Age | Commit message | Author | Files | Lines |
|
|
for his ne7ssh package. As discussed on pkgsrc-wip-discuss
list.
|
|
Relevant changes since version 1.1:
===================================
No useful list of changes provided. "diff" shows mainly internal cleanup.
|
|
interested.
|
|
Changes since version 1.02:
======================================
There is no list of changes. Changes I found so far:
- Used htons() from netinet/in.h to simplify handling of different endianness
between platforms.
- Some changes in test.pl
|
|
Relevant changes since version 2.03:
====================================
des.h was renamed to _des.h in an attempt to solve the build-on-Solaris
problem.
all references to des_ were changed to _des_ since the 2.04 release didn't
seem to fix the problem on Solaris.
|
|
Relevant changes since version 1.02:
=====================================
1.03 22 May 2005
- make it work in taintmode
|
|
Relevant changes since version 1.13:
====================================
- fixed circular reference between Crypt::Random and Crypt::Random::Generator
causing 'Undefined subroutine' errors.
- Made "forbidden division t_REAL % t_INT" error disappear.
- Workaround for Math::Pari's serialization problem.
- Added a Uniform option to makerandom() and makerandom_itv() that
doesn't set the high bit of the generated random, and produces
a number uniformly distributed in the interval. Thanks to Len
Budney for pointing this out.
|
|
Relevant changes since version 2.08:
=====================================
- RandomIV in message header overrides manually-supplied -salt, as one
would expect it should.
- Added OpenSSL compatibility
- Salt and IV generators take advantage of /dev/urandom device, if available
- Added regression test for PCBC mode
- Fixed bug reported by Joshua Brown that caused certain length
strings to not encrypt properly if ending in a "0" character.
- Fixed Rijndael compat problems
|
|
From Jason White via PR pkg/32780
Changes:
Security bugs resolved in this release:
* CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
subshell to perform local to local, and remote to remote copy
operations. This subshell exposed filenames to shell expansion
twice; allowing a local attacker to create filenames containing
shell metacharacters that, if matched by a wildcard, could lead
to execution of attacker-specified commands with the privilege of
the user running scp (Bugzilla #1094)
This is primarily a bug-fix release, only one new feature has been
added:
* Add support for tunneling arbitrary network packets over a
connection between an OpenSSH client and server via tun(4) virtual
network interfaces. This allows the use of OpenSSH (4.3+) to create
a true VPN between the client and server providing real network
connectivity at layer 2 or 3. This feature is experimental and is
currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
FreeBSD. Other operating systems with tun/tap interface capability
may be added in future portable OpenSSH releases. Please refer to
the README.tun file in the source distribution for further details
and usage examples.
Some of the other bugs resolved and internal improvements are:
* Reduce default key length for new DSA keys generated by ssh-keygen
back to 1024 bits. DSA is not specified for longer lengths and does
not fully benefit from simply making keys longer. As per FIPS 186-2
Change Notice 1, ssh-keygen will refuse to generate a new DSA key
smaller or larger than 1024 bits
* Fixed X forwarding failing to start when the X11 client is executed
in background at the time of session exit (Bugzilla #1086)
* Change ssh-keygen to generate a protocol 2 RSA key when invoked
without arguments (Bugzilla #1064)
* Fix timing variance for valid vs. invalid accounts when attempting
Kerberos authentication (Bugzilla #975)
* Ensure that ssh always returns code 255 on internal error (Bugzilla
#1137)
* Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)
* Set SO_REUSEADDR on X11 listeners to avoid problems caused by
lingering sockets from previous session (X11 applications can
sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)
* Ensure that fds 0, 1 and 2 are always attached in all programs, by
duping /dev/null to them if necessary.
* Xauth list invocation had bogus "." argument (Bugzilla #1082)
* Remove internal assumptions on key exchange hash algorithm and output
length, preparing OpenSSH for KEX methods with alternate hashes.
* Ignore junk sent by a server before it sends the "SSH-" banner
(Bugzilla #1067)
* The manpages have been significantly improved and rearranged, in
addition to other specific manpage fixes:
#1037 - Man page entries for -L and -R should mention -g.
#1077 - Descriptions for "ssh -D" and DynamicForward should mention
they can specify "bind_address" optionally.
#1088 - Incorrect descriptions in ssh_config man page for
ControlMaster=no.
#1121 - Several corrections for ssh_agent manpages
* Lots of cleanups, including fixes to memory leaks on error paths
(Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)
* Portable OpenSSH-specific fixes:
- Pass random seed during re-exec for each connection: speeds up
processing of new connections on platforms using the OpenSSH's
builtin entropy collector (ssh-rand-helper)
- PAM fixes and improvements:
#1045 - Missing option for ignoring the /etc/nologin file
#1087 - Show PAM password expiry message from LDAP on login
#1028 - Forward final non-query conversations to client
#1126 - Prevent user from being forced to change an expired
password repeatedly on AIX in some PAM configurations.
#1045 - Do not check /etc/nologin when PAM is enabled, instead
allow PAM to handle it. Note that on platforms using
PAM, the pam_nologin module should be used in sshd's
session stack in order to maintain past behaviour
- Portability-related fixes:
#989 - Fix multiplexing regress test on Solaris
#1097 - Cross-compile fixes.
#1096 - ssh-keygen broken on HPUX.
#1098 - $MAIL being set incorrectly for HPUX server login.
#1104 - Compile error on Tru64 Unix 4.0f
#1106 - Updated .spec file and startup for SuSE.
#1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
compilation problems on glibc 2.4
|
|
Change MAINTAINER to tech-pkg. Stop using PKGREVISION in DISTNAME.
Notable changes include:
* Postfix config has been changed so TLS is not used internally, that is
when communicating with scan-mail.pl. TLS can nevertheless be used
when communicating with the outside world on port 25.
* f-protd has been tweaked for better performance
* A bug in f-protd when using the 'id=' argument was fixed
* A format string bug in f-protd which could cause malformed xml report
was fixed
* f-prot-milter's logging changed to facilitate more useful error logs
* Fixed startup/shutdown routine for f-prot-milter in scan-mail.pl
* .wmf scanning improved
* A bug in the .hqx scanner on x86 cpu's was fixed
* A bug in the .msl scanner was fixed
* Fixed a bug in .cab and lzh handling
* A race issue with OLE documents was fixed.
|
|
on DragonFly. Bump revision.
|
|
fixes possible DOS (crash by invalid DER input) "GNUTLS-SA-2006-1"
|
|
- Only send TLS alert if there is one queued, fix a possible crash.
- Emit warning if prelude-failover problem arises.
- Improve error handling.
- Improve db plugin log option, "-" now means stdout.
- Various bug fixes.
|
|
- Fix for filtering IDMEF field using the '!=' operator, which resulted in
filtering of events where the field did not exist (#129).
- Implement a "move" command in preludedb-admin.
- When SQL query logging is enabled, log the time taken to execute the query.
- Improve plugin API by making it opaque so that existing plugins don't break
if we add more SQL plugin functions.
- Verbose error reporting, make the plugin error API viable for more drivers.
- Fix error reporting from perl and python bindings.
- Make libpreludedb header files c++ compiler friendly.
- Enforce listed IDMEF value ordering. IDMEF values were sometimes unordered
because of an uninitialized list position problem.
|
|
- More TLS cleanup.
- Application can now report error without using specific prelude_client
error reporting function.
- More work and improved verbose error reporting.
- Fix compilation problem with prelude_error_is_verbose() (#130).
Compilation problem on NetBSD 1.6 and OpenBSD has been fixed so patch-ad
is deleted.
|
|
http://www.pdc.kth.se/heimdal/advisory/2006-02-06/
Changes in Heimdal 0.7.2
* Fix security problem in rshd that enables an attacker to overwrite
and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash
in a NULL de-reference before the user logged in, resulting in inetd
turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
exists in the keytab before returning success. This allows servers
to check if it's even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly
uses subkey for sending for compatibility reasons, this will change
in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and
successful logins.
* Bug fixes
|
|
ENOTSUP is not defined.
|
|
Botan (formerly OpenCL) aims to be a portable, easy to use, and efficient
C++ crypto library. It currently supports the following algorithms:
Public Key Algorithms: Diffie-Hellman, DSA, ElGamal, Nyberg-Rueppel,
Rabin-Williams, RSA
Block Ciphers: Blowfish, CAST256, CAST5, CS-Cipher, DES, GOST, IDEA,
Lion, Luby-Rackoff, MISTY1, RC2, RC5, RC6, Rijndael, SAFER-SK128,
Serpent, SHARK, Skipjack, Square, TEA, Threeway, Twofish, XTEA
Stream Ciphers: ARC4, ISAAC, SEAL
Hash Functions: HAVAL, MD2, MD4, MD5, RIPEMD-128, RIPEMD-160, SHA-1,
SHA2-256, SHA2-512, Tiger, Whirlpool
MACs: EMAC, HMAC, MD5-MAC, ANSI X9.19 MAC
Misc: Adler32, CRC24, CRC32, Randpool, X9.17 RNG
Cipher Modes: CBC w/ Padding, CTS, CFB, OFB, Counter
Packaged by Aleksandar Simic <asimic@gmail.com>.
|
|
> -server implementation development. I won't document it before it even works.
> -small bug corrected when connecting to sun ssh servers.
> -channel weirdness corrected (writing huge data packets)
> -channel_read_nonblocking added
> -channel bug where stderr wasn't correctly read fixed.
> -sftp_file_set_nonblocking added. It's now possible to have nonblocking SFTP IO
> -connect_status callback.
> -priv.h contains the internal functions, libssh.h the public interface
> -options_set_timeout (thx marcelo) really working.
> -tcp tunneling through channel_open_forward.
> -channel_request_exec()
> -channel_request_env()
> -ssh_get_pubkey_hash()
> -ssh_is_server_known()
> -ssh_write_known_host()
> -options_set_ssh_dir
> -how could this happen ! there weren't any channel_close !
> -nasty channel_free bug resolved.
> -removed the unsigned long all around the code. use only u8,u32 & u64.
> -it now compiles and runs under amd64 !
> -channel_request_exec()
> -channel_request_env()
> -ssh_get_pubkey_hash()
> -ssh_is_server_known()
> -ssh_write_known_host()
> -options_set_ssh_dir
> -how could this happen ! there weren't any channel_close !
> -nasty channel_free bug resolved.
> -removed the unsigned long all around the code. use only u8,u32 & u64.
> -it now compiles and runs under amd64 !
> -channel_request_pty_size
> -channel_change_pty_size
> -options_copy()
> -ported the doc to an HTML file.
> -small bugfix in packet.c
> -prefixed error constants with SSH_
> -sftp_stat, sftp_lstat, sftp_fstat. thanks Michel Bardiaux for the patch.
> -again channel number mismatch fixed.
> -fixed a bug in ssh_select making the select fail when a signal has been caught.
> -keyboard-interactive authentication working.
|
|
> Release 5.2
> ###########
> * Again again some fixes for the ssh2 module. This is the last try. If it
> finally does not work reliably, I am throwing out that library!
> Thanks to bykhe@mymail.ch for the patch
> * Added a new module: VMWare-Auth! Thanks to david.maciejak@gmail.com!
>
>
> Release 5.1
> ###########
> * Again some fixes for the ssh2 module. Sorry. And still it might not work
> in all occasions. The libssh is not as mature as we all wish it would be :-(
> * HYDRA_PROXY_AUTH was never used ... weird that nobody reported that. fixed.
> * Fixed bug in the base64 encoding function
> * Added an md5.h include which is needed since openssl 0.9.8
> * Added an enhancement to the FTP module, thanks to piotr_sobolewski@o2.pl
> * Fixed a bug when not using passwords and just -e n/s
>
>
> Release 5.0
> ###########
> ! THIS IS A THC - TAX - 10TH ANNIVERSARY RELEASE ! HAVE FUN !
> * Incredible speed-up for most modules :-)
> * Added module for PC-Anywhere, thanks to david.maciejak(at)kyxar.fr!
> * Added module for SVN, thanks to david.maciejak(at)kyxar.fr!
> * Added --disable-xhydra option to configure, thanks to
> david.maciejak(at)kyxar.fr!
> - he is becoming the top supporter :-)
> * Added module for SIP (VoIP), thanks to gh0st(at)staatsfeind.org
> * Added support for newer sap r/3 rfcsdk
> * Added check to the telnet module to work with Cisco AAA
> * Fix for the VNC module, thanks to xmag
> * Small enhancement to the mysql plugin by pjohnson(at)bosconet.org
>
>
> Release 4.7
> ###########
> * Updated ssh2 support to libssh v0.11 - you *must* use this version if
> you want to use ssh2! download from http://www.0xbadc0de.be/?part=libssh
> This hopefully fixes problems on/against Sun machines.
> After fixing, I also received a patch from david maciejak - thanks :-)
> * Added an attack module for rlogin and rsh, thanks to
> david.maciejak(at)kyxar.fr!
> * Added an attack module for the postgres database, thanks to
> diaul(at)devilopers.org! (and again: david maciejak sent one in as well)
> * JoMo-Kun sent in an update for his smbnt module. cool new features:
> win2k native mode, xp anonymous account detection, machine name as password
> * Hopefully made VNC 3.7 protocol versions to work. please report.
> * Switched http and https service module to http-head, http-get and
> https-get, https-head. Some web servers want HEAD, others only GET
> * An initial password for cisco-enable is now not required anymore. Some
> people had console access without password, so this was necessary.
> * Fixed a bug in xhydra which did not allow custom ports > 100
> ! Soon to come: v5.0 - some cool new features to arrive on your pentest
> machine!
|
|
Remove obsolete ssh2-nox11 package.
Replaces PR 32716 by Tracy Di Marco White.
|
|
from working.
|
|
- prelude-manager has been updated to check the loaded revocation
list, if available. This was needed since the recent prelude-adduser
addition allowing to create analyzer revocation list.
- Remove line size limitation on specified IDMEF-criteria.
- Remove all ancillary groups as well as setgid-ing.
- Fix idmef-criteria-filter option conflict.
- Fix a possible crash if no listen address is specified, but a
reverse relay is used.
- Much better error reporting.
Prelude-Manager is a high availability server that accepts secured
connections from distributed sensors or other managers and saves
received events to a media specified by the user (database, logfile,
mail, etc).
|
|
- More accurate error reporting in preludedb-admin.
- Fix NULL error in case the buffer is too small, truncate.
- Fix license notice, stating clearly that linking from a program
using a GPL compatible license is allowed. Required for Debian package
inclusion.
The PreludeDB Library provides an abstraction layer upon the type and
the format of the database used to store IDMEF alerts.
|
|
- Get rid of the 1024 characters per line limitation (defined as per
the syslog RFC), since LML is not limited to parsing input from syslog
anymore.
- Handle events in Clamav logging format as well as syslog.
- Abstracted Squid chain regex to allow parsing of data directly
from Squid log files.
- Introduced support for openhostapd.
- Began expanding rulesets with additional_data and vendor-specific
classification data.
- Various ruleset updates and bug fixes.
Prelude-LML is a signature based log analyzer monitoring logfile and
received syslog messages for suspicious activity. It handles events
generated by a large set of components, including but not limited to:
BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nokia ipso,
Nagios, Norton Antivirus Corporate Edition, NTsyslog, PAM, Portsentry,
Postfix, Proftpd, ssh, etc.
|
|
- Some useful API addition.
- Much improved, verbose error reporting.
- Cleaned up TLS handling, various bugfix.
- In case an error occurs when verifying the peer certificate,
notify the peer about the failure.
The Prelude Library is the glue that binds all aspects of Prelude
together. It is a library which enables Prelude components to
communicate with the Prelude Manager. It also makes it easy for third
party software to be made 'Prelude Aware' (able to communicate with
Prelude components). It provides common, useful features used by every
sensor.
|
|
to conditionalize it for OpenSSL 0.9.8 and newer.
|
|
* Bug fixes
|
|
prelude-manager, and py-prewikka.
|
|
sensors, managers, and a display console. This
is the display console.
This is one of several new Prelude packages.
|
|
sensors, managers, and a display console. This
is the manager. The Manager (there can be several
in an IDS network) accepts secured connections
from sensors and saves the alerts that Sensors
emit. This package installs the manager so that
mySql is used for alert storage.
This is one of several new Prelude packages.
|
|
sensors, managers, and a display console.
Prelude-lml is the log file analyzer. It scans
system log files and generates IDMEF alerts to
the prelude-manager based on signature rulesets.
This is one of several new Prelude packages.
|
|
sensors, managers, and a display console. This
is Prelude DB Library. It allows the interface
allowing Prelude to use a DBMS for alert storage.
While libprelude supports a choice of MySQL or
postgreSQL, this package uses MySQL because it
was nearly an order of magnitude faster during
test operation.
This is one of several new packages in the Prelude family.
|
|
sensors, managers, and a display console. LibPrelude
is the glue that binds all aspects of Prelude together.
LibPrelude is a library which enables Prelude
components to communicate in a standard IDMEF method.
This is one of several new packages in the Prelude family.
|
|
struct timeval on DragonFly. Use BSD_INSTALL_PROGRAM, removing
the unportable -r flag at the same time. Fix build with newer
OpenSSL versions by including openssl/sha.h explicitly.
|
|
got patched anyway. Add DragonFly. Nuke some more prototypes in files
already touched.
|
|
/usr/pkg/include and /usr/include can appear in any order, PREFIX can be
!= /usr/pkg.
XXX Why this hack and not split + filter to remove the include paths?
|