|
1 | 1 |
|
2 | | -Version: 24.??.24 |
| 2 | +Version: 24.09.24 |
3 | 3 | ### NOTE |
| 4 | + This release is a major redesign of some functionality of the project. |
| 5 | + |
| 6 | + * some legacy options have been removed |
| 7 | + * bugs fixed reported as [issue](https://github.com/OWASP/O-Saft/issues) |
| 8 | + * many bugs which occurred rarely (special combination of options) are fixed |
| 9 | + * using openssl for detecting ciphers must be enabled by options |
| 10 | + * handles openssl 3.x |
| 11 | + * handles DTLS 1.2 |
| 12 | + * Dockerfile build with openssl provided by alpine:3.20 (is default now) |
| 13 | + * Dockerfile builds image for Docker or Podman |
| 14 | + * new Dockerfile.openssl to build image with own openssl 1.0.2-chacha |
| 15 | + * new commands and options for o-saft-docker (supports Podman) |
| 16 | + * SBOM o-saft.rel added which contains SIDs and sha256sums |
| 17 | + * --v behaves as a simple "info"-option |
| 18 | + * tracing improved in general |
| 19 | + * improved INSTALL.sh with --check* options (for example checking SBOM) |
| 20 | + * usr/o-saft-standalone.pl mainly working without perl warnings |
| 21 | + * documentation addapted to changed and new functionality |
| 22 | + * more descriptive documentation according cipher, cipher ranges etc. |
| 23 | + |
4 | 24 | ### BUGFIX |
| 25 | + * usr/INSTALL-template.sh BF: must use literal TAB instead of \t in echo (problem in BusyBox) |
| 26 | + * usr/get-SIDs.sh: BF: using expr on STDIN improved (bug with BusyBox v1.36.1) |
| 27 | + * o-saft.pl: BF: check_dh() called if +logjam given (instead of +check) |
| 28 | + * o-saft.pl: BF: normalise command only, not assigned value (was a problem with +test* commands only) |
| 29 | + * o-saft.pl: BF: don't print command-line for option --help=gen* (used in make context only) |
| 30 | + * o-saft.pl: BF: print SSLv2 in "Ciphers: Summary" |
| 31 | + * o-saft.pl: BF: detect POODLE for TLSv1 (issue 146) |
| 32 | + * o-saft.pl: BF: +cbc, +edh, +adh check cipher suite constant names also (issue 144) |
| 33 | + * o-saft.pl: BF: avoid "Use of uninitialized value $v in scalar chomp .." (issue 14 |
| 34 | + * o-saft.pl: BF: avoid "Undefined subroutine &SSLinfo::do_ssl_open ..." for some cipher check commands like +cbs (issue 140) |
5 | 35 | * o-saft.pl: BF: print <<undef>> for unknown cipher suite found with +cipher |
6 | 36 | * o-saft.pl: BF: bare word after qr// removed (error in modern perl) |
| 37 | + * o-saft.tcl: BF: pass +commands and --option to o-saft.pl (issue 153)F: bare word after qr// removed (error in modern perl) |
| 38 | + * o-saft-docker: BF: argument hacker and usage do not need docker executable |
| 39 | + * lib/SSLhello.pm: BF: use binmode(.., ":raw") to avoid perl error: send() isn't allowed on :utf8 handles (in stand-alone mode) |
| 40 | + * lib/SSLinfo.pm: BF: avoid printing undefined value (issue 141) |
| 41 | + * lib/OTrace.pm: BF: use pre Perl 5.22 RegEx syntax (issue 142) |
| 42 | + * lib/OCfg.pm: BF: avoid Perl warning about regex match in hint() |
| 43 | + * lib/OCfg.pm: BF: 0x03005600 (TLS_FALLBACK_SCSV) added to 'range'->'rfc' |
| 44 | + * lib/OCfg.pm: BF: cipher_adh cipher_null added to cfg{need-chsckssl} (issue 140) |
| 45 | + * lib/OMan.pm: BF: use correct version when generating -cgi.html |
| 46 | + * lib/OMan.pm: BF: --help=command lists all commands from RC-file |
7 | 47 | * lib/OMan.pm: BF: bare word after qr// removed (error in modern perl) |
| 48 | + * HTML-table.awk: BF: HTML syntax corrected |
| 49 | + * HTML-simple.awk: BF: HTML syntax corrected |
| 50 | + * usr/XML-value.awk: BF: XML syntax corrected |
| 51 | + * usr/XML-attribute.awk: BF: XML syntax corrected |
| 52 | + * t/Makefile.mod: BF: definition of SRC.pm adapted to Makefile |
8 | 53 | * t/Makefile.testssl: ET: target examples corrected |
| 54 | + * usr/INSTALL-template.sh BF: special handling when called by make in own test directory |
| 55 | + * Makefile: BF: use ./$SRC.pl when generating own help files |
9 | 56 | ### CHANGES |
| 57 | + * usr/get-SIDs.sh: EF: check for gawk and md5sum; exit if missing |
| 58 | + * Dockerfile: EF: using docker BuildKit; OSAFT_VM_SRC_OSAFT can be local file |
| 59 | + * Dockerfile: EF: uses standard openssl |
| 60 | + * usr/INSTALL-template.sh ED: new documentation section CHECKS, UPDATES |
| 61 | + * usr/INSTALL-template.sh EF: allow all --check* option in container image |
| 62 | + * usr/INSTALL-template.sh EF: installation with --cgi improved |
| 63 | + * usr/INSTALL-template.sh EF: --install checks md5sum of installed files |
| 64 | + * usr/INSTALL-template.sh EF: --check=SIDs and --check=SID --changes implemented |
| 65 | + * usr/INSTALL-template.sh EF: --checkdev improved (checks execute permissions) |
| 66 | + * usr/INSTALL-template.sh EF: INSTALL.sh.lock implemented |
| 67 | + * usr/INSTALL-template.sh EF: each part of --check can be checked individually with --check* |
| 68 | + * usr/install_openssl.sh: EF: use Net-SSLeay-1.94.tar.gz |
| 69 | + * t/Makefile.dev: ET: TEST.tmpdir, TEST.tmp.rc added |
| 70 | + * t/Makefile.warnings: ET: TEST.tmp.rc removed (now in Makefile.inc) |
| 71 | + * t/Makefile.inc: ET: TEST.tmpdir, TEST.tmp.rc added |
| 72 | + * t/Makefile*: ET: all O-*.dir renamed to O-DIR.* |
| 73 | + * t/Makefile*: ET: option --trace-CLI removed; now passed via OSAFT_OPTIONS=--trace-CLI |
| 74 | + * t/Makefile: ET: target testcmd-test.internal improved |
| 75 | + * t/Makefile: ET: include Makefile.inst |
| 76 | + * t/Makefile: ET: do not set PATH in recursive makeT: option --trace-CLI removed; now passed via OSAFT_OPTIONS=--trace-CLI |
| 77 | + * Makefile: ET: podman.* targets added |
| 78 | + * Makefile: ET: target docker.test added |
| 79 | + * Makefile: ET: variable TEST.Makefiles completed |
| 80 | + * lib/Ciphers.pm: EF: is_valid_key() handles keys for internal use also |
| 81 | + * lib/OTrace.pm: EF: --trace print environment variables |
| 82 | + * lib/OTrace.pm: EF: use OCfg, use OData, use Ciphers (partial fix for issue 137) |
| 83 | + * lib/OData.pm: EF: use OCfg included; _init_checks_val() implemented (partial fix for issue 137) |
| 84 | + * lib/OCfg.pm: EF: resumption_psk added to cfg{data_hex} |
| 85 | + * lib/OCfg.pm: EF: h2-16 added for ALPN, NPN |
| 86 | + * lib/OCfg.pm: EF: define and export _dbx(); @EXPORT_OK improved; define warn(), hint() |
| 87 | + * lib/OCfg.pm: EF: cipherrange and cipherpattern 'openssl' added |
| 88 | + * lib/OCfg.pm: EF: some RegEx simplified |
| 89 | + * lib/OCfg.pm: EF: hint for Lucky13 added |
| 90 | + * lib/OCfg.pm: EF: initialisation and export improved (partial fix for issue 137) |
| 91 | + * lib/ODoc.pm: EF: use full qualified $OCfg:: (partial fix for issue 137) |
| 92 | + * lib/OMan.pm: EF: man_warnings() prints used file with --v |
| 93 | + * lib/OMan.pm: EF: --help=command lists internal defined summary commands also |
| 94 | + * lib/OMan.pm: EF: "use Ciphers" improved (partial fix for issue 137) |
| 95 | + * o-saft-docker: EF: option -name=pattern for kill operation added |
| 96 | + * o-saft-docker: EF: update implemented |
| 97 | + * o-saft-docker: EF: options -OSAFT_VM_SRC_OSAFT= and -OSAFT_VM_SHA_OSAFT= added |
| 98 | + * o-saft-docker: ED: documentation improved (note about xhost and xauth) |
| 99 | + * .o-saft.pl: ED: description improved; description added to all redefined commands |
| 100 | + * o-saft.tcl: EF: options --v behaves like in o-saft.pl |
| 101 | + * o-saft.tcl: EF: +info results are show as Text, not TK-table (issue 154) |
| 102 | + * o-saft.tcl: EF: "Start" button added to layout=tablet (for simple usage) |
| 103 | + * o-saft.tcl: EF: check for version number improved (hack for use of OSAFT_OPTIONS=--trace-CLI with make) |
| 104 | + * o-saft.pl: EF: EF: parsing commands and options unified |
| 105 | + * o-saft.pl: EF: _dbx() defined in OCfg.pm |
| 106 | + * o-saft.pl: EF: --cipherrange=openssl implemented |
| 107 | + * o-saft.pl: EF: -ciphermode= not supported for +cipher-dh |
| 108 | + * o-saft.pl: EF: own openssl instead of SSLinfo::do_openssl() for +cipher |
| 109 | + * o-saft.pl: EF: check Net::SSLeay<1.92 |
| 110 | + * o-saft.pl: EF: handle all --help* options/commands after reading all arguments |
| 111 | + * o-saft.pl: ED: texts improved for "Ciphers: Summary"; for --version output |
| 112 | + * o-saft.pl: EF: abort execution when using invalid/unknown ciphers with --cipher= |
| 113 | + * o-saft.pl: EF: individual _is_ssl_*() now in generic _is_vulnerable() and _is_compliant() |
| 114 | + * o-saft.pl: EF: --v prints info when OSAFT_CONFIG, OSAFT_OPTIONS used |
| 115 | + * o-saft.pl: EF: check ENV{'OSAFT_OPTIONS'} if command line should be printed |
| 116 | + * o-saft.pl: EF: use shebang -CADSio; descriptions according Unicode, UTF-8 and binmode() adapted |
| 117 | + * o-saft.pl: EF: use OCfg, use OData improved (partial fix for issue 137) |
10 | 118 | * o-saft.pl: EF: die() doesn't print line number; keep make targets *.log happy |
11 | 119 | * t/Makefile*: ED: _SID renamed to O-SID, _MYSELF* renamed to O-SELF* |
12 | 120 | * t/Makefile.inc: ET: make file simplified |
13 | 121 | * t/Makefile.docker: ET: variables and targets for mbedtls removed (now in Makefile.testssl*) |
14 | 122 | * t/Makefile.cipher: ET: new target testarg-cipher-+cipher---test-missing_ |
15 | 123 | * t/Makefile.cipher: ET: more targets for --cipher* options |
16 | 124 | * lib/OTrace.pm: EF: __trac() support data type "Regexp" |
| 125 | + * doc/help.txt: ED: section UPDATES added |
| 126 | + * doc/help.txt: ED: new section "Individual check values" |
| 127 | + * doc/help.txt: ED: description about checking/scanning ciphers improved |
| 128 | + * doc/help.txt: ED: documentation about warnings and hints improved |
| 129 | + * doc/help.txt: ED: more attacks added in section CHECKS |
| 130 | + * doc/help.txt: ED: description for POODLE improved |
| 131 | + * doc/help.txt: ED: KNOWN PROBLEM "Old, deprecated cipher suites" added |
17 | 132 | * doc/glossary.txt: ED: formal changes ; more acronyms added |
18 | | - * doc/rfc.txt: ED: more RFCs added |
| 133 | + * doc/rfc.txt: ED: more RFCs added; link for SSLv2 added |
| 134 | + * usr/gen_standalone.sh: EF: sequence of included files from lilb/ changed; formal changes |
19 | 135 | * usr/INSTALL-template.sh: EF: avoid error message if wish is missing |
20 | 136 | * o-saft.pl: EF: +version prints own unique SID |
21 | 137 | * o-saft-docker: EF: avoid errors if docker program missing |
22 | 138 | ### NEW |
| 139 | + * o-saft-docker: NF: kill command added |
| 140 | + * Dockerfile.openssl: NF: renamed from Dockerfile |
| 141 | + * t/Makefile.inst: NF: new Makefile.inst for testing INSTALL.sh |
| 142 | + * .o-saft.pl: NF: resumption_psk added |
| 143 | + * o-saft.pl: NF: check for BREACH vulnerability |
| 144 | + * lib/Cipher.pm: NF: is_adh(), is_cbc(), is_edh() implemented |
| 145 | + * lib/SSLinfo.pm: NF: exract HTTPS header Content-Encoding and Transfer-Encoding |
| 146 | + * lib/SSLinfo.pm: ED: internal %CST renamed to %SSLINFO to avoid name conflicts |
| 147 | + * lib/SSLinfo.pm: NF: resumption_psk implemented |
| 148 | + * lib/OData.pm: NF: data{resumption_psk} added |
| 149 | + * lib/OData.pm: NF: $data{https_content_enc} and $data{transfer_enc} add |
| 150 | + * lib/OCfg.pm: NF: new regex->BREACH |
23 | 151 | * lib/OCfg.pm: EF: cfg{cipherranges}{iana} added |
| 152 | + * t/Makefile.mod: NT: new targets testing Cipher::is_* added |
| 153 | + * t/Makefile.cipher: NT: new targets for cipher check command (like +adh) added |
24 | 154 |
|
25 | 155 | Version: 24.06.24 |
26 | 156 | ### NOTE |
@@ -60,6 +190,7 @@ Version: 24.06.24 |
60 | 190 | * usr/INSTALL-template.sh: EF: checking ancient files improved; checking ancient directories |
61 | 191 | * usr/INSTALL-template.sh: EF: accept environment variable OSAFT_Dir as installation directory |
62 | 192 | * usr/INSTALL-template.sh: EF: special handlicg for o-saft-docker |
| 193 | + * t/Makefile.dev: ET: targets for testing INSTALL.sh moved to Makefile.inst |
63 | 194 | * t/Makefile.cmd: ET: some targets use filter to remove random data in generated .log |
64 | 195 | * Makefile: EF: EXE.docker renamed to EXE.o_docker; EXE.docker=docker added |
65 | 196 | * Makefile: EF: target INSTALL.sh depends on Makefile.misc |
|
0 commit comments