Age | Commit message | Author | Files | Lines |
|
Adds features for Google Cloud Storage.
Changes:
* Loosen requirements for ID field in PROJECT_PRIVATE_RE.
* Populate storage class from HEAD Object responses
|
Changes since previous version:
* New features:
  * Change website URLs from http://mosh.mit.edu to https://mosh.org. (Keith Winstein)
  * Add --no-ssh-pty option for Dropbear compatibility and other issues.
  * Switch to semantic versioning, making this version 1.3.0 instead of 1.2.7.
* Platform support:
  * Added nonce-incrementing test. (Keith Winstein)
  * Add build-source-package.sh for Debian. (Keith Winstein)
  * Fix CPPFLAGS handling possibly causing curses detection failure. (John Hood)
  * Add an Appveyor/Cygwin CI build.
  * Improve warning-flags detection for 'make distcheck'. (John Hood)
  * Improve robustness of regression tests. (John Hood)
  * Support OpenBSD pledge() sandboxing. (John Hood)
  * Use backward-compatible name for AES in AppleCommonCrypto, fixing builds with older OS X SDKs. (John Hood)
  * Detect clock_gettime() and CLOCK_MONOTONIC carefully, fixing OS X 10.12 + Xcode 7.3 builds. (John Hood)
  * Support older versions of Perl, back to 5.10, fixing RHEL 5 builds. (Anders Kaseorg)
  * Add a Travis OS X CI and release build. (John Hood)
  * Add --help and --version, enabling Automake's 'std-options' checks. (Anders Kaseorg)
  * Add a simple smoke test not requiring tmux, to help validate builds on older platforms including RHEL 5. (Anders Kaseorg)
  * Check for presence of clock_gettime() for OS X, where the symbol may not be resolved on older OS X versions. (John Hood)
  * Fix a memory alignment issue in OCB with ARM/Neon. (Carlos Cabanero)
  * Mosh now runs correctly on Bash for Windows with Windows 10 Insider builds 15002 and higher. (No change in Mosh)
  * Other minor platform compatibility fixes for Mosh sources and tests. (John Hood)
* Bug fixes:
  * Work around a pty buffering issue causing failed connections on FreeBSD 11, or with Dropbear. (John Hood)
  * Restore '-p 0' option for OS-selected UDP port bindings. (John Hood)
  * Shell hygiene fixes, including better quoting of pathnames. (Anders Kaseorg)
  * Fix typos in project docs. (Jakub Wilk)
  * Fix excess newlines on mosh client startup/shutdown. (John Hood)
  * Exit gracefully, closing session, on pty write or ioctl failure. (John Hood)
  * Fix two bugs that caused mosh-server to consume excessive CPU in certain circumstances. (John Hood)
  * Fix bug that caused text copied from mosh-client to paste as long lines joined by spaces. (John Hood)
  * Documentation improvements. (chenxiaoqino, Ashish Gupta)
  * Use getuid(), not geteuid(), for correct getpw* lookups. (John Hood)
|
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.
Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
|
Pkgsrc changes:
* Adapt PLIST, new .so installed.
Upstream changes:
Changes since 4.6.3:
---------------------
o Volker Lendecke <vl@samba.org>
* BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
share.
Changes since 4.6.2:
--------------------
o Michael Adam <obnox@samba.org>
* BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
from shares with GlusterFS backend.
o Jeremy Allison <jra@samba.org>
* BUG 12559: Fix for Solaris C compiler.
* BUG 12628: s3: locking: Update oplock optimization for the leases era.
* BUG 12693: Make the Solaris C compiler happy.
* BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the
expected LDAP attributes.
* BUG 12747: Fix buffer overflow caused by wrong use of getgroups.
o Hanno Boeck <hanno@hboeck.de>
* BUG 12746: lib: debug: Avoid negative array access.
* BUG 12748: cleanupdb: Fix a memory read error.
o Ralph Boehme <slow@samba.org>
* BUG 7537: streams_xattr and kernel oplocks results in
NT_STATUS_NETWORK_BUSY.
* BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from
other backends.
* BUG 12565: vfs_fruit: Resource fork open request with
flags=O_CREAT|O_RDONLY.
* BUG 12615: manpages/vfs_fruit: Document global options.
* BUG 12624: lib/pthreadpool: Fix a memory leak.
* BUG 12727: Lookup-domain for well-known SIDs on a DC.
* BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
* BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.
o Alexander Bokovoy <ab@samba.org>
* BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI
use case.
* BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.
o Amitay Isaacs <amitay@gmail.com>
* BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
complete.
* BUG 12723: ctdb_event monitor command crashes if event is not specified.
* BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.
o Volker Lendecke <vl@samba.org>
* BUG 12558: smbd: Fix smb1 findfirst with DFS.
* BUG 12610: smbd: Do an early exit on negprot failure.
* BUG 12699: winbindd: Fix substitution for 'template homedir'.
o Stefan Metzmacher <metze@samba.org>
* BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
* BUG 12613: idmap_autorid: Allocate new domain range if the callers knows
the sid is valid.
* BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
* BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
trusted domain.
* BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again.
o Christof Schmitt <cs@samba.org>
* BUG 12725: winbindd: Fix password policy for pam authentication.
o Andreas Schneider <asn@samba.org>
* BUG 12554: s3:gse: Correctly handle external trusts with MIT.
* BUG 12611: auth/credentials: Always set the realm if we set the principal
from the ccache.
* BUG 12686: replace: Include sysmacros.h.
* BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
* BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
* BUG 12708: winbindd: Child process crashes when kerberos-authenticating
a user with wrong password.
o Uri Simchoni <uri@samba.org>
* BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to
CNID semantics.
* BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
fragmented.
|
https://bugzilla.samba.org/show_bug.cgi?id=12780 (non-public)
from
https://www.samba.org/samba/ftp/patches/security/samba-4.6.3-4.5.9-4.4.13-CVE-2017-7494.patch
Should fix CVE-2017-7494.
Bump PKGREVISION.
|
The previous version in pkgsrc had a critical bug where status would not
update and nagios log "wproc: Core Worker seems to be choked". More
details at http://tracker.nagios.org/view.php?id=642
Here is the complete Changelog
4.3.2 - xxxx-xx-xx
------------------
FIXED
* Every 15sec /var/log/messages is flooded with "nagios: set_environment_var" (John Frickson)
* Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
* `make all` fails if unzip is not installed (John Frickson)
* Quick Search no longer allows search by Alias (John Frickson)
* flexible downtime on a service immediately turns off notifications (John Frickson)
* Fix to allow url_encode to be called twice (Z. Liu)
* Update timeperiods.cfg.in (spelling) (Parth Laxmikant Kolekar)
* Spelling fixes (Josh Soref)
* Vent command pipe before remove to avoid deadlocks on writing end (Kai Kunstmann)
* CGI utility cgiutil.c does not process relative config file path names properly (John Frickson)
* xdata/xodtemplate.c bug in option-deprecation code (John Frickson)
* Wildcard searching causes service status links to not work properly (John Frickson)
* Quick search with no hits shows a permission denied error (John Frickson)
* Setting a service as its own parent is not caught by the sanity checker (-v) and causes a segfault (John Frickson)
4.3.1 - 2017-02-23
------------------
FIXES
* Service hard state generation and host hard or soft down status (John Frickson)
* Comments are duplicated through Nagios reload (John Frickson)
* host hourly value is incorrectly dumped as json boolean (John Frickson)
* Bug - Quick Search no longer allows search by IP (John Frickson)
* Config: status_update_interval can not be set to 1 (John Frickson)
* Check attempts not increasing if nagios is reloaded (John Frickson)
* nagios hangs on reload while sending external command to cmd file (John Frickson)
* Feature Request: return code xxx out of bounds - include message as well (John Frickson)
4.3.0 - 2017-02-21
------------------
SECURITY FIXES
* Fix for CVE-2016-6209 - The "corewindow" parameter (as in
http://localhost/nagios?corewindow=www.somewhere.com) has been disabled by
default. See the UPGRADING document for how to enable it. (John Frickson)
FIXES
* Fix early event scheduling (pmalek / John Frickson)
* on-demand host checks triggered by service checks cause attempt number increments (fredericve)
* Service notification not being sent when host is in soft down state (John Frickson)
* configure does not error if no perl installed on CentOS 7 (John Frickson)
* failed passive requests leave .ok files in checkresults dir (caronc)
* Services don't show in status.cgi if "noheader" specified (John Frickson)
* Standardized check interval config file names (John Frickson)
* "Event Log" (showlog.cgi) could not open log file (John Frickson)
* "nagios_check_command" has been deprecated since v3.0. Last vestiges removed (John Frickson)
ENHANCEMENTS
* Added new flag to cgi.cfg: tac_cgi_hard_only to show only HARD states (John Frickson)
* Add broker-event for the end of a timed event (NEBTYPE_TIMEDEVENT_END) (John Frickson)
* There is no Macro to retrieve addresses of hostgroup members (now $HOSTGROUPMEMBERADDRESSES$) (John Frickson)
* Add "Page Tour" videos to several of the core web pages (John Frickson)
* Added a login page, and a `Logoff` links (John Frickson)
* On the status map, the host name will be colored if services are not all OK. (John Frickson)
* Added "Clear flapping state" command on host and services detail pages. (John Frickson)
* User-entered comment now displays below generated comment for downtime (John Frickson)
4.2.4 - 2016-12-07
------------------
SECURITY FIXES
* Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this
to our attention go to Dawid Golunski (http://legalhackers.com).
4.2.3 - 2016-11-21
-------------------
SECURITY FIXES
* Fixed a root privilege escalation (CVE-2016-8641) (John Frickson)
FIXES
* external command during reload doesn't work (John Frickson)
* Nagios provides no error condition as to why it fails on the verify for serviceescalation (John Frickson)
* No root group in FreeBSD and Apple OS X (John Frickson)
* jsonquery.html doesn't display scheduled_time_ok correctly (John Frickson)
* daemon_dumps_core=1 has no effect on Linux when Nagios started as root (John Frickson)
* Configuration check in hostgroup - misspelled hostname does not error (John Frickson)
* contacts or contact_groups directive with no value should not be allowed (John Frickson)
* Compile 64-bit on SPARC produces LD error (John Frickson)
* HOSTSTATEID returns 0 even if host does not exist (John Frickson)
* Submitting UNREACHABLE passive result for host sets it as DOWN if the host has no parents (John Frickson)
* nagios: job XX (pid=YY): read() returned error 11 (changed from LOG_ERR to LOG_NOTICE) (John Frickson)
* Fix for quick search not showing services if wildcard used (John Frickson)
4.2.2 - 2016-10-24
------------------
SECURITY FIXES
* There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on
August 1, 2016. The fix was apparently incomplete, as there was still a
problem. However, we are now getting all RSS feeds using AJAX calls
instead of the (outdated) MagpieRSS package. Thanks for bringing this to
our attention go to Dawid Golunski (http://legalhackers.com).
ENHANCEMENTS
* Update status.c to display passive check icon for hosts when passive checks
are enabled and actives disabled (John Frickson)
FIXES
* Fix permissions for Host Groups reports (status.cgi) (Patrik Halfar)
* Service Parents does not appear to be functioning as intended (lev)
* Availability report mixes up scheduled and unscheduled warning percentages (Helmut Mikulcik)
* Invalid values for saved_stamp in compute_subject_downtime_times() (John Frickson)
* Remove deprecated "framespacing" (John Frickson)
* The nagios tarball contains two identical jquery copies (John Frickson)
* extinfo.cgi does not set content-type (most cgi's don't) (John Frickson)
* Timeperiods are corrupted by external command CHANGE_SVC_CHECK_TIMEPERIOD (xoubih)
* Quick search doesn't show hosts without services (service status detail page) (John Frickson)
* In host/services details view, if exactly 100 entries would not show last one (John Frickson)
* nagios host URL parameter for NEW map doesn't work - Network Map for All Hosts (John Frickson)
* next_problem_id is improperly initialized (gherteg)
* Passive problems not showing as "unhandled" (John Frickson)
* September reported as Sept instead of Sep (Rostislav Opočenský)
* Notifications are not sent for active alerts after scheduled downtime ends (John Frickson)
* Nagios 4.2.0 not working on Solaris (John Frickson)
* install-exfoliation and install-classicui don't work FreeBSD and Mac OS X (John Frickson)
* Updated makefile to delete some no-longer-needed files (John Frickson)
4.2.1 - 2016-09-06
------------------
FIXES
* Fix undefined variable php error (John Frickson)
* Links on the sidebar menu under 'Problems' are indented too far (John Frickson)
* Using $ARGn$ Macros in perfdata (John Frickson)
* using a wildcard in search returns service status total all zero's (John Frickson)
* read_only does not take priority (deppy)
* Running nagios -v on 4.2.0 takes 90+ seconds (John Frickson)
* Bare "make" invoked in subtarget (mjo)
* Theme images/stylesheets installed with inconsistent permissions (mjo / John Frickson)
* Missing Image for Host and Service State Trends in Availability Report (nichokap / John Frickson)
* Maintain non-persistent comments through reload (John Frickson)
* Servicegroup availability report ignores includesoftstates in service report links (PriceChild)
* error: format not a string literal and no format arguments (Karsten Weiss)
* Synced config.guess and config.sub with GNU (Zakhar Kleyman)
4.2.0 - 2016-08-01
------------------
SECURITY FIXES
* Fixed vulnerability CVE-2008-4796 (John Frickson)
* Fixed vulnerability CVE-2013-4214 (John Frickson)
* web interface vulnerable to Cross-Site Request Forgery attacks (John Frickson)
ENHANCEMENTS
* Increase socket queue length for listen()
* Added host name to the website page title (leres / John Frickson)
* Added additional icons for NetBSD and SuSE (John Frickson)
* The new Status Map will now use cgi.cfg options (John Frickson)
default_statusmap_layout will default to "6" for the new map
* The new Status Map will now show some valid values in the popup for "Nagios Process" (John Frickson)
FIXES
* Network outage view without access to all hosts (John Frickson)
* Core workers looping (John Frickson)
* service query returns duplicate host_name and description fields in the returned data (John Frickson)
* HTML output of plug-ins is parsed in wrong way => webgui unusable (John Frickson)
* Command worker fails to handle SIGPIPE
* "View Status" links under "Map" broken in Nagios Core Version 4.1.1 (John Frickson)
* Can't send big buffer - wproc: Core Worker seems to be choked (velripn / John Frickson)
* Too big CPU load on FreeBSD and other systems using poll() interface (cejkar)
* Flexible downtime recorded as unscheduled downtime (John Frickson)
* Service Flexible downtimes produce 1 notification before entering (John Frickson)
* Once you "set flap_detection_enabled 0" it should remove flapping state from the host/services page (John Frickson)
* New map doesn't finish loading if a logo image is not found (John Frickson)
* Extraneous Div end tag in map.html (Scott Wilkerson)
* Issue with "Problems" section (John Frickson)
* Status Map icons and online/offline status dots disappear in IE11 (John Frickson)
* New network map overlays the nagios process with objects (John Frickson)
* Added Default-Start and Default-Stop to the init script (John Frickson)
* Compile / logging issues with BSD 6
* Related to above, Fixed a lot of incorrectly handled time_t's in *printf's (John Frickson)
* New map not working for RU locale (actually, most locales) (John Frickson)
* Replaced all instances of signal() with sigaction() + blocking (John Frickson)
* UTF-8 characters like german ä are not processed properly by function url_encode (John Frickson)
* nagios worker processes can hog CPU (huxley / John Frickson)
* custom time periods that include special characters were not being handled in reports (John Frickson)
* Fixed init script to wait up to 90 seconds then kill the nagios process (John Frickson)
* No Host Groups results in wrong error message (John Frickson)
* Setup Nagios users to view specific host is not working in the new network map (John Frickson)
* statusjson.cgi fails glibc realloc truncate response output (John Frickson)
* Report Time Period does not work if an @ character is in the timeperiod name (John Frickson)
* State History does not use actual plugin long_output (John Frickson)
* Time period corruption (xoubih)
* Tactical Overview - Disabled Flap Detection Link (John Frickson)
4.1.1 - 08/19/2015
------------------
FIXES
* CGI Could not read object configuration data (broken by error in 4.1.0)
* exclude (!) not working (broken by mis-applied fix for 4.1.0)
4.1.0 - 08/18/2015
------------------
ENHANCEMENTS
* Promoted JSON CGIs to released status (Eric Stanley)
* New graphical CGI displays: statusmap, trends, histogram (Eric Stanley)
* Make sticky status for acks and comments configurable enhancement #20 (Trevor McDonald / Scott Wilkerson)
* Add host_down_disable_service_checks directive to nagios.cfg #44 (Trevor McDonald / Scott Wilkerson)
* httpd.conf doesn't support Apache versions > 2.3 (DanielB / John Frickson)
FIXES
* Fix for not all service dependencies created (John Frickson)
* Fix SIGSEGV with empty custom variable (orbis / John Frickson)
* Fix contact macros in environment variables (dvoryanchikov)
* Fixed host's current attempt goes to 1 after going to hard state (John Frickson)
* Fixed two bugs/problems: Replace use of %zd in base/utils.c & incorrect va_start() in cgi/jsonutils.c (Peter Eriksson)
* Fixed: Let remove_specialized actually remove all workers (Phil Mayers)
* Fixed log file spam caused when using perfdata command directives in nagios.cfg (shashikanthbussa)
* Fixed off-by-one error in bounds check leads to segfault (Phil Mayers)
* Added links for legacy graphical displays (Eric Stanley)
* Update embedded URL's to https versions of Nagios websites (scottwilkerson)
* Fixed doxygen comments to work with latest doxygen 1.8.9.1 #30 (Trevor McDonald)
* Fixed makefile target "html" to PHONY to fix GitHub issue #28 (Trevor McDonald)
* Fixed typo as per GitHub issue #27 (Trevor McDonald)
* Fixed jsonquery.php 404 not found error, and disabled Send Query button until form populates #43 (Scott Wilkerson)
* Fixed linking in Tactical Overview for several of the Host entries in Featured section #48 (Scott Wilkerson)
* Fixed passing limit and sort options to pagination and sort links #42 (Scott Wilkerson)
* Added form field for icon URL and clean-up when it changes in CGI Status Map. (Eric Stanley)
* Added options to cgi.cfg to uncheck sticky and send when acknowledging a problem (Trevor McDonald)
* Low impact changes to automate the generation of RPMs from nagios.spec file. (T.J. Yang)
* Update index.php (Trevor McDonald)
* Fixed escaping of corewindow parameter to account for possible XSS injection (Scott Wilkerson)
* Typo correction (T.J. Yang)
* Make getCoreStatus respect cgi_base_url (Moritz Schlarb)
* Adjusted map layout to work within frames (Eric Stanley)
* Fixed map displays are now the full size of browser window (Eric Stanley)
* Fixed labels and icons on circular markup no longer scale on zoom (Eric Stanley)
* Got all maps except circular markup working with icons (Eric Stanley)
* Fixes to make legacy CGIs work again. (Eric Stanley)
* Fixes to make all/html target tolerant of being run multiple times (Eric Stanley)
* For user-supplied maps, converted node group to have transform (Eric Stanley)
* Fixed issue transitioning from circular markup map to other maps (Eric Stanley)
* Fix displayForm to trigger on the button press (Scott Wilkerson)
* Fix for getBBox crash on Firefox (Eric Stanley)
* Fixed map now resets zoom when form apply()'d (Eric Stanley)
* Fixed so close box on dialogs actually closes dialog (Eric Stanley)
* Corrected directive in trends display (Eric Stanley)
* Fixed minor issue with link in trends links (Eric Stanley)
* Fixed issue with map displaying on Firefox (Eric Stanley)
* Added exclusions for ctags generation (Eric Stanley)
* Update map-popup.html (Scott Wilkerson)
* Initial commit of new graphical CGIs (Eric Stanley)
* Fixed Github bug #18 - archivejson.cgi returns wrong host for state change query (Eric Stanley)
* Status JSON: Added next_check to service details (Eric Stanley)
* Fixed escaping of keys for scalar values in JSON CGIs (Eric Stanley)
* build: Include <sys/loadavg.h> if it exists. (Eric J. Mislivec)
* lib-tests: test-io{cache|broker} need -lsocket to link. (Eric J. Mislivec)
* lib-tests: test-runcmd assumes GNU echo. (Eric J. Mislivec)
* lib-tests: Signal handlers don't return int on most platforms, and using a cast was the wrong way to resolve this. (Eric J. Mislivec)
* Fix some type/format mismatch warnings for pid_t. (Eric J. Mislivec)
* Fix build on Solaris. (Eric J. Mislivec)
* runcmd: Fix build when we don't HAVE_SETENV. (Eric J. Mislivec)
* Fixed checkresult output processing (Eric Mislivec)
* Corrected escaping of long output macros (Eric Mislivec)
* Fixed null pointer dereferences in archive JSON (Eric Stanley)
* Fixed memory overwrite issue in JSON string escaping (Eric Stanley)
* JSON CGI: Now escaping object and array keys (Eric Stanley)
KNOWN ISSUES
* New map does not account for multiple parents, leaving "legacy" map as an option in the menu
|
Changelog:
- Media attached to tweets can be downloaded using Right Click
and selecting "save as"
- Profiles use the profile background color set in the Twitter
settings if no banner is set
- The tweet compose window now features a "favorite image" view that
allows users to save often sent images and quickly add them to tweets
- The media dialog now shows Previous/Next buttons to quickly switch
between multiple media attachments of a tweet
- The Vine support has been removed since the project is discontinued
- Allow text selection in Direct Messages
- New --account parameter allows opening the window for the given
account only
- Support tweets with up to 50 replied-to users.
- Add back verified icons next to user avatars
- Redesigned account creation UI
- Tons of bug fixes
|
* fix redirect-gateway behaviour when an IPv4 default route does not exist
* Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
* Check for errors in the return value of GetModuleFileNameW()
* Fix gateway detection with OpenBSD routing domains
|
RCD_SCRIPT_WRK.<script> was set previously to prevent a name conflict
with ${WRKSRC} because in the past, it defaulted to ${WRKDIR}/<script>.
This has since been changed to default to ${WRKDIR}/.rc.d/<script> to
prevent unintended name collisions, which makes this definition no longer
needed.
|
Incompatible Changes
- fping and fping6 unification
- Option -n, not the same as -d anymore
- Discarding of late packets
- No restrictions by default
- Default interval (-i) changed from 25ms to 10ms
New features
- Unified 'fping' and 'fping6' into one binary
- Long option names for all options
- IPv6 enabled by default
- New option -4 to force IPv4
- New option -6 to force IPv6
- Keep original name if a hostname is given with -n/--name
- Option -d/--rdns now always does a rdns-lookup, even for names, as '-n' was doing until now
- Enforce -t timeout on reply packets, by discarding late packets
- Auto-adjust timeout for -c/-C/-l mode to value of -p
Bugfixes and other changes
- -i/-p restrictions disabled by default (enable with --enable-safe-limits)
- Default interval -i changed from 25ms to 10ms
- Fix compatibility issue with GNU Hurd
- A C99 compiler is now required
- Option parsing with optparse (https://github.com/skeeto/optparse)
- New changelog file format
|
Included ucspi-ssl-0.70_ucspitls-0.6.patch (STARTTLS support)
originally designed and provided by Scott Gifford (FEH).
Added Certchain support for sslserver and sslclient (FEH).
Integration and added man-pages (FEH).
Synced with ucspi-tcp6-0.95.
Fixed integration bug in ssl_very.c.
Included patches from Peter Conrad.
Bug fix in sslserver. Several small
corrections.
Fix for large X509 serial numbers on x86 (tx. Peter Conrad).
SAN DNSname has precedence over CN in subject.
Re-edited man pages and rts tests.
Added IPv6 support (tx. to Felix von Leitner and Brandon Turner).
UI: Changed sslserver client cert call from '-i/-I' to '-z/-Z'
for compatibility reasons.
Added '-4/-6' support for client scripts.
Added output environment variables TCP6* for sslserver.
sslperl, sslhandle, and sslprint are not IPv6 ready yet.
Added IPv6 capabilities to sslhandle, sslprint, sslperl.
Changed verification of X.509 certs.
Removed obsolete socket_4 calls in sslserver.
Streamlined code with ucspi-tcp6-1.00.
Supplied new certs with customized SAN.
Make rts working (at least some how).
Added support for personalized client certs.
New option '-m' in sslserver, complementing '-z'.
CCAFILE='-' disables client cert request.
Added verbose log output for SSL connection informations.
Fixed wrongly nested CONNECT error code for sslclient.c
producing wrong warning messages while connecting to
an IPv4 address.
Added call of '-ldl' in ssl.lib.
Mitigation of SSL connection hanging during
coincident change of daylight-saving settings.
Fixed bug in sslserver's dnsip lookup in case of paranoid settings
and additional existence of IPv6 AAAA records for incoming IPv4 connection.
Several fixes from 'troy@' included to cope with compiler errors and
to solve a bug in function getbitasaddress in ip4_bit.c (= ucspi-tcp6-1.02).
Reordered conf-* variables in main dir to allow easier generation of
packages (i.e. RPM). Fixed script to identify different HW architecture
and OS. This version works in 32 bit mode on Raspian Linux / RasPi 7.
Added ECDH capabilities (tx to Frank Bergmann for the patches).
Added compatibility with LibreSSL.
Fixed missing negative return call treatment from 'poll' (tx Frank Bergmann).
Tentative 'emake' fix for Gentoo build.
Added OpenSSL 1.1 tweaks -- works under Debian (9) 'Stretch'.
|
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
|
Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The
DAQ replaces direct calls to libpcap functions with an abstraction layer that
facilitates operation on a variety of hardware and software interfaces without
requiring changes to Snort. It is possible to select the DAQ type and mode
when invoking Snort to perform pcap readback or inline operation, etc. The
DAQ library may be useful for other packet processing applications and the
modular nature allows you to build new modules for other platforms.
|
|
Fixes a bug where a recently added module was not added to setup.py.
|
|
This is a regularly scheduled stable release.
Resolved issues:
#1879: It is now possible to create custom event subscriptions via the REST API.
#2250: Removing large folders now uses less memory.
#3307: The minimum disk space (per folder and for the home disk) can now be set to an absolute value.
#3965: Pausing or reconfiguring a folder will no longer start extra scans. Pausing a folder stops scanning.
#3996: Ignore patterns can now be set at folder creation time, and for paused folders.
#4020: It is no longer possible to configure the GUI/API to listen on a privileged port using the standard settings dialog.
#4096: The device allowed subnet list can now include negative ("!") entries to disallow subnets.
#4112: Doing "Override changes" now uses less memory.
|
|
* Fix "Segment not available from server" errors
* The --cache-init option. Use --cache-rebuild instead when upgrading.
* The SRT subtitles produced by get_iplayer now include <font> tags to
preserve the colour information from the TTML originals.
* get_iplayer now supports the BBC "bidi" CDN, so additional streams
are available for TV programmes.
* hvf modes (the default) for TV programmes will now produce files
with 320k audio, if available. 320k audio is not available for hls
or dvf modes.
Full release notes available from:
https://github.com/get-iplayer/get_iplayer/wiki/release301
|
|
**** 1.10 May 5, 2017
Fix rt.cpan.org #120748
Net::DNS::Resolver::MSWin32 critical issue
Thanks to Dmytro Zagashev for his valuable assistance during
the investigation which exposed five distinct issues.
Feature rt.cpan.org #18819
Perl 5.22.0 puts EBCDIC character encoding back on the agenda.
Thanks to Yaroslav Kuzmin for successful test build on os390.
|
|
Core
+ [extractor/common] Respect Width and Height attributes in ISM manifests
+ [postprocessor/metadatafromtitle] Add support for regular expression syntax for
--metadata-from-title (#13065)
Extractor
+ [mediaset] Add support for video.mediaset.it (#12708, #12964)
* [orf:radio] Fix extraction (#11643, #12926)
* [aljazeera] Extend URL regular expression (#13053)
* [imdb] Relax URL regular expression (#13056)
+ [francetv] Add support for mobile.france.tv (#13068)
+ [upskill] Add support for upskillcourses.com (#13043)
* [thescene] Fix extraction (#13061)
* [condenast] Improve embed support
* [liveleak] Fix extraction (#12053)
+ [douyu] Support Douyu shows (#12228)
* [myspace] Improve URL regular expression (#13040)
* [adultswim] Use desktop platform in assets URL (#13041)
version 2017.05.09
Core
* [YoutubeDL] Force --restrict-filenames when no locale is set on all python
versions (#13027)
Extractors
* [francetv] Adapt to site redesign (#13034)
+ [packtpub] Add support for authentication (#12622)
* [drtv] Lower preference for SignLanguage formats (#13013, #13016)
+ [cspan] Add support for brightcove live embeds (#13028)
* [vrv] Extract DASH formats and subtitles
* [funimation] Fix authentication (#13021)
* [adultswim] Fix extraction (#8640, #10950, #11042, #12121)
+ Add support for Adobe Pass authentication
+ Add support for live streams
+ Add support for show pages
* [turner] Extract thumbnail, is_live and strip description
+ [nonktube] Add support for nonktube.com (#8647, #13024)
+ [nuevo] Pass headers to _extract_nuevo
* [nbc] Improve extraction (#12364)
version 2017.05.07
Common
* [extractor/common] Fix typo in _extract_akamai_formats
+ [postprocessor/ffmpeg] Embed chapters into media file with --add-metadata
+ [extractor/common] Introduce chapters meta field
Extractors
* [youtube] Fix authentication (#12820, #12927, #12973, #12992, #12993, #12995,
#13003)
* [bilibili] Fix video downloading (#13001)
* [rmcdecouverte] Fix extraction (#12937)
* [theplatform] Extract chapters
* [bandcamp] Fix thumbnail extraction (#12980)
* [pornhub] Extend URL regular expression (#12996)
+ [youtube] Extract chapters
+ [nrk] Extract chapters
+ [vice] Add support for ooyala embeds in article pages
+ [vice] Support vice articles (#12968)
* [vice] Fix extraction for non en_us videos (#12967)
* [gdcvault] Fix extraction for some videos (#12733)
* [pbs] Improve multipart video support (#12981)
* [laola1tv] Fix extraction (#12880)
+ [cda] Support birthday verification (#12789)
* [leeco] Fix extraction (#12974)
+ [pbs] Extract chapters
* [amp] Improve thumbnail and subtitles extraction
* [foxsports] Fix extraction (#12945)
- [coub] Remove comment count extraction (#12941)
|
|
Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
of Tor 0.3.0.x, where an attacker could cause a Tor relay process to
exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
clients are not affected.
o Major bugfixes (hidden service directory, security):
- Fix an assertion failure in the hidden service directory code,
which could be used by an attacker to remotely cause a Tor relay
process to exit. Relays running earlier versions of Tor 0.3.0.x
should upgrade. This security issue is tracked as TROVE-2017-002.
Fixes bug 22246; bugfix on 0.3.0.1-alpha.
o Minor features:
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
Country database.
o Minor features (future-proofing):
- Tor no longer refuses to download microdescriptors or descriptors
if they are listed as "published in the future". This change will
eventually allow us to stop listing meaningful "published" dates
in microdescriptor consensuses, and thereby allow us to reduce the
resources required to download consensus diffs by over 50%.
Implements part of ticket 21642; implements part of proposal 275.
o Minor bugfixes (Linux seccomp2 sandbox):
- The getpid() system call is now permitted under the Linux seccomp2
sandbox, to avoid crashing with versions of OpenSSL (and other
libraries) that attempt to learn the process's PID by using the
syscall rather than the VDSO code. Fixes bug 21943; bugfix
on 0.2.5.1-alpha.
|
|
2.1.4
- Improve error handling in dnsmadeeasy provider
2.1.3
- Switch print to logging
- Organize imports as documented in PEP-8
|
|
entries.
XXX: Probably `share/examples/rc.d/tor' entry should not be in PLIST,
XXX: but we can wait for the next tor update in order to get rid of it.
|
|
It should fix a build with PKG_OPTIONS.tor=-doc.
|
|
--------------------------------
Common
~~~~~~
- Fix OpenStack drivers not correctly setting URLs when used with identity API, would default to 127.0.0.1 and service
catalog URLs were not adhered to.
- Fix Aliyun ECS, Load balancer and storage adapters when using unicode UTF-8 characters in the names of resources
in 2.0.0rc2 < it would fail as a MalformedResponseError, Python 2.7 element tree was raising a unicode error
- Refactor the test classes to use the full libcloud.http and libcloud.common.base modules, with Connection,
Response all used with requests_mock. This increases our test coverages and catches bugs in drivers' custom
parse_body and auth modules
- Rename libcloud.httplib_ssl to libcloud.http now that we don't use httplib
|
|
* Default to use VLANID>0 for IAID instead of MAC address
* BSD: Add support for RTA_LABEL
* Stop sharing the DHCPv6 port in master mode with other processes
* Fix some prefix delegation issues when the carrier drops or
addresses become stale
* Fix a crash when starting dhcpcd with -n
* Fix test for preferring a fake lease over a real one
* Show the real address lifetimes being added when adding IPv6
addresses
* Install dhcpcd-definitions.conf to the correct directory
* Restore the -G, --nogateway option
|
|
2017-04-26 Dustin Lundquist <dustin@null-ptr.net>
0.5.0 Release
* Transparent proxy support
* Use accept4() on Linux
* Run as group specified in config
|
|
Changelog:
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.
|
|
Changes in version 0.3.0.6 - 2017-04-26
Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
With the 0.3.0 series, clients and relays now use Ed25519 keys to
authenticate their link connections to relays, rather than the old
RSA1024 keys that they used before. (Circuit crypto has been
Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
the guard selection and replacement algorithm to behave more robustly
in the presence of unreliable networks, and to resist guard-
capture attacks.
This series also includes numerous other small features and bugfixes,
along with more groundwork for the upcoming hidden-services revamp.
Per our stable release policy, we plan to support the Tor 0.3.0
release series for at least the next nine months, or for three months
after the first stable release of the 0.3.1 series: whichever is
longer. If you need a release with long-term support, we recommend
that you stay with the 0.2.9 series.
Below are the changes since 0.2.9.10. For a list of only the changes
since 0.3.0.5-rc, see the ChangeLog file.
o Major features (directory authority, security):
- The default for AuthDirPinKeys is now 1: directory authorities
will reject relays where the RSA identity key matches a previously
seen value, but the Ed25519 key has changed. Closes ticket 18319.
o Major features (guard selection algorithm):
- Tor's guard selection algorithm has been redesigned from the
ground up, to better support unreliable networks and restrictive
sets of entry nodes, and to better resist guard-capture attacks by
hostile local networks. Implements proposal 271; closes
ticket 19877.
o Major features (next-generation hidden services):
- Relays can now handle v3 ESTABLISH_INTRO cells as specified by
prop224 aka "Next Generation Hidden Services". Service and clients
don't use this functionality yet. Closes ticket 19043. Based on
initial code by Alec Heifetz.
- Relays now support the HSDir version 3 protocol, so that they can
store and serve v3 descriptors. This is part of the next-
generation onion service work detailed in proposal 224. Closes
ticket 17238.
o Major features (protocol, ed25519 identity keys):
- Clients now support including Ed25519 identity keys in the EXTEND2
cells they generate. By default, this is controlled by a consensus
parameter, currently disabled. You can turn this feature on for
testing by setting ExtendByEd25519ID in your configuration. This
might make your traffic appear different than the traffic
generated by other users, however. Implements part of ticket
15056; part of proposal 220.
- Relays now understand requests to extend to other relays by their
Ed25519 identity keys. When an Ed25519 identity key is included in
an EXTEND2 cell, the relay will only extend the circuit if the
other relay can prove ownership of that identity. Implements part
of ticket 15056; part of proposal 220.
- Relays now use Ed25519 to prove their Ed25519 identities and to
one another, and to clients. This algorithm is faster and more
secure than the RSA-based handshake we've been doing until now.
Implements the second big part of proposal 220; Closes
ticket 15055.
o Major features (security):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
Feamster. Now relays only return one of two possible DNS TTL
values, and clients are willing to believe DNS TTL values up to 3
hours long. Closes ticket 19769.
o Major bugfixes (client, onion service, also in 0.2.9.9):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Major bugfixes (crash, directory connections):
- Fix a rare crash when sending a begin cell on a circuit whose
linked directory connection had already been closed. Fixes bug
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
o Major bugfixes (directory authority):
- During voting, when marking a relay as a probable sybil, do not
clear its BadExit flag: sybils can still be bad in other ways
too. (We still clear the other flags.) Fixes bug 21108; bugfix
on 0.2.0.13-alpha.
o Major bugfixes (DNS):
- Fix a bug that prevented exit nodes from caching DNS records for
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
o Major bugfixes (IPv6 Exits):
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
any IPv6 addresses. Instead, only reject a port over IPv6 if the
exit policy rejects that port on more than an IPv6 /16 of
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
which rejected a relay's own IPv6 address by default. Fixes bug
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
o Major bugfixes (parsing):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
- When parsing a malformed content-length field from an HTTP
message, do not read off the end of the buffer. This bug was a
potential remote denial-of-service attack against Tor clients and
relays. A workaround was released in October 2016, to prevent this
bug from crashing Tor. This is a fix for the underlying issue,
which should no longer matter (if you applied the earlier patch).
Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
using AFL (http://lcamtuf.coredump.cx/afl/).
o Major bugfixes (scheduler):
- Actually compare circuit policies in ewma_cmp_cmux(). This bug
caused the channel scheduler to behave more or less randomly,
rather than preferring channels with higher-priority circuits.
Fixes bug 20459; bugfix on 0.2.6.2-alpha.
o Major bugfixes (security, also in 0.2.9.9):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes--and having it
on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Minor feature (client):
- Enable IPv6 traffic on the SocksPort by default. To disable this,
a user will have to specify "NoIPv6Traffic". Closes ticket 21269.
o Minor feature (fallback scripts):
- Add a check_existing mode to updateFallbackDirs.py, which checks
if fallbacks in the hard-coded list are working. Closes ticket
20174. Patch by haxxpop.
o Minor feature (protocol versioning):
- Add new protocol version for proposal 224. HSIntro now advertises
version "3-4" and HSDir version "1-2". Fixes ticket 20656.
o Minor features (ciphersuite selection):
- Allow relays to accept a wider range of ciphersuites, including
chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
- Clients now advertise a list of ciphersuites closer to the ones
preferred by Firefox. Closes part of ticket 15426.
o Minor features (controller):
- Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
shared-random values to the controller. Closes ticket 19925.
- When HSFETCH arguments cannot be parsed, say "Invalid argument"
rather than "unrecognized." Closes ticket 20389; patch from
Ivan Markin.
o Minor features (controller, configuration):
- Each of the *Port options, such as SocksPort, ORPort, ControlPort,
and so on, now comes with a __*Port variant that will not be saved
to the torrc file by the controller's SAVECONF command. This
change allows TorBrowser to set up a single-use domain socket for
each time it launches Tor. Closes ticket 20956.
- The GETCONF command can now query options that may only be
meaningful in context-sensitive lists. This allows the controller
to query the mixed SocksPort/__SocksPort style options introduced
in feature 20956. Implements ticket 21300.
o Minor features (diagnostic, directory client):
- Warn when we find an unexpected inconsistency in directory
download status objects. Prevents some negative consequences of
bug 20593.
o Minor features (directory authorities):
- Directory authorities now reject descriptors that claim to be
malformed versions of Tor. Helps prevent exploitation of
bug 21278.
- Reject version numbers with components that exceed INT32_MAX.
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
Fixes bug 21450; bugfix on 0.0.8pre1.
o Minor features (directory authority):
- Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
default) to control whether authorities should try to probe relays
by their Ed25519 link keys. This option will go away in a few
releases--unless we encounter major trouble in our ed25519 link
protocol rollout, in which case it will serve as a safety option.
o Minor features (directory cache):
- Relays and bridges will now refuse to serve the consensus they
have if they know it is too old for a client to use. Closes
ticket 20511.
o Minor features (ed25519 link handshake):
- Advertise support for the ed25519 link handshake using the
subprotocol-versions mechanism, so that clients can tell which
relays can identify themselves by Ed25519 ID. Closes ticket 20552.
o Minor features (entry guards):
- Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
break regression tests.
- Require UseEntryGuards when UseBridges is set, in order to make
sure bridges aren't bypassed. Resolves ticket 20502.
o Minor features (fallback directories):
- Allow 3 fallback relays per operator, which is safe now that we
are choosing 200 fallback relays. Closes ticket 20912.
- Annotate updateFallbackDirs.py with the bandwidth and consensus
weight for each candidate fallback. Closes ticket 20878.
- Display the relay fingerprint when downloading consensuses from
fallbacks. Closes ticket 20908.
- Exclude relays affected by bug 20499 from the fallback list.
Exclude relays from the fallback list if they are running versions
known to be affected by bug 20499, or if in our tests they deliver
a stale consensus (i.e. one that expired more than 24 hours ago).
Closes ticket 20539.
- Make it easier to change the output sort order of fallbacks.
Closes ticket 20822.
- Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
ticket 18828.
- Require fallback directories to have the same address and port for
7 days (now that we have enough relays with this stability).
Relays whose OnionOO stability timer is reset on restart by bug
18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
this issue. Closes ticket 20880; maintains short-term fix
in 0.2.8.2-alpha.
- Require fallbacks to have flags for 90% of the time (weighted
decaying average), rather than 95%. This allows at least 73% of
clients to bootstrap in the first 5 seconds without contacting an
authority. Part of ticket 18828.
- Select 200 fallback directories for each release. Closes
ticket 20881.
o Minor features (fingerprinting resistance, authentication):
- Extend the length of RSA keys used for TLS link authentication to
2048 bits. (These weren't used for forward secrecy; for forward
secrecy, we used P256.) Closes ticket 13752.
o Minor features (geoip):
- Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
Country database.
o Minor features (geoip, also in 0.2.9.9):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor features (infrastructure):
- Implement smartlist_add_strdup() function. Replaces the use of
smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
o Minor features (linting):
- Enhance the changes file linter to warn on Tor versions that are
prefixed with "tor-". Closes ticket 21096.
o Minor features (logging):
- In several places, describe unset ed25519 keys as "<unset>",
rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
o Minor features (portability, compilation):
- Autoconf now checks to determine if OpenSSL structures are opaque,
instead of explicitly checking for OpenSSL version numbers. Part
of ticket 21359.
- Support building with recent LibreSSL code that uses opaque
structures. Closes ticket 21359.
o Minor features (relay):
- We now allow separation of exit and relay traffic to different
source IP addresses, using the OutboundBindAddressExit and
OutboundBindAddressOR options respectively. Closes ticket 17975.
Written by Michael Sonntag.
o Minor features (reliability, crash):
- Try better to detect problems in buffers where they might grow (or
think they have grown) over 2 GB in size. Diagnostic for
bug 21369.
o Minor features (testing):
- During 'make test-network-all', if tor logs any warnings, ask
chutney to output them. Requires a recent version of chutney with
the 21572 patch. Implements 21570.
o Minor bugfix (control protocol):
- The reply to a "GETINFO config/names" request via the control
protocol now spells the type "Dependent" correctly. This is a
breaking change in the control protocol. (The field seems to be
ignored by the most common known controllers.) Fixes bug 18146;
bugfix on 0.1.1.4-alpha.
- The GETINFO extra-info/digest/<digest> command was broken because
of a wrong base16 decode return value check, introduced when
refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
o Minor bugfix (logging):
- Don't recommend the use of Tor2web in non-anonymous mode.
Recommending Tor2web is a bad idea because the client loses all
anonymity. Tor2web should only be used in specific cases by users
who *know* and understand the issues. Fixes bug 21294; bugfix
on 0.2.9.3-alpha.
o Minor bugfixes (bug resilience):
- Fix an unreachable size_t overflow in base64_decode(). Fixes bug
19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
Hans Jerry Illikainen.
o Minor bugfixes (build):
- Replace obsolete Autoconf macros with their modern equivalent and
prevent similar issues in the future. Fixes bug 20990; bugfix
on 0.1.0.1-rc.
o Minor bugfixes (certificate expiration time):
- Avoid using link certificates that don't become valid till some
time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha.
o Minor bugfixes (client):
- Always recover from failures in extend_info_from_node(), in an
attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
bugfix on 0.2.3.1-alpha.
- When clients that use bridges start up with a cached consensus on
disk, they were ignoring it and downloading a new one. Now they
use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
o Minor bugfixes (code correctness):
- Repair a couple of (unreachable or harmless) cases of the risky
comparison-by-subtraction pattern that caused bug 21278.
o Minor bugfixes (config):
- Don't assert on startup when trying to get the options list and
LearnCircuitBuildTimeout is set to 0: we are currently parsing the
options so of course they aren't ready yet. Fixes bug 21062;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (configuration):
- Accept non-space whitespace characters after the severity level in
the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
- Support "TByte" and "TBytes" units in options given in bytes.
"TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
o Minor bugfixes (configure, autoconf):
- Rename the configure option --enable-expensive-hardening to
--enable-fragile-hardening. Expensive hardening makes the tor
daemon abort when some kinds of issues are detected. Thus, it
makes tor more at risk of remote crashes but safer against RCE or
heartbleed bug category. We now try to explain this issue in a
message from the configure script. Fixes bug 21290; bugfix
on 0.2.5.4-alpha.
o Minor bugfixes (consensus weight):
- Add new consensus method that initializes bw weights to 1 instead
of 0. This prevents a zero weight from making it all the way to
the end (happens in small testing networks) and causing an error.
Fixes bug 14881; bugfix on 0.2.2.17-alpha.
o Minor bugfixes (crash prevention):
- Fix a (currently untriggerable, but potentially dangerous) crash
bug when base32-encoding inputs whose sizes are not a multiple of
5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (dead code):
- Remove a redundant check for PidFile changes at runtime in
options_transition_allowed(): this check is already performed
regardless of whether the sandbox is active. Fixes bug 21123;
bugfix on 0.2.5.4-alpha.
o Minor bugfixes (descriptors):
- Correctly recognise downloaded full descriptors as valid, even
when using microdescriptors as circuits. This affects clients with
FetchUselessDescriptors set, and may affect directory authorities.
Fixes bug 20839; bugfix on 0.2.3.2-alpha.
o Minor bugfixes (directory mirrors):
- Allow relays to use directory mirrors without a DirPort: these
relays need to be contacted over their ORPorts using a begindir
connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
- Clarify the message logged when a remote relay is unexpectedly
missing an ORPort or DirPort: users were confusing this with a
local port. Fixes another case of bug 20711; bugfix
on 0.2.8.2-alpha.
o Minor bugfixes (directory system):
- Bridges and relays now use microdescriptors (like clients do)
rather than old-style router descriptors. Now bridges will blend
in with clients in terms of the circuits they build. Fixes bug
6769; bugfix on 0.2.3.2-alpha.
- Download all consensus flavors, descriptors, and authority
certificates when FetchUselessDescriptors is set, regardless of
whether tor is a directory cache or not. Fixes bug 20667; bugfix
on all recent tor versions.
o Minor bugfixes (documentation):
- Update the tor manual page to document every option that can not
be changed while tor is running. Fixes bug 21122.
o Minor bugfixes (ed25519 certificates):
- Correctly interpret ed25519 certificates that would expire some
time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (fallback directories):
- Avoid checking fallback candidates' DirPorts if they are down in
OnionOO. When a relay operator has multiple relays, this
prioritizes relays that are up over relays that are down. Fixes
bug 20926; bugfix on 0.2.8.3-alpha.
- Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
Fixes bug 20877; bugfix on 0.2.8.3-alpha.
- Stop failing when a relay has no uptime data in
updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (hidden service):
- Clean up the code for expiring intro points with no associated
circuits. It was causing, rarely, a service with some expiring
introduction points to not open enough additional introduction
points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
- Resolve two possible underflows which could lead to creating and
closing a lot of introduction point circuits in a non-stop loop.
Fixes bug 21302; bugfix on 0.2.7.2-alpha.
- Stop setting the torrc option HiddenServiceStatistics to "0" just
because we're not a bridge or relay. Instead, we preserve whatever
value the user set (or didn't set). Fixes bug 21150; bugfix
on 0.2.6.2-alpha.
o Minor bugfixes (hidden services):
- Make hidden services check for failed intro point connections,
even when they have exceeded their intro point creation limit.
Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
- Make hidden services with 8 to 10 introduction points check for
failed circuits immediately after startup. Previously, they would
wait for 5 minutes before performing their first checks. Fixes bug
21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
- Stop ignoring misconfigured hidden services. Instead, refuse to
start tor until the misconfigurations have been corrected. Fixes
bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
and earlier.
o Minor bugfixes (IPv6):
- Make IPv6-using clients try harder to find an IPv6 directory
server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
- When IPv6 addresses have not been downloaded yet (microdesc
consensus documents don't list relay IPv6 addresses), use hard-
coded addresses for authorities, fallbacks, and configured
bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
o Minor bugfixes (memory leak at exit):
- Fix a small harmless memory leak at exit of the previously unused
RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
on 0.2.7.2-alpha.
o Minor bugfixes (onion services):
- Allow the number of introduction points to be as low as 0, rather
than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (portability):
- Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
It is supported by OpenBSD itself, and also by most OpenBSD
variants (such as Bitrig). Fixes bug 20980; bugfix
on 0.1.2.1-alpha.
o Minor bugfixes (portability, also in 0.2.9.9):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (relay):
- Avoid a double-marked-circuit warning that could happen when we
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
on 0.1.0.1-rc.
- Honor DataDirectoryGroupReadable when tor is a relay. Previously,
initializing the keys would reset the DataDirectory to 0700
instead of 0750 even if DataDirectoryGroupReadable was set to 1.
Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
o Minor bugfixes (testing):
- Fix Raspbian build issues related to missing socket errno in
test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein".
- Remove undefined behavior from the backtrace generator by removing
its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
- Use bash in src/test/test-network.sh. This ensures we reliably
call chutney's newer tools/test-network.sh when available. Fixes
bug 21562; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (tor-resolve):
- The tor-resolve command line tool now rejects hostnames over 255
characters in length. Previously, it would silently truncate them,
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
Patch by "junglefowl".
o Minor bugfixes (unit tests):
- Allow the unit tests to pass even when DNS lookups of bogus
addresses do not fail as expected. Fixes bug 20862 and 20863;
bugfix on unit tests introduced in 0.2.8.1-alpha
through 0.2.9.4-alpha.
o Minor bugfixes (util):
- When finishing writing a file to disk, if we were about to replace
the file with the temporary file created before and we fail to
replace it, remove the temporary file so it doesn't stay on disk.
Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk.
o Minor bugfixes (Windows services):
- Be sure to initialize the monotonic time subsystem before using
it, even when running as an NT service. Fixes bug 21356; bugfix
on 0.2.9.1-alpha.
o Minor bugfixes (Windows):
- Check for getpagesize before using it to mmap files. This fixes
compilation in some MinGW environments. Fixes bug 20530; bugfix on
0.1.2.1-alpha. Reported by "ice".
o Code simplification and refactoring:
- Abolish all global guard context in entrynodes.c; replace with new
guard_selection_t structure as preparation for proposal 271.
Closes ticket 19858.
- Extract magic numbers in circuituse.c into defined variables.
- Introduce rend_service_is_ephemeral() that tells if given onion
service is ephemeral. Replace unclear NULL-checkings for service
directory with this function. Closes ticket 20526.
- Refactor circuit_is_available_for_use to remove unnecessary check.
- Refactor circuit_predict_and_launch_new for readability and
testability. Closes ticket 18873.
- Refactor code to manipulate global_origin_circuit_list into
separate functions. Closes ticket 20921.
- Refactor large if statement in purpose_needs_anonymity to use
switch statement instead. Closes part of ticket 20077.
- Refactor the hashing API to return negative values for errors, as
is done throughout the codebase. Closes ticket 20717.
- Remove data structures that were used to index or_connection
objects by their RSA identity digests. These structures are fully
redundant with the similar structures used in the
channel abstraction.
- Remove duplicate code in the channel_write_*cell() functions.
Closes ticket 13827; patch from Pingl.
- Remove redundant behavior of is_sensitive_dir_purpose, refactor to
use only purpose_needs_anonymity. Closes part of ticket 20077.
- The code to generate and parse EXTEND and EXTEND2 cells has been
replaced with code automatically generated by the
"trunnel" utility.
o Documentation (formatting):
- Clean up formatting of tor.1 man page and HTML doc, where <pre>
blocks were incorrectly appearing. Closes ticket 20885.
o Documentation (man page):
- Clarify many options in tor.1 and add some min/max values for
HiddenService options. Closes ticket 21058.
o Documentation:
- Change '1' to 'weight_scale' in consensus bw weights calculation
comments, as that is reality. Closes ticket 20273. Patch
from pastly.
- Clarify that when ClientRejectInternalAddresses is enabled (which
is the default), multicast DNS hostnames for machines on the local
network (of the form *.local) are also rejected. Closes
ticket 17070.
- Correct the value for AuthDirGuardBWGuarantee in the manpage, from
250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha.
- Include the "TBits" unit in Tor's man page. Fixes part of bug
20622; bugfix on 0.2.5.1-alpha.
- Small fixes to the fuzzing documentation. Closes ticket 21472.
- Stop the man page from incorrectly stating that HiddenServiceDir
must already exist. Fixes 20486.
- Update the description of the directory server options in the
manual page, to clarify that a relay no longer needs to set
DirPort in order to be a directory cache. Closes ticket 21720.
o Removed features:
- The AuthDirMaxServersPerAuthAddr option no longer exists: The same
limit for relays running on a single IP applies to authority IP
addresses as well as to non-authority IP addresses. Closes
ticket 20960.
- The UseDirectoryGuards torrc option no longer exists: all users
that use entry guards will also use directory guards. Related to
proposal 271; implements part of ticket 20831.
o Testing:
- Add tests for networkstatus_compute_bw_weights_v10.
- Add unit tests for circuit_predict_and_launch_new.
- Extract dummy_origin_circuit_new so it can be used by other
test functions.
- New unit tests for tor_htonll(). Closes ticket 19563. Patch
from "overcaffeinated".
- Perform the coding style checks when running the tests and fail
when coding style violations are found. Closes ticket 5500.
|
|
Changes:
version 2017.05.01
Core
+ [extractor/common] Extract view count from JSON-LD
* [utils] Improve unified_timestamp
+ [utils] Add video/mp2t to mimetype2ext
* [downloader/external] Properly handle live stream downloading cancellation
(#8932)
+ [utils] Add support for unicode whitespace in clean_html on python 2 (#12906)
Extractors
* [infoq] Make audio format extraction non fatal (#12938)
* [brightcove] Allow whitespace around attribute names in embedded code
+ [zaq1] Add support for zaq1.pl (#12693)
+ [xvideos] Extract duration (#12828)
* [vevo] Fix extraction (#12879)
+ [noovo] Add support for noovo.ca (#12792)
+ [washingtonpost] Add support for embeds (#12699)
* [yandexmusic:playlist] Fix extraction for python 3 (#12888)
* [anvato] Improve extraction (#12913)
* Promote to regular shortcut based extractor
* Add mcp to access key mapping table
* Add support for embeds extraction
* Add support for anvato embeds in generic extractor
* [xtube] Fix extraction for older FLV videos (#12734)
* [tvplayer] Fix extraction (#12908)
version 2017.04.28
Core
+ [adobepass] Use geo verification headers for all requests
- [downloader/fragment] Remove assert for resume_len when no fragments
downloaded
+ [extractor/common] Add manifest_url for explicit group rendition formats
* [extractor/common] Fix manifest_url for m3u8 formats
- [extractor/common] Don't list master m3u8 playlists in format list (#12832)
Extractor
* [aenetworks] Fix extraction for shows with single season
+ [go] Add support for Disney, DisneyJunior and DisneyXD show pages
* [youtube] Recognize new locale-based player URLs (#12885)
+ [streamable] Add support for new embedded URL schema (#12844)
* [arte:+7] Relax URL regular expression (#12837)
|
more easily with the existing substitution in Makefile (which initially
had only been used for the Sunpro compiler).
|
2.1.2
- Initial implementation of a provider for PowerDNS
2.1.1
- Changes to testing framework
|
|
Changes:
version 2017.04.26
Core
* Introduce --keep-fragments for keeping fragments of fragmented download
on disk after download is finished
* [YoutubeDL] Fix output template for missing timestamp (#12796)
* [socks] Handle cases where credentials are required but missing
* [extractor/common] Improve HLS extraction (#12211)
- Extract m3u8 parsing to separate method
- Improve rendition groups extraction
- Build stream name according to stream GROUP-ID
- Ignore reference to AUDIO group without URI when stream has no CODECS
- Use float for scaled tbr in _parse_m3u8_formats
* [utils] Add support for TTML styles in dfxp2srt
* [downloader/hls] No need to download keys for fragments that have been
already downloaded
* [downloader/fragment] Improve fragment downloading
- Resume immediately
- Don't concatenate fragments and decrypt them on every resume
- Optimize disk storage usage, don't store intermediate fragments on disk
- Store bookkeeping download state file
+ [extractor/common] Add support for multiple getters in try_get
+ [extractor/common] Add support for video of WebPage context in _json_ld
(#12778)
+ [extractor/common] Relax JWPlayer regular expression and remove
duplicate URLs (#12768)
Extractors
* [iqiyi] Fix extraction of Yule videos
* [vidio] Improve extraction and sort formats
+ [brightcove] Match only video elements with data-video-id attribute
* [iqiyi] Fix playlist detection (#12504)
- [azubu] Remove extractor (#12813)
* [porn91] Fix extraction (#12814)
* [vidzi] Fix extraction (#12793)
+ [amp] Extract error message (#12795)
+ [xfileshare] Add support for gorillavid.com and daclips.com (#12776)
* [instagram] Fix extraction (#12777)
+ [generic] Support Brightcove videos in <iframe> (#12482)
+ [brightcove] Support URLs with bcpid instead of playerID (#12482)
* [brightcove] Fix _extract_url (#12782)
+ [odnoklassniki] Extract HLS formats
version 2017.04.17
Extractors
* [limelight] Improve extraction of LimelightEmbeddedPlayerFlash media embeds and
add support for channel and channelList embeds
* [generic] Extract multiple Limelight embeds (#12761)
+ [itv] Extract series metadata
* [itv] Fix RTMP formats downloading (#12759)
* [itv] Use native HLS downloader by default
+ [go90] Extract subtitles (#12752)
+ [go90] Extract series metadata (#12752)
version 2017.04.16
Core
* [YoutubeDL] Apply expand_path after output template substitution
+ [YoutubeDL] Propagate overridden meta fields to extraction results of type
url (#11163)
Extractors
+ [generic] Extract RSS entries as url_transparent (#11163)
+ [streamango] Add support for streamango.com (#12643)
+ [wsj:article] Add support for articles (#12558)
* [brightcove] Relax video tag embeds extraction and validate ambiguous embeds'
URLs (#9163, #12005, #12178, #12480)
+ [udemy] Add support for react rendition (#12744)
version 2017.04.15
Extractors
* [youku] Fix fileid extraction (#12741, #12743)
version 2017.04.14
Core
+ [downloader/hls] Add basic support for EXT-X-BYTERANGE tag (#10955)
+ [adobepass] Improve Comcast and Verizon login code (#10803)
+ [adobepass] Add support for Verizon (#10803)
Extractors
+ [aenetworks] Add support for specials (#12723)
+ [hbo] Extract HLS formats
+ [go90] Add support for go90.com (#10127)
+ [tv2hu] Add support for tv2.hu (#10509)
+ [generic] Exclude URLs with xml ext from valid video URLs (#10768, #11654)
* [youtube] Improve HLS formats extraction
* [afreecatv] Fix extraction for videos with different key layout (#12718)
- [youtube] Remove explicit preference for audio-only and video-only formats in
order not to break sorting when new formats appear
* [canalplus] Bypass geo restriction
version 2017.04.11
Extractors
* [afreecatv] Fix extraction (#12706)
+ [generic] Add support for <object> YouTube embeds (#12637)
* [bbccouk] Treat bitrate as audio+video bitrate in media selector
+ [bbccouk] Skip unrecognized formats in media selector (#12701)
+ [bbccouk] Add support for https protocol in media selector (#12701)
* [curiositystream] Fix extraction (#12638)
* [adn] Update subtitle decryption key
* [chaturbate] Fix extraction (#12665, #12688, #12690)
|
|
This is a regularly scheduled stable release.
Resolved issues since v0.14.26:
#219: Devices can now have a list of allowed subnets (advanced config)
#234: The transfer rate units can now be changed by clicking on the value
#1819: UI text explaining "Introducer" is improved
#2267: Advanced config editor can now edit lists of things
#2519: Directories created for new folders now obey the user umask setting (on Unixes)
#4053: Incoming index updates are consistency checked better
|