zorp 3.0.8
	Thu, 03 Nov 2005 09:57:24 +0100

	Changes since 3.0.7

	Core:
	  * Fixed a possible Python traceback whenever a ZoneListener or
            CSZoneListener referred to a non-existent service.
          * Clarified some satyr log messages.
	  * Fixed possible memory leaks in Satyr authentication.
          * Fixed a possible deadlock in processing UDP traffic.
          * Added support for changing the Satyr connection timeout,
            previously a value of 60 seconds was hard-coded.
          * Added round_robin parameter to FailoverChainer to make it
            possible to explicitly specify round-robin and failover
            behaviour when establishing server connections.
          * Fixed umbrella behaviour for zones which had no inbound or
            outbound service list.

	zorpctl:
          * Fixed a possible segmentation fault in "zorpctl szig".

	Ftp:
	  * Added a log message about rejected login attempts for
            anonymous-only FTP connections.
          * Fixed a possible memory leak in active data connection establishment.
	  * Fixed a possible deadlock in data session initiation.

	Ldap:
	  * Fixed a possible parse error in long SEARCH requests.

	Pssl:
          * Changed all cipher suites to explicitly disallow
            non-authenticating algorithms such as anonymous-DH.
          * Fixed timeout processing during SSL handshake.
          * Added new handshake_timeout parameter to control the timeout
            used during SSL handshake.

	Imap:
	  * Fixed a problem causing the proxy to never exit on connection
	    timeout.
	  * Fixed IMAP folder name validation to accept accented characters.
          * Fixed a possible memory leak.
	  * Fixed verbosity level for some log messages.
	  * Fixed capability filtering in untagged OK responses.
	  * Fixed a possible segmentation fault in processing requests
            containing literals exceeding max_literal_count.

	Http:
	  * Added countermeasures for various request/response smuggling attacks.
          * Fixed an interoperability problem to automatically reconnect when the
            server drops the connection while the proxy is waiting for the client.

	Smtp:
	  * Added reporting of the server message ID in the SMTP accounting
            message.
          * Added 500/501/421 as valid responses to all SMTP commands,
            previously these responses were converted to "500 Invalid
            command" by the proxy.

	Rsh:
	  * Changed proxy behaviour not to wait for 30 seconds for the
            standard error connection once the main RSH connection was
            terminated by the server.

	VBuster:
	  * Reject module loading if the VBuster engine cannot be initialized
            (like in the case of missing database).

zorp 3.0.7
	Mon, 19 Sep 2005 10:59:38 +0200

	Changes since 3.0.6

	Core:
	  * Added a more specific error reporting to Satyr authentication.

	Mime:
	  * Fixed a bug in base64 encoder possibly causing trimmed MIME
	    objects.

zorp 3.0.6
	Wed, 17 Aug 2005 16:31:13 +0200

        Changes since 3.0.5

        Core:
          * Fixed a confusing message about an invalid ToS value when
            secondary sessions are used.
          * Fixed a possibly unhandled Python exception in FailoverChainer
            when no state timeout was specified.
          * Fixed a race condition possibly causing segmentation fault when
            the child proxy was communicating with its parent while that was being
            destroyed. The window of the race was very small, the problem
            occurs with large amounts of traffic only.

        Pssl:
          * Fixed a possible memory leak in Certificate Revocation List
            validation.

        Mime:
          * Improved robustness of the base64 decoder to handle
            whitespace within base64 encoded data.
          * Fixed a memory allocation problem possibly causing a segmentation
            fault when receiving a syntactically incorrect message.

        Http:
          * Changed the default value for max_chunk_length to unlimited, as
            the previous limit of 256kB caused interoperability problems
            with various web servers/applications.
          * Fixed a possible problem in reconnection handling, causing data
            transfer timeouts for POST requests.

        Telnet:
          * Fixed a problem in processing multi-byte telnet sequences
            occurring on the buffer boundary.

        Imap:
          * Fixed a possible segmentation fault problem in authentication
            message handling.

        VBuster:
          * The vbupgrade script automatically removes the installed engine
            and database packages from the apt cache.
          * Fixed the processing of the 'scan_method' and
            'heuristic_sensitivity' attributes making it possible to set
            them to any VBuster supported values.

zorp 3.0.5
	Tue, 07 Jun 2005 16:14:36 +0200

	Changes since 3.0.4

	Core:
	  * Fixed an Authentication cache problem where an authenticated
	    service would work without a cache although one was specified.
	  * Added the command line option --log-escape which enables the
	    filtering of non-printable characters in the log file.

	zorpctl:
	  * Manpage of zorpctl.conf updated.

	Ftp:
	  * Added ToS value propagation to the data channel.

	Http:
	  * Accept non-ASCII characters in URLs and reencode them using the
            standard URL encoding scheme.
	  * Removed some special characters from the set of escaped
            characters in HTTP URL filenames.

	Mime:
	  * Fixed a bug in error detection which caused messages to be sent to
	    quarantine by mistake.
	  * Fixed a problem which caused 100% processor usage while the
            message was being virus scanned.

	Nntp:
	  * Added support to send NNTP messages to stacked proxies.

	SQLNet:
	  * Fixed a possible interoperability problem with Oracle9 and 10
	    which was triggered if the CONNECT data exceeded 198 bytes but
	    was below 231.
	  * Added a new attribute named split_connect_threshold to control
	    connect packet splitting.

zorp 3.0.4
	Thu, 07 Apr 2005 12:42:41 +0200

	Changes since 3.0.3

	  Core:
	    * Added the possibility to change verbosity level and logspec
	      at runtime.
	    * Fixed a confusing log message about failed authorization.
	    * Fixed the connection setup to satyr when the satyr port number
	      is explicitly specified.
	    * Changed the behaviour of FailoverChainer: when all the targets
	      fail during the cache timeout, the chainer does not wait until
	      the timeout expires, but re-checks the targets immediately.
	    * Warning message printed to the console if zorp runs with a demo
	      license.
	    * Fixed source port selection when the forge_port parameter of Routers
	      is set to Z_PORT_GROUP.
	    * Fixed InbandAuthentication caching problem.
	    * Added an easier to use interface to access attributes exported
	      by parent proxies.
	    * Fixed a possible segmentation fault in DNS resolving.
	    * Introduced a new memory management subsystem called the blob
	      system. It is a globally sized pool of blobs stored either in
	      RAM or on disk which is to be used as a temporary storage for
	      non-streamable objects like MIME envelopes and virus scanned
	      objects.
	    * Added quarantine checking utility to ensure that the storage
	      requirements of the quarantine are bounded. For details see
	      the manpage zorpqc(1).

	  zorpctl:
	    * Added new command to control Zorp log settings.
	    * Various usability fixes (report errors when instances.conf
	      cannot be opened, handle invalid arguments in instances.conf,
	      clarified some log messages).
	    * zorpctl now checks whether it could start/stop the specified Zorp
              instance or not by waiting while Zorp starts up or shuts down
              which slows down zorpctl processing. For timing parameters
              check the manpage for zorpctl.conf(5).

	  Ftp:
	    * ALLO parameter checking is stricter now.

	  Http:
	    * Fixed the usage of content-length hinting when the MIME
	      headers are sent to the stacked proxy.
	    * Make it easier to change and query header information during
	      request processing in the policy layer.
	    * Fixed Transfer-Encoding header processing for HTTP uploads
              when a stacked proxy is used.
	    * Added URL canonicalization to change various different
              encodings of the same URL to a common format.
            * Support for the FTP protocol in non-transparent mode.
	    * Fixed possible "Invalid file descriptor" error messages.
	    * Added new use_default_port_in_transparent_mode attribute which
	      forces the use of default_port in server address hints in
	      transparent mode.

	  Imap:
	    * Fixed handling the tagged form of the IMAP CAPABILITY
	      response.
	    * Ignore case when comparing capability names.
	    * Changed to use the blob subsystem.

	  Mime:
	    * Changed to use the blob subsystem.
	    * Introduced header manipulation (remove, add, change).
	    * Added the possibility to append a constant MIME object into every
	      message.
	    * Added a new attribute named "permit_empty_headers" which
	      instructs the proxy to take the first line as the message body
	      provided it cannot be parsed as a header.

	  Pssl:
	    * Fixed a problem in proxy startup, affects the GPLd version only.
	    * Fixed IOError handling during KeyBridge initialization, keys
	      not present at the specified location will be reported with a
	      nice error message instead of a backtrace.
	    * Fixed a typo which prevents using server-side key generation
	      feature.
	    * Added the possibility to use password encrypted private keys.

	  Smtp:
	    * Extension identifiers are accepted also in mixed case.
	    * Added some more detail to "Copying request" messages
	    * Added the possibility to cut long server answers instead of
	      just aborting the connection.

	  Pop3:
	    * Fixed a possible missing linefeed in some rare situations.
	    * Added support for the AUTH command.
	    * Updated documentation.

	  VBuster:
	    * The upgrade script correctly handles the case when upgrading the
	      engine is disabled via configuration but a new version is
	      available.
	    * VBuster proxy is now able to do quarantining on its own.
	    * Added the possibility to control the maximum compression ratio and
	      uncompressed size of archives which are virus checked to avoid
	      archive bombing.
	    * Added some more possible error codes to make changing the
	      "error" policy easier.
	    * Improved log messages.

zorp 3.0.3
	Wed, 22 Dec 2004 10:13:37 +0100

	Changes since 3.0.2

	  Core:
	    * Fixed Solaris packaging problem, configuration files such as
	      zorpctl.conf are not overwritten by default.
	    * Fixed FailoverChainer to work correctly when the preferred
	      source address was specified by the router. (e.g.
	      forge_addr/forge_port was set)
	    * Fixed possible segmentation fault when the keys used for
	      authenticating the ZAS SSL channels were not readable. 
	    * Added the possibility to specify certificate verification
	      depth to ZAS connections.
	    * Fixed possible deadlock in UDP proxying.
	    * Fixed non-transparent UDP proxying problem triggered by, for
	      example, ICMP port unreachable.
	    * Fixed NATPolicy cacheable attribute setting, it was always set
	      to TRUE regardless what the administrator specified.
	    * Added authorization failure reporting to satyr, previously
	      successfully authenticated but unauthorized connections were
	      first accepted (Satyr reported authentication success), and
	      then rejected by closing the proxied connection. This confused
	      some users.
	    * Updated man pages.

	  zorpctl:
	    * Improved error reporting, the errors during the performed
	      action are accumulated and reported when zorpctl exits to make
	      the output more readable.
	    * Increased default per-thread file limit to 64 as VBuster might
	      use a lot of file descriptors for temporary files.
	    * Renamed APPEND_ARGS zorpctl option to ZORP_APPEND_ARGS (old
	      name also works), also added ZORPCTL_APPEND_ARGS to make it
	      possible to specify options for zorpctl globally.
	    * Fixed CHECK_PERMS processing to check proper permissions for
	      the /etc/zorp directory.
	    * Added AUTH_RESTART_DELAY option which specifies the number of
	      seconds to wait before Zorp is restarted.
	    * Improved Zorp restart code, in addition to Zorp exiting due to
	      signals it is also restarted when it exits with a non-zero
	      return code.

	  VBuster:
	    * Made some improvements in vbuster upgrade script logging. 
	    * Added logrotation to /var/log/vbuster.log
	    * Fixed a possible scanning error when the object is
	      swapped to disk.
	    * Added FTPOVERHTTPPROXY option to vbuster.options.
	    * Added configurable error handling to the proxy to make it
	      possible to cleanly handle bad and/or password protected
	      archive files.
	    * Clarified and unified virus scanning result messages.

	  Lp:
	    * Cleaned up log messages.

	  Nntp:
	    * Cleaned up log messages.

	  Pssl:
	    * Added support for PSSL_VERIFY_OPTIONAL_TRUSTED which only
	      accepts trusted certificates, but does not require the peer to
	      specify one. The old PSSL_VERIFY_OPTIONAL was renamed to
	      PSSL_VERIFY_OPTIONAL_UNTRUSTED while keeping the old name for
	      compatibility.
	    * Added permit_invalid_certificates attribute which turns off
	      UNTRUSTED certificate validation completely, e.g. it accepts
	      any certificate even if it is expired.
	    * Fixed problem with the communication to sites which optionally
	      asked for certificates.

	  Smtp:
	    * Removed trailing spaces from MAIL commands containing ESMTP
	      extensions, as some MTAs complained about them.
	    * Fixed the default values for max_request_length &
	      max_response_length to match documentation. (512 instead of
	      the previous 256 as required by the RFC)
	    * Added support for the unconnected_response_code attribute
	      which specifies what response to return when the proxy is
	      unable to connect to the server. The value defaults to 554 as
	      this was the previous behaviour of the proxy, however it is
	      known to cause some problems with various MTAs so it might be
	      changed to 421 in the future.
	    * Clarified a couple of log messages.
	    * Fixed SmtpInvalidRecipientMatcher to avoid possible fd leak.
	    * Added 550 as a permitted response to the DATA command.

	  Http:
	    * Changed CONNECT handling to use the original client request if
	      parent proxy is used. This change makes it possible to allow
	      the upstream proxy to do authentication.
	    * Added a couple of missing log messages in various error
	      scenarios.
	    * Added workaround for some buggy browsers which send a CRLF
	      after their POST request and become confused when the proxy
	      closes the connection without fetching these extra bytes.

zorp 3.0.2
	Thu, 28 Oct 2004 09:56:26 +0100

	Changes since 3.0.1

	  Core:
	    * Fixed performance problems in non-transparent HTTP proxying,
	      DNS lookups are unserialized as the memory leak preventing
	      this was fixed in libc (from 2.2.5-11.5zorpos1).
	    * Fixed a bug in FailoverChainer which prevented it from working
	      when timeout was not specified.
	    * Fixed a compatibility problem with 2.1: startUp and shutDown
	      functions were renamed to their lower case equivalent in
	      earlier 3.0.x releases and compatibility was not ensured, this
	      was fixed.
	    * Fixed a possible problem which may cause incoming lines to
	      be interpreted as two separate lines during data transfer.
	    * Zorp refuses to start if the autobind IP address is not
	      available.
	    * Added a Z_ERROR verdict to the proxy decision logic which
	      makes it possible to soft-fail a transaction when the stacked
	      proxy detects some non-protocol specific failure (for example
	      virus scanning is unable to load its database).
	    * Added connection Type of Service support, the value of the 
	      TOS byte is propagated from the client to the server side
	      connections.
	    * Added some more details to some log messages, and tuned the
	      verbosity level in some cases.

	  Ftp:
	    * Fixed a deadlock in EPSV command introduced in 3.0.1.

	  Http:
	    * Introduced a new option to keep the client connection
	      persistent even if the server requests the connection to
	      close.

	  Nntp:
	    * Fixed a bug which caused rejecting command lines with trailing
	      whitespaces.

	  Smtp:
	    * Fixed a bug in recipients tracking, email addresses not
	      accepted by the server are not reported as successful
	      recipients in the SMTP accounting message.
	    * Added support for Z_ERROR verdict returned by stacked proxies,
	      it returns a temporary- instead of a persistent failure to
	      the client when the proxy reports some non-protocol specific
	      failure.
	    * SmtpInvalidRecipientMatcher automatically detects the
	      method to verify the validity of an email address. It always
	      tries VRFY first (unless force_delivery_attempt is TRUE),
	      and falls back to mail sending automatically if the target
	      does not support VRFY.

	  Pssl:
	    * Implement online key generation to fake the identity of the
	      other side.
	      
	  Telnet:
	    * Added support for the EOR option to TelnetProxy &
	      TelnetProxyStrict

	  VBuster:
	    * Encrypted archives are not rejected.
	    * Fixed a bug which could result in dropping the first part 
	      of the file.

zorp 3.0.1
	Thu, 16 Sep 2004 19:03:49 +0200

	Changes since 3.0.0

	  Core:
	    * Fixed a timeout in core transfer code which triggered timeouts
	      in the SMTP proxy when delivering mails.
	    * Added a more detailed error message if no matching zone can be
	      found for an IP address.
	    * Fixed UDP packet handling when packet size is more than 1500
	      bytes.
	    * Fixed a race condition in ZAS authentication (might cause
	      SIGSEGV).
	    * Added a more detailed error message if the specified Zorp
	      instance could not be found in the policy file.

	  Ftp:
	    * More detailed messages about data connections.
	  
	  Http:
	    * Fixed a HTTP/0.9 interoperability problem when using virus
	      stacking in HTTP.
	    * New attributes (request_mime_type and response_mime_type)
	      which contain the MIME type of the entity to be
	      transferred.
	    * Moved the "postfilter" header logging to a later stage in
	      processing to make it absolutely sure that it matches the
	      actually sent headers.
	  
	  Mime:
	    * Fixed two possible cases which resulted in a lot of "Error
	      decoding data" messages to be printed.
	      
	  Pop3:
	    * Fixed an erroneous extra error message sent to the client, 
	      when the stacked proxy rejected the mail content, and
	      some data had already been sent.
	  
	  Smtp:
	    * Fixed an erroneous 500 response in response to an EOF sent by
	      the client.
	    * Fail nicely if an error occurs in SmtpInvalidRecipientMatcher.
	      (i.e. cannot connect to server)
	  
	  Telnet:
	    * Added a possibility to specify telnet command negotiation
	      options.

	  VBuster:
	    * New script to automatically get updated versions of virus
	      database.
	    * Start virus scanning only after the full object was
	      downloaded and not while being downloaded, because the number
	      of parallel virus scanning is limited.
	    * Reject everything if virus database could not be loaded,
	      unless vdb_error_soft_fail has been set.
	    * Fixed content-length hinting for oversized files, this caused
	      possible content corruption when used in the HTTP proxy.

zorp 3.0.0
	Fri, 16 Jul 2004 15:10:42 +0200

	Changes since 3.0beta3	
	
	  Core: 
	    * Fixed setting the default stack-limit (might cause SIGSEGV with 
	      pre-2.4 kernels).
	    * Fixed ugly warning messages when a proxy initiated two 
	      connections to the same server host.
	    * Fixed authentication problems after the authentication server
	      was restarted.
	    * Fixed a possible segmentation fault caused by a race condition in the
	      authentication code.
	    * Fixed a possible segmentation fault, usually triggered by a loaded
	      FTP proxy.
	    * Fixed thread average calculation in SZIG.

	  Pop3:
	    * Fixed a possible mail retrieval problem.
	    * Fixed handling messages containing NUL characters, these messages
	      were previously rejected.
	    
	  Smtp:
	    * Fixed handling messages containing NUL characters in mail messages, 
	      these messages were previously rejected.
	    * Added a new SmtpValidRecipientMatcher class, which allows
	      filtering the accepted recipients in the SMTP proxy based on
	      the responses of a third SMTP server.
	    
	  Ftp: 
	    * Fixed a possible "Internal error" condition which caused data
	      connection establishment to fail.
	  
	  Http:
	    * Fixed a possible "Proxy-Connection" header duplication.
	    * Added Content-Length hinting, to avoid changing the
	      transfer mode to "chunked" mode when possible when content
	      checking is performed.
	    * Does not touch the headers returned to a HEAD request, even if
	      we would change to chunked mode, some clients are confused when
	      a HEAD response does not contain a Content-Length field.
	    * Added the possibility to allow both the "Connection" and
	      "Proxy-Connection" header to be present, controllable by the
	      permit_both_connection_headers attribute (defaults to FALSE)
	  
	  VBuster:
	    * Added an automatic cron job to automatically ret
	    * Introduced some global variables to change the default location
	      of the virus database (substitutes the now defunct
	      /etc/vbuster.cfg file).
