Latest release. Many bugs have been fixed, including possibly security
relevant ones. This long overdue update has been postponed because of
binutils-2.17 ld(1) bugs in version scripts handling. The issue is not
fixed but at least worked around.
The SHARED_LIBS handling is a bit ugly because of the .cpython-XY tag added
to some library names.
Tests by Ian (co-maintainer)
znc provides its own version of SSL_SESSION_get0_cipher() for LibreSSL.
This no longer compiles with an opaque SSL_SESSION struct. The
function was added to libssl and will be available from LibreSSL 3.4.0.
discussed with Aisha Tammy (maintainer)
- private key format has been updated and now uses Argon2
- new algorithms; Curve448 kex, Ed448 pub keys, SHA-2 RSA variants
- pageant permits loading an encrypted private key and only giving the
passphrase later when it's used
https://lists.tartarus.org/pipermail/putty-announce/2021/000031.html
Use OpenSSL 1.1.1 code path that uses SSL_CTX_up_ref() instead of
handrolling it. This way mosquitto will continue to build after
an upcoming libssl bump.
Executables were installed mode 774 owned by root:bin. We need to use
mode 775 (o+x), otherwise nagios which runs as user _nagios complains:
Error: failed to access() /usr/local/bin/nagios: Permission denied
Error: Spawning workers will be impossible. Aborting.
Solution discussed and found together with sthen and tb.
ok sthen@ tb@
- no need to disable SSLv2 and SSLv3
- no need to initialize the libraries explicitly anymore
- remove incomplete uninit code
- use TLS_method() instead of SSLv23_client_method()
from Brad
this please test and report back if you see problems; in the run-up
to OpenBSD 6.9 we dropped back to 9.16.10 due to problems in interim
releases
CVE-2021-25214: A broken inbound incremental zone update (IXFR)
can cause named to terminate unexpectedly
https://kb.isc.org/docs/cve-2021-25214
CVE-2021-25215: An assertion check can fail while answering queries for
DNAME records that require the DNAME to be processed to resolve itself
https://kb.isc.org/docs/cve-2021-25215
CVE-2021-25216: A second vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack
https://kb.isc.org/docs/cve-2021-25216
When missing, samba builds pytdb support using its bundled copy of tdb,
and installs it in WRKINST, as shown by update-plist. samba runs fine
with the py-tdb package registered in its RUN_DEPENDS, but this is not
what was intended. Consistently use libtdb and py-tdb from databases/tdb.