you think you might have read the openssl man pages one time too much for
your own sanity, you might like this package.
Certificate Service Provider is a perl wrapper around openssl that allows you
to run multiple simple certificate authorities (CAs). CSP is designed to be
simple (almost to a fault) and is ideally suited to small PKIs (< 1000
entities) where security is paramount. CSP is meant to be run on isolated,
offline computers while still allowing CRLs and certificate repositories to be
easily published.
The package includes a patch that lets the program run out-of-the-box,
without setting up CSPHOME and OPENSSL in the environment. Defining them
is of course still permitted.
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2005q4/000312.html
Noted by waldeck of hk2.uwaterloo.ca via pkgsrc-bugs.
Bump PKGREVISION.
Tested build on NetBSD and Linux. Tested dropbear server on NetBSD.
(This is during a freeze. Other stuff to be done later:
update to latest version. Install man pages. Mention "client" in
COMMENT and DESCR. Use CONF_FILES and sysconfdir. And maybe install the
"scp" tool also.)
Bugs fixed since 2.0.9:
* bug #1349326 "ulogd option does not work". There was a typo in the
class iptAdvancedDialog ( 'useULOG' instead of 'use_ULOG' )
* bug #1315892: "fwbuilder crashes on missing OS template" The GUI
crashed if user added new hostOS or firewall platform template under
resources/os or resources/platforms, then reinstalled the package (and
therefore lost their custom template files), then tried to open
firewall or host OS settings dialog for the object using new template.
* bug #1305933: "fwbuilder/Solaris: compilation errors". Another case of
implicit type conversion QString->string which does not compile on
systems with QT built w/o STL support.
* bug #1304878: fwbuilder: signal.h required (Solaris). Using
'AC_CHECK_HEADERS([signal.h])' in configure.in to check for the
appropriate #include.
* bug #1304764: "configure script: Sun make check fails". Need to use
${MAKE-make} instead of $ac_make when checking for GNU make.
* bug #1304785: "fwbuilder - Solaris has no libutil". Using better way
to check whether we need to link with libutil.
Bugs fixed in policy compiler for iptables since 2.0.9:
* bug #1342495: "SNAT with address range". Compiler used to print
warning "Adding virtual addresses for NAT is not supported for
address range" even if adding virtual addresses for NAT was turned off.
* bug #1313420: "OUTPUT chain is built wrong under certain conditions."
Rules that have firewall in SRC and DST, while DST has negation,
should be split so that the second generated rule goes into OUTPUT
chain rather than FORWARD
Change most pkgs to depend on either
emulators/suse_linux/Makefile.application (normal pkgs) or
Makefile.common (suse91 and suse themselves) to filter out Operating
Systems without Linux ABI support. Use CPU masks to limit the pkg to
supported platforms.
5.31 Mon Sep 5 00:52:42 MST 2005
- added standard tests for pod and pod-coverage checking
- inserted subtest to check for failure when using
unrecognized SHA algorithm
5.30 Sat Aug 20 16:46:08 MST 2005
- updated docs with recent NIST statement on SHA-1
-- advises use of larger and stronger hash functions
(i.e. SHA-224/256/384/512) for new developments
5.29 Sun Aug 14 04:48:34 MST 2005
- added explicit casts in "shaload" routine (ref. "ldvals")
-- thanks to E. Allen Smith for pointing out SGI compiler
warnings on IPxx-irix platforms
- updated docs with cautionary note about SHA-1
o A small bug was fixed in the check-updates.pl program where the updater
wouldn't find the DEF files to update.
o Bug in CHM mini-scanner which could lead to crashes was fixed
o f-prot-milter wouldn't run on Solaris 10 because of library issues
o Fixes an issue where the scanner would sometimes mis-identify .alr
files as base64 coded executables
o Fix where '-list' option to f-prot would not list the filenames of
text-based archives, such as MIME containers.
o Fix where certain executables would be mis-identified as UPX packed
o Fix where UTF8 coded text files would not be scanned
o Fix a crash issue when scanning .chm files containing strange header
values
o Updated error message when access is denied to files due to user
permission problems
o F-Prot 4.6.0 contains scanning engine version 3.16.7 which improves
detection capabilities significantly and improves several scanning
methods along with bugfixes.
MD4 Collision Generation
Faster implementation of techniques described in Cryptanalysis for
Hash Functions MD4 and RIPEMD, by Xiaoyun Wang, et al.
Average runtime on P4 1.6ghz - 5 seconds
MD5 Collision Generation
Faster implementation of techniques in How to Break MD5 and Other Hash
Functions, by Xiaoyun Wang, et al.
Old (Wang, et al.) average run time on IBM P690 supercomputer - 1 hour
New average run time on P4 1.6ghz PC - 45 minutes
Describe -K. Improve -i description. Sort options in SYNOPSIS. Remove
superfluous .Pp. Add EXIT STATUS section. Remove trailing whitespace.
Bump date for new -i.
the improved ALLOW_VULNERABILITIES support. This now has the ability to:
-p : Only check a single package
-i : Provide a list of vulnerabilities to ignore
-K : Specify an alternate pkg dbdir.
Bump the version to 0.40.
* Version 1.2.9 (2005-11-07)
- Documentation was updated and improved.
- RSA-MD2 is now supported for verifying digital signatures.
- Due to cryptographic advances, verifying untrusted X.509
certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
GNUTLS_CERT_INSECURE_ALGORITHM verification output. For
applications that must remain interoperable, you can use the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
flags when verifying certificates. Naturally, this is not
recommended default behaviour for applications. To enable the
broken algorithms, call gnutls_certificate_set_verify_flags with the
proper flag, to change the verification mode used by
gnutls_certificate_verify_peers2.
- Make it possible to send empty data through gnutls_record_send,
to align with the send(2) API.
- Some changes in the certificate receiving part of handshake to prevent
some possible errors with non-blocking servers.
- Added numeric version symbols to permit simple CPP-based feature
tests, suggested by Daniel Stenberg <daniel@haxx.se>.
- The (experimental) low-level crypto alternative to libgcrypt used
earlier (Nettle) has been replaced with crypto code from gnulib.
This leads to easier re-use of these components in other projects,
leading to more review and simpler maintenance. The new configure
parameter --with-builtin-crypto replace the old --with-nettle, and
must be used if you wish to enable this functionality. See README
under "Experimental" for more information. Internally, GnuTLS has
been updated to use the new "Generic Crypto" API in gl/gc.h. The
API is similar to the old crypto/gc.h, because the gnulib code were
based on GnuTLS's gc.h.
- Fix compiler warning in the "anonself" self test.
- API and ABI modifications:
gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
This doesn't reflect a change in behaviour,
so we don't break backwards compatibility.
GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values.
Use when calling
gnutls_x509_crt_list_verify,
gnutls_x509_crt_verify, or
gnutls_certificate_set_verify_flags.
GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
used when broken signature algorithms
is used (currently RSA-MD2/MD5).
LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR,
LIBGNUTLS_VERSION_PATCH,
LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
version number, can be used for feature existence
tests.
(The presence of this sync(2) call is somewhat suspect, given that the
call guarantees almost nothing in today's virtual memory implementations,
but it is left in for other OS's that do support it.)
${PREFIX}/share/examples/smtpd, the spool setup moved into a newly added
rc script. This also handles missing configurations files better, since
the old post-install would fail e.g. if no local time was configured.
Bump revision.
* keychain 2.6.1 (10 Oct 2005)
10 Oct 2005; Aron Griffis <agriffis@gentoo.org>:
Change "unset evalopt" to "evalopt=false" and run through *all* the regression
tests instead of just the new ones. *sigh*
* keychain 2.6.0 (10 Oct 2005)
10 Oct 2005; Aron Griffis <agriffis@gentoo.org>:
Add the --eval option which makes keychain startup easier. See the man-page
for examples. Get rid of the release notes from README, so now this file is
where changes are tracked.
Changes since version 2.0.6:
Version 2.0.9 -- This is a bug fix release
What's new:
* support for Cisco FWSM.
* Print comments on objects.
* Add "commit" menu item.
* Spanish translation has been added.
Bugs fixed in the GUI:
* bug #1254775: "RCS checkin fails on Windows when data file is too
big".
* bug #1226069: "Segfault: Drag&Drop between two instances".
* bugs #1233165: "Illegal Logging-Limit string" and #1287755: "i18n is
breaking iptables script".
* bug #1240205: "Iilegal --log-level Information".
* bug #1277129: "script is truncated when installed by the GUI running
on Mac".
Bugs fixed in policy compiler for PF:
* bug #1276083: "Destination NAT rules". Old restriction on "rdr" rules.
Version 2.0.8 -- This is a bug fix release
What's new:
* Improvements in the GUI:
* Included updated German translation by Hans Peter Dittler.
* Print RCS Log".
* Code changes to make the code compile and work on Solaris.
* Improvements in policy compilers for pf, ipf, ipfw:
* implemented support for subnets for backup ssh access for
pf,ipf,ipfw.
* Improvements in compiler for ipfw:
* using rule sets to atomically swap old and new rules.
* added "established" rule on top of the regular backup ssh access rule.
Bugs fixed in the Standard Objects library:
* bug #210518: 'Incorrect ending day in the standard object "weekends"'.
Bugs fixed in scripts and tools:
* bug #1200902: "fwb_compile_all does not work in 2.0".
Bugs fixed in GUI:
* bug #1072842: "fwbuilder: Solaris and forkpty".
* bug #1201406: "shutdown messages should be suppressed".
* bug #1204067: "incorrect timezone handling in RCS".
* bug #1207983: "incorrect size of "I" and "L" buttons in the group view
dialog".
* bug #1212121: "sudo shutdown doesn't work".
* bug #1212123: "executing file below /tmp as root".
* bug #1212179: "tool tips for TCP services cuts off some services".
* bug #1213361: "PF on FreeBSD-5.4R".
Bugs fixed in policy compiler for iptables:
* bug #191423: "Weekend Time restriction not created correctly".
* bug #1205665: "Error with summer time when compiling script".
* bug #1215279: "rate limiting rule logs everything".
Bugs fixed in policy compiler for ipfw:
* bug #1155351: "Remote install of FW rulset fails due to race
condition".
Version 2.0.7 -- This is a bug fix release
What's new:
* Improvements in the GUI:
* "Close" button should change is caption/title to "Install".
* "Search for IP Addresses".
* Support for SNMP operations has been added in Windows packages of
Firewall Builder.
* Improvements in built-in installer:
User can specify additional command line parameters for ssh that
built-in installer runs to access firewall.
* Improvements in compiler for ipfilter fwb_ipf:
Added support for dynamic addresses in ipfilter.
* Improvements in compiler for iptables fwb_ipt:
Generated iptables script sets default policies to DROP in all ipv6
filter chains.
Bugs fixed in GUI:
* bug #1151052: "Not external interfaces marked as external".
* bug #1151212: "Collapsed sub-objects shouldn't be added if they are
hidden".
* bug #1151243: "Maintain format of description text".
* bug #1155163: "print does not print group contents".
* bug #1172620: "Add tcp service object for icslap".
* bug #1184791: "can not copy/paste multiple objects into a group".
Bugs fixed in API:
* bug #1158870: "mutexes are not properly created on FreeBSD".
* bug #1151219: "New Host creation window is not well dimensioned".
* bug #1157976: "patches to make fwbuilder compile under NetBSD 1.6".
* bug #1173801: '"&" character in prolog/epilog'.
Bugs fixed in policy compiler for iptables fwb_ipt:
* bug #1123748: "busybox grep -E".
* bug #1160186: 'IPTables Compiler - Multiport Issue'.
* bug #1176890: "block IPv6".
* bug #1176890: "block IPv6".
* bug #1179103: 'compiled rules can not be installed'.
* bug #1181359: "Missing traling space in "INVALID state" syslog message".
* bug #1195201: "getaddr function return error ip address".
Bugs fixed in policy compiler for pf fwb_ipf:
* bug #1173067: "support for port ranges in NAT rules (ipfilter)".
* bug #1173064: "support for dynamic interfaces in ipfilter".
Bugs fixed in policy compiler for pf fwb_pf:
* bug #1176051: "incorrect rule generated for TCP service ftp-data".
in a publicly-exported structure was renamed from "private" to
"opt_private". This allows <krb5.h> to be used by C++ compilers.
Bump the PKGREVISION to 1.
for the "db4" option and just rely on the appropriate BDB_* settings
via bdb.buildlink3.mk. Also, we tweak the builtin.mk file so use
krb5-config, if it's available, to check the version of the built-in
heimdal. Patches patch-ab, patch-ae and patch-af have been sent back
upstream and will be incorporated into future Heimdal releases.
Changes between version 0.6.5 and version 0.7.1 include:
* Support for KCM, a process based credential cache
* Support CCAPI credential cache
* SPNEGO support
* AES (and the gssapi conterpart, CFX) support
* Adding new and improve old documentation
* Bug fixes
Give the audit-pacakges a "-d" option to download the vulnerabilities file
with downloaad-vulnerability-list before scanning the installed packages.
Update the documentation accordingly.
Get rid of some inconsistent style problems in the audit-packages script.
* Version 1.2.8 (2005-10-07)
- Libgcrypt 1.2.2 is required to fix a bug for forking GnuTLS servers.
- Don't install the auxilliary libexamples library used by the
examples in doc/examples/ on "make install", report and tiny patch
from Thomas Klausner
- If you pass a X.509 CA or PGP trust database to the command line
tool, it will now abort the connection if the server certificate
validation fails. Use the parameter --insecure to continue even
after certificate validation failures. Inspired from discussion
with Alexander Kotelnikov
- The test for socklen_t has been moved to gnulib.
- Link failures for duplicate or missing "program_name" symbol has been fixed,
patch from Martin Lambers
- The command line tool and the examples no longer uses mmap or bzero,
to make them more portable, patch from Martin Lambers
- Made the PKCS #12 API handle null passwords. Based on patch by
Anton Altaparmakov
- The GTK-DOC manual should build with current released tools.
(But a copy of the output is included, so the tools are not required.)
- API and ABI modifications:
No changes since last version.
No pkgsrc changes.
Changes since version 0.96:
===========================
v0.97
- Writes now correctly return errors. (Problem noted by
Dominique Quatravaux <dom at idealx.com>).
- CA paths now work without passing an empty SSL_ca_file
argument. (Problem found by Phil Pennock, <phil.pennock
at globnix.org>).
- IO::Socket::SSL now automatically passes Proto => tcp (if
not already specified) to IO::Socket::INET to work around
/etc/services files with udp entries listed first. (Fix
suggested by Phil Pennock).
- $socket->accept() now returns the peer address in array
context for better conformance with IO::Socket::INET.
However, if you were doing "map { $_->accept } (@sockets)",
or similar tricks, you will need to use "scalar" to get the
old behavior back. (Problem noted by Nils Sowen, <n.sowen
at kon.de>).
- IO::Socket::SSL should now properly block on reads larger
than the buffer size of Net::SSLeay. (Problem found by Eric
Jergensen, <eric at dvns.com>).
- IO::Socket::SSL should now send CA Certs (if necessary)
along with certificates. (Problem found by <roy at
momentous.ca>).
- Timeouts should now work, but be aware that if multiple
reads/writes are necessary to complete a connection, then
each one may have a separate timeout. (Request from
Dominique Quatravaux <dom at idealx.com>).
- In certain cases, start_SSL() would misplace a socket's
fileno, causing problems with starting SSL. This should now
be fixed. (Problem found by <russ at zerotech.net>).
- IO::Socket::SSL now requires a minimum of Net::SSLeay 1.21.
0.9.7h include fixing a shared library upgrade problem where openssl-0.9.7h
had a different ABI than previous 0.9.7 sub-revisions due to a changed
constant.
web applications (or a web application firewall). Operating as an Apache Web
server module or standalone, the purpose of ModSecurity is to increase web
application security, protecting web applications from known and unknown
attacks.
This package is for both Apache 1.x and Apache 2.x
SecPanel serves as a graphical user interface for managing and running
SSH (Secure Shell) and SCP (Secure Copy) connections. SecPanel is
written entirely in pure Tcl/Tk and does not need any extensions but
it requires version 8.x of Tcl and Tk.
DIRB is a Web Content Scanner. It looks for existing (and/or hidden)
Web Objects. It basically works by launching a dictionary based
attack against a web server and analizing the response.
DIRB comes with a set of preconfigured attack wordlists for easy usage
but you can use your custom wordlists. Also DIRB sometimes can be
used as a classic CGI scanner, but remember is a content scanner not a
vulnerability scanner.
DIRB main purpose is to help in professional web application auditing.
Specially in security related testing. It covers some holes not
covered by classic web vulnerability scanners. DIRB looks for
specific web objects that other generic CGI scanners can't look for.
It doesn't search vulnerabilities nor does it look for web contents
that can be vulnerables.
vulnerability triggered update due to CAN-2005-2969. Changes from
version 0.9.7f include:
o Fix SSL 2.0 Rollback, CAN-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
when the base PHP is compiled with openssl extension (e.g. ssl://, tls://
stream support, and couple others). These don't work when SSL support
is loaded via extension.
For this reason, make openssl extension unconditionally built-in
into the main PHP package, and g/c security/php-openssl.
Noteworthy changes in version 1.2.2 (2005-10-05}
------------------------------------------------
* Made the RNG immune against fork without exec.
* Minor changes to some function declarations. Buffer arguments are
now typed as void pointer. This should not affect any compilation.
* A bug in the definition of gcry_cipher_register has been fixed.
* Interface changes relative to the 1.2.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_cipher_encrypt CHANGED: Arguments IN and OUT are now void*.
gcry_cipher_decrypt CHANGED: Arguments IN and OUT are now void*.
gcry_create_nonce CHANGED: Argument BUFFER is now void*.
gcry_md_ctl CHANGED: Argument BUFFER is now void*.
gcry_sexp_sprint CHANGED: Argument BUFFER is now void*.
gcry_mpi_scan CHANGED: Argument BUFFER is now void*.
gcry_cipher_register CHANGED: Argument ALGORITHM_ID is now int*.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pwsafe is a password database program for unix compatible with
Counterpane's win32 Password Safe software.
This is a major release. pwsafe now supports PasswordSafe 2.x
databases, exporting databases to text, and merging databases
together.
No pkgsrc changes.
Changes since version 1.10:
===========================
Release 1.12
Fix documentation typo. Patch by <steve@fisharerojo.org>.
Release 1.11
Make Digest->new("SHA-224") work. Patch by Mark Shelor
<shelor@cpan.org>.
* Version 1.2.7 (2005-09-09)
- The GNUTLS and GNUTLS-EXTRA libraries are now built with versioned symbols.
- Certtool now complains when reading out-of-range X.509 serial
numbers, suggested by Fran
- Certtool now uses the readline library (when available) when reading
X.509 serial numbers.
- Fixed build problems in getpass on uClibc and Mingw32 platforms.
- Fixed compile warning regarding socklen_t on Mingw32, reported by
Martin Lambers
- Fixed examples in doc/examples/, suggested by Fran
- Gnulib is now used for the core library, enabling future code cleanups.
- The gnutls-cli tool now use gnutls_certificate_verify_peers2,
suggested by Daniel Stenberg
- Doc fixes for gnutls_transport_set_push and gnutls_transport_set_pull.
- Minilibtasn1 is now 0.2.17 (removed optional use of C99 macros).
- Disable zlib support if zlib.h is not present.
- A number of internal cleanups.
- API and ABI modifications:
No changes since last version.
pkgsrc change: do not install libexamples (looks like a bug)
Noteworthy changes in version 0.5.8 (2005-08-31)
------------------------------------------------
* Added versioned symbols again.
* Improved searching for libz.
* Should build on platforms that lack "inline".
Some changes different from patches provided in that PR are:
- patch-aj, patch-aq, and patch-as not changed (they appeared to
be identical to previous patches)
- DragonFly support also added to configure script (patch-aa)
because compilation failed due to missing crypt
- and install-sysconf target removed from the installation target
in Makefile.in (patch-ah). Just let the pkgsrc framework install
this since it now will allow it to be removed correctly on
deinstall.
- use "pam" instead of "PAM" as option name in the post-install
target.
This removes patch-ai.
This also now uses openssh-4.2p1-hpn11.diff patch.
I didn't test with kerberos and hpn-patch options. I did test with
PAM on Linux. (The PR reported that kerberos and hpn-patch options
were tested for compiling.) I tested on NetBSD 2.0.2, Linux,
and DragonFly.
This includes two security fixes and several bug fixes and many
improvemens. The changes are listed at
http://www.mindrot.org/pipermail/openssh-unix-announce/2005-September/000083.htmlhttp://www.mindrot.org/pipermail/openssh-unix-announce/2005-May/000079.html
TODO: get some of these patches committed upstream.
* Release 2.5.3
Fix file descriptor leak when IP address lookup fails.
Fix problem with running a server in "reverse" mode and detached -- only
apparent on Windows.
Add "maxconnections" to alleviate DoS attack.
Check for target port 0 to avoid DoS.
Linux 64-bit port (a result of the "Linux on POWER" contest) courtesy of
Stew Benedict <stewb@linuxcontrol.net>. Use the "linux64" OS target.
Upgraded version of bzip2 and zlib.
no longer correct since update to libevent 1.x; it now uses libtool and
generates a shlib.
Remove the offending bl3 line, and bump all dependents' PKGREVISIONs, since
the binary pkg changes for any OS that doesn't have a sufficient builtin
libevent version (or the package has requested a non-builtin version).
the required -Rpath options or the openssl version will not be
correctly determined when using pkgsrc openssl.
- when running qmake as part of the configure stage, be sure to
run in the configure environment so that QMAKESPEC is picked up.
patch provided by eggert at macvaerk dot dtu dot dk
in PR 31127
changes:
Version 2.3.3 is a maintenance release over 2.3.2. Besides fixing known
problems and providing some optimizations, no new features were added.
If using SpamAssassin older than 3.1, an upgrade of either SA to 3.1,
or an upgrade of amavisd-new to 2.3.3 is recommended.
- privacy: add a safety fuse / workaround around calls to SA to detect
SA's failure (in SA versions before 3.1) to catch a failed exec() in a
forked process, which could produce runaway process clones. See SA bug
report #4370. An incident of a mail copy being delivered to unrelated
recipient reported by Joel Nimety;
- privacy: turn warning into a fatal error when a quarantine ID of a message
requested for a quarantine release does not match the requested mail_id;
- security: require minimal version 1.35 of Compress::Zlib to avoid
vulnerability in the zlib compression library;
- the dsn_cutoff_level should have been ignored if undefined according to
documentation, but was not, causing DSN to be suppressed regardless of
spam level; discovered by Gary V;
- ensure the banned check is not performed if all recipients agree
it is not needed, even in presence of $banned_namepath_re;
undesired behaviour (not strictly incorrect) reported by Joel Nimety;
- missing import of lookup_ip_acl in module Amavis::In::AMCL caused
failure in sendmail milter setup when using the new AM.PDP protocol;
reported by Mic And;
- document and explicitly define handling of syntactically invalid IP address
in lookup_ip_acl: it matches a zero-length-mask net, a constant lookup table,
or a hash entry with an undef key, but no other entries in IP lookup tables;
syntactically invalid IP addresses are now logged;
- fix parsing if IPv6 address in $notify_method and $forward_method in case
of dynamic destination override (the use of '*' in method fields);
- check during startup that $myhostname is a fully qualified domain name
(or 'localhost', if you must), and abort if it isn't, otherwise a non-FQDN
can end up in places where RFC 2822 does not allow it; if uname(3) does not
provide a FQDN, then an assignment to $myhostname must be done explicitly
in amavisd.conf;
- when quarantining to a single file in mbox format the 'From ...' line
needs an English date, regardless of current locale; fixed by globally
setting locale LC_TIME to "C";
- pass on the parameter BODY=8BITMIME on MAIL FROM when submitting to MTA
when original message reception indicated it is needed (RFC 1652).
Note that mail forwarding may now fail if the feeding MTA requests
BODY=8BITMIME SMTP service extension (or just passes data with msb set),
but the MTA on the output side does not allow the use of the BODY parameter
in SMTP. In case of Postfix this may only happen when receiving service
on port 10025 is misconfigured and does not announce ESMTP capability
and support for the SMTP service extension 8BITMIME;
- RFC 2554 requires auth_param to be xtext-encoded addr-spec (no angle
brackets) or "<>", not the xtext-encoded addr-spec enclosed in angle
brackets (when specifying submitter during authentication); fixed;
- apply some sanity limit on collected bad-header samples to ensure that
a grossly broken mail does not unnecessarily fill up memory;
- when sending recipient warnings for viruses, banned files, or bad headers,
recipient address must not be rfc2822-quoted twice; fixed;
- fix interpretation of $defang_all to really imply all; previously it only
affected clean messages;
- in quarantined mail the reported spam score in X-Spam-Status header field
now includes maximum of all by-recipient score boosts (less surprising
when soft-whitelisting through @score_sender_maps is in use); suggested
by Mike Cappella and Gary V;
- when a policy delegation protocol attribute "request" is not "AM.PDP"
(perhaps it is a Postfix policy delegation request) don't attempt to find
and open a mail file;
- do_ascii and do_unarj: set environment variable TMPDIR or a command line
temporary directory option to "$tempdir/parts" instead of $TEMPBASE
to minimize possible pollution of top level directory;
- don't abort even if amavisd.conf returns undef as a final value,
as long as there are no errors reading or interpreting it;
- if during 'amavisd stop' or 'amavisd reload' the old running daemon does
not go away for one minute after sending it a SIGTERM, use a bigger
hammer and send it a SIGKILL; suggested by Sven Riedel;
- extend LDAP lookups to allow multiple search attributes (multiple
occurrences of %m in a query); a patch by Michael Hall (and a similar
one by Matthias Bandemer);
- LDAP lookup on an empty envelope address (e.g. a null return path)
adds another lookup key "<>", as it is difficult if not impossible
to have LDAP attributes with empty string as a value; by Michael Hall;
- LDAP.schema: drop "MUST ( mail )" from objectclass 'amavisAccount';
suggested by Michael Hall;
- updated comments and documentation, most notably the README.chroot;
- contributed file Macintosh.tar.gz updated by Dale Walsh;
COMPATIBILITY
- replaced 'hits=' with 'score=' in inserted X-Spam-Status header field
(and in some internal log entries) for compatibility with a changed
default in SpamAssassin 3.1;
- insert X-Spam-Score header field for compatibility with SA (previously
insertion of this header field was commented-out because the information
is redundant, as the score already appears in X-Spam-Status);
OPTIMIZATION
- speed up sending a mail header or full defanged (rewritten) mail over SMTP
back to MTA by a factor of 4 by buffering header fields into large chunks
to avoid bottleneck in Net::Cmd::datasend, which has lots of overhead for
line-by-line writes. Previously slow writes mostly affected mail messages
with extreme header lengths (such as results of a broken mail loop), or
when delivering defanged messages, particularly at sites with large MTA
mail size limits, sometimes to a point of exceeding timeout limits;
reported by Dominik Weber and Ralf Hildebrandt;
- move subroutine lookup_ip_acl() and associated ip_to_vec() into its own
dedicated new package Amavis::Lookup::IP; provide a constructor to pre-parse
IP lookup tables to speed up IP lookups in lookup_ip_acl; prepare pre-parsed
commonly used IP lookup tables (@mynetworks_maps, @publicnetworks_maps,
@inet_acl);
- optimized reading loop in SMTP DATA state, receiving data is now about
35% faster when mail size limit is not enforced (which is a default);
no speedup when mail size limit _is_ enforced;
- cache results of evaluated macros during a single call to expand(),
as macro calls often come in pairs, like: [?%e||\[%e\] ]
or [? %#T ||, Tests: [%T|,]]; together with the above optimization in
pre-parsed IP lookups it shaves off 25% of time in preparing main log entry;
- set locale LC_TIME to "C" globally, avoid changing and restoring locale
for every log write and when generating RFC2822 timestamps;
- added an optimization note in README.sql about indexes and about
SELECT count(*) in MySQL with InnoDB; investigation by Paolo Cravero;
---------------------------------------------------------------------------
June 29, 2005
amavisd-new-2.3.2 release notes
INCOMPATIBILITY with 2.3.1 and earlier versions:
If running amavisd daemon in chroot please note:
Each child process now opens its own syslog connection or a file descriptor
to a log file, and no longer inherits a connection from its parent.
When running in chroot jail and logging to syslog, the syslog client
routines need syslogd socket to be present in the chroot subtree to be
able to establish a connection with syslogd, otherwise logging output
may be lost. Additional syslogd sockets (to be made available in the
jail) may be requested from the syslogd daemon, see its documentation.
This requirement is equivalent to the requirement of chrooted Postfix
services (see Postfix documentation file BASIC_CONFIGURATION_README).
BUG FIXES since 2.3.1:
- do not enforce $MAXFILES limit during top-level MIME decoding to avoid
tempfailing mail; MIME parts are still counted, so a limit exceeded may
still be reported during subsequent decoding, but this is handled more
gracefully and does not cause preserved temporary directories to be left
behind; reported by Marcin Lemanski; suggested by Stephane Lentz and
Robert LeBlanc (noted in the 2.0 release notes);
- use recv() instead of read() to get results from daemonized virus scanners
in an attempt to avoid a bogus Perl I/O status on some Linux installations
(reported by Sander Steffann); we now get a meaningful status codes like
ECONNRESET instead of a bogus EBADF (Bad file descriptor);
- ignore status ECONNRESET when reading results of a daemonized virus scanner
from a socket, specific to some Linux versions; thanks to Sander Steffann
for the initial report and extensive help in debugging the Perl problem;
- run_av and other similar code sections: replace line-by-line reads by
block-by-block reads wherever possible to avoid inappropriate status report
EBADF (Bad file descriptor) caused by Perl I/O bug when last line is not
terminated by a newline. The problem was affecting reading response from
some command line virus checkers; reported by Sander Steffann;
- ignore status EAGAIN when reading results on a pipe from a forked process;
the status EAGAIN seems to be an artifact of Perl I/O on some installations;
reported by several people to cause problems on FreeBSD with Perl 5.8.7
(but Perl 5.8.6 is fine); thanks to Bart Matterne for testing and feedback;
- allow one level of indirection when collecting %needed_protocols;
global setting $protocol='COURIER' did not work, a workaround was needed
with previous version, e.g.: $policy_bank{'QMQPqq'}={protocol=>'QMQPqq'};
reported by Nicklas Bondesson and Martin Orr;
- fix a bug (introduced with 2.3.0) in Courier and QMQPqq setups, where global
information about processed message wasn't always reset and could leak
into processing of a subsequent message; reported by Nicklas Bondesson;
- SQL: fix arguments in calls to last_insert_id(), failing under PostgreSQL
(MySQL didn't mind); pointed out by Henrik Krohns;
- if module SAVI is loaded, insist it is version 0.30 or later;
incompatibility with earlier versions reported by Andrzej Kukula;
- make use of the new Net::Server 0.88 hook run_n_children_hook() to
reload SAVI database; removes a need to apply SAVI patch to Net::Server;
the Net::Server hook was suggested by Paul B. Henson and others,
and incorporated into Net::Server 0.88 by Paul Seamons;
- reopen log file or syslog connection in each child process to make it use
its own file descriptor; also minimizes transients when syslogd is restarted
and its socket re-created, as reported by Les Ault. When running in chroot
please make sure a syslogd socket is also available in the chroot jail,
see README.chroot for syslogd options (and BASIC_CONFIGURATION_README
in Postfix documentation for the Postfix equivalent);
- close log file or syslog in forked process before exec, just to play nicely;
- do_lha: fix extracting archive member filename in case of broken archive
or empty name (avoid interpreting creation date as a file name);
do not increment OpsDecByLha counter for empty archives, which are
most likely not lha archives at all;
- obey $final_bad_header_destiny D_DISCARD or D_REJECT even for messages
with bad headers from mailing lists or with a null envelope sender (DSN);
previously such messages were passed; undesired behaviour reported
by Cami Sardinha.
Such messages are still let through with $final_bad_header_destiny set to
D_BOUNCE, as otherwise they will be lost because a bounce is suppressed
for null sender messages and for mail from mailing list. This behaviour
is retained for backwards compatibility, but may need to be reconsidered.
- fix regexp for extracting am_id from amavis-milter helper program requests;
- if fork/exec fails, try to commit suicide in forked process with
POSIX::_exit(1) first, before trying kill('KILL',$$) as a last resort;
- updated $log_templ example in amavisd.conf-sample to match the default;
pointed out by Gary V;
- further reduce a couple of more frequent Perl warnings about the use of
uninitialized values in expressions;
- pre-load additional Perl modules required by SA 3.1 plugins;
- require minimal versions of modules: Time::HiRes 1.49, Archive::Zip 1.14;
- replaced nonexistent variable @sa_spam_modifies_subj_maps by
@spam_modifies_subj_maps in commented-out example in amavisd.conf-sample;
noticed by Joachim Schoenberg;
LDAP CHANGES by Michael Hall:
All the LDAP changes are transparent to the user.
- rewritten some of the code similar to the restructuring of the SQL code
in version amavisd-new-2.3.0. A new package Amavisd::LDAP::Connection was
added which is a LDAP connection object, and the old connection-related code
in Amavis::Lookup::LDAP has been moved to the new package. Amavisd-new will
now try to reconnect (once) while processing a message, similar to SQL;
- added the ability to specify a '%d' (domain) token in the LDAP base DN;
based on idea from Alexander Wittig;
- updated default LDAP port based on whether SSL/TLS is being used or not;
based on idea from Timo Veith;
- updated the search code to query for multiple records and return the results
sorted in 'make_query_keys' order versus doing a query for each key.
As a result performance is enhanced, and the tweaks 'ldap_get_all', and
'use_query_keys' (recently added) are no longer applicable or needed
and have been removed;
- improved LDAP error reporting and misc changes to multivalued attributes;
- documentation changes (amavisd.conf-default, README.lookups);
MINOR IMPROVEMENTS:
- macro %c (commonly used in a log template) reports spam score no longer
as a single number, but as an explicit sum of a SA score and a by-sender
boost score (from @score_sender_maps) when boost score is nonzero;
suggested by Ed Walker;
- enhancement to amavisd-release: if its only command line argument is '-',
then read arguments from stdin, one release request per line, ignoring empty
lines; input lines have the same format as command line arguments, i.e.:
mail_file
mail_file secret_id
mail_file secret_id alt_recip1 alt_recip2 ...
- better handle cases where a persistent temporary file email.txt
as prepared by the SMTP server module gets replaced as a result
of some user program modification (e.g. when invoking altermime);
problems reported by Dinesh Shah and Leonardo Rodrigues;
Bcrypt is a cross platform file encryption utility. Encrypted files
are portable across all supported operating systems and processors.
Passphrases must be between 8 and 56 characters and are hashed
internally to a 448 bit key. However, all characters supplied are
significant. The stronger your passphrase, the more secure your data.
In addition to encrypting your data, bcrypt will by default overwrite
the original input file with random garbage three times before deleting
it in order to thwart data recovery attempts by persons who may gain
access to your computer.
- MiniLZO updated to version 2.01 and moved to separate directory.
- Collision between system LZO header files and MiniLZO header file fixed.
- Will now test for liblzo functionality in liblzo2 too.
- Minilibtasn1 is now 0.2.14 (no code changes).
- Some code changes to avoid GTK-DOC warnings.
- API and ABI modifications:
No changes since last version.
* Various build fixes, to make version info not say 0.5.5 any more.
Changes 0.5.6:
* Use libtool -export-symbols-regex instead of GNU ld script.
* Fix license with new FSF address.
* Test for socklen_t, needed for libgcrypt on some platforms.
* A few configure/build fixes.
* Don't use malloc.h.
- Fixed the autoconvert feature of cvm-vmailmgr to set the permissions
and ownership of the created password table to that of the original.
- Added a feature to all qmail-based modules to treat all domains as
local if $CVM_QMAIL_ASSUME_LOCAL is set.
changes:
-manpage added
-fix for BUG#210: use start_tls on referrals if configured to do so
-when handling new password policy control, only fall through to account
management module if a policy error was returned (CERT VU#778916)
pkgsrc change: use /etc/pam_ldap.conf as config file, to distinguish
from nss_ldap
- Added an "autoconvert" mode to cvm-vmailmgr, which converts encrypted
passwords to plain-text on successful authentication if
$VMAILMGR_AUTOCONVERT is set.
Okayed by lha@. I tested on Linux and DragonFly. I got this from
Joerg Sonnenberger.
On DragonFly, the configure errored like:
/usr/include/openssl/md5.h:110: error: syntax error before "size_t"
In file included from conftest.c:34:
/usr/include/openssl/sha.h:109: error: syntax error before "size_t"
This caused tests to break and it ended up building and installing libdes
and des.h, md4.h, and related headers.
So later libgssapi needed this libdes which was not buildlinked which
broke kdelibs3 build.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
Here's an excerpt from the rather long RELEASE_NOTES included in the
distribution:
QUICK OVERVIEW:
Provides more flexible configuration of decoders. Allows recipients to have
individual banning rules. Assigns a long-term unique id to each message,
reducing clashes and facilitating retrieval of information. The daemon can
store information to a SQL database for logging, reporting and quarantine
retrieval, optionally storing entire message to a SQL database. File-based
quarantine can disperse files to 62 subdirectories. Provides a quarantine
release mechanism. Reconnects to SQL if connection is broken. Can skip
quarantining high-score spam. Compatibility with IPv6-enabled Postfix
is improved.
SECURITY:
- require minimal version 1.05 of Convert::UUlib to avoid a known security
problem in the underlying uulib (likely to be exploitable);
- src/racoon/dnssec.c: fix bogus test on function result
- src/racoon/isakmp.c: Improved in/out SA addresses check in
purge_remote()
- src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings
- src/racoon/privsep.c: Fixed a %d -> %zu in port_check()
