summary refs log tree commit diff stats
path: root/libotr/libotr-4.1.1/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'libotr/libotr-4.1.1/NEWS')
-rw-r--r--libotr/libotr-4.1.1/NEWS273
1 files changed, 273 insertions, 0 deletions
diff --git a/libotr/libotr-4.1.1/NEWS b/libotr/libotr-4.1.1/NEWS
new file mode 100644
index 0000000..1be7466
--- /dev/null
+++ b/libotr/libotr-4.1.1/NEWS
@@ -0,0 +1,273 @@
+9 Mar 2016:
+- Release 4.1.1
+- Fix an integer overflow bug that can cause a heap buffer overflow (and
+  from there remote code execution) on 64-bit platforms
+- Fix possible free() of an uninitialized pointer
+- Be stricter about parsing v3 fragments
+- Add a testsuite ("make check" to run it), but only on Linux for now,
+  since it uses Linux-specific features such as epoll
+- Fix a memory leak when reading a malformed instance tag file
+- Protocol documentation clarifications
+
+21 Oct 2014:
+- Release 4.1.0
+- Modernized autoconf build system
+- Use constant-time comparisons where needed
+- Use gcrypt secure memory allocation
+- Correctly reject attempts to fragment a message into too many pieces
+- Fix a missing opdata when sending message fragments
+- Don't lose the first user message when REQUIRE_ENCRYPTION is set
+- Fix some memory leaks
+- Correctly check for children contexts' state when forgetting a context
+- API Changes:
+  - Added API functions otrl_context_find_recent_instance and
+    otrl_context_find_recent_secure_instance.
+
+24 Aug 2012:
+- Release 4.0.0
+- Support v3 of the OTR protocol
+- The main new feature: sensibly handle the case where a user is logged
+  in multiple times to the same IM account
+- API changes:
+  - instance tags, to support multiple simultaneous logins
+  - support for asynchronous private key generation
+  - the ability to provide an "extra" symmetric key to applications
+    (with forward secrecy)
+  - applications can supply a formation conversion callback if they do
+    not natively use XHTML-style UTF8 markup
+  - error messages formerly provided by libotr are now handled using
+    callbacks to the application, for better i18n support
+  - otrl_message_sending now handles message fragmentation internally
+
+27 May 2008:
+- Added support for one-way authentication using an explicit question,
+  based on the SOUPS 2008 user study.
+
+1 Aug 2007:
+- Released 3.1.0
+
+24 Jul 2007:
+- Added fragmentation support for large messages
+- Added new method for buddy authentication which does not require the
+  (explicit) use of fingerprints.
+
+02 Nov 2005:
+- Released 3.0.0
+
+16 Oct 2005:
+- Major overhaul with implementation of version 2 of the protocol.
+
+24 Jun 2005:
+- Remove the "confirm_fingerprint" callback which requires the user to
+  acknowledge the new fingerprint before it can be used.  Replace it
+  with a "new_fingerprint" callback which merely informs the user that a
+  new fingerprint has been received.
+- Allow the app to set a "trust level" for fingerprints.  This is an
+  arbitrary string, intended to indicate whether (or possibly by what
+  means) the user has verified that this fingerprint is accurate.
+- Clarify that, if the user requests to see the secure session id in
+  the middle of the conversation, the value displayed should be the one
+  calculated at the time the private connection was established (the
+  last Key Exchange Message that caused a rekeying), _not_ the DH secure
+  id calculated from DH keys in more recent Data Messages.
+
+03 May 2005:
+- Released 2.0.2
+
+16 Feb 2005:
+- Released 2.0.1
+- Don't send encrypted messages to a buddy who has disconnected his
+  private connection with us.
+- Don't show the user the "the last message was resent" notice if the
+  message has never actually been sent before.
+- Fix a crash bug that happened when messages were retransmitted under
+  certain circumstances.
+
+08 Feb 2005:
+- Released 2.0.0
+- Keep track of whether a given message is eligible for retransmission
+
+02 Feb 2005:
+- Released 1.99.0, the first preview release of 2.0.0
+
+31 Jan 2005:
+- Machine-readable records can now be attached to Data Messages inside
+  the private channel.
+
+30 Jan 2005:
+- New OtrlUserState datatype encapsulates private keys and known
+  fingerprints, instead of having a single global list.
+- Added libotr.m4 for helping to autoconfiscate packages that use
+  libotr.
+- Resend the last message if it caused a re-keying.
+- New OtrlPolicy datatype allows you to specify a per-connection OTR
+  policy: never use OTR, OTR only if manually requested, automatically
+  start OTR if possible, refuse to *not* use OTR.
+- New callbacks: display_otr_message, policy, is_logged_in
+
+22 Jan 2005:
+- Released 1.0.4
+- Log, but otherwise ignore, unrecognized OTR messages.
+- Initial autoconfiscation, thanks to Greg Troxel <gdt@ir.bbn.com>. 
+
+18 Jan 2005:
+- Released 1.0.3
+- Split gaim-otr and libotr into separate packages.
+
+13 Jan 2005:
+- Generate private keys automatically, if needed.  Show a Please Wait
+  dialog while this is happening.
+- We may as well try to use the "tag" method of checking for OTR, even
+  when we don't already know a fingerprint for the correspondent.
+- Add version checking to the otrl_init() call.
+
+12 Jan 2005:
+- Refactored the logic parts of gaim-otr into libotr, so they can be
+  shared by other libotr-enabled apps.
+
+21 Dec 2004:
+- Released 1.0.2
+- If a Man-in-the-Middle steals both Alice's and Bob's DSA private keys,
+  he can perform a birthday attack to try to get his session id with
+  each end to match.  Since the session id was only 64 bits long, his
+  work was only 2^32, which is not enough.  We now make the session id
+  the whole SHA-1 hash, instead of truncating it.
+- Made otr_sesskeys output the calculated public key as well, for added
+  ease of forging messages when you don't know any plaintext.
+
+14 Dec 2004:
+- Released 1.0.1
+- Added a more sensible error message in the event that we receive our
+  own OTR Key Exchange messages.
+- If we're about to send a plaintext message to a correspondent for whom
+  we've got a fingerprint, append a special (whitespace) OTR tag
+  sequence.  The other side (if in fact running OTR) will recognize it
+  and start a Key Exchange.
+
+12 Dec 2004:
+- Released 1.0.0
+
+11 Dec 2004:
+- OTR button now gets sensitized and desensitized along with the other
+  buttons in the conversation window when you log in and out of
+  accounts.
+
+10 Dec 2004:
+- Released 0.9.9rc2
+- Heartbeats now only get sent if (1) we have just received a message,
+  and (2) we haven't sent one to that user in over a minute.
+
+09 Dec 2004:
+- Back out of the sending of heartbeats.  They were causing too many
+  problems.  It seems some networks don't let buddies know when you
+  log out, and then you get a dialog box "unable to send message" each
+  minute.  :-(
+
+08 Dec 2004:
+- Released 0.9.9rc1
+- Removed the 100 private connection limit, by not using a fixed amount
+  of secure memory.  Unfortuantely, this means that *no* memory is
+  pinned any more, but pinning only ever happened before in the unlikely
+  event you ran gaim as root.
+- Changed the "Private connection with (username) refreshed" dialog at
+  Paul's request so that it's no longer in "scary" "evil" bold, and
+  rephrased it so it's less likely to be misread as "refused" instead of
+  "refreshed".  ;-)
+- We now send heartbeats (OTR Data Messages with an empty message part)
+  once a minute, to anyone we're confident is still online.  If both
+  sides are doing this, then keys get rotated regularly, even if one
+  or both sides aren't actively typing.  This aids perfect forward
+  secrecy.
+
+04 Dec 2004:
+- Fixed a bug wherein multi-person chat windows would get the OTR button
+  in their button bar if the OTR plugin was enabled when one of them was
+  active.
+
+03 Dec 2004:
+- Released 0.9.1
+
+02 Dec 2004:
+- Clicking "OTR: Private" when you're already private will display an
+  info dialog letting you know the connection was refreshed (assuming it
+  actually is; if the other side isn't running OTR at all, the dialog
+  doesn't show, and if the other side had lost its private connection, a
+  new one will be established, with the "new private connection" dialog
+  displayed to each side (as before)).
+- The toolip for "OTR: Private" is now "Refresh the private connection".
+- "make install" now depends on "make all".
+- Added man page for OTR toolkit programs
+- Log a debug message when we receive and discard a heartbeat
+
+1 Dec 2004:
+- Fixed the Makefiles so that "make clean" also removes the binaries
+- Fixed the Makefiles so that they install into DESTDIR
+- Added packaging/debian
+
+30 Nov 2004:
+- Released 0.9.0
+- Included the OTR Messaging Toolkit.  See the README for details.
+
+28 Nov 2004:
+- Finished the Protocol document
+- Changed the name of the plugin binary from "otr-plugin.so" to
+  "gaim-otr.so".  *** NOTE: this means you'll have to (1) remove the
+  old otr-plugin.so file from your plugins directory, and (2) re-enable
+  the Off-the-Record Messaging plugin in the Preferences panel.
+- Included MAC keys used to create messages in the revealed MAC section
+  of the Data message, in addition to MAC keys used to verify messages.
+- Set all exported symbols to start with otrl_ (for the library) or
+  otrg_ (for the gaim plugin), in preparation for moving the pieces
+  into their own directories.
+- If we receive a Data message with no actual message in it, don't
+  display it to the user.  This may eventually be useful for doing
+  "heartbeat" key rotations.
+- Separated libotr and gaim-otr into their own directories.
+
+27 Nov 2004:
+- Switched from using gaim_notify_* to a slightly modified version that
+  doesn't grab the focus
+
+26 Nov 2004:
+- Put all the cipher operations in secure memory.  This makes each
+  private connection take 9472 bytes of secure memory, so we up the
+  available amount of secure memory to 100 times that.  Eventually,
+  we'd like to make this dynamically grow.
+
+25 Nov 2004:
+- Released 0.8.3
+- Don't put the DSA keys in libgcrypt secure memory, since (a) we read
+  them off disk anyway, and (b) we want to avoid running out of secure
+  memory.
+- Removed the "Do you want to start a private conversation" dialogs when
+  one side in encrypted and the other side isn't, and instead just try
+  to start one if we know for sure the other side supports it.
+- Sped up the DH computations by using a 320-bit exponent.
+
+23 Nov 2004:
+- Released 0.8.2
+- There was a crash if you received an OTR Query before setting up a
+  private key.  Fixed.
+- The fingerprint in the UI is now selectable, for cut/paste.
+- *** Protocol change.  We're no longer backward compatible.
+  - The "revealed MAC keys" moved out of the MAC'd region of the data
+    packet.  It's not wrong where it is, but it's more obviously
+    correct in the new place.
+
+22 Nov 2004:
+- Released 0.8.1
+- Jabber wasn't working, for two reasons:
+  - it sticks <tags>...</tags> around the message
+  - it refers to the same user by multiple names; e.g. "user@jabber.org"
+    vs. "user@jabber.org/Gaim"
+  Both are now fixed: we look for the OTR message anywhere in the packet
+  now, not just at the beginning, and we normalize all usernames.
+- Each account now has its own private key / fingerprint
+  - This is so you don't automatically leak the information that the
+    accounts are owned by the same person
+- There's a better indicator of private / not private status in the
+  conversation window, which you can click to start the private
+  communication.
+
+21 Nov 2004:
+- Initial 0.8.0 release
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-22 06:33:49 +0000