It's not available.
ftp://ftp.belnet.be/pub/OpenBSD/OpenSSH/portable/ (capitalize openbsd) is
available, but it's a mirror, not the special old distfile holder.
Moreover, mirrors have good enough old versions, and "old" subdirectory
have much old distfiles.
* Version 1.0.1
- DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
collisions with similar macros defined by other libraries.
- sodium_bin2hex() is now constant-time.
- crypto_secretbox_detached() now supports overlapping input and output
regions.
- NaCl's donna_c64 implementation of curve25519 was reading an extra byte
past the end of the buffer containing the base point. This has been
fixed.
2.009 2014/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
RT#101452
2015-01-12 Gisle Aas <gisle@ActiveState.com>
Release 2.54
David Mitchell: silence some compiler warnings
Jonathan Hall: Add ->context() feature
Steve Hay: Sync with blead
bulk88: const the vtable
zefram: 5.6 threads test fix
Upstream changes:
5.95 Sat Jan 10 12:15:36 MST 2015
- modified the bit-ordering test (ref. t/bitorder.t)
-- supplied directory-change preamble for CORE builds
5.94 Sat Jan 10 00:45:28 MST 2015
- added support for threaded builds
-- PERL_GET_NO_CONTEXT, pTHX_, aTHX_, etc.
-- employed 'const' storage class where possible
-- ref. rt.cpan.org #101260
- simplified shabits() routine (bitwise input buffering)
-- slightly less efficient but easier to understand
-- ref. rt.cpan.org #101344
- minor documentation tweaks and additions
Before version 1.6.0, libgcrypt called pth_init() on its own;
in later versions dirmngr has to be the one to call pth_init().
With this dirmngr actually works (does not seg fault immediately).
Since it's a runtime problem, PKGREVISION bumped.
OK@ wiz
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
(CVE-2014-3571)
[Steve Henson]
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
dtls1_buffer_record function under certain conditions. In particular this
could occur if an attacker sent repeated DTLS records with the same
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
(CVE-2015-0206)
[Matt Caswell]
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
(CVE-2014-3569)
[Kurt Roeckx]
*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
(CVE-2014-3572)
[Steve Henson]
*) Remove non-export ephemeral RSA code on client and server. This code
violated the TLS standard by allowing the use of temporary RSA keys in
non-export ciphersuites and could be used by a server to effectively
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
INRIA for reporting this issue.
(CVE-2015-0204)
[Steve Henson]
*) Fixed issue where DH client certificates are accepted without verification.
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client to
authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
this issue.
(CVE-2015-0205)
[Steve Henson]
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
The session ID context is typically set from the parent SSL_CTX,
and can vary with the CTX.
[Adam Langley]
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
Thanks to Konrad Kraszewski from Google for reporting this issue.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
(CVE-2014-8275)
[Steve Henson]
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
results on some platforms, including x86_64. This bug occurs at random
with a very low probability, and is not known to be exploitable in any
way, though its exact impact is difficult to determine. Thanks to Pieter
Wuille (Blockstream) who reported this issue and also suggested an initial
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
(CVE-2014-3570)
[Andy Polyakov]
*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
[David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
[Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
[Emilia Käsper]
0.7.1 - 2014-12-28
~~~~~~~~~~~~~~~~~~
* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
was defined.
0.7 - 2014-12-17
~~~~~~~~~~~~~~~~
* Cryptography has been relicensed from the Apache Software License, Version
2.0, to being available under *either* the Apache Software License, Version
2.0, or the BSD license.
* Added key-rotation support to :doc:`Fernet </fernet>` with
:class:`~cryptography.fernet.MultiFernet`.
* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
from numbers.
* Added :class:`~cryptography.hazmat.primitives.interfaces.MACContext` as a
common interface for CMAC and HMAC and deprecated
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext`.
* Added support for encoding and decoding :rfc:`6979` signatures in
:doc:`/hazmat/primitives/asymmetric/utils`.
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
keys are currently supported.
* Added initial support for X.509 certificate parsing. See the
:doc:`X.509 documentation</x509>` for more information.
Collection.
Password management should be simple and follow Unix philosophy. With pass,
each password lives inside of a gpg encrypted file whose filename is the title
of the website or resource that requires the password. These encrypted files
may be organized into meaningful folder hierarchies, copied from computer to
computer, and, in general, manipulated using standard command line file
management utilities.
pass makes managing these individual password files extremely easy. All
passwords live in ~/.password-store, and pass provides some nice commands for
adding, editing, generating, and retrieving passwords. It is a very short and
simple shell script. It's capable of temporarily putting passwords on your
clipboard and tracking password changes using git.
This is a collection of both secure hash functions (such as SHA256 and
RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal,
etc.). The package is structured to make adding new modules easy.
One possible application of the modules is writing secure administration
tools. Another application is in writing daemons and servers. Clients
and servers can encrypt the data being exchanged and mutually
authenticate themselves; daemons can encrypt private data for added
security. Python also provides a pleasant framework for prototyping and
experimentation with cryptographic algorithms; thanks to its
arbitrary-length integers, public key algorithms are easily implemented.
In lib/x509/rfc2818_hostname.c, ipv6 related structs are used, but
at least on FreeBSD, arpa/inet.h does not contain the necessary
structs. If netinet/in.h is present, we use it instead of arpa/inet.h.
Reviewed by wiz
packaged for wip by nros.
The Qore xmlsec module gives Qore programs the possibility to support
XML signature (xmldsig) and XML encryption (xmlenc) as defined by W3C.
packaged for wip by nros.
The ssh2 module provides Qore the possibility to communicate with sshd
servers via the ssh2 protocol; the underlying functionality is provided
by libssh2.
packaged for wip by nros.
ASN.1 (Abstract Syntax Notation One) module for Qore provides an API to
dynamically create, parse and convert ASN.1 data structures to concrete
output formats (like DER).
2.008 2014/12/16
- work around recent OCSP verification errors for revoked.grc.com (badly signed
OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
- util/analyze.pl - report more details about preferred cipher for specific TLS
versions
- New Features:
- donuts: - Added the ability to summarize information
about a zone in the output, such as the upcoming
entire zone expiry time, etc
- Added the ability to query live zones for
records to analyze. EG:
donuts live:good-a,badsign-a test.dnssec-tools.org
- Added a -V switch to dump records analyzed
- libval: - Add support for conditionally checking all RRSIGs
on an assertion even if one that validates is
already found.
- Look for zonecuts based on NS records, not SOA
- Added initial support for TSIG in order to enable
libval to query recursive name servers that
authorized recursive lookup for only those hosts
that used a particular TSIG key.
- Validator.pm - Store respondent name server information in result
structure.
- Owl - additional sensor modules
- additional data analysis on manager
- logging to the Owl sensors modules
- optimized sensor data organization
(requires software upgrades on both sensor and
manager at the same time)
- added -restart option to owl-sensord for
restarting sensor modules
- improvements to the installation guide
- rollerd - generalized zonegroup entry in rollecs to be lists of tags
- rndc option support added
- dnssec-check - Ported to Qt5
- dnssec-nodes - Ported to Qt5
- lookup - Ported to Qt5
- dnssec-system-tray
- Ported to Qt5
- Bug Fixes
- Fixed bugs in libval, rollerd, blinkenlights, Owl
sensor modules, and Owl manager
- Use rlimits to try and limit file descriptor use in
libsres so we don't run out of available sockets.
- Eliminate a few hardcoded paths in various perl modules
- Fix various compiler warnings
- Update autoconf and related files
upstream. Thanks wiz@ for advice.
-------------------------
2014-10-26 Werner Koch <wk@gnupg.org>
Release 0.9.0.
(.. omitted ..)
Remove support for QT3 and GTK+-1.
* configure.ac: Remove old qt and gtk+-1 support.
-- This will remove pinentry-{gtk,qt} by next commit.
-- Touched files on this commit are Makefile.common and distinfo only
-------------------------
2014-10-26 Werner Koch <wk@gnupg.org>
Release 0.9.0.
gtk: Avoid segv for paste keys.
* gtk+-2/gtksecentry.c (gtk_secure_entry_class_init): Disable paste
key bindings.
Remove support for QT3 and GTK+-1.
* configure.ac: Remove old qt and gtk+-1 support.
* Makefile.am: Ditto.
2014-10-26 Stanislav Ochotnicky <sochotnicky@redhat.com>
Check if we are on tty before initializing curses.
* pinentry/pinentry-curses.c (dialog_run): Check that stdin and stdout
are connected to ttys.
2014-10-26 Werner Koch <wk@gnupg.org>
gtk: Allow pasting using the mouse.
* gtk+-2/gtksecentry.h (_GtkSecureEntry): Add fields insert_pos,
real_changed, and change_count.
(_GtkSecureEntryClass): Add field paste_clipboard.
* gtk+-2/gtksecentry.c (PASTE_CLIPBOARD): New.
(gtk_secure_entry_class_init): Set paste_clipboard and create
paste-clipboard signal.
(gtk_secure_entry_button_press): Call gtk_secure_entry_paste.
(begin_change, end_change, emit_changed): New.
(gtk_secure_entry_real_insert_text): Use emit_changed.
(gtk_secure_entry_real_delete_text): Ditto.
(paste_received, gtk_secure_entry_paste)
(gtk_secure_entry_paste_clipboard): New.
2014-10-24 Werner Koch <wk@gnupg.org>
gtk+-2: Make current focus visible again.
* gtk+-2/pinentry-gtk-2.c (grab_keyboard): Return false
(ungrab_keyboard): Ditto.
gtk+-2: Implement the SETREPEAT command.
* gtk+-2/pinentry-gtk-2.c (repeat_entry, error_label): New.
(button_clicked): Implement repeat check.
(changed_text_handler): Clear repeat field.
(create_window): Add repeat entry.
Add commands to allow implementing a "repeat passphrase" field.
* pinentry/pinentry.c (cmd_setrepeat): New.
(cmd_setrepeaterror): New.
(register_commands): Add new commands.
(cmd_getpin): Print "PIN_REPEATED" status.
Another commit follows for other files.
This is the last version pinentry-{qt,gtk} are available.
-----------------------------------------
2014-09-18 Werner Koch <wk@gnupg.org>
Release 0.8.4.
Add missing build support files and move them to build-aux.
Use generic autogen.sh script.
* autogen.rc: New.
* autogen.sh: New. Take from GnuPG.
* Makefile.am (EXTRA_DIST): Add autogen.rc.
(DISTCHECK_CONFIGURE_FLAGS): Disable qt4.
2014-08-12 Werner Koch <wk@gnupg.org>
common: Fix compiler warning.
* pinentry/pinentry.c (pinentry_utf8_to_local): Use cast for iconv arg.
(pinentry_local_to_utf8): Ditto.
New pinentry-tty version for dumb terminals.
* Makefile.am: Add pinentry-tty.
* NEWS: Add news about pinentry-tty.
* README: Update.
* configure.ac: Add support for this pinentry.
* tty/Makefile.am: New.
* tty/pinentry-tty.c: New.
2014-08-06 Andre Heinecke <aheinecke@intevation.de>
Check for MOC also if pinentry-qt is disabled.
* configure.ac: Call QT_PATH_MOC if pinentry_qt4 is not no.
Add fallbacks for SetForegroundWindow.
If that foreground window fails pinentry-qt now tries to
attach to the current foreground process and then tries
to set the foreground window again. If that fails it also
calls ShowWindow as a last resort.
* qt4/pinentrydialog.cpp (raiseWindow): Add fallbacks in
case SetForegroundWindow fails.
Use raiseWindow also for confirm dialogs.
This should fix the case that the dialog opened
in the foreground but a warning / confirm dialog
opened in the background.
* qt4/pinentryconfirm.cpp, qt4/pinentryconfirm.h (showEvent):
New overwrite base class method to call raiseWindow.
* NEWS: Mention this.
2014-07-30 Andre Heinecke <aheinecke@intevation.de>
Set some accessibility information.
* qt4/main.cpp (qt_cmd_handler): Build buttons with accessible
Description.
* qt4/pinentrydialog.cpp (setDescription, setError, setOkText)
(setCancelText, setQualityBar): Set an accessible description.
* qt4/pinentryconfirm.cpp (PinentryConfirm): Set message
box contents also as accessible values.
* NEWS: Mention it and the copy/paste change from last year.
2013-07-15 Andre Heinecke <aheinecke@intevation.de>
Lower paste length limit to 300.
This should be more than enough and avoids possible problems
with libassuan cmd line length or percent escaping etc.
* qt4/qsecurelineedit.cpp (insert): Lower paste limit
Limit paste length to 1023 characters.
* qt4/qsecurelineedit.cpp (insert): Check for a maximum
length before allocating the secmem string.
Fix contextmenu support for pasting.
MOC ignores preprocessor definitions so we can not conditionally
declare SLOTS. So we now move the ifdefs in the definition and
always declare the SLOTS.
* qt4/qsecurelineedit.cpp (cut, copy, paste): Do nothing if
QT_NO_CLIPBOARD is defined.
* qt4/qsecurelineedit.h: Always declare cut, copy and paste slots
Remove check for RTL extensions.
Our code does nothing RTL specific there anyway. And the
qt_use_rtl_extensions symbol has been removed.
* qt4/qsecurelineedit.cpp: Remove check for RTL extensions.
2013-07-12 Werner Koch <wk@gnupg.org>
Fix for commit fb38be9 to allow for "make distcheck".
* qt4/Makefile.am: Make correct use of BUILT_SOURCES.
2013-05-29 Andre Heinecke <aheinecke@intevation.de>
Add pinentry-qt4-clipboard option.
Enabling this option will make it possible to paste a
passphrase into pinentry-qt4. This defeats the secmem
mechanism but drastically increases usability for some
users.
* configure.ac: New option pinentry-qt4-clipboard.
* qt4/qsecurelineedit.cpp, qt4/qsecurelineedit.h: Activate
clipboard and context menu if PINENTRY_QT4_CLIPBOARD is defined.
Remove qt4 moc files and add moc to buildsystem.
This is necessary to conditionally enable signals/slots
at build time.
* qt4/Makefile.am: Moc files automatically.
* qt4/pinentryconfirm.moc, qt4/pinentrydialog.moc,
qsecurelineedit.moc: Removed.
Changelog for this version:
pev 0.70 - December 26, 2013
! Missing full/English documentation.
! Missing valid XML and HTML output formats.
! pestr: no support for --net option when parsing unicode strings.
! pestr: unable to handle too big strings.
* libpe: rewritten, now using mmap. (Jardel Weyrich).
* pestr: added countries domains suffixes.
* readpe and peres: output enhancements (Jardel Weyrich).
+ pehash: sections and headers hash calculation (Jardel Weyrich).
+ pehash: ssdeep fuzzy hash calculation.
+ pehash: support for new digest hashes like sha512, ripemd160 and more.
+ peres: added new tool to analyze/extract PE resources (Marcelo Fleury).
+ pescan: cpl malware detection.
+ pescan: undocumented anti-disassembly fpu trick detection.
+ pesec: show and extract certificates from digitally signed binaries (Jardel Weyrich).
- readpe can't show functions exported by ID only.
- readpe: fixed subsystem types (Dmitry Mostovenko).
ChangeLog for this version:
Wed, 12 Nov 2014 14:30:39 EDT (swebb)
-------------------------------------
* bb11176 - Instruct OpenSSL to allow MD5 when in FIPS-compliant mode.
Patch submitted by Reinhard Max.
Mon, 10 Nov 2014 11:03:29 EDT (swebb)
-------------------------------------
* bb11155 - Adjust the logic surrounding adjusting the PE section sizes
This fixes a crash with maliciously crafted yoda's crypter files and
also improves virus detections for PE files.
Thu, 6 Nov 2014 14:51:26 EDT (swebb)
-------------------------------------
* bb11088 - Merge in fixes for clamscan -a crash bug
Mon, 20 Oct 2014 11:33:18 EDT (swebb)
-------------------------------------
* Revert "bb#10731 - Allow to specify a group for the socket of which
the user is not a member"
Thu, 31 Jul 2014 19:11:22 EDT (swebb)
-------------------------------------
* Add support for XDP PDF file format
Thu, Jul 31 11:50:23 EDT 2014 (swebb)
------------------------------------
* bb#10731 - Allow specification of a group for the milter socket of which
the user is not a member - patch submitted by Sebastian Andrzej Siewior
Fri, 25 Jul 2014 12:26:04 EDT (klin)
------------------------------------
* bb#10981 - applied LLVM 3.1-3.4 - patch submitted by Andreas Cadhalpun
Fri, 25 Jul 2014 12:06:13 (klin)
--------------------------------
* clambc: added diagnostic tools for bytecode IR
Tue, 8 Jul 2014 19:53:41 EDT (swebb)
------------------------------------
* mass cleanup of compiler warnings
Tue, 08 Jul 11:30:00 EDT 2014 (morgan)
------------------------------------
* 0.98.5 beta release
Mon, 07 Jul 09:00:00 EDT 2014 (swebb)
------------------------------------
* 0.98.5-beta1 release engineering
Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
------------------------------------
* Call cl_initialize_crypto() in cl_init()
Thu, 03 Jul 16:28:10 EDT 2014 (swebb)
------------------------------------
* Finalize PDF parsing code for the preclassification feature
Wed, 25 Jun 16:26:33 EDT 2014 (swebb)
------------------------------------
* Finalize linking in libjson, a new optional dependency
Fri, 13 Jun 2014 16:11:15 EDT (smorgan)
---------------------------------------
* add timeout facility for file property scanning
Tue, 3 Jun 2014 13:31:50 EDT (smorgan)
--------------------------------------
* add callback for user processing of json string and json scan result
Wed, 7 May 2014 10:56:35 EDT (swebb)
------------------------------------
* PE file properties collection
Tue, 6 May 2014 15:26:30 EDT (klin)
-----------------------------------
* add api to read json to the bytecode api
Thu, 1 May 2014 16:59:01 EDT (klin)
-----------------------------------
* docx/pptx/xlsx file properties collection
Wed, 30 Apr 2014 16:38:55 EDT (swebb)
-------------------------------------
* pdf file properties collection
Tue, 22 Apr 2014 14:22:39 EDT (klin)
------------------------------------
* json api wrapper
Mon, 21 Apr 2014 18:30:28 EDT (klin)
------------------------------------
* doc/ppt/xls file properties collection
Wed, 16 Apr 18:14:45 2014 EDT (smorgan)
--------------------------------------
* Initial libjson-c configure/build support and json file properties work
* Version 3.2.20 (released 2014-11-10)
** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.
** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].
** API and ABI modifications:
No changes since last version.
* Version 3.2.19 (released 2014-10-13)
** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.
** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.
** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.
** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
** guile: new 'set-session-server-name!' procedure; see the manual for
details.
** API and ABI modifications:
No changes since last version.
Changes since 20141129:
+ bring over lint changes from src/crypto version of this utility
+ add a helper function to get an element from a cursor
+ added a small compile and test script, which uses BSD makefiles
+ change WARNS level in BSD Makefile from 6 to 5 - changes to make
WARNS=6 compile are way too intrusive and distracting to be useful
+ bump version to 20141204
Changes:
* The patch for SUPPORT-147 got integrated upstream.
* Regenerate enforcer/utils/Makefile.in diff
Upstream changes:
* SUPPORT-147: Zone updating via zone transfer can get stuck
* Crash on 'retransfer' command when not using DNS adapters.
2.007 2014/11/26
- make getline/readline fall back to super class if class is not sslified yet,
i.e. behave the same as sysread, syswrite etc.
This fixes RT#100529
Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
------------------------------------------------
* Fixed a buffer overflow in ksba_oid_to_str.
Noteworthy changes in version 1.3.1 (2014-09-18)
------------------------------------------------
* Fixed memory leak in CRL parsing.
* Build fixes for Windows, Android, and ppc64el.
Python-RSA is a pure-Python RSA implementation. It supports encryption
and decryption, signing and verifying signatures, and key generation
according to PKCS#1 version 1.5. It can be used as a Python library
as well as on the commandline.
This is a small but growing collection of ASN.1 data structures
expressed in Python terms using the pyasn1 data model.
It's thought to be useful to protocol developers and testers.
2.006 2014/11/22
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of
EAGAIN. While this is the same on UNIX it is different on Windows and socket
operations return there (WSA)EWOULDBLOCK and not EAGAIN. Enable non-blocking
tests on Windows too.
- make PublicSuffix::_default_data thread safe
- update PublicSuffix with latest list from publicsuffix.org
code branch from SoftHSMv2: ensure created pkcs8 file is not
group- or world-readable.
Rename patch-aa to patch-Makefile.in, and add a comment.
Bump PKGREVISION.
2.005 2014/11/15
- next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
2.004 2014/11/15
- only test fix: fix t/protocol_version.t to deal with OpenSSL installations
which are compiled without SSLv3 support.
2.003 2014/11/14
- make SSLv3 available even if the SSL library disables it by default in
SSL_CTX_new (like done in LibreSSL). Default will stay to disable SSLv3,
so this will be only done when setting SSL_version explicitly.
- fix possible segmentation fault when trying to use an invalid certificate,
reported by Nick Andrew.
- Use only the ICANN part of the default public suffix list and not the
private domains. This makes existing exceptions for s3.amazonaws.com and
googleapis.com obsolete. Thanks to Gervase Markham from mozilla.org.
base for other systems. It allows the creation of users, which can
be authenticated by username, password, and optionally a YubiKey
OTP.
Aside from providing a user authentication backend, YubiAuth allows
storing and retrieving arbitrary key-value attributes for each user
as well as each YubiKey.
* Fix udev rules so they contain four digits.
* Only try to detach the kernel driver if it's attached. For libusb-1.0
* Let import config report errors properly.
NEO. There is a command line tool "ykneomgr" for interactive use.
It supports querying the YubiKey NEO for firmware version, operation
mode (OTP/CCID) and serial number. You may also mode switch the
device and manage applets (list, delete and install).
PolarSSL ChangeLog
= Version 1.2.12 released 2014-10-24
Security
* Remotely-triggerable memory leak when parsing some X.509 certificates
(server is not affected if it doesn't ask for a client certificate).
(Found using Codenomicon Defensics.)
Bugfix
* Fix potential bad read in parsing ServerHello (found by Adrien
Vialletelle).
* ssl_close_notify() could send more than one message in some circumstances
with non-blocking I/O.
* x509_crt_parse() did not increase total_failed on PEM error
* Fix compiler warnings on iOS (found by Sander Niemeijer).
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
* ssl_read() could return non-application data records on server while
renegotiation was pending, and on client when a HelloRequest was received.
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
Changes
* X.509 certificates with more than one AttributeTypeAndValue per
RelativeDistinguishedName are not accepted any more.
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
* Accept spaces at end of line or end of buffer in base64_decode().
* Add yk_get_key_vid_pid() to get the vendor and product id of a key.
* Add flags for ykinfo to print vendor and product id.
* Fix a bug in the osx backend where it would return an error opening
a composite device with two hid interfaces.