- Improve error reporting with the central option interface.
- Fix a bug when comparing IDMEF object with optional fields.
- Fix a problem with the logger, where large log entry wouldn't be
logged.
Mac OS X. This is harmless under recent versions of Mac OS X where
"libdl.dylib" is symbolic link to "libSystem.dylib". And it is necessary
under old versions of Mac OS X (Jaguar and older) where we need the
"libdl.dylib" from the "dlcompat" package.
This should finally fix PR pkg/36086 by John D. Baker.
Changes since 2.1.7 are:
Version 2.1.10
Improvements and bug fixes in the GUI
* fixed bug #1661140: "built-in installer broken in 2.1.9 for PF".
Installer incorrectly set name for files it copied to the firewall if
generated configuration consisted of several files. Affected platforms
are PF and ipfilter because normally for these platforms compiler
generates two files.
* fixed bug #1659832: "No compile with QT without STL support"
* a workaround for the bug 1629461: "Policy tabs do not scroll @ window
extent on OSX". The tab widget used to show policy, nat, routing and
policy branch rulesets does not switch to a "folded" mode on Mac OS X
when it needs to show more tabs that fit in the window. Since I can't
figure out a way to force it to do that, I am dropping "Policy/" from
the tab titles for branches to make them shorter. This will help users
with policies with many branches, however it does not solve the
problem because as they keep adding branches, at some point they won't
fit in the window again.
* added an item "Where used" to the context menu associated with objects
in rules
Version 2.1.9
Improvements and bug fixes in the GUI
* New feature: new operation "Tools/Find Conflicting Objects in Two Data
Files". This operation inspects two data files (either .fwb or .fwl)
and finds conflicting objects. Conflicting objects have the same
internal ID but different attributes. Two data files can not be
merged, or one imported into another, if they contain such objects.
This operation also helps identify changes made to objects in two
copies of the same data file. This operation does not find objects
present in one file but not in the other, such objects present no
problem for merge or import operations. This operation works with two
external files, neither of which needs to be opened in the program.
Currently opened data file is not affected by this operation and
objects in the tree do not change. In the process of this operation
user is presented with series of dialogs showing conflicting objects
side by side. In the end the program can generate report and write it
to a text file.
* installOptionsDialog was too large and did not fit on some laptop
screens. Doing tricks to make sure the dialog properly resized after
unused GUI elements are hidden.
* bug #1629521: "can't delete empty chain/policy tab"
* bug #1619842: "prolog "script editor" opens behind other windows"
* bug #1620206: "RuleOptions' "Apply" button greyed-out until menu
selection"
* bug 1619930: "Prolog tab's ScriptEditor's import fails to overwrite"
* bug #1617501:"Install fails after compile". The GUI got confused when
user enter full path to the policy file in the "Output file name"
input field in the "Compiler" tab of firewall object dialog. Making
sure we always strip directory path from the file name if user
specified full path for the policy file in the "Output file name"
input field in the "Compiler" tab of firewall object dialog. Need to
strip path when macro "%FWSCRIPT%" is substituted in installation
scriptlets and in some other places.
* "Apply" and "Close" buttons in the objct editor panel should be of
fixed size horizontally
* bug #1624577: "group window doesn't stay open on multiple-adds". Using
special flag to tell ObjectTreeView that it should ignore
MouseReleaseEvent it gets after d&d operation, so it wont switch
object in the editor panel. Note the bug triggered only on Mac OS X.
* bug (no num.): GUI used show fanthom 'Policy', 'NAT' and 'Routing'
tabs when user deleted objects from the Deleted Objects library,
provided some of these objects were previously deleted firewalls.
* bug #1620284: "conflict when adding library to Preferences/Libraries".
When the user tried to add a library to the list in
Preferemces/Libraries when a data file with the same object library
was loaded, the GUI detected the conflict and showed error dialog.
* bug #1650369: "[patch] please add support for GNU/kFreeBSD". Applied
patch to make code compile on kFreeBSD.
Compiler for iptables
* bug #1623338: "Can not disable rules in a branch". Compiler for
iptables ignored flag 'disabled' on rules in a branch.
* bug #1623113: 'connlimit fails in compiled "address table" rules'
Module connlimit can only be used in iptables rules matching TCP
services. Such iptables commands have "-p tcp" and/or "-m tcp"
options. If a rule in fwbuilder uses TCP Service and connlimit option
and has multiple objects in src and dst, optimizer used to split it to
minimize matches. It however preserved connlimit option in all
subrules, even though some of them did not have TCP service after the
split. This lead to generation of incorrect iptables commands.
* bug #1620925: "compile-time AddressTable object with empty file".
Compile-time AddressTable object that uses file with no addresses
should be treated as an empty group according to the "Ignore empty
groups" option.
* bug #1618381: "CLASSIFY/MARK are non-terminating". This bug report in
fact reported several problems.
* For action Branch with option to add branching rule to the mangle
table: we now generate rules in PREROUTING, POSTROUTING, INPUT,
OUTPUT and FORWARD chains. This is because some targets can only
work in PREROUTING or POSTROUTING chains but we do not know what
rules will user put in the branch. So we need to branch in all
chains
* For rules in mangle table with direction set to Inbound or
Outbound force chain to PREROUTING or POSTROUTING respectively
early. This eliminates duplicates such as the same rule in
PREROUTING and INPUT chains. Also since most (all?) targets that
require mangle table go into either PREROUTING or POSTROUTING
chains, it should be enough to use these two chains.
* Non-terminating rules shadow each other "backwards", that is more
general rule shadows other rules _above_ it. Added flag 'reverse'
to the method find_more_general_rule and added new rule processor
DetectShadowingForNonTerminatingRules that finds such cases of
'reverse' shadowing. Using it for rules in the mangle table for
iptables.
* Adding iptables rule with target ACCEPT to emulate terminating
behavior for Tag and Classify actions. Emulation is controlled by
a global option in the "Compiler" tab of the firewall properties
dialog (default is "off"). This means emulation can be turned on
and off for all rules that might require it at once. It is
impossible to mix such rules with terminating and
non-termninating behavior. The reason for this is that shadowing
detection algorithm can only work with either terminating or
non-terminating rules, not with the mix.
* bug #1628989: "run-time-loaded rules don't accept ";" as line comment"
* bug #1632054: "Runtime AddressObjects FAIL to load if "Name:" contains
"."". Compiler checks if the name of the run-time AddressTable object
contains characters that have special meaning in sheel and relaces
them with '_' when it generates the name of the temporary shell
variable.
* bug (no num.): data files used for run-time AddressTable objects can
have empty lines, the script should skip them.
Firewall Builder Release Notes
Version 2.1.8
Installation
Optinon poll ran on the fwbuilder-discussion mailing list showed that
majority of users are not interested in ability to install and run both
fwbuilder 2.0 and 2.1 on the same machine at the same time. Hence we are
reverting to the old naming schema without suffix '21' for the binaries
and man pages in this release.
Improvements and bug fixes in the GUI
* The user can search for objects using regular expressions matching
their names or attributes.
* Fixed bug #1592130: "Policy Chaining Issues". The GUI should properly
display nested branch rulesets. The user can create policy branches
within other branches.
All compilers
* Fixed bug #1590746 "problem with using "DNS Names" objects on MS
Windows". Compiler failed to convert DNSName objects set to resolve at
compile time into IP addresses.
Compiler for iptables
* fixed bug #1593221: "iptables filtering bridge problem - PHYSDEV: no
physdev opti..." Some times rules were generated with "-m physdev" but
witout "--physdev-in" or "--physdev-out" options.
Compiler for Cisco PIX
* fixed a bug (no num, support req. #1604103: "fwb_pix policy compiler
dies when SNMP or NTP hosts defined". Compiler did not print error
message when it could not find an interface with network zone matching
IP address of NTP or SNMP server (it just printed the address without
explanation of what went wrong)
* Experimental utility fwb_pix_diff has been added to the package. This
utility takes two PIX configurations on the command line and produces
the 'diff' that consists of a set of commands that should bring the
firewall from the state defined by the first config to the state
defined by the second. Only PIX 7.0 is supported. This utility will be
incorporated into policy installer in the future to make policy
updates simpler and faster, especially when small changes are made to
the large set of access lists and nat rules.
Pkgsrc changes:
- Added CHECK_INTERPRETER_SKIP patterns to stop complaints about
non-existing "/usr/bin/perl" interpreter.
Changes since version 1.57:
===========================
1.58 Dec 21, 2006
* We turn on binmode() on filehandles when reading and writing
keys from disk, so allow safe exchange of SSH private keys
from Windows and *nix systems. Thanks to Ulisses Gomes
<ulisses@ibiz.com.br> for pointing this out.
* Include a copy of the GPL in the distribution. This addresses
bug #18771. (http://rt.cpan.org/Public/Bug/Display.html?id=18771)
* Removed warnings from t/15-benchmark.t
this fixes the same problem which was fixed by gpg-1.4.7: depending
on use, additional text could get through undetected
this gpgme uses gpg in a save way -- since we have gpg-1.4.7 in pkgsrc
this is kindo belt-and-suspender, but anyway...
Changes in version 0.8 are:
* Translations
Changes in version 0.7.92 are:
* Fix build by including sys/types.h
* In gnome_keyring_free() don't crash on NULL parameter.
Changes in version 0.7.91 are:
* Add method for library to discover daemon via DBus. Adds soft
DBus dependency.
* Fixes for building on kFreeBSD.
Changes in version 0.7.3 are:
* Fix endless loop when creating a keyring and a file by that name
already exists.
* Fix crasher when deleting session keyring.
* Fix crasher when doing find operation with NULL attribute string.
* Sync files to disk after writing to keyring.
Changes in version 0.7.2 are:
* Don't have multiple password dialogs presented for the same
keyring
Changes in version 0.7.1 are:
* Added GNOME_KEYRING_ITEM_APPLICATION_SECRET which allows an item
to be for a single application only with strict access controls.
* New function gnome_keyring_item_get_info_full(_sync) which allow
retrieval of item meta data without the secret, thus not incurring
an ACL prompt.
* Translation updates
Provided by MAINTAINER, Jaap Boender in PR 35942.
CHANGES:
0.4.1 (2007-02-21)
=====
* file_descr_of_socket is not marked as deprecated anymore.
* Patched the Makefile to be compatible with FreeBSD (thanks Jaap Boender).
* Explicitely link with libcrypto since we use it. Compilation should now work
on Mac OS X too (thanks Janne Hellsten).
Changes since OpenSSH 4.5:
============================
* sshd now allows the enabling and disabling of authentication
methods on a per user, group, host and network basis via the
Match directive in sshd_config.
* The following bugs have been fixed in this release:
- Clear SIGALRM when restarting due to SIGHUP. Prevents stray
signal from taking down sshd if a connection was pending at
the time SIGHUP was received
- sftp returned a zero exit status when upload failed due to write
errors (bugzilla #1252)
- fixed an inconsistent check for a terminal when displaying scp
progress meter (bugzilla #1265)
- Parsing of time values in Match blocks was incorrectly applied
to the global configuration (bugzilla #1275)
- Allow multiple forwarding options to work when specified in a
PermitOpen directive (bugzilla #1267)
- Interoperate with ssh.com versions that do not support binding
remote port forwarding sessions to a hostname (bugzilla #1019)
* Portable OpenSSH bugs fixed:
- "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (bugzilla #52)
- Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
- Check that some SIG records have been returned in getrrsetbyname
(bugzilla #1281)
- Fix contrib/findssl for platforms that lack "which" (bugzilla
#1237)
- Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
aes192-ctr, arcfour256 (bugzilla #1291)
Fix a typo in options.mk
23 Feb 2006 - 2.1.0
-------------------
* Removed the "Connection reset by peer" message, which has nothing
to do with us. Actually the message was downgraded from ERROR to
NOTICE so it will still appear in the debug log.
* Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
* It was not possible to remove a rule placed in phase 4 using
SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
* Fixed a problem with incorrectly setting requestBodyProcessor using
the ctl action.
* Bundled Core Rules 2.1-1.3.2b4.
* Updates to the reference manual.
* Reversed the return values of @validateDTD and @validateSchema, to
make them consistent with other operators.
* Added a few helpful debug messages in the XML validation area.
* Updates to the reference manual.
* Fixed the validateByteRange operator.
* Default value for the status action is now 403 (as it was supposed to
be but it was effectively 500).
* Rule exceptions (removing using an ID range or an regular expression)
is now applied to the current context too. (Previously it only worked
on rules that are inherited from the parent context.)
* Fix of a bug with expired variables.
* Fixed regular expression variable selectors for many collections.
* Performance improvements - up to two times for real-life work loads!
* Memory consumption improvements (not measured but significant).
* The allow action did not work in phases 3 and 4. Fixed.
* Unlocked collections GLOBAL and RESOURCE.
* Added support for variable expansion in the msg action.
* New feature: It is now possible to make relative changes to the
audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
* New feature: "tag" action. To be used for event categorisation.
* XML parser was not reporting errors that occured at the end
of XML payload.
* Files were not extracted from request if SecUploadKeepFiles was
Off. Fixed.
* Regular expressions that are too long are truncated to 256
characters before used in error messages. (In order to keep
the error messages in the log at a reasonable size.)
* Fixed the sha1 transformation function.
* Fixed the skip action.
* Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
* SecRuleEngine did not work in child configuration contexts
(e.g. <Location>).
* Fixed base64Decode and base64Encode.
15 Nov 2006 - 2.0.4
-------------------
* Fixed the "deprecatevar" action.
* Decreasing variable values did not work.
* Made "nolog" do what it is supposed to do - cause a rule match to
not be logged. Also "nolog" now implies "noauditlog" but it's
possible to follow "nolog" with "auditlog" and have the match
not logged to the error log but logged to the auditlog. (Not
something that strikes me as useful but it's possible.)
* Relative paths given to SecDataDir will now be treated as relative
* Decreasing variable values did not work.
* Made "nolog" do what it is supposed to do - cause a rule match to
not be logged. Also "nolog" now implies "noauditlog" but it's
possible to follow "nolog" with "auditlog" and have the match
not logged to the error log but logged to the auditlog. (Not
something that strikes me as useful but it's possible.)
* Relative paths given to SecDataDir will now be treated as relative
to the Apache server root.
* Added checks to make sure only correct actions are specified in
SecDefaultAction (some actions are required, some don't make any
sense) and in rules that are not chain starters (same). This should
make the unhelpful "Internal Error: Failed to add rule to the ruleset"
message go away.
* Fixed the problem when "SecRuleInheritance Off" is used in a context
with no rules defined.
* Fixed a problem of lost input (request body) data on some redirections,
for example when mod_rewrite is used.
Changes since 0.58:
* PuTTY can now connect to local serial ports as well as making
network connections.
* Windows PuTTY now supports "local proxying", where a network
connection is replaced by a local command. (Unix PuTTY has
supported this since it was first released in 0.54.) Also, Plink
has gained a "-nc" mode where the primary channel is replaced by
an SSH tunnel, which makes it particularly useful as the local
command to run.
* Improved speed of SSH on Windows (particularly SSH-2 key exchange
and public-key authentication).
* Improved SFTP throughput.
* Various cryptographic improvements in SSH-2, including SDCTR
cipher modes, a workaround for a weakness in CBC cipher modes, and
Diffie-Hellman group exchange with SHA-256.
* Support for the Arcfour cipher in SSH-2.
* Support for sending terminal modes in SSH.
* When Pageant is running and an SSH key is specified in the
configuration, PuTTY will now only try Pageant authentication with
that key. This gets round a problem where some servers would only
allow a limited number of keys to be offered before disconnecting.
* Support for SSH-2 password expiry mechanisms, and various other
improvements and bugfixes in authentication.
* A change to the SSH-2 password camouflage mechanism in 0.58 upset
some Cisco servers, so we have reverted to the old method.
* The Windows version now comes with documentation in HTML Help
format. (Windows Vista does not support the older WinHelp format.
However, we still provide documentation in that format, since
Win95 does not support HTML Help.)
* On Windows, when pasting as RTF, attributes of the selection such
as colours and formatting are also pasted.
* Ability to configure font quality on Windows (including
antialiasing and ClearType).
* The terminal is now restored to a sensible state when reusing a
window to restart a session.
* We now support an escape sequence invented by xterm which lets the
server clear the scrollback (CSI 3 J). This is useful for
applications such as terminal locking programs.
* Improvements to the Unix port:
+ now compiles cleanly with GCC 4
+ now has a configure script, and should be portable to more
platforms
* Bug fix: 0.58 utterly failed to run on some installations of
Windows XP.
* Bug fix: PSCP and PSFTP now support large files (greater than 4
gigabytes), provided the underlying operating system does too.
* Bug fix: PSFTP (and PSCP) sometimes ran slowly and consumed lots
of CPU when started directly from Windows Explorer.
* Bug fix: font linking (the automatic use of other fonts on the
system to provide Unicode characters not present in the selected
one) should now work again on Windows, after being broken in 0.58.
(However, it unfortunately still won't work for Arabic and other
right-to-left text.)
* Bug fix: if the remote server saturated PuTTY with data, PuTTY
could become unresponsive.
* Bug fix: certain large clipboard operations could cause PuTTY to
crash.
* Bug fix: SSH-1 connections tended to crash, particularly when
using port forwarding.
* Bug fix: SSH Tectia Server would reject SSH-2 tunnels from PuTTY
due to a malformed request.
* Bug fix: SSH-2 login banner messages were being dropped silently
under some circumstances.
* Bug fix: the cursor could end up in the wrong place when a
server-side application used the alternate screen.
* Bug fix: on Windows, PuTTY now tries harder to find a suitable
place to store its random seed file PUTTY.RND (previously it was
tending to end up in C:\ or C:\WINDOWS).
* Bug fix: IPv6 should now work on Windows Vista.
* Numerous other bugfixes, as usual.
This fixes the issue that, when "options edns0" is turned on (usually in
/etc/resolv.conf), ssh doesn't see it, and thus fails to request a DNSSEC
response, which in turn leads to SSHFP records being considered insecure.
Crypt::GeneratePassword generates random passwords that are (more
or less) pronounceable. Unlike Crypt::RandPasswd, it doesn't use
the FIPS-181 NIST standard, which is proven to be insecure. It does
use a similar interface, so it should be a drop-in replacement in
most cases.
If you want to use passwords from a different language than english,
you can use one of the packaged alternate unit tables or generate
your own.
Version 0.3.9 (released 2007-03-02)
- In generated code, config.h is pulled in if HAVE_CONFIG_H.
- Development changes: changed from CVS to GIT as an experiment.
I push my changes to <http://repo.or.cz/w/libtasn1.git>.
- Autoconf 2.61 and automake 1.10 is required.
Version 0.3.8 (released 2006-11-16)
- Fix reading of binary files in asn1Decoding, for Windows.
Version 0.3.7 (released 2006-10-19)
- When asn1_der_coding encoded a TYPE_NULL and the output buffer is
NULL, it would not increment the counter properly, so the size of
the required buffer would be off by one. Fixed. Reported by
Stephen Wrobleski <steve@localtoast.org>.
- Fix configure to respect user-definable flags. Reported by "Diego
'Flameeyes' Pettenò" <flameeyes@gentoo.org>.
- The --help and --version outputs from the tools have been improved.
Version 0.3.6 (released 2006-08-13)
- Fix man pages to use \- instead of - for negative signs (as in "-1").
- Add -I's when building in src/, so that unistd.h etc is found on
systems that doesn't have them.
- Valgrind isn't used for cross-compilation by default, and there is
also --disable-valgrind-tests to unconditionally disable it.
- Valgrind is invoked without parameters, put things you like into
~/.valgrindrc instead.
This fixes a security problem which is rather an application issue:
The user wasn't notified about additional text (not covered by the
signature) unless the --status-fd flag is used.
Patches from Matthias Drochner (thanks !)
Version 2.0.8:
-------------
More fingerprints, signature cleanup.
p0fping.c and diagnostic queries added.
Socket ownership fix when dropping privs.
Some -O signatures.
Version 2.0.7:
--------------
Added -0 mode for port 0 wildcards in queries.
Added -e option to make p0f work on some boxes.
HDLC support added.
New fingerprints, including Windows Vista betas.
[BUG] Fixed timezone in logs after chroot().
[BUG] Unlikely command-line overflow with VLANs fixed.
Version 2.0.6:
--------------
[BUG] Fixed pcap naming madness.
Support for Cygwin.
More signatures. Plenty of -A sigs from Ryan Kruse.
[BUG] Fix to a command-line parsing snafu with sprintf; shame on me ;-)
Timestamps in masquerade detection.
Write PID to /var/run/p0f.pid
TLS Lite is a free python library that implements SSL 3.0, TLS 1.0,
and TLS 1.1. TLS Lite supports non-traditional authentication methods
such as SRP, shared keys, and cryptoIDs in addition to X.509
certificates. TLS Lite is pure Python, however it can access OpenSSL,
cryptlib, pycrypto, and GMPY for faster crypto operations. TLS Lite
integrates with httplib, xmlrpclib, poplib, imaplib, smtplib,
SocketServer, asyncore, and Twisted.
