Commit graph

10586 commits

Author SHA1 Message Date
nia
406aed1243 lua-arc4random: Fix HOMEPAGE 2020-07-02 17:50:38 +00:00
nia
faffed5f59 security: Add lua-arc4random
The arc4random family of functions provides a cryptographic pseudorandom
number generator automatically seeded from the system entropy pool and
safe to use from multiple threads.  arc4random is designed to prevent an
adversary from guessing outputs, unlike rand(3) and random(3), and is
faster and more convenient than reading from /dev/urandom directly.

This is a Lua wrapper for arc4random(3), portable to systems that
do and don't have it natively in libc. On systems where arc4random
may be insecure it provides a replacement.
2020-07-02 17:46:26 +00:00
nia
d595f17abc security: Add lua-argon2
Lua C binding for the Argon2 password hashing algorithm
2020-07-02 14:02:36 +00:00
nia
ce231128fe ap-modsecurity2: Uses lua51. 2020-06-30 17:38:02 +00:00
schmonz
a345269c2f Modernize patch filenames. NFCI. 2020-06-30 13:35:37 +00:00
adam
5e34ace445 py-cryptodome: updated to 3.9.8
3.9.8:

Resolved issues
* The Shamir's secret sharing implementation is not actually compatible with ``ssss``.
  Added an optional parameter to enable interoperability.
* Skip altogether loading of ``gmp.dll`` on Windows.
* Fix incorrect CFB decryption when the input and the output are the same buffer.
2020-06-29 13:36:51 +00:00
nia
a87608e63d mbedtls: Add KERN_ARND support.
Motivation: the default behaviour of reopening /dev/urandom repeatedly
for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
Not helped is using fread(), which assumes a long-lived file and buffers
excessively. This change makes the standard gen_entropy tool run in
milliseconds instead of seconds when it generates 48K of randomness.

Not only that, but sysctl is a lot more robust in e.g. chroots, resource
limited processes, etc.

Risk: On NetBSD, the security properties of the previous and current
behaviour are identical.

Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423

Bump PKGREVISION.
2020-06-29 12:39:36 +00:00
ryoon
c389f7db21 putty: Update to 0.74
Changelog:
This release fixes the following security issues:

 - In some situations an SSH server could cause PuTTY to access freed
   memory by pretending to accept an SSH key and then refusing the
   actual signature. It can only happen if you're using an SSH agent.

 - New configuration option to disable PuTTY's default policy of
   changing its host key algorithm preferences to prefer keys it
   already knows. (There is a theoretical information leak in this
   policy.)

Other bug fixes include:

 - Windows installer: the text in the installer UI is now visible in
   Windows high-contrast mode. (Previously it was white on white by
   mistake.)

 - Windows 7: fixed spurious OS out-of-memory error when reading
   passwords from a Windows console (e.g. psftp).

 - Terminal crash: the dreaded "line==NULL" error could happen if an
   application switched between the main and alternate screens while
   the user was looking at the scrollback.

 - Terminal crash: the terminal could fail an assertion when sending
   an empty answerback string, and when pasting text none of whose
   characters exist in the selected character set.

 - SSH: fixed endless memory-allocating loop that could be triggered
   by the combination of a misbehaving SSH agent and PuTTY's bug
   compatibility mode for padded RSA signatures.

 - File transfer: when uploading files to some SFTP servers (e.g. the
   one in proftpd's mod_sftp), PSFTP would consume up to 4GB of local
   memory before sending anything to the server.

 - Terminal behaviour: sometimes the cursor was put in the wrong place
   after restoring from the alternate screen.

 - GTK: fixed font size calculation when using newer Pango libraries
   (e.g. the one on Ubuntu 20.04).

 - GTK: scroll wheel events now work in unusual environments like VNC.
2020-06-29 11:49:50 +00:00
schmonz
3948870bde Retire 'djbware-errno-hack' and associated options.mk cleverness.
Instead:

1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed

Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.

Approved during the freeze by wiz@.
2020-06-25 05:42:36 +00:00
taca
b6a4c023f3 security/ruby-metasploit-model: update to 3.0.0
Update ruby-metasploit-model to 3.0.0, this is a leaf package and is
currently marked as broken.

3.0.0

* Switch to use Ruby on Rails 5.2.
2020-06-24 11:09:29 +00:00
taca
f39710ea7e security/ruby-sshkey: update to 2.0.0
Update ruby-sshkey to 2.0.0.

pkgsrc change: add "USE_LANGUAGES=	# none".


2.0.0 (2019-02-11)

* Breaking Change: Drop support for Ruby 1.9
* Feature: Accept valid ed25519 keys with leading zero byte (#37)
* Feature: Support sshfp (#30)
2020-06-21 15:52:12 +00:00
taca
a1a4d46750 Add "USE_LANGUAGES= # none"
Add "USE_LANGUAGES=	# none" for pure Ruby packages.
2020-06-21 14:54:50 +00:00
taca
53928c87f6 security/ruby-metasploit_payloads-mettle: update to 1.0.1
Update ruby-metasploit_payloads-mettle to 1.0.1.

No release notes or changelog are available.  Quote from
<https://github.com/rapid7/mettle/compare/v1.0.0...v1.0.1>:

1.0.1 (2020-06-18)

* Use DER instead of PEM for TLV encryption.
2020-06-21 14:52:14 +00:00
taca
a2c0d860b3 security/ruby-metasploit-payloads: update to 2.0.5
Update ruby-metasploit-payloads to 2.0.5.

No release notes or changelog are available.  Please refer to the commit log
for details:
<https://github.com/rapid7/metasploit-payloads/compare/v2.0.3...v2.0.5>.
2020-06-21 14:41:03 +00:00
plunky
224eff888e Look for nginx.conf in PKG_SYSCONFDIR.nginx 2020-06-21 08:00:03 +00:00
adam
2dc1201308 opensc: make it build again 2020-06-20 19:08:19 +00:00
adam
d7957d3666 pcsc-lite: updated to 1.9.0:
1.9.0:
- SCardEndTransaction(): greatly improve performances (x300)
- tokenparser: accept any Unicode character in a reader name
- Use /run instead of /var/run by default
- Fix a memory leak from a polkit call
- Some other minor improvements

1.8.26:
- Use poll() instead of select() to allow file descriptor higher than FD_SETSIZE
- Enable reader filtering by default
- pcsc-spy:
  . Do not read output buffer after error
  . Adjust code to handle autoallocated buffers
  . fix year-2038 issue by using long instead of int
- Android: fix compilation
- if client/server protocol mismatch:
  . log an explicit message
  . SCardEstablishContext() returns SCARD_E_SERVICE_STOPPED
- polkit: log the error message if polkit_authority_get_sync() fails
- Exit with EXIT_SUCCESS on shutdown to please systemd
- Doxygen: fix minor issues in the documentation
- Add --disable-documentation option
- Fix a minor memory leak

1.8.25:
- Fix a socket issue when pcscd is used inside LXC container
- pcsc-spy: always provide a total time of execution
- Fix resource leak if SCardEstablishContext() fails
- Fix realloc(3) error handling (possible memory leak)
- Remove usage of function chmod(2) to use fchmod(2) (fix race condition)

1.8.24:
- the project moved to https://pcsclite.apdu.fr/
- SCardGetStatusChange(): Fix a rare race condition
- SCardReleaseContext(): do not release a lock owned by another context
- SCardReconnect(): suspend card auto power off
- Allow "=" in serial driver filenames
- Add the thread id in the pcscd log lines
- pcsc-spy: correctly handle incomplete log file
- Simclist: avoid to divide by zero in list_findpos()
- Some other minor improvements
2020-06-20 19:03:37 +00:00
adam
a04f73b225 py-google-auth: updated to 1.18.0
1.18.0:
Features
make load_credentials_from_file a public method

Bug Fixes
no warning if quota_project_id is given
2020-06-20 16:28:08 +00:00
adam
c85ae4e281 py-certifi: updated to 2020.4.5.2
2020.4.5.2:
Unknown changes
2020-06-19 20:40:11 +00:00
wiz
201cabf342 tor-browser: merge multiprocess changes from firefox68
Bump PKGREVISION.
2020-06-18 12:56:40 +00:00
nia
f6c3d16fb2 tor-browser: Remove patches for NetBSD 7, rust dropped support for NetBSD 7 2020-06-17 18:02:53 +00:00
bsiegert
121a05e61b Revbump Go packages after Go 1.14.4 update. 2020-06-17 09:54:00 +00:00
adam
7700ae91bb py-google-auth: updated to 1.17.2
1.17.2:
Bug Fixes
dependencies: Further restrict RSA versions
2020-06-16 16:53:38 +00:00
nikita
fc57a20373 pyversion 2020-06-16 11:46:57 +00:00
nikita
123cdba4cc py-pyutil, passphrase: Add CONFLICTS entry. 2020-06-16 11:34:40 +00:00
nikita
f6dc9f2fa6 security/passphrase: simplify, use application.mk 2020-06-16 11:02:44 +00:00
nikita
03b3dc3233 Add security/passphrase version 1.0.0
Passphrase is a zero-dependency passphrase generator.

It is pretty fast (over 6000 times faster than
bitwarden's "bw generate -p",) and you can use any wordlist.
An English wordlist is included, and is the default.
2020-06-16 10:30:32 +00:00
taca
ed19faa76a security/ruby-metasploit_payloads-mettle: update to 1.0.0
Update ruby-metasploit_payloads-mettle to 1.0.0.

No release notes or changelog are available.  Please refer to the commit log
for details: <https://github.com/rapid7/mettle/compare/v0.5.20...v1.0.0>.
2020-06-15 14:39:57 +00:00
taca
4d33a78b4e security/ruby-metasploit-payloads: update to 2.0.3
Update ruby-metasploit-payloads to 2.0.3.

No release notes or changelog are available.  Please refer to the commit log
for details:
<https://github.com/rapid7/metasploit-payloads/compare/v1.4.3...v2.0.3>.
2020-06-15 14:26:23 +00:00
ryoon
cff1a04229 security: Enable cyrus-sasl-xoauth2 2020-06-12 13:42:45 +00:00
ryoon
e95c84ceb2 security/cyrus-sasl-xoauth2: import cyrus-sasl-xoauth2-0.0.0.20200428
XOAUTH2 mechanism plugin for security/cyrus-sasl
2020-06-12 13:41:41 +00:00
maya
64d7e64a83 mozilla-rootcerts: explain that this package isn't all the mozilla rootcerts 2020-06-12 10:37:18 +00:00
maya
7cdf6f4ced mozilla-rootcerts*: remove Kamu SM from the list of certificates.
Mozilla only trusts this for Turkish domains, see:
https://wiki.mozilla.org/CA/Additional_Trust_Changes

And users of mozilla-rootcerts likely don't implement the same fine-grained
trust.

Proposed on tech-pkg
2020-06-12 10:35:11 +00:00
adam
5d771092e8 py-google-auth: updated to 1.17.1
1.17.1:

Bug Fixes
narrow acceptable RSA versions to maintain Python 2 compatibility

1.17.0:

Features
add quota_project_id to service accounts; add with_quota_project methods

1.16.1:

Bug Fixes
fix impersonated cred exception doc
replace environment variable GCE_METADATA_ROOT with GCE_METADATA_HOST

1.16.0:

Features
add helper func for default encrypted cert

Bug Fixes
fix impersonated cred for gcloud

1.15.0:

Features
encrypted mtls private key support

Bug Fixes
signBytes for impersonated credentials
2020-06-12 05:58:42 +00:00
leot
8efc4baa76 sqlmap: Update to 1.4.6
Unfortunately no changelog is provided by upstream; the main changes since 1.4.2
are added support for CrateDB, CUBRID, Drizzle, Apache Ignite, Amazon Aurora
forks, InterSystems cache, eXtremeDB.
2020-06-11 20:55:10 +00:00
adam
b46c6b43f2 py-authlib: added version 0.9.1
OAuth often seems complicated and difficult-to-implement. There are several
prominent libraries for handling OAuth requests, but they all suffer from one
or both of the following:

  *  They predate the OAuth 1.0 spec, AKA RFC 5849.
  *  They predate the OAuth 2.0 spec, AKA RFC 6749.
  *  They assume the usage of a specific HTTP request library.

OAuthLib is a generic utility which implements the logic of OAuth without
assuming a specific HTTP request object or web framework. Use it to graft OAuth
client support onto your favorite HTTP library, or provider support onto your
favourite web framework. If you're a maintainer of such a library, write a thin
veneer on top of OAuthLib and get OAuth support for very little effort.
2020-06-11 14:24:49 +00:00
adam
fc0e873211 libgpg-error: updated to 1.38
Noteworthy changes in version 1.38
----------------------------------
 * New option parser features to implement system wide configuration
   files.
 * New functions to build file names.
 * New function to help reallocating arrays.
 * Protect gpgrt_inc_errorcount against counter overflow.
 * Improve cross-building for new platforms.
 * Support 64-bit big-endian MIPS architecture.
 * Support static link for Windows with -lws2_32.
 * Interface changes relative to the 1.37 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgrt_fnameconcat                NEW.
 gpgrt_absfnameconcat             NEW.
 gpgrt_reallocarray               NEW.
 gpgrt_set_confdir                NEW.
 gpgrt_argparser                  NEW.
 ARGPARSE_FLAG_SYS                NEW.
 ARGPARSE_FLAG_USER               NEW.
 ARGPARSE_FLAG_VERBOSE            NEW.
 ARGPARSE_FLAG_USERVERS           NEW.
 ARGPARSE_FLAG_WITHATTR           NEW.
 ARGPARSE_NO_CONFFILE             NEW.
 ARGPARSE_CONFFILE                NEW.
 ARGPARSE_OPT_CONFFILE            NEW.
 ARGPARSE_ATTR_FORCE              NEW.
 ARGPARSE_ATTR_IGNORE             NEW.
 ARGPARSE_TYPE_MASK               NEW.
 ARGPARSE_PERMISSION_ERROR        NEW.
 ARGPARSE_INVALID_META            NEW.
 ARGPARSE_UNKNOWN_META            NEW.
 ARGPARSE_UNEXPECTED_META         NEW.
 ARGPARSE_conffile                NEW.
 ARGPARSE_noconffile              NEW.
 ARGPARSE_verbatim                NEW.
 ARGPARSE_header                  NEW.
 GPGRT_CONFDIR_USER               NEW.
 GPGRT_CONFDIR_SYS                NEW.
2020-06-11 12:14:54 +00:00
nia
e7deb23981 mbedtls: Update patches. Add links to PRs. 2020-06-11 11:43:50 +00:00
fcambus
ae3383cc76 minisign: fix the build by adding missing build dependency on pkg-config.
Pointed out by mef@, thanks!
2020-06-11 11:10:22 +00:00
he
50d492c47b Commit overlooked distinfo update after the previous addition
of patches.
2020-06-11 09:41:56 +00:00
nia
55d87afb0d Back out gnome-online-accounts, already present in net/
I can update that version...
2020-06-10 19:54:41 +00:00
nia
fe8bf09ca0 gnome-online-accounts: remove reference to wip 2020-06-10 19:50:42 +00:00
nia
a49f4cb06d security: Add gnome-online-accounts
Single sign-on framework for GNOME. It aims to provide a way for users to
setup online accounts to be used by the core system and core applications
only. Calendar entries show up in GNOME Shell, e-mail in Evolution, online
storages are exposed as GVolumes, and so on.
2020-06-10 19:48:26 +00:00
taca
b7a5fab816 security/ruby-net-ssh: update to 6.1.0
Update to ruby-net-ssh 6.1.0.


=== 6.1.0

  * adapt to ssh's default behaviors when no username is provided.
    When Net::SSH.start user is nil and config has no entry
    we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]

=== 6.1.0.rc1

  * Make sha2-{256,512}-etm@openssh.com MAC default again [#761]
  * Support algorithm subtraction syntax from ssh_config [#751]
2020-06-10 14:51:07 +00:00
taca
71572d1bda security/Makefile: add and enable ruby-openssl-cmac 2020-06-10 14:33:17 +00:00
taca
821ccba918 security/ruby-openssl-cmac: add package version 2.0.1
Add openssl-cmac package version 2.0.1.


Ruby Gem for
* RFC 4493 - The AES-CMAC Algorithm (http://tools.ietf.org/html/rfc4493)
* RFC 4494 - The AES-CMAC-96 Algorithm and Its Use with IPsec
  (http://tools.ietf.org/html/rfc4494)

* RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
  Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
  Algorithm for the Internet Key Exchange Protocol (IKE)
  (http://tools.ietf.org/html/rfc4615)
2020-06-10 14:32:26 +00:00
markd
0a2ab79e7d gpgme: don't accidentally try to build python language bindings 2020-06-10 11:32:06 +00:00
mef
129c0ac7ab (security/py-certbot-*) regen distinfo 2020-06-09 12:47:36 +00:00
markd
29920a1c12 kde: update kde release service to 20.04.1
changes unknown
2020-06-09 11:56:05 +00:00
nia
f332e11838 gnutls: fix detection of build options 2020-06-09 09:53:11 +00:00