IO::Socket provides a way to set a timeout on the socket, but the
timeout will be used only for connection, not for reading/writing
operations.
This module provides a way to set a timeout on read/write operations
on an IO::Socket instance, or any IO::Socket::* modules, like
IO::Socket::INET.
This VNC client makes use of the net/gtk-vnc library, providing a client
implemented with the Gtk+ toolkit. It is part of the DeforaOS desktop
environment.
* Save the initial working directory and change to it just before
running any scripts.
This avoids scripts putting files accidentally where they shouldn't.
* Strip trailing dot from search and domain names.
* man page improvements.
Do not update xserver used, still 1.17.2.
Release notes:
TigerVNC 1.6.0 is now available. This release is mostly about fixing
various bugs and polishing existing features, but there are some
notable new things:
* Multi-head support in the Java viewer
* Better certificate handling in the Java viewer, including host
name verification
Upstream changes:
v0.4.6
* Fix multiple RPC error generation
* Add support for cancel-commit and persist param
* Add more examples
v0.4.5
* Add Huawei device support
* Add cli command support for hpcomware v7 devices
* Add H3C support, Support H3C CLI,Action,Get_bulk,Save,Rollback,etc.
* Add alcatel lucent support
* Rewrite multiple error handling
* Add coveralls support, with shield in README.md
* Set severity level to higher when multiple
* Simplify logging and multi-error reporting
* Keep stacktrace of errors
* Check for known hosts on hostkey_verify only
* Add check for device sending back null error_text
* Fix RPC.raise_mode
* Specifying hostkey_verify=False should not load_known_hosts
* Check the correct field on rpc-error element
v0.4.3
* Nexus exec_command operation
* Allow specifying multiple cmd elements in Cisco Nexus
* Update rpc for nested rpc-errors
* Prevent race condition in threading
* Prevent hanging in session close
v0.4.2
* Support for paramiko ProxyCommand via ~/.ssh/config parsing
* Add Juniper-specific commit operations
* Add Huawei devices support
* Tests/Travis support
* ioproc transport support for Juniper devices
* Update Cisco CSR device handler
* Many minor and major fixes
Upstream changes:
1.3.1:
* Bugfix: Not to suppress exception under Config util context manager.
1.3.0:
* Feature add: support "private" and "dynamic" database access #301 #458.
* Feature enhancements:
- Support for Feature Velocity releases #442
- Multiple RPC support #338 #453
- Merged Table/View pull requests from user. #441
- Facts gathering to raise only warning in case of exception #459
* Bugfixes:
- Raise RpcTimeoutError in commit_check #437
- Config load not throwing RpcTimeoutError #443 #444
- Prevented AttributeError upon XML comment #448 #447
- Facts gathering fix for QFX and other specific software releases #450 #463
1.2.3:
* Bugfixes:
- Software upgrade for multi RE and multi VC #429
- single chassis (EX8208 1EA-2RE) software installation was broken.
- Facts gathering on VMx & Qfabric #313
- SCP & SW progress to print proper log messages #422, #421
- TXP facts broken #417
- Prefer explicitly defined ssh_private_key_file to sshconfig #418
* Feature enhancements:
- Implement context manager for Device #433
- JSON as format option to RPC calls for Junos >= 14.2
- Merged Table/View pull requests from users.
1.2.2:
* Bugfixes:
- Suppress paramiko logger warnings #363
- A few places warnings similar to
No handlers could be found for logger "paramiko.transport"
would be displayed.
- Device password setter did not work #400
- dev.password = 'newpass'
- Facts gather for EX8200 standalone failing #402
- JSON dump of RPC XML failing when contents include XML comment #406
- SCP logger not enabled by default #362
1.2.1:
* Bugfixes:
- Unable to use get() multiple times with Tables
- Add increased timeout value for remote_checksum
- Ability to set options in CfgTable definition
- Domain Fact
- Put RPC inside try block
- Search inherited version of config
- Update support of swver fact for Junos 15.1
1.2.0:
* New features:
* Enhanced exception handling:
* XML Normalization Support:
* OpTables normalization
* Mixed Mode Virtual Chassis Upgrade Support
* Add sync, force_sync, full, detail to Config.commit(),
* Configuration Table Support
* Support for SSH ProxyCommand in SCP
* Set minimum paramiko version to 1.15.2
* Bugfixes:
- Facts
- MX Virtual Chassis
- All physical RE's are now accounted for in facts in the
format Device-RE => 'RE1-RE0'
- Master fact is same format as other VC systems.
- Domain
- Domain lookup now checks configuration first before attempting
to parse /etc/resolv.conf or /var/etc/resolv.conf
- 2RE
- Fixed false positive of 2RE on vc_capable systems
- StartShell root user
- Utils.start_shell now supports the user root
- utils.fs multiple RE support
- Fixed bug affecting multiple RE systems
- OpTables loading from XML files and objects
- OpTables were not properly loading when passing in a XML
file path or lxml object
1.1.2:
* Bugfixes:
- onbox Device()
1.1.1:
* Bugfixes:
- Device _auth_user overwritten after device open.
This was breaking SCP
1.1.0:
* New features:
* Enhanced Exception Handling
* Per execution timeout
* Serialization of Junos facts
* Composite table key support for missing XPATH
* Regex support for View boolean values
* OS Install force-host
* Added display_xml_rpc command
* ncclient proxycommand support
* Added support for pipe (union) operator in Table keys
* Format optional for configuration strings
* Bugfixes:
* JSON Output
- Views that had compound keys failed to dump.
- RPC command output failed to dump.
* FutureWarning
- Config utility would output a FutureWarning
1.0.2:
* Bugfixes:
* XML Templates not properly loading
* Templates without a file extension no longer assumed to be XML
Interoperation with syncthing-android is still very important, but
some have told me that they use syncthing among POSIXish systems
without android as a replacement for rsync/unison, more or less. Keep
the notion of deferring major upgrades to stay in sync with f-droid.
(This is in no way a complaint about the previous minor upgrade, which
was most welcome; it just caused me to look at this and notice my
previous text was too strong.)
v0.12.19
- Return "No such object in the index" when /rest/db/file gets
called on something that doesn't exist (@calmh)
- Swap the corsMiddleware and the csrfMiddleware so the unauthenticated
OPTIONS requests are first processed. (@letiemble)
- Report versioning usage in usage report (@calmh)
Changes:
v0.16
-----
* Completely revised HTTP2 implementation based on hyper-h2 (Thomas
Kriechbaumer)
* Export flows as cURL command, Python code or raw HTTP (Shadab Zafar)
* Fixed compatibility with the Android Emulator (Will Coster)
* Script Reloader: Inline scripts are reloaded automatically if modified
(Matthew Shao)
* Inline script hooks for TCP mode (Michael J. Bazzinotti)
* Add default ciphers to support iOS9 App Transport Security (Jorge
Villacorta)
* Basic Authentication for mitmweb (Guillem Anguera)
* Exempt connections from interception based on TLS Server Name Indication
(David Weinstein)
* Provide Python Wheels for faster installation
* Numerous bugfixes and minor improvements
Changes:
2.1.0 (2016-02-02)
------------------
**API Changes (Backward Compatible)**
- Added new ``InvalidTableIndex`` exception, a subclass of
``HPACKDecodingError``.
- Instead of throwing ``IndexError`` when encountering invalid encoded integers
HPACK now throws ``HPACKDecodingError``.
- Instead of throwing ``UnicodeDecodeError`` when encountering headers that are
not UTF-8 encoded, HPACK now throws ``HPACKDecodingError``.
- Instead of throwing ``IndexError`` when encountering invalid table offsets,
HPACK now throws ``InvalidTableIndex``.
- Added ``raw`` flag to ``decode``, allowing ``decode`` to return bytes instead
of attempting to decode the headers as UTF-8.
**Bugfixes**
- ``memoryview`` objects are now used when decoding HPACK, improving the
performance by avoiding unnecessary data copies.
The following security issues are fixed with this update:
* Resolve buffer overflow when handling "config" file requests (CVE-2016-2054)
* Restrict "config" files to regular files inside the $XYMONHOME/etc/ directory
(symlinks disallowed) (CVE-2016-2055). Also, require that the initial filename
end in '.cfg' by default
* Resolve shell command injection vulnerability in useradm and chpasswd CGIs
(CVE-2016-2056)
* Tighten permissions on the xymond BFQ used for message submission to restrict
access to the xymon user and group. It is now 0620. (CVE-2016-2057)
* Restrict javascript execution in current and historical status messages by
the addition of appropriate Content-Security-Policy headers to prevent XSS
attacks. (CVE-2016-2058)
* Fix CVE-2015-1430, a buffer overflow in the acknowledge.cgi script.
Thank you to Mark Felder for noting the impact and Martin Lenko
for the original patch.
* Mitigate CVE-2014-6271 (bash 'Shell shock' vulnerability) by
eliminating the shell script CGI wrappers
Please refer to
https://sourceforge.net/projects/xymon/files/Xymon/4.3.25/Changes/download
for further information on fixes and new features.
Baïkal 0.3.1 is now the recommended version of Baïkal. This release
fixes the most reported issues with Baikal, and also:
Upgrades sabre/dav from version 1.8 to 3.1.
Supports PHP 7.
Makes the minimum PHP version 5.5.
Adds support for calendar/addressbook export.
Adds support for WebDAV-Sync.
Upgrade instructions are here:
http://sabre.io/baikal/upgrade/
* Improve dailymotion embed detection
* strip http urls in smil manifest
* Improve base url construction
* Pass mpd base url to _parse_mpd_formats
* Allow bestvideo+bestaudio for any extractor
* Add direct mpd url test
* Improve multifeed videos extraction
Upstream changes:
* post by shotcut keys didn't work on certain conditions
* selected characters of tweet by mouse drag were not shown correctly
in some case
pkgsrc changes:
- remove unnecessary OVERRIDE_GEMSPEC for ruby-http
- add a new OVERRIDE_GEMSPEC for equalizer-0.0.11
(briefly tested with net/ruby-tw)
No CHANGELOG.md entry (and no announcement) in upstream.
(one notable change in github is "Update http dependency to ~> 1.0")
96.0.0 (2016/2/10)
Breaking Changes
Google App Engine
Google App Engine components updated to 1.9.32. Please visit the following release notes for details: Python - https://cloud.google.com/appengine/docs/python/release-notes Java - https://cloud.google.com/appengine/docs/java/release-notes
The gcloud preview app gen-config command now offers to automatically update the runtime field in app.yaml if necessary.
IAM
The gcloud beta iam command group has launched.
Emulators
The Pub/Sub emulator now supports Gzip-encoded requests.
Google Compute Engine
The gcloud compute copy-files|scp commands on Windows now treat path arguments with a drive prefix as local files.
Configurations
The config configurations delete command now takes multiple configuration names.
Containers
kubectl is updated to v1.1.7.
Bugfix on the gcloud container clusters get-credentials when run from a client without edit permissions.
Misc. Changes
The default floating point output format precision is 6. Exponent notation is used for abs(n) < 1e-04 and abs(n) >= 1e+09.
The arrow and page up/down/home/end keys now work in the Windows help pager.
95.0.0 (2016/2/3)
Breaking Changes
Use gcloud compute networks create --mode=legacy to create non-subnet networks.
Google Compute Engine
gcloud compute copy-files and gcloud compute ssh on Windows now use standard PuTTY plink.exe, pscp.exe and putty.exe. A standalone winkeygen.exe generates PuTTY and ssh compatible keys. The Windows PuTTY executables are up to date at version 0.66.
Google Compute Engine subnets
Added gcloud compute networks subnets.
Added --mode flag to gcloud compute networks create.
Added --subnet flag to gcloud compute instances create and gcloud compute instance-templates create.
Added --local-traffic-selector flag to gcloud compute vpn-tunnels create.
Google App Engine
Added support for streaming logs when the use_cloud_build=1 property is set.
Moved the nodejs install script into the docker image.
Projects
gcloud projects update|undelete|delete have been moved to beta.
gcloud --format
Added nested table formatting by --format="table(field1,listField2:format=FORMAT-STRING)" where FORMAT-STRING can be any format (json, table, ...). Try: gcloud compute instances list --format="table[box](name, disks:format='table[no-heading](deviceName:sort=1, kind)')"
Added list field aggregation formatting (similar to nested formatting) by --format="table(listField2:format=FORMAT-STRING)". When the main table has no columns each nested format is aggregated into a single list. Try: gcloud compute instances list --format="table(disks:format='table[box](deviceName:sort=1, kind)')"
94.0.0 (2016/1/27)
Google Compute Engine
Added gcloud alpha compute url-maps list-cache-invalidations command.
Google App Engine
Google App Engine components updated to 1.9.31. Please visit the following release notes for details: Python - https://cloud.google.com/appengine/docs/python/release-notes Java - https://cloud.google.com/appengine/docs/java/release-notes
Added --runtime flag to gcloud preview app gen-config to specify a runtime when a directory identifies as multiple runtimes. This flag can be used in conjunction with --custom.
Google Container Engine
gcloud container cluster describe and list commands now notify the user when their cluster versions are about to go out of support or are unsupported.
Google Cloud Logging
gcloud beta logging write and gcloud beta logging logs delete commands now use the V2beta1 API. The gcloud beta logging write command now uses the global resource descriptor (which translates to "custom.googleapis.com" service in V1).
Cloud Dataproc
gcloud beta dataproc clusters create now supports --tags and --metadata flags to set instance tags and metadata on all instances in the Dataproc cluster.
PubSub Emulator
A new --host flag can be used to specify the address the emulator should bind as. The flag can be left unspecified, set to "localhost", a hostname, or an explicit IP address.
Projects
Added commands get-iam-policy, set-iam-policy, add-iam-policy-binding, and remove-iam-policy-binding for the gcloud beta projects surface.
Added the gcloud projects list command that can be used to list projects.
93.0.0 (2016/1/20)
kubectl upgraded to 1.1.4.
gcloud beta dataproc cluster create now supports --properties flag to set properties for installed packages.
Datastore emulator's DATASTORE_LOCAL_HOST environment variable changed to DATASTORE_EMULATOR_HOST.
gcloud source repos clone now supports --dry-run flag to show equivalent git command.
92.0.0 (2016/1/13)
Because of the rollback of 91.0.0, this release contains all of the changes from 91.0.0 in addition to the changes listed below.
Breaking Changes
gcloud preview app deploy
Changed deployments to set the deployed versions to receive all traffic for their modules by default.
To keep the old behavior (traffic split remains the same), use the --no-promote flag or run gcloud config set app/promote_by_default true.
Note that your old versions are still running, and must be stopped manually. This behavior will change in a future release.
Removed deprecated --set-default flag. Please use --promote instead.
gcloud preview app deploy: Removed deprecated --env-vars flag.
The output of the gcloud preview app modules list command has been changed to include the traffic split percentage instead of the 'default version' field.
Removed deprecated gcloud preview app modules cancel-deployment command.
This command is no longer necessary due to recent improvements in the Deployment API.
Removed deprecated gcloud preview app modules download command.
This command is no longer necessary due to recent improvements in the Deployment API.
Removed deprecated gcloud preview app run command. Please use dev_appserver.py instead.
Changed behavior of the --zone/-z flag in the gcloud dns record-sets command group. This flag can no longer precede the command. For instance, gcloud dns record-sets -z=mz list will not work, but gcloud dns record-sets list -z=mz will.
Changed --password-file option for sql instances set-root-password; password now does not include trailing newline from password file. This matches the documented behavior, but not the previous behavior. (Fixes https://code.google.com/p/google-cloud-sdk/issues/detail?id=419)
Removed meta/active_configuration from the results of gcloud config list since it is not a property that can be set. You can continue to use the gcloud config configurations commands to view and manage your configurations.
Cloud SDK
Added gcloud config proxy settings. Users can configure gcloud to use a proxy via the following settings:
gcloud config proxy/address
gcloud config proxy/password
gcloud config proxy/port
gcloud config proxy/type
gcloud config proxy/username
Added alpha and beta components to Debian packages.
Removed unused config properties: app/hosted_registry, app/host, app/admin_host, app/api_host.
Google Cloud Logging
Migrated to v2beta1 API release.
Moved gcloud beta logging sinks commands to v2beta1.
Added gcloud beta logging resource-descriptors command to display supported resources from various services.
Added gcloud beta logging read command to retrieve log entries using filters.
Google Container Engine
Added gcloud container clusters resize for resizing Container Engine clusters.
Added notifications when node upgrades are available to gcloud container cluster describe and list commands.
Google App Engine
Fixed bug where initial deployments using --image-url failed.
Changed gcloud preview app modules set_default command to use the App Engine Admin API.
Changed gcloud preview app modules list command to use the App Engine Admin API.
---------------------
2015-05-28 wimpunk
* [r183] ., release: Removing unneeded release directory
2015-03-23 wimpunk
* [r182] ddclient: Reverting to the old perl requirements like
suggested in #75
The new requirements were added when adding support for cloudflare. By the
simple fix suggested by Roy Tam we could revert the requirements which make
ddclient back usable on CentOS and RHEL.
* [r181] ddclient: ddclient: made json optional
As suggested in pull 7 on github by @abelbeck and @Bugsbane it is
better to make the
use of JSON related to the use of cloudflare.
* [r180] ddclient: ddclient: reindenting cloudflare
Indenting cloudflare according to the vim tags
* [r179] ddclient: ddclient: correction after duckdns merge
Correcting duckdns configuration after commit r178
* [r178] ddclient: Added simple support for Duckdns www.duckdns.org
Patch provided by gkranis on github.
Merge branch 'gkranis'
2015-03-21 wimpunk
* [r177] README.md: Added duckDNS to the README.md
* [r176] sample-etc_rc.d_init.d_ddclient.ubuntu: update ubuntu init.d script
Merge pull request #9 from gottaloveit/master
* [r175] Changelog, Changelog.old: Renamed Changelog to
Changelog.old
Avoiding conflicts on case insensitive filesystems
* [r174] ddclient: Add missing config line for CloudFlare
Merge pull request #19 from shikasta-net/fixes
* [r173] ddclient: Merge pull request #22 from reddyr/patch-1
loopia.se changed the "Current Address:" output string to "Current IP
Address:"
* [r172] ddclient: fixed missing ) for cloudflare service hash
Merge pull request #16 from adepretis/master
2015-01-20 wimpunk
* [r171] README.md, ddclient, sample-etc_ddclient.conf: Adding
support for google domain
Patch gently provided through github on
https://github.com/wimpunk/ddclient/pull/13
2014-10-08 wimpunk
* [r170] README.md, ddclient, sample-etc_ddclient.conf: Added
support for Cloudflare and multi domain support for namecheap
Pull request #7 from @roberthawdon
See https://github.com/wimpunk/ddclient/pull/7 for more info.
2014-09-09 wimpunk
* [r169] ddclient: Bugfix: allowing long username-password
combinations
Patch provided by @dirdi through github.
2014-08-20 wimpunk
* [r166] ddclient: Fixing bug #72: Account info revealed during
noip update
* [r165] ddclient: Interfaces can be named almost anything on
modern systems.
Patch provided by Stephen Couchman through github
2014-06-30 wimpunk
* [r164] ddclient: Only delete A RR, not any RR for the FQDN
Make the delete command specific to A RRs. This prevents ddclient
from deleting other RRs unrelated to the dynamic address, but on the
same FQDN. This can be specifically a problem with KEY RRs when using
SIG(0) instead of symmetric keys.
Reported by: Wellie Chao
Bug report: http://sourceforge.net/p/ddclient/bugs/71/
Fixes #71
2014-06-02 wimpunk
* [r163] README.md, ddclient: Adding support for nsupdate.
Patch provided by Daniel Roethlisberger <daniel@roe.ch> through
github.
2014-04-29 wimpunk
* [r162] README.md, README.ssl, ddclient: Removed revision
information
Revision information isn't very usable when switching to git.
2014-03-20 wimpunk
* [r161] README.md, README.ssl, ddclient,
sample-etc_rc.d_init.d_ddclient.alpine: Added Alpine Linux init
script
Patch sent by Tal on github.
* [r160] RELEASENOTE: Corrected release note
2013-12-26 wimpunk
* [r159] release/readme.txt: Committing updated release information
* [r158] README.md, RELEASENOTE: Committing release notes and
readme information to trunk
--------------
Explicit ChangeLog not found, but diff src tells two options are
added, -Q and -V, ( -V vlan -Q priority )
-Q pri 802.1p priority to set. Should be used with 802.1Q (-V).
Defaults to 0.
-V num 802.1Q tag to add. Defaults to no VLAN tag.
-------------------
lft 3.71 / WhoB 3.71
----------------------
- WhoB: Autodetect input from STDIN (pipe) without '-f -'
- WhoB: Redirect some extraneous output to STDERR
lft 3.7 / WhoB 3.7
----------------------
- Added support for 4-byte ASNs
- Added support for whob reading bulk input from stdin using '-f -'
lft 3.6 / WhoB 3.6
----------------------
- Added support for 4-byte ASNs
lft 3.5 / WhoB 3.5
----------------------
- Roy T. provided DNS speed-ups
- Added GraphViz output option with -g
lft 3.35 / WhoB 3.5
----------------------
- Roy T. provided some clean-ups to avoid double free()s
- Bug fixes only
lft 3.33 / WhoB 3.5
----------------------
- Fixed free(sess->hostname) bug (segfault on unresolvable hostname)
- Improved error handling of pcap failures related to data link type
- Kurt's FreeBSD fix for pcap snprintf
- Bug fixes only
lft 3.32 / WhoB 3.5
----------------------
- Added support for several encapsulating protocols such as PPP
- no other changes
non-blocking descriptor after a poll(), don't loop forever on EAGAIN
as poll() may return POLLIN for a descriptor which doesn't have data
to be read. Bump PKGREVISION.
While there add user-destdir support.
ocaml.mk. It was becoming more trouble than it was worth: only a minority
of packages used it, and it only made Makefiles more confusing.
(I've left out some packages: these will be updated forthwith)
[youtube] added vcodec/acodec/abr for multiple itags
[utils] Add more items to mimetype2ext (#8293)
[utils] Reorder items in mimetype2ext alphabetically
[youtube] Prefer info from YouTube than _formats (#8293)
[common] Keep full codec name from m3u8 manifests
[facebook] Add shortcut and reformat _VALID_URL
[facebook:post] Add extractor (Closes #8321)
[vevo] extract all formats and bypass geo restriction
[vevo] extract metadata and formats from api if videoinfo is empty
[cspan] Fix clip/prog id extraction (#8317)
[vevo] fallback to youtube video only if vevo video is geo restricted
[cspan] Extract from path when no qualities (Closes #8317)
[instagram] Make description optional (Closes #8326)
[daum.net] Fixes #8331
[extractor/common] Auto calculate tbr when missing
[spankbang] Fix formats extraction
[spankbang] Fix title extraction (Closes #8329)
[extractor/common] detect media playlist in _extract_m3u8_formats
[cbsnews] extract all formats
[cbsnews] Remove unused import
[utils] fix dfxp2srt text extraction (fixes #8055)
[ndr:embed:base] Add missing ext for m3u8
[ok] Add support for mobile URLs (Closes #8345)
[bbc] Add another title regex (Closes #8340)
[bbc] Add another description regex
[bbc] Add test for #8147
[ffmpeg] fix adding metadata when using m3u8_native (fixes #8350)
[youtube:user] Require 'https?://' in the url (fixes #8356)
[azubu] Add extractor for live streams (closes #8343)
[cspan] Unescape path (Closes #8365)
[extractor/common] Restrict checks when auto calculating tbr
[espn] Improve video id extraction (Closes #8368)
[daum] Fix copy-paste mistake
[daum] Fix add view_count, comment_count to test
[daum.net] Move the request to ClipInfoXml.do
[daum.net] Support VodPlayer.swf URLs (closes #8173)
[daum] Add 'thumbnail' to all _TESTS
[facebook] Support alternative webpage form
[youtube] Move decrypt_sig out of _parse_dash_manifest
[daum.net] Support for playlists, user channels
[downloader/f4m] Prefer bootstrap url attribute over inline bootstrap
[matchtv] Add extractor (Closes #8313)
[options] Add missing closing parenthesis
[common] _parse_dash_manifest() from youtube.py
[downloader/fragment] Do not report total bytes estimation and eta
[downloader/f4m] Add live stream flag to context
[common] Modify _parse_dash_manifest for use in Facebook
[downloader/fragment] Remove superfluous whitespace
[facebook] Add support for DASH manifests
[youtube] Pass self._formats to _parse_dash_manifest
[common] Fix for youtube
[common] Prefer the manifest than formats_dict in determining codecs
[downloader/f4m] Do not update fragment list while test
[youtube] Remove '(v|a)codec': 'none' entries
[common] Rename to namespace
[common] Remove unused arguments
[common] Add _extract_dash_manifest_formats
[facebook] Add md5 for the test case with DASH
[generic] Add support for Limelight API
[limelight] fix format sorting and make m3u8 and f4m extraction
[npo] Add extension for m3u8
[viidea] Skip download for the test case requiring ffmpeg
[vgtv] Fix test_VGTV_2
[screenwavemedia] Fix HLS extension and test_TeamFour
[tv2] Fix test_TV2
[senateisvp] Fix test_SenateISVP and test_SenateISVP_1
[nrktv] Fix _TESTS
[nbc] Use NBC's id and fix _TESTS
[nba] Add ext for hls formats and fix test_NBA
[schooltv] Add extractor for SchoolTV playlists
[schooltv] Improve video id regex
[Gamekings] Fix url from .tv to .nl
[letv] Fix LetvCloud extraction
[Gamekings] Fix viewing of old videos
[youtube] Use authentication for entry list base extractor (Closes #8380)
[youtube] Filter duplicates in playlists base extractor
[test_youtube_lists] Fix TestYoutubeLists.test_youtube_course
[test_subtitles] Fix TestRaiSubtitles
[xuite] Replace the test case with my uploaded one
[FFmpegSubtitlesConvertorPP] delete old subtitle files (fixes #8382)
[youtube] Use 'orderedSet' instead of 'set' to preserve the order
[gamekings] Add MD5 back
[gamekings] add_ie
[gamekings] Stricter checks
[acast] Fix extraction
[acast] Remove ACastBaseIE
[allocine] Fix extraction of test_allocine_1 and update tests
[bpb] Fix extraction and update tests
[allocine] Use xpath_element
[vidzi] Fix extraction
[vidzi] Fix _TESTS
[YoutubeDL] Do not override ie_key in url_transparent
[kickstarter] Eliminate the warning message and add_ie
[kickstarter] Fix title and test_kickstarter
[daum] PEP8
[daum] Do not match a single URL with multiple info extractors
[daum] Update test_daum_1
[daum.net:user] Match more URLs (#1952)
[vk:uservideos] Improve _VALID_URL (Closes #8389)
[test_YoutubeDL] Fix test_youtube_format_selection
[ffmpeg] fix adding metadata when using --hls-prefer-native(#8350)
[utils] dfxp2srt: make TTMLPElementParser inherit from object
[cbsnews] add support for live videos (fixes #7010)
[srgssr] use flv as ext for rtmp formats
[README.md] Clarify unavailable sequences in output format
[kuwo] Check for georestriction
[generic] extract m3u8 formats when mpegurl content type detected
[youtube] fix subtitle extraction (fixes #8415)
[youtube] fix subtitle order
[test_subtitles] update youtube subtitles tests
[arte.tv:+7] Fix extraction (fixes #8427)
v0.12.17
- Handle null case for invalid ng-model value (#2392, @tpng)
- Use dialer in relay checks (#2732, @AudriusButkevicius)
Plus some minor line shuffling for pkglint
* GnuTLS: compatibility with GnuTLS-3.4.2
* Nethttpd_plex: the post_add_hook was not called by accident
(since OCamlnet-4); this is now fixed.
* Nethtml: new option case_sensitive
* GnuTLS: initializing the library on-demand. This avoids that
/dev/random is kept open all the time since program start, and
works around incompatibilities with Netplex. (Thomas Calderon
found the problem.)
* GnuTLS: setting DH parameters on certificates (this was forgotten in
previous releases). (Thomas Calderon found the problem.)
* GnuTLS: supporting GnuTLS versions where SRP is disabled.
Supporting GnuTLS-3.4.
* OpenBSD build: fix linker option (Christopher Zimmermann)
* Equeue: There is a new method request_proxy_notification,
which is only used by Uq_engines.qseq_engine (but unfortunately
needs to appear in the public type of the object). This new
method permits that chains of Uq_engines.qseq_engine pairs
can now be arbitrarily long without consuming too much memory
and without the danger of getting stack overflows.
This fixes issues where notification chains got too long. In
particular, we saw a stack overflow when retrieving a video
stream via HTTP. The stream was sent with many chunks, resulting
in a long Uq_engines.qseq_engine chain.
Implementers of engines can simply define request_proxy_notification
as no-ops.
* Nethttp.set_content_range: this function generated an incorrect
header (the "bytes" word was missing). (Török Edwin)
* _oasis is generated from _oasis.in
* Netplex: the Netplex socket directory has a different default
if not specified in the config file.
* Netshm: the POSIX specifier has now two args
* IPv6: automatically enabled if there is a global IPv6 address
* Unicode tables: Moved them to a separate netunidata library.
This library needs to be linked in for getting access to the
tables (this is no longer the default).
* Renamings: Http_client, Ftp_client etc. => Nethttp_client,
Netftp_client
Mimestring => Netmime_string
Xdr => Netxdr
* Netmime: moved functions to Netmime_header and Netmime_channels
* Netmech_scram: Removed the check that passwords only consist of
ASCII chars. The user can now call Netsaslprep.saslprep.
* Removed: rpc-auth-dh, nethttpd-for-netcgi2
* Http_client: the authentication mechanisms are now encapsulated
in a first-class module HTTP_MECHANISM. So far, there is Digest
authentication in this form. The signature of HTTP_MECHANISM
is similar to SASL_MECHANISM.
Another visible change is that the insecure Basic authentication
is no longer enabled for non-TLS-secured connections. This can be
changed back by setting flags, though.
Some fixes in the design improve Digest authentication for proxy
connections.
* Netpop: implementing SASL authentication for POP3. Moved Netpop
into netclient.
* Netsmtp: implementing SASL authentication for SMTP. Moved Netsmtp
into netclient.
* Adding a framework for SASL, and a number of mechanisms
(PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1).
* fcgi/scgi/ajp connectors: exporting a handle_connection function,
and unifying existing such functions (Christopher Zimmermann)
* adding support for modular cryptography (symmetric ciphers and
digests)
* SCRAM is now implemented with the new crypto providers
* removing dependency on Cryptokit
* removed library netgssapi; now part of netsys/netstring
* removed library netmech-scram; now part of netstring
Ocamlnet-4 adds:
- new library netgss-system
- new library nettls-gnutls
- removed equeue-ssl and rpc-ssl
- X.500 modules Netasn1, Netdn, Netx509
- Crypto definitions Netsys_crypto_types, Netsys_crypto
- TLS modules Netsys_tls, Nettls_support
- Support for SASL and GSSAPI
- Moved many functions from Uq_engines to new modules in
the equeue library (Uq_client, Uq_server, Uq_multiplex,
Uq_transfer)
Changes:
####################### V 1.7.3.1:
security:
Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Test: NESTEDOVFL
Credits to Takumi Akiyama for finding and reporting this issue.
Socat security advisory 7
MSVR-1499
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Furthermore, 1024bit is not considered sufficiently secure.
Fix: generated a new 2048bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.
* Release 0.10.1 (21-Jan-2015)
** Packaging Fixes
This release fixes a version-string management failure when the "log
publisher" feature was used in a tree built from a release tarball (rather
than from a git checkout). This caused a unit test failure, as well as
operational failures when using `flogtool tail`. Thanks to Ramakrishnan
Muthukrishnan (vu3rdd) for the catch and the patch. (#248)
Changelog:
=============================
Release Notes for Samba 4.3.4
January 12, 2016
=============================
This is the latest stable release of Samba 4.3.
Changes since 4.3.3:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 11619: doc: Fix a typo in the smb.conf manpage, explanation of idmap
config.
* BUG 11647: s3:smbd: Fix a corner case of the symlink verification.
o Jeremy Allison <jra@samba.org>
* BUG 11624: s3: libsmb: Correctly initialize the list head when keeping a
list of primary followed by DFS connections.
* BUG 11625: Reduce the memory footprint of empty string options.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 11659: Update lastLogon and lastLogonTimestamp.
o Ralph Boehme <slow@samba.org>
* BUG 11065: vfs_fruit: Enable POSIX directory rename semantics.
* BUG 11466: Copying files with vfs_fruit fails when using vfs_streams_xattr
without stream prefix and type suffix.
* BUG 11645: smbd: Make "hide dot files" option work with "store dos
attributes = yes".
o Günther Deschner <gd@samba.org>
* BUG 11639: lib/async_req: Do not install async_connect_send_test.
o Stefan Metzmacher <metze@samba.org>
* BUG 11394: Crash: Bad talloc magic value - access after free.
o Rowland Penny <repenny241155@gmail.com>
* BUG 11613: samba-tool: Fix uncaught exception if no fSMORoleOwner
attribute is given.
o Karolin Seeger <kseeger@samba.org>
* BUG 11619: docs: Fix some typos in the idmap backend section.
* BUG 11641: docs: Fix typos in man vfs_gpfs.
o Uri Simchoni <uri@samba.org>
* BUG 11649: smbd: Do not disable "store dos attributes" on-the-fly.
[downloader/common] report_retry: Don't crash when retries is infinite
[cbsnews] Extract subtitles
[cbsnews] Simplify subtitles extraction and fix test
[arte:future] Fix extraction
[arte:future] Make duplicated test matching only
[arte:cinema] Add extractor
[nuevo] Generalize nuevo extractor and add support for trollvids
[nuevo] Simplify nuevo extractors
[ruleporn] Add new extractor
[nuevo] Improve thumbnail extraction
[ruleporn] Rework in terms of nuevo
[lovehomeporn] Add extractor
[SVTPlay] Add subtitle support
[svt] Improve subtitles extraction and add test
[options] Clarify language tags
[kanalplay] Use IETF language tag
[drtv] Use IETF language tag
Previously there were at least 5 different ways MACHINE_ARCH could be set,
some statically and some at run time, and in many cases these settings
differed, leading to issues at pkg_add time where there was conflict
between the setting encoded into the package and that used by pkg_install.
Instead, move to a single source of truth where the correct value based on
the host and the chosen (or default) ABI is determined in the bootstrap
script. The value can still be overridden in mk.conf if necessary, e.g.
for cross-compiling.
ABI is now set by default and if unset a default is calculated based on
MACHINE_ARCH. This fixes some OS, e.g. Linux, where the wrong default was
previously chosen.
As a result of the refactoring there is no need for LOWER_ARCH, with
references to it replaced by MACHINE_ARCH. SPARC_TARGET_ARCH is also
removed.
@PKG_SYSCONFDIR@ with hardcoded paths to /usr/pkg, possibly due to SUBST_STAGE
being set to post-patch. Revert that change, move SUBST_STAGE to
pre-configure, and perform some minor cleanup while here.
Bump PKGREVISION of all packages, ignoring pkglint's error that this shouldn't
be done in Makefile.common.
* Add -P, --printpidfile to print the pidfile dhcpcd will use to
stdout
* Fix a crash when a non active interface departs
* Add the -1, --oneshot option which causes dhcpcd to exit once an
interface has been configured
* Fix delegation activating interfaces
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Named is potentially vulnerable to the OpenSSL vulnerability
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
Security Fixes
* Specific APL data could trigger an INSIST. This flaw was discovered
by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
* Certain errors that could be encountered when printing out or
logging an OPT record containing a CLIENT-SUBNET option could be
mishandled, resulting in an assertion failure. This flaw was
discovered by Brian Mitchell and is disclosed in CVE-2015-8705. [RT
#41397]
* Named is potentially vulnerable to the OpenSSL vulnerability
described in CVE-2015-3193.
* Insufficient testing when parsing a message allowed records with an
incorrect class to be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
New Features
* None.
Feature Changes
* Updated the compiled in addresses for H.ROOT-SERVERS.NET.
Bug Fixes
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
* Release 0.10.0 (15-Jan-2015)
** Compatibility Fixes
This release is compatible with Twisted-15.3.0 through 15.5.0. A change in
15.3.0 triggered a bug in Foolscap which produced a somewhat-infinite series
of log messages when run under `twistd`. This release fixes that bug, and
slightly changes the semantics of calling `log.msg()` with additional
parameters. (#244)
Foolscap no longer claims compatibility with python-2.6.x . Twisted-15.5.0
was the last release to offer 2.6 support, and subsequent releases actively
throw errors when run against 2.6, so we've turned off Foolscap's automated
testing for 2.6. It may remain compatible by accident for a while. (#245)
v0.8.1
Added localization support with translations for Czech, German and Slovak languages.
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems and Appreport madness on Ubuntu (thanks @Newman101)
Other:
- Added --portable parameter to syncthing-gtk.exe on Windows.
- Updated syncthing-inotify version to 0.6.7
- Added support for download placeholders in Nautilus plugin
v0.8.0.0.1
Prerelease for localization testing. May work. Probably.
Added localization support with translations for Czech, German and Slovak languages.
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems and Appreport madness on Ubuntu (thanks @Newman101)
v0.8.0.1
Linux-only release. If you are on Windows, please, use v0.8
Fixes:
- Syncthing version of remote node not shown
- Missing definition causing UI problems, inotify bugs and Appreport madness on Ubuntu (thanks @Newman101)
v0.8
For Syncthing 0.12 and above
Additional fixes:
- No 'ignore' button on Unknown device message.
- Better support for non-ascii characters in user's home path on Windows
v0.7.6.2
Prerelease to test with Syncthing v0.12. Most likely working.
v0.7.6.1
Fixes:
- Typo in Windows installer description (thanks @DennisPS)
- Missing image definition causes crash with some GLib versions
v0.7.6
Fixes:
- window border disappearing (again) on Windows
- crash on too recent glib (#198)
- crash on too old glib (#201)
- inotify (filesystem watcher) not being aware of created directories
- Nautilus plugin ignoring some files until view is refreshed
v0.12.15
- Handle race within the job queue (#1263, @AudriusButkevicius)
- Improve API/GUI shutdown handling (#2694, @calmh)
- Don't crash on folder remove while pulling (#2705, @calmh)
This release uses code signing on Mac OS X.
v0.12.14
This is a security update. The Windows builds are now done using Go 1.6beta2, otherwise this is identical to v0.12.13.
v0.12.13
This build is a security update.
- Add support for themes (#1925, @AudriusButkevicius)
- Don't leak sendIndexes on disconnect (#2589, @calmh)
- Always run relaying when enabled (#2665, @calmh)
- Update 'Edit' menu to 'Action' menu (#2662, @kluppy)
v0.12.12
- Update kardianos/osext (#2650, @calmh)
- Change default max conflicts to 10 (#2604, @calmh)
- Don't conflict copy conflict copies (#2605, @calmh)
- Don't allow in use CSRF tokens to expire (#1008, @calmh)
- Add relaying to main settings dialog (#2433, @calmh)
- Don't resolve destination address until we need to (#2671, @calmh)
- More fine grained locking in discovery cache (#2667, @calmh)
- Added STNODEFAULTFOLDER envvar to skip default folder creation on new install (#1515, @nrm21)
v0.12.11
- Remove windows specialisation from osutil.GetLans (#2192, @AudriusButkevicius)
- Ensure loaded config is free of duplicate devices (#2627, @calmh)
- Show device ID QR code from edit dialog (#1494, @ironmig)
- Don't warn about failed ignores if folder unhealthy (#2630, @AudriusButkevicius)
- Detect nonstandard hash algo and stop folder (#2314, @calmh)
- Also build linux-arm64, linux-ppc64, linux-ppc64le (@calmh)
- Disallow adding duplicate device ID in GUI (@ironmig)
v0.12.10
- Don't crash on stat error in ensureDir (#2608, @calmh)
- Correctly set default logfile location on Windows (#2608, @calmh)
- Consider tempfile when checking for free space (#2598, @andersonvom)
- Update kardianos/osext (#1272, @calmh)
- Remove fixed footer at first media break (#2454, @andersonvom)
- Update mtime of config file before upgrading (#2509, @andersonvom)
- Correct GUI asset dir handling (#2621, @calmh)
v0.12.9
- Example GUI override address (#2530, @calmh)
- Additional output on insufficient error (#2580, @Zillode)
- Add command line option to open GUI (#2210, @andersonvom)
- Always exit via error select, making sure reader routine exits (#2547, @AudriusButkevicius)
- Don't verify free space for files when folder MinDiskFreePct==0 (#2600, @calmh)
- Edit device after accepting new connection (#1929, @andersonvom)
v0.12.8
- Correct type assertion in verbose logger, restart (#2561, @calmh)
- Remove Android hacks (#2505, @calmh)
- upnp: Use a separate error for the error unmarshalling (@wkennington)
Patches provided by Matthew Luckie in PR pkg/50654.
ChangeLogs:
https://mailman.caida.org/pipermail/scamper-announce/2015-October/000004.html
https://mailman.caida.org/pipermail/scamper-announce/2015-December/000005.html
https://mailman.caida.org/pipermail/scamper-announce/2016-January/000006.html
tbit
* add support for initial congestion window (ICW) inferences
* add new tests to check response to packets that could have been
sent by a blind attacker
* add a TCP fast-open implementation, with both experimental
and official option values
* add support for testing HTTPS and BGP. drop FTP, DNS, and SMTP
* add sc_tbitblind driver that was used for IMC 2015 paper
trace
* add tx timestamp to hop records
* add dl option, to replace dlts option removed from scamper.
* process UDP responses, if a UDP probe method is used.
ping:
* add tcp-syn ping method.
* fix memory leak when payloads are specified in ping.
sc_ipiddump
* report IPID values from traceroute measurements, where available
* report the source IP address used to probe the destination
sc_filterpolicy:
* add a new scamper driver to test systems for congruent filtering policy
http://www.caida.org/tools/measurement/scamper/man/sc_filterpolicy.1.pdf
scamper:
* update scamper maximum PPS to 10,000 (from 1000). It's not 2002 anymore.
* bind to requested source port with UDP sockets.
* set SO_SNDBUF once, when a probe socket is created.
* remove dlts option which was only used by traceroute.
* drop divert socket from privsep, which was not used in scamper anywhere.
* shift socket creation glue from scamper_privsep.c to
scamper_udp4.c, scamper_icmp6.c, etc.
* fix memory leak when receiving TCP responses in tracelb.
* do not use the global address cache in tracelb: use a local one.
* in qsort with 3-way partition, do not compare items against
themselves.
* improve performance of warts_addr_t code
* use calloc instead of malloc() -> memset(0) on systems where calloc
is available.
* do not use the global address cache in ping: most responses are
either from the destination, or from the same IP address, so
optimize for that.
Changes since 4.3.3
! Update the bounds checking when receiving a packet.
Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
patch.
[ISC-Bugs #41267]
1.1.1 - Second Law of Nature
============================
* Fix the owner_write rights rule
1.1 - Law of Nature
===================
One feature in this release is **not backward compatible**:
* Use the first matching section for rights (inspired from daald)
Now, the first section matching the path and current user in your custom rights
file is used. In the previous versions, the most permissive rights of all the
matching sections were applied. This new behaviour gives a simple way to make
specific rules at the top of the file independent from the generic ones.
Many **improvements in this release are related to security**, you should
upgrade Radicale as soon as possible:
* Improve the regex used for well-known URIs (by Unrud)
* Prevent regex injection in rights management (by Unrud)
* Prevent crafted HTTP request from calling arbitrary functions (by Unrud)
* Improve URI sanitation and conversion to filesystem path (by Unrud)
* Decouple the daemon from its parent environment (by Unrud)
Some bugs have been fixed and little enhancements have been added:
* Assign new items to correct key (by Unrud)
* Avoid race condition in PID file creation (by Unrud)
* Improve the docker version (by cdpb)
* Encode message and committer for git commits
* Test with Python 3.5
add commandline option to genconfig.sh to set UPnP (UDA) version
advertise correct service and device versions when IGDv2 is enabled
fix action arguments for DeviceProtection service
fix event subscription renewal (include SID in response)
Google Cloud SDK contains tools and libraries that enable you to
easily create and manage resources on Google Cloud Platform,
including App Engine, Compute Engine, Cloud Storage, BigQuery,
Cloud SQL, and Cloud DNS.
This package contains bq, gcloud and gsutil commands.
#mikutter 3.3.3
* update language po files
* fix of "crash on click of setting button" was missed
#mikutter 3.3.2
* Happy new year
* several crash issue
* crash on click of setting button on certain condition
* avoid use of legacy methods deprecated by Ruby 2.3
#mikutter 3.3.1
* crash on UserStream process in some case
* crash on adding list
#mikutter 3.3.0
* use external libraries
* Delayer-Deferred
* Pluggaloid
* retweeted retweet
* liked retweet
* retweet with comments
* show icons for protected accounts
* add settings to show icons for verified accounts
* change method of counting a number of chars, to reflect URL conversion
* improvements of daemon mode
* notice function
* improvements of support of some image services
Twitter-text gem provides text processing routines for Twitter Tweets.
The major reason for this is to unify the various auto-linking and
extraction of usernames, lists, hashtags and URLs.
NTP 4.2.8p5
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:
* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.
Mitigation:
Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.
NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.
If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best
defenses include:
Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.
Other fixes:
* Coverity submission process updated from Coverity 5 to Coverity 7.
The NTP codebase has been undergoing regular Coverity scans on an
ongoing basis since 2006. As part of our recent upgrade from
Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. perlinger@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. perlinger@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
- fixed data race conditions in threaded DNS worker. perlinger@ntp.org
- limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
- accept key file only if there are no parsing errors
- fixed size_t/u_int format clash
- fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
- fixed several other warnings (cast-alignment, missing const, missing prototypes)
- promote use of 'size_t' for values that express a size
- use ptr-to-const for read-only arguments
- make sure SOCKET values are not truncated (win32-specific)
- format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
- fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
lots of clients. perlinger@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. perlinger@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
* --noption requires an argument
* optimise the ARP BPF filter, thanks to Nate Karstens
* send gratuitous ARP each time we apply our IP address
* fix truncation of hostnames based on the short hostname option
* improve routing and address management by always loading all
interfaces, routes and addresses even for interfaces we are
not directly working on
* timezone, lookup-hostname, wpa_supplicant and YP hooks are no
longer installed by default but are installed to an example
directory
* fix compile on kFreeBSD
thanks to Christoph Egger for providing a temporary build host
* improve error logging of packet parsing
* fix ignoring routing messages generated by dhcpcd just before
forking
* fix handling of rapid commit messages (allow ACK after DISCOVER)
* add PROBE state so we can easily reject DHCP messages received
during the ARP probe phase
* fix CVE-2016-1503
* fix CVE-2016-1504
Changes:
Changes in libsoup from 2.53.1 to 2.53.2:
* Fixed up symbol visibility handling for mingw by copying
GLib's system [Ignacio Casal Quinteiro, #757146]
* Finally marked the old SoupSessionAsync and SoupSessionSync
methods as deprecated [Ignacio Casal Quinteiro, Dan Winship,
#757146]
* Added libsoup-2.4.deps for valac [Rico Tzschichholz]
* Make it possible to build from git without gtk-doc being
installed [Ignacio Casal Quinteiro]
* Updated translations:
Norwegian bokmål, Occitan
Changes in libsoup from 2.52.1 to 2.53.1:
* Really fixed build under MinGW for sure this time [Ignacio
Casal Quinteiro]
* Fixed SoupServer Web Sockets code so that the
SoupClientContext passed to a SoupServerWebsocketCallback is
fully usable (rather than crashing when you try to do most
things).
Changes in libsoup from 2.52.0 to 2.52.1:
* Fixed build under MinGW [Chun-wei Fan]
* Fixed build with --disable-introspection [#755389, Quentin
Glidic]
* Fixed HTTP authentication protection space handling for
files directly under the root directory. [#755617, Carlos
Garcia Campos]
* Fixed a warning when loading data from SoupCache while using
an authenticated proxy. [#756076, Carlos Garcia Campos]
* Updated translations:
German, Vietnamese
Changes in libsoup from 2.51.92 to 2.52.0:
* Removed duplicate test paths from tests/date so it will pass
with glib 2.46.0
Changes in libsoup from 2.51.90 to 2.51.92:
* Added g_autoptr() support for all libsoup types. [#754721,
Kalev Lember]
* Added a missing (allow-none) annotation to
soup_uri_normalize() [#754776, Jens Georg]
* Updated translations:
Polish
Changes in libsoup from 2.51.3 to 2.51.90:
* Added a new GVariant-based XMLRPC API, and deprecated the
old GValue-based API (along with the associated
GValue-manipulating utilities). [#746495, Xavier Claessens]
* Multiple build fixes for Visual Studio [#752952, Chun-wei Fan]
* Added VAPI generation [#750679, Daniel Espinosa]
* Fixed the mode bits on soup-cookie.c, which was previously
marked executable for some reason. [rh #1247285]
* Updated translations:
Norwegian bokmål, Portuguese, Thai, Turkish
Changes in libsoup from 2.50.0 to 2.51.3:
* Fixed "make check" in non-English locales [rh #1224989,
#749397]
* Fixed some compiler warnings [#748514, Philip Withnall]
* New/Updated translations:
Aragonese, Catalan, Occitan, Russian
changes are:
- http2 package replaces spdy. New interactive HTTP2 debugger, h2i.
- New context/ctxhttp for context-aware HTTP request handlers.
- New xsrftoken package for generating and checking XSRF tokens.
- Improved HTML5-capable HTML parser.
- BUG/MINOR: http rule: http capture 'id' rule points to a non existing id
- BUG/MINOR: server: check return value of fgets() in apply_server_state()
- BUG/MINOR: acl: don't use record layer in req_ssl_ver
- BUILD: freebsd: double declaration
- BUG/MEDIUM: lua: clean output buffer
- BUILD: check for libressl to be able to build against it
- DOC: lua-api/index.rst small example fixes, spelling correction.
- DOC: lua: architecture and first steps
- DOC: relation between timeout http-request and option http-buffer-request
- BUILD: Make deviceatlas require PCRE
- BUG: http: do not abort keep-alive connections on server timeout
- BUG/MEDIUM: http: switch the request channel to no-delay once done.
- BUG/MINOR: lua: don't force-sslv3 LUA's SSL socket
- BUILD/MINOR: http: proto_http.h needs sample.h
- BUG/MEDIUM: http: don't enable auto-close on the response side
- BUG/MEDIUM: stream: fix half-closed timeout handling
- CLEANUP: compression: don't allocate DEFAULT_MAXZLIBMEM without USE_ZLIB
- BUG/MEDIUM: cli: changing compression rate-limiting must require admin level
- BUG/MEDIUM: sample: urlp can't match an empty value
- BUILD: dumpstats: silencing warning for printf format specifier / time_t
- CLEANUP: proxy: calloc call inverted arguments
- MINOR: da: silent logging by default and displaying DeviceAtlas support if built.
- BUG/MEDIUM: da: stop DeviceAtlas processing in the convertor if there is no input.
- DOC: Edited 51Degrees section of README/ (cherry picked from commit a7bbdd955984f0d69812ff055cc145a338e76daa)
- BUG/MEDIUM: checks: email-alert not working when declared in defaults
- BUG/MINOR: checks: email-alert causes a segfault when an unknown mailers section is configured
- BUG/MINOR: checks: typo in an email-alert error message
- BUG/MINOR: tcpcheck: conf parsing error when no port configured on server and last rule is a CONNECT with no port
- BUG/MINOR: tcpcheck: conf parsing error when no port configured on server and first rule(s) is (are) COMMENT
- BUG/MEDIUM: http: fix http-reuse when frontend and backend differ
- DOC: prefer using http-request/response over reqXXX/rspXXX directives
- BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced
- BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay.
- BUG/MEDIUM: peers: old stick table updates could be repushed.
- CLEANUP: haproxy: using _GNU_SOURCE instead of __USE_GNU macro.
- MINOR: lua: service/applet can have access to the HTTP headers when a POST is received
- REORG/MINOR: lua: convert boolean "int" to bitfield
- BUG/MEDIUM: lua: Lua applets must not fetch samples using http_txn
- BUG/MINOR: lua: Lua applets must not use http_txn
- BUG/MEDIUM: lua: Forbid HTTP applets from being called from tcp rulesets
- BUG/MAJOR: lua: Do not force the HTTP analysers in use-services
- CLEANUP: lua: bad error messages
- DOC: lua: fix lua API
- DOC: mailers: typo in 'hostname' description
- DOC: compression: missing mention of libslz for compression algorithm
- BUILD/MINOR: regex: missing header
- BUG/MINOR: stream: bad return code
- DOC: lua: fix some errors and add implicit types
While there, add better support for deviceatlas option, from David CARLIER.
2.0.1
* Support encoding of byte arrays, fixes #58.
* Fix encoding for headers and properties if using nested headers.
* Fix #30 (headers encoding other than ASCII-8BIT).
Wireshark is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
The Wireshark distribution also comes with TShark, which is a
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Wireshark, and with editcap, which is a program to read capture
files and write the packets from that capture file, possibly in a
different capture file format, and with some packets possibly removed
from the capture.
This package tracks version 2 stable branch.
This package contains an updated and actively maintained version
of SocksiPy, with bug fixes and extra features.
It acts as a drop-in replacement to the socket module.
Features
* SOCKS proxy client for Python 2.6 - 3.x
* TCP and UDP both supported
* HTTP proxy client included but not supported or recommended (you
should use urllib2's or requests' own HTTP proxy interface)
Clean up and simplify Makefile.
Breaking changes in 3.6.0:
- Minimum required Erlang version is R16B03 for plain ("just TCP")
connections for all protocols and 17.5 for TLS ones (18.x is
recommended for both).
- .NET client now requires .NET 4.5.
- "Immediate" flag is removed from the .NET client (it hasn't been
supported by the server since RabbitMQ 3.0).
- Default subscription TTL in MQTT is now 24 hours.
- Server artifacts are now distributed as xz archives and not gz.
- Build system has been completely reworked and now uses erlang.mk.
3rd party plugins must be adapted to the new build system.
Key improvements in this release are:
- Lazy queues
- Much better queue synchronisation throughput
- Lower RAM use, tunable flow control
- Stronger password encryption with pluggable algorithms
- Development moved to GitHub; build system now uses erlang.mk
- Significant improvements to Web STOMP
- Experimental WinRT-compatible .NET client, SQL CLR compatibility
in the "regular" one
- Pagination in management UI
- More popular plugins now ship with the broker: rabbitmq_sharding
and rabbitmq_event_exchange, for example.
Full release notes:
https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_0
o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
This promises to reduce a lot of the problems we've had with local paths and
dependencies using the py2app and macports build system. [Daniel Miller]
o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
security hardening to prevent DLL hijacking and other unsafe use of temporary
directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
us and the many other projects that use it.
o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
to 1.0.2e.
o [Zenmap] [GH-235] Fix several failures to launch Zenmap on OS X. The new
build process eliminates these errors:
IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
o [NSE] [GH-254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
match the one in nmap-service-probes, which was fixed previously to correct a
length calculation error. [Daniel Miller]
o [NSE] [GH-251] Correct false positives and unexpected behavior in http-*
scripts which used http.identify_404 to determine when a file was not found
on the target. The function was following redirects, which could be an
indication of a soft-404 response. [Tom Sellers]
o [NSE] [GH-241] Fix a false-positive in hnap-info when the target responds
with 200 OK to any request. [Tom Sellers]
o [NSE] [GH-244] Fix an error response in xmlrpc-methods when run against a
non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
Changes:
4 December 2015: mitmproxy 0.15
* Support for loading and converting older dumpfile formats (0.13 and up)
* Content views for inline script (@chrisczub)
* Better handling of empty header values (Benjamin Lee/@bltb)
* Fix a gnarly memory leak in mitmdump
* A number of bugfixes and small improvements
Changes:
2.0.1 (2015-11-09)
------------------
Fixed a bug where the Python HPACK implementation would only emit header table
size changes for the total change between one header block and another, rather
than for the entire sequence of changes.
2.0.0 (2015-10-12)
------------------
Remove unused HPACKEncodingError.
Add the shortcut ability to import the public API (Encoder, Decoder, HPACKError,
HPACKDecodingError) directly, rather than from hpack.hpack.
=============================
Release Notes for Samba 4.3.3
December 16, 2015
=============================
This is a security release in order to address the following CVEs:
o CVE-2015-3223 (Denial of service in Samba Active Directory
server)
o CVE-2015-5252 (Insufficient symlink verification in smbd)
o CVE-2015-5299 (Missing access control check in shadow copy
code)
o CVE-2015-5296 (Samba client requesting encryption vulnerable
to downgrade attack)
o CVE-2015-8467 (Denial of service attack against Windows
Active Directory server)
o CVE-2015-5330 (Remote memory read in Samba LDAP server)
Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24. This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.
=======
Details
=======
o CVE-2015-3223:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a denial of service attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to become unresponsive, preventing the server
from servicing any other requests.
This flaw is not exploitable beyond causing the code to loop expending
CPU resources.
o CVE-2015-5252:
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
a bug in symlink verification, which under certain circumstances could
allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path
prefix with another directory on the file system, the smbd daemon may
allow the client to follow a symlink pointing to a file or directory
in that other directory, even if the share parameter "wide links" is
set to "no" (the default).
o CVE-2015-5299:
All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
a missing access control check in the vfs_shadow_copy2 module. When
looking for the shadow copy directory under the share path the current
accessing user should have DIRECTORY_LIST access rights in order to
view the current snapshots.
This was not being checked in the affected versions of Samba.
o CVE-2015-5296:
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.
Without this a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted
connection.
o CVE-2015-8467:
Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.
All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.
Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.
o CVE-2015-5330:
All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.
A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.
This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.
The memory may either be returned to the client in an error string, or
stored in the database by a suitably privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable.
Changes since 4.3.2:
--------------------
o Andrew Bartlett <abartlet@samba.org>
* BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
userAccountControl.
o Jeremy Allison <jra@samba.org>
* BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
* BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
access outside the share).
* BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
snapdir.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
o Stefan Metzmacher <metze@samba.org>
* BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
smb encryption on the client side.
Go packages now define a set of files to buildlink in their buildlink3.mk.
go-packages.mk no longer looks in ${PREFIX}/gopkg during the build. This
should also fix the spurious issues with rebuilds of .a files during bulk
builds of Go packages.
From https://rommie.caida.org/pipermail/scamper-announce/2015-August/000003.html
* provide the ability for scamper's control socket to bind to a
specific address. this allows external systems to contact and drive
scamper processes. a more secure solution will follow in a month or
two.
* when converting the source port of a control socket client to a
string, print it in host byte order rather than network byte order
* add a TBT (too-big-trick) option to ping, use it in sc_speedtrap. a
simple optimisation to send up to M packets to get N fragmented
responses.
* if an input list to sc_speedtrap contains the same IP address twice,
ignore the duplicate address, rather than crash later.
* use a quicksort with a 3-way partition. will make scamper more
efficient in many places.
* add sc_warts2csv for samknows
* fix sc_tracediff so that it doesn't crash if the two warts files
being compared traceroute to different sets of addresses. reported
by Job Snijders.
v3.0.719 (24 May 2015)
- Implement tracking of remote ports: shows which ports the host
is making outgoing connections to. Long time feature request.
- Bugfix: when the capture interface goes down, exit instead of
busy-looping forever.
- Fix "clock error" due to machine reboot.
- SIGUSR1 now resets the time and bytes reported on the graphs
page.
- Account for all IP protocols.
- Change the default ports_max to only twice the default
ports_keep.
Changelog:
Release 2.1.0 December 3rd 2015
GUI: Added a separate view for not synced items, ignores, errors
GUI: Improved upload/download progress UI (#3403, #3569)
Allowed sharing with ownCloud internal users and groups from Desktop
Changed files starting in .* to be considered hidden on all platforms (#4023)
Reflect read-only permissions in filesystem (#3244)
Blacklist: Clear on successful chunk upload (#3934)
Improved reconnecting after network change/disconnect (#4167#3969 ...)
Improved performance in Windows file system discovery
Removed libneon-based propagator. As a consequence, the client can no longer provide bandwidth limiting on Linux distributions where it is using Qt < 5.4
Performance improvements in the logging functions
Ensured that local disk space problems are handled gracefully (#2939)
Improved handling of checksums: transport validation, db (#3735)
For *eml-files don't reupload if size and checksum are unchanged (#3235)
Ensured 403 reply code is handled properly (File Firewall) (#3490)
Reduced number of PROPFIND requests to server (#3964)
GUI: Added Account toolbox widget to keep account actions (#4139)
Tray Menu: Added fixes for Recent Activity menu (#4093, #3969)
FolderMan: Fixed infinite wait on pause (#4093)
Renamed env variables to include unit (#2939)
FolderStatusModel: Attempt to detect removed undecided files (#3612)
SyncEngine: Don't wipe the white list if the sync was aborted (#4018)
Quota: Handle special negative value for the quota (#3940)
State app name in update notification (#4020)
PropagateUpload: Fixed double-emission of finished (#3844)
GUI: Ensured folder names which are excluded from sync can be clicked
Shell Integration: Dolphin support, requires KF 5.16 and KDE Application 15.12
FolderStatusModel: Ensured reset also if a folder was renamed (#4011)
GUI: Fixed accessibility of remaining items in full settings toolbar (#3795)
Introduced the term "folder sync connection" in more places (#3757)
AccountSettings: Don't disable pause when offline (#4010)
Fixed handling of hidden files (#3980)
Handle download errors while resuming as soft errors (#4000)
SocketAPI: Ensured that the command isn't trimmed (#3297)
Shutdown socket API before removing the db (#3824)
GUI: Made "Keep" default in the delete-all dialog (#3824)
owncloudcmd: Introduced return code 0 for --version and --help
owncloudcmd: Added --max-sync-retries (#4037)
owncloudcmd: Don't do a check that files are older than 2s (#4160)
Fixed getting size for selective sync (#3986)
Re-added close button in the settings window (#3713)
Added ability to handle storage limitations gracefully (#3736)
Updated 3rdparty dependencies: sqlite version 3.9.1
Organized patches to our base Qt version into admin/qt/patches
Plus: A lot of unmentioned improvements and fixes
to try to support passing a format and va_list pair as the data for a
custom printf format in its own private printf clone.
The offending code was unused and removed upstream in 2004, but the
initial import of our package in 2005 included, without explanation, a
patch reverting this. So the code has still been there, and (being
illegal) it has now stopped compiling with clang.
Delete the offending patch section. (And while here, add comments for
the rest of this patch.)
Changelog:
NEWS for rsync 3.1.2 (21 Dec 2015)
Protocol: 31 (unchanged)
Changes since 3.1.1:
SECURITY FIXES:
- Make sure that all transferred files use only path names from inside the
transfer. This makes it impossible for a malicious sender to try to make
the receiver use an unsafe destination path for a transferred file, such
as a just-sent symlink.
BUG FIXES:
- Change the checksum seed order in the per-block checksums. This prevents
someone from trying to create checksum blocks that match in sum but not
content.
- Fixed a bug with the per-dir filter files (using -FF) that could trigger an
assert failure.
- Only skip set_modtime() on a transferred file if the time is exactly
right.
- Don't create an empty backup dir for a transferred file that doesn't
exist yet.
- Fixed a bug where --link-dest and --xattrs could cause rsync to exit if
a filename had a matching dir of the same name in the alt-dest area.
- Allow more than 32 group IDs per user in the daemon's gid=LIST config.
- Fix the logging of %b & %c via --log-file (daemon logging was already
correct, as was --out-format='%b/%c').
- Fix erroneous acceptance of --info=5 & --debug=5 (an empty flag name is
not valid).
ENHANCEMENTS:
- Added "(DRY RUN)" info to the --debug=exit output line.
- Use usleep() for our msleep() function if it is available.
- Added a few extra long-option names to rrsync script, which will make
BackupPC happier.
- Made configure choose to use linux xattrs on netbsd (rather than not
supporting xattrs).
- Added -wo (write-only) option to rrsync support script.
- Misc. manpage tweaks.
DEVELOPER RELATED:
- Fixed a bug with the Makefile's use of INSTALL_STRIP.
- Improve a test in the suite that could get an erroneous timestamp error.
- Tweaks for newer versions of git in the packaging tools.
- Improved the m4 generation rules and some autoconf idioms.
Update during the freeze approved by jperkin@
(while strictly speaking net/youtube-dl is a leaf package there are various
possible consumers, e.g. multimedia/mpv)
Changes:
2015.12.18:
o Misc bugfixes and improvements (most user visible change is the fixes
for #7900 and #7901 that fixes extraction of various youtube videos)
2015.12.13
o New [funimation] extractor
o Misc bugfixes and improvements
2015.12.10:
o Misc bugfixes and improvements
--- 9.9.8-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT #40945]
--- 9.9.8-P1 (withdrawn) ---
--- 9.10.3-P2 released ---
4270. [security] Update allowed OpenSSL versions as named is
potentially vulnerable to CVE-2015-3193.
4261. [maint] H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
[RT #40556]
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253. [security] Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT #40945]
--- 9.10.3-P1 (withdrawn) ---
Changes in version 0.2.7.6 - 2015-12-10
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
well as a minor bug in hidden service reliability.
o Major bugfixes (guard selection):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Minor features (geoip):
- Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- When checking for net/pfvar.h, include netinet/in.h if possible.
This fixes transparent proxy detection on OpenBSD. Fixes bug
17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
o Minor bugfixes (correctness):
- When displaying an IPv6 exit policy, include the mask bits
correctly even when the number is greater than 31. Fixes bug
16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
- The wrong list was used when looking up expired intro points in a
rend service object, causing what we think could be reachability
issues for hidden services, and triggering a BUG log. Fixes bug
16702; bugfix on 0.2.7.2-alpha.
- Fix undefined behavior in the tor_cert_checksig function. Fixes
bug 17722; bugfix on 0.2.7.2-alpha.
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
* EDNS COOKIE options content is now displayed as "COOKIE:
<hexvalue>".
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
Security Fixes
* An incorrect boundary check in the OPENPGPKEY rdatatype could
trigger an assertion failure. This flaw is disclosed in
CVE-2015-5986. [RT #40286]
* A buffer accounting error could trigger an assertion failure when
parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and
is disclosed in CVE-2015-5722. [RT #40212]
* A specially crafted query could trigger an assertion failure in
message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in
CVE-2015-5477. [RT #40046]
* On servers configured to perform DNSSEC validation, an assertion
failure could be triggered on answers from a specially configured
server.
This flaw was discovered by Breno Silveira Soares, and is disclosed
in CVE-2015-4620. [RT #39795]
New Features
* New quotas have been added to limit the queries that are sent by
recursive resolvers to authoritative servers experiencing
denial-of-service attacks. When configured, these options can both
reduce the harm done to authoritative servers and also avoid the
resource exhaustion that can be experienced by recursives when they
are being used as a vehicle for such an attack.
NOTE: These options are not available by default; use configure
--enable-fetchlimit to include them in the build.
+ fetches-per-server limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the fetch-quota-params option.
+ fetches-per-zone limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
Statistics counters have also been added to track the number of
queries affected by these quotas.
* dig +ednsflags can now be used to set yet-to-be-defined EDNS flags
in DNS requests.
* dig +[no]ednsnegotiation can now be used to enable / disable EDNS
version negotiation.
* An --enable-querytrace configure switch is now available to enable
very verbose query tracelogging. This option can only be set at
compile time. This option has a negative performance impact and
should be used only for debugging.
Feature Changes
* Large inline-signing changes should be less disruptive. Signature
generation is now done incrementally; the number of signatures to
be generated in each quantum is controlled by
"sig-signing-signatures number;". [RT #37927]
* The experimental SIT extension now uses the EDNS COOKIE option code
point (10) and is displayed as "COOKIE: <value>". The existing
named.conf directives; "request-sit", "sit-secret" and
"nosit-udp-size", are still valid and will be replaced by
"send-cookie", "cookie-secret" and "nocookie-udp-size" in BIND
9.11. The existing dig directive "+sit" is still valid and will be
replaced with "+cookie" in BIND 9.11.
* When retrying a query via TCP due to the first answer being
truncated, dig will now correctly send the COOKIE value returned by
the server in the prior response. [RT #39047]
* Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
* Active Directory names of the form gc._msdcs.<forest> are now
accepted as valid hostnames when using the check-names option.
<forest> is still restricted to letters, digits and hyphens.
* Names containing rich text are now accepted as valid hostnames in
PTR records in DNS-SD reverse lookup zones, as specified in RFC
6763. [RT #37889]
Bug Fixes
* Asynchronous zone loads were not handled correctly when the zone
load was already in progress; this could trigger a crash in zt.c.
[RT #37573]
* A race during shutdown or reconfiguration could cause an assertion
failure in mem.c. [RT #38979]
* Some answer formatting options didn't work correctly with dig
+short. [RT #39291]
* Malformed records of some types, including NSAP and UNSPEC, could
trigger assertion failures when loading text zone files. [RT
#40274] [RT #40285]
* Fixed a possible crash in ratelimiter.c caused by NOTIFY messages
being removed from the wrong rate limiter queue. [RT #40350]
* The default rrset-order of random was inconsistently applied. [RT
#40456]
* BADVERS responses from broken authoritative name servers were not
handled correctly. [RT #40427]
* Several bugs have been fixed in the RPZ implementation:
+ Policy zones that did not specifically require recursion could
be treated as if they did; consequently, setting
qname-wait-recurse no; was sometimes ineffective. This has
been corrected. In most configurations, behavioral changes due
to this fix will not be noticeable. [RT #39229]
+ The server could crash if policy zones were updated (e.g. via
rndc reload or an incoming zone transfer) while RPZ processing
was still ongoing for an active query. [RT #39415]
+ On servers with one or more policy zones configured as slaves,
if a policy zone updated during regular operation (rather than
at startup) using a full zone reload, such as via AXFR, a bug
could allow the RPZ summary data to fall out of sync,
potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via
IXFR. [RT #39567]
+ The server could match a shorter prefix than what was
available in CLIENT-IP policy triggers, and so, an unexpected
action could be taken. This has been corrected. [RT #39481]
+ The server could crash if a reload of an RPZ zone was
initiated while another reload of the same zone was already in
progress. [RT #39649]
+ Query names could match against the wrong policy zone if
wildcard records were present. [RT #40357]
While here, comment a patch.
Changes since 4.3.1:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
o Jeremy Allison <jra@samba.org>
* BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an
attribute type of zero.
* BUG 11565: auth: gensec: Fix a memory leak.
* BUG 11566: lib: util: Make non-critical message a warning.
* BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2
create containing them.
* BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files
below an open directory handle.
o Ralph Boehme <slow@samba.org>
* BUG 11562: s4:lib/messaging: Use correct path for names.tdb.
* BUG 11564: async_req: Fix non-blocking connect().
o Volker Lendecke <vl@samba.org>
* BUG 11243: vfs_gpfs: Re-enable share modes.
* BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
* BUG 11612: winbind: Fix crash on invalid idmap configs.
o YvanM <yvan.masson@openmailbox.org>
* BUG 11584: manpage: Correct small typo error.
o Stefan Metzmacher <metze@samba.org>
* BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus.
* BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE()
clearer.
o Marc Muehlfeld <mmuehlfeld@samba.org>
* BUG 9912: Changing log level of two entries to DBG_NOTICE.
* BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch().
o Noel Power <noel.power@suse.com>
* BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
* BUG 11597: Backport some valgrind fixes from upstream master.
o Andreas Schneider <asn@samba.org>
* BUG 11563: Fix segfault of 'net ads (join|leave) -S INVALID' with
nss_wins.
o Tom Schulz <schulz@adi.com>
* BUG 11511: Add libreplace dependency to texpect, fixes a linking error on
Solaris.
* BUG 11512: s4: Fix linking of 'smbtorture' on Solaris.
o Uri Simchoni <uri@samba.org>
* BUG 11608: auth: Consistent handling of well-known alias as primary gid.
Changes since 4.3.0:
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable"
to match Windows.
* BUG 10634: smbd: Fix file name buflen and padding in notify response.
* BUG 11486: s3: smbd: Fix mkdir race condition.
* BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share
directory.
* BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw'
stream fix (bug #11522).
* BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\
component) names is incorrect.
o Ralph Boehme <slow@samba.org>
* BUG 11535: s3: smbd: Fix a crash in unix_convert().
* BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
* BUG 11549: s3:locking: Initialize lease pointer in
share_mode_traverse_fn().
* BUG 11550: s3:smbstatus: Add stream name to share_entry_forall().
* BUG 11555: s3:lib: Validate domain name in lookup_wellknown_name().
o Günther Deschner <gd@samba.org>
* BUG 11038: kerberos: Make sure we only use prompter type when available.
o Volker Lendecke <vl@samba.org>
* BUG 11038: winbind: Fix 100% loop.
* BUG 11053: source3/lib/msghdr.c: Fix compiling error on Solaris.
o Stefan Metzmacher <metze@samba.org>
* BUG 11316: s3:ctdbd_conn: make sure we destroy tevent_fd before closing
the socket.
* BUG 11515: s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging
related subdirs.
* BUG 11526: lib/param: Fix hiding of FLAG_SYNONYM values.
o Björn Jacke <bj@sernet.de>
* BUG 10365: nss_winbind: Fix hang on Solaris on big groups.
* BUG 11355: build: Use as-needed linker flag also on OpenBSD.
o Har Gagan Sahai <SHarGagan@novell.com>
* BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled.
o Andreas Schneider <asn@samba.org>
* BUG 11502: pam_winbind: Fix a segfault if initialization fails.
o Uri Simchoni <uri@samba.org>
* BUG 11528: net: Fix a crash with 'net ads keytab create'.
* BUG 11547: vfs_commit: set the fd on open before calling SMB_VFS_FSTAT.
* Changes in Wget 1.17.1
* Fix compile error when IPv6 is disabled or SSL is not present.
* Fix HSTS memory leak.
* Fix progress output in non-C locales.
* Fix SIGSEGV when -N and --content-disposition are used together.
* Add --check-certificate=quiet to tell wget to not print any warning about
invalid certificates.
Bitmessage is a P2P communications protocol used to send encrypted messages to
another person or to many subscribers. It is decentralized and trustless,
meaning that you need not inherently trust any entities like root certificate
authorities. It uses strong authentication, which means that the sender of a
message cannot be spoofed, and it aims to hide "non-content" data, like the
sender and receiver of messages, from passive eavesdroppers like those running
warrantless wiretapping programs.
=========
FEATURES:
- support configure --with-dbfile="" for nodb mode by default, where
there is no binary database, but nsd reads and writes zonefiles.
- reuseport: no is the default, because the feature is not trouble-free.
- configure --enable-ratelimit-default-is-off with --enable-ratelimit
to set the default ratelimit to disabled but available in nsd.conf.
- version: "string" option to set chaos version query reply string.
BUG FIXES:
- Fix zones updates from nsd parent event loop when there are a lot
of interfaces.
- portability fixes.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new
defaults in the ssl libraries.
- updated contrib/nsd.spec, with new configure options.
- Allocate less memory for TSIG digest.
- Fix #721: Fix wrong error code (FORMERR) returned for unknown
opcode. NOTIMP expected.
- Fix zonec ttl mismatch printout to include more information.
- Fix TCP responses when REUSEPORT is in use by turning it off.
- Document default in manpage for rrl-slip, ip4 and 6 prefixlength.
- Explain rrl-slip better in documentation.
- Document that ratelimit qps and slip are updated in reconfig.
- Fix up defaults in manpage.
=============
Features:
- Fix #594. libunbound: optionally use libnettle for crypto.
Added --with-nettle for use with --with-libunbound-only.
- Implemented qname minimisation
Bug Fixes:
- Fix #712: unbound-anchor appears to not fsync root.key.
- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.
- portability, replace snprintf if return value broken
- portability fixes.
- detect libexpat without xml_StopParser function.
- isblank() compat implementation.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- Fix #716: nodata proof with empty non-terminals and wildcards.
- Fix #718: Fix unbound-control-setup with support for env
without HEREDOC bash support.
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
- Change example.conf: ftp.internic.net to https://www.internic.net
- Fix for lenient accept of reverse order DNAME and CNAME.
- spelling fixes from Igor Sobrado Delgado.
- Fix that malformed EDNS query gets a response without malformed EDNS.
- Added assert on rrset cache correctness.
- Fix #720: add windows scripts to zip bundle,
and fix unbound-control-setup windows batch file.
- Fix for #724: conf syntax to read files from run dir (on Windows).
And fix PCA prompt for unbound-service-install.exe.
And add Changelog to windows binary dist.
- .gitignore for git users.
- iana portlist update.
- Removed unneeded whitespace from example.conf.
- Do not minimise forwarded requests.
0.5.25
* Change the TLD with only 1 rule from .cy to .bd.
* Update the eTLD database to 2015-09-29T17:22:03Z.
* Update the eTLD database to 2015-04-29T23:56:05Z.
* Alter licenses into a machine readable set of license names.
* Restrict i18n < 0.7.0 on ruby 1.8.
# Addressable 2.4.0
- support for 1.8.x dropped
- double quotes in a host now raises an error
- newlines in host will no longer get unescaped during normalization
- stricter handling of bogus scheme values
- stricter handling of encoded port values
- calling `require 'addressable'` will now load both the URI and Template files
- assigning to the `hostname` component with an `IPAddr` object is now supported
- assigning to the `origin` component is now supported
- fixed minor bug where an exception would be thrown for a missing ACE suffix
- better partial expansion of URI templates
**** 1.04 December 8, 2015
Fix rt.cpan.org #109183
Semantics of "retry" and "retrans" options has changed with 1.03
Fix rt.cpan.org #109152
Deprecated method make_query_packet breaks calling code
Fix rt.cpan.org #109135
Resolver behaves differently with long and short IPv6 address format
Fix rt.cpan.org #108745
Net::DNS::Resolver bgsend
syncthing upstream regularly breaks protocol compatibility. Define
that we will update when f-droid does and that testing against android
is required for major updates, in an attempt to avoid imposing pain on
users and also avoid having to have many versions. Take maintainership.
More or less discussed with tnn@ and jnemeth@.
Changes in version 0.2.7.5 - 2015-11-20
The Tor 0.2.7 release series is dedicated to the memory of Tor user
and privacy advocate Caspar Bowden (1961-2015). Caspar worked
tirelessly to advocate human rights regardless of national borders,
and oppose the encroachments of mass surveillance. He opposed national
exceptionalism, he brought clarity to legal and policy debates, he
understood and predicted the impact of mass surveillance on the world,
and he laid the groundwork for resisting it. While serving on the Tor
Project's board of directors, he brought us his uncompromising focus
on technical excellence in the service of humankind. Caspar was an
inimitable force for good and a wonderful friend. He was kind,
humorous, generous, gallant, and believed we should protect one
another without exception. We honor him here for his ideals, his
efforts, and his accomplishments. Please honor his memory with works
that would make him proud.
Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
The 0.2.7 series adds a more secure identity key type for relays,
improves cryptography performance, resolves several longstanding
hidden-service performance issues, improves controller support for
hidden services, and includes small bugfixes and performance
improvements throughout the program. This release series also includes
more tests than before, and significant simplifications to which parts
of Tor invoke which others.
(This release contains no code changes since 0.2.7.4-rc.)
Changes in version 0.2.7.4-rc - 2015-10-21
Tor 0.2.7.4-rc is the second release candidate in the 0.2.7 series. It
fixes some important memory leaks, and a scary-looking (but mostly
harmless in practice) invalid-read bug. It also has a few small
bugfixes, notably fixes for compilation and portability on different
platforms. If no further significant bugs are found, the next
release will be the official stable release.
o Major bugfixes (security, correctness):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (correctness):
- Fix a use-after-free bug in validate_intro_point_failure(). Fixes
bug 17401; bugfix on 0.2.7.3-rc.
o Major bugfixes (memory leaks):
- Fix a memory leak in ed25519 batch signature checking. Fixes bug
17398; bugfix on 0.2.6.1-alpha.
- Fix a memory leak in rend_cache_failure_entry_free(). Fixes bug
17402; bugfix on 0.2.7.3-rc.
- Fix a memory leak when reading an expired signing key from disk.
Fixes bug 17403; bugfix on 0.2.7.2-rc.
o Minor features (geoIP):
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- Repair compilation with the most recent (unreleased, alpha)
versions of OpenSSL 1.1. Fixes part of ticket 17237.
- Fix an integer overflow warning in test_crypto_slow.c. Fixes bug
17251; bugfix on 0.2.7.2-alpha.
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
o Minor bugfixes (portability):
- Use libexecinfo on FreeBSD to enable backtrace support. Fixes part
of bug 17151; bugfix on 0.2.5.2-alpha. Patch from Marcin Cieślak.
o Minor bugfixes (sandbox):
- Add the "hidserv-stats" filename to our sandbox filter for the
HiddenServiceStatistics option to work properly. Fixes bug 17354;
bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
o Minor bugfixes (testing):
- Add unit tests for get_interface_address* failure cases. Fixes bug
17173; bugfix on 0.2.7.3-rc. Patch by fk/teor.
- Fix breakage when running 'make check' with BSD make. Fixes bug
17154; bugfix on 0.2.7.3-rc. Patch by Marcin Cieślak.
- Make the get_ifaddrs_* unit tests more tolerant of different
network configurations. (Don't assume every test box has an IPv4
address, and don't assume every test box has a non-localhost
address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor".
- Skip backtrace tests when backtrace support is not compiled in.
Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from
Marcin Cieślak.
o Documentation:
- Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
- Note that HiddenServicePorts can take a unix domain socket. Closes
ticket 17364.
Changes in version 0.2.7.3-rc - 2015-09-25
Tor 0.2.7.3-rc is the first release candidate in the 0.2.7 series. It
contains numerous usability fixes for Ed25519 keys, safeguards against
several misconfiguration problems, significant simplifications to
Tor's callgraph, and numerous bugfixes and small features.
This is the most tested release of Tor to date. The unit tests cover
39.40% of the code, and the integration tests (accessible with "make
test-full-online", requiring stem and chutney and a network
connection) raise the coverage to 64.49%.
o Major features (security, hidden services):
- Hidden services, if using the EntryNodes option, are required to
use more than one EntryNode, in order to avoid a guard discovery
attack. (This would only affect people who had configured hidden
services and manually specified the EntryNodes option with a
single entry-node. The impact was that it would be easy to
remotely identify the guard node used by such a hidden service.
See ticket for more information.) Fixes ticket 14917.
o Major features (Ed25519 keys, keypinning):
- The key-pinning option on directory authorities is now
advisory-only by default. In a future version, or when the AuthDirPinKeys
option is set, pins are enforced again. Disabling key-pinning
seemed like a good idea so that we can survive the fallout of any
usability problems associated with Ed25519 keys. Closes
ticket 17135.
o Major features (Ed25519 performance):
- Improve the speed of Ed25519 operations and Curve25519 keypair
generation when built targeting 32 bit x86 platforms with SSE2
available. Implements ticket 16535.
- Improve the runtime speed of Ed25519 signature verification by
using Ed25519-donna's batch verification support. Implements
ticket 16533.
o Major features (performance testing):
- The test-network.sh script now supports performance testing.
Requires corresponding chutney performance testing changes. Patch
by "teor". Closes ticket 14175.
o Major features (relay, Ed25519):
- Significant usability improvements for Ed25519 key management. Log
messages are better, and the code can recover from far more
failure conditions. Thanks to "s7r" for reporting and diagnosing
so many of these!
- Add a new OfflineMasterKey option to tell Tor never to try loading
or generating a secret Ed25519 identity key. You can use this in
combination with tor --keygen to manage offline and/or encrypted
Ed25519 keys. Implements ticket 16944.
- Add a --newpass option to allow changing or removing the
passphrase of an encrypted key with tor --keygen. Implements part
of ticket 16769.
- On receiving a HUP signal, check to see whether the Ed25519
signing key has changed, and reload it if so. Closes ticket 16790.
o Major bugfixes (relay, Ed25519):
- Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on
0.2.7.2-alpha. Reported by "s7r".
- Improve handling of expired signing keys with offline master keys.
Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".
o Minor features (client-side privacy):
- New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
lifespan when IsolateSOCKSAuth and streams with SOCKS
authentication are attached to the circuit. This allows
applications like TorBrowser to manage circuit lifetime on their
own. Implements feature 15482.
- When logging malformed hostnames from SOCKS5 requests, respect
SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
o Minor features (compilation):
- Give a warning as early as possible when trying to build with an
unsupported OpenSSL version. Closes ticket 16901.
- Fail during configure if we're trying to build against an OpenSSL
built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha
which started requiring ECC.
o Minor features (geoip):
- Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
Country database.
o Minor features (hidden services):
- Relays need to have the Fast flag to get the HSDir flag. As this
is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
drop. This change should make some attacks against the hidden
service directory system harder. Fixes ticket 15963.
- Turn on hidden service statistics collection by setting the torrc
option HiddenServiceStatistics to "1" by default. (This keeps
track only of the fraction of traffic used by hidden services, and
the total number of hidden services in existence.) Closes
ticket 15254.
- Client now uses an introduction point failure cache to know when
to fetch or keep a descriptor in their cache. Previously, failures
were recorded implicitly, but not explicitly remembered. Closes
ticket 16389.
o Minor features (testing, authorities, documentation):
- New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
explicitly manage consensus flags in testing networks. Patch by
"robgjansen", modified by "teor". Implements part of ticket 14882.
o Minor bugfixes (security, exit policies):
- ExitPolicyRejectPrivate now also rejects the relay's published
IPv6 address (if any), and any publicly routable IPv4 or IPv6
addresses on any local interfaces. ticket 17027. Patch by "teor".
Fixes bug 17027; bugfix on 0.2.0.11-alpha.
o Minor bug fixes (torrc exit policies):
- In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
produce IPv6 wildcard addresses. Previously they would produce
both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
of bug 16069; bugfix on 0.2.4.7-alpha.
- When parsing torrc ExitPolicies, we now warn for a number of cases
where the user's intent is likely to differ from Tor's actual
behavior. These include: using an IPv4 address with an accept6 or
reject6 line; using "private" on an accept6 or reject6 line; and
including any ExitPolicy lines after accept *:* or reject *:*.
Related to ticket 16069.
- When parsing torrc ExitPolicies, we now issue an info-level
message when expanding an "accept/reject *" line to include both
IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
- In each instance above, usage advice is provided to avoid the
message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
16069; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (authority):
- Don't assign "HSDir" to a router if it isn't Valid and Running.
Fixes bug 16524; bugfix on 0.2.7.2-alpha.
- Downgrade log messages about Ed25519 key issues if they are in old
cached router descriptors. Fixes part of bug 16286; bugfix
on 0.2.7.2-alpha.
- When we find an Ed25519 key issue in a cached descriptor, stop
saying the descriptor was just "uploaded". Fixes another part of
bug 16286; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (control port):
- Repair a warning and a spurious result when getting the maximum
number of file descriptors from the controller. Fixes bug 16697;
bugfix on 0.2.7.2-alpha.
o Minor bugfixes (correctness):
- When calling channel_free_list(), avoid calling smartlist_remove()
while inside a FOREACH loop. This partially reverts commit
17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (documentation):
- Advise users on how to configure separate IPv4 and IPv6 exit
policies in the manpage and sample torrcs. Related to ticket 16069.
- Fix the usage message of tor-resolve(1) so that it no longer lists
the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
- Fix an error in the manual page and comments for
TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
required "ORPort connectivity". While this is true, it is in no
way unique to the HSDir flag. Of all the flags, only HSDirs need a
DirPort configured in order for the authorities to assign that
particular flag. Patch by "teor". Fixed as part of 14882; bugfix
on 0.2.6.3-alpha.
o Minor bugfixes (Ed25519):
- Fix a memory leak when reading router descriptors with expired
Ed25519 certificates. Fixes bug 16539; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow bridge authorities to run correctly under the seccomp2
sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
- Allow routers with ed25519 keys to run correctly under the
seccomp2 sandbox. Fixes bug 16965; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (open file limit):
- Fix set_max_file_descriptors() to set by default the max open file
limit to the current limit when setrlimit() fails. Fixes bug
16274; bugfix on tor-0.2.0.10-alpha. Patch by dgoulet.
o Minor bugfixes (portability):
- Try harder to normalize the exit status of the Tor process to the
standard-provided range. Fixes bug 16975; bugfix on every version
of Tor ever.
- Check correctly for Windows socket errors in the workqueue
backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
- Fix the behavior of crypto_rand_time_range() when told to consider
times before 1970. (These times were possible when running in a
simulated network environment where time()'s output starts at
zero.) Fixes bug 16980; bugfix on 0.2.7.1-alpha.
- Restore correct operation of TLS client-cipher detection on
OpenSSL 1.1. Fixes bug 14047; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (relay):
- Ensure that worker threads actually exit when a fatal error or
shutdown is indicated. This fix doesn't currently affect the
behavior of Tor, because Tor workers never indicate fatal error
or shutdown except in the unit tests. Fixes bug 16868; bugfix
on 0.2.6.3-alpha.
- Unblock threads before releasing the work queue mutex to ensure
predictable scheduling behavior. Fixes bug 16644; bugfix
on 0.2.6.3-alpha.
o Code simplification and refactoring:
- Change the function that's called when we need to retry all
downloads so that it only reschedules the downloads to happen
immediately, rather than launching them all at once itself. This
further simplifies Tor's callgraph.
- Move some format-parsing functions out of crypto.c and
crypto_curve25519.c into crypto_format.c and/or util_format.c.
- Move the client-only parts of init_keys() into a separate
function. Closes ticket 16763.
- Simplify the microdesc_free() implementation so that it no longer
appears (to code analysis tools) to potentially invoke a huge
suite of other microdesc functions.
- Simplify the control graph further by deferring the inner body of
directory_all_unreachable() into a callback. Closes ticket 16762.
- Treat the loss of an owning controller as equivalent to a SIGTERM
signal. This removes a tiny amount of duplicated code, and
simplifies our callgraph. Closes ticket 16788.
- When generating an event to send to the controller, we no longer
put the event over the network immediately. Instead, we queue
these events, and use a Libevent callback to deliver them. This
change simplifies Tor's callgraph by reducing the number of
functions from which all other Tor functions are reachable. Closes
ticket 16695.
- Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
that try to scan or compile every file on Unix won't decide that
they are broken.
- Remove the unused "nulterminate" argument from buf_pullup().
o Documentation:
- Recommend a 40 GB example AccountingMax in torrc.sample rather
than a 4 GB max. Closes ticket 16742.
- Include the TUNING document in our source tarball. It is referred
to in the ChangeLog and an error message. Fixes bug 16929; bugfix
on 0.2.6.1-alpha.
o Removed code:
- The internal pure-C tor-fw-helper tool is now removed from the Tor
distribution, in favor of the pure-Go clone available from
https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
used by the C tor-fw-helper are not, in our opinion, very
confidence-inspiring in their secure-programming techniques.
Closes ticket 13338.
- Remove the code that would try to aggressively flush controller
connections while writing to them. This code was introduced in
0.1.2.7-alpha, in order to keep output buffers from exceeding
their limits. But there is no longer a maximum output buffer size,
and flushing data in this way caused some undesirable recursions
in our call graph. Closes ticket 16480.
o Testing:
- Make "bridges+hs" the default test network. This tests almost all
tor functionality during make test-network, while allowing tests
to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
(chutney). Patches by "teor".
- Autodetect CHUTNEY_PATH if the chutney and Tor sources are
side-by-side in the same parent directory. Closes ticket 16903. Patch
by "teor".
- Use environment variables rather than autoconf substitutions to
send variables from the build system to the test scripts. This
change should be easier to maintain, and cause 'make distcheck' to
work better than before. Fixes bug 17148.
- Add a new set of callgraph analysis scripts that use clang to
produce a list of which Tor functions are reachable from which
other Tor functions. We're planning to use these to help simplify
our code structure by identifying illogical dependencies.
- Add new 'test-full' and 'test-full-online' targets to run all
tests, including integration tests with stem and chutney.
- Make the test-workqueue test work on Windows by initializing the
network before we begin.
- New make target (make test-network-all) to run multiple applicable
chutney test cases. Patch from Teor; closes 16953.
- Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
functions in dns.c. Implements a portion of ticket 16831.
- When building Tor with testing coverage enabled, run Chutney tests
(if any) using the 'tor-cov' coverage binary.
- When running test-network or test-stem, check for the absence of
stem/chutney before doing any build operations.
Changes in version 0.2.7.2-alpha - 2015-07-27
This, the second alpha in the Tor 0.2.7 series, has a number of new
features, including a way to manually pick the number of introduction
points for hidden services, and the much stronger Ed25519 signing key
algorithm for regular Tor relays (including support for encrypted
offline identity keys in the new algorithm).
Support for Ed25519 on relays is currently limited to signing router
descriptors; later alphas in this series will extend Ed25519 key
support to more parts of the Tor protocol.
o Major features (Ed25519 identity keys, Proposal 220):
- All relays now maintain a stronger identity key, using the Ed25519
elliptic curve signature format. This master key is designed so
that it can be kept offline. Relays also generate an online
signing key, and a set of other Ed25519 keys and certificates.
These are all automatically regenerated and rotated as needed.
Implements part of ticket 12498.
- Directory authorities now vote on Ed25519 identity keys along with
RSA1024 keys. Implements part of ticket 12498.
- Directory authorities track which Ed25519 identity keys have been
used with which RSA1024 identity keys, and do not allow them to
vary freely. Implements part of ticket 12498.
- Microdescriptors now include Ed25519 identity keys. Implements
part of ticket 12498.
- Add support for offline encrypted Ed25519 master keys. To use this
feature on your tor relay, run "tor --keygen" to make a new master
key (or to make a new signing key if you already have a master
key). Closes ticket 13642.
o Major features (Hidden services):
- Add the torrc option HiddenServiceNumIntroductionPoints, to
specify a fixed number of introduction points. Its maximum value
is 10 and default is 3. Using this option can increase a hidden
service's reliability under load, at the cost of making it more
visible that the hidden service is facing extra load. Closes
ticket 4862.
- Remove the adaptive algorithm for choosing the number of
introduction points, which used to change the number of
introduction points (poorly) depending on the number of
connections the HS sees. Closes ticket 4862.
o Major features (onion key cross-certification):
- Relay descriptors now include signatures of their own identity
keys, made using the TAP and ntor onion keys. These signatures
allow relays to prove ownership of their own onion keys. Because
of this change, microdescriptors will no longer need to include
RSA identity keys. Implements proposal 228; closes ticket 12499.
o Major features (performance):
- Improve the runtime speed of Ed25519 operations by using the
public-domain Ed25519-donna by Andrew M. ("floodyberry").
Implements ticket 16467.
- Improve the runtime speed of the ntor handshake by using an
optimized curve25519 basepoint scalarmult implementation from the
public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
ideas by Adam Langley. Implements ticket 9663.
o Major bugfixes (client-side privacy, also in 0.2.6.9):
- Properly separate out each SOCKSPort when applying stream
isolation. The error occurred because each port's session group
was being overwritten by a default value when the listener
connection was initialized. Fixes bug 16247; bugfix on
0.2.6.3-alpha. Patch by "jojelino".
o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
- Stop refusing to store updated hidden service descriptors on a
client. This reverts commit 9407040c59218 (which indeed fixed bug
14219, but introduced a major hidden service reachability
regression detailed in bug 16381). This is a temporary fix since
we can live with the minor issue in bug 14219 (it just results in
some load on the network) but the regression of 16381 is too much
of a setback. First-round fix for bug 16381; bugfix
on 0.2.6.3-alpha.
o Major bugfixes (hidden services):
- When cannibalizing a circuit for an introduction point, always
extend to the chosen exit node (creating a 4 hop circuit).
Previously Tor would use the current circuit exit node, which
changed the original choice of introduction point, and could cause
the hidden service to skip excluded introduction points or
reconnect to a skipped introduction point. Fixes bug 16260; bugfix
on 0.1.0.1-rc.
o Major bugfixes (open file limit):
- The open file limit wasn't checked before calling
tor_accept_socket_nonblocking(), which would make Tor exceed the
limit. Now, before opening a new socket, Tor validates the open
file limit just before, and if the max has been reached, return an
error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
o Major bugfixes (stability, also in 0.2.6.10):
- Stop crashing with an assertion failure when parsing certain kinds
of malformed or truncated microdescriptors. Fixes bug 16400;
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
by "cypherpunks_backup".
- Stop random client-side assertion failures that could occur when
connecting to a busy hidden service, or connecting to a hidden
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
on 0.1.0.1-rc.
o Minor features (directory authorities, security, also in 0.2.6.9):
- The HSDir flag given by authorities now requires the Stable flag.
For the current network, this results in going from 2887 to 2806
HSDirs. Also, it makes it harder for an attacker to launch a sybil
attack by raising the effort for a relay to become Stable to
require at the very least 7 days, while maintaining the 96 hours
uptime requirement for HSDir. Implements ticket 8243.
o Minor features (client):
- Relax the validation of hostnames in SOCKS5 requests, allowing the
character '_' to appear, in order to cope with domains observed in
the wild that are serving non-RFC compliant records. Resolves
ticket 16430.
- Relax the validation done to hostnames in SOCKS5 requests, and
allow a single trailing '.' to cope with clients that pass FQDNs
using that syntax to explicitly indicate that the domain name is
fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
- Add GroupWritable and WorldWritable options to unix-socket based
SocksPort and ControlPort options. These options apply to a single
socket, and override {Control,Socks}SocketsGroupWritable. Closes
ticket 15220.
o Minor features (control protocol):
- Support network-liveness GETINFO key and NETWORK_LIVENESS event in
the control protocol. Resolves ticket 15358.
o Minor features (directory authorities):
- Directory authorities no longer vote against the "Fast", "Stable",
and "HSDir" flags just because they were going to vote against
"Running": if the consensus turns out to be that the router was
running, then the authority's vote should count. Patch from Peter
Retzlaff; closes issue 8712.
o Minor features (geoip, also in 0.2.6.10):
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
o Minor features (hidden services):
- Add the new options "HiddenServiceMaxStreams" and
"HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
limit the maximum number of simultaneous streams per circuit, and
optionally tear down the circuit when the limit is exceeded. Part
of ticket 16052.
o Minor features (portability):
- Use C99 variadic macros when the compiler is not GCC. This avoids
failing compilations on MSVC, and fixes a log-file-based race
condition in our old workarounds. Original patch from Gisle Vanem.
o Minor bugfixes (compilation, also in 0.2.6.9):
- Build with --enable-systemd correctly when libsystemd is
installed, but systemd is not. Fixes bug 16164; bugfix on
0.2.6.3-alpha. Patch from Peter Palfrader.
o Minor bugfixes (controller):
- Add the descriptor ID in each HS_DESC control event. It was
missing, but specified in control-spec.txt. Fixes bug 15881;
bugfix on 0.2.5.2-alpha.
o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
- Check for failures from crypto_early_init, and refuse to continue.
A previous typo meant that we could keep going with an
uninitialized crypto library, and would have OpenSSL initialize
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
o Minor bugfixes (hidden services):
- Fix a crash when reloading configuration while at least one
configured and one ephemeral hidden service exists. Fixes bug
16060; bugfix on 0.2.7.1-alpha.
- Avoid crashing with a double-free bug when we create an ephemeral
hidden service but adding it fails for some reason. Fixes bug
16228; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox):
- Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
these when eventfd2() support is missing. Fixes bug 16363; bugfix
on 0.2.6.3-alpha. Patch from "teor".
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
- Fix sandboxing to work when running as a relay, by allowing the
renaming of secret_id_key, and allowing the eventfd2 and futex
syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
Peter Palfrader.
- Allow systemd connections to work with the Linux seccomp2 sandbox
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
Peter Palfrader.
o Minor bugfixes (relay):
- Fix a rarely-encountered memory leak when failing to initialize
the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
from "cypherpunks".
o Minor bugfixes (systemd):
- Fix an accidental formatting error that broke the systemd
configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
- Tor's systemd unit file no longer contains extraneous spaces.
These spaces would sometimes confuse tools like
deb-systemd-helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
o Minor bugfixes (tests):
- Use the configured Python executable when running test-stem-full.
Fixes bug 16470; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (tests, also in 0.2.6.9):
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
o Minor bugfixes (threads, comments):
- Always initialize return value in compute_desc_id in rendcommon.c.
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Check for NULL values in getinfo_helper_onions(). Patch by "teor".
Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Remove undefined directive-in-macro in test_util_writepid. clang
3.7 complains that using a preprocessor directive inside a macro
invocation in test_util_writepid in test_util.c is undefined.
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
o Code simplification and refactoring:
- Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
to ensure they remain consistent and visible everywhere.
- Remove some vestigial workarounds for the MSVC6 compiler. We
haven't supported that in ages.
- The link authentication code has been refactored for better
testability and reliability. It now uses code generated with the
"trunnel" binary encoding generator, to reduce the risk of bugs
due to programmer error. Done as part of ticket 12498.
o Documentation:
- Include a specific and (hopefully) accurate documentation of the
torrc file's meta-format in doc/torrc_format.txt. This is mainly
of interest to people writing programs to parse or generate torrc
files. This document is not a commitment to long-term
compatibility; some aspects of the current format are a bit
ridiculous. Closes ticket 2325.
o Removed features:
- Tor no longer supports copies of OpenSSL that are missing support
for Elliptic Curve Cryptography. (We began using ECC when
available in 0.2.4.8-alpha, for more safe and efficient key
negotiation.) In particular, support for at least one of P256 or
P224 is now required, with manual configuration needed if only
P224 is available. Resolves ticket 16140.
- Tor no longer supports versions of OpenSSL before 1.0. (If you are
on an operating system that has not upgraded to OpenSSL 1.0 or
later, and you compile Tor from source, you will need to install a
more recent OpenSSL to link Tor against.) These versions of
OpenSSL are still supported by OpenSSL, but the numerous
cryptographic improvements in later OpenSSL releases make them a
clear choice. Resolves ticket 16034.
- Remove the HidServDirectoryV2 option. Now all relays offer to
store hidden service descriptors. Related to 16543.
- Remove the VoteOnHidServDirectoriesV2 option, since all
authorities have long set it to 1. Closes ticket 16543.
o Testing:
- Document use of coverity, clang static analyzer, and clang dynamic
undefined behavior and address sanitizers in doc/HACKING. Include
detailed usage instructions in the blacklist. Patch by "teor".
Closes ticket 15817.
- The link authentication protocol code now has extensive tests.
- The relay descriptor signature testing code now has
extensive tests.
- The test_workqueue program now runs faster, and is enabled by
default as a part of "make check".
- Now that OpenSSL has its own scrypt implementation, add a unit
test that checks for interoperability between libscrypt_scrypt()
and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
and rely on EVP_PBE_scrypt() whenever possible. Resolves
ticket 16189.
v0.12.7:
Filenames added to audit log in the LocalIndexUpdated event (#2549, @nrm21)
staticClient.connect(): don't handshake twice (fixes #2547, #2548) (@canton7)
Fix STTRACE=http (it should use the http debug logger) (@calmh)
Twisted Core 15.5.0 (2015-11-28)
================================
This is the last Twisted release where Python 2.6 is supported, on any
platform. Python 3.5 (on POSIX) support has been added.
This release introduces changes that are required for Conch's SSH
implementation to work with OpenSSH 6.9+ servers.
Features
--------
- twisted.python.url is a new abstraction for URLs, supporting RFC
3987 IRIs. (#5388)
- twisted.python.logfile is now ported to Python 3. (#6749)
- twisted.python.zippath has been ported to Python 3. (#6917)
- twisted.internet.ssl.CertificateOptions and
twisted.internet.ssl.optionsForClientTLS now take an
acceptableProtocols parameter that enables negotiation of the next
protocol to speak after the TLS handshake has completed. This field
advertises protocols over both NPN and ALPN. Also added new
INegotiated interface for TLS interfaces that support protocol
negotiation. This interface adds a negotiatedProtocol property that
reports what protocol, if any, was negotiated in the TLS handshake.
(#7860)
- twisted.python.urlpath.URLPath now operates correctly on Python 3,
using bytes instead of strings, and introduces the fromBytes
constructor to assist with creating them cross-version. (#7994)
- twisted.application.strports is now ported to Python 3. (#8011)
- twistd (the Twisted Daemon) is now ported to Python 3. (#8012)
- Python 3.5 is now supported on POSIX platforms. (#8042)
- twisted.internet.serialport is now ported to Python 3. (#8099)
Bugfixes
--------
- twisted.logger.formatEvent now can format an event if it was
flattened (twisted.logger.eventAsJSON does this) and has text after
the last replacement field. (#8003)
- twisted.cred.checkers.FilePasswordDB now logs an error if the
credentials db file does not exist, no longer raises an unhandled
error. (#8028)
- twisted.python.threadpool.ThreadPool now properly starts enough
threads to do any work scheduled before ThreadPool.start() is
called, such as when work is scheduled in the reactor via
reactor.callInThread() before reactor.run(). (#8090)
Improved Documentation
----------------------
- Twisted Development test standard documentation now contains
information about avoiding test data files. (#6535)
- The documentation for twisted.internet.defer.DeferredSemaphore now
describes the actual usage for limit and tokens instance
attributes. (#8024)
Deprecations and Removals
-------------------------
- twisted.python._initgroups, a C extension, has been removed and
stdlib support is now always used instead. (#5861)
- Python 2.6 is no longer supported. (#8017)
- twisted.python.util.OrderedDict is now deprecated, and uses of it
in Twisted are replaced with collections.OrderedDict. (#8051)
- twisted.persisted.sob.load, twisted.persisted.sob.loadValueFromFile
and twisted.persisted.sob.Persistent.save() are now deprecated when
used with a passphrase. The encryption used by these methods is
weak. (#8081)
- twisted.internet.interfaces.IStreamClientEndpointStringParser has
been removed and Twisted will no longer use parsers implementing
this interface. (#8094)
Other
-----
- #5976, #6628, #6894, #6980, #7228, #7693, #7731, #7997, #8046,
#8054, #8056, #8060, #8063, #8064, #8068, #8072, #8091, #8095,
#8096, #8098, #8106
Twisted Conch 15.5.0 (2015-11-18)
=================================
Features
--------
- twisted.conch.ssh now supports the
diffie-hellman-group-exchange-sha256 key exchange algorithm. (#7672)
- twisted.conch.ssh now supports the diffie-hellman-group14-sha1 key
exchange algorithm. (#7717)
- twisted.conch.ssh.transport.SSHClientTransport now supports
Diffie-Hellman key exchange using MSG_KEX_DH_GEX_REQUEST as described in
RFC 4419. (#8100)
- twisted.conch.ssh now supports the hmac-sha2-256 and hmac-sha2-512
MAC algorithms. (#8108)
Deprecations and Removals
-------------------------
- twisted.conch.ssh.keys.objectType is now deprecated. Use
twisted.conch.ssh.keys.Key.sshType. (#8080)
- twisted.conch.ssh.transport.SSHClientTransport no longer supports
Diffie-Hellman key exchange using MSG_KEX_DH_GEX_REQUEST_OLD for
pre RFC 4419 servers. (#8100)
Twisted Web 15.5.0 (2015-11-18)
================================
Features
--------
- twisted.web.http.Request.addCookie now supports the httpOnly
attribute which when set on cookies prevents the browser exposing
it through channels other than HTTP and HTTPS requests (i.e. they
will not be accessible through JavaScript). (#5911)
- twisted.web.client.downloadPage is now ported to Python 3. (#6197)
- twisted.web.client.Agent is now ported to Python 3. (#7407)
- twisted.web.tap (run when calling `twistd web`) has now been ported
to Python 3. Not all features are enabled -- CGI, WSGI, and
distributed web serving will be enabled in their respective tickets
as they are ported. (#8008)
Bugfixes
--------
- twisted.web.client.URI now supports IPv6 addresses. Previously this
would mistake the colons used as IPv6 address group separators as
the start of a port specification. (#7650)
- twisted.web.util's failure template has been moved inline to work
around Python 3 distribution issues. (#8047)
- twisted.web.http.Request on Python 3 now handles
multipart/form-data requests correctly. (#8052)
Other
-----
- #8016, #8070
Twisted Words 15.5.0 (2015-11-18)
=================================
Features
--------
- twisted.words.protocol.irc.IRC now has a sendCommand() method which
can send messages with tags. (#6667)
Other
-----
- #8015, #8097
v0.12.6
Allow #urPreview to scroll in the browser (#2537, @canton7)
Fix deleting folders on WinXP (#2522, @buinsky)
New key for discovery-*-3
Handle backoff on discovery
v0.12.5
Update osext dependency (#1272, @calmh)
Compact database on startup (#2400, @calmh)
Don't chmod in Atomic on android (#2472, @kluppy)
Fix symlinks (#2524, @AudriusButkevicius)
Generate ECDSA keys instead of RSA (#2523, @calmh)
Take timeout into account when dialing (#2521, @AudriusButkevicius)
Improve upgrade error messages (#2510, @plouj)
* dhcpcd will now configure chrony if installed and ntp isn't
* dhcpcd no longer attempts temporary address management on Linux
* replace the SixRD decode function with a generic definition
* try harder to ensure only 1 lladdr exists per interface on BSD
* kFreeBSD compiles once more, thanks to JS Junior
* change IPv6 routes on MTU change
* -p works with -x on an already running process started without -p
* fix TEST for IPv4LL
* Correct size allocation for prefix delegation, thanks to Jade
* Add an option to enable DHCPv6 Information Request without the
need for dhcpcd to receive an IPv6 Router Advertisement with the
Other Configuration bit set.
* Introduce the optional option type, which allows embedded options
to be optional
* Mark our logger function as sysloglike because we enjoy using %m
* Don't check link state if not instructed to before working out if
we can fork early or not.
* Add a -N --renew option to renew any existing address early
* Obey the hostname_short option even for configured FQDN hostnames
* -U, --dumplease now works with standard input.
It no longer works with a filename.
* If dumping leases, skip authentication and address expiry checks
* Fix adding host routes via a gateway on Linux
* Fix adding static routes via a gateway on BSD
* Always send LOG_DEBUG to syslog(3) even if we are in quiet mode.
It's up to syslog to filter it.
* If testing or dumping leases, don't send to syslog, only
stdout/stderr.
Packaged in pkgsrc-wip by Aleksej Lebedev.
Fixes PR pkg/50471.
Megatools is a collection of programs for accessing Mega service from a command
line of your desktop or server.
Megatools allow you to copy individual files as well as entire directory trees
to and from the cloud. You can also perform streaming downloads for example to
preview videos and audio files, without needing to download the entire file.
Mega website can be found at mega.co.nz.
Changes:
2015.11.24
----------
o Misc bug fixes and improvements
2015.11.23
----------
o Misc bug fixes and improvements (most user-visible changes are fixes for
youtube extractor)
2015.11.21
----------
o Misc bug fixes and improvements
2015.11.19
----------
o Misc bug fixes and improvements
2015.11.18
----------
o Add extractor for dplay
o Misc bug fixes and improvements
2015.11.15
----------
o Misc bug fixes and improvements
2015.11.13
----------
o Add extractor for vidto
o Misc bug fixes and improvements
NB: 0.12.x is not compatible with 0.11.x. F-droid has a version that
is now interoperable with 0.12, vs 0.11. Upstream changes:
0.12.4:
Warn the user if they're running with an insecure looking setup (#2139, @calmh)
Add remaining scanning time (#2484, @calmh)
Handle sparse files (#245, @calmh)
Improved relay handling (@AudriusButkevicius)
0.12.3:
Fix address list in DeviceDiscovered, add debug prints (#2444, @calmh)
Audit logins with new LoginAttempt event (#2377, @tylerbrazier)
More local discovery URL debugging (#2444, @calmh)
Made upgrade-system smarter (#2446, @Stefan-Code)
Remove folder without restart (#2262, @calmh)
Don't dirty blockmap key between lookups (#2455, @calmh)
0.12.2:
Change a discovery server certificate
Fix "INFO: bug: uncached path call" log output on first startup
0.12.1:
Actually do negative caching on failed discovery lookups (#2434, @calmh)
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
Baikal offers ubiquitous and synchronized access to your calendars
and address books over CalDAV and CardDAV. Baikal implements the
current IETF recommendation drafts of these industry standards for
centralized calendar and address book collections.
* Changes in Wget 1.17
** Remove FTP passive to active fallback due to privacy concerns.
** Add support for --if-modified-since.
** Add support for metalink through --input-metalink and --metalink-over-http.
** Add support for HSTS through --hsts and --hsts-file.
** Add option to restrict filenames under VMS.
** Add support for --rejected-log which logs to a separate file the reasons why
URLs are being rejected and some context around it.
** Add support for FTPS.
** Do not download/save file on error when --spider enabled
** Add --convert-file-only option. This option converts only the
filename part of the URLs, leaving the rest of the URLs untouched.
GStreamer 1.6.1 Release Notes
The GStreamer team is proud to announce the first bugfix release in the stable 1.6 release series of your favourite cross-platform multimedia framework!
This release only contains bugfixes and it is safe to update from 1.6.0. For a full list of bugfixes see Bugzilla.
See http://gstreamer.freedesktop.org/releases/1.6/ for the latest version of this document.
Last updated: Friday 30 October 2015, 14:00 UTC
Major bugfixes
Crashes in the gst-libav encoders were fixed
More DASH-IF test streams are working now
Live DASH, HLS and MS SmoothStreaming streams work more reliably and other fixes for the adaptive streaming protocols
Reverse playback works with scaletempo to keep the audio pitch
Correct stream-time is reported for negative applied_rate
SRTP packet validation during decoding does not reject valid packets anymore
Fixes for audioaggregator and aggregator to start producing output at the right time, and e.g. not outputting lots of silence in the beginning
gst-libav's internal ffmpeg snapshot was updated to 2.8.1
cerbero has support for Mac OS X 10.11 (El Capitan)
Various memory leaks were fixed, including major leaks in playbin, playsink and decodebin
Various GObject-Introspection annotation fixes for bindings
and many, many more
GStreamer 1.6 Release Notes
The GStreamer team is proud to announce a new major feature release in the stable 1.x API series of your favourite cross-platform multimedia framework!
This release has been in the works for more than a year and is packed with new features, bug fixes and other improvements.
See http://gstreamer.freedesktop.org/releases/1.6/ for the latest version of this document.
Highlights
Stereoscopic 3D and multiview video support
Trick mode API for key-frame only fast-forward/fast-reverse playback etc.
Improved DTS (decoding timestamp) vs. PTS (presentation timestamp) handling to account for negative DTS
New GstVideoConverter API for more optimised and more correct conversion of raw video frames between all supported formats, with rescaling
v4l2src now supports renegotiation
v4l2transform can now do scaling
V4L2 Element now report Colorimetry properly
Easier chunked recording of MP4, Matroska, Ogg, MPEG-TS: new splitmuxsink and multifilesink improvements
Content Protection signalling API and Common Encryption (CENC) support for DASH/MP4
Many adaptive streaming (DASH, HLS and MSS) improvements
New PTP and NTP network client clocks and better remote clock tracking stability
High-quality text subtitle overlay at display resolutions with glimagesink or gtkglsink
RECORD support for the GStreamer RTSP Server
Retransmissions (RTX) support in RTSP server and client
RTSP seeking support in client and server has been fixed
RTCP scheduling improvements and reduced size RTCP support
MP4/MOV muxer acquired a new "robust" mode of operation which attempts to keep the output file in a valid state at all times
Live mixing support in aggregator, audiomixer and compositor was improved a lot
compositor now also supports rescaling of input streams on the fly
New audiointerleave element with proper input synchronisation and live input support
Blackmagic Design DeckLink capture and playback card support was rewritten from scratch; 2k/4k support; mode sensing
KLV metadata support in RTP and MPEG-TS
H.265 video encoder (x265), decoders (libav, libde265) and RTP payloader and depayloaders
New DTLS plugin and SRTP/DTLS support
OpenGL3 support, multiple contexts and context propagation, 3D video, transfer/conversion separation, subtitle blending
New OpenGL-based QML video sink, Gtk GL video sink, CoreAnimation CAOpenGLLayerSink video sink
gst-libav switched to ffmpeg as libav-provider, gains support for 3D/multiview video, trick modes, and the CAVS codec
GstHarness API for unit tests
gst-editing-services got a completely new ges-launch-1.0 interface, improved mixing support and integration into gst-validate
gnonlin has been deprecated in favor of nle (Non Linear Engine) in gst-editing-services
gst-validate has a new plugin system, an extensive default testsuite, support for concurrent test runs and valgrind support
cerbero build tool for SDK binary packages gains new 'bundle-source' command
Various improvements to the Android, iOS, OS X and Windows platform support
Full log at
http://gstreamer.freedesktop.org/releases/1.6/
Changes:
* netlib: Refactored HTTP protocol handling code
* netlib: ALPN support
* netlib: fixed a bug in the optional certificate verification.
* netlib: Initial Python 3.5 support (this is the first prerequisite for
3.x support in mitmproxy)
ChangeLog (only stable versions):
2015/11/03 : 1.6.2
- BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0
- DOC: fix a typo for a "deviceatlas" keyword
- FIX: small typo in an example using the "Referer" header
- BUG/MEDIUM: config: count memory limits on 64 bits, not 32
- BUG/MAJOR: dns: first DNS response packet not matching queried hostname may lead to a loop
- BUG/MINOR: dns: unable to parse CNAMEs response
- BUG/MINOR: examples/haproxy.init: missing brace in quiet_check()
- DOC: deviceatlas: more example use cases.
- BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin.
- BUG/MAJOR: http: don't requeue an idle connection that is already queued
- DOC: typo on capture.res.hdr and capture.req.hdr
- BUG/MINOR: dns: check for duplicate nameserver id in a resolvers section was missing
- CLEANUP: use direction names in place of numeric values
- BUG/MEDIUM: lua: sample fetches based on response doesn't work
2015/10/20 : 1.6.1
- DOC: specify that stats socket doc (section 9.2) is in management
- BUILD: install only relevant and existing documentation
- CLEANUP: don't ignore debian/ directory if present
- BUG/MINOR: dns: parsing error of some DNS response
- BUG/MEDIUM: namespaces: don't fail if no namespace is used
- BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled
- MEDIUM: dns: Don't use the ANY query type
2015/10/13 : 1.6.0
- BUG/MINOR: Handle interactive mode in cli handler
- DOC: global section missing parameters
- DOC: backend section missing parameters
- DOC: stats parameters available in frontend
- MINOR: lru: do not allocate useless memory in lru64_lookup
- BUG/MINOR: http: Add OPTIONS in supported http methods (found by find_http_meth)
- BUG/MINOR: ssl: fix management of the cache where forged certificates are stored
- MINOR: ssl: Release Servers SSL context when HAProxy is shut down
- MINOR: ssl: Read the file used to generate certificates in any order
- MINOR: ssl: Add support for EC for the CA used to sign generated certificates
- MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates
- BUG/MEDIUM: logs: fix time zone offset format in RFC5424
- BUILD: Fix the build on OSX (htonll/ntohll)
- BUILD: enable build on Linux/s390x
- BUG/MEDIUM: lua: direction test failed
- MINOR: lua: fix a spelling error in some error messages
- CLEANUP: cli: ensure we can never double-free error messages
- BUG/MEDIUM: lua: force server-close mode on Lua services
- MEDIUM: init: support more command line arguments after pid list
- MEDIUM: init: support a list of files on the command line
- MINOR: debug: enable memory poisoning to use byte 0
- BUILD: ssl: fix build error introduced by recent commit
- BUG/MINOR: config: make the stats socket pass the correct proxy to the parsers
- MEDIUM: server: implement TCP_USER_TIMEOUT on the server
- DOC: mention the "namespace" options for bind and server lines
- DOC: add the "management" documentation
- DOC: move the stats socket documentation from config to management
- MINOR: examples: update haproxy.spec to mention new docs
- DOC: mention management.txt in README
- DOC: remove haproxy-{en,fr}.txt
- BUILD: properly report when USE_ZLIB and USE_SLZ are used together
- MINOR: init: report use of libslz instead of "no compression"
- CLEANUP: examples: remove some obsolete and confusing files
- CLEANUP: examples: remove obsolete configuration file samples
- CLEANUP: examples: fix the example file content-sw-sample.cfg
- CLEANUP: examples: update sample file option-http_proxy.cfg
- CLEANUP: examples: update sample file ssl.cfg
- CLEANUP: tests: move a test file from examples/ to tests/
- CLEANUP: examples: shut up warnings in transparent proxy example
- CLEANUP: tests: removed completely obsolete test files
- DOC: update ROADMAP to remove what was done in 1.6
- BUG/MEDIUM: pattern: fixup use_after_free in the pat_ref_delete_by_id
Tests don't run through because of
===> Testing for py27-gevent-1.0.2
Traceback (most recent call last):
File "testrunner.py", line 2, in <module>
import six
File "/scratch/net/py-gevent/work/gevent-1.0.2/greentest/six.py", line 2, in <module>
from gevent.hub import PY3
ImportError: No module named gevent.hub
*** Error code 1
Release 1.0.2
-------------
- Fix LifoQueue.peek() to return correct element. PR #456. Patch by Christine Spang.
- Upgrade to libev 4.19
- Remove SSL3 entirely as default TLS protocol
- Import socket on Windows (closes #459)
- Fix C90 syntax error (PR #449)
- Add compatibility with Python 2.7.9's SSL changes. Issue #477.
The changelog only goes as far back as 3.1. Major changes are:
- Mac OS X port
- Provide minimal interface information on BSD
- Fixes for all defects identified by coverity
- Fix accuracy issue on total rate calculation
- Better example config file
- Only initialize curses module if actually used
- Bugfixes
Also saner build system and new source code location (github).
Changelog:
Release 2.0.2 October 22nd 2015
csync_file_stat_s: Save a bit of memory
Shibboleth: Add our base user agent to WebKit
SelectiveSync: Increase folder list timeout to 60
Propagation: Try another sync on 423 Locked (#3387)
Propagation: Make 423 Locked a soft error (#3387)
Propagation: Reset upload blacklist if a chunk succeeds
Application: Fix crash on early shutdown (#3898)
Linux: Don't show settings dialog always when launched twice (#3273, #3771, #3485)
win32 vio: Add the OPEN_REPARSE_POINTS flag to the CreateFileW call. (#3813)
AccountSettings: only expand root elements on single click.
AccountSettings: Do not allow to expand the folder list when disconnected.
Use application SHORT name for the name of the MacOSX pkg file (ownBrander).
FolderMan: Fix for removing a syncing folder (#3843)
ConnectionMethodDialog: Don't be insecure on close (#3863)
Updater: Ensure folders are not removed (#3747)
Folder settings: Ensure path is cleaned (#3811)
Propagator: Simplify sub job finished counting (#3844)
Share dialog: Hide settings dialog before showing (#3783)
UI: Only expand 1 level in folder list (#3585)
UI: Allow folder expanding from button click (#3585)
UI: Expand folder treeview on single click (#3585)
GUI: Change tray menu order (#3657)
GUI: Replace term "sign in" with "Log in" and friends.
SetupPage: Fix crash caused by uninitialized Account object.
Use a themable WebDAV path all over.
Units: Back to the "usual" mix units (JEDEC standard).
csync io: Full UNC path support on Win (#3748)
Tray: Don't use the tray workaround with the KDE theme (#3706, #3765)
ShareDialog: Fix folder display (#3659)
AccountSettings: Restore from legacy only once (#3565)
SSL Certificate Error Dialog: show account name (#3729)
Tray notification: Don't show a message about modified folder (#3613)
PropagateLocalRemove: remove entries from the DB even if there was an error.
Settings UI improvements (eg. #3713, #3721, #3619 and others)
Folder: Do not create the sync folder if it does not exist (#3692)
Shell integration: don't show share menu item for top level folders
Tray: Hide while modifying menus (#3656, #3672)
AddFolder: Improve remote path selection error handling (#3573)
csync_update: Use excluded_traversal() to improve performance (#3638)
csync_excluded: Add fast _traversal() function (#3638)
csync_exclude: Speed up significantly (#3638)
AccountSettings: Adjust quota info design (#3644, #3651)
Adjust buttons on remove folder/account questions (#3654)
Release 2.0.1 September 1st 2015
AccountWizard: fix when the theme specifies an override URL (#3699)
Release 2.0.0 August 25th 2015
Add support for multiple accounts (#3084)
Do not sync down new big folders from server without user's consent (#3148)
Integrate Selective Sync into the default UI
OS X: Support native finder integration for 10.10 Yosemite (#2340)
Fix situation where client would not reconnect after timeout (#2321)
Use SI units for the file sizes
Improve progress reporting during sync (better estimations, show all files, show all bandwidth)
Windows: Support paths >255 characters (#57) by using Windows API instead of POSIX API
Windows, OS X: Allow to not sync hidden files (#2086)
OS X: Show file name in UI if file has invalid UTF-8 in file name
Sharing: Make use of Capability API (#3439)
Sharing: Do not allow sharing the root folder (#3495)
Sharing: Show thumbnail
Client Updater: Check for updates periodically, not only once per run (#3044)
Windows: Remove misleading option to remove sync data (#3461)
Windows: Do not provoke AD account locking if password changes (#2186)
Windows: Fix installer when installing unprivileged (#2616, #2568)
Quota: Only refresh from server when UI is shown
SSL Button: Show more information
owncloudcmd: Fix --httpproxy (#3465)
System proxy: Ask user for credentials if needed
Several fixes and performance improvements in the sync engine
Network: Try to use SSL session tickets/identifiers. Check the SSL button to see if they are used.
Bandwidth Throttling: Provide automatic limit setting for downloads (#3084)
Systray: Workaround for issue with Qt 5.5.0 (#3656)