* Log the address IPv4LL defends
* PREINIT, UNKNOWN and CARRIER are neither up nor down states
* ARP code re-written to allow for many ARP states
* IPv4LL address is now pseudo random based on HW address instead
of really random as per RFC 3927 Section 2.1
* If not doing DHCP or DHCP6, disable the DNS requirement in the RA
to fork.
* Treat IPv4LL as fallback and start DHCP discovery even if the prior
lease was IPv4LL when rebooting.
* When we transition from REQUEST to DISCOVER in a reboot,
start IPv4LL at the same time as discover to ensure we have an
address quicker.
* Improve handling of the IPv6LL address at startup
* Support old Linux kernels where IFLA_AF_SPEC may not exist
* When stopping interfaces, skip past pseudo interfaces instead
of finding the master as only the masters are sorted correctly
Added another mirror site, http://cflags.cc/roy/dhcpcd
Upstream changes:
2.06 2014-07-01T10:01:44Z
commit 8259d5eb28919bc766c8b500151d5be7e944b7f2
Author: Petr Písař <ppisar@redhat.com>
Date: Fri Jun 27 13:37:20 2014 +0200
Wait infinitely if max_wait is negative
The t/12_pass_wait_port_options.t will fail if the server process does not
start listening in max_wait limit. This can happen if the host is
loaded or just if the scheduler decides to postpone the process.
This patch adds possibility to wait infinitely by passing a negative
max_wait value to the Test::TCP object and it changes the
t/12_pass_wait_port_options.t test to use this feature.
https://github.com/tokuhirom/Test-TCP/issues/28
Signed-off-by: Petr Písař <ppisar@redhat.com>
2.05 2014-06-24T00:49:45Z
- Release again with latest minil.
2.04 2014-06-23T23:42:28Z
- Release.
2.03_02 2014-06-23T23:37:07Z
- Release to CPAN.
2.03_01 2014-06-23T23:34:38Z
- Switch to ExtUtils::MakeMaker.
2.03 2014-06-23T10:18:53Z
- Re-packaging with Minilla v2.0.0-TRIAL
2.02 2013-10-30T03:22:39Z
- Fixed fork(2) error handling.
(tokuhirom)
2.01 2013-09-22T04:13:53Z
[Changes from MITHALDU (Christian Walde)]
- test waitport argument by running full code-chain, not with partial mocking
- The partial mocks cause stuck forks on win32 at times, causing the test to
hang. With the full code chain present the test runs reliably
Bring over changes from source of truth in othersrc/usr.bin/tnftp
Changes since previous version:
-This is tnftp version 20141031.
+This is tnftp version 20141104.
+
+Changes in tnftp from 20141031 to 20141104:
+
+ Portability fixes.
With thanks to lukem for the nudge
**** 0.81 Oct 29, 2014
Fix rt.cpan.org #99571
AXFR BADSIG failures
Fix rt.cpan.org #99531
Resolver doc error - when is a 'bug' a 'bug'? [TSIG verification]
Fix rt.cpan.org #99528
TSIG::create fails with some filenames
Fix rt.cpan.org #99527
Random errors... [declaration with statement modifier]
Fix rt.cpan.org #99429
Infinite recursion in Net::DNS::Resolver::Recurse::send when
following certain delegations with empty-non terminals.
Fix rt.cpan.org #99320
Net::DNS::ZoneFile bug in "$ORIGIN ."
* Release as "tnftp 20141031".
* Merge NetBSD usr.bin/ftp from 20130220 to 20141026:
- Don't pay attention to special characters if they don't
come from the command line (from jmcneill).
Fixes CVE-2014-8517.
- pr/34796: Hauke Fath: ftp does not timeout on http fetches.
Sun May 5 13:51:47 UTC 2013 lukem
* Release as "tnftp 20130505"
* Implement --enable-ssl (and --with-openssl) to enable
https:// fetch support.
* Merge NetBSD ftp from 20090520 to 20130220. Changes:
- https:// support.
NetBSD problem report 47276 from NONAKA Kimihiro.
- Allow -R to restart non-existent ftp:// URIs.
- Don't assume AF_INET support is available.
FreeBSD problem report 162661.
- Parse HTTP 'Date' entries in the `C' locale rather than the
user's.
NetBSD problem report 42917 from KAMADA Ken'ichi.
- Improve error handling when parsing of URI scheme.
- Silence connection warnings to multi-homed hosts in
non-verbose mode.
- Fix compile warnings.
- In ftpvis(), prevent incomplete escape sequences at end of
dst, and ensure NUL-termination of dst.
Fix from Uwe Stuehler and Stefan Sperling, via Marc Balmer.
- When using the response to SYST to decide whether to
default to 'binary' be a lot less specific.
* Replace glob with newer copy from NetBSD that does not suffer
from DoS exhaustion attacks.
Fix in NetBSD from Maksymilian Arciemowicz. See CVE-2011-0418
Tue Jan 12 06:58:15 UTC 2010 lukem
* Release as "tnftp 20100108"
* Rename onoff() argument "bool" to "val".
Tue Jan 5 09:12:01 UTC 2010 lukem
* If ARG_MAX isn't defined, use the result from sysconf(_SC_ARG_MAX).
Fixes build when using newer glibc.
* Add libnetbsd.la to the LIBADD for libedit.
Fix provided by Adam Sampson.
Mon Jan 4 06:28:07 UTC 2010 lukem
* Distribute various files not shipped by default automake rules,
to use 'make dist' instead of 'cvs export'.
Wed Dec 30 00:12:47 UTC 2009 lukem
* Release as "tnftp 20091122"
Sun Nov 15 10:14:44 UTC 2009 lukem
* Merge NetBSD ftp from 20090520 to 20090915. Change:
- Rename internal getline() to get_line() to avoid
conflict with libc with former.
- Avoid a NULL dereference in an error message.
Sat Nov 14 09:21:19 UTC 2009 lukem
* Convert to automake & libtool.
Sat Jun 6 07:17:38 UTC 2009 lukem
* Release as "tnftp 20090606"
Fri May 22 01:11:15 UTC 2009 lukem
* configure fixes:
- Add the time.h headers to accheck_includes, for the strptime check.
- Remove the check for el_init in libedit; we're always replacing
the library and the presence of strvis() in some versions
confuses other checks.
Wed May 20 13:47:43 UTC 2009 lukem
* Release as "tnftp 20090520"
* Merge NetBSD ftp from 20070722 to 20090520. Changes:
- Only attempt to el_parse() a command unknown by the default
parser if editing is enabled.
Fixes pr 38589.
- Turn off the alarmtimer before resetting the SIGALRM handler
back to SIG_DFL.
Fixes pr 35630.
- Add epsv6 and epsv to disable extended passive mode for ipv6 or
both ipv4 and ipv6 respectively. This hack is due to our
friends at Juniper Networks who break epsv in ipv6.
Should be fixed in ScreenOS 6.2.X.
- Improve parsing of chunked transfer chunks per RFC2616:
- more stringent chunk-size parsing
- ignore optional trailing ';chunk-ext' stuff, instead of barfing
- detect EOF before final \r\n.
- Use the service name to getaddrinfo() (along with the host
name), so that features such as DNS Service Discovery have a
better chance of working.
Display the service name in various status & error messages.
- Don't getservbyname() the :port component of a URL; RFC 3986
says it's just an unsigned number, not a service name.
- Fix numerous WARNS=4 issues (-Wcast-qual -Wsign-compare).
- Fix -Wshadow issues
- Update copyrights
- Remove clause 3 and 4 from TNF licenses
- Rename HAVE_STRUCT_SOCKADDR_SA_LEN to
HAVE_STRUCT_SOCKADDR_IN_SIN_LEN to accurately reflect the
structure member being used.
- Use AF_INET instead of AF_UNSPEC as the default family if
!defined(INET6).
* configure improvements:
- Style tweaks.
- Use AC_LANG_PROGRAM() instead of AC_LANG_SOURCE()
- Add a check for strptime() requiring separators between
conversions, and use our replacement one if it does.
Sat Dec 20 15:28:24 UTC 2008 lukem
* configure improvements:
- Move IPv6 check from tnftp.h to configure.ac (as per tnftpd).
- Rework option descriptions.
- Highlight when tests are for a specific option.
- Move configuration results to the end of the file.
- Display $prefix in configure results.
Fri Aug 15 03:03:36 UTC 2008 lukem
* Add a "Configuration results" display at the end of configure.
Cosmetic tweaks.
Fri Feb 29 09:45:56 UTC 2008 lukem
* Support @EXEEXT@ for Cygwin (etc).
2.15 - 09/06/2013
-----------------
- Now compiles on HP-UX (Grant Byers)
- Added support for IPv6 (Leo Baltus, Eric Stanley)
2.14 - 12/21/2012
-----------------
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)
2.13 - 11/11/2011
-----------------
- Applied Kaspersky Labs supplied patch for extending allowed_hosts (Konstantin Malov)
- Fixed bug in allowed_hosts parsing (Eric Stanley)
- Updated to support compiling on Solaris 10 (thanks to Kevin Pendleton)
* Discard NAT-PMP packets coming from the WAN
* small modifications to compile with exotic C libraries
* add comments in miniupnpd.conf regarding security
* DeletePortMapping now checks for client IP in Securemode
* Various fixes :
e->ipv6.flags |= IP6T_F_PROTO; (netfilter)
fix natpmp.c byte order conversion
add small delay before SSDP response to prevent flooding
changes:
** No longer create local symbolic links by default.
Closes CVE-2014-4877.
** Use libpsl for verifying cookie domains. (not in pkgsrc yet)
** Default progress bar output changed.
** Introduce --show-progress to force display the progress bar.
** Introduce --no-config. The wgetrc files will not be read.
** Introduce --start-pos to allow starting downloads from a
specified position.
** Fix a problem with ISA Server Proxy and keep-alive connections.
Changelog:
2014-09-26 Dustin Lundquist <dustin@null-ptr.net>
0.3.6 release
* Improve logging:
Fix negative connection duration in access log
Include log rotate script
Reopen log files on SIGHUP
Share file handle to same log file between listeners
Avoid unnecessary reconnection to syslog socket
Cache timestamp string for current second
* Man page
* Packaging improvements:
passes lintian and rpm-lint
2014-08-13 Dustin Lundquist <dustin@null-ptr.net>
0.3.5 release
* Configuration reloading on SIGHUP
* SSL 2.0 connection handling: do not treat as an error, use fallback
address if configured.
* Fix buffer_coalesce error
* Spawn privileged child to bind sockets to privileged ports on reload
* Add -V flag to return sniproxy version
* Use libev for timestamps to improve portability
* Include several for BSD compatibility
* Large file support (for log files)
* Use RTF_PINNED when deleting routes when available
Allows dhcpcd to control IPv4 routing on newer FreeBSDs
* Don't work on bridge, or ptp interfaces unless explicitly told
* Poll for IFF_RUNNING again but avoid constantly sending IFF_UP
(should now fix all carrier problems on BSD virtual interfaces)
* Don't crash when processing IPv6 route calls from the kernel
when IPv6 resources have been disabled in dhcpcd
* Allow the same IP address to be shared across different interfaces
Interface with the lowest metric gets the IP address, will move
to the next highest if dropped (interface departs, carrier drops, etc)
* Use correct interface gateway on FreeBSD, removes need for linkaddr.c
on kFreeBSD
* Delegated prefix addresses are now reported via DELEGATE6
* Fix copying the correct timezone file
* Work better with unknown delegated prefix lengths
* Move IPv4LL and ARP to the DHCP eloop queue to fix timing issues
* Add IA PD documentation update from christos@netbsd.org
Security Fixes
A query specially crafted to exploit a defect in EDNS option
processing could cause named to terminate with an assertion
failure, due to a missing isc_buffer_availablelength() check
when formatting packet contents for logging. For more information,
see the security advisory at https://kb.isc.org/article/AA-01166/.
[CVE-2014-3859] [RT #36078]
A programming error in the prefetch feature could cause named
to crash with a "REQUIRE" assertion failure in name.c. For more
information, see the security advisory at
https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
Optionally allows libseccomp-based (secure computing mode)
system-call filtering on Linux. This sandboxing mechanism may
be used to isolate "named" from various system resources. Use
"configure --enable-seccomp" at build time to enable it. Thank you
to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
Feature Changes
"geoip asnum" ACL elements would not match unless the full
organization name was specified. They can now match against the
AS number alone (e.g., AS1234). [RT #36945]
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
An assertion failure could occur if a route event arrived while
shutting down. [RT #36887]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappropriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
On some platforms, overhead from DSCP tagging caused a performance
regression between BIND 9.9 and BIND 9.10. [RT #36534]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
Fixed a bug where some updated policy zone contents could be
ignored due to stale RPZ summary information [RT #35885]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses some problems with unrecoverable lookup failures. [RT #36330]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Disable the GCC 4.9 "delete null pointer check" optimizer option,
and refactor dns_rdataslab_fromrdataset() to separate out the
handling of an rdataset with no records. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused GeoIP ACLs not to work when referenced
indirectly via named or nested ACLs. [RT #35879]
Fixed a bug that could cause problems with cache cleaning when
SIT was enabled. [RT #35858]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accommodate. [RT #35878]
Fixed a bug that could cause an assertion failure when inserting
and deleting parent and child nodes in a response-policy zone.
[RT #36272]
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
On Windows, enable the Python tools "dnssec-coverage" and
"dnssec-checkds". [RT #34355]
Added a "no-case-compress" ACL, which causes named to use
case-insensitive compression (disabling change #3645) for specified
clients. (This is useful when dealing with broken client
implementations that use case-sensitive name comparisons, rejecting
responses that fail to match the capitalization of the query
that was sent.) [RT #35300]
Feature Changes
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
The Windows installer now places files in the Program Files area
rather than system services. [RT #35361]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
"named" will now log explicitly when using rndc.key to configure
command channel. [RT #35316]
The default setting for the -U option (setting the number of UDP
listeners per interface) has been adjusted to improve performance.
[RT #35417]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappropriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Buffers in isc_print_vsnprintf were not properly initialized
leading to potential overflows when printing out quad values.
[RT #36505]
Don't call qsort() with a null pointer, and disable the GCC 4.9
"delete null pointer check" optimizer option. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accommodate. [RT #35878]
Changes since 4.3.1rc1
- None
Changes since 4.3.1b1
- Modify the linux and openwrt dhclient scripts to process information
from a stateless request. Thanks to Jiri Popelka at Red Hat for the
bug report and patch.
[ISC-Bugs 36102]
- Remove more unused RCSID tags. These weren't noticed in 4.3 as
the code isn't used anymore but we remove them here to keep the
code consistent across versions.
[ISC-Bugs #36451]
libnice 0.1.8 (2014-10-09)
==========================
Added FIN-ACK behavior in the PseudoTCP
ICE-TCP, both standard mode and Microsoft compatible
Microsoft compatible TURN-TCP
API: nice_address_equal_no_port() to compare NiceAddresses ignoring the port
API: nice_agent_get_component_state() to get the current component state
API: agent:keepalive-conncheck to make the agent use conncheck as keepalives
and fail the connection if there is no answer
API: agent:ice-tcp, agent:udp-tcp to control ICE-UDP vs ICE-TCP behaviours
API: agent:bytestream-tcp to know if the send/receives in reliable mode create full packets or not
API: New signals agent::new-selected-pair-full, agent::new-candidate-full,
agent::new-remote-candidate-full which include the NiceCandidates directly
API: Deprecated agent::new-selected-pair and agent::new-candidate and
agent::new-remote-candidate signals
Now all signals are emitted at the function return time
* netstring-pcre: removing dependency on camlp4 (an oversight).
* Fixing bad format strings (Damien Doligez)
* Windows: various fixes, including int sizes for 64-bit Windows,
the invocation of cppo, and CR characters. Also, unixsupport.h
is now used instead of declaring the prototypes directly.
(Andreas Hauptmann)
* C99: use int64_t instead of int64 in C code. The latter is gone
in OCaml-4.02. (Richard Jones)
* Build: no longer requiring camlp4 (as it is not distributed with
ocaml-4.02)
* Fixing some unit tests
* Netexn: new exception representation in ocaml-4.02
* Build: renaming file for a configure test to avoid a
naming conflict (Richard Jones)
* Https_client and aggressive connection caching: In previous
versions there was a problem with the reinitialization of the
SSL socket when a former connection was reused. The fix requires
an API change of connection_cache: The SSL socket can now be
stored with the inactive connection.
* Http_client: fixing a bug with connection caching: Address
resolution was not taken into account for computing the key
in the connection cache.
* ssl_exts_stubs.c: releasing global lock on shutdown error
(Török Edwin)
* Uq_ssl: Fix error path when SSL connection fails during the
handshake
0.7.10 [2014-07-21 18:06:54 +0200]:
- [87ebf13df38c] NEWS: add a word about json-c library support (Vincent Bernat)
- [5dcd280d1267] lldpcli: fix jansson implementation of the JSON output (Vincent Bernat)
- [71542b4ec734] configure: if --with-json, default to jansson implementation (Vincent Bernat)
- [368daef3d649] cdp: complete manual page with CDP-related options (Vincent Bernat)
- [611aba00053c] cdp: Make it possible to enable CDPv2 without enabling CDPv1 (Michel Stam)
- [5d8f75fe9fdc] lldpcli: Add json description to lldpcli usage (Michel Stam)
- [619c379964fd] cdp: Add power requirement to CDPv2 frames (Michel Stam)
- [8ff14a6d117e] lldpcli: Add support for JSON-C (Michel Stam)
- [62d6f99d2d17] lldpcli: make complete command work on privileged commands as well (Vincent Bernat)
- [314f382a5093] lldpcli: provide a hidden complete command for shell completion (Vincent Bernat)
- [e13945c02c44] lldpcli: change how privileged commands are declared (Vincent Bernat)
- [40df69956ad0] lldpcli: reformat a bit bash completion to be more readable (Vincent Bernat)
- [ecd41283aa58] priv: avoid a socket leak when interface is already in promisc (Vincent Bernat)
- [ba908c4eedaa] snmp: avoid dereferencing a pointer when it may be NULL (Vincent Bernat)
- [5317a14a3f0e] dcbx tlv recd are printed as log_debug (Sam Tannous)
- [7efa65c16ec7] lldpcli: use protocol map from liblldpctl to select protocol (Vincent Bernat)
- [baaa96d1530c] lldpcli: document `-u` argument in synopsis (Vincent Bernat)
- [494264f0f831] lldpcli: add display filter to show nbrs running specific protocols (Sam Tannous)
- [e147917d5257] lib: update liblldpctl versioning (Vincent Bernat)
- [1fa64c11d337] Add call to process more messages from data already read. (Sam Tannous)
- [0469161dd554] Add error code to the multicast address add/delete failure msg (Sam Tannous)
- [4f670a1e8ace] Move interface update msg to debug level (Sam Tannous)
- [003620d3104b] Add ignore handler for SIGHUP in lldpcli (Sam Tannous)
- [aef05ae38c63] This patch adds bash completion for lldpcli. (Sam Tannous)
- [ea51049df882] snmp: use poll() to wait for AgentX socket to be ready (Vincent Bernat)
- [dc6436adb4db] snmp: preserve previous flags when making AgentX socket non-blocking (Vincent Bernat)
- [b93e39a16736] make agentx socket non-blocking (Sam Tannous)
- [ad21b578b215] Make "too many neighbors for port" msg appear less frequently (Sam Tannous)
- [aca48e4ba570] lldpd: Fix netlink notification group for address changes (Sam Tannous)
- [b0b8841b0b42] Increase event buffer (Sam Tannous)
- [e595efb4c177] log: info messages should be logged on syslog but not on first debug level (Vincent Bernat)
- [254e5134d933] lldpd: fix log_info (Sam Tannous)
- [5e23c6b99bd3] NEWS: credit seccomp fix (Vincent Bernat)
- [d64549384f6f] lldpd: fix use of NULL in execl* (Vincent Bernat)
- [d769cdb235cc] Merge pull request #70 from chutz/seccomp-whitelist (Vincent Bernat)
- [285b33afd0da] lldpd: whitelist sendto, poll, recvmsg and readv in seccomp sandbox (Patrick McLean)
- [1059a20e7e2d] NEWS: add a word about ability to disable LLDP (Vincent Bernat)
- [b8a802bc7d8a] lldpd: fix how LLDP can be disabled (Vincent Bernat)
- [806eaef4832a] cdp: don't expect an off-by-one checksum (Vincent Bernat)
- [a5a60bbf97ed] frame: fix CDP checksum (udbxtd2008)
- [f4da5f84837c] README: document the new promisc interface in README as well (Vincent Bernat)
- [0a6f3866b830] lldpcli: give more details in the manual page about promiscuous mode (Vincent Bernat)
- [f84199ddf6c9] lldpcli: add an option to enable promisc mode on managed interfaces (Vincent Bernat)
- [ace524261458] priv: don't output rc status twice when unable to open socket (Vincent Bernat)
- [50724a52606f] README: more about Cisco sending LLDP frames on VLAN 1 (Vincent Bernat)
- [af5f56616c7f] osx: update version to 0.7.9 (Vincent Bernat)