1.9.5: Ludovic Rousseau
4 December 2021
- pcscd: autoexit even if no client connects
- Fix variable substitution in systemd units
- fix potential race conditions with powerState handling
- Add and use tag TAG_IFD_DEVICE_REMOVED
- UnitaryTests: port code to Python 3
1.9.4: Ludovic Rousseau
1 October 2021
- fix a memory leak when libusb is used for hotplug (i.e. non-Linux
systems)
1.9.3: Ludovic Rousseau
6 August 2021
- fix a stupid regression with systemd introduced in the previous version
1.9.2: Ludovic Rousseau
3 August 2021
- improve NetBSD support
- pcsc-spy: version 1.1
. add option -t|--thread
. x10 speed increase
. correctly exit at end-of-file
. remove, now useless, support of macOS
- systemd:
. use /etc/default/pcscd as EnvironmentFile
. use $PCSCD_ARGS to specify more arguments
- SetProtocol: Handle IFD_NOT_SUPPORTED from the driver
- hotplug_libudev.c: sanitize interface name
- pcsc_demo: change licence from GPLv3 to BSD
- use Python 3 for Python scripts (pcsc-spy, UnitaryTests)
- Some other minor improvements
hashcat is the world's fastest and most advanced password recovery
utility, supporting five unique modes of attack for over 160
highly-optimized hashing algorithms. hashcat currently supports
CPUs, GPUs and other hardware accelerators on Linux, Windows and OSX,
and has facilities to help enable distributed password cracking.
From pkgsrc-wip, original packaging by adam@; thanks!
is quite happy to use php-mysqlnd, which in turn is a built-in component
of all versions of PHP in Pkgsrc.
Drop the dependency, and therefore expand the PHP_VERSIONS_ACCEPTED
constraint.
ZoneMinder 1.29.0 seems to work fine on at least PHP 5.6 and 7.4.
Under PHP 8.0 it is logging at Error level type errors out of skin.js.
Under PHP 8.1 it is logging at Panic level that strftime is deprecated.
Bump PKGREVISION.
This is annoying, but for now we must always explicitly combine
GITHUB_SUBMODULES with EXTRACT_USING+=bsdtar.
This is because mk/fetch/github.mk uses OPTS_TAR=--strip-components=1
and that is not supported by nbtar(pax), which is the default pkgsrc
tar on some platforms. We cannot override EXTRACT_USING in github.mk
because that is too late.
We should switch all platforms to bsdtar and retire pax.
Signedjson 1.1.1
Bugfixes
- Fix incorrect typing annotation for `decode_signing_key_base64`.
- Reinstate `decode_verify_key_base64` function which was erroneously removed in 1.1.0.
Internal Changes
- Use `setuptools_scm` for the version number.
Changes since v5.1.0:
wolfSSL Release 5.1.1 (Jan 3rd, 2022)
Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
Vulnerabilities
* [High] In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV
being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing
TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the
version of wolfSSL used.
This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.
Set this flag for packages that need it and bump PKGREVISION.
tlswrapper is a TLS encryption wrapper between remote client and local
program prog. Systemd.socket/inetd/tcpserver/... creates the server
connection, tlswrapper encrypts/decrypts data stream and reads/writes
data from/to the program prog as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog
By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. bug in the TLS library) can't be used to
compromise the memory of another connection.
To protect against secret-information leaks to the network connection
(such as Heartbleed) tlswrapper runs two independent processes for every
TLS connection. One process holds secret-keys and runs secret-keys
operations and the second talks to the network. Processes communicate with
each other through UNIX pipes.
Use "ld -shared" rather than "ld --shared". The former allows cwrappers to
detect shared lib link mode. This makes it omit "-pie" which would remove
required symbols.
share/zoneminder/htdocs/ajax/stream.php.
Because all the PHP extensions self-enable in this decade, there's no need
to configure php-sockets. The same is also true of all the other
extensions, so just remove those unnecessary instructions from MESSAGE.
Bump PKGREVISION to 7 and bump year to 2022 (NZDT).
Changes since v5.0.0:
wolfSSL Release 5.1.0 (Dec 27, 2021)
Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities
* [Low] Potential for DoS attack on a wolfSSL client due to processing hello
packets of the incorrect side. This affects only connections using TLS v1.2
or less that have also been compromised by a man in the middle
attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam
L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU
Leuven, ENS Rennes) for the report.
* [Low] Client side session resumption issue once the session resumption cache
has been filled up. The hijacking of a session resumption has been
demonstrated so far with only non verified peer connections. That is where
the client is not verifying the server’s CA that it is connecting to. There
is the potential though for other cases involving proxies that are verifying
the server to be at risk. If using wolfSSL in a case involving proxies, use
wolfSSL_get1_session and then wolfSSL_SESSION_free when done where
possible. If not adding in the session get/free function calls we recommend
that users of wolfSSL that are resuming sessions update to the latest
version (wolfSSL version 5.1.0 or later). Thanks to the UK's National Cyber
Security Centre (NCSC) for the report.
New Feature Additions
Ports
* Curve25519 support with NXP SE050 added
* Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
* Renesas TSIP 1.14 support for RX65N/RX72N
Post Quantum
* Post quantum resistant algorithms used with Apache port
* NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
* FALCON added to the benchmarking application
* Testing of cURL with wolfSSL post quantum resistant build
Compatibility Layer Additions
* Updated NGINX port to NGINX version 1.21.4
* Updated Apache port to Apache version 2.4.51
* Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
* Support added for the functions
- SSL_CTX_get_max_early_data
- SSL_CTX_set_max_early_data
- SSL_set_max_early_data
- SSL_get_max_early_data
- SSL_CTX_clear_mode
- SSL_CONF_cmd_value_type
- SSL_read_early_data
- SSL_write_early_data
Misc.
* Crypto callback support for AES-CCM added. A callback function can be
registered and used instead of the default AES-CCM implementation in
wolfSSL.
* Added AES-OFB to the FIPS boundary for future FIPS validations.
* Add support for custom OIDs used with CSR (certificate signing request)
generation using the macro WOLFSSL_CUSTOM_OID
* Added HKDF extract callback function for use with TLS 1.3
* Add variant from RFC6979 of deterministic ECC signing that can be enabled
using the macro WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
* Added the function wc_GetPubKeyDerFromCert to get the public key from a
DecodedCert structure
* Added the functions wc_InitDecodedCert, wc_ParseCert and wc_FreeDecodedCert
for access to decoding a certificate into a DecodedCert structure
* Added the macro WOLFSSL_ECC_NO_SMALL_STACK for hybrid builds where the
numerous malloc/free with ECC is undesired but small stack use is desired
throughout the rest of the library
* Added the function wc_d2i_PKCS12_fp for reading a PKCS12 file and parsing it
Fixes
PORT Fixes
* Building with Android wpa_supplicant and KeyStore
* Setting initial value of CA certificate with TSIP enabled
* Cryptocell ECC build fix and fix with RSA disabled
* IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and
fixes for retrieving the public key after key generation
Math Library Fixes
* Check return values on TFM library montgomery function in case the system
runs out of memory. This resolves an edge case of invalid ECC signatures
being created.
* SP math library sanity check on size of values passed to sp_gcd.
* SP math library sanity check on exponentiation by 0 with mod_exp
* Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
* TFM math library with Intel MULX multiply fix for carry in assembly code
Misc.
* Fix for potential heap buffer overflow with compatibility layer PEM parsing
* Fix for edge memory leak case with an error encountered during TLS
resumption
* Fix for length on inner sequence created with wc_DhKeyToDer when handling
small DH keys
* Fix for sanity check on input argument to DSA sign and verify
* Fix for setting of the return value with ASN1 integer get on an i386 device
* Fix for BER to DER size checks with PKCS7 decryption
* Fix for memory leak with PrintPubKeyEC function in compatibility layer
* Edge case with deterministic ECC key generation when the private key has
leading 0’s
* Fix for build with OPENSSL_EXTRA and NO_WOLFSSL_STUB both defined
* Use page aligned memory with ECDSA signing and KCAPI
* Skip expired sessions for TLS 1.3 rather than turning off the resume
behavior
* Fix for DTLS handling dropped or retransmitted messages
Improvements/Optimizations
Build Options and Warnings
* Bugfix: could not build with liboqs and without DH enabled
* Build with macro NO_ECC_KEY_EXPORT fixed
* Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is
enabled
* Building with wolfSentry and HAVE_EX_DATA macro set
Math Libraries
* Improvement for performance with SP C implementation of montgomery reduction
for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
* With SP math handle case of dividing by length of dividend
* SP math improvement for lo/hi register names to be used with older GCC
compilers
Misc.
* ASN name constraints checking code refactor for better efficiency and
readability
* Refactor of compatibility layer stack free’ing calls to simplify and reduce
code
* Scrubbed code for trailing spaces, hard tabs, and any control characters
* Explicit check that leaf certificate's public key type match cipher suite
signature algorithm
* Additional NULL sanity checks on WOLFSSL struct internally and improve
switch statement fallthrough
* Retain OCSP error value when CRL is enabled with certificate parsing
* Update to NATIVE LwIP support for TCP use
* Sanity check on PEM size when parsing a PEM with OpenSSL compatibility layer
API.
* SWIG wrapper was removed from the codebase in favor of dedicated Java and
Python wrappers.
* Updates to bundled example client for when to load the CA, handling print
out of IP alt names, and printing out the peers certificate in PEM format
* Handling BER encoded inner content type with PKCS7 verify
* Checking for SOCKET_EPIPE errors from low level socket
* Improvements to cleanup in the case that wolfSSL_Init fails
* Update test and example certificates expiration dates
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
Changed
Allow showing options menu for empty keyrings
Update the edition of Rust to 2021
Copy Cargo.lock into docker build stage for caching
Bump the Rust version in Dockerfile
Use ubuntu-20.04 runner for workflows
Specify the toolchain explicitly for crates.io releases
Install Rust toolchain for audit job
Apply clippy::format_in_format_args suggestion
Apply clippy::single_char_pattern suggestion
Fixed
Fix config file extension in README.md
Use references for OS command arguments
Fix the Rust profile specification in audit workflow
Packaging: While this is 3.2.8 in distfile and upstream announcements,
it is sort of 3.2.2.1 in unpack dir and shlib versions.
This is a security release fixing a buffer overflow. While upstream
has a changes file, there are no entries for anything beyond 3.2.8,
and the changes are thus expected to be only security fixes as
described at:
https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk
Version 4.8
- Switch to [Poetry](https://python-poetry.org/) for dependency and release management.
- Compatibility with Python 3.10.
- Chain exceptions using `raise new_exception from old_exception`
- Added marker file for PEP 561. This will allow type checking tools in dependent projects
to use type annotations from Python-RSA
- Use the Chinese Remainder Theorem when decrypting with a private key. This
makes decryption 2-4x faster