### Version 5.57, 2020.10.11, urgency: HIGH
* Security bugfixes
- The "redirect" option was fixed to properly
handle "verifyChain = yes" (thx to Rob Hoes).
- OpenSSL DLLs updated to version 1.1.1h.
* New features
- New securityLevel configuration file option.
- FIPS support for RHEL-based distributions.
- Support for modern PostgreSQL clients (thx to Bram Geron).
- Windows tooltip texts updated to mention "stunnel".
- TLS 1.3 configuration updated for better compatibility.
* Bugfixes
- Fixed a transfer() loop bug.
- Fixed memory leaks on configuration reloading errors.
- DH/ECDH initialization restored for client sections.
- Delay startup with systemd until network is online.
- bin\libssp-0.dll removed when uninstalling.
- A number of testing framework fixes and improvements.
3.2.1 - 2020-10-27
Disable blinding on RSA public keys to address an error with some versions of OpenSSL.
3.2 - 2020-10-25
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to Hubert Kario for reporting the issue. CVE-2020-25659
Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade.
Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
3.1.1 - 2020-09-22
Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1h.
3.1 - 2020-08-26
BACKWARDS INCOMPATIBLE: Removed support for idna based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by the OpenSSL project. The next version of cryptography will drop support for it.
Deprecated support for Python 3.5. This version sees very little use and will be removed in the next release.
backend arguments to functions are no longer required and the default backend will automatically be selected if no backend is provided.
Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` .
Calling update or update_into on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with data longer than 231 bytes no longer raises an OverflowError. This also resolves the same issue in :doc:`/fernet`.
3.0 - 2020-07-20
BACKWARDS INCOMPATIBLE: Removed support for passing an :class:`~cryptography.x509.Extension` instance to :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`, as per our deprecation policy.
BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+ is still supported).
BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer.
BACKWARDS INCOMPATIBLE: RSA :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
BACKWARDS INCOMPATIBLE: X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until :attr:`~cryptography.x509.Certificate.version` is accessed.
Deprecated support for Python 2. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2 no longer receives support from the Python core team.
If you have trouble suppressing this warning in tests view the :ref:`FAQ entry addressing this issue <faq-howto-handle-deprecation-warning>`.
Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` for loading and :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH` for writing.
Added support for OpenSSH certificates to :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to :class:`~cryptography.fernet.Fernet`.
Added support for the :class:`~cryptography.x509.SubjectInformationAccess` X.509 extension.
Added support for parsing :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
Added support for parsing attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`.
Added support for encoding attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL's built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
Added initial support for creating PKCS12 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.
2020.11.17
* Copy URL in EASE interstitial
* Dependapot NPM updates
* CRX distribution scripts for transparency for Edge and Opera
* Port inclusion on allowlist for EASE
* UI change to reflect a global setting
CrackLib is a library containing a C function (well, lots of functions
really, but you only need to use one of them) which may be used in a
"passwd"-like program.
The idea is simple: try to prevent users from choosing passwords that
could be guessed by "Crack" by filtering them out, at source.
CrackLib is an offshoot of the the version 5 "Crack" software, and
contains a considerable number of ideas nicked from the new software.
0.20.4
* secret-file-collection: Make MAC comparison constant time [!60]
* Initialize libgcrypt for SecretFileCollection [!56]
* meson: Add tests for GIR-based languages [!54]
* man: Add a bugtracker section to the manpage [!14]
* meson: add option introspection [!53]
* Updated translations
--------------
polkit 0.118
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.118.
Highlights:
move to mozjs78
tarball CI fix
Build requirements
glib, gobject, gio >= 2.32
mozjs-78
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.117:
Xi Ruoyao:
tarball fixup for distcheck
Valentin David:
updated dependency to mozjs78
Many thanks to all contributors!
Jan Rybar et al.,
September 8, 2020
--------------
polkit 0.117
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.117.
Highlights:
Gitlab CI activation - all merge requests are tested before merged
New Norwegian translation, several other language updates
Build requirements
glib, gobject, gio >= 2.32
mozjs-68
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.116:
Bastien Nocera:
Activated Gitlab CI
Xi Ruoyao:
Updated dependency to mozjs68
Kalev Lember, Jan Rybar
Memory management fixes
Anders Jonsson, Karl Ove Hufthammer, Andika Triwidada, Yuri Chornoivan:
Language updates
Many thanks to all contributors!
Jan Rybar et al.,
July 24, 2020
Noteworthy changes in version 2.2.24
------------------------------------
* Allow Unicode file names on Windows almost everywhere. Note that
it is still not possible to use Unicode strings on the command
line. This change also fixes a regression in 2.2.22 related to
non-ascii file names.
* Fix localized time printing on Windows.
* gpg: New command --quick-revoke-sig.
* gpg: Do not use weak digest algos if selected by recipient
preference during sign+encrypt.
* gpg: Switch to AES256 for symmetric encryption in de-vs mode.
* gpg: Silence weak digest warnings with --quiet.
* gpg: Print new status line CANCELED_BY_USER for a cancel during
symmetric encryption.
* gpg: Fix the encrypt+sign hash algo preference selection for
ECDSA. This is in particular needed for keys created from
existing smartcard based keys.
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys.
* agent: Keep some permissions of private-keys-v1.d.
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and
gnutls builds.
* dirmngr: Fix the pool keyserver case for a single host in the
pool.
* scd: Fix the use case of verify_chv2 by CHECKPIN.
* scd: Various improvements to the ccid-driver.
* scd: Minor fixes for Yubikey
* gpgconf: New option --show-versions.
* w32: Install gpg-check-pattern and example profiles. Install
Windows subsystem variant of gpgconf (gpgconf-w32).
* i18n: Complete overhaul and completion of the Italian translation.
Thanks to Denis Renzi.
* Require Libgcrypt 1.8 because 1.7 has long reached end-of-life.
This release updates Firefox to 78.5.0esr and updates Tor to 0.4.4.6.
This release includes important security updates to Firefox.
The full changelog since Tor Browser 10.0.4 (Desktop) is:
Windows + OS X + Linux
Update Firefox to 78.5.0esr
Update Tor to 0.4.4.6
Bug 40212: Add new default obfs4 bridge
3.0.8 (2020-09-09)
* Provide --version option
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning
* Fixed issue with ED/EC certificates were still signed by RSA
* Added support for export-p8
* Clarified error message
* 2->3 upgrade now errors and prints message when vars isn't found
* Update OpenSSL Windows binaries to 1.1.1g
* Version 1.8.1 (released 2019-08-02) [stable]
** gsasl: IMAP client code now permits empty SASL tokens prefixed with '+'.
Normally servers should send '+ '. Buggy servers include Microsoft
Exchange. Reported by Adam Sjøgren.
** GSSAPI client: Now retrieves GSASL_AUTHZID for authorization identity.
** GSSAPI client: Can now transmit an empty/missing authorization identity.
See lib/NEWS for more information.
** Build fixes.
Update of gnulib, including how it is bootstrapped.
** i18n: Updated translations.
(Otherwise a few objects fail pretty early in the build.) Install the
shared library as .dylib on Darwin. Set MASTER_SITES=${HOMEPAGE}. Sort
PLIST and chmod -x libbearssl.a to quell pkglint warnings.
This release updates NoScript to 11.1.5 and includes an important security update to Firefox.
The full changelog since Tor Browser 10.0.2 (Desktop) is:
Windows + OS X + Linux
Update NoScript to 11.1.5
Bug 40021: Keep page shown after Tor Browser update purple
Bug 40022: EOY November Update - Matching
Bug 40219: Backport Mozilla Bug 1675905
Translations update
Build System
Windows + OS X + Linux
Update Go to 1.14.11
Bug 40141: Include "desktop" in signed tag
v 11.1.5
============================================================
x Updated TLD
x Fixed potential infinite loop via DOMContentLoaded
x Work-around for Firefox 82 media redirection bug (thanks
ppxxbu and skriptimaahinen)
x Updated TLDs
v 11.1.5rc2
============================================================
x Updated TLD
x Fixed potential infinite loop via DOMContentLoaded
v 11.1.5rc1
============================================================
x Work-around for Firefox 82 media redirection bug (thanks
ppxxbu and skriptimaahinen)
x Updated TLDs
v 11.1.4
============================================================
x Fixed sloppy CSP media blocker detection breaking MSE
blob: media placeholders on Chromium
x Fixed race condition causing temporary settings not to
survive updates sometimes
x Updated TLDs
x [Mobile] Improved prompts appearance on Android
v 11.1.4rc3
============================================================
x Fixed sloppy CSP media blocker detection breaking MSE
blob: media placeholders on Chromium
v 11.1.4rc2
============================================================
x Fixed race condition causing temporary settings not to
survive updates sometimes
v 11.1.4rc1
============================================================
x Updated TLDs
x [Mobile] Improved prompts appearance on Android
Changes since 2.8.6:
- Support External Account Binding (EAB)
- Support ZeroSSL.com CA
- Support preferred-chain
- More dns api support
- Adds Docker multi-arch build support
Also remove incorrect (unnecessary) dependency on mozilla-rootcerts.
OK by ryoon@
1.5.0
* Added support for Python 3.9.
* Dropped support for Python 3.5.
* Stopped supporting running tests with ``python setup.py test`` which is
deprecated in favor of ``python -m pytest``.
1.23.0:
Features
Add custom scopes for access tokens from the metadata service
Bug Fixes
deps: Revert "fix: pin 'aoihttp < 3.7.0dev'
pin 'aoihttp < 3.7.0dev'
remove checks for ancient versions of Cryptography
(pkgsrc changes)
- Add ./autogen.sh for pre-configure:
- Add following two lines to get the similar PLIST
CONFIGURE_ARGS+= --enable-gtk-doc
.include "../../textproc/gtk-doc/buildlink3.mk"
- Add following lines to avoid "msgfmt: unknown option -- desktop" (thanks joerg@)
.if ${OPSYS} == "NetBSD"
TOOLS_PLATFORM.msgfmt=
.endif
(upstream changes)
gcr 3.38.0:
- No changes from 3.37.91
gcr 3.37.91:
- meson: missing dependency on generated oids header [GNOME/gcr#48, GNOME/gcr!57]
- Correct display of key usage extensions [GNOME/gcr#47, GNOME/gcr!56]
- meson: Correctly set internal vapi dependencies [GNOME/gcr!55]
- Cleanup GType boilerplate [GNOME/gcr!53]
- gck: Fixed test failures [GNOME/gcr#42, GNOME/gcr!51, GNOME/gcr!52]
- Updated translations
gcr 3.36.0:
- gcr: Update gtk-doc get_der_data() vfunc [GNOME/gcr!48]
- Updated translations
gcr 3.35.91:
- Mark deprecated functions with G_DEPRECATED [GNOME/gcr#36, GNOME/gcr!47]
- egg-oid: Add comments for translators for new abbrevations [GNOME/gcr#40, GNOME/gcr!45]
- Updated translations
gcr 3.35.90:
- Add support for "NEW CERTIFICATE REQUEST" header [GNOME/gcr!44]
- Add support for GOST certificates [GNOME/gcr!43]
- Rework handling of ASN.1 standard types [GNOME/gcr!42]
- Fix a few regressions in the Meson build [GNOME/gcr!46, 7ba0e00d]
- Add support for g_autoptr [GNOME/gcr!36, GNOME/gcr#16]
- Fixed some compiler warnings [GNOME/gcr!38]
- Updated translations
gcr 3.35.1:
- gcr-certificate: Add (virtual) annotation [GNOME/gcr!35, GNOME/gcr#37]
- Always use G_PARAM_STATIC_STRINGS [GNOME/gcr!31]
- Support Meson build system [GNOME/gcr!11,32,33,34]
- Avoid potential 64-bit pointer aliasing alignment issues [GNOME/gcr!27, GNOME/gcr#34]
- Update README to mention correct environment variables [GNOME/gcr!25]
- build: Use sed for .desktop variables substitution [GNOME/gcr!24]
- Updated translations
gcr 3.34.0:
- gcr-prompt-dialog: Allow the use of mnemonics in the choice label [GNOME/gcr!22]
- Use python3 shebang in ui/icons/render-icons.py [GNOME/gcr!21]
- configure: Use PKG_PROG_PKG_CONFIG instead of reinventing it [GNOME/gcr!20]
- Replace tap-gtester with one that relies on GLib 2.38+ TAP output [GNOME/gcr!19]
- Remove SKS network from keyserver defaults [GNOME/gcr!18]
- Updated translations
gcr 3.33.4:
- Move from intltool to gettext [GNOME/gcr#18]
- Fix parameter type for signal handler causing stack smashing on ppc64le [GNOME/gcr!16]
- cleanup: Don't use deprecated g_type_class_add_private() anymore [GNOME/gcr!12]
- Fix GIR annotations [GNOME/gcr!10]
- Fix hashtable ordering assumptions [GNOME/gcr!9]
- build: Fix gcr-trust symbols not appearing in GIR, and hence also VAPI [GNOME/gcr!7]
- Update gcr_pkcs11_get_trust_{store|lookup}_slot URI checks [GNOME/gcr!5]
- build: Update tap scripts for Python 3 compat [GNOME/gcr!2]
- Updated translations
Authelia is an open-source authentication and authorization server providing
2-factor authentication and single sign-on (SSO) for your applications via a web
portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy
to let them know whether queries should pass through. Unauthenticated user are
redirected to Authelia Sign-in portal instead.
This is required for newer versions of finance/electrum.
Optimized C library for ECDSA signatures and secret/public key operations on
curve secp256k1.
This library is intended to be the highest quality publicly available library
for cryptography on the secp256k1 curve. However, the primary focus of its
development has been for usage in the Bitcoin system and usage unlike Bitcoin's
may be less well tested, verified, or suffer from a less well thought out
interface. Correct usage requires some care and consideration that the library
is fit for your application's purpose.
Features:
* secp256k1 ECDSA signing/verification and key generation.
* Additive and multiplicative tweaking of secret/public keys.
* Serialization/parsing of secret keys, public keys, signatures.
* Constant time, constant memory access signing and public key generation.
* Derandomized ECDSA (via RFC6979 or with a caller provided function.)
* Very efficient implementation.
* Suitable for embedded systems.
* Optional module for public key recovery.
* Optional module for ECDH key exchange.
Experimental features have not received enough scrutiny to satisfy the standard
of quality of this library but are made available for testing and review by the
community. The APIs of these features should not be considered stable.
Merge:
absorb issuer fingerprint (RFC4880bis 5.2.3.28) in libverify.c
from jhigh from src/
While here, fix build with RELRO and a pkglint warning.
Bump version to 20201101.
Noteworthy changes in version 1.8.7 (2020-10-23) [C22/A2/R8]
------------------------------------------------
* Bug fixes:
- Support opaque MPI with gcry_mpi_print. [#4872]
- Fix extra entropy collection via clock_gettime. Note that this
fallback code path is not used on any decent hardware. [#4966]
- Allow for a Unicode random seed file on Windows. [#5098]
This release updates Firefox to 78.4.0esr and NoScript to 11.1.3.
This release includes important security updates to Firefox.
Note: Now Javascript on the Safest security level is governed by
NoScript again. It was set as false when on Safest in 9.5a9. The
javascript.enabled preference was reset to true for everyone using
Safest beginning in Tor Browser 10.0 and you must re-set it as
false if that is your preference.
v 11.1.3
============================================================
x Fixed regression: document media and font restrictions
always cascaded (thanks BrainDedd for report)
x Remove domPolicy logging when debugging is off
x Trivial reordering from Mozilla source
x Updated TLDs
v 11.1.1
============================================================
x Updated TLDs
x Better heuristic to figure out missing data while
computing contextual policies
x Fixed regression breaking per-tab restrictions disablement
(thanks Horsefly for report)
v 11.1.0
============================================================
x Improved blocking of media documents unaffected by
webRequest
x Automatically init tag message with last changelog
x Improved NOSCRIPT element emulation compatibility with XML
documents
x webNavigation.onCommitted + tabs.executeScript to deliver
DOM policies earlier whenever possible
x Partial work-around for Fx 80 file:// documents parsing
inconsistencies (further fix for issue #156)
x Cache policy on top document for file:// subdocuments
(fixes issue #156)
x Enforce more restrictive CSP on media/object documents
x Better cross-browser media handling
x [Mobile] Use tabs as prompts if the browser.windows API is
missing
x Fix browser UI for image, audio and video content being
partially broken on file:// URLs
x Normalize file:// directory paths on Firefox
x Allow browser UI scripts for file:// directory navigation
x Updated TLDs
x [L10n] Updated mk
v 11.1.0rc2
============================================================
x Improved blocking of media documents unaffected by
webRequest
x Automatically init tag message with last changelog
v 11.1.0rc1
============================================================
x Improved NOSCRIPT element emulation compatibility with XML
documents
v 11.0.47rc6
============================================================
x webNavigation.onCommitted + tabs.executeScript to deliver
DOM policies earlier whenever possible
x Fixed typo causing CSP-based media blocking to skip
requests with no content-type header
v 11.0.47rc5
============================================================
x Partial work-around for Fx 80 file:// documents parsing
inconsistencies (further fix for issue #156)
v 11.0.47rc4
============================================================
x Cache policy on top document for file:// subdocuments
(fixes issue #156)
x Updated TLDs
x Enforce more restrictive CSP on media/object documents
v 11.0.47rc3
============================================================
x Better cross-browser media handling
x Improved file: directory path normalization
v 11.0.47rc2
============================================================
x [Mobile] Use tabs as prompts if the browser.windows API is
missing
v 11.0.47rc1
============================================================
x Fix browser UI for image, audio and video content being
partially broken on file:// URLs
x Normalize file:// directory paths on Firefox
x Allow browser UI scripts for file:// directory navigation
x Updated TLDs
x [L10n] Updated mk
Changelog:
## 2.6.2 (2020-10-21)
### Added
- Add option to keep window always on top to view menu [#5542]
- Move show/hide usernames and passwords to view menu [#5542]
- Add command line options and environment variables for changing the config locations [#5452]
- Include TOTP settings in CSV import/export and add support for ISO datetimes [#5346]
### Changed
- Mask sensitive information in command execution confirmation prompt [#5542]
- SSH Agent: Avoid shortcut conflict on macOS by changing "Add key" to Ctrl+H on all platforms [#5484]