path: root/security
Age | Commit message | Author | Files | Lines
2011-09-18 | The patch in PR pkg/45280 applied. | ryoon | 6 | -24/+42
* Fix build on DragonFly.
* The patches regen.
Tested on DragonFly/i386 2.10.1 and NetBSD/i386 5.99.55.
2011-09-17 | OpenDNSSEC 1.3.2 | pettai | 2 | -7/+6
Bugfixes:
* Bugfix #257: Error in ods-signerd, where a corrupted backup file results in an invalid pointer free().
* Signer Engine: Mark that a zone has a valid signer configuration, after recovering the zone from the backup files.

OpenDNSSEC 1.3.1
Bugfixes:
* Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour.
* Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein)
* Bugfix #256: Make sure argument in "ods-control signer" is not stripped off.
* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being interpreted by the shell when running "ods-ksmutil setup".
* Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists.
* Enforcer: Unsigned comparison resulting in wrong error message.
* ods-ksmutil: fixed issue where first ds-seen command run on a zone would work, but return an error code and not send a HUP to the enforcerd.
* Signer Engine: A threading issue occasionally puts the default validity on NSEC(3) RRs and the denial validity on other RRs.
* Signer Engine: An update command could interrupt the signing process and the zone would get missing signatures.
* Signer Engine: Fix an issue where some systems could not copy the zone file.
* Zonefetcher: Check inbound serial in transferred file, to prevent redundant zone transfers.
2011-09-17 | SoftHSM 1.3.0 | pettai | 2 | -7/+6
* Can now read CKA_ALWAYS_AUTHENTICATE but does not use it.
* Encryption and decryption using CKM_RSA_PKCS.
* Support X.509 certificates. (Patch from Thomas Calderon)
* Updated backup instructions.
* Only a Security Officer can set CKA_TRUSTED to true.
* The softhsm tool can set the value of CKA_TRUSTED.
* Support Botan 1.10.0.
* Better signing performance with a single element cache for the PK_Signer object.
* Document README.MinGW describes how to build on Windows. (Text and patches contributed by Jaroslav Imrich)

Bugfixes:
* API changes in Botan created a namespace collision.
* API changes in Botan's state handling.
* BigInt::to_u32bit was accidentally dropped in Botan. Adding it as a compatibility function to SoftHSM.
* Better exception handling.
* CKF_USER_PIN_COUNT_LOW and CKF_SO_PIN_COUNT_LOW must be set if an incorrect PIN has been entered at least once.
* Windows: Detect LoadLibrary.
* Windows: Set CRYPTOKI_EXPORTS.
* Windows: Load library correctly in softhsm.
* Windows: Compatibility function for getpass.
* Windows: Use _putenv and not setenv.
* Windows: Generate the DLL file.
* Windows: The softhsm tool will use the DLL file by default.
* Windows: Log to EventLog.
* Windows: Fix parsing of configuration file.
* Windows: The check program now links with a shared libgcc in order to make the exceptions work.

Known issue:
* Firefox does improper setting of CKA_DERIVE attribute during PKCS#12 import. See https://bugzilla.mozilla.org/show_bug.cgi?id=515663
2011-09-17 | +cy2-scram | obache | 1 | -1/+2
2011-09-17 | Update cyrus-sasl to 2.1.25. | obache | 36 | -865/+112
Take maintainership.

New in 2.1.25
-------------
* Make sure that a failed authorization doesn't preclude further server-side SASL authentication attempts from working.
* Fixed a crash caused by aborted SASL authentication and initiation of another one using the same SASL context.
* (Windows) Fixed the random number generator to actually produce random output on each run.
* Be protective against calling sasl_server_step once authentication has failed (multiple SASL plugins)
* Fixed several bugs in the mech_avail callback handling in the server side code.
* Added support for channel bindings
* Added support for ordering SASL mechanisms by strength (on the client side), or using the "client_mech_list" option.
* server_idle needs to obey server's SASL mechanism list from the server context.
* Better server plugin API mismatch reporting
* Build:
  - Updated config to the latest GNU snapshot
  - Fixed SASL's libtool MacOS/X 64-bit file magic
* New SASL plugin: SCRAM
* New SASL plugin: GS2
* DIGEST-MD5 plugin:
  - Allow DIGEST-MD5 plugin to be used for client-side and server-side HTTP Digest, including running over non-persistent connections (RFC 2617)
  - Use the same username for reauthentication cache lookup and update
  - Minimize the number of auxprop lookups in the server side DIGEST-MD5 plugin for the most common case when authentication and authorization identities are the same.
  - Updated digestmd5_server_mech_step2() to be more defensive against empty client input.
  - Fixed some memory leaks on failed plugin initialization. Prevent potential race condition when freeing plugin state. Set the freed reauthentication cache mutex to NULL, to make errors due to mutex access after free more obvious.
  - Test against broken UTF-8 based hashes if calculation using special ISO-8859-1 code fails.
  - Fixed an interop problem with some LDAP clients ignoring server advertised realm and providing their own.
* GSSAPI plugin:
  - Fix to build GSSAPI with Heimdal
  - Properly set serveroutlen to 0 in one place. Don't send empty challenge once server context establishment is done, as this is in violation of the RFC 2222 and its successor.
  - Don't send maxbuf, if no security layer can be established. Added additional checks for buffer lengths.
* LDAPDB plugin:
  - build fixes

New in 2.1.24
-------------
* Order advertised server-side SASL mechanisms per the specified 'mech_list' option or by relative "strength"
* Make sure that sasl_set_alloc() has no effect once sasl_client_init() or sasl_server_init() is called
* Fixed sasl_set_mutex() to disallow changing mutex management functions once sasl_server_init()/sasl_client_init() is called (bug # 3083)
* Removed unused mutexes in lib/client.c and lib/server.c (bug # 3141)
* Added direct support for hashed password to auxprop API
* Don't treat a constraint violation as an error to store an auxprop property
* Extended libsasl (auxprop) to support user deletion
* Extended SASL auxprop_lookup to return error code
* Updated sasl_user_exists() so that it can handle passwordless accounts (e.g. disabled)
* (Windows) Free handles of shared libraries on Windows that were loaded but are not SASL plugins (bug # 2089)
* Prevent freeing of common state on a subsequent call to _sasl_common_init. Make sure that the last global callback always wins.
* Implemented sasl_client_done()/sasl_server_done()
* Added automatic hostname canonicalization inside libsasl
* Made sasl_config_init() public
* Strip trailing spaces from server config file option values (bug # 3139, bug # 3041)
* Fixed potential buffer overflow in saslautd_verify_password().
* Fixed segfault in dlclose() on HPUX
* Various bugfixes for 64bit platforms
* Fixed bug # 2895 (passing LF to sasl_decode64) in sample/sample-client.c, sample/sample-server.c, utils/smtptest.c
* pluginviewer: Code cleanup, improved human readable messages
* Build:
  - (Windows) Updated makefiles to build with VC 8.0 (VC++ 2005)
  - (Windows) Added Windows64 build
  - Updated to use .plugin extension on MacOS
  - Changed 64bit HP-UX build to use .so for shared libraries
* saslauthd:
  - Fixed bug counting double-quotes in username/password in auth_rimap.c. Also fixed bug zeroing password.
  - auth_krb.c: improved diagnostic in the k5support_verify_tgt() function.
  - auth_sasldb.c: pid_file_lock is created with a mask of 644 instead of 0644
  - auth_shadow.c: Define _XOPEN_SOURCE before including unistd.h, so that crypt is correctly defined
  - auth_getpwent.c: Fixed Solaris build
* SASLDB plugin:
  - Fixed spurious 'user not found' errors caused by an attempt to delete a non-existent property
  - Added direct support for hashed password to auxprop API
  - Sleepycat driver: Return SASL_NOUSER instead of SASL_FAIL when the database file doesn't exist
  - Ignore properties starting with '*' in the auxprop store function
* SQL plugin:
  - Added support for SQLITE3
  - Uninitialized variables can cause crash when the searched user is not found
  - Added direct support for hashed password
  - Ignore properties starting with '*' in the auxprop store function
* LDAPDB plugin:
  - Added code to extend LDAPDB into a canon_user plugin in addition to its existing auxprop plugin functionality
* PLAIN plugin:
  - Advertise SASL_SEC_PASS_CREDENTIALS feature
* LOGIN plugin:
  - Advertise SASL_SEC_PASS_CREDENTIALS feature
* DIGEST-MD5 plugin:
  - Fixed a memory leak in the DIGEST-MD5 security layer
  - Fixed memory leaks in client-side reauth and other places
  - More detailed error reporting.
  - Fixed parsing of challenges/responses with extra commas.
  - Allow for multiple qop options from the server and require a single qop option from the client.
* GSSAPI plugin:
  - Check that params->serverFQDN is not NULL before using strlen on it
  - Make auxprop lookup calls optional
* EXTERNAL plugin:
  - Make auxprop lookup calls optional
* NTLM plugin:
  - allow a comma separated list of servernames in 'ntlm_server' option
  - Fixed crash in calculating NTv2 response
* OTP plugin:
  - Don't use a stack variable for an OTP prompt (bug # 2822)
  - Downgrade the failure to store OTP secret to debug level
* KERBEROS_V4 plugin:
  - Make auxprop lookup calls optional
2011-09-16 | Bump PKGREVISION from PHP_VERSION_DEFAULT changes. | obache | 1 | -2/+2
2011-09-16 | Bump PKGREVISION from RUBY_VERSION_DEFAULT changes. | obache | 1 | -1/+2
2011-09-15 | Split and clean up tommath patches. Requested by wiz. | hans | 4 | -1085/+1086
2011-09-15 | Remove CVS keywords from patch, so that distinfo has a chance of ever | wiz | 2 | -15/+7
being right. XXX: this patch should be split up, it contains more than one file.
2011-09-15 | Update p5-Mozilla-CA to 20110904. | hiramatsu | 2 | -6/+6
Changes from previous:
- Remove and distrust DigiNotar
- Add Certinomis, Root CA Generalitat Valenciana, A-Trust-nQual-03 and TWCA
2011-09-14 | Use ncurses on SunOS. | hans | 1 | -1/+6
2011-09-14 | Explicitly disable language bindings that are available as separate | hans | 1 | -1/+3
packages.
2011-09-14 | Fix build on SunOS. | hans | 4 | -4/+1708
2011-09-14 | The configure check for pam headers doesn't work on SunOS. Fix build by | hans | 1 | -1/+6
overriding the check.
2011-09-13 | PR/39646 -- add AES patch, from | shattered | 3 | -3/+167
http://people.freebsd.org/~tmclaugh/files/ssldump-aes.diff
2011-09-13 | Update ruby-bcrypt package to 3.0.1. | taca | 2 | -6/+6
3.0.1
- create raises an exception if the cost is higher than 31. GH #27
2011-09-12 | fix configure check for libcurl, from John Marshall on the gnupg-devel | drochner | 3 | -2/+17
mailing list bump PKGREV
2011-09-12 | update to 2.12.10 | drochner | 2 | -6/+6
changes: bugfixes
2011-09-08 | Update to 2.4: | wiz | 4 | -47/+12
NEWS for the 2.4 release

This is a bugfix release only. It turned out ripemd160 in the 2.3 release was broken on all big-endian systems, due to a missing include of config.h. nettle-2.4 fixes this.

The library is intended to be binary compatible with nettle-2.2 and nettle-2.3. The shared library names are libnettle.so.4.3 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2.

NEWS for the 2.3 release
* Support for the ripemd-160 hash function.
* Generates and installs nettle.pc and hogweed.pc files, for use with pkg-config. Feedback appreciated. For projects using autoconf, the traditional non-pkg-config ways of detecting libraries, and setting LIBS and LDFLAGS, is still recommended.
* Fixed a bug which made the testsuite fail in the GCM test on certain platforms. Should not affect any documented features of the library.
* Reorganization of the code for the various Merkle-Damgård hash functions. Some fields in the context structs for md4, md5 and sha1 have been renamed, for consistency. Applications should not peek inside these structs, and the ABI is unchanged.
* In the manual, fixed mis-placed const in certain function prototypes.

The library is intended to be binary compatible with nettle-2.2. The shared library names are libnettle.so.4.2 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2.
2011-09-08 | mozilla has switched to a scheme of explicitly distrusting certificates | drochner | 3 | -12/+21
in its stable branch (ie firefox-6.0.2) too, so deal with this in the mozilla-rootcerts script (this is not great - it depends on syntactic details of the file where it should better use checksums, but the perl script which is distributed with "curl" works the same way), and switch back to the certificate list in CVS HEAD
2011-09-08 | Missing commit for new patches | joerg | 1 | -1/+3
2011-09-08 | Do not use nested functions. Add missing prototypes. Bump revision. | joerg | 3 | -2/+57
2011-09-08 | Stricter template usage. Bump revision. | joerg | 3 | -3/+109
2011-09-05 | Pass --tag=CC to libtool. This fixes build failure | cheusov | 2 | -5/+5
2011-09-04 | simplify MASTER_SITES. | obache | 1 | -2/+2
2011-09-04 | Update p5-IO-Socket-SSL to 1.44. | hiramatsu | 2 | -7/+6
Changes from 1.35:

v1.44 2011.05.27
- fix invalid call to inet_pton in verify_hostname_of_cert when identity should be verified as ipv6 address, because it contains colon.

v1.43_1 2011.05.12
- try to make t/nonblock.t more stable, especially on Mac OS X

v1.43 2011.05.11
- fix t/nonblock.t
- stability improvements t/inet6.t

v1.42 2011.05.10
- add SSL_create_ctx_callback to have a way to adjust context on creation. https://rt.cpan.org/Ticket/Display.html?id=67799
- describe problem of fake memory leak because of big session cache and how to fix it, see https://rt.cpan.org/Ticket/Display.html?id=68073

v1.41 2011.05.09
- fix issue in stop_SSL where it did not issue a shutdown of the SSL connection if it first received the shutdown from the other side. Thanks to fencingleo[AT]gmail[DOT]com for reporting
- try to make t/nonblock.t more reliable, at least report the real cause of ssl connection errors

v1.40 2011.05.02
- integrated patch from GAAS to get IDN support from URI. https://rt.cpan.org/Ticket/Display.html?id=67676

v1.39_1 2011.05.02
- fix in example/async_https_server. Thanks to DetlefPilzecker[AT]web[DOT]de for reporting

v1.39 2011.03.03
- fixed documentation of http verification: wildcards in cn is allowed

v1.38_1 2011.01.24
- close should undef _SSL_fileno, because the fileno is no longer valid (SSL connection and socket are closed)

v1.38 2011.01.18
- fixed wildcards_in_cn setting for http (wrongly set in 1.34 to 1 instead of anywhere). Thanks to dagolden[AT]cpan[DOT]org for reporting https://rt.cpan.org/Ticket/Display.html?id=64864

v1.37 2010.12.09
- don't complain about invalid certificate locations if user explicitly set SSL_ca_path and SSL_ca_file to undef. Assume that user knows what he is doing and will work around the problems by itself. http://rt.cpan.org/Ticket/Display.html?id=63741

v1.36 2010.12.08
- update documentation for SSL_verify_callback based on https://rt.cpan.org/Ticket/Display.html?id=63743 https://rt.cpan.org/Ticket/Display.html?id=63740
2011-09-04 | Add p5-Mozilla-CA. | hiramatsu | 1 | -1/+2
2011-09-04 | Import perl module Mozilla::CA as security/p5-Mozilla-CA. | hiramatsu | 3 | -0/+29
Mozilla::CA provides a copy of Mozilla's bundle of Certificate Authority certificates in a form that can be consumed by modules and libraries based on OpenSSL.
2011-09-01 | PR/38394 -- disable KAFS detection for mit-krb5 | shattered | 1 | -1/+4
2011-08-31 | update to the version distributed with firefox-6.0.1, in response | drochner | 2 | -6/+11
to the recent discovery of false certificates from diginotar (Recent versions from the source repository don't work, see the comment in Makefile.)
2011-08-31 | Remove stunnel/ component from SYSCONFDIR path. /stunnel/ is already | jym | 2 | -4/+4
set in PKG_SYSCONFDIR variable, so it is passed down to Makefile. Configuration final path ends up being etc/stunnel/stunnel/stunnel.conf, which is wrong.
2011-08-25 | Fix linking error under Mac OS X caused by duplicate definition of | tron | 2 | -1/+41
a bunch of global variables.
2011-08-25 | Update ruby-net-ssh to 2.2.1. | taca | 2 | -6/+6
=== 2.2.1 / 24 Aug 2011
* Do not prompt any passphrases before trying all identities from agent. [musybite] (see: http://net-ssh.lighthouseapp.com/projects/36253-net-ssh/tickets/30)
2011-08-25 | Update ruby-bcrypt to 3.0.0. | taca | 3 | -12/+16
3.0.0 Aug 24, 2011
- Bcrypt C implementation replaced with a public domain implementation.
- License changed to MIT
2011-08-25 | Reset maintainer. | tron | 1 | -2/+2
2011-08-24 | Update "stunnel" package to version 4.42. Changes since version 4.39: | tron | 4 | -20/+24
- New features
  - New verify level 0 to request and ignore peer certificate. This feature is useful with the new Windows GUI menu to save cached peer certificate chains, as SSL client certificates are not sent by default.
  - Manual page has been updated.
  - Removed support for changing Windows Service name with "service" option.
  - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters are not provided in stunnel.pem.
  - Default "ciphers" value updated to prefer ECDH: "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
  - Default ECDH curve updated to "prime256v1".
  - Removed support for temporary RSA keys (used in obsolete export ciphers).
- Bugfixes
  - The -quiet commandline option was applied to *all* message boxes.
  - Silent install (/S option) no longer attempts to create stunnel.pem.
2011-08-23 | Recursive bump from gdbm shlib bump. | obache | 3 | -6/+6
2011-08-22 | Update to 2.12.9: | wiz | 3 | -12/+12
* Version 2.12.9 (released 2011-08-21)
** libgnutls-extra: Replaced enumeration with unsigned int, in openssl.h to make it identical to the 3.0.0 version. This shouldn't introduce binary incompatibility.
** libgnutls: When asking for a PIN multiple times, the flags in the callback were not being updated to reflect for PIN low count or final try.
** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback
2011-08-22 | Update to 2.2. Update LICENSE (see below). | wiz | 6 | -35/+42
NEWS for the 2.2 release

Licensing change:
* Relicensed as LGPL v2.1 or later (user's option).
* Replaced blowfish and serpent implementation. New code is based on the LGPLed code in libgcrypt.

New features:
* Support for Galois/Counter Mode (GCM).
* New interface for enumerating (most) available algorithms, contributed by Daniel Kahn Gillmor.
* New tool nettle-hash. Can generate hash digests using any supported hash function, with output compatible with md5sum and friends from GNU coreutils. Checking (like md5sum -c) not yet implemented.

Bug fixes:
* The old serpent code had a byte order bug (introduced by yours truly about ten years ago). New serpent implementation does not interoperate with earlier versions of nettle.
* Fixed ABI-dependent libdir default for Linux-based systems which do not follow the Linux File Hierarchy Standard, e.g., Debian GNU/Linux.

Optimizations:
* x86_64 implementation of serpent.
* x86_64 implementation of camellia.
* Optimized memxor using word rather than byte operations. Both generic C and x86_64 assembler.
* Eliminated a memcpy for in-place CBC decrypt.

Miscellaneous:
* In command line tools, no longer support -? for requesting help, since using it without shell quoting is a dangerous habit. Use long option --help instead.

The shared library names are libnettle.so.4.1 and libhogweed.so.2.1, with sonames libnettle.so.4 and libhogweed.so.2.
2011-08-19 | * fixes DEPENDS setting (missing `+'). | obache | 4 | -154/+25
* use perl5/module.mk and its stuff for perl module build
* using packlist, so PLIST entries for perl modules are not required.
* PKG_SYSCONFSUBDIR is handled automatically, no need to be in PLIST.
* fix substitute handling with USE_DESTDIR=yes.
Bump PKGREVISION.
2011-08-18 | Update sudo package to 1.7.7. It is a maintenance release. | taca | 2 | -7/+7
What's new in Sudo 1.7.7
* I/O logging is now supported for commands run in background mode (using sudo's -b flag).
* Group ownership of the sudoers file is now only enforced when the file mode on sudoers allows group readability or writability.
* Visudo now checks the contents of an alias and warns about cycles when the alias is expanded.
* If the user specifies a group via sudo's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
* "sudo -i command" now works correctly with the bash version 2.0 and higher. Previously, the .bash_profile would not be sourced prior to running the command unless bash was built with NON_INTERACTIVE_LOGIN_SHELLS defined.
* Multi-factor authentication is now supported on AIX.
* Added support for non-RFC 4517 compliant LDAP servers that require that seconds be present in a timestamp, such as Tivoli Directory Server.
* If the group vector is to be preserved, the PATH search for the command is now done with the user's original group vector.
* For LDAP-based sudoers, the "runas_default" sudoOption now works properly in a sudoRole that contains a sudoCommand.
* Spaces in command line arguments for "sudo -s" and "sudo -i" are now escaped with a backslash when checking the sudoers file.
2011-08-18 | Update ruby-net-ssh package to 2.2.0. | taca | 2 | -6/+6
=== 2.2.0 / 16 Aug 2011
* Add support for forwarding a local UNIX domain socket to a remote TCP socket. [Mark Imbriaco]
2011-08-18 | I forgot to update distinfo about latest patch file addition | taca | 2 | -3/+4
(patch-atomicio.c). Noted by wiz@ via private mail. Bump PKGREVISION.
2011-08-16 | + p5-Digest-Perl-MD5. | wiz | 1 | -1/+2
2011-08-16 | Initial import of p5-Digest-Perl-MD5-1.8: | wiz | 3 | -0/+26
Perl implementation of Ron Rivest's MD5 Algorithm.
2011-08-14 | Do not unwrap gpgme-config; it broke the script because the unwrapping | wiz | 1 | -1/+3
stage removed a -I/usr/include|-I/include) line from a case statement. Bump PKGREVISION.
2011-08-14 | Insists on libassuan2-2.0.2, so make it depend on that version. | wiz | 1 | -1/+2
2011-08-14 | Revision bump after updating perl5 to 5.14.1. | obache | 56 | -105/+112
2011-08-11 | Changes 1.3.1: | adam | 8 | -61/+35
* Ported to Windows CE.
* Detect GPG versions not supporting ---passwd.
2011-08-11 | Changes 2.12.8: | adam | 4 | -22/+21
* libgnutls: PKCS-11 back-end was replaced by p11-kit
* libgnutls: gcrypt: replaced occurrences of gcry_sexp_nth_mpi (..., 0) with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
* libgnutls: Verify that a certificate list specified using gnutls_certificate_set_x509_key*(), is sorted according to TLS specification
* libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for gnutls_x509_crt_list_import. It checks whether the list to be imported is properly sorted.
* libgnutls: writev_emu: stop on the first incomplete write.
* libgnutls: Fix zlib handling in gnutls.pc.
* certtool: bug fixes in certificate request generation.
* API and ABI modifications:
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: New element in gnutls_certificate_import_flags