* Not only interix-3, but also treat all interix release, allow to build on SUA.
* Gave up randomized image base, use 0x5e000000, as in mk/platform/Interix.mk.
It is workaround of PR 42369.
* Use -D_REENTRANT flags for threads.
* replace -Wl,soname= linker flags with -Wl,h, for Interix
Major changes between sudo 1.7.2p1 and 1.7.2p2:
* Fixed a a bug where the negation operator in a Cmnd_List
was not being honored.
* Sudo no longer produces a parse error when #includedir references
a directory that contains no valid filenames.
* The sudo.man.pl and sudoers.man.pl files are now included in
the distribution for people who wish to regenerate the man pages.
* Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
* When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so
they can be used during authentication.
an "idea" option, but that was removed more than a year ago when it
got updated from 1.2 to 1.4
The patch was was used on gnupg2 in the "idea" case was just a four-line
memory initialization fix, there is no point in LICENSE restrictions
due to this, so I've pulled it in as regular patch so that it doesn't
get lost for the case someone fixes idea support in libgcrypt
(which isn't hard).
noticed by OBATA Akio per mail to pkgsrc-users.
This makes most sense to me since gnupg2 doesn't install a gpg-zip
intentionally. Since possible clients of gpg-zip should have a
dependency on gnupg1, we can't take over easily. Once we are sure
that gnupg2 can fully replace gnupg1, we might consider to install
eg symlinks gpg->gpg2 etc and make gnupg1 obsolete, but this needs
careful testing.
changes: many fixes and improvements
reviewed by John R. Shannon
pkgsrc notes:
-since S/MIME support is the biggest difference in functionality over
gnupg1, enable it per default -- my tests (with the s/mime plugin
of claws-mail) worked
-left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
changes:
* New option --url for the LOOKUP command and dirmngr-client.
* The LOOKUP command does now also consults the local cache. New
option --cache-only for it and --local for dirmngr-client.
* Port to Windows completed.
* Improved certificate chain construction.
* Support loading of PEM encoded CRLs via HTTP.
* Client based trust anchors are now supported.
* Configured certificates with the suffix ".der" are now also used.
* Libgcrypt 1.4 is now required.
reviewed by John R. Shannon
pkgsrc notes:
I've left the build against a private libassuan with GNU-pth support
alone for now, just updated libassuan to 1.0.5. We might build
pkgsrc/libassuan against pkgsrc/pth at some point, but this needs
to be checked for side effects. (As this pkg doesn't export a library
which might propagate the pth dependency, the possibility of
pthread-pth conflicts should be limited. Other uses of libassuan
need to be checked.)
Beiing here, support DESTDIR.
-don't pull in gnupg2's "gpgconf" if both gnupg1 and gnupg2 are installed
but we are building against gnupg1, this caused a build failure
-fix a selftest to work with gnupg2
Changes in version 2.28.2 are:
* Add license to reference documentation.
* Sent output of g_printerr to syslog.
* No error when can't unlock login keyring.
* Fix assertion when comparing attributes.
* Fix freeing of unallocated memory in test.
* Don't barf on certificates with unsupported algorithm.
* Fix some memory leaks.
[Changes for 0.61]
* Added "=encoding utf8" to POD to fix author name display.
No functional changes.
[Changes for 0.60]
* LICENSING CHANGE: This compilation and all individual files in it
are now under the nullary CC0 1.0 Universal terms:
To the extent possible under law, 唐鳳 has waived all copyright and
related or neighboring rights to Module-Signature.
* Updated Module::Install to 0.91, prompted by Florian Ragwitz.
0.42 Wed Sep 30 23:20:58 JST 2009
* Support for GPG2
0.41_01 Fri Sep 25 02:56:33 JST 2009
* Beginnings of support for GPG2
0.40_04 Tue Apr 21 19:50:12 JST 2009
* Use Any::Moose instead of Moose for Mouse celerity (Sartak)
0.40_1 Sat Nov 15 12:35:59 EST 2008
* [rt.cpan.org #40963] Replace Class::MethodMaker with Moose (Chris Prather)
Noteworthy changes in version 1.4.5 (2009-12-11)
------------------------------------------------
* Fixed minor memory leak in DSA key generation.
* No more switching to FIPS mode if /proc/version is not readable.
* Fixed a sigill during Padlock detection on old CPUs.
* Fixed a hang on some W2000 machines.
* Boosted SHA-512 performance by 30% on ia32 boxes and gcc 4.3;
SHA-256 went up by 25%.
Apart from infrastructure changes, there are the following functional ones:
+ Update to version 1.99.14/20091210
+ provide a new netpgp_match_list_keys(3) function to perform a
regular-expression based search of all the keys in the keyring. If no
pattern is specified to match, then all keys are returned.
+ provide a new netpgp_set_homedir(3) function, and use it to set the
home directory from the library, rather than individually in all the
programs which use the library
+ provide a new netpgp_incvar(3) function which will add a constant
increment (which may be negative) to the value of an internal
variable. This is primarily used for the verbosity level within the
library, and is again a movement of the function into the library from
the individual programs which use the library
+ move to the specification of an ssh key file by internal variable,
rather than the directory holding an ssh key file
+ autoconf infrastructure changes
+ take a hammer to the _GNU_SOURCE definitions problems
+ don't rely on strnlen(3) being present everywhere
+ add rudimentary support for ssh keys
+ add a netpgp library function - netpgp_get_key(3) - to print a
specific key
+ add functionality to call this function in netpgpkeys(1)
+ add test for netpgp_get_key
+ add a verbose switch to the tst script
+ add netpgp functions to expose the memory signing and verification
functions - netpgp_sign_memory(3) and netpgp_verify_memory(3)
+ coalesced signing and verification ops file functions
The seccure toolset implements a selection of asymmetric
algorithms based on elliptic curve cryptography (ECC). In
particular it offers public key encryption / decryption,
signature generation / verification and key establishment.
ECC schemes offer a much better key size to security ratio
than classical systems (RSA, DSA). Keys are short enough to
make direct specification of keys on the command line possible
(sometimes this is more convenient than the management of
PGP-like key rings). seccure builds on this feature and
therefore is the tool of choice whenever lightweight
asymmetric cryptography -- independent of key servers,
revocation certificates, the Web of Trust or even
configuration files -- is required.
collection - kudos to Jan Schaumann for pointing it out.
PAM module which permits authentication for arbitrary services
via ssh-agent. Written with sudo in mind, but like any auth
PAM module, can be used for for many purposes.
and "root" user-less platforms.
* replace one bash script shbang (for safe side, may bone shell is sufficient).
* fix PLIST for PR 40993.
add missing entries and back plist vars replaced for Darwin-apple excessively.
Bump PKGREVISION.
On SP initiated logout, the SP x509 certificate was included in the
HTTP redirect URL. First this was an SAML standard violation, and second
it inflated the URL beyond 2038 bytes, which is the maximum length for
IE7 and prior. As a result, SP initated single logout was broken with IE7
and prior versions.
changes:
-Support for the "aes128-ctr", "aes192-ctr", "aes256-ctr" ciphers
-Support for the "arcfour128" cipher
-Fix crash when server sends an invalid SSH_MSG_IGNORE message
1.) Use "hashlib" instead of "sha" module if possible.
2.) Use "subprocess" module instead of os.popen3().
Both changes tested with Python 2.4 and 2.6.
Pkgsrc-related improvements:
1.) Support "user-destdir" installation (no changes required).
2.) Set license to "gnu-gpl-v2".
3.) Reduce patches by recording the fact that the manual page gets
compressed automatically (which "pkgsrc" handles fine) instead
of trying to prevent that.
This is Crypt::ECB, a Perl-only implementation of the ECB mode. In
combination with a block cipher such as DES, IDEA or Blowfish, you can encrypt
and decrypt messages of arbitrarily long length. Though for security reasons
other modes than ECB such as CBC should be preferred. See textbooks on
cryptography if you want to know why.
In addition to this module you will need to install one or more of the
Crypt::DES, Crypt::IDEA, or Crypt::Blowfish modules.
changes:
-bugfixes
-API extensions
-documentation improvement
-The encoding of gpgme_data_t objects can affect the output encoding
of export, sign and encrypt operations now
-Using GPGME_KEYLIST_MODE_LOCAL combined with
GPGME_KEYLIST_MODE_EXTERN is now supported
0.9.0-beta8:
- Include spamhaus_drop.dat in the source distribution. Fix installation
issue (closes#364).
0.9.0-beta7:
- Initial SpamhausDrop plugin implementation, by
Wes Young <wes@barely3am.com> (closes#363)
- Do not discard --root parameters if prefix is absolute.
- Python 2.4 backward compatibility fixes.
- Handle plugin loading error gracefully.
- Improve WormPlugin accuracy, and make it carry a reference to the
initial event. The plugin used to alert when seeing an alert to a
given target, and this same alert going back to the source. This can
happen in a number of case (example: Netbios alert triggered by Snort)
As of now, the plugin will wait for the events to be repeated against
at least 5 differents hosts.
- Dshield CorrelationAlert now handle multiples events. Previously, we
used to generate a single Dshield CorrelationAlert for each events
where the source address would match the Dshield database. The plugin
now generate CorrelationAlert for multiples events received from the
same source.
* Version 2.8.5 (released 2009-11-02)
** libgnutls: In server side when resuming a session do not overwrite the
** initial session data with the resumed session data.
** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.". Problem
introduced for the v2.8.x branch in 2.7.6.
** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes@laas.fr>.
** tests: Fix expired cert in chainverify self-test.
** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.
** API and ABI modifications:
No changes since last version.
* Version 2.8.4 (released 2009-09-18)
** libgnutls: Enable Camellia ciphers by default.
** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.
** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc@symas.com> in
<https://savannah.gnu.org/support/?106975>.
** API and ABI modifications:
No changes since last version.
* gpgsigs:
+ Added patch from Roland Rosenfeld to support RIPEMD160 checksum.
(Closes: #533747).
+ Updated man page to mention support for SHA256 and RIPEMD160 checksum.
+ Made removal of nonexistent photos quiet by the use of the force option.
+ Updated generated tex file in latex mode so that it uses the grffile
package. This allows pdflatex to process our tex file assuming the photos
are previously converted to PDF. (Closes: #542478)
* caff: Updated check for the local-user keyids.
+ Moved the current check to a new function get_local_user_keys().
+ Warned the user if a local-user keyid is not listed as a keyid in
./caffrc. (Closes: #540165).
* gpgdir: New upstream release.
* gpg-mailkeys:
+ The charset for the text of the message is deduced from the charset used
by ~/.gpg-mailkeysrc and ~/.signature.
The text message is encoded in quoted printable and thus it requires a
new dependency on qprint in debian/control. (Closes: #545186)
+ Mentionned both the .gpg-mailkeysrc and .signature files in the manpage.
- fix the configuration path and file, so it can use the proper user:group
and the chroot
- fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads',
'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description)
Bump PKGREVISION.
Upstream changes:
v1.31 2009.09.25
- add and export constants for SSL_VERIFY_*
- set SSL_use_cert if cert is given and not SSL_server
- support alternative CRL file with SSL_crl_file thanks to patch of
w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
- Fix references to the confdir.
- Fix headers so thirdparty apps can be built with pcsc-lite from pkgsrc.
- Some minor changes to fix pkglint warnings.
- Bump PKGREVISION.
- Use SWIG 1.3.39 to generate bindings code, fixes Prewikka compatibility
problem because of SWIG version mismatch between libprelude/libpreludedb
modules.
* USB code for BSD fixed by Emmanuel Dreyfus
* Add support for Rutoken S by Aktiv Co. / Aleksey Samsonov
* Plus some fixes to Info.plist (for users combining openct with pcsc-lite).
This update is quite delicate and I'm sure it'll break somewhere. So far
I've only been able to test it in NetBSD/amd64 and Mac OS X Leopard.
I'm bumping the dependency version in buildlink3.mk because the only package
using this seems to be Monotone, and I'll updating it right away.
Text::Password::Pronounceable v0.28 from PR pkg/42022 with some
modifications.
This module generates pronuceable passwords, based the the English digraphs by
D Edwards.
pkgsrc changes:
- Add commented license type
- Add Perl module type
Upstream changes:
changes from 0.04 to 0.05
-------------------------
* added doc() accessor to response types
* added better error handling with better error messages
* updated perldocs with new functionality and consistency fixes
* changed user-agent string to reflect module name
pkgsrc changes:
- Adding license definition
- Adjusting dependencies
Upstream changes:
1.16 2009.09.11
- Switching to production release
- Switching to non-development version
0.15_01 2009.02.13
- Updated to Module::Install 0.91
- Added a consistent $VERSION across the entire distro
- Removed the optional dependency on Convert::PEM for more
consistent downstream packaging (it was pointless to ask
since most people don't know what it is anyways).
- Data::Buffer has almost perfect CPAN Testers PASS, so always
install it (plus, SSH2 is common now).
- Added some missing dependencies to the Makefile.PL
- Removed the sign(1) and auto_install (which was dangerous)
- Removed all the magic repository tags that would change depending
on who was maintaining it.
- Adding missing test_requires for Test.pm and Test::More (I'll
migrate the remaining tests away from Test.pm next release)
- Merged the ToDo file into the POD
protocols. To use SASL, a protocol includes a command for identifying and
authenticating a user to a server and for optionally negotiating protection
of subsequent protocol interactions. If its use is negotiated, a security
layer is inserted between the protocol and the connection.
PAM provides a way to develop programs that are independent of
authentication scheme. These programs need "authentication modules" to be
attached to them at run-time in order to work. Which authentication module
is to be attached is dependent upon the local system setup and is at the
discretion of the local system administrator.
This package contains a SASL plugin and a PAM module that perform a crude
check on a SAML authentication assertion. The assertion signature and date
are verified, and access is granted on behalf ot the user taked for a
onfigurable attribute.
The only protection against replay attacks is the assertion validity dates
checks, this authentication is therefore secure only if the SAML
authentication assertion remains secret. The assertion has the same role
as a web cookie used for authentication.
PuTTY is a client program for the SSH, Telnet and Rlogin network protocols.
These protocols are all used to run a remote session on a computer, over a
network. PuTTY implements the client end of that session: the end at which
the session is displayed, rather than the end at which it runs.
Noteworthy changes in version 1.4.10 (2009-09-02)
-------------------------------------------------
* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm
* Support v2 OpenPGP cards.
* The algorithm to compute the SIG_ID status has been changed to
match the one from 2.0.10.
* Improved file locking. Implemented it for W32.
* Fixed a memory leak which made imports of many keys very slow.
* Many smaller bug fixes.
* Support for the Camellia cipher (RFC-5581).
* Support for HKP keyservers over SSL ("HKPS").
in PKG_OPTIONS.apr-util/PKG_DEFAULT_OPTIONS.
USE_LANGUAGES should be set before including mk/apache.mk as it
(may) ends up including mk/compiler.mk.
This last file sets a default value of 'c' to USE_LANGUAGES and
then uses it to set PKG_CC, PKG_CXX and PKG_FC to "fail wrappers".
Hence the C++ compiler command ends up being wrapped by a "fail
script" thus breaks the build.
doesn't conflict with openssh.
Changes since 0.50:
0.52 - Wed 12 November 2008
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to
tunnel standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned
process for IO rather than a direct TCP connection. eg
dbclient remotehost
is equivalent to
dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop"
connections, with comma-separated host syntax. Allows running
dbclient user1@host1,user2@host2,user3@host3
to end up at host3 via the other two, using SSH TCP forwarding. It's
a bit like onion-routing. All connections are established from the
local machine. The comma-separated syntax can also be used for
scp/rsync, eg
rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/
to bounce through a few hosts.
- Add -I "idle timeout" option (contributed by Farrell Aultman)
- Allow restrictions on authorized_keys logins such as restricting
commands to be run etc. This is a subset of those allowed by OpenSSH,
doesn't yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems
with the standard CBC mode.
- Support zlib@openssh.com delayed compression for client/server. It
can be required for the Dropbear server with the '-Z' option. This
is useful for security as it avoids exposing the server to attacks
on zlib by unauthenticated remote users, though requires client side
support.
- options.h has been split into options.h (user-changable) and
sysoptions.h (less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by
recent versions of PuTTY
0.51 - Thu 27 March 2008
- Make a copy of password fields rather erroneously relying on getwpnam()
to be safe to call multiple times
- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
as well) always use that program, ignoring isatty() and $DISPLAY
- Wait until a process exits before the server closes a connection, so
that an exit code can be sent. This fixes problems with exit codes not
being returned, which could cause scp to fail.
- Make Prelude-Manager thread backend independant.
- Add missing dlpreopening support for the SMTP plugin.
- Win32 compilation fixes.
- Various fixes and update.
Also various pkgsrc related fixes including DESTDIR support.
Changes in 0.9.17:
==================
- Do not provide an exhaustive list of unreachable linked alert, rather,
tell the user how many linked alert are not reachable any more.
- String encoding fixes, do not mix unicode and bytestring, and more
generally, use unicode for internal string storage. This fixes a lot
of possible exception with particular specific user input, or with
localization enabled.
- Inline filter didn't work as expected when viewing events starting
with a specific offset, because the offset keyword wasn't removed
from the generated link.
- Error handling improvement (back / retry button weren't always
working as expected).
- Fix exception when no protocol was available.
- Improve navigation button link (make the link cover the whole button).
Changes in 0.9.16:
==================
- Multiples advanced filter within the same column wouldn't display
correctly.
- Correctly restore input field when switching between advanced/simple
filter mode.
- Fix multiple bug that would results in inconsistant filtered "state"
and reset button.
- Using the classification simple filter now also trigger a search on
impact.completion.
- Fix multiple alert deletion checkbox, (#357).
- Various bug fixes.
Changes in 0.9.15:
==================
- Make it obvious when a column is filtered by replacing the old sober
star with a big "[filtered]" red marker. If the column filter is
saved, then the marker color will go from red to black.
- Once the user filtered a given field by clicking on it, deny further
click so that it is clear that the filter is currently active.
- Re-write the inline filter implementation using Cheetah + Jquery, in
place of generating an enormous amount of javascript code. This
drastically reduce the size of the events listing HTML page, and will
allow for much easier modification of the inline-filters.
- Only propose filter operator relevant to the selected path.
- Inline filter now present a single input field (with no path and
operator selection). Using this field, the user can filter on what is
seen in the associated column. For example, in the classification
column, the filter will trigger a search on classification.text,
classification.reference.name and classification.reference.origin.
There is also an [advanced] button allowing the user to specify both
the path and the operator.
- Implement a reset button in each inline filter column, that allow to
switch between different version of the filter: last saved filters,
default filters, or current filters.
- The user can now click an alert completion to set an inline filter on
the completion value.
- Clicking on a port / protocol now trigger a CSS menu allowing to
filter on the port and protocol information, or to get information
concerning this port / protocol.
- Clicking on a classification reference now trigger a CSS menu which
allow to filter on the reference, or to get more information
concerning it.
- Clicking on classification now add a filter on the selected
classification (previously, it would have unfolded aggregated alerts
for the selected entry, which is now done clicking the alert count).
- Until now, the default user that was automatically created by Prewikka
if there was no administrative user was "admin". As of now you can
define the initial administrative username and password from the
configuration file. (fix#289).
- Fix escaping for reference details URI parameters.
- Fix ModPython content-type handling.
- Invalid variable name, fix#339.
- Update to JQuery 1.3.2, and fit small JQuery API change.
- If the installed libprelude or libpreludedb version is too old,
Prewikka will require the user to upgrade. Currently, Prewikka depend
on libpreludedb 0.9.12, and libprelude 0.9.23.
- Fix IDMEFDatabase exception on empty criteria string (fixes#346).
- Analyzer retrieval fixes and speedup (fixes#350).
- Make the Prelude-LML UDP server IPv6 compatible.
- Implement 'idmef-alter' and 'idmef-alter-force' option, alloing
to include static values into IDMEF events generated using a given
format.
- New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin <firm <at> iname.com>,
with slight modification from Pierre Chifflier <p.chifflier <at> inl.fr>.
Close#340.
- Fix CISCO VPN ruleset so that the 'Authentication rejected' rule will
trigger even if the 'server' field does not contain a word (fix#328).
- Remove dos-style end-of-lines (Closes#338)
- Fixes possible off by one when parsing variable reference number, and
remove un-needed check that would always evaluate to TRUE.Thanks
Steve Grubb <sgrubb <at> redhat.com> for reporting this problem (and
running flexelint on the Prelude sources)!
- Update for libtool 2.x compatibility.
- This simplify the whole regular expression handling a lot, making the
code much easier to read, and fixing potential problem with ovector
assignement. This code should also improve performance by a small
factor.
- Change CISCO references urls to their new location, add CISCO ASA rule
to handle discarded tcp or udp packets.
- Various fixes and update.
- support for newer Python versions
- various bug fixes and security improvements
- moved from LGPL to MIT license
Based on the update by Christian Sturm in wip with additional fixes from
me.
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
* Noteworthy changes in release 2.3 (2009-07-29) [stable]
- Libtasn1 is now an official GNU project.
- Solve build problem on Tru64 related to TRUE/FALSE.
- More careful decoding of OIDs.
- Fixed warning in ASN1.y.
- Use "Software libraries" info dircategory.
- Drop GPL/LGPL copies from the manual (not needed there).
- New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
Shamir's Secret Sharing Scheme (SSSS) is an implementation of a
threshold scheme for sharing a secret between third parties, and
requiring a threshold of those parties to collaborate to reveal the
secret.
Taken from the Wikipedia article about Secret Sharing:
In cryptography, a secret sharing scheme is a method for
distributing a secret amongst a group of participants, each of
which is allocated a share of the secret. The secret can only
be reconstructed when the shares are combined together;
individual shares are of no use on their own.
Shamir's scheme is provable secure: in a (t,n) scheme one can prove
that it makes no difference whether an attacker has t-1 valid shares
at his disposal or none at all; as long as he has less than t shares,
there is no better option than guessing to find out the secret.
Changelog:
The following changes have been made between John 1.7.3 and 1.7.3.1:
* Corrected the x86 assembly files for building on Mac OS X.
* Merged in some generic changes from JtR Pro.
The following changes have been made between John 1.7.2 and 1.7.3:
* Two Blowfish-based crypt(3) hashes may now be computed in parallel for much
better performance on modern multi-issue CPUs with a sufficient number of
registers (e.g., x86-64).
* Bitslice DES assembly code for x86-64 has been converted to use
instruction pointer relative addressing (needed for Mac OS X support).
* New make targets: macosx-universal, macosx-x86-64, solaris-x86-64-cc,
solaris-x86-64-gcc, solaris-x86-sse2-cc, solaris-x86-sse2-gcc,
solaris-x86-mmx-cc, solaris-x86-mmx-gcc, solaris-x86-any-cc, linux-ia64;
other changes to the Makefile.
* Minor bug fixes.
* "DumbForce" and "KnownForce" external mode samples have been added to the
default john.conf.
pcsc-lite-1.5.5: Ludovic Rousseau
28 July 2009
- add the reader interface name if provided by the device
- SCardTransmit(): return SCARD_E_UNSUPPORTED_FEATURE if
SCARD_PROTOCOL_RAW is requested by unsupported
- SCardConnect() and SCardReconnect(): set dwActiveProtocol to
SCARD_PROTOCOL_UNDEFINED if SCARD_SHARE_DIRECT is used (conform to
MSDN). Contrary to Windows winscard behavior, the reader is accessed in
shared mode and not exclusive mode if SCARD_SHARE_DIRECT is used.
- SCardControl(): correctly check for buffer overflow (bug introduced in
pcsc-lite 1.5.4)
- some other minor improvements and bug corrections
New in OpenSC 0.11.9; 2009-07-29; Andreas Jellinghaus
* New rutoken_ecp driver by Aktiv Co. / Aleksey Samsonov
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
1.3.11 - 28 July 2009, Ludovic Rousseau
- add support of Raritan D2CIM-DVUSB VM/CCID, Feitian SCR301,
Softforum XecureHSM, 2 Neowave Weneo tokens, Synnix STD200, Aktiv
Rutoken ECP, Alcor Micro SCR001, ATMEL AT91SC192192CT-USB,
Panasonic USB Smart Card Reader 7A-Smart, Gemalto GemProx DU and SU
- remove support of Reiner-SCT cyberJack pinpad(a) on request of
Reiner-SCT. You should user the Reiner-SCT driver instead
- define CFBundleName to CCIDCLASSDRIVER so that non class drivers
have a higher priority. Used by pcsc-lite 1.5.5 and up.
Add a --disable-class configure option so that the Info.plist does
not define a Class driver. Default is class driver.
- do not power up a card with a voltage not supported by the reader
- add support of PIN_PROPERTIES_STRUCTURE structure and
FEATURE_IFD_PIN_PROPERTIES
- adds support of FEATURE_MCT_READERDIRECT. Only the Kobil TriB@nk
reader supports this feature for now. This is used for the Secoder
functionality in connected mode.
- add support of a composite device. No change needed with libhal.
use --enable-composite-as-multislot on Mac OS X since libhal is
not available on Mac OS X or with libusb on Linux
- some minor bugs removed
Changes in 1.7.2p1 since 1.7.2:
===============================
* Fixed the expansion of the %h escape in #include file names introduced in
sudo 1.7.1.
Changes in 1.7.2 since 1.7.1:
=============================
* A new #includedir directive is available in sudoers. This can be used to
implement an /etc/sudo.d directory. Files in an includedir are not edited
by visudo unless they contain a syntax error.
* The -g option did not work properly when only setting the group (and not
the user). Also, in -l mode the wrong user was displayed for sudoers
entries where only the group was allowed to be set.
* Fixed a problem with the alias checking in visudo which could prevent
visudo from exiting.
* Sudo will now correctly parse the shell-style /etc/environment file format
used by pam_env on Linux.
* When doing password and group database lookups, sudo will only cache an
entry by name or by id, depending on how the entry was looked up.
Previously, sudo would cache by both name and id from a single lookup, but
this breaks sites that have multiple password or group database names that
map to the same uid or gid.
* User and group names in sudoers may now be enclosed in double quotes to
avoid having to escape special characters.
* BSM audit fixes when changing to a non-root uid.
* Experimental non-Unix group support. Currently only works with Quest
Authorization Services and allows Active Directory groups fixes for
Minix-3.
* For Netscape/Mozilla-derived LDAP SDKs the certificate and key paths may
be specified as a directory or a file. However, version 5.0 of the SDK
only appears to support using a directory (despite documentation to the
contrary). If SSL client initialization fails and the certificate or key
paths look like they could be default file name, strip off the last path
element and try again.
* A setenv() compatibility fix for Linux systems, where a NULL value is
treated the same as an empty string and the variable name is checked
against the NULL pointer.
tested with:
-1.0.0beta3 (which already identifies itself as 1.0.0)
-the snapshot in NetBSD-current (identifies itself as 1.1.0)
-the 0.9.8 we had in -current before
Upstream changes:
v1.27 2009.07.24
- changed possible local/utf-8 depended \w in some regex against more
explicit [a-zA-Z0-9_]. Fixed one regex, where it assumed, that service
names can't have '-' inside
- fixed bug https://rt.cpan.org/Ticket/Display.html?id=48131
where eli[AT]dvns[DOT]com reported warnings when perl -w was used.
While there made it more aware of errors in Net::ssl_write_all (return
undef not 0 in generic_write)
1.5.1 release provides some bug fixes and a fix for the recently announced
HMAC vulnerability in the XML Signature specification (CVE-2009-0217).
1.5.0 release provides more bug fixes, partial support for Inclusive
Canonicalization 1.1, and support for the Xerces 3.x official release and
32/64-bit portability APIs.
