Commit graph

7263 commits

Author SHA1 Message Date
joerg
b6801ac211 Fix build on NetBSD/evbarm. 2014-05-21 01:22:14 +00:00
dsainty
a60467a36e Improve behaviour under NetBSD, successfully suppressing error messages under
NetBSD's shell, and passing the -m option to NetBSD's "su" command to support
users without login shells.

Add the PREFIX to all script PATHs.  This can allow sudo to be installed and
used as an alternative to su, should there be any value in doing that.

Bump PKGREVISION.
2014-05-20 11:30:27 +00:00
wiz
0f5b56b90f Update to 1.1.7, changes not found. 2014-05-20 08:27:47 +00:00
wiz
37b9dd732d Make PKGNAME match dirname. 2014-05-18 13:32:32 +00:00
wiz
8dc0b94b53 + TweetNaCl 2014-05-18 13:17:30 +00:00
wiz
525b55ab2f Import tweetnacl-20140427 as security/TweetNaCl.
TweetNaCl is the world's first auditable high-security cryptographic
library. TweetNaCl fits into just 100 tweets while supporting all
25 of the NaCl functions used by applications.

This package installs a libtool library of the code.
2014-05-18 13:16:13 +00:00
obache
09986a2875 one more catch up to removal of /boot/common on Haiku. 2014-05-18 11:20:53 +00:00
obache
132dcc3b78 catch up to removal of /boot/common on Haiku. 2014-05-18 11:18:17 +00:00
wiz
3faf991a33 Bump applications PKGREVISIONs for python users that might be using
python3, since the default changed from python33 to python34.

I probably bumped too many. I hope I got them all.
2014-05-17 16:10:41 +00:00
khorben
57e338f23f Imported py-libtaxii 2014-05-17 16:08:20 +00:00
khorben
4bfd9ef9e1 Import py27-libtaxii-1.1.101 as security/py-libtaxii (from wip)
libtaxii is a Python library for handling TAXII Messages as Python objects and
invoking TAXII Services.

A primary goal of libtaxii is to remain faithful to both the TAXII
specifications and to customary Python practices. libtaxii is designed to be
intuitive both to Python developers and XML developers.
2014-05-17 16:07:51 +00:00
khorben
92690f1470 Imported py-stix 2014-05-17 16:04:56 +00:00
khorben
fe7059f0c2 Import py27-stix-1.1.0.6 as security/py-stix (from wip)
A python library for parsing, manipulating, and generating STIX content.

The python-stix library utilizes the STIX v1.1 bindings and is under heavy
development. For more information about STIX, see http://stix.mitre.org.
2014-05-17 16:03:45 +00:00
khorben
ac00d90699 Imported py27-cybox-2.1.0.4 2014-05-17 16:00:24 +00:00
khorben
cdf7d31518 Import py27-cybox-2.1.0.4 as security/py-cybox (from wip)
A python library for parsing, manipulating, and generating CybOX content.

A primary goal of the python-cybox library is to remain faithful to both the
CybOX standard and to customary Python practices. There are places where these
will conflict, and the goal is to make the library intuitive both to those
familiar with the XML schemas (but less familiar with Python) and also to
experienced Python developers who want to add CybOX support to their programs.
2014-05-17 15:59:10 +00:00
ryoon
da42d81cab Fix build under OpenBSD 5.5
* OpenBSD's vis.h requires stdlib.h
* OpenBSD has SO_PEERCRED, but it is different from Linux's one
* __weak_alias is not for OpenBSD's gcc 4.2.1
* OpenBSD 5.5 does not have VIS_HTTPSTYLE.
* Fix PLIST for OpenBSD
2014-05-16 12:49:42 +00:00
adam
28bb94d01f Revbump after updating graphics/giflib 2014-05-15 14:41:45 +00:00
wiz
dd9153b6b9 Update to 1.985:
1.985 2014/05/15
- make OCSP callback return 1 even if it was called on the server side
  because of bad setup of the socket. Otherwise we get an endless calling
  of the OCSP callback.
- consider an OCSP response which is not yet or no longer valid a soft error
  instead of a hard error
- fix skip in t/external/ocsp.t in case fingerprint does not match
- RT#95633 call EVP_PKEY_free not EVP_KEY_free in
  IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org
- util/analyze.pl - with --show-chain check if chain with SNI is different
  from chain w/o SNI.
1.984 2014/05/10
- added OCSP support:
  - needs Net::SSLeay >=1.59
  - for usage see documentation of IO::Socket::SSL (examples and anything with
    OCSP in the name)
- new tool util/analyze-ssl.pl which is intended to help in debugging of SSL
  problems and to get information about capabilities of server. Works also
  as an example of how to use various features (like OCSP, SNI..)
- fix peer_certificates (returns leaf certificate only once on client side)
- added timeout for stop_SSL (either with Timeout or with the default
  timeout for IO::Socket)
- fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
  time is not GMT. Use Net::SSLeay::ASN1_TIME_timet if available.
- fix t/external/usable_ca.t for system with junk in CA files
1.983 2014/05/03
- fix public suffix handling: ajax.googleapis.com should be ok even if googleapis.com
  is in public suffix list (e.g. check one level less)
  #95317, thanks to purification[AT]ukr[DOT]net
- usable_ca.t - update fingerprints after heartbleed attack
- usable_ca.t - make sure we have usable CA for tested hosts in CA store
1.982 2014/04/24
- fix for using subroutine as argument to set_args_filter_hack
1.981 2014/04/08
- #95432 fix ecdhe Test for openssl1.0.1d, thanks to  paul[AT]city-fan[DOT]org
- fix detection of openssl1.0.1d (detected 1.0.1e instead)
- new function can_ecdh in IO::Socket::SSL
1.980 2014/04/08
- fixed incorrect calculation of certificate fingerprint in get_fingerprint*
  and comparison in SSL_fingerprint. Thanks to
  david[DT]palmer[AT]gradwell[DOT]com for reporting.
- disable elliptic curve support for openssl 1.0.1d on 64bit because of
  openssl rt#2975
1.979 2014/04/06
- hostname checking:
  - configuration of 'leftmost' is renamed to 'full_label', but the old
    version is kept for compatibility reasons.
  - documentation of predefined schemes fixed to match reality
1.978 2014/04/04
- RT#94424 again, fix test on older openssl version with no SNI support
1.977 2014/04/04
- fix publicsuffix for IDNA, more tests with various IDNA libs
  RT#94424. Thanks to paul[AT]city-fan[DOT]org
- reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
- add more checks to external/usable_ca.t. Now it is enough that at least
  one of the hosts verifies against the builtin CA store
- add openssl and Net::SSLeay version to diagnostics in load test
1.976 2014/04/03
- added public prefix checking to verification of wildcard certificates,
  e.g. accept *.foo.com but not *.co.uk.
  See documentation of SSL_verifycn_publicsuffix and
  IO::Socket::SSL::PublicSuffix
  Thanks to noloader for pointing out the problem.
1.975 2014/04/02
- BEHAVIOR CHANGE: work around TEA misfeature on OS X builtin openssl, e.g.
  guarantee that only the explicitly given CA or the openssl default CA will
  be used. This means that certificates inside the OS X keyring will no
  longer be used, because there is no way to control the use by openssl
  (e.g. certificate pinning etc)
- make external tests run by default to make sure default CA works on all
  platforms, it skips automatically on network problems like timeouts or ssl
  interception, can also use http(s)_proxy environment variables
1.974 2014/04/02
- new function peer_certificates to get the whole certificate chain, needs
  Net::SSLeay>=1.58
- extended IO::Socket::Utils::CERT_asHash to provide way more information,
  like issuer information, cert and pubkey digests, all extensions, CRL
  distributions points and OCSP uri
1.973 2014/03/25
- with SSL_ca certificate handles can now be used additionally to
  SSL_ca_file and SSL_ca_path
- no longer complain if SSL_ca_file and SSL_ca_path are both given,
  instead add both as options to the CA store
- Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create.
1.972 2014/03/23
- make sure t/external/usable_ca.t works also with older openssl without
  support for SNI. RT#94117. Thanks to paul[AT]city-fan[DOT]org
1.971 2014/03/22
- try to use SSL_hostname for hostname verification if no SSL_verifycn_name
  is given. This way hostname for SNI and verification can be specified in
  one step.
- new test program example/simulate_proxy.pl
1.970 2014/03/19
- fix rt#93987 by making sure sub default_ca does use a local $_ and not a
  version of an outer scope which might be read-only.  Thanks to gshank
1.969 2014/03/13
- fix set_defaults to match documentation regarding short names
- new function set_args_filter_hack to make it possible to override bad SSL
  settings from other code at the last moment.
- determine default_ca on module load (and not on first use in each thread)
- don't try default hostname verification if verify_mode 0
- fix hostname verification when reusing context
1.968 2014/03/13
- BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
  for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file.
  These defaults were deprecated since 1.951 (2013/7/3).
- Usable CA verification path on Windows etc:
  Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
  system/build dependent default verification path, because there was no
  way to retrieve these default values and check if they contained usable
  CA. Instead re-implement the same algorithm and export the results with
  public function default_ca() and make it possible to overwrite it.
  Also check for usable verification path during build.
  If no usable paths are detected require Mozilla::CA at build and try to
  use it at runtime.
2014-05-15 10:01:43 +00:00
wiz
c9f1929379 Update to 1.61 and set LICENSE.
1.61 2014-05-12
     Changes calloc to Newx and free to Safefree, otherwise there might be
     problems because calloc is done from a different memory pool than free (depends
     on the build options for perl, but seen on Windows). Patch from Steffen
     Ullrich. Thanks.

1.60 2014-05-10
     Fixed a typo in an error message. Patch from gregor herrmann. Thanks.
     Fixed a problem with building with openssl that does not support
     OCSP. Also fixed some newly introduced warnings
     if compiled with -Wall. Patch from Steffen Ullrich. Thanks.
     fix build-failure on most Debian architectures:
     SSLeay.xs: In function 'XS_Net__SSLeay_OCSP_response_results':
     SSLeay.xs:5602:3: error: format not a string literal and no format
     arguments. Patch from  gregor herrmann.

1.59 2014-05-10
     Fixed local/30_error.t, so that tests do not fail if diagnostics are
     enabled.
     Fixed error messages about undefined strings used with length or
     split. Reported and patched by Peter Heuchert.
     Improvements to configuration of OPTIMIZE flags, to prevent overriding
     of perl's expected optimization flags. Caution: HPUX aCC optimize options are special.
     SSL_peek() now returns openssl error code as second item when called in
     array context, same as SSL_read. Patch from Andreas Mohr.
     Fixed some warnings.
     Added support for tlsv1.1 tlsv1.2 via $Net::SSLeay::ssl_version. Patch
     from Andreas Mohr.
     Improve examples in 'Using other perl modules based on
     Net::SSLeay'. Patched by Andreas Mohr.
     Added support for OCSP. Patched by Steffen Ullrich. Thanks!
     Added missing t/external/ocsp.t
2014-05-15 10:00:17 +00:00
wiz
cb806de263 Set LICENSE. 2014-05-15 09:59:32 +00:00
jperkin
9b95ea4753 Use PKG_SYSCONFDIR. 2014-05-14 14:00:42 +00:00
wiedi
149f0aa9b8 Add SMF manifest 2014-05-14 13:53:53 +00:00
joerg
61a3a8ab97 Correctly build as Python Egg. 2014-05-13 17:08:44 +00:00
rodent
4ff3edbefc Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying). 2014-05-13 02:23:11 +00:00
wiz
c1b44346cd Mark packages that are not ready for python-3.3 also not ready for 3.4,
until proven otherwise.
2014-05-09 07:36:53 +00:00
jperkin
dadce68110 Update to clamav-0.98.3. Changes:
- Support for common raw disk image formats using 512 byte sectors,
   specifically GPT, APM, and MBR partitioning.

 - Experimental support of OpenIOC files. ClamAV will now extract file
   hashes from OpenIOC files residing in the signature database location,
   and generate ClamAV hash signatures. ClamAV uses no other OpenIOC
   features at this time. No OpenIOC files will be delivered through
   freshclam. See openioc.org and iocbucket.com for additional information
   about OpenIOC.

 - All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop)
   now support IPV6 addresses and configuration parameters.

 - Use OpenSSL file hash functions for improved performance. OpenSSL
   is now prerequisite software for ClamAV 0.98.3.

 - Improved detection of malware scripts within image files. Issue reported
   by Maarten Broekman.

 - Change to circumvent possible denial of service when processing icons within
   specially crafted PE files. Icon limits are now in place with corresponding
   clamd and clamscan configuration parameters. This issue was reported by
   Joxean Koret.

 - Improvements to the fidelity of the ClamAV pattern matcher, an issue
   reported by Christian Blichmann.

 - Opt-in collection of statistics. Statistics collected are: sizes and MD5
   hashes of files, PE file section counts and section MD5 hashes, and names
   and counts of detected viruses. Enable statistics collection with the
   --enable-stats clamscan flag or StatsEnabled clamd configuration
   parameter.

 - Improvements to ClamAV build process, unit tests, and platform support with
   assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman,
   and Dave Simonson.

 - Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.

 - ClamAV 0.98.3 also includes miscellaneous bug fixes and documentation
   improvements.
2014-05-08 16:01:09 +00:00
imil
63ca187992 add & enable py-requests-oauthlib 2014-05-08 15:27:10 +00:00
imil
d0dd56ea2f Initial import of py-requests-oauthlib, version 0.4.0, into the NetBSD Packages
Collection.

This project provides first-class OAuth library support for Python Requests.
2014-05-08 15:25:54 +00:00
imil
e94841a444 add & enable py-oauthlib 2014-05-08 15:22:51 +00:00
imil
05accc3cfa Initial import of py-oauthlib, version 0.6.1, into the NetBSD Packages
Collection.

OAuth often seems complicated and difficult-to-implement. There are several
prominent libraries for handling OAuth requests, but they all suffer from one
or both of the following:

  *  They predate the OAuth 1.0 spec, AKA RFC 5849.
  *  They predate the OAuth 2.0 spec, AKA RFC 6749.
  *  They assume the usage of a specific HTTP request library.

OAuthLib is a generic utility which implements the logic of OAuth without
assuming a specific HTTP request object or web framework. Use it to graft OAuth
client support onto your favorite HTTP library, or provider support onto your
favourite web framework. If you're a maintainer of such a library, write a thin
veneer on top of OAuthLib and get OAuth support for very little effort.
2014-05-08 15:18:10 +00:00
jperkin
1388b301ea Pull in libxml2 for additional functionality, from Matthias Ferdinand. 2014-05-08 10:19:53 +00:00
fhajny
090a640fd3 Fix the pkg-config file provided (exec_prefix was undefined).
Bump PKGREVISION.
2014-05-07 15:41:08 +00:00
jperkin
cc9493b4ab Fix rc.d handling. 2014-05-06 15:07:40 +00:00
wiz
fdb6618b04 Update to 0.4:
0.4 - 2014-05-03
~~~~~~~~~~~~~~~~

* Deprecated ``salt_length`` on
  :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` and added it
  to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. It will be
  removed from ``MGF1`` in two releases per our :doc:`/api-stability` policy.
* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED` support.
* Added :class:`~cryptography.hazmat.primitives.cmac.CMAC`.
* Added decryption support to
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
  and encryption support to
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
* Added signature support to
  :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
  and verification support to
  :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.

0.3 - 2014-03-27
~~~~~~~~~~~~~~~~

* Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
* Added :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA` support.
* Added signature support to
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
  and verification support to
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
* Moved test vectors to the new ``cryptography_vectors`` package.
2014-05-06 10:30:54 +00:00
dsainty
b804d6ae0e SUBDIR+=p5-Crypt-Blowfish_PP 2014-05-06 05:23:08 +00:00
dsainty
01f96f7326 This is Crypt::Blowfish_PP, a Perl implementation of the Blowfish
cryptography algorithm designed by Bruce Schneier.
2014-05-06 05:21:38 +00:00
rodent
c6f75543cb Buildlink libiconv using build dependency method for OpenBSD. The courier-
{authlib,maildir} packages won't build otherwise (at least with
PREFER_PKGSRC=yes).
2014-05-06 03:45:36 +00:00
ryoon
60806aa001 Recursive revbump from x11/pixman
Fix PR pkg/48777
2014-05-05 00:47:34 +00:00
ryoon
ec0d38b90b Fix build under OpenBSD 5.5
* OpenBSD 5.5 has no _PASSWORD_WARNDAYS definition in its header files
  Declare _PASSWORD_WARNDAYS as 14 if _PASSWORD_WARNDAYS is not defined.
  Move the definition above its use.
2014-05-04 09:30:26 +00:00
adam
0edd5428de Changes 3.5:
- Correctly handle decoding of recursive CHOICE options.
- Allow deleting elements of SET OF.
- Several small bug fixes found by coverity.
- Code improvements
2014-05-03 19:40:22 +00:00
alnsn
aedfc77e1e Revbump for Lua multiversion support. 2014-05-03 13:14:36 +00:00
alnsn
fb7c78e46e Adapt to Lua multiversion support. 2014-05-03 13:01:24 +00:00
rodent
aaf97c5cf1 +py-bcrypt 2014-05-03 02:27:57 +00:00
rodent
b4b0301b27 Import py27-bcrypt-1.0.2 as security/py-bcrypt.
Modern password hashing for your software and your servers.
2014-05-03 02:27:10 +00:00
ryoon
7ab85098ff Update to 5.01
Changelog:
Version 5.01, unreleased, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1g.
    This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
  - X.509 extensions added to the created self-signed stunnel.pem.
  - "FIPS = no" also allowed in non-FIPS builds of stunnel.
  - Search all certificates with the same subject name for a matching
    public key rather than only the first one (thx to Leon Winter).
  - Create logs in the local application data folder if stunnel folder
    is not writable on Win32.
* Bugfixes
  - close_notify not sent when SSL still has some data buffered.
  - Protocol negotiation with server-side SNI fixed.
  - A Mac OS X missing symbols fixed.
  - Win32 configuration file reload crash fixed.
  - Added s_pool_free() on exec+connect service retires.
  - Line-buffering enforced on stderr output.
2014-04-29 13:47:45 +00:00
obache
88baaa4e71 Remove BUILTIN_PKG.openssl masquerade for NetBSD.
We need builtin version to check sufficient API, not for security fix.
2014-04-27 01:57:51 +00:00
asau
1cf44cb41c Band-aid packaging fix for Linux. From Jason Bacon through WIP. 2014-04-25 10:20:06 +00:00
wiz
3b5c8cda46 Update to 1.13:
Noteworthy changes in version 1.13 (2014-04-15)
-----------------------------------------------

 * Added a portable mutex API.

 * The AM_PATH_GPG_ERROR macro now defines GPG_ERROR_MT_CFLAGS and
   GPG_ERROR_MT_LIBS autoconf output variables for use by programs
   which need gpgrt based thread support.  gpg-error-config has a new
   option --mt.

 * Interface changes relative to the 1.12 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_KEY_ON_CARD          NEW.
 GPG_ERR_MAC_ALGO             NEW.
 GPG_ERR_INV_LOCK_OBJ         NEW.
 gpgrt_lock_t                 NEW.
 GPGRT_LOCK_INITIALIZER       NEW.
 GPGRT_LOCK_DEFINE            NEW.
 gpgrt_lock_init              NEW.
 gpgrt_lock_lock              NEW.
 gpgrt_lock_unlock            NEW.
 gpgrt_lock_destroy           NEW.
 gpgrt_yield                  NEW.
2014-04-25 08:33:57 +00:00
wiz
53295fa980 + PortableSigner 2014-04-23 11:28:33 +00:00
wiz
67ecc5031b Import PortableSigner-2.0.38c0573 as security/PortableSigner.
PortableSigner is a signing (with X.509 certificates) program for
PDF files. It's platform independent and runs (tested) under
Windows (2000, XP, ...), Linux and Mac OS X.

It's possible to digitally sign PDF documents with X.509 certificates.
These signed documents are read only. Therefore it's possible to
implement "electronic paper".
2014-04-23 11:27:58 +00:00