Age | Commit message | Author | Files | Lines |
* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should
use keys specified in ssh_config, rather than any keys in ssh-agent(1)
* Make sshd(8) re-execute itself on accepting a new connection. This security
measure ensures that all execute-time randomisations are reapplied for each
connection rather than once, for the master process' lifetime. This includes
mmap and malloc mappings, shared library addressing, shared library mapping
order, ProPolice and StackGhost cookies on systems that support such things
* Add strict permission and ownership checks to programs reading ~/.ssh/config
NB ssh(1) will now exit instead of trying to process a config with poor
ownership or permissions
* Implemented the ability to pass selected environment variables between the
client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in
ssh_config(5) for details
* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum
number of authentication attempts permitted per connection
* Added support for cancellation of active remote port forwarding sessions.
This may be performed using the ~C escape character, see "Escape Characters"
in ssh(1) for details
* Many sftp(1) interface improvements, including greatly enhanced "ls" support
and the ability to cancel active transfers using SIGINT (^C)
* Implement session multiplexing: a single ssh(1) connection can now carry
multiple login/command/file transfer sessions. Refer to the "ControlMaster"
and "ControlPath" options in ssh_config(5) for more information
* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)
* Portable OpenSSH: Re-introduce support for PAM password authentication, in
addition to the keyboard-interactive driver. PAM password authentication
is less flexible, and doesn't support pre-authentication password expiry but
runs in-process so Kerberos tokens, etc are retained
* Improved and more extensive regression tests
* Many bugfixes and small improvements
|
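The strict ownership and permission check on ~/.ssh/config described in the OpenSSH notes above, reimplemented as an added Python example (this is not OpenSSH's own code). It applies the rule ssh(1) enforces: the file must be owned by the invoking user or by root, and must not be writable by group or others. The function names and the constructed temporary config file are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def config_permissions_ok(path, uid=None):
    """Return (ok, reason) for a client config file.

    Hypothetical helper mirroring the documented ssh(1) rule:
      - owner must be the invoking user or root (uid 0)
      - mode must not have group- or other-write bits set (mode & 0o022)
    """
    if uid is None:
        uid = os.getuid()
    st = os.stat(path)
    if st.st_uid not in (0, uid):
        return False, "bad owner: file owned by uid %d, not uid %d or root" % (st.st_uid, uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o022:
        return False, "bad permissions: mode %o is group- or world-writable" % mode
    return True, "ok"


def demo():
    """Constructed sample: the same config file with a safe and an unsafe mode.

    Returns (ok_with_0600, ok_with_0666); a client following the rule would
    load the first and refuse to process the second.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config")
        with open(path, "w") as fh:
            fh.write("Host example\n    IdentitiesOnly yes\n")  # constructed content
        os.chmod(path, 0o600)
        good, _ = config_permissions_ok(path)
        os.chmod(path, 0o666)   # world-writable: anyone could inject options
        bad, reason = config_permissions_ok(path)
        return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is the case the release note warns about: rather than silently honouring a config that another local user could have edited, the client exits, so a monitoring script that replicates this rule can flag such files before users hit the new hard failure.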
- SECURITY: Don't try to free() uninitialised variables in DSS verification
code. Thanks to Arne Bernin for pointing out this bug. This is possibly
exploitable, all users with DSS and pubkey-auth compiled in are advised to
upgrade.
- Clean up agent forwarding socket files correctly, patch from Gerrit Pape.
- Don't go into an infinite loop when portforwarding to servers which don't
send any initial data/banner. Patch from Nikola Vladov
- Fix for network vs. host byte order in logging remote TCP ports, also
from Gerrit Pape.
- Initialise many pointers to NULL, for general safety. Also checked cleanup
code for mp_ints (related to security issues above).
|
directory. Bump PKGREVISION to 4. From Ryo HAYASAKA in PR pkg/26808.
|
intended transformation: use "rm" to remove an option, "rmdir" to remove
all options containing a path starting with a given directory name, and
"rename" to rename options to something else.
|
changes:
-bugfixes
-adds some limits to the verification functions to avoid denial of
service attacks
-selftests added
|
changes:
Several cleanups and Libgcrypt 1.2.0 adjustments.
|
which are the full option names used to set rpath directives for the
linker and the compiler, respectively. In places where we are invoking
the linker, use "${LINKER_RPATH_FLAG} <path>", where the space is
inserted in case the flag is a word, e.g. -rpath. The default values
of *_RPATH_FLAG are set by the compiler/*.mk files, depending on the
compiler that you use. They may be overridden on a ${OPSYS}-specific
basis by setting _OPSYS_LINKER_RPATH_FLAG and _OPSYS_COMPILER_RPATH_FLAG,
respectively. Garbage-collect _OPSYS_RPATH_NAME and _COMPILER_LD_FLAG.
|
* Updated the included gettext. This also fixes the installation
problem from 1.2.5
* Fixed a race condition possibly leading to deleted keys.
|
Fix build with recent libtool. Not bumping PKGREVISION, it's in the flow
of current PLIST fixes and such...
|
adds two new options, ldap and pam.
Changes:
* Sudo now supports storing sudoers info in LDAP (optionally using TLS).
* There is a new -e option to edit files with the uid of the invoking
user. This makes it possible to give users the ability to safely edit
files without the possibility of editing other files or running commands
as the target user. If sudo is run as "sudoedit" the -e flag is implied.
* A new tag, NOEXEC, will prevent a dynamically-linked program being run
by sudo from executing another program (think shell escapes). Because
this uses LD_PRELOAD it has no effect on static binaries.
* A uid specified in sudoers now matches the user specified by the -u flag
even if the -u flag specified a name, not a uid.
* Added a -i option to simulate an initial login similar to "su -".
* If sudo is used to run as root shell, further sudo commands will be logged
as run by the user specified by the SUDO_USER environment variable. In -e
mode (sudoedit), SUDO_USER is used to determine what user to run the editor
when the real uid is 0.
* The sudoers file is now parsed as the runas user in all cases instead of
root. This fixes some issues with running NFS-mounted commands.
* If the target user == invoking user a password is no longer required.
* Sudo now produces a sensible error message when the targetpw Defaults option
is set and a non-existent uid is specified via the -u option.
* A negated user/uid in a runas list is now treated the same as a negated
command and overrides a previously allowed entry.
* PAM support now uses pam_acct_mgmt() to check for disabled accounts.
* Added a check in visudo for runas_default being used before it was set.
* Fixed several issues when closing all open descriptors. Sudo now uses
closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists
with a fallback of closing all possible descriptors.
* Quoting globbing characters with a backslash now works as documented.
* Fixed a problem on FreeBSD (and perhaps others) when the user is only
listed in NIS (not master.passwd) and netgroups are used in the
master.passwd file.
* The username in a log entry is no longer truncated at 8 characters.
* Added a "sudo_lecture" option that can point to a file containing a
custom lecture.
* The timeout for password reading is now done via alarm(), not select().
* /tmp/.odus is no longer used for timestamps by default.
* Sudo now works on the nsr-tandem-nsk platform.
* Fixed the --with-stow configure option.
* TIS fwtk authentication now supports fwtk 2.0 and higher.
* Added Stan Lee / Uncle Ben quote to the lecture from RedHat.
* Added the --with-pc-insults configure to replace politically incorrect
insults with other ones.
|
into the bsd.options.mk framework. Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.
This fixes PR pkg/26590.
|
Noteworthy changes in version 0.9.0 (unreleased)
------------------------------------------------
* The type gpgme_key_t has now a new field keylist_mode that contains
the keylist mode that was active at the time the key was retrieved.
* The type gpgme_decrypt_result_t has a new field "wrong_key_usage"
that contains a flag indicating that the key should not have been
used for encryption.
* Verifying a signature of a revoked key gives the correct result now
(GPG_ERR_CERT_REVOKED error code).
* Clarified that the error code GPG_ERR_NO_DATA from the decrypt &
verify operations still allows you to look at the signature
verification result.
* Clarified that patterns in keylisting operations have an upper
limit, and thus are not suited to list many keys at once by their
fingerprint. Also improve the error message if the pattern is too
long for the CMS protocol to handle.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_key_t EXTENDED: New field keylist_mode.
gpgme_decrypt_result_t EXTENDED: New field wrong_key_usage.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Set the 0.9.0 versions as BUILDLINK_DEPENDS in the buildlink3.mk for the
library major version changes.
|
Noteworthy changes in version 0.4.7 (2004-04-29)
------------------------------------------------
* Correctly initialize the fields expired, revoked, invalid, and
disabled in the gpgme_key_t structures.
* A bug fix: The flag wrong_key_usage of gpgme_signature_t was
accidentally of type int instead of unsigned int.
Noteworthy changes in version 0.4.6 (2004-04-06)
------------------------------------------------
* Bug fixes
Noteworthy changes in version 0.4.5 (2004-03-07)
------------------------------------------------
* GPGME is now compiled with LFS (large file support) by default.
* New key listing mode GPGME_KEYLIST_MODE_VALIDATE for validation of
the listed keys.
* New interface gpgme_cancel() that can be used to cancel
asynchronous operations.
Noteworthy changes in version 0.4.4 (2004-01-12)
------------------------------------------------
* The member "class" in gpgme_key_sig_t and gpgme_new_signature_t has
been renamed to "sig_class", to avoid clash with C++ compilers. In
the C API, the old name "class" has been preserved for backwards
compatibility, but is deprecated.
|
- ok'ed snj@/wiz@
From the ChangeLog:
Supports open proxy detection.
High performance by using libevent.
|
- Replace SED with SUBST.*
- Improve DESCR
- ok'ed snj@/wiz@
From the Changelog:
Version 2.0.4:
--------------
More signatures.
Improved documentation, mentions of p0f_db, etc.
[BUG] Fixed a minor problem with installation on systems w/o /usr/man/.
[BUG] Fixed a DLT_NULL problem, added a new loopback signature.
Multiple timestamp options, timestamps now read from pcap dumps.
Sync with new Windows port code.
[BUG] Fixed one-line reporting for masquerade detection.
|
explicitly add only those plugins for SASL support for servers that
won't let us exclude any found SASL plugins. Also, don't bother
building the static library since the static library is useless until
the build mechanism is fixed by the Cyrus maintainers.
Bump the PKGREVISION.
|
- Add Python support
- Include an extra library on Linux to fix builds on some distros.
Last two issues submitted by Roland Illig in PR# 26620
|
Hydan steganographically conceals a message into an application. It
exploits redundancy in the i386 instruction set by defining sets of
functionally equivalent instructions. It then encodes information in
machine code by using the appropriate instructions from each set.
Features:
- Application filesize remains unchanged
- Message is blowfish encrypted with a user-supplied
passphrase before being embedded
- Encoding rate: 1/110
Primary uses for Hydan:
- Covert Communication: embedding data into binaries creates a
covert channel that can be used to exchange secret messages.
- Signing: a program's cryptographic signature can be embedded
into itself. The recipient of the binary can then verify
that it has not been tampered with (virus or trojan), and is
really from who it claims to be from. This check can be
built into the OS for user transparency.
- Watermarking: a watermark can be embedded to uniquely
identify binaries for copyright purposes, or as part of a DRM
scheme. Note: this usage is not recommended as Hydan
implements fragile watermarks.
|
same as Linux-PAM, but it's close enough for the purposes of compiling
programs.
|
Changes in 2.2.10:
A buffer overrun has been located in the code used to support
the 'mangling method = hash' smb.conf option. Affected Samba
2.2 installations can avoid this possible security bug by using
the hash2 mangling method. Server installations requiring
the hash mangling method are encouraged to upgrade to Samba v2.2.10
or v3.0.5.
Changes in 2.2.9:
This is a maintenance release of Samba 2.2.8a to address the
problem with user password changes after applying the Microsoft
hotfix described in KB828741 to Windows NT 4.0/200x/XP clients.
Also updated dependent packages pam-smbpass and winbind.
|
then we avoid hitting the disk if we don't need to.
|
is "/usr", what we really want to check is if the pam_appl.h header found
is within the ${LOCALBASE} hierarchy, which implies that it's a
pkgsrc-controlled file, and hence not built-in.
|
amavisd-new is an interface between message transfer agent (MTA) and
one or more content checkers, e.g. virus scanners, SpamAssassin, etc.
It is a performance-enhanced and feature-enriched version of amavisd
(which in turn is a daemonized version of AMaViS or amavis-perl).
amavisd-new is normally positioned at or near a central mailer, not
necessarily where user's mailboxes and final delivery takes place. If
you are looking for fully per-user configurable and/or low-message-rate
solution to be placed at the final stage of mail delivery (e.g. called
from procmail), there may be other solutions more appropriate for your
needs.
Package created and maintained by Julian Dunn in pkgsrc-wip.
|
can be used to create shared libraries _and_ be linked into a statically
linked program. Instead of trying to hack libtool to do this, just
accept the fact and do what you want another way!
Remove the ugly hack in sasldb/Makefile.am that regenerated the static
archive from the non-PIC object files. While this was fine for linking
into programs, it breaks things when you link this into the sasldb
plugin. Leaving it the other way, where the static archive from the
PIC object files, is also unacceptable because there are potential
problems on some platforms when linking an archive of PIC objects
into an executable. The solution: let the static archive contain PIC
objects and be used to link into the sasldb plugin, but for the programs
in the utils directory, explicitly add the non-PIC object files listed
in $(SASL_DB_BACKEND_STATIC) to the files used to generate the programs.
This is easy because SASL_DB_BACKEND_STATIC is already generated
properly by config/sasldb.m4, so make use of it.
This should fix problems with using Cyrus SASL on non-i386 platforms
noted in PR pkg/26492 by Matt Dainty. Bump the PKGREVISION.
|
that /usr/include/security/pam_appl.h means that PAM is builtin.
(This is so a dependency can be registered correctly.)
|