A few changed from tcp_wrappers 7.6

3 files changed, 35 insertions, 21 deletions

diff --git a/libexec/tcpd/BLURB b/libexec/tcpd/BLURB
index cc95cf74285..8d82fa7826f 100644
--- a/libexec/tcpd/BLURB
+++ b/libexec/tcpd/BLURB
@@ -1,5 +1,5 @@
-$OpenBSD: BLURB,v 1.1 1997/02/26 06:00:30 downsj Exp $
-@(#) BLURB 1.27 97/02/12 02:13:17
+$OpenBSD: BLURB,v 1.2 1997/06/01 05:21:39 downsj Exp $
+@(#) BLURB 1.28 97/03/21 19:27:18
 
 With this package you can monitor and filter incoming requests for the
 SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
@@ -12,20 +12,18 @@ requested service; the wrappers do not exchange information with the
 client or server applications, and impose no overhead on the actual
 conversation between the client and server applications.
 
-This patch upgrades the tcp wrappers version 7.4 source code to version
-7.5.  Highlights of this release:
-
-    - Support for more UNIX system types.
-
-    - Improved protection against IP spoofing attacks with source-routed
-    TCP connections, by refusing them. This protection is not enabled by
-    default.
+This patch upgrades the tcp wrappers version 7.5 source code to
+version 7.6.  The source-routing protection in version 7.5 was not
+as strong as it could be. And all this effort was not needed with
+modern UNIX systems that can already stop source-routed traffic in
+the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux.
 
 This release does not introduce new features. Do not bother applying
-this patch when you built your current tcp wrapper without enabling the
-KILL_OPTIONS compiler switch. The patch is not useful for obsolete UNIX
-versions that pre-date 4.4BSD, such as SunOS 4. Such systems are unable
-to receive source-routed connections and are therefore not vulnerable
+this patch when you built your version 7.x tcp wrapper without
+enabling the KILL_IP_OPTIONS compiler switch; when you can disable
+IP source routing options in the kernel; when you run a UNIX version
+that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to
+receive source-routed connections and are therefore not vulnerable
 to IP spoofing attacks with source-routed TCP connections.
 
 A complete change log is given in the CHANGES document.  As always,
diff --git a/libexec/tcpd/CHANGES b/libexec/tcpd/CHANGES
index 7b4c3c72368..aa23b243f62 100644
--- a/libexec/tcpd/CHANGES
+++ b/libexec/tcpd/CHANGES
@@ -1,10 +1,23 @@
-$OpenBSD: CHANGES,v 1.1 1997/02/26 06:00:31 downsj Exp $
+$OpenBSD: CHANGES,v 1.2 1997/06/01 05:21:39 downsj Exp $
 
 Request: after building the programs, please run the `tcpdchk' wrapper
 configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
 format) for instructions. `tcpdchk' automatically identifies the most
 common configuration problems, and will save you and me a lot of time.
 
+Changes per release 7.6 (Mar 1997)
+==================================
+
+- Improved the anti source-routing protection. The code in version
+7.5 was not as strong as it could be, because I tried to be compatible
+with Linux. That was a mistake. Sorry for the inconvenience.
+
+- The program no longer terminates case of a source-routed connection,
+making the IP-spoofing code more usable for long-running daemons.
+
+- When syslogging DNS hostname problems, always stop after a limited
+number of characters.
+
 Changes per release 7.5 (Feb 1997)
 ==================================
 
diff --git a/libexec/tcpd/README b/libexec/tcpd/README
index 3d3f1f1c65b..1e52463617d 100644
--- a/libexec/tcpd/README
+++ b/libexec/tcpd/README
@@ -1,7 +1,7 @@
-$OpenBSD: README,v 1.1 1997/02/26 06:00:35 downsj Exp $
-@(#) README 1.29 97/02/12 02:13:20
+$OpenBSD: README,v 1.2 1997/06/01 05:21:40 downsj Exp $
+@(#) README 1.30 97/03/21 19:27:21
 
-This is the 7.5 version of the TCP/IP daemon wrapper package.
+This is the 7.6 version of the TCP/IP daemon wrapper package.
 
 Thank you for using this program. If you like it, send me a postcard.
 My postal address is at the bottom of this file.
@@ -329,9 +329,12 @@ very few, if any, UNIX vendors have adopted it.  Our site, and many
 other ones, has been running these enhanced daemons for several years,
 and without any ill effects.
 
-When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the 
+When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
 programs refuse to service TCP connections with IP source routing
-options.
+options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
+that can stop source-routed traffic in the kernel. Examples are
+4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
+for details.
 
 If you are going to use this feature on SunOS 4.1.x you should apply
 patch 100804-03+ or 101790-something depending on your SunOS version.
@@ -535,7 +538,7 @@ of the noise.  A more powerful tool is the Swatch monitoring system by
 Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
 real time and can associate arbitrary actions with patterns; its
 applications are by no means restricted to security.  Swatch is
-available from sierra.stanford.edu, directory /pub/sources.
+available ftp.stanford.edu, directory /general/security-tools/swatch.
 
 Socks, described in the UNIX Security III proceedings, can be used to
 control network traffic from hosts on an internal network, through a