(NetBSD's implementation of recvmmsg() is not 100% with the Linux version)
|
|
===========================
Bugfixes:
---------
- Do not reload expired zones on 'knotc reload' and server startup
- Fix rare race-condition in event scheduling causing delayed event execution
- Fix skipping of non-authoritative nodes in NSEC proofs
- Fix TC flag setting in RRL slipped answers
- Disable domain name compression for root label
- Log via journald only when running under systemd
- Fix CNAME following when querying for NSEC RR type
- Fix refreshing of DNSSEC signatures for zone keys
- Fix binding an unavailable IPv6 address on Linux (IP_FREEBIND)
- Fix infinite loop in knotc zonestatus and memstats
- Fix memory leak in configuration on server shutdown
- Fix broken dnsproxy module
- Fix DNSSEC KASP timestamps parsing in strict POSIX environment
- fix multi value parsing on big-endian
- Adapt to Nettle 3 API break causing base64 decoding failures on big-endian
Features:
---------
- Add 'keymgr zone key ds' to show key's DS record
- Add 'keymgr tsig generate' to generate TSIG keys
- Add query module scoping to process either all queries or zone queries only
- Add support for file name globbing in config file includes
- Add 'request-edns-option' config option to add custom EDNS0 option into
server initiated queries
Improvements:
-------------
- Send minimal responses (remove NS from Authority section for NOERROR)
- Update persistent timers only on shutdown for better performance
- Allow change of RR TTL over DDNS
- Documentation fixes, updates, and improvements in formatting
- Install yparser and zscanner header files
- Improve lookup of libsystemd build dependencies
- Fix compilation warnings in endian conversion functions on OpenBSD
Knot DNS 2.0.0 (2015-06-26)
===========================
Bugfixes:
---------
- Fix lost NOTIFY message if received during zone transfer
- Disable fast zone parser when compiled in Clang (workaround for Clang bug)
- kdig: Record correct dnstap SocketProtocol when retrying over TCP
- kdig: Hide TSIG section with +noall
- Do not set AA flag for AXFR/IXFR queries
Features:
---------
- DNSSEC: separate library, switch to GnuTLS, new utilities
- DNSSEC: basic KASP support (generate initial keys, ZSK rollover)
- Configuration: New text format in YAML, binary store in LMDB
- Zone parser: Split long TXT/SPF strings into multiple strings
- kdig: Add generic dump style option (+generic)
- Try all master servers in multi-master environment
- Improved remotes and ACLs (multiple addresses, multiple keys)
- Basic support for zone file patterns (%s to substitute zone name)
- Disable zone file synchronization by setting 'zonefile_sync' to '-1'
- knsupdate: Add input prompt in interactive mode and 'quit' command
- knsupdate: Allow TSIG algorithm specification in interactive prompt
Improvements:
-------------
- Zone dump: Do not write class for SOA record (unified with other RR types)
- Zone dump: Do not write master server address into the zone file
- Documentation: Manual pages are included in HTML and PDF
|
|
All dylibs get their -install_name set to ${PREFIX}/lib/libname.lib,
but plugins go in different directories which causes the check to misfire.
|
|
This is similar to tcptraceroute, but for IPv6.
This is the version from 1.0.3 of the NDisc6 package.
|
|
|
|
pkgsrc change:
* Remove duplicated HTML documents.
* Install some additional documents.
Changes are too many to write here, please refer to NEWS files and this
release fixes security problems.
October 2015 NTP Security Vulnerability Announcement (Medium)
NTF's NTP Project has been notified of the following 13 low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on
Wednesday, 21 October 2015:
* Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association
authentication bypass via crypto-NAK (Cisco ASIG)
* Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (IDA)
* Bug 2921 CVE-2015-7854 Password Length Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock
driver could cause a buffer overflow. (Cisco TALOS)
* Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
Vulnerability. (OpenVMS) (Cisco TALOS)
* Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
* Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
* Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
* Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
* Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile"
should only be allowed locally. (RedHat)
* Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
validate the origin timestamp field. (Boston University)
* Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
data packet length checks. (Tenable)
The only generally-exploitable bug in the above list is the crypto-NAK bug,
which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were
not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all
below 1.8 CVSS score, so we're reporting them here:
* Bug 2382 : Peer precision < -31 gives division by zero
* Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
* Bug 1593 : ntpd abort in free() with logconfig syntax error
|
|
This is a security release fixing CVE-2015-5230.
Bug fixes:
- Avoid superfluous backend recycling
- Removal of dnsdist from the authoritative server distribution
- Add EDNS unknown version handling and tests EDNS unknown version handling
Improvements:
- Update YaHTTP to v0.1.7
- Make trailing/leading spaces stand out in pdnssec check_zone
- GCC 5.2 support and sync boost.m4 macro with upstream
- Log answer packets only if log-dns-details is enabled
|
|
=============
Features:
* Default for ssl-port is port 853, the temporary port assignment for
secure domain name system traffic. If you used to rely on the older default
of port 443, you have to put a clause in unbound.conf for that. The new
value is likely going to be the standardised port number for this traffic.
* ANY responses include DNAME records if present,
as per Evan Hunt's remark in dnsop.
Bug Fixes:
* Fix segfault in the dns64 module in the formaterror error path.
* Fix manpage to suggest using SIGTERM to terminate the server.
* iana portlist update.
Unbound 1.5.5
=============
Features:
* Change default of harden-algo-downgrade to off.
This is lenient for algorithm rollover.
* Added permit-small-holddown config to debug fast 5011 rollover.
* Allow certificate chain files to allow for intermediate certificates.
* Enable ECDHE for servers. Where available, use SSL_CTX_set_ecdh_auto()
for TLS-wrapped server configurations to enable ECDHE. Otherwise,
manually offer curve p256. Client connections should automatically
use ECDHE when available.
* [bugzilla: 699 ] Feature --enable-pie option to that builds PIE binary.
* [bugzilla: 700 ] Feature --enable-relro-now option that enables full
read-only relocation.
* [bugzilla: 702 ] New IPs for h.root-servers.net.
Bug Fixes:
* [bugzilla: 681 ] Fix setting forwarders with unbound-control forward
implicitly turns on forward-first.
* [bugzilla: 690 ] Fix that reload fails when so-reuseport is yes
after changing num-threads.
* please afl-gcc (llvm) for uninitialised variable warning.
* Fix mktime in unbound-anchor not using UTC.
* Fix 5011 anchor update timer after reload.
* 5011 implementation does not insist on all algorithms,
when harden-algo-downgrade is turned off.
* Document in the manual more text about configuring locally served zones.
* Document that local-zone nodefault matches exactly and transparent can
be used to release a subzone.
* [bugzilla: 694 ] Fix that configure script does not detect LibreSSL 2.2.2
* Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
* [bugzilla: 697 ] Fix get PY_MAJOR_VERSION failure at configure for
python 2.4 to 2.6.
* changed windows setup compression to be more transparent.
* Fix config globbed include chroot treatment, this fixes reload of globs.
* [bugzilla: 705 ] Fix ub_ctx_set_fwd() return value mishandled on windows.
* Fix minor error in unbound.conf.5.in.
* Fix unbound.conf(5) access-control description for precedence and default.
* Fix unbound-control flush that does not succeed in removing data.
* MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution failures.
* iana portlist update.
|
|
=========
BUG FIXES:
- Fix #701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix #711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.
|
|
|
|
What's New
Bug Fixes
The following vulnerabilities have been fixed.
* [1]wnpa-sec-2015-30
Pcapng file parser crash. Discovered by Dario Lombardo and Shannon
Sabens. ([2]Bug 11455) [3]CVE-2015-7830
The following bugs have been fixed:
* Last Address field for IPv6 RPL routing header is interpreted
incorrectly. ([4]Bug 10560)
* Comparing two capture files crashes Wireshark when navigating the
results. ([5]Bug 11098)
* 802.11 frame is not correctly dissected if it contains HT Control.
([6]Bug 11351)
* GVCP bit-fields not updated. ([7]Bug 11442)
* Tshark crash when specifying ssl.keys_list on CLI. ([8]Bug 11443)
* pcapng: SPB capture length is incorrectly truncated if IDB snaplen
= 0. ([9]Bug 11483)
* pcapng: NRB IPv4 address is endian swapped but shouldn't be.
([10]Bug 11484)
* pcapng: NRB with options causes file read failure. ([11]Bug 11485)
* pcapng: ISB without if_drop option is shown as max value. ([12]Bug
11489)
* UNISTIM dissector - Message length not included in offset for
"Select Adjustable Rx Volume". ([13]Bug 11497)
Updated Protocol Support
DIAMETER, GVCP, IEEE 802.11, IPv6, and UNISTIM
|
|
approved by wiz@
|
|
* get format_id from video file ext
* check for the offline error page
* treat the offline error as an expected ExtractorError
* Look for sm4:video:embed
* Add _extract_url
* Use _extract_url for mtvservices
|
|
- Erlang 18.1 compatibility.
- Prevent EACCESS errors on Windows when queue journal is cleared.
- When multiple authorization backends are used, user tags from all
of them should be preserved.
- Force a (per-queue, not global) GC when a queue pages messages
to disk.
- MQTT Plugin: Queues used by QoS 1 subscriptions are no longer
deleted when the only subscriber disconnects.
- STOMP Plugin: Trailing new line character now can be optional.
|
|
- Win32: Use WSAEWOULDBLOCK instead of EWOULDBLOCK on Win32 (win32
clients would fail to connect)
- Lib: if channel_max is 0 use server's channel_max
- Lib: fix build on OpenBSD
|
|
RPKI to Router Protocol: Fix Segmentation Faults and other problems
RPKI to Router Protocol: print strings with fn_printn()
wb: fix some bounds checks
|
|
Include fix for GitHub issue 424 -- out of tree builds.
|
|
Release Note
------------
This release fixes the bug that progress summary is not shown timely.
Changes
-------
* Fix bug that progress summary is not shown timely
|
|
OpenConnect v7.06 (PGP signature) — 2015-03-17
Fix openconnect.pc breakage after liboath removal.
Refactor Juniper Network Connect receive loop.
Fix some memory leaks.
Add Bosnian translation.
OpenConnect v7.05 (PGP signature) — 2015-03-10
Fix alignment issue which broke LZS compression on ARM etc.
Support HTTP authentication to servers, not just proxies.
Work around Yubikey issue with non-ASCII passphrase set on pre-KitKat Android.
Add SHA256/SHA512 support for OATH.
Remove liboath dependency.
Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
Preliminary support for Juniper SSL VPN.
|
|
Why this didn't surface before is anyone's guess. Bump rev.
|
|
|
|
version 0.9.6.
A list of changes is not available unfortunately.
|
|
|
|
version of hoe.
Bump PKGREVISION.
|
|
could not be disabled.
Bump PKGREVISION
|
|
docs: remove very basic git usage info
docs: remove todo items that will never happen
output: remove empty element from xml
add touched addresses counts to xml and json reports
add xml format check
improve html output
add hint about configure options to README
man: fix character class change
gitignore: update gnulib file list
|
|
- Add -x xferbufsize to set xferbuf size.
- Add Server Name Indication (SNI) support for https.
- Increase buffer limit used for response handling.
|
|
5.15.0
------
* [`NullObject#as_json` returns 'null'](https://github.com/sferik/twitter/commit/2979e703c09a45f012cb2c5b2d6663bf1f4d3351) ([@lukevmorris](https://twitter.com/lukevmorris))
* [Add methods to get to parameters of quoted tweet](https://github.com/sferik/twitter/commit/afd41a3e36cc94194a2110ba9adce13486ced9fd) ([@couhie](https://twitter.com/couhie))
* [Add additional mime_types for multi-part upload](https://github.com/sferik/twitter/commit/947fcdc9f7348f267d74933ffa43d191cf248a9c)
* [Fix bug where flat_pmap can return nil](https://github.com/sferik/twitter/commit/e22a5601ec702632510b3e983e50929ceb334b95)
* [Add new error codes](https://github.com/sferik/twitter/commit/1ce6b2f02d0f5f78435ee898e8f5b6d3db18d6f1)
|
|
pkgsrc change: update HOMEPAGE.
* fix: catch CONNECTError exceptions too.
|
|
|
|
GTK3 & python based GUI for Syncthing.
|
|
Syncthing replaces proprietary sync and cloud services with something open,
trustworthy and decentralized.
Features include:
- web admin console
- directory watcher
- authentication with x509 certificates
- node discovery
- written in "go"
|
|
* Release 0.9.1 (21-Sep-2015)
Point release to deal with PyPI upload problems. No code changes.
* Release 0.9.0 (21-Sep-2015)
** Plugins for Connection Handlers (#236)
New types of connection hints can now be used, by installing a suitable
connection handler into the Tub. These hints could point to I2P servers or
Tor hidden-service (.onion) addresses. The built-in TCP handler can be
replaced entirely to protect a client's IP address by routing all connections
through Tor. Implementation of these plugins are left as exercise for the
reader: Foolscap only provides the built-in "DefaultTCP" handler. See
doc/connection-handlers.rst for details.
** Shared Listeners are removed (#239)
Until this version, it was possible to create a single Listener that serviced
multiple Tubs (by passing the Listener returned from `l=tubA.listenOn(where)`
into `tubB.listenOn(l)`). This seemed useful a long time ago, but in fact was
not, and the implementation caused irreparable problems that were exposed
while testing the new connection handlers. So support for shared Listeners
has been removed: Tubs can still use multiple Listeners, but each Listener
now services at most one Tub. In particular, `Tub.listenOn()` now only
accepts a string, not a Listener instance.
Note that relays and redirects are still on the roadmap, but neither feature
requires sharing a Listener between multiple local Tubs.
** Extended-Form Connection Hints are removed
Support for extended-form connection hints has been removed. These were hints
with explicit key names like "tcp:host=example.org:port=12345", or
"tcp:example.org:timeout=30". They were added in the 0.7.0 release, but since
then we've realized that this is power that should not be granted to external
FURL providers.
The parser now only accepts "tcp:example.org:12345" and "example.org:12345".
Foolscap has never particularly encouraged applications to call
Tub.setLocation() with anything other than these two forms, so we do not
expect any compatibility problems.
** Option to Disable Gifts (#126)
"Gifts", more precisely known as "third-party reference introductions", occur
when one Tub sends you a message that includes a reference to some object on
a third Tub. This allows references to be passed around transparently,
without regard to which Tub they live on (yours, mine, or theirs), but allows
other Tubs to cause you to create network connections to hosts and ports of
their choosing. If this bothers you, the new `tub.setOption("accept-gifts",
False)` option instructs your Tub to reject these third-party references,
causing the calls that used them to signal a Violation error instead.
** Unreachable Tubs now fully supported (#208)
Unreachable "client-only" Tubs can be created by simply not calling either
`tub.listenOn()` nor `tub.setLocation()`. These Tubs can make outbound
connections, but will not accept inbound ones. `tub.registerReference()` will
throw an error, and Gifts delivered to third parties will not work.
Previous versions suggested using `tub.setLocation("")`: this is no longer
recommended.
** new util.allocate_tcp_port() function
To support a future deprecation of `Tub.listenOn("tcp:0")`, the new
allocate_tcp_port() function was added to return (synchronously) a
currently-unused TCP port integer. This can be used during app configuration
to decide on a listening port, which can then be passed into
`Tub.listenOn("tcp:%d" % portnum)`. This may allow Tub.setLocation() to be
called *before* the reactor is started, simplifying application startup code
(this also requires a suitable hostname or IP address, which is a separate
issue).
** Packaging/Dependency Changes
Foolscap now requires Twisted 10.1.0 or newer, to use Endpoints and
connection handler plugins.
Foolscap's logging system (specifically the twisted-to-foolscap bridge) is
now compatible with Twisted-15.2.0. The previous version had problems with
the new contents of twisted.logger's "eventDict" objects. (#235)
|
|
**** 1.02 September 16, 2015
Fix rt.cpan.org #107052
suppress messages: Can't locate Net/DNS/Resolver/linux.pm
Fix rt.cpan.org #106916
Dependency on MIME::Base32 makes Net::DNS not installable on MSWin32
Fix rt.cpan.org #106565
Net::DNS::Resolver::Recurse and IPv6 Reverse DNS
Fix rt.cpan.org #105808
Version test for Pod::Test is broken
|
|
Thanks to wiz@ for pointing it out;
|
|
cleanup UPNP_VERSION macro / add UPNP_VERSION_MAJOR, UPNP_VERSION_MINOR
Don't use packed structs anymore to read/write PCP messages
|
|
Upstream changes:
2.14 2015-09-29T22:36:44Z
- Fix race condition in t/10_oo.t(exodist)
2.13 2015-07-24T02:30:17Z
- check whether the OS implements IPV6_V6ONLY before using it
2.12 2015-05-18T08:14:30Z
- Fixed spelling mistake
(Reported by gregor herrmann)
2.11 2015-04-07T00:07:25Z
- declare IO::Socket::IP as dependency #36
2.10 2015-04-06T19:23:43Z
- ensure the test object is DESTROYed when Net::EmptyPort::empty_port exits https://rt.cpan.org/Public/Bug/Display.html?id=103299
2.09 2015-04-02T21:55:18Z
- fix tests running for a long time on systems that do not support IPv6 #35
2.08 2015-04-02T04:04:33Z
- add `host` argument to various functions for binding to arbitrary address (incl. IPv6) #33
- add function `Net::EmptyPort::can_bind` #34
|
|
|
|
|
|
|
|
redistribution. Equivalent functionality is provided by the free net/dante
package (or even "ssh -D" for simple use cases)
|
|
This update is just about build fix
|
|
* Typo's, thanks to Herbert Parentes Fortes Neto
* Clarify that private_interfaces="*" will not forward the root zone
* Change from bzip2 to xz for building the source tarball
* ensure that domain-insecure always appears in a server clause for
the unbound subscriber
|
|
Changelog:
=============================
Release Notes for Samba 4.3.0
September 8, 2015
=============================
This is the first stable release of Samba 4.3.
UPGRADING
=========
Read the "New FileChangeNotify subsystem" and "smb.conf changes" sections
(below).
NEW FEATURES
============
Logging
-------
The logging code now supports logging to multiple backends. In
addition to the previously available syslog and file backends, the
backends for logging to the systemd-journal, lttng and gpfs have been
added. Please consult the section for the 'logging' parameter in the
smb.conf manpage for details.
Spotlight
---------
Support for Apple's Spotlight has been added by integrating with Gnome
Tracker.
For detailed instructions how to build and setup Samba for Spotlight,
please see the Samba wiki: <https://wiki.samba.org/index.php/Spotlight>
New FileChangeNotify subsystem
------------------------------
Samba now contains a new subsystem to do FileChangeNotify. The
previous system used a central database, notify_index.tdb, to store
all notification requests. In particular in a cluster this turned out
to be a major bottleneck, because some hot records need to be bounced
back and forth between nodes on every change event like a new created
file.
The new FileChangeNotify subsystem works with a central daemon per
node. Every FileChangeNotify request and every event are handled by an
asynchronous message from smbd to the notify daemon. The notify daemon
maintains a database of all FileChangeNotify requests in memory and
will distribute the notify events accordingly. This database is
asynchronously distributed in the cluster by the notify daemons.
The notify daemon is supposed to scale a lot better than the previous
implementation. The functional advantage is cross-node kernel change
notify: Files created via NFS will be seen by SMB clients on other
nodes per FileChangeNotify, despite the fact that popular cluster file
systems do not offer cross-node inotify.
Two changes to the configuration were required for this new subsystem:
The parameters "change notify" and "kernel change notify" are not
per-share anymore but must be set globally. So it is no longer
possible to enable or disable notify per share, the notify daemon has
no notion of a share, it only works on absolute paths.
New SMB profiling code
----------------------
The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead
of sysv IPC shared memory. This avoids performance problems and NUMA
effects. The profile stats are a bit more detailed than before.
Improved DCERPC man in the middle detection for kerberos
--------------------------------------------------------
The gssapi based kerberos backends for gensec have support for
DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
SMB signing required in winbindd by default
-------------------------------------------
The effective value for "client signing" is required
by default for winbindd, if the primary domain uses active directory.
Experimental NTDB was removed
-----------------------------
The experimental NTDB library introduced in Samba 4.0 has been
removed again.
Improved support for trusted domains (as AD DC)
-----------------------------------------------
The support for trusted domains/forests has improved a lot.
samba-tool got "domain trust" subcommands to manage trusts:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
External trusts between individual domains work in both ways
(inbound and outbound). The same applies to root domains of
a forest trust. The transitive routing into the other forest
is fully functional for kerberos, but not yet supported for NTLMSSP.
While a lot of things are working fine, there are currently a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights
in domain B.
- It's not possible to add users/groups of a trusted domain
into domain groups.
SMB 3.1.1 supported
-------------------
Both client and server have support for SMB 3.1.1 now.
This is the dialect introduced with Windows 10, it improves the secure
negotiation of SMB dialects and features.
There's also a new optional encryption algorithm aes-gcm-128,
but for now this is only selected as fallback and aes-ccm-128
is preferred because of the better performance. This might change
in future versions when hardware encryption will be supported.
See https://bugzilla.samba.org/show_bug.cgi?id=11451.
New smbclient subcommands
-------------------------
- Query a directory for change notifications: notify <dir name>
- Server side copy: scopy <source filename> <destination filename>
New rpcclient subcommands
-------------------------
netshareenumall - Enumerate all shares
netsharegetinfo - Get Share Info
netsharesetinfo - Set Share Info
netsharesetdfsflags - Set DFS flags
netfileenum - Enumerate open files
netnamevalidate - Validate sharename
netfilegetsec - Get File security
netsessdel - Delete Session
netsessenum - Enumerate Sessions
netdiskenum - Enumerate Disks
netconnenum - Enumerate Connections
netshareadd - Add share
netsharedel - Delete share
New modules
-----------
idmap_script - see 'man 8 idmap_script'
vfs_unityed_media - see 'man 8 vfs_unityed_media'
vfs_shell_snap - see 'man 8 vfs_shell_snap'
New sparsely connected replica graph (Improved KCC)
---------------------------------------------------
The Knowledge Consistency Checker (KCC) maintains a replication graph
for DCs across an AD network. The existing Samba KCC uses a fully
connected graph, so that each DC replicates from all the others, which
does not scale well with large networks. In 4.3 there is an
experimental new KCC that creates a sparsely connected replication
graph and closely follows Microsoft's specification. It is turned off
by default. To use the new KCC, set "kccsrv:samba_kcc=true" in
smb.conf and let us know how it goes. You should consider doing this
if you are making a large new network. For small networks there is
little benefit and you can always switch over at a later date.
Configurable TLS protocol support, with better defaults
-------------------------------------------------------
The "tls priority" option can be used to change the supported TLS
protocols. The default is to disable SSLv3, which is no longer
considered secure.
Samba-tool now supports all 7 FSMO roles
-------------------------------------------------------
Previously "samba-tool fsmo" could only show, transfer or seize the
five well-known FSMO roles:
Schema Master
Domain Naming Master
RID Master
PDC Emulator
Infrastructure Master
It can now also show, transfer or seize the DNS infrastructure roles:
DomainDnsZones Infrastructure Master
ForestDnsZones Infrastructure Master
CTDB logging changes
--------------------
The destination for CTDB logging is now set via a single new
configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and
CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for
details of CTDB_LOGGING.
CTDB no longer runs a separate logging daemon.
CTDB NFS support changes
------------------------
CTDB's NFS service management has been combined into a single 60.nfs
event script. This updated 60.nfs script now uses a call-out to
interact with different NFS implementations. See the CTDB_NFS_CALLOUT
option in the ctdbd.conf(5) manual page for details. A default
call-out is provided to interact with the Linux kernel NFS
implementation. The 60.ganesha event script has been removed - a
sample call-out is provided for NFS Ganesha, based on this script.
The method of configuring NFS RPC checks has been improved. See
ctdb/config/nfs-checks.d/README for details.
Improved Cross-Compiling Support
--------------------------------
A new "hybrid" build configuration mode is added to improve
cross-compilation support.
A common challenge in cross-compilation is that of obtaining the results
of tests that have to run on the target, during the configuration
phase of the build. The Samba build system already supports the following
means to do so:
- Executing configure tests using the --cross-execute parameter
- Obtaining the results from an answers file using the --cross-answers
parameter
The first method has the drawback of inaccurate results if the tests are
run using an emulator, or a need to be connected to a running target
while building, if the tests are to be run on an actual target. The
second method presents a challenge of figuring out the test results.
The new hybrid mode runs the tests and records the result in an answer file.
To activate this mode, use both --cross-execute and --cross-answers in the
same configure invocation. This mode can be activated once against a
running target, and then the generated answers file can be used in
subsequent builds.
Also supplied is an example script that can be used as the
cross-execute program. This script copies the test to a running target
and runs the test on the target, obtaining the result. The obtained
results are more accurate than running the test with an emulator, because
they reflect the exact kernel and system libraries that exist on the
target.
Improved Sparse File Support
----------------------------
Support for the FSCTL_SET_ZERO_DATA and FSCTL_QUERY_ALLOCATED_RANGES
SMB2 requests has been added to the smbd file server.
This allows for clients to deallocate (hole punch) regions within a
sparse file, and check which portions of a file are allocated.
######################################################################
Changes
#######
smb.conf changes
----------------
Parameter Name                Description             Default
--------------                -----------             -------
logging                       New                     (empty)
msdfs shuffle referrals       New                     no
smbd profiling level          New                     off
spotlight                     New                     no
tls priority                  New                     NORMAL:-VERS-SSL3.0
use ntdb                      Removed
change notify                 Changed to [global]
kernel change notify          Changed to [global]
client max protocol           Changed default         SMB3_11
server max protocol           Changed default         SMB3_11
Removed modules
---------------
vfs_notify_fam - see section 'New FileChangeNotify subsystem'.
KNOWN ISSUES
============
Currently none.
CHANGES SINCE 4.2.0rc4
======================
o Andrew Bartlett <abartlet@samba.org>
* Bug 10973: No objectClass found in replPropertyMetaData on ordinary
objects (non-deleted)
* Bug 11429: Python bindings don't check integer types
* Bug 11430: Python bindings don't check array sizes
o Ralph Boehme <slow@samba.org>
* Bug 11467: Handling of 0 byte resource fork stream
o Volker Lendecke <vl@samba.org>
* Bug 11488: AD samr GetGroupsForUser fails for users with "()" in
their name
o Stefan Metzmacher <metze@samba.org>
* Bug 11429: Python bindings don't check integer types
o Matthieu Patou <mat@matws.net>
* Bug 10973: No objectClass found in replPropertyMetaData on ordinary
objects (non-deleted)
CHANGES SINCE 4.2.0rc3
======================
o Ralph Boehme <slow@samba.org>
* Bug 11444: Crash in notify_remove caused by change notify = no
o Günther Deschner <gd@samba.org>
* Bug 11411: smbtorture does not build when configured --with-system-mitkrb5
o Volker Lendecke <vl@samba.org>
* Bug 11455: fix recursion problem in rep_strtoll in lib/replace/replace.c
* Bug 11464: xid2sid gives inconsistent results
* Bug 11465: ctdb: Fix the build on FreeBSD 10.1
o Roel van Meer <roel@1afa.com>
* Bug 11427: nmbd incorrectly matches netbios names as own name
o Stefan Metzmacher <metze@samba.org>
* Bug 11451: Poor SMB3 encryption performance with AES-GCM
* Bug 11458: --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't
disable ldb build and install
o Andreas Schneider <asn@samba.org>
* Bug 9862: Samba "map to guest = Bad uid" doesn't work
CHANGES SINCE 4.3.0rc2
======================
o Andrew Bartlett <abartlet@samba.org>
* Bug 11436: samba-tool uncaught exception error
* Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941
LDAP_MATCHING_RULE_IN_CHAIN changes
o Ralph Boehme <slow@samba.org>
* Bug 11278: Stream names with colon don't work with
fruit:encoding = native
* Bug 11426: net share allowedusers crashes
o Amitay Isaacs <amitay@gmail.com>
* Bug 11432: Fix crash in nested ctdb banning
* Bug 11434: Cannot build ctdbpmda
* Bug 11431: CTDB's eventscript error handling is broken
o Stefan Metzmacher <metze@samba.org>
* Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1)
* Bug 11316: tevent_fd needs to be destroyed before closing the fd
o Arvid Requate <requate@univention.de>
* Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs
o Martin Schwenke <martin@meltin.net>
* Bug 11432: Fix crash in nested ctdb banning
CHANGES SINCE 4.3.0rc1
======================
o Jeremy Allison <jra@samba.org>
* BUG 11359: strsep is not available on Solaris
o Björn Baumbach <bb@sernet.de>
* BUG 11421: Build with GPFS support is broken
o Justin Maggard <jmaggard@netgear.com>
* BUG 11320: "force group" with local group not working
o Martin Schwenke <martin@meltin.net>
* BUG 11424: Build broken with --disable-python
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
|
|
Changes are too many to write here, please refer to the RELNOTES file.
|
|
* Fix preview of Instagram images
* Allow uppercase extensions on preview of image URLs
* Fix error on fetching private or protected users' lists
when multiple accounts are registered and selected account
doesn't have privileges to access the private lists
* Reduce Twitter API requests to get lists
|
|
but yajl-ruby. Fix run time problem of ruby-tw.
Bump PKGREVISION.
|
|
Avoid using rubyforge.org since it stopped most of its services.
|
|
Add LICENSE
Upstream changes:
maradns-2.0.13:
This is the stable release of MaraDNS.
Two non-critical buffer overflows from ParseMaraRc fixed. One can never be exploited; the other one can only be exploited by the (usually) root user by writing to the system mararc file.
Deadwood updated to 3.2.09
(2015-09-25)
maradns-2.0.12:
This is the stable release of MaraDNS.
Security fix for improper free() in zoneserver
Deadwood updated to 3.2.08
Zone transfers now work with newer versions of dig
Documentation updates
(2015.08.19)
maradns-2.0.11:
This is the stable release of MaraDNS.
Deadwood updated to 3.2.07
(2015.01.30)
maradns-2.0.10:
This is the stable release of MaraDNS.
Deadwood updated to 3.2.06
Zoneserver now compiles and runs in Cygwin (so Windows users can have DNS-over-TCP support).
(2015.01.24)
maradns-2.0.09:
This is the stable release of MaraDNS.
Deadwood updated to 3.2.05
Startup scripts are now chkconfig-compatible
(2014.02.12)
maradns-2.0.08:
This is the stable release of MaraDNS.
Deadwood updated to 3.2.04
Make DNS packet compression case-insensitive
Attach IPv6 glue to NS and MX records when MaraDNS is compiled for IPv6
Remove warning when MaraDNS is compiled for IPv6
Remove warning when compiling getzone.c
(2014.01.14)
maradns-2.0.07d:
This is the stable release of MaraDNS.
Deadwood updated to 3.2.03d to patch security hole discussed at samiam.org/blog/20131202.html
(2013.12.02)
maradns-2.0.07c:
This is the stable release of MaraDNS.
Seven-line fix to Deadwood to fix resolution problem; more details in blog
(2013.07.20; declared stable 2013.09.20)
maradns-2.0.07b:
This is the stable release of MaraDNS.
One-line fix to Deadwood to fix resolution problem
(2013.04.23; declared stable 2013.06.22)
maradns-2.0.07:
This is the stable release of MaraDNS.
MaraDNS updated for CentOS 6
Deadwood updated to 3.2.03
GPG key updated
Installs and tests pass in new CentOS install
(2013.01.20)
maradns-2.0.06:
This is a stable release of MaraDNS.
Deadwood updated to 3.2.02
(2012.03.11)
|