6891 commits

Author SHA1 Message Date
ryoon
5a6b4a564e Update to 20130114
Changelog:
20130114
  - New certificate: "T-TeleSec GlobalRoot Class 3"
2013-04-21 11:36:38 +00:00
hiramatsu
3e15ada673 Update p5-IO-Socket-SSL to 1.86.
Changes from previous:
----------------------
v1.86 2013.04.17
- RT#84686 - don't complain about SSL_verify_mode is SSL_reuse_ctx,
  thanks to CLEACH
v1.85 2013.04.14
- probe for available modules with local __DIE__ and __WARN__ handlers.
  fixes RT#84574, thanks to FRAZER
- fix warning, when IO::Socket::IP is installed and inet6 support gets explicitly
  requested. RT#84619, thanks to Prashant[DOT]Tekriwal[AT]netapp[DOT]com
v1.84 2013.02.15
- disabled client side SNI for openssl version < 1.0.0 because of RT#83289
- added functions can_client_sni, can_server_sni, can_npn to check availability
  of SNI and NPN features. Added more documentation for SNI and NPN.
v1.83_1 2013.02.14
- separated documentation of non-blocking I/O from error handling
- changed and documented behavior of readline to return the read
  data on EAGAIN/EWOULDBLOCK in case of non-blocking socket.
  See https://github.com/noxxi/p5-io-socket-ssl/issues/1, thanks to
  mytram
v1.83 2013.02.03
- Server Name Indication (SNI) support on the server side, inspired by
  patch provided by karel[DOT]miko[AT]gmail[DOT]com.
  https://rt.cpan.org/Ticket/Display.html?id=82761
- reworked part of the documentation, like providing better examples.
v1.82 2013.01.28
- sub error sets $SSL_ERROR etc only if there really is an error,
  otherwise it will keep the latest error. This causes
  IO::Socket::SSL->new.. to report the correct problem, even if
  the problem is deeper in the code (like in connect)
- correct spelling, rt#8270. Thanks to ETHER
v1.81 2012.12.06
- deprecated set_ctx_defaults, new name is set_defaults (but old name
  still available)
- changed handling of default path for SSL_(ca|cert|key)* keys: either
  if one of these keys is user defined don't add defaults for the
  others, e.g.  don't mix user settings and defaults
- cleaner handling of module defaults vs. global settings vs. socket
  specific settings. Global and socket specific settings are both
  provided by the user, while module defaults not.
- make IO::Socket::INET6 and IO::Socket::IP specific tests run both,
  even if both modules are installed by faking a failed load of the
  other module.
v1.80 2012.11.30
- removed some warnings in test (missing SSL_verify_mode => 0) which
  caused tests to hang on Windows.
  https://rt.cpan.org/Ticket/Display.html?id=81493
v1.79 2012.11.25
- prepare transition to a more secure default for SSL_verify_mode.
  The use of the current default SSL_VERIFY_NONE will cause a big warning
  for clients, unless SSL_verify_mode was explicitly set inside the
  application to this insecure value.
  In the near future the default will be SSL_VERIFY_PEER, and thus
  causing verification failures in unchanged applications.
v1.78 2012.11.25
- use getnameinfo instead of unpack_sockaddr_in6 to get PeerAddr and
  PeerPort from sockaddr in _update_peer, because this provides scope
  too. Thanks to bluhm[AT]genua[DOT]de.
- work around systems which don't define AF_INET6
  https://rt.cpan.org/Ticket/Display.html?id=81216
  Thanks to GAAS for reporting
2013-04-19 09:12:50 +00:00
hiramatsu
fc3e5a07b9 Update Net-SSLeay to 1.54.
Changes from previous:
----------------------
1.54 2013-03-23
     t/data/testcert_cdp.crt.pem_dump and t/data/testcert_cdp.crt.pem were
     missing from MANIFEST.
     Added MANIFEST to svn
     Improvement to test 07_sslecho.t so that if set_cert_and_key fails we
     can tell why.

1.53 2013-03-22
     Added support for SSL_export_keying_material where present (ie in OpenSSL
     1.0.1 and later).
     Changed t/handle/external/50_external.t to use www.airspayce.com instead of
     perldition.org, who no longer have an https server.
     Patch to fix a crash: P_X509_get_crl_distribution_points on an
     X509 certificate with values in the CDP extension which do not have an
     ia5 string will cause a segmentation fault when accessed. Patch from
     Robert Duncan.
     Change in t/local/32_x509_get_cert_info.t to not use
     Net::SSLeay::ASN1_INTEGER_get, since it works differently on 32 and 64 bit platforms.
     Updated author and distribution location details to airspayce.com

1.52 2013-01-09
     Rebuild package with gnu format tar, to prevent problems with unpacking
     on other systems such as old Solaris,

1.51 2012-12-14
     Fixed a problem where SSL_set_SSL_CTX is not available with
     OpenSSL < 0.9.8f. Reported by Paul.

1.50 2012-12-13
     Fixed a problem where t/handle/external/50_external.t would crash if any
     of the test sites were not contactable.
     Now builds on VMS. Patch kindly supplied by Craig A. Berry.
     Fixed a few compiler warnings in SSLeay.xs.  Most of them
     are just signed/unsigned pointer mismatches but there is one that actually
     fixes returning what would be an arbitrary value off the stack from
     get_my_thread_id if it happened to be called in a non-threaded build.
     Patch kindly supplied by Craig A. Berry.
     Added README.VMS, contributed by Craig A. Berry.
     Added SSL_set_tlsext_host_name, SSL_get_servername,
     SSL_get_servername_type, SSL_CTX_set_tlsext_servername_callback for
     server side Server Name Indication (SNI) support. Patched by kmx.
     Further mods for VMS building supplied by Craig A. Berry.
     Fixed a problem with C++ comments preventing builds on AIX and
     HPUX. Patched by Gisle Aas.
     perdition.org not available for tests, changed to www.airspayce.com
     Added SSL_FIPS_mode_set
     Improvements to test suite so it succeeds with and without FIPS mode
     enabled. Patch supplied by Petr Pisar.
     Added documentation, warning not to pass UTF-8 data in the content
     argument to post_https. Reported by Jason Terry.
2013-04-19 07:21:48 +00:00
agc
4eee30ee8e Update security/ipv6-toolkit from version 1.3.3 to 1.3.4
Changes from previous version:
   * IPv6-host tracking support in the scan6 tool.
   * A new tool, address6, to analyze IPv6 addresses
   * Minor bug fixes
   * PDF manual pages have been removed
   * additional manual pages

pkgsrc changes:
   * patch to avoid "uninitialised variable" warning from compiler
2013-04-18 04:23:17 +00:00
marino
dde87e2b40 security/otptool: pkg/47282: Upgrade to version 1.1.16
This package was upgraded to enable building on DragonFly.  It was
using the -r gnu sed option which DragonFly doesn't support, but
this was fixed for version 1.1.15 per pkg/47282.

Additional changes include:
Version 1.1.6 (r131) released 2 Apr 2013
    - Detect errors when writing to the new users.txt file
    - Fix (harmless) bug where new users.txt file was not being closed
    - Add -Werror configure flag to fail on compiler warnings
Version 1.1.5 (r124) released 29 Nov 2012
    - Allow building on systems without strptime(3) (e.g., Windows)
    - Add support for Apache 2.4.x
2013-04-17 13:36:19 +00:00
dholland
bb056accd3 Add some additional urls as comments under HOMEPAGE. 2013-04-14 00:57:08 +00:00
ghen
e3ba207887 Hand in maintainership. 2013-04-13 07:55:01 +00:00
joerg
f86cd7c633 Minor fallout from libtool update. 2013-04-12 13:45:47 +00:00
drochner
1e64f5cc7e remove obsolete patch, fixes build on DragonFly, from David Shao
per PR pkg/47735
2013-04-11 17:08:38 +00:00
drochner
701ea9616a update to 1.10.1
changes: minor fixes
2013-04-11 16:28:50 +00:00
drochner
6f72064e3c update to 1.5.1
changes: minor fixes
2013-04-10 15:17:55 +00:00
drochner
06f237650f update to 3.0.29
changes: minor fixes
2013-04-10 15:09:10 +00:00
tonnerre
fcf4497144 Add ruby-shadow to the security/ Makefile. 2013-04-10 09:26:25 +00:00
tonnerre
e392fee90c Import the ruby-shadow Ruby gem, version 2.2.0, into pkgsrc.
This module provides access to shadow passwords on Linux, Solaris
and BSD like systems (falsely called OSX).
2013-04-10 09:25:21 +00:00
rodent
b65af7be2b Remove "Trailing empty lines." and/or "Trailing white-space." 2013-04-08 11:17:08 +00:00
rodent
6b46c62d2e Edited DESCR in the case of:
File too long (should be no more than 24 lines).
 Line too long (should be no more than 80 characters).
 Trailing empty lines.
 Trailing white-space.
Truncated the long files as best as possible while preserving the most info
contained in them.
2013-04-07 20:49:31 +00:00
rodent
9e8537cdd2 "Each sed command should appear in an assignment of its own." 2013-04-06 21:07:31 +00:00
rodent
942aad2e6a Resolves:
"INFO_FILES should be set to YES or yes."
"Packages that install info files should set INFO_FILES."
Makefile and PLIST warning, respectively.
2013-04-06 20:27:16 +00:00
rodent
cdadf8804e 'You can use "foo" instead of "${WRKSRC}/foo".' 2013-04-06 15:46:33 +00:00
rodent
e5b2fdbc78 'Please use ${ECHO} instead of "echo".'
'Please use ${ECHO_N} instead of "echo -n".'
2013-04-06 14:58:18 +00:00
rodent
315c4801a4 "Packages that install libtool libraries should define USE_LIBTOOL." 2013-04-06 14:22:39 +00:00
rodent
76e83cbf5c Various MASTER_SITES-related fixes. 2013-04-06 14:09:32 +00:00
rodent
dea2f05b46 ".for variable names should not contain uppercase letters" 2013-04-06 13:24:18 +00:00
obache
3d31ddfc09 prevent reordering of libcrypt and libcrypto for Cygwin,
it breaks the build of the openssl module for ruby193.
2013-04-03 11:56:20 +00:00
markd
8fb20f3b97 remove ksecrets 2013-04-03 10:57:07 +00:00
markd
ea97be746d Update to KDE SC 4.10.2
bugfixes, other quality improvements, new and improved KDE Applications
2013-04-03 10:51:43 +00:00
joerg
b4454d60ab Just build the shared module, but let libtool install it. 2013-04-01 12:23:52 +00:00
joerg
d87f24e15b Use res_sym on NetBSD. 2013-04-01 12:21:54 +00:00
joerg
8fa525b8d4 Fix type mismatch to allow build with Clang.
From PR 47705 by KAMADA Ken'ichi.
2013-03-29 13:52:45 +00:00
joerg
53b55e2894 Forward declaration must not be qualified with a namespace. Adjust. 2013-03-28 21:43:05 +00:00
joerg
c2aac8d63f Don't try to use weak aliases. 2013-03-24 16:48:17 +00:00
joerg
25ee94139c Fix build with Clang and as unprivileged user. 2013-03-24 16:47:47 +00:00
sbd
162cfe1e7b Add pthread buildlink. 2013-03-18 10:14:57 +00:00
asau
85207e11ba + pam-pgsql 2013-03-17 13:55:58 +00:00
asau
f01df1b718 Import pam-pgsql version 0.7.3.1 as security/pam-pgsql
Packaged by Matthew Bauer <matthew.justin.bauer@gmail.com> during Google Code-In.

PAM module to authenticate using a PostgreSQL database.
2013-03-17 13:52:38 +00:00
pettai
42bf3c5037 Version 2.0.2 (released 2013-01-08)
* oathtool: Base32 decoding of keys is now more liberal in what it accepts.
  It can now accept keys on the "gr6d 5br7 25s6 vnck v4vl hlao re"
  format, i.e., base32 data delimited using SPC and without padding.
  The old proper base32 format is still supported.
* liboath: oath_base32_decode now ignores SPC and adds pad characters.
* liboath: If password in usersfile is + then ignore supplied password.
  This enables the pam_oath module to be used with external password
  verification.  Based on patch from Ilkka Virta <itvirta@iki.fi>.
* tests: Fixed expiry date of some certificates used in the test suite.
  The last release would only complete 'make check' during a 30 day window.
* API and ABI is backwards compatible with the previous version.

Version 2.0.1 (released 2012-10-24)

* libpskc, pskctool: Support sign and verify of PSKC data using XML DigSig.
* libpskc: XML Schema validation modified.
  The entire PSKC schema is now supported (before the XML Digital
  Signatures and Encryption parts were removed).  The code now assumes
  that the schema is available in the local XML catalog.  Thanks to Liam
  Quin for hints about XML catalogs.
* pskctool: the --check (-c) parameter was renamed to --info (-i).
* API and ABI is backwards compatible with the previous version.

Version 2.0.0 (released 2012-10-10)

* libpskc, pskctool: New components.
  The OATH Toolkit now supports the Portable Symmetric Key Container
  (PSKC) data format specified in RFC 6030 for dealing with key
  provisioning.  There is a new low-level library libpskc for managing
  PSKC data for application developers and a new command line tool
  pskctool for interacting with PSKC data for users.  The PSKC
  functionality depends on Libxml2 <http://xmlsoft.org/>.  It can be
  disabled unconditionally using the ./configure-parameter
  --disable-pskc.
* liboath: Add manpages for library API.
* API and ABI is backwards compatible with the previous version.
2013-03-16 20:52:38 +00:00
pettai
ea370de010 Version 2.13 (released 2013-03-01)
* Fix a bug in the version check to support major version > 2 (neo).
  Patch from https://github.com/wwest4

* Give ykpamcfg an option for specifying path.
2013-03-16 20:19:02 +00:00
pettai
7fc4e03950 Version 1.11.3 (released 2013-01-09)
* Fixup of broken release.

Version 1.11.2 (released 2013-01-09)

* Fix a bug where writing a NDEF with unknown prefix ended up writing invalid
  data to the YubiKey NEO. Wrote prefix as 0x24 instead of 0x00.
* Don't allow opening a YubiKey if there's more than one present in the system.
* Fix shared linking of ykinfo and ykchalresp.

Version 1.11.1 (released 2012-12-21)

* Implement ykusb_strerror() on windows.
* Fix a bug where a YubiKey would fail to be recognized if there was
  another device from Yubico (vendor id 1050) inserted and looked at
  before in the device chain.
* Fix a bug where you could only set 8 bytes of the public id with
  the command line tool, now all 16 bytes can be set.
* Documentation updates and fixes.

Version 1.11.0 (released 2012-12-12)

* Added version symbols and functions.
  The header file is "ykpers-version.h" and it contains the following
  symbols and functions: YKPERS_VERSION_STRING, YKPERS_VERSION_NUMBER,
  YKPERS_VERSION_MAJOR, YKPERS_VERSION_MINOR, YKPERS_VERSION_PATCH,
  ykpers_check_version.

Version 1.10.0 (released 2012-12-11)

* Support for the new productId of the production Neo.
  Has ProductId 0x110, 0x111 or 0x112 depending on mode (see the notes about
  -m and device_config).
* Add support for SLOT_NDEF2.
  Use SLOT_NDEF to emit slot 1 as NDEF or SLOT_NDEF2 to emit slot 2.
  This also adds the function yk_write_ndef2() that takes a slot parameter.
* Add -m flag for ykpersonalize, set usb mode of YubiKey NEO.
  0 means pure YubiKey mode, 1 means pure CCID mode and 2 means YubiKey/CCID
  composite mode. Add 80 to set EJECT_FLAG.
  To use this with the api, see the functions:
  ykp_alloc_device_config(), ykp_free_device_config(), ykp_set_device_mode(),
  ykp_set_device_chalresp_timeout(), ykp_set_device_autoeject_time() and
  yk_write_device_config().
* Add -S flag for ykpersonalize, set the scanmap of the YubiKey NEO.
  Takes a 90 character string describing 45 scancodes. See man page for more
  info. To use this with the api see yk_write_scan_map().
* In the api add ykp_ndef_as_text() to export the text from a YK_NDEF structure.
* Higher timeout for configuration writes as in particular swap can take
  longer than 600 ms.
2013-03-16 20:07:29 +00:00
pettai
cb68420a67 Version 1.10 (released 2013-03-12)
* Added ./configure --enable-gcc-warnings to enable a lot of warnings.

* Warning fixes, build fixes etc.
2013-03-16 19:56:07 +00:00
jym
58a1bcfe12 Add stud to Makefile. 2013-03-16 19:42:34 +00:00
jym
67372736ca Import stud-0.3pl53.
Description:

stud is a network proxy that terminates TLS/SSL connections and forwards
the unencrypted traffic to some backend. It's designed to handle 10s
of thousands of connections efficiently on multicore machines.
stud has very few features. It is designed to be paired with an
intelligent backend like haproxy or nginx.
2013-03-16 19:41:35 +00:00
obache
56c5a98f26 fixes HOMEPAGE url. 2013-03-16 12:52:10 +00:00
agc
91e7adffd5 Update netpgpverify, the standalone PGP signature verification utility, to
latest 20130316 sources.

Changes since previous version:

+ this version is completely standalone, and relies on no external
libraries (other than libc)

+ updated man page to reflect reality

+ minor configure script added
2013-03-16 07:32:34 +00:00
obache
778bed8bfb Bump PKGREVISION from default PHP version change to 5.4. 2013-03-16 07:21:18 +00:00
pettai
860fbe4875 Updated to 0.23
- Fixed problems in low level read_data() function triggered when an
     incorrect key is used with some Tacacs+ servers, resulting in a 0-length
     read(), causing a seg fault on some platforms, and a very slow exit on
     others. This problem appears to have been in tac_client ever since I
     inherited this library.
2013-03-15 23:58:44 +00:00
pettai
d350d6b234 zkt 1.1.2
* bug   Fixed bug introduced by changes on inc_soa_serial()

zkt 1.1.1

* bug   Error fixed in zkt-conf in parsing the version number
* misc  inc_soa_serial() now returns 0 on success
* bug   Fixed bug in inc_serial()
        The zone file wasn't closed on successful change of the soa record.
        Many thanks to Frederik Soderblom for fixing this.
2013-03-15 23:34:44 +00:00
wiz
c9fd9bff6e Update to 1.11:
Noteworthy changes in version 1.11 (2013-02-25)
-----------------------------------------------

 * New error source GPG_ERR_SOURCE_ASSUAN for Libassuan related
   errors.

 * New macros GPG_ERROR_VERSION and GPG_ERROR_VERSION_NUMBER.  New
   function gpg_error_check_version.

 * Interface changes relative to the 1.10 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_NO_KEYSERVER          NEW.
 GPG_ERR_INV_CURVE             NEW.
 GPG_ERR_UNKNOWN_CURVE         NEW.
 GPG_ERR_DUP_KEY               NEW.
 GPG_ERR_AMBIGUOUS             NEW.
 GPG_ERR_SOURCE_ASSUAN         NEW.
 gpg_error_check_version       NEW.
 GPG_ERROR_VERSION             NEW.
 GPG_ERROR_VERSION_NUMBER      NEW.
2013-03-15 22:06:01 +00:00
wiz
dbdf06fae8 Update to 1.6:
2012-Nov-25 - v1.6 - Hide passwords (red on red) in the show
command unless the -f option is given. Added the --readonly command
line option. Added support for multi-line notes/comments; input
ends on a line holding a single ".".
2013-03-15 21:24:34 +00:00
wiz
fe791b669f Update to 2.21:
Changes from 2.20.1 to 2.21:

New Features:

    Generic CSV importer: a group separator can be specified now (for importing group trees).
    Internal data viewer: added hex viewer mode (which is now the default for unknown data types).
    In the 'Show Entries by Tag' menu, the number of entries having a specific tag is now shown right of the tag.
    In the 'Add Tag' menu, a tag is now disabled if all selected entries already have this tag.
    Auto-Type: added support for right modifier keys.
    Added special key codes: {WIN}, {LWIN}, {RWIN}, {APPS}, {NUMPAD0} to {NUMPAD9}.
    Interleaved sending of keys is now prevented by default (if you e.g. have an auto-type sequence that triggers another auto-type, enable the new option 'Allow interleaved sending of keys' in 'Tools' -> 'Options' -> tab 'Advanced').
    Added '-auto-type-selected' command line option (other running KeePass instances perform auto-type for the currently selected entry).
    Added option to additionally show references when showing dereferenced data (enabled by default).
    The selection in a secure edit control is now preserved when unhiding and hiding the content.
    The auto-type association editing dialog now does not hang anymore when a window of any other application hangs.
    When an application switches from the secure desktop to a different desktop, KeePass now shows a warning message box; clicking [OK] switches back to the secure desktop.
    Added 'OK'/'Cancel' buttons in the icon picker dialog.
    Added support for importing LastPass 2.0.2 CSV files.
    KeePass now shows an error message when the user accidentally attempts to use a database file as key file.
    Added support for UTF-16 surrogate pairs.
    Added UTF-8 BOM support for version information files.
    The KeePass version is now also shown in the components list in the 'About' dialog.
    File operations are now context-independent (this e.g. makes it possible to use the 'Activate database' trigger action during locking).
    Plugins can now register their placeholders to be shown in the auto-type item editing dialog.
    Plugins can now subscribe to IO access events.
    Added workaround for .NET bug 694242; status dialogs now scale properly with the DPI resolution.
    Added workaround for Mono DataGridView.EditMode bug.
    Added workaround for Mono bug 586901; high Unicode characters in rich text boxes are displayed properly now.

Improvements / Changes:

    When the main window UI is being unblocked, the focus is not reset anymore, if a primary control has the focus.
    When opening the icon picker dialog, KeePass now ensures that the currently selected icon is visible.
    Internal data viewer: improved visibility updating.
    The e-mail box icon by default is not inherited by new entries anymore.
    The database is now marked as modified when auto-typing a TAN entry.
    Enhanced AnyPassword importer to additionally support CSV files exported by AnyPassword Pro 1.07.
    Enhanced Password Safe XML importer (KeePass tries to fix the broken XML files exported by Password Safe 3.29 automatically).
    IO credentials can be loaded over IPC now.
    Enhanced user switch detection.
    Even when an exception occurs, temporary files created during KDB exports are now deleted immediately.
    Improved behavior on Unix-like systems when the operating system does not grant KeePass access to the temporary directory.
    Improved critical sections that are not supposed to be re-entered by the same thread.
    Improved secure desktop name generation.
    When a dialog is closed, references within the global client image list to controls (event handlers) are removed now.
    .NET 4.5 is now preferred, if installed.
    PLGX plugins are now preferably compiled using the .NET 4.5 compiler, if KeePass is currently running under the 4.5 CLR.
    Updated KB links.
    Changed naming of translation files.
    The installer now always overwrites the KeePassLibC 1.x support libraries.
    Upgraded installer.
    Various code optimizations.
    Minor other improvements.

Bugfixes:

    When locking multiple databases and cancelling a 'Save Changes?' dialog, the UI is now updated correctly.
    '&' characters in dynamic menu texts, in dialog banner texts, in image combobox texts, in text box prompts and in tooltips are now displayed properly.
2013-03-15 21:21:07 +00:00
wiz
086c2cec33 Update HOMEPAGE. 2013-03-15 21:09:56 +00:00
wiz
e9723a9043 Update HOMEPAGE. 2013-03-15 20:58:31 +00:00
drochner
c04ade8bb8 update to 2.6
changes:
-support for PKCS #5 PBKDF2, SHA3, GOST R 34.11-94
-bugfixes
-minor improvements
2013-03-15 18:22:03 +00:00
drochner
d2d9b52ac0 update to 1.3.0
changes:
-licensing change: gplv3 -> lgplv3 + gplv2
-minor fixes
2013-03-15 18:17:55 +00:00
bsiegert
d35d58370a Add a new subcommand "mozilla-rootcerts install" that unpacks and installs
the certificates with a single command.

ok gdt, wiz
2013-03-15 16:14:55 +00:00
wen
bed231cac5 Update to 1.8
Upstream changes:
*** 200?/??/?? Version 1.6

Fixed example output in doc in MD4.pm. Reported by jbwaters@gmail.com.

*** 2013/03/14 Version 1.7
Removed defunct code that caused incorrect error message when building on 64 bit platforms, patch by
zefram

*** 2013/03/14 Version 1.8
Fixed a test error in files.t. Corrected the comment to do with the reason in
version 1.7
2013-03-15 15:09:55 +00:00
fhajny
4900d3dd39 Substitute the openssl tool path in a different manner, so that pkgsrc
openssl will be used if not builtin. Fixes problem with incorrect cert
hashes generated on (at least) SunOS.
2013-03-15 12:36:25 +00:00
adam
4996bdc498 Changes 0.97.7:
This is a bugfix release.
2013-03-15 08:48:37 +00:00
wiz
eda88483da - py-ssh. 2013-03-15 07:34:27 +00:00
dsainty
b7c08af12a Remove a couple of commented unused lines 2013-03-15 03:47:51 +00:00
dsainty
ce50d794fd Mention that ZoneMinder benefits dramatically from using libjpeg-turbo. 2013-03-15 02:56:56 +00:00
dsainty
a6d86dc85e SUBDIR+=zoneminder 2013-03-15 02:05:03 +00:00
dsainty
a3fb90e3ec How to get started setting up ZoneMinder. 2013-03-15 02:03:36 +00:00
dsainty
bd57156699 ZoneMinder version 1.25.0:
ZoneMinder is intended for use in single or multi-camera video security
applications, including commercial or home CCTV, theft prevention and child,
family member or home monitoring and other domestic care scenarios such as
nanny cam installations.  It supports capture, analysis, recording, and
monitoring of video data coming from one or more video or network cameras
attached to a system.  ZoneMinder also support web and semi-automatic control
of Pan/Tilt/Zoom cameras using a variety of protocols.  It is suitable for use
as a DIY home video security system and for commercial or professional video
security and surveillance.  It can also be integrated into a home automation
system via X.10 or other protocols.
2013-03-15 02:01:46 +00:00
gls
76705e76f1 security/py-ssh is dead upstream.
As mentioned on the upstream page (https://github.com/bitprophet/ssh):

"This library started life as a fork of Paramiko but has now been
fully been merged back upstream.
As such, 'ssh' is defunct and will receive no future releases or
attention: please change your dependencies back to Paramiko,
and file any feature requests or bugfixes over on Paramiko's tracker."
2013-03-14 21:45:43 +00:00
taca
3ab3c8579c Update F-PROT Antivirus packages to 6.2.3.
F-PROT Antivirus for Unix, version 6.2.3

* Fixed a problem with multiple connections in fpscand.
* Startup scripts have been tuned and improved.
* fpscand now overrides the loglevel when run in foreground mode, forces
  it to 7 (DEBUG).
* scan-mail.pl had trouble with multiple instances and temporary file cleanup,
  this had been fixed.
* The installer now has the wrapper script option for fpscan as default.
2013-03-14 16:35:32 +00:00
tez
2d78756888 Fix build on Solaris
(per http://old.nabble.com/Re%3A-build-problem-p34365918.html)
2013-03-14 13:53:18 +00:00
wen
f0ba0c7174 Updated to 5.84
Upstream changes:
5.84  Sat Mar  9 17:36:08 MST 2013
	- untweaked Makefile.PL to remove dependencies of SHA.c
		-- dependencies were breaking builds on VMS
		-- retaining dependencies provides too little benefit
			for cost of portable workaround

5.83  Mon Mar  4 08:12:00 MST 2013
	- removed code for standalone C operation (no longer used)
		-- eliminates need for external symbols
		-- consolidates SHA and HMAC code
		-- reduces size of object files
		-- thanks to Marc Lehmann for suggestions
	- tweaked Makefile.PL to show dependencies of SHA.c

5.82  Thu Jan 24 04:54:12 MST 2013
	- introduced workaround to SvPVbyte bug in Perl 5.6
		-- module behavior now consistent under all Perls 5.6+
			-- ref: new test script t/unicode.t
		-- SHA routines now always croak on wide chars (5.6+)
	- removed "static" message schedules from C code
		-- default "auto" is now just as fast
		-- thread-safe option (-t) no longer necessary
			-- still allowed, but ignored
		-- simplifies source and header files
			-- eliminates SHA_STO_CLASS and SHA_THREAD_SAFE
			-- ref. Bug #82784
		-- thanks to Steve Hay for initial patch
	- provided documentation to describe Unicode handling
		-- ref: Bug #82378
	- updated documentation of NIST statement on SHA-1
2013-03-13 14:56:35 +00:00
adam
6abc9286d7 Changes 1.10.4:
This is a bugfix release.
Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016, CVE-2013-1415]
Prevent the KDC from returning a host-based service principal referral to the local realm.
2013-03-13 12:35:40 +00:00
obache
4b38161ba2 Convert SASL_DBTYPE variable to option framework, and add gdbm support.
Fixes db name extension in DEINSTALL script for other than ndbm.

Bump PKGREVISION.
2013-03-13 03:31:40 +00:00
agc
68905e82a9 Update security/ipv6-toolkit to version 1.3.3
This minor update incorporates the "--tgt-known-iids" option, which
	can be used to track systems across networks, even if they employ the
	so-called "Privacy Address" (and yes, that includes Microsoft Windows
	systems).
2013-03-12 20:32:00 +00:00
gdt
1a49b7c421 Update to 1.10.0.
Upstream appears to have no changelog or NEWS; the included README is
about changes in 1.8.0.  Browsing github makes this look like minor
features and bugfixes.
2013-03-09 15:46:57 +00:00
taca
2d087ee127 Use OVERRIDE_GEMSPEC instead of modifying gemspec file. 2013-03-07 17:08:16 +00:00
pettai
29fb3122bc Added log2timeline 2013-03-06 22:54:51 +00:00
pettai
363a7ed7f1 log2timeline is a framework built to automatically create a super
timeline using information found within various log files and other
files that contain timestamps.  The tool can be used to augment
traditional timeline analysis where the focus has generally been on
solely the timestamps found within the filesystem itself.
The tool is also capable of outputting into various formats that
can be used to either import into analysis tools or to read directly
using whatever suits you (spreadsheet/vim/less/...)
2013-03-06 22:51:19 +00:00
jym
a1ae535f4d Update stunnel to 4.55. Critical update that fixes CVE-2013-1762.
Changelog:

Version 4.55, 2013.03.03, urgency: HIGH:

    Security bugfix
        OpenSSL updated to version 1.0.1e in Win32/Android builds.
        Buffer overflow vulnerability fixed in the NTLM authentication of the CONNECT protocol negotiation. See https://www.stunnel.org/CVE-2013-1762.html for details.
    New features
        SNI wildcard matching in server mode.
        Terminal version of stunnel (tstunnel.exe) build for Win32.
    Bugfixes
        Fixed write half-close handling in the transfer() function (thx to Dustin Lundquist).
        Fixed EAGAIN error handling in the transfer() function (thx to Jan Bee).
        Restored default signal handlers before execvp() (thx to Michael Weiser).
        Fixed memory leaks in protocol negotiation (thx to Arthur Mesh).
        Fixed a file descriptor leak during configuration file reload (thx to Arthur Mesh).
        Closed SSL sockets were removed from the transfer() c->fds poll.
        Minor fix in handling exotic inetd-mode configurations.
        WCE compilation fixes.
        IPv6 compilation fix in protocol.c.
        Windows installer fixes.
2013-03-06 22:50:31 +00:00
shattered
bd3ece5e1b Update to 2.21. Changes:
- Added google search for indexable directories
- Changed X scan debug output so it won't give output all the time
- Fixed major bug in googlescan
- Added sendmail < 8.12.9 check
2013-03-03 11:15:11 +00:00
joerg
992861375f Fix inline use. 2013-03-03 01:09:34 +00:00
wiz
a8730d5aa1 Bump PKGREVISION for mysql default change to 55. 2013-03-02 20:33:21 +00:00
joerg
fd3ae05c0f Flatten a variable size union to a alloca'd buffer. 2013-03-02 17:57:53 +00:00
joerg
a1d03e1ea6 Use vector instead of variable length array of non-POD type. 2013-03-02 17:57:08 +00:00
tron
19fd9a3b46 Reset maintainer to "pkgsrc-users@NetBSD.org". 2013-03-02 10:44:33 +00:00
agc
758c4c3f18 The distfile changed on the master site after the original digest was
created, so put the new version of the distfile into a DIST_SUBDIR.

New distfile has been verified to contain the pkgsrc patch -- which actually
caused the change in the distfile.
2013-03-02 07:52:40 +00:00
kim
41dc73c1f8 Upgrade to address CVE-2013-1775
What's new in Sudo 1.7.10p7?

 * A time stamp file with the date set to the epoch by "sudo -k"
   is now completely ignored regardless of what the local clock is
   set to.  Previously, if the local clock was set to a value between
   the epoch and the time stamp timeout value, a time stamp reset
   by "sudo -k" would be considered current.

What's new in Sudo 1.7.10p6?

 * The tty-specific time stamp file now includes the session ID
   of the sudo process that created it.  If a process with the same
   tty but a different session ID runs sudo, the user will now be
   prompted for a password (assuming authentication is required for
   the command).

What's new in Sudo 1.7.10p5?

 * On systems where the controlling tty can be determined via /proc
   or sysctl(), sudo will no longer fall back to using ttyname()
   if the process has no controlling tty.  This prevents sudo from
   using a non-controlling tty for logging and time stamp purposes.

What's new in Sudo 1.7.10?

 * If the user is a member of the "exempt" group in sudoers, they
   will no longer be prompted for a password even if the -k flag
   is specified with the command.  This makes "sudo -k command"
   consistent with the behavior one would get if the user ran "sudo
   -k" immediately before running the command.

 * The sudoers file may now be a symbolic link.  Previously, sudo
   would refuse to read sudoers unless it was a regular file.

 * The user/group/mode checks on sudoers files have been relaxed.
   As long as the file is owned by the sudoers uid, not world-writable
   and not writable by a group other than the sudoers gid, the file
   is considered OK.  Note that visudo will still set the mode to
   the value specified at configure time.

 * /etc/environment is no longer read directly on Linux systems
   when PAM is used.  Sudo now merges the PAM environment into the
   user's environment which is typically set by the pam_env module.

 * The initial environment created when env_reset is in effect now
   includes the contents of /etc/environment on AIX systems and the
   "setenv" and "path" entries from /etc/login.conf on BSD systems.

 * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
   file is now used to determine the controlling terminal, if possible.
   This allows tty-based tickets to work properly even when, e.g.
   standard input, output and error are redirected to /dev/null.

 * The sudoreplay command can now properly replay sessions where
   no tty was present.

 * Fixed a race condition that could cause sudo to receive SIGTTOU
   (and stop) when resuming a shell that was run via sudo when I/O
   logging (and use_pty) is not enabled.
2013-03-01 14:24:57 +00:00
agc
4d43c1efb4 Provide a buildlink file for libsodium 2013-02-28 15:47:41 +00:00
agc
cddae7f603 add and enable libsodium 2013-02-28 15:44:23 +00:00
agc
10e57911b8 Import libsodium-0.3 into the Packages Collection. Provided by csosstudy E.
in PR 47600.

	NaCl (pronounced "salt") is a new easy-to-use high-speed
	software library for network communication, encryption, decryption,
	signatures, etc.

	NaCl's goal is to provide all of the core operations needed to
	build higher-level cryptographic tools.

	libsodium is a library for network communication, encryption,
	decryption, signatures, etc.

	libsodium is a portable, cross-compilable, installable,
	packageable, API-compatible version for NaCl.

One minor change was to take the "check" target out of the post-build
state and put it into the TEST_TARGET definition.
2013-02-28 15:43:25 +00:00
tez
6d317fd07b Add patch for CVE-2013-1415 (SA52390) 2013-02-28 14:19:36 +00:00
joerg
348b2d57f2 Fix linking fdpassing. 2013-02-26 11:00:59 +00:00
agc
e73aa3340e Add and enable netpgpverify 2013-02-23 21:12:54 +00:00
agc
ed05475ec5 Initial import of netpgpverify-20120928 into the Packages Collection
netpgpverify is a standalone program to verify a PGP signature
	on a file or document. Both RSA and DSA signatures are supported,
	as are binary and document signatures.

	netpgpverify is compliant with RFC 4880.

netpgpverify is a small frontend for libnetpgpverify, to allow PGP digital
signatures to be verified from the command line.
2013-02-23 21:11:56 +00:00
agc
9c7f6bcaff Add and enable libnetpgpverify 2013-02-23 21:05:27 +00:00
agc
1154af4361 Initial import of libnetpgpverify-20120928, a library to verify PGP
signatures.

This library has no pre-requisites other than -lz and -lbz2.

	This is libnetpgpverify, a standalone library to verify PGP
	signatures.

	It uses its own internal MPI/BIGNUM functions, which are a vastly
	cut-down version of libtommath.  For this reason, utilities and other
	libraries can embed PGP signature verification, using a BSD-licensed
	library.
2013-02-23 21:04:26 +00:00
shattered
088e18038c Update homepage URLs. 2013-02-22 19:59:05 +00:00
pettai
78e9163195 OpenDNSSEC 1.3.13 - 2013-02-20
Bugfixes:
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
  the inbound serial.
* OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while
  signconf was not changed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
  signals could be missed so that drudgers would stall when there was work to
  be done.
2013-02-21 15:51:17 +00:00
dholland
384132a8a7 Revbump all elisp packages after emacs changes. 2013-02-17 19:17:55 +00:00
agc
5e5b85326e Update ipv6-toolkit from 1.3beta to 1.3
Changes since previous version:

+ Minor documentation updates
+ gmake no longer needed to build
+ updated patch - still needed to quieten compiler for ctype warnings
  (reported upstream)
2013-02-16 22:39:46 +00:00
wiz
48ead00e71 Fix incorrect expansion (use PYPKGPREFIX instead of hardcoded py27) 2013-02-16 12:07:26 +00:00
wiz
d1b820f37b Recursive bump for png-1.6. 2013-02-16 11:18:58 +00:00
obache
07659b9b8d recursive bump from boost-lib shlib update. 2013-02-15 11:53:59 +00:00
schmonz
81f1451599 Update to 1.7.1. From the changelog:
* Fix autoconf issues...
2013-02-14 19:48:04 +00:00
taca
3231eb3717 Oops, forgot to "cvs rm" an obsolete patch file.
Thanks to wiz@ noted via mail.
2013-02-13 15:09:48 +00:00
taca
e7d146917c Update OpenSSL to 1.0.1e. ("Corrected fix" was already incorporated in pkgsrc.)
OpenSSL version 1.0.1e released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.1e of our open source toolkit for SSL/TLS. This new
OpenSSL version is a new feature release. For a complete
list of changes, please see

    http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

   o Corrected fix for CVE-2013-0169
2013-02-13 14:35:19 +00:00
drochner
6a030026bf update to 3.0.28
changes: bugfixes

This prevents the recent TLS CBC padding timing attack (CVE-2013-1619).
2013-02-12 13:16:25 +00:00
agc
81747b07f2 Fix the package name to reflect that this is version 1.3beta 2013-02-11 07:22:29 +00:00
agc
ced65a02fb Add and enable ipv6-toolkit 2013-02-11 06:56:32 +00:00
agc
96464e2c63 Initial import of the SI6 ipv6-toolkit, a security assessment and
troubleshooting package for ipv6, into the Packages Collection. This is version
1.3b.

	The SI6 Networks' IPv6 toolkit is a set of IPv6
	security/trouble-shooting tools, that can send arbitrary IPv6-based
	packets.

	flow6:	A tool to perform a security assessment of the IPv6 Flow Label.
	frag6:  A tool to perform IPv6 fragmentation-based attacks and to
		perform a security assessment of a number of fragmentation-related
		aspects.
	icmp6:	A tool to perform attacks based on ICMPv6 error messages.
	jumbo6:	A tool to assess potential flaws in the handling of IPv6 Jumbograms.
	na6:	A tool to send arbitrary Neighbor Advertisement messages.
	ni6:	A tool to send arbitrary ICMPv6 Node Information messages, and
		assess possible flaws in the processing of such packets.
	ns6:	A tool to send arbitrary Neighbor Solicitation messages.
	ra6:	A tool to send arbitrary Router Advertisement messages.
	rd6:	A tool to send arbitrary ICMPv6 Redirect messages.
	rs6:	A tool to send arbitrary Router Solicitation messages.
	scan6:	An IPv6 address scanning tool.
	tcp6:	A tool to send arbitrary TCP segments and perform a variety of
		TCP-based attacks.
2013-02-11 06:55:05 +00:00
taca
4235ca219d Depends on rubygems when ruby's version is 1.8.7.
Bump PKGREVISION.
2013-02-11 05:01:13 +00:00
taca
77111f2512 Update ruby-net-ssh-gateway to 1.2.0.
=== 1.2.0 / 06 Feb 2013

* Added public cert. All gem releases are now signed. See INSTALL in readme.
2013-02-11 02:08:16 +00:00
taca
7b1f7d8b7b Update ruby-net-sftp to 2.1.1.
=== 2.1.0 / 06 Feb 2013

* Added public cert. All gem releases are now signed. See INSTALL in readme.
* Remove self-require, it causes a warning in Ruby 1.9.2. [jbarnette]
* Allow for upload to use the filename of the local file by default [czarneckid]
* Properly handle receiving less data than requested. [thedarkone]
* Added option to create directory on directory upload [Pablo Merino]
* Remove warnings in tests [kachick]
2013-02-11 02:07:37 +00:00
taca
03ec5b4a4e Update ruby-net-scp to 1.1.0.
=== 1.1.0 / 06 Feb 2013

* Added public cert. All gem releases are now signed. See INSTALL in readme.
2013-02-11 02:07:09 +00:00
taca
5ec83cfe44 Update ruby-net-ssh to 2.6.5.
=== 2.6.5 / 06 Feb 2013

* Fixed path in gemspec [thanks priteau]

=== 2.6.4 / 06 Feb 2013

* Added license info to gemspec [jordimassaguerpla]
* Added public cert. All gem releases are now signed.


=== 2.6.3 / 10 Jan 2013

* Small doc fix and correct error class for PKey::EC key type [Andreas Wolff]
* Improve test dependencies [Kenichi Kamiya]
2013-02-11 02:06:29 +00:00
ryoon
9bef86f5fd Bump PKGREVISION from audio/jack. 2013-02-09 22:11:28 +00:00
wiz
fbe27aee2e Remove obsolete sentence about idea. 2013-02-09 15:49:55 +00:00
jperkin
74d287ece9 Fix NetBSD/amd64 build. 2013-02-08 15:58:02 +00:00
jperkin
5d16921570 Apply upstream patch to fix data corruption.
Bump PKGREVISION.
2013-02-08 14:11:08 +00:00
wiz
b9d372dacd Revert API depends change, not needed.
Ok jperkin.
2013-02-07 11:30:57 +00:00
tron
6e639d6ed3 Reduce minimum required OpenSSL version to 1.0.1c (instead of 1.0.1d) which
is what NetBSD 6.0* ships with.

The minimum ABI version was incorrect anyway and a result of an unnecessary
revision bump of the "openssl" package.
2013-02-07 10:22:57 +00:00
jperkin
becd113253 PKGREVISION bumps for the security/openssl 1.0.1d update. 2013-02-06 23:20:50 +00:00
jperkin
3dcd343e26 Update OpenSSL to 1.0.1d. Changes are far too numerous to list, the main one being
that we can now take advantage of AES-NI support in modern processors to significantly
increase performance.

Miscellaneous pkgsrc changes:

 - Remove unnecessary warning message on Solaris.
 - Fix RPATH for libgost.so.
 - MD2 support is optional, enabled by default for compatibility.
2013-02-06 21:40:33 +00:00
jperkin
73dedd67c2 PKGREVISION bumps for net/libpcap update. 2013-02-06 19:30:54 +00:00
taca
066fb95196 Update openssl to 0.9.8y.
Changes between 0.9.8x and 0.9.8y [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
2013-02-05 15:54:30 +00:00
wiz
23bfa90cfb Update HOMEPAGE and remove commented-out sf MASTER_SITE.
From Bug Hunting.
2013-02-03 12:37:40 +00:00
jperkin
aa056b4497 Bump libssh dependency. Fixes bulk builds. 2013-02-02 01:18:03 +00:00
wiz
bd06e1cb46 Reset MAINTAINER/OWNER (became observers) 2013-02-01 22:21:05 +00:00
is
ee9abb69fa Make pkg_info show the upstream version, for comparison to advisories etc. 2013-02-01 21:55:55 +00:00
is
4431c09043 fix typo 2013-02-01 21:50:45 +00:00
is
693f205dd5 Commit missing file, and fix the version gate. Thanks to Noud de Brouwer
for beta-testing the package.
2013-02-01 16:47:51 +00:00
is
55ec1ecd6f Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
        CVE-2013-0176 - NULL dereference leads to denial of service
        Fixed several NULL pointer dereferences in SSHv1.
        Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

        This is an important SECURITY and maintenance release in
        order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
        and CVE-2012-4562.

        CVE-2012-4559 - Fix multiple double free() flaws
        CVE-2012-4560 - Fix multiple buffer overflow flaws
        CVE-2012-4561 - Fix multiple invalid free() flaws
        CVE-2012-4562 - Fix multiple improper overflow checks

        (...)

Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
2013-02-01 13:33:49 +00:00
is
455b7247c1 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
	CVE-2013-0176 - NULL dereference leads to denial of service
	Fixed several NULL pointer dereferences in SSHv1.
	Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

	This is an important SECURITY and maintenance release in
	order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
	and CVE-2012-4562.

	CVE-2012-4559 - Fix multiple double free() flaws
	CVE-2012-4560 - Fix multiple buffer overflow flaws
	CVE-2012-4561 - Fix multiple invalid free() flaws
	CVE-2012-4562 - Fix multiple improper overflow checks

	(...)
2013-02-01 13:33:48 +00:00
is
2ae067baf6 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
        CVE-2013-0176 - NULL dereference leads to denial of service
        Fixed several NULL pointer dereferences in SSHv1.
        Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

        This is an important SECURITY and maintenance release in
        order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
        and CVE-2012-4562.

        CVE-2012-4559 - Fix multiple double free() flaws
        CVE-2012-4560 - Fix multiple buffer overflow flaws
        CVE-2012-4561 - Fix multiple invalid free() flaws
        CVE-2012-4562 - Fix multiple improper overflow checks

        (...)

Suggested by Noud de Brouwer in wip/libssh and PR pkg/47518, but needed
some changes to PLIST as well as to make "pkg_admin audit" and updates
compare correctly.
2013-02-01 13:33:48 +00:00
is
2776e9a639 Update libssh to (upstream) 0.5.4 == (our) 0.54.
(We need to keep the old numbering syntax to make versions compare
correctly.)

There are only two consumers in pkgsrc; one of them (remmina and
remmina-plugins) actually needed library version 0.4 or later, and
didn't build the ssh/sftp/nx plugins without. Hydra is also supposed
to build with 0.4.x and later.)

Upstream changelogs:

0.5.4:
	CVE-2013-0176 - NULL dereference leads to denial of service
	Fixed several NULL pointer dereferences in SSHv1.
	Fixed a free crash bug in options parsing.

and for completeness 0.5.3:

	This is an important SECURITY and maintenance release in
	order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561
	and CVE-2012-4562.

	CVE-2012-4559 - Fix multiple double free() flaws
	CVE-2012-4560 - Fix multiple buffer overflow flaws
	CVE-2012-4561 - Fix multiple invalid free() flaws
	CVE-2012-4562 - Fix multiple improper overflow checks

	(...)
2013-02-01 13:33:48 +00:00
jperkin
c3a27bbb2c Fix the first master site. 2013-02-01 13:13:22 +00:00
hans
6767f272e2 Use LIBABISUFFIX when creating the .pc files to make builtin openssl
work on 64bit SunOS and possibly others.
2013-02-01 12:34:15 +00:00
wiz
45f7f4801f Update mozilla root certificates to 20121229 version. 2013-01-31 09:39:00 +00:00
wiz
fc72743c12 automake-1.13 compat. 2013-01-26 23:11:13 +00:00
wiz
b9abce0be5 Fix for automake-1.13. 2013-01-26 22:02:06 +00:00
adam
f4c3b89da7 Revbump after graphics/jpeg and textproc/icu 2013-01-26 21:36:13 +00:00
wiz
1506ee79da Fix build with automake-1.13. 2013-01-23 17:26:27 +00:00
riz
3c49e35bd9 Set up PLIST_VARS for ppc and arm, and use them to point out that arm
doesn't have hardware timer support, so gets one less file installed.

Package builds on evbarm now.
2013-01-23 16:45:27 +00:00
rhaen
3f8c8e9872 - updated to 2.15
ChangeLog:

2.15    2012-09-07      Abhijit Menon-Sen <ams@toroid.org>

    * Include 'strict' in PREREQ_PM to silence cpantesters. No
      functional changes.
2013-01-23 10:25:06 +00:00
drochner
493b718e01 wants to use pkg-config 2013-01-15 11:29:21 +00:00
drochner
de3d2f7e3e add patch from upstream to fix possible keyring corruption
on import of corrupted keys (CVE-2012-6085), bump PKGREV
from "Bug Hunting" per PR pkg/47442
2013-01-15 11:21:50 +00:00
wiz
5f87e1e66e Update to 5.81:
5.81  Mon Jan 14 05:17:08 MST 2013
	- corrected load subroutine (SHA.pm) to prevent double-free
		-- Bug #82655: Security issue - segfault
		-- thanks to Victor Efimov and Nicholas Clark
			for technical expertise and suggestions

5.80  Mon Dec 10 14:15:26 MST 2012
	- obtained noticeable speedup on Intel/gcc
		-- by setting -O1 and -fomit-frame-pointer
		-- SHA-1 about 63% faster, SHA-2 improves 11-20%

5.74  Sat Nov 24 03:10:18 MST 2012
	- handle wide-string input by converting to bytes first
		-- viz. use SvPVbyte instead of SvPV in SHA.xs
		-- thanks to Eric Brine for summary and code

5.73  Wed Oct 31 04:32:44 MST 2012
	- provided workaround for DEC compiler bug (ref. Makefile.PL)
2013-01-15 10:47:15 +00:00
bouyer
1d78aa3458 Add p5-Authen-Simple 2013-01-14 14:44:29 +00:00
bouyer
73c1400f37 Import security/p5-Authen-Simple version 0.5
Simple and consistent framework for authentication.
2013-01-14 14:43:55 +00:00
riz
82693b6ea5 Detect arm MACHINE_ARCH, and set --cpu accordingly, so it can build
on NetBSD ARM platforms.  Tested on my Sheevaplug.

XXX will probably need similar treatment for mips and sh3.
2013-01-12 20:52:27 +00:00
jperkin
a2f14df810 Switch HPN patch site to the one FreeBSD uses, upstream have hidden it
behind a session-based page.
2013-01-11 12:41:16 +00:00
joerg
81775e6ac4 Explicitly include sys/vmmeter.h on NetBSD now. 2013-01-11 00:06:21 +00:00
joerg
cb8bd56423 Match pcap_handler. Add missing includes. 2013-01-11 00:05:53 +00:00
jym
12c2e784d4 Update to 4.54. Changelog:
New Win32 features
        FIPS module updated to version 2.0.
        OpenSSL DLLs updated to version 1.0.1c.
        zlib DLL updated to version 1.2.7.
        Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost, nuron, padlock, sureware, ubsec.

Other new features
        "session" option renamed to more readable "sessionCacheTimeout". The old name remains accepted for backward compatibility.
        New service-level "sessionCacheSize" option to control session cache size.
        New service-level option "reset" to control whether TCP RST flag is used to indicate errors. The default value is "reset = yes".
        New service-level option "renegotiation" to disable SSL renegotiation. This feature is based on a public-domain patch by Janusz Dziemidowicz.
        New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx to Janusz Dziemidowicz).
        New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1 or higher (thx to Henrik Riomar).

Bugfixes
        Fixed "Application Failed to Initialize Properly (0xc0150002)" error.
        Fixed missing SSL state debug log entries.
        Fixed a race condition in libwrap code resulting in random stalls (thx to Andrew Skalski).
        Session cache purged at configuration file reload to reduce memory leak. Remaining leak of a few kilobytes per section is yet to be fixed.
        Fixed regression bug in "transparent = destination" functionality (thx to Stefan Lauterbach). This bug was introduced in stunnel 4.51.
        "transparent = destination" is now a valid endpoint in inetd mode.
        "delay = yes" fixed to work even if specified *after* "connect" option.
        Multiple "connect" targets fixed to also work with delayed resolver.
        The number of resolver retries of EAI_AGAIN error has been limited to 3 in order to prevent infinite loops.

Fix some directory owner/group rights and take over maintainership as I
use it almost daily.
2013-01-08 23:45:39 +00:00
pettai
a37b3082fb back out unnecessary rev bump. 2013-01-08 22:51:39 +00:00
wiz
a4eb049219 Fix idea on big-endian hosts.
From http://bugs.g10code.com/gnupg/issue1461

Reported by tez.

Bump PKGREVISION.
2013-01-07 21:53:53 +00:00
wiz
6a4a8f349c Remove obsolete line. Noted by tez. 2013-01-07 21:47:32 +00:00
wiz
a235034233 Remove a superfluous line (hi tron!) 2013-01-07 21:47:01 +00:00
pettai
f611dfd64a Updated buildlink3.mk to newer API version 2013-01-07 19:33:22 +00:00
wiz
0517f8408c Remove idea option -- included in standard distfile now. 2013-01-07 12:26:56 +00:00
tron
d6f0e1a9cc Re-add checksums for "idea.c.gz" which got removed during the last update. 2013-01-07 08:17:43 +00:00
pettai
2fb1f4292f 1.4.8:
-Add support of
       . SCR3310-NTTCom USB (was removed in version 1.4.6)
       . Inside Secure VaultIC 420 Smart Object
       . Inside Secure VaultIC 440 Smart Object
    - Wait up to 3 seconds for reader start up
    - Add support of new PC/SC V2 part 10 properties:
        . dwMaxAPDUDataSize
        . wIdVendor
        . wIdProduct
    - Use helper functions from libPCSCv2part10 to parse the PC/SC v2
      part 10 features

1.4.7:
    -Add support of
       . ACS ACR101 ICC Reader
       . ACS CryptoMate64
       . Alcor Micro AU9522
       . Bit4id CKey4
       . Bit4id cryptokey
       . Bit4id iAM
       . Bit4id miniLector
       . Bit4id miniLector-s
       . CCB eSafeLD
       . Gemalto Ezio Shield Branch
       . KOBIL Systems IDToken
       . NXP PR533
    - KOBIL Systems IDToken special cases:
       . Give more time (3 seconds instead of 2) to the reader to answer
       . Hack for the Kobil IDToken and German eID card. The German eID
         card is bogus and needs to be powered off before a power on
       . Add Reader-Info-Commands special APDU/command
         - Manufacturer command
         - Product name command
         - Firmware version command
         - Driver version command
    - Use auto suspend for CCID devices only (Closes Alioth bug
      [#313445] "Do not activate USB suspend for composite devices:
      keyboard")
    - Fix some error management in the T=1 TPDU state machine
    - some minor bugs removed
    - some minor improvements added

1.4.6:
    -Add support of
       . Avtor SC Reader 371
       . Avtor SecureToken
       . DIGIPASS KEY 202
       . Fujitsu SmartCase KB SCR eSIG
       . Giesecke & Devrient StarSign CUT
       . Inside Secure VaultIC 460 Smart Object
       . Macally NFC CCID eNetPad reader
       . OmniKey 6321 USB
       . SCM SDI 011
       . Teridian TSC12xxF
       . Vasco DIGIPASS KEY 101
    - Remove support of readers without a USB CCID descriptor file
       . 0x08E6:0x34C1:Gemalto Ezio Shield Secure Channel
       . 0x08E6:0x34C4:Gemalto Ezio Generic
       . 0x04E6:0x511A:SCM SCR 3310 NTTCom
       . 0x0783:0x0008:C3PO LTC32 USBv2 with keyboard support
       . 0x0783:0x9002:C3PO TLTC2USB
       . 0x047B:0x020B:Silitek SK-3105
    - Disable SPE for HP USB CCID Smartcard Keyboard. The reader is
      bogus and unsafe.
    - Convert "&" in a reader name into "&amp;" to fix a problem on Mac OS X
    - Fix a problem with ICCD type A devices. We now wait for device ready
    - Secure PIN Verify and PIN Modify: set the minimum timeout to 90
      seconds
    - Add support of wIdVendor and wIdProduct properties
    - Add support of dwMaxAPDUDataSize
    - Add support of Gemalto firmware features
    - some minor bugs removed
2013-01-06 16:10:39 +00:00
pettai
c845c78658 pcsc-lite-1.8.7:
- Fix a problem when a reader is unplugged (and the reader is still in use)

pcsc-lite-1.8.6:
- Fix a problem when only serial drivers are used (no hotplug/USB
  driver)
- increase log buffer size from 160 to 2048. Some "long" log lines were
  truncated.
- Fix redirection of stdin, stdout and stderr to /dev/null when pcscd is
  started as a daemon (default)
- Some other minor improvements and bug corrections

pcsc-lite-1.8.5:
- Fix crash when a reader is unplugged while pcscd is in the middle of a
  PC/SC function
- SCardBeginTransaction(): fix a bug introduced in version 1.8.4
  related to sharing
- Some other minor improvements and bug corrections

pcsc-lite-1.8.4:
- Add [ and ] in the list of accepted characters for a reader name
- truncates the reader name if it is too long instead of rejecting the
  reader
- The restriction to have to call SCardEstablishContext() in each thread
  has been removed. Threads could now share a PC/SC context.
- Fix compiler failure for static driver
- Update IFDHandler API Doxygen regarding the "libusb-1.0" naming scheme
- Some other minor improvements and bug corrections

pcsc-lite-1.8.3:
- ignore directories and hidden (.*) files when parsing a configuration
  directory (like /etc/reader.conf.d/)
- add Mac OS X for PC/SC spy tool
- fix a bug in PC/SC spy tool when loading of the real library fails
- add PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize,
  PCSCv2_PART10_PROPERTY_wIdVendor and PCSCv2_PART10_PROPERTY_wIdProduct
  from PC/SC v2 part 10 release 2.02.09 (not yet published)
- Some other minor improvements and bug corrections

pcsc-lite-1.8.2:
- rename pcsc-spy.py to pcsc-spy and install it as a normal binary (in
  /usr/local/bin by default)
- write a pcsc-spy.1 manpage
- fix a bug with a multi-slot reader
- Info.plist parser: avoid a buffer read overflow in &amp; management
- Some Doxygen improvements

pcsc-lite-1.8.1:
- Distribute missing files from src/spy/

pcsc-lite-1.8.0:
- PC/SC spy tool
- Support systemd socket activation (the auto start of pcscd from the
  library has been removed. Use systemd instead)
- SCardGetStatusChange(): check all the readers are already known and
  return SCARD_E_UNKNOWN_READER if a reader name is not present.
  Windows XP has this behavior.
- SCardEstablishContext(): Invalidate all the handles in the son after a
  fork
- Add define of FEATURE_EXECUTE_PACE from PCSC v2 Part 10 Amendment 1
  2011-06-03
- Fix some memory leaks reported by Coverity
- Enable silent build by default
- log_line(): correctly calculate delta time when no color is used
  The update of last_time was only done in case of colorization
  (LogDoColor). So on unsupported consoles the time was wrong.
- log_xxd_always(): Use a variable-length array
  The debug message buffer is no more with a fixed size (around 600
  bytes of buffer to log) but uses a variable-length array.
  It is now possible to log extended APDU of 64kB.
  The variable-length array feature is available in GCC in C90 mode and
  is mandatory in C99 standard.
- Some other minor improvements and bug corrections
2013-01-06 16:02:21 +00:00
spz
6c6cc3567e update of gnupg
Fixes CVE-2012-6085

Upstream Changes:
    * Add support for the old cipher algorithm IDEA.

    * Minor bug fixes.

    * Small changes to better cope with future OpenPGP and GnuPG
      features.
2013-01-06 14:50:47 +00:00
obache
26cad1ebdb Update ruby-simple_oauth to 0.2.0.
* Fix "URI.escape is obsolete" warnings on Ruby>=1.9
* Alias encode to escape and decode to unescape
2013-01-05 05:23:15 +00:00
sbd
5070c0f153 Disable-libudev as pkg-config can not find libudev.pc. 2013-01-02 07:02:53 +00:00
bsiegert
f4e5cfe47e Add #ifdef __OpenBSD__ to some of the patches, to fix compilation on
OpenBSD and MirBSD.

Freeze exception granted by wiz.
2012-12-27 21:04:11 +00:00
joerg
7c675ec6ba Disable integrated assembler with Clang, it doesn't like some of the
Intel assembler parts.
2012-12-24 21:15:32 +00:00
obache
bcab4977d5 Update ruby-twitter_oauth to 0.4.4.
* added totals method
* added a note about repeat authorizations
* added documentation about pin-based flow
* fixed textile formatting
* using the https endpoint for all oauth negotiation
* made the api host and version configurable
* wrapping the json parse error so you can programmatically access the response
* added configurable search host
2012-12-23 07:09:36 +00:00
joerg
5130b62dec Rpath is a linker flag, so use -Wl. 2012-12-22 20:03:06 +00:00
joerg
d1262b44af Fix template look up. Don't declare constants with non-default
constructor.
2012-12-22 02:29:36 +00:00
joerg
9927d30623 Ensure correct initialisation. Bump revision. 2012-12-22 02:27:56 +00:00
joerg
71c9ae45d2 sasl.h needs stddef.h to be self-contained. Bump revision. 2012-12-20 22:52:37 +00:00
joerg
65299f0f53 Uses libtool 2012-12-20 21:38:46 +00:00
ryoon
7c423ceba8 Fix build.
docbook-xsl is also needed.
Thank you, joerg@ again.
2012-12-19 13:29:25 +00:00
obache
741d37e2bf Note upstream bug report. 2012-12-19 10:46:55 +00:00
wen
3a64d68dc4 Update to 2.32
Upstream changes:
2.32    Fri Dec 14 14:20:17 EST 2012
	- Fixes "Taint checks are turned on and your key is tainted" error when autogenerating salt and IV.
2012-12-19 03:22:17 +00:00
marino
7f8208557f security/libsecret: USE_TOOLS+= msgfmt 2012-12-18 21:53:30 +00:00
taca
38cf43c4c6 Update ruby-net-ssh to 2.6.2.
=== 2.6.0 / 19 Sep 2012

* Use OpenSSL::PKey.read to read arbitrary private key. [nagachika]
* Check availability of UNIXSocket and UNIXServer for Windows [Nobuhiro IMAI]
* Bump version to 2.5.3 and depend on newer jruby-pageant version for Java 1.5 compat. [arturaz]
* Implementation of the "none"-authentication method [dubspeed]
* Add class for stricter host key verification [Andy Brody]
2012-12-17 13:11:29 +00:00
obache
64deda1dc9 recursive bump from cyrus-sasl libsasl2 shlib major bump. 2012-12-16 01:51:57 +00:00
obache
32218a8e0a Update cyrus-sasl to 2.1.26.
New in 2.1.26
-------------

* Modernize SASL malloc/realloc callback prototypes
* Added sasl_config_done() to plug a memory leak when using an application
  specific config file
* Fixed PLAIN/LOGIN authentication failure when using saslauthd
  with no auxprop plugins (bug # 3590).
* unlock the mutex in sasl_dispose if the context was freed by another thread
* MINGW32 compatibility patches
* Fixed broken logic in get_fqhostname() when abort_if_no_fqdn is 0
* Fixed some memory leaks in libsasl
* GSSAPI plugin:
 - Fixed a segfault in gssapi.c introduced in 2.1.25.
 - Code refactoring
 - Added support for GSS-SPNEGO SASL mechanism (Unix only), which is also
   HTTP capable
* GS2 plugin:
 - Updated GS2 plugin not to lose minor GSS-API status codes on errors
* DIGEST-MD5 plugin:
 - Correctly send "stale" directive to prevent clients from (re)prompting
   for password
 - Better handling of HTTP reauthentication cases
 - fixed some memory leaks
* SASLDB plugin:
 - Added support for BerkeleyDB 5.X or later
* OTP plugin:
 - Removed calling of EVP_cleanup() on plugin shutdown in order to prevent
   TLS from failing in calling applications
* SRP plugin:
 - Removed calling of EVP_cleanup() on plugin shutdown in order to prevent
   TLS from failing in calling applications
* saslauthd:
 - auth_rimap.c: qstring incorrectly appending the closing double quote,
   which might be causing crashes
 - auth_rimap.c: read the whole IMAP greeting
 - better error reporting from some drivers
 - fixed some memory leaks
2012-12-16 01:36:43 +00:00
manu
c675b006aa Fix double free in patch for libxml 2.9.0 support 2012-12-15 15:29:28 +00:00
ryoon
35263110cb Bump PKGREVISION from devel/nss 3.14.0. 2012-12-15 10:36:18 +00:00
marino
9be7653187 security/racoon2: Fix variable set but not used errors
With -Werror set on this package, racoon2 would not build with gcc4.6+
2012-12-15 08:10:59 +00:00
pettai
f1b9e4f675 bump revision 2012-12-15 01:13:59 +00:00
pettai
c3405d3c7f Build fix for a more modern pcsc-lite. 2012-12-15 01:07:17 +00:00
pettai
23c16fac6b 1.4.21
- Do not log the time every second on "old" PC/SC without support of
      \\?PnP?\Notification like on Mac OS X.
    - 79 new ATRS
    - minor fixes

1.4.20 - 16 June 2012, Ludovic ROUSSEAU
    - Makefile: Add arguments to CFLAGS instead of overwriting them
    - 3 new ATRs

1.4.19
    - ATR_analysis: use XDG_CACHE_HOME env variable
      The smartcard_list.txt file is now searched in ~/.cache/ by default
    - 115 new ATRs

1.4.18
    - gscriptor: Display hex dumps in lines of 16 bytes instead of 17
    - gscriptor: Display bytes of value 0x20 as ' ' instead of '.'
    - scriptor: Display lines of 16 bytes instead of 24
    - 223 new ATRs
    - pcsc_scan: Correctly detect reader Plug and Play support

1.4.17
    - 153 new ATRs
    - Allow to build with pcsc-lite >= 1.6.2

1.4.16
    - 153 new ATR
    - pcsc_scan.c: check for PnP support at run time instead of using a
      #define
    - ATR_analysis: use curl instead of wget on Darwin
    - gscriptor: ReaderConfig(): escape metacharacters []() in
      the reader name when using reader name as a pattern matching
2012-12-15 00:53:26 +00:00
pettai
5f712c6949 A major version bump gives a long changelog...
1.4.5:
    - Add support of Alcor Micro AU9540, Ubisys 13.56MHz RFID (CCID),
      BIFIT USB-Token iBank2key, BIFIT iBank2Key, Gemalto Ezio Shield
      PinPad reader, Gemalto SA .NET Dual, Precise Sense MC reader (with
      fingerprint), SDS DOMINO-Key TWIN Pro
    - Add support of bPPDUSupport and FEATURE_CCID_ESC_COMMAND
    - SCARD_ATTR_VENDOR_NAME and SCARD_ATTR_VENDOR_IFD_VERSION are not
      the vendor name and version of the driver but of the IFD:
      InterFace Device i.e. the smart card reader.  We then return the
      USB iManufacturer string as SCARD_ATTR_VENDOR_NAME and USB
      bcdDevice as SCARD_ATTR_VENDOR_IFD_VERSION
    - reduce binary size by removing unused features from simclist
    - Fix some warnings reported by Coverity

1.4.4:
    - Add support of Gemalto Ezio Shield, Gemalto Ezio CB+, Gemalto Ezio
      Shield Secure Channel, Gemalto Ezio Shield PinPad and Gemalto Ezio
      Generic
    - Activate USB automatic power suspend. The Linux kernel should
      power off the reader automatically if it is not used (pcscd is not
      running).
    - Add support of TLV Properties wLcdMaxCharacters and wLcdMaxLines.
      They just duplicate wLcdLayout
    - some minor bugs removed

1.4.3:
    - Add support of Neowave Weneo, Vasco DIGIPASS 920, SCM SCL011,
      Feitian ePass2003 readers
    - use :libudev: instead of :libhal: naming scheme.
    - Do not install RSA_SecurID_getpasswd and Kobil_mIDentity_switch
      and the associated documentation.
    - the Secure Pin Entry of the HP USB Smart Card Keyboard is bogus so
      disable it
    - some minor bugs removed

1.4.2:
    - Add support of Feitian SCR310 reader (also known as 301v2), ACS
      APG8201 PINhandy 1, Oberthur ID-ONE TOKEN SLIM v2, new Neowave
      Weneo token, Vasco DIGIPASS KEY 860, Vasco DIGIPASS KEY 200,
      Xiring Leo v2, Xiring MyLeo, Aktiv Rutoken lite readers
    - Add back support of "bogus" Oz776, REINER SCT and BLUDRIVE II
    - Ease detection of OpenCT by pcsc-lite
    - disable use of interrupt card events for multi slots readers (the
      algorithm is bogus and can't be used)
    - fix minor problems detected by the clang tool
    - some minor bugs removed

1.4.1:
    - Add support of Gemalto Smart Guardian (SG CCID), ReinerSCT
      cyberJack RFID basis, Akasa AK-CR-03, BZH uKeyCI800-K18, Free
      Software Initiative of Japan Gnuk token readers
    - Remove O2 Micro Oz776 and Blutronics Bludrive II CCID since they
      are no more supported since version 1.4.0
    - SecurePINVerify() & SecurePINModify(): Accept big and little
      endian byte orders for multibytes fields. The application
      should not use HOST_TO_CCID_16() and HOST_TO_CCID_32() any more
      and just use the normal byte order of the architecture.
    - Need pcsc-lite 1.6.5 for TAG_IFD_POLLING_THREAD_WITH_TIMEOUT
    - Add --enable-embedded (default is no) to build libccid for an
      embedded system.  This will activate the NO_LOG option to disable
      logging and limit RAM and disk consumption.
    - Remove --enable-udev option since it is not used anymore with
      libhal. The udev rules file is now used to change the access
      rights of the device and not send a hotplug signal to pcscd.
      See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
    - some minor bugs removed

1.4.0:
    - add support of Kingtrust Multi-Reader, Dectel CI692, Todos CX00,
      C3PO LTC36, ACS AET65, Broadcom 5880, Tianyu Smart Card Reader,
      Gemalto Hybrid Smartcard Reader
    - Add support of the SCM SDI 010 again. At least the contact
      interface can be used.
    - Use libusb-1.0 instead of libusb-0.1
    - add support of TAG_IFD_STOP_POLLING_THREAD and use of the
      asynchronous libusb API to be able to stop a transfer.
    - Request pcsc-lite 1.6.2 minimum (instead of 1.6.0) to have
      TAG_IFD_STOP_POLLING_THREAD defined
    - The O2MICRO OZ776 patch (for OZ776, OZ776_7772, REINER_SCT and
      BLUDRIVEII_CCID) is no more supported with libusb-1.0
    - correctly get the IFSC from the ATR (ATR parsing was not always
      correct)
    - some minor bugs removed
2012-12-15 00:29:31 +00:00
pettai
c784b73a30 bump revision 2012-12-14 23:54:43 +00:00
pettai
caf15c6c69 A major version bump gives a long changelog...
1.7.4:
- Fix a stupid bug from the previous version. T=1 cards were not
  working.

1.7.3:
- COPYING: Add my name as copyright holder
- hotplug libudev: support libudev >= 171
- hotplug libusb: Fix a memory leak
- pcscd: exit immediately in case of SIGTERM
  Closes Debian bug #620305 "pcscd slows down shutdown/restart"
- Send logs to stdout instead of stderr
  It is now possible to use tee(1) to redirect logs in a file without
  first redirecting stderr to stdout
- Add command line option -T, --color: force use of colored logs
  The idea is to have colored logs even if they are redirected to a file
  or a pipe.
- Define g_rgSCardT?Pci as const structures to be more Windows like
  I do not expect a regression or compilation problem in WinSCard API
  users but who knows...
- log at level PCSC_LOG_DEBUG instead of PCSC_LOG_ERROR to avoid filling
  the system log file
- Remove the deprecated define FEATURE_MCT_READERDIRECT (replaced by
  FEATURE_MCT_READER_DIRECT)
- better Hurd support
- some other minor improvements and bug corrections

1.7.2:
- fix a crash if a specific driver fails to work and no class driver is
  available

1.7.1
- use libudev only on Linux and libusb elsewhere. The configuration now
  works by default on GNU/kFreeBSD systems
- Try to use a (CCID) class driver if a specific driver fails to use the
  reader.
- fix a potential crash

1.7.0:
- use libudev instead of (the deprecated) libhal

1.6.7:
- better Mac OS X support
- Fix Alioth bug [#312960] SCardDisconnect when other context has transaction
- add support of multi-interfaces readers with libusb and not just libhal
- add a API tracing feature in the client side (#define DO_TRACE)
- allow the use of tracing and profiling features from different
  application threads
- fix a problem with a multi-slots reader
- fix minor problems detected by the clang tool
- some other minor improvements and bug corrections

1.6.6:
- SCardGetStatusChange(): fix a bug on 64-bits systems
- Fix another bug because of a regression in internal list manager

1.6.5:
- Power on the card _only_ if an application requests a connection.
  You can disable the feature using DISABLE_ON_DEMAND_POWER_ON in
  src/pcscd.h.in
  If DISABLE_AUTO_POWER_ON is defined then do not automatically power on
  the card. The card will be powered on on the first SCardConnect()
  See http://ludovicrousseau.blogspot.com/2010/10/card-auto-power-on-and-off.html
- SCardReconnect(): return SCARD_E_NO_SMARTCARD when card is removed and
  SCARD_W_UNRESPONSIVE_CARD when card is unresponsive instead of
  SCARD_E_PROTO_MISMATCH
- Install pcscd as sgid pcscd instead of suid root
  See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
- SCardSetTimeout() is no more provided. This function is not provided
  by Microsoft and is deprecated since 2004 in pcsc-lite.
- SCardCancelTransaction() is no more provided. This function is not
  provided by Microsoft and is deprecated since 2005 in pcsc-lite.
- Parsing the CCID Info.plist (159 readers supported) was, on a i386
  machine, done in 264306 µs and is now done 5547 µs => gain x47 or 4600%
  See http://ludovicrousseau.blogspot.com/2010/08/ram-and-cpu-improvements-in-pcsc-lite.html
- It is now possible to configure the local socket name to use using the
  environment variable PCSCLITE_CSOCK_NAME
  See http://ludovicrousseau.blogspot.com/2010/11/pcsc-client-and-server-on-two-different.html
- Wait until all connected readers have a chance to power up a possibly
  inserted card before accepting clients.
- restrict pcscd features when not run by root (so using suid): APDU
  logging or setting parameters are disabled for example
- fix compilation problem on kfreebsd-* systems
- PCSC/reader.h: HOST_TO_CCID_16() and HOST_TO_CCID_32() are now
  identity functions
  Since libccid 1.4.1 (revision 5252) the byte order is no more important
- If you want to use IFDHCreateChannel() instead of
  IFDHCreateChannelByName() then do not use any DEVICENAME line in the
  configuration file. IFDHCreateChannel() will then be called with the
  CHANNELID parameter.
- the CHANNELID parameter can also be a decimal number.
- Remove the support of IFDHandler v1 API. I don't know any driver using
  this API.
  See http://ludovicrousseau.blogspot.com/2010/10/ifdhandler-version-1-support-removed.html
- avoids a buffer overflow with badly formed ATR
- some other minor improvements and bug corrections

1.6.4:
- Do not use sysconfdir as configuration directory but
  "${sysconfdir}/reader.conf.d" instead.
  Use --enable-confdir=DIR if you want to set a specific value without
  the "reader.conf.d" appended.

1.6.3:
- "/reader.conf.d" is only appended to sysconfdir if no value of
  sysconfdir is provided
- Define LPSCARD_READERSTATE since this is used in the MSDN prototype.
  Use LPSCARD_READERSTATE in winscard.h instead of (SCARD_READERSTATE *)
  to mimic the MSDN API.
- fix a pcscd crash when the application uses a PCSC handle after a
  fork. The crash was with openvpn.
- some other minor improvements and bug corrections

1.6.2:
- implement a "Forced suicide" mechanism.
  After 3 Ctrl-C without much reaction from pcscd (in fact the drivers)
  we force the suicide. Sometimes libusb is blocked in a kind of
  dead-lock and kill -9 was the only option.
- Add support of TAG_IFD_STOP_POLLING_THREAD to request the stop of the
  driver polling function.
- Avoid a division by 0. Closes [#312555] "simclist bug in pcsc-lite"
- if pcscd is started by libpcsclite then close all file handles except
  stdin, stdout and stderr so that pcscd does not confiscate resources
  allocated by the application
- in case of auto exit create a new session so that Ctrl-C on the
  application will not also quit pcscd
- src/hotplug_libusb.c: port from libusb-0.1 to libusb-1.0
- default configuration is now $sysconfdir/reader.conf.d
- fix crash with empty config dir
- src/PCSC/winscard.h: Remove definitions of SCARD_READERSTATE_A
  PSCARD_READERSTATE_A and LPSCARD_READERSTATE_A types
- some other minor improvements and bug corrections

1.6.1:
- SCardControl(): do not check for card events since we are talking to
  the reader not the card. A smart card removal should not make
  SCardControl() fail with SCARD_W_REMOVED_CARD
- pcscd do not timeout any more after 2 minutes of inactivity. If the
  other side of the socket dies we will get an error from the kernel.
  The problem was that if a client does nothing during
  PCSCLITE_READ_TIMEOUT (120 seconds by default) then pcscd considers it
  as a dead client and closes the connection. I guess this problem was
  present since the first version of pcsc-lite but nobody complained
  before.
- pcscd: do not return before most of the initialisation are done
  correctly. The idea is that pcscd can return an error code if the
  daemon fails to start correctly (hald not started for example).
  Before the patch pcscd became a daemon, then returned 0 (success) and
  then continued with the initialisation. If the initialisation failed
  it was too late to return an error code. The /etc/init.d/pcscd script
  was not aware of the failure.
  Closes https://bugzilla.redhat.com/show_bug.cgi?id=580321
  "/usr/sbin/pcscd exit codes broken"
- src/hotplug_libusb.c: Add a synchronisation so that if pcscd is auto
  started the initial reader list is available before the server takes
  commands from clients.
  Before the change early calls of SCardListReaders() returned an empty
  list of readers even if a reader was connected.
- SCardConnect() & SCardReconnect(): do not reset the cardProtocol in
  SCARD_SHARE_DIRECT case since the card has _not_ been reset. A new
  PPS negotiation would fail.
- Do not install files in /etc any more. Serial drivers are rare now.
- Avoids a crash if a client sends a unknown command.
- some other minor improvements and bug corrections

1.6.0:
- redesign the client/server communication:
  * no more shared memory used (allow pcscd and libpcsclite1.so to be on
  different computer and talk over a network)
  * no more difference between short and extended APDU
  * no more use of a /var/run/pcscd/pcscd.events/ directory. events are
  sent through the socket
  * simpler command format between client and server
  The side effect is that you are not able to mix an old pcscd with a
  new libpcsclite1.so or the reverse. SCardEstablishContext() will fail
  unless you update both sides of the communication.
- Use lists instead of fixed size arrays to store handles.
  It is now possible to have:
  - 200 simultaneous PC/SC clients instead of 16
  - 200 SCardConnect per client instead of 16
  - 200 clients per reader instead of 16
  The default value of 200 can be changed by giving an argument to pcscd
  --max-thread --max-card-handle-per-thread --max-card-handle-per-reader
- Make SCardReconnect(), SCardStatus() and SCardTransmit() block instead
  of returning SCARD_E_SHARING_VIOLATION immediately. These functions
  will then behave like on Windows.
  This can happen if these functions are called when the reader is
  locked by a PCSC transaction
  (SCardBeginTransaction/SCardEndTransaction).
  You can define the environment variable PCSCLITE_NO_BLOCKING to use
  the old behavior.
  http://archives.neohapsis.com/archives/dev/muscle/2010-q1/0041.html
- SCardEstablishContext(): try to start the pcscd daemon if not already
  running.
  . pcscd will suicide itself after 60 seconds of inactivity if it is
  started using --auto-exit. This is the default behavior when pcscd is
  started by libpcsclite
  . Set PCSCLITE_PCSCD_ARGS with the argument you want to pass to pcscd in
  autostart. Only one argument is passed. The space character is not a
  separator. example: export PCSCLITE_PCSCD_ARGS=-dfa
- SCardListReaders(): can use SCARD_AUTOALLOCATE
- SCardGetAttrib(): return SCARD_E_INSUFFICIENT_BUFFER if the driver
  returns IFD_ERROR_INSUFFICIENT_BUFFER
  . add support of SCARD_ATTR_DEVICE_FRIENDLY_NAME as it is better
  implemented in pcscd (it knows the friendly name)
- SCardGetStatusChange(): Calling with cReaders == 0 will now just
  return SCARD_S_SUCCESS
  . Use the special reader name "\\?PnP?\Notification" to wait for a
  reader event notification
- SCardTransmit(): do not limit the minimum size of an APDU to 4 bytes.
  non ISO 7816-4 compliant cards (like Mifare DESFIRE) may use shorter
  commands
- SCardStatus(): returns SCARD_E_SHARING_VIOLATION if the reader is
  already used. More conform to Windows
- PCSC/reader.h: update struct PIN_PROPERTIES_STRUCTURE to be conform
  with Revision 2.02.06, April 2009 of PCSCv2 part 10. Fields
  wLcdMaxCharacters and wLcdMaxLines have been removed
  . rename FEATURE_MCT_READERDIRECT in FEATURE_MCT_READER_DIRECT to be
  conform with ch. 2.3 of PCSC v2 part 10
  . add FEATURE_GET_TLV_PROPERTIES and FEATURE_CCID_ESC_COMMAND from
  PC/SC part 10 v2.02.07 March 2010
  . Add PCSCv2_PART10_PROPERTY_* defines
- SCardControl() return SCARD_E_UNSUPPORTED_FEATURE if the driver
  returned IFD_ERROR_NOT_SUPPORTED or IFD_NOT_SUPPORTED. This is used to
  separate an unsupported value of ControlCode from a general error
- Use the standard --sysconfdir=DIR ($prefix/etc by default) instead of
  --enable-confdir=DIR for defining the directory containing reader.conf
- remove SCF support (PC/SC over Smart Card Framework). I never used
  this feature and SCF is now dead and replaced by JSR 268
  (javax.smartcardio)
- Better handling of PCSCLITE_STATIC_DRIVER as can be used on platforms
  using µClinux (without dynamic loader).  This is used to statically
  link the reader driver to pcscd. Since the link is static you must
  define the IFDHandler API version at compilation time. Either define
  IFDHANDLERv1, IFDHANDLERv2 or IFDHANDLERv3
- Use dynamic instead of static allocation for the driver library
  filename. The filename is no more limited to 100 characters.
  Closes: [#312332] MAX_LIBNAME too short?
- force the return codes SCARD_* to be long since the SCard* functions
  return a LONG type
- Add the ability to parse all the configuration files of a directory
  instead of just one configuration file. update-reader.conf is then now
  obsolete.
- Add --enable-embedded (default is no) to build pcsc-lite for an
  embedded system. This will activate the NO_LOG option to disable
  logging and limit RAM and disk consumption.
- If NO_LOG is defined then no log are displayed. The idea is to limit
  the binaries size on disk and RAM consumption at execution time.
  With NO_LOG defined we gain 26% (17 kB) for the .text segment of pcscd
  and 15% (4 kB) for the .text segment of libpcsclite.so (for i386)
- Define a minimal pcsc_stringify_error() if NO_LOG is defined. Only the
  error code in hex is displayed in this case.
  Gain: 2kB of .text (10%) for libpcsclite
- Add --disable-serial and --disable-usb options
  --disable-serial removes support of /etc/reader.conf gain: 8.0kB of
  .text (12%) and 160 bytes of .bss (4%) for pcscd
  --disable-usb removes support of USB hotplug gain: 9.7kB of .text
  (14%) and 960 bytes of .bss (23%) for pcscd
  If you use both options (and use a static driver configuration) gain:
  17.7kB of .text (26%) and 1152 bytes of .bss (28%) for pcscd
- Better support of Android
- some other minor improvements and bug corrections
2012-12-14 23:50:33 +00:00
wiz
edb6c0ce45 - ssh2. 2012-12-12 22:44:19 +00:00
gendalia
fbcd99dde7 "Hygiene demands it."
Sources are from 2003, current tectia client/server has vulnerabilities,
there are no security eyes on this version.
2012-12-12 22:04:42 +00:00
ryoon
b7ac758854 Fix build.
For man pages generation, xsltproc from textproc/libxslt is needed.

Thank you, joerg@.
2012-12-12 16:04:16 +00:00
gdt
73de6a6944 +polarssl 2012-12-11 23:31:16 +00:00
gdt
7451fffa94 Import polarssl-1.2.0 as security/polarssl.
PolarSSL is an SSL library written in ANSI C. PolarSSL makes it easy for
developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products with as little hassle as possible. It is designed to be
readable, documented, tested, loosely coupled and portable.

This package includes headers/libs only, not the demo programs.

PolarSSL is GPLv2, but offers exceptions to be distributed with other works
licensed as Apache, BSD, CC0, EUPL, LGPL, ISC, WTFPL, X11, zlib/libpng.
2012-12-11 23:29:27 +00:00
pettai
266379a004 OpenDNSSEC 1.3.12 - 2012-12-03
Bugfixes:
* SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a
  directory in the default search path of the compiler).
* OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on
  the OpenDNSSEC implementation of strlcpy/cat
2012-12-05 20:03:59 +00:00
gdt
3be8dced47 Update to 0.6.20.
New in 0.6.20; 2010-02-16; Andreas Jellinghaus
* Modify Rutoken S binary interfaces by Aktiv Co.
* Makefiles fixed in doc/ directory

New in 0.6.19; 2010-01-07; Andreas Jellinghaus
* update on udev rules. Please now use udev instead of hal,
  as distributions are deprecating hal in favor for udev.
* Thanks to Daniel Kahn Gillmor for testing on debian.
2012-12-03 21:12:48 +00:00
gdt
dff894e049 Make cardreader package choice an option group.
No functional change, other than building with both or neither
cardreader package will error from the options framework instead of at
configure time.
2012-12-03 20:23:15 +00:00
gdt
68ebc234db Merge Makefile.common into Makefile, because opensc-signer is gone.
This does not make any functional changes - it is just rearranging and
comments.
2012-12-03 20:14:14 +00:00
ryoon
d0a3af16f5 Add libsecret 2012-11-30 15:50:31 +00:00
ryoon
33d760afe8 Import libsecret-0.12 as security/libsecret.
libsecret is a library for storing and retrieving passwords and
other secrets. It communicates with the "Secret Service" using
DBus. gnome-keyring and ksecretservice are both implementations of
a Secret Service.
2012-11-30 15:49:47 +00:00
gdt
aae9e42a51 Update to 0.12.2.
Thanks to manu@ for testing and resolving pcsc-lite pthread leakage
problems.

Note that pcsc-lite and openct should be an options group.

Disable some obsolete CONFIGURE_ARGS.

Work around assumption that either getopt_long_only is present or
all getopt functions must be provided.

Finnish EID patches have been applied upstream (from whence they came,
perhaps).

From upstream NEWS:

Complete change history is available online:
http://www.opensc-project.org/opensc/timeline

New in 0.12.2; 2011-07-15
* Builds are now silent by default when OpenSC is built from source on Unix.
* Using --wait with command line tools works with 64bit Linux again.
* Greatly improved OpenPGP card support, including OpenPGP 2.0 cards
  like the one found in German Privacy Foundation CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with 2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes from the open
  source CCID driver. This fixes the issue for Linux/OSX with recent driver.
* WindowsInstaller now installs only static DLL-s (PKCS#11, minidriver) to
  system folder.
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed.

New in 0.12.1; 2011-05-17
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader, to skip to the
  card with given ATR.
* opensc-tool -l with -v now shows information about the inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different AID-s.
  PKCS#15 applications can be listed with pkcs15-tool --list-applications.
  Binding to a specific AID with PKCS#15 tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated by space, in
  addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC. At the moment
  only "HP USB Smart Card Keyboard" is disabled.
* Windows installer is now distributed as a statically built MSI, for both
  x86 and x64.
* Numerous compiler warnings, unused code and internal bugs have been
  eliminated.

New in 0.12.0; 2010-12-22
* OpenSC uses a single reader driver, specified at compile time.
* New card driver: Italian eID (CNS) by Emanuele Pucciarelli.
* New card driver: Portuguese eID by João Poupino.
* New card driver: westcos by François Leblanc.
* pkcs11-tool can use a slot based on ID, label or index in the slot list.
* PIN flags are updated from supported cards when C_GetTokenInfo is called.
* Support for CardOS 4.4 cards added.
* Feature to exclude readers from OpenSC PKCS#11 via "ignored_readers"
  configuration file entry.
* #229: Support semi-automatic fixes to cards personalized with older and
  broken OpenSC versions.
* Software keys removed from pkcs15-init and the PKCS#11 module. OpenSC
  can either generate keys on card or import plaintext keys to the card, but
  will never generate plaintext key material in software by itself.
  All traces of a software token (PKCS#15 Section 7) shall be removed.
* Updates to PC/SC driver to build with pcsc-lite >= 1.6.2
* Build script for a binary Mac OS X installer for 10.5 and 10.6 systems.
  Binary installer includes OpenSC.tokend for platform integration.
  10.6 installer includes engine_pkcs11.
* Modify Rutoken S binary interfaces by Aktiv Co.
* Support GOST R 34.10-2001 and GOST R 34.11-94 by Aktiv Co.
* CardOS driver now emulates sign on rsa keys with sign+decrypt usage
  with padding and decrypt(). This is compatible with old cards and
  card initialized by Siemens software. Removed "--split-key" option,
  as it is no longer needed.
* Improved debugging support: debug level 3 will show everything
  except of ASN1 and card matching debugging (usually not needed).
* Massive changes to libopensc. This library is now internal, only
  used by opensc-pkcs11.so and command line tools. Header files are
  no longer installed, library should not be used by other applications.
  Please use generic PKCS#11 interface instead.
* #include file statements cleaned up: first include "config.h", then
  system headers, then additional libraries, then headers in opensc
  (but from other directories), then header files from same directory.
  Fix path to reference headers, remove src/include/ directory.
* Various source code fixes and improvements.
* OpenSC now depends on xsltproc utility and docbook-xsl to build docs and man
* Remove iconv dependency. EstEID driver now uses the commonName from the
  certificate for card label.
* Possibility to change the default behavior for card resets via
  opensc.conf.
2012-11-30 14:44:34 +00:00
gdt
dd776821c8 Don't pass pthread flags to depending packages.
This is necessary to avoid making opensc threaded, since then it can't
be dlopened by a non-threaded program.

Add patch comments.

Set LICENSE (modified-bsd, verified via wdiff).

This change is almost entirely due to manu@.
2012-11-30 14:28:55 +00:00
adam
eb1cd321a1 patch-gssftp_ftp_ftp_var.h rewritten 2012-11-29 07:31:02 +00:00
gdt
77eb9625e6 Remove obsolete package opensc-signer.
Upstream has removed the code that this package uses, as upstream
believes there are no users.

(Proposed on pkgsrc-users with no objections.)
2012-11-29 00:51:28 +00:00
gdt
daf47c4a3e -opensc-signer, about to be removed. 2012-11-29 00:49:31 +00:00
gls
cbd2ef34b3 Update security/py-paramiko to 1.9.0.
Fix a tyop in DESCR.

Upstream changes:
-----------------

v1.9.0 (6th Nov 2012)
---------------------

* #97 (with a little #93): Improve config parsing of `ProxyCommand` directives
  and provide a wrapper class to allow subprocess-driven proxy commands to be
  used as `sock=` arguments for `SSHClient.connect`.
* #77: Allow `SSHClient.connect()` to take an explicit `sock` parameter
  overriding creation of an internal, implicit socket object.
* Thanks in no particular order to Erwin Bolwidt, Oskari Saarenmaa, Steven
  Noonan, Vladimir Lazarenko, Lincoln de Sousa, Valentino Volonghi, Olle
  Lundberg, and Github user `@acrish` for the various and sundry patches
  leading to the above changes.

v1.8.1 (6th Nov 2012)
---------------------

* #90: Ensure that callbacks handed to `SFTPClient.get()` always fire at least
  once, even for zero-length files downloaded. Thanks to Github user `@enB` for
  the catch.
* #85: Paramiko's test suite overrides
  `unittest.TestCase.assertTrue/assertFalse` to provide these modern assertions
  to Python 2.2/2.3, which lacked them. However on newer Pythons such as 2.7,
  this now causes deprecation warnings. The overrides have been patched to only
  execute when necessary. Thanks to `@Arfrever` for catch & patch.


v1.8.0 (3rd Oct 2012)
---------------------

* #17 ('ssh' 28): Fix spurious `NoneType has no attribute 'error'` and similar
  exceptions that crop up on interpreter exit.
* 'ssh' 32: Raise a more useful error explaining which `known_hosts` key line was
  problematic, when encountering `binascii` issues decoding known host keys.
  Thanks to `@thomasvs` for catch & patch.
* 'ssh' 33: Bring `ssh_config` parsing more in line with OpenSSH spec, re: order of
  setting overrides by `Host` specifiers. Specifically, the overrides now go by
  file order instead of automatically sorting by `Host` value length. In
  addition, the first value found per config key (e.g. `Port`, `User` etc)
  wins, instead of the last. Thanks to Jan Brauer for the contribution.
* 'ssh' 36: Support new server two-factor authentication option
  (`RequiredAuthentications2`), at least re: combining key-based & password
  auth. Thanks to Github user `bninja`.
* 'ssh' 11: When raising an exception for hosts not listed in
  `known_hosts` (when `RejectPolicy` is in effect) the exception message was
  confusing/vague. This has been improved somewhat. Thanks to Cal Leeming for
  highlighting the issue.
* 'ssh' 40: Fixed up & expanded EINTR signal handling. Thanks to Douglas Turk.
* 'ssh' 15: Implemented parameter substitution in SSHConfig, matching the
  implementation of `ssh_config(5)`. Thanks to Olle Lundberg for the patch.
* 'ssh' 24: Switch some internal type checking to use `isinstance` to help prevent
  problems with client libraries using subclasses of builtin types. Thanks to
  Alex Morega for the patch.
* Fabric #562: Agent forwarding would error out (with `Authentication response
  too long`) or freeze, when more than one remote connection to the local agent
  was active at the same time. This has been fixed. Thanks to Steven McDonald
  for assisting in troubleshooting/patching, and to GitHub user `@lynxis` for
  providing the final version of the patch.
* 'ssh' 5: Moved a `fcntl` import closer to where it's used to help avoid
  `ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
  catch + suggested fix.
* 'ssh' 4: Updated implementation of WinPageant integration to work on 64-bit
  Windows. Thanks again to Jason Coombs for the patch.
* Added an IO loop sleep() call to avoid needless CPU usage when agent
  forwarding is in use.
* Handful of internal tweaks to version number storage.
* Updated `setup.py` with `==dev` install URL for `pip` users.
* Updated `setup.py` to account for packaging problems in PyCrypto 2.4.0
* Added an extra `atfork()` call to help prevent spurious RNG errors when
  running under high parallel (multiprocess) load.
* Merge PR #28: https://github.com/paramiko/paramiko/pull/28 which adds a
  ssh-keygen like demo module. (Sofian Brabez)

v1.7.7.2 16may12
----------------
  * Merge pull request #63: https://github.com/paramiko/paramiko/pull/63 which
    fixes exceptions that occur when re-keying over fast connections. (Dwayne
    Litzenberger)
2012-11-27 22:13:32 +00:00
pettai
726d20d2bc SoftHSM 1.3.4 - 2012-11-24
* SOFTHSM-28: Support RSASSA-PSS signature scheme.
* SOFTHSM-29: The default location of the token database is
  now $localstatedir/lib/softhsm/.
2012-11-26 11:29:01 +00:00
joerg
4ec4d77cad Fix missing prototypes and return values and other goodies, so that it
passes -Werror with clang.
2012-11-23 12:30:01 +00:00
drochner
a95b523806 make provided/required versions match exactly - it seems that newer
tcl versions are more strict about this, should fix PR pkg/47186
by Joern Clausen
bump PKGREV
being here, set LICENSE (same as tcl)
2012-11-23 12:27:03 +00:00
gdt
0776673a99 Update to 1.10.
Change MASTER_SITE, and therefore fetch with curl.
Specify C99, after guessing that from warnings.
Enable extra warnings (reported upstream).

2012-02-29 - Version 1.10

 * PolarSSL crypto engine by Adriaan de Jong
 * build: --disable-crypto-engine-win32 renamed to --disable-crypto-engine-cryptoapi
 * api: PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_WIN32 renamed to
   PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_CRYPTOAPI.
 * api: PKCS11H_ENGINE_CRYPTO_WIN32 renamed to
   PKCS11H_ENGINE_CRYPTO_CRYPTOAPI

2011-08-16 - Version 1.09

 * Do not retry if CKR_BUFFER_TOO_SMALL and none NULL target.
 * Fixup OpenSSL engine's rsa_priv_enc to use RSA size output buffer.
2012-11-22 00:31:04 +00:00
gdt
ab17ccddf6 Take maintainership. 2012-11-21 23:32:35 +00:00
pettai
7582a13fae Version 1.9.0 (released 2012-11-08)
* ykinfo: New tool to print information about YubiKey.
* ykpersonalize: Add -z flag to zap configuration on YubiKey.
* Fix PBKDF2 implementation.
2012-11-19 11:40:27 +00:00
joerg
f59341cc1d Mark a function void that never returns a value. Provide proper return
values if in non-void functions.
2012-11-19 03:03:42 +00:00
asau
e74da60860 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-11-18 02:25:37 +00:00
sbd
22b42224de When getting a file basename strip any leading directories. 2012-11-15 03:32:00 +00:00
pettai
8e2418cca1 OpenDNSSEC 1.3.11
* OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.

Bugfixes:
* OPENDNSSEC-306: Can't delete zone until Enforcer made signerconf.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import
* OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
* OPENDNSSEC-342: Auditor comparisons made case-insensitive
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process
2012-11-13 16:32:25 +00:00
pettai
257da399e8 Added otptool 2012-11-10 22:16:40 +00:00
pettai
1cff652e1d Otptool is a client utility for two-factor authentication using one-time
passwords (OTP) generated via the HOTP/OATH algorithm defined in RFC 4226.
2012-11-10 22:13:47 +00:00
pettai
c31c20c66d Version 1.8.2 (released 2012-10-17)
* Add udev rules files to packed distribution.

Version 1.8.1 (released 2012-10-17)

* Memory leak fixes and potential crash fixes in osx backend.
* Error reporting fixes in osx backend, reporting correct errors and
  better errors.
* Provide another new udev permissions file that works on udev version
  greater than 188. Autodetects from configure which to use.
* Add new binary ykinfo, can be used to get serial number, version and
  touch level from a YubiKey.

Version 1.8.0 (released 2012-09-28)

* Added ./configure --enable-gcc-warnings to enable a lot of warnings.
* Added Continuous integration at travis-ci
  (http://travis-ci.org/#!/Yubico/yubikey-personalization)
* Added yk_challenge_response() function for doing challenge response
  with a key.
* Fixed functions for NDEF writing, adding:
  ykp_ndef_alloc(), ykp_ndef_free() and ykp_set_ndef_access_code()
  also providing compatible name YK_NDEF in ykcore.h and exporting
  yk_write_ndef() there.
  Change return values from ndef_construct_*() functions to make them
  consistent with the rest of the library.
* Fixed a crash bug when the library was called from different threads.
* Check return code from libusb_init() so we avoid crashing there.
  Also use a usb context instead of relying on default.
* Fix numerous warnings.
* Fix compilation in MSVC2010.

Version 1.7.0 (released 2012-06-07)

* Add support for new features in YubiKey 2.3:
  ALLOW_UPDATE flag that allows updating of configuration in slots.
  Update command (-u) to do update of existing config.
  Swap command (-x) to swap contents of two updatable slots
  DORMANT flag that's settable/removable if ALLOW_UPDATE is set
  USE_NUMERIC_KEYPAD flag for sending the OATH OTP using keypad scan codes
  instead
  FAST_TRIG flag for faster triggering of slot one if slot two is empty
* Change the library around some to make the 2.3 features available.
  Use ykp_alloc() instead of ykp_create_config().
  Use ykp_configure_version() instead of ykp_configure_for() to set the version.
  Use ykp_configure_command() instead of ykp_configure_for() to set slot.
  Use yk_write_command() instead of yk_write_config().
  The new commands don't set any default configuration at all.
* Add library support for the YubiKey NEO beta
  ykp_construct_ndef_uri() for preparing a URI to write.
  ykp_construct_ndef_text() for preparing a text to write.
  yk_write_ndef() to write the constructed NDEF.
* Add support for the YubiKey NEO beta
  Writing NDEF URI with -n http://example.com/foo/
  Writing NDEF Text record with -t example
2012-11-10 20:53:43 +00:00
pettai
f538cf4333 Version 2.9 (released 2012-08-07)
* Compatibility with curl versions before 7.20.
* Fix signature checking on ARM (at least).
2012-11-10 19:17:26 +00:00
pettai
31d5b7b05d Version 1.12.6 (released 2012-09-04)
* liboath: The usersfile is now fflush'ed and fsync'ed.
* liboath: A memory leak fixed.
* oathtool: The --counter parameter now works on 32-bit platforms.
* API and ABI is backwards compatible with the previous version.
  OATH_FILE_FLUSH_ERROR: Added.
  OATH_FILE_SYNC_ERROR: Added.
  OATH_FILE_CLOSE_ERROR: Added.
  OATH_LAST_ERROR: Added.

Version 1.12.5 (released 2012-08-19)

* oathtool: The --counter parameter now supports larger values.
  Before it used an 'int' type and now it uses a 'longlong' type.
  Needed for eSecuTech tokens as they use a 64-bit value for their
  initial counter. see <https://savannah.nongnu.org/support/?108114>.
* Added gnulib self-tests.
* API and ABI is backwards compatible with the previous version.

Version 1.12.4 (released 2012-06-17)

* liboath: Usersfile code handles multiple lines for a single user.
  This can be used when a single user carries multiple tokens (with
  different OATH secrets) and any of them should be permitted.
* API and ABI is backwards compatible with the previous version.

Version 1.12.3 (released 2012-05-31)

* pam_oath: Fix "try_first_pass".
* API and ABI is backwards compatible with the previous version.

Version 1.12.2 (released 2012-04-04)

* liboath: usersfile function now works on FreeBSD.
* tests: liboath usersfile self-test is skipped if there is no datefudge.
* API and ABI is backwards compatible with the previous version.

Version 1.12.1 (released 2012-04-01)

* liboath, oathtool: Base32 decoding now permits lowercase characters.
* API and ABI is backwards compatible with the previous version.

Version 1.12.0 (released 2012-04-01)

* oathtool: Added --base32 parameter to decode base32 keys.
* oathtool: Verbose output (-v) now prints key data in base32 format too.
* liboath: Added base32 functions.  Added hex encoding function.
  The new APIs are oath_bin2hex, oath_base32_decode, and
  oath_base32_encode.
* liboath: Gnulib's snprintf is used for better portability.
  The system snprintf is known to have bugs on some systems, see the
  Gnulib manual for more information.
* API and ABI is backwards compatible with the previous version.
  oath_bin2hex: New function.
  oath_base32_decode: New function.
  oath_base32_encode: New function.
  OATH_INVALID_BASE32: New error code.
  OATH_BASE32_OVERFLOW: New error code.
  OATH_MALLOC_ERROR: New error code.
2012-11-10 18:07:44 +00:00
pettai
156040d6da 1.1.4
- Fix X-HKP-Results-Count so that limit=0 returns no results, but include
    the header, to let a client poll for how many results exist, without
    retrieving any. See:
    http://lists.nongnu.org/archive/html/sks-devel/2010-11/msg00015.html
  - Add UPGRADING document to explain upgrading Berkeley DB without
    rebuilding. System bdb versions often change with new SKS releases
    for .deb and .rpm distros.
  - Cleanup build errors for bdb/bdb_stubs.c. Patch from Mike Doty
  - Update cryptokit from version 1.0 to 1.5 without requiring OASIS
    build system or other additional dependencies
  - build, fastbuild, & pbuild fixed to ignore signals USR1 and USR2
  - common.ml and reconSC.ml were using different values for minimum
    compatible version. This has been fixed.
  - Added new server mime-types, and trying another default document (Issue 6)
    In addition to the new MIME types added in 1.1.[23], the server now
    looks over a list and serves the first index file that it finds
    Current list: index.html, index.htm, index.xhtml, index.xhtm, index.xml.
  - options=mr now works on get as well as (v)index operations. This is
    described in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
    sections 3.2.1.1. and 5.1.
  - Updated copyright notices in source files
  - Added sksclient tool, similar to old pksclient
  - Add no-cache instructions to HTTP response (in order for reverse proxies
    not to cache the output from SKS)
  - Use unique timestamps for keydb to reduce occurrences of Ptree corruption.
  - Added Interface specifications (.mli files) for modules that were missing
    them
  - Yaron pruned some no longer needed source files from the tree.
  - Improved the HTTP status and HTTP error codes returned for various
    situations and added checks for more error conditions.
  - Add a suffix to version (+) indicating non-release or development builds
  - Add an option to specify the contact details of the server administrator
    that shows in the status page of the server. The information is in the
    form of an OpenPGP KeyID and set by server_contact: in sksconf
  - Add a `sks version` command to provide information on the setup.
  - Added configuration settings for the remaining database table files. If
    no pagesize settings are in sksconf, SKS will use 2048 bytes for key
    and 512 for ptree. The remaining files' pagesize will be set by BDB
    based on the filesystem settings, typically this is 4096 bytes.
    See sampleConfig/sksconf.typical for settings recommended by db_tuner.
  - Makefile: Added distclean target. Dropped autogenerated file from VCS.
  - Allow tuning BDB environment before creation in [fast]build and pbuild.
    If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
    Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
  - Add support for Elliptic Curve Public keys (ECDSA, ECDH)
  - Add check if an upload is a revocation certificate, and if it is,
    produce an error message tailored for this.

1.1.3
  - Makefile fix for 'make dep' if .depend does not exist. Issue #4
  - Makefile fix: sks and sks_add_mail fail to link w/o '-ccopt -pg'
    Issue #23
  - Added -disable_mailsync and -disable_log_diffs to sks.pod
  - Added file extensions .css, .jpeg, .htm, .es, .js, .xml, .shtml, .xhtm,
    .xhtml and associated MIME types to server code. Part of Issue #6
  - Added sample configuration files in sampleConfig directory
  - Added sample web page files in sampleWeb directory. Issues #7, 9, 19
  - Allow requests for non-official options hget, hash, status, & clean to
    be preceded by '-x'. Closes issues #10, 11, 13, & 14.
  - Allow &search with long subkey ID (16 digit) and subkey fingerprint
    subkey lookup was failing with other than a short key ID. However,
    public key lookup was working with short and long key ID and fingerprints.
    This patch makes subkey lookup behave the same as full key lookup.
    http://lists.gnupg.org/pipermail/gnupg-users/2012-January/043495.html
  - Patch recon script so that POST includes HTTP version number.
2012-11-10 14:24:44 +00:00
manu
e12e7d7167 Update crudesaml to 1.4: fix build problems 2012-11-08 08:48:13 +00:00
wiz
8106bbc336 Bump PKGREVISION for patch replacements. 2012-11-07 21:07:51 +00:00
wiz
6c79a95d8c Use upstream version of dlerror() fix. 2012-11-07 21:07:37 +00:00
joerg
c232a178b7 Don't use nested functions. Bump revision. 2012-11-07 15:31:23 +00:00
wiz
1a62863a79 Remove it-seems-unneeded FreeBSD changes that were long commented out. 2012-11-07 12:24:39 +00:00
wiz
cc77ede427 Use just committed upstream change addressing c99 inline semantics. 2012-11-07 12:23:23 +00:00
wiz
8cac6c6f82 + kpcli 2012-11-07 10:32:44 +00:00
wiz
a7adefc632 Import kpcli-1.5 as security/kpcli.
A command line interface (interactive shell) to work with KeePass
1.x and 2.x database files.
2012-11-07 10:32:30 +00:00
wiz
7eb6ad50a5 + p5-File-KeePass 2012-11-07 10:24:05 +00:00
wiz
81286bf5c5 Import p5-File-KeePass-2.03 as security/p5-File-KeePass.
File::KeePass gives access to KeePass version 1 (kdb) and version
2 (kdbx) databases.

The version 1 and version 2 databases are very different in
construction, but the majority of information overlaps and many
algorithms are similar. File::KeePass attempts to iron out as many
of the differences.

File::KeePass gives nearly raw data access. There are a few utility
methods for manipulating groups and entries. More advanced manipulation
can easily be layered on top by other modules.

File::KeePass is only used for reading and writing databases and
for keeping passwords scrambled while in memory. Programs dealing
with UI or using of auto-type features are the domain of other
modules on CPAN. File::KeePass::Agent is one example.
2012-11-07 10:23:32 +00:00
drochner
7200cc5463 update to 3.0.25
changes:
--bugfixes
-added an OCSP function
2012-11-06 19:01:36 +00:00
abs
64d8a9d377 Add .include "../../devel/zlib/buildlink3.mk"
Needed on at least CentOS 6.3
2012-11-05 15:03:14 +00:00
pettai
e8f5d0cb4a Added py-Des 2012-11-04 21:58:29 +00:00
pettai
0e7a78c2ad This is a pure python implementation of the DES encryption algorithm.
It is in pure python to avoid portability issues, since most DES
implementations are programmed in C (for performance reasons).

Triple DES class is also implemented, utilising the DES base. Triple DES
is either DES-EDE3 with a 24 byte key, or DES-EDE2 with a 16 byte key.
See the "About triple DES" section below for more info on this algorithm.

The code below is not written for speed or performance, so not for those
needing a fast des implementation, but rather a handy portable solution
ideal for small usage.
2012-11-04 21:57:11 +00:00
joerg
d7aec867fe Don't order function pointers directly. Don't use non-literals as format
strings. Fix return type of intermediate used for return value of
wcrtomb.
2012-11-01 19:32:44 +00:00
wiz
76a8d9ee20 Update HOMEPAGE, from diro@nixsyspaus.org in PR 47148. 2012-10-31 22:45:47 +00:00
wen
834089b7e6 Update to 2.31
Upstream changes:
2.31    Tue Oct 30 07:03:40 EDT 2012
	- Fixes to regular expressions to avoid rare failures to
          correctly strip padding in decoded messages.
        - Add padding type = "none".
        - Both fixes contributed by Bas van Sisseren.
2012-10-30 14:35:37 +00:00
markd
c929595f7b Update to 0.4.3
4+ years worth of patches.
2012-10-28 02:00:50 +00:00
wiz
81a321a361 + KeePass. 2012-10-27 22:19:01 +00:00
wiz
787b9e1c3a Import KeePass-2.20.1 as security/KeePass.
Today you need to remember many passwords. You need a password for
the Windows network logon, your e-mail account, your website's FTP
password, online passwords (like website member account), etc. etc.
etc. The list is endless. Also, you should use different passwords
for each account. Because if you use only one password everywhere
and someone gets this password you have a problem... A serious
problem. The thief would have access to your e-mail account, website,
etc. Unimaginable.

KeePass is a free open source password manager, which helps you to
manage your passwords in a secure way. You can put all your passwords
in one database, which is locked with one master key or a key file.
So you only have to remember one single master password or select
the key file to unlock the whole database. The databases are
encrypted using the best and most secure encryption algorithms
currently known (AES and Twofish).
2012-10-27 22:18:50 +00:00
wiz
0a9e42828d Add comments to patches. 2012-10-27 17:39:12 +00:00
joerg
eec1865445 Use void for a few functions that need it. 2012-10-26 20:24:19 +00:00
joerg
e11169fee0 Allow unprivileged build on NetBSD, if bind is in base. 2012-10-24 16:05:15 +00:00
manu
e69b457213 Restore opensc-pkcs11.so functionality on NetBSD-6.0. libpthread shall
not be loaded by dlopen(), therefore we remove the useless dependency on
-lpthread
2012-10-24 09:01:40 +00:00
manu
e5cd2cc7aa Restore opensc-pkcs11.so functionality on NetBSD-6.0. libpthread shall
not be loaded by dlopen(), therefore we remove the useless dependency on
-lpthread
2012-10-24 08:33:51 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
manu
c6fc7dbcf6 Upgrade to lasso 2.3.6 in order to completely fix the libxml 2.9 dependency
ChangeLog Since 2.3.5:
 * fix a bug when receiving a signature using the InclusiveNamespaces
   PrefixList by copying namespace declaration from upper level at the level of
   the signed node.
 * fix compilation warning on recent version of GCC
2012-10-23 18:16:15 +00:00
schmonz
34a76f57a2 Restore INSTALLATION_DIRS and krb5.buildlink3.mk, lost in previous.
Indent while here.
2012-10-23 13:02:08 +00:00
elric
91a44af1fa Update to knc 1.7. 2012-10-23 06:04:28 +00:00
wiz
bf2203469a Update to 1.49:
1.49 2012-09-25
     Fixed problem where on some platforms test t/local/07_tcpecho.t would
     bail out if it could not bind port 1212. It now tries a number of ports to bind to until
     successful.
     Improvements to unsigned casting contributed by Reini Urban.
     Improvements to Net::SSLeay::read to make it easier to use with non-blocking IO:
      contributed by James Marshall:  It modifies
      Net::SSLeay::read() to return the result from SSL_read() as the second
      return value, if Net::SSLeay::read() is called in list context.  Its
      behavior should be unchanged if called in scalar or void context.  This
      result code seems to be required for full support of non-blocking I/O,
      since users need to handle SSL_ERR_WANT_READ, SSL_ERROR_WANT_WRITE, etc.
      Fixed a problem where t/local/kwalitee.t fails with
       Module::CPANTS::Analyse 0.86. Patch from Paul.
      Fixed a number of typos patched by Giles.
      Fixed a compiler warning from Compiling with gcc-4.4 and -Wall, patched by Giles.
      Fixed problems with get_https4: documentation was wrong, $header_ref was
       not correctly set and $server_cert was not returned.
      Fixed a problem that could cause a Perl exception about no blength
      method on undef. Reported by "Stephen J. Smith via RT". https://rt.cpan.org/Ticket/Display.html?id=79309
      Added documentation about how to mitigate various SSL/TLS
     vulnerabilities.
     Fixed problem reported by Mike Doherty: SSL_MODE_* are defined in ssl.h,
     and should be available as constants, but I do not see them listed in constants.h
2012-10-21 22:28:16 +00:00
wiz
ca6e77764b Update to 20120823. Replace interpreter in installed file.
20120823
  - Fix test (RT#79129, reported by Sinan Unur)

20120822
  - Add mk-ca-bundle.pl from git repository to distribution.
  - Add new/additional certificates from the following CAs: Verisign,
    UTN-USER, UTN USERFirst, Sonera, NetLock Qualified, SwissSign
    Platinum, S-TRUST, ComSign, Actalis, Trustis, StartCom, Buypass.
2012-10-21 22:25:19 +00:00