* pkgsrc change: switch dependency from net/bind914 to net/bind916.
zkt 1.1.4 -- 9. May 2016
* misc Hint to mailinglist removed from README file
* bug pathname wasn't initialized in any case (dist_and_reload() in nscomm.c
Thanks Jeremy C. Reed
* bug move $(LIBS) at the end of the ggc link line in Makefile.in
* misc Exitcode of external command is now visible in log messages
stderr of each external command is redirected to stdin
* bug Fixed some potential memory leaks in ncparse.c dki.c zfparse.c
and zkt-soaserial.c (mostly a missing fclose() on error conditions).
Thanks to Jeremy C. Reed
* misc README file changed to Markdown syntax
* bug running zkt-keyman -3 didn't change anything on the key database
so a zkt-signer run afterwards didn't see anything to do.
Now the timestamp of the dnskey.db will be reset to a value less
than the timestamp of the (new) key signing key.
Thanks to Sven Strickroth for finding this.
* func New binary zkt-delegate added
Because it depends on the ldns library, it is located in
a separate directory and use a different Makefile
* func New Compile time option "--enable-ds-tracking" added.
Now dig is used on KSK rollover to check if the DS record
is announced in the parent zone.
Thanks to Sven Strickroth providing the patch.
zkt 1.1.3 -- 21. Nov 2014
* func New Config Parameter DependFiles added.
Contains a (comma separated) list of files which are
included into the ZoneFile. The timestamps of this files
are checked additional to the timestamp of the ZoneFile.
Based on a suggestion from Sven Strickroth
* misc Makefile changed to build tar file out of git repository
* misc Minimum supported BIND version is now 9.8
* bug Fixed bug in BIND version parsing (9.10.1 was parsed as 910
which is similar to 9.1.0)
Version 9.10.1 is parsed now as 091001
* misc Remove flag to request large exponent when creating keys
(BIND always creates keys with large exponents since BIND 9.5.0)
* misc Project moved to github
Thanks to Jakob Schlyter for doing the initial stuff
Major changes in 4.1
--------------------
Version 4.0 was the last version to support Python 2 and 3.4. Version 4.1 is compatible with Python 3.5+ only.
(newer changes not found)
Python-RSA is a pure-Python RSA implementation. It supports encryption
and decryption, signing and verifying signatures, and key generation
according to PKCS#1 version 1.5. It can be used as a Python library
as well as on the commandline.
This package contains the last version supported by Python 2.x.
I was confused about which SUBST was not ok, and had removed two, when
only one was troubled.
This is probably still not quite right, but zoneminder needs an update
of multiple major versions anyway.
Thanks to rillig@ for review and hints.
This is a collection of simple PIN or passphrase entry dialogs which
utilize the Assuan protocol as described by the aegypten project.
It provides programs for several graphical toolkits, such as FLTK,
GTK+ and QT, as well as for the console, using curses.
This package contains the GNOME 3 frontend.
v 11.0.41rc2
============================================================
x More precise event suppression mechanism
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.41rc2
============================================================
x More precise event suppression mechanism
v 11.0.41rc1
============================================================
x Fixed regression: events suppressed on file:// pages
unless scripts are allowed
x Updated TLDs
v 11.0.40
============================================================
x Avoid synchronous policy fetching whenever possible
(fixes multiple issues)
v 11.0.40rc2
============================================================
x Avoid synchronous policy fetching whenever possible
v 11.0.40rc1
============================================================
x Handle edge case in file:// pages: policy change and
reload before DOMContentLoaded
v 11.0.39
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Added "Revoke temporary permissions on NoScript updates,
even if the browser is not restarted" advanced option
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
v 11.0.39rc8
============================================================
x Several hacks to make non-distruptive updates compatible
with Chromium
x Tighten localPolicy persistence mechanism during reloads
v 11.0.39rc7
============================================================
x Temporary settings survival more resilient and compatible
with Fenix
x [L10n] Updated es
v 11.0.39rc6
============================================================
x Fix reload loops on broken file: HTML documents (thanks
bernie for report)
x [XSS] Updated HTML event attributes
v 11.0.39rc5
============================================================
x Local policy fallback for file: and ftp: URLs using
window.name rather than sessionStorage
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr,
zh_CN, zh_TW
x Renamed option to "Revoke temporary permissions on
NoScript updates, even if the browser is not restarted"
v 11.0.39rc4
============================================================
x Added option to forget temporary settings immediately
whenever NoScript gets updated
x Fixed regression: file:/// URLs reloaded whenever NoScript
gets reinstalled / enabled / reloaded
x More resilient and easy to debug survival data retrieving
v 11.0.39rc3
============================================================
x Fixed regression causing manual NoScript downgrades to be
delayed until manual restart
v 11.0.39rc2
============================================================
x Let temporary permissions survive NoScript updates
(shameless hack)
x Fixed some traps around Messages abstraction
x Ignore search / hash on policy matching of domain-less
URLs (e.g. file:///...)
x Removed useless CSS property
x Updated TLDs
v 11.0.39rc1
============================================================
x Updated TLDs
x Fixed automatic scrolling hampers usability on long sites
lists in popup
x Fixed typo in vendor-prefixed CSS
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38
============================================================
x Better timing for event attributes removal/restore
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.38rc2
============================================================
x Better timing for event attributes removal/restore
v 11.0.38rc1
============================================================
x Work-arounds for edge cases in synchronous page loads
bypassing webRequest (thanks skriptimaahinen)
x [L10n] Updated bn
v 11.0.37
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
x Updated TLDs
v 11.0.37rc3
============================================================
x Simpler and more reliable sendSyncMessage implementation
and usage
x Updated TLDs
v 11.0.37rc2
============================================================
x SyncMessage suspending on DOM modification as well
x Updated TLDs
v 11.0.37rc1
============================================================
x Updated TLDs
x sendSyncMessage support for multiple suspension requests
(should fix extension script injection issues)
v 11.0.36
============================================================
x Fixed regression: temporary permissions revocation not
working anymore on privileged pages
x SendSyncMessage script execution safety net more
compatible with other extensions (e.g. BlockTube)
v 11.0.35
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
x Let SyncMessage prevent undesired script execution
scheduled during suspension
v 11.0.35rc4
============================================================
x Avoid unnecessary reloads on temporary permissions
revocation
x Fixed potentially infinite loop in SyncMessage Firefox
implementation
x [UI] Removed accidental cyan background for site labels
x [L10n] Updated es
v 11.0.35rc3
============================================================
x Work-around for conflict with extensions inserting
elements into content pages' DOM early
x [XSS] Updated HTML events
v 11.0.35rc2
============================================================
x Updated TLDs
x Fixed buggy policy references in the Options dialog
x More accurate NOSCRIPT element emulation
x Anticipate onScriptDisabled surrogates to first script-src
'none' CSP violation
x isTrusted checks for all the content events
x Improved look in mobile portrait mode
v 11.0.35rc1
============================================================
x Let SyncMessage prevent undesired script execution
scheduled during suspension
Certbot 1.7.0
Added
Third-party plugins can be used without prefix (plugin_name instead of dist_name:plugin_name):
this concerns the plugin name, CLI flags, and keys in credential files.
The prefixed form is still supported but is deprecated, and will be removed in a future release.
Added --nginx-sleep-seconds (default 1) for environments where nginx takes a long time to reload.
Changed
The Linode DNS plugin now waits 120 seconds for DNS propagation, instead of 1200,
due to https://www.linode.com/blog/linode/linode-turns-17/
We deprecated support for Python 3.5 in Certbot and its ACME library.
Support for Python 3.5 will be removed in the next major release of Certbot.
More details about these changes can be found on our GitHub repo.
This is the last version that supports autoconf, and this update is
only because it's a reasonable benefit/cost tradeoff as an
intermediaate step. Tested on netbsd-9/earmv7hf-el.
Upstream chanages:
many bug fixes and improvements
zoneminder API
Multiserver
limted ONVIF support
See more at
https://github.com/ZoneMinder/zoneminder/releases/tag/v1.29.0-rc2 and
before and after.
Note that when updating, one must run zmupdate to modify the db schema.
give "gpg: can't connect to the agent: File name too long". Make this
less annoying by not running tests before 'make test' (and fixing that
pkgsrc target).
As of 1.24, MATE requires GNU-specific msgfmt features. meta-pkgs/mate/
Makefile.common r. 1.10 expressed this tool dependency using
USE_BUILTIN.gettext=no, but this exposed pkgsrc gettext-libs in the
build environment as well, which some MATE packages then linked
against, but gettext-libs didn't end up being declared as a run-time
dependency, so binary package installations were broken (with the
workaround of manually installing the undeclared gettext-libs
dependency). Express this dependency differently, so GNU msgfmt is
used as a tool without exposing pkgsrc gettext-libs.
(The pkgsrc tooling infrastruture could be altered to provide a
distinct "gmsgfmt" tool, same with "gxgettext", and perhaps others.
Here I'm just immediately concerned with fixing this packaging issue.)
Addresses PR pkg/55503 by Jay Patel.
* Disable document option, it requires asciidoctor.
Changelog:
## 2.6.1 (2020-08-19)
### Added
- Add menu entries for auto-typing only username or only password [#4891]
- Browser: Add command for retrieving current TOTP [#5278]
- Improve man pages [#5010]
- Linux: Support Xfce screen lock signals [#4971]
- Linux: Add OARS metadata to AppStream markup [#5031]
- SSH Agent: Substitute tilde with %USERPROFILE% on Windows [#5116]
### Changed
- Improve password generator UI and UX [#5129]
- Do not prompt to restart if switching the theme back and forth [#5084]
- Change actions for F1, F2, and F3 keys [#5082]
- Skip referenced passwords in health check report [#5056]
- Check system-wide Qt translations directory for downstream translations packaging [#5064]
- macOS: Change password visibility toggle shortcut to Ctrl+H to avoid conflict with system shortcut [#5114]
- Browser: Only display domain name in browser access confirm dialog to avoid overly wide window sizes [#5214]
### Fixed
- Fix clipboard not being cleared when database is locked while timeout is still active [#5184]
- Fix list of previous databases not being cleared in some cases [#5123]
- Fix saving of non-data changes on database lock [#5210]
- Fix search results banner theming [#5197]
- Don't enforce theme palette in Classic theme mode and add hover effect for buttons [#5122,#5267]
- Fix label clipping in settings on high-DPI screens [#5227]
- Fix excessive memory usage by icons on systems with high-DPI screens [#5266]
- Fix crash if number of TOTP digits exceeds ten [#5106]
- Fix slot detection when first YubiKey is configured on the second slot [#5004]
- Prevent crash if focus widget gets deleted during saving [#5005]
- Always show buttons for opening or saving attachments [#4956]
- Update link to Auto-Type help [#5228]
- Fix build errors with Ninja [#5121]
- CLI: Fix db-info command wrongly labelled as db-show in usage listing [#5140]
- Windows: Use Classic theme by default if high-contrast mode is on [#5191]
- Linux: Add workaround for qt5ct bug, causing icons not to show up [#5011]
- Linux: Correct high-DPI display by not allowing fractional scaling [#5185]
- Browser: Consider subdomain and path when requesting only "best-matching credentials" [#4832]
- SSH Agent: Always forget all keys on lock [#5115]
## 2.6.0 (2020-07-06)
### Added
- Custom Light and Dark themes [#4110, #4769, #4791, #4892, #4915]
- Compact mode to use classic Group and Entry line height [#4910]
- New monochrome tray icons [#4796, #4803]
- View menu to quickly switch themes, compact mode, and toggle UI elements [#4910]
- Search for groups and scope search to matched groups [#4705]
- Save Database Backup feature [#4550]
- Sort entries by "natural order" and move lines up/down [#4357]
- Option to launch KeePassXC on system startup/login [#4675]
- Caps Lock warning on password input fields [#3646]
- Add "Size" column to entry view [#4588]
- Browser-like tab experience using Ctrl+[Num] (Alt+[Num] on Linux) [#4063, #4305]
- Password Generator: Define additional characters to choose from [#3876]
- Reports: Database password health check (offline) [#3993]
- Reports: HIBP online service to check for breached passwords [#4438]
- Auto-Type: DateTime placeholders [#4409]
- Browser: Show group name in results sent to browser extension [#4111]
- Browser: Ability to define a custom browser location (macOS and Linux only) [#4148]
- Browser: Ability to change root group UUID and inline edit connection ID [#4315, #4591]
- CLI: `db-info` command [#4231]
- CLI: Use wl-clipboard if xclip is not available (Linux) [#4323]
- CLI: Incorporate xclip into snap builds [#4697]
- SSH Agent: Key file path env substitution, SSH_AUTH_SOCK override, and connection test [#3769, #3801, #4545]
- SSH Agent: Context menu actions to add/remove keys [#4290]
### Changed
- Complete replacement of default database icons [#4699]
- Complete replacement of application icons [#4066, #4161, #4203, #4411]
- Complete rewrite of documentation and manpages using Asciidoctor [#4937]
- Complete refactor of config files; separate between local and roaming [#4665]
- Complete refactor of browser integration and proxy code [#4680]
- Complete refactor of hardware key integration (YubiKey and OnlyKey) [#4584, #4843]
- Significantly improve performance when saving and opening databases [#4309, #4833]
- Remove read-only detection for database files [#4508]
- Overhaul of password fields and password generator [#4367]
- Replace instances of "Master Key" with "Database Credentials" [#4929]
- Change settings checkboxes to positive phrasing for consistency [#4715]
- Improve UX of using entry actions (focus fix) [#3893]
- Set expiration time to Now when enabling entry expiration [#4406]
- Always show "New Entry" in context menu [#4617]
- Issue warning before adding large attachments [#4651]
- Improve importing OPVault [#4630]
- Improve AutoOpen capability [#3901, #4752]
- Check for updates every 7 days even while still running [#4752]
- Improve Windows installer UI/UX [#4675]
- Improve config file handling of portable distribution [#4131, #4752]
- macOS: Hide dock icon when application is hidden to tray [#4782]
- Browser: Use unlock dialog to improve UX of opening a locked database [#3698]
- Browser: Improve database and entry settings experience [#4392, #4591]
- Browser: Improve confirm access dialog [#2143, #4660]
- KeeShare: Improve monitoring file changes of shares [#4720]
- CLI: Rename `create` command to `db-create` [#4231]
- CLI: Cleanup `db-create` options (`--set-key-file` and `--set-password`) [#4313]
- CLI: Use stderr for help text and password prompts [#4086, #4623]
- FdoSecrets: Display existing secret service process [#4128]
### Fixed
- Fix changing focus around the main window using tab key [#4641]
- Fix search field clearing while still using the application [#4368]
- Improve search help widget displaying on macOS and Linux [#4236]
- Return keyboard focus after editing an entry [#4287]
- Reset database path after failed "Save As" [#4526]
- Make builds reproducible [#4411]
- Improve handling of ccache when building [#4104, #4335]
- Windows: Use correct UI font and size [#4769]
- macOS: Properly re-hide application window after browser integration and Auto-Type usage [#4909]
- Linux: Fix version number not embedded in AppImage [#4842]
- Auto-Type: Fix crash when performing on new entry [#4132]
- Browser: Send legacy HTTP settings to recycle bin [#4589]
- Browser: Fix merging browser keys [#4685]
- CLI: Fix encoding when exporting database [#3921]
- SSH Agent: Improve reliability and underlying code [#3833, #4256, #4549, #4595]
- FdoSecrets: Fix crash when editing settings before service is enabled [#4332]
Changes since v4.4.0:
wolfSSL Release 4.5.0 (August 19, 2020)
If you have questions about this release, feel free to contact us on our
info@ address.
Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions
* Added Xilinx Vitis 2019.2 example and README updates
* TLS v1.3 is now enabled by default
* Building FIPS 140-2 code and test on Solaris
* Secure renegotiation with DTLS 1.2
* Update RSA calls for hardware acceleration with Xilsecure
* Additional OpenSSL compatibility layer functions added
* Cypress PSoC6 wolfCrypt driver added
* Added STM32CubeIDE support
* Added certificate parsing and inspection to C# wrapper layer
* TLS v1.3 sniffer support added
* TSIP v1.09 for target board GR-ROSE support added
* Added support for the "X72N Envision Kit" evaluation board
* Support for ECC nonblocking using the configure options
"--enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS=-DWOLFSSL_PUBLIC_MP"
* Added wc_curve25519_make_pub function to generate a public key given the
private one
Fixes
* PIC32MZ hardware cache and large hashes fix
* AES-GCM use with EVP layer in compatibility layer code
* Fix for RSA_LOW_MEM with ARM build of SP code
* Sanity check on tag length with AES-CCM to conform with RFC 3610
* Fixes for 32 and 64 bit software implementations of SP code when
WOLFSSL_SP_CACHE_RESISTANT is defined
* GCC warning fixes for GCC 9 and later
* Sanity check on HKDF expand length to conform with RFC 5869
* Fixes for STM32 CubeMX HAL with AES-GCM
* Fixed point cache look up table (LUT) implementation fixes
* Fix for ARM 32bit SP code when calling div word
* Fix for potential out of bounds read when parsing CRLs
* Fix for potential out of bounds read with RSA unpadding
* AES-CCM optimized counter fix
* Updates to Xcode projects for new files and features
* Fix for adding CRL’s to a WOLFSSL_X509_STORE structure
* FIPSv2 build with opensslall build fixes
* Fixes for CryptoCell use with ECC and signature wrappers
* Fix for mod calculation with SP code dealing with 3072 bit keys
* Fix for handling certificates with multiple OU’s in name
* Fix for SP math implementation of sp_add_d and add a sanity check on
rshb range
* Fix for sanity check on padding with DES3 conversion of PEM to DER
* Sanity check for potential out of bounds read with fp_read_radix_16
* Additional checking of ECC scalars.
* Fixing the FIPS Ready build w.r.t. ecc.c.
* When processing certificate names with OpenSSL compatibility layer
enabled, unknown name item types were getting handled as having NID 0,
and failing. Added a couple more items to what is handled correctly,
and ignoring anything that is an unknown type.
Improvements/Optimizations
* TLS 1.3 certificate verify update to handle 8192 bit RSA keys
* wpa_supplicant support with reduced code size option
* TLS 1.3 alerts encrypted when possible
* Many minor coverity fixes added
* Error checking when parsing PKCS12 DER
* IAR warning in test.c resolved
* ATECC608A improvements for use with Harmony 3 and PIC32 MZ
* Support for AES-GCM and wc_SignatureVerifyHash with static memory and no
malloc’s
* Enable SNI by default with JNI/JSSE builds
* NetBSD GCC compiler warnings resolved
* Additional test cases and code coverage added including curve25519 and
curve448 tests
* Option for user defined mutexes with WOLFSSL_USER_MUTEX
* Sniffer API’s for loading buffer directly
* Fixes and improvements from going through the DO-178 process were added
* Doxygen updates and fixes for auto documentation generation
* Changed the configure option for FIPS Ready builds to be
`--enable-fips=ready`.
This release of wolfSSL includes fixes for 6 security vulnerabilities.
wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
2 side channel attack mitigations, 1 fix for a potential private key leak
in a specific use case, 1 fix for DTLS.
* In earlier versions of wolfSSL there exists a potential man in the middle
attack on TLS 1.3 clients. Malicious attackers with a privileged network
position can impersonate TLS 1.3 servers and bypass authentication. Users
that have applications with client side code and have TLS 1.3 turned on,
should update to the latest version of wolfSSL. Users that do not have
TLS 1.3 turned on, or that are server side only, are NOT affected by this
report. Thanks to Gerald Doussot from NCC group for the report.
* Denial of service attack on TLS 1.3 servers from repetitively sending
ChangeCipherSpecs messages. This denial of service results from the
relatively low effort of sending a ChangeCipherSpecs message versus the
effort of the server to process that message. Users with TLS 1.3 servers are
recommended to update to the most recent version of wolfSSL which limits the
number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid
this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to
Lenny Wang of Tencent Security Xuanwu LAB.
* Potential cache timing attacks on public key operations in builds that are
not using SP (single precision). Users that have a system where malicious
agents could execute code on the system, are not using the SP build with
wolfSSL, and are doing private key operations on the system (such as signing
with a private key) are recommended to regenerate private keys and update to
the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report.
* When using SGX with EC scalar multiplication the possibility of side-channel
attacks are present. To mitigate the risk of side channel attacks wolfSSL’s
single precision EC operations should be used instead. Release 4.5.0 turns
this on be default now with SGX builds and in previous versions of wolfSSL
this can be turned on by using the WOLFSSL_SP macros. Thank you to
Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from
the Network and Information Security Group (NISEC) at Tampere University for
the report.
* Leak of private key in the case that PEM format private keys are bundled in
with PEM certificates into a single file. This is due to the
misclassification of certificate type versus private key type when parsing
through the PEM file. To be affected, wolfSSL would need to have been built
with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as
--enable-all and --enable-opensslall also turn on this code path, checking
wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the
build. If having built with the opensslextra enable option and having placed
PEM certificates with PEM private keys in the same file when loading up the
certificate file, then we recommend updating wolfSSL for this use case and
also recommend regenerating any private keys in the file.
* During the handshake, clear application_data messages in epoch 0 are
processed and returned to the application. Fixed by dropping received
application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala
University and Robert Merget of Ruhr-University Bochum for the report.
For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
acceleration code. If we're x86_64, and the assembler is GNU, and the
version is too old, disable hardware acceleration. Other non-working
combinations can be added as they're discovered. No functional change
intended to any platforms where this previously built, but since it's
hard to be sure of that, I'm bumping PKGREVISION.
Alternatively, we could build with gas from devel/binutils when needed.
multimedia/libvpx says it does this (for similar reasons), but I
couldn't get that to work here, and am suspicious whether it still
works there.
This enables built-in U2F/FIDO security key support, without any
SSH_SK_PROVIDER middleware library needed. Works only on platforms
with working libfido2, so not enabled by default yet. We should
enable it by default in NetBSD>=10 and maybe some other platforms.
packaging changes: accomodate README to README.md transition
upstream changes:
- support added for many cards/readers (see README.md upstream for list)
- bugfixes
- minor improvements
1.4.33 - 25 June 2020, Ludovic Rousseau
- add --enable-oslog argument for macOS
use os_log(3) for macOS >= 10.12 (Sierra)
- Update PCSC submodule to get Unicode support
1.4.32 - 22 April 2020, Ludovic Rousseau
- Add SCardGetAttrib(.., SCARD_ATTR_CHANNEL_ID, ..) for USB devices
- Increase the timeout used to detect the Identiv uTrust 3700/3701 F readers
- Fix PowerOn bug for ICCD type A & B devices
- Disable pinpad for Chicony HP Skylab USB Smartcard Keyboard
1.4.31 - 10 August 2019, Ludovic Rousseau
1.4.30 - 19 September 2018, Ludovic Rousseau
- The project moved to https://ccid.apdu.fr/
- Disabled readers
- REINER SCT cyberJack RFID standard
1.4.29 - 21 February 2018, Ludovic Rousseau
- The C3PO LTC31 v2 wrongly declares PIN support
- Remove extra EGT patch because if has bad side effects
1.4.28 - 11 October 2017, Ludovic Rousseau
- Disabled readers
- Jinmuyu Electronics Co., Ltd. MR800
Yubico's Python library and command-line tool for managing Yubikeys.
Meta-package security/ykman gives a more obvious name, without any
Python package prefixing, for the ykman command-line tool package.
The webauthn API is disabled by default in the Tor Browser:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26614
In order to use it, risking the consequences since the Tor Project
has not audited its anonymity properties, you have to explicitly
enable security.webauthn.webauthn=true in about:config.
So if you definitely want to log into a web site using U2F in spite
of that, with location privacy but not anonymity, then these patches
now enable it to work on NetBSD (with the caveat that enabling
security.webauthn.webauthn=true applies also to any web site that
tries to use the webauthn API, not just the ones you want to log
into).
Changes since previous pkgsrc version 2.5.1, from the NEWS file
Also add a fix for proper escape single quotes in RelayState
From upstream https://dev.entrouvert.org/issues/45581
2.6.1 - Aptil 22th 2019
----------------------
42 commits, 425 files changed, 3894 insertions, 795 deletions
- Keep order of SessionIndexes
- Clear SessionIndex when private SessionIndexes is empty (#41950)
- misc: clear warnings about class_init signature using coccinelle
- tests: fix compilation with check>0.12 (#39101)
- Sort input file lists to make build deterministic (#40454)
- debian: disable php7 (#28608)
- Modify .gitignore for PHP 7 binding (#28608)
- Add PHP 7 binding (#28608)
- Fix tests broken by new DEBUG logs (#12829)
- Improve error logging during node parsing (#12829)
- Improve configure compatibility (#32425)
- Improve compatibility with Solaris (#32425)
- Fix reference count in lasso_server_add_provider2 (fixes#35061)
- Fix python multi-version builds on jessie and stretch
- docs: do not use Internet to fetch DTDs, entities or documents (#35590)
- fix missing include <strings.h> for index() (fixes#33791)
- PAOS: Do not populate "Destination" attribute (Dmitrii Shcherbakov)
- export symbol lasso_log (#33784)
- Do not ignore WantAuthnRequestSigned value with hint MAYBE (#33354)
- Use io.open(encoding=utf8) in extract_symbols/sections.py (#33360)
- xml: adapt schema in saml2:AuthnContext (#29340)
- Fix ECP signature not found error when only assertion is signed (#26828)
- autoconf: search python interpreters by versions (John Dennis)
- python: make tools compatible with Py3 (John Dennis)
- python: run tests and tools with same interpreter as binding target (John Dennis)
- improve resiliency of lasso_inflate (#24853)
- fix segfault in lasso_get_saml_message (#24830)
- python: add classmethod Profile.getIssuer (#24831)
- website: add news about 2.6.0 release
- debian: sync with debian package (#24595)
- faq: fix references to lasso.profileGetIssuer (#24832)
- python: add a classmethod for lasso.profileGetIssuer (#24831)
- tools: fix segfault in lasso_get_saml_message (fixes#24830)
- jenkins.sh: add a make clean to prevent previous build to break new ones
- tools: set output buffer size in lasso_inflate to 20 times the input size (fixes#24853)
- Use python interpreter specified configure script
- Make Python scripts compatible with both Py2 and Py3
- fix duplicate definition of LogoutTestCase and logoutSuite
- Downcase UTF-8 file encoding name
- Make more Python scripts compatible with both Py2 and Py3
- Configure should search for versioned Python interpreter.
- Clean python cache when building python3 binding
- Move AC_SUBST declaration for AM_CFLAGS with alike (#24771)
- Remove -Werror from --enable-debugging (fixes#24771)
- xml: fix parsing of saml:AuthnContext (fixes#25640)
2.6.0 - June 1st 2018
---------------------
32 commits, 73 files changed, 1920 insertions, 696 deletions
- add inline implementation of lasso_log
- Choose the Reference transform based on the chosen Signature transform (fixes#10155)
- add support for C14N 1.1 methods and C14N withComments methods (fixes#4863)
- remove DGME specific commented out code
- add docstring on SHA-2 signature method enum
- tests: silence unused variable warning
- check node names in lasso_node_impl_init_from_xml() (fixes#47)
- fix segfault when parsed node has no namespace (#47)
- do not call xmlSecKeyDuplicate is source key is NULL
- enable user supplied CFLAGS
- Fix ecp test validate_idp_list() (fixes#11421)
- tests: convert log level as string
- fix definitions of error, critical and warning macros (fixes#12830)
- jenkins.sh: add V=1
- add defined for the XML namespace
- ignore unknown attributes from the xsi: namespace
- saml-2.0: improve support for free content inside samlp2:Extensions (fixes#18581)
- debian: initialize stretch packaging with a copy of upstream debian (#21772)
- replace use of <xmlsec/soap.h> which is deprecated (fixes#18771)
- fix get_issuer and get_in_response_to
- route logs from libxml2 and libxmlsec through GLib logging
- tests: prevent crash in glib caused by abort on recursive logging
- java: stop setting a bytecode version target
- add xmlsec_soap.h to Makefile
- python: route logs for libxml2 and libxmlsec2 to their own logger
- perl: force use of the in-tree lasso when running tests (fixes#23276)
- perl: set DESTDIR and PREFIX at Makefile's creation
- Replace xmlSecSoap functions with lasso implementations
- add a pem-public-key runtime flag
- deprecate loading PEM formatted public keys in lasso_xmlsec_load_key_info
- perl/tests: build Makefile.perl before running the tests
