PolicyKit is an application-level toolkit for defining and handling the
policy that allows unprivileged processes to speak to privileged processes:
It is a framework for centralizing the decision making process with respect
to granting access to privileged operations for unprivileged applications.
PolicyKit is specifically targeting applications in rich desktop environments
on multi-user UNIX-like operating systems. It does not imply or rely on any
exotic kernel features.
This package provides a D-Bus session bus service for bringing up
authentication dialogs used for obtaining privileges.
against recent openpam headers produce non functioning pam_ldap.so
on NetBSD 4.99.47(?) or more recent systems.
There's something really fishy in the headers...
Pkgsrc changes:
o Adapt patch-aa, still needed for non-hanging tests...
Upstream changes:
1.33 2008.10.21
- Fix open() calls (rt.cpan.org #40020)
- Fix non-shell problem (rt.cpan.org #39980)
- Allow full agent forwarding (rt.cpan.org #32190)
- Handle hashed known_hosts files (Greg Sabino Mullane, rt.cpan.org #25175)
1.32 2008.10.16
- Add IO::Handle to Perl.pm (rt.cpan.org #40057, #35985)
- Minor test cleanups.
1.31 2008.10.02
- New co-maintainer, Greg Sabino Mullane (TURNSTEP).
- Prevent t/03-packet.t from hanging due to high file descriptor.
(altblue at n0i.net, rt.cpan.org #6101)
- Skip some tests if Math::GMP not installed (e.g. from choosing only
protocol 2 in Makefile.PL) (Greg Sabino Mullane, reported in
rt.cpan.org #25152)
- If ENV{HOME} is not set, use getpwuid. If both fail and the dir
is needed, we croak. (Greg Sabino Mullane, expanded from patch
by dgehl at inverse.ca in rt.cpan.org #25174)
- Fix incorrect logical/bitwise AND mixup (Peter.Haydon at uk.fujitsu.com,
rt.cpan.org #31490)
- Allow empty stdin for SSH2 (rcp at rcable.co.uk, rt.cpan.org #32730)
- Adjust terminal dimensions dynamically if Term::ReadKey is available
(john at sackheads.org, rt.cpan.org #34874)
Authen::PluggableCaptcha is a fully modularized and extensible
system for making Pluggable Captcha (Completely Automated Public
Turing Test to Tell Computers and Humans Apart) tests.
Pluggable? All Captcha objects are instantiated and interfaced via
the main module, and then manipulated to require various submodules
as plug-ins.
Authen::PluggableCaptcha borrows from the functionality in
Apache::Session::Flex.
* Version 2.6.2 (released 2008-11-12)
** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate. Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.
** API and ABI modifications:
No changes since last version.
Changes since 0.0.14:
* epa-mail-encrypt now skips unusable keys.
* epa-file now uses canonical file names as keys for passphrase cache.
* Fixed a load-error of epa on XEmacs.
* epa-file bug fixes.
* Prepare auto-mode-alist to strip .gpg suffix when choosing major-modes.
* Don't signal an error when opening a nonexistent file via Tramp.
* epa-verify-region now decodes the plaintext with
coding-system-for-read or one saved as epa-coding-system-used.
* Version 2.6.1 (released 2008-11-10)
** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name. Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>. [CVE-2008-4989]
Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>
** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.
** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically. Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.
** libgnutls-openssl: Fix patch against X509_get_issuer_name.
It incorrectly returned the subject DN instead of issuer DN in v2.6.0.
Thanks to Thomas Viehmann <tv@beamnet.de> for report.
** certtool: Print a PKCS #8 key even if it is not encrypted.
** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).
** API and ABI modifications:
No changes since last version.
for all autoconf definitions that pollute namespace. Additionally,
I've prepared a distribution patch from FreeBSD ports which
fixes many memory leaks (see comment in patch).
PKGREVISION++
Eksblowfish is a variant of the Blowfish cipher, modified to make
the key setup very expensive. ("Eks" stands for "expensive key
schedule".) This doesn't make it significantly cryptographically
stronger, but is intended to hinder brute-force attacks. It also
makes it unsuitable for any application requiring key agility. It
was designed by Niels Provos and David Mazieres for password hashing
in OpenBSD. See Crypt::Eksblowfish::Bcrypt for the hash algorithm.
See Crypt::Eksblowfish::Blowfish for the unmodified Blowfish cipher.
Eksblowfish is a parameterised (family-keyed) cipher. It takes a
cost parameter that controls how expensive the key scheduling is.
It also takes a family key, known as the "salt". Cost and salt
parameters together define a cipher family. Within each family, a
key determines an encryption function in the usual way. See
Crypt::Eksblowfish::Family for a way to encapsulate an Eksblowfish
cipher family.
* gsasl: Don't use poll with POLLOUT to avoid busy-waiting.
* doc: Error codes are now extracted using official library APIs.
* doc: Included cyclomatic code complexity charts of the library code.
* tests: Add self test of obsolete base64 functions.
* Update gnulib files. Improves Windows compatibility.
Some highlights:
Bug #1680965 sans lookup fails -- Jordan Wiens
Fixed index.php redirect -- Kevin Johnson for Terry Burton
Added Worldmap feature -- Juergen Leising
Added Vendor MAC Map -- Juergen Leising
Increased memory limit from 50 to 128 MB in base_graph_common.php
Fixed "Select Signature from List" in the query form -- Juergen Leising
Newly generated coordinates file world_map6.txt. -- Juergen Leising
See docs/CHANGELOG for all the details
for IDN and inet6 support.
v.17 2008.10.13
- no code changes, publish v.16_3 as v.17 because it looks better
than v.16
- document win32 behavior regarding non-blocking and timeouts
v.16_3 2008.09.25
- fix t/nonblock.t with workaround for problems with
IO::Socket::INET on some systems (Mac,5.6.2) where it cannot do
nonblocking connect and leaves socket blocked.
- make some tests less verbose by fixing diag in t/testlib.t
(send output to STDOUT not STDERR and prefix with '#')
v.16_2 2008.09.24
- work around Bug in IO::Socket::INET6 on BSD systems
http://rt.cpan.org/Ticket/Display.html?id=39550
by setting Domain based on PeerAddr
Thanks to srezic for report and support
- remove tests of recv/send from t/core.t. Might badly interact
with SSL handshake and cause crashes as seen on OS X 10.4
v.16_1 2008.09.19
- better support for IPv6:
- IPv6 is enabled by default if IO::Socket::INET6 is available
- t/inet6.t for basic tests
--
pakchois is just another PKCS#11 wrapper library. pakchois aims to
provide a thin wrapper over the PKCS#11 interface.
The goals are:
1) to offer a modern* object-oriented C interface wrapper for PKCS#11.
2) to not hide or abstract away any details of the PKCS#11 interface
itself except where absolutely necessary.
3) to handle the details of loading DSOs
4) to allow the caller to avoid caring about where on the system
PKCS#11 modules might be stored, or exactly how they are named.
5) to avoid any dependency on a particular cryptography toolkit.
Existing PKCS#11 wrapper library solutions differ in at least one of
the above goals.
*: "modern" being a euphemism for not using process-global state,
having a sane symbol namespace, etc.
patch-ag and patch-ah fix void functions that attempt to return the result
of calling a void function.
patch-ai conditionally includes <sys/inttypes.h> to pick up uint32_t
is incorrect because:
1) _gcry_rngfips_deinit_external_test() is void function
2) the calling function, random, is declared void
The unpatched code will not compile with Sun compiler.
Seahorse is a GNOME front-end for GnuPG. It can be used for signing,
encrypting, verifying and decrypting text and files. The text can be
taken from the clipboard, or written directly in the little editor it
has. Seahorse is also a keymanager, which can be used to edit almost
all the properties of the keys stored in your keyrings.
This package contains various plugins for Seahorse.
tools moved to the new seahorse-plugins package.
seahorse 2.24.1
---------------
* Fix problems with seahorse crashing when searching for
remote keys. [Adam Schreiber]
* Build fixes on Solaris [Jeff Cai]
* Fix selection of keys in libcryptui. [Philip Withnall]
* I18n fixes. [Adam Schreiber]
seahorse 2.24.0
---------------
* Some tweaks to the password prompt window, including allowing
minimizing to release the keyboard grab.
* Fix compiler warnings for gcc 4.3.
* Return a 'cancelled' error from the daemon crypto dbus
methods when a user cancels out of a password prompt.
* Show revoked subkeys properly in details view of PGP keys.
* Fix problem deleting SSH keys.
* Fix dialog prompt column widths, and ellipsize long text in
key listing. [Adam Schreiber]
* Fix problem with 'no keys available' when trying to sign a
PGP key from within the key manager.
* Add 'exportable' flag to objects/keys and don't enable export
UI if selected objects are not exportable.
* Build fixes [Joe Orton, Adam Schreiber]
* Crash and other fixes. [Christian Persch]
seahorse 2.23.92
----------------
* Fix crash when changing a stored Gnome Keyring password.
* Fix certain crashes on syncing, searching and other operations.
* Fix dumb 'Couldn't import keys' error message when success.
seahorse 2.23.91
----------------
* Fix copying keys to the clipboard. [Adam Schreiber]
* Fix double free crash when importing keys.
* Fix crasher when deleting a key.
* Don't add extra null bytes to SSH authorized_keys and
similar files. [Adam Schreiber]
* Documentation fixes. [Adam Schreiber]
* Don't repeatedly load gnome-keyring items. [Adam Schreiber]
* Make help button in 'First Time Options' work properly. [Adam Schreiber]
* Better wording for options in PGP key dialogs. [Adam Schreiber]
seahorse 2.23.90
----------------
* Icon makeover. [Michael Monreal]
seahorse 2.23.6
---------------
* Initial PKCS#11 certificate listing implementation.
* Internal code refactoring.
* Fix problems with reference counting on operations.
* Use base64 functions in glib, rather than rolling our own.
* Don't use deprecated LDAP functions. [Adam Schreiber]
* String operation fixes. [Adam Schreiber]
* Build fixes [Jeff Cai]
seahorse 2.23.5
---------------
* Fix importing keys from key servers [Mackenzie Morgan]
* Factor out seahorse-plugins to a different module.
* Add XDS drag and drop support.
* Remove gnome-vfs dependency and use gio instead.
* Return key id of signer from DBus service even when key
is not found locally [Adam Schreiber]
* Refactor UI code internally into modules.
* Remove hard GPG and GPGME dependency.
* Replace signer drop down in key chooser with just a check
button when only one secret key exists. [Adam Schreiber]
* Set sync button insensitive when no server is selected.
[Adam Schreiber]
* Test for secure memory before using it. [Coleman Kane]
* Change trust model used to match GPG's. [Adam Schreiber]
* Remove libgnome and libgnomeui dependencies. [Saleem Abdulrasool]
* Grab keyboard focus when prompting for password.
[Josselin Mouette]
* Use the vala programming language for some code.
* Add initial infrastructure for PKCS#11 key/certificate support.
* Save and load window sizes from gconf. [Adam Schreiber]
* Build fixes [Brian Cameron, Saleem Abdulrasool, Alexis Ballier,
Christian Persch, Rodrigo Moya]
ASN1-encoded files (DER, BER, PER, etc.) in Python. ASN1 is the Abstract
Syntax Notation version 1, as defined by the International Telecommunication
Union (ITU).
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
- Fix log file permission error, that could happen though the user
Prelude-LML was running as could access the file (#291).
- ModSecurity ruleset update, by Dan Kopecek <dkopecek@redhat.com>:
provides much more descriptive classification.text, add regexps for
[file ..], [line ...], [tag ...] fields and fine tune targets/types
(#321).
- Deprecate Gamin/FAM support in favor of libev: the previous
implementation had problems on SELinux-enabled systems due to Gamin server
startup being triggered by other program, and thus using improper role
for Prelude-LML.
(#326).
- Improved polling architecture by using Operating System specific
backend when possible.
- We now monitor files that are not immediately available for reading on
startup: once the file can be monitored, libev provides us with a
notification.
- Fix an assertion warning upon sensor start in case the address
for the local machine could not be found.
- Consistency rework of EasyBindings IDMEFCriteria API.
- Add refcount support for prelude_client_t and
prelude_client_profile_t, and update EasyBindings destructor to use
them.
- Fix a bug where EasyBindings would be built although they were not
enabled.
- Fix path issue in case libprelude was configured with specific path
outside of $prefix (fix#319).
* libgnutls: Correct printing and parsing of IPv6 addresses.
* libgnutls-openssl: fix out of bounds access.
* certtool: Use inet_pton for parsing IPv6 addresses.
* Added API to replace and update the crypto backend.
* certtool: can add several subject alternative names via template file.
* opencdk: Parse (but not decrypt) encrypted secret keys.
* more...
* libwrap related fixes, better debugging messages, MS Visual C++ support
Changes 4.25:
* delay libwrap process spawning after dropping privs, other improvements
* Try to auto-initialize Libgcrypt to minimize the effect of
applications not doing that correctly. This is not a perfect
solution but given that many applications would totally fail
without such a hack, we try to help at least with the most common
cases. Folks, please read the manual to learn how to properly
initialize Libgcrypt!
* Auto-initialize the secure memory to 32k instead of aborting the
process.
* Log fatal errors via syslog.
* Changed the name and the semantics of the fips mode config file.
* Add convenience macro gcry_fips_mode_active.
* More self-tests.
* Documentation cleanups.
* Fixed a build problem under Windows.
Changes 1.5:
* Minor build system fixes.
* Updated gettext. Removed included gettext copy.
* gpg-error has a new option --version.
Need to BUILDLINK_ABI_DEPENDS on the 2.2.11 versions of the libraries.
Bump PKGREVISION wholesale to disambiguate the fixed packages from the botched
ones and depend on them.
Use GPLed version of the plugins instead of the non-free version.
While here fix permissions of PKG_SYSCONFDIR in nessus-core/Makefile.
Use ./configure as one is now supplied
libxml2 is no longer optional but curl is
Rename doc/eg dirs from ap-security to ap-modsecurity
* Allow for disabling request body limit checks in phase:1
* Now log XML parsing/validation warnings and errors to be in the debug log
at levels 3 and 4, respectively.
* Transformation caching has been deprecated, and is now off by default. We
now advise against using transformation caching in production.
* Improve request body processing error messages.
And many more . . . see CHANGES for all the details
Don't call pkg_info to get the installed Emacs version; always use the
version matching EMACS_TYPE set by users. Be DEPENDS to it. This should
address pkg/37146 by Aleksey Cheusov.
While here convert some emacs lisp packages to user-destdir.
v1.16
- change code for SSL_check_crl to use X509_STORE_set_flags instead of
X509_STORE_CTX_set_flags based on bug report from
<tjtoocool[AT]phreaker[DOT]net >
- change opened() to report -1 if the IO::Handle is open, but the
SSL connection failed, needed with HTTP::Daemon::SSL which will send
an error message over the unencrypted socket
only suggest pthread option when native pthread exists.
We cannot use pthread.buildlink3.mk to just detect if a suitable pthread
implementation exists or not.
Avoid unwanted dependency on pthread package when no native pthread and
pthread option off.
* Move inclusion of security/tcp_wrappers/buildlink3.mk to rightful place in
options.mk.
Avoid unwanted dependency on tcp_wrappers when libwrap option off.
* Remove deprecated(?) --with-tcp-wrappers from CONFIGURE_ARGS.
* Remove --enable-libwrap from CONFIGURE_ARGS even if require tcp_wrappers.
It affects not only the check for existence of tcp_wrappers but also blows off
needful addition of -lwrap to LIBS.
Fixes PR 39635
* In dsniff-nox11/Makefile, add a post-configure target to move
missing/sys/queue.h out of the way if the configure script
found a real sys/queue.h.
* Add patches to #include <string.h> in some files where I noticed warnings.
Bump PKGREVISION for both dsniff and dsniff-nox11.
finally. While here, fix PLIST and depkglint a bit. Also, fix the horrid
abuse of libtool.
Changes since 0.60.2:
* courier-authlib.spec: Dummy provides: for symlinks, to allow upgrade
with older packages that require <libname>.so.0.
* Makefile.am: Switch to versionless shared libraries.
Install all shared libraries just as <libname>.so. make install manually
removes *.so.0.0 files that were left over from previous versions,
and installs a temporary *.so.0 symlink to *.so, for temporary
binary ABI compatibility with 0.60. The symlinks will be removed in
0.62.
* Cleanup: always compile md5, sha* and hmac stuff, and remove all
conditionally-compiled cruft. Move SASL list to an internal header.
Add client-side support for AUTH EXTERNAL.
* authsasl.c (auth_sasl_ex): auth_sasl_ex() supersedes auth_sasl(),
invokes auth_sasl() for non-EXTERNAL SASL methods, implements EXTERNAL
by going through the motions, then setting up a dummy authentication
request.
* authdaemon.c (auth_generic): Check for the dummy EXTERNAL
authentication request, and handle it by invoking auth_getuserinfo(),
rather than sending it down the pipe. This avoids having to implement
a stub in every authentication module.
* authmysqllib.c: Use mysql_set_character_set() instead of SET NAMES
* authmysqllib.c: Fix domain-less queries.
* Makefile: Drop the unmaintained authvchkpw module.
* authmysqllib.c: Cleanup. Use mysql_real_escape_string instead of
crude filtering.
* Makefile.am: Use _LIBADD properly.
* configure.in: More portability fixes.
Packages Collection.
The Perl 5 module Authen::CAS::Client provides a simple interface
for authenticating users using JA-SIG's CAS protocol. Both CAS v1.0
and v2.0 are supported.
The changes from OpenSSH 5.0 are too many to write here; please refer to its
release notes: http://www.openssh.com/txt/release-5.1.
I quote only the Security section from the release notes.
Security:
* sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
other platforms) when X11UseLocalhost=no
When attempting to bind(2) to a port that has previously been bound
with SO_REUSEADDR set, most operating systems check that either the
effective user-id matches the previous bind (common on BSD-derived
systems) or that the bind addresses do not overlap (Linux and
Solaris).
Some operating systems, such as HP/UX, do not perform these checks
and are vulnerable to an X11 man-in-the-middle attack when the
sshd_config(5) option X11UseLocalhost has been set to "no" - an
attacker may establish a more-specific bind, which will be used in
preference to sshd's wildcard listener.
Modern BSD operating systems, Linux, OS X and Solaris implement the
above checks and are not vulnerable to this attack, nor are systems
where the X11UseLocalhost has been left at the default value of
"yes".
Portable OpenSSH 5.1 avoids this problem for all operating systems
by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
This vulnerability was reported by sway2004009 AT hotmail.com.
Upstream changes:
1.07 - Fri Aug 15 16:53:36 2008
* Fixed the odd character problems in some of the files
* No need to upgrade if you already have this installed
1.06_03 - Sun Jun 22 11:32:46 2008
* Trying the __sgi definition. If this doesn't make things
blow up, this release will get bumped to 1.07.
1.06_02 - Thu Jun 19 11:55:21 2008
* Removed wide chars from the header file. Some compilers
like to complain about things that are wrong. :(
1.06_01 - Wed Jun 18 09:37:34 2008
This is a test of a fix for Irix.
1.06_01 - Wed Jun 4 19:18:57 2008
* This is a test of a fix for Irix.
* Rewrite to use poll instead of select.
* Improve Windows installation instructions in the manual.
* tests: New self test of gsasl_mechanism_name function.
This is not acceptable for us. Instead, we patch to use libtool.
The included test passes.
Changes since 1.0.3:
* Minor fixes.
* Build library for GNU/Linux as PIC [**but we use libtool**]
* New hook feature to enhance the internal I/O functions.
v1.15
- change internal behavior when SSL handshake failed (like when verify
callback returned an error) in the hope to fix spurious errors in
t/auto_verify_hostname.t
- Make this compile on amd64
- Don't silently look for libraries when we don't need them. This should fix
PR 39318
- Add missing depends on apr
Release 5.4
###########
* Fixes to the http modules as some Apache installations are picky
* The MySQL module also works with mysqld-5.0, updated
* Added AS/400 return code checks to pop3 module
* Fixed memory leaks in the http-form module.
* Implemented a proposal by Jean-Baptiste.BEAUFRETON (at) turbomeca.fr to
check for "530 user unknown" message in the ftp module
* Added a performance patch by alejandro.mendiondo (at) baicom.com. This one
needs stability testing!
* Beautification to remove compiler warnings of modern gcc
- preludedb-admin has a new 'count' command, printing the result of a
COUNT() on the database.
- preludedb-admin work on smaller set of data, to prevent large
retrieval error (fix#220, refs #305).
- preludedb-admin handling of interrupted transaction was improved.
- Fix MySQL and SQLite MacOSX detection, by
Uwe Schwartz <usx303 at googlemail.com>. (fix#296).
ModSecurity ruleset rewrite, by Peter Vrabec <pvrabec@redhat.com> and
Dan Kopecek <dkopecek@redhat.com>. This ruleset handles ModSecurity 2.0
output. (Fix#216).
- New rulesets for FreeBSD su attempts, by Alexander Afonyashin <firm@iname.com>
(Fix#304).
- Add additional format to the default configuration to deal with apache
error_log file format, by Alexander Afonyashin <firm@iname.com> (Fix#307).
- Normalize some classification: introduce Remote Login, and
Credentials Change. Cleanup SSH ruleset, and remove duplicated rules.
- EasyBindings inclusion! EasyBindings provide simple C++, Python,
Perl, Ruby, and Lua bindings for using libprelude. They are still
considered experimental, thus you need to use (--enable-easy-bindings)
to activate them. Thanks to Sebastien Tricaud <toady@inl.fr> and
Pierre Chifflier <p.chifflier@inl.fr> for their contribution to this
project!
- Use automake/autoconf for building/installing Python extension.
- Fix 0.9.18 regression (alert created with empty CreateTime).
- Implement reference counting for the idmef-criteria and
prelude-connection API.
- Automatic casting when setting IDMEF Value to a field that is of
different type. Until now, if an user tried to set a path of a
specific type with an idmef_value_t object containing another type,
idmef_path_set() would return an error.
- Various bug fixes.
Based on PR 39222 by Jens Rehsack.
This module implements a wrapper around OpenSSL. Specifically, it wraps the
methods related to the US Government's Advanced Encryption Standard (the
Rijndael algorithm).
This module is compatible with Crypt::CBC (and likely other modules that
utilize a block cipher to make a stream cipher).
This module is an alternative to the implementation provided by Crypt::Rijndael
which implements AES itself. In contrast, this module is simply a wrapper
around the OpenSSL library.
The Crypt::Rijndael implementation seems to produce inaccurate results on
64-bit x86 machines. By using OpenSSL, this module aims to avoid architecture
specific problems, allowing the OpenSSL maintainers to overcome such issues.
This is the RIPE NCC DNSSEC Key Management tools, described at
https://www.ripe.net/projects/disi/dnssec_maint_tool/
This class implements an interface to a database of private keys used
during DNSSEC administration.
This package includes some diffs to the self-tests, so that they pass.
0.22 Mon May 29 21:15:17 CEST 2006
- Bugfixes
0.23 Wed Aug 2 15:48:19 UTC 2006
- Re-added support of MIT Kerberos 1.2.x
0.24 Wed, 21 Feb 2007 20:59:39 +0100
- Changed tests as an answer to FAIL 413320
0.25 Sun 3. Feb 20:18:16 UTC 2008
- Enhancement to use OpenSolaris/Solaris 10 native gss library
0.26 Fri 15. Feb 22:32:10 UTC 2008
- modified Makefile.PL to trigger no FAIL testreports
in case of missing prerequirements.
Pkgsrc changes:
o Change MAINTAINER to pkgsrc-users@ as per communication with maintainer
Upstream changes:
Authen-SASL 2.11 -- Mon Apr 21 10:23:19 CDT 2008
Enhancements
* implement securesocket() in the ::Perl set of plugins
Bug Fixes
* fix parsing challenges from GnuSASL
* update tests for DIGEST-MD5
* New test from Phil Pennock for testing final server response
Changes since the 0.6 branch:
0.7.1 - 23 July 2008
o Fixes a memory leak when invalid proposal received
o Some fixes in DPD
o do not set default gss id if xauth is used
o fixed hybrid enabled builds
o fixed compilation on FreeBSD8
o cleanup in network port value manipulation
o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
o Generates a log if cert validation has been disabled by configuration
o better handling for pfkey socket read errors
o Fixes in yacc / bison stuff
o new plog() macro (reduced CPU usage when logging is disabled)
o Try to work better with huge SPD/SAD
o Corrected modecfg option syntax
o Many other various fixes...
0.7 - 09 August 2007
o Xauth with pre-shared key PSK
o Xauth with certificates
o SHA2 support
o pkcs7 support
o system accounting (utmp)
o Darwin support
o configuration can be reloaded
o Support for UNIQUE generated policies
o Support for semi anonymous sainfos
o Support for ph1id to remoteid matching
o Plain RSA authentication
o Native LDAP support for Xauth and modecfg
o Group membership checks for Xauth and sainfo selection
o Camellia cipher support
o IKE Fragment force option
o Modecfg SplitNet attribute support
o Modecfg SplitDNS attribute support ( server side )
o Modecfg Default Domain attribute support
o Modecfg DNS/WINS server multiple attribute support
v1.14
- added support for verification of hostname from certificate
including subjectAltNames, support for IDN etc based on patch and
input from christopher[AT]odenbachs[DOT]de and
achim[AT]grolmsnet[DOT]de.
It is also possible to get more information from peer_certificate
based on this patch. See documentation for peer_certificate and
verify_hostname
- automatic verification of hostnames with SSL_verifycn_scheme and
SSL_verifycn_name
- global setting of default context options like SSL_verifycn_scheme,
SSL_verify_mode with set_ctx_defaults
- fix import of inet4,inet6 which got broken within 1.13_X.
Thanks to <at[AT]altlinux[DOT]ru> for bugreport and patch
- clarified and enhanced debugging support based on bugreport
http://rt.cpan.org/Ticket/Display.html?id=32960
- put information into README regarding the supported and recommended
version of Net::SSLeay
1.35 25.07.208
- Fix test plan for autoload.t if Test::Exception isn't available.
- Skip rsa_generate_key.t if Test::Exception isn't available.
1.34 24.07.2008
- Fixed problem with X509_get_subjectAltNames, where some types of Alt
Name (eg DIRNAMEs) were not properly handled, resulting in seg faults.
Reported by Achim Grolms.
- Added support for ENGINE_load_builtin_engines and
ENGINE_register_all_complete in order to enable built-in OpenSSL
crypto engines for hardware acceleration etc.
- Added support for ENGINE_by_id and ENGINE_set_default, required
to enable Sun crypto acceleration
1.33_01 14.02.2008
- Fixed a compile problem with inc_paths /usr/kerberos/include
in inc/Module/Install/PRIVATE/Net/SSLeay.pm. Reported by "J. Nick
Koston via RT"
- Added optional support for SSL_set_hello_extension,
SSL_set_session_secret_cb to support various extension patches from
a patch to openssl-0.9.9-dev contributed by Jouni Malinen.
See wpa_supplicant/patches/openssl-0.9.9-session-ticket.patch in the
latest (git) version 0.6 and later of wpa_supplicant at
http://hostap.epitest.fi/. These additions are ifdefed to
SSL_F_SSL_SET_HELLO_EXTENSION which is added by the patch
Tested with openssl-SNAP-20070816.
- Added SSL_SESSION_set_master_key and SSL_get_keyblock_size.
- Added all SSL_OP_* options flags present in 0.9.9
- Fixed a bug in SSL_set_tmp_dh
- Doc improvements in README.Win32
- Fixed a problem with proxy connections: open_proxy_tcp_connection
was stopping after the first \n from the proxy,
but instead should have looked for
$CRLF . $CRLF to find the beginning of the SSL content
- Fixed missing / on /usr/kerberos/include, reported by several people
- removed bacus.pt from host list in t/handle/external/10_destroy.t,
since it seems no longer to respond. Reported by tco2.
- changed t/handle/external/10_destroy.t so this list of URIs to be
tested can be configured with environment variable SSLEAY_URIS, a
colon separated list of host names. Suggested by tco2.
- changed t/handle/external/50_external.t and t/external/08_external.t
so this list of sites to be
tested can be configured with environment variable SSLEAY_SITES, a
colon separated list of host names. Suggested by tco2.
- Fixed documentation in README of how to use OPENSSL_PREFIX
environment variable to control the location of openssl. Reported by
"Quanah Gibson-Mount via RT".
- Don't use Module::Installs auto_install.
- Bind NID_ and GEN_ constants.
- Default to not running external tests.
sshfp is a small utility that generates RFC4255 SSHFP DNS records
based on the public keys stored in a known_hosts file or obtained by
using ssh-keyscan. If the nameserver of the domain allows zone
transfers (AXFR), an entire domain can be processed for all its A
records. These can then be easily added to a zone, and then secured
by DNSSEC.
Changes:
** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
** libgnutls: Fix memory leaks when doing a re-handshake.
** Fix compiler warnings.
** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
** srptool: Fix a problem where --verify check does not succeed.
Pkgsrc changes:
o Change to use CPAN as distribution source
o Change HOMEPAGE to use search.cpan.org; leave old
HOMEPAGE pointing to sourceforge commented-out
Upstream changes:
0.36 Mon Aug 13 12:16:38 EDT 2007
* [rt.cpan.org #28814] - Performance improvement
from mehradek (Radoslaw Zielinski)
-use English;
+use English qw( -no_match_vars );
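Review bot: the replacement line no longer provides the $MATCH, $PREMATCH and $POSTMATCH aliases, so any remaining use of those names elsewhere in the module would stop working; the two lines shown do not cover that, so a search for them across the distribution before accepting the change is worth doing, and the changelog entry could say that none are used.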
0.35 Fri Apr 20 12:33:53 EDT 2007 - Jesse Vincent <jesse@bestpractical.com>
* New Maintainer: Jesse Vincent <jesse@bestpractical.com> took over
maintenance of this module.
* Removed test key expiry dates. (Fixes
http://rt.cpan.org/Ticket/Display.html?id=17618)
* Applied secret key output patch for modern GPG from
http://rt.cpan.org/Ticket/Display.html?id=17619
* Applied patch to support 'tru' record types from
(http://search.cpan.org/src/JRED/Mail-GPG-1.0.6/patches/)
0.07 Thu Jul 23 10:31:33 2008
- rt 34703
- argument logic before filehandle fetch so that they'll apply
- read small chunk of file handles instead of readline() to
avoid various issues
Pkgsrc changes:
o Added full list of dependencies, from Makefile.PL.
Upstream changes:
0.04 Sun Jun 15 16:22:32 JST 2008
* fixed a bug that caused memory greediness with too long strings :<
* improved internal code for PAUSE.
0.03 Sat Jun 14 19:17:30 JST 2008
* added support for Math::Random::MT::Perl.
* switched to Module::Build.
* cleaned up test scripts.
* added 'binary' option to rndpassword.
Based on maintainer update request in PR 39196.
There are a lot of changes and some incompatibilities with 2.5.3
(current version in pkgsrc) particularly as respects SQL schema.
Consult vendor's release notes for more detail:
http://www.ijs.si/software/amavisd/release-notes.txt
- no complete ChangeLog from upstream -
ChangeLog:
2000-03-13 Gisle Aas <gisle@ActiveState.com>
Release 2.01
Broken out of the Digest-MD5-2.12 distribution and made into
a separate dist.
events received by Prelude. Several isolated alerts, generated from
different probes, can thus trigger a single correlation alert should the
events be related. This correlation alert then appears within the
Prewikka interface and indicates the potential target information via
the set of correlation rules.
- Improve thread safety when evicting events to disk.
- Handle IDMEF message version tag, which will be used in upcoming
libprelude version.
- Add support for newer GnuTLS 2.2.0 session priority functions. When
the option is available, the user might specify TLS settings through
the "tls-options" configuration entry.
- Fix a possible crash upon destruction of a bufpool that is writing to
a failover.
- Correct strtoul() error checking, when verifying scheduler options.
- Add support for newer GnuTLS 2.2.0 session priority functions. When
the option is available, the user might specify TLS settings through
the "tls-options" configuration entry.
- Workaround a GnuTLS issue where the client wouldn't be able
to negotiate a supported compression protocol with the server (#299).
- Implement variable substitution in Prelude configuration files.
- Allow IDMEF criteria with multiple values for a single path,
as can be seen in the following example:
alert.classification.text = (A || B || C || D)
- Implement negation of idmef-criteria, allowing to write criteria like:
! (alert.classification.text = A || alert.classification.text = B)
- Fix an IDMEF-Criteria matching problem, where the match function would
not attempt to match a OR after multiple consecutive AND that failed.
Thanks Alexander Afonyashin <firm(at)iname.com> for pointing out the
problem.
- Never use non-pointer field, always use the "required" keyword. Fix
API consistency issue, that could lead to unexpected behavior.
- Fix multiple problems with prelude_read_multiline /
prelude_read_multiline2,
(fix a problem with prelude-manager idmef-criteria that wouldn't read
external ruleset).
- Error out if GnuTLS initialization fails.
Pkgsrc changes:
- none
Changes since version 1.58:
===========================
1.98 Jul 08, 2008
* Precedence bug in Public::write() and Private::write()
(http://rt.cpan.org/Public/Bug/Display.html?id=37489)
Thanks to HRAFNKELL for reporting this!
1.96 Jul 06, 2008
* Set the version numbers in modules to $Crypt::RSA::Version::VERSIOn
1.95 Jul 06, 2008
* Remove STDERR error output in Crypt::RSA::SS::PSS.
(http://rt.cpan.org/Public/Bug/Display.html?id=29048)
* Allow symmetric cipher specification in Crypt::RSA::Key.
(http://rt.cpan.org/Public/Bug/Display.html?id=27929)
* Fix bug in AUTOLOAD.
(http://rt.cpan.org/Public/Bug/Display.html?id=26028)
* Use Module::Install instead of ExtUtils::MakeMaker
* Consolidate versioning to module version in Crypt::RSA::Version
(which is the reason for the version # jump)
* "use base" instead of @ISA
* "use FindBin" instead of the literal "lib" - this is safer.
Pkgsrc changes:
- none
Changes since version 1.21:
===========================
1.24 (Tue Jul 15 14:35:35 EDT 2008)
- Remove references to Artistic License from README.
1.23 (Tue Jul 15 05:18:37 EDT 2008)
- Applied patch from ANDK@cpan.org to avoid failures in reforgy.t
[http://rt.cpan.org/Ticket/Display.html?id=27585]
- Turned off warnings in the test suite. It is supposed to generate
warnings but it freaks out people.
- License changed to Artistic 2.0 | GPL for Fedora folks.
Pkgsrc changes:
- none
Changes since version 2.24:
===========================
2.29 Tue Apr 22 10:22:37 EDT 2008
- Fixed errors that occurred when encrypting/decrypting utf8 strings
in Perls more recent than 5.8.8.
2.28 Mon Mar 31 10:46:25 EDT 2008
- Fixed bug in onesandzeroes test that causes it to fail with
Rijndael module is not installed.
2.27 Fri Mar 28 10:13:32 EDT 2008
- When taint mode is turned on and user is using a tainted key,
explicitly check tainting of key in order to avoid "cryptic"
failure messages from some crypt modules.
2.26 Thu Mar 20 16:41:23 EDT 2008
- Fixed onezeropadding test, which was not reporting its test count
properly.
2.25 Fri Jan 11 15:26:27 EST 2008
- Fixed failure of oneandzeroes padding when plaintext size is
an even multiple of blocksize.
- Added new "rijndael_compat" padding method, which is compatible
with the oneandzeroes padding method used by Crypt::Rijndael in
CBC mode.
Pkgsrc changes:
- none
Changes since version 5.45:
===========================
5.47 Wed Apr 30 04:00:54 MST 2008
- modified Makefile.PL to install in core for Perls >= 5.10
-- thanks to Jerry Hedden for patch
- changed from #include <> to #include "" in SHA.xs
-- some platforms not able to find SHA source files
-- thanks to Alexandr Ciornii for testing
- moved .pm file to appropriate lib directory
- minor addition to META.yml
5.46 Wed Apr 9 05:04:00 MST 2008
- modified Addfile to recognize leading and trailing
whitespace in filenames (ref. rt.cpan.org #34690)
- minor C source code modification (ref. hmac.c)
- use const in sha.c for clean builds with -Wwrite-strings
-- thanks to Robin Barker for patch
(I didn't try whether it still works on 4.0. Would be nice if
someone did it.)
-supply an example pam.conf file
-slow down to avoid abuse, better cleanup in error cases, more paranoia
thanks to Joerg for suggestions
- fixed dependencies (required)
ChangeLog:
1.06 - Wed Apr 23 13:14:34 2008
* This release has a compiler-bug workaround for Sun C 5.9
identified by Andy Armstrong. No, really, it was a compiler
bug: http://in.opensolaris.org/jive/thread.jspa?threadID=53641&tstart=0
* You don't need to upgrade if you already have 1.05.
Changelog:
0.11 Wed Oct 31 20:26:13 2007
- fixed __reflect error
0.12 Sat Nov 3 10:11:42 2007
- Debug output removed
0.13 Sun Nov 4 11:22:54 2007
- fixed tests
0.14 Mon Nov 5 08:10:11 2007
- fixed __reflect error in non XS part