o Utilize textproc/expat/buildlink.mk.
o Install data file to ${LOCALBASE}/libdata/rats instead of ${LOCALBASE}/lib.
It seems that Changes isn't available but PHP support was added.
469) Older versions of BSDi have getifaddrs() but no freeifaddrs().
470) BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.
471) Ignore the return value of pam_setcred(). In Linux-PAM 0.75,
pam_setcred() will return PAM_PERM_DENIED even if the setcred function
of the module succeeds when pam_authenticate() has not been called.
472) Avoid giving PAM a NULL password response, use the empty string instead.
This avoids a log warning when the user hits ^C at the password prompt
when Linux-PAM is in use. This also prevents older versions of
Linux-PAM from dereferencing the NULL pointer.
473) The user's password was not zeroed after use when AIX authentication,
BSD authentication, FWTK or PAM was in use.
Sudo 1.6.5p2 released.
+ Set local $SIG{PIPE} = \&die before $ssl->connect()
to capture the "broken pipe" error associated with connecting
to a computer that is not running a SSL web server
+ Documented differences / conflicts between LWP proxy support
and Crypt::SSLeay which seems to be a source of confusion for users.
+ Added Net::SSL::get_peer_verify call so the warning header
from LWP that says:
Client-SSL-Warning: Peer certificate not verified
can be suppressed when HTTPS_CA_FILE & HTTPS_CA_DIR environment
variables are set to invoke peer certificate verification.
+ $ENV{HTTPS_DEBUG} activates Crypt::SSLeay specific debugging,
so one can debug from LWP:: calls without using ./net_ssl_test script
- removed exit from Makefile.PL
+ Streamlined *CA* patches so only in $CTX->set_verify()
which gets called every time now.
+ Throw error instead of return undef in Net::SSL->connect()
because we loose the errors otherwise.
- Turn SSL_MODE_AUTO_RETRY on so clients can survive
changes in SSLVerifyClient changes in the modssl connection
+ Integrated patches from Gamid Isayev for CA peer verification.
- Client certs weren't working correctly, setup certs earlier in connection
now, also create new CTX per request, so cert settings don't remain
sticky from one request to the next.
+ update ./net_ssl_test to do smart parsing of host, where
host can now be of the form http://www.nodeworks.com:443/
- local $@ in Net::SSL::DESTROY so we don't kill real errors
- return undef in Net::SSL::connect() instead of die() for better LWP
support & error handling.
+ alarm() on Unix platforms around ssl ctx connect, which can hang for
process for way too long when trying to connect to dead https SSL servers.
Fixes PR/15053 by Shell Hung.
467) Visudo could access memory that was already freed.
468) If the skey.access file denied use of plaintext passwords sudo
would exit instead of allowing the user to enter an S/Key.
Sudo 1.6.5p1 released.
Added --disable-root-mailer to CONFIGURE_ARGS better security.
Changes from 1.6.3p7 to 1.6.5 is attached bellow.
417) Visudo now checks for the existence of an editor and gives a sensible
error if it does not exist.
418) The path to the editor for visudo is now a colon-separated list of
allowable editors. If the user has $EDITOR set and it matches
one of the allowed editors that editor will be used. If not,
the first editor that actually exists is used.
419) Visudo now does its own fork/exec instead of calling system(3).
420) Allow special characters (including '#') to be embedded in pathnames
if quoted by a '\\'. The quoted chars will be dealt with by fnmatch().
Unfortunately, 'sudo -l' still prints the '\\'.
421) Added the always_set_home option.
422) Strip NLSPATH and PATH_LOCALE out from the environment to prevent
reading of protected files by a less privileged user.
423) Added support for BSD authentication and associated -a flag.
424) Added check for _innetgr(3) since NCR systems have this instead
of innetgr(3).
425) Added stay_setuid option for systems that have libraries that perform
extra paranoia checks in system libraries for setuid programs.
426) Environment munging is now done by hand. The environment is zeroed
upon sudo startup and a new environment is built before the command
is executed. This means we don't rely on getenv(3), putenv(3),
or setenv(3).
427) Added a class of environment variables that are only cleared if they
contain '/' or '%' characters.
428) Use stashed user_gid when checking against exempt gid since sudo
sets its gid to SUDOERS_GID, making getgid() return that, not the
real gid. Fixes problem with setting exempt group == SUDOERS_GID.
Fix from Paul Kranenburg.
429) Fixed file locking in visudo on NeXT which has a broken lockf().
Patch from twetzel@gwdg.de.
430) Regenerated configure script with autoconf-2.52 (required some
tweaking of configure.in and friends).
431) Added mail_badpass option to send mail when the user does not
authenticate successfully.
432) Added env_reset Defaults option to reset the environment to
a clean slate. Also implemented env_keep Defaults option
to specify variables to be preserved when resetting the
environment.
433) Added env_check and env_delete Defaults options to allow the admin
to modify the builtin list of environment variables to remove.
434) If timestamp_timeout < 0 then the timestamp never expires. This
allows users to manage their own timestamps and create or delete
them via 'sudo -v' and 'sudo -k' respectively.
435) Authentication routines that use sudo's tgetpass() now accept
^C or ^Z at the password prompt and sudo will act appropriately.
436) Added a check-only mode to visudo to check an existing sudoers
file for sanity.
437) Visudo can now edit an alternate sudoers file.
438) If sudo is configured with S/Key support and the system has
skeyaccess(3) use that to determine whether or not to allow
a normal Unix password or just S/Key.
439) Fixed CIDR handling in sudoers.
440) Fixed a segv if the local hostname is not resolvable and
the 'fqdn' option is set.
441) "listpw=never" was not having an effect for users who did not
appear in sudoers--now it does.
442) The --without-sendmail option now works on systems with
a /usr/include/paths.h file that defines _PATH_SENDMAIL.
443) Removed the "secure_path" Defaults option as it does not work and
cannot work until the parser is overhauled.
444) Added new -P flag and "preserve_groups" sudoers option to cause
sudo to preserve the group vector instead of setting it to that
of the target user. Previously, if the target user was root
the group vector was not changed. Now it is always changed unless
the -P flag or "preserve_groups" option was given.
445) If find_path() fails as root, try again as the invoking user (useful
for NFS). Idea from Chip Capelik.
446) Use setpwent()/endpwent() and its shadow equivalents to be sure
the passwd/shadow file gets closed.
447) Use getifaddrs(3) to get the list of network interfaces if it is
available.
448) Dump list of local IP addresses and environment variables to clear
when 'sudo -V' is run as root.
449) Reorganized the lexer a bit and added more states. Sudo now does a
better job of parsing command arguments in the sudoers file.
450) Wrap each call to syslog() with openlog()/closelog() since some
things (such as PAM) may call closelog(3) behind sudo's back.
451) The LOGNAME and USER environment variables are now set if the user
specified a target uid and that uid exists in the password database.
452) configure will no longer add the -g flag to CFLAGS by default.
453) Now call pam_setcreds() to setup creds for the target user when
PAM is in use. On Linux this often sets resource limits.
454) If "make install" is run by non-root and the destination dir
is writable, install things normally but don't set owner and mode.
455) The Makefile now supports installing in a shadow hierarchy
specified via the DESTDIR variable.
456) config.h.in is now generated by autoheader.
Sudo 1.6.4 released.
457) Move the call to rebuild_env() until after MODE_RESET_HOME is set.
Otherwise, the set_home option has no effect.
458) Fix use of freed memory when the "fqdn" flag is set. This was
introduced by the fix for the "segv when gethostbynam() fails" bug.
459) Add 'continue' statements to optimize the switch statement.
From Solar Designer.
Sudo 1.6.4p1 released.
460) Some special characters were not being escaped properly (e..g '\,')
in command line arguments and would cause a syntax error instead.
461) "sudo -l" would not work if the always_set_home option was set.
462) Added a configure option to disable use of POSIX saved IDs for
operating systems where these are broken.
463) The SHELL environment variable was preserved from the user's environment
instead of being reset based on the passwd database even when the
"env_reset" option was set.
Sudo 1.6.4p2 released.
464) Added a configure option to cause mail sent by sudo to be run as
the invoking user instead of root. Some people consider this to
be safer.
465) If the mailer is being run as root, use a hard-coded environment
that is not influenced in any way by the invoking user's environment.
466) Fixed the call to skeyaccess(). Patch from Phillip E. Lobbes.
Sudo 1.6.5 released.
* The list of keyservers is now read form the file "keyservers" in the
GPA configuration directory which by default is ~/.gnupg. The new
option keyserver may be used in the gpa.conf file to select the
default keyserver - it implictly adds this server to the list of
keyservers.
hierarchy. Whilst this is not desirable, it's the only way to get this
package to execute properly, since it makes assumptions about absolute
and relative paths, and expects its own versions of certain commands (md5,
file), so it's best to keep these off to one side.
Here is quote from README.
$Id: README,v 1.3 2001/11/18 19:00:06 majkl Exp $
'OpenSSL for Ruby' project
Copyright (C) 2001 Michal Rokos <m.rokos@sh.cvut.cz>
All rights reserved.
This program is licenced under the same licence as Ruby.
(See the file 'LICENCE'.)
[Done] (but not fully tested)
= OpenSSL config file parser (part) --- TO BE DROPPED? (any idea?)
= PKey:: RSA,DSA keys - new, load, export
= X509::Certificate - generating new certs, load, looking inside
= X509::CRL - load, new, looking inside
= X509::Name - new, export to_str, to_a, to_h (hash)
= X509::Revoked - new, looking inside (on parameters)
= X509::Store - new, import trusted certs and CRL, verifiing certs
= Digest::... - various hashes
= X509::Request - Cert requests
= X509::Attribute - as X509Request extensions (not tested)
= X509::Extension - to Certs, CRLs...
= X509::ExtensionMaker - for easy creating new Extensions
= Netscape::SPKI - for requests from NetscapeCommunicators
= Cipher::... - various ciphers
= basic PRNG functions (random generator) for OpenSSL module and class Random
= SSLSocket (merged Gotou Yuuzou's SSLsocket-Ruby project)
= PKCS7 (signing&data_verify is working, rest needs some testing)
[To-Do]
= check for memory leaking :-))
= cleaner code
= examples
= RubyUnit to be used!
= API documentation
= comments to sources!!!
= further functionality to existing
= Std. Extensions, Attributes to be made as Classes?
= AttributeFactory?
= add aliases to to_pem as s_dump s_load to support Marshal module
= CipherFactory?
= autogen random IVs for Ciphers
= safe BigNums
= PKCS12
= PKCS8
= HMAC
= ASN.1 ???
= BIO ???
= compat tests for RSA/DSA sign/encrypt
appropriate place. Pointed out in private mail by someone who wishes
to remain anonymous.
XXX The PLIST's location for these files needs to be fixed by someone
more knowledgable than me in these black arts.
- str[n]{cpy,cat} -> strl{cpy,cat}, sprintf -> snprintf
- strftime format fixes
- Don't hang waiting for select() with SIGTERM + no active SA
- Add UI option 'R' to trigger isakmpd reinit (same as SIGHUP)
...
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/
* Added a "--local" option for removing the ${HOSTNAME} from the various
files that keychain creates. Handy for non-NFS users.
* Using the Bourne shell "type" builtin rather than using the external
"which" command. Should make things a lot more robust and slightly
faster.
* Solaris' "which" command outputs "no lockfile in..." to stdout rather
than stderr. A one-line fix (test the error condition) has been
applied.
* lockfile settings tweak
* If you stop making progress providing valid passphrases, it's three
strikes and you're out.
* Some private keys can't be "ssh-keygen -l -f"'d; this patch causes
keychain to look for the corresponding public key if the private
key doesn't work. Thanks Constantine!
* CYAN color misdefined; fixed.
* A "quiet mode" (--quiet) fix; I missed an "echo".
* Missed another "kill -9"; it's now gone.
TCT is a collection of programs by Dan Farmer and Wietse Venema for a
post-mortem analysis of a UNIX system after break-in.
Notable TCT components are the grave-robber tool that captures
information, the ils and mactime tools that display access patterns of
files dead or alive, the unrm and lazarus tools that recover deleted
files, and the findkey tool that recovers cryptographic keys from a
running process or from files.
WARNING
This software is not for the faint of heart. It is relatively
unpolished compared to the software that Dan and Wietse usually
release. TCT can spend a lot of time collecting data. And although
TCT collects lots of data, many analysis tools still need to be
written.
Based on patches provided in PR 15081 by frazee.23@osu.edu.
- Fixed a bug in the mcrypt extension, where list destructors were not
properly being allocated. (Sterling)
- Fixed bugs in the mcrypt extension that caused crashes. (Derick)
1.0.10 :
Changes by Michael Scheidell <scheidell@fdma.com> :
- Backported Nessus 1.1.x plugins changes in nessus-plugins
Changes by Renaud Deraison <deraison@nessus.org> :
- Minor fixes
- Format string bug fixed in protocol.c
smtp, pop3 and nntp in client mode were affected.
(stunnel clients could be attacked by malicious servers)
- Certificate chain can be supplied with -p option or in stunnel.pem.
- Problem with -r and -l options used together fixed.
- memmove() instead of memcpy() is used to move data in buffers.
- More detailed information about negotiated ciphers is printed.
- New ./configure options: "--enable-no-rsa" and "--enable-dh".
