Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
using it because it only supports SSHv1 and has stopped distribution
of the source tarball.
|
|
- Improve database performance by reducing the number of query. (Paul Robert Marino)
- Activate CleanOutput filtering (lot of escaping fixes).
- More action logging.
- Bug fixes with the error pages Back/Retry buttons.
- Fix error on group by user (#191).
- Fix template compilation error with Cheetah version 2 (#184).
|
|
- Fix a startup problem on system with different address of different family
mapping to the same IP.
- Fix for system using the GnuLib poll replacement modules. The module was
broken when used in conjunction with server socket.
- Various portability fixes
|
|
- Various portability fixes.
- Introduce Cisco ASA IPS module support.
- Introduce yum support.
- Introduce Cacti thold plugin support.
- Introduce Microsoft Cluster Service support.
- Honeyd rules update and improvement.
- Updated NAVCE rules; modified ClamAV rules for consistency.
- Improve NTSyslog ruleset.
- Added rule to ignore LML's "could not match prefix" log entries.
- Fix format problem with Apache logs from western hemisphere (- versus
+ TZ).
- Fix Squid process exited rule (#185).
|
|
- Fix preludedb-admin copy/move operations
- Fix a Python binding memory leak upon alert list deletion.
- Various bugfixes.
- Various portability fixes.
|
|
|
|
Patch provided by Sergey Svishchev in private mail.
|
|
From Sergey Svishchev in private mail.
|
|
|
|
1.07 - Wed 22 Feb 06 08:57:02 UTC
added || defined(__hpux) to idea.h to cope with
HPUX 11.11 w/ANSI C compiler per RT ticket 17796
1.08 - Fri 21 Apr 06 10:40:52 UTC
added || defined(WIN32) to idea.h
added ifdef for WIN32 to _idea.c
Thanks to Carl Franks for the pach contributions
per RT ticket 18811
Updated README - added additional known-good platforms
Updated COPYRIGHT
|
|
0.14 2006.05.08
- Win32 fixes: use Data::Random as a fallback in make_random, better
support for locating openssl. Thanks to CFRANKS for the patch.
- Makefile.PL update, to the latest Module::Install. Thanks to Adam
Kennedy for the patch.
|
|
1.04 1 Jul 2006
- removed broken CBC test
|
|
- Fix a crash with Python bindings upon signal reception (Fix #200).
- New --with-system-ltdl configure switch. The default is now to use the
system wide ltdl library if it is available, unless specified otherwise
(Fix #199).
- Prevent NULL pointer dereference if no permission is specified after the
permission type (Fix #197).
- Upon IDMEFCriteria parsing error, recover from broken parser stater (Fix #195).
- Detailed error reporting on IDMEFCriteria parsing error.
- Fix string and possible criteria leak on IDMEFCriteria syntax error.
- Prefer anonymous authentication rather than SRP. We do this because there
are compatibility issue with SRP between different GnuTLS version
(Should fix #187).
- When dumping AdditionalData of type byte-string to string, encode the data using base64.
|
|
|
|
bump PKGREVISION
|
|
- 8/5/2006 1.2.7 (karen)
- Improved HTML <table> output in "base_qry_alert.php" -- Jonathan W Miner
- Remove message when 0 alerts -- Jonathan W Miner
- PrintBase64PacketPayload fix for payload lenght modulo = 0 -- Juergen Leising
- Added empty function to ProtocolFieldCriteria -- Kevin Johnson
- Fixed issue if sig_gid was empty -- Valter Santos
- Added SnortUnified, a perl replacement for Barnyard -- Jason Brvenik
- Updated base-rss.php -- Dan Michitsch
|
|
Changes (new this version)
Added -404 option to specify a "404 string" on the command line
Added plugin to chek for PUT and DELETE
Additional checks for HTTP methods
Additional checks for headers
Other bugfixes, please see the CHANGES file for more details
|
|
|
|
|
|
Patch provided by MAINTAINER, Julian Dunn in PR 35578.
---------------------------------------------------------------------------
January 30, 2007
amavisd-new-2.4.5 release notes
SECURITY
- Recommended version of Convert::UUlib is 1.08 or higher
to avoid processing of uninitialized data containing 'random' garbage.
Note that a security hole in uulib which comes with Convert::UUlib 1.04
and older is now (as of 2006-12-05) known to be exploitable:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
credits to Jean-Sebastien Guay-Leroux;
- p0f-analyzer.pl will no longer reply to queries coming from low-numbered
UDP ports below 1024 or from nfsd port 2049, and will ignore queries
with nonce longer than 1024 character or containing characters outside
of \040-\177 range to limit its usefulness as a potential reflector
for an attacker from internal networks.
INCOMPATIBLE CHANGE WITH 2.4.4
- p0f-analyzer.pl now only binds to a loopback interface by default, instead
of to all interfaces; change $bind_addr in p0f-analyzer.pl to '0.0.0.0'
if p0f-analyzer.pl is running on a different host from amavisd or from
other querying clients; suggested by Shaun T. Erickson and Mario Liehr;
BUG FIXES
- let p0f-analyzer.pl exit when a pipe on stdin is closed (e.g. when p0f
is killed or crashes), instead of entering a tight loop; reported by
Justin Piszcz and Henrik Krohns;
- hard-blacklisting no longer skips quarantining when
$spam_quarantine_cutoff_level is undefined (or is an empty string);
- restart timer after Sophie times out; previously the next attempt
would run with no time limit; reported by Nick Leverton and
Nicklas Bondesson;
- fixed AM.PDP code to always provide smtp-quoted form in angle brackets
in delrcpt and addrcpt attributes of a response, i.e. in the same form
as was received in sender and recipient attributes;
- fix error reporting in open_on_specific_fd when POSIX::dup2 fails;
thanks to Chris (decoder);
- fix signal handling in read_snmp_variables() and register_proc(),
a signal could previously get lost (not re-signaled) if it occurred
within these subroutines;
- fixed get_body_digest which incorrectly determined 7- or 8-bitness
of mail header and body, setting body_type incorrectly (with only
cosmetic ill-effects);
- AM.PDP protocol: ensure proper address form is used in server response
attributes 'delrcpt' and 'addrcpt': the same form should be used as
in 'sender' and 'recipient' attributes. The attribute value syntax is
specified in RFC 2821 as 'Reverse-path' (i.e. smtp-quoted form, enclosed
in <>); previously enclosing angle brackets were missing in a server reply;
- documentation - amavisd.conf-default incorrectly stated that a default
value for $prepend_header_fields_hdridx is 1; actually the default is 0
as correctly indicated in release notes; reported by Jo Rhett;
OTHER
- qmail interfacing notice:
MTA timeout for waiting on results from amavisd should be longer than
$child_timeout (8 minutes by default) with some margin, setting MTA timeout
to 15 or 20 minutes is usual. With qmail however the QMQP code in qmail
has hard-coded timeouts set, 10 seconds for connect and 60 seconds for
read/write. If amavisd processing takes longer than 60 seconds, the MTA
drops connection and retries later, yet amavisd continues processing
and eventually delivers a mail (with each MTA retry), causing repeated
deliveries of the same message. The following patch by Eric Huss on
the www.qmail.org page: http://www.ehuss.org/qmail/qmqpc-timeout.tar.gz
should be applied to qmail when interfacing it to a post-queue content
filter. Problem researched by Nicklas Bondesson;
- better timeout handling in interface code to daemonized virus scanners
like clamd, Sophie, Trophie: allow short time (10 s) for connect and
for sending a request, then allow normal (long) time to collect results;
keep evidence of the initial deadline on retries;
- prefer '7bit' as Content-Transfer-Encoding when attaching original message
or its headers (message/rfc822 or text/rfc822-headers) to DSN or to a
defanged mail, and only specify '8bit' when necessary;
- remove protecting the $ and @ characters in second argument
of a regexp selector macro, it is unnecessary and confusing;
- sanitize Message-ID and Resent-Message-ID header field bodies in
macros %m, %r and header_field by providing angle brackets if missing
to facilitate log parsing (angle brackets are RFC 2822 required syntax
and are semantically not part of a message id);
- updated $map_full_type_to_short_type_re to avoid mapping file(1) result
'MS-DOS executable (built-in)' to types 'exe-ms' and 'exe'; the file(1)
utility generously declares any text file starting with LZ to be a
'MS-DOS executable (built-in)'; thanks to Noel Jones, Jakob Curdes
and Clifton Royston for troubleshooting;
- add X-Spam-* header fields to quarantined mail if spam score is at or
above tag_level. Previously message needed to be recognized as spammy
or spam (tag2 or kill level) in order to receive spam header fields
in quarantined copy. This also makes it more consistent with adding
such header fields to passed mail; suggested by Michael Gaskins;
- add X-Amavis-OS-Fingerprint header field to quarantined mail;
- header field X-Spam-Score in a passed or quarantined mail now reflects
score boost even when SA score is unknown (e.g. when SA was not called),
and reflects white and blacklisting by pushing score to 0 or 64, to
make it consistent with a bar size in X-Spam-Level header field;
- resignal "timed out" after (almost) every eval {} which has no subsequent
call to prolong_timer() to ensure we do not continue running with
disabled timer. Exceptions are DESTROY and END handlers, and code which
handles timer in some other way (e.g. by keeping evidence of a deadline);
- for the purpose of looking up client IP address in @mynetworks_maps,
treat unknown/unavailable IP address as 0.0.0.0; this allows treating
directly submitted mail on the MTA host (not submitted through SMTP) as
coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);
Note that this is indistinguishable from other reasons when IP address
is not made available to amavisd, e.g. when smtp_send_xforward_command
option in Postfix smtp service is not enabled, which is why the default
setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
falsely loading a MYNETS policy bank.
One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
to work and if some software on the MTA host is submitting its mail to MTA
directly, e.g. through a sendmail command, and MYNETS policy bank loading
is needed for proper processing of such mail;
- report a more informative message when a file(1) utility fails to produce
useful results: joins exit status with a parsing report into one message;
thanks to Andres, whose file(1) utility was crashing with SEGV;
- consistency: rearrange implicitly adding $X_HEADER_TAG to a hash
%allowed_added_header_fields so that it is possible to turn off
insertion of $X_HEADER_TAG header field by turning off associated key in
%allowed_added_header_fields even when $X_HEADER_TAG is explicitly defined;
- let %allowed_added_header_fields also control insertion of header fields
into quarantined message;
- amavisd-nanny now displays a title line indicating the semantics of columns;
- Courier patch: ensure the information is stored to newly introduced
recip_addr_smtp and sender_smtp object attributes, which are needed
to preserve pristine address forms for DSN and ORCPT use and for logging;
a patch by Martin Orr;
- qmqpqq (qmail): ensure the information is stored to newly introduced
recip_addr_smtp and sender_smtp object attributes;
- qmail patch now activates line-by-line sending to qmail to avoid qmail bug
('bare LF' reported when CR and LF are separated by a TCP packet boundary);
- tighten a regexp on matching a p0f fingerprint for Windows XP to avoid
matching 'Windows XP SP1+, 2000 SP3'; suggested by Michael Scheidell;
- updated AV entry for CentralCommand Vexira (vascan):
removed hard-coded option '--vdb'; by Brian Wong;
- internal: move code dealing with a SA call to a dedicated
subroutine call_spamassassin;
- internal: provide new routines to collect scalar and structured results
from a subprocess (collect_results, collect_results_structured) and
take advantage of them in decoding, in AV and in dspam interface routines,
unifying code and providing results size sanity limit and consistent
killing of runaway external programs;
- experimental: taking advantage of the above, make it possible to run SA in
a spawned process, requested by setting a new config variable $sa_spawned
to true (it is off by default); benefits are that a mainstream child process
can not be brought down by potential processing problems in SA or its
external modules, and timeouts are handled cleanly by a calling process;
downside is an increase of process count (worst case: doubled), with
corresponding increase in memory footprint, plus about 20 .. 30 ms
of additional processing time for each call to SA;
- added a tuning tip on buffer sizes to README.sql for MySQL with InnoDB,
by Wayne Smith;
- updated URL of Sophie AV scanner;
|
|
Noteworthy changes in version 0.5.13 (2007-02-01)
------------------------------------------------
* Fixed shared library for newly added APIs in last release.
* Add -no-undefined to LDFLAGS, to make opencdk build under mingw32.
* Add AC_LIBTOOL_WIN32_DLL to configure.ac, which is required for
* libtool to behave correctly for cross-compiles to mingw32.
* Use gnulib for mingw32 support.
Noteworthy changes in version 0.5.12 (2007-02-01)
------------------------------------------------
* Add new API to extract public/secret OpenPGP key to S-expr.
The functions are cdk_pubkey_to_sexp and cdk_seckey_to_sexp. Patch by
Mario Lenz <mario.lenz@gmx.net>.
* Autoconf 2.60 and automake 1.10 are now required.
* Doc fixes.
|
|
This is maintenance release to fix build problems found after the
release of 2.0.1. There are also some minor enhancements.
|
|
|
|
OpenBSD.
Changes:
The following changes have been made between John 1.7.1 and 1.7.2:
* Bitslice DES assembly code for x86-64 making use of the 64-bit mode
extended SSE2 with 16 XMM registers has been added for better performance
at DES-based crypt(3) hashes with x86-64 builds on AMD processors.
* New make target for FreeBSD/x86-64.
The following changes have been made between John 1.7.0.2 and 1.7.1:
* Bitslice DES code for x86 with SSE2 has been added for better performance
at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors.
* Assorted high-level changes have been applied to improve performance
on current x86-64 processors.
* New make target for NetBSD/SPARC64.
* Minor source code cleanups.
|
|
Noteworthy changes in version 1.2.4 (2007-02-01)
------------------------------------------------
* Fixed a bug in the memory allocator which could have been the
reason for some of non-duplicable bugs.
* Other minor bug fixes.
|
|
v1.02
- added some info to BUGS and to BUGS section of pod
- added TELL and BINMODE to IO::Socket::SSL::SSL_HANDLE, even
if they do nothing useful.
- all tests allocate now the ports dynamically, so there should
be no longer a conflict with open ports on the system where
the tests run
v1.01
- work around Bug in Net::HTTPS where it defines sub blocking
as {}, e.g. force scalar context when calling sub blocking
(in IO::Socket::SSL::write)
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383106
v1.0
- fix depreciated and practically undocumented function
get_peer_certificate so that LWP Net::HTTPS works again
- set arg 'Blocking' while calling SUPER::configure only
if it was set by the caller to work around Problem in LWP
Net::HTTPS
|
|
|
|
requested.
|
|
|
|
ftp://asim.lip6.fr/outgoing/packages/i386/3.1/20070114.1132/broken.html
(latest 3.1/i386 bulk build of 2006Q4).
Feel free to fix them...
|
|
|
|
|
|
|
|
Bump PKGREVISION.
|
|
* Major changes in 0.0.10
** Support GnuPG versions older than 1.4.3
** Provide a minor-mode to encrypt/sign mails
* Major changes in 0.0.9
** epa.el usablity improvements.
*** M-x epa-encrypt-region specifies --armor & --textmode by default
*** M-x epa-sign-region and M-x epa-sign-file create a cleartext signature by
default
*** Region based commands now determine the coding-system used to
encode the plain text
*** Fingerprints are pretty-printed
*** New user option epa-protocol to use the S/MIME.
** Support XEmacs compiled with --with-mule=no --with-file-coding=no.
|
|
a) Experimental IKEv2 support (--ikev2)
b) RFC 3947 NAT traversal support (--nat-t)
c) Source IP spoofing (--sourceip) - Requires raw sockets.
d) Nortel proprietary pre-shared key cracking support.
e) psk-crack can read dictionary files from stdin (--dictionary=-)
f) Backoff patterns may contain only a single packet.
g) Two new packet display options: --timestamp and --shownum
h) ike-scan now uses the Mersenne twister PRNG, with new --randomseed option.
i) --rcookie option allows the responder cookie to be specified in outgoing packets.
j) Several new backoff patterns and vendor IDs added.
k) ike-scan wiki launched: http://www.nta-monitor.com/wiki/
|
|
ready included with that release of OpenSSH, but in fact it is not)
* removed hacks.mk which is no longer necessary with that version of OpenSSH
|
|
|
|
Package was incorectly auto detecting postgres and attempting to compile
postgres plugin. Force package to skip compilation of postgres plugin.
|
|
Update to 1.2.8 (formerly in devel/apr1), no longer build from the
httpd distfile.
devel/rapidsvn:
devel/subversion-base:
parallel/ganglia-monitor-core:
security/hydra:
www/apache2:
Use devel/apr0.
www/apache22:
Use devel/apr and devel/apr-util.
|
|
Bump PKGREVISION.
|
|
Bump package revision because of this fix.
|
|
/var/run/stunnel.pid
|
|
According to the gnutls maintainer, the C++ compiler on Darwin is
probably broken.
|
|
* Version 1.6.1 (released 2006-12-28)
** Fix the list of trusted CAs that server's send to clients.
Before, the list contained issuer DN's instead of subject DN's of the
trusted CAs. Reported by Max Kellermann
** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it.
Reported by Max Kellermann
** Encode UID fields in DN's as DirectoryString.
Before GnuTLS encoded and parsed UID fields as IA5String. This was
incorrect, it should have used DirectoryString. Now it will use
DirectoryString for the UID field, but for backwards compatibility it
will also accept IA5String UID's. Reported by Max Kellermann
** Fix ./configure failure with non-GCC compilers.
This fixes the following error message:
configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined.
Reported by "Michael C. Vergallen"
* Version 1.6.0 (released 2006-11-17)
** No changes since 1.5.5.
The major changes compared to the 1.4.x branch are:
*** A GnuTLS C++ library is part of the official distribution.
Currently there are no examples or documentation, but hopefully this
will change. See gnutlsxx.h for the API.
*** Windows is a supported platform.
There are, however, two know bugs. One is related to select() in
command line tools (not, nota bene, in the library), the other is a
problem with libgcrypt that causes delays. Help is needed to resolve
those issues, so we feel we can't delay the release because of this.
*** New APIs for custom push/pull function error reporting.
The new APIs are gnutls_transport_set_errno and
gnutls_transport_set_global_errno. See the release notes for version
1.5.4 for more information.
*** Self tests are run under valgrind, if available. See --disable-valgrind.
|
|
Accurate changes are unknown.
Bump PKGREVISION.
|
|
is able to scan much larger directories. :)
PKGREVISION++
|
|
Addresses PR pkg/34252 by Matthias Petermann.
Also delint a bit.
|