New in 2.1.0
- Ported to Qt5 (Qt4 also supported)
- New building system. CMake instead of qmake
- Added CTR symetric cipher support to qca core
- Added no padding encryption algorithm to qca core
- qcatool2 renamed to qcatool
- fixed crash in qcatool when only options provided on command line without
any commands
- Use plugins installation path as hard-coded runtime plugins search path
- Added new functiion pluginPaths
- Added functions to get runtime QCA version
- Fixed 'no watch file' warnings in FileWatch
- Added EME_PKCS1v15_SSL Encryption Algorithm
- New implementation of SafeTimer to prevent crashes
- Updated certificates for unittests
- RSA Keys are permutable, can encrypt with private and decrypt with public
- Add unloadProvider() function for symmetry with insertProvider()
- Overloaded "makeKey" to derive a password depending on a time factor
- Remove pointer to deinit() routine from QCoreApplication at deinitialization
- Fix a couple of crashes where all plugins might not be available
- Fix operating on keys with unrelated expired subkeys
- Fixed timers in Synchronizer class
- Dropped randomunittest
- Fixed many unittests
- qca-gnupg: internal refactoring
- qca-gnupg: try both gpg and gpg2 to find gnupg executable
- qca-gnupg: fixed some encodings problem
- qca-ossl: no DSA_* dl groups in FIPS specification
- qca-ossl: added missed signatures to CRLContext
- qca-ossl: fixed certs time zone
- qca-nss: fixed KeyLenght for Cipher
- qca-botan: fixed getting result size for ciphers
3.4.8:
New features
* Added a native extension in pure C for modular exponentiation, optimized for SSE2 on x86.
In the process, we drop support for the arbitrary arithmetic library MPIR
on Windows, which is painful to compile and deploy.
The custom modular exponentiation is 130% (160%) slower on an Intel CPU in 32-bit (64-bit) mode,
compared to MPIR. Still, that is much faster that CPython's own `pow()` function which
is 900% (855%) slower than MPIR. Support for the GMP library on Unix remains.
* Added support for *manylinux* wheels.
* Support for Python 3.7.
Resolved issues
* The DSA parameter 'p' prime was created with 255 bits cleared
(but still with the correct strength).
* Not all docs were included in the tar ball.
* ECDSA verification failed for DER encoded signatures.
* Human-friendly messages for padding errors with ECB and CBC.
The software in this package is a Python module for generating objects that
compute the Cyclic Redundancy Check (CRC). There is no attempt in this package
to explain how the CRC works. There are a number of resources on the web that
give a good explanation of the algorithms.
This package allows the use of any 8, 16, 24, 32, or 64 bit CRC. You can
generate a Python function for the selected polynomial or an instance of the
Crc class which provides the same interface as the md5 and sha modules from the
Python standard library. A Crc class instance can also generate C/C++ source
code that can be used in another application.
Part of PR pkg/52941.
## 0.9.3 (January 28th, 2018)
A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to
0.9.2.
## 0.9.2 (January 26th, 2018)
SECURITY:
* Okta Auth Backend: While the Okta auth backend was successfully verifying
usernames and passwords, it was not checking the returned state of the
account, so accounts that had been marked locked out could still be used to
log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
the AppRole, AWS, and Cert auth backends would expire when the max TTL for
the backend/mount/system was hit instead of their stated behavior of living
as long as they are renewed. This is now fixed; existing tokens do not have
to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
seal wrapping may not be wrapped on the secondaries. This has been fixed,
and existing values will be wrapped on next read or write. This does not
affect the barrier keys.
DEPRECATIONS/CHANGES:
* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
returned by `sys/health` could be misleading since it would be `false` both
when a cluster was not a DR secondary but also when the node is a standby in
the cluster and has not yet fully received state from the active node. This
could cause health checks on LBs to decide that the node was acceptable for
traffic even though DR secondaries cannot handle normal Vault traffic. (In
other words, the bool could only convey "yes" or "no" but not "not sure
yet".) This has been replaced by `replication_dr_mode` and
`replication_perf_mode` which are string values that convey the current
state of the node; a value of `disabled` indicates that replication is
disabled or the state is still being discovered. As a result, an LB check
can positively verify that the node is both not `disabled` and is not a DR
secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
in role definitions in the PKI secret backend, input can now be a
comma-separated string or an array of strings. Reading a role will
now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
context.Context package. Many function signatures now accept a context
object as the first parameter. Existing plugins will need to pull in the
latest Vault code and update their function signatures to begin using
context and the new gRPC transport.
FEATURES:
* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
streamlined, supports autocomplete, and is almost entirely backwards
compatible.
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
create and browse roles and certificates, and issue and sign certificates via
the listed roles.
IMPROVEMENTS:
* auth/aws: Handle IAM headers produced by clients that formulate numbers as
ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
including HA scenarios for some Gemalto HSMs.
(Enterprise)
* cli: Output password prompts to stderr to make it easier to pipe an output
token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
allowing the same output format and input format for plugin information
[GH-3778]
* secret/pki: `ou` and `organization` can now be specified as a
comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
on older versions of Vault [GH-3833]
BUG FIXES:
* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
these backends could not have their TTL renewed beyond the system/mount max
TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached
[GH-2030]
3.0.5
* Fix#17 & #58: use AES256 for CA key
* Also, don't use read -s, use stty -echo
3.0.4
* Remove use of egrep (#154)
* Integrate with Travis-CI (#165)
* Remove "local" from variable assignment (#165)
* Other changes related to Travis-CI fixes
* Assign values to variables defined previously w/local
* Finally(?) fix the subjectAltName issues I presented earlier (really
fixes#168
Changes:
--------
* Tests can have more than 1 required OS (e.g. Linux OR NetBSD)
* Added 'system-groups' option to profile (Enterprise users)
* Overhaul of default profile and migrate to new style (setting=value)
* Show warning if old profile options are used
* Improved detection of binaries
* New group 'usb' for tests related to USB devices
Tests:
------
* [FILE-6363] - New test for /var/tmp (sticky bit)
* [MAIL-8802] - Added exim4 process name to improve detection of Exim
* [NETW-3030] - Changed name of dhcp client name process and added udhcpc
* [SSH-7408] - Restored UsePrivilegeSeparation
* [TIME-3170] - Added chrony configuration file for NetBSD
Security release fixing CVE-2017-12374, CVE-2017-12375, CVE-2017-12376,
CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
Also included are 2 minor fixes to properly detect openssl install locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1# version numbers.
### Added
- Support for the HTTP-01 challenge type was added to our Apache and Nginx
plugins.
- IPv6 support was added to the Nginx plugin.
- Support for automatically creating server blocks based on the default server
block was added to the Nginx plugin.
- The flags --delete-after-revoke and --no-delete-after-revoke were added
allowing users to control whether the revoke subcommand also deletes the
certificates it is revoking.
### Changed
- We deprecated support for Python 2.6 and Python 3.3 in Certbot and its ACME
library.
- We split our implementation of JOSE (Javascript Object Signing and
Encryption) out of our ACME library and into a separate package named josepy.
- We updated the ciphersuites used in Apache to the new values recommended by
Mozilla
### Fixed
- An issue with our Apache plugin on Gentoo due to differences in their
apache2ctl command have been resolved.
Changes
(unfortunately upstream does not provide any changelog, this is based by
reading commit messages):
1.2
---
- Misc improvements and bug fixes
1.1.11
------
- Add support for Apache SHA1
- Add support for Joomla password
- Add support for vBulletin password hashes
- Add support for DJANGO_MD5 and DJANGO_SHA1
- Add WAF script for Wordfence
- Add WAF script for DOSarrest
- Misc improvements and bug fixes
1.1.10
------
- Polish translation
- Add support for blind-based charset dump
- Misc improvements and bug fixes
0.12.0:
- Add support for channel binding tokens (assumes pykerberos support >= 1.2.1)
- Add support for kerberos message encryption (assumes pykerberos support >= 1.2.1)
- Misc CI/test fixes
Changes:
--------
* Binary paths are now sorted
* Greek language added
* systemd detection improved
* VirtualBox detection extended
* Several code enhancements
Tests:
------
* [PHP-2379] - Small enhancement to resolve error on screen in some cases
* [MALW-3280] - Improved detection for BitDefender tooling
Use TEST_DEPENDS.
1.84 2018-01-17
Fixed an error in t/local/04_basic.t causing a test failure if
Test::Exception not installed. Reported by Joel Berger.
1.83 2018-01-16
Fixed a problem with exporting OPENSSL_NO_NEXTPROTONEG even though they are not availble on LibreSSL.
Patch patch-SSLeay_xs-NO_NPN from Alexander Bluhm.
Patch from Heikki Vatiainen adds support for SSL_set_default_passwd_cb* for
OpenSSL 1.1.0f and later. LibreSSL does not support these functions, at
least yet.
Patch from Heikki Vatiainen adds new functions related to SSL_CTX_new.
Patch from Heikki Vatiainen adds two new functions introduced in OpenSSL 1.1.0, a number
of constants and a couple of const qualifiers to SSLeay.xs. Tests and
documentation .pod were also updated.
Patch from Heikki Vatiainen adds one new OpenSSL 1.1.0 function and has a minor fix for
LibreSSL version detection:
* Added support for SSL_use_certificate_chain_file
function introduced in OpenSSL 1.1.0.
* Fixed LibreSSL version detection to correctly parse
LibreSSL minor version.
Patch from Steffen Ulrich to fix memory leaks in OCSP handling. Thanks.
Patch from Heikki Vatiainen adds new functions for certificate verification introduced in
OpenSSL 1.02, a number of constants, new test data files, new tests and
updates to .pod documentation.
The new functions provide access to the built-in wildcard check
functionality available in OpenSSL 1.0.2 and later.
The patch also adds new tests for the new functions and updates some of
the current tests for CTX_set_default_passwd_cb* functions.
Added X509_STORE_CTX_new and X509_verify_cert.
SSL_OCSP_response_verify now clears the error queue if OCSP_basic_verify fails but the
intermediate certificate succeeds. Patch from Stefan Ullrich.
Version 1.0.20
- Include uthash.h in hex package
Version 1.0.19
- Fix couple memory leaks
- Switch hashmap to uthash library
- Use system allocator in openssl
- Update ciphers and option to safer defaults
Lynis is an open source security auditing tool. Used by system
administrators, security professionals, and auditors, to evaluate the
security defenses of their Linux and Unix-based systems. It runs on the host
itself, so it performs more extensive security scans than vulnerability
scanners.
Noteworthy changes in version 1.1.0 (2017-12-03)
------------------------------------------------
* A FLTK1.3-based pinentry has been contributed.
* A TQt3-based pinentry has been contributed.
* New option --ttyalert for pinentry-curses to alert the user.
* Don't show "save passphrase" checkbox if secret service is
unavailable.
* The GTK Pinentry shows on Linux some information anout the process
which invoked the Pinentry.
* The GTK Pinentry does not anymore show tooltips when keyboard
grabbing is enabled.
* Fixed various minor problems.
