RELEASE NOTES for TCPreen
version 1.2.2 (stable release)
===============================
$Id: NEWS,v 1.13 2003/02/27 11:55:25 rdenisc Exp $

  This is a stable release. Everyone is invited to upgrade to this new stable
series. It is particularly important to upgrade from 1.0.3 or older, because
those versions might crash: when a 0xff byte is received while hexadecimal log
format is in use, the program will incorrectly detect an error. This can be
particularly annoying when monitoring binary data streams.

  This particular release (1.2.2) improves root privilege handling, so that
it is a bit safer to give your semi-trustworthy users permissions to use
TCPreen on reserved TCP ports, either by setting tcpreen's setuid bit, or by
adding tcpreen to your /etc/sudoers if you have sudo installed (see
http://www.sudo.ws/).

  You can find major changes since version 1.0.0 below. For more general
information on this program, see README. For syntax details and changes,
see the man page: tcpreen(1). For detailed internal changes, see ChangeLog.

=============================================================================
STABLE RELEASE 1.2.2 : Minor security fixes

# SetUID non-root user change forbidden:
  Non-root users can no longer run tcpreen as someone else when tcpreen has
  the SetUID root bit set, though this may be convenient in some particular
  environments. Use of the `-u' (or `--uid') option has been disabled for
  non-root users.
  
  Note that tcpreen is not installed SetUID by default, though this may be
  convenient in some particular environments (namely when one needs to bind
  tcpreen to a reserved TCP port). Therefore, the bug does not affect
  standard setups (nor common vendor packages including Debian, FreeBSD,
  OpenBSD and, supposedly, Sourcemage).

# sudo support:
  tcpreen will use the SUDO_UID environment variable when run with *real*
  (as opposed to *effective*) UID root. That similarly prevents user
  impersonation when tcpreen is used (directly) with sudo
  (see http://www.sudo.ws/ for more information on sudo).
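
  The rule described in the two items above, sketched in C. This is an added
  example, not TCPreen's own code: the function names, the numeric-only `-u'
  value and the refusal of `-u' when sudo was invoked by a non-root user are
  assumptions of this sketch.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>

/* Parse a decimal UID string; returns 0 on success, -1 if malformed. */
static int parse_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || (unsigned long)(uid_t)v != v
     || (uid_t)v == (uid_t)-1)      /* -1 means "unchanged" to setreuid() */
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Hypothetical policy function (not TCPreen's code). `opt_uid` is the value
 * given to -u (NULL if absent, assumed numeric here), `sudo_uid` the value of
 * SUDO_UID (NULL if unset). Returns 0 and stores the UID to run as, or -1
 * with errno = EPERM (impersonation refused) or EINVAL (malformed input). */
int choose_run_uid(uid_t real_uid, const char *opt_uid,
                   const char *sudo_uid, uid_t *out)
{
    uid_t invoker = real_uid;
    /* SUDO_UID is only trusted when the real UID is root, i.e. when sudo
     * (not a SetUID bit) started us; an ordinary user can set it freely. */
    if (real_uid == 0 && sudo_uid != NULL && parse_uid(sudo_uid, &invoker)) {
        errno = EINVAL;
        return -1;
    }
    if (opt_uid == NULL) {
        *out = invoker;            /* run as whoever really invoked us */
        return 0;
    }
    if (invoker != 0) {            /* non-root may not become someone else */
        errno = EPERM;
        return -1;
    }
    if (parse_uid(opt_uid, out)) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}
```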

=============================================================================
STABLE RELEASE 1.2.1 : Minor bugfixes

# Compatibility hack for GNU <getopt.h> on non-GNU platforms, should fix
  compilation error on FreeBSD-current with libgnugetopt installed.

=============================================================================
STABLE RELEASE 1.2.0 : Minor bugfixes

# Compatibility fix for Sun Solaris.
# Removed useless replacement functions.
# Compatibility fix for MacOS X: it won't work, though. Any help with
  that platform would be most welcome.

=============================================================================
RELEASE CANDIDATE 1.1.4 : Minor bugfixes.

# Cygwin-based binary release for Windows.
# Mixed connection notice messages fixed.

=============================================================================
DEVELOPMENT RELEASE 1.1.3 : Major feature enhancement, major bugfixes.

# Daemon mode support (option -d or --daemon):
    TCPreen can now run in the background and automatically send notices to
  syslog rather than the standard output. As an example:
  
  $ tcpreen -d -o /home/joe/log_tcpreen smtp 10000
  
  gets TCPreen to forward port 10000 to local port smtp, and save data to
  /home/joe/log_tcpreen. Joe can then read '/home/joe/log_tcpreen' (it is
  IMPORTANT to specify the whole path name).

    This is still quite buggy and there is absolutely no signal handling.

  IMPORTANT NOTE: fork mode (option -F) is not enabled by default. You may
  really want to use it.

# Verbose enabled by default:
    Keep in mind you can use the '-q' switch to enable "quiet mode".

# Various minor bug fixes.

=============================================================================
DEVELOPMENT RELEASE 1.1.2 : Major feature enhancement.

# Improved error reporting on Windows:
    Error status is lost much less often than in previous Windows releases.

# New syntax for protocol selection: -p or --protocol
    A more extensible and flexible syntax is now used to specify an optional
  network communication protocol, instead of obsoleted -4 and -6 options.
  See the man page tcpreen(1) for more details. This is a basic example:

  $ tcpreen -v -p tcp/tcp6 smtp 10000


# C++ class for logging:
    C++ is now needed, because it is used by the data log system. This is the
  first step to support additional log file formats. That said, in spite of
  the major internal code change, there is very little change from the user's
  point of view.

# Logging in multi-process mode:
    Thanks to the new data log system, it is now possible to use log files in
  multi-process mode (i.e. with option '-F'). Each connection will be assigned
  a separate log file for data, based on the name/port of the client.

=============================================================================
DEVELOPMENT RELEASE 1.1.1 : Minor bugfixes.

# Portability enhancements: detects 'gnugetopt' library on FreeBSD
  for GNU-style long options.

# Windows port: TCPreen is experimentally available as a binary for Microsoft
  Windows with Winsock 1.1 or higher, though it lacks several features.

# Minor bug fixed while porting.
# Portability fixes for old systems that do not implement RFC 2553 (of March
  1999).

=============================================================================
DEVELOPMENT RELEASE 1.1.0 : Minor bugfixes.

# Silly error message with flag '-m' removed.
# '--strip' option shortcut is now '-S' instead of '-s'.
# New option '-a' or '--bind' to specify which local network interface to
  listen to. For example:
  
  $ tcpreen -vv -a localhost smtp 1025
  
  will cause TCPreen to listen to TCP port 1025, on interface 127.0.0.1 only,
  rather than on all interfaces.

# New option '-s' or '--server' to specify the hostname or address of the
  server to connect to. For example:
  
  $ tcpreen -vv -s www.google.com 80

  will cause TCPreen to connect to www.google.com (TCP port 80).
  By default, the local host is used.

# Command line syntax SLIGHTLY changed:
    TCPreen now expects only a port number or known service alias as a
  parameter to options '--inet6', '-6', '--inet' and '-4'. Use '-a', '-s',
  '-l' or '-c' to specify host names.

  Old syntax sample:
  $ tcpreen -v -4 [smtp.isp.com]:smtp [127.0.0.1]:1025

  New syntax sample:
  $ tcpreen -v -s smtp.isp.com -4 smtp -b 127.0.0.1 1025

    This should solve most command-line and shell issues encountered with
  previous versions of the program.

=============================================================================
STABLE RELEASE 1.0.4 : Major security fixes.

1. Fixed remote Denial-Of-Service against hexadecimal log format:
------------------------------------------------------------------
  A bug in the hexadecimal and "stripped" log files format allowed any
remote client or server to interrupt execution of TCPreen. When a byte
of value 0xff (255) was received either way, hexadecimal log files
caused an error and TCPreen aborted. Stripped log files were not
affected by the bug because it failed to check for error condition
(this was fixed too).
  Other formats (i.e. C-like and raw) were correctly implemented.

  Because TCPreen cannot use log files in multi-process mode, this bug
is not thought to be really dangerous, but can be rather annoying when
monitoring binary streams. Because of this limitation, production
systems, which most likely need multi-process operation, are normally
not affected. ONCE AGAIN, DO NOT USE TCPREEN IN PRODUCTION
ENVIRONMENT (at least, not yet).

2. Fixed stripped log format:
------------------------------
  The so-called "stripped" log files format was not correctly
implemented (it failed to check for I/O errors). This is now 
-hopefully- fixed.

=============================================================================
STABLE RELEASE 1.0.3 : Minor feature enhancement.

Partial support for old C library (namely Glibc 2.0):
------------------------------------------------------
  Replacement functions for systems that do not have getnameinfo()
and/or gai_strerror() were added. It is therefore now possible to use
TCPreen with old GNU libc 2.0 (and probably 2.1).
  In this case, however, IPv6 cannot be used.

=============================================================================
STABLE RELEASE 1.0.2 : Code cleanup.

GNU gettext/libintl source stripped from official distribution:
----------------------------------------------------------------
  GNU gettext support has been updated. GNU gettext (libintl) is no
longer included in the distribution, which results in a smaller source
tarball and a quicker (but still huge) configure script.
  Please note that GNU gettext is still being used by TCPreen, as long
as it is *already* installed on your system (this is always the case if
you use the GNU C library, that is to say on GNU/Linux or GNU/Hurd).

  Non-English users are strongly encouraged to submit translations for
their native language.

=============================================================================
STABLE RELEASE 1.0.1 : Minor security fixes, minor bug fixes.

1. Safe log file opening:
--------------------------
  Various security checks are now done when trying to open a log file:
# ensure that the file is owned by the unprivileged user that tcpreen
is supposed to use,
# ensure that the log file is not a symbolic link (malicious users may
use this to alter critical files),
# ensure that the file was not modified during a race condition between
checking it and actually opening it.
If you were using links (either hard or symbolic) to real log files,
tcpreen will now refuse to operate (with error EPERM). This is an
inadequate use of log files. You should rather use scripts to rotate
logs or whatever, as this is much less prone to security issues.

  Log files are now appended rather than erased when tcpreen is run
multiple times. This can be very handy for some users.
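
  The three checks listed above, together with append-mode opening, can be
sketched as follows. This is an added example in C, not TCPreen's own code:
`open_log_safely' and the demo file name are hypothetical, and the sketch
assumes the process already runs as the unprivileged user when a new file is
created.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not TCPreen's code): open a log file for appending as
 * user `owner`, applying the three checks listed above. Returns a descriptor,
 * or -1 with errno set (EPERM when a check fails). */
int open_log_safely(const char *path, uid_t owner)
{
    struct stat before, after;
    int fd;
    if (lstat(path, &before) != 0) {
        if (errno != ENOENT)
            return -1;
        /* No such file yet: O_EXCL refuses anything (symlinks included)
         * that appears at this name before open() runs. */
        return open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0600);
    }
    /* lstat() does not follow links, so a symlink fails S_ISREG here;
     * a second hard link shows up as st_nlink > 1. */
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1
     || before.st_uid != owner) {
        errno = EPERM;
        return -1;
    }
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Race check: the object actually opened must be the one inspected. */
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev
     || after.st_ino != before.st_ino || after.st_nlink != 1
     || after.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_log_safely(argc > 1 ? argv[1] : "tcpreen-demo.log", geteuid());
    if (fd < 0) { perror("log file refused"); return 1; }
    close(fd);
    return 0;
}
```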

2. Anti-DNS spoofing:
----------------------
  DNS spoofing is now detected. In such circumstances, the numeric address
will be displayed instead of the spoofed hostname.

3. Long options segfault:
--------------------------
  Long options --inet and --inet6 would cause a segmentation fault
(SIGSEGV) in previous releases. Short options -4 and -6 were NOT
affected by this bug. Only systems that support long options are
affected, that is to say, systems that use the GNU C library.

  This bug can probably not be exploited, as it consists of
dereferencing a pointer which is *always* NULL (unless you have an
unusual getopt_long() implementation).

=============================================================================
OLDER `NEWS' STRIPPED - See ChangeLog for chronological details

