From: Charles Wilson
Date: Mon, 30 Mar 2009 07:37:00 -0000
Subject: [1.7] Updated: {tcp_wrappers/libwrap0/libwrap-devel}-7.6-20
To: cygwin-announce@cygwin.com
Message-Id: <20090329072437.9E7182BC33@heartbeat1.messagingengine.com>

tcp_wrappers provides host-based access restrictions on tcp services:
facilities for monitoring and filtering incoming requests for the SSHD,
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
network services.

The package provides a tiny daemon wrapper program that can be installed
without any changes to existing software or to existing configuration
files. The wrappers report the name of the client host and of the
requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.

This is a bugfix release: corrects failure to access from localhost to
services on localhost, when cygwin-1.7+Vista.

[[ compiled using gcc-3.4.4-999 ]]

This release is specific for cygwin-1.7. It differs significantly from
the simultaneously-released tcp_wrappers-7.6-6 for cygwin-1.5. In
addition to the usual (trivial) documentation differences, this
cygwin-1.7-specific package supports IPv6, while the cygwin-1.5 package
does not.
Because of this, the /etc/defaults/etc/hosts.allow files also differ;
the cygwin-1.5 version can not include the IPv6 localhost specification.

(cygwin-1.7)
  ALL : localhost 127.0.0.1/32 [::1]/128 : ALLOW
(cygwin-1.5)
  ALL : localhost 127.0.0.1/32 : ALLOW

CHANGES (since 7.6-5)
========================
o Fork for cygwin-1.7 development (actually, this occurred with
  tcp_wrappers-7.6-5).
o Updated to latest debian patchset (r16 v. r15)
o Added the following line to the default /etc/hosts.allow *before*
  the PARANOID entry:

    ALL : localhost 127.0.0.1/32 [::1]/128 : ALLOW

  This is required on cygwin-1.7+Vista, because
  + With Vista, you cannot disable IPv6 with regards to the loopback
    interface
  + IPv6 lookups for ::1 resolve to , not localhost
  + But DNS lookups for resolve to your assigned IP, not ::1
    (or 127.0.0.1).
  + This causes the PARANOID rule to reject the connection
  + Thus, with cygwin-1.7+Vista, you can't (e.g.) 'ssh localhost'
  + Unless you add a rule such as above to hosts.allow.

  Note that this rule does no harm on non-Vista versions of windows
  (although the cygwin-1.5 libwrap0 doesn't understand [::1] IPv6
  notation). The rule is also not a security hole, because incoming
  connections are always identified by an IP address that is NOT
  127.0.0.1 nor [::1] (the internet refuses to route those IPs). So,
  these numeric addresses can never be spoofed, so it's okay to allow
  them.
o Updated hint files

A reminder for package maintainers and developers:

STRONGSYMS: the cygwin versions of cygwrap-0.dll AND libwrap.a (that is,
both the DLL and static library) explicitly provide

  int deny_severity
  int allow_severity

symbols. This means that clients must NOT define their own versions of
these symbols, as is the practice on *nix systems.
Instead, clients should rely on the /declaration/ provided in tcpd.h:

  extern int deny_severity;
  extern int allow_severity;

This may require code changes in clients that link against libwrap, but
it was a necessary API change to enable DLL builds on cygwin.

--
Charles Wilson
volunteer tcp_wrappers maintainer for cygwin

====================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
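
A simplified model of the rule evaluation described in the announcement, added here as an illustration and not code from tcp_wrappers or the Cygwin package: it shows why a PARANOID entry rejects ::1 when reverse and forward lookups disagree, and how the localhost rule placed before it admits the connection without loosening PARANOID for other clients. The lookup tables, the host names, the sample addresses and the DENY form of the PARANOID entry are constructed assumptions.

```python
import ipaddress

# Constructed lookup tables modelling the cygwin-1.7+Vista case; "vistabox",
# "trusted.example" and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses
# are made-up sample values, not taken from the announcement.
REVERSE = {"::1": "vistabox", "127.0.0.1": "localhost",
           "192.0.2.10": "vistabox", "198.51.100.7": "trusted.example"}
FORWARD = {"vistabox": ["192.0.2.10"], "localhost": ["127.0.0.1"],
           "trusted.example": ["203.0.113.5"]}

def is_paranoid(addr):
    """True when addr has a name that does not resolve back to addr."""
    name = REVERSE.get(addr)
    return name is not None and addr not in FORWARD.get(name, [])

def client_matches(pattern, addr):
    """Match one client pattern from a rule against the peer address."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(addr)
    if "/" in pattern:  # net/prefixlen form; IPv6 is written in brackets
        net = ipaddress.ip_network(pattern.replace("[", "").replace("]", ""))
        return ipaddress.ip_address(addr) in net  # False across IP versions
    # Host name pattern: usable only when name and address agree.
    return not is_paranoid(addr) and REVERSE.get(addr) == pattern

def decide(rules, addr):
    """First matching rule wins; access is granted when no rule matches."""
    for clients, action in rules:  # daemon field omitted: every rule is ALL
        if any(client_matches(p, addr) for p in clients.split()):
            return action
    return "ALLOW"

# Client list of the rule quoted in the announcement.
LOCALHOST_RULE = ("localhost 127.0.0.1/32 [::1]/128", "ALLOW")
# Assumed form of the PARANOID entry; the announcement does not quote it.
PARANOID_RULE = ("PARANOID", "DENY")

if __name__ == "__main__":
    for addr in ("::1", "127.0.0.1", "198.51.100.7"):
        before = decide([PARANOID_RULE], addr)
        after = decide([LOCALHOST_RULE, PARANOID_RULE], addr)
        print(f"{addr:14} PARANOID only: {before:5}  localhost rule first: {after}")
```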