Changes:
0.21 Sat Aug 13, 2011 Mike McCauley
- Changes to TacacsPlus.pm to permit multiple servers to be specified in
new(). Patches provided by Paulo A Ferreira.
0.22 Wed Jan 18, 2012 Mike McCauley
- Fixed warning under perl 5.14
used, force it to be an empty (i.e. no suffix).
* Auditor: Include the zone name in the log messages.
* ldns 1.6.12 is required for bugfixes.
* ods-ksmutil: Suppress database connection information when no -v flag is
given.
* ods-enforcerd: Stop multiple instances of the enforcer running by checking
for the pidfile at startup. If you want to run multiple instances then a
different pidfile will need to be specified with the -P flag.
* ods-ksmutil: "zone delete" renames the signconf file, so that if the zone is
put back the signer will not pick up the old file.
* Signer Engine: Verbosity can now be set via conf.xml, default is 3.
Bugfixes:
* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config
or -c when starting the signer.
* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that
becomes opt-out.
* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
* Signer Engine: A file descriptor for sockets with value zero is allowed.
* Signer Engine: Only log messages about a full signing queue in debug mode.
* Signer Engine: Fix time issues, make sure that the internal serial does
not wander off after a failed audit.
* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms
with extra long signature expiration dates. More information in separate
announcement.
* The library is now installed in $libdir/softhsm/.
Bugfixes:
* Do not give a warning about the schema version if the token
has not been initialized yet.
* The tools now return the correct exit code.
Too many changes to list. The master site has moved too:
-HOMEPAGE= http://sandbox.rulemaker.net/ngps/m2/
+HOMEPAGE= http://chandlerproject.org/bin/view/Projects/MeTooCrypto
-MASTER_SITES= http://sandbox.rulemaker.net/ngps/Dist/
+MASTER_SITES= http://pypi.python.org/packages/source/M/M2Crypto/
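Review bot: MASTER_SITES now points at a different host (pypi.python.org instead of sandbox.rulemaker.net), so the distinfo checksums need to be regenerated from a tarball fetched from the new location and checked against the upstream release; otherwise the package's recorded hashes no longer correspond to what is actually fetched.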
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
vulnerability
Reference: http://www.suhosin.org/
https://github.com/stefanesser/suhosin
OpenSSL CHANGES
_______________
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
GNU_CONFIGURE_LIBDIR or GNU_CONFIGURE_LIBSUBDIR.
changes: bugfixes
* Stop treating NetBSD's sed as GNU sed; it is not fully compatible.
* Then there is no need to reset TOOLS_PLATFORM.gsed for NetBSD if USE_TOOLS+=gsed and
real GNU sed is required.
* In addition, convert simple USE_TOOLS+=gsed to a conditional, excluding NetBSD.
* Convert {BUILD_,}DEPENDS+=gsed to USE_TOOLS; all tools from gsed are real gsed.
BUILD_DEPENDS on bison to USE_TOOLS=bison. The minimum bison version
required in mk/tools/bison.mk is good enough for all of them.
* Build fixes from Linus Nordberg and Arno Hautala.
* Update gnulib files.
Change from previous:
---------------------
20111025
- Do not add CAs only trusted for email and/or code signing (RT#70967)
(if you need that, please let us know and we can see about putting it
in as an option)
(just added DESTDIR support)
versions of libcrypto in sshd. This can happen if OpenSSH is linked with
pkgsrc's OpenSSL and nss_ldap is in use, which pulls in the base-system OpenSSL
through the kerberos libraries. One needs to disable krb5 in nss_ldap
in order to fix that.
Bump PKGREVISION
OpenSSL CHANGES
_______________
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia Käsper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_convert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia Käsper (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
[Steve Henson]
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
[Ben Laurie]
PR#45765.
Bump PKGREVISION of cy2-gssapi plugin package.
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
actually seem to change anything (with gsed).
build dependence on gsed.
Bump PKGREVISION.
Note: pinentry may need INCOMPAT_CURSES to be set for some platforms.
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
This is a remote root exploit that is being actively exploited in the wild.
with it.
Remove line from distinfo for non-existing patch.
I guess the non-existing patch might have fixed it up, but as it's not
there....
Bump PKGREVISION
Bump PKGREVISION
1) Update two configuration files to include DragonFly, which results in
additional generated files.
2) Update PLIST.DragonFly (it was wrong in any case)
Drop ${PHP_BASE_VARS} from PKGVERSION by default.
It used to be required to support multiple PHP versions.
But after the PHP-version-based ${PHP_PKG_PREFIX} was introduced,
such a trick is not required anymore.
In addition, such a version name scheme triggers an unwanted version bump
when the base PHP version is bumped, and such a version scheme is hard to
use in a DEPENDS pattern.
To avoid downgrading packages that use this legacy version scheme,
PECL_LEGACY_VERSION_SCHEME is introduced.
If it is defined, the current version scheme is still used for the currently
supported PHP versions (5 and 53), but instead of ${PHP_BASE_VARS},
the current fixed PHP base version in pkgsrc is used, to avoid an unwanted version bump
from an update of the PHP base package.
With newer PHP (54, and so on), the new version scheme will be used even if
it is defined.
This trick will not be required and should be removed after php5 and php53
are gone from pkgsrc.
DragonFly is on OpenSSL 1.0 and this package wasn't building due to the
missing MD5 digest that no longer builds by default on the latest versions
of OpenSSL. FreeBSD already ran into this and patched qca-ossl, and this
ports their fix to pkgsrc.
Bump PKGREVISION