PortableSigner is a signing (with X.509 certificates) program for
PDF files. It's platform independent and runs (tested) under
Windows (2000, XP, ...), Linux and Mac OS X.
It's possible to sign PDF documents digital with X.509 certificates.
This signed documents are read only. Therefore it's possible to
implement "electronic paper".
Digest::SHA3 is a complete implementation of the NIST SHA-3
cryptographic hash function, known originally as Keccak. It
gives Perl programmers a convenient way to calculate SHA3-224,
SHA3-256, SHA3-384, and SHA3-512 message digests, as well as
variable-length hashes using the SHA3-0 variant. The module
can handle all types of input, including partial-byte data.
Upstream changes:
5.89 Sat Apr 19 05:14:48 MST 2014
- added universal newlines mode ("U") to addfile and shasum
-- based on Python Universal Newlines concept
-- newlines identical across MacOS, DOS, and UNIX
-- will deprecate portable mode ("p") in future
-- "U" mode is cleaner and more efficient
- enhanced performance
-- reduced number of dynamic memory allocations
-- sped up addfile method with use of C code
-- ref. SHA.xs (_addfilebin and _addfileuniv)
- eliminated experimental -M option in favor of new -R option
-- reverses order of digest module preference
-- undocumented: for test and development use only
- sealed memory leak in SHA.xs
-- arose only with SvPVbyte exceptions during eval
- patched inheritence bug (ref: rt.cpan.org #94830)
-- use sv_isobject/sv_derived_from instead of sv_isa
- added 'allocated' flag to SHA structure (ref. src/sha.h)
-- to guard against Perl double frees
spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically
encrypted and authenticated pipes between socket addresses, so that one may
connect to one address (e.g., a UNIX socket on localhost) and transparently
have a connection established to another address (e.g., a UNIX socket on a
different system). This is similar to 'ssh -L' functionality, but does not
use SSH and requires a pre-shared symmetric key.
Note that spiped:
1. Requires a strong key file: The file specified via the -k option should
have at least 256 bits of entropy. ('dd if=/dev/urandom bs=32 count=1' is
your friend.)
2. Does not provide any protection against information leakage via packet
timing: Running telnet over spiped will protect a password from being directly
read from the network, but will not obscure the typing rhythm.
3. Can significantly increase bandwidth usage for interactive sessions: It
sends data in packets of 1024 bytes, and pads smaller messages up to this
length, so a 1 byte write could be expanded to 1024 bytes if it cannot be
coalesced with adjacent bytes.
4. Uses a symmetric key -- so anyone who can connect to an spiped "server" is
also able to impersonate it.
Add LICENSE
Upstream changes:
0.05 2014-02-03
- Replaced old testsuite (test.pl) with tests in t/
- Added "use warnings"
- Specified min version of perl 5.6.0
- Fixed pod errors
- Changed doc for internal funcs from pod to comments
0.04 2013-10-28
- github repo and license type (perl) now specified in Makefile.PL
so it will appear in the dist's metadata.
0.03 2013-04-10
- Fixed bug where word() would sometimes go into an infinite loop
- Reformatted according to CPAN::Changes::Spec
Add LICENSE
Upstream changes:
1.40 2013-09-30 15:32:00
- No code changes.
- Maintenance by Ron Savage <rsavage@cpan.org>.
- Fabricate some version #s for this file.
- Made Passwd.pm utf-8 so we can use Luis' proper name.
- Clean up code formatting.
- Clean up Makefile.PL.
- Use fake (ASCII) 帽 in Makefile.PL to keep Solaris happy. See RT#68478.
- Clean up README.
- Add Build.PL.
- Add Changes and Changelog.ini.
- Add META.*.
- Adopt Test::More in t/basic.t.
- Adopt 'use strict' and 'use warnings' to PasswdMD5.pm and t/basic.t.
- Accept patch for new function random_md5_salt(), and tests, from kbrint@rufus.net.
With thanx. See RT#37036.
- Add xt/author/pod.t.
Upstream changes:
5.88 Mon Mar 17 08:46:10 MST 2014
- added OUTPUT clause in SHA.xs to silence compiler warning
-- ref. shaclose()
- changed text file test (-T) to act on filehandles
-- ref. addfile portable mode
-- improves consistency when reading from STDIN
-- still acts on filenames for early Perls (< 5.6)
- added -M and -V options to shasum
-- undocumented: for development and testing use only
5.87 Mon Feb 17 16:42:02 MST 2014
- simplified capture of intermediate SHA states
-- can now be done via strings (ref. getstate/putstate)
-- substantially reduces size of src/sha.c
- tightened code in SHA.xs
-- added sv_isa checks when invoking methods
5.86 Thu Jan 30 08:24:28 MST 2014
- improved the performance of hexadecimal output functions
-- ref. 'shahex' in src/sha.c
-- thanks to Thomas Drugeon for ideas and test script
(CVE-2014-0076 is already fixed in pkgsrc).
OpenSSL CHANGES
_______________
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]
* A new certificate (X509) API, which supports:
- Reading the subject (identity) and issuer of the certificate.
- Reading various X509 extensions, including email and dnsName.
- Converting certificates to and from the standard ASCII PEM
format.
- Generating the fingerprint/digest of a certificate (using SHA1,
SHA256 or SHA512).
- Reading the certificate's expiration, serial number, and other
info.
* The ability to get more detailed information from OpenSSL about
why a certificate failed verification, for each certificate in the
chain.
* Flags to force acceptance of invalid certificates, e.g. to allow
the use of self-signed certificates in a Trust On First Use model.
* Flags to control checking CRLs for certificate revocation status.
* Support for ECDH cipher suites.
* An API to get the TLS 'finished' messages used for SASL channel
binding (e.g. the SCRAM PLUS mechanisms).
from pkgsrc-wip, packaged by Kamel Derouiche (required for PR pkg/42561).
ezPyCrypto is the culmination of my search for an approachable yet powerful
crypto library for Python.
changes:
-adds support for DSA-SHA256, ECDSA-SHA1, ECDSA-SHA224,
ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512
-fixes a number of miscellaneous bugs
add "test" target
Version 0.24
~~~~~~~~~~~~
- Added a `BadHeader` exception that is used for bad headers
that replaces the old `BadPayload` exception that was reused
in those cases.
Packaging changes:
- adapt to non-standardly-named github WRKSRC
- bootstrap automake (this is a git snapshot, not "make distribution"
output)
Upstream changes:
New in 0.2.8; 2011-04-15; Martin Paljak
* Bumped soname for PKCS11_token struct size changes (Martin Paljak).
* Display the number of available slots (Ludovic Rousseau).
* Add openssl libcrypto to pkg-config private libs list (Kalev Lember).
* Fix building examples with --no-add-needed which is the default in Fedora
(Kalev Lember).
* Expose more token flags in PKCS11_token structure (Kalev Lember).
* Check that private data is not NULL in pkcs11_release_slot (Robin Bryce,
ticket #137).
New in 0.2.7; 2009-10-20; Andreas Jellinghaus
* If CKR_CRYPTOKI_ALREADY_INITIALIZED is returned from C_Initialize(): ignore.
(Needed for unloaded/reloaded engines e.g. in wpa_supplicant.) By David Smith.
1.4.16 - 23 March 2014, Ludovic Rousseau
- Add support of
. Crypto Stick Crypto Stick v1.4
. Hewlett Packard USB Smartcard CCID Keyboard
. IID AT90S064 CCID READER
. INSIDE Secure VaultIC 405 Smart Object
. INSIDE Secure VaultIC 441 Smart Object
. Microchip SEC1110
. Microchip SEC1210
. Watchdata W5181
- Add support of DRIVER_OPTION_DISABLE_PIN_RETRIES
The Gemalto pinpad reader sends a VERIFY command with no PIN value
in order to retreive the remaining retries from the card. Some
cards (like the OpenPGP card) do not support this.
It is now possible to disable this behavior from the Gemalto
Pinpad and Covadis Véga Alpha.
- Add support of WTX received before SW during Secure Pin Entry Verify
The Swiss health care card sends a WTX request before returning
the SW code. If the reader is in TPDU and the card is in T=1 the
driver must manage the request itself.
The Digest::JHash module allows you to use the fast JHash hashing
algorithm developed by Bob Jenkins from within Perl programs. The
algorithm takes as input a message of arbitrary length and produces
as output a 32-bit "message digest" of the input in the form of an
unsigned long integer.
Call it a low calorie version of MD5 if you like.
Packaging changes:
- adapt to non-standardly-named github WRKSRC
- bootstrap automake (this is a git snapshot, not "make distribution"
output)
Upstream changes:
New in 0.1.8; 2010-01-07; Andreas Jellinghaus
* Fix problem causing slot_n parsing returning not certs or keys
by Camille Moncelier
* Fix missing declaration of set_init_args symbol
by Arfrever Frehtes Taifersar Arahesis
New in 0.1.7; 2009-10-20; Andreas Jellinghaus
* Buffer overrun fixed by David Smith
New in 0.1.6; 2009-06-15; Andreas Jellinghaus
* Fixed set_pin (strdup causes segfault in OPENSSL_CLEANSE later)
* Require new libp11 0.2.5 with new function to get the slot id.
* Revert changes to slot parsing code - seems partial bogus and
orginal author doesn't respond to questions.
* print slot id in verbose mode (Douglas E. Engert).
2014-03-04 release (0.3.13)
* Mostly added convenience functions for wrapper APIs:
- functions to manage the list of CA roots from client code;
- functions to convert hash values to and from imprints;
- a function to extract the data hash from a timestamp.
2014-01-20 release (0.3.12)
* Publications file verification switched away from hardcoded CA root
certificate:
- on most platforms OpenSSL trust store is used;
- on Windows Crypto API and its trust store are used by default,
with option to switch to OpenSSL and its trust store.
* Now builds with both OpenSSL 0.9.8 and OpenSSL 1.0.
* Lifted a restriction of the underlying WinINet library that limited
the number of simultaneous HTTP requests to 2 on Windows.
* Various other improvements to the build scripts.
* Replaced test timestamps with more recent ones.
---
3.7
---
* Gnome keyring no longer relies on the GNOME_KEYRING_CONTROL environment
variable.
* Issue #140: Restore compatibility for older versions of PyWin32.
---
3.6
---
* `Pull Request #1 (github) <https://github.com/jaraco/keyring/pull/1>`_:
Add support for packages that wish to bundle keyring by using relative
imports throughout.
---
3.5
---
* Issue #49: Give the backend priorities a 1.5 multiplier bump when an
XDG_CURRENT_DESKTOP environment variable matches the keyring's target
environment.
* Issue #99: Clarified documentation on location of config and data files.
Prepared the code base to treat the two differently on Unix-based systems.
For now, the behavior is unchanged.
---
3.4
---
* Extracted FileBacked and Encrypted base classes.
* Add a pyinstaller hook to expose backend modules. Ref #124
* Pull request #41: Use errno module instead of hardcoding error codes.
* SecretService backend: correctly handle cases when user dismissed
the collection creation or unlock prompt.
---
3.3
---
* Pull request #40: KWallet backend will now honor the ``KDE_FULL_SESSION``
environment variable as found on openSUSE.
-----
3.2.1
-----
* SecretService backend: use a different function to check that the
backend is functional. The default collection may not exist, but
the collection will remain usable in that case.
Also, make the error message more verbose.
Resolves https://bugs.launchpad.net/bugs/1242412.
---
3.2
---
* Issue #120: Invoke KeyringBackend.priority during load_keyring to ensure
that any keyring loaded is actually viable (or raises an informative
exception).
* File keyring:
- Issue #123: fix removing items.
- Correctly escape item name when removing.
- Use with statement when working with files.
* Add a test for removing one item in group.
* Issue #81: Added experimental support for third-party backends. See
`keyring.core._load_library_extensions` for information on supplying
a third-party backend.
---
3.1
---
* All code now runs natively on both Python 2 and Python 3, no 2to3 conversion
is required.
* Testsuite: clean up, and make more use of unittest2 methods.
-----
3.0.5
-----
* Issue #114: Fix logic in pyfs detection.
-----
3.0.4
-----
* Issue #114: Fix detection of pyfs under Mercurial Demand Import.
-----
3.0.3
-----
* Simplified the implementation of ``keyring.core.load_keyring``. It now uses
``__import__`` instead of loading modules explicitly. The ``keyring_path``
parameter to ``load_keyring`` is now deprecated. Callers should instead
ensure their module is available on ``sys.path`` before calling
``load_keyring``. Keyring still honors ``keyring-path``. This change fixes
Issue #113 in which the explicit module loading of keyring modules was
breaking package-relative imports.
-----
3.0.2
-----
* Renamed ``keyring.util.platform`` to ``keyring.util.platform_``. As reported
in Issue #112 and `mercurial_keyring #31
<https://bitbucket.org/Mekk/mercurial_keyring/issue/31>`_ and in `Mercurial
itself <http://bz.selenic.com/show_bug.cgi?id=4029>`_, Mercurial's Demand
Import does not honor ``absolute_import`` directives, so it's not possible
to have a module with the same name as another top-level module. A patch is
in place to fix this issue upstream, but to support older Mercurial
versions, this patch will remain for some time.
-----
3.0.1
-----
* Ensure that modules are actually imported even in Mercurial's Demand Import
environment.
---
3.0
---
* Removed support for Python 2.5.
* Removed names in ``keyring.backend`` moved in 1.1 and previously retained
for compatibilty.
-----
2.1.1
-----
* Restored Python 2.5 compatibility (lost in 2.0).
---
2.1
---
* Issue #10: Added a 'store' attribute to the OS X Keyring, enabling custom
instances of the KeyringBackend to use another store, such as the
'internet' store. For example::
keys = keyring.backends.OS_X.Keyring()
keys.store = 'internet'
keys.set_password(system, user, password)
keys.get_password(system, user)
The default for all instances can be set in the class::
keyring.backends.OS_X.Keyring.store = 'internet'
* GnomeKeyring: fix availability checks, and make sure the warning
message from pygobject is not printed.
* Fixes to GnomeKeyring and SecretService tests.
-----
2.0.3
-----
* Issue #112: Backend viability/priority checks now are more aggressive about
module presence checking, requesting ``__name__`` from imported modules to
force the demand importer to actually attempt the import.
-----
2.0.2
-----
* Issue #111: Windows backend isn't viable on non-Windows platforms.
-----
2.0.1
-----
* Issue #110: Fix issues with ``Windows.RegistryKeyring``.
---
2.0
---
* Issue #80: Prioritized backend support. The primary interface for Keyring
backend classes has been refactored to now emit a 'priority' based on the
current environment (operating system, libraries available, etc). These
priorities provide an indication of the applicability of that backend for
the current environment. Users are still welcome to specify a particular
backend in configuration, but the default behavior should now be to select
the most appropriate backend by default.
-----
1.6.1
-----
* Only include pytest-runner in 'setup requirements' when ptr invocation is
indicated in the command-line (Issue #105).
---
1.6
---
* GNOME Keyring backend:
- Use the same attributes (``username`` / ``service``) as the SecretService
backend uses, allow searching for old ones for compatibility.
- Also set ``application`` attribute.
- Correctly handle all types of errors, not only ``CANCELLED`` and ``NO_MATCH``.
- Avoid printing warnings to stderr when GnomeKeyring is not available.
* Secret Service backend:
- Use a better label for passwords, the same as GNOME Keyring backend uses.
---
1.5
---
* SecretService: allow deleting items created using previous python-keyring
versions.
Before the switch to secretstorage, python-keyring didn't set "application"
attribute. Now in addition to supporting searching for items without that
attribute, python-keyring also supports deleting them.
* Use ``secretstorage.get_default_collection`` if it's available.
On secretstorage 1.0 or later, python-keyring now tries to create the
default collection if it doesn't exist, instead of just raising the error.
* Improvements for tests, including fix for Issue #102.
---
1.4
---
* Switch GnomeKeyring backend to use native libgnome-keyring via
GObject Introspection, not the obsolete python-gnomekeyring module.
---
1.3
---
* Use the `SecretStorage library <https://pypi.python.org/pypi/SecretStorage>`_
to implement the Secret Service backend (instead of using dbus directly).
Now the keyring supports prompting for and deleting passwords. Fixes#69,
#77, and #93.
* Catch `gnomekeyring.IOError` per the issue `reported in Nova client
<https://bugs.launchpad.net/python-novaclient/+bug/1116302>`_.
* Issue #92 Added support for delete_password on Mac OS X Keychain.
-----
1.2.3
-----
* Fix for Encrypted File backend on Python 3.
* Issue #97 Improved support for PyPy.
-----
1.2.2
-----
* Fixed handling situations when user cancels kwallet dialog or denies access
for the app.
-----
1.2.1
-----
* Fix for kwallet delete.
* Fix for OS X backend on Python 3.
* Issue #84: Fix for Google backend on Python 3 (use of raw_input not caught
by 2to3).
---
1.2
---
* Implemented delete_password on most keyrings. Keyring 2.0 will require
delete_password to implement a Keyring. Fixes#79.
-----
1.1.2
-----
* Issue #78: pyfilesystem backend now works on Windows.
-----
1.1.1
-----
* Fixed MANIFEST.in so .rst files are included.
---
1.1
---
This is the last build that will support installation in a pure-distutils
mode. Subsequent releases will require setuptools/distribute to install.
Python 3 installs have always had this requirement (for 2to3 install support),
but starting with the next minor release (1.2+), setuptools will be required.
Additionally, this release has made some substantial refactoring in an
attempt to modularize the backends. An attempt has been made to maintain 100%
backward-compatibility, although if your library does anything fancy with
module structure or clasess, some tweaking may be necessary. The
backward-compatible references will be removed in 2.0, so the 1.1+ releases
represent a transitional implementation which should work with both legacy
and updated module structure.
* Added a console-script 'keyring' invoking the command-line interface.
* Deprecated _ExtensionKeyring.
* Moved PasswordSetError and InitError to an `errors` module (references kept
for backward-compatibility).
* Moved concrete backend implementations into their own modules (references
kept for backward compatibility):
- OSXKeychain -> backends.OS_X.Keyring
- GnomeKeyring -> backends.Gnome.Keyring
- SecretServiceKeyring -> backends.SecretService.Keyring
- KDEKWallet -> backends.kwallet.Keyring
- BasicFileKeyring -> backends.file.BaseKeyring
- CryptedFileKeyring -> backends.file.EncryptedKeyring
- UncryptedFileKeyring -> backends.file.PlaintextKeyring
- Win32CryptoKeyring -> backends.Windows.EncryptedKeyring
- WinVaultKeyring -> backends.Windows.WinVaultKeyring
- Win32CryptoRegistry -> backends.Windows.RegistryKeyring
- select_windows_backend -> backends.Windows.select_windows_backend
- GoogleDocsKeyring -> backends.Google.DocsKeyring
- Credential -> keyring.credentials.Credential
- BaseCredential -> keyring.credentials.SimpleCredential
- EnvironCredential -> keyring.credentials.EnvironCredential
- GoogleEnvironCredential -> backends.Google.EnvironCredential
- BaseKeyczarCrypter -> backends.keyczar.BaseCrypter
- KeyczarCrypter -> backends.keyczar.Crypter
- EnvironKeyczarCrypter -> backends.keyczar.EnvironCrypter
- EnvironGoogleDocsKeyring -> backends.Google.KeyczarDocsKeyring
- BasicPyfilesystemKeyring -> backends.pyfs.BasicKeyring
- UnencryptedPyfilesystemKeyring -> backends.pyfs.PlaintextKeyring
- EncryptedPyfilesystemKeyring -> backends.pyfs.EncryptedKeyring
- EnvironEncryptedPyfilesystemKeyring -> backends.pyfs.KeyczarKeyring
- MultipartKeyringWrapper -> backends.multi.MultipartKeyringWrapper
* Officially require Python 2.5 or greater (although unofficially, this
requirement has been in place since 0.10).
---
1.0
---
This backward-incompatible release attempts to remove some cruft from the
codebase that's accumulated over the versions.
* Removed legacy file relocation support. `keyring` no longer supports loading
configuration or file-based backends from ~. If upgrading from 0.8 or later,
the files should already have been migrated to their new proper locations.
If upgrading from 0.7.x or earlier, the files will have to be migrated
manually.
* Removed CryptedFileKeyring migration support. To maintain an existing
CryptedFileKeyring, one must first upgrade to 0.9.2 or later and access the
keyring before upgrading to 1.0 to retain the existing keyring.
* File System backends now create files without group and world permissions.
Fixes#67.
------
0.10.1
------
* Merged 0.9.3 to include fix for #75.
----
0.10
----
* Add support for using `Keyczar <http://www.keyczar.org/>`_ to encrypt
keyrings. Keyczar is "an open source cryptographic toolkit designed to make
it easier and safer for developers to use cryptography in their
applications."
* Added support for storing keyrings on Google Docs or any other filesystem
supported by pyfilesystem.
* Fixed issue in Gnome Keyring when unicode is passed as the service name,
username, or password.
* Tweaked SecretService code to pass unicode to DBus, as unicode is the
preferred format.
* Issue #71 - Fixed logic in CryptedFileKeyring.
* Unencrypted keyring file will be saved with user read/write (and not group
or world read/write).
-----
0.9.3
-----
* Ensure migration is run when get_password is called. Fixes#75. Thanks to
Marc Deslauriers for reporting the bug and supplying the patch.
-----
0.9.2
-----
* Keyring 0.9.1 introduced a whole different storage format for the
CryptedFileKeyring, but this introduced some potential compatibility issues.
This release incorporates the security updates but reverts to the INI file
format for storage, only encrypting the passwords and leaving the service
and usernames in plaintext. Subsequent releases may incorporate a new
keyring to implement a whole-file encrypted version. Fixes#64.
* The CryptedFileKeyring now requires simplejson for Python 2.5 clients.
-----
0.9.1
-----
* Fix for issue where SecretServiceBackend.set_password would raise a
UnicodeError on Python 3 or when a unicode password was provided on Python
2.
* CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
password and a random hash. The IV is chosen randomly as well. All the
stored passwords are encrypted at once. Any keyrings using the old format
will be automatically converted to the new format (but will no longer be
compatible with 0.9 and earlier). The user's password is no longer limited
to 32 characters. PyCrypto 2.5 or greater is now required for this keyring.
---
0.9
---
* Add support for GTK 3 and secret service D-Bus. Fixes#52.
* Issue #60 - Use correct method for decoding.
-----
0.8.1
-----
* Fix regression in keyring lib on Windows XP where the LOCALAPPDATA
environment variable is not present.
---
0.8
---
* Mac OS X keyring backend now uses subprocess calls to the `security`
command instead of calling the API, which with the latest updates, no
longer allows Python to invoke from a virtualenv. Fixes issue #13.
* When using file-based storage, the keyring files are no longer stored
in the user's home directory, but are instead stored in platform-friendly
locations (`%localappdata%\Python Keyring` on Windows and according to
the freedesktop.org Base Dir Specification
(`$XDG_DATA_HOME/python_keyring` or `$HOME/.local/share/python_keyring`)
on other operating systems). This fixes#21.
*Backward Compatibility Notice*
Due to the new storage location for file-based keyrings, keyring 0.8
supports backward compatibility by automatically moving the password
files to the updated location. In general, users can upgrade to 0.8 and
continue to operate normally. Any applications that customize the storage
location or make assumptions about the storage location will need to take
this change into consideration. Additionally, after upgrading to 0.8,
it is not possible to downgrade to 0.7 without manually moving
configuration files. In 1.0, the backward compatibilty
will be removed.
-----
0.7.1
-----
* Removed non-ASCII characters from README and CHANGES docs (required by
distutils if we're to include them in the long_description). Fixes#55.
---
0.7
---
* Python 3 is now supported. All tests now pass under Python 3.2 on
Windows and Linux (although Linux backend support is limited). Fixes#28.
* Extension modules on Mac and Windows replaced by pure-Python ctypes
implementations. Thanks to Jerome Laheurte.
* WinVaultKeyring now supports multiple passwords for the same service. Fixes
#47.
* Most of the tests don't require user interaction anymore.
* Entries stored in Gnome Keyring appears now with a meaningful name if you try
to browser your keyring (for ex. with Seahorse)
* Tests from Gnome Keyring no longer pollute the user own keyring.
* `keyring.util.escape` now accepts only unicode strings. Don't try to encode
strings passed to it.
-----
0.6.2
-----
* fix compiling on OSX with XCode 4.0
-----
0.6.1
-----
* Gnome keyring should not be used if there is no DISPLAY or if the dbus is
not around (https://bugs.launchpad.net/launchpadlib/+bug/752282).
---
0.6
---
* Added `keyring.http` for facilitating HTTP Auth using keyring.
* Add a utility to access the keyring from the command line.
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public
key directly if SkipPublicKey is used [OPENDNSSEC-574].
* OPENDNSSEC-358: ods-ksmutil:Extend 'key list' command with options to filter
on key type and state. This allows keys in the GENERATE and DEAD state to be
output.
* OPENDNSSEC-457: ods-ksmutil: Add a check on the 'zone add' input/output
type parameter to allow only File or DNS.
* OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals
derived from unsigned delegations (be compatible with servers that are
incompatible with RFC 5155 errata 3441).
* Make/build: Include README.md in dist tar-ball.
Bugfixes:
* SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512].
* SUPPORT-97: Signer Engine: Fix after restart signer thinks zone has expired
[OPENDNSSEC-526].
* SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug
[OPENDNSSEC-529].
* SUPPORT-102: Signer Engine: Fix statistics (count can be negative)/
* SUPPORT-108: Signer Engine: Don't replace tabs in RRs with whitespace
[OPENDNSSEC-520].
* SUPPORT-116: ods-ksmutil: 'key import' date validation fails on certain
dates [OPENDNSSEC-553].
* SUPPORT-128: ods-ksmutil. Man page had incorrect formatting [OPENDNSSEC-576].
* SUPPORT-127: ods-signer: Fix manpage sections.
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
* OPENDNSSEC-531: ods-ksmutil: Exported value of <Parent><SOA><TTL> in
'policy export' output could be wrong on MySQL.
* OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
* OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR
request with EDNS.
* OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation
and alloctaion.
* OPENDNSSEC-560: Signer Engine: Don't crash when unsigned zone has no SOA.
* Signer Engine: Fix a race condition when stopping daemon.
cryptography is a package designed to expose cryptographic recipes
and primitives to Python developers. Our goal is for it to be your
"cryptographic standard library".
cryptography includes both high level recipes, and low level
interfaces to common cryptographic algorithms such as symmetric
ciphers, message digests and key derivation functions.
Comitted during the freeze since py-OpenSSL needs it.
py-OpenSSL 0.14 started depending on six, but this package didn't, so
"import OpenSSL" failed. Confusingly, this led to build failures in
tahoe-lafs because somehow setuptools determined six was needed and
tried to download it.
After this commit, "make test" in py-OpenSSL still fails; it tries to download
"cryptography" and "cffi".
opensc upstream has removed the use of ltdl. Thus, it is not longer
reasonable to expect it to be able to dlopen a .la file. So pass the
.so, not the .la, to configure, when using the pcsc-lite (default)
option. Resolves a failure of pkcs15-init to load modules.
sbin/pcscd is linked with libusb1, but the installed libraries and
headers do not reference libusb at all. Not including libusb1 avoids
having pcsc-lite's bl3 pull in pthreads to depending packages.
snapshot) by Richard Hansen of BBN.
Mostly the update is straightforward, with a bit more effort to avoid
pthreads. (Threads are not ok because pam modules dlopen opensc, and
pam modules are used from nonthreaded programs.)
New in 0.13.0; 2012-12-04
* New card driver ePass2003.
* OpenPGP card:
greatly improved card driver and PKCS#15 emulation;
implemented write (pkcs15init) mode;
greatly enhanced documentation and tools.
* ECDSA keys supported in 'read' and 'write' modes by
internal PKCS#15 library, PKCS#11 and tools.
* Minidriver in 'write' mode.
* SM: secure messaging in GlobalPlatform-SP01 and CW14890 specifications;
supported by ePass2003, IAS/ECC and AuthentIC cards;
"ACL" and "APDU" modes to trigger secure messaging session;
'local' version of the external secure messaging module.
* PKCS#15: support of 'secret-key' PKCS#15 objects
support of 'authentication-object' PKCS#15 objects
support of 'algReference' common key PKCS#15 attribute
support of 'algReference' common key PKCS#15 attribute
support of 'subjectName' common public key PKCS#15 attribute
* PKCS#11: removed 'onepin' version of pkcs#11 module
configuration options to expose slots for PINs and present on-card applications.
support GOSTR3410 generate key mechanism
* Support of PACE reader.
* Remove libltdl reference.
* ECDSA supported by MyEID card
* New card driver for the SmartCard-HSM, a light-weight hardware security module
* New useful commands in 'opensc-explorer' tool: 'find', 'put-data', ...
* fixed SIGV issue due to the unsupported public key format
* fixes for the number of documentation issues
[2013/12/18]
* Version 2.3.2
Fix up compilation issues causing problems with a non-GNU make.
[2013/11/13]
* Version 2.3.1
- Caleb Land<caleb.land@gmail.com>
Remove sgetspent on implementations using pwd.h
[2013/11/13]
* Version 2.3.0
- Caleb Land<caleb.land@gmail.com>
Merge OS X work into main gem. Fix bugs with OS X implementation and tweak support for FreeBSD.
See 20d98b7d9e
- Add license file to Manifest.
=== 2.8.0 / 01 Feb 2014
* Handle ssh-rsa and ssh-dss certificate files [bobveznat]
* Correctly interpret /etc/ssh_config Authentication settings based on openssh /etc/ssh_config system defaults [therealjessesanford, liggitt]
* Fixed pageant support for Windows [jarredholman]
* Support %r in ProxyCommand configuration in ssh_config files as defined in OpenSSH [yugui]
* Don't use ssh-agent if :keys_only is true [SFEley]
* Fix the bug in keys with comments [bobtfish]
* Add a failing tests for options in pub keys [bobtfish]
* Assert that the return value from ssh block is returned [carlhoerberg]
* Don't close the connection it's already closed [carlhoerberg]
* Ensure the connection closes even on exception [carlhoerberg]
* Make the authentication error message more useful [deric]
* Fix "ConnectionError" typo in lib/net/ssh/proxy/socks5.rb [mirakui]
* Allow KeyManager to recover from incompatible agents [ecki, delano]
* Fix for "Authentication Method determination can pick up a class from the root namespace" [dave.sieh]
3.1.3 Feb 21 2014
- Add support for Ruby 2.1 in compiled Windows binaries
- Rename gem from "bcrypt-ruby" to just "bcrypt". [GH #86 by @sferik]
3.1.6 Feb 21 2014
- Dummy version of "bcrypt-ruby" needed a couple version bumps to fix some
bugs. It felt wrong to have that at a higher version than the real gem, so
the real gem is getting bumped to 3.1.6.
3.1.7 Feb 24 2014
- Rebuild corrupt Java binary version of gem [GH #90]
- The 2.1 support for Windows binaries alleged in 3.1.3 was a lie -- documentation removed
libgcrypt installs a library and 3 binaries, none of which are linked
against pthreads (on NetBSD 6). It installs one .h, which also does
not reference pthreads. However, it contains a comment that thread
callbacks were removed from libgcrypt as of 1.6. I rebuilt dirmngr,
glib-networking, gnupg2, libgnome-keyring, libksba, libotr, libxslt,
and pidgin-otr with the new version with no issues.
Note that I am not removing mk/pthread.buildlink3.mk from Makefile,
because it builds t-lock (used in make test but not installed) with
threads.
to cover all releases in this update...)
---------------- VERSION 4.1.3 --------------
- fixed bug that could crash UFS/ExtX in inode_lookup.
- More bounds checking in ISO9660 code
- Image layer bounds checking
- Update version of SQLITE-JDBC
- Config file for YAFFS2 spare area
- New method in image layer to return names
- Yaffs2 cleanup.
- Escape all strings in SQLite database
- SQlite code uses NTTFS sequence number to match parent IDs
---------------- VERSION 4.1.2 --------------
Core:
- TskAutoDB considers not finding a VS/FS a critical error.
---------------- VERSION 4.1.1 --------------
Core:
- Added FILE_SHARE_WRITE to all windows open calls.
- removed unused methods in CRC code that caused compile errors.
- Added NTFS FNAME times to time2 struct in TSK_FS_META to make them
easier to access -- should have done this a long time ago!
- fls -m and tsk_gettimes output NTFS FNAME times to output for timelines.
- hfind with EnCase hashsets works when DB is specified (and not only index)
- TskAuto now goes into UNALLOC partitions by default too.
- Added support to automatically find all Cellebrite raw dump files given
the name of the first image.
- Added NTFS sequence to parent address in directory and directory itself.
- Updated SQLite code to use sequence when finding parent object ID.
---------------- VERSION 4.1.0 --------------
Core:
- Added YAFFS2 support (patch from viaForensics).
- Added Ext4 support (patch from kfairbanks)
- changed all include paths to be 'tsk' instead of 'tsk3'
-- IMPORTANT FOR ALL DEVELOPERS!
---------------- VERSION 4.0.2 --------------
New Features:
- Added fiwalk tool from Simson. Not supported in Visual Studio yet.
---------------- VERSION 4.0.1 --------------
New Features:
- Can open raw Windows devices with write mode sharing.
- More DOS partition types are displayed.
- Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
- Added new API to TskImgDB that returns hash value associated with carved files.
- performance improvements with FAT code (maps and dir_add)
- performance improvements with NTFS code (maps)
- added AONLY flag to block_walk
- Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
---------------- VERSION 4.0.0 --------------
New Features:
- Added multithreaded support
- Added C++ wrapper classes
- Added JNI bindings / Java data model classes
- 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
- 3184429: More consistent printing of unset times (all zerso instead of 1970)
- New database design that allows for multiple images in the same database
- GPT volume system tries other sector sizes if first attempt fails.
- Added hash calculation and lookup to AutoDB and JNI.
- Upgraded SQLite to 3.7.9.
- EnCase hash support
- Libewf v2 support (it is now non-beta)
- First file in a raw split or E01 can be specified and the rest of the files
are found.
- mactime displays times as 0 if the time is not set (isntead of 1970)
- Changed behavior of 'mactime -y' to use ISO8601 format.
- Updated HFS+ code from ATC-NY.
- FAT orphan file improvements to reduce false positives.
- TskAuto better reports errors.
* Don't install internal header files.
* Don't print debug info when the "debug" parameter is not given.
* Use PBKDF2 to process expected reply for challenge-response mode.
* Fixup memory leaks and leaks of privilege.
* Let return values reflect whether the user wasn't found or other error.
* Add -6 and -8 flags to ykchalresp to output the response as a truncated
OATH code.
* Add -t to ykchalresp to use current time / 30 as challenge in TOTP
fashion.
* Fix for a crash in the libusb-0.1 backend.
Version 1.15.0 (released 2014-01-10)
* add new Neo version 3.2 as supported.
* let ykp_AES_key_from_password() return error if it can't get a random
salt.
* let -a without option mean ask for raw key on STDIN.
* let no -a given mean generate a random key
* add ykp_AES_key_from_raw() and ykp_HMAC_key_from_raw() that sets the
key from a byte array.
* remove -osalt= and possibility to generate key from password.
* add YK_ENODATA that's returned when no data is returned from
the device and no other underlying error is set.
Packaged in wip by Richard Hansen of BBN.
GPShell is a script interpreter which talks to a smart card which
complies to the GlobalPlatform Card Specification. It is written on
top of the GlobalPlatform Library. It uses the PC-SC Connection
Plugin for accessing smart cards. It can establish a secure channel
with a smart card, load, instantiate, delete and list applications on
supported smart cards. These applications are practically always
JavaCard applets.
0.18
* Mark most of unstable API as stable
* Bump Glib dependency (2.38+)
* Add secret_service_encode_dbus_secret() and decode functions
* Use TAP for testing, parallel tests, and non-recursive make
* Updated FSF's address
* Remove unstable vapi [#721429]
* Build fixes [#720087#720244#707452]
* Updated translations
Of utmost importance: it fixes CVE 2014-0016.
Thanks to jgw (Jeff W) _AT_ sdf.org for working on the same patch
independently.
In before the freeze! Changelog follows.
Security bugfixes
Added PRNG state update in fork threading (CVE-2014-0016).
New global configuration file defaults
Default "fips" option value is now "no", as FIPS mode is only helpful for compliance, and never for actual security.
Default "pid" is now "", i.e. not to create a pid file at startup.
New service-level configuration file defaults
Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites.
Default "libwrap" setting is now "no" to improve performance.
New features
OpenSSL DLLs updated to version 1.0.1f.
zlib DLL updated to version 1.2.8.
autoconf scripts upgraded to version 2.69.
TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
New service-level option "redirect" to redirect SSL client connections on authentication failures instead of rejecting them.
New global "engineDefault" configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
New service-level configuration file option "engineId" to select the engine by identifier, e.g. "engineId = capi".
New global configuration file option "log" to control whether to append (the default), or to overwrite log file while (re)opening.
Different taskbar icon colors to indicate the service state.
New global configuration file options "iconIdle", "iconActive", and "iconError" to select status icon on GUI taskbar.
Removed the limit of 63 stunnel.conf sections on Win32 platform.
Installation of a sample certificate was moved to a separate "cert" target in order to allow unattended (e.g. scripted) installations.
Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time.
Improved readability of error messages printed when stunnel refuses to start due to a critical error.
Bugfixes
LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
Corrected round-robin failover behavior under heavy load.
Numerous fixes in the engine support code.
On Win32 platform .rnd file moved from c:\ to the stunnel folder.
* liboath: Fix usersfile bug that caused it to update the wrong line.
When an usersfile contain multiple lines for the same user but with an
unparseable token type (e.g., HOTP vs TOTP), the code would update the
wrong line of the file. Since the then updated line could be a
commented out line, this can lead to the same OTP being accepted
multiple times which is a security vulnerability. CVE-2013-7322
CVs: ----------------------------------------------------------------------
http://www.sudo.ws/sudo/alerts/env_add.html
What's new in Sudo 1.7.10p8?
* Sudo's exit code now indicates a failure if the user does not
successfully authenticate.
* On HP-UX systems, sudo will now use the pstat() function to
determine the tty instead of ttyname().
* Fixed compilation when --without-iologdir configure option is
specified.
* On systems with BSD login classes, if the user specified a group
(not a user) to run the command as, it was possible to specify
a different login class even when the command was not run as the
super user.
* The closefrom() emulation on Mac OS X now uses /dev/fd if possible.
It also now sets the close on exec flag instead of actually
closing the descriptors to avoid a crash in libdispatch.
* The sudoers plugin will now ignore invalid domain names when
checking netgroup membership. Most Linux systems use the string
"(none)" for the NIS-style domain name instead of an empty string.
* Fixed the logic when checking environment variables on the
command line against the env_check and env_delete blacklists.
This is only a problem when env_reset is disabled in sudoers.
The libmerkletree library implements Merkle tree calculation, and also
includes some higher-level functions to verify a file against a
previously-generated Merkle tree.
A Merkle tree is a hash tree calculated across blocks in data. Any
block size can be specified in this implementation. A digest is
calculated across each block in the data, and then a digest is
calculated across blocks of the checksums, and this continues until
only one block of digest exists. The hierarchical nature of this
allows individual blocks of a file to be verified, even if other parts
of the file have been modified. A degenerate case, in which the data
is less than the blocksize, will mean that a single digest value for
the block is calculated. This will be the same as the digest
algorithm applied to the whole file.
The digest calculations themselves are done by the libmultigest(3)
library, and allow concatenation of multiple digests to produce a
single large digest value.
The merkletree(1) command performs Merkle tree calculation and
verification on the input data. This allows the establishment of the
block positions (i.e. relative neighbourhood) of any changed data.
libmultigest is a library interface to calculate multiple digests at
the same time, without having to re-scan data. This is to protect
against any single digest algorithm being found to have second
pre-images. Up to 32 digests can be specified on the command line.
The data being used as input to the digest can be modified by using a
regular expression-based substitution operation, so that any Version
Control System identifiers can be normalised before being digested.
If no substitution regular expression is provided, the input data will
be used as-is.
The list of digests provided is:
BLAKE2, CRC32C, MD5, RMD160, SHA1, SHA256, SHA512,
SHA3-224, SHA3-256, SHA3-384, SHA3-512, SIZE,
TIGER, TIGER2, WHIRLPOOL
The multigest utility calculates message digests of files or, if no
file is specified, standard input. The list of possible algorithms is
given in the libmultigest(3) manual page.
The multigest utility is a simple wrapper for the various
different algorithm implementations, , and was designed to be
scalable as new message digest algorithms are developed.
+ Check the correct field in the struct is not NULL in sig_verify_dsa()
+ Move to using our own byte-swapping routines - portability
+ Check for errors in bzlib
+ Bump version number to 20140304
** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.
** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.
** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.
** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.
** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.
** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.
** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.
** API and ABI modifications:
No changes since last version.
Changes between PBC version 0.5.14 and 0.5.13
* Eta pairing (type I), by Homer Hsing
Changes between PBC version 0.5.13 and 0.5.12
* Many thanks to Homer Hsing for volunteering to maintain this library.
* Flattened nested functions.
* Bugfix for test script.
Changes between PBC version 0.5.12 and 0.5.11
* Fixed a parsing bug reported by Michael Adjedj.
Changes between PBC version 0.5.11 and 0.5.10
* Support native win32 compilation via autotools. Thanks to Michael Rushanan.
Some changes from joerg, others from myself.
There were two patches to cast __FUNCTION__ to const char *; this is
apparently to work around a warning. gcc on NetBSD 6 and clang on osx
10.9 do not emit a warning with the unpatched code. Upstream doesn't
understand the patch, and I don't etiher. ok pettai@
Take maintainership.
Builds on NetBSD/i386 6-stable, not tested (but
MAINTAINER=pkgsrc-users, so presumbly that's ok).
pkgsrc notes: We used to patch -ldl from spy, but the patch didn't
apply and spy is no longer built. So I left a patch that adds a
comment to spy Makefile.in.
http://ludovicrousseau.blogspot.fr/2014/02/new-version-of-pcsc-lite-1811.html
No major changes except polkit support (pushed by RedHat).
Changes:
pcsc-lite-1.8.11: Ludovic Rousseau
14 February 2014
- Add polkit support. See doc/README.polkit
- /etc/reader.conf: CHANNELID and DEVICENAME are both optional but not
at the same time
- Some other minor improvements and bug corrections
1.8.10: minor bugfix
http://ludovicrousseau.blogspot.fr/2013/10/new-version-of-pcsc-lite-189.html
After a long (maybe too long) time I now publish a new version of pcsc-lite.
A lot a small bugs fixed.
Changes
pcsc-lite-1.8.9: Ludovic Rousseau
16 October 2013
- SCardEndTransaction(): Return an error if is called with no
corresponding SCardBeginTransaction()
- SCardGetAttrib(): Add support of SCARD_ATTR_DEVICE_SYSTEM_NAME
- SCardGetAttrib(): Fix bug in SCARD_ATTR_DEVICE_FRIENDLY_NAME
- SCardBeginTransaction() was not correctly releasing a mutex when the
hCard handle was invalidated
The problem was that SCardGetStatusChange() was blocked because
SCardBeginTransaction() had not released the context mutex.
- PCSC/reader.h: Use C99 flexible array member
The structures PIN_MODIFY_STRUCTURE and PIN_VERIFY_STRUCTURE now use a
C99 flexible array member when available for abData field.
uint8_t abData[];
- Add support of --reader-name-no-serial and --reader-name-no-interface
It is now possible to NOT add the USB serial number of the reader
using --reader-name-no-serial
It is now possible to NOT add the CCID interface name of the reader
using --reader-name-no-interface
- Add support of serialconfdir pkg-config variable
It is now possible to use pkg-config to get the directory used by
pcscd to fetch serial drivers configurations.
$ pkg-config libpcsclite --variable=serialconfdir
/etc/reader.conf.d
- pcsc-spy: Try to display the thread in the order they appear in the log
- pcsc-spy: Add SCARD_ATTR_DEVICE_SYSTEM_NAME
- Check the Info.plist file is (a minimum) correct
- Update PROTOCOL_VERSION_MINOR from 2 to 3
We broke the API between version 1.8.3 and 1.8.4 by changing the value
of MAX_READERNAME. This change should have been made before releasing
version 1.8.4 to make mix of versions clearly non working instead of
failing with strange errors.
- hotplug_libudev.c: Fix a memory leak in case of error
- Fix OpenBSD 5.2 compilation regarding dlopen
- correctly manage thread safe multi-slot readers
- Do not use pthread_atfork() any more (fix problem on FreeBSD)
- fix memory leaks.
This was not really a problem unless you embedd pcscd in another
process and do init/deinit pcscd without exiting the process (as maybe
used on Android or iOS).
- pcscd.8 manpage: add documentation for --max-thread,
--max-card-handle-per-thread, --max-card-handle-per-reader,
--force-reader-polling, --error, --critical and --color
- Some other minor improvements and bug corrections
(This update was not tested, but built fine.)
http://ludovicrousseau.blogspot.fr/2014/02/new-version-of-libccid-1415.html
1.4.15 - 14 February 2014, Ludovic Rousseau
- Add support of
. DUALi DRAGON NFC READER
. Feitian bR301
. Gemalto CR30 reader in serial communication
. Gemalto Ezio Shield Pro SC
. IIT E.Key Almaz-1C
- PIN_MODIFY_STRUCTURE & PIN_VERIFY_STRUCTURE: Fix calculation of
the command length after pcsc-lite 1.8.9 (October 2013) changed
the PCSC/reader.h header
- Add specific PIN min (0) & max (25) sizes for SmartTerminal
ST-2xxx
- Do not get the data rates if bNumDataRatesSupported = 0
- Support Gemalto features for pinpad readers MinimumPINSize,
MaximumPINSize and bEntryValidationCondition are fetched from the
reader firmware
- disable (broken) pinpad for Fujitsu SmartCase KB SCR eSIG
- examples/scardcontrol.c:
. Parse codes returned by a pinpad (as SW1/SW2)
Known codes for now are:
0x9000: Success
0x6400: Timeout
0x6401: Cancelled by user
0x6402: PIN mismatch
0x6403: Too short or too long PIN
. Retrieve min and max PIN sizes from the driver
. Retrieve bEntryValidationCondition from the driver
- be more strict for bInterfaceClass = 255 by also checking extra_length
- some minor bugs removed
http://ludovicrousseau.blogspot.fr/2013/11/new-version-of-libccid-1414.html
1.4.14 - 25 November 2013, Ludovic Rousseau
- Add support of
. Gemalto GemCore SIM Pro firmware 2.0 (using USB)
- report FEATURE_IFD_PIN_PROPERTIES only for pinpad readers
- Generalize the management of (old) readers with bDeviceClass = 0xFF
- some minor bugs removed
http://ludovicrousseau.blogspot.fr/2013/10/new-version-of-libccid-1413.html
1.4.13 - 9 October 2013, Ludovic Rousseau
- Add support of
. Access IS ePassport Reader
. Planeta RC700-NFC CCID
- Add support of Windows value for CM_IOCTL_GET_FEATURE_REQUEST
Windows uses 0x313520 for SCARD_CTL_CODE(3400) pcsc-lite uses
0x42000D48 for SCARD_CTL_CODE(3400)
RDP aplications (like rdesktop) will convert SCardControl()
commands from a Windows application (so using 0x313520) to
pcsc-lite.
- fix multi-slot support for card movement notification (introduced
in 1.4.12)
- Mac OS X: differentiate each libccid library by the dynamic linker
using --prefix=/fake/$BUNDLE_ID
- some minor bugs removed
2014-01-09 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL: Port to the cffi-based OpenSSL bindings provided by
<https://github.com/pyca/cryptography>
2013-10-06 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/context.c: Add support for negotiating TLS v1.1 or
v1.2.
2013-10-03 Christian Heimes <christian@python.org>
* OpenSSL/crypto/x509.c: Fix an inconsistency in memory management
in X509.get_serial_number which leads to crashes on some runtimes
(certain Windows/Python 3.3 environments, at least).
Changes from previous version:
+ portability fixes from xtraeme for his Linux distribution:
+ add search for ar(1) into autoconf (I fixed this differently
so as not to rely on an automake check)
+ define __printflike if it's not already defined
+ fix missing asprintf (I fixed this differently)
checking builtin before including openssl/builtin.mk, so that wanted openssl
will be picked up (formerly, BUILTINK_API_DEPENDS.openssl is ignored).
Bump PKGREVISION.
Miscellaneous bug fixes.
Miscellaneous portability fixes.
Support ECDSA and SHA-256 in SSHFP.
Add support for SHA-384 digests in DS (RFC 6605).
Support multiple -t options.
Changes:
Avoid a warning on Gentoo Linux about fwrite(3) -- their glibc
declares fwrite(3) with the warn_unused_result attribute, from Razvan
Cojocaru
Manual page improvements from Anthony J. Bentley
validation in the DNS notify/transfer-chain. Currently credns is a fork of
the NSD_3_2 branch that has been extended with the possibility to assess
zones (received or updated by AXFR or IXFR) by running an external
verifier. Only zones that are deemed correct by the verifier will be
notified to (public) slave servers and offered for transfer.
Main change is that the netpgpverify binary is no longer part of this
package - instead, pkgsrc/security/netpgpverify and
pkgsrc/security/libnetpgpverify should be used.
Other changes since previous version include:
> ----------------------------
> revision 1.96
> date: 2012-02-21 22:58:54 -0800; author: agc; state: Exp; lines: +5 -15;
> Add the --trusted-keys argument to netpgpkeys(1) to print out PGP ids in a
> machine-readable manner.
> ----------------------------
> revision 1.95
> date: 2012-02-21 22:29:40 -0800; author: agc; state: Exp; lines: +1 -3;
> re-order the fields that we print out in the pgp_sprint_pubkey() function
> to be more usual.
>
> print out the name from within pgp_sprint_pubkey() rather than tagging it
> onto the end of the output from the function.
> ----------------------------
> revision 1.94
> date: 2011-08-02 00:16:56 -0700; author: agc; state: Exp; lines: +19 -8;
> branches: 1.94.2;
> plug some memory leaks in error paths
> ----------------------------
> revision 1.93
> date: 2011-08-01 22:36:45 -0700; author: agc; state: Exp; lines: +19 -13;
> when matching pubkeys, also return the first (pgp) uid for the key in the
> resultant key listing
>
> when using json to format keys returned from libnetpgp, also prepare for
> machine-readable format ("mr") as well as human ("human"), even though
> it's not yet used.
> ----------------------------
> revision 1.92
> date: 2011-06-27 20:35:28 -0700; author: agc; state: Exp; lines: +45 -24;
> get some things off the TODO list
>
> when initialising, recognise keys in a different order.
>
> 1. read the public keyring
>
> 2. if a userid has been specified, use it
>
> 3. if not, check the configuration file (~/.gnupg/gpg.conf) for a
> default user id
>
> 4, only read the secret keyring if we need to (decrypting or signing)
>
> 5. if signing, and we still don't have a userid, use the first key in
> the secret keyring
>
> 6. if encrypting, and we still have no userid, use the first in the
> public keyring
>
> ssh keys remain the same as previously.
> ----------------------------
> revision 1.91
> date: 2011-06-27 00:05:31 -0700; author: agc; state: Exp; lines: +7 -5;
> only attempt to load the secret key if we need to (for signing or for
> decrypting).
> ----------------------------
> revision 1.90
> date: 2011-06-24 17:37:44 -0700; author: agc; state: Exp; lines: +11 -7;
> change mj library to take an additional argument for a string type,
> denoting its length. this allows binary strings to be encoded using
> libmj.
>
> escape magic characters in json strings in a more efficient manner.
> the previous method was not scalable.
>
> update callers to suit
>
> bump libmj major version number
>
> add examples to the libmj(3) man page
> ----------------------------
> revision 1.89
> date: 2011-01-02 21:34:53 -0800; author: agc; state: Exp; lines: +2 -2;
> avoid a double free - from Anthony Bentley.
> ----------------------------
> revision 1.88
> date: 2011-01-01 15:00:24 -0800; author: agc; state: Exp; lines: +17 -15;
> clean up lint (on amd64)
> ----------------------------
> revision 1.87
> date: 2010-12-01 14:14:52 -0800; author: agc; state: Exp; lines: +5 -2;
> avoid nameclash - call the generated user id variable "generated userid"
> avoid nameclash - call the generated user id variable "generated userid"
>
> also keep the time of structure initialisation as an internal variable.
> ----------------------------
> revision 1.86
> date: 2010-12-01 14:01:41 -0800; author: agc; state: Exp; lines: +4 -2;
> When generating a key, set the new key's userid (last 16 bytes of
> fingerprint) as an internal netpgp variable.
>
> This can then be queried using netpgp_getvar(netpgp, "userid") to find the
> new key's id.
> ----------------------------
> revision 1.85
> date: 2010-11-28 20:20:12 -0800; author: agc; state: Exp; lines: +73 -18;
> Fix PR 44075 from Peter Pentchev, but do this by adding a
> --numtries=<attempts> option to netpgp(1) to provide the maximum
> number of attempts to retrieve the correct passphrase when signing or
> decrypting, and use it in libnetpgp(3). The default number of
> attempts is 3, and a value of "unlimited" will loop until the correct
> passphrase has been entered.
> ----------------------------
> revision 1.84
> date: 2010-11-15 00:27:40 -0800; author: agc; state: Exp; lines: +13 -4;
> Use a regular expression to match the various ASCII-armoured headers we
> may encounter - fixes PR 44074 from Peter Pentchev in a different way.
> ----------------------------
> revision 1.83
> date: 2010-11-15 00:03:39 -0800; author: agc; state: Exp; lines: +48 -3;
> Changes to help with netpgp key generation and interoperability:
>
> + use plain SHA1 for session key s2k negotiation
> + don't warn on some conditions when inflating (reading a compressed file)
> since the conditions don't hold for partial block lengths
> + prompt for a passphrase when generating a new key - used in the upcoming
> secret-sharing functionality for netpgp
> ----------------------------
Switch over to using the zero-pre-requisite netpgpverify sources by
using reachover infrastructure to make sure we have one set of
sources.
This also brings with it the benefit of being able to use SSH
public keys, as well as PGP pub keys, when verifying signatures.
Extend the package building mechanism so that it can be built using
libtool (the default), or without libtool, depending on whether
"BOOTSTRAP" is defined at package build time.
security/p5-IO-Socket-SSL from 1.953 to 1.967.
Upstream changes:
1.967 2014/02/06
- verify the hostname inside a certificate by default with a superset of
common verification schemes instead of not verifying identity at all.
For now it will only complain if name verification failed, in the future
it will fail certificate verification, forcing you to set the expected
SSL_verifycn_name if you want to accept the certificate.
- new option SSL_fingerprint and new methods get_fingerprint and
get_fingerprint_bin. Together they can be used to selectively accept
specific certificates which would otherwise fail verification, like
self-signed, outdated or from unknown CAs.
This makes another reason to disable verification obsolete.
- Utils:
- default RSA key length 2048
- digest algorithm to sign certificate in CERT_create can be given,
defaults to SHA-256
- CERT_create can now issue non-CA selfsigned certificate
- CERT_create add some more useful constraints to certificate
- spelling fixes, thanks to ville[dot]skytta[at]iki[dot]fi
1.966 2014/01/21
- fixed bug introduced in 1.964 - disabling TLSv1_2 worked no longer with
specifying !TLSv12, only !TLSv1_2 worked
- fixed leak of session objects in SessionCache, if another session
replaced an existing session (introduced in 1.965)
1.965 2014/01/16
- new key SSL_session_key to influence how sessions are inserted and looked
up in the clients session cache. This makes it possible to share sessions
over different ip:host (like required with some FTPS servers)
- t/core.t - handle case, were default loopback source is not 127.0.0.1, like
in FreeBSD jails
1.964 2014/01/15
- Disabling TLSv1_1 did not work, because the constant was wrong. Now it gets
the constants from calling Net::SSLeay::SSL_OP_NO_TLSv1_1 etc
- The new syntax for the protocols is TLSv1_1 instead of TLSv11. This matches
the syntax from OpenSSL. The old syntax continues to work in SSL_version.
- New functions get_sslversion and get_sslversion_int which get the SSL version
of the establish session as string or int.
- disable t/io-socket-inet6.t if Acme::Override::INET is installed
1.963 2014/01/13
- fix behavior of stop_SSL: for blocking sockets it now enough to call it
once, for non-blocking it should be called again as long as EAGAIN and
SSL_ERROR is set to SSL_WANT_(READ|WRITE).
- don't call blocking if start_SSL failed and downgraded socket has no
blocking method, thanks to tokuhirom
- documentation enhancements:
- special section for differences to IO::Socket
- describe problem with blocking accept on non-blocking socket
- describe arguments to new_from_fd and make clear, that for upgrading an
existing IO::Socket start_SSL should be used directly
1.962 2013/11/27
- work around problems with older F5 BIG-IP by offering fewer ciphers on the
client side by default, so that the client hello stays below 255 byte
1.961 2013/11/26
- IO::Socket::SSL::Utils::CERT_create can now create CA-certificates which
are not self-signed (by giving issuer_*)
1.960 2013/11/12
only documentation enhancements:
- clarify with text and example code, that within event loops not only
select/poll should be used, but also pending has to be called.
- better introduction into SSL, at least mention anonymous authentication as
something you don't want and should take care with the right cipher
- make it more clear, that user better does not change the cipher list, unless
he really know what he is doing
1.959 2013/11/12
- bugfix test core.t windows only
1.958 2013/11/11
- cleanup: remove workaround for old IO::Socket::INET6 but instead require at
least version 2.55 which is now 5 years old
- fix t/session.t #RT90240, thanks to paul[AT]city-fan[DOT]org
1.957 2013/11/11
- fixed t/core.t: test uses cipher_list of HIGH, which includes anonymous
authorization. With the DH param given by default since 1.956 old versions of
openssl (like 0.9.8k) used cipher ADH-AES256-SHA (e.g. anonymous
authorization) instead of AES256-SHA and thus the check for the peer
certificate failed (because ADH does not exchanges certificates).
Fixed by explicitly specifying HIGH:!aNULL as cipher
RT#90221, thanks to paul[AT]city-fan[DOT]org
- cleaned up tests:
- remove ssl_settings.req and 02settings.t, because all tests now create a
simple socket at 127.0.0.1 and thus global settings are no longer needed.
- some tests did not have use strict(!), fixed it.
- removed special handling for older Net::SSLeay versions, which are less than
our minimum requirement
- some syntax enhancements, removed some SSL_version and SSL_cipher_list
options where they were not really needed
1.956 2013/11/10
lots of behavior changes for more secure defaults:
- BEHAVIOR CHANGE: make default cipher list more secure, especially
- no longer support MD5 by default (broken)
- no longer support anonymous authentication by default (vulnerable to man in
the middle attacks)
- prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
it uses by default forward secrecy, if underlying Net::SSLeay/openssl
supports it
- move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
been fixed and now RC4 is considered less safe than 3DES)
- default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
get the best cipher even if client prefers other ciphers
PLEASE NOTE that this might break connections with older, less secure
implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
thus gets reused if context gets reused. PLEASE NOTE that using
SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
ciphers of the context.
- rework hostname verification schemes
- add rfc names as scheme (e.g. 'rfc2818',...)
- add SIP, SNMP, syslog, netconf, GIST
- BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
- BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
- BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'..
but not 'www'
- anywhere wildcards like x* are no longer applied to IDNA names (which start
with 'xn--')
- fix crash of Utils::CERT_free
- support TLSv11, TLSv12 as handshake protocols
1.955 2013/10/11
- support for forward secrecy using ECDH, if the Net::SSLeay/openssl version
supports it.
1.954 2013/9/15
- accept older versions of ExtUtils::MakeMaker and add meta information
like link to repository only for newer versions.
security/p5-Net-SSLeay from 1.55nb1 to 1.58.
Upstream changes:
1.58 2014-01-15
Always use size_t for strlen() return value, requested by Alexander Bluhm.
t/external/20_cert_chain.t was missing from dist.
Version number in META.yml was incorrect
Improvements to test t/external/20_cert_chain.t to provoke following bug:
Fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain
after use.
Fixed a problem when compiling against openssl where OPENSSL_NO_EC is set.
1.57 2014-01-09
Fixed remaining problems with test suite: pod coverage and kwalitee tests
are only enabled with RELEASE_TESTING=1
1.56 2014-01-08
Fixed a typo in documentation of BEAST Attack, patched by gregor
herrmann.
Added LICENSE file copied form OpenSSL distribution to prevent complaints
from various versions of kwalitee.
Adjusted license: in META.yml to be 'openssl'
Adds support for the basic operations necessary to support ECDH for PFS,
e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh.
Improvements to t/handle/external/50_external.t to handle the case when a
test connection was not possible. Patched by Alexandr Ciornii.
Added support for ALPN TLS extension. Patch from Lubomir Rintel. Tested
with openssl-1.0.2-stable-SNAP-20131205.
Fix an use-after-free error. Patch from Lubomir Rintel.
Fixed a problem with Invalid comparison on OBJ_cmp result in
t/local/36_verify.t. Contributed by paul.
Added support for get_peer_cert_chain(). Patch by Markus Benning.
Fixed a bug that cold cause stack faults: mixed up PUTBACK with SPAGAIN
in ssleay_RSA_generate_key_cb_invoke()
a final PUTBACK is needed here. A second issue is also fixed:
cb->data defaults to &PL_sv_undef but throught the code you do not check
against &PL_sv_undef, just NULL.
To avoid passing the 3rd optional arg at all, do not create it. This fixes all the
cb->data checks and wrong refcounts on &PL_sv_undef. Patched by Reini Urban.
Deleted support for SSL_get_tlsa_record_byname: it is not included in
OpenSSL git master.
1.) OpenSSL 0.9.8* doesn't support TLS 1.2, Elliptic curve cryptography
and other modern TLS features.
2.) Supporting OpenSSL 0.9.8* causes extra maintenance overhead.
As a result NetBSD 5.*, all versions of Mac OS X and possibly other
platforms will now use OpenSSL from "pkgsrc".
17 Dec 2013 - 2.7.7
-------------------
Fixes:
- Changed release version to 2.7.7
- Got the configure scripts inside the release tarball
16 Dec 2013 - 2.7.6
-------------------
Improvements:
- Organizes all Makefile.am - 1cde4d2dd9d96747536c1c25d06ba0677069477f
Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts.
- nginx: generates config file using configure input. - 351b9cc357d439e30ebd61d89a9e38ecf55c6827
The nginx config file was looking for depedencies by its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled.
- nginx: adds lua support - da16d9e5d51d4ef8734687514a4e1368e7fb4284
- iis: Cosmetics fixies on sqli. - 5046c8327ea21c69b4c0d0c0057c692b05b09fef
This is needed to get it compiled with VS2011 on Windows8
- Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee8767069363906e5a611dff487b799b839
- nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272fdc353e1263567b60604542d377d19672
- nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d859e4a8873b8843da1db13e04a1b08140
- macos: Using glibtoolize instead of libtoolize - 751a9f4e45213cd69f00c62c71edc9d7ad99b82d
- regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac37ab1be8d1232140042b58fe4bd93ee17
- Regression test: get it working with apache 2.4 - e9813cd0d9bfc5b0c9aa5832634ec1b39b805108
Changes in httpd.conf.in to get it working with apache 2.4
- Code cosmetics. - 7366f35c1d80772d739b35da8faa972f92a72b97
Changed to reduce the number of possible fails during Build Bot compilation.
- iis: Waiting for 5 seconds before move curl directory - 9bf2959c919587ebc63f5a1b8c0785da8927bff5
Testing buildbot.
- Redefines unixd_set_global_mutex_perms on tests - f70f6f4281b806627e0cf0dbb9c84ae5864bdb16
Avoding conflicts with the standalone implementation
- Adds verbose quality check - 388943440cc9b8c6fdea09f5e365a2e5a3e792e2
Vera++ and ccpcheck are not outputing to the stderr instead stdout allowing the buildbot to extract some numbers about it.
- Adds support for coding style and quality check - b77e90152d119609ac78a7028383c3b79898b2cf
Initial effort to get the code on shape. This will be executed by the buildbots as soon as they get ready for it.
- iis: New improvements on the Wix installer - 2ea5a74a7bfb00f21312e51e48aa6dac03d84600
* Now the installation is divided in modules: ModSecurity and CRS.
* Added default configuration
* Configuration was moved to "Program Files" folder
* Build_msi script now using candle available in %PATH%
- iis: Removes the installer helper dependency - 1a12648c9f6028f251af0f03c889397c7954b74c
Now using appcmd directly with WiX instead of calling the installer helper.
- iis: Remove readme.html - 550d5aae21cba696cac1ce75ab8113e5255d5a59
This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself.
- iis: Adds batch script to compile Wix - a2c5fc831baf0b324ebb66b0f878dacf1ec2f808
This batch script can be used to generate our msi installer.
- iis: Adds Wix installer resources - 3604763e15a665eb7a6ecae1f7e7c65cebbb1d17
This is all about cosmetic changes.
- iss: Removes Post-Build event. - 28bbde1bb218b004654cb865fc8563d69b848dc2
There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event.
- iis: Relative paths on the VS project file - 368617ddb2443f9b6036f80a648d467d07c9a054
There are a ModSecurityIIS solution and project files, those were using hard coded paths to meet the dependencies. As consequence of the last update in our build scripts, now we are able to built the dependencies and load it to our Visual Studio project using relative paths.
- iis: Adds release script - 9477118903861ce80c4c27cb581bf3462315e98e
- iis: fixies the Installer.cpp coding style - 79875b1af8e8571098345b91557bab9c06eb7c88
- iis: Removes AppWizard remade file - 91738f93bcc82b6ab756c550a66b6cf6af2fa9f8
Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit
- iss: Removes pre-compiled headers - adfbeb85dcfa9466b72eebb8d1bd8eb7728bab79
No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean.
- iis: Moves installer to InstallerHelper - 6adf25667dd4bfa33010bd6d8ae3d35046a69967
To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just an helper which is executed during the installation phase.
- iss: Removes fart dependencies - 8c3b8d81b613aaa38f28472af1eb26c90c7fc9da
This commit removes the dependency of the fart.exe utility. The utility was responsible to rename contents inside some dependencies build files. Those modifications are not longer needed.
- iss: Better err handling in build scripts. - 192599bf63b6ae5aa08e4536a90d5d0a17f969f7
Now checking for errors in every step of the build phase
- iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2e85ced7beba4d41867dbdf30e9c1286d3
The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths.
- iis: Identifies arch before unzip apache - cf5de78dfb9fffd21edf17af9e1db8f2fd83c804
Currently we need the Apache binary which could be used in 32 or 64 bits. This patch makes usage of 'cl' to identify which architecture is set.
- iis: Renamves winbuild to dependencies - 1447766e816a896e88c9c8f053fcc3f62797bac1
Since the directory becomes all about dependencies there is no need to call it winbuild anymore.
- iis: Removes unnecessary files from winbuild dir - 9f8cbf6ed8034ba42aa4967699308df09864fd18
Those .mak files seems to be part of an old build system. Since the script are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the Makefile.win.
- iis: Improves the iis build system - b277e538f28c87c81c1b50925dd8b82996b88294
Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be build under the winbuild/. This commit also removes build scripts that were not needed anymore.
- iis: Fixes the vcxproj file - a946a163f0ad822c760af80ca32dda61f0e6b2a9
Versions of the dependencies were changed, as long as the version of the Visual Studio, now 12.
- iis: Removes unecessary files from the build system - 26738d2e34bcc7620047bd23180e0e26a64c71ee
The following files were removed:
* VCVarsQueryRegistry.bat
* vcvars64.bat
* vsvars32.bat
The visual studio files can be called direcltly, not necessary to distribute those files, at least in VS12.
- iss: Changes httpd version 2.4.6 - 0a772cb0748aa51a01800e0473309b9de792b456
Apache version was changed to 2.4.6 to sync with the current apache lounge version.
- iis: Changes the version of the dependencies - 3e6fb41d36b7a5e98a55d8f52b88b29d1bd50b64
* pcre from 8.30 to 8.33
* zlib from 1.2.7 to 1.2.8
* libxml2 from 2.7.7 to 2.9.1
* curl from 7.24 to 7.33.0
- Removes standalone/Makefile.in - e3c19d53d23c48fea337aae76a87b2a85c36a1f1
Makefile.in is recommended to be in the repository whenever it is edit manually, in our case the automatically generated Makefile.in is ok.
Bug Fixes:
- test: Avoids conflict of fuctions definition - cef72855e4106ce29e1d39103ebf9eb9ab28f17e
- test: Makes the unit tests to work again - cc982ae42ec86c79a67be1a01c6ee35fb06c272c
The unit tests was not working due to lack update. This patch adds the necessary stuff to have it work again.
- iis: Avoids directory link while building - ad330a44bfa39430cf6340cb52971568cccdf1d6
Build scripts was creating links allowing the project to be loaded into Visual Studio without care about the dependencies versions. Sometimes windows refuse to delete those links leading the script to fail. This patch moves the sources directories instead of create links to it.
- QA: Avoids the utilization of 3rd filedescriptor - 69c5ccac662f4e11a6eefd54a3e912583c067b9d
No need to use a 3rd description on the quality check scripts. Stderr is now redirected to stdout and filtered as needed.
- Supports WarningCountingShellCommand in cppcheck and vera - baaf502363e68c3240b60adb7f7c91f5b4f0ba03
WarningCountingShellCommand allow us to have some measurements on the buildbot waterfall.
- iis: Using base_rules instead of activated_rules - 7b1537058fa451e0df7098cd907ef19f04102f9d
- iis: Fix inet_pton build problem - a4202146b8d26b6615bbab986383fe0afae60d77
There is a function named inet_pton on windows API, with different signature. This patch just override the windows function and point the inet_pton to our implementation.
- iis: Adds Wix installer xml file.c - b32cb7d9ab397160f0154aa4bd4e9638658b41e6
This commit adds the Wix template to our git repository.
- iis: build_modsecurity.bat fixies - 7e03e3f840375ed682c35a5bb67932461cc77013
This commit enable a cleanup on the mod_security build directory avoiding symbols with different architectures.
- iis: Fix mlogc build on windows - 9b7663fa79377a0685130a019916d810f31e7478
The libcurl path was not pointing to the correct directory
- Fix#154, Uses addn instead of apr_table_setn - 1734221d9d3a78f9aafd68e35717da9ee1a4fe51
The headers are represented in the format of an apr_table, which is able to handle elements with the same key, however the function apr_table_setn checks if the key exists before add the element, if so it replaces the old value with the new one. This was making our implementation to just keep the last added Cookie. The apr_table_addn function, which is now used, just add a new item without check for olders one.
- Merge pull request #579 from zimmerle/revert_139 - 61e54f2067ae760808359926ff91d57275df1aac
Revert merge request #139
- Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00fa2c364716691df1b45779304b24a0debb
This reverts commit 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b, reversing changes made to 414033aafa94cd50c9b310afd3f164740caccc94.
- Merge pull request #578 from client9/remotes/trunk - b0c3977845f60747b15ae10531b7d20355a22627
libinjection sync to v3.8.0
- libinjection sync - a5f175d79fac1e69124da4e1e227b622e7e233d7
- Merge pull request #152 from client9/remotes/trunk - 88ebf8a0bdbc4db1be76f3a2e70df77cc52a5925
Sync to libinjection v3.7.1
- libinjection sync - fcb6dc13ed6efb066fb9b70405eecab8b83a2d96
- libinjection sync - f52242a013f301ca5c17e59b662124833cb7cc6d
- Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d81ddafc2b99bffad53d1426f8fd33080a
Bugfix: missing string terminator while mounting the charset (nginx)
- Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd5c53d4af61d0a9397d4616f47f80ee207
The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator.
- Merge pull request #141 from client9/remotes/trunk - 9a630eea23a7ead4e77617c86dc937fd7a421a57
libinjection sync to v3.6.0
- libinjection sync - 11217207e8f2e0cf15742273836399866971071a
- Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441cd25172fdfe5b613442fedfc0da3cc333d
- Revert "Fix Chuncked string case sensitive issue" - 3901128f17e0763ac1a260106b79859d2aad6d90
This reverts commit 16a815a3c2735f62238ef99af26090a2b8430d3d.
- Fix Chuncked string case sensitive issue - 16a815a3c2735f62238ef99af26090a2b8430d3d
- Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b
Fixed fd leackage after reload
- Merge pull request #138 from client9/remotes/trunk - 414033aafa94cd50c9b310afd3f164740caccc94
libinjection sync
- Fixed fd leackage after reload - e0993fcd7a166ce9e1a279a47d050af1311d9001
- libinjection sync - 2268626c20260e88cab9b7830f8a06101fa7172a
- Fix logical disjunction and conjunction issues - 7e0a9ecf7d492e85650671a0cfcfd53e5f15df2c
23 Jul 2013 - 2.7.5
-------------------
Improvements:
* SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
* Updated Libinjection to version 3.4.1. Many improvements were made.
* Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
Bug Fixes:
* Fixed utf8toUnicode tfn null byte conversion.
* Fixed NGINX crash when issue reload command.
* Fixed flush output buffer before inject modified hashed response body.
* Fixed url normalization for Hash Engine.
* Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
Security Issues:
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
28 Mar 2013 - 2.7.3
-------------------
* Fixed IIS version race condition when module is initialized.
* Fixed IIS version failing config commands in libapr.
* Nginx version is now RC quality. The rule engine should works for all phases.
We fixed many issues and missing features (for more information please check jira).
Code is running well with latest Nginx 1.2.7 stable.
Thanks chaizhenhua for your help.
* Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS
and will help prevent attacks using multipart data.
* Added --enable-htaccess-config configure option. It will allow the follow directives
to be used into .htaccess files when AllowOverride Options is set:
- SecAction
- SecRule
- SecRuleRemoveByMsg
- SecRuleRemoveByTag
- SecRuleRemoveById
- SecRuleUpdateActionById
- SecRuleUpdateTargetById
- SecRuleUpdateTargetByTag
- SecRuleUpdateTargetByMsg
* Improvements in the ID duplicate code checking. Should be faster now.
* SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
by default the external entity load task executed by LibXml2. This is a security issue
[CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
21 Jan 2013 - 2.7.2
-------------------
* IIS version is now stable.
* Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess
is set to On (MODSEC-372).
* Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
* Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
* Fixed IIS version Request limit protections are not working (MODSEC-349).
* Fixed IIS version Outbound protections are not working (MODSEC-350).
* Added IIS version better installer.
* NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua).
* Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua).
* Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua).
* Added NGINX version Added drop action for nginx (Thanks chaizhenhua).
* Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi).
* Fixed build modsecurity under Arch Linux.
* Fixed make test crashing when JIT pcre is enabled.
* Fixed better cookie separator detection code.
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip.
* Fixed mod_security was not compiling when use apr without ipv6 support.
* Fixed mod_security was not compiling when use lua 5.2.
* Fixed issue when execute make install under Solaris.
* Fixed ipmatchf operator was not working as expected.
01 Nov 2012 - 2.7.1
-------------------
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
SecEncryptionEngine to SecHashEngine
SecEncryptionKey to SecHashKey
SecEncryptionParam to SecHashParam
SecEncryptionMethodRx to SecHashMethodRx
SecEncryptionMethodPm to SecHashMethodPm
@validateEncryption to @validateHash
ctl:EncryptionEnforcement to ctl:HashEnforcement
ctl:EncryptionEngine to ctl:HashEngine
* Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key.
* Fixed byte conversion issue during logging under Linux s390x platform.
* Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
* Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
* Fixed DROP action was disabled for Apache 2 module by mistake.
* Fixed bug when use ctl:ruleRemoveTargetByTag.
* Fixed IIS and NGINX modules bugs.
* Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi).
* Fixed bugs in @verifySSN (Thanks Hideaki Hayashi).
* The doc/ directory now contains the instructions to access online documentation.
15 Oct 2012 - 2.7.0
-------------------
* Fixed Pause action should work as a disruptive action (MODSEC-297).
* Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).
* Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).
* Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).
* Fixed Errors compiling NGINX version.
* Added Include directive into standalone module. IIS and NGINX module should
support Include directive like Apache2.
* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
* Updated Reference Manual.
25 Sep 2012 - 2.6.8
-------------------
* Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.
* Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.
10 Sep 2012 - 2.7.0-rc3
-------------------
* Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only.
* Fixed double close() for multipart temporary files (Thanks Seema Deepak).
* Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).
* Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov).
* Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.
* Added IIS and Ngnix platform code.
* Added new transformation utf8toUnicode.
23 Jul 2012 - 2.6.7
-------------------
* Fixed explicit target replacement using SecUpdateTargetById was broken.
* The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
there is no safe way to use it per-request.
* Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.
22 Jun 2012 - 2.7.0-rc2
-------------------
* Fixed compilation errors and warnings under Windows platform.
* Fixed SecEncryptionKey was not working as expected.
08 Jun 2012 - 2.7.0-rc1
-------------------
* Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html
and Response Header options.
* Added SecEncryptionKey to define the a rand or static key for crypt engine.
* Added SecEncryptionParam to define the new parameter name.
* Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
body/header and decide what to protect.
* Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
body/header and decide what to protect.
* Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive.
* Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
disabled.
* Added validateEncryption operator to enforce the signed elements.
* Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.
* Added SecRuleUpdateTargetById now supports id range.
* Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).
* Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).
* Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
and log id=usec information in the new Perf-rule-info: line in part H.
* Added PERF_RULES variable that contains rule execution time.
* Added Engine-mode: section in part H.
* Added ruleRemoveByMsg ctl version.
* Added removeCommentsChar and removeComments now can work with <!-- --> style.
* Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.
* Added Rules must have ID action and must be numeric.
* Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future.
* Added Macro expansion support to the action pause.
* Added IpmatchFromFile/IpmatchF operator.
* Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space
* Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
It will only take any effect when ModSecurity has multiple scripts to run per transaction.
* Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.
* Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.
* Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).
* Added SecHttpBlKey to be used with httpBl api.
* Added SecSensorId will specify the modsecurity sensor name into audit log part H.
* Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).
* Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
client ip address.
^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
* Updated Reference manual into doc/ directory.
* Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
other variables.
* Fixed Preserve names/identity of the variables going into MATCHED_VARS.
* Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.
* Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger).
* Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow
anymore the malware database for download.
08 Jun 2012 - 2.6.6
-------------------
* Added build system support for KfreeBSD and HURD.
* Fixed a multipart bypass issue related to quote parsing
Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
20 Mar 2012 - 2.6.5
-------------------
* Fixed increased a specific message debug level in SBDM code (MODSEC-293).
* Cleanup build system.
09 Mar 2012 - 2.6.4
-------------------
* Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh).
* Fixed ModSecurity cannot load session and user sdbm data.
* Fixed updateTargetById was creating rule unparsed content making apache memory grow.
* Code cleanup.
23 Feb 2012 - 2.6.4-rc1
-------------------
* Fixed @rsub adding garbage data into stream variables.
* Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).
* Fixed logdata cuts message without closing it with final chars.
* Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.
06 Dec 2011 - 2.6.3-rc1
-------------------
* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.
* Fixed SDBM garbage collection was not working as expected, increasing the size of files.
* Fixed wrong timestamp calculation for some time zones in log files.
* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).
* Fixed Reverted hexDecode for hexEncode compatibility reason.
* Added SecCollectionTimeout to set collection timeout, default is 3600.
* Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.
30 Sep 2011 - 2.6.2
-------------------
* Fixed hexDecode test during make.
* Updated the reference manual into doc/ directory.
5 Sep 2011 - 2.6.2-rc1
-------------------
* Added support to macro expansion for rx operator.
* Added new transformations removeComments and removeCommentsChars
* Fixed colletion names are not case-sensitive anymore.
* Fixed compilation errors with apache 2.0.
* Fixed build system was not using some libraries CFLAGS.
* Fixed check for valid hex values into hexDecode transformation.
* Fixed ctl:ruleUpdateTargetById appending multiple targets.
18 Jun 2011 - 2.6.1
-------------------
* Updated the reference manual into doc/ directory.
11 Jul 2011 - trunk
-------------------
* Add HttpBl support to rbl operator.
30 Jun 2011 - 2.6.1-rc1
-------------------
* Fixed SecUploadFileMode doesn't work with the new build system.
* Fixed building with Lua library (Thanks Diego Elio).
* Fixed some ./configure --enable* features not being enabled in compilation time.
* Improvements on GSB database add/search operations.
* Log part K was removed from modsecurity.conf-recommended.
* Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file.
* Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:
1250 (ANSI - Central Europe)
1251 (ANSI - Cyrillic)
1252 (ANSI - Latin I)
1253 (ANSI - Greek)
1254 (ANSI - Turkish)
1255 (ANSI - Hebrew)
1256 (ANSI - Arabic)
1257 (ANSI - Baltic)
1258 (ANSI/OEM - Viet Nam)
20127 (US-ASCII)
20261 (T.61)
20866 (Russian - KOI8)
28591 (ISO 8859-1 Latin I)
28592 (ISO 8859-2 Central Europe)
28605 (ISO 8859-15 Latin 9)
37 (IBM EBCDIC - U.S./Canada)
437 (OEM - United States)
500 (IBM EBCDIC - International)
850 (OEM - Multilingual Latin I)
860 (OEM - Portuguese)
861 (OEM - Icelandic)
863 (OEM - Canadian French)
865 (OEM - Nordic)
874 (ANSI/OEM - Thai)
932 (ANSI/OEM - Japanese Shift-JIS)
936 (ANSI/OEM - Simplified Chinese GBK)
949 (ANSI/OEM - Korean)
950 (ANSI/OEM - Traditional Chinese Big5)
Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1
* Fixed SecRequestBodyLimit was truncating the real request body.
18 May 2011 - 2.6.0
-------------------
* Added SecWriteStateLimit for Slow Post DoS mitigation.
* Fix problem when buffering in input filter.
* Fix memory leak when use MATCHED_VAR_NAMES.
2 May 2011 - 2.6.0-rc2
-------------------
* Added code optimizations - thanks Diego Elio.
* Added support to AIX and HPUX in the build system (untested).
* Renamed decodeBase64Ext to base64DecodeExt.
* Build system improvements - thanks Diego Elio.
* Improvements on gsblookup parser.
* Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.
* Logging improvements and bug fix.
* Remove extra useless files when make clean and maintainer-clean
18 Apr 2011 - 2.6.0-rc1
-------------------
* Replaced previous GPLv2 License to Apachev2.
* Added Google Safe Browsing lookups operator and directive. It should be
used to extract and lookup urls from http packets.
* Added Data Modification operator. It must be used with STREAM_* variables
to replace/add/edit any data from http bodies.
* Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
modification operators.
* Added fast ip address operator. It supports partial ip address, cidr for
IPv4 and IPv6. Thanks Tom Donovan.
* Added new sensitive data tracking verifyCPF and verifySSN.
* Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR,
but now we should see all matched variables.
* Added UNIQUE_ID variable. It holds the data created my mod_unique_id.
* Added new tranformation cmdline. Thanks Marc Stern.
* Added new exception handling operators and directives. It should help users
reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
and its ctl actions were included.
* Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
variables.
* Added SecGsbLookupDB used to load Google Safe Browsing malware databse into
memory.
* Added the directive SecInterceptOnError to control what to do if a rule returns
values less than zero.
* Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
to control what to do if the engine receive a http request over a hard limit.
Note that there is now many combinations with SecRuleEngine and the limit action
directives for response and request data. Please see the reference manual.
* Improvements under RBL operator. It now will parse return code values for some
RBL lists.
* Added new Log Part J. It should log some informations about uploaded files.
* Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize
logged data, also improving peformance when sanitize big amount of data.
* Improvements on Logging phase. It is possible now see full chains, distinguish between
simple rules, chain starters and chain nodes.
* Improvements on AutoTools usage.
* Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
input data allowing any kind of special char.
* Improvements on SecRuleUpdateActionById to update chain nodes.
* Many bugs were fixed. Please see the ModSecurity Jira for more details
19 Mar 2010 - trunk
-------------------
* Added SecDisableBackendCompression, which disabled backend compression
while keeping the frontend compression enabled (assuming mod_deflate
in installed and configured in the proxy). [Ivan Ristic]
* Added REQUEST_BODY_LENGTH, which contains the number of request body
bytes read. [Ivan Ristic]
* Integrate with mod_log_config using the %{VARNAME}M format string.
(MODSEC-108) [Ivan Ristic]
* Replaced the previous time-measuring mechanism with a new one, which
provides the following information: request time, request duration,
phase duration (for all 5 phases), time spent dealing with persistent
storage, and time spent on audit logging. The new information is now
available in the Stopwatch2 audit log header. The Stopwatch header
remains for backward compatiblity, although it now only includes
the request time and request duration values. Added the following
variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
PERF_GC. [Ivan Ristic]
* Added DURATION, which contains the time ellapsed since the beginning
of the current transaction, in milliseconds. [Ivan Ristic]
* Adjusted phase 5 to execute just prior to mod_log_config. This should
allow phase 5 rules to to implement conditional logging, as well as
pave support for allowing access to all ModSecurity variables from
mog_log_config. [Ivan Ristic]
* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
encoding is encountered in the query string or in the request body
(but only if URLENCODED request body processor is used). (MODSEC-111)
[Ivan Ristic]
* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
* Renamed normalisePath to normalizePath and normalisePathWin to
normalizePathWin. Kept the previous names for backward compatibility.
(MODSEC-103) [Ivan Ristic]
* Moved phase 1 to be run in the same Apache hook as phase 2. This means
that you can now have phase 1 rules in <Location> tags and, more
importantly, override server configuration in <Location> and others.
(MODSEC-98) [Ivan Ristic]
* Renamed the sanitise family of actions to sanitize. Kept the old variants
for backward compatibility. (MODSEC-95) [Ivan Ristic]
* Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
* Cleanup build files that were from the Apache source.
Changes from previous version:
Add the ability for netpgpverify to verify ssh-pub-key-based signatures.
It is much more likely for ssh (rather than pgp) keys to be available,
and used, as a source of authentication data. These changes add the
ability for netpgpverify(1) -- the standalone, zero-prereq utility -
to verify signatures made by netpgp when using ssh keys.
Running the regression tests in WRKDIR gives the following output:
% mk -f *.bsd tst
./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc
Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer@NetBSD.org>
./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.gpg
Good signature for NetBSD-6.0_RC1_hashes.gpg made Thu Mar 14 13:32:59 2013
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer@NetBSD.org>
./netpgpverify -v
netpgpverify portable 20140202
./netpgpverify -S sshtest-20140202.pub data.gpg
Good signature for data.gpg made Mon Feb 3 17:54:21 2014
signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01
fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f
uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com>
./netpgpverify -S sshtest-20140202.pub data.sig
Good signature for data.sig made Sun Feb 2 21:45:05 2014
signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01
fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f
uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com>
expected failure, to check bad signatures fail to verify
sed -e 's|A|B|' data.gpg | ./netpgpverify -S sshtest-20140202.pub
Signature did not match contents -- Signature on data did not match
*** Error code 1 (ignored)
%
A new HOWTO file is provided in the sources (files/HOWTO) to show how
to sign data using ssh keys and netpgp(1).
Noteworthy changes in version 1.6.1 (2014-01-29)
------------------------------------------------
* Added emulation for broken Whirlpool code prior to 1.6.0.
* Improved performance of KDF functions.
* Improved ECDSA compliance.
* Fixed locking for Windows and non-ELF Pthread systems (regression
in 1.6.0)
* Fixed message digest lookup by OID (regression in 1.6.0).
* Fixed a build problem on NetBSD.
* Fixed memory leaks in ECC code.
* Fixed some asm build problems and feature detection bugs.
* Interface changes relative to the 1.6.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GCRY_MD_FLAG_BUGEMU1 NEW (minor API change).
package build as a normal user
+ don't refer to MAKEFLAGS outside of pkgsrc/mk
+ add comments to patch files
+ use BSD_INSTALL_* definitions in the build Makefile
+ re-order some parts of the pkgsrc Makefile
+ use pkgsrc definitions for CFLAGS.${OPSYS} rather than conditionals
XXX - TO DO - fix the xauth issue here
0.16
* Clarify documentation for secret_service_clear_xxx() [#705629]
* Pass return_type to prompt async begin functions, rather than finish
* Simpler way to use custom service/collection/item types
* service: Rename secret_service_new() and friends to xxx_open()
* Add secret_value_get_text() function to return NULL terminated secret
* Fix return types in secret_service_search_finish() on error paths [#698040]
* Testing fixes [#705202]
* Build fixes [#704233]
* Updated translations
security/py-backports.ssl_match_hostname.
The Secure Sockets layer is only actually secure if you check the
hostname in the certificate returned by the server to which you
are connecting, and verify that it matches to hostname that you
are trying to reach.
But the matching logic, defined in RFC2818, can be a bit tricky to
implement on your own. So the ssl package in the Standard Library
of Python 3.2 and greater now includes a match_hostname() function
for performing this check instead of requiring every application
to implement the check separately.
This package contains the backport of this functionality to Python 2.
- Fixed a regression bug introduced in version 4.55 causing random
crashes on several platforms, including Windows 7.
- Fixed incorrect "stunnel -exit" process synchronisation.
- Fixed FIPS detection with new versions of the OpenSSL library.
- Failure to open the log file at startup is no longer ignored.
Assembler issues still seem to be there at least on SunOS.
* Version 3.2.9 (released 2014-01-24)
** libgnutls: The %DUMBFW option in priority string only
appends data to client hello if the expected size is in the
"black hole" range.
** libgnutls: %COMPAT implies %DUMBFW.
** libgnutls: gnutls_session_get_desc() returns a more compact
ciphersuite description.
* libgnutls: In PKCS #11 allow deleting multiple non-certificate data.
** libgnutls: When a PKCS #11 trust store is specified (e.g. using the
configure option --with-default-trust-store-pkcs11), then the PKCS #11
token is used on demand to obtain the trusted anchors, rather than
preloading all trusted certificates. That delegates CA certificate management
and blacklist checking to the PKCS #11 module.
** libgnutls: When a PKCS #11 trust store is specified in configure option
or in gnutls_x509_trust_list_add_trust_file(), then the module is used
to obtain the verification anchors and any required blacklists as in
http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html
** libgnutls: Fix in OCSP certificate status extension handling
in non-blocking servers. Patch by Nils Maier.
** p11tool: Added --so-login option to force login as security
officer (admin).
** API and ABI modifications:
No changes since last version.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
Changes in 3.2.8.1:
Note, that I've realized that this release has issues with the
assembly files in win32 and macosx systems. In these systems
use gnutls 3.2.8.1.
3.2.8:
* Version 3.2.8 (released 2013-12-20)
** libgnutls: Updated code for AES-NI. That prevents an uninitialized
variable complaint from valgrind.
** libgnutls: Enforce a maximum size for DH primes.
** libgnutls: Added SSSE3 optimized SHA1, and SHA256, using Andy Polyakov's
code.
** libgnutls: Added SSSE3 optimized AES using Mike Hamburg's code.
** libgnutls: It only links to librt if the required functions are
not present in libc. This also prevents an indirect linking to libpthread.
** libgnutls: Fixed issue with gnulib strerror replacement by adding
the strerror gnulib module.
** libgnutls: The time provided in the TLS random values is only precise
on its first 3 bytes. That prevents leakage of the precise system
time (at least on the client side when only few connections are
done on a single server).
** certtool: The --verify option will use the system CAs if the
load-ca-certificate option is not provided.
** configure: Added option --with-default-blacklist-file to allow
specifying a certificate blacklist file.
** configure: Added --disable-non-suiteb-curves option. This option
restricts the supported curves to SuiteB curves.
** API and ABI modifications:
gnutls_record_check_corked: Added
quality improvements. These include:
- Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format.
- Extraction, decompression, and scanning of files within Extensible Archive (XAR) format.
XAR format is commonly used for software packaging, such as PKG and RPM, as well as
general archival.
- Decompression and scanning of files in "Xz" compression format.
- Improvements and fixes to extraction and scanning of ole formats.
- Option to force all scanned data to disk. This impacts only a few file types where
some embedded content is normally scanned in memory. Enabling this option
ensures that a file descriptor exists when callback functions are used, at a small
performance cost. This should only be needed when callback functions are used
that need file access.
- Various improvements to ClamAV configuration, support of third party libraries,
and unit tests.
- Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)
- Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]
- Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]
expressions containing a '/' (divide) are problematic because according to
the SUN x86 Assembly Language Reference Manual, '/' should be treated as
starting comments.
To get over this, gas has '--divide' do not treat `/' as a comment character
**1.6.2** (2013-12-26)
======================
Minor changes & compatibility fixes
* Re-tuned the :attr:`~passlib.ifc.PasswordHash.default_rounds`
values for all of the hashes.
* Added the new :doc:`bcrypt_sha256 <lib/passlib.hash.bcrypt_sha256>` hash,
which wraps BCrypt using SHA256 in order to work around
BCrypt's password size limitations (:issue:`43`).
* :doc:`passlib.hash.bcrypt <lib/passlib.hash.bcrypt>`:
Added support for the `bcrypt <https://pypi.python.org/pypi/bcrypt>`_
library as one of the possible bcrypt backends that will be
used if available. (:issue:`49`)
* :mod:`passlib.ext.django`: Passlib's Django extension
(and it's related hashes and unittests) have been updated to
handle some minor API changes in Django 1.5-1.6. They should
now be compatible with Django 1.2 and up. (:issue:`50`)
Noteworthy changes in version 1.6.0 (2013-12-16)
------------------------------------------------
* Removed the long deprecated gcry_ac interface. Thus Libgcrypt is
not anymore ABI compatible to previous versions if they used the ac
interface.
* Removed the module register subsystem.
* The deprecated message digest debug macros have been removed. Use
gcry_md_debug instead.
* Removed deprecated control codes.
* Improved performance of most cipher algorithms as well as for the
SHA family of hash functions.
* Added support for the IDEA cipher algorithm.
* Added support for the Salsa20 and reduced Salsa20/12 stream ciphers.
* Added limited support for the GOST 28147-89 cipher algorithm.
* Added support for the GOST R 34.11-94 and R 34.11-2012 (Stribog)
hash algorithms.
* Added a random number generator to directly use the system's RNG.
Also added an interface to prefer the use of a specified RNG.
* Added support for the SCRYPT algorithm.
* Mitigated the Yarom/Falkner flush+reload side-channel attack on RSA
secret keys. See <http://eprint.iacr.org/2013/448> [CVE-2013-4242].
* Added support for Deterministic DSA as per RFC-6969.
* Added support for curve Ed25519.
* Added a scatter gather hash convenience function.
* Added several MPI amd SEXP helper functions.
* Added support for negative numbers to gcry_mpi_print,
gcry_mpi_aprint and gcry_mpi_scan.
* The algorithm ids GCRY_PK_ECDSA and GCRY_PK_ECDH are now
deprecated. Use GCRY_PK_ECC if you need an algorithm id.
* Changed gcry_pk_genkey for "ecc" to only include the curve name and
not the parameters. The flag "param" may be used to revert this.
* Added a feature to globally disable selected hardware features.
* Added debug helper functions.
