* GnuTLS: compatibility with GnuTLS-3.4.2
* Nethttpd_plex: the post_add_hook was not called by accident
(since OCamlnet-4); this is now fixed.
* Nethtml: new option case_sensitive
* GnuTLS: initializing the library on-demand. This avoids that
/dev/random is kept open all the time since program start, and
works around incompatibilities with Netplex. (Thomas Calderon
found the problem.)
* GnuTLS: setting DH parameters on certificates (this was forgotten in
previous releases). (Thomas Calderon found the problem.)
* GnuTLS: supporting GnuTLS versions where SRP is disabled.
Supporting GnuTLS-3.4.
* OpenBSD build: fix linker option (Christopher Zimmermann)
* Equeue: There is a new method request_proxy_notification,
which is only used by Uq_engines.qseq_engine (but unfortunately
needs to appear in the public type of the object). This new
method permits that chains of Uq_engines.qseq_engine pairs
can now be arbitrarily long without consuming too much memory
and without the danger of getting stack overflows.
This fixes issues where notification chains got too long. In
particular, we saw a stack overflow when retrieving a video
stream via HTTP. The stream was sent with many chunks, resulting
in a long Uq_engines.qseq_engine chain.
Implementers of engines can simply define request_proxy_notification
as no-ops.
* Nethttp.set_content_range: this function generated an incorrect
header (the "bytes" word was missing). (Török Edwin)
* _oasis is generated from _oasis.in
* Netplex: the Netplex socket directory has a different default
if not specified in the config file.
* Netshm: the POSIX specifier has now two args
* IPv6: automatically enabled if there is a global IPv6 address
* Unicode tables: Moved them to a separate netunidata library.
This library needs to be linked in for getting access to the
tables (this is no longer the default).
* Renamings: Http_client, Ftp_client etc. => Nethttp_client,
Netftp_client
Mimestring => Netmime_string
Xdr => Netxdr
* Netmime: moved functions to Netmime_header and Netmime_channels
* Netmech_scram: Removed the check that passwords only consist of
ASCII chars. The user can now call Netsaslprep.saslprep.
* Removed: rpc-auth-dh, nethttpd-for-netcgi2
* Http_client: the authentication mechanisms are now encapsulated
in a first-class module HTTP_MECHANISM. So far, there is Digest
authentication in this form. The signature of HTTP_MECHANISM
is similar to SASL_MECHANISM.
Another visible change is that the insecure Basic authentication
is no longer enabled for non-TLS-secured connections. This can be
changed back by setting flags, though.
Some fixes in the design improve Digest authentication for proxy
connections.
* Netpop: implementating SASL authentication for POP3. Moved Netpop
into netclient.
* Netsmtp: implementing SASL authentication for SMTP. Moved Netsmtp
into netclient.
* Adding a framework for SASL, and a number of mechanisms
(PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1).
* fcgi/scgi/ajp connectors: exporting a handle_connection function,
and unifying existing such functions (Christopher Zimmermann)
* adding support for modular cryptography (symmetric ciphers and
digests)
* SCRAM is now implemented with the new crypto providers
* removing dependency on Cryptokit
* removed library netgssapi; now part of netsys/netstring
* removed library netmech-scram; now part of netstring
Ocamlnet-4 adds:
- new library netgss-system
- new library nettls-gnutls
- removed equeue-ssl and rpc-ssl
- X.500 modules Netasn1, Netdn, Netx509
- Crypto definitions Netsys_crypto_types, Netsys_crypto
- TLS modules Netsys_tls, Nettls_support
- Support for SASL and GSSAPI
- Moved many functions from Uq_engines to new modules in
the equeue library (Uq_client, Uq_server, Uq_multiplex,
Uq_transfer)
Changes:
####################### V 1.7.3.1:
security:
Socat security advisory 8
A stack overflow in vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Test: NESTEDOVFL
Credits to Takumi Akiyama for finding and reporting this issue.
Socat security advisory 7
MSVR-1499
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Futhermore, 1024bit is not considered sufficiently secure.
Fix: generated a new 2048bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.
* Release 0.10.1 (21-Jan-2015)
** Packaging Fixes
This release fixes a version-string management failure when the "log
publisher" feature was used in a tree built from a release tarball (rather
than from a git checkout). This caused a unit test failure, as well as
operational failures when using `flogtool tail`. Thanks to Ramakrishnan
Muthukrishnan (vu3rdd) for the catch and the patch. (#248)
Changelog:
=============================
Release Notes for Samba 4.3.4
January 12, 2016
=============================
This is the latest stable release of Samba 4.3.
Changes since 4.3.3:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 11619: doc: Fix a typo in the smb.conf manpage, explanation of idmap
config.
* BUG 11647: s3:smbd: Fix a corner case of the symlink verification.
o Jeremy Allison <jra@samba.org>
* BUG 11624: s3: libsmb: Correctly initialize the list head when keeping a
list of primary followed by DFS connections.
* BUG 11625: Reduce the memory footprint of empty string options.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 11659: Update lastLogon and lastLogonTimestamp.
o Ralph Boehme <slow@samba.org>
* BUG 11065: vfs_fruit: Enable POSIX directory rename semantics.
* BUG 11466: Copying files with vfs_fruit fails when using vfs_streams_xattr
without stream prefix and type suffix.
* BUG 11645: smbd: Make "hide dot files" option work with "store dos
attributes = yes".
o Günther Deschner <gd@samba.org>
* BUG 11639: lib/async_req: Do not install async_connect_send_test.
o Stefan Metzmacher <metze@samba.org>
* BUG 11394: Crash: Bad talloc magic value - access after free.
o Rowland Penny <repenny241155@gmail.com>
* BUG 11613: samba-tool: Fix uncaught exception if no fSMORoleOwner
attribute is given.
o Karolin Seeger <kseeger@samba.org>
* BUG 11619: docs: Fix some typos in the idmap backend section.
* BUG 11641: docs: Fix typos in man vfs_gpfs.
o Uri Simchoni <uri@samba.org>
* BUG 11649: smbd: Do not disable "store dos attributes" on-the-fly.
[downloader/common] report_retry: Don't crash when retries is infinite
[cbsnews] Extract subtitles
[cbsnews] Simplify subtitles extraction and fix test
[arte:future] Fix extraction
[arte:future] Make duplicated test matching only
[arte:cinema] Add extractor
[nuevo] Generalize nuevo extractor and add support for trollvids
[nuevo] Simplify nuevo extractors
[ruleporn] Add new extractor
[nuevo] Improve thumbnail extraction
[ruleporn] Rework in terms of nuevo
[lovehomeporn] Add extractor
[SVTPlay] Add subtitle support
[svt] Improve subtitles extraction and add test
[options] Clarify language tags
[kanalplay] Use IETF language tag
[drtv] Use IETF language tag
Previously there were at least 5 different ways MACHINE_ARCH could be set,
some statically and some at run time, and in many cases these settings
differed, leading to issues at pkg_add time where there was conflict
between the setting encoded into the package and that used by pkg_install.
Instead, move to a single source of truth where the correct value based on
the host and the chosen (or default) ABI is determined in the bootstrap
script. The value can still be overridden in mk.conf if necessary, e.g.
for cross-compiling.
ABI is now set by default and if unset a default is calculated based on
MACHINE_ARCH. This fixes some OS, e.g. Linux, where the wrong default was
previously chosen.
As a result of the refactoring there is no need for LOWER_ARCH, with
references to it replaced by MACHINE_ARCH. SPARC_TARGET_ARCH is also
removed.
@PKG_SYSCONFDIR@ with hardcoded paths to /usr/pkg, possibly due to SUBST_STAGE
being set to post-patch. Revert that change, move SUBST_STAGE to
pre-configure, and perform some minor cleanup while here.
Bump PKGREVISION of all packages, ignoring pkglint's error that this shouldn't
be done in Makefile.common.
* Add -P, --printpidfile to print the pidfile dhcpcd will use to
stdout
* Fix a crash when a non active interface departs
* Add the -1, --oneshot option which causes dhcpcd to exit once an
interface has been configured
* Fix delegation activating interfaces
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
#41397]
* Named is potentially vulnerable to the OpenSSL vulnerabilty
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None.
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
* Release 0.10.0 (15-Jan-2015)
** Compatibility Fixes
This release is compatible with Twisted-15.3.0 through 15.5.0. A change in
15.3.0 triggered a bug in Foolscap which produced a somewhat-infinite series
of log messages when run under `twistd`. This release fixes that bug, and
slightly changes the semantics of calling `log.msg()` with additional
parameters. (#244)
Foolscap no longer claims compatibility with python-2.6.x . Twisted-15.5.0
was the last release to offer 2.6 support, and subsequent releases actively
throw errors when run against 2.6, so we've turned off Foolscap's automated
testing for 2.6. It may remain compatible by accident for a while. (#245)
v0.8.1
Added localization support with translations for Czech, German and Slovak languages.
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems and Appreport madness on Ubuntu (thanks @Newman101)
Other:
- Added --portable parameter to syncthing-gtk.exe on Windows.
- Updated syncthing-inotify version to 0.6.7
- Added support for download placeholders in Nautilus plugin
v0.8.0.0.1
Prelease for localization testing. May work. Probably.
Added localization support with translations for Czech, German and Slovak languages.
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems and Appreport madness on Ubuntu (thanks @Newman101)
v0.8.0.1
Linux-only release. If you are on Windows, please, use v0.8
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems, inotify bugs and Appreport madness on Ubuntu (thanks @Newman101)
v0.8
For Syncthing 0.12 and above
Additional fixes:
- No 'ignore' button on Unknown device message.
- Better support for non-ascii characters in user's home path on Windows
v0.7.6.2
Prerelease to test with Syncthing v0.12. Most likely working.
v0.7.6.1
Fixes:
- Typo in Windows installer description (thanks @DennisPS)
- Missing image definition causes crash with some GLib versions
v0.7.6
Fixes:
- window border disappearing (again) on Windows
- crash on too recent glib (#198)
- crash on too old glib (#201)
- inotify (filesystem watcher) not being aware of created directories
- Nautilus plugin ignoring some files until view is refreshed
v0.12.15
- Handle race within the job queue (#1263, @AudriusButkevicius)
- Improve API/GUI shutdown handling (#2694, @calmh)
- Don't crash on folder remove while pulling (#2705, @calmh)
This release uses code signing on Mac OS X.
v0.12.14
This is a security update. The Windows builds are now done using Go 1.6beta2, otherwise this is identical to v0.12.13.
v0.12.13
This build is a security update.
- Add support for themes (#1925, @AudriusButkevicius)
- Don't leak sendIndexes on disconnect (#2589, @calmh)
- Always run relaying when enabled (#2665, @calmh)
- Update 'Edit' menu to 'Action' menu (#2662, @kluppy)
v0.12.12
- Update kardianos/osext (#2650, @calmh)
- Change default max conflicts to 10 (#2604, @calmh)
- Don't conflict copy conflict copies (#2605, @calmh)
- Don't allow in use CSRF tokens to expire (#1008, @calmh)
- Add relaying to main settings dialog (#2433, @calmh)
- Don't resolve destination address until we need to (#2671, @calmh)
- More fine grained locking in discovery cache (#2667, @calmh)
- Added STNODEFAULTFOLDER envvar to skip default folder creation on new install (#1515, @nrm21)
v0.12.11
- Remove windows specialisation from osutil.GetLans (#2192, @AudriusButkevicius)
- Ensure loaded config is free of duplicate devices (#2627, @calmh)
- Show device ID QR code from edit dialog (#1494, @ironmig)
- Don't warn about failed ignores if folder unhealthy (#2630, @AudriusButkevicius)
- Detect nonstandard hash algo and stop folder (#2314, @calmh)
- Also build linux-arm64, linux-ppc64, linux-ppc64le (@calmh)
- Disallow adding duplicate device ID in GUI (@ironmig)
v0.12.10
- Don't crash on stat error in ensureDir (#2608, @calmh)
- Correctly set default logfile location on Windows (#2608, @calmh)
- Consider tempfile when checking for free space (#2598, @andersonvom)
- Update kardianos/osext (#1272, @calmh)
- Remove fixed footer at first media break (#2454, @andersonvom)
- Update mtime of config file before upgrading (#2509, @andersonvom)
- Correct GUI asset dir handling (#2621, @calmh)
v0.12.9
- Example GUI override address (#2530, @calmh)
- Additional output on insufficient error (#2580, @Zillode)
- Add command line option to open GUI (#2210, @andersonvom)
- Always exit via error select, making sure reader routine is exits (#2547, @AudriusButkevicius)
- Don't verify free space for files when folder MinDiskFreePct==0 (#2600, @calmh)
- Edit device after accepting new connection (#1929, @andersonvom)
v0.12.8
- Correct type assertion in verbose logger, restart (#2561, @calmh)
- Remove Android hacks (#2505, @calmh)
- upnp: Use a separate error for the error unmarshalling (@wkennington)
Patches provided by Matthew Luckie in PR pkg/50654.
ChangeLogs:
https://mailman.caida.org/pipermail/scamper-announce/2015-October/000004.htmlhttps://mailman.caida.org/pipermail/scamper-announce/2015-December/000005.htmlhttps://mailman.caida.org/pipermail/scamper-announce/2016-January/000006.html
tbit
* add support for initial congestion window (ICW) inferences
* add new tests to check response to packets that could have been
sent by a blind attacker
* add a TCP fast-open implementation, with both experimental
and official option values
* add support for testing HTTPS and BGP. drop FTP, DNS, and SMTP
* add sc_tbitblind driver that was used for IMC 2015 paper
trace
* add tx timestamp to hop records
* add dl option, to replace dlts option removed from scamper.
* process UDP responses, if a UDP probe method is used.
ping:
* add tcp-syn ping method.
* fix memory leak when payloads are specified in ping.
sc_ipiddump
* report IPID values from traceroute measurements, where available
* report the source IP address used to probe the destination
sc_filterpolicy:
* add a new scamper driver to test systems for congruent filtering policy
http://www.caida.org/tools/measurement/scamper/man/sc_filterpolicy.1.pdf
scamper:
* update scamper maximum PPS to 10,000 (from 1000). Its not 2002 anymore.
* bind to requested source port with UDP sockets.
* set SO_SNDBUF once, when a probe socket is created.
* remove dlts option which was only used by traceroute.
* drop divert socket from privsep, which was not used in scamper anywhere.
* shift socket creation glue from scamper_privsep.c to
scamper_udp4.c, scamper_icmp6.c, etc.
* fix memory leak when receiving TCP responses in tracelb.
* do not use the global address cache in tracelb: use a local one.
* in qsort with 3-way partition, do not compare items against
themselves.
* improve performance of warts_addr_t code
* use calloc instead of malloc() -> memset(0) on systems where calloc
is available.
* do not use the global address cache in ping: most responses are
either from the destination, or from the same IP address, so
optimize for that.
Changes since 4.3.3
! Update the bounds checking when receiving a packet.
Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
patch.
[ISC-Bugs #41267]
1.1.1 - Second Law of Nature
============================
* Fix the owner_write rights rule
1.1 - Law of Nature
===================
One feature in this release is **not backward compatible**:
* Use the first matching section for rights (inspired from daald)
Now, the first section matching the path and current user in your custom rights
file is used. In the previous versions, the most permissive rights of all the
matching sections were applied. This new behaviour gives a simple way to make
specific rules at the top of the file independant from the generic ones.
Many **improvements in this release are related to security**, you should
upgrade Radicale as soon as possible:
* Improve the regex used for well-known URIs (by Unrud)
* Prevent regex injection in rights management (by Unrud)
* Prevent crafted HTTP request from calling arbitrary functions (by Unrud)
* Improve URI sanitation and conversion to filesystem path (by Unrud)
* Decouple the daemon from its parent environment (by Unrud)
Some bugs have been fixed and little enhancements have been added:
* Assign new items to corret key (by Unrud)
* Avoid race condition in PID file creation (by Unrud)
* Improve the docker version (by cdpb)
* Encode message and commiter for git commits
* Test with Python 3.5
add commandline option to genconfig.sh to set UPnP (UDA) version
advertise correct service and device versions when IGDv2 is enabled
fix action arguments for DeviceProtection service
fix event subscription renewal (include SID in response)
Google Cloud SDK contains tools and libraries that enable you to
easily create and manage resources on Google Cloud Platform,
including App Engine, Compute Engine, Cloud Storage, BigQuery,
Cloud SQL, and Cloud DNS.
This package contains bq, gcloud and gsutil commands.
