| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
to pass make flags to bmake.
|
|
Updated to OpenBSD 3.7 pf:
* Support limiting TCP connections by establishment rate, automatically
adding flooding IP addresses to tables and flushing states
(max-src-conn-rate, overload <table>, flush global).
* Improved functionality of tags (tag and tagged for translation rules,
tagging of all packets matching state entries).
* Improved diagnostics (error messages and additional counters from pfctl -si).
* New keyword set skip on to skip filtering on arbitrary interfaces,
like loopback.
* Several bugfixes improving stability.
ALTQ is now also supported by using the option 'altq', see the homepage
for information about how to apply the kernel patch.
Approved by: Thomas Klausner <wiz@NetBSD.org>
|
|
Multiple bug fixes, the most important being NAT-T now working with
multiple endpoints behind the same NAT.
|
|
specifically, check in /usr/lib${ABI}, since it's possible that
on multi-ABI platforms only one version is installed, in which case we'd
need to build and install the other from pkgsrc.
|
|
options framework. Rename PKG_OPTIONS.* to PKG_BUILD_OPTIONS.*.
|
|
caches variable definitions that were computed by make. These variables
are specified by listing them in MAKE_VARS, e.g.,
.if !defined(FOO)
FOO!= very_time_consuming_command
.endif
MAKE_VARS+= FOO
bsd.pkg.mk will include only the one generated during the most recent
phase. A particular phase's makevars.mk file consists of variable
definitions that are a superset of all of the ones produced in previous
phases of the build.
The caching is useful because bsd.pkg.mk invokes make recursively,
which in the example above has the potential to run the very time-consuming
command each time unless we cause FOO to be defined for the sub-make
processes. We don't cache via MAKE_FLAGS because MAKE_FLAGS isn't
consistently applied to every invocation of make, and also because
MAKE_FLAGS can overflow the maximum length of a make variable very
quickly if we add many values to it.
One important and desirable property of variables cached via MAKE_VARS
is that they only apply to the current package, and not to any
dependencies whose builds may have been triggered by the current
package.
The makevars.mk files are generated by new targets fetch-vars,
extract-vars, patch-vars, etc., and these targets are built during
the corresponding real-* target to ensure that they are being invoked
with PKG_PHASE set to the proper value.
Also, remove the variables cache file that bsd.wrapper.mk was generating
since the new makevars.mk files provide the same functionality at a
higher level. Change all WRAPPER_VARS definitions that were used by
the old wrapper-phase cache file into MAKE_VARS definitions.
|
|
package because PKG_OPTION.<pkg> could contain negative options, which
are never part of PKG_OPTIONS. Instead, use the show-var target to
display the value. We cache it in WRAPPER_VARS and in MAKE_FLAGS to
prevent reinvoking the show-var target recursively.
|
|
|
|
|
|
|
|
by David Ferlier with minor changes by me.
This is a module that allows people to login to PAM aware applications
by authenticating to a MySQL db. Now configurable in terms of which
host the database reside upon, which table and username and password
column to interrogate.
|
|
is enabled.
(Noticed in K. Walfridsson's NetBSD 3.0_BETA/x86_64 bulk build results
which were reviewed by wiz.)
|
|
|
|
no longer a custom option.
Add rc.d scripts to the PLIST.
|
|
INSTALL_SCRIPT step and set RCD_SCRIPTS=dirmngr instead?"
|
|
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
|
|
|
|
* Version 1.2.3
- Corrected bug in record packet parsing that could lead
to a denial of service attack.
- Corrected bug in RSA key export. Previously exported keys
can be fixed using certtool. Use certtool -k <infile >outfile
- API and ABI modifications:
gnutls_x509_privkey_fix(): Add.
* Version 1.2.2 (2005-04-25)
- gnutls_error_to_alert() now considers
GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET.
- Fixed error in session resuming that could cause a crash in a session.
- Fixed pkcs12 friendly name and local key identifier decoding.
- Internal cleanups, removed duplicate typedef/struct definitions,
and made source code include external include file, to check
function prototypes during compile time.
- API and ABI modifications:
No changes since last version. At least not intentional, but due
to the include header changes, there may be inadvertant changes,
please let us know if you find any.
|
|
explicitely so that it os not autodetected on -current
|
|
|
|
security/lsh at 1.4.3.
lsh-2.0.1 has interoperability problems with openssh servers
(always gets "Invalid server signature" errors).
lsh-1.4.3 is not affected by CAN-2003-0826. Add a patch to address
CAN-2005-0814 and bump PKGREVISION.
|
|
|
|
|
|
changes:
- Makefile no longer appends 'static' to statically linked binaries
- Add optional SSH_ASKPASS support to the client
- Respect HOST_LOOKUP option
- Fix accidentally removed "return;" statement which was removed in 0.44
(causing clients which sent an empty terminal-modes string to fail to
connect - including pssh, ssh.com, danger hiptop). (patches
independently from Paul Fox, David Horwitt and Sven-Ola Tuecke)
- Read "y/n" response for fingerprints from /dev/tty directly so that dbclient
will work with scp.
|
|
|
|
News for the 2.0.1 release
Fixed denial of service bug in lshd.
Fixed a bug in lsh-make-seed, which could make the program go
into an infinite loop on read errors.
lsh now asks for passwords also in quite (-q) mode, as
described in the manual.
Control character filtering used to sometimes consider newline
as a dangerous control character. Now newlines should be
displayed normally.
Removed support for the non-standard alias
"diffie-hellman-group2-sha1". The standardized name is for
this key exchange method is "diffie-hellman-group14-sha1".
News for the 2.0 release
Several programs have new default behaviour:
* lshd enables X11 forwarding by default (lsh still does not).
* lsh-keygen generates RSA rather than DSA keys by default.
* lsh-writekey encrypts the private key by default, using
aes256-cbc. Unless the --server flag is used.
Improved the lcp script. It is now installed by default.
Implemented the client side of "keyboard-interactive" user
authentication.
Support keyexchange with
diffie-hellman-group14-sha1/diffie-hellman-group2-sha1 (the
standardized name is at the moment not decided).
Fixes to the utf8 encoder, and in particular interactions
between utf8 and control character filtering.
News for the 1.5.5 release
Added SOCKS-style proxying to lsh and lshg. See the new -D
command line option. Supports both SOCKS-4 and SOCKS-5.
The lsh client no longer sets its stdio file descriptors into
non-blocking mode, which should avoid a bunch of problems. As
a consequence, the --cvs-workaround command line option has
been deleted.
In the user lookup code, lshd now ignores the shadow database
if getspnam returns NULL.
In the server pty setup code, use the group "system" as a
fallback if the group "tty" doesn't exist. This is the case on
AIX. (There are however more problems on AIX, which makes it
uncertain that lshd will work out of the box).
Deleted the --ssh1-fallback option for lshd. I hope ssh1 is
dead by now; if it isn't, you have to run ssh1d and lshd on
different ports.
Deleted code for bug-compatibility with ancient versions of
Datafellow's SSH2. There are zero bug-compatibility hacks in
this version.
News for the 1.5.4 release
Added logging of tcpip-forward requests.
Includes nettle-1.9, which have had some portability fixes and
optimizations. In particular, arcfour on x86 should be much
faster.
Implemented flow control on the raw ssh connection. Enforce
limits on the amount of buffered data waiting to be written to
the socket.
Moved all destructive string operations to a separate file
lsh_string.c, which has exclusive rights of accessing string
internals. Should make the code more robust, as buffer size
and index calculations elsewhere in the code should hit an
assert in lsh_string.c before doing damage.
Some general simplification and cleanup of the code.
News for the 1.5.3 release
Fixed heap buffer overrun with potential remote root
compromise. Initial bug report by Bennett Todd.
Fixed a similar bug in the check for channel number allocation
failure in the handling of channel_open, and in the
experimental client SRP code.
lshd now has an experimental mode similar to telnet, where it
accepts the 'none' authentication method and automatically
disables services such as X and TCP forwarding. This can be
useful in environment where it's required that /bin/login or
some other program handle authentication and session setup
(e.g. handle security contexts and so on).
News for the 1.5.2 release
Encrypted private keys works again.
New client escape sequence RET ~ ?, which lists all available
escape sequences. Also fixed the werror functions so that they
use \r\n to terminate lines when writing to a tty in raw mode.
Implemented handling of multiple --interface options to lshd.
As a side effect, The -p option must now be given before
--interface to have any effect.
Connecting to machines with multiple IP-adresses is smarter,
it connects to a few addresses at a time, in parallel.
Fixed a file descriptor leak in the server tcpip forwarding
code.
Lots of portability fixes.
News for the 1.5.1 release
Incompatible change to key format, to comply with the current
spki structure draft. You can use the script lsh-upgrade to
copy and convert the information in the old .lsh/known-hosts
to the new file .lsh/host-acls. The new code uses libspki.
Fixed IPv6 bug reported by Simon Kowallik.
lshd now does the equivalence of ulimit -n unlimited, this is
inherited by processes started upon client requests. If you
don't want this, you should use /etc/{profile,login,whatever}
to set limits for your users. Do note that PAM-based solutions
will NOT work as PAM is used from a separate process that
terminates as soon as the authentication is finished (this of
course goes for environment variables too).
lsh and and lshg now parses options from LSHFLAGS and
LSHGFLAGS, these are parsed before and can be overridden by
the command line.
News for the 1.5 release
Implemented the server side of X11 forwarding. Try lshd
--x11-forward. There's one known bug: The server may start
sending data on the session channel (typically your first
shell prompt) before it has sent the reply to the client's
"shell" or "exec" request. lsh will complain about, and ignore
that data.
As part of the X11 hacking, the socket code have been
reorganized.
Deleted one of the ipv6 configure tests. Now lsh will happily
build ipv6 support even if ipv6 is not available at run-time
on the build machine.
Fixed bug preventing -c none from working.
Another bug fix, call setsid even in the non-pty case.
Various bug fixes.
|
|
|
|
We don't need this any longer -- it's now default.
|
|
|
|
|
|
|
|
services even if they are not listening on the default port by creating
a bogus-communication.
This is amap-5.0
|
|
|
|
following GNUPG recomendations: "Note that GnuPG 1.4 and 1.9 are not yet
in sync and thus features and bug fixes done in 1.4 are not available
in 1.9. *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may
be installed simultaneously."
|
|
GnuPG 1.9 is the development version of GnuPG; it is based on some old
GnuPG 1.3 code and the previous NewPG package. It will eventually
lead to a GnuPG 2.0 release. Note that GnuPG 1.4 and 1.9 are not yet
in sync and thus features and bug fixes done in 1.4 are not available
in 1.9. *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may
be installed simultaneously.
You should use GnuPG 1.9 if you want to use the gpg-agent or gpgsm
(the S/MIME variant of gpg). The gpg-agent is also helpful when using
the stable gpg version 1.4 (as well as the old 1.2 series).
This is mainly a bug fix release but comes with some new features as
well:
* gpg-agent does now support the ssh-agent protocol and thus allows
to use the pinentry as well as the OpenPGP smartcard with ssh.
* New tool gpg-connect-agent as a general client for the gpg-agent.
* New tool symcryptrun as a wrapper for certain encryption tools.
* The gpg tool is not anymore build by default because those gpg
versions available in the gnupg 1.4 series are far more matured.
|
|
|
|
for S/MIME capability involving gnupg-devel and dirmngr also. The
changes to this pkg are bug fixes.
|
|
package. Also please pkglint. Changes in heimdal 0.6.4 include:
* fix vulnerabilities in telnet
* rshd: encryption without a separate error socket should now work
* telnet now uses appdefaults for the encrypt and forward/forwardable
settings
* bug fixes
|
|
|
|
|
|
OWN_DIRS was incorrectly used (did not work when PKG_CONFIG=no).
INSTALLATION_DIRS creates the directories now and the PLIST removes them.
Needs at least net/p5-Net-DNS 0.44 (see changes below).
--
Changes since 0.11
==================
FEAT: Added utility function key_difference() to Net::DNS::SEC. See
perlpod for details. I needed this in other software and
figured they are generic enough to make them available
through this module.
FEAT: Modified some functions to use DNSKEY and RRSIG instead off
KEY and SIG.
- Net::DNS::Keyset now uses DNSKEY and RRSIG.
- the demo function getkeyset.pl now uses DNSKEY too.
FEAT: Added the possibility to create a keyset out of two arrays of
dnskey and rrsig object.
FEAT: Added some helperfunctions to Net::DNS::SEC::Private to read X509
formated private keys and dump them into bind format.
This functionality has not been tested well.
BUG : When reading a RRSIG from a packet the signame would not have
a trailing dot.
FEAT: Removed critical dependency on bubblebabble. It is available to
DS if installed but not critically dependend.
BUG: - Fixed minor in signing unknown RR types.
FEAT: - Prelimanary support for draf-ietf-dnssec-nsec-rdata-02. This
depends on support for unknown RR types (Net::DNS version
0.44)
FEAT: - To be able to deal with argument supplied as either mnemonics or
by value the Net::DNS::SEC::argument method was created. It can
be used as a class method but it is also inherited by
Net::DNS::RR::RRSIG and Net::DNS::RR::DNSKEY.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
On NetBSD, there's a more elegant way using PAM nowadays, too.
Ok'd by wennmach@.
|
|
|
