* Install config files by CONF_FILES instead of install directly.
* Correct path of tools and config in sample config files and a manual page.
* Add DESTDIR support.
Bump PKGREVISION.
rc5, and replace with {idea,mdc2,rc5}-nonlicense. Because pkgsrc does
not yet handle multiple licenses, set LICENSE to
openssl-patented-algorithms-nonlicense.
Major changes since Sudo 1.6.9p9:
o Moved LDAP options into a table for simplified parsing/setting.
o Fixed a problem with how some LDAP options were being applied.
o Added support for connecting directly to LDAP servers via SSL/TLS
for servers that don't support the start_tls extension.
Changes:
Update to version 1.7.1. Changes:
v1.7.1 (Amy) 10jun07
--------------------
* windows SSH agent support can use the 'ctypes' module now if 'win32all' is
not available [patch from alexander belchenko]
* SFTPClient.listdir_attr() now preserves the 'longname' field [patch from
wesley augur]
* SFTPClient.get_channel() API added
* SSHClient constuctor takes an optional 'timeout' parameter [patch from
james bardin]
v1.7 (zubat) 18feb07
--------------------
* added x11 channel support (patch from david guerizec)
* added reverse port forwarding support
* (bug 75370) raise an exception when contacting a broken SFTP server
* (bug 80295) SSHClient shouldn't expand the user directory twice when reading
RSA/DSS keys
* (bug 82383) typo in DSS key in SSHClient
* (bug 83523) python 2.5 warning when encoding a file's modification time
* if connecting to an SSH agent fails, silently fallback instead of raising
an exception
v1.6.4 (yanma) 19nov06
----------------------
* fix setup.py on osx (oops!)
* (bug 69330) check for the existence of RSA/DSA keys before trying to open
them in SFTPClient
* (bug 69222) catch EAGAIN in socket code to workaround a bug in recent
Linux 2.6 kernels
* (bug 70398) improve dict emulation in HostKeys objects
* try harder to make sure all worker threads are joined on Transport.close()
v1.6.3 (xatu) 14oct06
---------------------
* fixed bug where HostKeys.__setitem__ wouldn't always do the right thing
* fixed bug in SFTPClient.chdir and SFTPAttributes.__str__ [patch from
mike barber]
* try harder not to raise EOFError from within SFTPClient
* fixed bug where a thread waiting in accept() could block forever if the
transport dies [patch from mike looijmans]
v1.6.2 (weedle) 16aug06
-----------------------
* added support for "old" group-exchange server mode, for compatibility
with the windows putty client
* fixed some more interactions with SFTP file readv() and prefetch()
* when saving the known_hosts file, preserve the original order [patch from
warren young]
* fix a couple of broken lines when exporting classes (bug 55946)
v1.6.1 (vulpix) 10jul06
-----------------------
* more unit tests fixed for windows/cygwin (thanks to alexander belchenko)
* a couple of fixes related to exceptions leaking out of SFTPClient
* added ability to set items in HostKeys via __setitem__
* HostKeys now retains order and has a save() method
* added PKey.write_private_key and PKey.from_private_key
v1.6 (umbreon) 10may06
----------------------
* pageant support on Windows thanks to john arbash meinel and todd whiteman
* fixed unit tests to work under windows and cygwin (thanks to alexander
belchenko for debugging)
* various bugfixes/tweaks to SFTP file prefetch
* added SSHClient for a higher-level API
* SFTP readv() now yields results as it gets them
* several APIs changed to throw an exception instead of "False" on failure
Major changes since Sudo 1.6.9p8:
o The ALL command in sudoers now implies SETENV permissions.
o The command search is now performed using the target user's
auxiliary group vector, not just the target's primary group.
o When determining if the PAM prompt is the default "Password: ",
compare the localized version if possible.
o New passprompt_override option in sudoers to cause sudo's prompt
to be used in all cases. Also set when the -p flag is used.
Changes since 5.2.1:
5.2.2 - added SHA-224
- put SHA-256, SHA-384, SHA-512, RSASSA-PSS into DLL
5.2.3 - fixed issues with FIPS algorithm test vectors
- put RSASSA-ISO into DLL
5.3 - ported to MSVC 2005 with support for x86-64
- added defense against AES timing attacks, and more AES test vectors
- changed StaticAlgorithmName() of Rijndael to "AES", CTR to "CTR"
5.4 - added Salsa20
- updated Whirlpool to version 3.0
- ported to GCC 4.1, Sun C++ 5.8, and Borland C++Builder 2006
5.5 - added VMAC and Sosemanuk (with x86-64 and SSE2 assembly)
- improved speed of integer arithmetic, AES, SHA-512, Tiger, Salsa20,
Whirlpool, and PANAMA cipher using assembly (x86-64, MMX, SSE2)
- optimized Camellia and added defense against timing attacks
- updated benchmarks code to show cycles per byte and to time key/IV setup
- started using OpenMP for increased multi-core speed
- enabled GCC optimization flags by default in GNUmakefile
- added blinding and computational error checking for RW signing
- changed RandomPool, X917RNG, GetNextIV, DSA/NR/ECDSA/ECNR to reduce
the risk of reusing random numbers and IVs after virtual machine state
rollback
- changed default FIPS mode RNG from AutoSeededX917RNG<DES_EDE3> to
AutoSeededX917RNG<AES>
- fixed PANAMA cipher interface to accept 256-bit key and 256-bit IV
- moved MD2, MD4, MD5, PanamaHash, ARC4, WAKE_CFB into the namespace "Weak"
- removed HAVAL, MD5-MAC, XMAC
5.5.1 - fixed VMAC validation failure on 32-bit big-endian machines
5.5.2 - ported x64 assembly language code for AES, Salsa20, Sosemanuk, and Panama
to MSVC 2005 (using MASM since MSVC doesn't support inline assembly on x64)
- fixed Salsa20 initialization crash on non-SSE2 machines
- fixed Whirlpool crash on Pentium 2 machines
- fixed possible branch prediction analysis (BPA) vulnerability in
MontgomeryReduce(), which may affect security of RSA, RW, LUC
- fixed link error with MSVC 2003 when using "debug DLL" form of runtime library
- fixed crash in SSE2_Add on P4 machines when compiled with
MSVC 6.0 SP5 with Processor Pack
- added support for newly released compilers: MSVC 2008, GCC 4.2, Sun CC 5.9,
Intel C++ Compiler 10.0, and Borland C++Builder 2007
changes:
-build fixes (not relevant to pkgsrc)
* Don't print out a warning message in applications using
libgnome-keyring when non-pageable memory cannot be allocated.
Noteworthy changes in version 0.6.6 (2007-11-15)
------------------------------------------------
* Slightly adjust the stream code.
The check for fflush is omitted because the return
value might be undefined. This fixes a problem reported
from the NetBSD team.
* Don't use __inline__ in src/cipher.c (breaks on Sun CC).
0.57 2007-09-17 20:45:20 UTC
- Honour both $ENV{NO_PROXY} and $ENV{no_proxy} in
Net::SSL::proxy_connect_helper. (Bug #29371 reported by Jan Dubois).
- $@ construction used in Net::SSL::connect was messed up, which could
lead to sub-optimal error reporting. (Bug #29372 reported by Jan
Dubois).
- Ensure no proxification is used in t/01-connect.t (which might be the
reason for all the spurious smoke failures). Bug #29373 reported by,
you guessed it, Jan Dubois).
- Silence a dubious fopen() warning in SSLeay.xs.
- s/Netware/NetWare/ in Net/SSL.pm platform check
- Improvements to Makefile.PL for dealing with platforms where openssl
is installed with ./include and ./lib as sibling directories rather
than child directories. This should allow the code to configure and
build "out of the box" on Solaris (and probably other proprietary
platforms).
- Don't carp in LICENSE key addition code in Makefile.PL
0.56_01 2007-08-09 21:59:47 UTC
- Various improvements to the Win32 configure code in Makefile.PL,
based on CPAN tickets #28431 and #28432, by Guenter Knauf,
notably to allow static linking and OpenSSL living in a relative
directory.
- Net::SSL: alarm() is not implemented on Netware platform, so don't
try to set one there. (Guenter Knauf).
- Should build on Solaris correctly (bug fix in include dir
specification). Based on fix suggested in CPAN bug #28680.
0.56 2007-07-10 19:08:20 UTC
- Purely a documentation issue raised by CPAN bug #27935. Users
of previous versions do not need to upgrade.
* Version 2.0.4 (released 2007-11-16)
** Corrected bug in decompression of expanded compression data.
** API and ABI modifications:
No changes since last version.
- Update to Spanish -- David Gil
- Bug 1750697 base_header() is undefined fixed -- Juergen and Kevin Johnson
- Bug 1680965 sans lookup fails -- Jordan Wiens
- Updated Chinese language file -- Randy
- Added Sean Muller as the Project Manager -- Kevin Johnson
- Fixed error in contrib/base-rss.php -- Dan
- Added INSTALL and INSTALL.rtf files to docs directory -- Sean Muller
- Bug 1801192 XSS bug in BASE fixed -- Kevin Johnson and Sean Muller
- Bug 1760615 Sort order ignored -- Kevin Johnson and Jordan Weins
* Version 2.0.3 (released 2007-11-10)
** This version backports several fixes from the 2.1.x branch.
** Fixed PKCS #3 parameter export.
** Added gnutls_record_disable_padding() to allow servers talking to
buggy clients that complain if the TLS 1.0 record protocol padding is
used.
** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
all supported compatibility options (like disabling padding).
** Corrected bug which did not allow a server to run without supporting
certificates.
** API and ABI modifications:
gnutls_session_enable_compatibility_mode: ADDED
gnutls_record_disable_padding: ADDED
Add LICENSE, commented out; it contains both LGPL-2.1 and GPL2 code.
Noteworthy changes in version 0.6.5 (2007-10-27)
------------------------------------------------
* Cleanups for the key export and import functionality.
* Clarified the semantic of cdk_pk_check_sigs.
* Now the by usage keydb function correctly finds the
self signature.
patch-aa provided by drochner@; sent upstream, will be in next release.
Changes:
* Fixed encryption problem if duplicate certificates are in the
keybox.
* Add new options min-passphrase-nonalpha, check-passphrase-pattern,
enforce-passphrase-constraints and max-passphrase-days to
gpg-agent.
* Add command --check-components to gpgconf. Gpgconf now uses the
installed versions of the programs and does not anymore search via
PATH for them.
* The option --ocsp-signer may now take a filename to allow several
certificates to be valid signers for the default responder.
* New option --ocsp-max-period and improved the OCSP time checks.
* New option --force-default-signer for dirmngr-client.
version 1.0.3:
* New functions assuan_process_done and assuan_inquire_ext to support
external event loops.
* Changed the license of the library code back to LGPLv2.1 to support
a bunch of GPLv2(only) software which does not allow the use of
LGPLv3.
* Assorted bug fixed and code cleanups.
Major changes since Sudo 1.6.9p7:
o Fixed a bug where a sudoers entry with no runas user specified
was treated differently from a line with the default runas user
explicitly specified.
This switches to the new gnome-2.20 branch.
(While this is not part of the "platform" subset formally, it is used
by platform -- this looks like an inconsistency in gnome packaging.)
- Only perform additional database request when using Sensor localtime:
this bring a performance improvement of about 36% on aggregated query,
when using either frontend localtime (the default), or UTC time.
- JQuery support: Port most of the javascript code to make use of JQuery.
Add show/hide effect to CSS popup. More filtering functionality in the
SensorListing view.
- Cleanup the Authentication class, so that uper Prewikka layer can act
depending whether the backend support user creation / deletion. Anonymous
authentication is nowa plugin.
- Better integration of CGI authentication allowing user listing and deletion.
- Report template exception directly to the user.
- Fix exception if an alert analyzer name is empty.
- Fix problem when adding new Prewikka users (#262).
- Fix exception when user has no permission set.
- When changing password, we didn't try to match an empty 'current password'
(which is a minor issue since the user is already authenticated). Thanks
to Helmut Azbest <helmut.azbest@gmail.com> for the fix.
- Fix a typo making mod_python use the parent method (patch from
Helmut Azbest <helmut.azbest@gmail.com>).
- In the configuration file, recognize section even if there are whitespace
at the beginning of the line.
- Localization fixes, by Sebastien Tricaud <toady@gscore.org>, and
Bjoern Weiland.
- Make threshold act like a real threshold: pass every Nth events
in the defined amount of seconds.
- Allow mixing Limit and Threshold.
- Do not share the tresholding hash accross thresholding plugin instance:
previously, the shared hash would result in strange thresholding plugin
behavior if you had several instance of thresholding loaded.
- Various bug fixes concerning plugin instance un-subscribtion (unsubscribtion
of certain plugin was not triggered).
- Implement prelude-admin list [-l] command, which provide the ability to list
existing profile name, permission, registration permission, analyzerID, and
Issuer analyzerid.
- Implement multiple analyzer deletion in prelude-admin.
- Correct printing of IDMEF time field using non local GMT offset.
- Patch to avoid struct typespec redefinition, due to variable mispelling.
This fixes a compilation problem on OpenBSD 3.8.
- Various bug fixes.
Whitespace steganography
The program snow is used to conceal messages in ASCII text by
appending whitespace to the end of lines. Because spaces and tabs are
generally not visible in text viewers, the message is effectively
hidden from casual observers. And if the built-in encryption is used,
the message cannot be read even if it is detected.
What's in a name?
snow exploits the steganographic nature of whitespace. Locating
trailing whitespace in text is like finding a polar bear in a
snowstorm (which, by the way, explains the logo). And it uses the ICE
encryption algorithm, so the name is thematically consistent.
pkgsrc change: added DESTDIR support.
Major changes since Sudo 1.6.9p6:
o Reverted back to to using TCSAFLUSH instead of TCSADRAIN when
turning off echo during password reading.
o Fixed a configure bug that was preventing the addition of -lutil for
login.conf support on FreeBSD and NetBSD.
o Added a configure check for struct in6_addr since some systems
define AF_INET6 but have no real IPv6 support.
* Version 2.0.2 (released 2007-10-17)
** TLS authorization support removed.
This technique may be patented in the future, and it is not of crucial
importance for the Internet community. After deliberation we have
concluded that the best thing we can do in this situation is to
encourage society not to adopt this technique. We have decided to
lead the way with our own actions.
** certtool: Fixed data corruption when using --outder.
** Fix configure-time Guile detection.
** API and ABI modifications:
GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the
gnutls_supplemental_data_format_type_t enum type becomes empty.
* Version 2.0.1 (released 2007-09-20)
** New directory doc/credentials/ with test credentials.
This collects the test credentials from the web page and from src/.
The script gnutls-http-serv has also been moved to that directory.
** Update SRP extension type and cipher suite with official IANA values.
This breaks backwards compatibility with SRP in older versions of
GnuTLS, but this is intentional to speed up the adoption of the
official values. The old values we used were incorrect.
** Guile: Fix `x509-certificate-dn-oid'
** API and ABI modifications:
No changes since last version.
1.30 2006.03.17
- Fix for local *READ/*WRITE tie problem in open2 function (Bas van
Sisseren).
- Add back 'use IO::Socket' to fix 'Can't locate object method "blocking"
via package "IO::Handle"' error (rt.cpan.org #15102).
- Allow "The socket is already in use" as well as "Address already in use"
to detect port already in use (for AIX, rt.cpan.org #16301).
- Use sysread (not <>) to read the version string to avoid mixing read
types and allow pre-version data (fix by Denis Bider, rt.cpan.org #14812).
- Fix warnings on empty hostfile lines (fix by JOHANL, rt.cpan.org #13750).
- Get the user's home directory from getpwuid() if the HOME environment
variable isn't set (rt.cpan.org #13434).
manage your passwords in a secure way. You can put all your passwords in one
database, which is locked with one master key or a key-disk. So you only have
to remember one single master password or insert the key-disk to unlock the
whole database. The databases are encrypted using the best and most secure
encryption algorithms currently known (AES and Twofish).
- Fixed base_conf_contents.php to include colored alerts -- Jonathan W Miner
- Fixed base_main.php to remove an extra table and repair two column display -- Jonathan W Miner
- Added exit() to the redirect to fix security hole -- Jon Hart
- removed fpdf file to save room since we are not using them. -- Kevin Johnson
- Fixed bug #1723928 Top Right, Database and User not shown -- Kevin Johnson
- Added base_header wrapper, please use it instead of header if you're not sure -- GaRaGeD
- Fixed Bug #1675094 snort signature information links broken (really a hack!) -- Kevin Johnson
- Fixed Bug #1689885 Maybe need count(DISTINCT ip_src) to sort by IP correctly -- Kevin Johnson
- Fixed Bug #1649659 Use of archive DB seems broken in "karen" release -- Kevin Johnson
- Cleaned a warning -- Marek Cruz
- Spanish install guide -- Daniel Medianero
v1.11
- fixed errors in accept_SSL which would work when called from start_SSL
but not from accept
v1.10
- start_SSL, accept_SSL and connect_SSL have argument for Timeout
so that the SSL handshake will not block forever. Only used if the
socket is blocking. If not set the Timeout value from the underlying
IO::Socket is used
include:
* MYSQL_CHARACTER_SET option.
* Allow underscores, colons and plusses, in account names.
* Add {MD5RAW} hash method.
* Fix runtime problems with hardcoded file descriptors in the daemon
code by using OPEN_MAX instead.
Patch provided by Jukka Salmi in PR 37056.
These features are new in beta 0.60 (released 2007-04-29):
* Pressing Ctrl+Break now sends a serial break signal. (The previous behaviour
can still be obtained with Ctrl+C.)
* Serial ports higher than COM9 now no longer need a leading \\.\.
* You can now store a host name in the Default Settings.
* Bug fix: serial connections and local proxies should no longer crash all the
time.
* Bug fix: configuring the default connection type to serial should no longer
cause the configuration dialog to be skipped on startup.
* Bug fix: "Unable to read from standard input" should now not happen, or if it
still does it should produce more detailed diagnostics.
* Bug fix: fixed some malformed SSH-2 packet generation.
* Other minor bug fixes.
Major changes since Sudo 1.6.9p5:
o Worked around bugs in the session support of some PAM implementations.
The full tty path is now passed to PAM as well.
o Sudo now only prints the password prompt if the process is in the
foreground.
o inttypes.h is now included when appropriate if it is present.
o Simplified alias allocation in the parser.
This package provides a script which can be used to extract the root
CA certificates distributed by the Mozilla Project into the current
working directory and to rehash the existing certificates. The directory
can be used by most SSL-aware programs that expect a "CA certificate
path".
v1.09
- new method stop_SSL as opposite of start_SSL based on a idea
of Bron Gondwana <brong[AT]fastmail[DOT]fm>
To support this method the SSL_shutdown handling had to be
fixed, e.g. in close a proper unidirectional shutdown
should be done while in stop_SSL a bidirectional shutdown
- try to make it clearer that thread support is buggy
617) Fixed a bug in the IP address matching introduced by the IPV6 merge.
618) For "visudo -f file" we now use the permissions of the original file
and not the hard-coded sudoers owner/group/mode. This makes
it possible to use visudo with a revision control system.
619) Fixed sudoedit when used on a non-existent file.
620) Regenerated configure using autoconf 2.6.1 and libtool 1.5.24.
621) Groups and netgroups are now valid in an LDAP sudoRunas statement.
and to support the "inet6" option instead.
Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files. Replace:
BUILD_DEFS+= USE_INET6
with
BUILD_DEFS+= IPV6_READY
and teach the README-generation tools to look for that instead.
This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
built with support for threads. This is done by adding the following
line to the package Makefile before the inclusion of openssl/buildlink3.mk:
USE_FEATURES.openssl= threads
The openssl/builtin.mk file is also adjusted to detect whether or not
the built-in OpenSSL was built with support for threads and the result
is used accordingly to determine whether or not a pkgsrc OpenSSL is
needed.
Changes since OpenSSH 4.6:
============================
Security bugs resolved in this release:
* Prevent ssh(1) from using a trusted X11 cookie if creation of an
untrusted cookie fails; found and fixed by Jan Pechanec.
Other changes, new functionality and fixes in this release:
* sshd(8) in new installations defaults to SSH Protocol 2 only.
Existing installations are unchanged.
* The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
* ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
* A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be
approximately 20% faster than HMAC-MD5.
* A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes
* Failure to establish a ssh(1) TunnelForward is now treated as a
fatal error when the ExitOnForwardFailure option is set.
* ssh(1) returns a sensible exit status if the control master goes
away without passing the full exit status. (bz #1261)
* The following bugs have been fixed in this release:
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work (bz #616)
- Make scp(1) skip FIFOs rather than hanging (bz #856)
- Encode non-printing characters in scp(1) filenames.
these could cause copies to be aborted with a "protocol error"
(bz #891)
- Handle SIGINT in sshd(8) privilege separation child process to
ensure that wtmp and lastlog records are correctly updated
(bz #1196)
- Report GSSAPI mechanism in errors, for libraries that support
multiple mechanisms (bz #1220)
- Improve documentation for ssh-add(1)'s -d option (bz #1224)
- Rearrange and tidy GSSAPI code, removing server-only code being
linked into the client. (bz #1225)
- Delay execution of ssh(1)'s LocalCommand until after all forwadings
have been established. (bz #1232)
- In scp(1), do not truncate non-regular files (bz #1236)
- Improve exit message from ControlMaster clients. (bz #1262)
- Prevent sftp-server(8) from reading until it runs out of buffer
space, whereupon it would exit with a fatal error. (bz #1286)
* Portable OpenSSH bugs fixed:
- Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
- Implement getpeereid for Solaris using getpeerucred. Solaris
systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
clients from different, non-root users (bz #1287)
- Fix compilation warnings by including string.h if found. (bz #1294)
- Remove redefinition of _res in getrrsetbyname.c for platforms that
already define it. (bz #1299)
- Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
a side-effect of the "hang on exit" fix introduced in 4.6p1.
(bz #1306)
- pam_end() was not being called if authentication failed (bz #1322)
- Fix SELinux support when SELinux is in permissive mode. Previously
sshd(8) was treating SELinux errors as always fatal. (bz #1325)
- Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
(bz #1339)
- Fix privilege separation on QNX - pre-auth only, this platform does
not support file descriptior passing needed for post-auth privilege
separation. (bz #1343)
- BUGFIX: Correct several small signedness and initialization bugs
discovered during review by the NetBSD team.
- BUGFIX: Modify gendoc.pl to sort cross-references in dictionary
order within each section.
- ENHANCE: if a policy specifies a relative module path,
prepend the
module directory so we never call dlopen(3) with a relative
path.
- ENHANCE: add a pam.conf(5) manual page.
While an update to a .0 version is somehow risky, it finishes the
unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc
opencdk, which I wouldn't like to go into the next stable branch.
Release candidates have worked for me, and there is some time left
before the Q3 branch, so I'm confident.
changes:
* Support for external RSA/DSA signing for TLS client authentication
-many X.509 enhancements
Support for Supplemental handshakes messages (RFC 4680)
* Support for TLS authorization extension (draft-housley-tls-authz-extns-07)
* Improve logic of gnutls_set_default_priority()
* New APIs to enumerate supported algorithms in the library
* Certtool can export more than one certificate to PKCS#12
* Several message translation improvements
* Improved manual
* Many bugfixes and minor improvements
changes:
- Add DROPBEAR_PASSWORD environment variable to specify a dbclient password
- Use /dev/urandom by default, since that's what everyone does anyway
- Exit with an exit code of 1 if dropbear can't bind to any ports
- Improve network performance and add a -W <receive_window> argument for
adjusting the tradeoff between network performance and memory consumption
- Fix a problem where reply packets could be sent during key exchange,
in violation of the SSH spec. This could manifest itself with connections
being terminated after 8 hours with new TCP-forward connections being
established
- Add -K <keepalive_time> argument, ensuring that data is transmitted
over the connection at least every N seconds
- dropbearkey will no longer generate DSS keys of sizes other than 1024
bits, as required by the DSS specification. (Other sizes are still
accepted for use to provide backwards compatibility)
(I didn't adopt the libtool change for now because it is not clear for
be whether that PAM modules is useful for non-NetBSD.)
-block SIGCHLD while the forked helper process is running, so that a
calling process with a SIGCHLD handler won't steal the exit status
which is used to report success of the authentication.
This makes the "dropbear" ssh server usable if started with user
privileges.
bump revision to 1.1
- Fix for new libprelude (0.9.15) runtime warning.
- Add documentation for SQLite3 in the template configuration file
(Sébastien Tricaud <toady at gscore.org>).
- Source and Target now use a 16 bits index (required for CorrelationAlert with
large number of source/target). CorrelationAlert Alertident now use a 32 bits
index (required to link large number of Alert together).
- Fix compilation on system without ENOTSUP (fix#227):
Include modified patch from Alexandre Anriot <aanriot@atlantilde.com>.
conversions preventing PostgreSQL to use indexes (fix#225).
- [preludedb-admin] Use separate alert / heartbeat command: this is done to
have a coherent implementation of the --offset and --count command line
options.
- [preludedb-admin] Fix --offset with the load command.
- [preludedb-admin] Give the delete table a decent size, should speedup the
delete command.
- [documentation] preludedb-admin manpage (fix#230), by Pierre Chifflier
<chifflier@inl.fr>.
- Make SSH rules IPv6 compliants, allowing to merge old
IPv6 only rules with IPv4 rules. Some additional minor
bug fixes (fix#232).
- Fix incorrect target user assignment, as well as incorrect
PCRE reference in assessment.impact.description
(Paul Robert Marino <prmarino1@gmail.com>) (fix#232).
- CISCO router acl lists can now use names instead of numbers. This made
rule id=500 in cisco-router.rules fail to alert on packet denys on newer
cisco devices (Paul Robert Marino <prmarino1@gmail.com>).
- Fix Apache formating when Apache logname or user is set
(Robin Gruyters <r.gruyters@yirdis.nl> and <andre@vandervlies.xs4all.nl>)
(fix#229).
- Invalid user.user_id(0).name assignement in SSH rule 1913
(Scott Olihovik <skippylou@gmail.com>) (fix#243).
- Various bug fixes and minor improvements.
- Fix build error on system that use native awk implementation in place of GNU awk
(Pierre Chifflier <chifflier at inl.fr>), fix#256.
- Avoid a prelude-string fatal assertion, by denying copy/cloning of an empty
prelude-string.
- Correction to the 'prelude-admin send' help message.
- Convert prelude-string to use prelude_return_if_fail() in place of prelude_log().
on tech-pkg.
Noteworthy changes in version 2.0.6 (2007-08-16)
------------------------------------------------
* GPGSM does now grok --default-key.
* GPGCONF is now aware of --default-key and --encrypt-to.
* GPGSM does again correctly print the serial number as well the the
various keyids. This was broken since 2.0.4.
* New option --validation-model and support for the chain-model.
* Improved Windows support.
libident 0.32
--------------
# A serious portability fix for *BSD and Solaris was submitted by:
Nicolas Rachinsky <nicolas@rachinsky.de>.
# Build of sample programs ("testers") was fixed.
libident 0.31
--------------
# libtool is used instead of ranlib, so that a shared library can be built
automatically if the OS supports it.
libident 0.30
--------------
# This new release is meant to provide Internet Protocol version independant
support: libident can now handles IPv6 addresses and perform queries over
IPv6, as well as IPv4. The IP version is selected automatically.
# I also have ported the library to the GNU autotools (autoconf & automake),
and removed support for non ANSI C platforms. If you use such an old system,
do NOT update. It doesn't support IPv6 anyway.
XXX This package is out of date and should be updated. It doesn't work
XXX on current versions of NetBSD due to the silly way it detects the
XXX the running OS and tries to figure out the corresponding binary.
* Remove unncessary dependency on netbsd32_compat16 on NetBSD/amd64.
This package installs statically linked binaries, so there is no
need for any shared libraries or ld.elf_so to run fprot.
* Stop pretending to support non-NetBSD platforms -- the build and
install targets bear no relation to the extracted distfiles on Linux
or Solaris. Support will be re-added in the fullness of time.
pkgsrc change:
Make these options mutual exclusive: kerberos pam skey.
(Really, combinations of kerberos and pam, pam and skey are conflicts.)
CHANGES:
609) Worked around a bug ins some PAM implementations that caused a crash
when no tty was present.
610) Fixed a crash on some platforms in the error logging function.
611) Documentation improvements.
Sudo 1.6.9p1 released.
612) Fixed updating of the saved environment when the environ pointer
gets changed out from underneath us.
Sudo 1.6.9p2 released.
613) Fixed a bug related to supplemental group matching introduced
in 1.6.9.
Sudo 1.6.9p3 released.
614) Added IPv6 support from YOSHIFUJI Hideaki.
615) Fixed sudo_noexec installation path.
616) Fixed a K&R compilation error.
Sudo 1.6.9p4 released.
include:
* authpipe.c (auth_pipe_pre): Fix leak when authpipe module is
enabled, but the actual authpipe script/external prog is not
installed.
* authmysqlrc: Implement SSL-encrypted MySQL connections
* authldaplib.c (l_simple_bind_s): Fix anon binds.
* authldaplib.c (auth_ldap_enumerate): Fix LDAP account enumeration
* userdb/makeuserdb.in: Added the -f option to makeuserdb
* authldaplib.c: Try to recover when the LDAP server closes the
persistent socket, for inactivity.
* Switched license to GPLv3.
* Fixed bug when using the --p12-charset without --armor.
* The command --gen-key may now be used instead of the
gpgsm-gencert.sh script.
* Changed key generation to reveal less information about the
machine. Bug fixes for gpg2's card key generation.
- Update configuration template, add documentation for Prelude
generic TCP options.
- Implement modified patch from Pierre Chifflier <chifflier@inl.fr>
to fix the example log path (fix#224).
- Move IDMEF message normalization in the scheduler, rather than
doing it upon reception. This remove some load from the server
and allow Prelude-Manager own IDMEF messages to go through the
normalizer path.
- Implement heartbeat->analyzer normalization.
- Improve IPv4 / IPv6 address normalization.
IPv4 mapped IPv6 addresses are now mapped back to IPv4.
Additionally, the Normalize plugin now provide two additionals option:
ipv6-only: Map any incoming IPv4 address to IPv6.
keep-ipv4-mapped-ipv6: do not map IPv4 mapped IPv6 addresses back to IPv4.
- Make a difference between exceptional report plugin failure (example:
a single message couldn't be processed) and "global" plugin failure
(example: database server is down). We use a different failover for
'exceptional' failure, so that we don't try to reinsert a bogus message
(fix#247).
- Start of a Prelude-Manager manpages (#236).
- Various bug fixes.
- Ability to use regular expressions in plugins.rules to define
monitored sources, this can be very useful when combined to file
globing.
- [SPEEDUP] When the "*" keyword is used, the data is passed to the
upper layer without trying to match anything.
- Fix NULL pointer dereference when a rule reference an existing,
but empty context (fix#226).
- Remove deprecated use of prelude_client_print_setup_error(),
directly handled via prelude_perror().
- Make the log parser more robust.
- Implement an Auto-Refresh system (fix#231). (including code from
Paul Robert Marino <prmarino1@gmail.com>).
- Ability to filter on missing/offline/online/unknown agents. Make more easier
to read each agent status in collapsed mode.
- Fix filter load/save/delete issue with translation.
- New 'My account' tabs, under the Settings section (fix#241).
- New messageid and analyzerid parameters, allowing link to a Prewikka alert
from an external tool (previously required a database query in order to
retrieve the database event id).
- Don't redirect to user listing once an user preference are recorded. Fix
changing of another user language by an user with PERM_USER_MANAGEMENT.
Display target user language rather than current user language.
- Improve the timeline control table layout.
- Fix translation of string possibly using plural.
http://denyhosts.sourceforge.net/
DenyHosts is a script intended to be run by system administrators
to help thwart SSH server attacks (also known as dictionary based
attacks and brute force attacks).
In short, it does this by monitoring your syslog output for failed
login attempts and tweaking /etc/hosts.deny accordingly, and it can
optionally send and fetch lists of ssh probers from a central server.
Thanks to joerg@ for review and corrections.
* Major changes in 0.0.14
** epa-file can handle remote files over Tramp.
** Workaround for a face initialization bug of GNU Emacs.
** Follow the face naming convention of GNU Emacs.
* Major changes in 0.0.13
** epa-file bug fixes.
*** Fixed a compatibility bug on XEmacs 21.5.
*** Do not mark the buffer as modified.
* Major changes in 0.0.12
** epa-file.el usability improvements.
*** Ask recipients only the first time.
*** Respect epa-armor and epa-textmode.
*** Customizing epa-file-name-regexp now works.
*** Backup files for "*.gpg" are also encrypted.
* Major changes in 0.0.11
** Include the EasyPG Assistant user's manual
** Decode user-id's encoded in UTF-8 with "%" or "\" escape
** If a user attempt to encrypt data to an untrusted recipient, EasyPG
prompt the key-id (it requires GnuPG version 2.0.2 or later)
** epa-file.el turns off auto-saving by default
binary-only packages that require binary "emulation" on the native
operating system. Please see pkgsrc/mk/emulator/README for more
details.
* Teach the plist framework to automatically use any existing
PLIST.${EMUL_PLATFORM} as part of the default PLIST_SRC definition.
* Convert all of the binary-only packages in pkgsrc to use the
emulator framework. Most of them have been tested to install and
deinstall correctly. This involves the following cleanup actions:
* Remove use of custom PLIST code and use PLIST.${EMUL_PLATFORM}
more consistently.
* Simplify packages by using default INSTALL and DEINSTALL scripts
instead of custom INSTALL/DEINSTALL code.
* Remove "SUSE_COMPAT32" and "PKG_OPTIONS.suse" from pkgsrc.
Packages only need to state exactly which emulations they support,
and the framework handles any i386-on-x86_64 or sparc-on-sparc64
uses.
* Remove "USE_NATIVE_LINUX" from pkgsrc. The framework will
automatically detect when the package is installing on Linux.
Specific changes to packages include:
* Bump the PKGREVISIONs for all of the suse100* and suse91* packages
due to changes in the +INSTALL/+DEINSTALL scripts used in all
of the packages.
* Remove pkgsrc/emulators/suse_linux, which is unused by any
packages.
* cad/lc -- remove custom code to create the distinfo file for
all supported platforms; just use "emul-fetch" and "emul-distinfo"
instead.
* lang/Cg-compiler -- install the shared libraries under ${EMULDIR}
instead of ${PREFIX}/lib so that compiled programs will find
the shared libraries.
* mail/thunderbird-bin-nightly -- update to latest binary
distributions for supported platforms.
* multimedia/ns-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
* security/uvscan -- set LD_LIBRARY_PATH explicitly so that
it's not necessary to install library symlinks into
${EMULDIR}/usr/local/lib.
* www/firefox-bin-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
