--- tcp-wrappers-7.6.dbs.orig/extra/safe_finger.8
+++ tcp-wrappers-7.6.dbs/extra/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
--- tcp-wrappers-7.6.dbs.orig/extra/try-from.8
+++ tcp-wrappers-7.6.dbs/extra/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /some/where/try-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
--- tcp-wrappers-7.6.dbs.orig/debian/po/templates.pot
+++ tcp-wrappers-7.6.dbs/debian/po/templates.pot
@@ -0,0 +1,69 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME \n"
+"Language-Team: LANGUAGE \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr ""
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
--- tcp-wrappers-7.6.dbs.orig/debian/po/da.po
+++ tcp-wrappers-7.6.dbs/debian/po/da.po
@@ -0,0 +1,85 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans#
+# Developers do not need to manually edit POT or PO files.
+# Claus Hindsgaul , 2004.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: da\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-05-26 21:28+0200\n"
+"Last-Translator: Claus Hindsgaul \n"
+"Language-Team: Danish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.3.1\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "Skal tcpd stte paranoide hosts.allow og hosts.access op?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"Filerne /etc/hosts. allow og /etc/hosts.deny vil blive sat op op, da du "
+"ikke har nogen af disse filer i forvejen. Du kan enten f en generel og "
+"tolerent opstning, som vil tillade alle indkommende forbindelser eller "
+"en paranoid opstning, der ikke vil tillade forbindelser udefra uanset "
+"hvorfra de kommer."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"Selvom den sidste mulighed er den sikreste, vil den blokere for al "
+"kommunikation som f.eks. fjernadministration. S hvis du har brug for "
+"fjernadministration o.lign. skal du ikke vlge den."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Uanset hvilken indstilling du vlger, kan du altid redigere begge filer "
+"efter behov. Se manualsiden hosts_access(5) for oplysninger om dette. Her "
+"kan du give fjernadgang til bestemte services fra bestemte maskiner."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Bemrk at dette kun glder internet-services, der benytter libwrap-"
+"biblioteket. Forbindelser udefra til services, der ikke benytter dette "
+"bibliotek, vil stadig kunne lade sig gre. Du br overveje at benytte en "
+"brandmur til at blokere adgangen til sdanne services."
+
--- tcp-wrappers-7.6.dbs.orig/debian/po/de.po
+++ tcp-wrappers-7.6.dbs/debian/po/de.po
@@ -0,0 +1,85 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-06-11 21:20-0200\n"
+"Last-Translator: Helge Kreutzmann \n"
+"Language-Team: de \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "Soll tcpd paranoide hosts.allow und hosts.access einrichten?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"/etc/hosts.allow und /etc/hosts.deny werden eingerichtet, da Sie noch keine "
+"der Dateien haben. Sie knnen entweder eine generische und freizgige "
+"Konfiguration, die jede eingehende Verbindungen erlaubt, erhalten oder eine "
+"paranoide Konfiguration, die keine eingehende Verbindung erlaubt, egal von "
+"woher sie kommt."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"Die zweite Option, selbst wenn sie sicherer ist, wird alle Kommunikation "
+"blockieren, darunter, beispielsweise, Administration aus der Ferne. Falls Sie "
+"dies bentigen, whlen Sie daher diese Option nicht."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Unabhngig davon, welche Option Sie auswhlen, knnen Sie immer beide Dateien "
+"manuell editieren, um Sie Ihren Bedrfnissen anzupassen; schlagen Sie hierzu "
+"in der hosts_access(5) Handbuchseite nach. Dies knnte die Freigabe an "
+"legitime Rechner fr Zugriff von auen auf Dienste beinhalten."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Beachten Sie, da dies nur auf Internet-Dienste zutrifft, die die libwrap-"
+"Bibliothek verwenden. Zugriff von auen wird weiterhin auf Dienste, die i"
+"diese Bibliothek nicht verwenden, mglich sein, denken Sie ber den Einsatz "
+"von Firewall-Regeln nach, um Zugriff auf diese zu blockieren."
--- tcp-wrappers-7.6.dbs.orig/debian/po/cs.po
+++ tcp-wrappers-7.6.dbs/debian/po/cs.po
@@ -0,0 +1,80 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: tcp-wrappers\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-05-29 16:41+0200\n"
+"Last-Translator: Miroslav Kure \n"
+"Language-Team: Czech \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-2\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "M tcpd nastavit hosts.allow a hosts.deny paranoidnm zpsobem?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"Protoe zatm neexistuj, tcpd vytvo soubory /etc/hosts.allow a /etc/hosts."
+"deny. Mete mt bu obecn a oteven nastaven, kter povol pchoz "
+"spojen, nebo nastaven paranoidn, kter zake veker vzdlen spojen."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"Druh volba je sice bezpenj, ale na druhou stranu tak zablokuje "
+"vekerou komunikaci vetn nap. vzdlen sprvy. Potebujete-li vzdlenou "
+"sprvu, tuto monost zamtnte."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Nezvisle na tom, kterou volbu si vyberete, vdycky mete oba soubory "
+"upravit run a pizpsobit si je podle poteb, napklad povolit spojen "
+"pro urit sluby. Vce viz manlov strnka hosts_access(5). "
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Nezapomete, e toto nastaven se vztahuje pouze na programy, kter "
+"vyuvaj knihovnu libwrap. Chcete-li blokovat i vzdlen spojen na sluby, "
+"kter knihovnu libwrap nepouvaj, zvate pouit firewallu."
--- tcp-wrappers-7.6.dbs.orig/debian/po/fr.po
+++ tcp-wrappers-7.6.dbs/debian/po/fr.po
@@ -0,0 +1,85 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: tcp-wrappers 7.6.dbs-4\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-05-25 18:01+0200\n"
+"Last-Translator: Olivier Gauwin \n"
+"Language-Team: French \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "Faut-il configurer hosts.allow et hosts.access en mode paranoaque?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"Les fichiers /etc/hosts.allow et /etc/hosts.deny vont tre mis en place car "
+"aucun d'eux n'existe pour l'instant. Vous pouvez choisir entre une "
+"configuration permissive gnrique qui autorise toutes les connexions "
+"entrantes, et une configuration paranoaque qui refuse toute connexion de "
+"l'extrieur quelle qu'en soit l'origine."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"La seconde option, mme si elle est plus sre, bloquera toutes les "
+"communications, y compris, par exemple, celles utilises pour "
+"l'administration distance. Donc, si vous en avez besoin, vous ne devez pas "
+"la choisir."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Indpendamment de l'option choisie, vous pouvez toujours modifier vous-mme "
+"ces deux fichiers pour qu'ils correspondent vos besoins. Pour cela, "
+"veuillez consulter la page de manuel hosts_access(5). Vous pourrez, par "
+"exemple, autoriser l'accs aux services pour certaines machines."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Veuillez noter que cela s'applique uniquement aux services Internet "
+"utilisant la bibliothque libwrap. Les connexions de l'extrieur des "
+"services n'utilisant pas cette bibliothque seront toujours possibles. Pour "
+"en refuser l'accs, veuillez utiliser des rgles de pare-feu."
--- tcp-wrappers-7.6.dbs.orig/debian/po/gl.po
+++ tcp-wrappers-7.6.dbs/debian/po/gl.po
@@ -0,0 +1,83 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: tcpwrappers\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2006-04-07 16:18+0200\n"
+"Last-Translator: Jacobo Tarrio \n"
+"Language-Team: Galician \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "¿Quere que tcpd configure un hosts.allow e hosts.access paranoicos?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"Como non ten estes ficheiros, hanse crear /etc/hosts.allow e /etc/hosts."
+"deny. Pode ter unha configuración xenérica e permisiva que ha permitir "
+"calquera conexión entrante ou unha configuración paranoica que non permitirá "
+"conexións remotas independentemente da súa procedencia."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"A segunda opción, aínda que sexa máis segura, ha bloquear tódalas conexións, "
+"o que inclúe, por exemplo, a administración remota. Así que se non o "
+"precisa, non a seleccione."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Independentemente da opción que escollera sempre pode editar ámbolos dous "
+"ficheiros a man para os axustar ás súas necesidades. Para facelo revise a "
+"páxina man de hosts_access(5). Por exemplo, pode facelo para dar acceso "
+"remoto ás máquinas que o teñan que ter."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Teña en conta que isto só serve para servizos de Internet que empreguen a "
+"biblioteca libwrap. As conexións remotas aínda han ser posibles para os "
+"servizos que non empregan esta biblioteca; pense en empregar regras de "
+"cortalumes para bloquear o acceso a estes servizos."
--- tcp-wrappers-7.6.dbs.orig/debian/po/ja.po
+++ tcp-wrappers-7.6.dbs/debian/po/ja.po
@@ -0,0 +1,75 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2004-05-25 21:13+0900\n" +"Last-Translator: Kenshi Muto \n" +"Language-Team: Japanese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=EUC-JP\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "hosts.allow hosts.access tcpd 򸷽Ťˤޤ?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "ޤե뤬¸ߤʤС/etc/hosts.allow /etc/hosts.deny 򥻥åȥåפޤ٤Ƥ³Ĥ̵ޤϤ줬ɤ褿Τ鷺⡼³Ĥʤ paranoid ΤɤĤȤǤޤ" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "2 Ĥϡꥻ奢Ǥ(ȤХ⡼ȴޤ) ٤Ƥ³֥åޤ⡼ȴΤ褦ʤΤɬפǤС򤷤ʤۤ褤Ǥ礦" + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"򤷤ΤȤ̵طˡξΥեϤʤɬפ˱ƾ˼ưԽ" +"Ǥޤ (hosts_access(5) man ڡ򻲾ȤƤ)ʥۥȤ˥" +"ؤΥ⡼ȥͿȤäȤޤޤޤ" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +" libwrap 饤֥Ȥ󥿡ͥåȥӥΤߤŬѤ뤳Ȥ" +"դƤΥ饤֥ȤʤӥؤΥ⡼³Ϥޤǽ" +"ΤǡؤΥ֥åեΥ롼褯ͤƤ" +"" --- tcp-wrappers-7.6.dbs.orig/debian/po/it.po +++ tcp-wrappers-7.6.dbs/debian/po/it.po 
@@ -0,0 +1,82 @@
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+# Developers do not need to manually edit POT or PO files.
+#
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: tcp-wrappers 7.6.dbs-4\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-08-29 18:53+0200\n"
+"Last-Translator: Marco d'Itri \n"
+"Language-Team: Italian \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-15\n"
+"Content-Transfer-Encoding: 8bit"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "Configurare hosts.allow e hosts.access in modo paranoico?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have "
+"have any of these files yet. You can either have a generic and permissive "
+"configuration which will allow any incoming connection or a paranoid "
+"configuration which will not allow remote connections regardless of where "
+"they originate from."
+msgstr ""
+"Poich non esistono ancora, i file /etc/hosts.allow e /etc/hosts.deny "
+"saranno creati. Si pu scegliere tra una configurazione generica e "
+"permissiva che permetta qualsiasi connessione in ingresso e una "
+"paranoica che non permetta nessuna connessione remota indipentemente "
+"dalla sua origine."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"The second option, even if more secure, will block out all communication, "
+"including, for example, remote administration. So if you need this don't "
+"choose it."
+msgstr ""
+"La seconda opzione, anche se pi sicura, bloccher ogni comunicazione, "
+"comprese, per esempio, quelle necessarie all'amministrazione remota."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Regardless of which option you select you can always manually edit both "
+"files to suit your needs, for this, review the hosts_access(5) manpage. "
+"This might include giving remote access of services to legitimate hosts."
+msgstr ""
+"Indipendentemente dall'opzione scelta, sempre possibile modificare "
+"manualmente entrambi i file secondo le proprie necessit. Per ulteriori "
+"informazioni consultare la man page hosts_access(5). Questo comprende "
+"dare accesso remoto ai servizi da host legittimi."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid ""
+"Notice this only applies to internet services that use the libwrap library. "
+"Remote connections will still be possible to services that do not use this "
+"library, consider using firewall rules to block access to these."
+msgstr ""
+"Notare che questo si applica solo ai servizi che usano la libreria libwrap. "
+"Sar comunque possibile connettersi da remoto ai servizi che non la usano. "
+"Si consideri di usare delle regole del firewall per bloccare l'accesso a "
+"questi ultimi."
+
--- tcp-wrappers-7.6.dbs.orig/debian/po/nl.po
+++ tcp-wrappers-7.6.dbs/debian/po/nl.po
@@ -0,0 +1,54 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: tcp-wrappers 7.6.dbs-5\n"
+"POT-Creation-Date: 2004-05-22 13:08+0200\n"
+"PO-Revision-Date: 2004-08-01 18:40+0100\n"
+"Last-Translator: Luk Claes \n"
+"Language-Team: Debian l10n Dutch \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Should tcpd setup paranoid hosts.allow and hosts.access?"
+msgstr "Moet tcpd paranoia zijn betreffende hosts.allow en hosts.access?"
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have have any of these files yet. You can either have a generic and permissive configuration which will allow any incoming connection or a paranoid configuration which will not allow remote connections regardless of where they originate from."
+msgstr "/etc/hosts.allow en /etc/hosts.deny zullen worden aangemaakt omdat u nog geen van deze bestanden heeft. U kunt ofwel een algemene en permissieve configuratie hebben die alle inkomende verbindingen toelaat, ofwel een paranoia configuratie die geen inkomende verbindingen toelaat ongeacht waar ze vandaan komen."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "The second option, even if more secure, will block out all communication, including, for example, remote administration. So if you need this don't choose it."
+msgstr "De tweede optie, zelfs als ze veiliger is, zal alle communicatie blokkeren, inclusief bij voorbeeld 'remote' beheer. Dus als u dit nodig hebt, kies dit dan niet."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Regardless of which option you select you can always manually edit both files to suit your needs, for this, review the hosts_access(5) manpage. This might include giving remote access of services to legitimate hosts."
+msgstr "Ongeacht welke optie u selecteert, u kan beide bestanden altijd handmatig wijzigen om aan uw behoeften te voldoen, bekijk hiervoor de hosts_access(5)-manpagina. Dit kan betekenen dat u toegang verleent of diensten aanbiedt aan legitieme hosts."
+
+#. Type: boolean
+#. description
+#: ../tcpd.templates:4
+msgid "Notice this only applies to internet services that use the libwrap library. Remote connections will still be possible to services that do not use this library, consider using firewall rules to block access to these."
+msgstr "Merk op dat dit enkel geldt voor internetdiensten die de libwrap-bibliotheek gebruiken. 'Remote' verbindingen met diensten die deze bibliotheek niet gebruiken, zullen nog altijd mogelijk zijn, overweeg om firewall-regels te gebruiken om deze toegang te blokkeren."
+
--- tcp-wrappers-7.6.dbs.orig/debian/po/pt.po
+++ tcp-wrappers-7.6.dbs/debian/po/pt.po
@@ -0,0 +1,75 @@ +# Portuguese translation for tcp-wrappers +# Luís Matos , 2005 +# +msgid "" +msgstr "" +"Project-Id-Version: tcp-wrappers 7.6.dbs-8\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2006-01-15 18:20+0000\n" +"Last-Translator: Luis Matos \n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "Deverá o tcpd configurar o hosts.allow e o hosts.access de forma paranoica?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "" +"Os /etc/hosts.allow e /etc/hosts.deny serão configurados, uma vez que " +"ainda não possui qualquer um destes ficheiros. Pode ter uma configuração " +"genérica, ou permissiva onde irá permitir qualquer ligação ou uma " +"configuração paranoica que não irá permitir ligações remotas venham elas " +"de onde vierem." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "" +"A segunda opção, mesmo que mais segura, bloqueará todas as comunicações, " +"incluindo, por exemplo, administração remota. Se precisa disso, então não " +"seleccione esta opção." + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"Qualquer das opções que seleccione, pode sempre editar manualmente " +"ambos os ficheiros para servir as suas necessidades, devendo, para tal, " +"consultar a manpage hosts_access(5)." +"Isto pode incluir dar acesso remoto a serviços a hosts legítimos." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +"Atenção que isto só se aplica a serviços de internet que utilizam a " +"biblioteca libwrap." +"As ligações remotas podem ainda ser possíveis para serviços que não utilizem " +"a referida biblioteca, considere a utilização de regras de firewall para " +"bloquear o acesso dessas." --- tcp-wrappers-7.6.dbs.orig/debian/po/ru.po +++ tcp-wrappers-7.6.dbs/debian/po/ru.po 
@@ -0,0 +1,76 @@ +# translation of tcp-wrappers_7.6.dbs-9_ru.po to Russian +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Yuriy Talakan' , 2006. +# +msgid "" +msgstr "" +"Project-Id-Version: tcp-wrappers_7.6.dbs-9_ru\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2006-05-14 22:46+1000\n" +"Last-Translator: Yuriy Talakan' \n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.9.1\n" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "Должен tcpd установить параноидальные hosts.allow и hosts.access?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "Будут установлены /etc/hosts.allow и /etc/hosts.deny, поскольку у вас еще нет ни одного из них. Вы можете выбрать либо общую и разрешительную настройку, которая позволит любое входящее соединение, либо параноидальную настройку, которая не позволит удаленные соединения, независимо от того, откуда они инициированы." + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "" +"Второй вариант, хотя и более безопасный, заблокирует все соединения, " +"включая, например, удаленное администрирование. Так что, если оно вам нужно, не выбирайте этот вариант." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"Независимо от того, какой вариант вы выбрали, вы всегда можете вручную отредактировать оба файла под ваши нужды, для этого просмотрите man-страницу hosts_access(5). " +"Это может включать разрешение удаленного доступа к сервисам для доверенных машин." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +"Учтите, что это применимо только к сервисам интернет, которые используют библиотеку libwrap. " +"Удаленные соединения к сервисам, которые не используют данную библиотеку, все еще будут возможны, подумайте об использовании правил firewall для блокирования доступа к ним." + --- tcp-wrappers-7.6.dbs.orig/debian/po/sv.po +++ tcp-wrappers-7.6.dbs/debian/po/sv.po 
@@ -0,0 +1,68 @@ +msgid "" +msgstr "" +"Project-Id-Version: tcp-wrappers 7.6.dbs-8\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2005-10-13 09:41+0200\n" +"Last-Translator: Daniel Nylander \n" +"Language-Team: Swedish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-1\n" +"Content-Transfer-Encoding: 8bit" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "Ska tcpd stta upp en paranoid version av filerna hosts.allow och hosts.access?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "" +"Filerna /etc/hosts.allow och /etc/hosts.deny kommer att sttas upp eftersom du inte " +"har dom. Du kan antingen ha en generisk och tolerant konfiguration som tillter alla " +"inkommande anslutningar eller en paranoid konfiguration som inte tillter ngon " +"extern anslutning oavsett vad de kommer frn." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "" +"Det andra alternativet, ven mer sker, kommer att blockera ute all kommunikation " +"inkluderat, till exempel, fjrradministration. S om du behver detta, vlj det d inte." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. 
" +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"Oavsett vilken instllning fr vljer kan du alltid manuellt ndra dessa bda filer " +"fr att passa dina behov, fr att gra detta, ta en titt p manualsidan hosts_access(5). " +"Detta kan till exempel vara att ge extern tillgng till tjnster fr legitima vrdmaskiner." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +"Notera att detta bara gller fr Internettjnster som anvnder biblioteket libwrap. " +"Fjrranslutningar kommer fortfarande vara mjliga till tjnster som inte anvnder " +"detta bibliotek, tnk p att anvnda en brandvgg fr att blockera dessa anslutningar." + --- tcp-wrappers-7.6.dbs.orig/debian/po/tr.po +++ tcp-wrappers-7.6.dbs/debian/po/tr.po 
@@ -0,0 +1,78 @@ +# Turkish translation of tcpd. +# This file is distributed under the same license as the tcpd package. +# Recai Oktaş , 2004. +# +msgid "" +msgstr "" +"Project-Id-Version: tcpd\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2004-05-10 16:43+0300\n" +"Last-Translator: Recai Oktaş \n" +"Language-Team: Turkish\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "Tcpd, hosts.allow ve hosts.access'i paranoya seviyesinde ayarlasın mı?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +#, fuzzy +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "" +"Henüz bu dosyalardan herhangi birine sahip olmadığınızdan tcpd, /etc/hosts." +"allow ve /etc/hosts.deny dosyalarını ayarlayacak. Bu ayarın genel amaçlı ve " +"gelen her bağlantıya izin verecek şekilde veya kaynağı ayırt edilmeksizin " +"uzaktan yapılan bütün bağlantıları reddecek şekilde paranoya seviyesinde " +"yapılmasını seçebilirsiniz." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +#, fuzzy +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "" +"İkinci seçenek daha güvenli olmakla birlikte, uzaktan sistem yönetimi de " +"dahil, bütün iletişimi bloke edecektir. Uzaktan sistem yönetimine " +"ihtiyacınız varsa, öntanımlı seçeneği değiştirmeyin." + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"Hangi seçeneği seçerseniz seçin, her iki dosyayı da ihtiyaçlarınıza uygun " +"şekilde elle düzenlemeniz her zaman mümkündür. Bu işlem için hosts_access(5) " +"kılavuz sayfasına göz atın. Yapılabilecek ayarlar arasında, hizmetlere " +"uzaktan erişim izninin yetkilendirilmiş makinelere verilmesi de bulunabilir." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +"Tcpd üzerinden sağlanan erişim denetiminin sadece libwrap kitaplığını " +"kullanan Internet hizmetleri için geçerli olduğunu unutmayın. Bu kitaplığı " +"kullanmayan hizmetlere uzaktan erişim hâlâ mümkün olacaktır. Bu hizmetlere " +"erişimi engellemek için bir güvenlik duvarı (firewall) kullanmayı " +"düşünebilirsiniz." --- tcp-wrappers-7.6.dbs.orig/debian/po/vi.po +++ tcp-wrappers-7.6.dbs/debian/po/vi.po 
@@ -0,0 +1,61 @@ +# Vietnamese translation for tcp-wrappers. +# Copyright © 2005 Free Software Foundation, Inc. +# Clytie Siddall , 2005. +# +msgid "" +msgstr "" +"Project-Id-Version: tcp-wrappers 7.6.dbs-8\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2005-07-28 21:04+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0\n" +"X-Generator: LocFactoryEditor 1.2.2\n" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "Trình nền tcpd nên thiết lập hai tập tin bảo vệ « hosts.allow » (cho phép máy) và « hosts.access » (truy cập máy) không?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "Sẽ thiết lập hai tập tin bảo vệ « /etc/hosts.allow » (cho phép máy) và « /etc/hosts.deny » (từ chối máy) vì bạn chưa có. Hai tập tin này cho phép bạn cấu hình hoặc một cách chung cho phép mọi người kết nối đến mày này, hoặc một cách cẩn thận không cho phép kết nối nào." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "Mặc dù tùy chọn thứ hai là bảo mật hơn, nó ngăn cản mọi cách truyền, gồm (lấy thí dụ) quản lý từ xa. Nếu bạn cần khả năng này thì đừng chọn tùy chọn thứ hai." + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "Tất nhiên, bạn vẫn còn có thể sửa đổi mỗi tập tin theo sự cần của bạn. Hãy xem trang hướng dẫn (man) « hosts_access(5) » để tìm cách sửa đổi, thí dụ cách cho phép máy nào đó truy cập dịch vụ." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "Hãy ghi chú rằng thông tin này áp dụng chỉ vào dịch vụ dùng thư viên « libwrap » thôi. Dịch vụ không dùng thư viên này sẽ vẫn còn có thể kết nối từ xa: bạn hãy sử dụng quy tắc loại bức tường lửa để từ chối chúng." --- tcp-wrappers-7.6.dbs.orig/debian/po/POTFILES.in +++ tcp-wrappers-7.6.dbs/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] tcpd.templates --- tcp-wrappers-7.6.dbs.orig/debian/po/pt_BR.po +++ tcp-wrappers-7.6.dbs/debian/po/pt_BR.po 
@@ -0,0 +1,85 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: tcp-wrappers\n" +"Report-Msgid-Bugs-To: debian-l10n-portuguese@lists.debian.org\n" +"POT-Creation-Date: 2004-05-22 13:08+0200\n" +"PO-Revision-Date: 2004-12-04 16:21-0300\n" +"Last-Translator: Andr Lus Lopes \n" +"Language-Team: Debian-BR Project \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-1\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "Should tcpd setup paranoid hosts.allow and hosts.access?" +msgstr "" +"O tcpd deve configurar o hosts.allow e o hosts.deny de modo paranico ?" + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"/etc/hosts.allow and /etc/hosts.deny will be setup since you do not have " +"have any of these files yet. You can either have a generic and permissive " +"configuration which will allow any incoming connection or a paranoid " +"configuration which will not allow remote connections regardless of where " +"they originate from." +msgstr "" +"Os arquivos /etc/hosts.allow e /etc/hosts.deny sero configurados, uma " +"vez que voc ainda no possui nenhum desses arquivos. Voc pode optar " +"por uma configurao genrica e permissiva, a qual permitir qualquer " +"conexo entrante, ou por uma configurao paranica, a qual no permitir " +"conexes remotas independente de onde as mesmas se originam." + +#. Type: boolean +#. 
description +#: ../tcpd.templates:4 +msgid "" +"The second option, even if more secure, will block out all communication, " +"including, for example, remote administration. So if you need this don't " +"choose it." +msgstr "" +"A segunda opo, apesar de ser mais segura, ir bloquear toda a " +"comunicao, inclundo, por exemplo, administrao remota. Portanto, " +"caso voc precise desse suporte, no opte por esse tipo de configurao." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Regardless of which option you select you can always manually edit both " +"files to suit your needs, for this, review the hosts_access(5) manpage. " +"This might include giving remote access of services to legitimate hosts." +msgstr "" +"Independente de qual opo voc selecionar, voc poder sempre editar " +"manualmente ambos os arquivos para que os mesmos se adequem a suas " +"necessidades. Para isso, consulte a pgina de manual host_access(5). " +"Isso pode incluir fornecer acesso remoto a servios para hosts legtimos." + +#. Type: boolean +#. description +#: ../tcpd.templates:4 +msgid "" +"Notice this only applies to internet services that use the libwrap library. " +"Remote connections will still be possible to services that do not use this " +"library, consider using firewall rules to block access to these." +msgstr "" +"Atente para o fato de que isso se aplica somente a servios Internet que " +"utilizam a biblioteca libwrap. Conexes remotas ainda sero possveis para " +"servios que no utilizam essa biblioteca. Considere utilizar regras de " +"firewall para bloquear o acesso aos mesmos." --- tcp-wrappers-7.6.dbs.orig/debian/libwrap0-dev.install +++ tcp-wrappers-7.6.dbs/debian/libwrap0-dev.install @@ -0,0 +1,2 @@ +tcpd.h /usr/include/ +libwrap.a /usr/lib/ --- tcp-wrappers-7.6.dbs.orig/debian/tcpd.dirs +++ tcp-wrappers-7.6.dbs/debian/tcpd.dirs 
@@ -0,0 +1,3 @@
+usr/sbin
+usr/share/man/man5
+usr/share/man/man8
--- tcp-wrappers-7.6.dbs.orig/debian/control
+++ tcp-wrappers-7.6.dbs/debian/control
@@ -0,0 +1,55 @@ +Source: tcp-wrappers +Section: net +Priority: important +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Anthony Towns +Uploaders: Anthony Towns , Marco d'Itri +Build-Depends: debhelper (>= 4), po-debconf +Standards-Version: 3.7.2.1 + +Package: tcpd +Architecture: any +Priority: important +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libwrap0 (<< 7.6-8) +Conflicts: netbase (<< 3.16-1) +Description: Wietse Venema's TCP wrapper utilities + Wietse Venema's network logger, also known as TCPD or LOG_TCP. + . + These programs log the client host name of incoming telnet, + ftp, rsh, rlogin, finger etc. requests. Security options are: + access control per host, domain and/or service; detection of + host name spoofing or host address spoofing; booby traps to + implement an early-warning system. + +Package: libwrap0 +Section: libs +Priority: important +Architecture: any +Depends: ${shlibs:Depends} +Recommends: tcpd +Conflicts: netbase (<< 3.16-1) +Description: Wietse Venema's TCP wrappers library + Wietse Venema's network logger, also known as TCPD or LOG_TCP. + . + These programs log the client host name of incoming telnet, + ftp, rsh, rlogin, finger etc. requests. Security options are: + access control per host, domain and/or service; detection of + host name spoofing or host address spoofing; booby traps to + implement an early-warning system. + +Package: libwrap0-dev +Section: libdevel +Priority: optional +Architecture: any +Depends: libwrap0 (= ${Source-Version}) +Provides: libwrap-dev +Conflicts: libwrap-dev, netbase (<< 3.16-1) +Description: Wietse Venema's TCP wrappers library, development files + Wietse Venema's network logger, also known as TCPD or LOG_TCP. + . + These programs log the client host name of incoming telnet, + ftp, rsh, rlogin, finger etc. requests. 
Security options are: + access control per host, domain and/or service; detection of + host name spoofing or host address spoofing; booby traps to + implement an early-warning system. --- tcp-wrappers-7.6.dbs.orig/debian/sys-build.mk +++ tcp-wrappers-7.6.dbs/debian/sys-build.mk 
@@ -0,0 +1,167 @@ +#!/usr/bin/make -f +# Separate tarball/patch build system by Adam Heath + +# The magic targets that you need to concern yourself with are: +# +# source.build: Unpacks upstream tarballs, optionally applies patches +# to fix the upstream patches, then applies upstream +# patches. +# source.make: Applies debian patches. +# source.clean: Cleans the build directory, then unfixes the upstream +# patches. +# source.compile: Will compile the source for you. Please check +# debian/scripts/vars. +# source.cmd: When calling this target, if you define a variable +# SOURCE_CMD, it will run that command in the build +# tree. +# make-diff: Generates debian.diff in the current directory which +# contains all edits that are currently in the build +# tree. +# +# Nothing in this file should require any editting. Please look at +# debian/scripts/vars for things to change for the local environment. +# +# debian/rules target command +# ---------------------------------------------------------------- +# clean: $(MAKE) -f debian/sys-build.mk source.clean +# build: $(MAKE) -f debian/sys-build.mk source.compile +# for simple systems. +# build: $(MAKE) -f debian/sys-build.mk source.make +# and, in the rules file, you can +# build the targets you want. 
+SHELL=/bin/bash +ifndef NOISY +.SILENT: +endif + +include debian/scripts/vars +# remove quotes +DIFF_EXCLUDE:=$(patsubst %,-x %,$(shell echo $(DIFF_EXCLUDE))) + +ifdef TAR_DIR +BUILD_TREE=$(SOURCE_DIR)/$(TAR_DIR) +else +BUILD_TREE=$(SOURCE_DIR) +endif + +SOURCE_CMD=: + +ifdef CLEAN_IGNORE + CLEAN_CMD=- + CLEAN_SH= +else + CLEAN_CMD= + CLEAN_SH= +endif +ifndef CLEAN_TARGET + CLEAN_TARGET=clean +endif + +foo: + echo $(DIFF_EXCLUDE) + +make-diff: + mv $(BUILD_TREE) bak + $(MAKE) -f debian/sys-build.mk source.clean + $(MAKE) -f debian/sys-build.mk source.make + mv $(BUILD_TREE) $(BUILD_TREE).orig + mv bak $(BUILD_TREE) + +ifdef TAR_DIR +ifdef CLEAN_TARGET_EXTERNAL + $(CLEAN_CMD)$(MAKE) -f debian/rules $(CLEAN_TARGET_EXTERNAL) +else + $(CLEAN_CMD)$(MAKE) -C $(BUILD_TREE) $(CLEAN_TARGET) +endif + -(cd $(SOURCE_DIR);diff -ruNp $(TAR_DIR).orig $(TAR_DIR) $(DIFF_EXCLUDE)) > debian.diff +else +ifdef CLEAN_TARGET_EXTERNAL + $(CLEAN_CMD)$(MAKE) -f debian/rules $(CLEAN_TARGET_EXTERNAL) +else + $(CLEAN_CMD)for a in $(BUILD_TREE)/*;do $(MAKE) -C $$a $(CLEAN_TARGET);done +endif + -(diff -ruN $(BUILD_TREE).orig $(BUILD_TREE) $(DIFF_EXCLUDE)) > debian.diff + if [ ! -s debian.diff ];then\ + rm debian.diff;\ + fi +endif + rm -rf $(BUILD_TREE).orig + +patchapply: $(STAMP_DIR)/patchapply +$(STAMP_DIR)/patchapply: $(STAMP_DIR)/source.build $(STAMP_DIR) + $(SHELL) debian/scripts/lib patch.apply + touch $@ + rm -f $(STAMP_DIR)/patchunapply + +patchunapply: $(STAMP_DIR)/patchunapply +$(STAMP_DIR)/patchunapply: $(STAMP_DIR)/source.build $(STAMP_DIR) + $(SHELL) debian/scripts/lib patch.unapply + touch $@ + rm -f $(STAMP_DIR)/patchapply + +.export: SOURCE_TREE + +# +# The rules that really do the work all start with $(STAMPDIR) +# This little trick allows us to use stamp files to keep us from +# having to rerun long targets over and over. It also puts +# all stamp files in one place, for easy cleaning. +# +# If a stampdir rule depends on something else, be sure it is +# another stampdir rule. 
Depending on base rule won't work. +# + +source.build: $(STAMP_DIR)/source.build +STAMP_DIR_TARGETS+= $(STAMP_DIR)/source.build +$(STAMP_DIR)/source.build: $(STAMP_DIR)/source.unpack $(STAMP_DIR)/source.patch $(STAMP_DIR) + touch $@ + +source.make: $(STAMP_DIR)/source.make +STAMP_DIR_TARGETS+= $(STAMP_DIR)/source.make +$(STAMP_DIR)/source.make: $(STAMP_DIR)/source.build $(STAMP_DIR)/patchapply $(STAMP_DIR) + touch $@ + +source.unpack: $(STAMP_DIR)/source.unpack +STAMP_DIR_TARGETS+= $(STAMP_DIR)/source.unpack +$(STAMP_DIR)/source.unpack: $(STAMP_DIR) + $(SHELL) debian/scripts/source.unpack + touch $@ + +source.patch: $(STAMP_DIR)/source.patch +STAMP_DIR_TARGETS+= $(STAMP_DIR)/source.patch +$(STAMP_DIR)/source.patch: $(STAMP_DIR)/source.unpack $(STAMP_DIR)/fix.source.patch $(STAMP_DIR) + $(SHELL) debian/scripts/lib source.patch + touch $@ + +fix.source.patch: $(STAMP_DIR)/fix.source.patch +STAMP_DIR_TARGETS+= $(STAMP_DIR)/fix.source.patch +$(STAMP_DIR)/fix.source.patch: $(STAMP_DIR) + $(SHELL) debian/scripts/lib fix.source.patch + touch $@ + +unfix.source.patch: $(STAMP_DIR)/unfix.source.patch +STAMP_DIR_TARGETS+= $(STAMP_DIR)/unfix.source.patch +$(STAMP_DIR)/unfix.source.patch: $(STAMP_DIR) + $(SHELL) debian/scripts/lib unfix.source.patch + touch $@ + +source.compile: $(STAMP_DIR)/source.compile +STAMP_DIR_TARGETS+= $(STAMP_DIR)/source.compile +$(STAMP_DIR)/source.compile: $(STAMP_DIR)/source.make $(STAMP_DIR) + $(MAKE) -C $(BUILD_TREE) $(BUILD_TARGET) + touch $@ + +source.command: + (cd $(BUILD_TREE); $(SOURCE_CMD)) + +DIR_TARGETS+=$(STAMP_DIR) +$(STAMP_DIR_TARGETS): $(STAMP_DIR) + +$(DIR_TARGETS)/: + mkdir -p $@ + +source.clean: unfix.source.patch + $(SHELL) debian/scripts/lib source.clean + rm -f $(STAMP_DIR_TARGETS) + rm -rf $(STAMP_DIR) + $(MAKE) -C debian/scripts clean --- tcp-wrappers-7.6.dbs.orig/debian/tcpd.links +++ tcp-wrappers-7.6.dbs/debian/tcpd.links 
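Review bot: The header comment documents a `source.cmd` target, but the rule defined near the end of this hunk is `source.command:`, so anyone following the comment asks make for a target that has no rule; the comment entry should read `# source.command: When calling this target, if you define a variable`. The line `.export: SOURCE_TREE` is parsed by GNU make as an ordinary rule for a target named `.export`, not as an export directive, and `SOURCE_TREE` is not assigned anywhere in this file. If an export was intended it would be `export SOURCE_TREE`; otherwise the line can be dropped. The stamp-file comment also says `$(STAMPDIR)` where the variable is `STAMP_DIR`.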
@@ -0,0 +1,2 @@
+usr/share/man/man5/hosts_access.5 usr/share/man/man5/hosts.allow.5
+usr/share/man/man5/hosts_access.5 usr/share/man/man5/hosts.deny.5
--- tcp-wrappers-7.6.dbs.orig/debian/rules
+++ tcp-wrappers-7.6.dbs/debian/rules
@@ -0,0 +1,86 @@
+#!/usr/bin/make -f
+SHELL+= -e
+
+include debian/scripts/vars
+
+BUILD_DIR := $(SOURCE_DIR)/$(TAR_DIR)
+B := $(BUILD_DIR)
+D := $(CURDIR)/debian/tcpd
+W := $(CURDIR)/debian/libwrap0
+WD := $(CURDIR)/debian/libwrap0-dev
+
+
+DEB_BUILD_ARCH := $(shell dpkg --print-installation-architecture)
+ifeq ($(filter-out hurd-%,$(DEB_BUILD_ARCH)),)
+ DEB_BUILD_GNU_SYSTEM := gnu
+else
+ DEB_BUILD_GNU_SYSTEM := linux
+endif
+
+
+all: build
+
+diff:
+ $(MAKE) -f debian/sys-build.mk make-diff
+
+clean:
+ dh_testdir
+ $(MAKE) -f debian/sys-build.mk source.clean
+ dh_clean
+
+# target used by the maintainer
+source:
+ $(MAKE) -f debian/sys-build.mk source.build
+
+unpack: $(STAMP_DIR)/unpack
+$(STAMP_DIR)/unpack:
+ $(MAKE) -f debian/sys-build.mk source.make
+ touch $@
+
+build: $(STAMP_DIR)/build
+$(STAMP_DIR)/build: $(STAMP_DIR)/unpack
+ dh_testdir
+ NOISY=1 \
+ $(MAKE) -f debian/sys-build.mk source.command SOURCE_CMD=" \
+ $(MAKE) $(DEB_BUILD_GNU_SYSTEM) \
+ "
+ touch $@
+
+binary-arch: checkroot $(STAMP_DIR)/build
+ dh_testdir
+ dh_clean -k
+
+ dh_installdirs -a
+ dh_install -a --sourcedir=$B
+
+ dh_installdocs $(addprefix $B/,README README.NIS)
+ dh_installchangelogs -a $B/CHANGES
+ dh_installman -p tcpd extra/try-from.8 extra/safe_finger.8 \
+ $(addprefix $B/,tcpd.8 tcpdchk.8 tcpdmatch.8 hosts_access.5 \
+ hosts_options.5)
+ dh_installman -p libwrap0-dev $B/hosts_access.3
+ dh_link -a
+
+ cp $B/shared/libwrap.so.0.7.6 $W/lib/
+ ln -s libwrap.so.0.7.6 $W/lib/libwrap.so.0
+
+ ln -s /lib/libwrap.so.0 $(WD)/usr/lib/libwrap.so
+
+ dh_link -a
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ dh_installdebconf -a
+ dh_makeshlibs -a
+ dh_installdeb -a
+ dh_shlibdeps -a
+ dh_gencontrol -a
+ dh_md5sums -a
+ dh_builddeb -a
+
+binary: binary-arch
+
+checkroot:
+ test root = "`whoami`"
+
+.PHONY: build clean binary-indep binary-arch binary
--- tcp-wrappers-7.6.dbs.orig/debian/libwrap0.shlibs
+++ tcp-wrappers-7.6.dbs/debian/libwrap0.shlibs
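Review bot: The upstream build target is selected from `dpkg --print-installation-architecture`, which describes the machine running the build rather than the host architecture the package is built for, so a cross build can pick the wrong target. The `ifeq` also sends every architecture that does not match `hurd-%` to `linux`, including non-Linux ports. Keying the choice on the host OS is more robust, e.g. `DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)` followed by `ifeq ($(DEB_HOST_ARCH_OS),hurd)`. Separately, `.PHONY` lists `binary-indep` but no `binary-indep:` rule exists and `binary` depends only on `binary-arch`; adding an empty `binary-indep:` target and making it a prerequisite of `binary` completes the expected interface.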
@@ -0,0 +1 @@
+libwrap 0 libwrap0
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/lib
+++ tcp-wrappers-7.6.dbs/debian/scripts/lib
@@ -0,0 +1,198 @@ +#!/bin/sh +if [ $(basename $0) = lib ];then + make -C debian/scripts sh.vars + . debian/scripts/sh.vars +fi +fetchmsg() { + local msg + msg=$1;shift + eval echo $(sed -ne "s/^$(BASENAME):$msg://p" debian/scripts/messages) +} +START() { + echo -n "$(fetchmsg START "$@") " +} +OK() { + fetchmsg OK "$@" +} +FAILED() { + fetchmsg FAILED "$@" +} +ALREADY_DONE() { + fetchmsg ALREADY_DONE "$@" +} + +BASENAME() { + local base + if [ "$cmd" ];then + base=$cmd + else + base=${0##*/} + fi + if [ x$base = x ];then + echo "Danger, Will Robinson, Danger!" 1>&2 + echo "Bash is very confused." 1>&2 + exit 1 + fi + if [ x$base = xlib ];then + echo "You can't call this directly." 1>&2 + echo "This is a library that should be sourced." 1>&2 + exit 1 + fi + echo $base +} +file2cat() { + $(decompress_prog $1) $1 +} +debug() { + echo "$@" + eval "$@" +} +decompress_prog() { + local which + which="cat" + [ $1 != ${1%.tgz} -o $1 != ${1%.gz} -o $1 != ${1%.Z} ] && which="gunzip -c" + [ $1 != ${1%.bz2} ] && which="bunzip2 -c" + [ $1 != ${1%.bz} ] && which="bunzip -c" + echo $which +} +compress_ext() { + local which + which="" + [ $1 != ${1%.gz} ] && which=gz + [ $1 != ${1%.Z} ] && which=Z + [ $1 != ${1%.bz2} ] && which=bz2 + [ $1 != ${1%.bz} ] && which=bz + echo $which +} +filetype_detect() { + local which f + which="" + f=$(echo "$1" | sed 's|:::.*||') + [ $f != ${f%.jar} ] && which=jarfile + [ $f != ${f%.zip} ] && which=zipfile + [ $f != ${f%.tgz} ] && which=tarball + [ $f != ${f%.tar.$(compress_ext $f)} ] && which=tarball + [ $f != ${f%.tar} ] && which=tarball + [ $f != ${f%.diff.$(compress_ext $f)} -o $1 != ${1%.patch.$(compress_ext $1)} ] && which=patch + [ $f != ${f%.diff} -o $1 != ${1%.patch} ] && which=patch + [ $f != ${f%.dsc} ] && which=dsc + echo $which +} +extract_tar() { + local which file dir curd + dir="$1" + shift + curd=$(pwd) + while [ $# -gt 0 ];do + file="$1" + [ "$file" = "${1#/}" ] && file="$curd/$file" + case "$(filetype_detect $file)" in + 
"jarfile") (cd $dir;fastjar -xf $file);; + "zipfile") (cd $dir;miniunzip -x $file);; + "tarball") $(decompress_prog $file) $file | (cd $dir;tar xvf -);; + *) echo "unsupported tarball";; + esac + shift + done +} + +do.patching() { + filetmpl=\$d/\$f + reversesort="" + reversepatch="" + + case "$cmd" in + source.patch) + mkdir -p $SOURCE_DIR/$TAR_DIR + patch_dirs="$SRC_PATCH_DIR $SRC_ADD_PATCH_DIR" + stampfiletmpl=\$STAMP_DIR/\$d/\$f + logtmpl=\$STAMP_DIR/log/\$d/\$f + dirprep="\$STAMP_DIR/log/\$d \$STAMP_DIR/\$d" + patchapplydirtmpl=\$SOURCE_DIR/\$TAR_DIR + ;; + patch.apply) + mkdir -p $SOURCE_DIR/$TAR_DIR $STAMP_DIR/patches + patch_dirs="$PATCH_DIR $ADD_PATCH_DIR" + stampfiletmpl=\$STAMP_DIR/patches/\$f + logtmpl=\$STAMP_DIR/log/\$d/\$f + dirprep=\$STAMP_DIR/log/\$d + patchapplydirtmpl=\$SOURCE_DIR/\$TAR_DIR + ;; + fix.source.patch) + if [ "$DBS_UNIFIED" -o ! -e debian/fixpatch ];then + exit + fi + mkdir -p $STAMP_DIR/fixpatch + patch_dirs=debian/fixpatch + stampfiletmpl="$STAMP_DIR/fixpatch/\$(basename \$f)" + logtmpl=\$STAMP_DIR/log/fixpatch/\$f + dirprep=\$STAMP_DIR/log/fixpatch + patchapplydirtmpl=upstream + ;; + unfix.source.patch) + if [ "$DBS_UNIFIED" -o ! -e debian/fixpatch ];then + exit + fi + mkdir -p $STAMP_DIR/fixpatch + patch_dirs=debian/fixpatch + stampfiletmpl="$STAMP_DIR/fixpatch/\$(basename \$f)" + logtmpl=\$STAMP_DIR/log/fixpatch/\$f + dirprep=\$STAMP_DIR/log/fixpatch + patchapplydirtmpl=upstream + reversesort=-r + reversepatch=-R + ;; + esac + for d in $patch_dirs;do + if [ ! -d $d ];then + continue + fi + eval mkdir -p $dirprep + for f in `(cd $d >/dev/null;find -type f ! -name 'chk-*' 2>/dev/null )|sort $reversesort`;do + eval stampfile=$stampfiletmpl + eval log=$logtmpl + eval file=$filetmpl + eval patchapplydir=$patchapplydirtmpl + if [ ! 
-e $stampfile ];then + START $file + if file2cat $file | (cd $patchapplydir;patch -p1 $reversepatch) > $log;then + OK $file + touch $stampfile + else + FAILED $file + exit 1 + fi + else + ALREADY_DONE $file + fi + done + done + +} +# +# External api functions. +# + +source.clean() { + if [ "$DBS_UNIFIED" ];then + exit + fi + rm -rf $SOURCE_DIR $STAMP_DIR/upstream $STAMP_DIR/patches + rm -f $STAMP_DIR/{source.{clean,build,make}} + return +if [ x$SOURCE_DIR = x ];then + files=`find -type f -maxdepth 1 -mindepth 1` + dirs=`find -type d -maxdepth 1 -mindepth 1 ! -name 'debian' ! -name 'upstream'` + echo files=\"$files\" + echo dirs=\"$dirs\" +fi + +} +source.patch() { cmd=source.patch; do.patching; } +fix.source.patch() { cmd=fix.source.patch; do.patching; } +unfix.source.patch() { cmd=unfix.source.patch; do.patching; } +patch.apply() { cmd=patch.apply; do.patching; } + +if [ $(basename $0) = lib ];then + $1 +fi --- tcp-wrappers-7.6.dbs.orig/debian/scripts/vars +++ tcp-wrappers-7.6.dbs/debian/scripts/vars 
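Review bot: In `source.clean`, `rm -rf $SOURCE_DIR $STAMP_DIR/upstream $STAMP_DIR/patches` expands unquoted variables that are only set when the generated `sh.vars` was sourced; if they are empty the command becomes `rm -rf /upstream /patches`, and a value containing whitespace is split into separate paths. Make the deletion fail closed with `rm -rf "${SOURCE_DIR:?}" "${STAMP_DIR:?}/upstream" "${STAMP_DIR:?}/patches"`. The next line relies on brace expansion (`$STAMP_DIR/{source.{clean,build,make}}`), which the `#!/bin/sh` interpreter line does not guarantee, so either spell out the three stamp names or declare bash. The `if [ x$SOURCE_DIR = x ]` block after `return` in the same function is unreachable and can be deleted.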
@@ -0,0 +1,31 @@
+# This file is NOT a shell script.
+#
+# This file gets included by both debian/rules (make) AND the scripts in
+# debian/scripts (bash)
+#
+
+# Where to cd to to unpack all the tarballs.
+SOURCE_DIR=build-tree
+# For a single pkg, this is the directory that is embedded in the tarball.
+# For multiple pkgs, this is null.
+TAR_DIR=tcp_wrappers_7.6
+# Where to place all the stamp files. This directory can be removed, and
+# all the targets will then be rerun.
+STAMP_DIR=debian/stampdir
+# When sys-build.mk is used to build the source, this is the target(s) to
+# run.
+BUILD_TARGET=
+# When cleaning the source, during diff generation, if this is set, this
+# target will be called in debian/rules. This allows for pkgs that have
+# complicated cleaning rules.
+#CLEAN_TARGET_EXTERNAL=extra-clean
+# Whether to die if the source cleaning fails.
+CLEAN_IGNORE=yes
+# The clean target to run. Defaults to clean.
+#CLEAN_TARGET=maintainer-clean
+# Files to exclude from the diff.
+DIFF_EXCLUDE=""
+# Where the patches are located(duh!).
+PATCH_DIR=debian/patches
+SRC_PATCH_DIR=upstream/patches
+SRC_TAR_DIR=upstream/tarballs
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/Makefile
+++ tcp-wrappers-7.6.dbs/debian/scripts/Makefile
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+all: sh.vars mk.vars
+
+clean:
+ rm -f sh.vars mk.vars
+
+mk.vars: vars.build vars
+ $(SHELL) vars.build vars make > $@
+sh.vars: vars.build vars
+ $(SHELL) vars.build vars shell > $@
+
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/messages
+++ tcp-wrappers-7.6.dbs/debian/scripts/messages
@@ -0,0 +1,29 @@
+fix.source.patch:START:"Fixing upstream patch $1"
+fix.source.patch:OK:"successful."
+fix.source.patch:FAILED:"failed!"
+fix.source.patch:ALREADY_DONE:"upstream patch fixup $1 already applied!"
+
+unfix.source.patch:START:"Unfixing upstream patch $1
+unfix.source.patch:OK:"successful."
+unfix.source.patch:FAILED:"failed!
+unfix.source.patch:ALREADY_DONE:"upstream patch fixup $1 already reversed!"
+
+patch.unapply:START:"Reversing patch $1"
+patch.unapply:OK:"successful."
+patch.unapply:FAILED:"failed!"
+patch.unapply:ALREADY_DONE:"Patch $1 not applied!"
+
+patch.apply:START:"Applying patch $1"
+patch.apply:OK:"successful."
+patch.apply:FAILED:"failed!"
+patch.apply:ALREADY_DONE:"Patch $1 already applied!"
+
+source.patch:START:"Applying upstream patch $1"
+source.patch:OK:"successful."
+source.patch:FAILED:"failed!"
+source.patch:ALREADY_DONE:"upstream patch $1 already applied!"
+
+source.unpack:START:"Extracting upstream tarball $1"
+source.unpack:OK:"successful."
+source.unpack:FAILED:"failed!"
+source.unpack:ALREADY_DONE:"upstream tarball $1 already extracted!"
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/getglibcversion
+++ tcp-wrappers-7.6.dbs/debian/scripts/getglibcversion
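Review bot: Two entries in the `unfix.source.patch` group are missing their closing double quote, `unfix.source.patch:START:"Unfixing upstream patch $1` and `unfix.source.patch:FAILED:"failed!`, while every other entry in the file closes its string. The code that parses this file is not visible here, but if the message text is later handed to the shell, an unbalanced quote can swallow the next entry or make the build helper fail on the reverse-patch path only. Close both: `unfix.source.patch:START:"Unfixing upstream patch $1"` and `unfix.source.patch:FAILED:"failed!"`.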
@@ -0,0 +1,56 @@
+#!/bin/sh
+# GNU C library version detection shell script.
+# Copyright 1999 Branden Robinson.
+# Licensed under the GNU General Public License, version 2. See the file
+# /usr/share/common-licenses/GPL or .
+
+# This script probably makes about a billion too many assumptions, but it's
+# better than hardcoding the glibc version on a per-architecture basis.
+
+set -e
+
+usage () {
+ echo "Usage: getglibcversion [option]"
+ echo " Where [option] may be one of:"
+ echo " --major return major version only"
+ echo " --minor return minor version only"
+ echo " --point return ittybitty version only"
+ echo "With no option, returns major.minor.ittybitty .";
+}
+
+case $# in
+ 0) ;;
+ 1) case $1 in
+ --help) usage
+ exit 0 ;;
+ --major) RETURN=1 ;;
+ --minor) RETURN=2 ;;
+ --point) RETURN=3 ;;
+ *) exec 1>&2
+ usage
+ exit 1 ;;
+ esac ;;
+ *) exec 1>&2
+ usage
+ exit 1 ;;
+esac
+
+LIBCLIST=$(cd /lib && ls libc-*.so)
+
+case $(echo $LIBCLIST | wc -l | awk '{print $1}') in
+ 0) echo "No GNU C library found! Aborting." >&2
+ exit 1 ;;
+ 1) ;;
+ *) echo "Multiple versions of GNU C library found! Aborting." >&2
+ exit 1 ;;
+esac
+
+LIBCVERSION=$(echo $LIBCLIST | sed 's/libc-//;s/\.so//')
+
+if [ -z $RETURN ]; then
+ echo $LIBCVERSION
+else
+ echo $LIBCVERSION | cut -d. -f$RETURN
+fi
+
+exit 0
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/source.unpack
+++ tcp-wrappers-7.6.dbs/debian/scripts/source.unpack
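Review bot: The multiplicity check `case $(echo $LIBCLIST | wc -l | awk '{print $1}')` can never reach its `0)` or `*)` branch, because the unquoted `echo $LIBCLIST` joins every match onto one line and `wc -l` then always reports 1. With two `libc-*.so` files in /lib the script carries on, and since the `sed` expression has no `g` flag it strips only the first `libc-` and `.so`, so a malformed version string is printed instead of the "Multiple versions" abort; the empty case is already caught earlier, when `ls` fails under `set -e`. Count the words instead, for example `set -- $LIBCLIST` followed by `case $# in`, and quote the later test as `[ -z "$RETURN" ]`.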
@@ -0,0 +1,32 @@
+#!/bin/sh
+make -C debian/scripts sh.vars
+. debian/scripts/sh.vars
+. debian/scripts/lib
+
+mkdir -p $STAMP_DIR/upstream/tarballs/ $SOURCE_DIR
+if [ ! -z "$SRC_TAR_DIR" -a -d "$SRC_TAR_DIR" ];then
+ files=$(find $SRC_TAR_DIR -type f|sort)
+else
+ VER=$(dpkg-parsechangelog 2>&1|egrep ^Version|cut -d " " -f 2|cut -d "-" -f 1)
+ SRC=$(dpkg-parsechangelog 2>&1|egrep ^Source|cut -d " " -f 2-)
+ files=../${SRC}_${VER}.orig.tar.gz
+fi
+for f in $files;do
+ stampfile=$STAMP_DIR/upstream/tarballs/`basename $f`
+ if [ ! -e $stampfile ];then
+ START $f
+ if extract_tar ${SOURCE_DIR:-.} $f > $stampfile.log;then
+ if [ x$SOURCE_DIR = x ];then
+ mkdir -p $STAMP_DIR/upstream/files/tarballs
+ cp $stampfile.log $STAMP_DIR/upstream/files/tarballs/`basename $f`.list
+ fi
+ OK $f
+ touch $stampfile
+ else
+ FAILED $f
+ exit 1
+ fi
+ else
+ ALREADY_DONE $f
+ fi
+done
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/archmap
+++ tcp-wrappers-7.6.dbs/debian/scripts/archmap
@@ -0,0 +1,22 @@
+#!/bin/sh
+# i486 i386 i486 i586 pentium pentiumpro
+if [ $(basename $0) = archmap ];then
+ if [ -z $1 ];then
+ arch=$(dpkg --print-gnu-build-architecture)
+ else
+ arch=$1
+ fi
+else
+ if [ -z $arch ];then
+ arch=$(dpkg --print-gnu-build-architecture)
+ fi
+fi
+set -- $(egrep ".* $arch( .*|$)" debian/scripts/archmap)
+if [ -z $2 ];then
+ arch=$arch
+else
+ arch=$2
+fi
+if [ $(basename $0) = archmap ];then
+ echo $arch
+fi
--- tcp-wrappers-7.6.dbs.orig/debian/scripts/vars.build
+++ tcp-wrappers-7.6.dbs/debian/scripts/vars.build
@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+sed_cmd=''
+cat $1 | while read REPLY; do
+ case "$REPLY" in
+ \#*|"") continue;;
+ *)
+ var=$(echo $REPLY|sed 's/\([^=]*\)=.*/\1/')
+ eval $REPLY
+ if [ $2 = "make" ]; then
+ eval echo "$var=\$$var"
+ else
+ eval echo "$var=\\\"\$$var\\\""
+ fi
+ ;;
+ esac
+done
--- tcp-wrappers-7.6.dbs.orig/debian/changelog
+++ tcp-wrappers-7.6.dbs/debian/changelog
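Review bot: In debian/scripts/vars.build the interpreter line `#!/usr/bin/make -f` does not match the content, which is a shell `while read` loop; it works only because debian/scripts/Makefile runs it as `$(SHELL) vars.build vars …`, and executing the file directly would hand shell syntax to make. For anyone auditing the build, the more important point is that `eval $REPLY` runs every non-comment line of `vars` as shell code although that file describes itself as "NOT a shell script", so a `;` or command substitution in a value there executes at build time. Use `#!/bin/sh`, read with `while IFS= read -r REPLY`, and put a comment above the eval such as `# vars is trusted packaging input: each line is eval'ed as shell`. The unused `sed_cmd=''` can go.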
@@ -0,0 +1,275 @@ +tcp-wrappers (7.6.dbs-11ubuntu0.1) feisty-security; urgency=low + + * SECURITY UPDATE: some services not being correctly blocked. + * Adjusted debian/patches/match_port to allow empty source info. + * References + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405342 + + -- Kees Cook Wed, 29 Aug 2007 10:01:45 -0700 + +tcp-wrappers (7.6.dbs-11build1) feisty; urgency=low + + * Rebuild for changes in the amd64 toolchain. + + -- Matthias Klose Mon, 5 Mar 2007 01:26:42 +0000 + +tcp-wrappers (7.6.dbs-11) unstable; urgency=medium + + * Fixed the port number matching. (Closes: #384289) + + -- Marco d'Itri Wed, 23 Aug 2006 19:31:06 +0200 + +tcp-wrappers (7.6.dbs-10) unstable; urgency=low + + * Added support to match servers by port number. (Closes: #377154) + * Fixed the check for hosts.{allow,deny} in postinst. (Closes: #374819) + * New debconf translations: gl, ru. (Closes: #361265, #367215, #373962) + + -- Marco d'Itri Thu, 17 Aug 2006 20:47:40 +0200 + +tcp-wrappers (7.6.dbs-9) unstable; urgency=low + + * Updated patch siglongjmp: actually save the signals mask on jumps + to prevent blocking SIGALRM on unsuspecting calling programs. + Fix contributed by Ian Jackson of Ubuntu. (Closes: #354855) + * Updated patch sig_fix with a fix from the Red Hat package. + * New patch aclexec: adds the aclexec command and its documentation. + (Closes: #17798) + * New patch 01_man_typos: fixes some man pages typos. (Closes: #344127) + * New patch fix_warnings: fixes misc compilation warnings. + * New debconf translations: pt, sv, vi. (Closes: #348442, #333495, #320320) + + -- Marco d'Itri Thu, 2 Mar 2006 00:01:59 +0100 + +tcp-wrappers (7.6.dbs-8) unstable; urgency=medium + + * Fixed postinst to source /usr/share/debconf/confmodule at top level, or + $@ will be reset when it re-executes $0. 
(Closes: #299129) + + -- Marco d'Itri Sat, 12 Mar 2005 01:00:14 +0100 + +tcp-wrappers (7.6.dbs-7) unstable; urgency=medium + + * Updated patch siglongjmp: explicitly pass the second argument 0 to + sigsetjmp(). + * Updated patch rfc931.diff: fix the prototypes for Hurd. (Closes: #289075) + * Updated patch 01_man_portability: add a reference for hosts_options(5). + (Closes: #298570) + * New debconf translations: nl, pt_BR. (Closes: #272481, #284226) + * New patch expand_remote_port: add a %-espansion for the remote port + number. (Closes: #279695) + + -- Marco d'Itri Wed, 9 Mar 2005 18:22:37 +0100 + +tcp-wrappers (7.6.dbs-6) unstable; urgency=medium + + * New patch restore_sigalarm correctly restores the SIGALARM handler after + it has been modified by libwrap functions. Extracted from the upstream + package tcp_wrappers_7.6-ipv6.4.tar.gz. (Closes: #268467) + * New debconf translation: it. + + -- Marco d'Itri Sun, 29 Aug 2004 18:43:11 +0200 + +tcp-wrappers (7.6.dbs-5) unstable; urgency=high + + * Updated debconf translations: ja, fr, da, cs, de. + (Closes: #250846, #250881, #251086, #251680, #254019) + + -- Marco d'Itri Wed, 28 Jul 2004 00:56:18 +0200 + +tcp-wrappers (7.6.dbs-4) unstable; urgency=medium + + * Fixed the text of the debconf template. (Closes: #248262) + * New template translations: tr fr da cs. + (Closes: #248312, #248690, #248821, #249259) + * Removed a bashism (posh sucks and is a waste of our time). + (Closes: #247384) + + -- Marco d'Itri Sat, 22 May 2004 12:55:16 +0200 + +tcp-wrappers (7.6.dbs-3) unstable; urgency=high + + * Updated patch 13_shlib_weaksym to add back to tcpd.h some #includes + lost in 7.6.dbs-1. (Closes: #244659, #246675) + Post-sarge a new tcpd.h to be used by other programs should be written. + * New template translation: ja. (Closes: #246441) + + -- Marco d'Itri Sun, 2 May 2004 15:11:20 +0200 + +tcp-wrappers (7.6.dbs-2) unstable; urgency=medium + + * Uploaded to unstable. 
+ * New patches: man_fromhost and 15_match_clarify to clarify documention. + (Closes: #162146, #226930) + * Close the bugs fixed by the last upload. + (Closes: #20030, #163346, #179707, #184489, #205368, #179708, #205532) + (Closes: #62145, #65390, #76378) + + -- Marco d'Itri Sun, 25 Apr 2004 12:18:13 +0200 + +tcp-wrappers (7.6.dbs-1) experimental; urgency=low + + * Source package converted to DBS. + * Switced back from the source patched by Casper Dik to the official + tree, because it's the one other distributions are using and this will + allow fixing some bugs. IPv6 support is provided by the 10_usagi-ipv6 + and 11_usagi_fix patches, which are tcp_wrappers.usagi-ipv6.patch and + tcp_wrappers.ume-ipv6.patch from the Red Hat package. + (Closes: #20030, #163346, #179707, #184489, #205368) + * Removed bogus dependency on libc6-dev. (Closes: #179708) + * Use : with chown. (Closes: #205532) + * Added a debconf question to deny access to everything by default. + Patch by Javier Fernández-Sanguino Peña. (Closes: #62145) + * New patch 05_wildcard_matching (tcp_wrappers-7.6-bug17847.patch from + the Red Hat package) to add support for wildcard matching on hostnames. + * New patch 06_fix_gethostbyname (tcp_wrappers-7.6-fixgethostbyname.patch + from the Red Hat package) to fix handling of hostnames with a trailing + dot. (Closes: #65390) + * New patch sig_fix (tcp_wrappers-7.6-sig.patch from the Red Hat package). + + -- Marco d'Itri Sat, 10 Apr 2004 20:46:54 +0200 + +tcp-wrappers (7.6-ipv6.1-3) unstable; urgency=low + + * Fixed CIDR-style netmasks on little endian architectures. + * Added links for hosts.allow(5) and hosts.deny(5) (Closes: #156819). + + -- Marco d'Itri Wed, 4 Sep 2002 22:52:20 +0200 + +tcp-wrappers (7.6-ipv6.1-2) unstable; urgency=low + + * Moved to main (Closes: #110672, #123057, #137843, #141130, #141132). 
+ + -- Marco d'Itri Mon, 12 Aug 2002 02:47:31 +0200 + +tcp-wrappers (7.6-ipv6.1-1) experimental; urgency=low + + * New upstream source with IPv6 support by Casper Dik. + * Removed README.IRIX. Other README.* files moved from tcpd-dev to tcpd. + * Fixed libwrap0.postinst to call ldconfig only at configuration time. + * Removed references to /usr/doc/ from /etc/hosts.* (Closes: #123057). + * Removed references to tlid and tlid.conf from man pages (Closes: #141130). + * Documented in tcpd.8 the existence of libwrap (Closes: #141132). + * Added a list of programs linked to libwrap (Closes: #137843). + + -- Marco d'Itri Wed, 31 Jul 2002 19:30:21 +0200 + +tcp-wrappers (7.6-9) unstable; urgency=low + + * Include changes from NMUs, fixing C++ compilation. Thanks to Matthew + Wilcox and Ryan Murray. (Closes: Bug#100891, Bug#105874) + + * Fix paths in man pages. (Closes: Bug#44575, Bug#110890) + * Make symlinks for manpages as well as having multiple entries in the NAME + section. (Closes: Bug#99581) + + -- Anthony Towns Sun, 18 Nov 2001 00:24:50 +1000 + +tcp-wrappers (7.6-8.3) unstable; urgency=low + + * NMU. + * tcpd.h: define __P() ourselves; sys/cdefs.h doesn't appear to be standard, + and the glibc version adds __throw to the prototypes. + + -- Ryan Murray Sun, 30 Sep 2001 23:06:24 -0700 + +tcp-wrappers (7.6-8.2) unstable; urgency=low + + * NMU. + * tcpd.h: include and to define some structs + which are used by the new prototypes. Also prevent against multiple + inclusion. Patch courtesy of John Daily. + + -- Matthew Wilcox Mon, 16 Jul 2001 12:28:54 -0600 + +tcp-wrappers (7.6-8.1) unstable; urgency=low + + * NMU approved by Anthony Towns. + * tcpd.h: use __P() to prototype the functions, allowing use from c++. + * scaffold.c: Fix bug detected by above change. For patch, see bug + #100891 + + -- Matthew Wilcox Fri, 29 Jun 2001 19:19:28 -0600 + +tcp-wrappers (7.6-8) unstable; urgency=low + + * debian/copyright: Update license. 
(Closes: Bug#99719) + * debian/control: Added Build-Depends, and bumped Standards-Version. + (Closes: Bug#89084) + * debian/rules: Change PWD to CURDIR. (Closes: Bug#45175) + + * debian/tcpd.postinst: Update reference to portmapper.txt.gz in + hosts.deny, hosts.allow. (Closes: Bug#77181) + * debian/tcpd.postinst: Comment out ALL: PARANOID from hosts.deny. + (Closes: Bug#62372, Bug#55528) + + * Move hosts_access(5) and hosts_options(5) to tcpd.deb. + + * Get rid of dh_suidregister. + + -- Anthony Towns Fri, 8 Jun 2001 20:14:46 +1000 + +tcp-wrappers (7.6-7) unstable; urgency=low + + * Fix here document in tcpd postinst (Closes: Bug#75309) + * Fix apostrophes in tcpd(8), hosts_access(5) and hosts_options(5) + manpages (Closes: Bug#75654, Bug#75656) + * libwrap0 has a weak allow_severity symbol since 7.6-4 (Closes: Bug#51210) + * Change "tcpd.h" to in hosts_access(3) manpage. (Closes: Bug#63526) + * tcpd.h seems to be correct (Closes: Bug#65543) + + -- Anthony Towns Tue, 26 Dec 2000 15:22:32 +1000 + +tcp-wrappers (7.6-6) unstable; urgency=low + + * Use $(CC) to build shared libraries instead of $(LD). Important for + getting magical start files or something. (Closes: Bug#71940) + + -- Anthony Towns Mon, 18 Sep 2000 11:58:29 -0700 + +tcp-wrappers (7.6-5) unstable; urgency=low + + * Move /etc/hosts.allow and /etc/hosts.deny from netbase into the + tcpd package. Generate them in postinst rather than have them as + conffiles. + + -- Anthony Towns Sun, 16 Jul 2000 11:51:39 +1000 + +tcp-wrappers (7.6-4) frozen unstable; urgency=high + + * Actually compile in the weak_symbols. Thanks to Tomas Ogren for + working out where things were going wrong. 
(Closes: Bug#57780, + Bug#55824) + + -- Anthony Towns Fri, 11 Feb 2000 15:52:44 +1000 + +tcp-wrappers (7.6-3) frozen unstable; urgency=medium + + * Define hosts_ctl in tcpd.h (Closes: Bug#55265, Bug#53887) + + -- Anthony Towns Tue, 25 Jan 2000 11:14:33 +1000 + +tcp-wrappers (7.6-2) unstable; urgency=low + + * Move libwrap0 to /lib (Closes: Bug#52534) + + * Make weak symbols for allow_severity and deny_severity + (Closes: Bug#44542) + * Adjust shlibs file to require libwrap0 (>= 7.6-1.1) thanks to + the above (Closes: Bug#51217) + + * Change how the Hurd is handled, thanks to Marcus Brinkmann + (Closes: Bug#44408) + + * Add support for `ftp' severity specifier. (Closes: Bug#53575) + + * Add -D_REENTRANT when compiling. + + -- Anthony Towns Sun, 29 Aug 1999 00:08:36 +1000 + +tcp-wrappers (7.6-1) unstable; urgency=low + + * Initial Release. + * Split from netbase. + + -- Anthony Towns Tue, 10 Aug 1999 12:06:33 +1000 --- tcp-wrappers-7.6.dbs.orig/debian/libwrap0-dev.dirs +++ tcp-wrappers-7.6.dbs/debian/libwrap0-dev.dirs @@ -0,0 +1,3 @@ +usr/lib +usr/include +usr/share/man/man3 --- tcp-wrappers-7.6.dbs.orig/debian/libwrap0.dirs +++ tcp-wrappers-7.6.dbs/debian/libwrap0.dirs @@ -0,0 +1 @@ +lib --- tcp-wrappers-7.6.dbs.orig/debian/tcpd.config +++ tcp-wrappers-7.6.dbs/debian/tcpd.config @@ -0,0 +1,13 @@ +#!/bin/sh -e + +# Only ask about the configuration if there are no hosts.{allow,deny} files + +if [ ! -e /etc/hosts.allow ] && [ ! -e /etc/hosts.deny ]; then + . /usr/share/debconf/confmodule + db_input medium tcpd/paranoid-mode || true + db_go +fi + +#DEBHELPER# + +exit 0 --- tcp-wrappers-7.6.dbs.orig/debian/compat +++ tcp-wrappers-7.6.dbs/debian/compat @@ -0,0 +1 @@ +4 --- tcp-wrappers-7.6.dbs.orig/debian/README.Debian +++ tcp-wrappers-7.6.dbs/debian/README.Debian 
@@ -0,0 +1,70 @@ +tcp_wrappers for Debian +----------------------- + +Extensions: +----------- + +There are a number of Debian specific changes to TCP wrappers: + + * libwrap.so.0 is available for dynamic linking. + + * You can blacklist a whole bunch of hosts at once by specifying a + file that contains a list of those hosts instead of just naming + a host. See the hosts_access(5) manpage. + + * You can allow or disallow access to a service depending on the + exit status of a program. See the hosts_access(5) manpage. + + * CIDR support in hosts_access(5) functions. + + * %r and %R parameters in hosts_access(5) functions. + + * Servers can be matched by port number other than by process name. + + * IPv6 support. + +Library versioning: +------------------- + +TCP wrappers isn't distributed as a shared library upstream, so the +versioning scheme used for TCP wrappers may not match Linux's library +versioning schme. Hence, libwrap has a soname of libwrap0 (version 7.6), +instead of libwrap7 (version 6). + +Build options: +-------------- + +STYLE = "-DPROCESS_OPTIONS -DACLEXEC" + + Debian TCP Wrappers use the extended syntax for /etc/hosts.allow + and /etc/hosts.deny. This particularly affects spawning other + commands on connections, see the hosts_options(5) manpage for + more details. + +FACILITY = LOG_DAEMON +SEVERITY = LOG_INFO + + TCP Wrappers logs as daemon.info (rather than mail.info). + +BUGS = + + Linux has no bugs. :) + +VSYSLOG = + + libc6 has vsyslog built in. + +UMASK = -DDAEMON_UMASK=022 +NETGROUP = -DNETGROUP + +RFC931_TIMEOUT = 10 +ACCESS = -DHOSTS_ACCESS +TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.al +low\" +KILL_OPT = -DKILL_IP_OPTIONS + +EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" + +The options ALWAYS_RFC931, ALWAYS_HOSTNAME and PARANOID have not been +enabled because these features can be enabled at runtime. 
The option +APPEND_DOT is not enabled because of compatibility reasons. --- tcp-wrappers-7.6.dbs.orig/debian/patches/01_man_typos +++ tcp-wrappers-7.6.dbs/debian/patches/01_man_typos @@ -0,0 +1,24 @@ +diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 +--- tcp_wrappers_7.6.orig/tcpdchk.8 2006-03-01 18:53:48.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdchk.8 2006-03-01 18:53:43.000000000 +0100 +@@ -1,7 +1,7 @@ + .TH TCPDCHK 8 + .SH NAME + tcpdchk \- tcp wrapper configuration checker +-.SH SYNOPSYS ++.SH SYNOPSIS + tcpdchk [-a] [-d] [-i inet_conf] [-v] + .SH DESCRIPTION + .PP +diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 +--- tcp_wrappers_7.6.orig/tcpdmatch.8 2006-03-01 18:53:48.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdmatch.8 2006-03-01 18:53:34.000000000 +0100 +@@ -1,7 +1,7 @@ + .TH TCPDMATCH 8 + .SH NAME + tcpdmatch \- tcp wrapper oracle +-.SH SYNOPSYS ++.SH SYNOPSIS + tcpdmatch [-d] [-i inet_conf] daemon client + .sp + tcpdmatch [-d] [-i inet_conf] daemon[@server] [user@]client --- tcp-wrappers-7.6.dbs.orig/debian/patches/15_match_clarify +++ tcp-wrappers-7.6.dbs/debian/patches/15_match_clarify @@ -0,0 +1,12 @@ +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-25 12:17:59.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.5 2004-04-25 12:17:53.000000000 +0200 +@@ -89,6 +89,8 @@ + bitwise AND of the address and the `mask\'. For example, the net/mask + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. ++`255.255.255.255\' is not a valid mask value, so a single host can be ++matched just by its IP. + .IP \(bu + An expression of the form `n.n.n.n/mm' is interpreted as a + `net/masklength' pair, where `mm' is the number of consecutive `1' --- tcp-wrappers-7.6.dbs.orig/debian/patches/13_shlib_weaksym +++ tcp-wrappers-7.6.dbs/debian/patches/13_shlib_weaksym 
@@ -0,0 +1,253 @@ +diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile +--- tcp_wrappers_7.6.orig/Makefile 2004-05-02 15:37:59.000000000 +0200 ++++ tcp_wrappers_7.6/Makefile 2004-05-02 15:31:09.000000000 +0200 +@@ -150,15 +150,15 @@ + + linux: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ +- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ ++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ +- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all + + gnu: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ +- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ ++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ +- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all + + # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. + hpux hpux8 hpux9 hpux10: +@@ -713,7 +713,22 @@ + + LIB = libwrap.a + +-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk ++shared/%.o: %.c ++ $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ ++ ++SOMAJOR = 0 ++SOMINOR = 7.6 ++ ++SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) ++SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR) ++SHLIBSO = shared/libwrap.so ++SHLIBFLAGS = -Lshared -lwrap ++ ++SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) ++SHCFLAGS = -fPIC -shared -D_REENTRANT ++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); ++ ++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) + + # Invalidate all object files when the compiler options (CFLAGS) have changed. 
+ +@@ -731,27 +746,33 @@ + $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) + -$(RANLIB) $(LIB) + +-tcpd: tcpd.o $(LIB) +- $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) ++$(SHLIB): $(SHLIB_OBJ) ++ rm -f $(SHLIB) ++ $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) ++ ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) ++ ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) ++ ++tcpd: tcpd.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) + + miscd: miscd.o $(LIB) + $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) + +-safe_finger: safe_finger.o $(LIB) +- $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) ++safe_finger: safe_finger.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) + + TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o + +-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) +- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) ++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) + +-try-from: try-from.o fakelog.o $(LIB) +- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) ++try-from: try-from.o fakelog.o $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) + + TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o + +-tcpdchk: $(TCPDCHK_OBJ) $(LIB) +- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) ++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) ++ $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) + + shar: $(KIT) + @shar $(KIT) +@@ -767,7 +788,9 @@ + + clean: + rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ ++ libwrap*.so* \ + cflags ++ rm -rf shared/ + + tidy: clean + chmod -R a+r . 
+@@ -913,5 +936,6 @@ + update.o: mystdarg.h + update.o: tcpd.h + vfprintf.o: cflags ++weak_symbols.o: tcpd.h + workarounds.o: cflags + workarounds.o: tcpd.h +diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h +--- tcp_wrappers_7.6.orig/tcpd.h 2004-05-02 15:37:59.000000000 +0200 ++++ tcp_wrappers_7.6/tcpd.h 2004-05-02 15:37:49.000000000 +0200 +@@ -4,6 +4,15 @@ + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. + */ + ++#ifndef _TCPWRAPPERS_TCPD_H ++#define _TCPWRAPPERS_TCPD_H ++ ++/* Need definitions of struct sockaddr_in and FILE. */ ++#include ++#include ++ ++__BEGIN_DECLS ++ + /* Structure to describe one communications endpoint. */ + + #define STRING_LENGTH 128 /* hosts, users, processes */ +@@ -29,10 +38,10 @@ + char pid[10]; /* access via eval_pid(request) */ + struct host_info client[1]; /* client endpoint info */ + struct host_info server[1]; /* server endpoint info */ +- void (*sink) (); /* datagram sink function or 0 */ +- void (*hostname) (); /* address to printable hostname */ +- void (*hostaddr) (); /* address to printable address */ +- void (*cleanup) (); /* cleanup function or 0 */ ++ void (*sink) (int); /* datagram sink function or 0 */ ++ void (*hostname) (struct host_info *); /* address to printable hostname */ ++ void (*hostaddr) (struct host_info *); /* address to printable address */ ++ void (*cleanup) (struct request_info *); /* cleanup function or 0 */ + struct netconfig *config; /* netdir handle */ + }; + +@@ -70,20 +79,27 @@ + #define fromhost sock_host /* no TLI support needed */ + #endif + +-extern int hosts_access(); /* access control */ +-extern void shell_cmd(); /* execute shell command */ +-extern char *percent_x(); /* do % expansion */ +-extern void rfc931(); /* client name from RFC 931 daemon */ +-extern void clean_exit(); /* clean up and exit */ +-extern void refuse(); /* clean up and exit */ +-extern char *xgets(); /* fgets() on steroids */ +-extern char *split_at(); /* strchr() and split */ 
+-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ ++extern int hosts_access(struct request_info *request); /* access control */ ++extern void shell_cmd(char *); /* execute shell command */ ++extern char *percent_x(char *, int, char *, struct request_info *); ++ /* do % expansion */ ++extern void rfc931(struct sockaddr *, struct sockaddr *, char *); ++ /* client name from RFC 931 daemon */ ++extern void clean_exit(struct request_info *); /* clean up and exit */ ++extern void refuse(struct request_info *); /* clean up and exit */ ++extern char *xgets(char *, int, FILE *); /* fgets() on steroids */ ++extern char *split_at(char *, int); /* strchr() and split */ ++extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */ + + /* Global variables. */ + ++#ifdef HAVE_WEAKSYMS ++extern int allow_severity __attribute__ ((weak)); /* for connection logging */ ++extern int deny_severity __attribute__ ((weak)); /* for connection logging */ ++#else + extern int allow_severity; /* for connection logging */ + extern int deny_severity; /* for connection logging */ ++#endif + extern char *hosts_allow_table; /* for verification mode redirection */ + extern char *hosts_deny_table; /* for verification mode redirection */ + extern int hosts_access_verbose; /* for verbose matching mode */ +@@ -98,6 +114,8 @@ + #ifdef __STDC__ + extern struct request_info *request_init(struct request_info *,...); + extern struct request_info *request_set(struct request_info *,...); ++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, ++ char *client_user); + #else + extern struct request_info *request_init(); /* initialize request */ + extern struct request_info *request_set(); /* update request structure */ +@@ -121,20 +139,23 @@ + * host_info structures serve as caches for the lookup results. 
+ */ + +-extern char *eval_user(); /* client user */ +-extern char *eval_hostname(); /* printable hostname */ +-extern char *eval_hostaddr(); /* printable host address */ +-extern char *eval_hostinfo(); /* host name or address */ +-extern char *eval_client(); /* whatever is available */ +-extern char *eval_server(); /* whatever is available */ ++extern char *eval_user(struct request_info *); /* client user */ ++extern char *eval_hostname(struct host_info *); /* printable hostname */ ++extern char *eval_hostaddr(struct host_info *); /* printable host address */ ++extern char *eval_hostinfo(struct host_info *); /* host name or address */ ++extern char *eval_client(struct request_info *);/* whatever is available */ ++extern char *eval_server(struct request_info *);/* whatever is available */ + #define eval_daemon(r) ((r)->daemon) /* daemon process name */ + #define eval_pid(r) ((r)->pid) /* process id */ + + /* Socket-specific methods, including DNS hostname lookups. */ + +-extern void sock_host(); /* look up endpoint addresses */ +-extern void sock_hostname(); /* translate address to hostname */ +-extern void sock_hostaddr(); /* address to printable address */ ++/* look up endpoint addresses */ ++extern void sock_host(struct request_info *); ++/* translate address to hostname */ ++extern void sock_hostname(struct host_info *); ++/* address to printable address */ ++extern void sock_hostaddr(struct host_info *); + #define sock_methods(r) \ + { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } + +@@ -182,7 +203,7 @@ + * behavior. + */ + +-extern void process_options(); /* execute options */ ++extern void process_options(char *, struct request_info *);/* execute options */ + extern int dry_run; /* verification flag */ + + /* Bug workarounds. 
*/ +@@ -221,3 +242,7 @@ + #define strtok my_strtok + extern char *my_strtok(); + #endif ++ ++__END_DECLS ++ ++#endif +diff -ruN tcp_wrappers_7.6.orig/weak_symbols.c tcp_wrappers_7.6/weak_symbols.c +--- tcp_wrappers_7.6.orig/weak_symbols.c 1970-01-01 01:00:00.000000000 +0100 ++++ tcp_wrappers_7.6/weak_symbols.c 2004-05-02 15:31:09.000000000 +0200 +@@ -0,0 +1,11 @@ ++ /* ++ * @(#) weak_symbols.h 1.5 99/12/29 23:50 ++ * ++ * Author: Anthony Towns ++ */ ++ ++#ifdef HAVE_WEAKSYMS ++#include ++int deny_severity = LOG_WARNING; ++int allow_severity = SEVERITY; ++#endif --- tcp-wrappers-7.6.dbs.orig/debian/patches/06_fix_gethostbyname +++ tcp-wrappers-7.6.dbs/debian/patches/06_fix_gethostbyname @@ -0,0 +1,30 @@ +* Mon Feb 5 2001 Preston Brown +- fix gethostbyname to work better with dot "." notation (#16949) + +--- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997 ++++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001 +@@ -52,7 +52,8 @@ + char *name; + { + char dot_name[MAXHOSTNAMELEN + 1]; +- ++ struct hostent *hp; ++ + /* + * Don't append dots to unqualified names. Such names are likely to come + * from local hosts files or from NIS. +@@ -61,8 +62,12 @@ + if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { + return (gethostbyname(name)); + } else { +- sprintf(dot_name, "%s.", name); +- return (gethostbyname(dot_name)); ++ sprintf(dot_name, "%s.", name); ++ hp = gethostbyname(dot_name); ++ if (hp) ++ return hp; ++ else ++ return (gethostbyname(name)); + } + } + --- tcp-wrappers-7.6.dbs.orig/debian/patches/tcpdchk_libwrapped +++ tcp-wrappers-7.6.dbs/debian/patches/tcpdchk_libwrapped 
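Review bot: In the Makefile part of 13_shlib_weaksym, `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));` ends with a stray semicolon that becomes part of the variable's value. It appears harmless only by accident: in `$(SHLIB): $(SHLIB_OBJ)` make reads the `;` as the start of an inline recipe, and in the link command the shell reads it as a command terminator, so anything later appended after `$(SHLIB_OBJ)` on that line would run as a separate command. Write `SHLIB_OBJ = $(addprefix shared/, $(LIB_OBJ))`. The pattern rule `shared/%.o: %.c` also has no visible step that creates `shared/`; if that directory is not made elsewhere in the packaging, add `@mkdir -p shared` to the recipe.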
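Review bot: The new fallback `return (gethostbyname(name));` in 06_fix_gethostbyname repeats the lookup without the trailing dot when the dot-terminated query fails, which presumably lets the resolver apply its search list to a name that already contains a dot. In an access-control library that means a failed absolute lookup could be answered by a differently qualified record, so the fallback needs a comment saying which case from the patch header (#16949) it is meant to rescue and that search-list expansion is accepted there. The `sprintf(dot_name, "%s.", name)` stays inside `dot_name` only because of the `strlen(name) >= MAXHOSTNAMELEN - 1` test on the branch above; `snprintf(dot_name, sizeof(dot_name), "%s.", name)` would make the bound explicit. The function starts above the hunk.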
@@ -0,0 +1,39 @@ +diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c +--- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 02:50:37.000000000 +0200 ++++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 02:50:33.000000000 +0200 +@@ -53,6 +53,24 @@ + #include "inetcf.h" + #include "scaffold.h" + ++/* list of programs which are known to be linked with libwrap in debian */ ++static const char *const libwrap_programs[] = { ++ "portmap", "mountd", "statd", "ugidd", ++ "redir", "rlinetd", ++ "sshd", ++ "atftpd", ++ "diald", ++ "esound", ++ "gdm", "gnome-session", ++ "icecast", "icecast_admin", "icecast_client", "icecast_source", ++ "mysqld", ++ "ntop", ++ "pptpd", ++ "rquotad", ++ "sendmail", "smail", ++ NULL ++}; ++ + /* + * Stolen from hosts_access.c... + */ +@@ -147,8 +165,8 @@ + /* + * These are not run from inetd but may have built-in access control. + */ +- inet_set("portmap", WR_NOT); +- inet_set("rpcbind", WR_NOT); ++ for (c = 0; libwrap_programs[c]; c++) ++ inet_set(libwrap_programs[c], WR_YES); + + /* + * Check accessibility of access control files. --- tcp-wrappers-7.6.dbs.orig/debian/patches/match_port +++ tcp-wrappers-7.6.dbs/debian/patches/match_port 
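Review bot: The second hunk of the tcpdchk.c patch drops `rpcbind` from the known daemons and reclassifies `portmap` from `WR_NOT` to `WR_YES`, yet the comment kept above the loop still reads "These are not run from inetd but may have built-in access control", and the meaning of the two constants is defined outside the hunk. tcpdchk is the tool used to validate hosts.allow and hosts.deny, so a hard-coded list that drifts from what is really linked against libwrap may produce misleading diagnostics for rules naming those daemons; update the comment on `libwrap_programs` to something like `/* keep in sync with the packages linked against libwrap */` and confirm that leaving out `rpcbind` is intended. The loop index `c` is declared outside the hunk and looks borrowed from option parsing, so a dedicated `int i` would read better.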
@@ -0,0 +1,64 @@ +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2007-01-08 01:31:32.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.c 2007-01-08 01:31:08.000000000 +0100 +@@ -232,6 +232,36 @@ int (*match_fn) (); + return (NO); + } + ++/* ++ * daemon_or_port_match - match server information: if the server endpoint ++ * pattern is a port number, match against port number of connection; ++ * otherwise match against daemon executable name ++ */ ++ ++static int daemon_or_port_match(char *tok, struct request_info *request) { ++ unsigned int port, sin_port; ++ char junk; ++ ++ /* daemon name */ ++ if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535) ++ return (string_match(tok, eval_daemon(request))); ++ ++ /* port number */ ++ if (!request->server->sin) ++ return (NO); ++ ++#ifdef INET6 ++ sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port); ++#else ++ sin_port = ntohs(request->server->sin->sin_port); ++#endif ++ ++ if (port == sin_port) ++ return (YES); ++ else ++ return (NO); ++} ++ + /* server_match - match server information */ + + static int server_match(tok, request) +@@ -241,9 +271,9 @@ struct request_info *request; + char *host; + + if ((host = split_at(tok + 1, '@')) == 0) { /* plain daemon */ +- return (string_match(tok, eval_daemon(request))); ++ return (daemon_or_port_match(tok, request)); + } else { /* daemon@host */ +- return (string_match(tok, eval_daemon(request)) ++ return (daemon_or_port_match(tok, request) + && host_match(host, request->server)); + } + } +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2007-01-08 01:31:32.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.5 2007-01-08 01:30:18.000000000 +0100 +@@ -51,7 +51,7 @@ being optional: + daemon_list : client_list [ : shell_command ] + .PP + \fIdaemon_list\fR is a list of one or more daemon process names +-(argv[0] 
values) or wildcards (see below). ++(argv[0] values) or server port numbers or wildcards (see below). + .PP + \fIclient_list\fR is a list + of one or more host names, host addresses, patterns or wildcards (see --- tcp-wrappers-7.6.dbs.orig/debian/patches/14_cidr_support +++ tcp-wrappers-7.6.dbs/debian/patches/14_cidr_support 
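Review bot: In `daemon_or_port_match`, `sscanf(tok, "%u%c", &port, &junk)` is a loose test for "this token is a port": `%u` skips leading white space, accepts a sign, and has undefined behaviour on out-of-range input, so a value beyond `UINT_MAX` may wrap to a small number and pass the `port > 65535` check. Parsing with `strtoul` and requiring a leading digit, a clean end pointer and no `ERANGE`, as sketched below, rejects those tokens and treats them as daemon names. When `request->server->sin` is null the function returns `NO`, so a port rule placed in hosts.deny silently never matches for callers that did not fill in the server endpoint; the hosts_access.5 hunk should mention that. The `INET6` cast to `struct sockaddr_in *` relies on the port field having the same offset in both address families, which deserves a one-line comment.

```c
static int daemon_or_port_match(char *tok, struct request_info *request) {
    unsigned long port;
    unsigned int sin_port;
    char *end;

    /* daemon name: anything that is not a plain decimal number 0..65535 */
    if (tok[0] < '0' || tok[0] > '9')
        return (string_match(tok, eval_daemon(request)));
    errno = 0;
    port = strtoul(tok, &end, 10);
    if (*end != '\0' || errno == ERANGE || port > 65535)
        return (string_match(tok, eval_daemon(request)));

    /* ... unchanged: null check on request->server->sin, port comparison ... */
```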
@@ -0,0 +1,66 @@ +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2003-08-21 03:15:36.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.5 2003-08-21 03:15:31.000000000 +0200 +@@ -90,6 +90,10 @@ + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. + .IP \(bu ++An expression of the form `n.n.n.n/mm' is interpreted as a ++`net/masklength' pair, where `mm' is the number of consecutive `1' ++bits in the netmask applied to the `n.n.n.n' address. ++.IP \(bu + An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a + `[net]/prefixlen\' pair. An IPv6 host address is matched if + `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the +diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2003-08-21 03:15:36.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.c 2003-08-21 03:09:30.000000000 +0200 +@@ -417,7 +417,8 @@ + if ((addr = dot_quad_addr(string)) == INADDR_NONE) + return (NO); + if ((net = dot_quad_addr(net_tok)) == INADDR_NONE +- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { ++ || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE ++ && (mask = cidr_mask_addr(mask_tok)) == 0)) { + #ifndef INET6 + tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); + #endif +diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c +--- tcp_wrappers_7.6.orig/misc.c 2003-08-21 03:15:36.000000000 +0200 ++++ tcp_wrappers_7.6/misc.c 2003-08-21 03:09:30.000000000 +0200 +@@ -107,3 +107,17 @@ + } + return (runs == 4 ? 
inet_addr(str) : INADDR_NONE); + } ++ ++/* cidr_mask_addr - convert cidr netmask length to internal form */ ++ ++unsigned long cidr_mask_addr(str) ++char *str; ++{ ++ int maskbits; ++ ++ maskbits = atoi(str); ++ if (maskbits < 1 || maskbits > 32) ++ return (0); ++ return htonl(0xFFFFFFFF << (32 - maskbits)); ++} ++ +diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c +--- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 03:15:36.000000000 +0200 ++++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 03:09:30.000000000 +0200 +@@ -497,12 +497,12 @@ + int mask_len; + + if ((dot_quad_addr(pat) == INADDR_NONE +- || dot_quad_addr(mask) == INADDR_NONE) ++ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) + && (!is_inet6_addr(pat) + || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) + #else + if (dot_quad_addr(pat) == INADDR_NONE +- || dot_quad_addr(mask) == INADDR_NONE) ++ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) + #endif + tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); + } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ --- tcp-wrappers-7.6.dbs.orig/debian/patches/safe_finger +++ tcp-wrappers-7.6.dbs/debian/patches/safe_finger 
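Review bot: `cidr_mask_addr` in the misc.c hunk parses the prefix length with `atoi`, which ignores trailing garbage, so a mistyped mask such as `24x` or `8.0.0` is accepted as a valid prefix instead of producing the "bad net/mask" warning, and the rule is then applied with a width the administrator did not intend. Using `strtol` with an end pointer and returning 0 unless `end != str && *end == '\0'` closes that gap. The value 0 is also the error sentinel, so a `/0` prefix cannot be expressed; the function comment and the hosts_access.5 paragraph should say so. No prototype for `cidr_mask_addr` is added in the visible hunks, so hosts_access.c and tcpdchk.c may be calling a function returning `unsigned long` through an implicit `int` declaration; if tcpd.h is not updated elsewhere, add `extern unsigned long cidr_mask_addr(char *);` there.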
@@ -0,0 +1,29 @@ +--- tcp-wrappers-7.6-ipv6.1.orig/safe_finger.c ++++ tcp-wrappers-7.6-ipv6.1/safe_finger.c +@@ -26,21 +26,24 @@ + #include + #include + #include ++#include + + extern void exit(); + + /* Local stuff */ + +-char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; ++char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; + + #define TIME_LIMIT 60 /* Do not keep listinging forever */ + #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ + #define LINE_LENGTH 128 /* Editors can choke on long lines */ + #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ + #define UNPRIV_NAME "nobody" /* Preferred privilege level */ +-#define UNPRIV_UGID 32767 /* Default uid and gid */ ++#define UNPRIV_UGID 65534 /* Default uid and gid */ + + int finger_pid; ++int allow_severity = SEVERITY; ++int deny_severity = LOG_WARNING; + + void cleanup(sig) + int sig; --- tcp-wrappers-7.6.dbs.orig/debian/patches/rfc931.diff +++ tcp-wrappers-7.6.dbs/debian/patches/rfc931.diff 
@@ -0,0 +1,39 @@ +diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c +--- tcp_wrappers_7.6.orig/scaffold.c 2005-03-09 18:22:04.000000000 +0100 ++++ tcp_wrappers_7.6/scaffold.c 2005-03-09 18:20:47.000000000 +0100 +@@ -237,10 +237,17 @@ struct request_info *request; + + /* ARGSUSED */ + +-void rfc931(request) +-struct request_info *request; ++void rfc931(rmt_sin, our_sin, dest) ++#ifdef INET6 ++struct sockaddr *rmt_sin; ++struct sockaddr *our_sin; ++#else ++struct sockaddr_in *rmt_sin; ++struct sockaddr_in *our_sin; ++#endif ++char *dest; + { +- strcpy(request->user, unknown); ++ strcpy(dest, unknown); + } + + /* check_path - examine accessibility */ +diff -ruNp tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h +--- tcp_wrappers_7.6.orig/tcpd.h 2005-03-09 18:22:04.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.h 2005-03-09 18:21:23.000000000 +0100 +@@ -83,7 +83,11 @@ extern int hosts_access(struct request_i + extern void shell_cmd(char *); /* execute shell command */ + extern char *percent_x(char *, int, char *, struct request_info *); + /* do % expansion */ ++#ifdef INET6 + extern void rfc931(struct sockaddr *, struct sockaddr *, char *); ++#else ++extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *); ++#endif + /* client name from RFC 931 daemon */ + extern void clean_exit(struct request_info *); /* clean up and exit */ + extern void refuse(struct request_info *); /* clean up and exit */ --- tcp-wrappers-7.6.dbs.orig/debian/patches/fix_warnings +++ tcp-wrappers-7.6.dbs/debian/patches/fix_warnings 
@@ -0,0 +1,45 @@ +diff -ruNp tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c +--- tcp_wrappers_7.6.orig/fix_options.c 2006-03-01 23:45:28.000000000 +0100 ++++ tcp_wrappers_7.6/fix_options.c 2006-03-01 23:45:25.000000000 +0100 +@@ -50,7 +50,7 @@ struct request_info *request; + struct in_addr dummy; + #ifdef INET6 + struct sockaddr_storage ss; +- int sslen; ++ socklen_t sslen; + + /* + * check if this is AF_INET socket +diff -ruNp tcp_wrappers_7.6.orig/options.c tcp_wrappers_7.6/options.c +--- tcp_wrappers_7.6.orig/options.c 2006-03-01 23:45:28.000000000 +0100 ++++ tcp_wrappers_7.6/options.c 2006-03-01 22:55:44.000000000 +0100 +@@ -41,6 +41,7 @@ static char sccsid[] = "@(#) options.c 1 + #include + #include + #include ++#include + #include + #include + #include +diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c +--- tcp_wrappers_7.6.orig/scaffold.c 2006-03-01 23:45:28.000000000 +0100 ++++ tcp_wrappers_7.6/scaffold.c 2006-03-01 22:56:13.000000000 +0100 +@@ -17,6 +17,7 @@ static char sccs_id[] = "@(#) scaffold.c + #include + #include + #include ++#include + #include + #include + #include +diff -ruNp tcp_wrappers_7.6.orig/shell_cmd.c tcp_wrappers_7.6/shell_cmd.c +--- tcp_wrappers_7.6.orig/shell_cmd.c 1994-12-28 17:42:44.000000000 +0100 ++++ tcp_wrappers_7.6/shell_cmd.c 2006-03-01 22:55:30.000000000 +0100 +@@ -18,6 +18,7 @@ static char sccsid[] = "@(#) shell_cmd.c + #include + #include + #include ++#include + #include + #include + --- tcp-wrappers-7.6.dbs.orig/debian/patches/sig_fix +++ tcp-wrappers-7.6.dbs/debian/patches/sig_fix 
@@ -0,0 +1,44 @@ +* Fri May 6 2005 Thomas Woerner 7.6-39 +- fixed sig patch (#141110). Thanks to Nikita Shulga for the patch + +* Mon Feb 10 2003 Harald Hoyer 7.6-29 +- added security patch tcp_wrappers-7.6-sig.patch + +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2006-03-01 22:14:14.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.c 2006-03-01 22:14:11.000000000 +0100 +@@ -66,6 +66,7 @@ static char sep[] = ", \t\r\n"; + + #define YES 1 + #define NO 0 ++#define ERR -1 + + /* + * These variables are globally visible so that they can be redirected in +@@ -130,11 +131,11 @@ struct request_info *request; + verdict = setjmp(tcpd_buf); + if (verdict != 0) + return (verdict == AC_PERMIT); +- if (table_match(hosts_allow_table, request)) ++ if (table_match(hosts_allow_table, request) == YES) + return (YES); +- if (table_match(hosts_deny_table, request)) +- return (NO); +- return (YES); ++ if (table_match(hosts_deny_table, request) == NO) ++ return (YES); ++ return (NO); + } + + /* table_match - match table entries with (daemon, client) pair */ +@@ -178,8 +179,9 @@ struct request_info *request; + (void) fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("cannot open %s: %m", table); ++ match = ERR; + } +- if (match) { ++ if (match == YES) { + if (hosts_access_verbose > 1) + syslog(LOG_DEBUG, "matched: %s line %d", + tcpd_context.file, tcpd_context.line); --- tcp-wrappers-7.6.dbs.orig/debian/patches/expand_remote_port +++ tcp-wrappers-7.6.dbs/debian/patches/expand_remote_port 
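Review bot: In the `hosts_access` hunk, an `ERR` result from the allow table is handled exactly like `NO`: the code falls through to the deny table and returns `YES` when nothing there matches. If hosts.allow carries deny-type entries (possible when option processing is compiled in), an unreadable hosts.allow therefore still ends in access being granted; should failing closed be the intent for both tables, keep the result in a local and test it, e.g. `r = table_match(hosts_allow_table, request);`, `if (r == YES) return (YES);`, `if (r == ERR) return (NO);`. The three-valued return of `table_match` is not documented anywhere in the hunk; its header comment should state that `ERR` means the table could not be opened for a reason other than `ENOENT`. Both functions start outside their hunks.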
@@ -0,0 +1,71 @@ +diff -ruN tcp_wrappers_7.6.orig/eval.c tcp_wrappers_7.6/eval.c +--- tcp_wrappers_7.6.orig/eval.c 1995-01-30 19:51:46.000000000 +0100 ++++ tcp_wrappers_7.6/eval.c 2004-11-04 13:59:01.000000000 +0100 +@@ -98,6 +98,28 @@ + } + } + ++/* eval_port - return string with the port */ ++char *eval_port(saddr) ++#ifdef INET6 ++struct sockaddr *saddr; ++#else ++struct sockaddr_in *saddr; ++#endif ++{ ++ static char port[16]; ++ if (saddr != 0) { ++ sprintf(port, "%u", ++#ifdef INET6 ++ ntohs(((struct sockaddr_in *)saddr)->sin_port)); ++#else ++ ntohs(saddr->sin_port)); ++#endif ++ } else { ++ strcpy(port, "0"); ++ } ++ return (port); ++} ++ + /* eval_client - return string with as much about the client as we know */ + + char *eval_client(request) +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2004-11-04 13:17:45.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.5 2004-11-04 13:55:32.000000000 +0100 +@@ -175,6 +175,8 @@ + unavailable. + .IP "%n (%N)" + The client (server) host name (or "unknown" or "paranoid"). ++.IP "%r (%R)" ++The clients (servers) port number (or "0"). + .IP %p + The daemon process id. + .IP %s +diff -ruN tcp_wrappers_7.6.orig/percent_x.c tcp_wrappers_7.6/percent_x.c +--- tcp_wrappers_7.6.orig/percent_x.c 1994-12-28 17:42:38.000000000 +0100 ++++ tcp_wrappers_7.6/percent_x.c 2004-11-04 13:19:29.000000000 +0100 +@@ -63,6 +63,8 @@ + ch == 'n' ? eval_hostname(request->client) : + ch == 'N' ? eval_hostname(request->server) : + ch == 'p' ? eval_pid(request) : ++ ch == 'r' ? eval_port(request->client->sin) : ++ ch == 'R' ? eval_port(request->server->sin) : + ch == 's' ? eval_server(request) : + ch == 'u' ? eval_user(request) : + ch == '%' ? 
"%" : (tcpd_warn("unrecognized %%%c", ch), ""); +diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h +--- tcp_wrappers_7.6.orig/tcpd.h 2004-11-04 13:17:45.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.h 2004-11-04 13:19:13.000000000 +0100 +@@ -145,6 +145,11 @@ + extern char *eval_hostinfo(struct host_info *); /* host name or address */ + extern char *eval_client(struct request_info *);/* whatever is available */ + extern char *eval_server(struct request_info *);/* whatever is available */ ++#ifdef INET6 ++extern char *eval_port(struct sockaddr *); ++#else ++extern char *eval_port(struct sockaddr_in *); ++#endif + #define eval_daemon(r) ((r)->daemon) /* daemon process name */ + #define eval_pid(r) ((r)->pid) /* process id */ + --- tcp-wrappers-7.6.dbs.orig/debian/patches/12_makefile_config +++ tcp-wrappers-7.6.dbs/debian/patches/12_makefile_config 
@@ -0,0 +1,81 @@ +diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile +--- tcp_wrappers_7.6.orig/Makefile 2003-08-21 01:43:39.000000000 +0200 ++++ tcp_wrappers_7.6/Makefile 2003-08-21 01:43:35.000000000 +0200 +@@ -45,7 +45,7 @@ + # + # SysV.4 Solaris 2.x OSF AIX + #REAL_DAEMON_DIR=/usr/sbin +-# ++REAL_DAEMON_DIR=/usr/sbin + # BSD 4.4 + #REAL_DAEMON_DIR=/usr/libexec + # +@@ -512,6 +519,7 @@ + # (examples: allow, deny, banners, twist and spawn). + # + #STYLE = -DPROCESS_OPTIONS # Enable language extensions. ++STYLE = "-DPROCESS_OPTIONS -DACLEXEC" + + ################################################################ + # Optional: Changing the default disposition of logfile records +@@ -535,6 +543,7 @@ + # The LOG_XXX names below are taken from the /usr/include/syslog.h file. + + FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use ++FACILITY= LOG_DAEMON + + # The syslog priority at which successful connections are logged. + +@@ -631,6 +640,7 @@ + # lookups altogether, see the next section. + + PARANOID= -DPARANOID ++PARANOID= + + ######################################## + # Optional: turning off hostname lookups +@@ -644,6 +654,7 @@ + # mode (see previous section) and comment out the following definition. + + HOSTNAME= -DALWAYS_HOSTNAME ++HOSTNAME= + + ############################################# + # Optional: Turning on host ADDRESS checking +@@ -670,6 +681,7 @@ + # Solaris 2.x, and Linux. See your system documentation for details. + # + # KILL_OPT= -DKILL_IP_OPTIONS ++KILL_OPT= -DKILL_IP_OPTIONS + + ## End configuration options + ############################ +@@ -677,9 +689,10 @@ + # Protection against weird shells or weird make programs. 
+ + SHELL = /bin/sh +-.c.o:; $(CC) $(CFLAGS) -c $*.c ++.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c + +-CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ ++COPTS = -O2 -g ++CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ + $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ + -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ + -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ +@@ -712,10 +725,11 @@ + + config-check: + @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } +- @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ +- if cmp cflags /tmp/cflags.$$$$ ; \ +- then rm /tmp/cflags.$$$$ ; \ +- else mv /tmp/cflags.$$$$ cflags ; \ ++ @set +e; echo $(CFLAGS) >cflags.new ; \ ++ if cmp cflags cflags.new ; \ ++ then rm cflags.new ; \ ++ else mv cflags.new cflags ; \ + fi >/dev/null 2>/dev/null ++ @if [ ! -d shared ]; then mkdir shared; fi + + $(LIB): $(LIB_OBJ) --- tcp-wrappers-7.6.dbs.orig/debian/patches/05_wildcard_matching +++ tcp-wrappers-7.6.dbs/debian/patches/05_wildcard_matching 
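Review bot: The empty `PARANOID=` added after the stock `PARANOID= -DPARANOID` line turns off the compiled-in handling of clients whose host name and address disagree, and the Makefile does not record why. With this setting such clients are only caught when the access rules use the PARANOID wildcard themselves, so put a comment next to the assignment, for example `# name/address mismatches are left to the PARANOID wildcard in hosts.allow/hosts.deny`. The same goes for the second `FACILITY=` and the empty `HOSTNAME=`: they take effect only because a later assignment overrides the stock line directly above, and commenting out the stock line, as the file already does for its other alternatives, would make the effective value obvious to someone auditing the build.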
@@ -0,0 +1,103 @@ +See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 + +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 +@@ -89,6 +89,10 @@ + bitwise AND of the address and the `mask\'. For example, the net/mask + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. ++.IP \(bu ++Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This ++method of matching cannot be used in conjunction with `net/mask\' matching, ++hostname matching beginning with `.\' or IP address matching ending with `.\'. + .SH WILDCARDS + The access control language supports explicit wildcards: + .IP ALL +diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 +@@ -289,6 +289,11 @@ + { + int n; + ++#ifndef DISABLE_WILDCARD_MATCHING ++ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ ++ return (match_pattern_ylo(string,tok)); ++ } else ++#endif + if (tok[0] == '.') { /* suffix */ + n = strlen(string) - strlen(tok); + return (n > 0 && STR_EQ(tok, string + n)); +@@ -329,3 +334,71 @@ + } + return ((addr & mask) == net); + } ++ ++#ifndef DISABLE_WILDCARD_MATCHING ++/* Note: this feature has been adapted in a pretty straightforward way ++ from Tatu Ylonen's last SSH version under free license by ++ Pekka Savola . ++ ++ Copyright (c) 1995 Tatu Ylonen , Espoo, Finland ++*/ ++ ++/* Returns true if the given string matches the pattern (which may contain ++ ? and * as wildcards), and zero if it does not match. 
*/ ++ ++int match_pattern_ylo(const char *s, const char *pattern) ++{ ++ while (1) ++ { ++ /* If at end of pattern, accept if also at end of string. */ ++ if (!*pattern) ++ return !*s; ++ ++ /* Process '*'. */ ++ if (*pattern == '*') ++ { ++ /* Skip the asterisk. */ ++ pattern++; ++ ++ /* If at end of pattern, accept immediately. */ ++ if (!*pattern) ++ return 1; ++ ++ /* If next character in pattern is known, optimize. */ ++ if (*pattern != '?' && *pattern != '*') ++ { ++ /* Look instances of the next character in pattern, and try ++ to match starting from those. */ ++ for (; *s; s++) ++ if (*s == *pattern && ++ match_pattern_ylo(s + 1, pattern + 1)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* Move ahead one character at a time and try to match at each ++ position. */ ++ for (; *s; s++) ++ if (match_pattern_ylo(s, pattern)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* There must be at least one more character in the string. If we are ++ at the end, fail. */ ++ if (!*s) ++ return 0; ++ ++ /* Check if the next character of the string is acceptable. */ ++ if (*pattern != '?' && *pattern != *s) ++ return 0; ++ ++ /* Move to the next character, both in string and in pattern. */ ++ s++; ++ pattern++; ++ } ++ /*NOTREACHED*/ ++} ++#endif /* DISABLE_WILDCARD_MATCHING */ --- tcp-wrappers-7.6.dbs.orig/debian/patches/11_tcpd_blacklist +++ tcp-wrappers-7.6.dbs/debian/patches/11_tcpd_blacklist 
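Review bot: `match_pattern_ylo` compares characters with `*pattern != *s` and `*s == *pattern`, i.e. case-sensitively, while the suffix branch just below the new `#ifndef` in `string_match` goes through `STR_EQ`, which in this code base is, as far as I know, a case-insensitive comparison. A wildcard pattern in hosts.deny that differs in case from the name returned by DNS would then fail to match and the client would be let through; comparing `tolower((unsigned char) *pattern)` with `tolower((unsigned char) *s)` in both places, or at least documenting the case sensitivity in the hosts_access.5 paragraph, avoids that surprise. The recursion on `*` retries at every candidate position, so a pattern with several `*` costs far more than linear time on a long client-supplied name; a comment stating what bounds the string length would help reviewers judge that. `string_match` begins outside the hunk.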
@@ -0,0 +1,151 @@ +Path: news.porcupine.org!news.porcupine.org!not-for-mail +From: Wietse Venema +Newsgroups: comp.mail.sendmail,comp.security.unix +Subject: TCP Wrapper Blacklist Extension +Followup-To: poster +Date: 8 Sep 1997 18:53:13 -0400 +Organization: Wietse's hangout while on sabattical in the USA +Lines: 147 +Sender: wietse@spike.porcupine.org +Message-ID: <5v1vkp$h4f$1@spike.porcupine.org> +NNTP-Posting-Host: spike.porcupine.org +Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158 + +The patch below adds a new host pattern to the TCP Wrapper access +control language. Instead of a host name or address pattern, you +can specify an external /file/name with host name or address +patterns. The feature can be used recursively. + +The /file/name extension makes it easy to blacklist bad sites, for +example, to block unwanted electronic mail when libwrap is linked +into sendmail. Adding hosts to a simple text file is much easier +than having to edit a more complex hosts.allow/deny file. + +I developed this a year or so ago as a substitute for NIS netgroups. +At that time, I did not consider it of sufficient interest for +inclusion in the TCP Wrapper distribution. How times have changed. + +The patch is relative to TCP Wrappers version 7.6. The main archive +site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz + +Thanks to the Debian LINUX folks for expressing their interest in +this patch. + + Wietse + + +[diff updated by Md] + +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200 +@@ -97,6 +97,13 @@ + `[3ffe:505:2:1::]/64\' matches every address in the range + `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. + .IP \(bu ++A string that begins with a `/\' character is treated as a file ++name. 
A host name or address is matched if it matches any host name ++or address pattern listed in the named file. The file format is ++zero or more lines with zero or more host name or address patterns ++separated by whitespace. A file name pattern can be used anywhere ++a host name or address pattern can be used. ++.IP \(bu + Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This + method of matching cannot be used in conjunction with `net/mask\' matching, + hostname matching beginning with `.\' or IP address matching ending with `.\'. +diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200 +@@ -253,6 +253,26 @@ + } + } + ++/* hostfile_match - look up host patterns from file */ ++ ++static int hostfile_match(path, host) ++char *path; ++struct hosts_info *host; ++{ ++ char tok[BUFSIZ]; ++ int match = NO; ++ FILE *fp; ++ ++ if ((fp = fopen(path, "r")) != 0) { ++ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) ++ /* void */ ; ++ fclose(fp); ++ } else if (errno != ENOENT) { ++ tcpd_warn("open %s: %m", path); ++ } ++ return (match); ++} ++ + /* host_match - match host name and/or address against pattern */ + + static int host_match(tok, host) +@@ -280,6 +300,8 @@ + tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ + return (NO); + #endif ++ } else if (tok[0] == '/') { /* /file hack */ ++ return (hostfile_match(tok, host)); + } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ + char *name = eval_hostname(host); + return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); +diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c +--- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200 ++++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200 +@@ -353,6 +353,8 @@ + { + if (pat[0] == 
'@') { + tcpd_warn("%s: daemon name begins with \"@\"", pat); ++ } else if (pat[0] == '/') { ++ tcpd_warn("%s: daemon name begins with \"/\"", pat); + } else if (pat[0] == '.') { + tcpd_warn("%s: daemon name begins with dot", pat); + } else if (pat[strlen(pat) - 1] == '.') { +@@ -385,6 +387,8 @@ + { + if (pat[0] == '@') { /* @netgroup */ + tcpd_warn("%s: user name begins with \"@\"", pat); ++ } else if (pat[0] == '/') { ++ tcpd_warn("%s: user name begins with \"/\"", pat); + } else if (pat[0] == '.') { + tcpd_warn("%s: user name begins with dot", pat); + } else if (pat[strlen(pat) - 1] == '.') { +@@ -430,8 +434,13 @@ + static int check_host(pat) + char *pat; + { ++ char buf[BUFSIZ]; + char *mask; + int addr_count = 1; ++ FILE *fp; ++ struct tcpd_context saved_context; ++ char *cp; ++ char *wsp = " \t\r\n"; + + if (pat[0] == '@') { /* @netgroup */ + #ifdef NO_NETGRENT +@@ -450,6 +459,21 @@ + tcpd_warn("netgroup support disabled"); + #endif + #endif ++ } else if (pat[0] == '/') { /* /path/name */ ++ if ((fp = fopen(pat, "r")) != 0) { ++ saved_context = tcpd_context; ++ tcpd_context.file = pat; ++ tcpd_context.line = 0; ++ while (fgets(buf, sizeof(buf), fp)) { ++ tcpd_context.line++; ++ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) ++ check_host(cp); ++ } ++ tcpd_context = saved_context; ++ fclose(fp); ++ } else if (errno != ENOENT) { ++ tcpd_warn("open %s: %m", pat); ++ } + } else if (mask = split_at(pat, '/')) { /* network/netmask */ + #ifdef INET6 + int mask_len; --- tcp-wrappers-7.6.dbs.orig/debian/patches/aclexec +++ tcp-wrappers-7.6.dbs/debian/patches/aclexec 
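Review bot: `hostfile_match` reads tokens with `fscanf(fp, "%s", tok)` into `char tok[BUFSIZ]` without a field width, so a token in the pattern file that is longer than the buffer overruns it on the stack; these files are likely to be produced by scripts, so the length needs a bound. A small change is to build the format once with `char fmt[16];` and `sprintf(fmt, "%%%ds", (int) sizeof(tok) - 1);` and then call `fscanf(fp, fmt, tok)`. The manual text says file patterns may be nested, but nothing limits the depth: a file that names itself recurses through `host_match` until descriptors or stack run out, so a depth counter with a `tcpd_warn` is worth adding here and in the `check_host` hunk of tcpdchk.c. An unreadable file (any `errno` other than `ENOENT`) only warns and yields `NO`, which for a deny list means the listed hosts are accepted; consider whether that case should fail closed.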
@@ -0,0 +1,137 @@ +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2006-03-01 19:25:45.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.c 2006-03-01 19:23:58.000000000 +0100 +@@ -82,6 +82,9 @@ int hosts_access_verbose = 0; + */ + + int resident = (-1); /* -1, 0: unknown; +1: yes */ ++#ifdef ACLEXEC ++int aclexec_matched = 0; ++#endif + + /* Forward declarations. */ + +@@ -185,6 +188,12 @@ struct request_info *request; + if (sh_cmd) { + #ifdef PROCESS_OPTIONS + process_options(sh_cmd, request); ++# ifdef ACLEXEC ++ if (aclexec_matched) { ++ syslog(LOG_INFO, "aclexec returned %d", aclexec_matched); ++ match = NO; ++ } ++# endif + #else + char cmd[BUFSIZ]; + shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request)); +diff -ruNp tcp_wrappers_7.6.orig/options.c tcp_wrappers_7.6/options.c +--- tcp_wrappers_7.6.orig/options.c 1996-02-11 17:01:32.000000000 +0100 ++++ tcp_wrappers_7.6/options.c 2006-03-01 19:24:25.000000000 +0100 +@@ -47,6 +47,7 @@ static char sccsid[] = "@(#) options.c 1 + #include + #include + #include ++#include + + #ifndef MAXPATHNAMELEN + #define MAXPATHNAMELEN BUFSIZ +@@ -76,6 +77,7 @@ static void group_option(); /* execute + static void umask_option(); /* execute "umask mask" option */ + static void linger_option(); /* execute "linger time" option */ + static void keepalive_option(); /* execute "keepalive" option */ ++static void aclexec_option(); /* execute "aclexec command" option */ + static void spawn_option(); /* execute "spawn command" option */ + static void twist_option(); /* execute "twist command" option */ + static void rfc931_option(); /* execute "rfc931" option */ +@@ -113,6 +115,9 @@ static struct option option_table[] = { + "umask", umask_option, NEED_ARG, + "linger", linger_option, NEED_ARG, + "keepalive", keepalive_option, 0, ++#ifdef ACLEXEC ++ "aclexec", aclexec_option, NEED_ARG | EXPAND_ARG, ++#endif + "spawn", spawn_option, NEED_ARG | EXPAND_ARG, + "twist", 
twist_option, NEED_ARG | EXPAND_ARG | USE_LAST, + "rfc931", rfc931_option, OPT_ARG, +@@ -310,6 +315,54 @@ struct request_info *request; + shell_cmd(value); + } + ++#ifdef ACLEXEC ++/* aclexec_option - spawn a shell command and check status */ ++ ++/* ARGSUSED */ ++ ++static void aclexec_option(value, request) ++char *value; ++struct request_info *request; ++{ ++ int status, child_pid, wait_pid; ++ extern int aclexec_matched; ++ ++ if (dry_run != 0) ++ return; ++ ++ child_pid = fork(); ++ ++ /* Something went wrong: we MUST terminate the process. */ ++ if (child_pid < 0) { ++ tcpd_warn("aclexec_option: /bin/sh: %m"); ++ clean_exit(request); ++ } ++ ++ if (child_pid == 0) { ++ execl("/bin/sh", "sh", "-c", value, (char *) 0); ++ ++ /* Something went wrong. We MUST terminate the child process. */ ++ tcpd_warn("execl /bin/sh: %m"); ++ _exit(0); ++ } ++ ++ while ((wait_pid = wait(&status)) != -1 && wait_pid != child_pid) ++ /* void */ ; ++ ++ aclexec_matched = 1; ++ ++ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { ++ aclexec_matched = 0; ++ } ++ ++ if (WIFSIGNALED(status)) ++ tcpd_warn("process %d exited with signal %d", child_pid, ++ WTERMSIG(status)); ++ ++ return; ++} ++#endif ++ + /* linger_option - set the socket linger time (Marc Boucher ) */ + + /* ARGSUSED */ +diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 +--- tcp_wrappers_7.6.orig/hosts_options.5 2006-03-01 21:48:43.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_options.5 2006-03-01 21:47:39.000000000 +0100 +@@ -52,6 +52,23 @@ ALL: ALL: ALLOW + .sp + Notice the leading dot on the domain name patterns. + .SH RUNNING OTHER COMMANDS ++.IP "aclexec shell_command" ++Execute, in a child process, the specified shell command, after ++performing the % expansions described in the hosts_access(5) ++manual page. The command is executed with stdin, stdout and stderr ++connected to the null device, so that it won't mess up the ++conversation with the client host. 
Example: ++.sp ++.nf ++.ti +3 ++smtp : ALL : aclexec checkdnsbl %a ++.fi ++.sp ++executes, in a background child process, the shell command "checkdnsbl %a" ++after replacing %a by the address of the remote host. ++.sp ++The connection will be allowed or refused depending on whether the ++command returns a true or false exit status. + .IP "spawn shell_command" + Execute, in a child process, the specified shell command, after + performing the % expansions described in the hosts_access(5) --- tcp-wrappers-7.6.dbs.orig/debian/patches/size_t +++ tcp-wrappers-7.6.dbs/debian/patches/size_t @@ -0,0 +1,42 @@ +diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c +--- tcp_wrappers_7.6.orig/fix_options.c 2003-08-21 03:41:33.000000000 +0200 ++++ tcp_wrappers_7.6/fix_options.c 2003-08-21 03:41:27.000000000 +0200 +@@ -38,7 +38,11 @@ + #ifdef IP_OPTIONS + unsigned char optbuf[BUFFER_SIZE / 3], *cp; + char lbuf[BUFFER_SIZE], *lp; ++#ifdef __GLIBC__ ++ size_t optsize = sizeof(optbuf), ipproto; ++#else + int optsize = sizeof(optbuf), ipproto; ++#endif + struct protoent *ip; + int fd = request->fd; + unsigned int opt; +diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c +--- tcp_wrappers_7.6.orig/socket.c 2003-08-21 03:41:33.000000000 +0200 ++++ tcp_wrappers_7.6/socket.c 2003-08-21 03:40:51.000000000 +0200 +@@ -90,7 +90,11 @@ + static struct sockaddr_in client; + static struct sockaddr_in server; + #endif ++#ifdef __GLIBC__ ++ size_t len; ++#else + int len; ++#endif + char buf[BUFSIZ]; + int fd = request->fd; + +@@ -421,7 +425,11 @@ + #else + struct sockaddr_in sin; + #endif ++#ifdef __GLIBC__ ++ size_t size = sizeof(sin); ++#else + int size = sizeof(sin); ++#endif + + /* + * Eat up the not-yet received datagram. Some systems insist on a --- tcp-wrappers-7.6.dbs.orig/debian/patches/10_usagi-ipv6 +++ tcp-wrappers-7.6.dbs/debian/patches/10_usagi-ipv6 
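Review bot: In `aclexec_option` the child calls `_exit(0)` when `execl("/bin/sh", ...)` fails, and the parent treats exit status 0 as a passed check (`aclexec_matched = 0`), so a failure to start the command lets the connection through; `_exit(127);` makes that path fail closed. `status` is read after the `wait` loop even when `wait` returned -1, so it should be initialised (`int status = -1, child_pid, wait_pid;`) and the `WIFEXITED`/`WIFSIGNALED` tests made only when `wait_pid == child_pid`. The hosts_options.5 text added by this patch says the command runs with stdin, stdout and stderr connected to the null device and in the background, but the function neither redirects the descriptors nor returns before the child finishes, so either the code or the manual text should change.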
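Review bot: Under `__GLIBC__` the length variables in the size_t patch (`optsize` in fix_options.c, `len` and `size` in socket.c) become `size_t`, but they are presumably passed by address to socket calls that expect a `socklen_t *`; where `size_t` is 8 bytes and `socklen_t` is 4 the call reads and writes only part of the variable, which gives wrong lengths on big-endian 64-bit targets. Declaring them `socklen_t`, as the fix_warnings patch on this page does for `sslen`, removes the need for the `#ifdef` altogether. In fix_options.c the changed declaration also turns `ipproto` into a `size_t`, which looks unintended; keep it as `int ipproto;` on its own line. All three declarations sit in functions that start and end outside their hunks.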
@@ -0,0 +1,1253 @@
+diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
+--- tcp_wrappers_7.6.orig/fix_options.c 1997-04-08 02:29:19.000000000 +0200
++++ tcp_wrappers_7.6/fix_options.c 2004-04-10 19:07:43.000000000 +0200
+@@ -11,6 +11,9 @@
+
+ #include
+ #include
++#ifdef INET6
++#include
++#endif
+ #include
+ #include
+ #include
+@@ -41,6 +44,22 @@
+ unsigned int opt;
+ int optlen;
+ struct in_addr dummy;
++#ifdef INET6
++ struct sockaddr_storage ss;
++ int sslen;
++
++ /*
++ * check if this is AF_INET socket
++ * XXX IPv6 support?
++ */
++ sslen = sizeof(ss);
++ if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
++ syslog(LOG_ERR, "getpeername: %m");
++ clean_exit(request);
++ }
++ if (ss.ss_family != AF_INET)
++ return;
++#endif
+
+ if ((ip = getprotobyname("ip")) != 0)
+ ipproto = ip->p_proto;
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:22:58.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:07:43.000000000 +0200
+@@ -85,11 +85,18 @@
+ for daemon process names or for client user names.
+ .IP \(bu
+ An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+-`net/mask\' pair. A host address is matched if `net\' is equal to the
++`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
+ .IP \(bu
++An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
++`[net]/prefixlen\' pair. An IPv6 host address is matched if
++`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
++address. For example, the [net]/prefixlen pattern
++`[3ffe:505:2:1::]/64\' matches every address in the range
++`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
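Review bot: The error path after `getsockname()` in the fix_options.c hunk logs `"getpeername: %m"`, so a failure is reported under the wrong call; the line should read `syslog(LOG_ERR, "getsockname: %m");`. `sslen` is declared `int` where the call expects a `socklen_t *`. The early `return` for any family other than `AF_INET` means the option check that follows is skipped for IPv6 sockets, which the `XXX IPv6 support?` comment leaves open; a comment stating plainly that IPv6 connections are not examined here would make that gap visible to anyone relying on this check. The rest of the function is outside the hunk.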
++.IP \(bu + Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This + method of matching cannot be used in conjunction with `net/mask\' matching, + hostname matching beginning with `.\' or IP address matching ending with `.\'. +diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:22:58.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:07:43.000000000 +0200 +@@ -24,7 +24,13 @@ + /* System libraries. */ + + #include ++#ifdef INT32_T ++ typedef uint32_t u_int32_t; ++#endif + #include ++#ifdef INET6 ++#include ++#endif + #include + #include + #include +@@ -33,6 +39,9 @@ + #include + #include + #include ++#ifdef INET6 ++#include ++#endif + + extern char *fgets(); + extern int errno; +@@ -82,6 +91,10 @@ + static int host_match(); + static int string_match(); + static int masked_match(); ++#ifdef INET6 ++static int masked_match4(); ++static int masked_match6(); ++#endif + + /* Size of logical line buffer. */ + +@@ -289,6 +302,13 @@ + { + int n; + ++#ifdef INET6 ++ /* convert IPv4 mapped IPv6 address to IPv4 address */ ++ if (STRN_EQ(string, "::ffff:", 7) ++ && dot_quad_addr(string + 7) != INADDR_NONE) { ++ string += 7; ++ } ++#endif + #ifndef DISABLE_WILDCARD_MATCHING + if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' 
*/ + return (match_pattern_ylo(string,tok)); +@@ -304,20 +324,72 @@ + } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ + return (STRN_EQ(tok, string, n)); + } else { /* exact match */ ++#ifdef INET6 ++ struct addrinfo hints, *res; ++ struct sockaddr_in6 pat, addr; ++ int len, ret; ++ char ch; ++ ++ len = strlen(tok); ++ if (*tok == '[' && tok[len - 1] == ']') { ++ ch = tok[len - 1]; ++ tok[len - 1] = '\0'; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_INET6; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) { ++ memcpy(&pat, res->ai_addr, sizeof(pat)); ++ freeaddrinfo(res); ++ } ++ tok[len - 1] = ch; ++ if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0) ++ return NO; ++ memcpy(&addr, res->ai_addr, sizeof(addr)); ++ freeaddrinfo(res); ++#ifdef NI_WITHSCOPEID ++ if (pat.sin6_scope_id != 0 && ++ addr.sin6_scope_id != pat.sin6_scope_id) ++ return NO; ++#endif ++ return (!memcmp(&pat.sin6_addr, &addr.sin6_addr, ++ sizeof(struct in6_addr))); ++ return (ret); ++ } ++#endif + return (STR_EQ(tok, string)); + } + } + + /* masked_match - match address against netnumber/netmask */ + ++#ifdef INET6 + static int masked_match(net_tok, mask_tok, string) + char *net_tok; + char *mask_tok; + char *string; + { ++ return (masked_match4(net_tok, mask_tok, string) || ++ masked_match6(net_tok, mask_tok, string)); ++} ++ ++static int masked_match4(net_tok, mask_tok, string) ++#else ++static int masked_match(net_tok, mask_tok, string) ++#endif ++char *net_tok; ++char *mask_tok; ++char *string; ++{ ++#ifdef INET6 ++ u_int32_t net; ++ u_int32_t mask; ++ u_int32_t addr; ++#else + unsigned long net; + unsigned long mask; + unsigned long addr; ++#endif + + /* + * Disallow forms other than dotted quad: the treatment that inet_addr() +@@ -329,12 +401,78 @@ + return (NO); + if ((net = dot_quad_addr(net_tok)) == INADDR_NONE + || (mask = dot_quad_addr(mask_tok)) == 
INADDR_NONE) { ++#ifndef INET6 + tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); ++#endif + return (NO); /* not tcpd_jump() */ + } + return ((addr & mask) == net); + } + ++#ifdef INET6 ++static int masked_match6(net_tok, mask_tok, string) ++char *net_tok; ++char *mask_tok; ++char *string; ++{ ++ struct addrinfo hints, *res; ++ struct sockaddr_in6 net, addr; ++ u_int32_t mask; ++ int len, mask_len, i = 0; ++ char ch; ++ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_INET6; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ if (getaddrinfo(string, NULL, &hints, &res) != 0) ++ return NO; ++ memcpy(&addr, res->ai_addr, sizeof(addr)); ++ freeaddrinfo(res); ++ ++ if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { ++ if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE ++ || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) ++ return (NO); ++ return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); ++ } ++ ++ /* match IPv6 address against netnumber/prefixlen */ ++ len = strlen(net_tok); ++ if (*net_tok != '[' || net_tok[len - 1] != ']') ++ return NO; ++ ch = net_tok[len - 1]; ++ net_tok[len - 1] = '\0'; ++ if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) { ++ net_tok[len - 1] = ch; ++ return NO; ++ } ++ memcpy(&net, res->ai_addr, sizeof(net)); ++ freeaddrinfo(res); ++ net_tok[len - 1] = ch; ++ if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) ++ return NO; ++ ++#ifdef NI_WITHSCOPEID ++ if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id) ++ return NO; ++#endif ++ while (mask_len > 0) { ++ if (mask_len < 32) { ++ mask = htonl(~(0xffffffff >> mask_len)); ++ if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask)) ++ return NO; ++ break; ++ } ++ if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i]) ++ return NO; ++ i += 4; 
++ mask_len -= 32; ++ } ++ return YES; ++} ++#endif /* INET6 */ ++ + #ifndef DISABLE_WILDCARD_MATCHING + /* Note: this feature has been adapted in a pretty straightforward way + from Tatu Ylonen's last SSH version under free license by +diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile +--- tcp_wrappers_7.6.orig/Makefile 1997-03-21 19:27:21.000000000 +0100 ++++ tcp_wrappers_7.6/Makefile 2004-04-10 19:22:44.000000000 +0200 +@@ -21,7 +21,7 @@ + @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" + @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" + @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" +- @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" ++ @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" + @echo " uts215 uxp" + @echo + @echo "If none of these match your environment, edit the system" +@@ -131,20 +131,34 @@ + NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all + + # Freebsd and linux by default have no NIS. 
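Review bot: In `masked_match6` the prefix length is parsed with `atoi(mask_tok)`, which returns 0 for non-numeric text, and a length of 0 skips the comparison loop and returns `YES`; a rule such as `[net]/x` (constructed example) would therefore match every IPv6 address instead of being rejected. Parse it strictly, for example `char *end; long v = strtol(mask_tok, &end, 10);` followed by `if (end == mask_tok || *end != '\0' || v < 0 || v > 128) return NO;` (this needs `<stdlib.h>` if the file does not already include it). Because the `tcpd_warn` in `masked_match4` is compiled out under `INET6` and `masked_match6` never warns, a malformed pattern now fails without a log line; a `tcpd_warn` on the paths where a bracketed net or its prefix length fails to parse would restore that. The `check_host` hunk in tcpdchk.c validates the prefix with the same `atoi` test, so the checker would not flag such a rule either.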
+-386bsd netbsd bsdos: ++386bsd bsdos: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ + EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all + + freebsd: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ ++ LIBS="-L/usr/local/v6/lib -linet6" \ + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ +- EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \ ++ VSYSLOG= all ++ ++netbsd: ++ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ ++ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all + + linux: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ +- LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ +- NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all ++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ ++ NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all ++ ++gnu: ++ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ ++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ ++ NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ ++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all + + # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. 
+ hpux hpux8 hpux9 hpux10: +@@ -196,6 +210,13 @@ + NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ + BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all + ++# SunOS 5.8 is another SYSV4 variant, but has IPv6 support ++solaris8: ++ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ ++ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \ ++ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ ++ EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all ++ + # Generic SYSV40 + esix sysv4: + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ +diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c +--- tcp_wrappers_7.6.orig/misc.c 1996-02-11 17:01:30.000000000 +0100 ++++ tcp_wrappers_7.6/misc.c 2004-04-10 19:07:43.000000000 +0200 +@@ -58,9 +58,31 @@ + { + char *cp; + ++#ifdef INET6 ++ int bracket = 0; ++ ++ for (cp = string; cp && *cp; cp++) { ++ switch (*cp) { ++ case '[': ++ bracket++; ++ break; ++ case ']': ++ bracket--; ++ break; ++ default: ++ if (bracket == 0 && *cp == delimiter) { ++ *cp++ = 0; ++ return cp; ++ } ++ break; ++ } ++ } ++ return (NULL); ++#else + if ((cp = strchr(string, delimiter)) != 0) + *cp++ = 0; + return (cp); ++#endif + } + + /* dot_quad_addr - convert dotted quad to internal form */ +diff -ruN tcp_wrappers_7.6.orig/refuse.c tcp_wrappers_7.6/refuse.c +--- tcp_wrappers_7.6.orig/refuse.c 1994-12-28 17:42:40.000000000 +0100 ++++ tcp_wrappers_7.6/refuse.c 2004-04-10 19:07:43.000000000 +0200 +@@ -25,7 +25,12 @@ + void refuse(request) + struct request_info *request; + { ++#ifdef INET6 ++ syslog(deny_severity, "refused connect from %s (%s)", ++ eval_client(request), eval_hostaddr(request->client)); ++#else + syslog(deny_severity, "refused connect from %s", eval_client(request)); ++#endif + clean_exit(request); + /* NOTREACHED */ + } +diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c +--- tcp_wrappers_7.6.orig/rfc931.c 1995-01-02 16:11:34.000000000 +0100 ++++ tcp_wrappers_7.6/rfc931.c 2004-04-10 19:07:43.000000000 
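Review bot: In the `freebsd` target the added `LIBS="-L/usr/local/v6/lib -linet6" \` is followed on the next line by the existing `LIBS= RANLIB=ranlib ...`, so the make command line sets `LIBS` twice and the later, empty assignment presumably wins, dropping `-linet6` from the link. Remove `LIBS=` from the second line so that only the new value is passed. The `linux` target also drops `-DBROKEN_SO_LINGER` and `AUX_OBJ=setenv.o` alongside the IPv6 flags; if that is intended it deserves a comment, since neither is related to INET6.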
+0200 +@@ -68,20 +68,50 @@ + /* rfc931 - return remote user name, given socket structures */ + + void rfc931(rmt_sin, our_sin, dest) ++#ifdef INET6 ++struct sockaddr *rmt_sin; ++struct sockaddr *our_sin; ++#else + struct sockaddr_in *rmt_sin; + struct sockaddr_in *our_sin; ++#endif + char *dest; + { + unsigned rmt_port; + unsigned our_port; ++#ifdef INET6 ++ struct sockaddr_storage rmt_query_sin; ++ struct sockaddr_storage our_query_sin; ++ int alen; ++#else + struct sockaddr_in rmt_query_sin; + struct sockaddr_in our_query_sin; ++#endif + char user[256]; /* XXX */ + char buffer[512]; /* XXX */ + char *cp; + char *result = unknown; + FILE *fp; + ++#ifdef INET6 ++ /* address family must be the same */ ++ if (rmt_sin->sa_family != our_sin->sa_family) { ++ STRN_CPY(dest, result, STRING_LENGTH); ++ return; ++ } ++ switch (our_sin->sa_family) { ++ case AF_INET: ++ alen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ alen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ STRN_CPY(dest, result, STRING_LENGTH); ++ return; ++ } ++#endif ++ + /* + * Use one unbuffered stdio stream for writing to and for reading from + * the RFC931 etc. server. This is done because of a bug in the SunOS +@@ -92,7 +122,11 @@ + * sockets. + */ + ++#ifdef INET6 ++ if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { ++#else + if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { ++#endif + setbuf(fp, (char *) 0); + + /* +@@ -112,6 +146,25 @@ + * addresses from the query socket. 
+ */ + ++#ifdef INET6 ++ memcpy(&our_query_sin, our_sin, alen); ++ memcpy(&rmt_query_sin, rmt_sin, alen); ++ switch (our_sin->sa_family) { ++ case AF_INET: ++ ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); ++ ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); ++ break; ++ case AF_INET6: ++ ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); ++ ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); ++ break; ++ } ++ ++ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, ++ alen) >= 0 && ++ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, ++ alen) >= 0) { ++#else + our_query_sin = *our_sin; + our_query_sin.sin_port = htons(ANY_PORT); + rmt_query_sin = *rmt_sin; +@@ -121,6 +174,7 @@ + sizeof(our_query_sin)) >= 0 && + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, + sizeof(rmt_query_sin)) >= 0) { ++#endif + + /* + * Send query to server. Neglect the risk that a 13-byte +@@ -129,8 +183,13 @@ + */ + + fprintf(fp, "%u,%u\r\n", ++#ifdef INET6 ++ ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), ++ ntohs(((struct sockaddr_in *)our_sin)->sin_port)); ++#else + ntohs(rmt_sin->sin_port), + ntohs(our_sin->sin_port)); ++#endif + fflush(fp); + + /* +@@ -144,8 +203,13 @@ + && ferror(fp) == 0 && feof(fp) == 0 + && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", + &rmt_port, &our_port, user) == 3 ++#ifdef INET6 ++ && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port ++ && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { ++#else + && ntohs(rmt_sin->sin_port) == rmt_port + && ntohs(our_sin->sin_port) == our_port) { ++#endif + + /* + * Strip trailing carriage return. 
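Review bot: The query line is built from `((struct sockaddr_in *)rmt_sin)->sin_port` even when the family switch earlier in the function selected `AF_INET6`, so for IPv6 peers the port is read through the wrong structure type and only works where `sin_port` and `sin6_port` sit at the same offset. The reply check in the following hunk (`@@ -144,8 +203,13 @@`) repeats the same casts. Reading both ports once in the existing `switch (our_sin->sa_family)` into two `unsigned` locals, with `sin6_port` in the `AF_INET6` case, and using those locals in the `fprintf` and in the comparison removes the layout assumption. The function body starts and ends outside this hunk.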
It is part of the +diff -ruN tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c +--- tcp_wrappers_7.6.orig/scaffold.c 1997-03-21 19:27:24.000000000 +0100 ++++ tcp_wrappers_7.6/scaffold.c 2004-04-10 19:07:43.000000000 +0200 +@@ -25,7 +25,9 @@ + #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ + #endif + ++#ifndef INET6 + extern char *malloc(); ++#endif + + /* Application-specific. */ + +@@ -39,6 +41,7 @@ + int deny_severity = LOG_WARNING; + int rfc931_timeout = RFC931_TIMEOUT; + ++#ifndef INET6 + /* dup_hostent - create hostent in one memory block */ + + static struct hostent *dup_hostent(hp) +@@ -73,9 +76,46 @@ + } + return (&hb->host); + } ++#endif + + /* find_inet_addr - find all addresses for this host, result to free() */ + ++#ifdef INET6 ++struct addrinfo *find_inet_addr(host) ++char *host; ++{ ++ struct addrinfo hints, *res; ++ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = PF_UNSPEC; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ if (getaddrinfo(host, NULL, &hints, &res) == 0) ++ return (res); ++ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = PF_UNSPEC; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_CANONNAME; ++ if (getaddrinfo(host, NULL, &hints, &res) != 0) { ++ tcpd_warn("%s: host not found", host); ++ return (0); ++ } ++ if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { ++ tcpd_warn("%d: not an internet host", res->ai_family); ++ freeaddrinfo(res); ++ return (0); ++ } ++ if (!res->ai_canonname) { ++ tcpd_warn("%s: hostname alias", host); ++ tcpd_warn("(cannot obtain official name)", res->ai_canonname); ++ } else if (STR_NE(host, res->ai_canonname)) { ++ tcpd_warn("%s: hostname alias", host); ++ tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); ++ } ++ return (res); ++} ++#else + struct hostent *find_inet_addr(host) + char *host; + { +@@ -118,6 +158,7 @@ + } + return (dup_hostent(hp)); + } ++#endif + + /* check_dns - 
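Review bot: `tcpd_warn("(cannot obtain official name)", res->ai_canonname);` passes an argument that the format string never consumes, and in that branch the argument is known to be NULL; drop it so the call reads `tcpd_warn("(cannot obtain official name)");`. The comment above the function still says `result to free()`, but the INET6 variant returns a `getaddrinfo` list that callers must release with `freeaddrinfo()`, as the check_dns hunk in this file does; the comment should say so. The family test looks only at the first entry of the list, which is worth a comment if later entries are assumed to be Internet addresses as well.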
give each address thorough workout, return address count */ + +@@ -125,8 +166,13 @@ + char *host; + { + struct request_info request; ++#ifdef INET6 ++ struct sockaddr_storage sin; ++ struct addrinfo *hp, *res; ++#else + struct sockaddr_in sin; + struct hostent *hp; ++#endif + int count; + char *addr; + +@@ -134,11 +180,18 @@ + return (0); + request_init(&request, RQ_CLIENT_SIN, &sin, 0); + sock_methods(&request); ++#ifndef INET6 + memset((char *) &sin, 0, sizeof(sin)); + sin.sin_family = AF_INET; ++#endif + ++#ifdef INET6 ++ for (res = hp, count = 0; res; res = res->ai_next, count++) { ++ memcpy(&sin, res->ai_addr, res->ai_addrlen); ++#else + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { + memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); ++#endif + + /* + * Force host name and address conversions. Use the request structure +@@ -151,7 +204,11 @@ + tcpd_warn("host address %s->name lookup failed", + eval_hostaddr(request.client)); + } ++#ifdef INET6 ++ freeaddrinfo(hp); ++#else + free((char *) hp); ++#endif + return (count); + } + +diff -ruN tcp_wrappers_7.6.orig/scaffold.h tcp_wrappers_7.6/scaffold.h +--- tcp_wrappers_7.6.orig/scaffold.h 1994-12-31 18:19:20.000000000 +0100 ++++ tcp_wrappers_7.6/scaffold.h 2004-04-10 19:07:43.000000000 +0200 +@@ -4,6 +4,10 @@ + * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 
+ */ + ++#ifdef INET6 ++extern struct addrinfo *find_inet_addr(); ++#else + extern struct hostent *find_inet_addr(); ++#endif + extern int check_dns(); + extern int check_path(); +diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c +--- tcp_wrappers_7.6.orig/socket.c 2004-04-10 19:22:58.000000000 +0200 ++++ tcp_wrappers_7.6/socket.c 2004-04-10 19:07:43.000000000 +0200 +@@ -24,13 +24,22 @@ + #include + #include + #include ++#ifdef INT32_T ++typedef uint32_t u_int32_t; ++#endif + #include + #include + #include + #include + #include + ++#ifdef INET6 ++#ifndef NI_WITHSCOPEID ++#define NI_WITHSCOPEID 0 ++#endif ++#else + extern char *inet_ntoa(); ++#endif + + /* Local stuff. */ + +@@ -79,8 +88,13 @@ + void sock_host(request) + struct request_info *request; + { ++#ifdef INET6 ++ static struct sockaddr_storage client; ++ static struct sockaddr_storage server; ++#else + static struct sockaddr_in client; + static struct sockaddr_in server; ++#endif + int len; + char buf[BUFSIZ]; + int fd = request->fd; +@@ -109,7 +123,11 @@ + memset(buf, 0 sizeof(buf)); + #endif + } ++#ifdef INET6 ++ request->client->sin = (struct sockaddr *)&client; ++#else + request->client->sin = &client; ++#endif + + /* + * Determine the server binding. This is used for client username +@@ -122,7 +140,11 @@ + tcpd_warn("getsockname: %m"); + return; + } ++#ifdef INET6 ++ request->server->sin = (struct sockaddr *)&server; ++#else + request->server->sin = &server; ++#endif + } + + /* sock_hostaddr - map endpoint address to printable form */ +@@ -130,10 +152,26 @@ + void sock_hostaddr(host) + struct host_info *host; + { ++#ifdef INET6 ++ struct sockaddr *sin = host->sin; ++ int salen; ++ ++ if (!sin) ++ return; ++#ifdef SIN6_LEN ++ salen = sin->sa_len; ++#else ++ salen = (sin->sa_family == AF_INET) ? 
sizeof(struct sockaddr_in) ++ : sizeof(struct sockaddr_in6); ++#endif ++ getnameinfo(sin, salen, host->addr, sizeof(host->addr), ++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); ++#else + struct sockaddr_in *sin = host->sin; + + if (sin != 0) + STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); ++#endif + } + + /* sock_hostname - map endpoint address to host name */ +@@ -141,6 +179,160 @@ + void sock_hostname(host) + struct host_info *host; + { ++#ifdef INET6 ++ struct sockaddr *sin = host->sin; ++ struct sockaddr_in sin4; ++ struct addrinfo hints, *res, *res0 = NULL; ++ int salen, alen, err = 1; ++ char *ap = NULL, *rap, hname[NI_MAXHOST]; ++ ++ if (sin != NULL) { ++ if (sin->sa_family == AF_INET6) { ++ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin; ++ ++ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { ++ memset(&sin4, 0, sizeof(sin4)); ++#ifdef SIN6_LEN ++ sin4.sin_len = sizeof(sin4); ++#endif ++ sin4.sin_family = AF_INET; ++ sin4.sin_port = sin6->sin6_port; ++ sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; ++ sin = (struct sockaddr *)&sin4; ++ } ++ } ++ switch (sin->sa_family) { ++ case AF_INET: ++ ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; ++ alen = sizeof(struct in_addr); ++ salen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; ++ alen = sizeof(struct in6_addr); ++ salen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ break; ++ } ++ if (ap) ++ err = getnameinfo(sin, salen, hname, sizeof(hname), ++ NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD); ++ } ++ if (!err) { ++ ++ STRN_CPY(host->name, hname, sizeof(host->name)); ++ ++ /* reject numeric addresses */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = sin->sa_family; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; ++ if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { ++ freeaddrinfo(res0); ++ res0 = NULL; ++ 
tcpd_warn("host name/name mismatch: " ++ "reverse lookup results in non-FQDN %s", ++ host->name); ++ strcpy(host->name, paranoid); /* name is bad, clobber it */ ++ } ++ err = !err; ++ } ++ if (!err) { ++ /* we are now sure that this is non-numeric */ ++ ++ /* ++ * Verify that the address is a member of the address list returned ++ * by gethostbyname(hostname). ++ * ++ * Verify also that gethostbyaddr() and gethostbyname() return the same ++ * hostname, or rshd and rlogind may still end up being spoofed. ++ * ++ * On some sites, gethostbyname("localhost") returns "localhost.domain". ++ * This is a DNS artefact. We treat it as a special case. When we ++ * can't believe the address list from gethostbyname("localhost") ++ * we're in big trouble anyway. ++ */ ++ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = sin->sa_family; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_CANONNAME; ++ if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) { ++ ++ /* ++ * Unable to verify that the host name matches the address. This ++ * may be a transient problem or a botched name server setup. ++ */ ++ ++ tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", ++ host->name, ++ (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); ++ ++ } else if ((res0->ai_canonname == NULL ++ || STR_NE(host->name, res0->ai_canonname)) ++ && STR_NE(host->name, "localhost")) { ++ ++ /* ++ * The gethostbyaddr() and gethostbyname() calls did not return ++ * the same hostname. This could be a nameserver configuration ++ * problem. It could also be that someone is trying to spoof us. ++ */ ++ ++ tcpd_warn("host name/name mismatch: %s != %.*s", ++ host->name, STRING_LENGTH, ++ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); ++ ++ } else { ++ ++ /* ++ * The address should be a member of the address list returned by ++ * gethostbyname(). 
We should first verify that the h_addrtype ++ * field is AF_INET, but this program has already caused too much ++ * grief on systems with broken library code. ++ */ ++ ++ for (res = res0; res; res = res->ai_next) { ++ if (res->ai_family != sin->sa_family) ++ continue; ++ switch (res->ai_family) { ++ case AF_INET: ++ rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr; ++ break; ++ case AF_INET6: ++ /* need to check scope_id */ ++ if (((struct sockaddr_in6 *)sin)->sin6_scope_id != ++ ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { ++ continue; ++ } ++ rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; ++ break; ++ default: ++ continue; ++ } ++ if (memcmp(rap, ap, alen) == 0) { ++ freeaddrinfo(res0); ++ return; /* name is good, keep it */ ++ } ++ } ++ ++ /* ++ * The host name does not map to the initial address. Perhaps ++ * someone has messed up. Perhaps someone compromised a name ++ * server. ++ */ ++ ++ getnameinfo(sin, salen, hname, sizeof(hname), ++ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); ++ tcpd_warn("host name/address mismatch: %s != %.*s", ++ hname, STRING_LENGTH, ++ (res0->ai_canonname == NULL) ? 
"" : res0->ai_canonname); ++ } ++ strcpy(host->name, paranoid); /* name is bad, clobber it */ ++ if (res0) ++ freeaddrinfo(res0); ++ } ++#else /* INET6 */ + struct sockaddr_in *sin = host->sin; + struct hostent *hp; + int i; +@@ -220,6 +412,7 @@ + } + strcpy(host->name, paranoid); /* name is bad, clobber it */ + } ++#endif /* INET6 */ + } + + /* sock_sink - absorb unreceived IP datagram */ +@@ -228,7 +421,11 @@ + int fd; + { + char buf[BUFSIZ]; ++#ifdef INET6 ++ struct sockaddr_storage sin; ++#else + struct sockaddr_in sin; ++#endif + int size = sizeof(sin); + + /* +diff -ruN tcp_wrappers_7.6.orig/tcpd.c tcp_wrappers_7.6/tcpd.c +--- tcp_wrappers_7.6.orig/tcpd.c 1996-02-11 17:01:33.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.c 2004-04-10 19:07:43.000000000 +0200 +@@ -120,7 +120,12 @@ + + /* Report request and invoke the real daemon program. */ + ++#ifdef INET6 ++ syslog(allow_severity, "connect from %s (%s)", ++ eval_client(&request), eval_hostaddr(request.client)); ++#else + syslog(allow_severity, "connect from %s", eval_client(&request)); ++#endif + closelog(); + (void) execv(path, argv); + syslog(LOG_ERR, "error: cannot execute %s: %m", path); +diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c +--- tcp_wrappers_7.6.orig/tcpdchk.c 1997-02-12 02:13:25.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:07:43.000000000 +0200 +@@ -22,6 +22,9 @@ + + #include + #include ++#ifdef INET6 ++#include ++#endif + #include + #include + #include +@@ -397,6 +400,31 @@ + } + } + ++#ifdef INET6 ++static int is_inet6_addr(pat) ++ char *pat; ++{ ++ struct addrinfo hints, *res; ++ int len, ret; ++ char ch; ++ ++ if (*pat != '[') ++ return (0); ++ len = strlen(pat); ++ if ((ch = pat[len - 1]) != ']') ++ return (0); ++ pat[len - 1] = '\0'; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_INET6; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) ++ 
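Review bot: In the INET6 branch of `sock_hostname`, `if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0))` assigns the result of the comparison to `err`, because `==` binds tighter than `=`. As written, a reverse-lookup name that is not numeric leaves `err` at 0, `err = !err` turns it into 1, and the following `if (!err)` block, the forward lookup that confirms the name maps back to the client address, is skipped, so `host->name` keeps the unverified reverse-lookup result. The comment `we are now sure that this is non-numeric` suggests the intent was `if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {`. With that change a numeric name is clobbered to `paranoid` and every other name goes through the address-list check. A regression test in which the forward lookup of the returned name omits the client address should end with `host->name` set to `paranoid`.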
freeaddrinfo(res); ++ pat[len - 1] = ch; ++ return (ret == 0); ++} ++#endif ++ + /* check_host - criticize host pattern */ + + static int check_host(pat) +@@ -423,14 +451,27 @@ + #endif + #endif + } else if (mask = split_at(pat, '/')) { /* network/netmask */ ++#ifdef INET6 ++ int mask_len; ++ ++ if ((dot_quad_addr(pat) == INADDR_NONE ++ || dot_quad_addr(mask) == INADDR_NONE) ++ && (!is_inet6_addr(pat) ++ || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) ++#else + if (dot_quad_addr(pat) == INADDR_NONE + || dot_quad_addr(mask) == INADDR_NONE) ++#endif + tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); + } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ + tcpd_warn("FAIL is no longer recognized"); + tcpd_warn("(use EXCEPT or DENY instead)"); + } else if (reserved_name(pat)) { /* other reserved */ + /* void */ ; ++#ifdef INET6 ++ } else if (is_inet6_addr(pat)) { /* IPv6 address */ ++ addr_count = 1; ++#endif + } else if (NOT_INADDR(pat)) { /* internet name */ + if (pat[strlen(pat) - 1] == '.') { + tcpd_warn("%s: domain or host name ends in dot", pat); +diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h +--- tcp_wrappers_7.6.orig/tcpd.h 1996-03-19 16:22:25.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.h 2004-04-10 19:07:43.000000000 +0200 +@@ -11,7 +11,11 @@ + struct host_info { + char name[STRING_LENGTH]; /* access via eval_hostname(host) */ + char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ ++#ifdef INET6 ++ struct sockaddr *sin; /* socket address or 0 */ ++#else + struct sockaddr_in *sin; /* socket address or 0 */ ++#endif + struct t_unitdata *unit; /* TLI transport address or 0 */ + struct request_info *request; /* for shared information */ + }; +diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.c tcp_wrappers_7.6/tcpdmatch.c +--- tcp_wrappers_7.6.orig/tcpdmatch.c 1996-02-11 17:01:36.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdmatch.c 2004-04-10 19:07:43.000000000 +0200 +@@ -57,7 +57,11 @@ + int argc; + char **argv; + { ++#ifdef INET6 ++ struct 
addrinfo hints, *hp, *res; ++#else + struct hostent *hp; ++#endif + char *myname = argv[0]; + char *client; + char *server; +@@ -68,8 +72,13 @@ + int ch; + char *inetcf = 0; + int count; ++#ifdef INET6 ++ struct sockaddr_storage server_sin; ++ struct sockaddr_storage client_sin; ++#else + struct sockaddr_in server_sin; + struct sockaddr_in client_sin; ++#endif + struct stat st; + + /* +@@ -172,13 +181,20 @@ + if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { + if ((hp = find_inet_addr(server)) == 0) + exit(1); ++#ifndef INET6 + memset((char *) &server_sin, 0, sizeof(server_sin)); + server_sin.sin_family = AF_INET; ++#endif + request_set(&request, RQ_SERVER_SIN, &server_sin, 0); + ++#ifdef INET6 ++ for (res = hp, count = 0; res; res = res->ai_next, count++) { ++ memcpy(&server_sin, res->ai_addr, res->ai_addrlen); ++#else + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { + memcpy((char *) &server_sin.sin_addr, addr, + sizeof(server_sin.sin_addr)); ++#endif + + /* + * Force evaluation of server host name and address. 
Host name +@@ -194,7 +210,11 @@ + fprintf(stderr, "Please specify an address instead\n"); + exit(1); + } ++#ifdef INET6 ++ freeaddrinfo(hp); ++#else + free((char *) hp); ++#endif + } else { + request_set(&request, RQ_SERVER_NAME, server, 0); + } +@@ -208,6 +228,18 @@ + tcpdmatch(&request); + exit(0); + } ++#ifdef INET6 ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_INET6; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ if (getaddrinfo(client, NULL, &hints, &res) == 0) { ++ freeaddrinfo(res); ++ request_set(&request, RQ_CLIENT_ADDR, client, 0); ++ tcpdmatch(&request); ++ exit(0); ++ } ++#endif + + /* + * Perhaps they are testing special client hostname patterns that aren't +@@ -229,6 +261,34 @@ + */ + if ((hp = find_inet_addr(client)) == 0) + exit(1); ++#ifdef INET6 ++ request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); ++ ++ for (res = hp, count = 0; res; res = res->ai_next, count++) { ++ memcpy(&client_sin, res->ai_addr, res->ai_addrlen); ++ ++ /* ++ * getnameinfo() doesn't do reverse lookup against link-local ++ * address. So, we pass through host name evaluation against ++ * such addresses. ++ */ ++ if (res->ai_family != AF_INET6 || ++ !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { ++ /* ++ * Force evaluation of client host name and address. Host name ++ * conflicts will be reported while eval_hostname() does its job. 
++ */ ++ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); ++ if (STR_EQ(eval_hostname(request.client), unknown)) ++ tcpd_warn("host address %s->name lookup failed", ++ eval_hostaddr(request.client)); ++ } ++ tcpdmatch(&request); ++ if (res->ai_next) ++ printf("\n"); ++ } ++ freeaddrinfo(hp); ++#else + memset((char *) &client_sin, 0, sizeof(client_sin)); + client_sin.sin_family = AF_INET; + request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); +@@ -250,6 +310,7 @@ + printf("\n"); + } + free((char *) hp); ++#endif + exit(0); + } + +diff -ruN tcp_wrappers_7.6.orig/tli.c tcp_wrappers_7.6/tli.c +--- tcp_wrappers_7.6.orig/tli.c 1997-03-21 19:27:26.000000000 +0100 ++++ tcp_wrappers_7.6/tli.c 2004-04-10 19:07:43.000000000 +0200 +@@ -65,8 +65,13 @@ + void tli_host(request) + struct request_info *request; + { ++#ifdef INET6 ++ static struct sockaddr_storage client; ++ static struct sockaddr_storage server; ++#else + static struct sockaddr_in client; + static struct sockaddr_in server; ++#endif + + /* + * If we discover that we are using an IP transport, pretend we never +@@ -76,14 +81,29 @@ + + tli_endpoints(request); + if ((request->config = tli_transport(request->fd)) != 0 ++#ifdef INET6 ++ && (STR_EQ(request->config->nc_protofmly, "inet") || ++ STR_EQ(request->config->nc_protofmly, "inet6"))) { ++#else + && STR_EQ(request->config->nc_protofmly, "inet")) { ++#endif + if (request->client->unit != 0) { ++#ifdef INET6 ++ client = *(struct sockaddr_storage *) request->client->unit->addr.buf; ++ request->client->sin = (struct sockaddr *) &client; ++#else + client = *(struct sockaddr_in *) request->client->unit->addr.buf; + request->client->sin = &client; ++#endif + } + if (request->server->unit != 0) { ++#ifdef INET6 ++ server = *(struct sockaddr_storage *) request->server->unit->addr.buf; ++ request->server->sin = (struct sockaddr *) &server; ++#else + server = *(struct sockaddr_in *) request->server->unit->addr.buf; + request->server->sin = &server; ++#endif 
+ } + tli_cleanup(request); + sock_methods(request); +@@ -187,7 +207,15 @@ + } + while (config = getnetconfig(handlep)) { + if (stat(config->nc_device, &from_config) == 0) { ++#ifdef NO_CLONE_DEVICE ++ /* ++ * If the network devices are not cloned (as is the case for ++ * Solaris 8 Beta), we must compare the major device numbers. ++ */ ++ if (major(from_config.st_rdev) == major(from_client.st_rdev)) ++#else + if (minor(from_config.st_rdev) == major(from_client.st_rdev)) ++#endif + break; + } + } +diff -ruN tcp_wrappers_7.6.orig/update.c tcp_wrappers_7.6/update.c +--- tcp_wrappers_7.6.orig/update.c 1994-12-28 17:42:56.000000000 +0100 ++++ tcp_wrappers_7.6/update.c 2004-04-10 19:07:43.000000000 +0200 +@@ -46,10 +46,18 @@ + request->fd = va_arg(ap, int); + continue; + case RQ_CLIENT_SIN: ++#ifdef INET6 ++ request->client->sin = va_arg(ap, struct sockaddr *); ++#else + request->client->sin = va_arg(ap, struct sockaddr_in *); ++#endif + continue; + case RQ_SERVER_SIN: ++#ifdef INET6 ++ request->server->sin = va_arg(ap, struct sockaddr *); ++#else + request->server->sin = va_arg(ap, struct sockaddr_in *); ++#endif + continue; + + /* +diff -ruN tcp_wrappers_7.6.orig/workarounds.c tcp_wrappers_7.6/workarounds.c +--- tcp_wrappers_7.6.orig/workarounds.c 1996-03-19 16:22:26.000000000 +0100 ++++ tcp_wrappers_7.6/workarounds.c 2004-04-10 19:07:43.000000000 +0200 +@@ -166,11 +166,22 @@ + int *len; + { + int ret; ++#ifdef INET6 ++ struct sockaddr *sin = sa; ++#else + struct sockaddr_in *sin = (struct sockaddr_in *) sa; ++#endif + + if ((ret = getpeername(sock, sa, len)) >= 0 ++#ifdef INET6 ++ && ((sin->su_si.si_family == AF_INET6 ++ && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr)) ++ || (sin->su_si.si_family == AF_INET ++ && sin->su_sin.sin_addr.s_addr == 0))) { ++#else + && sa->sa_family == AF_INET + && sin->sin_addr.s_addr == 0) { ++#endif + errno = ENOTCONN; + return (-1); + } else { --- tcp-wrappers-7.6.dbs.orig/debian/patches/00_man_quoting.diff +++ 
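Review bot: `client = *(struct sockaddr_storage *) request->client->unit->addr.buf;` copies `sizeof(struct sockaddr_storage)` bytes out of the TLI address buffer, where the non-INET6 code copied only a `struct sockaddr_in`; if the buffer behind `addr.buf` is sized for the transport's address rather than for `sockaddr_storage`, this reads past its end. The `server` assignment has the same shape. Copy only what the transport supplied, e.g. `memset(&client, 0, sizeof(client));` followed by a `memcpy` of `unit->addr.len` bytes capped at `sizeof(client)`. The allocation of `unit` is outside this hunk, so the buffer size should be confirmed there.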
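Review bot: Under `INET6` in the workarounds.c hunk, `sin` is declared as `struct sockaddr *`, yet the condition dereferences `sin->su_si.si_family`, `sin->su_sin6.sin6_addr` and `sin->su_sin.sin_addr`, none of which are members of `struct sockaddr`; unless these names are macros defined elsewhere, this branch cannot compile when the surrounding workaround is enabled together with `INET6`. Testing `sa->sa_family` and casting per family, e.g. `IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr)` for `AF_INET6` and `((struct sockaddr_in *) sa)->sin_addr.s_addr == 0` for `AF_INET`, expresses the same check with types this file has. The function starts and ends outside the hunk.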
tcp-wrappers-7.6.dbs/debian/patches/00_man_quoting.diff 
@@ -0,0 +1,75 @@ +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 1995-01-30 19:51:47.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.5 2004-04-09 16:59:45.000000000 +0200 +@@ -173,7 +173,7 @@ + Patterns like these can be used when the machine has different internet + addresses with different internet hostnames. Service providers can use + this facility to offer FTP, GOPHER or WWW archives with internet names +-that may even belong to different organizations. See also the `twist' ++that may even belong to different organizations. See also the `twist\' + option in the hosts_options(5) document. Some systems (Solaris, + FreeBSD) can have more than one internet address on one physical + interface; with other systems you may have to resort to SLIP or PPP +@@ -236,10 +236,10 @@ + Before accepting a client request, the wrappers can use the IDENT + service to find out that the client did not send the request at all. + When the client host provides IDENT service, a negative IDENT lookup +-result (the client matches `UNKNOWN@host') is strong evidence of a host ++result (the client matches `UNKNOWN@host\') is strong evidence of a host + spoofing attack. + .PP +-A positive IDENT lookup result (the client matches `KNOWN@host') is ++A positive IDENT lookup result (the client matches `KNOWN@host\') is + less trustworthy. It is possible for an intruder to spoof both the + client connection and the IDENT lookup, although doing so is much + harder than spoofing just a client connection. It may also be that +diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 +--- tcp_wrappers_7.6.orig/hosts_options.5 1994-12-28 17:42:29.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_options.5 2004-04-09 16:59:49.000000000 +0200 +@@ -124,7 +124,7 @@ + value is taken. 
+ .SH MISCELLANEOUS + .IP "banners /some/directory" +-Look for a file in `/some/directory' with the same name as the daemon ++Look for a file in `/some/directory\' with the same name as the daemon + process (for example in.telnetd for the telnet service), and copy its + contents to the client. Newline characters are replaced by + carriage-return newline, and % sequences are expanded (see +diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 +--- tcp_wrappers_7.6.orig/tcpdmatch.8 1996-02-11 17:01:36.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdmatch.8 2004-04-09 17:00:49.000000000 +0200 +@@ -26,7 +26,7 @@ + A daemon process name. Typically, the last component of a daemon + executable pathname. + .IP client +-A host name or network address, or one of the `unknown' or `paranoid' ++A host name or network address, or one of the `unknown\' or `paranoid\' + wildcard patterns. + .sp + When a client host name is specified, \fItcpdmatch\fR gives a +@@ -37,13 +37,13 @@ + .PP + Optional information specified with the \fIdaemon@server\fR form: + .IP server +-A host name or network address, or one of the `unknown' or `paranoid' +-wildcard patterns. The default server name is `unknown'. ++A host name or network address, or one of the `unknown\' or `paranoid\' ++wildcard patterns. The default server name is `unknown\'. + .PP + Optional information specified with the \fIuser@client\fR form: + .IP user + A client user identifier. Typically, a login name or a numeric userid. +-The default user name is `unknown'. ++The default user name is `unknown\'. + .SH OPTIONS + .IP -d + Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current +@@ -70,7 +70,7 @@ + .ti +5 + tcpdmatch in.telnetd paranoid + .PP +-On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR ++On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR + may need some help to locate the inetd configuration file. 
+ .SH FILES + .PP --- tcp-wrappers-7.6.dbs.orig/debian/patches/man_fromhost +++ tcp-wrappers-7.6.dbs/debian/patches/man_fromhost @@ -0,0 +1,21 @@ +diff -ruN tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 +--- tcp_wrappers_7.6.orig/hosts_access.3 2004-04-25 00:10:48.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.3 2004-04-25 00:09:36.000000000 +0200 +@@ -14,6 +14,9 @@ + struct request_info *request_set(request, key, value, ..., 0) + struct request_info *request; + ++void fromhost(request) ++struct request_info *request; ++ + int hosts_access(request) + struct request_info *request; + +@@ -60,6 +63,7 @@ + is available, host names and client user names are looked up on demand, + using the request structure as a cache. hosts_access() returns zero if + access should be denied. ++fromhost() must be called before hosts_access(). + .PP + hosts_ctl() is a wrapper around the request_init() and hosts_access() + routines with a perhaps more convenient interface (though it does not --- tcp-wrappers-7.6.dbs.orig/debian/patches/11_usagi_fix +++ tcp-wrappers-7.6.dbs/debian/patches/11_usagi_fix 
@@ -0,0 +1,45 @@ +diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c +--- tcp_wrappers_7.6/hosts_access.c Mon May 20 14:00:56 2002 ++++ tcp_wrappers_7.6.new/hosts_access.c Mon May 20 14:25:05 2002 +@@ -448,6 +448,15 @@ + int len, mask_len, i = 0; + char ch; + ++ /* ++ * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is ++ * different between KAME and Solaris8. While KAME returns ++ * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here. ++ */ ++ if (STRN_EQ(string, "::ffff:", 7) ++ && dot_quad_addr(string + 7) != INADDR_NONE) ++ return (masked_match4(net_tok, mask_tok, string + 7)); ++ + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_socktype = SOCK_STREAM; +@@ -457,13 +466,6 @@ + memcpy(&addr, res->ai_addr, sizeof(addr)); + freeaddrinfo(res); + +- if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { +- if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE +- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) +- return (NO); +- return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); +- } +- + /* match IPv6 address against netnumber/prefixlen */ + len = strlen(net_tok); + if (*net_tok != '[' || net_tok[len - 1] != ']') +diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c +--- tcp_wrappers_7.6/socket.c Mon May 20 13:48:35 2002 ++++ tcp_wrappers_7.6.new/socket.c Mon May 20 14:22:27 2002 +@@ -228,7 +228,7 @@ + hints.ai_family = sin->sa_family; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; +- if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { ++ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) { + freeaddrinfo(res0); + res0 = NULL; + tcpd_warn("host name/name mismatch: " --- tcp-wrappers-7.6.dbs.orig/debian/patches/01_man_portability +++ tcp-wrappers-7.6.dbs/debian/patches/01_man_portability 
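Review bot: The early return added in the first hosts_access.c hunk recognises an IPv4-mapped client only by the literal prefix `::ffff:` followed by a dotted quad, while the second hunk deletes the `IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)` branch that classified the address after it had been parsed. If the address string can reach this function in any other spelling of the same address (for example with the leading zero groups written out), it would presumably fall through to the IPv6 net/prefixlen comparison, and IPv4 net/mask rules would no longer apply to that client. Whether callers always pass the canonical text form is not visible here, because the function starts and ends outside both hunks. I would state the assumption next to the new test: `/* string is expected in canonical "::ffff:a.b.c.d" form; other spellings are not treated as IPv4 */`.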
@@ -0,0 +1,248 @@ +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 +--- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 +@@ -3,7 +3,7 @@ + hosts_access, hosts_ctl, request_init, request_set \- access control library + .SH SYNOPSIS + .nf +-#include "tcpd.h" ++#include + + extern int allow_severity; + extern int deny_severity; +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 +@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam + impatient reader is encouraged to skip to the EXAMPLES section for a + quick introduction. + .PP +-An extended version of the access control language is described in the +-\fIhosts_options\fR(5) document. The extensions are turned on at +-program build time by building with -DPROCESS_OPTIONS. ++The extended version of the access control language is described in the ++\fIhosts_options\fR(5) document. \fBNote that this language supersedes ++the meaning of \fIshell_command\fB as documented below.\fR + .PP + In the following text, \fIdaemon\fR is the the process name of a + network daemon process, and \fIclient\fR is the name and/or address of +@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain + /etc/hosts.deny: + .in +3 + .nf +-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ +- /usr/ucb/mail -s %d-%h root) & ++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ ++ /usr/bin/mail -s %d-%h root) & + .fi + .PP + The safe_finger command comes with the tcpd wrapper and should be +@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor + .fi + .SH SEE ALSO + .nf ++hosts_options(5) extended syntax. + tcpd(8) tcp/ip daemon wrapper program. + tcpdchk(8), tcpdmatch(8), test programs. 
+ .SH BUGS +diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 +--- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 +@@ -2,10 +2,8 @@ + .SH NAME + hosts_options \- host access control language extensions + .SH DESCRIPTION +-This document describes optional extensions to the language described +-in the hosts_access(5) document. The extensions are enabled at program +-build time. For example, by editing the Makefile and turning on the +-PROCESS_OPTIONS compile-time option. ++This document describes extensions to the language described ++in the hosts_access(5) document. + .PP + The extensible language uses the following format: + .sp +@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam + Execute, in a child process, the specified shell command, after + performing the % expansions described in the hosts_access(5) + manual page. The command is executed with stdin, stdout and stderr +-connected to the null device, so that it won\'t mess up the ++connected to the null device, so that it won't mess up the + conversation with the client host. Example: + .sp + .nf + .ti +3 +-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & ++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & + .fi + .sp + executes, in a background child process, the shell command "safe_finger +diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c +--- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 ++++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 +@@ -26,13 +26,17 @@ extern void exit(); + * guesses. Shorter names follow longer ones. + */ + char *inet_files[] = { ++#if 0 + "/private/etc/inetd.conf", /* NEXT */ + "/etc/inet/inetd.conf", /* SYSV4 */ + "/usr/etc/inetd.conf", /* IRIX?? */ ++#endif + "/etc/inetd.conf", /* BSD */ ++#if 0 + "/etc/net/tlid.conf", /* SYSV4?? 
*/ + "/etc/saf/tlid.conf", /* SYSV4?? */ + "/etc/tlid.conf", /* SYSV4?? */ ++#endif + 0, + }; + +diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 +--- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 +@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s + TLI. Functionality may be limited when the protocol underneath TLI is + not an internet protocol. + .PP +-Operation is as follows: whenever a request for service arrives, the ++There are two possible modes of operation: execution of \fItcpd\fP ++before a service started by \fIinetd\fP, or linking a daemon with ++the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) ++manual page. Operation when started by \fIinetd\fP ++is as follows: whenever a request for service arrives, the + \fIinetd\fP daemon is tricked into running the \fItcpd\fP program + instead of the desired server. \fItcpd\fP logs the request and does + some additional checks. When all is well, \fItcpd\fP runs the +@@ -88,11 +92,11 @@ configuration files. + .sp + .in +5 + # mkdir /other/place +-# mv /usr/etc/in.fingerd /other/place +-# cp tcpd /usr/etc/in.fingerd ++# mv /usr/sbin/in.fingerd /other/place ++# cp tcpd /usr/sbin/in.fingerd + .fi + .PP +-The example assumes that the network daemons live in /usr/etc. On some ++The example assumes that the network daemons live in /usr/sbin. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, or have + no `in.\' prefix to their name. + .SH EXAMPLE 2 +@@ -101,35 +105,34 @@ are left in their original place. 
+ .PP + In order to monitor access to the \fIfinger\fR service, perform the + following edits on the \fIinetd\fR configuration file (usually +-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): ++\fI/etc/inetd.conf\fR): + .nf + .sp + .ti +5 +-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd ++finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd + .sp + becomes: + .sp + .ti +5 +-finger stream tcp nowait nobody /some/where/tcpd in.fingerd ++finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd + .sp + .fi + .PP +-The example assumes that the network daemons live in /usr/etc. On some ++The example assumes that the network daemons live in /usr/sbin. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, the + daemons have no `in.\' prefix to their name, or there is no userid + field in the inetd configuration file. + .PP + Similar changes will be needed for the other services that are to be + covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) +-process to make the changes effective. AIX users may also have to +-execute the `inetimp\' command. ++process to make the changes effective. + .SH EXAMPLE 3 + In the case of daemons that do not live in a common directory ("secret" + or otherwise), edit the \fIinetd\fR configuration file so that it + specifies an absolute path name for the process name field. For example: + .nf + .sp +- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd ++ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd + .sp + .fi + .PP +@@ -164,6 +167,7 @@ The default locations of the host access + .SH SEE ALSO + .na + .nf ++hosts_access(3), functions provided by the libwrap library. + hosts_access(5), format of the tcpd access control tables. + syslog.conf(5), format of the syslogd control file. + inetd.conf(5), format of the inetd control file. 
+diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 +--- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 +@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] + potential and real problems it can find. The program examines the + \fItcpd\fR access control files (by default, these are + \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the +-entries in these files against entries in the \fIinetd\fR or \fItlid\fR +-network configuration files. ++entries in these files against entries in the \fIinetd\fR ++network configuration file. + .PP + \fItcpdchk\fR reports problems such as non-existent pathnames; services + that appear in \fItcpd\fR access control rules, but are not controlled +@@ -26,14 +26,13 @@ problem. + .SH OPTIONS + .IP -a + Report access control rules that permit access without an explicit +-ALLOW keyword. This applies only when the extended access control +-language is enabled (build with -DPROCESS_OPTIONS). ++ALLOW keyword. + .IP -d + Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current + directory instead of the default ones. + .IP "-i inet_conf" + Specify this option when \fItcpdchk\fR is unable to find your +-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when ++\fIinetd.conf\fR network configuration file, or when + you suspect that the program uses the wrong one. + .IP -v + Display the contents of each access control rule. Daemon lists, client +@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do + hosts_access(5), format of the tcpd access control tables. + hosts_options(5), format of the language extensions. + inetd.conf(5), format of the inetd control file. +-tlid.conf(5), format of the tlid control file. 
+ .SH AUTHORS + .na + .nf +diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 +--- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 +@@ -13,7 +13,7 @@ request for service. Examples are given + The program examines the \fItcpd\fR access control tables (default + \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its + conclusion. For maximal accuracy, it extracts additional information +-from your \fIinetd\fR or \fItlid\fR network configuration file. ++from your \fIinetd\fR network configuration file. + .PP + When \fItcpdmatch\fR finds a match in the access control tables, it + identifies the matched rule. In addition, it displays the optional +@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d + directory instead of the default ones. + .IP "-i inet_conf" + Specify this option when \fItcpdmatch\fR is unable to find your +-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when ++\fIinetd.conf\fR network configuration file, or when + you suspect that the program uses the wrong one. + .SH EXAMPLES + To predict how \fItcpd\fR would handle a telnet request from the local +@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker + hosts_access(5), format of the tcpd access control tables. + hosts_options(5), format of the language extensions. + inetd.conf(5), format of the inetd control file. +-tlid.conf(5), format of the tlid control file. + .SH AUTHORS + .na + .nf --- tcp-wrappers-7.6.dbs.orig/debian/patches/siglongjmp +++ tcp-wrappers-7.6.dbs/debian/patches/siglongjmp 
@@ -0,0 +1,30 @@ +diff -ruNp tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c +--- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:42:25.000000000 +0200 ++++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:41:04.000000000 +0200 +@@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1. + + int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ + +-static jmp_buf timebuf; ++static sigjmp_buf timebuf; + + /* fsocket - open stdio stream on top of socket */ + +@@ -62,7 +62,7 @@ int protocol; + static void timeout(sig) + int sig; + { +- longjmp(timebuf, sig); ++ siglongjmp(timebuf, sig); + } + + /* rfc931 - return remote user name, given socket structures */ +@@ -135,7 +135,7 @@ char *dest; + * Set up a timer so we won't get stuck while waiting for the server. + */ + +- if (setjmp(timebuf) == 0) { ++ if (sigsetjmp(timebuf, 1) == 0) { + /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ + saved_timeout = alarm(0); + nact.sa_handler = timeout; --- tcp-wrappers-7.6.dbs.orig/debian/patches/restore_sigalarm +++ tcp-wrappers-7.6.dbs/debian/patches/restore_sigalarm 
@@ -0,0 +1,37 @@ +diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c +--- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:40:08.000000000 +0200 ++++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:40:02.000000000 +0200 +@@ -92,6 +92,8 @@ + char *cp; + char *result = unknown; + FILE *fp; ++ unsigned saved_timeout; ++ struct sigaction nact, oact; + + #ifdef INET6 + /* address family must be the same */ +@@ -134,7 +136,12 @@ + */ + + if (setjmp(timebuf) == 0) { +- signal(SIGALRM, timeout); ++ /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ ++ saved_timeout = alarm(0); ++ nact.sa_handler = timeout; ++ nact.sa_flags = 0; ++ (void) sigemptyset(&nact.sa_mask); ++ (void) sigaction(SIGALRM, &nact, &oact); + alarm(rfc931_timeout); + + /* +@@ -223,6 +230,10 @@ + } + alarm(0); + } ++ /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ ++ (void) sigaction(SIGALRM, &oact, NULL); ++ if (saved_timeout > 0) ++ alarm(saved_timeout); + fclose(fp); + } + STRN_CPY(dest, result, STRING_LENGTH); --- tcp-wrappers-7.6.dbs.orig/debian/patches/have_strerror +++ tcp-wrappers-7.6.dbs/debian/patches/have_strerror @@ -0,0 +1,19 @@ +diff -ruN tcp_wrappers_7.6.orig/percent_m.c tcp_wrappers_7.6/percent_m.c +--- tcp_wrappers_7.6.orig/percent_m.c 1994-12-28 17:42:37.000000000 +0100 ++++ tcp_wrappers_7.6/percent_m.c 2003-08-21 02:45:31.000000000 +0200 +@@ -29,11 +29,15 @@ + + while (*bp = *cp) + if (*cp == '%' && cp[1] == 'm') { ++#ifdef HAVE_STRERROR ++ strcpy(bp, strerror(errno)); ++#else + if (errno < sys_nerr && errno > 0) { + strcpy(bp, sys_errlist[errno]); + } else { + sprintf(bp, "Unknown error %d", errno); + } ++#endif + bp += strlen(bp); + cp += 2; + } else { --- tcp-wrappers-7.6.dbs.orig/debian/copyright +++ tcp-wrappers-7.6.dbs/debian/copyright 
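Review bot: In the last rfc931.c hunk the caller's pending alarm is re-armed with `alarm(saved_timeout)`, which is the full number of seconds that were left when the lookup began, so the time spent waiting on the ident server (up to `rfc931_timeout`) is silently added to the caller's own timeout. If that is acceptable it should be said at the restore, e.g. `/* re-armed with the full remaining time; the lookup's duration is not deducted */`; otherwise the elapsed seconds need to be subtracted before re-arming. Both `sigaction()` results are also cast to void, so if the first call failed the later restore would pass an `oact` that was never filled in. The function body extends outside all three hunks.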
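Review bot: `strcpy(bp, strerror(errno));` in the percent_m.c hunk copies a message of unknown length into `bp` with no bound, just as the `sys_errlist` branch it replaces under HAVE_STRERROR does. The size of the destination is not visible here (the function starts outside the hunk), and strerror() text varies with the C library and locale, so the only protection is the caller's buffer being large enough for the format string plus the expanded message. A bounded copy would need a length the function does not appear to receive, so at minimum the requirement should be documented on the function: `/* caller must size the output buffer for the input plus the expanded strerror() text */`.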
@@ -0,0 +1,33 @@
+This package was debianized by Anthony Towns on
+Tue, 10 Aug 1999 12:06:33 +1000.
+
+It was downloaded from ftp://ftp.porcupine.org/pub/security/index.html
+
+and includes ftp://ftp.porcupine.org/pub/security/tcpd-blacklist-patch
+
+Copyright updated on 2001/06/08 from
+ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
+
+Upstream Author: Wietse Venema
+
+Copyright:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema. All rights reserved. Some individual
+* files may be covered by other copyrights.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that this entire copyright notice
+* is duplicated in all such copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Thanks to Wietse Venema for his permission to include the tcp_wrapper
+package in the Debian Distribution.
--- tcp-wrappers-7.6.dbs.orig/debian/tcpd.postinst
+++ tcp-wrappers-7.6.dbs/debian/tcpd.postinst
@@ -0,0 +1,100 @@ +#!/bin/sh -e + +# must be sourced at the top level or $@ will be lost when $0 is executed +if [ "$1" = "configure" ]; then + . /usr/share/debconf/confmodule +fi + +create_hosts_files() { + if [ -e /etc/hosts.allow -a -e /etc/hosts.deny ]; then + return 0 + fi + + # The default paranoid mode, in order to avoid breaking expected + # behaviour is 'false', however, if debconf is used to set this to + # true then we add a more restrictive definition + PARANOID="false" + + db_get tcpd/paranoid-mode || true + PARANOID="$RET" + + if [ ! -e /etc/hosts.allow ]; then + cat > /etc/hosts.allow <> /etc/hosts.allow < /etc/hosts.deny <> /etc/hosts.deny <> /etc/hosts.deny <&2 + exit 1 + ;; +esac + +#DEBHELPER# --- tcp-wrappers-7.6.dbs.orig/debian/libwrap0-dev.links +++ tcp-wrappers-7.6.dbs/debian/libwrap0-dev.links @@ -0,0 +1,3 @@ +usr/share/man/man3/hosts_access.3 usr/share/man/man3/hosts_ctl.3 +usr/share/man/man3/hosts_access.3 usr/share/man/man3/request_init.3 +usr/share/man/man3/hosts_access.3 usr/share/man/man3/request_set.3 --- tcp-wrappers-7.6.dbs.orig/debian/tcpd.install +++ tcp-wrappers-7.6.dbs/debian/tcpd.install @@ -0,0 +1,5 @@ +tcpd /usr/sbin/ +tcpdchk /usr/sbin/ +tcpdmatch /usr/sbin/ +try-from /usr/sbin/ +safe_finger /usr/sbin/ --- tcp-wrappers-7.6.dbs.orig/debian/tcpd.templates +++ tcp-wrappers-7.6.dbs/debian/tcpd.templates 
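Review bot: In create_hosts_files the default `PARANOID="false"` is overwritten unconditionally by `PARANOID="$RET"`, even when `db_get tcpd/paranoid-mode || true` has failed, so the variable ends up holding whatever RET contained (possibly nothing) instead of the default the comment describes. Assign only on success: `if db_get tcpd/paranoid-mode; then PARANOID="$RET"; fi`. How PARANOID is tested afterwards is not legible in this rendering, since the here-documents have been lost. The effect on which hosts.deny content is written should therefore be checked against the real file.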
@@ -0,0 +1,21 @@
+Template: tcpd/paranoid-mode
+Type: boolean
+Default: false
+_description: Should tcpd setup paranoid hosts.allow and hosts.access?
+ /etc/hosts.allow and /etc/hosts.deny will be setup since you do not have
+ have any of these files yet. You can either have a generic and permissive
+ configuration which will allow any incoming connection or a paranoid
+ configuration which will not allow remote connections regardless of
+ where they originate from.
+ .
+ The second option, even if more secure, will block out all communication,
+ including, for example, remote administration. So if you need this
+ don't choose it.
+ .
+ Regardless of which option you select you can always manually edit both
+ files to suit your needs, for this, review the hosts_access(5) manpage.
+ This might include giving remote access of services to legitimate hosts.
+ .
+ Notice this only applies to internet services that use the libwrap library.
+ Remote connections will still be possible to services that do not use
+ this library, consider using firewall rules to block access to these.
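Review bot: The question line asks about `hosts.allow and hosts.access`, but the files the description says will be set up are /etc/hosts.allow and /etc/hosts.deny, so the prompt names a file that is not among them. It should read `Should tcpd setup paranoid hosts.allow and hosts.deny?`. The first description paragraph also repeats "have" across its line break. Since the template default is `false`, I would have the description say outright that declining leaves the permissive configuration in place, so that an administrator who accepts the default knows libwrap-using services stay reachable.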