Release 0.16.1
New API:
`VerifyingKey.precompute()` supports `lazy` argument to delay precomputation
to the first time the key is used to verify a signature.
Doc fixes:
Documentation for the `VerifyingKey.precompute()` method.
Bug fix:
Make created signatures correct when the hash used is bigger than the curve
order bit size and the curve order is not a multiple of 8 (this affects
only users of custom curves or hashes with output larger than 512 bits).
Performance:
Speed up library load time by calculating the generator point multiplication
tables the first time the points are used, not when they are initialised.
Maintenance:
Include Python 3.9 in CI testing.
Test coverage for the `VerifyingKey.precompute()` method.
Small speed-ups for the test suite.
Drop MESSAGE content pointing out mozilla-rootcerts-openssl that is
duplicative with DESCR.
Move MESSAGE content about installation for gnupg2 into a
documentation file; this is simply normal documentation about how to
use an installed package. Mention this documentation in DESCR, so
that prospective users get the right sense of what the package can do.
install .pc files there too, now fully avoiding conflicts with OpenSSL.
Add a buildlink3.mk hack for the .pc files to get found. Restore missing
${PLIST.man} to PLIST. Bump PKGREVISION.
### Version 5.57, 2020.10.11, urgency: HIGH
* Security bugfixes
- The "redirect" option was fixed to properly
handle "verifyChain = yes" (thx to Rob Hoes).
- OpenSSL DLLs updated to version 1.1.1h.
* New features
- New securityLevel configuration file option.
- FIPS support for RHEL-based distributions.
- Support for modern PostgreSQL clients (thx to Bram Geron).
- Windows tooltip texts updated to mention "stunnel".
- TLS 1.3 configuration updated for better compatibility.
* Bugfixes
- Fixed a transfer() loop bug.
- Fixed memory leaks on configuration reloading errors.
- DH/ECDH initialization restored for client sections.
- Delay startup with systemd until network is online.
- bin\libssp-0.dll removed when uninstalling.
- A number of testing framework fixes and improvements.
3.2.1 - 2020-10-27
Disable blinding on RSA public keys to address an error with some versions of OpenSSL.
3.2 - 2020-10-25
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to Hubert Kario for reporting the issue. CVE-2020-25659
Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade.
Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
3.1.1 - 2020-09-22
Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1h.
3.1 - 2020-08-26
BACKWARDS INCOMPATIBLE: Removed support for idna based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by the OpenSSL project. The next version of cryptography will drop support for it.
Deprecated support for Python 3.5. This version sees very little use and will be removed in the next release.
backend arguments to functions are no longer required and the default backend will automatically be selected if no backend is provided.
Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` .
Calling update or update_into on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with data longer than 231 bytes no longer raises an OverflowError. This also resolves the same issue in :doc:`/fernet`.
3.0 - 2020-07-20
BACKWARDS INCOMPATIBLE: Removed support for passing an :class:`~cryptography.x509.Extension` instance to :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`, as per our deprecation policy.
BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+ is still supported).
BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer.
BACKWARDS INCOMPATIBLE: RSA :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
BACKWARDS INCOMPATIBLE: X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until :attr:`~cryptography.x509.Certificate.version` is accessed.
Deprecated support for Python 2. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2 no longer receives support from the Python core team.
If you have trouble suppressing this warning in tests view the :ref:`FAQ entry addressing this issue <faq-howto-handle-deprecation-warning>`.
Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` for loading and :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.OpenSSH` for writing.
Added support for OpenSSH certificates to :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key`.
Added :meth:`~cryptography.fernet.Fernet.encrypt_at_time` and :meth:`~cryptography.fernet.Fernet.decrypt_at_time` to :class:`~cryptography.fernet.Fernet`.
Added support for the :class:`~cryptography.x509.SubjectInformationAccess` X.509 extension.
Added support for parsing :class:`~cryptography.x509.SignedCertificateTimestamps` in OCSP responses.
Added support for parsing attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequest.get_attribute_for_oid`.
Added support for encoding attributes in certificate signing requests via :meth:`~cryptography.x509.CertificateSigningRequestBuilder.add_attribute`.
On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL's built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
Added initial support for creating PKCS12 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`.
2020.11.17
* Copy URL in EASE interstitial
* Dependapot NPM updates
* CRX distribution scripts for transparency for Edge and Opera
* Port inclusion on allowlist for EASE
* UI change to reflect a global setting
CrackLib is a library containing a C function (well, lots of functions
really, but you only need to use one of them) which may be used in a
"passwd"-like program.
The idea is simple: try to prevent users from choosing passwords that
could be guessed by "Crack" by filtering them out, at source.
CrackLib is an offshoot of the the version 5 "Crack" software, and
contains a considerable number of ideas nicked from the new software.
0.20.4
* secret-file-collection: Make MAC comparison constant time [!60]
* Initialize libgcrypt for SecretFileCollection [!56]
* meson: Add tests for GIR-based languages [!54]
* man: Add a bugtracker section to the manpage [!14]
* meson: add option introspection [!53]
* Updated translations
--------------
polkit 0.118
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.118.
Highlights:
move to mozjs78
tarball CI fix
Build requirements
glib, gobject, gio >= 2.32
mozjs-78
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.117:
Xi Ruoyao:
tarball fixup for distcheck
Valentin David:
updated dependency to mozjs78
Many thanks to all contributors!
Jan Rybar et al.,
September 8, 2020
--------------
polkit 0.117
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.117.
Highlights:
Gitlab CI activation - all merge requests are tested before merged
New Norwegian translation, several other language updates
Build requirements
glib, gobject, gio >= 2.32
mozjs-68
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.116:
Bastien Nocera:
Activated Gitlab CI
Xi Ruoyao:
Updated dependency to mozjs68
Kalev Lember, Jan Rybar
Memory management fixes
Anders Jonsson, Karl Ove Hufthammer, Andika Triwidada, Yuri Chornoivan:
Language updates
Many thanks to all contributors!
Jan Rybar et al.,
July 24, 2020
Noteworthy changes in version 2.2.24
------------------------------------
* Allow Unicode file names on Windows almost everywhere. Note that
it is still not possible to use Unicode strings on the command
line. This change also fixes a regression in 2.2.22 related to
non-ascii file names.
* Fix localized time printing on Windows.
* gpg: New command --quick-revoke-sig.
* gpg: Do not use weak digest algos if selected by recipient
preference during sign+encrypt.
* gpg: Switch to AES256 for symmetric encryption in de-vs mode.
* gpg: Silence weak digest warnings with --quiet.
* gpg: Print new status line CANCELED_BY_USER for a cancel during
symmetric encryption.
* gpg: Fix the encrypt+sign hash algo preference selection for
ECDSA. This is in particular needed for keys created from
existing smartcard based keys.
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys.
* agent: Keep some permissions of private-keys-v1.d.
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and
gnutls builds.
* dirmngr: Fix the pool keyserver case for a single host in the
pool.
* scd: Fix the use case of verify_chv2 by CHECKPIN.
* scd: Various improvements to the ccid-driver.
* scd: Minor fixes for Yubikey
* gpgconf: New option --show-versions.
* w32: Install gpg-check-pattern and example profiles. Install
Windows subsystem variant of gpgconf (gpgconf-w32).
* i18n: Complete overhaul and completion of the Italian translation.
Thanks to Denis Renzi.
* Require Libgcrypt 1.8 because 1.7 has long reached end-of-life.
This release updates Firefox to 78.5.0esr and updates Tor to 0.4.4.6.
This release includes important security updates to Firefox.
The full changelog since Tor Browser 10.0.4 (Desktop) is:
Windows + OS X + Linux
Update Firefox to 78.5.0esr
Update Tor to 0.4.4.6
Bug 40212: Add new default obfs4 bridge
3.0.8 (2020-09-09)
* Provide --version option
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning
* Fixed issue with ED/EC certificates were still signed by RSA
* Added support for export-p8
* Clarified error message
* 2->3 upgrade now errors and prints message when vars isn't found
* Update OpenSSL Windows binaries to 1.1.1g
* Version 1.8.1 (released 2019-08-02) [stable]
** gsasl: IMAP client code now permits empty SASL tokens prefixed with '+'.
Normally servers should send '+ '. Buggy servers include Microsoft
Exchange. Reported by Adam Sjøgren.
** GSSAPI client: Now retrieves GSASL_AUTHZID for authorization identity.
** GSSAPI client: Can now transmit an empty/missing authorization identity.
See lib/NEWS for more information.
** Build fixes.
Update of gnulib, including how it is bootstrapped.
** i18n: Updated translations.
(Otherwise a few objects fail pretty early in the build.) Install the
shared library as .dylib on Darwin. Set MASTER_SITES=${HOMEPAGE}. Sort
PLIST and chmod -x libbearssl.a to quell pkglint warnings.
This release updates NoScript to 11.1.5 and includes an important security update to Firefox.
The full changelog since Tor Browser 10.0.2 (Desktop) is:
Windows + OS X + Linux
Update NoScript to 11.1.5
Bug 40021: Keep page shown after Tor Browser update purple
Bug 40022: EOY November Update - Matching
Bug 40219: Backport Mozilla Bug 1675905
Translations update
Build System
Windows + OS X + Linux
Update Go to 1.14.11
Bug 40141: Include "desktop" in signed tag
v 11.1.5
============================================================
x Updated TLD
x Fixed potential infinite loop via DOMContentLoaded
x Work-around for Firefox 82 media redirection bug (thanks
ppxxbu and skriptimaahinen)
x Updated TLDs
v 11.1.5rc2
============================================================
x Updated TLD
x Fixed potential infinite loop via DOMContentLoaded
v 11.1.5rc1
============================================================
x Work-around for Firefox 82 media redirection bug (thanks
ppxxbu and skriptimaahinen)
x Updated TLDs
v 11.1.4
============================================================
x Fixed sloppy CSP media blocker detection breaking MSE
blob: media placeholders on Chromium
x Fixed race condition causing temporary settings not to
survive updates sometimes
x Updated TLDs
x [Mobile] Improved prompts appearance on Android
v 11.1.4rc3
============================================================
x Fixed sloppy CSP media blocker detection breaking MSE
blob: media placeholders on Chromium
v 11.1.4rc2
============================================================
x Fixed race condition causing temporary settings not to
survive updates sometimes
v 11.1.4rc1
============================================================
x Updated TLDs
x [Mobile] Improved prompts appearance on Android
Changes since 2.8.6:
- Support External Account Binding (EAB)
- Support ZeroSSL.com CA
- Support preferred-chain
- More dns api support
- Adds Docker multi-arch build support
Also remove incorrect (unnecessary) dependency on mozilla-rootcerts.
OK by ryoon@
1.5.0
* Added support for Python 3.9.
* Dropped support for Python 3.5.
* Stopped supporting running tests with ``python setup.py test`` which is
deprecated in favor of ``python -m pytest``.
1.23.0:
Features
Add custom scopes for access tokens from the metadata service
Bug Fixes
deps: Revert "fix: pin 'aoihttp < 3.7.0dev'
pin 'aoihttp < 3.7.0dev'
remove checks for ancient versions of Cryptography
(pkgsrc changes)
- Add ./autogen.sh for pre-configure:
- Add following two lines to get the similar PLIST
CONFIGURE_ARGS+= --enable-gtk-doc
.include "../../textproc/gtk-doc/buildlink3.mk"
- Add following lines to avoid "msgfmt: unknown option -- desktop" (thanks joerg@)
.if ${OPSYS} == "NetBSD"
TOOLS_PLATFORM.msgfmt=
.endif
(upstream changes)
gcr 3.38.0:
- No changes from 3.37.91
gcr 3.37.91:
- meson: missing dependency on generated oids header [GNOME/gcr#48, GNOME/gcr!57]
- Correct display of key usage extensions [GNOME/gcr#47, GNOME/gcr!56]
- meson: Correctly set internal vapi dependencies [GNOME/gcr!55]
- Cleanup GType boilerplate [GNOME/gcr!53]
- gck: Fixed test failures [GNOME/gcr#42, GNOME/gcr!51, GNOME/gcr!52]
- Updated translations
gcr 3.36.0:
- gcr: Update gtk-doc get_der_data() vfunc [GNOME/gcr!48]
- Updated translations
gcr 3.35.91:
- Mark deprecated functions with G_DEPRECATED [GNOME/gcr#36, GNOME/gcr!47]
- egg-oid: Add comments for translators for new abbrevations [GNOME/gcr#40, GNOME/gcr!45]
- Updated translations
gcr 3.35.90:
- Add support for "NEW CERTIFICATE REQUEST" header [GNOME/gcr!44]
- Add support for GOST certificates [GNOME/gcr!43]
- Rework handling of ASN.1 standard types [GNOME/gcr!42]
- Fix a few regressions in the Meson build [GNOME/gcr!46, 7ba0e00d]
- Add support for g_autoptr [GNOME/gcr!36, GNOME/gcr#16]
- Fixed some compiler warnings [GNOME/gcr!38]
- Updated translations
gcr 3.35.1:
- gcr-certificate: Add (virtual) annotation [GNOME/gcr!35, GNOME/gcr#37]
- Always use G_PARAM_STATIC_STRINGS [GNOME/gcr!31]
- Support Meson build system [GNOME/gcr!11,32,33,34]
- Avoid potential 64-bit pointer aliasing alignment issues [GNOME/gcr!27, GNOME/gcr#34]
- Update README to mention correct environment variables [GNOME/gcr!25]
- build: Use sed for .desktop variables substitution [GNOME/gcr!24]
- Updated translations
gcr 3.34.0:
- gcr-prompt-dialog: Allow the use of mnemonics in the choice label [GNOME/gcr!22]
- Use python3 shebang in ui/icons/render-icons.py [GNOME/gcr!21]
- configure: Use PKG_PROG_PKG_CONFIG instead of reinventing it [GNOME/gcr!20]
- Replace tap-gtester with one that relies on GLib 2.38+ TAP output [GNOME/gcr!19]
- Remove SKS network from keyserver defaults [GNOME/gcr!18]
- Updated translations
gcr 3.33.4:
- Move from intltool to gettext [GNOME/gcr#18]
- Fix parameter type for signal handler causing stack smashing on ppc64le [GNOME/gcr!16]
- cleanup: Don't use deprecated g_type_class_add_private() anymore [GNOME/gcr!12]
- Fix GIR annotations [GNOME/gcr!10]
- Fix hashtable ordering assumptions [GNOME/gcr!9]
- build: Fix gcr-trust symbols not appearing in GIR, and hence also VAPI [GNOME/gcr!7]
- Update gcr_pkcs11_get_trust_{store|lookup}_slot URI checks [GNOME/gcr!5]
- build: Update tap scripts for Python 3 compat [GNOME/gcr!2]
- Updated translations
Authelia is an open-source authentication and authorization server providing
2-factor authentication and single sign-on (SSO) for your applications via a web
portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy
to let them know whether queries should pass through. Unauthenticated user are
redirected to Authelia Sign-in portal instead.
