| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
News for the 2.0.1 release
Fixed denial of service bug in lshd.
Fixed a bug in lsh-make-seed, which could make the program go
into an infinite loop on read errors.
lsh now asks for passwords also in quite (-q) mode, as
described in the manual.
Control character filtering used to sometimes consider newline
as a dangerous control character. Now newlines should be
displayed normally.
Removed support for the non-standard alias
"diffie-hellman-group2-sha1". The standardized name is for
this key exchange method is "diffie-hellman-group14-sha1".
News for the 2.0 release
Several programs have new default behaviour:
* lshd enables X11 forwarding by default (lsh still does not).
* lsh-keygen generates RSA rather than DSA keys by default.
* lsh-writekey encrypts the private key by default, using
aes256-cbc. Unless the --server flag is used.
Improved the lcp script. It is now installed by default.
Implemented the client side of "keyboard-interactive" user
authentication.
Support keyexchange with
diffie-hellman-group14-sha1/diffie-hellman-group2-sha1 (the
standardized name is at the moment not decided).
Fixes to the utf8 encoder, and in particular interactions
between utf8 and control character filtering.
News for the 1.5.5 release
Added SOCKS-style proxying to lsh and lshg. See the new -D
command line option. Supports both SOCKS-4 and SOCKS-5.
The lsh client no longer sets its stdio file descriptors into
non-blocking mode, which should avoid a bunch of problems. As
a consequence, the --cvs-workaround command line option has
been deleted.
In the user lookup code, lshd now ignores the shadow database
if getspnam returns NULL.
In the server pty setup code, use the group "system" as a
fallback if the group "tty" doesn't exist. This is the case on
AIX. (There are however more problems on AIX, which makes it
uncertain that lshd will work out of the box).
Deleted the --ssh1-fallback option for lshd. I hope ssh1 is
dead by now; if it isn't, you have to run ssh1d and lshd on
different ports.
Deleted code for bug-compatibility with ancient versions of
Datafellow's SSH2. There are zero bug-compatibility hacks in
this version.
News for the 1.5.4 release
Added logging of tcpip-forward requests.
Includes nettle-1.9, which have had some portability fixes and
optimizations. In particular, arcfour on x86 should be much
faster.
Implemented flow control on the raw ssh connection. Enforce
limits on the amount of buffered data waiting to be written to
the socket.
Moved all destructive string operations to a separate file
lsh_string.c, which has exclusive rights of accessing string
internals. Should make the code more robust, as buffer size
and index calculations elsewhere in the code should hit an
assert in lsh_string.c before doing damage.
Some general simplification and cleanup of the code.
News for the 1.5.3 release
Fixed heap buffer overrun with potential remote root
compromise. Initial bug report by Bennett Todd.
Fixed a similar bug in the check for channel number allocation
failure in the handling of channel_open, and in the
experimental client SRP code.
lshd now has an experimental mode similar to telnet, where it
accepts the 'none' authentication method and automatically
disables services such as X and TCP forwarding. This can be
useful in environment where it's required that /bin/login or
some other program handle authentication and session setup
(e.g. handle security contexts and so on).
News for the 1.5.2 release
Encrypted private keys works again.
New client escape sequence RET ~ ?, which lists all available
escape sequences. Also fixed the werror functions so that they
use \r\n to terminate lines when writing to a tty in raw mode.
Implemented handling of multiple --interface options to lshd.
As a side effect, The -p option must now be given before
--interface to have any effect.
Connecting to machines with multiple IP-adresses is smarter,
it connects to a few addresses at a time, in parallel.
Fixed a file descriptor leak in the server tcpip forwarding
code.
Lots of portability fixes.
News for the 1.5.1 release
Incompatible change to key format, to comply with the current
spki structure draft. You can use the script lsh-upgrade to
copy and convert the information in the old .lsh/known-hosts
to the new file .lsh/host-acls. The new code uses libspki.
Fixed IPv6 bug reported by Simon Kowallik.
lshd now does the equivalence of ulimit -n unlimited, this is
inherited by processes started upon client requests. If you
don't want this, you should use /etc/{profile,login,whatever}
to set limits for your users. Do note that PAM-based solutions
will NOT work as PAM is used from a separate process that
terminates as soon as the authentication is finished (this of
course goes for environment variables too).
lsh and and lshg now parses options from LSHFLAGS and
LSHGFLAGS, these are parsed before and can be overridden by
the command line.
News for the 1.5 release
Implemented the server side of X11 forwarding. Try lshd
--x11-forward. There's one known bug: The server may start
sending data on the session channel (typically your first
shell prompt) before it has sent the reply to the client's
"shell" or "exec" request. lsh will complain about, and ignore
that data.
As part of the X11 hacking, the socket code have been
reorganized.
Deleted one of the ipv6 configure tests. Now lsh will happily
build ipv6 support even if ipv6 is not available at run-time
on the build machine.
Fixed bug preventing -c none from working.
Another bug fix, call setsid even in the non-pty case.
Various bug fixes.
|
|
|
|
|
|
0.11.7.3:
A serious bug in naim's HTML rendering engine has been identified and
corrected. Additionally, changes to the packaging have reduced the source
tarball size from 529 kB in 0.11.7.2 to 452 kB for 0.11.7.3. naim now
completely passes "make distcheck", and distcheck is used to create source
tarballs. FireTalk now allows you to send messages to the :RAW target before
signing on, to allow passwords to be sent to the server during signon. The
IRC driver now handles /names replies from servers that use non-standard
status identifiers (such as those who implement "halfop" and other
statuses). The UI includes code to suppress duplicate messages and redundant
message targets. The embedded Libtool was upgraded to match the stock 1.5.10
release. A new "proto_user_onlineval" chain was added to allow module
authors to track buddy online status.
0.11.7.3.1:
On some systems, naim's build system was unable to generate a list of
special characters to read, which caused naim to interpret the Home key as
Ŋ, etc. naim's build system has been changed to work around the issue.
No other changes have been made since 0.11.7.3.
|
|
|
|
you can specify wanting individual tools from that package.
|
|
filter out dependencies that have already been added.
|
|
buildlink terminology for the same concept.
|
|
|
|
|
|
|
|
trust the user.
|
|
|
|
|
|
|
|
- Fix ln => ${LN} in MESSAGE
- From the ChangeLog:
> o Slightly improved modifysid/template documentation and examples.
> For example, added a new template to disable a SID but only if it has
> a specific revision number so you can disable a rule temporarily and
> automatically start using it again if it becomes updated. Thanks to
> Russell Fulton for this suggestion.
> o Suppress warnings about non-matching modifysid expressions when
> running in super quiet mode (-Q).
> o Permit .tgz suffix for rules archive.
> o Permit filename as argument to modifysid (and use_template) to apply
> a substitution expression on all rules in the specified files(s).
> o You can now download multiple rules archives from different URLs at
> the same time, either by specifying several -u <url> on the command
> line or by using several url=<url> directives in the Oinkmaster
> configuration file(s). See the default oinkmaster.conf and the FAQ
> for more information.
> o Many updates to the FAQ, especially regarding how to update rules
> from multiple sources. Also added info about how to use Oinkmaster
> after Sourcefire changed the license of the rules.
> o Because of the license change, no URL is specified in the default
> oinkmaster.conf anymore. You will have to follow the instructions
> in there and activate the requested URL(s).
> o modifysid/use_template statements of all types will now be processed
> in the exact order as specified in the config file. Previously, all
> the wildcards were processed last.
> o Slightly improved error handling when running under Windows.
> o Removed some useless buttons and changed default URL list in the GUI.
> o Misc other minor fixes.
|
|
|
|
- Remove old patch-ai
- From the ChangeLog:
> The bug fixes in 8.13.3 for connection handling uncovered a
> different error which could result in connections that
> stay in CLOSE_WAIT state due to a variable that was not
> properly initialized. Problem noted by Michael Sims.
> Deal with empty hostnames in hostsignature(). This bug could lead
> to an endless loop when doing LMTP deliveries to another
> host. Problem first reported by Martin Lathoud and
> tracked down by Gael Roualland.
> Make sure return parameters are initialized in getmxrr(). Problem
> found by Gael Roualland using valgrind.
> If shared memory is used and the RunAsUser option is set, then the
> owner and group of the shared memory segment is set to
> the ids specified RunAsUser and the access mode is set
> to 0660 to allow for updates by sendmail processes.
> The number of queue entries that is (optionally) kept in shared
> memory was wrong in some cases, e.g., envelope splitting
> and bounce generation.
> Undo a change made in 8.13.0 to silently truncate long strings
> in address rewriting because the message can be triggered
> for header checks where long strings are legitimate.
> Problem reported by Mary Verge DeSisto, and tracked
> down with the help of John Beck of Sun Microsystems.
> The internal stab map did not obey the -m flag. Patch from
> Rob McMahon of Warwick University, England.
> The socket map did not obey the -f flag. Problem noted by
> Dan Ringdahl, forwarded by Andrzej Filip.
> The addition of LDAP recursion in 8.13.0 broke enforcement of
> the LDAP map -1 argument which tells the MTA to only
> return success if and only if a single LDAP match is found.
> Add additional error checks in the MTA for milter communication
> to avoid a possible segmentation fault. Based on patch
> by Joe Maimon.
> Do not trigger an assertion if X509_digest() returns success but
> does not assign a value to its output parameter. Based
> on patch by Brian Kantor.
> Add more checks when resetting internal AUTH data (applies only
> to Cyrus SASL version 2). Otherwise an SMTP session might
> be dropped after an AUTH failure.
> Portability:
> Add LA_LONGLONG as valid LA_TYPE type for systems that use
> "long long" to read load average data, e.g.,
> AIX 5.1 in 32 bit mode. Note: this has to be set
> "by hand", it is not (yet) automatically detected.
> Problem noted by Burak Bilen.
> Use socklen_t for accept(), etc. on AIX 5.x. This should
> fix problems when compiling in 64 bit mode.
> Problem first reported by Harry Meiert of
> University of Bremen.
|
|
|
|
- Fix /var => ${VARBASE}
- Changes Include:
> * Issues with suppressing sfPortscan Open Ports have been fixed.
>
> * Added a new mini-preprocessor to catch the X-Link2State
> vulnerability. This preprocessor can be configured to drop the
> offending connection when in Inline-mode. Please read snort.conf or
> the snort manual for more details. This preprocessor is enabled by
> default in snort.conf.
|
|
|
|
with the check.
|
|
pkgsrc perl, and it isn't really like any of the other tools that we
replace based on a system-/pkgsrc-supplied distinction.
|
|
the changes script.
|
|
Where bootstrap installs these tools, they should be considered system-
supplied since pkgsrc won't be providing replacements for them.
bootstrap.mk encapulates the information from the bootstrap script. It
should eventually go away after the bootstrap script has been taught to
write out the correct TOOLS_PLATFORM.* entries to the example mk.conf
file.
|
|
freeciv-server-2.0.1, freeciv-share-2.0.1, gnutls-1.2.2, hugs-200503
[pkg/30071], leafnode-1.11.1, libtool-1.5.16, mathomatic-12.3,
snd-7.12.
- p5-Tree-Simple.
|
|
under the same namespace as the other parts of the new tools framework.
|
|
"yacc" when both are specified. Also add comments to note other
instances where we override other tools: gsed & sed, gawk & awk, gm4 & m4.
|
|
|
|
required.
|
|
|
|
been placed in the various tools.${OPSYS}.mk files using PLATFORM_TOOL.*
definitions.
|
|
|
|
|
|
|
|
it as a system-supplied sed.
|
|
|
|
These were culled from pkgsrc/mk/${OPSYS}.mk. These files should only be
listing utilities that aren't installed by pkgsrc.
|
|
archivers/pax and pkgtools/mtree fall in this category since they are
usually installed by pkgsrc bootstrap.
|
|
PKGREVISION bump because most people won't care.
|
|
|
|
* Bug fixes
|
