized Defaults entry as a parse
      error (sudo will warn but still run).
    * The HOME and MAIL environment variables are now reset based on
      the target user's password database entry when the env_reset
      sudoers option is enabled (which is the case in the default
      configuration). Users wishing to preserve the original values
      should use a sudoers entry like:
          Defaults env_keep += HOME
      to preserve the old value of HOME and
          Defaults env_keep += MAIL
      to preserve the old value of MAIL.
    * The tty_tickets option is now on by default.
    * Fixed a problem in the restoration of the AIX authdb registry
      setting.
    * If PAM is in use, wait until the process has finished before
      closing the PAM session.
    * Fixed "sudo -i -u user" where user has no shell listed in the
      password database.
    * When logging I/O, sudo now handles pty read/write returning ENXIO,
      as seen on FreeBSD when the login session has been killed.
    * Sudo now performs I/O logging in the C locale. This avoids
      locale-related issues when parsing floating point numbers in the
      timing file.
    * Added support for Ubuntu-style admin flag dot files.

Major changes between version 1.7.2p8 and 1.7.3:

    * Support for logging a command's input and output as well as the
      ability to replay sessions. For more information, see the
      documentation for the log_input and log_output Defaults options
      in the sudoers manual. Also see the sudoreplay manual for
      information on replaying I/O log sessions.
    * The use_pty sudoers option can be used to force a command to be
      run in a pseudo-pty, even when I/O logging is not enabled.
    * On some systems, sudo can now detect when a user has logged out
      and back in again when tty-based time stamps are in use.
      Supported systems include Solaris systems with the devices file
      system, Mac OS X, and Linux systems with the devpts filesystem
      (pseudo-ttys only).
    * On AIX systems, the registry setting in /etc/security/user is
      now taken into account when looking up users and groups.
      Sudo now applies the correct user and group ids when running
      a command as a user whose account details come from a different
      source (e.g. LDAP or DCE vs. local files).
    * Support for multiple sudoers_base and uri entries in ldap.conf.
      When multiple entries are listed, sudo will try each one in the
      order in which they are specified.
    * Sudo's SELinux support should now function correctly when running
      commands as a non-root user and when one of stdin, stdout or stderr
      is not a terminal.
    * Sudo will now use the Linux audit system when configured with the
      --with-linux-audit flag.
    * Sudo now uses mbr_check_membership() on systems that support it
      to determine group membership. Currently, only Darwin (Mac OS X)
      supports this.
    * When the tty_tickets sudoers option is enabled but there is no
      terminal device, sudo will no longer use or create a tty-based
      ticket file. Previously, sudo would use a tty name of "unknown".
      As a consequence, if a user has no terminal device, sudo will now
      always prompt for a password.
    * The passwd_timeout and timestamp_timeout options may now be
      specified as floating point numbers for more granular timeout
      values.
    * Negating the fqdn option in sudoers now works correctly when sudo
      is configured with the --with-fqdn option. In previous versions
      of sudo the fqdn was set before sudoers was parsed.
2010-09-10 17:11:27 +00:00
wiz
ca8f550fbf Add --certstore-internal to fix packaging on some Linuces.
From Aleksey Cheusov in PR 43849.
2010-09-10 15:02:49 +00:00
taca
573eb0b264 * Add LICENSE.
* Remove RUBY_HAS_ARCHLIB.
* Change PKG_DESTDIR_SUPPORT to user-destdir.
* Add patch to support both ruby18 and ruby19.
2010-09-10 07:49:07 +00:00
taca
bc7d38a763 * Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Remove default value of GEM_BUILD.
2010-09-10 07:47:05 +00:00
taca
882aa84fba * Add LICENSE.
* Update dependency according to gemspec.
2010-09-10 07:46:31 +00:00
taca
2f9cb6cd71 * Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Remove default value of GEM_BUILD.
2010-09-10 07:45:12 +00:00
taca
f8874bf937 * Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Update HOMEPAGE.
* Remove default value of GEM_BUILD.


=== 2.0.23 / 03 Jun 2010

* delay CHANNEL_EOF packet until output buffer is empty [Rich Lane]

Previously, calling #eof! after #send_data would result in the CHANNEL_EOF
packet being sent immediately, ahead of the data in the output buffer. Now
buffer becomes empty.


=== 2.0.22 / 20 Apr 2010

* Fix for: "Parsing the config errors out because it coerces the "1" into an integer and then tries to split it on spaces for multiple host checking." (http://net-ssh.lighthouseapp.com/projects/36253/tickets/10) [Lee Marlow]


=== 2.0.21 / 20 Mar 2010

* Fix for "IdentifyFile" in ~/.ssh/config does not work if no "Host" statement is given (http://net-ssh.lighthouseapp.com/projects/36253/tickets/9-identifyfile-in-sshconfig-does-not-work-if-no-host-statement-is-given#ticket-9-5) [xbaldauf, Delano Mandelbaum]

* Fix for client closes a forwarded connection, but the server is reading, net-ssh terminates with IOError socket closed (http://net-ssh.lighthouseapp.com/projects/36253/tickets/7) [Miklós Fazekas]

* Fix for client force closes (RST) a forwarded connection, but server is reading, net-ssh terminates with exception [Miklós Fazekas]

* Fix for server closes the sending side, the on_eof is not handled. [Miklós Fazekas]

* Removed Hanna dependency in Rakefile [Delano Mandelbaum]


=== 2.0.20 / 10 Feb 2010

* Support "ProxyCommand none" directive [Andy Lo-A-Foe]

=== 2.0.19 / 16 Jan 2010

* Support plus sign in sshconfig hostname [Jason Weathered]

=== 2.0.18 / 15 Jan 2010

* Fix related to #recv(1) to #readpartial change in 2.0.16 [Hans de Graaff, Delano Mandelbaum]


=== 2.0.17 / 14 Dec 2009

* Don't load net/ssh/authentication/pageant on Windows with Ruby 1.9 [Travis Reeder, Delano Mandelbaum]
2010-09-10 07:44:40 +00:00
taca
69f1fe4d53 Update security/ruby-net-sftp to 2.0.5.
* Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Remove default value of GEM_BUILD.


=== 2.0.5 / 19 Aug 2010

* Fixed missing StringIO exception in download! [Toby Bryans, Delano Mandelbaum]
2010-09-10 07:43:45 +00:00
taca
fffb1a76a9 Update security/ruby-net-scp to 1.0.3.
* Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Remove default value of GEM_BUILD.
* Adjust new ruby package's framework.

=== 1.0.3 / 17 Aug 2010

* replace :sanitize_file_name with a call to String#shellescape [Sung Pae]
* Added gemspec file and removed echoe dependency [Miron Cuperman, Delano Mandelbaum]
* Removed Hanna dependency in Rakefile [Delano Mandelbaum]
2010-09-10 07:42:48 +00:00
taca
ff7742c82a Update security/ruby-ezcrypto to 0.7.2.
* Use lang/ruby/gem.mk instead of misc/rubygems/rubygem.mk.
* Add LICENSE.

Changes are unknown.
2010-09-10 07:41:46 +00:00
taca
2e576f5f32 * Adjust new ruby package's framework. 2010-09-10 07:40:32 +00:00
sno
7d3ba9530f Use bundled M::I to avoid cyclic dependency 2010-09-09 20:30:02 +00:00
sno
1740dada22 Updating security/p5-Data-SimplePassword from 0.05nb1 to 0.06
pkgsrc changes:
- imported and added recommended dependency to Math::Random::MT
- moved List::MoreUtils to run dependencies

Upstream changes:
0.06  Tue Aug 31 15:37:15 JST 2010
	* added a parameter 'provider' passed to Crypt::Random.
	  now you can avoid annoying device lock to set the value for example
	  to 'udevrandom' (means /dev/urandom), 'rand' etc.
2010-09-09 05:54:41 +00:00
sno
c63041084c Updating security/p5-Authen-SASL from 2.14nb1 to 2.15
pkgsrc changes:
- add informational dependency to core module Digest::MD5

Upstream changes:
Authen-SASL 2.15 -- Wed Jun 2 13:47:41 CDT 2010
  * Makes sure that user callbacks are called [Yann Kerherve]

Authen-SASL 2.1401 -- Mon Mar 29 14:22:54 CDT 2010
  * Add META.yml to release
2010-09-09 05:25:50 +00:00
sno
0f8a782d45 Updating security/p5-Net-OpenSSH from 0.48nb1 to 0.49
Upstream changes:
0.49  Aug 7, 2010
	- do not kill master from forked processes (bug report by
          scotchie at PerlMonks)
	- some typos corrected
2010-09-09 05:18:02 +00:00
sno
bac50ef623 Updating security/p5-Module-Signature from 0.64nb1 to 0.66
pkgsrc changes:
- switch from gnupg-1 (more or less depreciated) to Crypt::OpenPGP and a
  bunch of used encoders and digest modules
- use Module::Install::Bundled module type
- remove patch - works fine with current infrastructure for now

Upstream changes:
[Changes for 0.66 - Fri,  6 Sep 2010 22:51:37 +0200]
  * Fix incompatibility with EU::Manifest 1.54 to 1.57
    (Paul Howarth) (Closes RT#61124).

[Changes for 0.65 - Fri,  3 Sep 2010 21:38:02 +0200]
  * Skip MYMETA (Alexandr Ciornii)
2010-09-08 21:15:28 +00:00
agc
794908d417 Add and enable liboauth 2010-09-03 07:15:09 +00:00
agc
68beccdcbb Import liboauth-0.8.9 into the Packages Collection.
This is an updated version of the liboauth package in pkgsrc-wip by
Kamel Derouiche, modified by myself not to have nss, doxygen, perl and
graphviz pre-requisites.

        OAuth (Open Authorization) is an open standard that allows users to
        share their private resources (e.g.  photos, videos, contact lists)
        stored on one site with another site without having to hand out their
        username and password.

        OAuth allows users to hand out tokens instead of usernames and
        passwords to their data hosted by a given service provider.  Each
        token grants access to a specific site (e.g.  a video editing site)
        for specific resources (e.g.  just videos from a specific album) and
        for a defined duration (e.g.  the next 2 hours).

        Thus OAuth allows a user to grant a third party site access to their
        information stored with another service provider, without sharing
        their access permissions or the full extent of their data.

        OAuth is a service that is complementary to but distinct from OpenID.

        liboauth is a collection of C functions implementing the OAuth
        Core 1.0 standard API.  liboauth provides basic functions to
        escape and encode parameters according to OAuth specs and
        offers high-level functions to sign requests or verify
        signatures.

Necessary these days for twitter applications; useful for flickr and many
others...
2010-09-03 07:14:12 +00:00
obache
d0e7b4bdf9 Some fixes at update to 2.0.16.
* not using autogen.sh anymore, so remove some tools from USE_TOOLS.
* patch-ak does not effect anymore for above reason, add patch-ao for it.
  this patch is required to avoid conflict with security/gnupg.

Bump PKGREVISION.
2010-09-02 06:58:35 +00:00
obache
68775cbba5 Update ruby-oauth to 0.4.3.
== 0.4.3 2010-09-01

* Fix for em-http proxy (ichverstehe)
2010-09-02 00:35:56 +00:00
drochner
d690c66afe update to 2.0.16
changes:
-bugfixes
-New command --passwd for GPG
-Make use of libassuan 2.0 which is available as a DSO
-The gpg-agent commands KILLAGENT and RELOADAGENT are now available
 on all platforms
2010-09-01 16:46:41 +00:00
drochner
a536f78cb7 update to 1.1.0
changes:
-bugfixes
-Make use of libassuan 2.0 which is available as a DSO
2010-09-01 16:40:53 +00:00
drochner
da422cb954 update to 1.0.8
change: Fixed a CMS parsing bug exhibited by Lotus Notes
2010-09-01 16:35:15 +00:00
drochner
c315c4aa11 update to 1.9
change: New function gpg_err_deinit
2010-09-01 16:34:00 +00:00
drochner
417c0701c1 update to 2.10.1
many fixes and API extensions, but still binary compatible afaict
2010-09-01 16:32:17 +00:00
drochner
a29c215d18 sync w/ base pkg 2010-09-01 15:59:48 +00:00
drochner
b12e02d483 update to 0.11.13
This is basically to switch to libassuan2.

other changes: minor fixes
2010-09-01 15:59:22 +00:00
drochner
0ad37a2144 update MASTER_SITES for current location
(this pkg will be obsolete soon, when gnutls gets updated to 2.10)
2010-09-01 11:31:42 +00:00