Changes:
v3.2.2
## What's Changed
* Fixed `panic: assignment to entry in nil map` and create default map
v3.2.1
## What's Changed
* Added memguardian + various optimizations
* Fixed overriding the predefined ratelimiter
* Fixed issue with javascript protocol
* Updated templates loader/parser caches (refactor)
v3.2.0
## What's Changed
### New Features
* Added fuzzing support in http protocol
* Added authenticated scaning support
* Added `-fuzz` option for loading fuzzing templates
* Added Gitea reporting
* Added transparent memoization via func annotation
* Added issue tracker JSONL output + CLI summary
* Added `self-contained` request at http request level
* Added `-payload-concurrency` option
* Added `disable-unsigned-templates` option
* Added ldap protocol enhancements
### Bug Fixes
* Fixed issue to purge cache on global callback set
* Fixed network layer should not have forceful read
* Fixed workflow to publish docs
* Fixed `stop-at-first-match` issue in http protocol
* Fixed header nil check
* Fixed issue to use maxsize in template
* Fixed issue to validate code template in workflows
* Fixed issue with temp file cleanup
* Fixed issue with nuclei loading ignored templates
* Fixed multiple bugs
### Other Changes
* Added more granular, issue tracker level filtering
* Added callback support to StandardWriter
* switched dependency for kerberos js module (ropnop/gorkb5 -> jcmturner/gokrb5)
* use system resolver first with system-resolvers
* javascript bindings + docs generation enhancements
v3.1.10
## What's Changed
* Fixed concurrent map writes in tmplexec package
* Added more `NetworkConfig` options to the SDK
v3.1.9
## What's Changed
* Added hybrid tech detection (wappalyzer + tech templates) with automatic scan (`-as`)
* Added projectdiscovery/useragent
* Added passive option support in SDK
* Fixed issue with long running scans at the end of scan
* Fixed issue in javascript protocol with connection pooling
v3.1.8
## What's Changed
* Fixed multiple memory leaks and optimizations
* Fixed issue with not resolving hosts from `/etc/hosts` file
* Fixed issue of array iteration in flow
* Fixed panic in smb javascript template
* Fixed an issue with case sensitive dns interaction with interactsh
* Fixed issue with reporting with optional support of `-or` option
* Fixed issue with mysql module in JavaScript
v3.1.7
## What's Changed
* Added support to upload result to existing pdpc scan using `-scan-id` option
* Fixed issue with pdcp result upload with large output file
* Fixed issue with pdcp result upload when using with env variable
v3.1.6
## What's Changed
* Added `GetServiceTicket` method to the kerberos module
* Added `GetKerberoastableUsers` method in ldap module
* Added support to dump resume files when a runner hangs
* Fixed multiple memory leaks + optimizations
* Fixed timeout issue + added custom timeout support in js protocol
* Fixed variables merge order in code templates
* Fixed issue with dynamic extractors in flow
* Fixed panic in interactsh process interaction ( nil check on compiled operators)
* Fixed panic error + support offlinehttp in flow templates
v3.1.5
## What's Changed
### Other Changes
* Fixed a bug introduced in previous version
v3.1.4
## What's Changed
### New Features
* Added `self-contained` input support to fuzzing templates
* Added support to include additional custom tags with `-as` option
* Added internal matchers (to hide match results in flow) using `internal: true`
* Added exclude list support to layer 4 via fastdialer
### Bug Fixes
* Fixed issue with dynamic extracted variable to make it reusable
* Fixed early exit issue for non zero status code in code protocol
* Fixed missing results issue in flow based template
### Other Changes
* deprecate(remove): file write in extractor using `to` attribute for security
reasons
* Using network policy everywhere
Changes:
v1.6.0
## What's Changed
* Fixed issue with `-csv` format including response header/body as default
* Fixed issue with `-exclude` option
* Updated default JSONL output fields
- Added `tech` and `cdn`, `cdn_name`, can be optionally disabled (`-tech-detect=false`)
- Removed `hash`, can be optionally enabled (`-hash md5,mmh3`)
> Caution
> Updated default JSONL output fields
v1.5.0
> Warning
> This release upgrades ASNMap to the latest 1.1.0 version that uses an
> authenticated API. If you utilize the `-asn` option of httpx, one time
> configuration is required to set up PDCP API Key.
> You can do this using the `-auth` option or through setting up an
> environment variable, such as `export PDCP_API_KEY=xxxxx`
## What's Changed
* Updated to authenticated ASNMap client
* Fixed issue with `-exclude` option
v1.4.0
## What's Changed
### Maintenance
* Updated useragent library
* Fixed exclude cdn option
* Added sdk stream test
v1.3.9
## What's Changed
### Maintenance
* Fixed multiple issues related high memory uses
v1.3.8
## What's Changed
* Removed `-ec` option in favor of newly added `-exclude` option
* Added customizable `-exclude` option:
-e, -exclude string[] exclude host matching specified filter
('cdn', 'private-ips', cidr, ip, regex)
* Added timeout option for screenshot
-st, -screenshot-timeout int set timeout for screenshot in
seconds (default 10)
* Added option to set custom headless options
-ho, -headless-options string[] start headless chrome with additional
options
* Fixed issue with use of system resolver with custom resolver input
* Fixed issue with existing response directory
* Fixed issue with `-websocket` and `-pipeline` detection
* Fixed issue with redirects with `-ports` option
* Fixed issue with `-tls-probe` option
v1.3.7
## What's Changed
### Bug Fixes
* Fixed new line break issue with `-title` option
* Fixed build error on `termux/android`
* Fixed path issue on windows
* Fixed chrome zombie process using leakless
* Fixed panic crash with `-asn` option
### Other Changes
* Added SNI to jsonl output
* Added optional flag (`-eph`) to skip private host / ips for probing
* Added hyperlink to host result
* Increased timeout for a page lifecycle event
v1.3.6
## What's Changed
### New Features
* Added phash calculation for screenshot
* Added visual recon clusters in jsonl output
### Other Changes
* Update redirect chain storage
Changes:
v1.2.1
## What's Changed
### Other Changes
* Added `-no-color` support via env variable
v1.2.0
> Warning
> This release upgrades ASNMap to the latest 1.1.0 version
> that uses an authenticated API. If you utilize the `-asn` option of
> dnsx, one time configuration is required to set up PDCP API
> Key.
> You can do this using the `-auth` option or through setting up an
> environment variable, such as`export PDCP_API_KEY=xxxxx`
## What's Changed
### New Features
* Added `-recon` option to pull all dns records
### Other Changes
* Updated to latest ASNMap API
v1.1.6
## What's Changed
### Other Changes
* Added additional public resolver
* Fixed panic crash
v4.1.3
docs: imprve environment use cases and examples
fix: declared license texts as such, not as license name
v4.1.2
build: use poetry v1.8.1
v4.1.1
docs: improve example for programmatic call of CLI
fix: normalize package extras
v4.1.0
feat: support poetry multi-constraint dependencies
2.29.0 (2024-03-18)
Features
Adds support for custom suppliers in AWS and Identity Pool credentials
Bug Fixes
Refactor tech debt in aws and identity pool credentials
* Add DER support for gernerating and parsing CSR
* Add support for generating ed25519 keys and certs (#1061)
* Add unit test for custom extension supt
* Build images on base image for target platform
* Respect custom x509 ext in selfsign
* add workflow to run goreleaser snapshot
* also output sha256 digest when generating certificate
* build pacakges with latest go
* build(deps): bump actions/checkout from 3 to 4
* build(deps): bump actions/setup-go from 4 to 5
* build(deps): bump actions/upload-artifact from 3 to 4
* build(deps): bump codecov/codecov-action from 3 to 4
* build(deps): bump docker/build-push-action from 3 to 4
* build(deps): bump docker/build-push-action from 4 to 5
* build(deps): bump docker/login-action from 2 to 3
* build(deps): bump docker/metadata-action from 4 to 5
* build(deps): bump docker/setup-buildx-action from 2 to 3
* build(deps): bump docker/setup-qemu-action from 2 to 3
* build(deps): bump github.com/go-sql-driver/mysql from 1.6.0 to 1.7.1
* build(deps): bump github.com/google/certificate-transparency-go
* build(deps): bump github.com/google/certificate-transparency-go
* build(deps): bump github.com/jmoiron/sqlx from 1.3.3 to 1.3.5
* build(deps): bump github.com/lib/pq from 1.10.1 to 1.10.9
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.16 to 1.14.17
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.17 to 1.14.18
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.18 to 1.14.19
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.19 to 1.14.20
* build(deps): bump github.com/mattn/go-sqlite3 from 1.14.20 to 1.14.22
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/prometheus/client_golang
* build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.2
* build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3
* build(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4
* build(deps): bump github.com/zmap/zlint/v3 from 3.4.1 to 3.5.0
* build(deps): bump golang.org/x/crypto from 0.10.0 to 0.12.0
* build(deps): bump golang.org/x/crypto from 0.12.0 to 0.13.0
* build(deps): bump golang.org/x/crypto from 0.13.0 to 0.14.0
* build(deps): bump golang.org/x/crypto from 0.14.0 to 0.15.0
* build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
* build(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
* build(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0
* build(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0
* build(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0
* build(deps): bump golang.org/x/net from 0.10.0 to 0.17.0
* build(deps): bump golangci/golangci-lint-action from 3 to 4
* bump github.com/zmap/zlint/v3 from 3.1.0 to 3.4.1
* certdb/sql: remove uses of github.com/stretchr/testify/require
* code optimization
* configure dependabot
* fix architecture for docker builds
* go.yml: update actions/checkout to v3, actions/setup-go to v4
* goreleaser: Add ARMv7 binaries
* reenable vcs stamping with docker image that supports it
* snapshot.yml: update actions/checkout to v3
* update documentation with sha256 hashes
* update lint test for bumped zlint
Changes since 5.6.6:
wolfSSL Release 5.7.0 (Mar 20, 2024)
NOTE: * --enable-heapmath is being deprecated and will be removed by end of
2024
NOTE: In future releases, --enable-des3 (which is disabled by default) will
be insufficient in itself to enable DES3 in TLS cipher suites. A new option,
--enable-des3-tls-suites, will need to be supplied in addition. This option
should only be used in backward compatibility scenarios, as it is inherently
insecure.
NOTE: This release switches the default ASN.1 parser to the new ASN template
code. If the original ASN.1 code is preferred define WOLFSSL_ASN_ORIGINAL to
use it. See PR #7199.
Vulnerabilities
* [High] CVE-2024-0901 Potential denial of service and out of bounds read.
Affects TLS 1.3 on the server side when accepting a connection from a
malicious TLS 1.3 client. If using TLS 1.3 on the server side it is
recommended to update the version of wolfSSL used. Fixed in this GitHub
pull request #7099
* [Med] CVE-2024-1545 Fault Injection vulnerability in
RsaPrivateDecryption function that potentially allows an attacker thathas
access to the same system with a victims process to perform aRowhammer
fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,Qingni Shen
for the report (Peking University, The University of WesternAustralia)."
Fixed in this GitHub pull request #7167
* [Med] Fault injection attack with EdDSA signature operations. This
affects ed25519 sign operations where the system could be susceptible to
Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni
Shen for the report (Peking University, The University of Western
Australia). Fixed in this GitHub pull request #7212
New Feature Additions
* Added --enable-experimental configure flag to gate out features that are
currently experimental. Now liboqs, kyber, lms, xmss, and dual-alg-certs
require the --enable-experimental flag.
POST QUANTUM SUPPORT ADDITIONS
* Experimental framework for using wolfSSL’s XMSS implementation (PR 7161)
* Experimental framework for using wolfSSL’s LMS implementation (PR 7283)
* Experimental wolfSSL Kyber implementation and assembly optimizations,
enabled with --enable-experimental --enable-kyber (PR 7318)
* Experimental support for post quantum dual key/signature certificates. A
few known issues and sanitizer checks are in progress with this feature.
Enabled with the configure flags --enable-experimental
--enable-dual-alg-certs (PR 7112)
* CryptoCb support for PQC algorithms (PR 7110)
OTHER FEATURE ADDITIONS
* The Linux kernel module now supports registration of AES-GCM, AES-XTS,
AES-CBC, and AES-CFB with the kernel cryptosystem through the new
--enable-linuxkm-lkcapi-register option, enabling automatic use of
wolfCrypt implementations by the dm-crypt/luks and ESP subsystems. In
particular, wolfCrypt AES-XTS with –enable-aesni is faster than the
native kernel implementation.
* CryptoCb hook to one-shot CMAC functions (PR 7059)
* BER content streaming support for PKCS7_VerifySignedData and sign/
encrypt operations (PR 6961 & 7184)
* IoT-Safe SHA-384 and SHA-512 support (PR 7176)
* I/O callbacks for content and output with PKCS7 bundle sign/encrypt to
reduce peak memory usage (PR 7272)
* Microchip PIC24 support and example project (PR 7151)
* AutoSAR shim layer for RNG, SHA256, and AES (PR 7296)
* wolfSSL_CertManagerUnloadIntermediateCerts API to clear intermediate
certs added to certificate store (PR 7245)
* Implement SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid
(PR 7236)
Enhancements and Optimizations
* Remove obsolete user-crypto functionality and Intel IPP support (PR 7097)
* Support for RSA-PSS signatures with CRL use (PR 7119)
* Enhancement for AES-GCM use with Xilsecure on Microblaze (PR 7051)
* Support for crypto cb only build with ECC and NXP CAAM (PR 7269)
* Improve liboqs integration adding locking and init/cleanup functions (PR
7026)
* Prevent memory access before clientSession->serverRow and
clientSession->serverIdx are sanitized (PR 7096)
* Enhancements to reproducible build (PR 7267)
* Update Arduino example TLS Client/Server and improve support for ESP32
(PR 7304 & 7177)
* XC32 compiler version 4.x compatibility (PR 7128)
* Porting for build on PlayStation 3 and 4 (PR 7072)
* Improvements for Espressif use; SHA HW/SW selection and use on ESP32-C2/
ESP8684, wolfSSL_NewThread() type, component cmake fix, and update TLS
client example for ESP8266 (PR 7081, 7173, 7077, 7148, 7240)
* Allow crypto callbacks with SHA-1 HW (PR 7087)
* Update OpenSSH port to version 9.6p1(PR 7203)
* ARM Thumb2 enhancements, AES-GCM support for GCM_SMALL, alignment fix on
key, fix for ASM clobber list (PR 7291,7301,7221)
* Expand heap hint support for static memory build with more x509 functions
(PR 7136)
* Improving ARMv8 ChaCha20 ASM (alignment) (PR 7182)
* Unknown extension callback wolfSSL_CertManagerSetUnknownExtCallback added
to CertManager (PR 7194)
* Implement wc_rng_new_ex for use with devID’s with crypto callback (PR
7271)
* Allow reading 0-RTT data after writing 0.5-RTT data (PR 7102)
* Send alert on bad PSK binder error (PR 7235)
* Enhancements to CMake build files for use with cross compiling (PR 7188)
Fixes
* Fix for checking result of MAC verify when no AAD is used with AES-GCM
and Xilinx Xilsecure (PR 7051)
* Fix for Aria sign use (PR 7082)
* Fix for invalid dh_ffdhe_test test case using Intel QuickAssist (PR 7085)
* Fixes for TI AES and SHA on TM4C with HW acceleration and add full AES
GCM and CCM support with TLS (PR 7018)
* Fixes for STM32 PKA use with ECC (PR 7098)
* Fixes for TLS 1.3 with crypto callbacks to offload KDF / HMAC operation
(PR 7070)
* Fix include path for FSP 3.5 on Renesas RA6M4 (PR 7101)
* Siphash x64 asm fix for use with older compilers (PR 7299)
* Fix for SGX build with SP (PR 7308)
* Fix to Make it mandatory that the cookie is sent back in new ClientHello
when seen in a HelloRetryRequest with (PR 7190)
* Fix for wrap around behavior with BIO pairs (PR 7169)
* OCSP fixes for parsing of response correctly when there was a revocation
reason and returning correct error value with date checks (PR 7241 & 7255)
* Fix build with NO_STDIO_FILESYSTEM and improve checks for XGETENV (PR
7150)
* Fix for DTLS sequence number and cookie when downgrading DTLS version (PR
7214)
* Fix for write_dup use with chacha-poly cipher suites (PR 7206)
* Fix for multiple handshake messages in one record failing with
OUT_OF_ORDER_E when downgrading from TLS 1.3 to TLS 1.2 (PR 7141)
* Fix for AES ECB build with Thumb and alignment (PR 7094)
* Fix for negotiate handshake until the end in wolfSSL_read/wolfSSL_write
if hitting an edge case with want read/write (PR 7237)
Version 3.8.4 (released 2024-03-18)
** libgnutls: RSA-OAEP encryption scheme is now supported
To use it with an unrestricted RSA private key, one would need to
initialize a gnutls_x509_spki_t object with necessary parameters
for RSA-OAEP and attach it to the private key. It is also possible
to import restricted private keys if they are stored in PKCS#8
format.
** libgnutls: Fix side-channel in the deterministic ECDSA.
[GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
** libgnutls: Fixed a bug where certtool crashed when verifying a certificate
chain with more than 16 certificates.
[GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835]
** libgnutls: Compression libraries are now loaded dynamically as needed
instead of all being loaded during gnutls library initialization.
As a result, the library initialization should be faster.
** build: The gnutls library can now be linked with the static library
of GMP. Note that in order for this to work libgmp.a needs to be
compiled with -fPIC and libhogweed in Nettle also has to be linked
to the static library of GMP. This can be used to prevent custom
memory allocators from being overriden by other applications.
Noteworthy changes in version 1.3.0 (2024-03-18)
------------------------------------------------
* qt: Add new Qt6 frontend.
* qt: Set parent window on Wayland.
* qt: Fix capslock detection on Wayland.
* qt: Fix window icon on Wayland.
* qt: Add support for external password manager with libsecret.
* qt: Remove focus indication by text selection.
* qt: Use same focus indication for labels as Kleopatra.
* qt: Improve accessibility.
* gnome3: Prefer gcr-4.
* curses: Fix timeout handling.
* curses: Add SETREPEATOK and quality bar colors.
* curses: Add password quality meter.
* curses,tty: Upon SIGINT, let pinentry exit gracefully.
* w32: Fix non-focused window and simplify code.
* Disable secret storage integration when running on KDE Plasma.
* The Windows CE support has been removed.
* Version 1.1.3 (released 2024-03-13)
** Fix USB HID issue on MacOS that sometimes caused a pause while waiting for a
timeout.
** Fix argument to CredProp extension where an enum value was required instead of
also allowing a string.
** Fix parsing of some key types (ES384, ES512) causing signature verification to fail.
** Deprecation: Calling websafe_decode with a bytes argument instead of str.
This will raise a TypeError in the next major version of the library.
[0.11.0] - 2024-03-17
Added
Add log view pane to the TUI (#201)
Changed
Simplify cargo-tarpaulin installation in CI
Set up mergify
Switch to ratatui-splash-screen
Fixed
Show all the algorithm names (#154)
Apply clippy suggestions
v1.4.0 (27 Feb 2024)
++++++++++++++++++++++++
Additions & changes:
- ``OAuth2Session`` now correctly uses the ``self.verify`` value if ``verify``
is not overridden in ``fetch_token`` and ``refresh_token``. Fixes `#404
<https://github.com/requests/requests-oauthlib/issues/404>`_.
- ``OAuth2Session`` constructor now uses its ``client.scope`` when a ``client``
is provided and ``scope`` is not overridden. Fixes `#408
<https://github.com/requests/requests-oauthlib/issues/408>`_
- Add ``refresh_token_request`` and ``access_token_request`` compliance hooks
- Add PKCE support and Auth0 example
- Add support for Python 3.8-3.12
- Remove support of Python 2.x, <3.7
- Migrated to Github Action
- Updated dependencies
- Cleanup some docs and examples
## 2.7.7 (2024-03-09)
### Changes
- Support USB Hotplug for Hardware Key interface [#10092]
- Support 1PUX and Bitwarden import [#9815]
- Browser: Add support for PassKeys [#8825, #9987, #10318]
- Build System: Move to vcpkg manifest mode [#10088]
### Fixes
- Fix multiple TOTP issues [#9874]
- Fix focus loss on save when the editor is not visible anymore [#10075]
- Fix visual when removing entry from history [#9947]
- Fix first entry is not selected when a search is performed [#9868]
- Prevent scrollbars on entry drag/drop [#9747]
- Prevent duplicate characters in "Also choose from" field of password generator [#9803]
- Security: Prevent byte-by-byte and attachment inference side channel attacks [#10266]
- Browser: Fix raising Update Entry messagebox [#9853]
- Browser: Fix bugs when returning credentials [#9136]
- Browser: Fix crash on database open from browser [#9939]
- Browser: Fix support for referenced URL fields [#8788]
- MacOS: Fix crash when changing highlight/accent color [#10348]
- MacOS: Fix TouchID appearing even though lid is closed [#10092]
- Windows: Fix terminating KeePassXC processes with MSI installer [#9822]
- FdoSecrets: Fix database merge crash when enabled [#10136]
24.1.0 (2024-03-09)
Backward-incompatible changes:
* Removed the deprecated ``OpenSSL.crypto.PKCS12`` and
``OpenSSL.crypto.NetscapeSPKI``. ``OpenSSL.crypto.PKCS12`` may be replaced
by the PKCS#12 APIs in the ``cryptography`` package.
Noteworthy changes in version 2.4.5 (2024-03-07)
------------------------------------------------
* gpg,gpgv: New option --assert-pubkey-algo. [T6946]
* gpg: Emit status lines for errors in the compression layer.
[T6977]
* gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
* gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
* gpgtar: Make --status-fd=2 work on Windows. [T6961]
* scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
* scd: Suport D-TRUST ECC cards. [T7000,T7001]
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards. [T6843]
* agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
* dirmngr: Trust system's root CAs for checking CRL issuers.
[T6963]
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
[T6997]
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains. [rG37cc255e49]
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo". [rGa09157ccb2]
* Allow tilde expansion for the foo-program options. [T7017]
* Make the getswdb.sh tool usable outside the GnuPG tree.
1.7.8
* Add a SARIF output formatter
* [B605] Add functions that are vulnerable to shell injection.
* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0
* filter data is safe for tarfile extractall
* Use datetime to avoid updating copyright year
* Add 1.7.7 to versions of bug template
* Bump sigstore/cosign-installer from 3.3.0 to 3.4.0
* Utilize PyPI's trusted publishing
* Incorrect tag naming in readme
Noteworthy changes in version 2.5.7 (2024-03-06)
* New configure option --with-libtool-modification.
* Change the naming of the 64 bit Windows DLL from libassuan6-0.dll
to libassuan-0.dll to sync this with what we did for libgpg-error.
New in 0.25.0; 2024-03-06
Security
CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC
CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init
General improvements
Update OpenSSL 1.1.1 to 3.0 in MacOS build
Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver
Fix 64b to 32b conversions
Improvements for the p11test
Fix reader initialization without SCardControl
Make RSA PKCS#1 v1.5 depadding constant-time
Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card
Enable MSI signing via Signpath CI integration for Windows
Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
minidriver
Fix wrong hash selection
pkcs11-tool
Simplify printing EC keys parameters
Add option to import GENERIC key
Add support for importing Ed25518/448 keys
drust-tool
Add tool for D-Trust cards
IDPrime
Support uncompressed certificates on IDPrime 940
Enhance IDPrime logging
Add SafeNet 5110+ FIPS token support
D-Trust Signature Cards
Add support for RSA D-Trust Signature Card 4.1 and 4.4
EstEID
Remove expired EstEID 3.* card support
ePass2003
Allow SW implementation with more SHA2 hashes and ECDSA
Fix EC key generation
SmartCard-HSM
Fix SELECT APDU command
MyEID
Update for PKCS#15 profile
Rutoken
Support for RSA 4096 key algorithm
OpenPGP
Fix decryption requiting Manage Security Environment for authentication key
2.0.3: Ludovic Rousseau
3 March 2024
- add SCARD_E_UNKNOWN_RES_MNG back
2.0.2: Ludovic Rousseau
3 March 2024
- SCardConnect() & SCardReconnect(): restrict the protocol used
- negotiate PTS also for the backup protocol
- pcscd.8:
. document --disable-polkit
. add "CONFIGURATION FILE" section
- Some other minor improvements
From Ricardo Branco in PR pkg/57963.
ClosesNetBSD/pkgsrc#129.
This Go program uses goroutines to calculate multiple hashes on strings, files
and directories. The output format is fully configurable.
Notable changes
- `sq` now uses `sequoia-keystore` for secret key operations.
When decrypting a message, `sq` will automatically ask the
keystore to decrypt the message. `sq sign --signer-key` can be
used to specify a signing key managed by the key store.
- New top-level option: `sq --no-key-store`: A new switch to
disable the use of the key store.
- New top-level option: `sq --key-store`: A new option to use an
alternate key store.
- New subcommand `sq key list` to list keys managed by the key
store.
- New subcommand `sq key import` to import a key into the key
store.
- When showing a user ID for a certificate, choose the one that is
most authenticated.
2.7.2
Fixed
pip-audit now invokes pip with --keyring-provider=subprocess, partially fixing a regression that was introduced with another authentication fix in 2.6.2. This allows the interior pip to use keyring to perform third-party index authentication.
Packaged by pin@ and myself in wip.
sq, the Sequoia-PGP command line tool
Sequoia-PGP is an implementation of OpenPGP in Rust. It includes a suite of
library crates, which are meant to be used from applications.
This crate provides the 'sq' command line application.
'sq' is aimed at command line users as a way to use OpenPGP conveniently from
the command line.
See the sq user guide for instructions:
https://sequoia-pgp.gitlab.io/sq-user-guide/
The program also has built-in help, using the --help option and help subcommand.
1.9.15p3 (2023-12-13)
* Always disable core dumps when sudo sends itself a fatal signal.
Fixes a problem where sudo could potentially dump core dump when
it re-sends the fatal signal to itself. This is only an issue
if the command received a signal that would normally result in
a core dump but the command did not actually dump core.
* Fixed a bug matching a command with a relative path name when
the sudoers rule uses shell globbing rules for the path name.
Bug #1062.
* Permit visudo to be run even if the local host name is not set.
GitHub issue #332.
* Fixed an editing error introduced in sudo 1.9.15 that could
prevent sudoreplay from replaying sessions correctly.
GitHub issue #334.
* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
could hang on Linux systems. GitHub issue #335.
* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
specified in sudoers were not applied to the command being run.
1.9.15p4 (2023-12-15)
* Fixed a bug introduced in sudo 1.9.15 that could prevent a user's
privileges from being listed by "sudo -l" if the sudoers entry
in /etc/nsswitch.conf contains "[SUCCESS=return]". This did not
affect the ability to run commands via sudo. Bug #1063.
1.9.15p5 (2023-12-30)
* Fixed evaluation of the "lecture", "listpw", "verifypw", and
"fdexec" sudoers Defaults settings when used without an explicit
value. Previously, if specified without a value they were
evaluated as boolean "false", even when the negation operator
('!') was not present.
* Fixed a bug introduced in sudo 1.9.14 that prevented LDAP
netgroup queries using the NETGROUP_BASE setting from being
performed.
* Sudo will now transparently rename a user's lecture file from
the older name-based path to the newer user-ID-based path.
GitHub issue #342.
* Fixed a bug introduced in sudo 1.9.15 that could cause a memory
allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066.
Upstream changes:
0.40 - Sat Feb 17 06:34:33 2024
Moving $OSNAME checks to compile time with GH#4. Thanks to Aristotle.
Test and documentation fixes in GH#1, GH#2, GH#3. Thanks to guest20.
Upstream changes:
v2.23, 16.01.2024
- no code changes
- ignoring Crypt::OpenSSL::Blowfish in test suite, as it is no longer
accepting 56 byte keys (as other Blowfish implementations do)
- added GPLv2 text
Pkgsrc changes:
Add pkg-config override.
Changes From changelog:
* Fix a potential denial of service caused by accepting arbitrary
length primes as potential elliptic curve parameters in ASN.1
encodings. With very large inputs the primality verification
can become computationally expensive. Now any prime field larger
than 1024 bits is rejected immediately. Reported by Bing Shi.
(GH #3914)
* Switch to using a constant time binary algorithm for computing
GCD (GH #3912)
* Fix a bug in SHAKE_Cipher which could cause incorrect output
if set_key was called multiple times. (GH #3192)
* Fix a bug in RSA-KEM encryption where the shared secret key
was incorrectly not padded to exactly the byte length of the
modulus. This would cause an incorrect shared key with ~1/256
probability. (GH #3380)
* In RSA decryption and signature verification, reject bytestrings
which are longer than the public modulus. Previously, otherwise
valid signatures/ciphertexts with additional leading zero bytes
would also be accepted. (GH #3380)
* Add support for short nonces in XTS (GH #3384#3336)
* Fix NIST keywrap which was incorrect when wrapping 64-bit keys
(GH #3384#3340)
* Fix nonce handling bug in EAX (GH #3382#3335)
* Fix a bug in PKCS11 AttributeContainer where adding an attribute
that already existed could cause incorrect references to the
existing attributes. (GH #3185)
* Apply patches which allow GCC 4.7 to compile Botan 2.x. Previously
at least GCC 4.8 had been required. (GH #3273)
* Fix a build time problem affecting VCpkg (GH #3071)
* Fix a build problem affecting Windows ARM with Visual C++ (GH #3871)