path: root/security
Age | Commit message | Author | Files | Lines
2010-12-20 | Set LICENSE. | wiz | 1 | -1/+2
2010-12-20 | Set LICENSE. | wiz | 1 | -1/+2
2010-12-19 | Update php-suhosin package to 0.9.32.1. | taca | 2 | -7/+7
    2010-07-23 - 0.9.32.1
    - Fixed missing header file resulting in compile errors
    2010-07-23 - 0.9.32
    - Added support for memory_limit > 2GB
    - Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
    - Improved random number seed generation more by adding /dev/urandom juice
    2010-03-28 - 0.9.31
    - Fix ZTS build of session.c
    - Increased session identifier entropy by using /dev/urandom if available
    2010-03-25 - 0.9.30
    - Added line ending characters %0a and %0d to the list of dangerous characters handled by suhosin.server.encode and suhosin.server.strip
    - Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
    - Added ! protection to PHP session serializer
    - Fixed simulation mode now also affects (dis)allowed functions
    - Fixed missing return (1); in random number generator replacements
    - Fixed random number generator replacement error case behaviour in PHP 5.3.x
    - Fixed error case handling in function_exists() PHP 5.3.x
    - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
    - Fixed suhosin_header_handler to be PHP 5.3.x compatible
    - Merge fixes and new features of PHP's file upload code to suhosin
2010-12-17 | Backported security fix from Version 1.6.6 of pcsc-lite. | shannonjr | 3 | -3/+22
    The fix bounds the value of a pointer, prior to a memcpy(), to prevent a buffer overflow.
2010-12-17 | Bump PKGREVISION from icu shlib major bump. | obache | 3 | -6/+6
2010-12-16 | add patch from upstream to protect for possible buffer overflows from rogue cards (SA42658) | drochner | 6 | -2/+68
2010-12-15 | Explicitly pass "--cpu=i386" when MACHINE_ARCH is i386 in order for this to build properly under Mac OS X "Snow Leopard" on a 64-bit host. | riz | 1 | -1/+2
    Fixes PR pkg/44191 by me.
2010-12-13 | Get this close to build under Mac OS X by removing some horrible use of the C pre-processor. | tron | 2 | -1/+139
2010-12-13 | Add TEST_TARGET. | wiz | 1 | -1/+2
2010-12-13 | Update to 1.7.6: | wiz | 4 | -40/+28
    The following changes have been made between John 1.7.5.1 and 1.7.6:
    * Generic crypt(3) support (enabled with "--format=crypt") has been added for auditing password hash types supported by the system but not yet supported by John's own optimized cryptographic routines (such as "SHA-crypt" and SunMD5).
    * Optional parallelization of the above has been implemented by means of OpenMP along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C).
    * Optional parallelization of John's own optimized code for the OpenBSD-style Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has been added.
    * A more suitable version of 32-bit x86 assembly code for Blowfish is now chosen on Core i7 and similar CPUs (when they happen to run a 32-bit build).
    * More optimal DES S-box expressions for PowerPC with AltiVec (making use of the conditional select operation) contributed by Dumplinger Boy (Dango-Chu) have been integrated.
    * The bitslice DES C source code has been reworked to allow for the use of arbitrary SIMD intrinsics, which was previously only implemented for AltiVec as a special case.
    * Support for SSE2 and MMX intrinsics with bitslice DES (as an alternative to the supplied assembly code) has been added (currently only enabled for SSE2 on x86-64 when compiling with GCC 4.4+).
    * Support for mixed-type longer virtual vectors (such as SSE2+MMX, SSE2+ALU, AltiVec+ALU, and other combinations) with bitslice DES has been added (not enabled by default yet, primarily intended for easy benchmarks on future CPUs, with future compiler versions, with even more SIMD instruction sets, and with different DES S-box expressions that might be available in the future).
    * The obsolete 32-bit SPARC assembly implementation of DES has been dropped.
    * The loader will now detect password hashes specified on a line on their own, not only as part of an /etc/passwd or PWDUMP format file.
    * When run in "--stdin" mode and reading candidate passwords from a terminal (to be typed by the user), John will no longer mess with the terminal settings.
    * John will now restore terminal settings not only on normal termination or interrupt, but also when forcibly interrupted with two Ctrl-C keypresses.
    The following changes have been made between John 1.7.5 and 1.7.5.1:
    * A new numeric variable has been added to the word mangling rules engine: "p" for position of the character last found with the "/" or "%" commands.
    The following changes have been made between John 1.7.4.2 and 1.7.5:
    * Support for the use of "--format" along with "--show" or "--make-charset" has been added.
    * The choice of .rec and .log filenames for custom session names has been made more intuitive.
    * Support for "\r" (character lists with repeats) and "\p0" (reference to the immediately preceding character list/range) has been added to the word mangling rules preprocessor.
    * The undefined and undocumented behavior of some subtle word mangling rules preprocessor constructs has been changed to arguably be more sensible.
    * Some bugs were fixed, most notably JtR crashing on no password hashes loaded (bug introduced in 1.7.4.2).
    The following changes have been made between John 1.7.4 and 1.7.4.2:
    * Major performance improvements for processing of very large password files or sets of files, especially with salt-less or same-salt hashes, achieved primarily through introduction of two additional hash table sizes (64K and 1M entries), changes to the loader, and smarter processing of successful guesses (to accommodate getting thousands of hashes successfully cracked per second).
    * Many default buffer and hash table sizes have been increased and thresholds for the use of hash tables lowered, meaning that John will now tend to use more memory to achieve better speed (unless it is told not to with the "--save-memory" option).
    * Some previously missed common website passwords found on public lists of "top N passwords" have been added to the bundled common passwords list.
    * Some bugs introduced in 1.7.4 and affecting wordlist mode's elimination of consecutive duplicate candidate passwords have been fixed.
    The following changes have been made between John 1.7.3.4 and 1.7.4:
    * Support for back-references and "parallel" ranges has been added to the word mangling rules preprocessor.
    * The notion of numeric variables (to be used for character positions and substring lengths along with numeric constants supported previously) has been introduced into the rules engine. Two pre-defined variables ("l" for initial or updated word's length and "m" for initial or memorized word's last character position) and 11 user-defined variables ("a" through "k") have been added. Additionally, there's a new numeric constant: "z" for "infinite" position or length.
    * New rule commands have been added: "A" (append, insert, or prefix with a string), "X" (extract a substring from memory and insert), "v" (subtract and assign to a numeric variable).
    * New rule reject flags have been added: ":" (no-op, for use along with the "parallel" ranges feature of the preprocessor) and "p" (reject unless word pair commands are allowed, for sharing of the same ruleset between "single crack" and wordlist modes).
    * Processing of word mangling rules has been made significantly faster in multiple ways (caching of the current length, less copying of data, code and data placement changes for better branch prediction and L1 cache usage, compiler-friendly use of local variables, code micro-optimizations, removal of no-op rule commands in an initial pass).
    * The default rulesets for "single crack" and wordlist modes have been revised to make use of the new features, for speed, to produce fewer duplicates, and to attempt additional kinds of candidate passwords (such as for years 2010 through 2019 with "year-based" rules).
    * The idle priority emulation code has been optimized for lower overhead when there appears to be no other demand for CPU time.
    * The default for the Idle setting has been changed from N to Y.
    The following changes have been made between John 1.7.3.1 and 1.7.3.4:
    * "make check" has been implemented (for Unix-like systems only).
    * The "--test" option will now take an optional argument - the duration of each benchmark in seconds.
    * Section .note.GNU-stack has been added to all assembly files to avoid the stack area unnecessarily being made executable on Linux systems that use this mechanism.
    * Some very minor bugs that did not affect normal operation have been fixed.
    * Some unimportant compiler warnings have been fixed, a source code comment has been made more verbose and more complete.
2010-12-12 | Update to 2.10.4: | wiz | 2 | -6/+6
    * Version 2.10.4 (released 2010-12-06)
    ** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
    ** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. This makes us comply with RFC3279. Reported by Michael Rommel.
    ** libgnutls: Reverted default behavior for verification and introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs are allowed, unless the new flag is specified.
    ** minitasn1: Updated to Libtasn1 2.9.
    ** API and ABI modifications: No changes since last version.
2010-12-12 | Update to 2.9: | wiz | 2 | -6/+6
    * Noteworthy changes in release 2.9 (2010-12-06) [stable]
    - tests: Link to gnulib to avoid build error related to 'rpl_ftello' on Solaris. Reported by Dagobert Michelsen.
    - doc: Fix bug reporting address to point at help-libtasn1@gnu.org.
    - doc: Fix Returns: documentation in Texinfo. Reported by Jeffrey Walton.
    - build: Update gnulib files.
2010-12-07 | Update security/p5-IO-Socket-SSL to 1.35 | gls | 2 | -6/+6
    Security fix
    v1.35 2010.12.06
    - if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be verified as valid it will no longer fall back to VERIFY_NONE but throw an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for pointing out the problem, see also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
2010-12-06 | Direct MASTER_SITES to pypi.org, as the original MASTER_SITE doesn't host the distfile anymore. | gls | 2 | -8/+10
    Add DIST_SUBDIR to force re-download of the tarball, whose content has been modified. While here, switch DEPENDS to py-crypto instead of py-amkCrypto. Bump PKG_REVISION.
2010-12-05 | Detect builtin MIT Kerberos on Mac OS X 10.6.x | adam | 1 | -2/+3
2010-12-05 | Update py-crypto to version 2.3 | gls | 6 | -14/+62
    pkgsrc changes:
    - add a patch to fix a hardcoded interpreter path
    - add a patch to actually find gmp library.
    - add CONFLICTS with py-amkCrypto, both have files in common.
    upstream changes:
    2.3
    ===
    * Fix NameError when attempting to use deprecated getRandomNumber() function.
    * _slowmath: Compute RSA u parameter when it's not given to RSA.construct. This makes _slowmath behave the same as _fastmath in this regard.
    * Make RSA.generate raise a more user-friendly exception message when the user tries to generate a bogus-length key.
    2.2
    ===
    * Deprecated Crypto.Util.number.getRandomNumber(), which had confusing semantics. It's been replaced by getRandomNBitInteger and getRandomInteger. (Thanks: Lorenz Quack)
    * Better isPrime() and getPrime() implementations that do a real Rabin-Miller probabilistic primality test (not the phony test we did before with fixed bases). (Thanks: Lorenz Quack)
    * getStrongPrime() implementation for generating RSA primes. (Thanks: Lorenz Quack)
    * Support for importing and exporting RSA keys in DER and PEM format (Thanks: Legrandin)
    * Fix PyCrypto when floor division (python -Qnew) is enabled.
    * When building using gcc, use -std=c99 for compilation. This should fix building on FreeBSD and NetBSD.
2010-12-03 | add fix for CVE-2010-1323 from http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt | tez | 6 | -3/+108
2010-12-03 | Update openssl package to 0.9.8q. | taca | 2 | -6/+7
    OpenSSL version 0.9.8q released
    ===============================
    OpenSSL - The Open Source toolkit for SSL/TLS
    http://www.openssl.org/
    The OpenSSL project team is pleased to announce the release of version 0.9.8q of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
    The most significant changes are:
    o Fix for security issue CVE-2010-4180
    o Fix for CVE-2010-4252
2010-12-02 | Update to 0.9.4: no list of changes found. | wiz | 2 | -7/+6
2010-12-02 | Update to 2.0.3. List of changes not found. | wiz | 2 | -7/+6
2010-12-02 | Update to 0.50: | wiz | 2 | -6/+6
    0.50 Nov 21, 2010
    - shell_quote in t/1_run.t was escaping '_' (bug report by Andreas J. König)
    - some typos corrected
    - initial implementation of scp_cat
2010-12-02 | Update to 1.34: | wiz | 2 | -7/+6
    v1.34 2010.11.01
    - schema http for certificate verification changed to wildcards_in_cn=1, because according to rfc2818 this is valid and also seen in the wild
    - if upgrading socket from inet to ssl fails due to handshake problems the socket gets downgraded, but is still open. See https://rt.cpan.org/Ticket/Display.html?id=61466
    - deprecate kill_socket, just use close()
2010-12-02 | Update to 2.51: | wiz | 2 | -7/+6
    2010-09-30 Gisle Aas <gisle@ActiveState.com>
    Release 2.51
      Florian Ragwitz (1):
        Fix compilation with c++ compilers
      Gisle Aas (1):
        Fix repository specification in META.yml
    2010-09-25 Gisle Aas <gisle@ActiveState.com>
    Release 2.50
      Chris 'BinGOs' Williams (1):
        Amended tests to work with perl core.
      Florian Ragwitz (3):
        Attach context pointers using sv magic
        Add failing test for thread cloning
        Clone MD5 contexts on thread cloning
        get_md5_ctx should never return anything but a valid pointer
      Gisle Aas (1):
        perl-5.6 no longer supported
      Jesse Vincent (1):
        Preserve utf8ness of argument [RT#44927]
2010-12-02 | Update to 0.16: | wiz | 2 | -7/+6
    0.16 Wed Sep 29 08:11:42 2010
    - fixed crc64 support for non-xs case, #61490, #61491
2010-11-30 | Fixes build with OPENSSL_NO_MD2. | obache | 4 | -1/+152
2010-11-29 | update to 2.30.1 | drochner | 3 | -15/+17
    This switches to the gnome-2.32 release branch. (compile-tested only; the old version didn't build anymore)
2010-11-28 | update to 2.32.0 | drochner | 3 | -21/+26
    This switches to the gnome-2.32 release branch.
2010-11-28 | Install manpages in man/, not share/man/ | shattered | 4 | -8/+25
2010-11-27 | add and enable libtomcrypt | agc | 1 | -1/+2
2010-11-27 | Import libtomcrypt (version 1.17) into the packages collection. | agc | 6 | -0/+180
    LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines. LibTomCrypt has been designed from the ground up to be very simple to use. It has a modular and standard API that allows new ciphers, hashes and PRNGs to be added or removed without change to the overall end application. It features easy to use functions and a complete user manual which has many source snippet examples.
    * Block Ciphers
      * Blowfish
      * XTEA
      * RC5
      * RC6
      * SAFER+
      * Rijndael (aka AES)
      * Twofish
      * SAFER (K64, SK64, K128, SK128)
      * RC2
      * DES, 3DES
      * CAST5
      * Noekeon
      * Skipjack
      * Anubis (with optional tweak as proposed by the developers)
      * Khazad
      * KASUMI
      * SEED
    * Chaining Modes
      * ECB
      * CBC
      * OFB
      * CFB
      * CTR
      * IEEE LRW mode
      * F8 Chaining Mode
    * One-Way Hash Functions
      * MD2
      * MD4
      * MD5
      * SHA-1
      * SHA-224/256/384/512
      * TIGER-192
      * RIPE-MD 128/160/256/320
      * WHIRLPOOL
    * Message Authentication
      * FIPS-198 HMAC (supports all hashes)
      * CMAC, also known as OMAC1 (supports all ciphers)
      * PMAC Authentication
      * F9-MAC
      * Pelican MAC
    * Message Encrypt+Authenticate Modes
      * EAX Mode
      * OCB Mode
      * CCM Mode (NIST spec)
      * GCM Mode (IEEE spec)
    * Pseudo-Random Number Generators
      * Yarrow (based algorithm)
      * RC4
      * Support for /dev/random, /dev/urandom and the Win32 CSP RNG
      * Fortuna
      * SOBER-128
    * Public Key Algorithms
      * RSA (using PKCS #1 v1.5 and v2.1)
      * ECC (EC-DSA X9.62 signatures, X9.63 EC-DH)
        o With fast Fixed Point ECC support as well
        o X9.63 import/export of public keys
      * DSA (Users make their own groups)
      * The math routines are pluggable which means you can use your own math provider if you want.
    * Other standards
      * PKCS #1 (v1.5 and v2.1 padding)
      * PKCS #5
      * ASN.1 DER
2010-11-26 | update to 1.1.0 | drochner | 2 | -6/+6
    change: New functions to fix a leak in dirmngr
2010-11-26 | update to 2.10.3 | drochner | 3 | -20/+6
    changes: bugfixes
2010-11-26 | update to 1.10 | drochner | 2 | -6/+6
    change: 3 error codes added
2010-11-18 | define missing PKGCONFIG_OVERRIDE. | obache | 1 | -1/+5
2010-11-17 | Update security/openssl package to 0.9.8p. | taca | 3 | -22/+6
    OpenSSL version 0.9.8p released
    ===============================
    OpenSSL - The Open Source toolkit for SSL/TLS
    http://www.openssl.org/
    The OpenSSL project team is pleased to announce the release of version 0.9.8p of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
2010-11-16 | update to 2.32.0 | drochner | 3 | -8/+14
    This switches to the gnome-2.32 release branch.
2010-11-16 | Changes 186: | adam | 3 | -108/+13
    * fix for BUG-424: build fails on Darwin
2010-11-15 | PKGREVISION bumps for changes to gtk2, librsvg, libbonobo and libgnome | abs | 25 | -50/+50
2010-11-14 | Shlib major bumped from 3 to 4 at update of ImageMagick-6.6.4.1. | obache | 1 | -2/+2
    Bump ABI_DEPENDS (and recursive bump).
2010-11-13 | Follow HTTP redirects to new HOMEPAGEs and/or MASTER_SITES. | shattered | 3 | -6/+6
2010-11-11 | reset maintainer, he does not use this package anymore. | obache | 1 | -2/+2
2010-11-10 | pkglint fixes | adam | 3 | -15/+12
2010-11-09 | add and enable libpbc | agc | 1 | -1/+2
2010-11-09 | Initial import of security/libpbc-0.5.10 into the Packages Collection. | agc | 4 | -0/+70
    The PBC (Pairing-Based Cryptography) library is a free C library built on the GMP library that performs the mathematical operations underlying pairing-based cryptosystems. It provides routines such as elliptic curve generation, elliptic curve arithmetic and pairing computation. The API is abstract enough that the PBC library can be used even if the programmer possesses only an elementary understanding of pairings. There is no need to learn about elliptic curves or much of number theory. (The minimum requirement is some knowledge of cyclic groups and properties of the pairing.)
    Boneh-Lynn-Shacham short signatures
    Hess identity-based signatures
    Joux tripartite Diffie-Hellman
    Paterson identity-based signatures
    Yuan-Li identity-based authenticated key agreement
    Zhang-Kim identity-based blind/ring signatures
    Zhang-Safavi-Naini-Susilo signatures
2010-11-08 | Changes 2.6.4: | adam | 2 | -18/+18
    Bug Fixes
    * amavisd failed to start when spam scanning was disabled either by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving: Can't locate object method "new" via package "Amavis::SpamControl". As a workaround one could use a @spam_scanners=(undef) to disable spam scanning;
    * several decoders failed to propagate "Exceeded storage quota" exception, so the protection of AV scanners against mail bombs was ineffective; reported by Jorgen Lundman;
    * milter usage (AM.PDP): verbatim header edits inserted a header body of "1" instead of the correct string;
    * updated AV entry for BitDefender's bdscan to recognize tabs around a colon in its output; contributed by Steve;
    * fix parsing of a combined result from DSPAM (option --classify), as earlier versions of DSPAM did not include a signature with a combined result line; problem reported by Marijan Vidmar;
    New Features
    * provide a true SNMP agent and a MIB, facilitating monitoring the health of a content filtering system, its performance and mail characteristics;
    * a new AV interface to SMTP-based antivirus scanners;
    * allow customizing SMTP-status response reason text for blocked messages;
    * prevent inserting fake copies of certain important mail header fields without breaking a DKIM signature;
2010-11-07 | Update netpgp to 20101107. | agc | 2 | -6/+6
    Changes since previous version:
    + fixes for GNU autoconf/automake infrastructure
    + Elgamal encryption and decryption (for DSA keys) is now supported
2010-11-06 | Update netpgp to version 20101105 - fixes for autoconf and automake | agc | 3 | -7/+9
2010-11-05 | Update netpgp to version 3.99.13/20101104 | agc | 1 | -2/+2
    Changes from previous version (20100601)
    Changes to 3.99.13/20101104
    + fix up GNU autoconf framework to reflect new structure
    + add ability in netpgpkeys(1) and netpgp(1) to specify the cipher (symmetric algorithm)
    + add the camellia cipher implementation from openssl as specified in RFC 5581
    + changes from Peter Pentchev to get rid of an exit(3) in library context
    + changes from Peter Pentchev for manual page hyphens
    + changes from Peter Pentchev to clean up after tests
    + changes from Arnaud Ysmal to avoid dereferencing possible NULL pointers
    + change from Arnaud Ysmal to clean up usage message in netpgpkeys(1)
    + avoid calling bzlib functions if they aren't present
    + when writing out the key as an ssh key, don't include the user id information at the end, in-line with expectations about standard ssh key formats
    + since the signing key changed its "menu line" entry from "pub" to "signature", the offset of the key id moved 7 chars to the right, so take this into consideration when generating new keys
    + allow the user specification of the secret key file as the --sshkeyfile or -S argument, and check that the public key file exists before trying to read it
    Changes to 3.99.12/20100907
    + add a pretty print function mj_pretty(3) to libmj
    + added netpgp_write_sshkey(3) to libnetpgp
    + added pgp2ssh(1)
    + added preliminary support for ElGamal decryption, needed for DSA keys as yet untested, unworking, and a WIP
    + add support for using all ssh keys, even those protected by a passphrase, for decryption and signing. This rounds off ssh key file support in netpgp.
    + add a single character alias (-S file) for [--sshkeyfile file] to netpgpkeys(1) and netpgp(1)
    Changes to 3.99.11/20100809
    + update hkpd(8) to reflect the -S argument to hkpd(8)
    + add reachover Makefile support for hkpd(8) and hkpc(1)
    + regen autoconf with new version and date information
    Changes to 3.99.10/20100809
    + check return value from option setting function in netpgpkeys(1)
    + be smarter when checking for a null id
    + add test for crap being returned when listing specific keys in netpgpkeys(1)
    + take the public key from the pubring, not the secring when exporting keys
    + allow hkpd to serve ssh keys in pgp format
    + test on whether a seckey is needed, not on a userid needed, for ssh keys
    Changes to 3.99.9/20100809
    + add single character options to netpgp(1) and netpgpkeys(1)
    + add -o long-option (=value)? to netpgp(1) and netpgpkeys(1)
    + save subkeys when parsing keys. when listing keys, note that the first subkey is for encryption
    + rationalise birthtime/expiration timestamps into a single function
    + clean up some 64-bit (amd64) lint
    Changes to 3.99.8/20100805
    + free a regular expression after using it
    + be a bit less typedef-happy when it's not needed
    + added minimalist JSON (libmj) to distribution
    + add a function in ops layer to construct JSON serialised text from keys
    + use json output from the library in netpgpkeys(1)
    + added check for alternative openssl location
    Changes to 3.99.7/20100701
    + recognise ascii-armoured encrypted messages properly, in memory and in files
    + fix a bug when printing out the public key when prompting for a secret key
    + print error message and exit for now when trying to encrypt with a DSA key
    + fix bug reported by dyoung when trying to print out the encryption key fingerprint
    Changes to 3.99.6/20100701
    + make some synonyms for --ssh-keys
    + make proper defaults for home dir for ssh key files as well as pgp files
    + modify regression test script to ensure that ssh-keygen and netpgpkey's idea of ssh keys are the same
    + return any error codes when reading ssh pub or private keys
    Changes to 3.99.5/20100613
    + make ssh fingerprints (md5) match netpgp listing
    + use the more functional hexdump function from ssh2pgp in place of the older hexdump function from openpgpsdk
    + pass hash type down from command line where needed
    + add test for netpgp/ssh key fingerprint matching
    + make netpgpkeys(1) take a --hash= option
2010-11-03 | nss_ldap and pam-ldap now share the same configuration files | adam | 4 | -26/+20
2010-11-02 | Depend on zlib -- this package won't build without it. | shattered | 1 | -1/+2