don't know why this didn't originally work as it should, but I've
just tested it with gcc3 and Forte 8 on Solaris and I couldn't make
it fail.
fixes coredump problem on Solaris observed by some, and also
PR pkg/23120 from Alex Gerasimoff.
bump PKGREVISION to differentiate between broken and unbroken
package.
No changelog available, but many bugs fixed, and these sources will
compile with gcc-3.3.1 (well, after I tweaked them). With thanks to
Christoph Badura for most of this work, I merely did the gcc-3.3.1
patching.
convert to use buildlink2 and include libpcap/buildlink2.mk to handle this
correctly. Also fix network library problems on Solaris. From pkg/22915
by Jonathan Perkin.
2) Fix the SunOS makefile, which isn't complete. Tidy up while here.
3) Re-order COMMENT/HOMEPAGE to appease pkglint.
provided by Jonathan Perkin in PR 22916.
'echo | xargs echo' on NetBSD and Solaris...
Workaround this in post-extract target's 'rm' by adding a '-f' argument
to it.
XXX Current upstream tarball does not have .orig files, I could have
removed this post-extract target...
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CAN-2003-0543 and CAN-2003-0544).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
[Steve Henson]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
[Bodo Moeller; problem pointed out by Matthias Loepfe]
*) Change X509_certificate_type() to mark the key as exported/exportable
when it's 512 *bits* long, not 512 bytes.
[Richard Levitte]
Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from it's contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
be read through on certain media, for example a swap space on disk.
[Geoff Thorpe]
*) Bugfix: client side session caching did not work with external caching,
because the session->cipher setting was not restored when reloading
from the external cache. This problem was masked, when
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
(Found by Steve Haslam <steve@araqnid.ddts.net>.)
[Lutz Jaenicke]
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
[Zeev Lieber <zeev-l@yahoo.com>]
*) Undo an undocumented change introduced in 0.9.6e which caused
repeated calls to OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digests() to be ignored, even after calling
EVP_cleanup().
[Richard Levitte]
*) Change the default configuration reader to deal with last line not
being properly terminated.
[Richard Levitte]
*) Change X509_NAME_cmp() so it applies the special rules on handling
DN values that are of type PrintableString, as well as RDNs of type
emailAddress where the value has the type ia5String.
[stefank@valicert.com via Richard Levitte]
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
the bitwise-OR of the two for use by the majority of applications
wanting this behaviour, and update the docs. The documented
behaviour and actual behaviour were inconsistent and had been
changing anyway, so this is more a bug-fix than a behavioural
change.
[Geoff Thorpe, diagnosed by Nadav Har'El]
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
[Bodo Moeller]
*) Fix initialization code race conditions in
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
ssl2_get_cipher_by_char(),
ssl3_get_cipher_by_char().
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
the cached sessions are flushed, as the remove_cb() might use ex_data
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
(see [openssl.org #212]).
[Geoff Thorpe, Lutz Jaenicke]
*) Fix typo in OBJ_txt2obj which incorrectly passed the content
length, instead of the encoding length to d2i_ASN1_OBJECT.
[Steve Henson]
patch provided in PR 22939 by Adrian Portelli
Version 2.0.2:
--------------
Cleanup of the RST mess in p0fr.fp and p0f.c parser.
Added isprint() text preview for -x mode.
[BUG] Fixed packet size reporting and matching for packets over 255 bytes
(_u8 -> _u16).
Extended RST+ACK to also cover plain RST, added some sane explanations
of the purpose of each mode. Clarification of the RST vs RST+ACK
occurences; test/sendack.c added.
Added -R option for RST+ACK fingerprinting. Created an empty database.
Moved databases from /etc to /etc/p0f/
Windows memory leak mystery solved.
No longer using pcap timeouts for anything. They suck. I first wanted
to use SIGALRM with no SA_RESTART, but it's broken on Linux on this
particular syscall. Fortunately, I spotted an mis-documented pcap_fileno and can now use select(). I just hope it won't break.
Note to self: despite of the documentation saying pcap_open_live with
timeout 0 will simply never timeout (which is irrelevant for
pcap_loop anyway), it does not work on FreeBSD, inhibiting all packet
processing instead. Works fine on Linux. Go figure.
Some minor p0fq fixes to prevent warnings.
Added some SYN+ACK signatures from rfp (p0fa.fp). Hooray!
p0fa.fp is now official. Moved from test/ to ., etc. README updated.
[BUG] Fixed the default TTL for IRIX and Tru64 (60), added a note to
p0f.fp, fixed TTL checker to also support %30 values.
[BUG] Fixed query mode lookup. The old code didn't handle reverse
lookups properly.
Masquerade scoring data is now available via the query interface.
P0fq utility updated to handle this.
Dropped /bin/bash from p0frep, /bin/sh would suffice.
Added a new -c option for -M and -Q cache size scaling, packet ratio
information on Ctrl-C to help estimate the right parameter.
Extra masquerade detection flags: -T for threshold, -V for detailed
flag breakdown; masquerade reporting now recognizes -r.
The new -w option writes all matching packets to a pcap file (regardless
of -K and -U settings).
Added -M option (unix only until p0f-query.c gets ported). This option
enables advanced masquerade detection based on the cyclic buffer
used by -Q. Added - signature flag to the config file. Some
documentation for the new functionality.
[BUG] Cleaned up the -K and -U semantics with -Q.
Replaced some single-character printfs with putchars in signature
reporting code (should be a tad faster). Added signature check
reporting, generic signature count and some other minor tweaks.
The new -x option provides a hexadecimal TCP/IP packet dump. Useful
when comparing two colliding fingerprints to find some differences
not covered by the current quirks set.
PPPoE interface is now handled correctly on NetBSD.
Added a shoddy manpage and updated makefiles.
Removed E quirk and added E to the regular options; removed needless EOL
append code from the parser. Breaks the old signature format in some
rare cases, but the old quirk is still recognized, and the user will be
advised to change it.
[BUG] Fixed ? option parsing bug that prevented RISC OS signature from
working (and would prevent all ? signatures from working, should there
be any other ;-).
New signatures and other database additions, of course.
[BUG] Fixed a very minor parser bug that could cause it to loop over
an unknown option with a declared length of zero. This is not a DoS
condition, because the parser would quit the loop after parsing max. 16
options anyway.
Most important chcanges: security relevant bug fixes in new PAM authentication code
Changes since OpenSSH 3.7.1p1:
==============================
* This release disables PAM by default. To enable it, set "UsePAM yes" in
sshd_config. Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend that PAM
be left disabled in sshd_config unless there is a need for its use.
Sites using only public key or simple password authentication usually
have little need to enable PAM support.
* This release now requires zlib 1.1.4 to build correctly. Previous
versions have security problems.
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
are not supported for older OpenSSL versions.
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
function.
* Workaround problems related to unimplemented or broken setresuid/setreuid
functions on several platforms.
* Fix compilation on older OpenBSD systems.
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
that has not worked since the 3.7p1 release.
The Darwin compile time configuration is easy to write, but I don't have a
Darwin box handy, and so the tw.conf.darwin is a bit difficult to write as
there tend to be a few non-standard paths.
In response to PR 22362.
# OpenSSH 3.7x currently does *not* work on IRIX!
# To compile, we would need to remove the extraneous inclusion of the
# ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though
# sshd will not work: It seems the connection is closed by the daemon
# when it tries to spawn off a child to handle the incoming connection
#
# If you need the latest security patches for your openssh, I'm afraid you'll
# have to apply them by hand to the 3.6.1p2 version.
(Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed
automatically?)
Large number of changes since 3.6.1p2, the most pertinent being:
* do not expand buffer before attempting to reallocate it (buffer.c)
note that NetBSD-current already includes this fix.
other changes include:
* portability fixes
* regression test fixes
* add GSSAPI support and remove kerberos support from ssh1, retaining
kerberos passwd auth for ssh1 and 2
* man page fixes
* general bug fixes
see the ChangeLog for full details.
Inspired by FreeBSD "ports".
Fix the PLISTs accordingly.
Also, while at it, remove now obsolete compileall.py calls in post-install
targets and insure that extension.mk is in included before builinlinks of
other Python modules.
Discussed with/ok'ed by drochner@.
include:
- Better opened() behavior when sockets close unexpectedly.
- Added support for WeakRef and Scalar::Util to allow
IO::Socket::SSL objects to auto-destroy themselves when
they go out of scope.
- Added croak()ing for unimplemented send() and recv() methods
so they are not accidentally used to transmit unencrypted
data. The Perl builtin functions cannot be reliably trapped
and are still dangerous, a fact that the POD now reflects
- Changed accept() to use inherited accept() instead of
IO::Socket::accept, so that IPv6 inheritance is possible.
- Added options to import() so that a user could specify
IPv6 or IPv4 mode of operation.
- new features: http and raw tcp support
- fixed apparent STDIO vs. sysread bug in proxy connect
- added tcpecho.pl and tcpcat.pl to MANIFEST
- fixed some further bugs with TCP read all, etc.
- fixed some const char pointer warnings
Don't assume PerlIO_read() works like fread() even though
it was documented like that for perl 5.6. It returns negative
on read failure.
The $md5->addfile method now croaks if it discovers
errors on the handle after reading from it. This should
make it more difficult to end up with the wrong digest
just because you are to lazy to check the error status
on your file handles after reading from them.
Improved documentation.
Don't assume PerlIO_read() works like fread() even though
it was documented like that for perl 5.6. It returns negative
on read failure.
Implemented sha1_transform, required to implement NIST FIPS 186-2.
Make it build on 64-bit platforms with 32-bit longs.
Sync up with the Digest::MD5 implementation:
- added clone method
- addfile croaks if it can't read
- the sha1*() functions warn if called as method
or with reference arguments.
USE_GCC2 or USE_GCC3 where appropriate.
the functionality of the old gcc.buildlink2.mk has been rolled into
compiler.mk now, which is automatically used.
more changes to come later...
just setting BUILDLINK_DEPENDS.openssl. USE_OPENSSL_VERSION wasn't
actually needed here anyway since the minimum version allowed by
openssl/buildlink2.mk exceeded the version requested here.
from webpage:
>v2 is a significantly more accurate, precise and faster brother of the original
>proof-of-concept tool I released in 2000. P0f v1 is largely obsolete...
SASL is a generic mechanism for authentication used by several
network protocols. Authen::SASL provides an implementation
framework that all protocols should be able to share.
The XS framework makes calls into the existing libsasl.so
shared library to perform SASL client connection functionality,
including loading existing shared library mechanisms.
Authen::SASL::Cyrus implements XS SASL Authentication.
Packages provided by Quentin Garnier via pkgsrc-wip.
SASL is a generic mechanism for authentication used by several
network protocols. Authen::SASL provides an implementation
framework that all protocols should be able to share.
The included plugin Authen::SASL::Perl implements several of
these protocols (DIGEST-MD5, CRAM-MD5, ANONYMOUS, EXTERNAL,
LOGIN and PLAIN).
Package provided by Quentin Garnier via pkgsrc-wip.
Changes from previous version:
+ rely on an embedded sha1 digest to tell whether the vulnerabilities
file has been damaged in transit or received successfully, rather than
trusting that the file will not grow smaller
+ use the new filename "pkg-vulnerabilities"
+ use definitions from defs.${OPSYS}.mk in the download-vulnerability-list
script
+ at installation time, don't rely on "ln -sf" to DTRT - explicitly call
"rm -f" before attempting the symbolc link
With thanks to seb@ for testing.
Based on pr pkg/22356 by Adrian Portelli.
Changes since 2.0.6a:
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Fixed bad performances issues when pinging dead hosts
- Fixed a bug which would prevent to store items larger than 2kb in the KB
- NFS and SMB file-related functions completed (open, read and cwd are
implemented)
- Plugins support for Windows 2003
- Network IPs can now be evenly sliced instead of being scanned
sequentially
- User-definable source-IP(s) for the checks (nessusd -S)
- Fixed a possible message corruption problem if a plugin was to send a too
long message back to nessusd
- Fixed a possible plugin corruption problem when the client overwrites
existing plugins
- Fixed various false positives and wording issues in several plugins
Some highlights of changes since 4.2.3:
* PCRE updated to 4.3, GD to 2.0.15
* improved Apache2 support
* much improved stream & URL wrapper support, output compression support
* added CLI (Command Line Interface) SAPI
* debug_backtrace() backported from ZendEngine2
* faster build system
* huge number of other bug fixes and improvements
Packaging changes:
* 'pcre', 'xml', and 'session' modules folded back into main package -
'pcre' and 'xml' is required by PEAR, and 'session' is just too essential
to be separate
* 'gd' module now uses bundled PHP GD library, which is better integrated
* PHP modules use shared distinfo when possible to ease future PHP updates
* ${PREFIX}/bin/php is now CLI version, ${PREFIX}/libexec/cgi-big/php
remains CGI version
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
for a possessive (like her, his, whose, their, and its).
Note that I didn't check for proper use of "its" (when it should
be "it is" or "it has" instead).
I also saw over 15 other grammar or punctuation problems, but not
fixed in this commit.
* New "--gnupg" option (set by default) that disables --openpgp,
and the various --pgpX emulation options. This replaces
--no-openpgp, and --no-pgpX, and also means that GnuPG has
finally grown a --gnupg option to make GnuPG act like GnuPG.
* A number of portability changes to make building GnuPG on
less-common platforms easier.
* Romanian translation.
* Two new %-expandos for use in notation and policy URLs. "%g"
expands to the fingerprint of the key making the signature
(which might be a subkey), and "%p" expands to the fingerprint
of the primary key that owns the key making the signature.
* New "tru" record in --with-colons --list-keys listings. It
shows the status of the trust database that was used to
calculate the key validity in the listings. See doc/DETAILS for
the specifics of this.
* New REVKEYSIG status tag for --status-fd. It indicates a valid
signature that was issued by a revoked key. See doc/DETAILS for
the specifics of this.
an operating system does not have a 'make' (ie only bmake), or if the OS
supplied 'make' is sufficiently broken (Irix), this will cause the build to
fail (interestingly enough apparently only if build as a dependency, not
if build from this directory).
Patch Makefiles to use @MAKE@, which then, after patching, is substituted with
the actual ${MAKE} (can't use "MAKE= ${MAKE} -f Makefile.ssl").
While here, tweak Irix configure a bit.
No documentation is given for changes.
- improved portability; proper checking for libwrap.
- add hosts_allow, hosts_deny and hosts_ctl methods.
It should fix macppc bulk build problem. This packge was broken since
ruby-tcpwrap-0.3's distfile's contet was changed.
Instead of using the number of bytes to determine whether or not the
file has shrunk, use the number of lines. This will allow for
spelling corrections, login name of committers being shorter than
others, etc. This is a temporary measure until a better distribution
mechanism is used. Suggested by David Brownlee.
The search for a small Secure Shell server to fit on a laptop with 4
megs ram and no hard disk was fruitless, so Matt Johnston decided to
write his own, and Dropbear is the result. It implements various
features of the SSH 2 protocol, including X11 and Authentication Agent
forwarding. Dropbear is Open Source software, distributed under a
MIT-style license.
Features
* A small memory footprint - Dropbear can compile to a 110kB
statically linked binary with uClibc (and only minimal options
selected).
* Implements X11 forwarding, and authentication-agent forwarding
for OpenSSH clients
* Compatible with OpenSSH ~/.ssh/authorized_keys public key
authentication
* Features can easily be disabled when compiling to save space.
* Preliminary TCP forwarding support (-L style only)
changes:
Fix build on NetBSD-current with OpenSSL 0.9.7.
New in 2.1.15
-------------
* Fix a number of build issues
* Add a doc/components.html that hopefully describes how things
interact better.
New in 2.1.14
-------------
* OS X 10.2 support
* Support for the Sun SEAM GSSAPI implementation
* Support for MySQL 4
* A number of build fixes
* Other minor bugfixes
OK'ed by chris@
Previous versions have a security issue. Please update!
Thanks to gendalia@ for testing.
Changes since version 3.2.2:
2003-05-09 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.5.
* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that attacker has the
public key and the attacker needs to precompute the signature
data so, that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
2003-04-22 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.4.
* sshd2: Binary (generated by us) is tagged as a "supported
binary" for SecurID. (no actual code changes)
* Previous: ssh-3.2.3.1.
2003-02-06 Sami J. Lehtinen <sjl@ssh.com>
* sftp2 (etc): Fixed a bug with readline jamming when pressing
backspace (etc) on AIX and some other platforms.
2003-01-12 Sami J. Lehtinen <sjl@ssh.com>
* ssh-3.2.3.
2003-01-03 Sami J. Lehtinen <sjl@ssh.com>
* scp2: Removed broken special handling for SIGHUP, so that
"nohup" can again work.
* ssh2: Check whether we should ignore SIGQUIT, SIGINT, and do so,
if necessary. Thanks for J. Schilling for pointing this one out.
* ssh-add2: Make sure fgets() from pipe to ssh-askpass2 recovers
from if interrupted by signal, i.e. SIGCHLD.
* ssh2 (lib/sshsession/sshtty.c): As entry above, but for tcsetattr().
* During "make install", use default size of key instead of hardcoded
1024 when generating hostkey.
2002-12-18 Sami J. Lehtinen <sjl@ssh.com>
* scp2,sftp2: Print progress output to stdout, to make it
distinguishable from errors in cron jobs etc.
2002-12-17 Sami J. Lehtinen <sjl@ssh.com>
* apps/ssh/sshchsession.c: Fixed a bug which caused sshd2 child
server to jam occasionally after logging an event, if nsswitch had
been configured to use LDAP.
2002-12-13 Sami J. Lehtinen <sjl@ssh.com>
* sshd2: Previous (by Tomi Mickelsson): Fixed a bug where
specifying a local forwarding endpoint as an IP-address which was
unresolvable would result in a crash.
2002-12-12 Sami J. Lehtinen <sjl@ssh.com>
* scp2: Fixed a bug/missing feature from scp2. It now reports
information also when run when there is no tty. Also implemented
--statistics=[no,yes,simple], where "yes" is old-style, "no" is
analogous to "-Q" command-line option, and "simple" is the way
the statistics are printed when there is no tty (no intermittent
reporting, file size, transfer time and full file name are printed
after the transfer for the specific file is finished).
2002-12-11 Sami J. Lehtinen <sjl@ssh.com>
* ssh-keygen2: respect "-P" and "-p" options when converting
ssh1-keys.
2002-12-10 Sami J. Lehtinen <sjl@ssh.com>
* lib/sshutil/sshcore/sshdebug.c: Fixed a compilation problem
manifested on older AIX and debugging enabled (as is default).
* scp2: You can now specify the newline convention when using the
"-a" option. See manual page scp2(1).
2002-11-08 Sami J. Lehtinen <sjl@ssh.com>
* Removed ssh-pubkeymgr and ssh-chrootmgr from the distribution
(they didn't work too well).
* apps/ssh/lib/sshproto/trcommon.c: Fixed a crash if hostkey
algorithms or kex-methods couldn't be negotiated.
2002-11-05 Sami J. Lehtinen <sjl@ssh.com>
* lib/sshapputil/sshuserfile.c: Changed to use
lib/sshsession/sigchld.c, instead of using wait() directly. This
fixes the bug where the number of connections would slowly rise to
the maximum when using MaxConnections and tcp-wrappers (it was a
race-condition).
* lib/sshsession/sigchld.c: Sigchld now keeps a list of recently
exited children. This fixes a race condition, where the child
process could exit before the mother process had registered a
handler for it.
* lib/sshsession: Fixed NetBSD 1.6 compilation. Also, NetBSD 1.6
supports openpty style ptys, so fixed check to actually detect
them on NetBSD. Don't use utmpx on NetBSD, as it doesn't seem to
work (at least not in the way we use it).
* lib/sshsession/sshunixuser.c: Make sure we have room for the
NULL pointer in the groups array.
* ssh2 (ssh1-emulation): Fixed a bug, which in some cases caused
an assertion failure later.
2002-10-29 Sami J. Lehtinen <sjl@ssh.com>
* configure: Added /usr/X11R6/bin and /usr/X11/bin to search PATH
for xauth to ease installation on pristine systems.
2002-10-22 Sami J. Lehtinen <sjl@ssh.com>
* lib/sshutil/sshnet/sshtcp.c: (by Tomi Ollila) Fixed a bug with
SOCKS handling.
2002-10-01 Sami J. Lehtinen <sjl@ssh.com>
* lib/sshutil/sshpacketstream/sshpacketwrapper.c: (by Tomi Kause)
Fixed a latent (in ssh2) bug, when writing to the stream from the
received_cb.
* lib/sshutil/sshnet/sshsocks.c: (by Tomi Ollila) Decode
ipv6-mapped-ipv4-addresses when doing SOCKS4, as SOCKS4 only
supports plain ipv4-addresses.
* scp2: Implemented --overwrite, which controls whether to
overwrite the destination file(s). Default is "yes",
i.e. to overwrite.
* scp2: Implemented interactive mode, i.e. you can make scp2
prompt you whether to overwrite an existing destination
file. Works by giving --interactive (-I) on the command-line.
2002-08-15 Sami J. Lehtinen <sjl@ssh.com>
* sshd2: Fixed a bug with originator-pat with ForwardACLs.
2002-08-02 Sami J. Lehtinen <sjl@ssh.com>
* scp2, sftp2: Fixed a bug, which caused file transfer to stall,
if trying to transfer a zero sized file with ascii transfer
(newline mangling).
2002-07-21 Sami J. Lehtinen <sjl@ssh.com>
* sftp2: Added option "S" and "r" to "ls" (for sorting by size and
reversing the sort order, respectively).
* sftp2: "ls" works much better now. Tab completion understand
directories (appends a '/', for easier directory traversal).
* sftp2, scp2: Extensive rewrite of SshFileCopy, and as a
consequence, of both scp2 and sftp2 core functionality.
2002-06-13 Sami J. Lehtinen <sjl@ssh.com>
* ssh2: Fixed a bug with one-shot forwarding.
3.0.0:
- Cleaned up installed header files.
- Modified the API so that all keys can be passed as arrays of bytes.
- Modified the API so that all key sizes are given in bits.
- Modified the multi-precision integer library to work better on 64-bit
machines.
- Modified the assembly source generation mechanism, employing the m4
macro processor.
- Added multi-precision integer vectorized assembler routines for
Itanium.
- Added multi-precision integer assembler routines for PowerPC 64-bit.
- Added multi-precision integer assembler routines for Alpha.
- Added multi-precision integer assembler routines for Opteron.
- Added multi-precision integer assembler routines for IBM zSeries 64-bit.
- Added multi-precision integer assembler routines for M68K.
- Added Jeff Johnson's python bindings.
- Added new unit tests.
- Added new benchmarking programs.
2.3.0pre:
- Modified the header files so that the library now uses self-contained
autoconf-generated configuration files; a program employing BeeCrypt can
now use the symbols already tested and defined instead of having to
regenerate them (thus also eliminating the risk of inconsistencies).
- Added the AES algorithm, with assembler routines for i586 and powerpc.
- Added the DSA signature algorithm.
- Added PowerPC assembler routines for blowfish.
- Added Pentium4 SSE2 assembler multiplication routines.
- Fixed the RSA CRT algorithm.
- Fixed the gas/i386 mp32even and mp32odd routines.
- Fixed a bug in modular inverse computation; thanks to Jeff Johnson of
RedHat for pointing this out.
- Fixed a bug in testing the result of a gcd operation in the mp32prndconone
routine.
- Fixed an ugly bug in base64 decoding.
- Fixed compatibility with the latest automake & autoconf versions.
- Replaces CPU optimization mechanism in configure script.
BeeCrypt is an open source cryptography library that contains highly
optimized C and assembler implementations of many well-known algorithms
including Blowfish, MD5, SHA-1, Diffie-Hellman, and ElGamal.
Unlike some other crypto libraries, BeeCrypt is not designed to solve
one specific problem, like file encryption, but to be a general purpose
toolkit which can be used in a variety of applications.
There are also no patent or royalty issues associated with BeeCrypt, and
it is released under the GNU LGPL license, which means it can used for
free in both open source and closed source commercial projects.
explained in the "Advanced Topics" part of the SWIG documentation
(as currently built - w/o python version dependency, it is broken anyway)
we just need a build dependency on swig-build
using RCD_SCRIPTS to handle generation and installation of the rc.d script.
Convert the rc.d script to the rc.subr framework too.
Bump PKGREVISION to 1.
was commented out because it didn't work with recent openssh, is now fiexed
and commented back in). This support is conditional on ${KERBEROS} being
set, and currently enables support for both kerberos 4 and 5. This should
be refined.
This has been tested and confirmed on -current and 1.6. Testing on other
platforms (if any? solaris?) in which we support kerberos in pkgsrc should
be done.
20030430 of the GSSAPI patches from
http://www.sxw.org.uk/computing/patches/openssh.html
. From the site:
The patches on this page are concerned with adding support for
authenticating users via their Kerberos credentials, and allowing
authenticated users to forward their credentials to a remote
machine over ssh.
These patches are against various versions of the OpenSSH portable
code. SSH has both a legacy protocol version 1, and a newer,
protocol version 2 (which is being standardised in the IETF).
Techniques exist for performing Kerberos authentication over both
protocols, and GSSAPI authentication over protocol version 2.
In this package standard ssh support for kerberos versions 4 and 5 is kept
for version 1 of the ssh protocol (openssh does not support kerberos 4 in
ssh protocol version 2).
These patches, which provide a much more thorough implementation of kerberos
5 support than that shipped with openssh, are pkg'ed here with an eye toward
evaluation of their usefullness for inclusion in the base os.
- Added keychain man page
- Fixed bugs with displaying colors for keychain --help
- Added a $grepopts to fix the grepping for a pid on cygwin
- Added a TODO document color fix based on submission by Luke Holden
Changes:
2003-03-09 Gisle Aas <gisle@ActiveState.com>
Release 2.24
Don't let the $^W test get confused by lexical warnings.
Sync up with bleadperl; safer patchlevel include.
2003-01-18 Gisle Aas <gisle@ActiveState.com>
Release 2.23
Override INSTALLDIRS for 5.8 as suggested by
Guido Ostkamp <Guido.Ostkamp@t-online.de>.
Changelog:
1.8.3 (Feb 6, 2003)
- Lots of new signatures
- URL's for papers and sites with information on fingerprinting.
- Information on the windows/Cygwin port. .exe for 1.8.3 will
show up soon.
1.8.2.2 (May 13, 2002)
- Rechecked version numbers. (Bill)
- Mysql cleanup and integration
- Mysql quickstart (Marion)
1.8.2.1 (May 12, 2002)
- Mysql Support Added (Evrim ULU <evrim@core.gen.tr>)
- FPS Buffer Length increased from 120 to 150 (Evrim)
- p0f-mysql.conf config file added for mysql connectivity (Evrim)
- parser for p0f.fp was corrected. It was including
wwww:ttt: ... line in the comments. (Evrim)
- mysql/db.sql file is included for creation of db tables (Evrim)
- Makefile.mysql is added - no gnu autoconf support yet. (Evrim)
- New RedHat 7.0 Beta Fischer FP added. (Evrim)
- Max fingerprints raised to 5000 for the moresigs project. (Bill)
- ad hoc fix build problem on NetBSD current.
- changes from 0.1.2a:
Tue, 10 Dec 2002 02:32:54 -0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
* ossl-0.1.3 released
Mon, 9 Dec 2002 22:26:15 -0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
* x509name.c: let initialize() give a Array instead of a Hash.
to_a is implemented and to_h is deprecated.
* openssl.rb: X509::Name is refined.
Mon, 9 Dec 2002 20:21:32 -0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
* ossl.c: use ruby_unsetenv() instead of unsetenv().
* ssl.c: the return value of SSL_read/SSL_write is int (not size_t).
This fix is suggested by matz. ([ruby-list:36721])
Mon, 28 Oct 2002 10:39:43 +0100 -- Michal Rokos <m.rokos@sh.cvut.cz>
* LICENCE: update to latest Ruby's
* extconf.rb: fix to make it work under Ruby 1.7.3
* pkey.c: fix MACRO
* ChangeLog: changed style
since there is a problem with aide-0.9 which results in it sending an
email warning on every run of the scanner. Whilst this version may
have other problems (it believes opendir(3)'s output, IIRC), it does
keep quiet about them.
aide-0.6 creates a database from the regular expression rules that it finds
from the config file. Once this database is initialized it can be
used to verify the integrity of the files. It has several message
digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) that are used to
check the integrity of the file. More algorithms can be added with
relative ease. All of the usual file attributes can also be checked
for inconsistencies. It can read databases from older or newer
versions. See the manual pages within the distribution for further
info. There is also a beginning of a manual at
http://www.cs.tut.fi/~rammer/aide/manual.html
Changes (from 0.49) :
- fixed build problem for OpenSSL 0.9.6 and some builds
of perl 5.8.x which resulted in make error:
/usr/include/openssl/des.h:193: parse error before '&' token"
Thanks to Rob Brown for submitting a similar patch to cover
this problem
- bug fix from Dongqiang Bai when server using proxy cannot
resolve host name being connected to
- Added c:/openssl in default search path on win32 machines
which is the recommended installation area in the openssl dist
- Added patch from Pavel Hlavnicka for freeing memory leaks
from SSL_CTX_use_pkcs12_file() whose functionality is triggered
by the $ENV{HTTPS_PKCS12_*} settings
- Added alarm() during Net::SSL->read() to honor socket timeout
setting for more robust applications. read()
will die_with_error() which in consistent with previous
semantics used during SSL read() failure
Thanks to Pavel Hlavnicka for prompting this change.
- Removed code that supported versions of SSLeay before version 0.8
I believe SSLeay v.8 was released back in 1998
- Added patch from Devin Heitmueller so that initial random seed
would be taken from /dev/urandom if available via RAND_load_file
API
Changes :
1.22
- proxy auth fix from Bill.Muller@@ubsw_..com
- RAND patch from Toni Andjelkovic <toni@soth._at>
1.23
- some minor tweaks by many, mainly for RH build
- memory leak and cleanup patches from
Marian Jancar <mjancar@suse._cz>
now and not NetBSD-*-arm32. Changes include one or more of:
- Change MACHINE_ARCH == arm32 to also match arm
- Where ONLY_FOR_PLATFORM includes NetBSD-*-arm32, add NetBSD-*-arm
- Where BROKEN or worked around for arm gcc bugs, set USE_GCC3
The last may shake out a few more broken packages the next bulk build.
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
(This last fix makes this compile on IRIX again.)
Also, add dependency on Perl instead of noting it in message, and use
REPLACE_PERL.
PHP frontend not included in this package.
Changes:
apg-2.1.0
Some code cleanup.
apg-2.1.0b1
Option [-E char_string] now works for pronounceable
password generation too (see apg(1), apgd(8)).
apg-2.1.0b0
Added new option [-e char_string] that allow to exclude some
characters from password generation process.
(works only for random password generation yet)
apg-2.1.0a0
Added support for /dev/arandom for OpenBSD
apg-2.1.0a0
Fixed some typing errors in the man pages
System getopt() replaced with own apg_getopt().
All calls of bcopy() and bzero() replaced with memcpy() and memset().
Changed documentation.
PRNG algorithm changed to use PID as an element of initial seed.
Redesigned PHP frontend. Added support for German language.
Implemented password quality ckeck based on filter. Now you can enforce
APG to generate passwords that must contain numbers, special characters etc.
Removed support for old style password generation mode definition.
apg-2.0.0final
Changed PHP frontend to work with PHP safe-mode.
Version numbers of apg, apgd, apgbfm, apgonline changed to 2.0.0final.
apg-2.0.0b1
Fixed error that has forced user to set world-write privileges on
Bloom-filter file. (Thanks to Mike Robbins)
Fixed PHP frontend to clean-up generated HTML code.
(Thanks to Mike Robbins)
apg-2.0.0b0
Some code style fixes.
Support for "special" symbol-set usage for password generation
in pronounceable mode (S mode).
Support for "resticted special" symbol-set usage for password generation
in pronounceable mode (R mode).
New style of hyphenated password output for pronounceable
password generation mode.
apg-2.0.0a3
Better error handling in apgbfm.
Added -q option for apgbfm and apg (quiet mode).
Added PHP frontend for APG.
apg-2.0.0a2
Added support for SHA1 algorithm used for random numbers and hash
generation.
Hash function used in apgbfm changed to SHA1.
Added info to APG_TIPS file.
apg-2.0.0a1 (not published)
Finaly fixed some warnings during compilation process.
Added support for OpenBSD.
Added info to APG_TIPS file.
apg-2.0.0a0
Added new algorithm (-b option) to check generated passwords
quality (Bloom filter).
Added utility apgbfm to manage Bloom filter.
Some code style fixes.
Added APG_TIPS file in documentation.
- Cleared up some ambiguous syntax (grid -column instead of -col)
- Added a workaround for a bug in Tcl/Tk 8.4.0, which crashes on selection
requests when a handler is registered without a type. Thanks to Roberto
Ugoccioni for both of these patches!
This also includes changes offered in pr pkg/18734 and pr pkg/20796
submitted by Adrian Portelli. Thanks & Sorry that it took that long to
pick them up.
2.0.6 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Support for the keyword 'default' as a port range in nmap_wrapper.nes
- Fixed a zombie issue in nmap_wrapper.nes
- Fixed various issues which could allow a NASL script to crash the
NASL interpretor
- Improved the process management in find_services.nes
2.0.5 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Fixed a rare race condition which may make the scan hang
- Fixed SMB related issues
- Entering "default" as the port range will make nessusd scan the ports
listed in the Nessus services file.
- Even more sigs in find_services.nes
. changes by Julien Bordet (zejames@greyhats.org)
- Added over 3,000 signatures to smtpscan.nasl (thanks to the data
provided by the Nessus team)
2.0.4 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- fixed the SIGCHLD handler which would not work properly and leave zombies
on the system
- fixed a race condition when testing a great number of hosts which would
cause a testing process to slow down a whole audit or even hang it
totally
- When a great number of host names is passed to nessusd as a target, they
are resolved by chunks of 64 instead of trying to resolve everything then
starting the test
- RedHat 9 support (in spite of their attempt to make their distro incompatible
with everyone else)
. changes by Gabriel L. Somlo <somlo@acns.colostate.edu>
- The nessus can save the reports to stdout and read them from stdin
2.0.3 :
- fixed a compilation error which would prevent find_services from working
properly
2.0.2 :
. changes by Michel Arboi (arboi@alussinan.org)
- NASL port of smtpscan (original Perl program by Julien Bordet)
- Nasty bug made loop stop prematurely on rare cases
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Re-wrote webmirror.nasl from scratch. The new version has a real parser
built-in and is much faster
- Added checks for older Microsoft Advisories
- SMB plugins now use NTMLv1 authentication, ie: they don't send passwords
in clear text over the network any more
- Added new crypto functions, taken from samba, in libnasl/
- Repaired detached scans
- Fixed IP ranges notation (10.1.1-9.1-254 did not work any more)
- Minor bug fixes and enhancements : #234, #233, #230, #229, #228, #225, #222,
#220, #218, #217, #216, #215, #213, #212, #211, #207, #206, #205
- nessus-update-plugins properly calls chown under FreeBSD, no matter how
many plugins there are
- find_services.nes recognizes even more protocols
. changes by Xueyong Zhi <zhi@mail.eecis.udel.edu>
- Added NTLMv2 authentication
. changes by Frank Migge (frank.migge@oracle.com)
- nessus-mkcert-client creates the auth/rules file properly
2.0.1 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Minor bugfixes (bugs #180, #183, #185, #188, #189, #195, #197, #202, #203, #204)
- Fixed the "pink" graphical report issue
- Added http keep-alive support in the CGI related plugins
- Fixed a bug in the function get_kb_list() which would not always work
properly
- Fixed an issue where in some situations, some HTTP services would not
be tested for flaws if they have not been port-scanned first
- Added new signatures in find_services.nes
. changes by Stephen Friedl (steve@unixwiz.net)
- Fixed bugs and warnings in nessus-libraries
2.0.0 :
. changes by Michel Arboi (arboi@alussinan.org)
- NASL2 : Implement >!< "strings don't match" operator
- NASL2 : fixed a vicious case of freed memory copy.
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Fixed a small bug in the plugin scheduler
- Ported to IRIX
- Several small bugfixes
. changes by Xueyong Zhi <zhi@mail.eecis.udel.edu>
- Added nmap_osfingerprint
1.3.4 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Re-written the process manager for the hosts
- Lots of bugfixes in the plugins text store manager
- New port scanner "synscan" which uses the RTT of the packets to do
its job.
- Fixed several small issues in nasl and nessusd (bug fixes, code cleanup)
- Added cryptographic hashing functions in NASL
- Added the function get_kb_list() which returns the content of a KB
without forking the plugin
- Updated the manpages of nessusd and nasl
. changes by Michel Arboi (arboi@alussinan.org)
- Fixed scanner_get_port() when running in standalone mode
- Fixed possible uninitiliazed memory issues in libnasl
- Started to write the NASL2 reference guide (to be found in libnasl/doc/)
1.3.3 :
. changes by Michel Arboi (arboi@alussinan.org)
- Implement bit xor, logical & aithmetic right shift, power
- Fix operator precedence
- Added new NASL functions
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- The plugin texts are not loaded in memory any more, thus reducing
the consumption of the nessus daemon of two megs. This also speeds up
the loading of nessusd.
- Fixed a bug in the plugins scheduler (if optimizations were enabled,
the scan would sometime hang)
- Added a new NASL function (int())
- Fixed strings substraction to handle null values properly
- find_services.nes runs in parallel mode, for improved speed
- new plugin (synscan) which should perform well against firewalled
hosts (computes the RTT before the scan)
1.3.2 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Added fixes so that nessus-core/nessusd/pluginscheduler.c compiles with
the latest version of GCC
- Fixed a bug in nessus-libraries/libnessus/bpf_share.c : a timer would not
be reset, causing plugins which call bpf_next() to sometimes crash
- Set the timer of bpf_share.c to a much lower value, thus making it work
much better
- Improved tcp_ping()
- Fixed two bugs in the plugins scheduler :
- If the option "enable dependencies at runtime" is set,
it would enable ALL the plugins which are depended on, instead
of only those we use ;
- In some cases, it may terminate too early, thus preventing a scan
from being complete
- DESTDIR support
1.3.1 :
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Rewrote the plugins scheduler (which determines the order in which
the plugins are to be launched). The new one is much more efficient
but as a result, it is not possible to accurately determine the
order in which the plugins will be ran, so the 'plugin name' in
the client is now totally bogus
- Fixed various issues with NASL scripts so that they work better
with NASL2
- Fixed bugs relative to the creation of icmp and udp packets in nasl
- Fixed some fatal bugs in the bpf sharer
- NASL scripts do not read /dev/urandom any more, and use time() as a
random seed instead. As a result, the loading and execution of nasl
scripts if faster on systems where /dev/urandom can be blocking
- Fixed the tcp NIDS evasion techniques on BSD systems
- Full support for Bugtraq IDs
- The HTML reports add links for URLs, and show the ID number of
the plugin that issues the report.
- Speed up the calls to arg_get_value() by using a hash of the name
being searched for.
- Changed the licence of NASL2 to the GPLv2 (with the consent of Michel Arboi)
. changes by Michel Arboi (arboi@alussinan.org)
- Better handling of the arrays in NASL2
. changes by Erik Anderson (eanders@carmichaelsecurity.com)
- CVE and bugtraq cross references
. changes by Jay (jay@kinetic.org)
- Fixed multiple typos in the plugins
. changes by Javier Fernandez-Sanguino (jfernandez@germinus.com)
- Nessus now ships Hydra 2.2
- Fixed various compilation scritps (see bug#63)
1.3.0 :
. changes by Michel Arboi (arboi@alussinan.org)
- Use our own nessus-services file (re-generated at first start to include
/etc/services and nmap-services)
- Added new families of plugins (ACT_KILL_HOST and ACT_END)
- Rewrote libnasl
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- The 'cancel' button of several file selection dialogs is now working
- Optimized several plugins :
- Web-related checks now use http_recv() instead of recv()
- open_priv_sock_tcp() has a lower timeout
- RPC related checks now use get_rpc_port(), a function equivalent
to libc's getrpcport() but with a much smaller timeout
- Decreased the default value of checks_read_timeout from 15 to 5
- Fixed a bug in the plugin selection GUI which would not refresh
the list of plugins of a given family properly (bug#3)
- Fixed memory leaks in NASL
- Fixed a bug in nessusd which would make it leak memory when receiving a SIGHUP
(bug#10)
- Fixed a compatibility problem with Nmap 3.10ALPHA (bug#11)
- Nessus now accepts nmap's U: and T: notation for the port range (bug#5)
- Helped Michel Arboi to give the last touches to the new libnasl
. changes by Erik Anderson (eanders@pobox.com)
- Added CVE and BID links, added urls and removed dead links from the plugins
. changes by Michel Scheidell (scheidell@secnap.net)
- Improved several SMB-related checks
. changes by Rodolfo Baader (rbaader@activesec.biz)
- Quotes and apostrophes are properly escaped in the XML output report
Changes in 0.7.3:
* More key loading optimizations
* Import and Export dialogs now use the clipboard instead of a text view
* Nautilus component that provides a context menu for crypto operations
* Removed Tools menu in favor of nautilus component
* PGP gconf schemas in /desktop/pgp
* Depends on gnome-mime-data for mime types
* Widgets no longer insensitive during progress operations
* Key edit dialogs are key modal so operations do not conflict
* Can do concurrent operations, except for editing the same key
* Can sign, export, and delete multiple keys
* Export dialog has a default filename
* Control center capplet for configuring pgp
* Can select keys & do operations while keys are loading
Changes in 0.7.2:
* GConf notification for preferences and ui settings
* More gnome preferences
* More listing improvements and optimizations for large key rings
* Key properties now a property window
* Owner trust values are restricted based on key type
* Key manager toolbar preferences
* General interface updates
* Nicer passphrase entry dialog
* Nicer change passphrase dialog
* More columns available in key-manager, can customize which ones are shown,
and each column is sortable
* Main window not completely insensitive during progress and startup
* Key Properties shows a formatted fingerprint, tabs are scrollable
* Recipients allows multiple selection, has statusbars to show number selected
* Can expand and collapse all rows in key-manager
* Changed File menu to Key menu
* Added context menu for keys
* Added buttons/menu items for possible, but not-yet-implemented features
* Sign an entire key
* Add a revoker to a key
* Bug fix when setting Ascii Armor Preferences
* Removed File Manager, replaced with file operations in Tools
* Key pairs initially listed first
* Performance improvements with large key rings, especially in loading
preferences
* Progress display at startup for listing of keys
* Can delete subkeys of non key-pairs
* General interface cleanups
From the change log:
- Changed the fileno() function to support returning the fileno
of server sockets. (Problem found by Roland Giersig
<RGiersig at cpan org>).
- Fixed SSL_version incorrectly defaulting to SSLv2 (patch from
Roland Alder <roland.alder at celeris ch>).
- improved DESCRiption (and spelling fixed)
- more MASTER_SITES
- improved COMMENT
- variable for enabling --with-libcrack
- install limits.conf if under Linux
- make sure it doesn't have an interactive configuration
The directory ${PKGVULNDIR)} holding the 'vulnerabilities' file
which default value is determined at configure time can now be
overridden at runtime from the environment.
As a side effect the strings substituted at configure time in
files/{audit-packages,download-vulnerability-list} are now of the
form '@VAR@' and not '${VAR}'.
GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.
Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods
Additionaly GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.
Package provided by Juan RP via pkgsrc-wip with modifications by me.
libtasn1 library was developed for ASN1 (Abstract Syntax Notation One)
structures management.
The main features of this library are:
- on-line ASN1 structure management that does
not require any C code file generation;
- off-line ASN1 structure management with C code
file generation containing an array;
- DER (Distinguish Encoding Rules) encoding;
- no limits for INTEGER and ENUMERATED values
Package provided bu Juan RP via pkgsrc-wip with some modifications by me.
OpenCDK (Open Crypto Development Kit) provides basic parts of the OpenPGP
message format. The aim of the library is *not* to replace any available
OpenPGP version. There will be no real support for key management (sign,
revoke, alter preferences, ...) and some other parts are only rudimentary
available. The main purpose is to handle and understand OpenPGP packets and
to use basic operations. For example to encrypt/decrypt or to sign/verify
and packet routines.
Provided by Juan RP via pkgsrc-wip with some modifications by me.
Based on a patch sent by Juan RP via PR pkg/21559.
Changes:
- DESCR has 80 columns
- style nits
1.1.12:
=======
- gcry_pk_sign, gcry_pk_verify and gcry_pk_encrypt can now handle an optional
pkcs1 flags parameter in the S-expression. A similar flag may be passed to
gcry_pk_decrypt but it is only syntactically implemented.
- New convenience macro gcry_md_get_asnoid.
- There is now some real stuff in the manual.
Based on a patch sent by Hiramatsu Yoshifumi via PR pkg/21540.
Changes:
- fix all installed scripts
- simplify installation
- DESCR has 80 columns
- style nits
20021111.1:
===========
- alerts with original packet included now have both sets of ports and first
set of IPs as links
- added -obfuscateip option to change the IP addresses in alerts to randomly
(but consistently) chosen alternates (not presently available for database
input)
- Updated parsing for Snort 1.9.0 full alert files
- new-style Spade reports now processed (Spade version 021008.1 and on)
- spp_portscan2 log files now processed (these entries are displayed somewhat
prettified)
- updated linking to ICMP log files; this involved updates for new ICMP header
format in Snort 1.9.0
- more robust recognition of non-packet alerts in different formats(these get
ignored)
- clarified warning about unknown ICMP type text and added repeat warning
suppression (you'll now only get a warning about a particular string twice)
- SnortSnarf will now ignore lines beginning with '#' between alerts, so you
can use that to begin a comment
509) Fixed a typo that caused a compilation error on Heimdal.
510) Darwin (MacOS X) doesn't have a real setreuid() system call.
511) Fixed a problem with large numbers of environment variables.
Security problem is reported on bugtraq.
http://www.securityfocus.com/archive/1/320444/2003-05-02/2003-05-08/0
2003-05-01 Werner Koch <wk@gnupg.org>
Released 1.2.2.
2003-04-30 David Shaw <dshaw@jabberwocky.com>
* NEWS: Note trust bug fix.
2003-04-29 David Shaw <dshaw@jabberwocky.com>
* NEWS: Add note about TIGER being dropped from OpenPGP.
* README: Add note about the HP/UX inline problem. Fix all URLs
to point to the right place in the reorganized gnupg.org web
pages. Some minor language fixes.
2003-04-27 David Shaw <dshaw@jabberwocky.com>
* NEWS: Add sig version, pk algo, hash algo, and sig class to
VALIDSIG.
* BUGS: Fix bug reporting URL.
2003-04-24 Werner Koch <wk@gnupg.org>
* configure.ac (ALL_LINGUAS): Added Hungarian translation by Nagy
Ferenc László.
2003-04-23 David Shaw <dshaw@jabberwocky.com>
* configure.ac: "TIGER" -> "TIGER/192".
* README: Put back proper copyright line.
2003-04-16 Werner Koch <wk@gnupg.org>
Released 1.2.2rc2.
2003-04-15 Werner Koch <wk@gnupg.org>
* configure.ac (ALL_LINGUAS): Add Slovak translation.
* configure.ac (HAVE_DOSISH_SYSTEM): New automake conditional.
* acinclude.m4 (GNUPG_CHECK_ENDIAN): Fixed quoting of r.e. using
quadrigraphs.
2003-04-08 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Big warning that TIGER is being removed from the
standard.
2003-04-08 Werner Koch <wk@gnupg.org>
* Makefile.am (EXTRA_DIST): Add autogen.sh wrapper which is
useful for some cross-compiling targets.
2003-04-07 David Shaw <dshaw@jabberwocky.com>
* acinclude.m4: Fix URL to faqprog.pl.
* README: Add --enable-sha512 switch and update version number and
copyright date.
* NEWS: Add note about SHA-256/384/512.
2003-03-24 Werner Koch <wk@gnupg.org>
* configure.ac: Test for ranlib and ar.
2003-03-12 Werner Koch <wk@gnupg.org>
* acinclude.m4 (GNUPG_CHECK_ENDIAN): When crosscompiling assume
little only for Intel CPUs.
2003-02-19 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Define @CAPLIBS@ to link in -lcap if we are using
capabilities.
2003-02-11 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Add --enable-sha512 switch to add SHA384/512
support.
2003-02-06 David Shaw <dshaw@jabberwocky.com>
* configure.ac: Do not set GNUPG_LIBEXECDIR in ./configure, so
that makefiles can override it.
2003-02-02 David Shaw <dshaw@jabberwocky.com>
* configure.ac (ALL_LINGUAS): Needs to be on one line to avoid
problems during ./configure.
* NEWS: Note new --with-colons disabled key flag and new "revuid"
command.
2003-01-07 Werner Koch <wk@gnupg.org>
Released 1.2.2rc1.
* configure.ac (ALL_LINGUAS): Added fi and zh_TW.
2003-01-06 David Shaw <dshaw@jabberwocky.com>
* NEWS: Add notes about disabled keys and trustdb tweaks.
2002-12-04 David Shaw <dshaw@jabberwocky.com>
* NEWS: Add note about convert-from-106 script.
2002-11-25 David Shaw <dshaw@jabberwocky.com>
* NEWS: Add notes about notation names and '@', the "--trust-model
always" option, and non-optimized memory wiping.
2002-11-09 Werner Koch <wk@gnupg.org>
* configure.ac: Check for ctermid().
2002-10-31 David Shaw <dshaw@jabberwocky.com>
* Makefile.am: Put gnupg.spec in the root directory so rpm -ta
works.
* configure.ac: Add a check for volatile.
