dead upstream, youtube downloaders need regular updating
|
|
Last release from 1999, no upstream, does not build with current libpcap.
|
|
Abandoned upstream, project has been archived.
|
|
Wireshark 3.6.3 Release Notes
What’s New
Bug Fixes
The following bugs have been fixed:
• Fuzz job crash output: fuzz-2022-01-19-7399.pcap Issue 17894[1].
• TLS dissector incorrectly reports JA3 values Issue 17942[2].
• "Wiki Protocol page" in packet details menu is broken - wiki
pages not migrated to GitLab? Issue 17944[3].
• Dissector bug, protocol PFCP display Flow Description IE value
error in Additional Flow Description of PFD Management Request
Message Issue 17951[4].
• Bluetooth: Fails to open Log file for SCO connection Issue
17964[5].
• Fuzz job crash output: fuzz-2022-03-07-10896.pcap Issue 17984[6].
• libwiretap: Save as ERF causes segmentation fault Issue 17989[7].
• HTTP server returning multiple early hints shows too many
responses in "Follow HTTP Stream" Issue 18006[8].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
CSN.1, HTTP, IEEE 802.11, NTLM SSP, PFCP, PKTLOG, SSDP, TLS, and USB
HID
New and Updated Capture File Support
pcap and pcapng
New File Format Decoding Support
There is no new or updated file format support in this release.
|
|
0.14.4 (2022-02-23)
- Update type hints for pyright
0.14.3 (2022-02-15)
- Add type hints
|
|
ntopng 5.2 (February 2022)
Breakthroughs
* New ClickHouse support for storing historical data, replacing nIndex support (data migration available)
* Advanced Historical Flow Explorer, with the ability to define custom queries using JSON-based configurations
* New Historical Data Analysis page (including Score, Applications, Alerts, AS analysis), with the ability to define custom reports with charts
* Enhanced drill down from charts and historical flow data and alerts to PCAP data
* nEdge support for Ubuntu 20
* Enhanced support for Observation Points
Improvements
* Improve CPU utilization and memory footprint
* Improve historical data retention management for flows and timeseries
* Improve periodic activities handling, with support for strict and relaxed (delayed) tasks
* Improve filtering and analysis of the historical flows
* Improve alert explorer and filtering
* Improve Enterprise dashboard look and feel
* Improve the speedtest support and servers selection
* Improve support for ping and continuous ping (ICMP) for active monitoring
* Improve flow-direction handling
* Improve localization (including DE and IT translations)
* Improve IPS policies management
* Add IPS activities logging (e.g. block, unblock)
* Improve SNMP support
* Optimize polling of SNMP devices
* Improve SNMP v3 support
* Add more information including version
* Stateful SNMP alert to detect too many MACs on non-trunk
* Perform fat MIBs poll on average every 15 minutes
* Add preference to disable polling of SNMP fat MIBs
* Add more information to the historical flow data, including Latency, AS, Observation Points, SNMP interface, Host Pools
* Add detailed view of historical flows and alerts
* Add support for nProbe field L7_INFO
* Add ICMP flood alert
* Add Checks exclusion settings for subnets and for hosts and domains globally
* Add CDP support
* Add more regression tests
* Add support for obsolete client SSH version
* Add support for ERSPAN version 2 (type III)
* Add support for all the new nDPI Flow Risks added in nDPI 4.2
* Add extra info to service and periodicity map hosts
* Add Top Sites check
* REST API
* Getter for the bridge MIB
* Getter for LLDP adjacencies
* Check for BPF filters
* Score charts timeseries and analysis
Changes
* Encapsulated traffic is accounted for the length of the encapsulated packet and not of the original packet
* Remove nIndex support, including the flow explorer
* Remove MySQL historical flow explorer (export only)
* Hide LDAP password from logs
Fixes
* Fix a few memory leaks, double free, buffer overflow and invalid memory access
* Fix SQLite initialization
* Fix support for fragmented packets
* Fix IP validation in modals
* Fix netplan configuration manager
* Fix blog notifications
* Fix time range picker to support all browsers
* Fix binary application transfer name in alerts
* Fix glitches in chart drag operations
* Fix pools edit/remove
* Fix InfluxDB timeseries export
* Fix ELK memory leak
* Fix TLS version for obsolete TLS alerts when collecting flows
* Fix fields conversion in timeseries charts filters
* Fix some invalid nProbe field mapping
* Fix hosts Geomap
* Fix slow shutdown termination
* Fix wrong Call-ID 0 with RTP streams with no SIP stream associated
* Fix ping support for FreeBSD
* Fix active monitoring interface list
* Fix host names not always shown
* Fix host pools stats
* Fix UTF8 encoding issues in localization tools
* Fix time/timezone in forwarded syslog messages
* Fix unknown process alert
* Fix nil DOM javascript error
* Fix country not always shown in flow alerts
* Fix non-initialized traffic profiles
* Fix traffic profiles not working over ZMQ
* Fix syslog collection
* Fix async SNMP calls blocking the execution
* Fix CPU stats timeseries
* Fix InfluxDB attempts to always re-create retention policies
* Fix REST API ts.lua returning 24h data
* Fix processing of DNS packets under certain conditions
* Fix invalid space in SNMP Hostnames
* Fix REST API incompat. (/get/alert/severity/counters.lua, /get/alert/type/counters.lua)
* Fix map layout not saved correctly
* Fix LLDP topology for Juniper routers
* Fix not authorized error when editing SNMP devices
* Fix double 95perc, splitted avg and 95perc in sent/rcvd in charts
* Fix inconsistent local/remote timeseries
* Fix Risks generation in IPS policy configuration
* Fix deletion of sub-interface
* Fix deadline not honored when monitoring SNMP devices
* Fix traffic profiles on L7 protocols
* Fix TCP connection refused check
* Fix failures when the DB is not reachable
* Fix segfault with View interfaces
* Fix hosts wrongly detected as Local
* Fix missing throughputs in countries
Misc
* Enforces proxy exclusions with env var `no_proxy`
* Move Lua engine to 5.4
* Major code review and cleanup
nEdge
* Add support for Ubuntu 20
* Add ability to logout when using the Captive Portal
* Add per egress interface stats and timeseries
* Add active DHCP leases in UI and REST API
* Add daily/weekly/monthly quotas
* Add service and periodicity maps and alerts
* Fix Captive Portal not working due to invalid allowed interface
* Fix addition of static DHCP leases
* Fix factory reset
* Fix reboot button
ntopng 5.0 (August 2021)
Breakthroughs
* Advanced alerts engine with security features, including the detection of [attackers and victims](https://www.ntop.org/ntopng/how-attackers-and-victims-detection-works-in-ntopng/)
* Integration of 30+ [nDPI security risks](https://www.ntop.org/ndpi/how-to-spot-unsafe-communications-using-ndpi-flow-risk-score/)
* Generation of the `score` [indicator of compromise](https://www.ntop.org/ntopng/what-is-score-and-how-it-can-drive-you-towards-network-issues/) for hosts, interfaces and other network elements
* Ability to collect flows from hundreds of routers by means of [observation points](https://www.ntop.org/nprobe/collecting-flows-from-hundred-of-routers-using-observation-points/)
* Anomaly detection based on Double Exponential Smoothing (DES) to uncover possibly suspicious behaviors in the traffic and in the score
* Encrypted Traffic Analysis (ETA) with special emphasis on the TLS to uncover self-signed, expired, invalid certificates and other issues
New features
* Ability to configure alert exclusions for individual hosts to mitigate false positives
* FreeBSD / OPNsense / pfSense [packages](https://packages.ntop.org/)
* Ability to see the TX/RX traffic breakdown both for physical interfaces and when receiving traffic from nProbe
* Add support for ECS when exporting to Syslog
* Improved TCP analysis, including analysis of TCP flows with zero window and low goodput
* Ability to send alerts to Slack
* Implementation of a token-based REST API access
Improvements
* Reworked the execution of hosts and flows checks (formerly user scripts), yielding a reduced CPU load of about 50%
* Improved 100Kfps+ [NetFlow/sFlow collection performance](https://www.ntop.org/nprobe/netflow-collection-performance-using-ntopng-and-nprobe/)
* Drilldown of [nIndex](https://www.ntop.org/guides/ntopng/advanced_features/flows_dump.html#nindex) historical flows much more flexible
* Migration to Bootstrap 5
* Check malicious JA3 signatures against all TLS-based protocols
* Reworked Doh/DoT handling
Fixes
* Fixes SSRF and stored-XSS injected with malicious SSDP responses
* Fixes several leaks in NetworkInterface
Notes
* To ensure optimal performance and scalability and to prevent uneven resource utilization, the maximum number of interfaces handled by a single ntopng instance has been reduced to
* 16 (Enterprise M)
* 32 (Enterprise L)
* 8 (all other versions)
* REST API v1/ is deprecated and will be dropped in the next stable release in favor of REST API v2/
* The old alerts dashboard has been removed and replaced by an advanced alerts drilldown page with integrated charts
|
|
nDPI4.2 (Feb 2022)
New Features
- Add a "confidence" field indicating the reliability of the classification
- Add risk exceptions for services and domain names via ndpi_add_domain_risk_exceptions()
- Add ability to report whether a protocol is encrypted
New Supported Protocols and Services
- Add protocol detection for:
- Badoo
- Cassandra
- EthernetIP
Improvements
- Reduce memory footprint
- Improve protocol detection for:
- BitTorrent
- ICloud Private Relay
- IMAP, POP3, SMTP
- Log4J/Log4Shell
- Microsoft Azure
- Pandora TV
- RTP
- RTSP
- Salesforce
- STUN
- Whatsapp
- QUICv2
- Zoom
- Add flow risk:
- NDPI_CLEAR_TEXT_CREDENTIALS
- NDPI_POSSIBLE_EXPLOIT (Log4J)
- NDPI_TLS_FATAL_ALERT
- NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE
- Update WhatsAPP and Instagram addresses
- Update the list of default ports for QUIC
- Update WindowsUpdate URLs
- Add support for the .goog Google TLD
- Add googletagmanager.com
- Add bitmaps and API for handling compressed bitmaps
- Add JA3 in risk exceptions
- Add entropy calculation to check for suspicious (encrypted) payload
- Add extraction of hostname in SMTP
- Add RDP over UDP dissection
- Add support for TLS over IPV6 in Subject Alt Names field
- Improve JSON and CSV serialization
- Improve IPv6 support for almost all dissectors
- Improve CI and unit tests, add arm64, armhf and s390x as part of CI
- Improve WHOIS detection, reduce false positives
- Improve DGA detection for skipping potential DGAs of known/popular domain names
- Improve user agent analysis
- Reworked HTTP protocol dissection including HTTP proxy and HTTP connect
Changes
- TLS obsolete protocol is set when TLS < 1.2 (used to be 1.1)
- Numeric IPs are not considered for DGA checks
- Differentiate between standard Amazon stuff (i.e market) and AWS
- Remove Playstation VUE protocol
- Remove pandora.tv from Pandora protocol
- Remove outdated SoulSeek dissector
Fixes
- Fix race conditions
- Fix dissectors to be big-endian friendly
- Fix heap overflow in realloc wrapper
- Fix errors in Kerberos, TLS, H323, Netbios, CSGO, Bittorrent
- Fix wrong tuple comparison
- Fix ndpi_serialize_string_int64
- Fix Grease values parsing
- Fix certificate mismatch check
- Fix null-dereference read for Zattoo with IPv6
- Fix dissectors initialization for XBox, Diameter
- Fix confidence for STUN classifications
- Fix FreeBSD support
- Fix old GQUIC versions on big-endian machines
- Fix aho-corasick on big-endian machines
- Fix DGA false positive
- Fix integer overflow for QUIC
- Fix HTTP false positives
- Fix SonarCloud-CI support
- Fix clashes setting the hostname on similar protocols (FTP, SMTP)
- Fix some invalid TLS guesses
- Fix crash on ARM (Raspberry)
- Fix DNS (including fragmented DNS) dissection
- Fix parsing of IPv6 packets with extension headers
- Fix extraction of Realm attribute in STUN
- Fix support for START-TLS sessions in FTP
- Fix TCP retransmissions for multiple dissectors
- Fix DES initialisation
- Fix Git protocol dissection
- Fix certificate mismatch for TLS flows with no client hello observed
- Fix old versions of GQUIC on big-endian machines
Misc
- Add tool for generating automatically the Azure IP list
nDPI 4.0 (July 2021)
New Features
- Add API for computing RSI (Relative Strength Index)
- Add GeoIP support
- Add fragments management
- Add API for jitter calculation
- Add single exponential smoothing API
- Add timeseries forecasting support implementing Holt-Winters with confidence interval
- Add support for MAC to radix tree and expose the full API to applications
- Add JA3+, with ALPN and elliptic curve
- Add double exponential smoothing implementation
- Extended API for managing flow risks
- Add flow risk score
- New flow risks:
- Desktop or File Sharing Session
- HTTP suspicious content (useful for tracking trickbot)
- Malicious JA3
- Malicious SHA1
- Risky domain
- Risky AS
- TLS Certificate Validity Too Long
- TLS Suspicious Extension
New Supported Protocols and Services
- New protocols:
- AmongUs
- AVAST SecureDNS
- CPHA (CheckPoint High Availability Protocol)
- DisneyPlus
- DTLS
- Genshin Impact
- HP Virtual Machine Group Management (hpvirtgrp)
- Mongodb
- Pinterest
- Reddit
- Snapchat VoIP calls
- Tumblr
- Virtual Assistant (Alexa, Siri)
- Z39.50
- Add protocols to HTTP as subprotocols
- Add detection of TLS browser type
- Add connectionless DCE/RPC detection
Improvements
- 2.5x speed bump. Example ndpiReader with a long mixed pcap
v3.4 - nDPI throughput: 1.29 M pps / 3.35 Gb/sec
v4.0 - nDPI throughput: 3.35 M pps / 8.68 Gb/sec
- Improve detection/dissection of:
- AnyDesk
- DNS
- Hulu
- DCE/RPC (avoid false positives)
- dnscrypt
- Facebook (add new networks)
- Fortigate
- FTP Control
- HTTP
- Fix user-agent parsing
- Fix logs when NDPI_ENABLE_DEBUG_MESSAGES is defined
- IEC104
- IEC60870
- IRC
- Netbios
- Netflix
- Ookla speedtest (detection over IPv6)
- openspeedtest.com
- Outlook / MicrosoftMail
- QUIC
- update to draft-33
- improve handling of SNI
- support for fragmented Client Hello
- support for DNS-over-QUIC
- RTSP
- RTSP via HTTP
- SNMP (reimplemented)
- Skype
- SSH
- Steam (Steam Datagram Relay - SDR)
- STUN (avoid false positives, improved Skype detection)
- TeamViewer (add new hosts)
- TOR (update hosts)
- TLS
- Certificate Subject matching
- Check for common ALPNs
- Reworked fingerprint calculation
- Fix extraction for TLS signature algorithms
- Fix ClientHello parsing
- UPnP
- wireguard
- Improve DGA detection
- Improve JA3
- Improve Mining detection
- Improve string matching algorithm
- Improve ndpi_pref_enable_tls_block_dissection
- Optimize speed and memory size
- Update ahocorasick library
- Improve subprotocols detection
Fixes
- Fix partial application matching
- Fix multiple segfault and leaks
- Fix uninitialized memory use
- Fix release of patterns allocated in ndpi_add_string_to_automa
- Fix return value of ndpi_match_string_subprotocol
- Fix setting of flow risks on 32 bit machines
- Fix TLS certificate threshold
- Fix a memory error in TLS JA3 code
- Fix false positives in Z39.50
- Fix off-by-one memory error for TLS-JA3
- Fix bug in ndpi_lru_find_cache
- Fix invalid xbox and playstation port guesses
- Fix CAPWAP tunnel decoding
- Fix parsing of DLT_PPP datalink type
- Fix dissection of QUIC initial packets coalesced with 0-RTT one
- Fix parsing of GTP headers
- Add bitmap boundary checks
Misc
- Update download category name
- Update category labels
- Renamed Skype in Skype_Teams (the protocol is now shared across these apps)
- Add IEC analysis wireshark plugin
- Flow risk visualization in Wireshark
- ndpiReader
- add statistics about nDPI performance
- fix memory leak
- fix collecting of risks statistics
- Move installed libraries from /usr/local to /usr
- Improve NDPI_API_VERSION generation
- Update ndpi_ptree_match_addr prototype
|
|
Successor ntopng is already in pkgsrc.
Ok adam@
|
|
a result of running mkpatches after 'make configure'.
|
|
Security update - from upstream's release notes:
Changes in 3.1.13
~~~~~~~~~~~~~~~~~
* FIX: CVE-2021-31439
* FIX: CVE-2022-23121
* FIX: CVE-2022-23123
* FIX: CVE-2022-23122
* FIX: CVE-2022-23125
* FIX: CVE-2022-23124
* FIX: CVE-2022-0194
* FIX: afpd: make a variable declaration a definition
* UPD: Remove bundled libevent
|
|
Changes since 4.15.5
--------------------
* BUG 14169: Renaming file on DFS root fails with
NT_STATUS_OBJECT_PATH_NOT_FOUND.
* BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
objects with same lease key.
* BUG 14938: NT error code is not set when overwriting a file during rename
in libsmbclient.
* BUG 14996: Fix ldap simple bind with TLS auditing.
* BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server.
* BUG 14979: Problem when winbind renews Kerberos.
* BUG 8691: pam_winbind will not allow gdm login if password about to expire.
* BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
* BUG 13631: DFS fix for AIX broken.
* BUG 14974: Solaris and AIX acl modules: wrong function arguments.
* BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
* BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
during strcpy in tdbsam_getsampwnam.
* BUG 14989: Fix a use-after-free in SMB1 server.
* BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
* BUG 14984: changing the machine password against an RODC likely destroys
the domain join.
* BUG 14993: authsam_make_user_info_dc() steals memory from its struct
ldb_message *msg argument.
* BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
* BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
id range only once.
|
|
Upstream changes:
0.99
- Client API doesn't check corrupted download anymore (using ETag == MD5)
- fix broken Client::Object->head method (#112) (thanks Mortivor and fkoyer)
- Support ranged download (#113) (thanks fkoyer)
|
|
Upstream changes:
2021-12-10 Shlomi Fish <shlomif@shlomifish.org>
* Deprecate in favour of L<IO::Socket::IP> .
* New Release IO-Socket-INET6-2.73
|
|
Upstream changes:
1.160000 2022-02-01 11:41:36-07:00 America/Denver
- Preserve incremental version release numbers.
The previous release number can be considered being
lower than 1.151940
1.16 2022-01-28 16:29:44-07:00 America/Denver
- Add Kosovo to the list of supported countries
- Add get_all_countries helper
- Remove Memoize dependency and make Faster faster
|
|
2.0.3
Fix anyio exception handling
2.0.2
Fixed 14 anyio.BrokenResourceError has no attribute 'strerror'
2.0.1
?
2.0.0
Added anyio backend
Added new (v2) API for sync and trio backends
The code base has been completely redesigned
|
|
0.38.4
Fix IP Address updates when hostname is uppercase
|
|
OpenVPN 2.5.6.
This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
|
|
--- 9.16.27 released ---
5818. [security] A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the
CLOSE_WAIT state blocking indefinitely when
out-of-order processing was disabled. (CVE-2022-0396)
[GL #3112]
|
|
--- 9.11.37 released ---
5817. [security] The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside
the configured bailiwick. (CVE-2021-25220) [GL #2950]
|
|
GitHub CLI 2.6.0
Repo Search
@samcoe is working on a new command, gh search! In this release it's shipping
with just support for repository searching. Results can then be processed with
--jq or filter columns with --json and filters are expressed with flags like
--topic or --license.
Try it out with something like: gh search repos --language=go
--good-first-issues=">=10"!
Rerun failed jobs
gh run rerun has been augmented with two new flags: --failed and --job by @cdb.
You can now selectively rerun just failed jobs from a given workflow run!
Running gh run rerun --failed will prompt you to select a run to work with.
Codespaces Updates
* Allow Editing Codespaces
* Updates wording for codespaces accept permissions flow
* Add VSCS Target to gh cs list
* Adds internal codespace developer flags
* Add --profile option to gh cs cp
Other New Features
* add interactive repository edit functionality
* Support setting Dependabot secrets
* Add version to extension list command
* after merge, switch to base branch if available
Bugfixes
* pr close skips deleting local branch if not in a git repo
* pr checks: fix error message when no checks were found
* Fixed permission for workflow
GitHub CLI 2.5.2
ls alias now available for all commands
All places where a list subcommand is defined now support an ls alias, so gh pr
ls to your heart's content.
Better handling of oauth scopes
Thanks to @mario-campos we now properly understand implied auth scopes, fixing
some instances where gh insisted you needed additional scopes when you did not.
Other Bugfixes
* Fix HexToRGB panic
Other Changes
* Support filtering PRs authored
* gh auth login: added flags to partially automate flow
* Codespaces Create: Allow Accepting Permissions
GitHub CLI 2.5.1
New features
* Add display name to codespaces prompts and JSON output
* Add pr checks --watch flag
Fixes
* auth login --with-token: fix authenticating git operations
* release create: respect discussion category when creating a release with
assets
* gist create: handle Windows-style file paths
* release create: warn about unpushed local git tag
* Ignore EPIPE errors when writing to a closed pager
* Rotate our Windows code-signing certificates
Documentation fixes
* repo edit: clarify passing false for boolean flags
* Spelling correction in error message
GitHub CLI 2.5.0
New Features
* Add codespace ssh --config to generate OpenSSH host configuration for your
codespaces
* Add release delete-asset to delete an asset from a release
* Add repo deploy-key commands to manage deploy keys for a repository
* Improve the interactive issue/pull request assignee prompt
* auth login/refresh: allow non-interactive flow
* auth git-credential: add ability to authenticate git operations for gist
repositories
* gist edit: add ability to edit gist description
* gist edit: enable editing file contents via standard input
* pr status: show number of approvals
* repo fork: add ability to define the name of the fork repository on GitHub
* run list: add branch and actor filters
* run view: include job ID parameter in the suggested command invocation
* api: do not apply jq filters or render templates for HTTP error responses
* pr create: fetch pull request template contents via the API
* codespace create: provide repo suggestions after typing a few characters
and pressing Tab
Fixes
* release create: bring back interactive option to create a release from an
annotated tag
* workflow enable: allow enabling a workflow that was disabled due to
inactivity
* extension install: update wording for extensions that cannot be installed
* api: respect GH_REPO when substituting {owner}/{repo}
* issue list: fix filtering issues
* pr create: fix creating pull requests from numerical branch names
* repo fork: respect explicitly configured git_protocol when adding a git
remote for a fork
* pr checks: avoid reporting results of stale check runs
* secret set: trim trailing newlines when passing secret values via standard
input
* Preserve hard line breaks in rendered Markdown
* Handle SAML enforcement challenge from the server
* Add retry functionality to the Codespaces API client
* Add GH_HOST to hosts list if set in the environment
* Standardize pager output across commands
* Fix error message when running external commands
Other Changes
* Improve Survey stubber for tests
* Add Alpine Linux install docs
* Amend location of GPG key file
* Fix flaky Liveshare session test
* Add consistent punctuation in command usages
* Add install instructions for Void Linux
GitHub CLI 2.4.0
New features
* Add repo edit command
* release create: add --generate-notes functionality
* release create: add interactive mode to choose a tag name
* pr merge: allow editing commit subject
* secret set: allow importing secrets from a dotenv file
* run list/view: add --json export functionality
* Refresh man pages
* Add installation instructions for pkgsrc
Fixes
* pr view: ensure that PR reviews are always rendered in --comments mode
* api: handle HTTP 409 error message from the server
* issue edit: fix race condition when updating labels
* browse: support --commit with the repo override flag
* repo create: fix printing repo URL in no-TTY mode
* repo sync: use the new merge-upstream API if available
* run: display and treat "Cancelled" status as a failure
* extension upgrade: an already up-to-date extension should not produce a
failure
* Avoid showing non-open PRs as related to the default branch
* git remotes: fix treating ssh.github.com as a github.com host
|
|
7.1.5:
Add AssumeRoleWithCertificate credential provider.
7.1.4:
docs: fix typo in object_lock config function name
fix progress bar division by zero error
Add policy unset method to minio admin
fix: lint checks and enable MINIO_CI_CD=1 for functional tests
|
|
0.9.1
Fix php 7.2+ support
0.9.0
Support for php 8.1
No longer supports php 7.1
Ships with sabre/dav 4.3.0
|
|
Internet Systems Consortium DHCP Distribution
Version 4.4.3
9 March 2022
Release Notes
NEW FEATURES
Please note that ISC DHCP is licensed under the Mozilla Public
License, MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
the MPL 2.0 license terms.
NOTE: The client and relay components are now End-Of-Life.
4.4.3 is the final release for those components.
For information on how to install, configure, and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
ISC DHCP uses the standard GNU configure command for installation. Please review the
output of `./configure --help` to see what options are available.
The system has only been tested on Linux and FreeBSD, and may not work on
other platforms. Please subscribe to the dhcp-users mailing list at
https://lists.isc.org/mailman/listinfo/dhcp-users and report any problems
and/or suggested fixes to dhcp-users@lists.isc.org.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
Changes since 4.4.2-P1 (New Features)
- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
and `dhcpctl_timed_wait_for_completion()`. These provide timed
versions of creating a connection and waiting for an operation
to complete.
[GitLab #76]
- The BIND libraries have been updated to the latest version, 9.11.36. This fixes a number
of compilation issues on various systems, including OpenWRT. Thanks to
Philip Prindeville for testing on OpenWRT.
[GitLab #218, #171, #180, #192]
- Support was added for the new DHCPv4 option v6-only-preferred, specified
in RFC 8925. A new reason code, V6ONLY, was added to the client script
and the client Linux script sample was updated.
[GitLab #132]
Changes since 4.4.2-P1 (Bug Fixes)
- Minor corrections were made to allow compilation under gcc 10.
[GitLab #117]
- The logic in dhclient that causes it to decline DHCPv4 leases if the
client script exits abnormally (i.e. crashes) has been corrected.
[GitLab #123]
- The limit on the size of a lease file that can be loaded at startup
is now only enforced on 32-bit systems.
[GitLab #92]
- The PRNG initialization has been improved. It now uses the configure flag
`--with-randomdev=PATH`, which specifies the device from which to read the
initial seed. That is typically `/dev/random` (the default value) or
`/dev/urandom`, but may be specified otherwise on the local system. The old
behavior can be forced by disabling this feature (`--with-randomdev=no`).
If the initialization is disabled or reading from the random device fails,
the previous algorithm (retrieve the last four bytes of hardware addresses
from all network interfaces that have them, and use the current time and
process ID) is used.
[GitLab #197]
- A minor dhclient code fix was made to remove compilation warnings.
[GitLab #190]
- The hard-coded MD5 algorithm name was removed in OMAPI connection logic.
Previously, using any other algorithm via a key-algorithm statement would
allow OMAPI connections to be made, but subsequent actions such as updating
an object would fail.
[GitLab #148]
- The parallel build has been improved. Thanks to Sergei Trofimovich for
the patch. The parallel build is still experimental, as officially the
BIND 9 code does not support the parallel build for libraries.
[GitLab #91]
- Handling of LDAP options (`ldap-gssapi-principal` and `ldap-gssapi-keytab`)
has been improved. This is contributed code that has not been tested by ISC. Thank
you to Petr Mensik and Pavel Zhukov for the patches!
[GitLab !56,!75]
- It is now possible to use `option -g ipaddr` in the dhcrelay to replace the giaddr sent to
clients with the given ipaddr, to work around bogus clients like Solaris 11
grub which use giaddr instead of the announced router (3) to set up their
default route. Thanks to Jens Elkner for the patch!
[GitLab #223, !86, !92]
|
|
Probably the patch should just be deleted as we don't use the install
method. Upstream already has a makefile cleanup issue:
https://github.com/bcpierce00/unison/issues/651
|
|
During the 2.51 branch, upstream decided that unison will have
backwards compatibility, so that there is no longer any reason to run
old versions. With 2.52, not only can it interop with 2.51 (and
2.48!), but it does not need to have matching ocaml version when
interoperating with other 2.52.x or newer. Thus, unison will now have
a single version in pkgsrc, and this is expected to continue.
|
|
## Changes in 2.52.0
Released 2022-03-12
* Feature negotiation, compatible with 2.51.
* New archive format (independent of ocaml version, based on umarshal)
Upgrade is automatic.
* New wire protocol (independent of ocaml version, based on umarshal)
New protocol is used if both sides are >= 2.52.0.
* Compatibility with 2.48
* Support for unix-domain sockets
* Many bugfixes and minor improvements
* ocaml compatibility is now >= 4.01
* NEWS is now in NEWS.md and not in the manual
|
|
- Fix issue with function keys on macOS
- Configure scroll direction on a per-computer basis
|
|
Changelog:
1.4.25
appindicator or ayatana-appindicator is now optional, -DHAVE_LIBAPPINDICATOR=OFF will disable the Remmina system tray icon.
pyhoca-cli is needed for the X2Go plugin, -DWITH_X2GO=ON
NX, XDMCP and ST have been removed
Use -DWITH_FREERDP3=ON if you are using the FreeRDP master branch
libsodium is needed to build Remmina.
webkit2gtk3 is needed to build the WWW plugin.
-DWITH_KF5WALLET=ON is a new config option needed for the KWallet plugin (and the required kf5wallet libraries to build it).
News can be turned off with -DWITH_NEWS=OFF
gtk-vnc is needed for the VNC plugin for GNOME and KVM, -DWITH_GVNC=ON
List of changes:
kiosk: Drop GNOME MediaKeys plugin !2377 @jbicha
Honour soft links target in SFTP !2379 @antenore
Optional close confirmation !2380 @antenore
Fix some build warnings !2382 @donoban
Fix manpages !2378 @Fantu
Snap cleanup + kwallet support !2381 @antenore
Deprecations and amend g_date_time_format_iso8601 !2383 @antenore
Fixes to snap build !2384 @giox069
Removing dependencies that are available as extensions !2385 @antenore
FreeRDP_OffscreenSupportLevel is of type UINT32 !2386 @akallabeth
Minor fixes !2387 @antenore
Get the right value for FreeRDP_AutoReconnectMaxRetries !2388 @antenore
1.4.24
appindicator or ayatana-appindicator is now optional, -DHAVE_LIBAPPINDICATOR=OFF will disable the Remmina system tray icon.
pyhoca-cli is needed for the X2Go plugin, -DWITH_X2GO=ON
NX, XDMCP and ST have been removed
Use -DWITH_FREERDP3=ON if you are using the FreeRDP master branch
libsodium is needed to build Remmina.
webkit2gtk3 is needed to build the WWW plugin.
-DWITH_KF5WALLET=ON is a new config option needed for the KWallet plugin (and the required kf5wallet libraries to build it).
News can be turned off with -DWITH_NEWS=OFF
gtk-vnc is needed for the VNC plugin for GNOME and KVM, -DWITH_GVNC=ON
List of changes:
Contribution section added to issue template !2365 @kingu
Language of VNC encoding cleaned up !2367 @kingu
Remmina Hardening and Compliance !2366 @antenore
Remmina_preferences language reworked !2368 @kingu
Thanks 2021 !2371 @kingu
Resolve "Follow-up from "Remmina_preferences language reworked"" !2369 @antenore
Encryption level language reworked !2372 @kingu
Issue 2122 : Confirm on close of window !2374 @emmguyot
Adding flush and cairo clean up !2375 @antenore
|
|
|
|
Upstream changes are one bug fix primarily affecting Windows and
non-relevant changes in opam packaging.
|
|
3.58.0 (2022-02-11)
- More detailed error messages if an XML file known to exist cannot be opened
3.58.0-rc1 (2022-02-03)
+ Negotiate custom ALPN with FileZilla Server >=1.3.0 during TLS handshake to save some roundtrips during connection establishment
+ Prepare FileZilla to support TOTP-based 2FA authentication on future FileZilla Server versions
- Made downloading updates more robust if the network connection is unreliable
- Updated to libfilezilla 0.36.0
|
|
* Noteworthy changes in release 1.21.3 (2022-02-26)
** Fix computation of total bytes downloaded during FTP transfers (#61277)
** Add option to select TLS 1.3 on the command line
** Fix HSTS build issues on some 64-bit big-endian systems
** Hide password during status report in --no-verbose
** Remove a spurious print statement that showed up even during --quiet
** Some more cleanups and bug-fixes
|
|
This is a security release in order to address the following defects:
o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
of a symlink exists.
https://www.samba.org/samba/security/CVE-2021-44141.html
o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
https://www.samba.org/samba/security/CVE-2021-44142.html
o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
https://www.samba.org/samba/security/CVE-2022-0336.html
|
|
This includes a patch (already posted upstream) to fix updated Samba on
NetBSD's /proc, so the upgrade is not blocked anymore.
Release notes for 4.15:
NEW FEATURES/CHANGES
====================
VFS
---
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
with a modernized VFS designed for the post SMB1 world.
For details please refer to the documentation at source3/modules/The_New_VFS.txt
or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
---------------------------------------------------------------------------
Up to now, any client could use a DNS zone transfer request to the
bind server, and get an answer from Samba. Now the default behaviour
will be to deny those requests. Two new options have been added to
manage the list of authorized/denied clients for zone transfer
requests. In order to be accepted, the request must be issued by a
client that is in the allow list and NOT in the deny list.
"server multi channel support" no longer experimental
-----------------------------------------------------
This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
to use this feature on Linux and FreeBSD for now.
samba-tool available without the ad-dc
--------------------------------------
The 'samba-tool' command is now available when samba is configured
"--without-ad-dc". Not all features will work, and some ad-dc specific options
have been disabled. The 'samba-tool domain' options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
'samba-tool'.
Improved command line user experience
-------------------------------------
Samba utilities did not consistently implement their command line interface. A
number of options required specifying values in one tool and not in the other,
and some options meant different things in different tools.
These should be stories of the past now. A new command line parser has been
implemented with sanity checking. Also the command line interface has been
simplified and provides better control for encryption, signing and kerberos.
Previously many tools silently ignored unknown options. To prevent unexpected
behaviour all tools will now consistently reject unknown options.
Also several command line options have a smb.conf variable to control the
default now.
All tools are now logging to stderr by default. You can use "--debug-stdout" to
change the behavior. All servers will log to stderr at early startup until logging
is setup to go to a file by default.
### Common parser:
Options added:
--client-protection=off|sign|encrypt
Options renamed:
--kerberos -> --use-kerberos=required|desired|off
--krb5-ccache -> --use-krb5-ccache=CCACHE
--scope -> --netbios-scope=SCOPE
--use-ccache -> --use-winbind-ccache
Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing
### Duplicates in command line utils
ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor,
as it used to be.
-s is no longer reported as an alias for --configfile,
it never worked that way as it was shadowed by '-s' for '--scope'.
ndrdump:
-l is not available for --load-dso anymore
net:
-l is not available for --long anymore
sharesec:
-V is not available for --viewsddl anymore
smbcquotas:
--user -> --quota-user
nmbd:
--log-stdout -> --debug-stdout
smbd:
--log-stdout -> --debug-stdout
winbindd:
--log-stdout -> --debug-stdout
Scanning of trusted domains and enterprise principals
-----------------------------------------------------
As an artifact from the NT4 times, we still scanned the list of trusted domains
on winbindd startup. This is wrong as we never can get a full picture in Active
Directory. It is time to change the default value to "No". Also with this change
we always use enterprise principals for Kerberos so that the DC will be able
to redirect ticket requests to the right DC. This is e.g. needed for one way
trusts. The options `winbind use krb5 enterprise principals` and
`winbind scan trusted domains` will be deprecated in one of the next releases.
Support for Offline Domain Join (ODJ)
-------------------------------------
The net utility is now able to support the offline domain join feature
as known from the Windows djoin.exe command for many years. Samba's
implementation is accessible via the 'net offlinejoin' subcommand. It
can provision computers and request offline joining for both Windows
and Unix machines. It is also possible to provision computers from
Windows (using djoin.exe) and use the generated data in Samba's 'net'
utility. The existing options for the provisioning and joining steps
are documented in the net(8) manpage.
'samba-tool dns zoneoptions' for aging control
----------------------------------------------
The 'samba-tool dns zoneoptions' command can be used to turn aging on
and off, alter the refresh and no-refresh periods, and manipulate the
timestamps of existing records.
To turn aging on for a zone, you can use something like this:
samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
which turns on aging and ensures no records less than five years old
are aged out and scavenged. After aging has been on for sufficient
time for records to be renewed, the command
samba-tool dns zoneoptions --refreshinterval=168
will set the refresh period to the standard seven days. Using this two
step process will help prevent the temporary loss of dynamic records
if scavenging happens before their first renewal.
Marking old records as static or dynamic with 'samba-tool'
----------------------------------------------------------
A bug in Samba versions prior to 4.9 meant records that were meant to
be static were marked as dynamic and vice versa. To fix the timestamps
in these domains, it is possible to use the following options,
preferably before turning aging on.
--mark-old-records-static
--mark-records-dynamic-regex
--mark-records-static-regex
The "--mark-old-records-static" option will make records older than the
specified date static (that is, with a zero timestamp). For example,
if you upgraded to Samba 4.9 in November 2018, you could ensure no
old records will be mistakenly interpreted as dynamic using the
following option:
samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
Then, if you know that that will have marked some records as static
that should be dynamic, and you know which those are due to your
naming scheme, you can use commands like:
samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
where '\w+-desktop' is a perl-compatible regular expression that will
match 'bob-desktop', 'alice-desktop', and so on.
These options are deliberately long and cumbersome to type, so people
have a chance to think before they get to the end. You can make a
mess if you get it wrong.
All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
argument that allows you to inspect the likely results before going
ahead.
NOTE: for aging to work, you need to have "dns zone scavenging = yes"
set in the smb.conf of at least one server.
DNS tombstones are now deleted as appropriate
---------------------------------------------
When all the records for a DNS name have been deleted, the node is put
in a tombstoned state (separate from general AD object tombstoning,
which deleted nodes also go through). These tombstones should be
cleaned up periodically. Due to a conflation of scavenging and
tombstoning, we have only been deleting tombstones when aging is
enabled.
If you have a lot of tombstoned DNS nodes (that is, DNS names for
which you have removed all the records), cleaning up these DNS
tombstones may take a noticeable time.
DNS tombstones use a consistent timestamp format
------------------------------------------------
DNS records use an hours-since-1601 timestamp format except for in the
case of tombstone records where a 100-nanosecond-intervals-since-1601
format is used (this latter format being the most common in Windows).
We had mixed that up, which might have had strange effects in zones
where aging was enabled (and hence tombstone timestamps were used).
samba-tool dns update and RPC changes
-------------------------------------
The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
to manipulate dns records on the remote server. A bug in Samba meant
it was not possible to update an existing DNS record to change the
TTL. The general behaviour of RPC updates is now closer to that of
Windows.
'samba-tool dns update' is now a bit more careful in rejecting and
warning you about malformed IPv4 and IPv6 addresses.
CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
-----------------------------------------------------------------------
An unauthenticated user can crash the AD DC KDC by omitting the server
name in a TGS-REQ. Per Samba's updated security process a specific
security release was not made for this issue as it is a recoverable
Denial Of Service.
See https://wiki.samba.org/index.php/Samba_Security_Proces
samba-tool domain backup offline with the LMDB backend
------------------------------------------------------
samba-tool domain backup offline, when operating with the LMDB backend
now correctly takes out locks against concurrent modification of the
database during the backup. If you use this tool on a Samba AD DC
using LMDB, you should upgrade to this release for safer backups.
REMOVED FEATURES
================
Tru64 ACL support has been removed from this release. The last
supported release of Tru64 UNIX was in 2012.
NIS support has been removed from this release. This is not
available in Linux distributions anymore.
The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
which have been out of support since 2018.
smb.conf changes
================
Parameter Name                          Description     Default
--------------                          -----------     -------
client use kerberos                     New             desired
client max protocol                     Values Removed
client min protocol                     Values Removed
client protection                       New             default
client smb3 signing algorithms          New             see man smb.conf
client smb3 encryption algorithms       New             see man smb.conf
preopen:posix-basic-regex               New             No
preopen:nomatch_log_level               New             5
preopen:match_log_level                 New             5
preopen:nodigits_log_level              New             1
preopen:founddigits_log_level           New             3
preopen:reset_log_level                 New             5
preopen:push_log_level                  New             3
preopen:queue_log_level                 New             10
server max protocol                     Values Removed
server min protocol                     Values Removed
server multi channel support            Changed         Yes (on Linux and FreeBSD)
server smb3 signing algorithms          New             see man smb.conf
server smb3 encryption algorithms       New             see man smb.conf
winbind use krb5 enterprise principals  Changed         Yes
winbind scan trusted domains            Changed         No
Release notes for 4.14:
NEW FEATURES/CHANGES
====================
Here is a copy of a clarification note added to the Samba code
in the file: VFS-License-clarification.txt.
--------------------------------------------------------------
A clarification of our GNU GPL License enforcement boundary within the Samba
Virtual File System (VFS) layer.
Samba is licensed under the GNU GPL. All code committed to the Samba
project or that creates a "modified version" or software "based on" Samba must
be either licensed under the GNU GPL or a compatible license.
Samba has several plug-in interfaces where external code may be called
from Samba GNU GPL licensed code. The most important of these is the
Samba VFS layer.
Samba VFS modules are intimately connected by header files and API
definitions to the part of the Samba code that provides file services,
and as such, code that implements a plug-in Samba VFS module must be
licensed under the GNU GPL or a compatible license.
However, Samba VFS modules may themselves call third-party external
libraries that are not part of the Samba project and are externally
developed and maintained.
As long as these third-party external libraries do not use any of the
Samba internal structure, APIs or interface definitions created by the
Samba project (to the extent that they would be considered subject to the GNU
GPL), then the Samba Team will not consider such third-party external
libraries called from Samba VFS modules as "based on" and/or creating a
"modified version" of the Samba code for the purposes of GNU GPL.
Accordingly, we do not require such libraries be licensed under the GNU GPL
or a GNU GPL compatible license.
VFS
---
The effort to modernize Samba's VFS interface has reached a major milestone with
the next release Samba 4.14.
For details please refer to the documentation at source3/modules/The_New_VFS.txt or
visit the <https://wiki.samba.org/index.php/The_New_VFS>.
Printing
--------
Publishing printers in AD is more reliable and more printer features are
added to the published information in AD. Samba now also supports Windows
drivers for the ARM64 architecture.
Client Group Policy
-------------------
This release extends Samba to support Group Policy functionality for Winbind
clients. Active Directory Administrators can set policies that apply Sudoers
configuration, and cron jobs to run hourly, daily, weekly or monthly.
To enable the application of Group Policies on a client, set the global
smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
Policies applied by Samba are 'non-tattooing', meaning that changes can be
reverted by executing the `samba-gpupdate --unapply` command. Policies can be
re-applied using the `samba-gpupdate --force` command.
To view what policies have been or will be applied to a system, use the
`samba-gpupdate --rsop` command.
Administration of Samba policy requires that a Samba ADMX template be uploaded
to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
provided as a convenient method for adding this policy. Once uploaded, policies
can be modified in the Group Policy Management Editor under Computer
Configuration/Policies/Administrative Templates. Alternatively, Samba policy
may be managed using the `samba-tool gpo manage` command. This tool does not
require the admx templates to be installed.
Python 3.6 or later required
----------------------------
Samba's minimum runtime requirement for python was raised to Python
3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python
3.6 also to build Samba. It is no longer possible to build Samba
(even just the file server) with Python versions 2.6 and 2.7.
As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in this release.
Miscellaneous samba-tool changes
--------------------------------
The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and
groups) now consistently use the "add" command when adding a new object to
the AD. The previous deprecation warnings when using the 'add' commands
have been removed. For compatibility reasons, both the 'add' and 'create'
commands can be used now.
Users, groups and contacts can now be renamed with the respective rename
commands.
Locked users can be unlocked with the new 'samba-tool user unlock' command.
The 'samba-tool user list' and 'samba-tool group listmembers' commands
provide additional options to hide expired and disabled user accounts
(--hide-expired and --hide-disabled).
CTDB CHANGES
============
* The NAT gateway and LVS features now use the term "leader" to refer
to the main node in a group through which traffic is routed and
"follower" for other members of a group. The command for
determining the leader has changed to "ctdb natgw leader" (from
"ctdb natgw master"). The configuration keyword for indicating that
a node can not be the leader of a group has changed to
"follower-only" (from "slave-only"). Identical changes were made
for LVS.
* Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's
scripts and can be checked by users with "ctdb pnn" and "ctdb
recmaster".
smb.conf changes
================
Parameter Name                          Description     Default
--------------                          -----------     -------
smb encrypt                             Removed
async dns timeout                       New             10
client smb encrypt                      New             default
honor change notify privilege           New             No
smbd force process locks                New             No
server smb encrypt                      New             default
|
|
|
|
|