Commit graph

7618 commits

Author SHA1 Message Date
pettai
14a7ee2b4f Version 2.13 (released 2014-09-12)
* libykclient: Skip responses where the curl status isn't CURLE_OK.
* libykclient: Add forgotten prototype for ykclient_set_ca_info.
2014-11-10 22:25:40 +00:00
pettai
db299eba3a Version 2.17 (released 2014-08-26)
* Fix a bug with the 'urllist' parameter where urls would be forgotten.
* Manpages converted to asciidoc.

Version 2.16 (released 2014-06-10)

* Fix a crashbug with the new parameter 'urllist'

Version 2.15 (released 2014-04-30)

* Added new parameter 'urllist'
* Added pam_yubico(8) man page.
* Fix memory leak.
* Bump yubico-c-client version requirement to 2.12.
2014-11-10 21:55:31 +00:00
adam
8e3b70e314 Revbump after updating boost 2014-11-07 19:39:24 +00:00
schmonz
ca3402acdd Update to 5.07. From the changelog:
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
  - Several SMTP server protocol negotiation improvements.
  - Added UTF-8 byte order marks to stunnel.conf templates.
  - DH parameters are no longer generated by "make cert".
    The hardcoded DH parameters are sufficiently secure,
    and modern TLS implementations will use ECDH anyway.
  - Updated manual for the "options" configuration file option.
  - Added support for systemd 209 or later.
  - New --disable-systemd ./configure option.
  - setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
  - Added support for UTF-8 byte order mark in stunnel.conf.
  - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
  - Non-blocking mode set on inetd and systemd descriptors.
  - shfolder.h replaced with shlobj.h for compatibility
    with modern Microsoft compilers.

Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1j.
    https://www.openssl.org/news/secadv_20141015.txt
  - The insecure SSLv2 protocol is now disabled by default.
    It can be enabled with "options = -NO_SSLv2".
  - The insecure SSLv3 protocol is now disabled by default.
    It can be enabled with "options = -NO_SSLv3".
  - Default sslVersion changed to "all" (also in FIPS mode)
    to autonegotiate the highest supported TLS version.
* New features
  - Added missing SSL options to match OpenSSL 1.0.1j.
  - New "-options" commandline option to display the list
    of supported SSL options.
* Bugfixes
  - Fixed FORK threading build regression bug.
  - Fixed missing periodic Win32 GUI log updates.

Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
  - Asynchronous communication with the GUI thread for faster
    logging on Win32.
  - systemd socket activation (thx to Mark Theunissen).
  - The parameter of "options" can now be prefixed with "-"
    to clear an SSL option, for example:
    "options = -LEGACY_SERVER_CONNECT".
  - Improved "transparent = destination" manual page (thx to
    Vadim Penzin).
* Bugfixes
  - Fixed POLLIN|POLLHUP condition handling error resulting
    in prematurely closed (truncated) connection.
  - Fixed a null pointer dereference regression bug in the
    "transparent = destination" functionality (thx to
    Vadim Penzin). This bug was introduced in stunnel 5.00.
  - Fixed startup thread synchronization with Win32 GUI.
  - Fixed erroneously closed stdin/stdout/stderr if specified
    as the -fd commandline option parameter.
  - A number of minor Win32 GUI bugfixes and improvements.
  - Merged most of the Windows CE patches (thx to Pierre Delaage).
  - Fixed incorrect CreateService() error message on Win32.
  - Implemented a workaround for defective Cygwin file
    descriptor passing breaking the libwrap support:
    http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors

Version 5.04, 2014.09.21, urgency: LOW:
* New features
  - Support for local mode ("exec" option) on Win32.
  - Support for UTF-8 config file and log file.
  - Win32 UTF-16 build (thx to Pierre Delaage for support).
  - Support for Unicode file names on Win32.
  - A more explicit service description provided for the
    Windows SCM (thx to Pierre Delaage).
  - TCP/IP dependency added for NT service in order to prevent
    initialization failure at boot time.
  - FIPS canister updated to version 2.0.8 in the Win32 binary
    build.
* Bugfixes
  - load_icon_default() modified to return copies of default icons
    instead of the original resources to prevent the resources
    from being destroyed.
  - Partially merged Windows CE patches (thx to Pierre Delaage).
  - Fixed typos in stunnel.init.in and vc.mak.
  - Fixed incorrect memory allocation statistics update in
    str_realloc().
  - Missing REMOTE_PORT environmental variable is provided to
    processes spawned with "exec" on Unix platforms.
  - Taskbar icon is no longer disabled for NT service.
  - Fixed taskbar icon initialization when commandline options are
    specified.
  - Reportedly more compatible values used for the dwDesiredAccess
    parameter of the CreateFile() function (thx to Pierre Delaage).
  - A number of minor Win32 GUI bugfixes and improvements.
2014-11-07 11:30:47 +00:00
joerg
bbc3e21307 Add missing dependency for the cffi use. 2014-11-04 21:41:20 +00:00
he
80c82f118e There's one more useless ntohl(), get rid of that as well.
Bump PKGREVISION.
2014-11-04 09:41:02 +00:00
agc
7ae3b11fb6 Add and enable libgfshare 2014-11-02 20:39:03 +00:00
agc
f2123bea28 Initial import of libgfshare-1.0.5, a library which implements Shamir's
Secret Sharing Scheme, into the packages collection.

	In simple terms, this package provides a library for implementing the
	sharing of secrets and two tools for simple use-cases of the
	algorithm.  The library implements what is known as Shamir's method
	for secret sharing in the Galois Field 2^8.  In slightly simpler words,
	this is N-of-M secret-sharing byte-by-byte.  Essentially this allows
	us to split a secret S into any M shares S1..SM such that any N of
	those shares can be used to reconstruct S but any less than N shares
	yields no information whatsoever.
2014-11-02 20:38:16 +00:00
he
0e26430931 Fix a bug related to restoring various data from .xfrd-state files:
there's no need to byte-swap values read from a local file.
This would cause some IXFRs to mysteriously and consistently fail
until manual intervention is done, because the wrong (byte-swapped)
SOA serial# was being stuffed into the IXFR requests.

Ref. https://issues.opendnssec.org/browse/SUPPORT-147.

Also fix the rc.d script to not insist that the components must be
running to allow "stop" to proceed, so that "restart" or "stop" can
be done if one or both of the processes have exited or crashed.

Bump PKGREVISION.
2014-10-31 16:32:39 +00:00
wiz
9fcddb17b6 Add upstream bug report (by he@, thanks!) 2014-10-30 14:30:35 +00:00
he
f7bcbeba7e Use __attribute__((destructor)) instead of atexit(), so that the
library wind-down function is both called on dlclose() and exit().
Should avoid segfault when trying to call the atexit function after
dlclose() which unmaps the library.  Fixes PR pkg/49333, thanks to
joerg@ for the suggested fix.

Also, the IRIX and NetBSD tool name to get at nawk is just "awk",
flagged by pkglint.

Bump PKGREVISION.
2014-10-29 12:28:50 +00:00
he
74b2581678 Add an rc.d script for NetBSD. 2014-10-28 13:26:37 +00:00
wen
e0373dbea5 Update to 5.93
Upstream changes:
5.93  Sun Oct 26 06:00:48 MST 2014
	- corrected alignment problem in SHA struct (src/sha.h)
		-- thanks to H. Merijn Brand and J. Hietaniemi for
			analysis and suggested patch
	- provided workaround in t/methods.t for unreliable -T test
		-- Some Perl 5.8's mistake text for binary
2014-10-27 13:29:03 +00:00
wiz
4121303301 Update to 2.002:
2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
  not use inet_aton any longer because it can cause DNS lookups for malformed
  IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
  top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
  cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
  Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.
2014-10-23 07:24:06 +00:00
wiedi
8697010eef Update spiped to 1.4.2
Changelog:
 spiped-1.4.2
 * Fix crash on platforms which support AESNI (i386, amd64) but do not
   automatically provide 16-byte alignment to large memory allocations
   (glibc, possibly others).
2014-10-21 17:05:54 +00:00
wiz
03080bec94 Update to 0.6.1:
0.6.1 - 2014-10-15
~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
  functions.
* Added our license file to the ``cryptography-vectors`` package.
* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
  backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
  truncation was not implemented.
2014-10-20 11:21:06 +00:00
jaapb
29bcb49ffc Added camlp4 dependency. 2014-10-20 11:10:56 +00:00
wiz
d3927e57be Update to 1.17:
Noteworthy changes in version 1.17 (2014-10-15) [C13/A13/R0]
-----------------------------------------------

 * New error codes for TLS protocol libraries.

 * New configure option --enable-build-timestamp.

 * New man page for gpg-error-config.
2014-10-20 10:13:16 +00:00
wiz
8f7ae2c4d8 Update to 2.000:
2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
  Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
  fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18
2014-10-20 08:58:14 +00:00
alnsn
bdc6025cdf Revbump after lang/lua51 update. 2014-10-19 22:27:43 +00:00
dholland
7b63447830 Don't hand-process $required_dirs and $required_files. This is provided
by the infrastructure. Tangentially related to PR 48555.
2014-10-16 04:51:08 +00:00
jperkin
0838186bb1 Add back manual page which somehow was removed yet got past install checks. 2014-10-15 19:55:53 +00:00
jperkin
5fbce38631 Update to openssl-1.0.1j.
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
     sends a carefully crafted handshake message, to cause OpenSSL to fail
     to free up to 64k of memory causing a memory leak. This could be
     exploited in a Denial Of Service attack. This issue affects OpenSSL
     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
     whether SRTP is used or configured. Implementations of OpenSSL that
     have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete a SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

  *) Add additional DigestInfo checks.

     Reencode DigestInfo in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]
2014-10-15 19:04:40 +00:00
wiz
e4bd95945d Update to 1.1.10: locale improvements. 2014-10-12 14:48:20 +00:00
wiz
6d4ce84257 Update to 1.999:
1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
  checked, because these are synonyms and IO::Socket::IP prefers PeerHost
  while others prefer PeerAddr. Also accept PeerService additionally to
  PeerPort.
  See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
  util/analyze-ssl.pl.
2014-10-12 14:37:15 +00:00
wiz
f68a3efa69 Remove unneeded patch. 2014-10-10 22:54:44 +00:00
adam
21a3135604 Changes 3.2.18:
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted in certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.
2014-10-10 11:40:15 +00:00
adam
fd4c956f99 Changes 4.2:
- Added sanity checks in the decoding of time when
  ASN1_DECODE_FLAG_STRICT_DER is used.
- Fixes in the decoding of OCTET STRING when close to the end
  of the structure.
2014-10-10 11:38:54 +00:00
jaapb
8a0210c406 Updated package to latest version 1.9. Package now uses ocaml.mk.
Changes include:
 - More fixes to build in Windows with zlib (mingw and msvc).
 - Build .cmxs with C bindings (Closes: #1303)
 - Use advapi32 on Windows (Close: #1055)
 - Allow to define --zlib-include and --zlib-libdir if zlib is not installed in
   the standard location.
 - Added SHA-3 hash function.
2014-10-09 22:28:12 +00:00
jaapb
70cc9c8a0d Updated package to latest version, 0.4.7. Package now uses ocaml.mk.
Changes:
* Add support for TLS1.1 and TLS1.2 (thanks Thomas Calderon).
* Add function to initialize Diffie-Hellman and elliptic curve parameters
  (thanks Thomas Calderon and Edwin Török).
* Add set_client_SNI_hostname to specify client-side SNI hostname (thanks
  Mauricio Fernandez).
* Fix double leave of blocking section in ocaml_ssl_accept (thanks Edwin Török).
* Check for errors in SSL_connect/SSL_accept (thanks Jérôme Vouillon).
* Clear the error queue before calling SSL_read and similar functions;
  SSL_get_error does not work reliably otherwise (thanks Jérôme Vouillon).
* Allow static linking on Mingw64 (thanks schadinger).
2014-10-09 21:06:57 +00:00
jaapb
1e2c6eff15 Revbump for ocaml 4.02.0.
(Some packages omitted because they will be updated to new versions)
2014-10-09 19:14:03 +00:00
wiz
cda18437be Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles. 2014-10-09 14:05:50 +00:00
wiz
e8647fedbb Remove SVR4_PKGNAME, per discussion on tech-pkg. 2014-10-09 13:44:32 +00:00
taca
cca9af1e2d Add fix for CVE-2014-2653 from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.

Bump PKGREVISION.
2014-10-08 15:50:22 +00:00
adam
243c29c4cc Revbump after updating libwebp and icu 2014-10-07 16:47:10 +00:00
wiz
b6f4dd15f4 Update to 0.6:
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~

* Added
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
  ease loading private keys, and
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
  support loading public keys.
* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
  the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
  constructor. The ``salt_length`` should be passed to
  :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
* Fix compilation on OS X Yosemite.
* Deprecated ``elliptic_curve_private_key_from_numbers`` and
  ``elliptic_curve_public_key_from_numbers`` in favor of
  ``load_elliptic_curve_private_numbers`` and
  ``load_elliptic_curve_public_numbers`` on
  :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added
  :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKeyWithNumbers`
  and
  :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKeyWithNumbers`
  support.
* Work around three GCM related bugs in CommonCrypto and OpenSSL.

  * On the CommonCrypto backend adding AAD but not subsequently calling update
    would return null tag bytes.

  * On the CommonCrypto backend a call to update without an empty add AAD call
    would return null ciphertext bytes.

  * On the OpenSSL backend with certain versions adding AAD only would give
    invalid tag bytes.

* Support loading EC private keys from PEM.
2014-10-05 14:53:10 +00:00
wiz
cb128bb1e5 Update to 1.0.0, from maintainer csosstudy in PR 49251.
While here, add rpath to pkgconfig file.

* Version 1.0.0
 - The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
 - crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
 - The test suite has been extended.

* Version 0.7.1 (1.0 RC2)
 - This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.

* Version 0.7.0 (1.0 RC1)
 - Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
 - ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
 - The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
 - aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
 - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
 - The compatibility layer for implementation-specific functions was
removed.
 - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
 - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()

* Version 0.6.1
 - Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
 - New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
 - New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
 - All the symbols are now exported by the Emscripten build script.
 - The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.

* Version 0.6.0
 - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
 - The ChaCha20Poly1305 AEAD construction has been implemented, as
crypto_aead_chacha20poly1305_*
 - The _easy API does not require any heap allocations any more and
does not have any overhead over the NaCl API. With the password
hashing function being an obvious exception, the library doesn't
allocate and will not allocate heap memory ever.
 - crypto_box and crypto_secretbox have a new _detached API to store
the authentication tag and the encrypted message separately.
 - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
crypto_pwhash_scryptsalsa208sha256*().
 - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
allows setting individual parameters of the scrypt function.
 - New macros and functions for recommended crypto_pwhash_* parameters
have been added.
 - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
has been introduced to deterministically generate a key pair from a seed.
 - crypto_onetimeauth() now provides a streaming interface.
 - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
have been added to use a non-zero initial block counter.
 - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
doesn't require the Crypt API.
 - The high bit in curve25519 is masked instead of processing the key as
a 256-bit value.
 - The curve25519 ref implementation was replaced by the latest ref10
implementation from Supercop.
 - sodium_mlock() now prevents memory from being included in coredumps
on Linux 3.4+

* Version 0.5.0
 - sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
 - High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the specific memory layout regular functions depend on.
 - crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
 - Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
 - New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
 - The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
 - sodium_hex2bin() has been added to complement sodium_bin2hex().
 - On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
 - crypto_auth_hmac_sha512() has been implemented.
 - sha256 and sha512 now have a streaming interface.
 - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
 - crypto_verify_64() has been implemented.
 - first-class Visual Studio build system, thanks to @evoskuil
 - CPU features are now detected at runtime.
2014-10-04 12:59:02 +00:00
wiz
af2c45de2a Add -DUSE_STRERROR to BSD case.
From David Shao in PR 49250 for DragonFly BSD. Also tested on NetBSD-7.99.1.
2014-10-01 22:58:17 +00:00
gdt
0989c0c515 pcsc-lite-1.8.12: Ludovic Rousseau
24 September 2014
- make hotplug using libudev (default) more robust
- add ReiserFS file system support (for configuration files)
- add musl libC support (increase the thread stack)
- Some other minor improvements and bug corrections
2014-10-01 16:27:03 +00:00
gdt
1e925dac41 1.4.18 - 13 September 2014, Ludovic Rousseau
- Add support of
      . Cherry Cherry TC 1100
      . Cherry Smart Card Reader USB
      . Cherry Smartcard Keyboard G87-1xx44
      . FujitsuTechnologySolutions GmbH Keyboard KB SCR2
      . Lenovo Lenovo USB Smartcard Keyboard
      . Yubico Yubikey NEO OTP+U2F+CCID
      . Yubico Yubikey NEO U2F+CCID
      . eID_R6 001 X8
    - fix support of Omnikey CardMan 3121
    - reduce memory consumed when configured with --enable-embedded
    - prepare the port to UEFI

http://ludovicrousseau.blogspot.fr/2014/09/new-version-of-libccid-1418.html
2014-10-01 16:24:57 +00:00
fhajny
032befbb8e Add security/php-ssh2 2014-10-01 12:14:02 +00:00
fhajny
55f1efdebe Import security/php-ssh2 (based on wip/php-ssh2).
Provides bindings to the functions of libssh2 which implements
the SSH2 protocol.
2014-10-01 12:13:23 +00:00
wiz
f2fc5e9e0c Update to 1.16:
Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2]
-----------------------------------------------

 * Support building for iOS.

 * Fixed a prototype mismatch.

 * Fix es_fclose for streams opened with "samethread".
2014-10-01 11:54:52 +00:00
pettai
c9b493bfbd Version 1.0.4k (released 2014-09-18)
* yhsm-db-import, yhsm-db-export: Fix syntax error.

Version 1.0.4j (released 2014-09-16)

* yhsm-yubikey-ksm: Fix syntax error.

Version 1.0.4i (released 2014-09-16)

* yhsm-yubikey-ksm: Add --daemon.
* yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.
* yhsm-db-import, yhsm-db-export: New tools to do database import/export.
* Documentation cleanup.
2014-09-27 20:22:01 +00:00
pettai
f613eee8da Version 1.12 (released 2014-06-11)
* Rewrote man pages using Asciidoc.
2014-09-27 20:17:17 +00:00
pettai
aadd43ba26 Version 2.12 (released 2013-10-18)
* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
  Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
  Uses a more reasonable/extensible URL string syntax.  The old
  ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.
2014-09-27 19:56:31 +00:00
pettai
f95403a118 Version 1.15.3 (released 2014-09-04)
* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.

Version 1.15.2 (released 2014-07-30)

* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doing NDEF writes.
2014-09-27 19:46:51 +00:00
pettai
e092a16ae0 OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
  errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
  signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
  given an expression.

Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
  can't be written zone is still added to database, solved it by checking the
  zonelist.xml.backup is writable before adding zones, and add error message
  when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
  the first time due to RFC 1982 serial arithmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by adding
  ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
  when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed
  from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
2014-09-27 19:41:06 +00:00
jperkin
e50f5b7803 Use tr to handle differences between unzip implementations. 2014-09-27 10:11:20 +00:00
mspo
023dacb349 switch dep to shells/bash instead of explicit bash2; in response to shellshock 2014-09-27 01:34:58 +00:00
jperkin
6d7ac38577 Requires OpenSSL and BerkeleyDB. 2014-09-25 19:27:18 +00:00
jperkin
722dd8cc5e Requires OpenSSL. 2014-09-25 19:18:01 +00:00
jperkin
09017913a1 Pass correct location to OpenSSL. 2014-09-25 19:15:27 +00:00
jperkin
c387062dec Pass correct location of OpenSSL. 2014-09-25 19:13:23 +00:00
jperkin
365067f066 Requires USE_TOOLS+=flex. 2014-09-25 19:12:03 +00:00
jperkin
56d6f6bf37 Pass correct location to OpenSSL. 2014-09-25 19:09:26 +00:00
jperkin
6e4bd99dcd Requires OpenSSL. 2014-09-25 18:46:06 +00:00
jperkin
272f531956 Fix broken patch files. 2014-09-24 12:33:44 +00:00
joerg
34f706b81a Sync PLIST with reality adding various man pages. Bump revision. 2014-09-23 19:39:50 +00:00
joerg
13511a661f Don't forcefully build only a static library. Bump revision. 2014-09-23 15:11:54 +00:00
fhajny
63b98807e5 Provide a catman page where mdoc pages are not supported. PKGREVISION++ 2014-09-23 14:26:35 +00:00
joerg
1b8d2cede6 Clean up RCS IDs in patches and PLIST to avoid permanent rebuilds. 2014-09-22 11:55:37 +00:00
brook
f6a1f767e0 Move math/R-digest to security/R-digest and fix dependencies.
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@.  See the thread starting with:

  http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
2014-09-20 03:34:56 +00:00
brook
5e0d11669b Initial import of digest v0.6.4 as security/R-digest.
The digest package provides a function 'digest()' for the creation of
hash digests of arbitrary R objects (using the md5, sha-1, sha-256 and
crc32 algorithms) permitting easy comparison of R language objects, as
well as a function 'hmac()' to create hash-based message
authentication code.

Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@.  See the thread starting with:

  http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
2014-09-20 03:28:30 +00:00
wiz
40b89d5c7c Remove patch-ac which was removed from distinfo during 1.8.0 update. 2014-09-19 05:45:51 +00:00
tron
55e2f702ba Add patch from GIT repository to fix build under Mac OS X. 2014-09-16 23:17:48 +00:00
khorben
48e95682ac Updated security/ssdeep to version 2.11
Quoted from http://jessekornblum.livejournal.com/295883.html:

  This is an important update, which corrects a bug in the signature
  generation code. Any ssdeep hashes created with version 2.10 should be
  recomputed. The signatures are not wrong per se though, they are just not
  as good as they should be.
2014-09-16 18:45:10 +00:00
jperkin
365e111be0 Fix PLIST for SunOS/x86_64 2014-09-16 08:47:11 +00:00
wiz
d49443b9ce Update to 1.15:
Noteworthy changes in version 1.15 (2014-09-11) [C12/A12/R1]
-----------------------------------------------

 * This release fixes problems with the use of off_t and ssize_t by
   the estream functions introduced with 1.14.  Although this is
   technically an ABI break on some platforms, we take this as a
   simple bug fix for 1.14.  The new functions are very unlikely in
   use by any code and thus no breakage should happen.  The 1.14
   tarball will be removed from the archive.

 * Add type gpgrt_off_t which is guaranteed to be 64 bit.

 * Add type gpgrt_ssize_t to make use on Windows easier.  On Unix
   platforms this is an alias for ssize_t.


Noteworthy changes in version 1.14 (2014-09-08) [C12/A12/R0]
-----------------------------------------------

 * Added gpgrt_lock_trylock.

 * Added the estream library under the name gpgrt and a set of macros
   to use them with their "es_" names.

 * Interface changes relative to the 1.13 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_KEY_DISABLED         NEW.
 gpgrt_init                   NEW macro.
 gpgrt_check_version          NEW.
 gpgrt_lock_trylock           NEW.
 gpgrt_set_syscall_clamp      NEW.
 gpgrt_set_alloc_func         NEW.
 gpgrt_stream_t               NEW.
 gpgrt_cookie_io_functions_t  NEW.
 gpgrt_syshd_t                NEW.
 GPGRT_SYSHD_NONE             NEW.
 GPGRT_SYSHD_FD               NEW.
 GPGRT_SYSHD_SOCK             NEW.
 GPGRT_SYSHD_RVID             NEW.
 GPGRT_SYSHD_HANDLE           NEW.
 gpgrt_stdin                  NEW macro.
 gpgrt_stdout                 NEW macro.
 gpgrt_stderr                 NEW macro.
 gpgrt_fopen                  NEW.
 gpgrt_mopen                  NEW.
 gpgrt_fopenmem               NEW.
 gpgrt_fopenmem_init          NEW.
 gpgrt_fdopen                 NEW.
 gpgrt_fdopen_nc              NEW.
 gpgrt_sysopen                NEW.
 gpgrt_sysopen_nc             NEW.
 gpgrt_fpopen                 NEW.
 gpgrt_fpopen_nc              NEW.
 gpgrt_freopen                NEW.
 gpgrt_fopencookie            NEW.
 gpgrt_fclose                 NEW.
 gpgrt_fclose_snatch          NEW.
 gpgrt_onclose                NEW.
 gpgrt_fileno                 NEW.
 gpgrt_fileno_unlocked        NEW.
 gpgrt_syshd                  NEW.
 gpgrt_syshd_unlocked         NEW.
 gpgrt_flockfile              NEW.
 gpgrt_ftrylockfile           NEW.
 gpgrt_funlockfile            NEW.
 gpgrt_feof                   NEW.
 gpgrt_feof_unlocked          NEW.
 gpgrt_ferror                 NEW.
 gpgrt_ferror_unlocked        NEW.
 gpgrt_clearerr               NEW.
 gpgrt_clearerr_unlocked      NEW.
 gpgrt_fflush                 NEW.
 gpgrt_fseek                  NEW.
 gpgrt_fseeko                 NEW.
 gpgrt_ftell                  NEW.
 gpgrt_ftello                 NEW.
 gpgrt_rewind                 NEW.
 gpgrt_getc                   NEW macro.
 gpgrt_getc_unlocked          NEW macro.
 gpgrt_fgetc                  NEW.
 gpgrt_fputc                  NEW.
 gpgrt_ungetc                 NEW.
 gpgrt_read                   NEW.
 gpgrt_write                  NEW.
 gpgrt_write_sanitized        NEW.
 gpgrt_write_hexstring        NEW.
 gpgrt_fread                  NEW.
 gpgrt_fwrite                 NEW.
 gpgrt_fgets                  NEW.
 gpgrt_putc                   NEW macro.
 gpgrt_putc_unlocked          NEW macro.
 gpgrt_fputs                  NEW.
 gpgrt_fputs_unlocked         NEW.
 gpgrt_getline                NEW.
 gpgrt_read_line              NEW.
 gpgrt_free                   NEW.
 gpgrt_fprintf                NEW.
 gpgrt_fprintf_unlocked       NEW.
 gpgrt_printf                 NEW.
 gpgrt_printf_unlocked        NEW.
 gpgrt_vfprintf               NEW.
 gpgrt_vfprintf_unlocked      NEW.
 gpgrt_setvbuf                NEW.
 gpgrt_setbuf                 NEW.
 gpgrt_set_binary             NEW.
 gpgrt_tmpfile                NEW.
 gpgrt_opaque_set             NEW.
 gpgrt_opaque_get             NEW.
 gpgrt_fname_set              NEW.
 gpgrt_fname_get              NEW.
 gpgrt_asprintf               NEW.
 gpgrt_vasprintf              NEW.
 gpgrt_bsprintf               NEW.
 gpgrt_vbsprintf              NEW.
 gpgrt_snprintf               NEW.
 gpgrt_vsnprintf              NEW.
2014-09-14 16:45:54 +00:00
wiz
bfb7008cfb Update to 1.998:
1.998 2014/09/07
- make client authentication work at the server side when SNI is in use by
  having CA path and other settings in all SSL contexts instead of only the main
  one.  Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com,
  https://github.com/noxxi/p5-io-socket-ssl/pull/15
2014-09-14 13:42:33 +00:00
shattered
1125a72e34 Update to 1.8.0 (2013). Notable changes:
* Relaxed the license for many source files to cut-down BSD.
* Relaxed the license for John the Ripper as a whole from GPLv2 (exact
version) to GPLv2 or newer with optional OpenSSL and unRAR exceptions.

* Enhanced the support for DES-based tripcodes by making use of the
bitslice DES implementation and supporting OpenMP parallelization.

* Implemented bitmaps for fast initial comparison of computed hashes
against those loaded for cracking.
This provides a substantial performance improvement when cracking large
numbers of fast hashes.

* With 32-bit x86 builds and at least MMX enabled, the "two hashes at a
time" code for bcrypt is now enabled for GCC 4.2 and newer.
This is faster bcrypt cracking on some old and new computers running
32-bit operating systems or VMs for whatever reason.

* Revised the incremental mode to let the current character counts grow
for each character position independently, with the aim to improve
efficiency in terms of successful guesses per candidate passwords tested.

* Revised the pre-defined incremental modes, as well as external mode
filters that are used to generate .chr files.
* Added makechr, a script to (re-)generate .chr files.

* Enhanced the status reporting to include four distinct speed metrics
(g/s, p/s, c/s, and C/s).

* Added the "--fork=N" and "--node=MIN[-MAX]/TOTAL" options for trivial
parallel and distributed processing.
2014-09-14 13:20:08 +00:00
asau
aec61ba5da Add rc.subr control script. 2014-09-11 16:11:46 +00:00
wiedi
0a83eef6c9 Update spiped to 1.4.1
spiped-1.4.1
* Fix build on OS X, and improve strict POSIX compliance.
* Improved zeroing of sensitive cryptographic data.
spiped-1.4.0
* Add automatic detection of compiler support (at compile-time) and CPU
  support (at run-time) for x86 "AES New Instructions"; and when available,
  use these to improve cryptographic performance.
* Add support for -g option, which makes {spiped, spipe} require perfect
  forward secrecy by dropping connections if the peer endpoint is detected to
  be running using the -f option.
2014-09-08 22:43:08 +00:00
wiz
8f7c75985d Bump PKGREVISION for netpbm update.
Add some build fixes where necessary.
2014-09-08 21:24:44 +00:00
wiz
9f67526db3 DEPEND on netpbm instead of including its buildlink3.mk file, if you're
not linking against it.
Bump PKGREVISION for packages that (might be|are) changed.
2014-09-08 20:40:29 +00:00
jperkin
49be75466b Explicitly pass --cpu=amd64 for MACHINE_ARCH=x86_64, fixes build on SunOS. 2014-09-08 09:12:50 +00:00
wiz
05d3bcd5c1 Update to 0.50:
0.50 - 2014-03-14
 - Version 0.49 implicitly required Moose; switch to a technique that
   does not
 - Modernize CHANGES

0.49 - 2014-03-13
 - Restore context-sensitive (array/arrayref) behavior of multiple array
   methods from 0.46.
 - Fix MANIFEST/.gitignore inconsistency

0.48 - 2014-03-10
 - Switch from --always-trust to --trust-model=always

0.47 - 2014-03-10
 - No changes from 0.47_02

0.47_02 - 2014-02-14
 - Remove a stray 'use Data::Dumper::Concise' added in 0.47_01

0.47_01 - 2014-01-27
 - Switch from Any::Moose to Moo
 - Accept "gpg (GnuPG/MacGPG2)" as a valid gpg version
 - Typo fixes in documentation
2014-09-06 14:24:04 +00:00
wiz
013038f978 Update to 1.997:
1.997 2014/07/12
- thanks to return code 1 from Net::SSLeay::library_init if the library needed
  initialization and 0 if not we can now clearly distinguish if initialization
  was needed and do not need any work-arounds for perlcc by the user.
1.996 2014/07/12
- move initialization of OpenSSL-internals out of INIT again because this
  breaks if module is used with require. Since there is no right place to
  work in all circumstances just document the work-arounds needed for
  perlcc. RT#97166
1.995 2014/07/11
- RT#95452 - move initialization and creation of OpenSSL-internals into INIT
  section, so they get executed after compilation and perlcc is happy.
- refresh option for peer_certificate, so that it checks if the certificate
  changed in the mean time (on renegotiation)
- fix fingerprint checking - now applies only to topmost certificate
- IO::Socket::SSL::Utils - accept extensions within CERT_create
- documentation fixes thanks to frioux
- fix documentation bug RT#96765, thanks to Salvatore Bonaccorso.
1.994 2014/06/22
- IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade
  to SSL and downgrade again all with the same object. See documentation of
  SSL_startHandshake and chapter Advanced Usage.
- try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
  fails. This is needed if one wants to explicitly verify OCSP lookups even if
  verification is otherwise off, because otherwise the signature check would
  fail. This is mostly useful for testing.
- reorder documentation of attributes for new, so that the more important ones
  are at the top.
1.993 2014/06/13
- major rewrite of documentation, now in separate file
- rework error handling to distinguish between SSL errors and internal errors
  (like missing capabilities).
- fix handling of default_ca if given during the run of the program (Debian#750646)
- util/analyze-ssl.pl - fix hostname check if SNI does not work
2014-09-06 12:16:28 +00:00
wiz
e84ca8712b Update to 1.66:
1.66 2014-08-21
     Fixed compile problem with perl prior to 5.8.8, similar to
     RT#76267. Reported by Graham Knop.
     Fixed a problem with Socket::IPPROTO_TCP on early perls.
     After discussions with the community and the original author Sampo
     Kellomaki, the license conditions have been changed to "Perl Artistic
     License 2.0".


1.65  2014-07-14
     Added note to doc to make it clear that X509_get_subjectAltNames returns a
     packed binary IP address for type 7 - GEN_IPADD.
     Improvements to SSL_OCSP_response_verify to compile under non c99
     compilers. Requested by MERIJNB.
     Port to Android, contributed by Brian Fraser. Includes Android specific
     version of RSA_generate_key.
     Added LibreSSL support, patch provided by Alexander Bluhm. Thanks!
     Patch that fixes the support for SSL_set_info_callback and adds
     SSL_CTX_set_info_callback and SSL_set_state. Support for these functions is
     necessary to either detect renegotiation or to enforce
     renegotiation. Contributed by Steffen Ullrich. Thanks!
     Fixed a problem with SSL_set_state not available on some early OpenSSLs,
     patched by Steffen Ullrich. Thanks!
     Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and
     http_cat().
     Removed unnecessary Debian_SPANTS.txt from MANIFEST. Again.

1.64 2014-06-11
     Fixes for test ocsp.t. Test now does not fail if HTTP::Tiny is not
     installed.
     Fixed repository in META.yml.
     Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake
     results in an anonymous authentication, like ADH-DES-CBC3-SHA,
     get_peer_cert_chain will not return an empty list, but instead return the
     SSL object. Reported and fixed by Steffen
     Ullrich. Thanks.
     Fixed a problem where patch
     https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431
     caused a failed test in t/local/33_x509_create_cert.t.
2014-09-06 12:07:20 +00:00
wiz
8fb0245862 Improve detection of untrusted certificates. From John D. Baker
in PR 49176. Bump PKGREVISION.
2014-09-06 08:03:00 +00:00
markd
5b4472b521 Update to 0.28
0.28 2013-11-21
  - Removed silly micro-optimization that was responsible for generating a
    warning in Perl versions prior to 5.18.

0.27 2013-10-06
  - Merged pull request from David Steinbrunner: specifying meta-spec
    so metadata can be seen/used.
  - Fixed t/05-kwalitee.t to work with latest revisions on Test::Kwalitee.
2014-09-04 21:51:53 +00:00
wiz
3e94a179f5 Update to 1.5.1:
Noteworthy changes in version 1.5.1 (2014-07-30) [C24/A13/R0]
-------------------------------------------------------------

 * Fixed possible overflow in gpgsm and uiserver engines.
   [CVE-2014-3564]

 * Added support for GnuPG 2.1's --with-secret option.

 * Interface changes relative to the 1.5.0 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPGME_KEYLIST_MODE_WITH_SECRET NEW.


Noteworthy changes in version 1.5.0 (2014-05-21) [C23/A12/R0]
-------------------------------------------------------------

 * On Unices the engine file names are not anymore hardwired but
   located via the envvar PATH.  All options to set the name of the
   engines for the configure run are removed.

 * If GPGME finds the gpgconf binary it defaults to using gpg2 or
   whatever gpgconf tells as name for the OpenPGP engine.  If gpgconf
   is not found, GPGME looks for an engine named "gpg".

 * New feature to use the gpgme I/O subsystem to run arbitrary
   commands.

 * New flag to use encryption without the default compression step.

 * New function to access "gpg-conf --list-dirs"

 * New configure option --enable-fixed-path for use by Android.

 * Support ECC algorithms.

 * Interface changes relative to the 1.4.3 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_get_dirinfo              NEW.
 gpgme_op_spawn_start           NEW.
 gpgme_op_spawn                 NEW.
 GPGME_PROTOCOL_SPAWN           NEW.
 GPGME_SPAWN_DETACHED           NEW.
 GPGME_SPAWN_ALLOW_SET_FG       NEW.
 GPGME_ENCRYPT_NO_COMPRESS      NEW.
 GPGME_PK_ECC                   NEW.
 GPGME_MD_SHA224                NEW.
 gpgme_subkey_t                 EXTENDED: New field curve.
 GPGME_STATUS_PLAINTEXT_LENGTH  NEW.
 GPGME_STATUS_MOUNTPOINT        NEW.
 GPGME_STATUS_PINENTRY_LAUNCHED NEW.
 GPGME_STATUS_ATTRIBUTE         NEW.
 GPGME_STATUS_BEGIN_SIGNING     NEW.
 GPGME_STATUS_KEY_NOT_CREATED   NEW.
2014-09-04 08:25:55 +00:00
wiz
1d487030c0 Update to 1.1.9:
Diff looks like perl style cleanups.
2014-08-31 21:40:54 +00:00
gdt
19d9d51ddc Note that this is obsolete, and point to pcsc-lite. 2014-08-30 14:12:43 +00:00
adam
fffb833e10 Changes 3.2.17:
** libgnutls: initialize parameters variable on PKCS 8 decryption.
** libgnutls: Explicitly set the exponent in PKCS 11 key generation.
That improves compatibility with certain PKCS 11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: when checking the hostname of a certificate with multiple CNs
ensure that the "most specific" CN is being used.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** API and ABI modifications:
No changes since last version.
2014-08-30 12:45:11 +00:00
wiz
b6d4905b46 Remove ten year old patch for Solaris 9/sparc/gcc that was never fed
upstream. If this patch is still necessary for you, please discuss
at https://bugs.g10code.com/gnupg/issue1703

Bump PKGREVISION.
2014-08-29 14:22:59 +00:00
szptvlfn
9da944d0cd make it clear what package depend on
discussed with wiz@.
2014-08-29 14:08:38 +00:00
richard
e782488d6e reinstate patch-configure as upstream patch not yet in [1.6.2] release.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=43376891c01f4aff1fbfb23beafebb5adfd0868c
revbump to pick it up.
2014-08-29 10:29:14 +00:00
tez
cc60b78017 Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341)
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
2014-08-28 22:23:05 +00:00
jperkin
f8e8e664c9 Explicitly disable SSSE3 support on SunOS, it doesn't build. 2014-08-28 13:38:29 +00:00
wiz
aa4f49bf6c Add missing dependency on p5-Clone. Bump PKGREVISION. 2014-08-28 08:47:52 +00:00
joerg
bceed63ce7 Recent qmake changes result in installation of additional tool.
Bump revision.
2014-08-26 20:59:40 +00:00
wiz
96f78a689a Update to 0.5.4:
0.5.4 - 2014-08-20
~~~~~~~~~~~~~~~~~~

* Added several functions to the OpenSSL bindings to support new
  functionality in pyOpenSSL.
* Fixed a redefined constant causing compilation failure with Solaris 11.2.
2014-08-25 18:37:18 +00:00
mlelstv
6c6af783d9 Update certs to more recent version. The License changed to MPL 2.0. 2014-08-25 08:34:44 +00:00
wiz
ae075e6d55 Bump PKGREVISION for ilmbase shlib major bump. 2014-08-22 11:24:25 +00:00
wiz
2e9add9638 Remove patch that was already included upstream.
See
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=43376891c01f4aff1fbfb23beafebb5adfd0868c
2014-08-21 21:04:15 +00:00
wiz
39c466ebee Update to 1.4.4. Remove obsolete configure args.
Noteworthy changes in version 1.4.4 (2014-07-30) [C22/A11/R1]
-------------------------------------------------------------

 Backported from 1.5.1:

 * Fixed possible overflow in gpgsm and uiserver engines.
   [CVE-2014-3564]

 * Fixed possible segv in gpgme_op_card_edit.

 * Fixed minor memleaks and possible zombie processes.

 * Fixed prototype inconsistencies and void pointer arithmetic.


Noteworthy changes in version 1.4.3 (2013-08-12) [C22/A11/R0]
-------------------------------------------------------------

 * The default engine names are now taken from the output of gpgconf.
   If gpgconf is not found the use of gpg 1 is assumed.

 * Under Windows the default engines names are first searched in the
   installation directory of the gpgme DLL.

 * New function gpgme_data_identify to detect the type of a message.

 * Interface changes relative to the 1.4.2 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_signers_count            NEW.
 gpgme_data_type_t              NEW.
 gpgme_data_identify            NEW.


Noteworthy changes in version 1.4.2 (2013-05-28)
------------------------------------------------

 * Allow symmetric encryption with gpgme_op_encrypt_sign.

 * Fixed mismatching off_t definitions on Windows.

 * Interface changes relative to the 1.4.1 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_off_t                    NEW.
 gpgme_size_t                   NEW.
 GPGME_PROTOCOL_OPENPGP         NEW alias.
2014-08-21 20:40:58 +00:00
wiz
bde0ebf513 Add comments and upstream bug report URLs to patches. 2014-08-21 19:55:26 +00:00
wiz
dddade98c2 Update HOMEPAGE. 2014-08-21 19:55:08 +00:00
wiz
421719951a Update to 1.6.2. Add a comment to patch.
Noteworthy changes in version 1.6.2 (2014-08-21) [C20/A0/R2]
------------------------------------------------

 * Map deprecated RSA algo number to the RSA algo number for better
   backward compatibility.

 * Support a 0x40 compression prefix for EdDSA.

 * Improve ARM hardware feature detection and building.

 * Fix powerpc-apple-darwin detection

 * Fix building for the x32 ABI platform.

 * Support building using the latest mingw-w64 toolchain.

 * Fix some possible NULL deref bugs.
2014-08-21 19:41:38 +00:00
jperkin
9ff1af0fa3 Fix build on SunOS (needs explicit -lnsl -lresolv). 2014-08-21 16:26:20 +00:00
wiz
40fcfa905a Fix typo in previous. From PR 49131. 2014-08-21 15:48:52 +00:00
wiz
8465272e00 On AIX, openssl ignores $CC & defaults to using the aix-cc profile
& building with /usr/vac/bin/cc, add the necessary checks to Makefile
to use the correct profile depending on what CC/ABI is set to.

Patch from Sevan Janiyan in PR 49131, but moved a few lines to not
affect Darwin.
2014-08-21 08:02:56 +00:00
dbj
6930f98ad9 work around problematic sed/make quoting interaction 2014-08-21 04:47:29 +00:00
wiedi
d156c4bc92 change smf manifest to use startd/duration child, this prevents useless creation of pid files 2014-08-18 22:19:15 +00:00
szptvlfn
700b5a4364 + hs-digest 2014-08-18 21:20:08 +00:00
szptvlfn
4a2edc5ddf Import digest-0.0.1.2 as security/hs-digest,
packaged for wip by zecrazytux.

Haskell package providing efficient cryptographic hash implementations
for strict and lazy bytestrings.
For now, CRC32 and Adler32 are supported; they are
implemented as FFI bindings to efficient code from zlib.
2014-08-18 21:18:48 +00:00
wiz
4a13c1636c Update to 2.0.26:
Noteworthy changes in version 2.0.26 (2014-08-12)
-------------------------------------------------

 * gpg: Fix a regression in 2.0.24 if a subkey id is given
   to --recv-keys et al.

 * gpg: Cap attribute packets at 16MB.

 * gpgsm: Auto-create the ".gnupg" home directory in the same
   way gpg does.

 * scdaemon: Allow for certificates > 1024 when using PC/SC.
2014-08-16 12:14:28 +00:00
wiz
14978c911c gsed needed on OS X. Dependency small enough, add it to TOOLS.
PR 49111 by Youri Mouton.
2014-08-13 13:19:14 +00:00
adam
72ed0307eb Revbump after boost-libs update 2014-08-13 10:57:32 +00:00
schmonz
27d556302e Add and enable nacl. 2014-08-12 05:01:14 +00:00
schmonz
60347b6f73 Initial import of NaCl.
NaCl (pronounced "salt") is a new easy-to-use high-speed software
library for network communication, encryption, decryption, signatures,
etc. NaCl's goal is to provide all of the core operations needed
to build higher-level cryptographic tools.

Of course, other libraries already exist for these core operations.
NaCl advances the state of the art by improving security, by improving
usability, and by improving speed.
2014-08-12 05:00:34 +00:00
wiz
41c6d74597 Update to 5.03:
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1i.
    See https://www.openssl.org/news/secadv_20140806.txt
* New features
  - FIPS autoconfiguration cleanup.
  - FIPS canister updated to version 2.0.6.
  - Improved SNI diagnostic logging.
* Bugfixes
  - Compilation fixes for old versions of OpenSSL.
  - Fixed whitespace handling in the stunnel.init script.

Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1h.
    See https://www.openssl.org/news/secadv_20140605.txt
* New features
  - Major rewrite of the protocol.c interface: it is now possible to add
    protocol negotiations at multiple connection phases, protocols can
    individually decide whether the remote connection will be
    established before or after SSL/TLS is negotiated.
  - Heap memory blocks are wiped before release.  This only works for
    block allocated by stunnel, and not by OpenSSL or other libraries.
  - The safe_memcmp() function implemented with execution time not
    dependent on the compared data.
  - Updated the stunnel.conf and stunnel.init templates.
  - Added a client-mode example to the manual.
* Bugfixes
  - Fixed "failover = rr" broken since version 5.00.
  - Fixed "taskbar = no" broken since version 5.00.
  - Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
2014-08-10 14:54:12 +00:00
wiz
86a73bde4f Update to 0.5.3:
0.5.3 - 2014-08-06
~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.1i.
2014-08-10 14:42:25 +00:00
wiz
f78434a2b8 Use 'mkdir -p' in case ${PREFIX}/etc doesn't exist yet. 2014-08-10 10:47:42 +00:00
tron
306456d39c Fix build under Mac OS X. 2014-08-10 09:06:48 +00:00
obache
c62adf2f13 Update openssl to 1.0.1i.
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

  *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
     SRP code can overrun an internal buffer. Add sanity check that
     g, A, B < N to SRP code.

     Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
     Group for discovering this issue.
     (CVE-2014-3512)
     [Steve Henson]

  *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
     TLS 1.0 instead of higher protocol versions when the ClientHello message
     is badly fragmented. This allows a man-in-the-middle attacker to force a
     downgrade to TLS 1.0 even if both the server and the client support a
     higher protocol version, by modifying the client's TLS records.

     Thanks to David Benjamin and Adam Langley (Google) for discovering and
     researching this issue.
     (CVE-2014-3511)
     [David Benjamin]

  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
     to a denial of service attack. A malicious server can crash the client
     with a null pointer dereference (read) by specifying an anonymous (EC)DH
     ciphersuite and sending carefully crafted handshake messages.

     Thanks to Felix Gröbert (Google) for discovering and researching this
     issue.
     (CVE-2014-3510)
     [Emilia Käsper]

  *) By sending carefully crafted DTLS packets an attacker could cause openssl
     to leak memory. This can be exploited through a Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3507)
     [Adam Langley]

  *) An attacker can force openssl to consume large amounts of memory whilst
     processing DTLS handshake messages. This can be exploited through a
     Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3506)
     [Adam Langley]

  *) An attacker can force an error condition which causes openssl to crash
     whilst processing DTLS packets due to memory being freed twice. This
     can be exploited through a Denial of Service attack.
     Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
     this issue.
     (CVE-2014-3505)
     [Adam Langley]

  *) If a multithreaded client connects to a malicious server using a resumed
     session and the server sends an ec point format extension it could write
     up to 255 bytes to freed memory.

     Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
     issue.
     (CVE-2014-3509)
     [Gabor Tyukasz]

  *) A malicious server can crash an OpenSSL client with a null pointer
     dereference (read) by specifying an SRP ciphersuite even though it was not
     properly negotiated with the client. This can be exploited through a
     Denial of Service attack.

     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
     discovering and researching this issue.
     (CVE-2014-5139)
     [Steve Henson]

  *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
     X509_name_oneline, X509_name_print_ex et al. to leak some information
     from the stack. Applications may be affected if they echo pretty printing
     output to the attacker.

     Thanks to Ivan Fratric (Google) for discovering this issue.
     (CVE-2014-3508)
     [Emilia Käsper, and Steve Henson]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]
2014-08-07 01:29:45 +00:00
obache
85e8b5e02a netbsd-desktop@ is a retired list. 2014-08-06 12:21:02 +00:00
khorben
a10d76bf77 pev 0.60 was re-released with changes to the original archive 2014-08-06 11:07:30 +00:00
wiz
ad606e3f28 Update to 4.0:
---
4.0
---

* Removed ``keyring_path`` parameter from ``load_keyring``. See release notes
  for 3.0.3 for more details.
* Issue #22: Removed support for loading the config from the current
  directory. The config file must now be located in the platform-specific
  config location.
2014-08-05 19:22:42 +00:00
khorben
4bf67ebc1e Added security/pev 2014-08-02 14:12:56 +00:00
khorben
21df93147d Imported security/pev version 0.60 from wip
pev is a PE file analysis toolkit that includes some nice programs to work with
PE files in many systems. It can be useful for programmers, security analysts
and forensic investigators. It's licensed under GPLv3+ terms.
2014-08-02 14:11:08 +00:00
fhajny
bd10651ca6 Add runtime dependency on flex (in bin/compile_et). Bump PKGREVISION. 2014-07-30 11:05:04 +00:00
wiz
46df3236cf Update to 0.5.2:
0.5.2 - 2014-07-09
~~~~~~~~~~~~~~~~~~

* Add
  :class:`~cryptography.hazmat.backends.interfaces.TraditionalOpenSSLSerializationBackend`
  support to :doc:`/hazmat/backends/multibackend`.
* Fix compilation error on OS X 10.8 (Mountain Lion).

0.5.1 - 2014-07-07
~~~~~~~~~~~~~~~~~~

* Add
  :class:`~cryptography.hazmat.backends.interfaces.PKCS8SerializationBackend`
  support to :doc:`/hazmat/backends/multibackend`.

0.5 - 2014-07-07
~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:**
  :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` no longer allows
  truncation of tags by default. Previous versions of ``cryptography`` allowed
  tags to be truncated by default, applications wishing to preserve this
  behavior (not recommended) can pass the ``min_tag_length`` argument.
* Windows builds now statically link OpenSSL by default. When installing a
  wheel on Windows you no longer need to install OpenSSL separately. Windows
  users can switch between static and dynamic linking with an environment
  variable. See :doc:`/installation` for more details.
* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support
  for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and
  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
  :doc:`/hazmat/backends/commoncrypto` and :doc:`/hazmat/backends/openssl`.
* Added ``AES`` :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR`
  support to the OpenSSL backend when linked against 0.9.8.
* Added
  :class:`~cryptography.hazmat.backends.interfaces.PKCS8SerializationBackend`
  and
  :class:`~cryptography.hazmat.backends.interfaces.TraditionalOpenSSLSerializationBackend`
  support to the :doc:`/hazmat/backends/openssl`.
* Added :doc:`/hazmat/primitives/asymmetric/ec` and
  :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.ECB` support
  for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on
  :doc:`/hazmat/backends/commoncrypto` and :doc:`/hazmat/backends/openssl`.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
  in favor of backend specific providers of the
  :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
  in favor of backend specific providers of the
  :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
  in favor of backend specific providers of the
  :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`
  in favor of backend specific providers of the
  :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
  in favor of backend specific providers of the
  :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters` interface.
* Deprecated ``encrypt_rsa``, ``decrypt_rsa``, ``create_rsa_signature_ctx`` and
  ``create_rsa_verification_ctx`` on
  :class:`~cryptography.hazmat.backends.interfaces.RSABackend`.
* Deprecated ``create_dsa_signature_ctx`` and ``create_dsa_verification_ctx``
  on :class:`~cryptography.hazmat.backends.interfaces.DSABackend`.
2014-07-29 11:51:36 +00:00
jperkin
2bb27de2fa Darwin doesn't build sudo_noexec.so, patch from Sevan Janiyan. 2014-07-28 20:07:42 +00:00
fhajny
a5a191ac1c This package is still useful on SunOS, as it provides more functionality
compared to the one shipped with the platform. Enable for SunOS, but disable
the INSTALL/DEINSTALL symlinks. Bump PKGREVISION.
2014-07-28 18:23:39 +00:00
wiz
2324d44072 Fix overlooked option name for previous.
Found by jperkin.
2014-07-28 11:02:11 +00:00
tron
d79b29792b Improve default options for SSHGuard. "-f 100:/var/run/sshd.pid" in
particular affects the detection rate badly.

Bump package revision.
2014-07-27 08:32:06 +00:00
tron
799ebd6a2c Add and enable "sshguard" package. 2014-07-26 19:57:59 +00:00
tron
9e9a7fc8f9 Add new "sshguard" package:
Sshguard is a small program that monitors services running on your
machine from the log files. When it detects that someone is doing
something bad to a service, sshguard blocks the IP address of the bad
guy with a firewall rule.

Sshguard was started in 2006 to mitigate the growing brute force
attacks to SSH servers. Because of the generality of its infrastructure,
however, it was soon extended to monitor and protect more and more services.
2014-07-26 19:57:44 +00:00
jperkin
18b7f8f21e Don't override LDFLAGS, fixes check-shlibs. 2014-07-25 16:21:26 +00:00
jperkin
5890faf951 Make sure RPATH to libcrypto is added, fixes check-shlibs-elf. 2014-07-24 21:21:09 +00:00
hiramatsu
586a3fe5af Update security/p5-String-Random to 0.26.
Changes from previous:
----------------------
0.26   Fri Jan 31 2014
- LICENSE section and file (CPANTS).
- Minimum version of perl in Build.PL / META.yml .

0.25   Fri Dec 27 2013
- Update the link to the version control repository.

0.24   Tue Dec 03 2013
- Add keywords and a link to the repository to Build.PL / META.yml.

0.23   Tue Dec 03 2013
- Add t/style-trailing-space.t .
- Update the POD in lib/String/Random.pm .
- Add t/pod.t .
- Convert Build.PL to Test::Run::Builder.
- Hopefully fix https://rt.cpan.org/Public/Bug/Display.html?id=86894
    - Bug #86894 for String-Random: Spurious warnings
2014-07-23 06:30:48 +00:00
wiz
edbf61ee18 Update to 2.0.25. Rename gpgsm option to gnupg2-gpgsm.
Noteworthy changes in version 2.0.25 (2014-06-30)
-------------------------------------------------

 * gpg: Fix a regression in 2.0.24 if more than one keyid is given
   to --recv-keys et al.

 * gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended
   key generation.

 * gpgsm: Fix a DISPLAY related problem with --export-secret-key-p12.

 * scdaemon: Support reader Gemalto IDBridge CT30.
2014-07-22 11:30:00 +00:00
wiz
7934c72e83 Update to 1.4.18:
Noteworthy changes in version 1.4.18 (2014-06-30)
-------------------------------------------------

 * Fix a regression in 1.4.17 if more than one keyid is given
   to --recv-keys et al.

 * Cap RSA and Elgamal keysize at 4096 bit also for unattended key
   generation.
2014-07-22 11:24:29 +00:00
wiz
a8bf36265a Update to 1.1.8.
New keyart binary (not installed)
documentation improvements.
2014-07-22 11:23:11 +00:00
manu
6b72428f50 Bug fix from upstream so that SAML assertions are correctly read. 2014-07-22 09:47:37 +00:00
schnoebe
24c0e575f3 Update to 1.4.3:
Changelog:
Version 1.4.3 - November 27 2012

libssh2 1.4.3 GPG sig (685712 bytes)

Changes:

    compression: add support for zlib@openssh.com

Bug fixes:

    sftp_read: return error if a too large package arrives
    libssh2_hostkey_hash.3: update the description of return value
    Fixed MSVC NMakefile
    examples: use stderr for messages, stdout for data
    openssl: do not leak memory when handling errors
    improved handling of disabled MD5 algorithm in OpenSSL
    known_hosts: Fail when parsing unknown keys in known_hosts file
    configure: gcrypt doesn't come with pkg-config support
    session_free: wrong variable used for keeping state
    libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL
    comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating

Version 1.4.2 - May 18 2012

libssh2 1.4.2 GPG sig (679992 bytes)

Bug fixes:

    Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner
    userauth.c: fread() from public key file to correctly detect any
errors
    configure.ac: Add option to disable build of the example
applications
    Added 'Requires.private:' line to libssh2.pc
    SFTP: filter off incoming "zombie" responses
    gettimeofday: no need for a replacement under cygwin
    SSH_MSG_CHANNEL_REQUEST: default to want_reply
    win32/libssh2_config.h: Remove hardcoded #define LIBSSH2_HAVE_ZLIB

Version 1.4.1 - April 4 2012

libssh2 1.4.1 GPG sig (658507 bytes)

Bug fixes:

    build error with gcrypt backend
    always do "forced" window updates to avoid corner case stalls
    aes: the init function fails when OpenSSL has AES support
    transport_send: Finish in-progress key exchange before sending data
    channel_write: acknowledge transport errors
    examples/x11.c: Make sure sizeof passed to read operation is correct
    examples/x11.c: Fix suspicious sizeof usage
    sftp_packet_add: verify the packet before accepting it
    SFTP: preserve the original error code more
    sftp_packet_read: adjust window size as necessary
    Use safer snprintf rather than sprintf in several places
    Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET
    sftp_write: cannot return acked data *and* EAGAIN
    sftp_read: avoid data *and* EAGAIN
    libssh2.h: Add missing prototype for libssh2_session_banner_set()

Version 1.4.0 - January 31 2012

libssh2 1.4.0 GPG sig (653514 bytes)

Changes:

    Added libssh2_session_supported_algs()
    Added libssh2_session_banner_get()
    Added libssh2_sftp_get_channel()
    libssh2.h: bump the default window size to 256K

Bug fixes:

    sftp-seek: clear EOF flag
    userauth: Provide more information if ssh pub key extraction fails
    ssh2_exec: skip error outputs for EAGAIN
    LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000
    knownhost_check(): Don't dereference ext if NULL is passed
    knownhost_add: Avoid dereferencing uninitialized memory on error
path
    OpenSSL EVP: fix threaded use of structs
    _libssh2_channel_read: react on errors from receive_window_adjust
    sftp_read: cap the read ahead maximum amount
    _libssh2_channel_read: fix non-blocking window adjusting

Version 1.3.0 - September 6 2011

libssh2 1.3.0 GPG sig (639262 bytes)

Changes:

    Added custom callbacks for performing low level socket I/O

Bug fixes:

    sftp_read: advance offset correctly for buffered copies
    libssh2_sftp_seek64: flush packetlist and buffered data
    _libssh2_packet_add: adjust window size when truncating
    sftp_read: a short read is not end of file

Version 1.2.9 - August 16 2011

libssh2 1.2.9 GPG sig (642150 bytes)

Changes:

    Added libssh2_session_set_timeout() and
libssh2_session_get_timeout() to make blocking calls get a timeout

Bug fixes:

    configure and pkg-config: fix $VERSION
    s/\.NF/.nf/ to fix wrong macro name caught by man --warnings
    keepalive: add first basic man pages
    sftp_write: flush the packetlist on error
    sftp_write: clean offsets on error
    msvcproj: added libs and debug stuff
    SCP: fix incorrect error code
    session_startup: init state properly
    sftp_write_sliding: send the complete file
    userauth_keyboard_interactive: skip code on zero length auth
    _libssh2_wait_socket: fix timeouts for poll() uses
    agent_list_identities: fix out of scope access
    _libssh2_recv(): handle ENOENT error as EAGAIN
    userauth_keyboard_interactive: fix buffer overflow
    removed man pages for non-existing functions!
    gettimeofday: fix name space pollution
    _libssh2_channel_write: handle window_size == 0 better

Version 1.2.8 - April 5 2011

libssh2 1.2.8 GPG sig (637707 bytes)

Changes:

    added libssh2_free, libssh2_channel_get_exit_signal and
libssh2_session_handshake
    SFTP read/write remade and now MUCH faster, especially on high
latency connections
    added new examples: ssh2_echo.c, sftp_append.c and
sftp_write_sliding.c
    userauth: derive publickey from private
    NEWS: now generated from git

Bug fixes:

    Support unlimited number of host names in a single line of the
known_hosts file.
    fix memory leak in userauth_keyboard_interactive()
    fix memory leaks (two times cipher_data) for each sftp session
    session_startup: manage server data before server identification
    SCP: allow file names with bytes > 126
    scp_recv: improved treatment of channel_read() returning zero
    libssh2_userauth_authenticated: make it work as documented
    variable size cleanup: match internal variable sizes better with the
sizes of the fields used on the wire
    channel_request_pty_size: fix reqPTY_state
    sftp_symlink: return error if receive buffer too small
    sftp_readdir: return error if buffer is too small
    libssh2_knownhost_readfile.3: clarify return value
    configure: stop using the deprecated AM_INIT_AUTOMAKE syntax
    Fixed Win32 makefile which was now broken at resource build
    kex_agree_hostkey: fix NULL pointer dereference
    _libssh2_ntohu64: fix conversion from network bytes to uint64
    ssize_t: proper typedef with MSVC compilers
    zlib: Add debug tracing of zlib errors
    decomp: increase decompression buffer sizes

Version 1.2.7 - August 17 2010

libssh2 1.2.7 GPG sig (583105 bytes)

Changes:

    Added Watcom makefile

Bug fixes:

    Better handling of invalid key files
    inputchecks: make lots of API functions check for NULL pointers
    libssh2_session_callback_set: extended the man page
    SFTP: limit write() to not produce overly large packets
    agent: make libssh2_agent_userauth() work blocking properly
    _libssh2_userauth_publickey: reject method names longer than the
data
    channel_free: ignore problems with channel_close()
    typedef: make ssize_t get typedef without LIBSSH2_WIN32
    _libssh2_wait_socket: poll needs milliseconds
    libssh2_wait_socket: reset error code to "leak" EAGAIN less
    Added include for sys/select.h to get fd.set on some platforms
    session_free: free more data to avoid memory leaks
    openssl: make use of the EVP interface
    Fix underscore typo for 64-bit printf format specifiers on Windows
    Make libssh2_debug() create a correctly terminated string
    userauth_hostbased_fromfile: packet length too short
    handshake: Compression enabled at the wrong time
    Don't overflow MD5 server hostkey

Version 1.2.6 - June 10 2010

libssh2 1.2.6 GPG sig (579590 bytes)

Changes:

    Added libssh2_sftp_statvfs() and libssh2_sftp_fstatvfs()
    Added libssh2_knownhost_checkp()
    Added libssh2_scp_send64()

Bug fixes:

    wait_socket: make c89 compliant and use two fd_sets for select()
    OpenSSL AES-128-CTR detection
    proper keyboard-interactive user dialog in the sftp.c example
    build procedure for VMS
    fixed libssh2.dsw to use the generated libssh2.dsp
    several Windows-related build fixes
    fail to init SFTP if session isn't already authenticated
    many tiny fixes that address clang-analyzer warnings
    sftp_open: deal with short channel_write calls
    libssh2_publickey_init: fixed to work better non-blocking
    sftp_close_handle: add precaution to not access NULL pointer
    sftp_readdir: simplified and bugfixed
    channel_write: if data has been sent, don't return EAGAIN

Version 1.2.5 - April 13 2010

libssh2 1.2.5 GPG sig (559553 bytes)

Changes:

    Added keep-alive support: libssh2_keepalive_config() and
libssh2_keepalive_send()
    Added libssh2_knownhost_addc(), libssh2_init() and libssh2_exit()
    Added LIBSSH2_SFTP_S_IS***() macros

Bug fixes:

    fix memory leak in libssh2_session_startup()
    added missing error codes - shown as hangs in blocking mode
    fix memory leak in userauth_keyboard_interactive()
    libssh2_knownhost_del: fix write to freed memory
    Send and receive channel EOF before sending SSH_MSG_CHANNEL_CLOSE
    Use AES-CTR from OpenSSL when available
    Fixed gettimeofday to compile with Visual C++ 6
    NULL dereference when window adjusting a non-existing channel
    avoid using poll on interix and mac os x systems
    fix scp memory leak
    Correctly clear blocking flag after sending multipart packet
    Reduce used window sizes by factor 10
    libssh2_userauth_publickey_fromfile_ex() handles a NULL password
    sftp_init() deal with _libssh2_channel_write() short returns

Version 1.2.4 - February 13 2010

libssh2 1.2.4 GPG sig (547675 bytes)

Bug fixes:

    Resolve compile issues on Solaris x64 and UltraSPARC
    Allow compiling with OpenSSL when AES isn't available
    Fix Tru64 socklen_t compile issue with example/direct_tcpip.c

Version 1.2.3 - February 3 2010

libssh2 1.2.3 GPG sig (547652 bytes)

Changes:

    ssh-agent support with the new libssh2_agent_* functions
    Added libssh2_trace_sethandler()
    Added the direct_tcpip.c and ssh2_agent.c examples

Bug fixes:

    Fixed memory leak in userauth_publickey
    Fixed publickey authentication regression
    Silenced several compiler warnings
    avoid returning data to memory already freed
    transport layer fix for bogus -39 (LIBSSH2_ERROR_BAD_USE) errors
    Fixed padding in ssh-dss signature blob encoding
    Fixed direction blocking flag problems
    Fixed memory leak in sftp_fstat()
2014-07-20 22:02:58 +00:00
ryoon
d663570005 Fix build under SCO OpenServer 5.0.7/3.2. 2014-07-18 10:36:28 +00:00
ryoon
e81c9fc236 For SCO OpenServer 5.0.7/3.2, sco-os5 target should be used.
And libsocket is needed.
2014-07-18 10:34:34 +00:00
ryoon
f0c3019e41 SCO OpenServer 5.0.7/3.2 does not support SSSE3. 2014-07-18 10:32:37 +00:00
wen
6e8fd11a70 Update to 1.9
No upstream changelog.
2014-07-17 13:10:01 +00:00
wen
b0e4b5bb7e Update to 5.92
Upstream changes:
5.92  Sun Jun  1 00:15:44 MST 2014
	- fixed reserved-word clash when compiling with C++
		-- use 'classname' instead of 'class'
			-- ref. SHA.xs (rt.cpan.org #96090)
	- silenced MSC compiler warning about signed/unsigned comparison
		-- ref. SHA.xs (rt.cpan.org #95830)

5.91  Fri May 16 10:21:44 MST 2014
	- restored original 'addfile' for use on opened file handles
		-- allows callbacks in place of actual files
			-- ref. IO::Callback (rt.cpan.org #95643)
	- re-established inheritance from Digest::base
		-- to pick up future Digest enhancements automatically
	- cleaned up documentation

5.90  Wed May  7 07:57:08 MST 2014
	- consolidated all dynamic memory allocation into XSUBs
		-- streamlines referencing of SHA objects
		-- simplifies DESTROYing of objects
	- enhanced Makefile.PL to allow 'use warnings'
		-- automatically reverts to $^W for early Perls
	- scrubbed C and Perl code to remove all compiler warnings
2014-07-17 13:00:13 +00:00
wen
72863d761d Update to 0.22
Upstream changes:
0.22  Sun Jun  1 00:15:46 MST 2014
	- fixed reserved-word clash when compiling with C++
		-- use 'classname' instead of 'class'
			-- ref. SHA3.xs (rt.cpan.org #96090)

0.21  Fri May 16 10:21:46 MST 2014
	- restored original 'addfile' for use on opened file handles
		-- allows callbacks in place of actual files
			-- ref. IO::Callback (rt.cpan.org #95643)
	- re-established inheritance from Digest::base
		-- to pick up future Digest enhancements automatically
	- cleaned up documentation

0.20  Wed May  7 07:57:10 MST 2014
	- consolidated all dynamic memory allocation into XSUBs
		-- streamlines referencing of SHA3 objects
		-- simplifies DESTROYing of objects
	- enhanced Makefile.PL to allow 'use warnings'
		-- automatically reverts to $^W for early Perls
	- scrubbed C and Perl code to remove all compiler warnings
2014-07-17 12:57:05 +00:00
mef
020c303e9f Caff was packaged fine, but a module was missing at run.
Add dependency
+DEPENDS+=  p5-Net-IDN-Encode-[0-9]*:../../textproc/p5-Net-IDN-Encode
and bump PKGREVISION. Thanks gdt@ for review.
2014-07-16 12:21:29 +00:00
obache
45f890ce05 PolarSSL ChangeLog
= Version 1.2.11 released 2014-07-11
Features
   * Entropy module now supports seed writing and reading

Changes
   * Introduced POLARSSL_HAVE_READDIR_R for systems without it
   * Improvements to the CMake build system, contributed by Julian Ospald.
   * Work around a bug of the version of Clang shipped by Apple with Mavericks
     that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
   * Improvements to tests/Makefile, contributed by Oden Eriksson.
   * Use UTC time to check certificate validity.
   * Reject certificates with times not in UTC, per RFC 5280.
   * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
     against unwanted compiler optimizations

Security
   * Forbid change of server certificate during renegotiation to prevent
     "triple handshake" attack when authentication mode is optional (the
     attack was already impossible when authentication is required).
   * Check notBefore timestamp of certificates and CRLs from the future.
   * Forbid sequence number wrapping
   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
     TrustInSoft)
   * Fix length checking for AEAD ciphersuites (found by Codenomicon).
     It was possible to crash the server (and client) using crafted messages
     when a GCM suite was chosen.

Bugfix
   * Fixed X.509 hostname comparison (with non-regular characters)
   * SSL now gracefully handles missing RNG
   * crypt_and_hash app checks MAC before final decryption
   * Fixed x509_crt_parse_path() bug on Windows platforms
   * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
     TrustInSoft)
   * Fixed potential overflow in certificate size verification in
     ssl_write_certificate() (found by TrustInSoft)
   * Fix ASM format in bn_mul.h
   * Potential memory leak in bignum_selftest()
   * Replaced expired test certificate
   * ssl_mail_client now terminates lines with CRLF, instead of LF
   * Fix bug in RSA PKCS#1 v1.5 "reversed" operations
   * Fixed testing with out-of-source builds using cmake
   * Fixed version-major intolerance in server
   * Fixed CMake symlinking on out-of-source builds
   * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
     Alex Wilson.)
   * ssl_init() was leaving a dirty pointer in ssl_context if malloc of
     out_ctr failed
   * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
     of one of them failed
   * x509_get_current_time() uses localtime_r() to prevent thread issues
   * Some example server programs were not sending the close_notify alert.
   * Potential memory leak in mpi_exp_mod() when error occurs during
     calculation of RR.
   * Improve interoperability by not writing extension length in ClientHello
     when no extensions are present (found by Matthew Page)
   * rsa_check_pubkey() now allows an E up to N
   * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
   * mpi_fill_random() was creating numbers larger than requested on
     big-endian platform when size was not an integer number of limbs
   * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
   * Stricter check on SSL ClientHello internal sizes compared to actual packet
     size (found by TrustInSoft)
   * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
   * Use \n\t rather than semicolons for bn_mul asm, since some assemblers
     interpret semicolons as comment delimiters (found by Barry K. Nathan).
   * Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
   * Fix base64_decode() to return and check length correctly (in case of
     tight buffers)

= Version 1.2.10 released 2013-10-07
Changes
   * Changed RSA blinding to a slower but thread-safe version
   * Make get_pkcs_padding() constant-time

Bugfix
   * Fixed memory leak in RSA as a result of introduction of blinding
   * Fixed ssl_pkcs11_decrypt() prototype
   * Fixed MSVC project files

= Version 1.2.9 released 2013-10-01
Changes
   * x509_verify() now case insensitive for cn (RFC 6125 6.4)

Bugfix
   * Fixed potential memory leak when failing to resume a session
   * Fixed potential file descriptor leaks (found by Remi Gacogne)
   * Minor fixes

Security
   * Fixed potential heap buffer overflow on large hostname setting
   * Fixed potential negative value misinterpretation in load_file()
   * RSA blinding on CRT operations to counter timing attacks
     (found by Cyril Arnaud and Pierre-Alain Fouque)
2014-07-16 10:03:57 +00:00
rodent
2316abf9f4 Unbump PKGREVISION on select ruby packages. 2014-07-16 08:37:20 +00:00
rodent
cdf103652e Removing .ri entries from PLIST. NFI why this works with/without the
entries on my machine. Seems no other ruby package has them. Bump
PKGREVISION.
2014-07-16 07:56:28 +00:00
agc
655471f565 Update netpgpverify package to 20140712
+ bring the bignum implementation up to the latest version

	+ radix conversion routines added
	+ bitwise operations added
	+ whitespace cleanups
2014-07-12 15:45:52 +00:00
wiz
caeb6e9a78 Add dependency on p5-Term-ReadLine-Perl. Either that or
...-Gnu is needed for kpcli to work.
Bump PKGREVISION.
2014-07-05 05:17:27 +00:00
rodent
fdbd69418d +ruby-{openid,rack-openid,ruby-openid} 2014-07-04 12:42:10 +00:00
rodent
12b3d92c3f Import ruby200-rack-openid-1.4.2 as security/ruby-rack-openid.
Provides a more HTTPish API around the ruby-openid library.
2014-07-04 12:39:38 +00:00
rodent
3ccc951698 Import ruby200-ruby-openid-2.5.0 as security/ruby-ruby-openid.
A Ruby library for verifying and serving OpenID identities. Features:

 * Easy to use API for verifying OpenID identities - OpenID::Consumer
 * Support for serving OpenID identities - OpenID::Server
 * Does not depend on underlying web framework
 * Supports multiple storage mechanisms (Filesystem, ActiveRecord, Memory)
 * Example code to help you get started, including:
   * Ruby on Rails based consumer and server
   * OpenIDLoginGenerator for quickly creating a rails app that uses
     OpenID for authentication
   * ActiveRecordOpenIDStore plugin
 * Comprehensive test suite
 * Supports both OpenID 1 and OpenID 2 transparently
2014-07-04 12:36:34 +00:00
rodent
da081ee856 Import ruby200-openid-0.0.1 as security/ruby-openid.
OpenID support for Ruby. OpenID is a decentralized identification system that
allows users to prove they own a url. OpenID for Ruby currently includes only
consumer modules.
2014-07-04 12:35:20 +00:00
jperkin
653d58cdba Add SMF manifest for stud. 2014-07-03 09:35:42 +00:00
adam
fc6de457d4 Changes 0.98.4:
- Various build problems on Solaris, OpenBSD, AIX.
- Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
- Infinite loop in clamdscan when clamd is not running.
- Freshclam failure on Solaris 10.
- Buffer underruns when handling multi-part MIME email attachments.
- Configuration of OpenSSL on various platforms.
- Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.
- Linking issues with libclamunrar
2014-07-02 11:38:28 +00:00
wiz
667c623a90 Update to 2.0.24, security fix:
Noteworthy changes in version 2.0.24 (2014-06-24)
-------------------------------------------------

 * gpg: Avoid DoS due to garbled compressed data packets.

 * gpg: Screen keyserver responses to avoid importing unwanted keys
   from rogue servers.

 * gpg: The validity of user ids is now shown by default.  To revert
   this add "list-options no-show-uid-validity" to gpg.conf.

 * gpg: Print more specific reason codes with the INV_RECP status.

 * gpg: Allow loading of a cert only key to an OpenPGP card.

 * gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt 1.6.


Noteworthy changes in version 2.0.23 (2014-06-03)
-------------------------------------------------

 * gpg: Reject signatures made using the MD5 hash algorithm unless the
   new option --allow-weak-digest-algos or --pgp2 are given.

 * gpg: Do not create a trustdb file if --trust-model=always is used.

 * gpg: Only the major version number is by default included in the
   armored output.

 * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
   communication with the gpg-agent.

 * gpg: The format of the fallback key listing ("gpg KEYFILE") is now more
   aligned to the regular key listing ("gpg -k").

 * gpg: The option --show-session-key prints its output now before the
   decryption of the bulk message starts.

 * gpg: New %U expando for the photo viewer.

 * gpgsm: Improved handling of re-issued CA certificates.

 * scdaemon: Various fixes for pinpad equipped card readers.

 * Minor bug fixes.
2014-06-24 21:53:14 +00:00
wiz
33a6bffd05 Update to 1.4.17 due to security fix:
Noteworthy changes in version 1.4.17 (2014-06-23)
-------------------------------------------------

 * Avoid DoS due to garbled compressed data packets.

 * Screen keyserver responses to avoid import of unwanted keys by rogue
   servers.

 * Add hash algorithms to the "sig" records of the colon output.

 * More specific reason codes for INV_RECP status.

 * Fixes for PC/SC access on Apple.

 * Minor bug fixes.
2014-06-24 07:35:10 +00:00
manu
512b564818 Fix list overrun that causes a crash
Submitted upstream as https://sourceforge.net/p/ssldump/patches/9/
2014-06-19 03:48:18 +00:00
wiedi
061a10f6f2 fix SMF Manifest installation by not overwriting INSTALLATION_DIRS 2014-06-17 04:03:51 +00:00
wiedi
f19099128e fix SMF Manifest installation by not overwriting INSTALLATION_DIRS 2014-06-14 10:14:43 +00:00
wiz
a2a014b154 Update to 2.7:
2014-Jun-11 v2.7 - Bug fix release. Broke the open command in 2.6.
2014-06-14 05:40:28 +00:00
wiedi
f6ed0a0535 needs openssl as suggested by bulk build 2014-06-12 23:05:28 +00:00
wiedi
c4dac20ca5 needs openssl as suggested by bulk build 2014-06-12 23:02:57 +00:00
gls
ee03d6baad Update security/py-paramiko to 1.14.0
Upstream changes:
-----------------

:release:`1.14.0 <2014-05-07>`
------------------------------

:bug:`-` paramiko.file.BufferedFile.read incorrectly returned text
 strings after the Python 3 migration, despite bytes being more
 appropriate for file contents
(which may be binary or of an unknown encoding.) This has been addressed.

Note
paramiko.file.BufferedFile.readline continues to return strings,
 not bytes, as "lines" only make sense for textual data.
 It assumes UTF-8 by default.

This should fix this issue raised on the Obnam mailing list.
 Thanks to Antoine Brenner for the patch.

:bug:`-` Added self.args for exception classes. Used for unpickling.
 Related to (Fabric #986, Fabric #714). Thanks to Alex Plugaru.

:bug:`-` Fix logging error in sftp_client for filenames containing
 the '%' character. Thanks to Antoine Brenner.

:bug:`308` Fix regression in dsskey.py that caused sporadic
 signature verification failures. Thanks to Chris Rose.

:support:`299` Use deterministic signatures for ECDSA keys for
 improved security. Thanks to Alex Gaynor.

:support:`297` Replace PyCrypto's Random with os.urandom for
 improved speed and security. Thanks again to Alex.

:support:`295` Swap out a bunch of PyCrypto hash functions with use of
 hashlib. Thanks to Alex Gaynor.

:support:`290` (also :issue:`292`) Add support for building universal
 (Python 2+3 compatible) wheel files during the release process.
 Courtesy of Alex Gaynor.

:support:`284` Add Python language trove identifiers to setup.py.
 Thanks to Alex Gaynor for catch & patch.

:bug:`235` Improve string type testing in a handful of spots
 (e.g. s/if type(x) is str/if isinstance(x, basestring)/g.)
 Thanks to @ksamuel for the report.

:release:`1.13.0 <2014-03-13>`
------------------------------

:feature:`16` Python 3 support! Our test suite passes under Python 3,
 and it (& Fabric's test suite) continues to pass under Python 2.
 Python 2.5 is no longer supported with this change!

The merged code was built on many contributors' efforts, both code &
 feedback. In no particular order, we thank Daniel Goertzen, Ivan
 Kolodyazhny, Tomi Pieviläinen, Jason R. Coombs, Jan N. Schulze,
 @Lazik, Dorian Pula, Scott Maxwell, Tshepang Lekhonkhobe, Aaron Meurer,
 and Dave Halter.

:support:`256 backported` Convert API documentation to Sphinx, yielding
 a new API docs website to replace the old Epydoc one.
 Thanks to Olle Lundberg for the initial conversion work.

:bug:`-` Use constant-time hash comparison operations where possible,
to protect against timing-based attacks. Thanks to Alex Gaynor for the patch.

:release:`1.12.2 <2014-02-14>`
------------------------------

:feature:`58` Allow client code to access the stored SSH server banner via
 Transport.get_banner <paramiko.transport.Transport.get_banner>.
 Thanks to @Jhoanor for the patch.

:bug:`252` (Fabric #1020) Enhanced the implementation of ProxyCommand to
 avoid a deadlock/hang condition that frequently occurs at Transport
 shutdown time. Thanks to Mateusz Kobos, Matthijs van der Vleuten and
 Guillaume Zitta for the original reports and to Marius Gedminas for
 helping test nontrivial use cases.

:bug:`268` Fix some missed renames of ProxyCommand related error classes.
 Thanks to Marius Gedminas for catch & patch.

:bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some
 SFTP servers regarding request/response ordering.
 Thanks to Richard Kettlewell.

:bug:`193` (and its attendant PRs :issue:`230` & :issue:`253`) Fix SSH
 agent problems present on Windows. Thanks to David Hobbs for initial
 report and to Aarni Koskela & Olle Lundberg for the patches.

:release:`1.12.1 <2014-01-08>`
------------------------------

:bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
 Rodriguez for the catch.

:bug:`176` Fix AttributeError bugs in known_hosts file (re)loading.
 Thanks to Nathan Scowcroft for the patch & Martin Blumenstingl for the
 initial test case.
2014-06-12 00:43:28 +00:00
gls
8af5c5fe4a Update security/py-ecdsa to 0.11
Upstream changes:
-----------------

* Release 0.11 (10 Mar 2014)

Add signature-encoding functions "sigencode_{strings,string,der}_canonize"
which canonicalize the S value (using the smaller of the two possible
values). Add "validate_point=" argument to VerifyingKey.from_string()
constructor (defaults to True) which can be used to disable time-consuming
point validation when importing a pre-validated verifying key. Drop python2.5
support (untested but not explicitly broken yet), update trove classifiers.
2014-06-12 00:28:26 +00:00
wiz
b892cab5ba Replace perl interpreter path in installed file.
Bump PKGREVISION.
2014-06-11 20:19:17 +00:00
wiz
905b7d61f0 Update to 0.73:
[Changes for 0.73 - Wed Jun  5 23:44:57 CST 2013]

* Properly redo the previous fix using File::Spec->file_name_is_absolute.

[Changes for 0.72 - Wed Jun  5 23:19:02 CST 2013]

* Only allow loading Digest::* from absolute paths in @INC,
  by ensuring they begin with \ or / characters.

  Contributed by: Florian Weimer (CVE-2013-2145)

[Changes for 0.71 - Tue Jun  4 18:24:10 CST 2013]

* Constrain the user-specified digest name to /^\w+\d+$/.

* Avoid loading Digest::* from relative paths in @INC.

  Contributed by: Florian Weimer (CVE-2013-2145)

[Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]

* Don't check gpg version if gpg does not exist.

  This avoids unnecessary warnings during installation
  when gpg executable is not installed.

  Contributed by: Kenichi Ishigaki

[Changes for 0.69 - Fri Nov  2 23:04:19 CST 2012]

* Support for gpg under these alternate names:

    gpg gpg2 gnupg gnupg2

  Contributed by: Michael Schwern
2014-06-11 20:17:58 +00:00
gdt
bb599bea87 Update to 1.4.17.
1.4.17 - 11 June 2014, Ludovic Rousseau
    - Add support of
      . Feitian R502
      . Free Software Initiative of Japan Gnuk Token
      . German Privacy Foundation Crypto Stick v2.0
      . HID Global veriCLASS Reader
      . HID OMNIKEY 5025-CL
      . Identive Technologies Multi-ISO HF Reader - USB
      . OMNIKEY 5421
      . OMNIKEY AG 3121 USB
      . udea MILKO V1.
    - Fix support of O2 Micro Oz776. The reader is limited to 9600 bps
    - some minor bugs removed
2014-06-11 14:05:31 +00:00
joerg
bef8522f0e Retire Apache 1.3 and 2.0. 2014-06-10 15:22:13 +00:00
joerg
a8dd640f08 Bump PostgreSQL default version to 9.3. 2014-06-10 14:21:37 +00:00
joerg
25f90b793a Remove outdated security/PAM. 2014-06-10 13:54:29 +00:00
joerg
90dae8e66c Just because the (native) PAM package might already contain this is no
reason to not build a binary package.
2014-06-10 13:45:16 +00:00
joerg
b6c7847ef0 Update OpenPAM to openpam-20130907 (Nummularia), including a fix for
CVE-2014-3879:

- Better dynamic loader, supports specifying modules without ".so"
  prefix.
- Improve documentation.
- openpam_subst, openpam_readword and openpam_readlinev helpers
- PAM_HOST item for better password prompts
- user_prompt, authtok_prompt and oldauthtok_prompt module options
- pamtest(1) program for testing policies and modules
2014-06-10 13:17:42 +00:00
schmonz
981172a3f6 Add new dependencies missed in previous, and chmod -x an errant .pm. 2014-06-09 21:30:36 +00:00
schmonz
76b7311d83 Update to 1.63. From the changelog:
* Fixed error in version number in META.yml
* Improvements to OCSP support: It turns out that some CA (like
  Verisign) sign the OCSP response with the CA we have in the trust
  store and don't attach this certificate in the response. But OpenSSL
  by itself only considers the certificates included in the response
  and SSL_OCSP_response_verify added the certificates in the chain
  too. Now, we also add the trusted CA from the store which signed
  the lowest chain certificate, at least if we could not verify the
  OCSP response without doing it. Patch from Steffen Ullrich. Thanks.
* Fixed some compiler warnings.
2014-06-09 19:49:45 +00:00
schmonz
d2cb2f0b04 Update to 0.72. From the changelog:
- RT #94974: I forgot that `return` just returns from the code block for
  `catch`, not the subroutine so `filter_libs` was still trying to link
  against various libraries even when Devel::CheckLib was not installed.

- Various minor fixes to C code
- Various fixes to the distribution such as manifest files, additional
  tests, bundled module etc
- Address RT bugs #94828 and #79212

- REMINDER: make test WILL FAIL if your OpenSSL is vulnerable to Heartbleed.

- Add additional functions exposing information that can be obtained via
  SSLeay_version.

- Add ability to query OpenSSL version, add test whether OpenSSL library
  being used is vulnerable to the Heartbleed bug.

- Assorted fixes to Makefile.PL, most importantly to fix build problems with
  Strawberry Perl.

- In Makefile.PL, use assert_lib to find the libraries against which we can
  actually link rather than passing a big bowl of libs to WriteMakefile.
  Bail out early if we can't link against any of the candidate libraries.

- Make sure t/02-live.t actually uses Net::SSL.

- Address RT bugs #88786, #88269, #78848, and #79477

- Makefile.PL now respects live-tests and no-live-tests, and allows library
  and header locations to be specified via the command line arguments
  libpath and incpath, respectively.

- These options can also be specified using the environment variables

        CRYPT_SSLEAY_LIVE_TEST_WANTED
        OPENSSL_LIB
        OPENSSL_INC

- Also fixed a number of embarrassing logic errors and typos in Makefile.PL
  which were introduced in previous 0.65_xx versions.

- Reorganize Makefile.PL to allow incpath and libpath command line
  arguments. This attempts to address RT #88786, #88269, #79477, and #78848.
  This was supposed to be the next step immediately after drastically
  specifying Makefile.PL. But never got done.

- Also add encoded version number to openssl-version output.

- Address pull requests from GitHub and bug reports on RT. These address RT
  issues #83764, #86425, #86819, #62133, #82715, #90803
2014-06-09 19:46:16 +00:00
schmonz
e70e9f7024 Update to 1.992. From the changelog:
1.992 2014/06/01
- set $! to undef before doing IO (accept, read..). On Windows a connection
  reset could cause SSL read error without setting $!, so make sure we don't
  keep the old value and maybe thus run into endless loop.

1.991 2014/05/27
- new option SSL_OCSP_TRY_STAPLE to enforce staple request even if
  VERIFY_NONE
- work around for RT#96013 in peer_certificates

1.990 2014/05/27
- added option SSL_ocsp_staple_callback to get the stapled OCSP response
  and verify it somewhere else
- try to fix warnings on Windows again (#95967)
- work around temporary OCSP error in t/external/ocsp.t

1.989 2014/05/24
- fix #95881 (warnings on windows), thanks to TMHALL

1.988 2014/05/17
- add transparent support for DER and PKCS#12 files to specify cert and key,
  e.g. it will autodetect the format
- if SSL_cert_file is PEM and no SSL_key_file is given it will check if
  the key is in SSL_cert_file too

1.987 2014/05/17
- fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
  #95719, thanks srchulo
- enable IPv6 support only if we have a usable inet_pton
- remove stale entries from MANIFEST (thanks seen[AT]myfairpoint[DOT]net)

1.986 2014/05/16
- allow IPv4 in common name, because browsers allow this too. But only for
  scheme www/http, not for rfc2818 (because RFC2818 does not allow this).
  In default scheme IPv6 and IPv4 are allowed in CN.
  Thanks to heiko[DOT]hund[AT]sophos[DOT]com for reporting the problem.
- Fix handling of public suffix. Add exemption for *.googleapis.com
  wildcard, which should be better not allowed according to public suffix
  list but actually is used.
- Add hostname verification test based on older test of chromium. But change
  some of the test expectations because we don't want to support IP as SAN
  DNS and because we enforce a public suffix list (and thus *.co.uk should
  not be allowed)
2014-06-09 19:43:51 +00:00
fhajny
d48f713d38 Keychain really is a Bash script. Update homepage. Bump PKGREVISION. 2014-06-09 10:30:20 +00:00
pettai
9f73bc24c3 OpenDNSSEC 1.4.5
Bugfixes:
* OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key
  generation.
* OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4
  on MySQL.
2014-06-09 10:18:12 +00:00
pettai
bd79d7f786 SoftHSM 1.3.7 - 2014-05-28
Bugfixes:
* SOFTHSM-94: umask affecting the calling application.
* SOFTHSM-96: Check if Botan has already been initialized.
2014-06-07 20:37:25 +00:00
wiz
13d1f6a35e Update to 2.6:
 2013-Jun-16 v2.2 - Trap and handle SIGINT (^C presses).
                    Trap and handle SIGTSTP (^Z presses).
                    Trap and handle SIGCONT (continues after ^Z).
                    Stopped printing found dictionary words in pwck.
 2013-Jul-01 v2.3 - More readline() and signal handling improvements.
                    Title conflict checks in cli_new()/edit()/mv().
                    Group title conflict checks in rename().
                    cli_new() now accepts optional path&|title param.
                    cli_ls() can now list multiple paths.
                    cli_edit() now shows the "old" values for users
                     to edit, if Term::ReadLine::Gnu is available.
                    cli_edit() now aborts all changes on ^C.
                    cli_saveas() now asks before overwriting a file.
 2013-Nov-26 v2.4 - Fixed several "perl -cw" warnings reported on
                     2013-07-09 as SourceForge bug #9.
                    Bug fix for the cl command, but in sub cli_ls().
                    First pass at Strawberry perl/MS Windows support.
                     - Enhanced support for Term::ReadLine::Perl
                     - Added support for Term::ReadLine::Perl5
                    Added display of expire time for show -a.
                    Added -a option to the find command.
                    Used the new magic_file_type() in a few places.
                    Added generatePasswordFromDict() and "w" generation.
                    Added the -v option to the version command.
                     - Added the versions command.
 2014-Mar-15 v2.5 - Added length control (gNN) to password generation.
                    Added the copy command (and cp alias).
                    Added the clone command.
                    Added optional modules not installed to version -v.
                    Groups can now also be moved with the mv command.
                    Modified cli_cls() to also work on MS Windows.
                    Suppressed Term::ReadLine::Gnu hint on MS Windows.
                    Suppressed missing termcap warning on MS Windows.
                    Print a min number of *s to not leak passwd length.
                    Removed unneeded use of Term::ReadLine.
                    Quieted "inherited AUTOLOAD for non-method" warns
                     caused by Term::Readline::Gnu on perl 5.14.x.
 2014-Jun-06 v2.6 - Added interactive password generation ("i" method).
                     - Thanks to Florian Tham for the idea and patch.
                    Show entry's tags if present (KeePass >= v2.11).
                     - Thanks to Florian Tham for the patch.
                    Add/edit support for tags if a v2 file is opened.
                    Added tags to the searched fields for "find -a".
                    Show string fields (key/val pairs) in v2 files.
                    Add/edit for string fields if a v2 file is opened.
                    Show information about entries' file attachments.
                     2014-03-20 SourceForge feature request #6.
                    New "attach" command to manage file attachments.
                    Added "Recycle Bin" functionality and --no-recycle.
                    For --readonly, don't create a lock file and don't
                     warn if one exists. 2014-03-27 SourceForge bug #11.
                    Added key file generation to saveas and export.
                     2014-04-19 SourceForge bug #13.
                    Added -expired option to the find command.
                    Added "dir" as an alias for "ls"
                    Added some additional info to the stats command.
                    Added more detailed OS info for Linux/Win in vers.
                    Now hides Meta-Info/SYSTEM entries.
                    Fixed bug with SIGTSTP handling (^Z presses).
                    Fixed missing refresh_state_all_paths() in cli_rm.
2014-06-07 09:37:20 +00:00
wiz
09373be78c Update to 3.8:
3.8
---

* Issue #22: Deprecated loading of config from current directory. Support for
  loading the config in this manner will be removed in a future version.
* Issue #131: Keyring now will prefer ``pywin32-ctypes
  <https://pypi.python.org/pypi/pywin32-ctypes>``_ to pywin32 if available.
2014-06-06 12:35:12 +00:00
wiz
65b61e5b69 Update to 1.0.1h:
Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]

      o Fix for CVE-2014-0224
      o Fix for CVE-2014-0221
      o Fix for CVE-2014-0195
      o Fix for CVE-2014-3470
      o Fix for CVE-2010-5298
2014-06-05 12:16:06 +00:00
obache
103141f651 Fixes missing override of pc files.
PR pkg/48871.

Bump PKGREVISION.
2014-06-05 03:14:05 +00:00
obache
77c21dcc36 No reason to require gtar. 2014-06-05 02:53:18 +00:00
jperkin
6db42def4c Add ruby-net-ssh-multi. 2014-06-03 14:54:30 +00:00
jperkin
c4753114ae Import security/ruby-net-ssh-multi into pkgsrc.
Net::SSH::Multi is a library for controlling multiple Net::SSH
connections via a single interface. It exposes an API similar to that
of Net::SSH::Connection::Session and Net::SSH::Connection::Channel,
making it simpler to adapt programs designed for single connections to
be used with multiple connections.

This library is particularly useful for automating repetitive tasks
that must be performed on multiple machines. It executes the commands
in parallel, and allows commands to be executed on subsets of servers
(defined by groups).
2014-06-03 14:52:56 +00:00
khorben
8158f7051a security/py-{cybox,stix,libtaxii} and sysutils/py-pefile do not seem to have
been ported to either Python 3.3 or 3.4.
2014-06-03 08:59:33 +00:00
pettai
fec44e9c96 1.1.5
  - Fixes for machine-readable indices. Key expiration times are now read
    from self-signatures on the key's UIDs. In addition, instead of 8-digit
    key IDs, index entries now return the most specific key ID possible:
    16-digit key ID for V3 keys, and the full fingerprint for V4 keys.
  - Add metadata information (number of keys, number of files,
    checksums, etc) to key dump. This allows for information on the
    key dump ahead of download/import, and direct verification of checksums
    using md5sum -c <metadata-file>.
  - Replaced occurrences of the deprecated operator 'or' with '||' (BB issue #2)
  - Upgraded to cryptlib-1.7 and own changes are now packaged as separate
    patches that are installed during 'make'. Added the SHA-3 algorithm, Keccak
  - Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
  - op=hget now supports option=mr for completeness (BB issue #17)
  - Add CORS header to web server responses. Allows JavaScript code to
    interact with keyservers, for example the OpenPGP.js project.
  - Change the default hkp_address and recon_address to make the
    default configuration support IPv6. (Requires OCaml 3.11.0 or newer)
  - Only use '-warn-error A' if the source is marked as development as per
    the version suffix (+) (part of BB Issue #2)
  - Reduce logging verbosity for debug level lower than 6 for (i) bad requests,
    and (ii) no results found (removal of HTTP headers in log) (BB Issue #13)
  - Add additional OIDs for ECC RFC6637 style implementations
    (brainpool and secp256k1) (BB Issue #25) and fix issue for 32 bit arches.
  - Fix a non-persistent cross-site scripting possibility resulting from
    improper input sanitation before writing to client. (BB Issue #26 | CVE-2014-3207)
2014-06-03 08:28:50 +00:00
fhajny
df399caff0 Fix build on at least SunOS, variable changed name in the last release. 2014-06-02 19:42:47 +00:00
adam
a0b1c59344 Changes 3.6:
- Corrected an off-by-one error in ASN.1 DER tag decoding.
- Several improvements and new safety checks on DER decoding;
  issues found using Codenomicon TLS test suite.
- Marked asn1_der_decoding_element() as deprecated. Use
  asn1_der_decoding() instead.
2014-06-02 16:30:44 +00:00
pettai
d21759b1e9 Remove unneeded lines 2014-06-02 12:26:39 +00:00
tron
90dd58254c Mark this package as FreeBSD and NetBSD only. Other platforms either
provide this (Linux or Solaris) or cannot use it (e.g. Darwin or OpenBSD).
2014-06-02 10:22:17 +00:00
rodent
c536b28407 Use pypi as MASTER_SITE and stop using so much shaman magick in the
Makefile. Updated to 1.1.1.0. Changes:

Version 1.1.1.0
2014-05-09
- Support for STIX v1.1.1
- Updated all schemalocations to reference new STIX v1.1.1 schemas
- Changed Confidence.source to be of type InformationSource
- Changed Statement.source to be of type InformationSource
- Changed Sighting.source to be of type InformationSource
- Updated AvailabilityLossType CV to align with STIX v1.1.1
2014-06-02 00:24:24 +00:00
rodent
907cb90fb2 +py-pydeep 2014-06-02 00:00:58 +00:00
rodent
98da58760b Import py27-pydeep-0.2 as security/py-pydeep.
Python/C bindings for the ssdeep library at http://ssdeep.sourceforge.net:

 * hash_buf / hash_bytes - returns the ssdeep hash for a given buffer
 * hash_file - returns the ssdeep hash for filepath
 * compare - returns the % match between 2 hashes

import pydeep
pydeep.hash_buf('somedata')
pydeep.hash_file('path-to-file')
pydeep.compare('hash1','hash2')
2014-06-02 00:00:15 +00:00
rodent
9976064dc5 ** Version 2.10 - 17 Jul 2013
* New Features
  - Fuzzy Hashing engine re-written to be thread safe.
* Bug Fixes
  - Able to handle long file paths on Win32.
  - Fixed bug on comparing signatures with the same block size.
  - Fixed crash on comparing short signatures.
  - Fixed memory leak
2014-06-01 23:56:56 +00:00
rodent
e2c0255fa1 Updated to 0.22.3. No ChangeLog. Remove python/extension.mk from Makefile,
since egg.mk includes that. PGP module seems to have been removed from
package.
2014-06-01 23:51:25 +00:00
wiz
16b9e3b61d Update to 3.2.15:
* Version 3.2.15 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.

** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

** API and ABI modifications:
No changes since last version.


* Version 3.2.14 (released 2014-05-06)

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.

** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:
No changes since last version.


* Version 3.2.13 (released 2014-04-07)

** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
if there are no base64 data. Report and patch by Ramkumar Chinchani.

** libgnutls: gnutls_record_send is now safe to be called under DTLS when
in corked mode.

** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
these algorithms.

** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
Wildcards are only accepted when there are more than two domain components
after the wildcard. This drops support for the permissive RFC2818 wildcards
and adds more conservative support based on the suggestions in RFC6125. Suggested
by Jeffrey Walton.

** certtool: When no password is provided to export a PKCS #8 keys, do
not encrypt by default. This reverts to the certtool behavior of gnutls
3.0. The previous behavior of encrypting using an empty password can be
replicated using the new parameter --empty-password.

** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
the --provider option is given.

** API and ABI modifications:
No changes since last version.
2014-05-30 13:20:23 +00:00