0MQ version 3.2.4 stable, released on 2013/09/20
================================================
* LIBZMQ-84 (Windows) Assertion failed: Address already in use at signaler.cpp:80
* LIBZMQ-456 ZMQ_XPUB_VERBOSE does not propagate in a tree of XPUB/XSUB devices
* LIBZMQ-532 (Windows) critical section not released on error
* LIBZMQ-569 Detect OpenPGM 5.2 system library
* LIBZMQ-563 Subscribers sometimes stopped receiving messages (aka LIBZMQ-541)
* LIBZMQ-XXX Added support for Travis Continuous Integration
* LIBZMQ-XXX Several improvements to MSVC support
chrysn and Joe Nahmias have done a bunch of work on Calypso, and I even
managed to fix a couple of bugs. I've merged their stuff in and pushed
out a version 1.2 release this afternoon, along with an updated debian
package. At this point, all reported Debian bugs are closed (surely that
can't last through more than one release).
The only piece unmerged was the ForkingMixin stuff as that means that
each connection has to re-read the entire database at startup as there's
no persistent in-memory state. I'd love to figure out how to use the
ThreadingMixin instead, providing the same multi-session support along
with caching.
0.8 - Rainbow
=============
* New authentication and rights management modules (by Matthias Jordan)
* Experimental database storage
* Command-line option for custom configuration file (by Mark Adams)
* Root URL not at the root of a domain (by Clint Adams, Fabrice Bellet, Vincent Untz)
* Improved support for iCal, CalDAVSync, CardDAVSync, CalDavZAP and CardDavMATE
* Empty PROPFIND requests handled (by Christoph Polcin)
* Colon allowed in passwords
* Configurable realm message
0.62 (01/26/2013)
(dc) Add support for HTTP compression where available, enabled by default.
(cb) Add support for EAN to the US locale, as reported by Jacob Turino.
(cb) Add Spain and Italy locales, as implemented by Menno Blom.
(cb) Add some new departments in Amazon.co.jp, as implemented by Naoya Ito.
Features:
* New config option "ip-transparent:" to allow NSD to bind to non local
addresses. Default no.
* Use IPV6 minimum MTU settings with TCP to reduce failures that are caused
by delays in learning working PMTU when communicating through a tunnel.
* Bugfix #496: Support for EUI48 and EUI64 RR types. Experimental,
turned off by default. Enable with --enable-draft-rrtypes.
* New config option "rrl-slip:" to set the average number of packets
discarded before we send back a truncated response.
* New config option "rrl-ipv4-prefix-length:" and "rrl-ipv6-prefix-length:"
to set the prefix lengths.
* Improved RRL logging, also print triggering query src address and QTYPE.
* Provide RRL documentation in nsd.conf.sample.
Bugfixes:
* Bugfix #357: Parent process waits until children closed down sockets,
to prevent NSD failing to bind to sockets when restarting.
* Bugfix #487: lookup3.c determine endianness for BSD systems.
* Bugfix #491: pick program name (0th argument) as syslog identity.
* Bugfix #494: Exit with return code 1 if socket code fails.
* Bugfix #495: Wrong bufsize in dname_to_string for root.
* Fix outgoing-interface: Don't fail if family is IPv6 but only IPv4
outgoing-interface is set, or vice versa.
* RRtypes AFSDB, RP, RT should not compress dnames.
* Check that zone directory is within chroot directory.
* Better XFR checking, fallback to AXFR (if allowed) if three malformed
XFR packets have been seen.
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
New Features
Added Response Rate Limiting (RRL) functionality to reduce the
effectiveness of DNS as an amplifier for reflected denial-of-service
attacks by rate-limiting substantially-identical responses. [RT
#28130]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Changed the logging category for RRL events from 'queries' to
'query-errors'. [RT #33540]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Fix the "zone-statistics" option to work with the default
traditional statistics (not new "--enable-newstats" feature).
[RT #34466]
named could crash when deleting inline-signing zones with "rndc
delzone". [RT #34066]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
win32: Some executables had been omitted from the installer. [RT
#34116]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
Adjusted RRL behavior for recursive queries to defer rate-limiting
until after recursion is complete. Also uses correct rcode for
slipped NXDOMAIN responses. [RT #33604]
Previously, BIND could erroneously report a missing file
specification when using inline slave zones. [RT #33662]
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.)
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
Fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
(CVE-2013-3919 is already fixed in pkgsrc).
Security Fixes
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen-queue will permit
more pending TCP connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
(leaf package, mainly bugfixes, checked with MAINTAINER)
v3.0.717 (14 August 2013)
- (OS X only) Work around lack of clock_gettime().
- Fix crash due to str_appendf() not understanding %ld.
v3.0.716 (8 August 2013)
- Implement support for multiple capture interfaces.
- Support multiple local IPs on an interface.
- Only error out if we fail to create all HTTP sockets.
In particular, this helps on IPv6-incapable platforms.
- Use monotonic time over wall time where appropriate.
- Portability fixes for NetBSD and OpenBSD.
EM-Socksify: Transparent SOCKS support for any EventMachine protocol
Dealing with SOCKS proxies is a pain. EM-Socksify provides a simple shim to
set up and negotiate a SOCKS5 connection for any EventMachine protocol. To add
SOCKS support, all you have to do is include the module and provide your
destination address.
changes:
-scripting improvements
-added lua scripting support to ncat
-hundreds of new OS and service detection signatures
-version scanning through a chain of proxies
-improved target specification
-performance enhancements and bug fixes
pkgsrc note: added "lua" option
approved by The Maintainer
freediameter (1.2.0) UNRELEASED; urgency=low
* Major changes in the logging system to be more syslog and production friendly
* New extension: dict_dcca_3gpp
* New extension: dict_dcca_starent (Starent DCCA vendor-specific AVPs)
* New extension: rt_ignore_dh (hide network topology by proxying Destination-Host).
* New extension: rt_load_balance (load balancer based on pending queue size).
* New extension: rt_busypeers. See doc/rt_busypeers.conf.sample.
* New extension: dbg_msg_timings. Measures timing of message operations.
* New extension: dbg_msg_dumps. Use to control hooks display.
* New API (fd_hook_*) for extensions to control messages logging & profiling
* New API (fd_stats_*) for extensions to monitor framework state (e.g. SNMP implem)
* API change: all the fd_*_dump functions now return malloc'd strings instead of logging directly.
* API change: callback parameter of fd_rt_out_register had its signature updated.
* Updated dbg_monitoring extension to use the new API
* New script to generate dictionary extensions from org file (see contrib/tools)
* New compilation option: WORKAROUND_ACCEPT_INVALID_VSAI to improve compatibility
with invalid Vendor-Specific-Application-Id AVPs received from some equipment (e.g. Cisco).
* New compilation option: DISABLE_PEER_EXPIRY for use in test environments.
* Extensions are now also searched in LD_LIBRARY_PATH.
* Copy Proxy-Info AVP automatically in new answers.
* Port value 0 allowed in configuration to disable local server (e.g. disable non-secure port).
* API change: fd_msg_send_timeout now takes a separate callback for timeout situation.
* Function changes: fd_msg_dump_* now split into three different types of output.
* New test testmesg_stress to measure message parser performance
* Fix termination of the framework to avoid failures.
* Fix invalid timespec value in peer PSM appearing randomly (leading to crash).
* Return DIAMETER_LOOP_DETECTED if local peer in the Route-Record list of a message.
* Allow running without TLS configuration.
* Upgraded SCTP code to comply with RFC 6458
* Using default secure Diameter port number 5658 as per RFC 6733
* Updated TLS code for performance improvements with new GNU TLS.
* Fix interlocking problem when large number of requests were failed over.
* New option in test_app.fdx extension for long messages payload.
* Performance improvement in message sending code path.
-- Sebastien Decugis <sdecugis@freediameter.net> Sat, 14 Sep 2013 18:08:07 +0800
---------------------
Bugfixes:
* Response with NSID contained extra bytes after reload
* List of remotes is scanned for longest prefix match
* Multipacket TSIG signatures for transfers
* Wrongly parsed TSIG key secret without quotes
* Removed autoconf checks for extended instruction sets
v1.3.0 - Aug 5, 2013
--------------------
Features:
* Defaults for CH TXT id.server,version.server (see doc)
Bugfixes:
* Progressive interval for bootstrap retry
* Transfers randomly cancelled
* Disabling RRL on reload
* Secondary groups not initialized when dropping privileges
* Responding to DS queries for names at or below delegation points
v1.3.0-rc5 - Jul 29, 2013
-------------------------
Features:
* Much faster bootstrap of many zones
Bugfixes:
* Removed deprecated 'knotc -w' option
* Slave ignores out-of-zone records in zone
* Support for obsolete types in zone transfers
* Slave zone file names fixes
* Long transfers being randomly dropped
v1.3.0-rc4 - Jul 15, 2013
-------------------------
Features:
* --with-configdir option for default config path
* Reintroduced 'pidfile' config option
Bugfixes:
* AXFR/IXFR subsystem performance improvements
* Rescheduling of AXFR in some cases
* RRSIGs not in the same section for DS records
* Log messages leaking to syslog
* 'knotc restart' option removed due to several limitations
v1.3.0-rc3 - Jun 28, 2013
-------------------------
Features:
* Utility to estimate memory consumption (see 'knotc memstats')
* PID file is not created when running in the foreground
* UNIX sockets support for knotc
* Configurable 'rundir' and 'storage'
Bugfixes:
* IXFR with an arbitrary number of diffs
* Processing of knotc TSIG keyfile
* Atomic PID file writing, removed deprecated 'knotc start'
* Performance regression when RRSIGs came before covered RRs in AXFR
v1.3.0-rc2 - Jun 14, 2013
-------------------------
Bugfixes:
* Label compression related bug
* Proper resolution of some CNAME chains
* Unstable response rate in rare cases
* Several log messages
v1.3.0-rc1 - Jun 4, 2013
---------------------------
Features:
* Faster zone parser
* Full support for EUI and ILNP resource records
* Lower memory footprint for large zones
* No compilation of zones
* Improved scheduling of zone transfers
* Logging of serials and timing information for zone transfers
* Config: 'groups' keyword for creating groups of remotes
* Config: 'include' keyword allowing other file includes
* Client utilities: kdig, khost, knsupdate
* Server identification using TXT/CH queries (RFC 4892)
* Improved build scripts
* Improved dname compression and performance
Bugfixes:
* Fixed creating of PID file when dropping privileges
lldpd (0.7.6)
* Features:
+ Provide a way to build packages for OSX.
+ Add an option to update interface description with neighbor name.
* Fixes:
+ Compilation fix for OSX 10.6.
- Bug Fixes
The following vulnerabilities have been fixed.
* wnpa-sec-2013-54
The Bluetooth HCI ACL dissector could crash. Discovered by
Laurent Butti. (Bug 8827)
Versions affected: 1.10.0 to 1.10.1
* wnpa-sec-2013-55
The NBAP dissector could crash. Discovered by Laurent
Butti. (Bug 9005)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-56
The ASSA R3 dissector could go into an infinite loop.
Discovered by Ben Schmidt. (Bug 9020)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-57
The RTPS dissector could overflow a buffer. Discovered by
Ben Schmidt. (Bug 9019)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-58
The MQ dissector could crash. (Bug 9079)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-59
The LDAP dissector could crash.
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
* wnpa-sec-2013-60
The Netmon file parser could crash. Discovered by G.
Geshev. (Bug 8742)
Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
- The following bugs have been fixed:
* Lua ByteArray:append() causes wireshark crash. (Bug
4461)
* Lua script can not get "data-text-lines" protocol data.
(Bug 5200)
* Lua: Trying to use Field.new("tcp.segments") to get
reassembled TCP data is failed. (Bug 5201)
* "Edit Interface Settings": "Capture Filter" combo box is
not populated across Wireshark sessions. (Bug 7278)
* PER normally small non-negative whole number decoding is
wrong when >= 64. (Bug 8841)
* Strange behavior of tree expand/collapse in packet details.
(Bug 8908)
* Incorrect parsing of IPFIX *IpTotalLength elements.
(Bug 8918)
* IO graph/advanced, max/min/summ error on frames with
multiple Diameter messages. (Bug 8980)
* pod2man error on reordercap.pod. (Bug 8982)
* SGI Nsym disambiguation is unconditionally displayed when
dissecting VHT. (Bug 8989)
* The Wireshark icon doesn't show up in OS X 10.5. (Bug
8993)
* Build fails if system Python is version 3+. (Bug 8995)
* SCSI dissector does not parse PERSISTENT RESERVE commands
correctly. (Bug 9012)
* SDP messages throws an assert. (Bug 9022)
* Wireshark fails to decode single-line, multiple Contact:
URIs in SIP responses. (Bug 9031)
* PN_MRP LinkUp Message is shown as LinkDown in info.
(Bug 9035)
* Dissector for EtherCAT: ADS highlighting in the Packet
Bytes Pane is incorrect. (Bug 9036)
* 802.11 HT Extended Capabilities B10 decode incorrect.
(Bug 9038)
* Wrong dissection of MSTI Root Identifiers for all MSTIs.
(Bug 9088)
* Weird malformed HTTP error. (Bug 9101)
* Warning for attempting to install 64-bit Wireshark on a
32-bit machine has an embedded "\n". (Bug 9103)
* Wireshark crashes when using "Export Specified Packets" >
"Displayed". (Bug 9106)
- Updated Protocol Support
ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2,
HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS,
PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
- New and Updated Capture File Support
Microsoft Network Monitor, pcap-ng.