When eval'ing RESTARTCMD don't field split it, only to join the words
again (by eval) - that converts newlines and tabs to spaces, and the
first of those causes sh syntax errors with the way that the various
RESTARTCMDs are now written (but it was always dangerous, as filename
expansions could also have happened, which is not wanted, I believe.)
Also correct a translation error.
(4.2.8p12) 2018/08/14 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
- fixed stack buffer overflow in the openhost() command-line call
of NTPQ/NTPDC <perlinger@ntp.org>
* [Sec 3012] noepeer tweaks. <stenn@ntp.org>
* [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
other TrustedBSD platforms
- applied patch by Ian Lepore <perlinger@ntp.org>
* [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
- changed interaction with SCM to signal pending startup
* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
- rework of ntpq 'nextvar()' key/value parsing
* [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
* [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
* [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
* [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
- add #define ENABLE_CMAC support in configure. HStenn.
* [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
* [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
- patch by Stephen Friedl
* [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
- fixed IO redirection and CTRL-C handling in ntq and ntpdc
* [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
* [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
- initial patch by Hal Murray; also fixed refclock_report() trouble
* [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
* [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
- According to Brooks Davis, there was only one location <perlinger@ntp.org>
* [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
with modifications
New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
* [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
- applied patch by Miroslav Lichvar
* [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
* [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
- integrated patch by Reinhard Max
* [Bug 2821] minor build issues <perlinger@ntp.org>
- applied patches by Christos Zoulas, including real bug fixes
* html/authopt.html: cleanup, from <stenn@ntp.org>
* ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
* Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>
* html/authentic.html: cleanup, from <stenn@ntp.org>
commit 1bd0e85c3ce7f6946f5cd4e18e7b45d50767412f
Author: popcornmix <popcornmix@gmail.com>
Date: Mon Sep 17 14:39:10 2018 +0100
Tested by Jun Ebihara as discussed on port-arm
--
redo mknative-gcc for all ports. main changes include:
- "#define HAVE_CC_TLS 1" for most/all ports, thanks maya@
- "#define _GLIBCXX_HAVE_LDEXPL 1" and "#define _GLIBCXX_HAVE_TGMATH_H 1"
for many ports
- arm64 and amd64 had a broken c++config.h that disabled many things
- configargs.h has more normalisation
- ppc64 has a few things fixed, must have missed several mknative rounds
--
regen to pull out INTERNAL_CFLAGS.
--
pull -DHAVE_CC_TLS out of $(INTERNAL_CFLAGS) if it is there, and add
it to CPPFLAGS.
this fixes PR#53567 for me.
- "#define HAVE_CC_TLS 1" for most/all ports, thanks maya@
- "#define _GLIBCXX_HAVE_LDEXPL 1" and "#define _GLIBCXX_HAVE_TGMATH_H 1"
for many ports
- arm64 and amd64 had a broken c++config.h that disabled many things
- configargs.h has more normalisation
- ppc64 has a few things fixed, must have missed several mknative rounds
Changes from version 4.0.0 to version 4.0.1:
- Bug fixes (see ChangeLog file), in particular in mpfr_div_ui, which
could yield an incorrectly rounded result to nearest when using
different precisions; this bug had been present since the introduction
of mpfr_div_ui, and in MPFR 4.0.0, it was affecting mpfr_div too.
Changes from versions 3.1.* to version 4.0.0:
- Partial support of MPFR_RNDF (faithful rounding).
- New functions: mpfr_fpif_export and mpfr_fpif_import to export and import
numbers in a floating-point interchange format, independent both on the
number of bits per word and on the endianness.
- New function mpfr_fmodquo to return the low bits of the quotient
corresponding to mpfr_fmod.
- New functions mpfr_flags_clear, mpfr_flags_set, mpfr_flags_test,
mpfr_flags_save and mpfr_flags_restore to operate on groups of flags.
- New functions mpfr_set_float128 and mpfr_get_float128 to convert from/to
the __float128 type (requires --enable-float128 and compiler support).
- New functions mpfr_buildopt_float128_p and mpfr_buildopt_sharedcache_p.
- New functions mpfr_rint_roundeven and mpfr_roundeven, completing the
other similar round-to-integer functions for rounding to nearest with
the even-rounding rule.
- New macro mpfr_round_nearest_away to add partial emulation of the
rounding to nearest-away (as defined in IEEE 754-2008).
- New functions mpfr_nrandom and mpfr_erandom to generate random numbers
following normal and exponential distributions respectively.
- New functions mpfr_fmma and mpfr_fmms to compute a*b+c*d and a*b-c*d.
- New function mpfr_rootn_ui, similar to mpfr_root, but agreeing with the
rootn function of the IEEE 754-2008 standard.
- New functions mpfr_log_ui to compute the logarithm of an integer,
mpfr_gamma_inc for the incomplete Gamma function.
- New function mpfr_beta for the Beta function (incomplete, experimental).
- New function mpfr_get_q to convert a floating-point number into rational.
- Dropped K&R C compatibility.
- Major speedup in mpfr_add, mpfr_sub, mpfr_mul, mpfr_div and mpfr_sqrt when
all operands have the same precision and this precision is less than twice
the number of bits per word, e.g., less than 128 on a 64-bit computer.
- Speedup by a factor of almost 2 in the double <--> mpfr conversions
(mpfr_set_d and mpfr_get_d).
- Speedup in mpfr_log1p and mpfr_atanh for small arguments.
- Speedup in the mpfr_const_euler function (contributed by Fredrik Johansson),
in the computation of Bernoulli numbers (used in mpfr_gamma, mpfr_li2,
mpfr_digamma, mpfr_lngamma and mpfr_lgamma), in mpfr_div, in mpfr_fma
and mpfr_fms.
These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.
HOWEVER! Some subsystems have
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.
To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.
I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:
cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))
It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.
Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)
Sunday, June 24, 2018, by mcr@sandelman.ca
Summary for 1.9.0 libpcap release
Added testing system to libpcap, independent of tcpdump
Changes to how pcap_t is activated
Adding support for Large stream buffers on Endace DAG cards
Changes to BSD 3-clause license to 2-clause licence
Additions to TCP header parsing, per RFC3168
Add CMake build process (extensive number of changes)
Assign a value for OpenBSD DLT_OPENFLOW.
Support setting non-blocking mode before activating.
Extensive build support for Windows VS2010 and MINGW (many many changes, over many months)
Added RPCAPD support when --enable-remote (default no)
Add the rpcap daemon source and build instructions.
Put back the greasy "save the capture filter string so we can tweak it"
hack, that keeps libpcap from capturing rpcap traffic.
Fixes for captures on MacOS, utun0
fixes so that non-AF_INET addresses, are not ==AF_INET6 addresses.
Add a linktype for IBM SDLC frames containing SNA PDUs.
pcap_compile() in 1.8.0 and later is newly thread-safe.
bound snaplen for linux tpacket_v2 to ~64k
Make VLAN filter handle both metadata and inline tags
D-Bus captures can now be up to 128MB in size
Added LORATAP DLT value
Added DLT_VSOCK for http://qemu-project.org/Features/VirtioVsock
probe_devices() fixes not to overrun buffer for name of device
Add linux-specific pcap_set_protocol_linux() to allow specifying a specific capture protocol.
RDMA sniffing support for pcap
Add Nordic Semiconductor Bluetooth LE sniffer link-layer header type.
fixes for reading /etc/ethers
Make it possible to build on Windows without packet.dll.
Add tests for large file support on UN*X.
Solaris fixes to work with 2.8.6
configuration test now looks for header files, not capture devices present
Fix to work with Berkeley YACC.
fixes for DragonBSD compilation of pcap-netmap.c
Clean up the ether_hostton() stuff.
Add an option to disable Linux memory-mapped capture support.
Add DAG API support checks.
Add Septel, Myricom SNF, and Riverbed TurboCap checks.
Add checks for Linux USB, Linux Bluetooth, D-Bus, and RDMA sniffing support.
Add a check for hardware time stamping on Linux.
Don't bother supporting pre-2005 Visual Studio.
Increased minimum autoconf version requirement to 2.64
Add DLT value 273 for XRA-31 sniffer
Clean up handing of signal interrupts in pcap_read_nocb_remote().
Use the XPG 4.2 versions of the networking APIs in Solaris.
Fix, and better explain, the "IPv6 means IPv6, not IPv4" option setting.
Explicitly warn that negative packet buffer timeouts should not be used.
rpcapd: Add support inetd-likes, including xinetd.conf, and systemd units
Rename DLT_IEEE802_15_4 to DLT_IEEE802_15_4_WITHFCS.
Add DISPLAYPORT AUX link type
Remove the sunos4 kernel modules and all references to them.
Add more interface flags to pcap_findalldevs().
Summary for 1.9.0 libpcap release (to 2017-01-25 by guy@alum.mit.edu)
Man page improvements
Fix Linux cooked mode userspace filtering (GitHub pull request #429)
Fix compilation if IPv6 support not enabled
Fix some Linux memory-mapped capture buffer size issues
Don't fail if kernel filter can't be set on Linux (GitHub issue
#549)
Improve sorting of interfaces for pcap_findalldevs()
Don't list Linux usbmon devices if usbmon module isn't loaded
Report PCAP_ERROR_PERM_DENIED if no permission to open Linux usbmon
devices
Fix DLT_ type for Solaris IPNET devices
Always return an error message for errors finding DAG or Myricom
devices
If possible, don't require that a device be openable when
enumerating them for pcap_findalldevs()
Don't put incompletely-initialized addresses in the address list for
When finding Myricom devices, update description for regular
interfaces that are Myricom devices and handle SNF_FLAGS=0x2(port
aggregation enabled)
Fix compilation error in DAG support
Fix issues with CMake configuration
Add support for stream buffers larger than 2GB on newer DAG cards
Remove support for building against DAG versions without STREAMS
support (before dag-3.0.0 2007)
19 June 2018: Wouter
- Fix for unbound-control on Windows and set TCP socket parameters
more closely.
- Fix windows unbound-control no cert bad file descriptor error.
18 June 2018: Wouter
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
- Fix unbound-checkconf for control-use-cert.
15 June 2018: Wouter
- tag for 1.7.3rc1.
14 June 2018: Wouter
- #4103: Fix that auth-zone does not insist on SOA record first in
file for url downloads.
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
- Fix nettle compile.
12 June 2018: Ralph
- Don't count CNAME response types received during qname minimisation as
query restart.
12 June 2018: Wouter
- #4102 for NSD, but for Unbound. Named unix pipes do not use
certificate and key files, access can be restricted with file and
directory permissions. The option control-use-cert is no longer
used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every
line adds one port.
- Fix buffer size warning in unit test.
- remade dependencies in the Makefile.
6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.
5 June 2018: Wouter
- Fix crash if ratelimit taken into use with unbound-control
instead of with unbound.conf.
4 June 2018: Wouter
- Fix deadlock caused by incoming notify for auth-zone.
- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
trunk is 1.7.3 in development from this point.
- #4100: Fix stub reprime when it becomes useless.
1 June 2018: Wouter
- Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.
30 May 2018: Wouter
- Patch from Syzdek: Add ability to ignore RD bit and treat all
requests as if the RD bit is set.
29 May 2018: Wouter
- in compat/arc4random call getentropy_urandom when getentropy fails
with ENOSYS.
- Fix that fallback for windows port.
28 May 2018: Wouter
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
25 May 2018: Wouter
- For TCP and TLS connections that don't establish, perform address
update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
24 May 2018: Wouter
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
inside libunbound), when ssl upstream or a cert-bundle is configured.
23 May 2018: Wouter
- Use accept4 to speed up incoming TCP (and TLS) connections,
available on Linux, FreeBSD and OpenBSD.
17 May 2018: Ralph
- Qname minimisation default changed to yes.
15 May 2018: Wouter
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
11 May 2018: Wouter
- Fix contrib/libunbound.pc for libssl libcrypto references,
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
7 May 2018: Wouter
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
3 May 2018: Wouter
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
2 May 2018: Wouter
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
1 May 2018: Wouter
- Fix that unbound-control reload frees the rrset keys and returns
the memory pages to the system.
30 April 2018: Wouter
- Fix spelling error in man page and note defaults as no instead of
off.
26 April 2018: Wouter
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
- tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
is from here 1.7.2 in development.
25 April 2018: Ralph
- Fix memory leak when caching wildcard records for aggressive NSEC use
24 April 2018: Wouter
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
24 April 2018: Ralph
- Added root-key-sentinel support
23 April 2018: Wouter
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix#4092: libunbound: use-caps-for-id lacks colon in
config_set_option.
- auth zone http download stores exact copy of downloaded file,
including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- list_auth_zones unbound-control command.
20 April 2018: Wouter
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix#4091: Fix that reload of auth-zone does not merge the zonefile
with the previous contents.
- Delete auth zone when removed from config.
19 April 2018: Wouter
- Can set tls authentication with forward-addr: IP#tls.auth.name
And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
such as forward-addr: 9.9.9.9@853#dns.quad9.net or
1.1.1.1@853#cloudflare-dns.com
- Fix#658: unbound using TLS in a forwarding configuration does not
verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
18 April 2018: Wouter
- Fix auth-zone retry timer to be on schedule with retry timeout,
with backoff. Also time a refresh at the zone expiry.
17 April 2018: Wouter
- auth zone notify work.
- allow-notify: config statement for auth-zones.
- unit test for allow-notify
16 April 2018: Wouter
- Fix auth zone target lookup iterator.
- auth zone notify with prefix
- auth zone notify work.
13 April 2018: Wouter
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
auth zone gets stopped, before trying to send there.
- auth zone notify work.
10 April 2018: Ralph
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
statistics counters.
10 April 2018: Wouter
- documentation for low-rtt and low-rtt-pct.
- auth zone notify work.
9 April 2018: Wouter
- Fix that flush_zone sets prefetch ttl expired, so that with
serve-expired enabled it'll start prefetching those entries.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Fix downstream auth zone, only fallback when auth zone fails to
answer and fallback is enabled.
- Accept both option names with and without colon for get_option
and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
of fast servers for some percentage of the time.
5 April 2018: Wouter
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
tls_choose_sigalg routine does not allow the ciphers for the pipe,
so use TLSv1.2.
- ED448 support.
3 April 2018: Wouter
- Fix#4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
failing with a forwarder set. Now, auth-zone is only used for
answers (not referrals) when a forwarder is set.
29 March 2018: Ralph
- Check "result" in dup_all(), by Florian Obser.
23 March 2018: Ralph
- Fix unbound-control get_option aggressive-nsec
21 March 2018: Ralph
- Do not use cached NSEC records to generate negative answers for
domains under DNSSEC Negative Trust Anchors.
19 March 2018: Wouter
- iana port update.
16 March 2018: Wouter
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
15 March 2018: Wouter
- Add --with-libhiredis, unbound support for a new cachedb backend
that uses a Redis server as the storage. This implementation
depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
And unbound should be built with both --enable-cachedb and
--with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
should exist). Patch from Jinmei Tatuya (Infoblox).
- Fix#3817: core dump happens in libunbound delete, when queued
servfail hits deleted message queue.
- Create additional tls service interfaces by opening them on other
portnumbers and listing the portnumbers as additional-tls-port: nr.
13 March 2018: Wouter
- Fix typo in documentation.
- Fix#3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
flushed with serve-expired on.
12 March 2018: Wouter
- Added documentation for aggressive-nsec: yes.
- tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
now has 1.7.1 in development.
- Fix#3727: Protocol name is TLS, options have been renamed but
documentation is not consistent.
- Check IXFR start serial.
9 March 2018: Wouter
- Fix#3598: Fix swig build issue on rhel6 based system.
configure --disable-swig-version-check stops the swig version check.
8 March 2018: Wouter
- tag 1.7.0rc2.
7 March 2018: Wouter
- Fixed contrib/fastrpz.patch, even though this already applied
cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
A. Schulze.
- Attempt to remove warning about trailing whitespace.
6 March 2018: Wouter
- Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to
other implementations.
- svn trunk contains 1.7.0, this is the number for the next release.
- Fix for windows compile.
- tag 1.7.0rc1.
5 March 2018: Wouter
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix#3582: Squelch address already in use log when reuseaddr option
causes same port to be used twice for tcp connections.
27 February 2018: Wouter
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
22 February 2018: Ralph
- Save wildcard RRset from answer with original owner for use in
aggressive NSEC.
21 February 2018: Wouter
- Fix#3512: unbound incorrectly reports SERVFAIL for CAA query
when there is a CNAME loop.
- Fix validation for CNAME loops. When it detects a cname loop,
by finding the cname, cname in the existing list, it returns
the partial result with the validation result up to then.
- more robust cachedump rrset routine.
19 February 2018: Wouter
- Fix#3505: Documentation for default local zones references
wrong RFC.
- Fix#3494: local-zone noview can be used to break out of the view
to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
16 February 2018: Wouter
- Fixes for clang static analyzer, the missing ; in
edns-subnet/addrtree.c after the assert made clang analyzer
produce a failure to analyze it.
13 February 2018: Ralph
- Aggressive NSEC tests
13 February 2018: Wouter
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- iana port update.
12 February 2018: Wouter
- Unit test for auth zone https url download.
12 February 2018: Ralph
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Processed aggressive NSEC code review remarks Wouter
8 February 2018: Ralph
- Aggressive use of NSEC implementation. Use cached NSEC records to
generate NXDOMAIN, NODATA and positive wildcard answers.
8 February 2018: Wouter
- iana port update.
- auth zone url config.
5 February 2018: Wouter
- Fix#3451: dnstap not building when you have a separate build dir.
And removed protoc warning, set dnstap.proto syntax to proto2.
- auth-zone provides a way to configure RFC7706 from unbound.conf,
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
fallback-enabled: yes and masters or a zonefile with data.
2 February 2018: Wouter
- Fix unfreed locks in log and arc4random at exit of unbound.
- unit test with valgrind
- Fix lock race condition in dns cache dname synthesis.
- lock subnet new item before insertion to please checklocks,
no modification of critical regions outside of lock region.
1 February 2018: Wouter
- fix unaligned structure making a false positive in checklock
unitialised memory.
29 January 2018: Ralph
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
25 January 2018: Wouter
- ltrace.conf file for libunbound in contrib.
23 January 2018: Wouter
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
so that it is printed to console.
22 January 2018: Wouter
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
also recognized and means the same. Also for tls-port,
tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.
- Fix#3397: Fix that cachedb could return a partial CNAME chain.
- Fix#3397: Fix that when the cache contains an unsigned DNAME in
the middle of a cname chain, a result without the DNAME could
be returned.
6 August 2018: Wouter
- tag for 4.1.24 release.
30 July 2018: Wouter
- Tag for NSD 4.1.23 release, trunk is 4.1.24, includes
fix NSD time sensitive TSIG compare vulnerability.
- Fix checkconf test for use-systemd option.
25 July 2018: Wouter
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.
23 July 2018: Wouter
- Remove socket activation from systemd code, it was reported as
not useful to enable. The readiness signalling is still there,
and can be enabled with use-systemd: yes.
- Only call sd_notify from systemd when use-systemd is yes.
6 July 2018: Wouter
- RFC8162 support, for record type SMIMEA.
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.
26 June 2018: Wouter
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and use socket
activation and readiness signalling with systemd.
19 June 2018: Wouter
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).
14 June 2018: Wouter
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
12 June 2018: Wouter
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.
6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.
4 June 2018: Wouter
- tag for 4.1.22rc1. Became 4.1.22 on 11 June, trunk is 4.1.23 in
development from this point.
31 May 2018: Wouter
- Fix to use same condition for nsec3 hash allocation and free.
23 May 2018: Wouter
- Use accept4 to speed up answer of TCP queries, on Linux and FreeBSD
and OpenBSD.
22 May 2018: Wouter
- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.
15 May 2018: Wouter
- Fix memory free in unit test.
14 May 2018: Wouter
- Tag for 4.1.21 release.
- trunk has 4.1.22 in development.
- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.
7 May 2018: Wouter
- Tag for 4.1.21rc1 release.
4 May 2018: Wouter
- Fix#4093: Release notes not using 2018.
3 May 2018: Wouter
- Fix buffer size warnings from compiler on filename lengths.
26 April 2018: Wouter
- lower memory usage for tcp connections, so tcp-count can be higher.
- Fix checkconf test for refuse-any option.
3 April 2018: Wouter
- refuse-any nsd.conf option that refuses queries of type ANY.
5 March 2018: Wouter
- Fix#3562: explain build error when flex missing.
20 February 2018: Wouter
- For more clang warnings
- Fix spelling error in xfr-inspect.
19 February 2018: Wouter
- Fix for clang analysis complaints.
15 February 2018: Wouter
- --enable-memclean cleans up memory for use with memory checkers,
eg. valgrind.
- Fix unused variable warnings from clang analyzer.
14 February 2018: Wouter
- updated RELNOTES for upcoming release.
- tag 4.1.20rc1, became release on 20 feb, trunk has 4.1.21 in
development.
9 February 2018: Wouter
- make depend: updated the make dependencies in the Makefile.
8 February 2018: Wouter
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.
6 February 2018: Wouter
- Fix memory leak in zone file read of unknown rr formatted RRs.
* Don't use IP_PKTINFO on NetBSD-7 as it's incomplete.
* Workaround RTM_NEWADDR sending the wrong broadcast address
on NetBSD-7.
* Silence diagnostics if an address vanishes when reading
it's flags on all BSD's.
* Misc compiler warnings fixed.
When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC
flag set, the data field was decrypted first without verifying the MIC. When
the dta field was encrypted using RC4, for example, when negotiating TKIP as
a pairwise cipher, the unauthenticated but decrypted data was subsequently
processed. This opened wpa_supplicant(8) to abuse by decryption and recovery
of sensitive information contained in EAPOL-Key messages.
See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.
XXX: pullup-8
should remain the state forever IMO) compat_recallocarray.c
And now that compat_recallocarray() is in libmandoc we no longer
need to manually add its source to mandoc (either the full, or the
tools builds).
as libmandoc/mandoc-validate.c
And as we do not have recallocarray() in libc, we need the compat
source file for the full build, as well as for tools builds.
This file lists the most important changes in the mandoc.bsd.lv distribution.
Changes in version 1.14.4, released on August 8, 2018
--- MAJOR NEW FEATURES ---
* In ASCII output, render mathematical symbols and greek letters
as transliterations conveying the characters' meanings rather
than trying to imitate their shape. Consequently, such characters
can now be used in portable manual pages. All the same, please
limit their use to contexts where they really matter, for example
when showing complicated mathematical formulae.
* First steps towards better support for small screens in HTML
output (responsive design): avoid most style= attributes, in
particular all hard-coded indentations and column widths, and
provide a better mandoc.css style sheet with a @media query,
using em units throughout, and avoiding redundancy in selectors.
* Better HTML output with some more fitting HTML elements, eliminating
needless class= attributes, and avoiding various HTML syntax errors
(element nesting, URL-fragment syntax, duplicate id= attributes).
--- MINOR NEW FEATURES ---
* When a man(1) argument contains a slash, imply -l like in man-db.
* Use TIOCGWINSZ to reduce the default -Owidth and -Oindent during
interactive use on terminals narrower than 79 columns.
* Generated PostScript files are now more than 50% smaller.
* Terminal rendering of eqn(7) is improved in several respects.
* Simplified and nicer output from the mdoc(7) .Lk macro, formatting
all links in-line, even long ones.
* roff(7) \n+ and \n- numerical register auto-increment and -decrement
* roff(7) .nr optional third argument (auto-increment step size)
* Autodetect in ./configure whether the compiler can use -W and -static,
allowing to build on Solaris 10 and 11 without any configure.local.
--- RELIABILITY BUGFIXES ---
* Only activate UTF-8 output when the user really selected UTF-8,
not some other multibyte character encoding.
* Prevent excessive .ll arguments from generating infinite output.
* Fix out of bounds accesses to parse buffers that could happen when
using renamed or user defined macros after roff(7) conditionals.
* Avoid an assertion failure in certain .Bl -column lists.
* Avoid a NULL pointer access on deroff() failure after '.SS ""'.
* Fix a segfault that could be triggered by two invalid .Dt macros.
* Fix two syntax errors in generated PDF files.
* Properly state the page size in generated PostScript files.
* Close a memory leak caused by missing gzclose(3).
* Fix misformatting of man(7) documents lacking .SH macros
in PostScript and PDF output.
* And many minor bugfixes.
--- THANKS TO ---
* Marc Espie (OpenBSD) for implementing the size reduction of
PostScript files, one additional patch for code simplification,
and two bug reports.
* Theo Buehler (OpenBSD) for a bugfix patch,
and Theo de Raadt (OpenBSD) for checking it.
* John Gardner for more than a dozen suggestions regarding HTML output.
* Mike Williams for teaching me how to use %%DocumentMedia and
setpagedevice in PostScript files.
* Werner Lemberg (groff) for feedback on mdoc(7) language changes.
* Colin Watson (man-db) for feedback on man-db semantics.
* Jason McIntyre (OpenBSD) for lots of feedback and suggestions
on diagnostic messages and on the documentation.
* Thomas Klausner (NetBSD) for suggesting two new style messages
and one new feature, for two bug reports, and for release testing.
* Leah Neukirchen (Void Linux) for suggesting a new style message,
five bug reports, and release testing.
* Anthony Bentley (OpenBSD) for reporting multiple bugs and missing
features.
* Paul Irofti (OpenBSD) and Nate Bargmann for suggesting new features.
* Michael Stapelberg (Debian) for bug reports and release testing.
* Christian Weisgerber, Jonathan Gray, Stuart Henderson,
Ted Unangst (OpenBSD), Takeshi Nakayama (NetBSD),
Anton Lazarov, Jakub Klinkovsky, Jan Stary, Jesper Wallin,
Will Backmam, and Wolfgang Mueller for bug reports.
* Sevan Janiyan (NetBSD) for additions to lib.in.
* George Brown for suggesting code simplifications.
* David Coppa, Igor Sobrado (OpenBSD), and Alexander Kuleshov
for documentation improvements.
* Laura Morales and Raf Czlonka for questions resulting in better
documentation.
* Yuri Pankov (illumos) for release testing.
Changes in version 1.14.3, released on August 5, 2017
--- BUG FIXES ---
* man(7): Do not crash with out-of-bounds read access to a constant
array if .sp or a blank line immediately precedes .SS or .SH.
* mdoc(7): Do not crash with out-of-bounds read access to a constant
array if .sp or a blank line precede the first .Sh macro.
* tbl(7): Ignore explicitly specified negative column widths rather than
wrapping around to huge numbers and risking memory exhaustion.
* man(1): No longer use names that only occur in the SYNOPSIS section.
Gets rid of some surprising behaviour and bogus warnings.
--- THANKS TO ---
Leah Neukirchen (Void Linux), Markus Waldeck (Debian),
Peter Bui (nd.edu), and Yuri Pankov (illumos) for bug reports.
Changes in version 1.14.2, released on July 28, 2017
--- MAJOR NEW FEATURES ---
* New mdoc(7) -Tmarkdown output mode.
* For -Thtml, implement internal hyperlinks pointing to authoritative
definitions of various syntax elements, similar to the ctags(1)-like
less(1) :t internal searching in terminal mode.
* Provide a superset of the functionality of the former mdoclint(1)
utility and a new -Wstyle message level with several new messages,
including validity checking of .Xr cross references.
* tbl(7): Implement automatic line breaking inside individual table
cells, and several other formatting improvements.
* eqn(7): Complete rewrite of the lexer, resulting in several bugfixes.
* Continue parser unification, in particular allowing generation
of syntax tree nodes on the roff(7) level, allowing implementation
of many additional roff requests.
--- REMOVED FUNCTIONALITY ---
* Delete the manpage(1) utility. It was never enabled in any release.
* Delete the -Txhtml command line option. It has been an obsolete
alias for the -Thtml output mode for more than two years.
--- MINOR NEW FEATURES ---
* -Tlint now puts parser messages on stdout instead of stderr,
making commands like "man -l -Tlint *.1" useful.
* mdoc(7): Various .Lk formatting improvements.
* mdoc(7) -Thtml: Better CSS for .Bl lists.
* man(7): Implement the .MT/.ME block macro (mailto hyperlink).
* man(7): Implement the .DT macro (restore default tab positions).
* man(7): Improved support for manuals generated with reStructuredText
by partial support for the \n[an-margin] number register.
* man(7) -Thtml: Support deep linking to .SH and .SS headers.
* tbl(7): Implement the "allbox" table option.
* tbl(7): Implement the column spacing and the 'w' (minimum column
width) layout modifiers.
* tbl(7): Significant improvements of the manual page.
* eqn(7): Much improved font selection, including recognition of
well-known function names, and a few other formatting improvements.
* eqn(7) -Thtml: Use <mn> and <mo> in addition to <mi>.
* roff(7): Implement the .ce (centering), .mc (margin character),
.rj (right justify), .ta (define tab stops), .ti (temporary indent),
.als (macro alias), .ec and .eo (escape character control),
.po (page offset), and .rn (macro rename) requests.
* roff(7) .am: Implement appending to mdoc(7) and man(7) macros.
* roff(7): implement the \h (horizontol motion), \l (horizontal
line drawing), and \p (break output line) escape sequences,
and also several additional character escape sequences.
* roff(7): Implement the 'd' conditional (macro or string defined).
* man.cgi(8) now uses pledge(2), too.
* regress.pl(1): simpler user interface, better summary output,
simpler code, and no more recursion.
--- THANKS TO ---
* Anthony Bentley (OpenBSD) for the implementation of .MT/.ME,
reports of many bugs and missing features, and suggestions
for a number of feature and documentation improvements.
* Sebastien Marie (OpenBSD) for two source code patches and
for some useful discussions.
* Florian Obser (OpenBSD) for a bugfix patch and a bug report.
* Jonathan Gray (OpenBSD) for several bug reports from afl(1)
and several more from static analysis tools.
* Theo Buehler (OpenBSD) for several bug reports, most from afl(1).
* Jason McIntyre (OpenBSD) for many useful discussions about a
wide variety of topics, lots of continuous testing, a number of
bug reports, and some suggestions for messages and documentation.
* Thomas Klausner (NetBSD) for lots of help while migrating
mdoclint(1) functionality to mandoc -Tlint, for suggesting
several useful new messages, and for release testing.
* Reyk Floeter (OpenBSD) and Vsevolod Stakhov (FreeBSD) for
suggesting a markdown output mode.
* Thomas Guettler for suggesting -Thtml internal hyperlinks.
* Yuri Pankov (Illumos) for inspiring new warning messages and
for extensive release testing.
* Anton Lindqvist and TJ Townsend (both OpenBSD) and Jan Stary
for multiple bug reports.
* Leah Neukirchen (Void Linux) for bug reports and release testing.
* Michael Stapelberg (Debian) for suggesting feature improvements
and for release testing.
* Martin Natano and Theo de Raadt (both OpenBSD), Andreas Voegele,
Gabriel Guzman, Gonzalo Tornaria, Markus Waldeck, and Raf Czlonka
for bug reports.
* Antoine Jacoutot (OpenBSD) and Steffen Nurpmeso for suggesting
feature improvements.
* Dag-Erling Smoergrav (FreeBSD) for inspiring new warning messages.
* Ted Unangst and Marc Espie (OpenBSD) for providing useful ideas.
* Svyatoslav Mishyn (Crux Linux) for release testing.
* Carsten Kunze (Heirloom roff) for help keeping mandoc and groff
compatible and for committing some of my patches to groff.
now out of support. The changes since our last version imported
(9.10.7) version are too big to include inline here; please consult
the CHANGES file in this directory.
nvi-m17n by itojun.
If imctrl option is set, input method is controlled by using escape
sequences compatible to Tera Term and RLogin. The state of input method in
commands specified by imkey option is saved and restored automatically.
Input method is then deactivated on returning to command mode.
Do modulus using unsigned arith, and then convert the result to
int, rather than converting the arc4random() result to int (which
might be negative) and performing a modulus on that (with a
potentially negative answer).
This currently results in most binaries being broken. Give more time to
debug without -current being badly broken.
The reverted commit message was:
PT_PHDR is useful without PT_INTERP, i.e. for static PIE. It removes the
need for platform-specific computations of _DYNAMIC and friends.
ok martin, mrg
christos