path: root/security
Age [Author; Files; Lines] Commit message
2002-09-02 [agc; 2 files; -8/+6] Pull up version 1.3 of Makefile, and version 1.3 of distinfo, to the
pkgsrc 1.6 branch. Requested by Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
> Date: Sat, 31 Aug 2002 02:48:23 +0300 (EEST)
> From: Takahiro Kambe <taca@netbsd.org>
>
> Module Name: pkgsrc
> Committed By: taca
> Date: Fri Aug 30 23:48:23 UTC 2002
>
> Modified Files:
> pkgsrc/security/ruby-openssl: Makefile distinfo
>
> Log Message:
> Update ruby-openssl package to 0.1.2.1(0.1.2a).
> It should be fixed in error of bulk build, too.
2002-08-21 [agc; 2 files; -11/+133] Pullup
    1.3 pkgsrc/security/tripwire/distinfo
    1.3 pkgsrc/security/tripwire/patches/patch-ac
onto the 1.6 pkgsrc branch. Requested by Stoned Elipot.
> From: Stoned Elipot <seb@netbsd.org>
> Date: Tue, 20 Aug 2002 20:19:36 +0300 (EEST)
>
> Module Name: pkgsrc
> Committed By: seb
> Date: Tue Aug 20 17:19:35 UTC 2002
>
> Modified Files:
> pkgsrc/security/tripwire: distinfo
> pkgsrc/security/tripwire/patches: patch-ac
>
> Log Message:
> Fix sparc64 build by patching sigs/sha/sha.c like the revision 1.6 of
> basesrc/lib/libc/hash/sha1.c.
2002-08-20 [agc; 2 files; -4/+4] Pullup version 1.6 of patch-ac onto the pkgsrc 1.6 branch, and regen
the checksum. Requested by Frederick Bruckman.
> From: fredb@netbsd.org (Frederick Bruckman)
> Date: 19 Aug 2002 18:34:57 GMT
>
> Module Name: pkgsrc
> Committed By: fredb
> Date: Mon Aug 19 18:34:56 UTC 2002
>
> Modified Files:
> pkgsrc/security/openssl: distinfo
> pkgsrc/security/openssl/patches: patch-ac
>
> Log Message:
> Let build on sparc v7.
2002-08-20 [agc; 4 files; -7/+7] Pullup revisions 1.58 and 1.59 to the 1.6 pkgsrc branch.
Requested by Thomas Klausner.
> Date: Mon, 19 Aug 2002 18:17:57 +0300 (EEST)
> From: Thomas Klausner <wiz@netbsd.org>
>
> Module Name: pkgsrc
> Committed By: wiz
> Date: Mon Aug 19 15:17:56 UTC 2002
>
> Modified Files:
> pkgsrc/security/openssl: Makefile
>
> Log Message:
> Compile no-shared on 1.4.x. This makes the package install and work for me
> on 1.4.2/i386. Approved by agc.

> Date: Mon, 19 Aug 2002 19:00:07 +0300 (EEST)
> From: Thomas Klausner <wiz@netbsd.org>
>
> Module Name: pkgsrc
> Committed By: wiz
> Date: Mon Aug 19 16:00:07 UTC 2002
>
> Modified Files:
> pkgsrc/security/openssl: Makefile
>
> Log Message:
> Fix a comment, and improve pattern to also work on netbsd-1-4.
2002-08-19 [fredb; 2 files; -4/+4] Let build on sparc v7.
2002-08-19 [wiz; 1 file; -2/+2] Fix test for rc.d in configure script, so that this works on 1.4.x.
Gleaned from apache's startup script.
2002-08-19 [wiz; 1 file; -3/+3] Fix a comment, and improve pattern to also work on netbsd-1-4.
2002-08-19 [wiz; 1 file; -1/+6] Compile no-shared on 1.4.x. This makes the package install and work for me
on 1.4.2/i386. Approved by agc.
2002-08-19 [shell; 2 files; -6/+6] Updated to p5-Net-SSLeay-1.19
Changes:
- further fixes for Net::SSLeay::Handle from jbowlin@@_linklint.org
- applied minor patch by Mark Veltzer <mark@@veltzer._org> to Makefile.PL
- Added SSL_peek patch to ssl_read_until from Peter Behroozi <peter@@fhpwireless_.com> --Sampo
- Improved Windows instructions per Marcel Bucher <marcle@bucher._cc>
2002-08-19 [agc; 2 files; -1/+69] Add a patch to get this to compile on NetBSD.
2002-08-16 [agc; 1 file; -1/+2] Provide a sensible default for BUILDLINK_DEPENDS.openssl - noticed when
the in-tree openssl is < 0.9.6f, a previous package build has installed the openssl-0.9.6g package, but the BUILDLINK_DEPENDS.openssl value is not initialised, so that the package infrastructure tries to build and install the openssl-0.9.6g package again.
2002-08-15 [fredb; 3 files; -12/+20] Revert Makefile,v.1.56, as the NetBSD patches were causing intractable
problems for Solaris. Instead, handle patch for NetBSD-1.4.2 specially.
2002-08-15 [wiz; 1 file; -5/+0] Remove (partly obsolete) homepage URLs from DESCR.
2002-08-15 [fredb; 1 file; -44/+10] Really require 0.9.6g, if we require the package at all.
2002-08-14 [grant; 1 file; -1/+7] fix CFLAGS on big endian machines.
2002-08-12 [wiz; 1 file; -3/+4] Update MASTER_SITES and HOMEPAGE.
2002-08-11 [fredb; 2 files; -8/+3] Delete "No newline at end of file" garbage left by "mkpatches".
2002-08-10 [fredb; 1 file; -4/+4] It just occurred to me that the ${PATCHDIR} patches developed against the
NetBSD-patched codebase won't apply cleanly (or at all) without the NetBSD patch. Therefore, remove the `.if ${OS}' condition for applying the patch, so Solaris and Darwin start with the same codebase. Fix as needed.
2002-08-10 [itojun; 1 file; -5/+19] require 0.9.6f, at least
2002-08-10 [fredb; 6 files; -32/+59] Update to 0.9.6g. The most significant change is this proof against
a stunning DoS vulnerability, fixed in 0.9.6f:

  *) Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()).
     [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]

Regenerate the netbsd patch. This is now a clean diff against the vendor tag, with version-number-only changes elided.

Partially revert "crypto/dist/openssl/crypto/rand/randfile.c", version 1.4 (via additional pkgsrc patch), to give this a shot to compile on NetBSD-1.4.2 and earlier, which had no strlcpy() or strlcat().

Assemble the shared library without "-Bsymbolic", mainly to give this a shot at linking on NetBSD-a.out (untested).
2002-08-09 [jlam; 1 file; -1/+7] Correctly set the value of SSLCERTS depending on the environment and the
platform.
2002-08-09 [jlam; 2 files; -16/+13] * Change the perl paths in the various build scripts to ${PERL5} and not
  ${LOCALBASE}/bin/perl.
* Refer to the make program used to drive the build and installation as "${MAKE_PROGRAM}".
* Instead of explicitly setting PKG_SYSCONFBASE=/etc, use the pkg-specific override PKG_SYSCONFDIR.openssl, and optionally set it so that the user still has the option of overriding its value.
* Use bsd.pkg.install.mk to install the default config file (openssl.cnf) and to create and remove the extra config directories. This lets us remove the extra lines in PLIST that do the same thing.
2002-08-09 [jlam; 1 file; -3/+3] Refer to the openssl config directory as ${PKG_SYSCONFDIR} as it differs
between platforms.
2002-08-09 [wiz; 2 files; -6/+7] Fix binary package, from Urban Boquist in pkg/17892.
While here, update MASTER_SITES, all the previous ones were not carrying the file anymore.
2002-08-07 [agc; 2 files; -6/+17] Fix a problem shown up in the last bulk build
2002-08-07 [fredb; 2 files; -27/+1] Remove my macros for missing strlcpy() and strncpy() which aren't correct,
and don't actually work.
2002-08-07 [jlam; 13 files; -219/+147] Merge security/uvscan-dat into security/uvscan. The uvscan-dat package is
out-of-date very frequently, and its sole purpose seems to be to provide the uvscan package with the update_dat script so that uvscan can keep up-to-date with the latest virus definitions.

A MESSAGE file has been added to security/uvscan that recommends running "update_dat" to update the virus definitions database to the most recent version after installation. The update_dat script has also been rewritten to allow the new syntax "update -f <DATFILE>" to update from an already-downloaded DATFILE, so users will still be able to do bulk downloads to removable media on a machine with a fat connection and be able to compile and install a usable uvscan package on another machine.

Bump the PKGREVISION on uvscan to 1 and mark the CONFLICT with the obsolete uvscan-dat packages.
2002-08-06 [zuntum; 1 file; -2/+0] Do not list homepage in DESCR
2002-08-06 [cjs; 1 file; -1/+2] Move pscan from net to security.
2002-08-06 [cjs; 5 files; -0/+59] PScan is a C source code security scanner, which looks for misuse of
libc functions which use varargs and printf-style formatting operators. In many situations these can cause security vulnerabilities in the application if it runs with privileges (setugid, or listening to a network socket, etc).

An example of the kind of situation pscan looks for is the following:

    variable = "%s";            /* or malicious user input */
    sprintf(buffer, variable);  /* BAD! */

WWW: http://www.striker.ottawa.on.ca/~aland/pscan/
2002-08-06 [seb; 1 file; -1/+2] Add and enable ssh2.
2002-08-06 [seb; 13 files; -0/+647] Initial import of ssh version 2.3.0 into the NetBSD Packages Collection.
This package provides Secure Shell client and server for V.2 SSH protocol from SSH Communications Security. Based on PR 15358 from Greg A. Woods <woods@planix.com>.
2002-08-04 [fredb; 1 file; -8/+7] Make this work on platforms that don't have any base system "openssl",
includes (i.e NetBSD-1.4.3). Problem pointed out by Amitai Schlair.
2002-08-04 [fredb; 18 files; -641/+502] Update openssl to 0.9.6e. This update fixes multiple vulnerabilities,
and also changes the ABI of "libcrypto" and "libssl". (So the shared library majors and buildlink requirements are bumped, too.)

The code base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches as of 2002-08-04, the optimization levels are reduced to "-O2", but I've retained some of the processor optimization flags and different code path #defines in the "Configure" script, just to keep things interesting.

The default "certs" directory on NetBSD is now "/etc/openssl/certs", to give continuity to those who find themselves using the package system's "openssl" after upgrading a package that formerly used the base system's. [Suggested by itojun.] The best way to avoid such problems, however, is to upgrade your base system *first*.

I'm making use of the new and improved build system as much as possible. This gives us a cleaner way to make shared libraries and real man pages, but loses many of the symlinks to the openssl binary.

I've culled items from the "CHANGES" file that appear to have security implications or are particularly interesting for NetBSD users, below. My comments are marked off with '===>'.

===> This is from the netbsd-20020804-patch

  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation.
     [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson]

Changes between 0.9.6d and 0.9.6e [30 Jul 2002]

  *) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications.
     [Bodo Moeller]

  *) Changes in security patch:

     Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.

  *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer.
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Assertions for various potential buffer overflows, not known to happen in practice.
     [Ben Laurie (CHATS)]

  *) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655)
     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656)
     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656)
     [Ben Laurie (CHATS)]

Changes between 0.9.6c and 0.9.6d [9 May 2002]

  *) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker.
     [Bodo Moeller]

Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG.
     [Bodo Moeller]

  *) The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.)

     Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error.

     Both problems are now fixed.
     [Bodo Moeller]

Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

===> This is our ABI change.

  *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare.
     [Richard Levitte]

  *) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid().
     [Ulf Moeller]

  *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.)
     [Lutz Jaenicke]

===> package doesn't do this. We'll bump major versions
===> as necessary.

  *) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility.
     [Richard Levitte]

  *) Rework the system to generate shared libraries:

     - Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that.

     - Make as few rebuilds of the shared libraries as possible.

     - Still avoid linking the OpenSSL programs with the shared libraries.

     - When installing, install the shared libraries separately from the static ones.
2002-08-04 [tron; 1 file; -2/+2] Fix dependence on "nmap" package.
2002-08-04 [veego; 1 file; -2/+1] Remove lib/nessus/plugins_factory, which is in fact a directory and
later correctly used with the @dirrm prefix to be removed, but having a second one here cause some problems while removing the package.
2002-08-02 [cjep; 2 files; -5/+5] Update to 4216.
2002-08-01 [tron; 1 file; -4/+4] Comment out master sites because the file on "ftp.openbsd.org" and
possibly on its mirrors is obviously infected with a trojan. The file on "ftp.netbsd.org" is safe.
2002-08-01 [jschauma; 1 file; -2/+2] Change MAINTAINER from tv at netbsd dot org to packages at netbsd dot org
after consulting with Todd. Any volunteers for any of these packages?
2002-07-31 [tron; 1 file; -1/+8] Add support for OpenSSL 0.9.6e.
2002-07-31 [jlam; 8 files; -18/+115] Build and install "saslauthd", a daemon running as root that performs
plaintext password authentication for Cyrus SASL. This will allow daemons _not_ running as root to perform SASL PLAIN authentication (including getpwent and PAM). Bump PKGREVISION to 1.
2002-07-30 [jlam; 4 files; -85/+15] Update security/pam-smbpass to version 2.2.5. This version matches the
pam_smbpass distributed with the samba-2.2.5 sources.
2002-07-30 [jlam; 7 files; -201/+8] Factor out common parts of samba and winbind into net/samba/Makefile.common
and merge their patch collections. These two packages are built from the same source tree, and updates to the main distfile should be shared by both packages.
2002-07-29 [jlam; 1 file; -1/+2] Add and enable winbind.
2002-07-29 [jlam; 10 files; -0/+281] security/winbind - unified logon information between UNIX and Windows NT
Winbind uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules, and the Name Service Switch to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Users and groups are allocated as they are resolved to a range of user and group ids specified by the administrator of the Samba system. Currently, the nsswitch module doesn't work on NetBSD as NetBSD doesn't support dynamically loadable nsdispatch callbacks. However, the pam_winbind.so module may (quite usefully) be used to authenticate against a domain controller for a Windows domain via the NT user authentication protocol. This package currently tracks the winbind components from the Samba 2.2.x releases, but may be used in conjunction with older Samba 2.0.x releases as well.
2002-07-28 [schmonz; 5 files; -11/+37] Build on Darwin using patches from Apple's Darwin source repository,
via Fink.
2002-07-26 [wiz; 1 file; -2/+2] Depends on openssl 0.9.6D, as noted by Eric Schnoebelen in pkg/17728.
2002-07-26 [grant; 1 file; -1/+6] Add skey support on Solaris.
2002-07-26 [grant; 1 file; -1/+2] add and enable skey.
2002-07-26 [grant; 4 files; -0/+48] Initial import of skey-1.1.5 into the NetBSD packages collection.
This is the port of S/key implementation from OpenBSD source tree to Solaris, Linux, *BSD, AIX and probably other *NIX systems. This port consists of the introduction of autoconf support and replacement of OpenBSD library functions that are (regrettably) absent from other unices. This package provides skey support for other packages on non-NetBSD systems, and is marked ONLY_FOR_PLATFORM SunOS right now.