- out of bounds write in NSIS bzip2 library
- improvements to the zip bomb mitigations added in 0.101.3, there is now
a maximum scan time limit, defaulting to 2 minutes
* Support for UNIX domain socket connections. A backend endpoint can now
be specified as a UNIX domain socket, via backend = "/path/to/socket".
* New configuration file settings pem-dir and pem-dir-glob. pem-dir can
be used to specify a directory for loading certificates, without
specifying each file individually.
* Support for TLS 1.3. Thanks to Lasse Karstensen.
* Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
* Add log-level. This supersedes the previous quiet setting,
which is now deprecated.
* Add proxy-tlv. This enables extra reporting of cipher and protocol as
part of the PROXYv2 protocol.
* Drop TLSv1.1 from the default TLS protocols list.
Use Python 3 during build and make tests depend on the current version while
here.
py-Rijndael is python2-only, has no consumers, and hasn't been
updated since 2009
py-crack is python2-only, has no consumers, and hasn't been updated
since 2009
py-cryptkit is python2-only, has no consumers, and hasn't been updated
since it was imported in 2002
OK sthen@
on i386; link with -Wl,-z,notext for now (this knocks out a large chunk
of the ports tree). ok aja@
ld: error: can't create dynamic relocation R_386_32 against symbol: _gnutls_x86_cpuid_s in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
angrop is a tool to automatically generate ROP chains.
It is built on top of angr's symbolic execution engine, and uses constraint
solving for generating chains and understanding the effects of gadgets.
angrop should support all the architectures supported by angr, although more
testing needs to be done.
Typically, it can generate rop chains (especially long chains) faster than
humans.
It includes functions to generate chains which are commonly used in exploitation
and CTF's, such as setting registers, and calling functions.
join work with and ok kn@
OpenBSD. This is based on a pull request from Jeremy O'Brien at
https://github.com/NationalSecurityAgency/ghidra/pull/490 and the Ghidra
build guide at
https://github.com/NationalSecurityAgency/ghidra/blob/master/DevGuide.md .
In addition, I have made these changes to make Ghidra work better as an OpenBSD
port:
1. I removed the explicit check for Gradle 5.0 because I was able to build
Ghidra with latest versions of Gradle. At the time of commit, our
java/gradle port is 5.5.1 which is the latest version of Gradle.
2. By default, the Ghidra build process tries to fetch dependent files on demand
while building. This will cause the build to fail if the port is built using
the _pbuild user. To fix this, I made the port fetch all the dependent .jar
files prior to building. I also used gradle's --offline flag which
explicitly tells gradle to "Execute the build without accessing network
resources".
3. To prevent the build process from touching $HOME, I made gradle use
${WRKDIR}/gradle as its home and also modified GHelpBuilder.java
(the program that builds help files during build) to log to ${WRKDIR}
instead of $HOME/.ghidra.
4. One of the Gradle scripts (ip.gradle) scans the Ghidra source tree so
I had to explicitly tell it to exclude *.orig and *.beforesubst.
help from bentley@ and Jeremy O'Brien
ok bentley@ rpointel@ (maintainer)
If somebody is removed who actually wants maintainer and either
didn't receive the mail, or didn't bother to reply to it, they are
free to send a diff to reinstate.
ok sthen@, jca@
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 public-key
signature system.
Signatures written by minisign can be verified using OpenBSD's signify tool:
public key files and signature files are compatible. However, minisign uses
a slightly different format to store secret keys.
Minisign signatures include trusted comments in addition to untrusted
comments. Trusted comments are signed, thus verified, before being
displayed. This adds two lines to the signature files, that signify
silently ignores.
ok sthen@
internal replacement function. Following the changes to make realpath(3) use the
__realpath() syscall these no longer detect broken realpath i.e. produce different
code. Bump REVISION to ensure that users get the new version.
