Bug Fixes
The following vulnerabilities have been fixed:
* wnpa-sec-2017-13
WBXML dissector infinite loop (Bug 13477, Bug 13796)
CVE-2017-7702, CVE-2017-11410. Note: This is an
update for a fix in Wireshark 2.2.6 and 2.0.12.
* wnpa-sec-2017-28
openSAFETY dissector memory exhaustion (Bug 13649, Bug 13755)
CVE-2017-9350, CVE-2017-11411. Note: This is an update for a
fix in Wireshark 2.2.7.
* wnpa-sec-2017-34
AMQP dissector crash. (Bug 13780) CVE-2017-11408
* wnpa-sec-2017-35
MQ dissector crash. (Bug 13792) CVE-2017-11407
* wnpa-sec-2017-36
DOCSIS infinite loop. (Bug 13797) CVE-2017-11406
The following bugs have been fixed:
* Y.1711 dissector reverses defect type order. (Bug 8292)
* Packet list keeps scrolling back to selected packet while names are
being resolved. (Bug 12074)
* [REGRESSION] Export Objects do not show files from a SMB2 capture.
(Bug 13214)
* LTE RRC: lte-rrc.q_RxLevMin filter fails on negative values.
(Bug 13481)
* Hexpane showing in proportional font again. (Bug 13638)
* Regression in SCCP fragments handling. (Bug 13651)
* TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs. (Bug 13739)
* Dissector for WSMP (IEEE 1609.3) not current. (Bug 13766)
* RANAP: possible issue in the heuristic code. (Bug 13770)
* [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type
int in packet-btrfcomm.c:314:37. (Bug 13783)
* RANAP: false positives on heuristic algorithm. (Bug 13791)
* Automatic name resolution not saved to PCAP-NG NRB. (Bug 13798)
* DAAP dissector dissect_daap_one_tag recursion stack exhausted.
(Bug 13799)
* Malformed DCERPC PNIO packet decode, exception handler invalid
pointer reference. (Bug 13811)
* It seems SPVID was decoded from wrong field. (Bug 13821)
* README.dissectors: Add notes about predefined string structures not
available to plugin authors. (Bug 13828)
* Statistics->Packet Lengths doesn't display details for 5120 or
greater. (Bug 13844)
* cmake/modules/FindZLIB.cmake doesn't find inflatePrime. (Bug
13850)
* BGP: incorrect decoding COMMUNITIES whose length is larger than
255. (Bug 13872)
Updated Protocol Support
AMQP, BGP, BSSMAP, BT RFCOMM, DAAP, DOCSIS, E.212, FDDI, GSM A GM, GSM
BSSMAP, IEEE 802.11, IP, ISIS LSP, LTE RRC, MQ, OpenSafety, OSPF,
PROFINET IO, RANAP, SCCP, SGSAP, SMB2, TCAP, TCP, UMTS FP, UMTS RLC,
WBXML, WSMP, and Y.1711
Changes in version 0.3.0.10 - 2017-08-02
Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
from the current Tor alpha series. OpenBSD users and TPROXY users
should upgrade; others are probably okay sticking with 0.3.0.9.
o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
- Tor's repository now includes a Travis Continuous Integration (CI)
configuration file (.travis.yml). This is meant to help new
developers and contributors who fork Tor to a Github repository be
better able to test their changes, and understand what we expect
to pass. To use this new build feature, you must fork Tor to your
Github account, then go into the "Integrations" menu in the
repository settings for your fork and enable Travis, then push
your changes. Closes ticket 22636.
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
- Fix a typo that had prevented TPROXY-based transparent proxying
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
- Avoid an assertion failure bug affecting our implementation of
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
handling of "0xfoo" differs from what we had expected. Fixes bug
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
o Minor features (backport from 0.3.1.5-alpha):
- Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.
o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
bugfix on 0.2.8.1-alpha.
- Fix warnings when building with libscrypt and openssl scrypt
support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
- When building with certain versions of the mingw C header files,
avoid float-conversion warnings when calling the C functions
isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
- Backport a fix for an "unused variable" warning that appeared
in some versions of mingw. Fixes bug 22838; bugfix on
0.2.8.1-alpha.
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
- Avoid Coverity build warnings related to our BUG() macro. By
default, Coverity treats BUG() as the Linux kernel does: an
instant abort(). We need to override that so our BUG() macro
doesn't prevent Coverity from analyzing functions that use it.
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
- When rejecting a router descriptor for running an obsolete version
of Tor without ntor support, warn about the obsolete tor version,
not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
- Avoid a sandbox failure when trying to re-bind to a socket and
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha):
- Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
api-change:batch: Update batch command to latest version
api-change:cloudhsmv2: Update cloudhsmv2 command to latest version
api-change:efs: Update efs command to latest version
api-change:ssm: Update ssm command to latest version
api-change:storagegateway: Update storagegateway command to latest version
api-change:mgh: Update mgh command to latest version
api-change:glue: Update glue command to latest version
1.11.133
api-change:ec2: Update ec2 command to latest version
api-change:cognito-idp: Update cognito-idp command to latest version
api-change:codedeploy: Update codedeploy command to latest version
api-change:cloudhsmv2: Update cloudhsmv2 client to latest version
api-change:ssm: Update ssm client to latest version
api-change:glue: Update glue client to latest version
api-change:mgh: Update mgh client to latest version
api-change:efs: Update efs client to latest version
api-change:storagegateway: Update storagegateway client to latest version
api-change:batch: Update batch client to latest version
1.6.0
api-change:ec2: Update ec2 client to latest version
feature:retries: Add ability to configure the maximum amount of retry attempts a client call can make.
api-change:cognito-idp: Update cognito-idp client to latest version
api-change:codedeploy: Update codedeploy client to latest version
2017-08-14 - libfilezilla 0.10.1 released
Bugfixes and minor changes:
MSW: Improve handling of reparse points in fz::local_filesys
2017-07-10 - libfilezilla 0.10.0 released
New features:
Added fz::percent_encode and fz::percent_encode
Added fz::uri and fz::query_string
Added fz::less_insensitive_ascii for case-insensitive strings in maps
Bugfixes and minor changes:
Moved encoding functions from string.hpp to encode.hpp
Use pkg-config instead of cppunit-config to look for cppunit.
Changes in libsoup from 2.58.1 to 2.58.2:
* CVE-2017-2885: Fixed a chunked decoding buffer overrun that
could be exploited against either clients or servers.
[#785774]
Changes in libsoup from 2.58.0 to 2.58.1:
* Reverts a change to SoupSession to close all open
connections when the :proxy-resolver property is changed
[#777326; this change was made in 2.58.0 but accidentally
left out of the NEWS for that release]; although that
behavior made :proxy-resolver more consistent with
:proxy-uri, it ended up breaking Evolution EWS. [#781590]
* Fixed undefined behavior in tests/header-parsing that could
make the test spuriously fail. [#777258]
* Updates to the configure tests for Apache for use in tests/:
* Dropped support for Apache 2.2
* Changed PHP support from PHP 5 to PHP 7
* mod_unixd can now be either built-in or dynamically
loaded [#776478]
* Updated translations:
Turkish
Changes in libsoup from 2.57.1 to 2.58.0:
* Fix authentication issues when the SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE
flag is used. [#778497, #777936, Carlos Garcia Campos]
* MSVC build improvements (Chun-wei Fan)
* Updated translations:
Basque, Belarusian, Brazilian Portuguese, Chinese (Taiwan), Danish,
French, Galician, Greek, Indonesian, Italian, Korean, Latvian,
Lithuanian, Norwegian bokmål, Russian, Serbian, Slovak, Slovenian,
Spanish, zh_CN
Changes in libsoup from 2.56.0 to 2.57.1:
* Added SoupWebsocketConnection:keepalive-interval, to make a
connection send regular pings. [#773253, Ignacio Casal
Quinteiro]
* Added soup_auth_manager_clear_cached_credentials() and
SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE, to allow greater control
over the use of cached HTTP auth credentials. [#774031,
#774033, Carlos Garcia Campos]
* Fixed the use of SoupSession:proxy-uri values containing
passwords. [#772932, Jonathan Lebon]
* Various minor WebSocket fixes [Ignacio Casal Quinteiro]:
* Avoid sending data after we start closing the
connection [#774957]
* Do not log a critical if the peer sends an invalid
close status code
* Log a debug message when a "pong" is received
* Fixed introspection of
soup_message_headers_get_content_range() [Jasper St. Pierre]
* Replaced Vala [Deprecated] annotations with [Version] to
avoid build warnings [#773177, Evan Nemerson]
* MSVC build improvements (Chun-wei Fan)
* Updated error/message strings to use Unicode punctuation.
[#772217, Piotr Drąg]
* Updated translations:
Czech, Friulian, German, Hebrew, Hungarian,
Norwegian bokmål, Polish, Swedish
Changes in libsoup from 2.55.90 to 2.56.0:
* Added SoupWebsocketConnection:max-incoming-payload-size
property, to override the default maximum incoming payload
size. [#770022, Ignacio Casal Quinteiro]
* Added soup-version.h symbols (in particular
soup_check_version()) to introspection. [#771439, Rico
Tzschichholz]
* Updated the copy of the public suffix list used by SoupTLD
[#769650, Michael Catanzaro]
* Updated translations:
British English, Greek, Polish
Changes in libsoup from 2.54.1 to 2.55.90:
* Removed support for SSLv3 fallback; sites that reject TLS
1.x handshakes will now just fail with an error. (Firefox
and Chrome have both already switched to this behavior.)
[#765940, Dan Winship]
* Fixed the parsing of <double>s in the new GVariant-based
XMLRPC code. [#767707, Dan Winship]
* Fixed soup_server_set_ssl_cert_file(), which was added in
2.48 but didn't actually work... [patch on libsoup-list from
Sean DuBois]
* Added GObject properties to SoupLogger to make it
bindings-friendly. [#768053, Jonh Wendell]
* Fixed build error on FreeBSD [#765376, Ting-Wei Lan]
* Fixed build with certain new versions of glibc that define
"EOF" as a macro. [#768731, Philip Withnall]
* Updated m4/ax_code_coverage.m4 with support for lcov 1.12
[Philip Withnall]
* Updated po files for future gettext versions [Piotr Drąg]
* New/updated translations:
Occitan, Scottish Gaelic
v0.14.36
This is an unscheduled release to fix a bug that slipped through the cracks in 0.14.34 & 0.14.35.
Resolved issues:
#4297: Folder paths are no longer reset when editing a folder without a label
v0.14.35
This is an unscheduled release in panic mode to fix a significant problem in 0.14.34.
Resolved issues in 0.14.35:
#4288: Symlinks are deleted from versioned folders on startup
Resolved issues in 0.14.34:
#2157: The new folder dialog now suggests a default path. Adjustable via advanced config defaultFolderPath.
#4272: The build script no longer sets -installsuffix by default.
#4286: Prevents a vulnerability that allows file overwrite via versioned symlinks
Note that the last issue is a security vulnerability. Symlinks on Windows are not supported and have not been created by Syncthing for a while. Nonetheless, if you use symlinks on Windows and Syncthing versioning, you may have symlinks in your versioning directory from earlier versions. You must remove these manually. Syncthing cannot remove them automatically because there are other things that look to us like symlinks but are not, primarily deduplicated files. (This is one of the reasons symlinks are not supported on Windows.)
On other platforms, symlinks are cleaned from the versioning directory as part of the upgrade.
v0.14.34-rc.1
This is a release candidate for v0.14.34.
Resolved issues:
#2157: The new folder dialog now suggests a default path. Adjustable via advanced config defaultFolderPath.
#4272: The build script no longer sets -installsuffix by default.
v0.14.33
This is a regularly scheduled stable release.
Resolved issues:
#4188: Relative version paths are now correctly relative to the folder path
#4227: Remote devices now show bytes remaining to sync
#4249: Editing ignore patterns no longer incorrectly shows included patterns
v0.14.33-rc.1
This is a release candidate for v0.14.33.
Resolved issues:
#4188: Relative version paths are now correctly relative to the folder path
#4227: Remote devices now show bytes remaining to sync
#4249: Editing ignore patterns no longer incorrectly shows included patterns
v0.14.32
This is a regularly scheduled stable release.
Resolved issues:
#4157: "Nearby devices" are now shown in the add device dialog, avoiding the need to type their device ID.
#4219: Folders that were once ignored in a sharing request now actually work properly when later added manually.
v0.14.32-rc.2
This is a release candidate for v0.14.32.
v0.14.32-rc.1
This is a release candidate fo14.31:
#4157: "Nearby devices" are now shown in the add device dialog, avoiding the need to type their device ID.
#4219: Folders that were once ignored in a sharing request now actually work properly when later added manually.
This package installs a binary that is setuid-executable to the
"smmsp" user and it also needs to be owned by the "nagios" group.
Add hooks to create these users and groups in the package install
scripts when the binary package is installed.
Bump the PKGREVISION due to changes in the package install scripts.
The rss-newsfeed.html file was removed in the update to version
4.3.2, so we no longer need to change ownership and permissions on
the file after installation.
Arguably, nagios-base should have a postinstall check for the
rss-newsfeed.* files and remove them, as they were removed in
version 4.3.2 due to security concerns.
* Improve compatibility with GNU Hurd
* Fixed 2286 - improve CMake on Windows documentation
* Fixed 1235 - improved compatibility with mingw64
* Improve zmq_proxy documentation to state it can return ETERM as well
* Fixed 1442 - SO_NOSIGPIPE and connection closing by peer race condition
* Improve CMake functionality on Windows: ZeroMQConfig.cmake generation CPack
option, correct static library filename, ship FindSodium.cmake in tarball
* Fixed 2228 - setting HWM after connect on inproc transport leads to infinite
HWM
* Add support for Visual Studio 2017
* New DRAFT (see NEWS for 4.2.0) zmq_has option "draft" that returns
true if the library was built with DRAFT enabled. Useful for FFI bindings.
See doc/zmq_has.txt for more information
* Fixed 2321 - zmq_z85_decode does not validate its input. The function has
been fixed to correctly follow RFC32 and return NULL if the input is invalid
* Fixed 2323 - clock_t related crash on Apple iOS 9.3.2 and 9.3.5
* Fixed 1801 - OSX: Cmake installs libzmq in a weird PATH
* Fixed potential divide by zero in zmq::lb_t::sendpipe
* Improve compatibility with OpenIndiana by skipping epoll and using poll/select
* Fix IPv4-in-IPv6 mapped addresses parsing error
Changes from release notes.
Features
* zone parser parses type AVC (it has TXT format).
* Fix #1272: use writev to put tcp length field
with data for outgoing zone transfer requests.
Bugfixes
* Fix potential null pointer in nsec3 adjustment tree.
* Fix text format of deletes for CDS and CDNSKEY,
single 0 to represent empty base64 or hex string.
https://github.com/Kozea/Radicale/issues/675#issuecomment-320029350
* override folder for storing local collections, from
/var/lib/radicale/collections to ${PREFIX}/share/radicale/collections
Update Radicale2 to 2.1.4
2.1.4 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Fix incorrect time range matching and calculation for some edge-cases with
rescheduled recurrences
* Fix owner property
2.1.3 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Enable timeout for SSL handshakes and move them out of the main thread
* Create cache entries during upload of items
* Stop built-in server on Windows when Ctrl+C is pressed
* Prevent slow down when multiple requests hit a collection during cache warm-up
2.1.2 - Wild Radish
-------------------
This feature is not compatible with the 1.x.x versions. See
http://radicale.org/1to2/ if you want to switch from 1.x.x to
2.x.x.
* Remove workarounds for bugs in VObject < 0.9.5
* Error checking of collection tags and associated components
* Improve error checking of uploaded collections and components
* Don't delete empty collection properties implicitly
* Improve logging of VObject serialization
Set PKG_SYSCONFSUBDIR where appropriate, and use {MAKE,OWN}_DIRS to
create the directory tree under ${PKG_SYSCONFDIR} instead of using
INSTALLATION_DIRS.
Bump the PKGREVISION of packages that changed due to changes in the
package install scripts.
Ensure that the ${NAGIOS_GROUP} group is created before the package
files are installed since the plugin binary must be made setgid to
that group.
Bump the PKGREVISIONs of these plugin packages due to package
install scripts being added.
-------------------------------------------------------------------
Ensure that the ${NAGIOS_GROUP} group is created before the package
files are installed since the binary must be made setgid to that
group.
Bump the PKGREVISION due to package install scripts being added.
* Ensure that ${PKG_SYSCONFDIR}/objects is created at package
installation time by adding it to OWN_DIRS.
* Don't explicitly add ${DESTDIR} to files listed in SPECIAL_PERMS
since it is automatically added by the pkgsrc infrastructure if
needed.
* It's "${DESTDIR}${PREFIX}", not "${DESTDIR}/${PREFIX}" -- avoid
having double slashes in pathnames for correctness.
Bump the PKGREVISION due to fixes in the package install scripts.
-------------------------------------------------------------------
Set PKG_SYSCONFSUBDIR to "knot" to have all of the config files
located in the "knot" subdirectory of ${PKG_SYSCONFBASE}.
Pass ${PKG_SYSCONFBASE} to the configure script since the package's
build infrastructure automatically appends "/knot" to the value
passed in through --sysconfdir.
Remove ${PKG_SYSCONFDIR} from INSTALLATION_DIRS since it is
automatically created by the package install script.
Bump the PKGREVISION due to changes in the package install scripts.
There is no REQUIRE_DIRS used by pkgsrc. I think that REQD_DIRS
was meant to be used; however, REQD_DIRS is also the wrong way to
create the config directory.
Set PKG_SYSCONFSUBDIR to "streaming" to automatically create
${PKG_SYSCONFBASE}/streaming during package installation, and
consistently use ${PKG_SYSCONFDIR} within the package Makefile to
refer to the config directory path.
Bump the PKGREVISION due to the changes in the resulting package
scripts.
- Collapse redundant code for invoking service-specific rc.d scripts.
- Don't try to run a service's rc.d script if it isn't enabled in rc.conf.
- Prefix "nb" to procnames.
Bump version.
o Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
with installation and compatibility with the Windows 10 Creators Update.
o NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students.
o Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ ftp-syst sends SYST and STAT commands to FTP servers to get system version
and connection information.
+ http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
Joomla! 3.7.x before 3.7.1.
+ iec-identify probes for the IEC 60870-5-104 SCADA protocol.
+ openwebnet-discovery retrieves device identifying information and
number of connected devices running on openwebnet protocol.
+ puppet-naivesigning checks for a misconfiguration in the Puppet CA where
naive signing is enabled, allowing for any CSR to be automatically signed.
+ smb-protocols discovers if a server supports dialects NT LM 0.12
(SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script.
+ smb2-capabilities lists the supported capabilities of SMB2/SMB3
servers.
+ smb2-time determines the current date and boot date of SMB2
servers.
+ smb2-security-mode determines the message signing configuration of
SMB2/SMB3 servers.
+ smb2-vuln-uptime attempts to discover missing critical patches in
Microsoft Windows systems based on the SMB2 server uptime.
+ ssh-auth-methods lists the authentication methods offered by an SSH server.
+ ssh-brute performs brute-forcing of SSH password credentials.
+ ssh-publickey-acceptance checks public or private keys to see if they could
be used to log in to a target. A list of known-compromised key pairs is
included and checked by default.
+ ssh-run uses user-provided credentials to run commands on targets via SSH.
o Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
o Added Datagram TLS (DTLS) support to Ncat in connect (client)
mode with --udp --ssl. Also added Application Layer Protocol Negotiation
(ALPN) support with the --ssl-alpn option.
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed.
o Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16.
o Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed.
o FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary.
o Function url.escape no longer encodes so-called "unreserved"
characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
o Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230.
o The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g. "1.0".
o Fix handling of the objectSID Active Directory attribute
by ldap.lua.
o Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script.
o http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User
Agents.
Pkgsrc changes:
* The hosting of radsecproxy has changed to nordu.net.
Upstream changes:
2017-08-02 1.6.9
Misc:
- Use a listen(2) backlog of 128 (RADSECPROXY-72).
Bug fixes:
- Don't follow the NULL pointer at debug level 5 (RADSECPROXY-68).
- Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
- Tie Access-Request log lines to response log lines (RADSECPROXY-60).
- Fix a couple of memory leaks and NULL ptr derefs in error cases.
- Take lock on realm refcount before updating it (RADSECPROXY-77).
2016-09-21 1.6.8
Bug fixes:
- Stop waiting on writable when reading a TCP socket.
- Stomp less on the memory of other threads (RADSECPROXY-64).
2016-03-14 1.6.7
Enhancements (security):
- Negotiate TLS1.1, TLS1.2 and DTLS1.2 when possible, client and
server side. Fixes RADSECPROXY-62.
Enhancements:
- Build HTML documentation properly.
api-change:config: Update config command to latest version
api-change:codedeploy: Update codedeploy command to latest version
api-change:pinpoint: Update pinpoint command to latest version
api-change:ses: Update ses command to latest version
1.11.128
api-change:ssm: Update ssm command to latest version
api-change:inspector: Update inspector command to latest version
api-change:ses: Update ses client to latest version
api-change:pinpoint: Update pinpoint client to latest version
api-change:codedeploy: Update codedeploy client to latest version
api-change:config: Update config client to latest version
1.5.91
api-change:ssm: Update ssm client to latest version
api-change:inspector: Update inspector client to latest version
Bug fixes
- Use the incoming ECS for cache lookup if use-incoming-edns-subnet is
set
- when making a netmask from a comboaddress, we neglected to zero the
port. This could lead to a proliferation of netmasks.
- Don't take the initial ECS source for a scope one if EDNS is off
- also set d_requestor without Lua: the ECS logic needs it
- Fix IXFR skipping the additions part of the last sequence
- Treat requestor's payload size lower than 512 as equal to 512
- make URI integers 16 bits, fixes ticket #5443
- unbreak quoting
Improvements
- EDNS Client Subnet becomes compatible with the packet cache, using
the existing variable answer facility.
- Remove just enough entries from the cache, not one more than asked
- Move expired cache entries to the front so they are expunged
- changed IPv6 addr of b.root-servers.net
- e.root-servers.net has IPv6 now
- hello decaf signers (ED25519 and ED448)
- don't use the libdecaf ed25519 signer when libsodium is enabled
(Kees Monshouwer)
- do not hash the message in the ed25519 signer (Kees Monshouwer)
- Disable use-incoming-edns-subnet by default
Here are the release notes, excluding security fixes (already fixed by
bind-9.9.10pl3, BIND 9.9.10-P3).
Release Notes for BIND Version 9.9.11
Introduction
This document summarizes significant changes since the last production
release of BIND on the corresponding major release branch. Please see
the CHANGES file for a further list of bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.9.11, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
BIND 9.9 (Extended Support Version) will be supported until at least
June, 2018. https://www.isc.org/downloads/software-support-policy/
Here are the release notes, excluding security fixes (already fixed by
bind-9.10.5pl3, BIND 9.10.5-P3).
Release Notes for BIND Version 9.10.6
Introduction
This document summarizes changes since the last production release on
the BIND 9.10 branch. Please see the CHANGES file for a further list of
bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.10.6, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* dig +ednsopt now accepts the names for EDNS options in addition to
numeric values. For example, an EDNS Client-Subnet option could be
sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/