v 11.0.41rc2
============================================================
x More precise event suppression mechanism
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.41rc2
============================================================
x More precise event suppression mechanism
v 11.0.41rc1
============================================================
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.40
============================================================
x Avoid synchronous policy fetching whenever possible
(fixes multiple issues)
v 11.0.40rc2
============================================================
x Avoid synchronous policy fetching whenever possible
v 11.0.40rc1
============================================================
x Handle edge case in file:// pages: policy change and
reload before DOMContentLoaded
v 11.0.39
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Added "Revoke temporary permissions on NoScript updates,
even if the browser is not restarted" advanced option
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
v 11.0.39rc8
============================================================
x Several hacks to make non-distruptive updates compatible
with Chromium
x Tighten localPolicy persistence mechanism during reloads
v 11.0.39rc7
============================================================
x Temporary settings survival more resilient and compatible
with Fenix
x [L10n] Updated es
v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
v 11.0.39rc5
============================================================
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Renamed option to "Revoke temporary permissions on
NoScript updates, even if the browser is not restarted"
v 11.0.39rc4
============================================================
x Added option to forget temporary settings immediately
whenever NoScript gets updated
x Fixed regression: file:/// URLs reloaded whenever NoScript
gets reinstalled / enabled / reloaded
x More resilient and easy to debug survival data retrieving
v 11.0.39rc3
============================================================
x Fixed regression causing manual NoScript downgrades to be
delayed until manual restart
v 11.0.39rc2
============================================================
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Removed useless CSS property
x Updated TLDs
v 11.0.39rc1
============================================================
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Fixed typo in vendor-prefixed CSS
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38
============================================================
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.37
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
x Updated TLDs
v 11.0.37rc3
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x Updated TLDs
v 11.0.37rc2
============================================================
x SyncMessage suspending on DOM modification as well
x Updated TLDs
v 11.0.37rc1
============================================================
x Updated TLDs
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
v 11.0.36
============================================================
x Fixed regression: temporary permissions revocation not
working anymore on privileged pages
x SendSyncMessage script execution safety net more
compatible with other extensions (e.g. BlockTube)
v 11.0.35
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
x Let SyncMessage prevent undesired script execution
scheduled during suspension
v 11.0.35rc4
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x Fixed potentially infinite loop in SyncMessage Firefox
implementation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
v 11.0.35rc3
============================================================
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
v 11.0.35rc2
============================================================
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
v 11.0.35rc1
============================================================
x Let SyncMessage prevent undesired script execution
scheduled during suspension
Certbot 1.7.0
Added
Third-party plugins can be used without prefix (plugin_name instead of dist_name:plugin_name):
this concerns the plugin name, CLI flags, and keys in credential files.
The prefixed form is still supported but is deprecated, and will be removed in a future release.
Added --nginx-sleep-seconds (default 1) for environments where nginx takes a long time to reload.
Changed
The Linode DNS plugin now waits 120 seconds for DNS propagation, instead of 1200,
due to https://www.linode.com/blog/linode/linode-turns-17/
We deprecated support for Python 3.5 in Certbot and its ACME library.
Support for Python 3.5 will be removed in the next major release of Certbot.
More details about these changes can be found on our GitHub repo.
This is the last version that supports autoconf, and this update is
only because it's a reasonable benefit/cost tradeoff as an
intermediaate step. Tested on netbsd-9/earmv7hf-el.
Upstream chanages:
many bug fixes and improvements
zoneminder API
Multiserver
limted ONVIF support
See more at
https://github.com/ZoneMinder/zoneminder/releases/tag/v1.29.0-rc2 and
before and after.
Note that when updating, one must run zmupdate to modify the db schema.
give "gpg: can't connect to the agent: File name too long". Make this
less annoying by not running tests before 'make test' (and fixing that
pkgsrc target).
As of 1.24, MATE requires GNU-specific msgfmt features. meta-pkgs/mate/
Makefile.common r. 1.10 expressed this tool dependency using
USE_BUILTIN.gettext=no, but this exposed pkgsrc gettext-libs in the
build environment as well, which some MATE packages then linked
against, but gettext-libs didn't end up being declared as a run-time
dependency, so binary package installations were broken (with the
workaround of manually installing the undeclared gettext-libs
dependency). Express this dependency differently, so GNU msgfmt is
used as a tool without exposing pkgsrc gettext-libs.
(The pkgsrc tooling infrastruture could be altered to provide a
distinct "gmsgfmt" tool, same with "gxgettext", and perhaps others.
Here I'm just immediately concerned with fixing this packaging issue.)
Addresses PR pkg/55503 by Jay Patel.
* Disable document option, it requires asciidoctor.
Changelog:
## 2.6.1 (2020-08-19)
### Added
- Add menu entries for auto-typing only username or only password [#4891]
- Browser: Add command for retrieving current TOTP [#5278]
- Improve man pages [#5010]
- Linux: Support Xfce screen lock signals [#4971]
- Linux: Add OARS metadata to AppStream markup [#5031]
- SSH Agent: Substitute tilde with %USERPROFILE% on Windows [#5116]
### Changed
- Improve password generator UI and UX [#5129]
- Do not prompt to restart if switching the theme back and forth [#5084]
- Change actions for F1, F2, and F3 keys [#5082]
- Skip referenced passwords in health check report [#5056]
- Check system-wide Qt translations directory for downstream translations packaging [#5064]
- macOS: Change password visibility toggle shortcut to Ctrl+H to avoid conflict with system shortcut [#5114]
- Browser: Only display domain name in browser access confirm dialog to avoid overly wide window sizes [#5214]
### Fixed
- Fix clipboard not being cleared when database is locked while timeout is still active [#5184]
- Fix list of previous databases not being cleared in some cases [#5123]
- Fix saving of non-data changes on database lock [#5210]
- Fix search results banner theming [#5197]
- Don't enforce theme palette in Classic theme mode and add hover effect for buttons [#5122,#5267]
- Fix label clipping in settings on high-DPI screens [#5227]
- Fix excessive memory usage by icons on systems with high-DPI screens [#5266]
- Fix crash if number of TOTP digits exceeds ten [#5106]
- Fix slot detection when first YubiKey is configured on the second slot [#5004]
- Prevent crash if focus widget gets deleted during saving [#5005]
- Always show buttons for opening or saving attachments [#4956]
- Update link to Auto-Type help [#5228]
- Fix build errors with Ninja [#5121]
- CLI: Fix db-info command wrongly labelled as db-show in usage listing [#5140]
- Windows: Use Classic theme by default if high-contrast mode is on [#5191]
- Linux: Add workaround for qt5ct bug, causing icons not to show up [#5011]
- Linux: Correct high-DPI display by not allowing fractional scaling [#5185]
- Browser: Consider subdomain and path when requesting only "best-matching credentials" [#4832]
- SSH Agent: Always forget all keys on lock [#5115]
## 2.6.0 (2020-07-06)
### Added
- Custom Light and Dark themes [#4110, #4769, #4791, #4892, #4915]
- Compact mode to use classic Group and Entry line height [#4910]
- New monochrome tray icons [#4796, #4803]
- View menu to quickly switch themes, compact mode, and toggle UI elements [#4910]
- Search for groups and scope search to matched groups [#4705]
- Save Database Backup feature [#4550]
- Sort entries by "natural order" and move lines up/down [#4357]
- Option to launch KeePassXC on system startup/login [#4675]
- Caps Lock warning on password input fields [#3646]
- Add "Size" column to entry view [#4588]
- Browser-like tab experience using Ctrl+[Num] (Alt+[Num] on Linux) [#4063, #4305]
- Password Generator: Define additional characters to choose from [#3876]
- Reports: Database password health check (offline) [#3993]
- Reports: HIBP online service to check for breached passwords [#4438]
- Auto-Type: DateTime placeholders [#4409]
- Browser: Show group name in results sent to browser extension [#4111]
- Browser: Ability to define a custom browser location (macOS and Linux only) [#4148]
- Browser: Ability to change root group UUID and inline edit connection ID [#4315, #4591]
- CLI: `db-info` command [#4231]
- CLI: Use wl-clipboard if xclip is not available (Linux) [#4323]
- CLI: Incorporate xclip into snap builds [#4697]
- SSH Agent: Key file path env substitution, SSH_AUTH_SOCK override, and connection test [#3769, #3801, #4545]
- SSH Agent: Context menu actions to add/remove keys [#4290]
### Changed
- Complete replacement of default database icons [#4699]
- Complete replacement of application icons [#4066, #4161, #4203, #4411]
- Complete rewrite of documentation and manpages using Asciidoctor [#4937]
- Complete refactor of config files; separate between local and roaming [#4665]
- Complete refactor of browser integration and proxy code [#4680]
- Complete refactor of hardware key integration (YubiKey and OnlyKey) [#4584, #4843]
- Significantly improve performance when saving and opening databases [#4309, #4833]
- Remove read-only detection for database files [#4508]
- Overhaul of password fields and password generator [#4367]
- Replace instances of "Master Key" with "Database Credentials" [#4929]
- Change settings checkboxes to positive phrasing for consistency [#4715]
- Improve UX of using entry actions (focus fix) [#3893]
- Set expiration time to Now when enabling entry expiration [#4406]
- Always show "New Entry" in context menu [#4617]
- Issue warning before adding large attachments [#4651]
- Improve importing OPVault [#4630]
- Improve AutoOpen capability [#3901, #4752]
- Check for updates every 7 days even while still running [#4752]
- Improve Windows installer UI/UX [#4675]
- Improve config file handling of portable distribution [#4131, #4752]
- macOS: Hide dock icon when application is hidden to tray [#4782]
- Browser: Use unlock dialog to improve UX of opening a locked database [#3698]
- Browser: Improve database and entry settings experience [#4392, #4591]
- Browser: Improve confirm access dialog [#2143, #4660]
- KeeShare: Improve monitoring file changes of shares [#4720]
- CLI: Rename `create` command to `db-create` [#4231]
- CLI: Cleanup `db-create` options (`--set-key-file` and `--set-password`) [#4313]
- CLI: Use stderr for help text and password prompts [#4086, #4623]
- FdoSecrets: Display existing secret service process [#4128]
### Fixed
- Fix changing focus around the main window using tab key [#4641]
- Fix search field clearing while still using the application [#4368]
- Improve search help widget displaying on macOS and Linux [#4236]
- Return keyboard focus after editing an entry [#4287]
- Reset database path after failed "Save As" [#4526]
- Make builds reproducible [#4411]
- Improve handling of ccache when building [#4104, #4335]
- Windows: Use correct UI font and size [#4769]
- macOS: Properly re-hide application window after browser integration and Auto-Type usage [#4909]
- Linux: Fix version number not embedded in AppImage [#4842]
- Auto-Type: Fix crash when performing on new entry [#4132]
- Browser: Send legacy HTTP settings to recycle bin [#4589]
- Browser: Fix merging browser keys [#4685]
- CLI: Fix encoding when exporting database [#3921]
- SSH Agent: Improve reliability and underlying code [#3833, #4256, #4549, #4595]
- FdoSecrets: Fix crash when editing settings before service is enabled [#4332]
Changes since v4.4.0:
wolfSSL Release 4.5.0 (August 19, 2020)
If you have questions about this release, feel free to contact us on our
info@ address.
Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions
* Added Xilinx Vitis 2019.2 example and README updates
* TLS v1.3 is now enabled by default
* Building FIPS 140-2 code and test on Solaris
* Secure renegotiation with DTLS 1.2
* Update RSA calls for hardware acceleration with Xilsecure
* Additional OpenSSL compatibility layer functions added
* Cypress PSoC6 wolfCrypt driver added
* Added STM32CubeIDE support
* Added certificate parsing and inspection to C# wrapper layer
* TLS v1.3 sniffer support added
* TSIP v1.09 for target board GR-ROSE support added
* Added support for the "X72N Envision Kit" evaluation board
* Support for ECC nonblocking using the configure options
"--enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS=-DWOLFSSL_PUBLIC_MP"
* Added wc_curve25519_make_pub function to generate a public key given the
private one
Fixes
* PIC32MZ hardware cache and large hashes fix
* AES-GCM use with EVP layer in compatibility layer code
* Fix for RSA_LOW_MEM with ARM build of SP code
* Sanity check on tag length with AES-CCM to conform with RFC 3610
* Fixes for 32 and 64 bit software implementations of SP code when
WOLFSSL_SP_CACHE_RESISTANT is defined
* GCC warning fixes for GCC 9 and later
* Sanity check on HKDF expand length to conform with RFC 5869
* Fixes for STM32 CubeMX HAL with AES-GCM
* Fixed point cache look up table (LUT) implementation fixes
* Fix for ARM 32bit SP code when calling div word
* Fix for potential out of bounds read when parsing CRLs
* Fix for potential out of bounds read with RSA unpadding
* AES-CCM optimized counter fix
* Updates to Xcode projects for new files and features
* Fix for adding CRL’s to a WOLFSSL_X509_STORE structure
* FIPSv2 build with opensslall build fixes
* Fixes for CryptoCell use with ECC and signature wrappers
* Fix for mod calculation with SP code dealing with 3072 bit keys
* Fix for handling certificates with multiple OU’s in name
* Fix for SP math implementation of sp_add_d and add a sanity check on
rshb range
* Fix for sanity check on padding with DES3 conversion of PEM to DER
* Sanity check for potential out of bounds read with fp_read_radix_16
* Additional checking of ECC scalars.
* Fixing the FIPS Ready build w.r.t. ecc.c.
* When processing certificate names with OpenSSL compatibility layer
enabled, unknown name item types were getting handled as having NID 0,
and failing. Added a couple more items to what is handled correctly,
and ignoring anything that is an unknown type.
Improvements/Optimizations
* TLS 1.3 certificate verify update to handle 8192 bit RSA keys
* wpa_supplicant support with reduced code size option
* TLS 1.3 alerts encrypted when possible
* Many minor coverity fixes added
* Error checking when parsing PKCS12 DER
* IAR warning in test.c resolved
* ATECC608A improvements for use with Harmony 3 and PIC32 MZ
* Support for AES-GCM and wc_SignatureVerifyHash with static memory and no
malloc’s
* Enable SNI by default with JNI/JSSE builds
* NetBSD GCC compiler warnings resolved
* Additional test cases and code coverage added including curve25519 and
curve448 tests
* Option for user defined mutexes with WOLFSSL_USER_MUTEX
* Sniffer API’s for loading buffer directly
* Fixes and improvements from going through the DO-178 process were added
* Doxygen updates and fixes for auto documentation generation
* Changed the configure option for FIPS Ready builds to be
`--enable-fips=ready`.
This release of wolfSSL includes fixes for 6 security vulnerabilities.
wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
2 side channel attack mitigations, 1 fix for a potential private key leak
in a specific use case, 1 fix for DTLS.
* In earlier versions of wolfSSL there exists a potential man in the middle
attack on TLS 1.3 clients. Malicious attackers with a privileged network
position can impersonate TLS 1.3 servers and bypass authentication. Users
that have applications with client side code and have TLS 1.3 turned on,
should update to the latest version of wolfSSL. Users that do not have
TLS 1.3 turned on, or that are server side only, are NOT affected by this
report. Thanks to Gerald Doussot from NCC group for the report.
* Denial of service attack on TLS 1.3 servers from repetitively sending
ChangeCipherSpecs messages. This denial of service results from the
relatively low effort of sending a ChangeCipherSpecs message versus the
effort of the server to process that message. Users with TLS 1.3 servers are
recommended to update to the most recent version of wolfSSL which limits the
number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid
this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to
Lenny Wang of Tencent Security Xuanwu LAB.
* Potential cache timing attacks on public key operations in builds that are
not using SP (single precision). Users that have a system where malicious
agents could execute code on the system, are not using the SP build with
wolfSSL, and are doing private key operations on the system (such as signing
with a private key) are recommended to regenerate private keys and update to
the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report.
* When using SGX with EC scalar multiplication the possibility of side-channel
attacks are present. To mitigate the risk of side channel attacks wolfSSL’s
single precision EC operations should be used instead. Release 4.5.0 turns
this on be default now with SGX builds and in previous versions of wolfSSL
this can be turned on by using the WOLFSSL_SP macros. Thank you to
Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from
the Network and Information Security Group (NISEC) at Tampere University for
the report.
* Leak of private key in the case that PEM format private keys are bundled in
with PEM certificates into a single file. This is due to the
misclassification of certificate type versus private key type when parsing
through the PEM file. To be affected, wolfSSL would need to have been built
with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as
--enable-all and --enable-opensslall also turn on this code path, checking
wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the
build. If having built with the opensslextra enable option and having placed
PEM certificates with PEM private keys in the same file when loading up the
certificate file, then we recommend updating wolfSSL for this use case and
also recommend regenerating any private keys in the file.
* During the handshake, clear application_data messages in epoch 0 are
processed and returned to the application. Fixed by dropping received
application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala
University and Robert Merget of Ruhr-University Bochum for the report.
For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
acceleration code. If we're x86_64, and the assembler is GNU, and the
version is too old, disable hardware acceleration. Other non-working
combinations can be added as they're discovered. No functional change
intended to any platforms where this previously built, but since it's
hard to be sure of that, I'm bumping PKGREVISION.
Alternatively, we could build with gas from devel/binutils when needed.
multimedia/libvpx says it does this (for similar reasons), but I
couldn't get that to work here, and am suspicious whether it still
works there.
This enables built-in U2F/FIDO security key support, without any
SSH_SK_PROVIDER middleware library needed. Works only on platforms
with working libfido2, so not enabled by default yet. We should
enable it by default in NetBSD>=10 and maybe some other platforms.
packaging changes: accomodate README to README.md transition
upstream changes:
- support added for many cards/readers (see README.md upstream for list)
- bugfixes
- minor improvements
1.4.33 - 25 June 2020, Ludovic Rousseau
- add --enable-oslog argument for macOS
use os_log(3) for macOS >= 10.12 (Sierra)
- Update PCSC submodule to get Unicode support
1.4.32 - 22 April 2020, Ludovic Rousseau
- Add SCardGetAttrib(.., SCARD_ATTR_CHANNEL_ID, ..) for USB devices
- Increase the timeout used to detect the Identiv uTrust 3700/3701 F readers
- Fix PowerOn bug for ICCD type A & B devices
- Disable pinpad for Chicony HP Skylab USB Smartcard Keyboard
1.4.31 - 10 August 2019, Ludovic Rousseau
1.4.30 - 19 September 2018, Ludovic Rousseau
- The project moved to https://ccid.apdu.fr/
- Disabled readers
- REINER SCT cyberJack RFID standard
1.4.29 - 21 February 2018, Ludovic Rousseau
- The C3PO LTC31 v2 wrongly declares PIN support
- Remove extra EGT patch because if has bad side effects
1.4.28 - 11 October 2017, Ludovic Rousseau
- Disabled readers
- Jinmuyu Electronics Co., Ltd. MR800
Yubico's Python library and command-line tool for managing Yubikeys.
Meta-package security/ykman gives a more obvious name, without any
Python package prefixing, for the ykman command-line tool package.
The webauthn API is disabled by default in the Tor Browser:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26614
In order to use it, risking the consequences since the Tor Project
has not audited its anonymity properties, you have to explicitly
enable security.webauthn.webauthn=true in about:config.
So if you definitely want to log into a web site using U2F in spite
of that, with location privacy but not anonymity, then these patches
now enable it to work on NetBSD (with the caveat that enabling
security.webauthn.webauthn=true applies also to any web site that
tries to use the webauthn API, not just the ones you want to log
into).
Changes since previous pkgsrc version 2.5.1, from the NEWS file
Also add a fix for proper escape single quotes in RelayState
From upstream https://dev.entrouvert.org/issues/45581
2.6.1 - Aptil 22th 2019
----------------------
42 commits, 425 files changed, 3894 insertions, 795 deletions
- Keep order of SessionIndexes
- Clear SessionIndex when private SessionIndexes is empty (#41950)
- misc: clear warnings about class_init signature using coccinelle
- tests: fix compilation with check>0.12 (#39101)
- Sort input file lists to make build deterministic (#40454)
- debian: disable php7 (#28608)
- Modify .gitignore for PHP 7 binding (#28608)
- Add PHP 7 binding (#28608)
- Fix tests broken by new DEBUG logs (#12829)
- Improve error logging during node parsing (#12829)
- Improve configure compatibility (#32425)
- Improve compatibility with Solaris (#32425)
- Fix reference count in lasso_server_add_provider2 (fixes#35061)
- Fix python multi-version builds on jessie and stretch
- docs: do not use Internet to fetch DTDs, entities or documents (#35590)
- fix missing include <strings.h> for index() (fixes#33791)
- PAOS: Do not populate "Destination" attribute (Dmitrii Shcherbakov)
- export symbol lasso_log (#33784)
- Do not ignore WantAuthnRequestSigned value with hint MAYBE (#33354)
- Use io.open(encoding=utf8) in extract_symbols/sections.py (#33360)
- xml: adapt schema in saml2:AuthnContext (#29340)
- Fix ECP signature not found error when only assertion is signed (#26828)
- autoconf: search python interpreters by versions (John Dennis)
- python: make tools compatible with Py3 (John Dennis)
- python: run tests and tools with same interpreter as binding target (John Dennis)
- improve resiliency of lasso_inflate (#24853)
- fix segfault in lasso_get_saml_message (#24830)
- python: add classmethod Profile.getIssuer (#24831)
- website: add news about 2.6.0 release
- debian: sync with debian package (#24595)
- faq: fix references to lasso.profileGetIssuer (#24832)
- python: add a classmethod for lasso.profileGetIssuer (#24831)
- tools: fix segfault in lasso_get_saml_message (fixes#24830)
- jenkins.sh: add a make clean to prevent previous build to break new ones
- tools: set output buffer size in lasso_inflate to 20 times the input size (fixes#24853)
- Use python interpreter specified configure script
- Make Python scripts compatible with both Py2 and Py3
- fix duplicate definition of LogoutTestCase and logoutSuite
- Downcase UTF-8 file encoding name
- Make more Python scripts compatible with both Py2 and Py3
- Configure should search for versioned Python interpreter.
- Clean python cache when building python3 binding
- Move AC_SUBST declaration for AM_CFLAGS with alike (#24771)
- Remove -Werror from --enable-debugging (fixes#24771)
- xml: fix parsing of saml:AuthnContext (fixes#25640)
2.6.0 - June 1st 2018
---------------------
32 commits, 73 files changed, 1920 insertions, 696 deletions
- add inline implementation of lasso_log
- Choose the Reference transform based on the chosen Signature transform (fixes#10155)
- add support for C14N 1.1 methods and C14N withComments methods (fixes#4863)
- remove DGME specific commented out code
- add docstring on SHA-2 signature method enum
- tests: silence unused variable warning
- check node names in lasso_node_impl_init_from_xml() (fixes#47)
- fix segfault when parsed node has no namespace (#47)
- do not call xmlSecKeyDuplicate is source key is NULL
- enable user supplied CFLAGS
- Fix ecp test validate_idp_list() (fixes#11421)
- tests: convert log level as string
- fix definitions of error, critical and warning macros (fixes#12830)
- jenkins.sh: add V=1
- add defined for the XML namespace
- ignore unknown attributes from the xsi: namespace
- saml-2.0: improve support for free content inside samlp2:Extensions (fixes#18581)
- debian: initialize stretch packaging with a copy of upstream debian (#21772)
- replace use of <xmlsec/soap.h> which is deprecated (fixes#18771)
- fix get_issuer and get_in_response_to
- route logs from libxml2 and libxmlsec through GLib logging
- tests: prevent crash in glib caused by abort on recursive logging
- java: stop setting a bytecode version target
- add xmlsec_soap.h to Makefile
- python: route logs for libxml2 and libxmlsec2 to their own logger
- perl: force use of the in-tree lasso when running tests (fixes#23276)
- perl: set DESTDIR and PREFIX at Makefile's creation
- Replace xmlSecSoap functions with lasso implementations
- add a pem-public-key runtime flag
- deprecate loading PEM formatted public keys in lasso_xmlsec_load_key_info
- perl/tests: build Makefile.perl before running the tests
pkgsrc changes:
- Document all the patches
- Honors user's CFLAGS and don't remove -Wall from CFLAGS in patch-aa: they are
usually pretty useful
- Unset OPT_{NORMAL,INLINE} optimizations via MAKE_FLAGS to minimize patch-aa
- Remove not needed NO_CONFIGURE
- Use pre-configure as stage for SUBST (now that NO_CONFIGURE is removed)
Changes:
The following changes have been made between John 1.8.0 and 1.9.0:
* Increased the interleaving for bcrypt on x86-64 from 2x to 3x for a major
speedup on CPUs without SMT. Unfortunately, this sometimes results in a minor
performance regression when running multiple threads on CPUs with SMT.
* Recognize the $2b$ bcrypt prefix.
* In the generic crypt(3) format, detect descrypt with valid vs. invalid salts
as separate id's for our heuristics on supported hash types.
* Introduced a number of optimizations for faster handling of large password
hash files, including loading, cracking, and "--show". Some of these use more
memory than before, yet in a more efficient manner.
* Benchmark using all-different candidate passwords of length 7 by default.
* Dropped undocumented special handling of "Mc" in 'c' and 'C' rule commands.
* Dropped undocumented limitation of the 'M' and 'Q' rule commands where they
would sometimes memorize/check only up to the current hash type's length limit
yet this optimization wouldn't necessarily be transparent (e.g., if a later
command would extract a substring from above the hash type's length limit and
bring it to within the limit).
* Implemented special-case handling of repeated rule commands '$', '^', '[',
']', '{', and '}', as well as faster handling of the 'D' command.
* When built with "--fork" support, disallow session names with all-digit
suffixes since these clash with those produced by "--fork".
* Forward SIGTERM to --fork'ed children.
* Set stdout to line buffered (rather than potentially fully buffered), except
for "--stdout", "--show", and auxiliary programs such as "unshadow".
* On Windows, restore normal processing of Ctrl-C in case our parent (such as
Johnny the GUI) had disabled it.
* Added linux-x86*-avx512 and linux-x86*-avx2 make targets, which use
respectively AVX-512 and AVX2 for bitslice DES.
* Added linux-mic make target for Intel MIC (first generation Xeon Phi, aka
Knights Corner), which uses its 512-bit SIMD intrinsics for bitslice DES.
(For second generation Xeon Phi, aka Knights Landing, use linux-x86-64-avx512.)
* Added linux-arm64le, linux-arm32le-neon, and linux-arm32le make targets.
(The first two of these make use of ASIMD or NEON for bitslice DES.)
* Added linux-sparc64 make target.
* Made a minor optimization to MMX and SSE2 assembly code for LM hash.
* Dropped Ultrix and SCO support.
* Don't probe for alternate config file names (like john.ini when on Unix).
* "DokuWiki" external mode sample has been added to the default john.conf.
* Fixed operator precedence in the external mode compiler to be the same as C.
* Fixed an out of bounds write bug in the external mode virtual machine.
* Fixed a bug introduced in version 1.7.4 in the wordlist rules engine, where
some sequences of rule commands could overflow a word buffer.
* Fixed a bug where unaligned access SSE/AVX instructions would unnecessarily
be generated by GCC 4.6+ in the bitslice DES code in non-OpenMP builds.
* Fixed a bug where "Warning: no OpenMP support for this hash type" could be
printed in "--stdout" mode.
* Made assorted other bugfixes, portability and documentation enhancements.
1.20.1
Bug Fixes
reduce refresh clock skew to 10 seconds
set Content-Type header in the request to signBlob API to avoid Invalid JSON payload error
1.20.0
Features
Add debug logging that can help with diagnosing auth lib. path
Show the transport exception that happened for GCE Metadata
packaging: add support for Python 3.8
Noteworthy changes in version 1.14.0
------------------------------------
* New keylist mode to force the engine to return the keygrip.
* New export mode to export as OpenSSH public key.
* New context flag "extended-edit" to enable expert key edit.
* Deprecate the anyway non working trustlist functions.
* cpp: Add convenience API to obtain remarks.
* cpp: The sign key edit-interactor now supports multiple signatures
from the same key.
* qt: Extended signkeyjob to handle remarks and multiple signatures.
* qt: Added job API for gpg-card.
* qt: The logging category has been changed to gpg.qgpgme to be more
consistent with other qt logging categories.
* Interface changes relative to the 1.13.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPGME_KEYLIST_MODE_WITH_KEYGRIP NEW.
GPGME_EXPORT_MODE_SSH NEW.
gpgme_user_id_t EXTENDED: New field 'uidhash'.
cpp: UserID::remark NEW.
cpp: UserID::remarks NEW.
cpp: GpgSignKeyEditInteractor::setDupeOk NEW.
cpp: Context::exportPublicKeys EXTENDED: New param 'flags'.
cpp: Context::startPublicKeyExport EXTENDED: New param 'flags'.
cpp: Context::ExportMode NEW.
qt: SignKeyJob::setDupeOk NEW.
qt: SignKeyJob::setRemark NEW.
qt: GpgCardJob NEW.
qt: ExportJob::setExportFlags NEW.
Noteworthy changes in version 1.4.0
-----------------------------------
* Supports ECDSA and EdDSA certificate creation and parsing.
* Supports ECDH enveloped data.
* Supports ECDSA and EdDSA signed data.
* Supports rsaPSS signature verification.
* Supports standard file descriptors in ksba_reader_read.
* New configure flag --disable-doc.
* Improves supports for reproducible builds.
* Allows for optional elements in keyinfo objects.
* Updates the config and M4 scripts to the latest version.
* Fixes error detection in the CMS parser.
* Fixes memory leak in ksba_cms_identify.
* Fixes build warnings on macOS.
* Uses --disable-new-dtags if LD_LIBRARY_PATH is defined.
* New constants KSBA_VERSION and KSBA_VERSION_NUMBER.
* New API to make creation of DER objects easy.
* Interface changes relative to the 1.3.5 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KSBA_VERSION NEW.
KSBA_VERSION_NUMBER NEW.
KSBA_CT_SPC_IND_DATA_CTX NEW.
KSBA_CLASS_* NEW.
KSBA_TYPE_* NEW.
ksba_der_t NEW.
ksba_der_release NEW.
ksba_der_builder_new NEW.
ksba_der_builder_reset NEW.
ksba_der_add_ptr NEW.
ksba_der_add_val NEW.
ksba_der_add_int NEW.
ksba_der_add_oid NEW.
ksba_der_add_bts NEW.
ksba_der_add_der NEW.
ksba_der_add_tag NEW.
ksba_der_add_end NEW.
ksba_der_builder_get NEW.
Tor Browser 9.5.3 -- July 28 2020
* All Platforms
* Update Firefox to 68.11.0esr
* Update NoScript to 11.0.34
* Update Tor to 0.4.3.6
Tor Browser 9.5.2 -- July 7 2020
* Android
* Update Firefox to 68.10.1esr
1.4.0
- `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
thus restrict the first arc to 0 to 2, and the second arc to less than
40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
first arc is 2 and the second arc is greater than 39.
- Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
on Python 3 when working with elliptic curve keys
- Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a
.whl
v 11.0.34
============================================================
x Fixed regression breaking network-based CSP injection
v 11.0.33
============================================================
x Switch from HTTP to DOM event based CSP reporting in
compatible browsers
x [XSS] Updated HTML event attributes
x Updated TLDs
