Age | Commit message (Collapse) | Author | Files | Lines |
|
Some pkg related changes by me.
Changes since 1.0.4:
* WARNING: The semantics of --verify have changed to address a
problem with detached signature detection. --verify now ignores
signed material given on stdin unless this is requested by using
a "-" as the name for the file with the signed material. Please
check all your detached signature handling applications and make
sure that they don't pipe the signed material to stdin without
using a filename together with "-" on the the command line.
* WARNING: Corrected hash calculation for input data larger than
512M - it was just wrong, so you might notice bad signature in
some very big files. It may be wise to keep an old copy of
GnuPG around.
* Secret keys are no longer imported unless you use the new option
--allow-secret-key-import. This is a kludge and future versions will
handle it in another way.
* New command "showpref" in the --edit-key menu to show an easier
to understand preference listing.
* There is now the notation of a primary user ID. For example, it
is printed with a signature verification as the first user ID;
revoked user IDs are not printed there anymore. In general the
primary user ID is the one with the latest self-signature.
* New --charset=utf-8 to bypass all internal conversions.
* Large File Support (LFS) is now working.
* New options: --ignore-crc-error, --no-sig-create-check,
--no-sig-cache, --fixed_list_mode, --no-expensive-trust-checks,
--enable-special-filenames and --use-agent. See man page.
* New command --pipemode, which can be used to run gpg as a
co-process. Currently only the verification of detached
signatures are working. See doc/DETAILS.
* Rewritten key selection code so that GnuPG can better cope with
multiple subkeys, expire dates and so. The drawback is that it
is slower.
* A whole lot of bug fixes.
* The verification status of self-signatures are now cached. To
increase the speed of key list operations for existing keys you
can do the following in your GnuPG homedir (~/.gnupg):
$ cp pubring.gpg pubring.gpg.save && $ gpg --export-all >x && \
rm pubring.gpg && gpg --import x
Only v4 keys (i.e not the old RSA keys) benefit from this caching.
* New translations: Estonian, Turkish.
|
|
several new viruses.
|
|
|
|
|
|
conditional patch hack.
|
|
|
|
|
|
are included.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
replace security/py-crypto (which isn't python-2.0-ready, and failed the
last dozen bulk builds for that reason).
Some help provided by Ty Sarna -- thanks!
|
|
Fixes bulk build problem.
|
|
dependency from libperl-5.* to libperl>=${PERL5_REQD}.
|
|
both the original MASTER_SITE and the Austrian ftp.netbsd.org mirror
matched the MD5 recorded for the package.
|
|
|
|
|
|
Network Traffic Meter - the implementation of the
Internet Accounting Architecture (RFC 2063 and RFC 2064).
Fixes pkg/12647 by Dave Burgess <burgess@neonramp.com>
|
|
Fix a problem which occurs if the vulnerability list does not already exist.
This fixes PR 12763 from Brian de Alwis (bsd@cs.ubc.ca), albeit in a
slightly different manner. (I also added a check for the existence of
the new vulnerabilities file, in case it was not downloaded for some
reason).
|
|
Incorporates the following changes from Anne Bennett
(anne@alcor.concordia.ca) in PR 12538:
(1) Running download-vulnerability-list as it stands from cron will
spam the sysadmin with ftp output. Easy to fix: redirect output
to /dev/null as per the example in pkg/MESSAGE. Problem: now
we lose some error messages as well. Patch: make sure error
complaints in that script are spouted to STDERR, not STDOUT.
(3) Minor readability issue: set the source location for the
vulnerability list in a variable at the top of the script.
(4) PR 12457 reported that audit-packages complained spuriously
when the vulnerability list had not been updated in over a
week, and suggested touching it as a solution. This loses
the information of when the file was really last updated.
I'd prefer to always "mv" the new file into place, and use
mtime instead of ctime in the file freshness test.
I did this part of the PR differently, as I was worried about
incomplete vulnerability lists being downloaded, and overwriting an
existing vulnerability list:
(2) ftp failure in download-vulnerability-list is not being detected
properly by the current "${FETCH_CMD} .. || (complain; exit 1)"
test. Patch: test for a non-zero vulnerability file instead.
Don't forget to remove any zero-length droppings, if any.
We know that the vulnerability list size will increase, and not
decrease, so test the size of the newly-downloaded file. If the new
file is smaller than the existing file, then a bad transfer has taken
place - log this fact, and remove the new list.
|
|
should fix brokenness in bulk-builds. As usual, changes include the
detection of several new viruses.
|
|
is not available in *BSD integrated KAME IPsec tree.
|
|
|
|
|
|
Wed Apr 11 18:52:26 JST 2001 sakane@ydc.co.jp
* racoon:
Supported to get a certificate from DNS CERT RR.
Also getcertsbyname() is implemented In order to get CERT RRs.
This function can use lwres.a if HAVE_LWRES is defined when racoon
is compiled.
XXX need more local test and interoperability test.
XXX should be arranged too many certificate stuff in racoon.conf.
2001-04-10 Jason R. Thorpe <thorpej@zembu.com>
* racoon/pfkey.c: pk_recvacquire(): Make sure the phase1
and phase2 handlers are unbound before the phase 2 handler
is deleted.
* racoon/isakmp.c: ph1_main(), quick_main(): Add the message
to the received-list before processing to ensure the packet
isn't processed twice in case of an error.
isakmp_post_acquire(): Don't unbind the phase1/phase2 handlers;
let the caller do it.
isakmp_newcookie(): Plug memory leaks.
From George Yang <gyang@zembu.com>.
* racoon/ipsec_doi.c: get_ph2approvalx(): When we find a
matching saprop, make sure to flushsaprop(pr0), as the returned
saprop is a copy. Fixes a memory leak.
From George Yang <gyang@zembu.com>.
* racoon/isakmp_quick.c: quick_r2send(): Make sure to vfree(data)
if we fail to allocate a new body. Fixes a memory leak.
From George Yang <gyang@zembu.com>.
Fri Apr 6 23:25:19 JST 2001 sakane@ydc.co.jp
* racoon:
implemented to generate the policy in the responder side automatically.
If the responder does not have any policy in SPD during phase 2
negotiation, and the directive is set on, then racoon will choice
the first proposal in the SA payload from the initiator, and generate
policy entries from the proposal. This function is for the responder,
and ignored in the initiator case.
XXX should be checked tunnel mode case.
2001-04-04 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Add support for the Dmalloc debugging malloc
library. This library gives very nice memory usage
statistics and leak information.
Wed Apr 4 22:47:27 JST 2001 sakane@ydc.co.jp
* racoon:
support scopeid. base code was from <Francis.Dupont@enst-bretagne.fr>.
it should be considered more.
2001-04-03 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Better integration of debugging malloc libraries.
Use wrapper macros (racoon_{malloc,calloc,free,realloc}())
so that debugging malloc implementations can get file/line
info, and also put traditional malloc/calloc/free/realloc
stubs in the main program so that libraries linked with
racoon get the debugging allocators, as well.
2001-03-26 Jason R. Thorpe <thorpej@zembu.com>
* racoon/isakmp_ident.c: ident_ir2sendmx(): plug memory
leak -- gsstoken wasn't being freed at function exit.
2001-03-26 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Changes to Vendor ID payload handling. Determine
which VID we will send on a per-proposal basis; we may need
to send a different one for each proposal depending on the
proposal contents (e.g. GSSAPI auth method). We no longer
set the Vendor ID in the localconf.
When matching the Vendor ID in check_vendorid(), use a table
of known Vendor IDs, and return the index, and maintain a list
of extensions that vendors implement (e.g. GSSAPI auth method).
XXX We have a slight hack to recognize the Windows 2000 Vendor
ID. Need to clarify with the Microsoft IPsec guys.
In Aggressive Mode, as responder, when sending first
response, make sure to include a Vendor ID payload.
In Main Mode, as responder, when sending first response,
make sure to include a Vendor ID payload.
XXX Still more Vendor ID processing fixes to go. And
GSSAPI auth doesn't interoperate with Windows 2000 yet.
Thu Mar 22 08:06:30 JST 2001 sakane@ydc.co.jp
* racoon:
fixed to parse modp1536 of DH group. reported by <shigeru@iij.ad.jp>
Thu Mar 22 04:56:57 JST 2001 sakane@ydc.co.jp
* racoon/policy.c:
fixed to compare between policies when the responder decides to
accept the proposal or not. the upper layer protocol is represented
by 0 in ID payload.
Thu Mar 22 01:45:32 JST 2001 sakane@ydc.co.jp
* racoon:
fixed potencial of a buffer overrun when adding a ID payload to
the ISAKMP payload. It happened when policy is both to use IPSec
transport mode and not to specify a transport protocol.
reported by <cs@purdue.edu>.
Thu Mar 15 20:39:03 JST 2001 sakane@ydc.co.jp
* racoon:
- fixed a phase 2 handler deletion. racoon will delete a phase2
handler immediately when hard lifetime expires.
- check a unit of the timer in the configuration file.
2001-03-06 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/schedule.c: Implement sched_scrub_param(),
which kills all scheduler work queue entries which a
specified parameter.
* kame/racoon/handler.c: Use sched_scrub_param() to make
sure no references to a handler exist when it is freed.
2001-03-05 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/gssapi.c: Use GSS_C_MECH_CODE when reporting
GSSAPI errors.
2001-03-05 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/handler.c: Implement deleteallph2(), which
deletes all Phase 2 handlers for a given src/dst/proto.
* kame/racoon/isakmp_inf.c: When processing INITIAL-CONTACT,
try to use the SADB_DELETE `delete all' extension and
deleteallph2() before doing it The Hard Way. For both The
Easy Way and The Hard Way, make sure we only delete SAD entries
for SATYPEs that we manage.
* kame/racoon/pfkey.c: Use a table of SATYPEs that we manage,
and use that table to initialize our PF_KEY state.
Thu Feb 22 10:08:27 JST 2001 sakane@ydc.co.jp
* racoon:
fixed to check the outbound policy when the responder received the
1st packet in phase 2. the tunnel mode and the transport specified
the pair of IP addresses of the end of the SA had failed.
|
|
|
|
run "make makepatchsum", so that patch digests get calculated properly.
!!!This needs to be fixed properly to fit in with pkgsrc infrastructure.!!!
|
|
+ move the patch digest/checksum values from files/patch-sum to distinfo
|
|
base system
|
|
cyrus-imapd. kth-krb4 thus no longer conflicts with cyrus-imapd.
|
|
Detected by pkgconflict.
|
|
0.08 2001/04/12
* Fixing IV length.
Stefan H. Holek <stefan@epy.co.at>
disastry@saiknes.lv
* Skipping the tail of armor.
Stefan H. Holek <stefan@epy.co.at>
|
|
From Lex Wennmacher's pkgconflict results.
|
|
|
|
applications again.
- Fix patch sum for Solaris.
|
|
in PR pkg/12569.
Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
o Some documentation for BIO and SSL libraries.
o Enhanced chain verification using key identifiers.
o New sign and verify options to 'dgst' application.
o Support for DER and PEM encoded messages in 'smime' application.
o New 'rsautl' application, low level RSA utility. [*]
o MD4 now included.
o Bugfix for SSL rollback padding check.
o Support for external crypto devices [1].
o Enhanced EVP interface.
[1] The support for external crypto devices is currently a separate
distribution. See the file README.ENGINE.
[*] Not installed with the package.
|
|
that USE_PERL implies, as the core functionality of this package does not
depend on perl. The user can always install perl later, to format the "pod"
docs or to run the installed scripts.
|
|
416) Fix negation of path-type Defaults entries in a boolean context.
|
|
o fix for address generation problems for networks with more than 64,000 adresses
o new option that causes a different log message on the scanned machines.
|
|
|
|
|
|
|
|
0.07 2001/04/05
* New scheme to handle partial bodies.
* Sophisticated buffering mechanism. No temporary files are created.
* Creating pgpdump.1.
Stefan H. Holek <stefan@epy.co.at> kindly contributes the followings:
* Fixed keyserver preferences (can be >1 octet)
* Changed display of time fields to include timezone information
* Added -u flag to display time fields in UTC instead of the local
timezone (PGP time fields == seconds since 00:00:00, January 1,
1970, UTC)
* Fixed key and signature expiration time calculations
(expiration time == seconds since creation time)
* Added capability to read from stdin when no file is specifed on the
commandline
* Implemented missing subpackets
- revocation_key
- reason_for_revocation
- key_flags
- signer_user_id (not tested)
- notation_data (not tested)
|
|
Pointed out in PR 12546 by Martti Kuparinen <martti.kuparinen@iki.fi>
|
|
openbsd sbin/isakmpd/x509.c 1.46 -> 1.47
|
|
(isakmpd-20010403.tar.gz is placed into ftp.netbsd.org LOCAL_PORTS directory).
major changes from source-changes@openbsd mailing list:
use the hash algorithm found in original certificate for the signature
after it has been patched. from angelos@
For the GETSPI PFKEY message, use the sequence number from the ACQUIRE
message.
Make DES a feature, so isakmpd can compile on Linux (most of the fixed
by newsham@lava.net)
x509 verified to work on NetBSD now
|