- ENHANCE: When executing a chain, require at least one service
function to succeed. This mitigates fail-open scenarios caused by
misconfigurations or missing modules.
- ENHANCE: Make sure to overwrite buffers which may have contained an
authentication token when they're no longer needed.
- BUGFIX: Under certain circumstances, specifying a non-existent
module (or misspelling the name of a module) in a policy could
result in a fail-open scenario. (CVE-2014-3879)
- FEATURE: Add a search path for modules. This was implemented in
Nummularia but inadvertently left out of the release notes.
- BUGFIX: The is_upper() predicate only accepted the letter A as an
upper-case character instead of the entire A-Z range. As a result,
service and module names containing upper-case letters other than A
would be rejected.
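
The fail-open condition behind CVE-2014-3879 and the "at least one service function must succeed" check can be illustrated with a simplified chain dispatcher. This is an added example, not OpenPAM's code: the return codes, struct layout, module names and both dispatcher functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a policy chain; codes and names are constructed. */
enum { RC_SUCCESS, RC_AUTH_ERR, RC_IGNORE, RC_SYSTEM_ERR };
typedef int (*service_fn)(void);
/* fn == NULL models a module that could not be loaded (missing or misspelled). */
struct entry { const char *module; service_fn fn; int required; };

static int mod_ok(void)   { return RC_SUCCESS; }
static int mod_deny(void) { return RC_AUTH_ERR; }

/* Constructed sample policies; "exmaple_auth" is a deliberate misspelling. */
const struct entry typo_chain[] = { { "exmaple_auth", NULL, 1 } };
const struct entry opt_chain[]  = { { "exmaple_auth", NULL, 0 } };
const struct entry good_chain[] = { { "example_nologin", mod_ok, 1 }, { "example_auth", mod_ok, 1 } };
const struct entry deny_chain[] = { { "example_auth", mod_deny, 1 } };

/* Fail-open: the result starts as success and unloaded entries are skipped. */
int run_fail_open(const struct entry *c, size_t n) {
    int result = RC_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        int r = c[i].fn ? c[i].fn() : RC_IGNORE;  /* missing module silently skipped */
        if (r != RC_SUCCESS && r != RC_IGNORE && c[i].required && result == RC_SUCCESS)
            result = r;
    }
    return result;
}

/* Fail-closed: a missing required module is an error, and the chain
   succeeds only if at least one service function returned success. */
int run_fail_closed(const struct entry *c, size_t n) {
    int result = RC_SUCCESS, succeeded = 0;
    for (size_t i = 0; i < n; i++) {
        int r = c[i].fn ? c[i].fn() : RC_SYSTEM_ERR;
        if (r == RC_SUCCESS)
            succeeded++;
        else if (r != RC_IGNORE && c[i].required && result == RC_SUCCESS)
            result = r;
    }
    if (result == RC_SUCCESS && succeeded == 0)
        result = RC_SYSTEM_ERR;
    return result;
}

int main(void) {
    printf("misspelled module: fail-open=%d fail-closed=%d\n",
           run_fail_open(typo_chain, 1), run_fail_closed(typo_chain, 1));
    return 0;
}
```

The opt_chain case shows why the success count is needed in addition to the missing-module check: an unloadable module marked as not required produces no error of its own, so only the "nothing succeeded" test keeps the chain from returning success.
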
Summary of changes in tzdata2014i (2014-10-21 22:04:57 -0700):
* Pacific/Fiji will observe DST from 2014-11-02 02:00 to 2015-01-18 03:00.
Guess that future years will use a similar pattern.
* A new Zone Pacific/Bougainville, for the part of Papua New Guinea
that plans to switch from UTC+10 to UTC+11 on 2014-12-28 at 02:00.
* Since Belarus is not changing its clocks even though Moscow is,
the time zone abbreviation in Europe/Minsk is changing from FET
to its more-traditional value MSK on 2014-10-26 at 01:00.
* The new abbreviation IDT stands for the pre-1976 use of UT+8 in
Indochina, to distinguish it better from ICT (UT+7).
* Many time stamps have been corrected for Asia/Ho_Chi_Minh before 1976.
Asia/Ho_Chi_Minh has been added to zone1970.tab, since
north and south Vietnam disagreed after our 1970 cutoff.
* Asia/Phnom_Penh and Asia/Vientiane have been turned into links, as
they differed from existing zones only for pre-1970 time stamps.
* Changes affecting commentary.
* dnsmasq subscriber no longer moans if it hasn't written a pidfile
* Ensure that name_server_blacklist works for more than one option.
Thanks to Frederic Barthelery.
* unbound_insecure can disable DNSSEC for all domains processed.
* local_nameservers now defaults to
127.* 0.0.0.0 255.255.255.255 ::1
and is used instead of a hard coded list.
* Allow the disabling of resolvconf or optionally an individual
subscriber.
* Don't wait around trying to create a lock if we don't have
permission.
* resolv_conf_passthrough=NULL will update resolv.conf to match
only what is configured in resolvconf.conf and ignore any
interface configuration.