Commit graph

nikita
ea516f27d0 security/passphrase: don't use RELRO for now. 2022-02-24 21:29:12 +00:00
wiz
74fc0bd990 cyrus-sasl: update to 2.1.28
New in 2.1.28

    build:
        configure - Restore LIBS after checking gss_inquire_sec_context_by_oid
        makemd5.c - Fix potential out of bound writes
        fix build with --disable-shared --enable-static
        Dozens of fixes for Windows specific builds
        Fix cross platform builds with SPNEGO
        Do not try to build broken java subtree
        Fix build error with --enable-auth-sasldb
    common:
        plugin_common.c:
            Ensure size is always checked if called repeatedly (#617)
    documentation:
        Fixed generation of saslauthd(8) man page
        Fixed installation of saslauthd(8) and testsaslauthd(8) man pages (#373)
        Updates for additional SCRAM mechanisms
        Fix sasl_decode64 and sasl_encode64 man pages
        Tons of fixes for Sphinx
    include:
        sasl.h:
            Allow up to 16 bits for security flags
    lib:
        checkpw.c:
            Skip one call to strcat
            Disable auxprop-hashed (#374)
        client.c:
            Use proper length for fully qualified domain names
        common.c:
            CVE-2019-19906 Fix off by one error (#587)
        external.c:
            fix EXTERNAL with non-terminated input (#689)
        saslutil.c:
            fix index_64 to be a signed char (#619)
    plugins:
        gssapi.c:
            Emit debug log only in case of errors
        ntlm.c:
            Fail compile if MD4 is not available (#632)
        sql.c:
            Finish reading residual return data (#639)
            CVE-2022-24407 Escape password for SQL insert/update commands.
    sasldb:
        db_gdbm.c:
            fix gdbm_errno overlay from gdbm_close
    DIGEST-MD5 plugin:
        Prevent double free of RC4 context
        Use OpenSSL RC4 implementation if available
    SCRAM plugin:
        Return BADAUTH on incorrect password (#545)
        Add -224, -384, -512 (#552)
        Remove SCRAM_HASH_SIZE
        Add function to return SCRAM auth method name
        Allocate enough memory in scam_setpass()
        Add function to sort SCRAM methods by hash strength
        Update windows build for newer SCRAM options
    saslauthd:
        auth_httpform.c:
            Avoid signed overflow with non-ascii characters (#576)
        auth_krb5.c:
            support setting an explicit auth_krb5 server name
            support setting an explicit servername with Heimdal
            unify the MIT and Heimdal auth_krb5 implementations
            Remove call to krbtf
        auth_rimap.c:
            provide native memmem implementation if missing
        lak.c:
            Allow LDAP_OPT_X_TLS_REQUIRE_CERT to be 0 (no certificate verification)
        lak.h:
            Increase supported DN length to 4096 (#626)
2022-02-24 11:00:03 +00:00
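The CVE-2022-24407 entry above is an SQL injection in the sql auxprop plugin: the password being stored was interpolated into the INSERT/UPDATE text without escaping. The following is an added illustration of that bug class, not cyrus-sasl code. It uses a constructed sqlite3 table; the upstream fix escapes the value because the plugin builds SQL strings, whereas the hardened function here binds it as a parameter, which is the equivalent for a DB-API client.

```python
"""The CVE-2022-24407 bug class: a user-supplied password interpolated into
an UPDATE statement by an SQL auxprop backend.  Added illustration, not
cyrus-sasl code; the sqlite3 table is constructed for the example.  The
upstream fix escapes the value because the plugin builds SQL text; the
hardened form here binds it as a parameter, the equivalent for a DB-API
client."""
import sqlite3


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, userPassword TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-old"), ("bob", "bob-old")])
    return conn


def set_password_unsafe(conn, username, password):
    # pre-fix shape: the value is pasted into the statement text verbatim
    # (the username is interpolated the same way and needs the same care)
    stmt = "UPDATE users SET userPassword='%s' WHERE username='%s'" % (password, username)
    conn.execute(stmt)


def set_password_safe(conn, username, password):
    # values travel as bound parameters, never as SQL text
    conn.execute("UPDATE users SET userPassword=? WHERE username=?", (password, username))


def passwords(conn):
    return dict(conn.execute("SELECT username, userPassword FROM users ORDER BY username"))


# constructed password chosen by alice: the quote closes the literal, the
# trailing "--" comments out the original WHERE clause, so bob's row is updated
INJECTED = "x' WHERE username='bob' --"


def demo(unsafe):
    """Run alice's password change through one of the two code paths and
    return the resulting table as {username: userPassword}."""
    conn = fresh_db()
    (set_password_unsafe if unsafe else set_password_safe)(conn, "alice", INJECTED)
    return passwords(conn)


if __name__ == "__main__":
    print("unsafe:", demo(True))   # bob's password becomes 'x', alice's is untouched
    print("safe:  ", demo(False))  # alice's password is the literal string, bob unchanged
```

With the pre-fix path an unprivileged user who can set their own password rewrites another account's credential; with parameter binding the same string is stored as an opaque value.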
pin
47195a2178 security/gpg-tui: update to 0.8.3
Added:
-Support custom file name for the exported keys (#4)

Changed:
-Switch to clap for argument parsing
-Update license copyright years
-Update lychee arguments
-Apply clippy::needless_borrow suggestion
-Add tests for custom file name
-Bump the Rust version in Dockerfile
-Bump dependencies
2022-02-21 09:42:25 +00:00
wiz
0b9b77853c py-pip-audit: update to 2.0.0.
### Added

* CLI: The `--fix` flag has been added, allowing users to attempt to
  automatically upgrade any vulnerable dependencies to the first safe version
  available ([#212](https://github.com/trailofbits/pip-audit/pull/212),
  [#222](https://github.com/trailofbits/pip-audit/pull/222))

* CLI: The combination of `--fix` and `--dry-run` is now supported, causing
  `pip-audit` to perform the auditing step but not any resulting fix steps
  ([#223](https://github.com/trailofbits/pip-audit/pull/223))

* CLI: The `--require-hashes` flag has been added which can be used in
  conjunction with `-r` to check that all requirements in the file have an
  associated hash ([#229](https://github.com/trailofbits/pip-audit/pull/229))

* CLI: The `--index-url` flag has been added, allowing users to use custom
  package indices when running with the `-r` flag
  ([#238](https://github.com/trailofbits/pip-audit/pull/238))

* CLI: The `--extra-index-url` flag has been added, allowing users to use
  multiple package indices when running with the `-r` flag
  ([#238](https://github.com/trailofbits/pip-audit/pull/238))

### Changed

* `pip-audit`'s minimum Python version is now 3.7.

* CLI: The default output format is now correctly pluralized
  ([#221](https://github.com/trailofbits/pip-audit/pull/221))

* Output formats: The SBOM output formats (`--format=cyclonedx-xml` and
  `--format=cyclonedx-json`) now use CycloneDX
  [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/)
  ([#216](https://github.com/trailofbits/pip-audit/pull/216))

* Vulnerability sources: When using PyPI as a vulnerability service, any hashes
  provided in a requirements file are checked against those reported by PyPI
  ([#229](https://github.com/trailofbits/pip-audit/pull/229))

* Vulnerability sources: `pip-audit` now uniques each result based on its
  alias set, reducing the amount of duplicate information in the default
  columnar output format
  ([#232](https://github.com/trailofbits/pip-audit/pull/232))

* CLI: `pip-audit` now prints its output more frequently, including when
  there are no discovered vulnerabilities but packages were skipped.
  Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted
  unconditionally
  ([#240](https://github.com/trailofbits/pip-audit/pull/240))

### Fixed

* CLI: A regression causing excess output during `pip audit -r`
  was fixed ([#226](https://github.com/trailofbits/pip-audit/pull/226))
2022-02-20 21:27:35 +00:00
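The `--require-hashes` flag and the new PyPI hash comparison in 2.0.0 enforce two separate properties: every pinned requirement carries a hash, and that hash is one the index actually reports for the release. The script below is an added stand-alone illustration of both checks, not pip-audit's own code; the requirements text and the "index-reported" digests are constructed placeholders rather than real PyPI values.

```python
"""What pip-audit 2.0.0's --require-hashes flag and its PyPI hash
comparison check, reduced to a stand-alone script.  Added illustration,
not pip-audit's code; the requirements text and the "index-reported"
digests below are constructed placeholders, not real PyPI values."""
import re

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\;]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-f]+)")
STRONG = {"sha256", "sha384", "sha512"}  # the algorithms pip accepts for --hash


def parse_requirements(text):
    """Return [(name, version, {(algo, digest), ...}), ...], joining the
    backslash-continued lines that pip-compile --generate-hashes emits."""
    reqs, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        m = REQ_RE.match(logical)
        if m:
            reqs.append((m.group(1).lower(), m.group(2), set(HASH_RE.findall(logical))))
        logical = ""
    return reqs


def audit_hashes(reqs, reported):
    """reported maps (name, version) -> {"algo:digest", ...} as the index
    reports them for that release's files.  Returns (name, version, reason)
    findings; an empty list means every pin is hashed and matches."""
    findings = []
    for name, version, hashes in reqs:
        if not hashes:
            findings.append((name, version, "missing hash"))
            continue
        known = reported.get((name, version), set())
        for algo, digest in sorted(hashes):
            if algo not in STRONG:
                findings.append((name, version, "weak hash algorithm " + algo))
            elif algo + ":" + digest not in known:
                findings.append((name, version, "hash not reported by index"))
    return findings


GOOD, BAD = "ab" * 32, "cd" * 32
SAMPLE_REQUIREMENTS = f"""\
# constructed sample: digests are placeholders, not real PyPI values
requests==2.27.1 \\
    --hash=sha256:{GOOD}
urllib3==1.26.8 \\
    --hash=sha256:{BAD}
idna==3.3
"""
SAMPLE_INDEX = {  # constructed stand-in for what PyPI would report
    ("requests", "2.27.1"): {"sha256:" + GOOD},
    ("urllib3", "1.26.8"): {"sha256:" + "ef" * 32},
}


def run_sample():
    return audit_hashes(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_INDEX)


if __name__ == "__main__":
    for name, version, reason in run_sample():
        print(f"{name}=={version}: {reason}")
```

A requirement with no hash and a requirement whose hash the index does not know are reported separately, since the first is a missing control and the second is a possible tampered or substituted artifact.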
wiz
b935da553e py-cyclonedx-python-lib: update to 1.3.0.
1.3.0 (2022-01-24)
Feature

    bom-ref for Component and Vulnerability default to a UUID (#142) (3953bb6)

1.2.0 (2022-01-24)
Feature

    Add CPE to component (#138) (269ee15)

1.1.1 (2022-01-19)
Fix

    Bump dependencies (#136) (18ec498)

1.1.0 (2022-01-13)
Feature

    Add support for bom.metadata.component (#118) (1ac31f4)

1.0.0 (2022-01-13)

Support for CycloneDX schema version 1.4 (#108)
Breaking Changes

Support for CycloneDX 1.4. This includes:

    Support for tools having externalReferences
    Allowing version for a Component to be optional in 1.4
    Support for releaseNotes per Component
    Support for the core schema implementation of Vulnerabilities (VEX)

Features

    $schema is now included in JSON BOMs
    Concrete Parsers have now been moved into downstream projects to keep this library's focus on modelling and outputting CycloneDX - see https://github.com/CycloneDX/cyclonedx-python

Fixes

    Unit tests now include schema validation (we've left schema validation out of the core library due to dependency bloat)
    Ensure schema is adhered to in 1.0
    URIs are now used throughout the library through a new XsUri class to provide URI validation

Other

    Documentation is now hosted on readthedocs.org (https://cyclonedx-python-library.readthedocs.io/)
    Added reference to release of this library on Anaconda

0.12.3 (2021-12-15)
Fix

    Removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98) (3677d9f)

0.12.2 (2021-12-09)
Fix

    Tightened dependency packageurl-python (#95) (eb4ae5c)

0.12.1 (2021-12-09)
Fix

    Further loosened dependency definitions (8bef6ec)

0.12.0 (2021-12-09)
Feature

    Loosened dependency versions to make this library more consumable (55f10fb)
2022-02-20 21:23:44 +00:00
taca
72a0b448d9 security/pear-Crypt_GPG: update to 1.6.7
1.6.7 (2022-02-16)

* [CVE-2022-24953] Insert the end-of-options marker before operation
  arguments [thomas-chauchefoin-sonarsource].

* Ignore tests/debug.log and .gitattributes itself.
2022-02-20 13:15:14 +00:00
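The CVE-2022-24953 fix is an end-of-options marker: a caller-supplied file name appended to the gpg command line after the operation arguments is otherwise parsed as an option if it begins with `--`. The following is an added illustration of that argument-injection class, not Crypt_GPG's code. `gpg_like_parser()` is a small argparse stand-in for gpg's real option parser and models only the options the example needs; the malicious file name is constructed.

```python
"""Argument injection of the CVE-2022-24953 kind: a caller-supplied file
name placed on a gpg command line without a preceding "--" is parsed as an
option.  Added illustration, not Crypt_GPG's code; gpg_like_parser() is a
tiny argparse stand-in for gpg's real option parser, modelling only the
options this example needs."""
import argparse


def gpg_like_parser():
    p = argparse.ArgumentParser(prog="gpg", add_help=False)
    p.add_argument("--decrypt", action="store_true")
    p.add_argument("--output")          # takes a path, like gpg's --output
    p.add_argument("--passphrase-fd", type=int)
    p.add_argument("files", nargs="*")  # operands: like gpg, '--' ends options
    return p


def argv_before_fix(user_file):
    # operation arguments directly followed by the untrusted name
    return ["--decrypt", user_file]


def argv_after_fix(user_file):
    # end-of-options marker inserted before any untrusted argument
    return ["--decrypt", "--", user_file]


def interpret(argv):
    """What the tool would see: which option values were set and which
    strings became file operands."""
    ns, unknown = gpg_like_parser().parse_known_args(argv)
    return {"output": ns.output, "passphrase_fd": ns.passphrase_fd,
            "files": ns.files, "unknown": unknown}


# constructed attacker-controlled "file name"
MALICIOUS = "--output=/home/victim/.ssh/authorized_keys"

if __name__ == "__main__":
    print("before fix:", interpret(argv_before_fix(MALICIOUS)))
    print("after fix: ", interpret(argv_after_fix(MALICIOUS)))
```

Before the fix the string is consumed as `--output` and no file operand remains; after it the same string is an ordinary operand, and any check that the path exists or is readable applies to it as a file name.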
wiz
4484718c7d tor-browser*: reset maintainer 2022-02-16 10:25:15 +00:00
wiz
d87ac4bad0 tor-browser: reset maintainer 2022-02-16 10:24:16 +00:00
pho
0ece8cd964 security/Makefile: + hs-entropy 2022-02-16 10:06:08 +00:00
pho
dbb5d429e0 security/hs-entropy: import hs-entropy-0.4.1.7
A mostly platform independent method to obtain cryptographically strong
entropy (RDRAND, urandom, CryptAPI, and patches welcome).
2022-02-16 10:05:52 +00:00
pho
7766c2fa46 security/Makefile: + hs-cryptohash-md5 2022-02-16 10:05:31 +00:00
pho
a0b672982e security/hs-cryptohash-md5: import hs-cryptohash-md5-0.11.101.0
A practical incremental and one-pass, pure API to the MD5 hash algorithm
(including HMAC support) with performance close to the fastest
implementations available in other languages.

The implementation is made in C with a haskell FFI wrapper that hides the C
implementation.
2022-02-16 10:05:17 +00:00
adam
04c02ecbfa gnupg2: updated to 2.2.34
Noteworthy changes in version 2.2.34 (2022-02-07)
-------------------------------------------------

  * gpgconf: Backport the improved option reading and writing code
    from 2.3.  [rG7a3a1ef370,T4788]

  * gpgconf: Do not list ignored options and mark forced options as
    read-only.  [T5732]

  * gpgconf: Correctly show registry entries with --show-configs.
    [T5724]

  * gpgconf: Add command aliases -L, -K, and -R.  [rGf16c535eee]

  * gpgconf: Tweak the use of the ldapserver option.  [T5801]

  * gpgconf: Make "--launch gpg-agent" work again.  [rG5a7ed6dd8f]

  * gpg: Accept Ed25519 private keys in modernized encoding.  [T5120]

  * gpg: Fix adding the list of ultimate trusted keys.  [T5742]

  * gpgsm: New option --ignore-cert-with-oid.  [rGbcf446b70c]

  * dirmngr: Avoid initial delay on the first keyserver access in
    presence of --no-use-tor.  [rGdde88897e2]

  * scdaemon: Also prefer Yubikeys if no reader port is given.
    [rG38c666ec3f]

  * agent: Make missing strings translatable and update German and
    Japanese translations.  [T4777]

  * ssh: Fix adding an ed25519 key with a zero length comment.  [T5794]

  * gpgtar: Create and handle extended headers to support long file
    names.  [T5754]

  * Fix the creation of socket directories under Windows for non-ascii
    account names.  [rG7d1215cb9c]

  * Improve the registry HKCU->HKLM fallback.  [rG96db487a4d]

  * Prettify the --help output of most commands.
2022-02-16 08:53:26 +00:00
pho
5ed8425e97 +hs-cryptohash-sha1 2022-02-16 03:32:35 +00:00
pho
f21fd1a620 security/hs-cryptohash-sha1: import hs-cryptohash-sha1-0.11.101.0
A practical incremental and one-pass, pure API to the SHA-1 hash algorithm
(including HMAC support) with performance close to the fastest
implementations available in other languages.

The implementation is made in C with a haskell FFI wrapper that hides the C
implementation.
2022-02-16 03:31:53 +00:00
wiz
86c2d4dc08 libgcrypt: update to 1.10.0.
Noteworthy changes in version 1.10.0 (2022-02-01)  [C24/A4/R0]
-------------------------------------------------

 * New and extended interfaces:

   - New control codes to check for FIPS 140-3 approved algorithms.

   - New control code to switch into non-FIPS mode.

   - New cipher modes SIV and GCM-SIV as specified by RFC-5297.

   - Extended cipher mode AESWRAP with padding as specified by
     RFC-5649.  [T5752]

   - New set of KDF functions.

   - New KDF modes Argon2 and Balloon.

   - New functions for combining hashing and signing/verification.  [T4894]

 * Performance:

   - Improved support for PowerPC architectures.

   - Improved ECC performance on zSeries/s390x by using accelerated
     scalar multiplication.

   - Many more assembler performance improvements for several
     architectures.

 * Bug fixes:

   - Fix Elgamal encryption for other implementations.
     [R5328,CVE-2021-40528]

   - Fix alignment problem on macOS.  [T5440]

   - Check the input length of the point in ECDH.  [T5423]

   - Fix an abort in gcry_pk_get_param for "Curve25519".  [T5490]

 * Other features:

   - The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored
     because it is useless with the FIPS 140-3 related changes.

   - Update of the jitter entropy RNG code.  [T5523]

   - Simplification of the entropy gatherer when using the getentropy
     system call.
2022-02-15 09:30:16 +00:00
taca
0a51bf6c87 security/ruby-metasploit_payloads-mettle: update to 1.0.18
1.0.18 (2022-01-26)

* Land #230, Update stdapi_fs_delete_dir to be recursive
2022-02-14 14:45:42 +00:00
taca
99ddcd6759 security/ruby-metasploit-payloads: update to 2.0.74
No release note is available.  Please refer to the commit log
<https://github.com/rapid7/metasploit-payloads/compare/v2.0.66...v2.0.74>
for details.
2022-02-14 14:41:02 +00:00
taca
ae6371083a security/ruby-ed25519: update to 1.3.0
1.3.0 (2022-01-16)

* Bump rubocop dependencies. (#30)
* Add support for Ruby 3 & JRuby 9.3.0. (#31)
2022-02-14 14:17:24 +00:00
bsiegert
ebe4158c52 Revump all Go packages after go117 update 2022-02-13 19:24:21 +00:00
pho
dc3a63e008 revbump after changing the default Haskell compiler 2022-02-12 08:50:25 +00:00
pho
1a833cb7e2 Update to tls-1.5.7
Version 1.5.7
    New APIs: getFinished and getPeerFinished #445

Version 1.5.6
    Dynamically setting encrypted extensions #444
2022-02-12 07:00:46 +00:00
pho
b070195d58 Update to x509-system-1.6.7
No changelogs are provided by the upstream.
2022-02-12 06:59:05 +00:00
pho
c415180ea4 Update to x509-validation-1.16.12
No changelogs are provided by the upstream.
2022-02-12 06:56:38 +00:00
pho
8f478f2aff Update to x509-store-1.6.9
No changelogs are provided by the upstream.
2022-02-12 05:12:54 +00:00
pho
96cbf18f6d Update to x509-1.7.6
No changelogs are provided by the upstream.
2022-02-11 17:46:11 +00:00
pho
4623b9119a Update to hackage-security-0.6.2.0
0.6.2.0
* Safely prepare for when cabal factors out Cabal-syntax

0.6.1.0
* Support basic auth in package-indices (#252)
* Fix tests due to new aeson handling of unescaped control sequences (#256)
* Bump a lot of bounds on packages we depend on
2022-02-11 13:15:07 +00:00
pho
7cc5c730f6 Update to cryptonite-0.29
No changelogs are provided by the upstream.
2022-02-11 13:10:15 +00:00
pho
ed32741615 Update to digest-0.0.1.3
No changelogs are provided by the upstream.
2022-02-11 13:03:04 +00:00
pho
5a50cde893 Update to cryptohash-sha256-0.11.102.1
No changelogs are provided by the upstream.
2022-02-11 09:11:06 +00:00
pho
abbc3b0391 Fix build with GHC 9.2 2022-02-11 09:05:12 +00:00
adam
4f5d204ef7 py-acme py-certbot*: updated to 1.23.0
Certbot 1.23.0

Added

Added show_account subcommand, which will fetch the account information
from the ACME server and show the account details (account URL and, if
applicable, email address or addresses)
We deprecated support for Python 3.6 in Certbot and its ACME library.
Support for Python 3.6 will be removed in the next major release of Certbot.

Fixed

GCP Permission list for certbot-dns-google in plugin documentation
dns-digitalocean used the SOA TTL for newly created records, rather than 30 seconds.
Revoking a certificate based on an ECDSA key can now be done with --key-path.
2022-02-10 21:23:32 +00:00
adam
8f810959e5 py-cryptodome: updated to 3.14.1
3.14.1

Resolved issues
* Fixed memory leak for GMP integers.
2022-02-07 21:00:11 +00:00
wiz
84225f5138 p11-kit: add readlink to tools
From Claes Nästén in PR 56697
2022-02-07 08:05:05 +00:00
rillig
d1fbe9bc09 security/gnutls: remove unknown configure options
The option --enable-lzo was removed in 2011, the option
--enable-local-libopts was removed in January 2022.

Bump PKGREVISION.
2022-02-06 20:54:24 +00:00
adam
0faffde786 py-requests-oauthlib: updated to 1.3.1
v1.3.1 (21 January 2022)
- Add initial support for OAuth Mutual TLS (draft-ietf-oauth-mtls)
- Add eBay compliance fix
- Add Spotify OAuth 2 Tutorial
- Add support for python 3.8, 3.9
- Fixed LinkedIn Compliance Fixes
- Fixed ReadTheDocs Documentation and sphinx errors
- Moved pipeline to GitHub Actions
2022-02-06 19:04:17 +00:00
adam
65325ac0be py-oauthlib: updated to 3.2.0
3.2.0 (2022-01-29)
------------------
OAuth2.0 Client:
* Add Device Authorization Flow for Web Application
* Add PKCE support for Client
* Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:
* Add support for CORS to metadata endpoint.
* Add support for CORS to token endpoint.
* Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:
  * Call save_token in Hybrid code flow
  * OIDC add support of refreshing ID Tokens with `refresh_id_token`
  * The RefreshTokenGrant modifiers now take the same arguments as the
    AuthorizationCodeGrant modifiers (`token`, `token_handler`, `request`).

General:
  * Added Python 3.9, 3.10, 3.11
  * Improve Travis & Coverage
2022-02-06 19:00:51 +00:00
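The "Add PKCE support for Client" entry refers to RFC 7636: the client generates a random code verifier, sends its SHA-256 hash as the code challenge with the authorization request, and presents the verifier at the token endpoint, where the server recomputes and compares. The following is an added example of both sides using only the standard library; it is not oauthlib's implementation.

```python
"""PKCE (RFC 7636) for an OAuth 2.0 client and the matching server-side
check.  Added example using only the standard library, not oauthlib's own
implementation."""
import base64
import hashlib
import re
import secrets

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """Client side, once per authorization request: 32 random bytes give a
    43-character verifier, the RFC minimum; keep it secret until the
    token request."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier):
    """Client side: the value sent with the authorization request together
    with code_challenge_method=S256."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verify(stored_challenge, method, presented_verifier):
    """Authorization server side at the token endpoint: recompute from the
    verifier presented with the code and compare in constant time.  A
    malformed verifier or unknown method is a plain failure, not an error."""
    if not VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = code_challenge_s256(v)
    print("verifier:", v)
    print("challenge:", c)
    print("token endpoint accepts:", server_verify(c, "S256", v))
```

The S256 method is the one worth supporting: with `plain` the challenge equals the verifier, so anyone who observes the authorization request can redeem the code.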
nia
42bd1ddd8e openvas-*: remove per PR pkg/56687
This has been marked BROKEN since 2019. The newest version of this
software, "Greenbone", would be a welcome addition to pkgsrc if anyone
would like to see it return.
2022-02-06 15:20:20 +00:00
wiz
b304767736 py-prewikka: fix and sort PLIST 2022-02-03 23:54:36 +00:00
nikita
451975b3cd passphrase: Update to 1.2
Changelog from https://git.sr.ht/~alva/passphrase/refs/1.2
1.2
	Zig 0.9.0 compatibility
2022-02-01 20:00:56 +00:00
wiz
708b115c5a libpreludedb-python: fix PLIST 2022-02-01 11:41:47 +00:00
wiz
eb4ffd9579 libprelude-python: fix PLIST 2022-02-01 11:38:39 +00:00
adam
47be432a7f py-cryptodome: updated to 3.14.0
3.14.0

New features
------------
* Add support for curve NIST P-192.
2022-01-31 11:26:31 +00:00
wiz
9f7380a8ff libssh: stop pulling in argp in buildlink3.mk 2022-01-29 18:05:30 +00:00
wiz
2f36262f06 libssh: argp is only used for examples, which are not installed
Bump PKGREVISION
2022-01-29 09:04:14 +00:00
wiz
095962d508 libssh: cmocka is a test framework and thus only needed at build time
Bump PKGREVISION.
2022-01-29 09:02:00 +00:00
nros
e9bab5c93e set correct mastersite 2022-01-27 20:59:27 +00:00
nros
733826618b Update qore-xmlsec-module to version 1.0.0
This update is to make sure the package
works correctly with qore version 1.2.
This is version 1.0.0.
Our patches are not needed anymore.
Remove options.mk since cmake is now
used as build system and the configure
arguments are not valid for cmake.
Change maintainer address since it has
changed.
2022-01-27 18:27:16 +00:00
nros
6ff9df099a Update qore-ssh2-module to version 1.4.1
This update is to make sure the package
works correctly with qore version 1.2.
2022-01-27 18:20:27 +00:00
adam
16bb5399b2 libgpg-error: updated to 1.44
Noteworthy changes in version 1.44 (2022-01-27)
-----------------------------------------------
* Fix dependency to gpg-error-config-test.sh.
* Run the posix locking test only on supported platforms.
* Detect Linux systems using musl.
* Fix gpg-error-config-test for PKG_CONFIG_LIBDIR.
* Fix returning of option attributes for options with args.
* Add Turkish translations.
2022-01-27 16:51:08 +00:00
gdt
160fefd5a3 ccid: Update to 1.5.0
1.5.0 - 27 January 2022, Ludovic Rousseau
   - Add support of
     - ACS ACR1281U
     - Circle CCR7125 ICC
     - Circle CIR125 ICC
     - Circle CIR125-DOT ICC
     - Circle CIR215 CL with iProduct 0x2100
     - Circle CIR315 DI
     - Circle CIR315 with idProduct: 0x0324
     - Circle CIR315 with idProduct: 0x7004
     - Circle CIR415 CL
     - Circle CIR515 ICC
     - Circle CIR615 CL
     - Circle CIR615 CL & 1S
     - ELYCTIS CL reader
     - Nitrokey Nitrokey 3
     - Thales Shield M4 Reader
   - Add support of simultaneous slot access on multi slots readers
   - Use FeliCa instead of Felica on SONY request
   - Fix SafeNet eToken 5110 SC issue
   - Allow vendor control commands for Omnikey 5427 CK
   - always compute readTimeout to use a value greater than default 3 seconds
   - Check the bSeq value when receiving a CCID frame
   - Avoid logging errors when a reader is removed
   - Some other minor improvements
2022-01-27 13:21:20 +00:00
wiz
2457392642 py-u2f: add patch comment 2022-01-27 10:39:53 +00:00
wiz
495d3145af py-u2f: remove unused unittest2 test dependency
Reported upstream
https://github.com/google/pyu2f/issues/33
2022-01-27 10:39:35 +00:00
gutteridge
5ad9b5181d heimdal: correct build fix patch
The previous version of this patch added build dependencies at the
wrong point: we need the headers generated by the time the object is
compiled, not by the time the final binary is linked. (This matches the
actual upstream change set.)
2022-01-27 03:31:21 +00:00
wiz
f939f7a655 tor-browser: use python 3.9 or older for building
the next version will support 3.10

(Only relevant if you set your default to python 3.10)
2022-01-26 12:00:18 +00:00
wiz
46bc9d3e2b *: propagate py-unpaddedbase64's python 3.x restriction 2022-01-26 07:19:03 +00:00
wiz
82835bd83a polkit: fix CVE-2021-4034
Bump PKGREVISION.
2022-01-25 19:40:46 +00:00
wiz
65aed3a1f4 py-olm: fix build for python 2.7
Also remove python 3.6 patch; that python version is not in pkgsrc
any longer.
2022-01-25 13:12:49 +00:00
ryoon
3466417fa6 security: Enable py-olm 2022-01-25 13:01:02 +00:00
ryoon
d17edbc45a security/py-olm: import py39-olm-3.2.10
Python bindings for Olm.

Based on pkgsrc-wip/py-olm by snow flurry.
2022-01-25 12:59:39 +00:00
ryoon
3957cfd656 olm: Update to 3.2.10
Changelog:
Changes in `3.2.10 <https://gitlab.matrix.org/matrix-org/olm/tags/3.2.10>`_
=========================================================================

This release includes no change since 3.2.9, but is created to be able to
publish again the Android library on MavenCentral.

Changes in `3.2.9 <https://gitlab.matrix.org/matrix-org/olm/tags/3.2.9>`_
=========================================================================

This release includes the following changes since 3.2.8:

* Switch C++ tests to use doctest.  Thanks to Nicolas Werner.
* Switch JavaScript tests to use jasmine instead of deprecated jasmine-node.
* Add session describe function to Python binding.  Thanks to Tulir Asokan.
2022-01-25 12:55:43 +00:00
wiz
2d093f80c2 *: use versioned_dependencies.mk for py-importlib-metadata 2022-01-25 09:05:10 +00:00
adam
9225f87ec4 py-asyncssh: updated to 2.9.0
Release 2.9.0 (23 Jan 2022)
---------------------------

* Added mypy-compatible type annotations to all AsyncSSH modules, and a
  "py.typed" file to signal that annotations are now available for this
  package.

* Added experimental support for SFTP versions 4-6. While AsyncSSH still
  defaults to only advertising version 3 when acting as both a client and
  a server, applications can explicitly enable support for later versions,
  which will be used if both ends of the connection agree. Not all features
  are fully supported, but a number of useful enhancements are now
  available, including users and groups specified by name, higher
  resolution timestamps, and more granular error reporting.

* Updated documentation to make it clear that keys from a PKCS11 provider
  or ssh-agent will be used even when client_keys is specified, unless
  those sources are explicitly disabled.

* Improved handling of task cancellation in AsyncSSH to avoid triggering
  an error of "Future exception was never retrieved". Thanks go to Krzysztof
  Kotlenga for reporting this issue and providing test code to reliably
  reproduce it.

* Changed implementation of OpenSSH keepalive handler to improve
  interoperability with servers which don't expect a "success" response
  when this message is sent.

Release 2.8.1 (8 Nov 2021)
--------------------------

* Fixed a regression in handling of the passphrase argument used to
  decrypt private keys.

Release 2.8.0 (3 Nov 2021)
--------------------------

* Added new connect_timeout option to set a timeout which includes the
  time taken to open an outbound TCP connection, allowing connections
  to be aborted without waiting for the default socket connect timeout.
  The existing login_timeout option only applies after the TCP connection
  was established, so it could not be used for this. The support for the
  ConnectTimeout config file option has also been updated to use this new
  capability, making it more consistent with OpenSSH's behavior.

* Added the ability to use the passphrase argument specified in a connect
  call to be used to decrypt keys used to connect to bastion hosts.
  Previously, this argument was only applied when making a connection
  to the main host and encrypted keys could only be used when they
  were loaded separately.

* Updated AsyncSSH's "Record" class to make it more IDE-friendly when
  it comes to things like auto-completion. This class is used as a base
  class for SSHCompletedProcess and various SFTP attribute classes.
  Thanks go to Github user zentarim for suggesting this improvement.

* Fixed a potential uncaught exception when handling forwarded connections
  which are immediately closed by a peer.
2022-01-24 12:50:27 +00:00
adam
581cf72eb6 py-cryptodome: updated to 3.13.0
3.13.0

New features
------------
* Add support for curve NIST P-224.

Resolved issues
---------------
* Fixed typing info for ``Crypto.PublicKey.ECC``.

Other changes
-------------
* Relaxed ECDSA requirements for FIPS 186 signatures and accept any SHA-2 or SHA-3 hash.
  ``sign()`` and ``verify()`` will be performed even if the hash is stronger than the ECC key.
2022-01-24 12:39:25 +00:00
wiz
4283a1ac70 p11-kit: update to 0.24.1.
0.24.1 (stable)
 * rpc: Support protocol version negotiation [PR#371, PR#385]
 * proxy: Support copying attribute array recursively [PR#368]
 * Link libp11-kit so that it cannot unload [PR#383]
 * Translation improvements [PR#381]
 * Build fixes [PR#372, PR#373, PR#375, PR#377, PR#384, PR#407]
2022-01-23 22:17:51 +00:00
wiz
89c05d1ed7 py-aes: fix PLIST for python 2.7 2022-01-22 14:29:17 +00:00
wiz
4d9f11999d py-crack: fix PLIST for python 2.7 2022-01-22 14:28:27 +00:00
wiz
f0e04db4b2 py-crcmod: fix PLIST for python 2.7 2022-01-22 14:26:55 +00:00
wiz
c1595619ea py-openid: convert to egg.mk 2022-01-22 14:25:43 +00:00
wiz
bd9f7753c0 py-xmlsec: convert to egg.mk 2022-01-22 14:24:21 +00:00
nia
7a0a5355e9 skey: fix building on Solaris 10
PR pkg/56636
2022-01-19 22:10:16 +00:00
nia
5adb4c7338 gnupg2: Fix building on Solaris 10
PR pkg/56638
2022-01-19 22:09:00 +00:00
adam
c82b2f7272 gnutls: updated to 3.7.3
Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the system-wide
   settings. In this mode, all the algorithms are initially marked as insecure
   or disabled, while the applications can re-enable them either through the
   [overrides] section of the configuration file or the new API.

** The build infrastructure no longer depends on GNU AutoGen for generating
   command-line option handling, template file parsing in certtool, and
   documentation generation. This change also removes run-time or
   bundled dependency on the libopts library, and requires Python 3.6 or later
   to regenerate the distribution tarball.

   Note that this brings in known backward incompatibility in command-line
   tools, such as long options are now case sensitive, while previously they
   were treated in a case insensitive manner: for example --RSA is no longer a
   valid option of certtool. The existing scripts using GnuTLS tools may need
   adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
   used as a gnutls_privkey_t. The code was originally written for the
   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
   tpm2tss-genkey tool from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS
   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
   option. If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate Transparency
   (RFC 6962) SCT extension.  New API functions are also provided to
   access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and evaluate
   x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it as a
   PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by default.
   Previously certtool used PKCS12-3DES-SHA1 for key derivation and
   HMAC-SHA1 as an integrity measure in PKCS#12.  Now it uses AES-128-CBC with
   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
   default PBKDF2 iteration count has been increased to 600000.

** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
   conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of approved
   cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this
   complements the existing mechanism to prohibit the use of unapproved
   algorithms by putting the library into an unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option to
   print the library configuration.

** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
   among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
2022-01-19 21:11:11 +00:00
rhialto
4a612104fa security/hercules4sdl-crypto: add missing patch file. 2022-01-19 20:18:17 +00:00
wiz
a9cae13bee py-smbpasswd: convert to egg.mk 2022-01-19 18:11:02 +00:00
wiz
4969607abd py-denyhosts: convert to egg.mk 2022-01-19 18:09:08 +00:00
wiz
deb770c5a4 py-OTXv2: convert to egg.mk 2022-01-19 18:02:32 +00:00
wiz
524025fc70 py-Des: remove
This is a DES implementation in python, last updated in 2010.
Nothing in pkgsrc uses it.
2022-01-19 18:00:28 +00:00
wiz
00dbb58f11 *: fix for python 3.x 2022-01-19 17:50:45 +00:00
pho
75588a9d5d Bump packages that depend on GHC 2022-01-18 02:48:01 +00:00
wiz
9f9f80601c py-pip-audit: update to 1.1.2.
## [1.1.2] - 2022-01-13

### Fixed

* A pin on one of `pip-audit`'s dependencies was fixed
  ([#213](https://github.com/trailofbits/pip-audit/pull/213))
2022-01-16 23:06:31 +00:00
nia
e8c5eaa806 lua-bcrypt: update to 2.2.1
Contains various cleanups.
2022-01-16 13:41:13 +00:00
schmonz
3da3d78940 Update to 20220114. From the changelog:
- added "experimental" support for delayed encryption (option -nN)
- add tlswrapper-smtp (STARTTLS support for old inetd-style SMTP servers)
2022-01-15 19:04:24 +00:00
wiz
e3f47fbb0e *: python2 egg files are back, add them to the PLISTs 2022-01-14 17:51:50 +00:00
wiz
fed3f31a44 *: remove workaround patches for python 3.6 2022-01-14 11:49:41 +00:00
wiz
e34aaa243a py-pbkdf2: remove incorrect EGG_NAME 2022-01-14 09:28:40 +00:00
wiz
4f48678c96 *: setuptools_scm: switch to versioned_dependencies 2022-01-13 19:31:20 +00:00
taca
96d637a4a8 security/clamav: update to 0.103.5
0.103.5 (2022-01-12)

ClamAV 0.103.5 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
  Fix for invalid pointer read that may cause a crash. This issue affects
  0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
  CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
  option) is enabled.

  Cisco would like to thank Laurent Delosieres of ManoMano for reporting
  this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like
  this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

  This issue didn't affect ClamD or ClamScan which also can disable the
  limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
  or clamscan --max-filesize=0 for ClamScan.

  Note: Internally, the max file size is still set to 2 GiB. Disabling the
  limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes
  to 1,024 bytes to allow for longer config option strings.

* SigTool: Fix insufficient buffer size for --list-sigs that caused a
  failure when listing a database containing one or more very long
  signatures. This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres
2022-01-13 15:28:22 +00:00
adam
8aa072822e libksba: updated to 1.6.0
Noteworthy changes in version 1.6.0 (2021-06-10) [C22/A14/R0]
------------------------------------------------

 * Limited support for the Authenticated-Enveloped-Data content type.
   [81fdcd680c12]

 * Support password based decryption.  [cb7f2484a09c]

 * Fix build problem on macOS.

 * Silence warnings from static analyzers.

 * Interface changes relative to the 1.5.0 release:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   KSBA_CT_AUTHENVELOPED_DATA       NEW.

 Release-info: https://dev.gnupg.org/T5479


Noteworthy changes in version 1.5.1 (2021-04-06) [C21/A13/R1]
------------------------------------------------

 * Support Brainpool curves specified by ECDomainParameters.

 Release-info: https://dev.gnupg.org/T5379


Noteworthy changes in version 1.5.0 (2020-11-18) [C21/A13/R0]
------------------------------------------------

 * ksba_cms_identify now identifies OpenPGP keyblock content.

 * Supports TR-03111 plain format ECDSA signature verification.

 * Fixes a CMS signed data parser bug exhibited by a somewhat strange
   CMS message.  [b6438e768c]

 * Interface changes relative to the 1.4.0 release:
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   KSBA_CT_OPENPGP_KEYBLOCK         NEW.

 Release-info: https://dev.gnupg.org/T5146
2022-01-13 08:07:20 +00:00
adam
8e38fe7799 pinentry: updated to 1.2.0
Noteworthy changes in version 1.2.0 (2021-08-25)
------------------------------------------------

 * qt: Show a warning if Caps Lock is on on Windows, X11 (requires
   libX11 and Qt5X11Extras), and Wayland (requires KF5WaylandClient).
   [T4950]

 * qt: Support password formatting.  This makes generated passwords
   easier to transcript. [T5517]

 * qt: Fix showing of pinentry window on Wayland.  [T5528]

 * qt: Check passphrase constraints before accepting passphrase if
   passphrase constraints are requested to be enforced.  [T5532]

 * qt: Improve detection of running in a GUI session.  [T3659]

 * qt: Improve accessibility when entering new password.
2022-01-13 08:05:48 +00:00
adam
398114c9d9 gcr: updated to 3.38.1
gcr 3.38.1:
- ui: Set "use-underline" for GcrImportButton
- Updated Chinese (Taiwan) translation
2022-01-13 08:02:29 +00:00
dsainty
19d1830bc0 To fix Linux readv/writev, back-port:
417421b1d8 (diff-484f666f58ec13f38fa402143f2f6ad8e63a013909d3941ffbb3d66745b20c8d)

This is also needed by the Pkgsrc WIP version.

Bump PKGREVISION - though this change is unlikely to alter the outcome of
previously successful builds.
2022-01-12 11:53:26 +00:00
schmonz
d41dbd8493 Apply upstream c023d98dcf2ba1cc30f545ae54d0e037e80a8794:
Darwin platform allows to build on releases before Yosemite/ios 8.
Fixes build on Snow Leopard. Still builds on Monterey.
2022-01-11 13:54:01 +00:00
schmonz
7245e204a8 Omit "-MT $@" from generated make rules, as it breaks SunPro builds and
"-o $@" is already sufficient.

Also for SunPro, set OPENSSL_HOST.SunOS-x86_64=solaris64-x86_64-cc
(that's cc, not gcc) to avoid this error linking libcrypto.so:

    cc: Warning: Option --libgcc passed to ld, if ld is invoked,
    ignored otherwise
    cc: No valid input files specified, no output generated

"make package" succeeds on:

- Solaris 11 with "Studio 12.6 Sun C 5.15"
- Tribblix m25.1 with pkgsrc gcc7
- CentOS 7 with pkgsrc gcc7
- FreeBSD 13 with system clang
- OpenBSD 7.0 with system clang
- NetBSD 9.2 and -current with system gcc
- CentOS 8 with system gcc
- Debian 11, 10, 9 with system gcc
- Devuan 4 with system gcc
- Ubuntu 21, 18, 16, 14 with system gcc
- Void with system gcc
- Gentoo with system gcc
2022-01-11 11:10:39 +00:00
adam
7b60c388ad py-gnupg: updated to 0.4.8
Switch to python-gnupg.

This module allows easy access to GnuPG’s key management, encryption and signature functionality from Python programs. It is intended for use with Python 2.4 or greater.
2022-01-11 08:45:10 +00:00
wiz
59a27a2707 py-simplesha3: convert to egg.mk 2022-01-10 22:02:43 +00:00
wiz
f2d064824a py-mcrypt: convert to egg.mk 2022-01-10 21:58:20 +00:00
wiz
353c9928dc py-crack: fix for python 2.7 2022-01-10 21:29:45 +00:00
wiz
2eeda3ff2a py-pydeep: convert to egg.mk 2022-01-10 20:42:38 +00:00
wiz
4b5b308a7f py-crcmod: fix for python 2.7 2022-01-10 20:30:55 +00:00
wiz
75743e4887 py-backports.ssl_match_hostname: convert to egg.mk 2022-01-10 20:27:16 +00:00
wiz
9a08783f9b py-aes: fix for python 2.7 2022-01-10 20:25:12 +00:00
wiz
652d06e378 py-tlslite: convert to egg.mk 2022-01-10 19:42:15 +00:00
wiz
3297b67eeb py-cryptkit: convert to egg.mk 2022-01-10 18:27:55 +00:00
adam
f62f2e5046 pcsc-lite: updated to 1.9.5
1.9.5: Ludovic Rousseau
4 December 2021
- pcscd: autoexit even if no client connects
- Fix variable substitution in systemd units
- fix potential race conditions with powerState handling
- Add and use tag TAG_IFD_DEVICE_REMOVED
- UnitaryTests: port code to Python 3

1.9.4: Ludovic Rousseau
1 October 2021
- fix a memory leak when libusb is used for hotplug (i.e. non-Linux
  systems)

1.9.3: Ludovic Rousseau
6 August 2021
- fix a stupid regression with systemd introduced in the previous version


1.9.2: Ludovic Rousseau
3 August 2021
- improve NetBSD support
- pcsc-spy: version 1.1
  . add option -t|--thread
  . x10 speed increase
  . correctly exit at end-of-file
  . remove, now useless, support of macOS
- systemd:
  . use /etc/default/pcscd as EnvironmentFile
  . use $PCSCD_ARGS to specify more arguments
- SetProtocol: Handle IFD_NOT_SUPPORTED from the driver
- hotplug_libudev.c: sanitize interface name
- pcsc_demo: change licence from GPLv3 to BSD
- use Python 3 for Python scripts (pcsc-spy, UnitaryTests)
- Some other minor improvements
2022-01-10 16:11:52 +00:00
taca
e509c166cf security/php-gnupg: update to 1.5.1
1.5.1 (2021-12-31)

* Fixed compilation with PHP 8.1
* Fixed build with gpgme 1.4
2022-01-10 14:16:40 +00:00
wiz
1a061fc689 py-gnupg: convert to egg.mk 2022-01-10 09:11:20 +00:00
wiz
766e8994a0 py-crcmod: convert to egg.mk 2022-01-10 09:00:02 +00:00
wiz
275ae65a96 py-crack: convert to egg.mk 2022-01-10 08:59:05 +00:00
wiz
eb6c4d32e3 py-aes: convert to egg.mk 2022-01-10 08:48:30 +00:00
wiz
0fbe107d2d pius: convert to egg.mk 2022-01-10 08:31:01 +00:00
wiz
d654101479 fail2ban: convert to egg.mk 2022-01-10 08:14:30 +00:00
khorben
c1424b6b85 Add hashcat 2022-01-10 02:30:41 +00:00
khorben
0a3899ee30 hashcat: import version 6.2.5
hashcat is the world's fastest and most advanced password recovery
utility, supporting five unique modes of attack for over 160
highly-optimized hashing algorithms. hashcat currently supports
CPUs, GPUs and other hardware accelerators on Linux, Windows and OSX,
and has facilities to help enable distributed password cracking.

From pkgsrc-wip, original packaging by adam@; thanks!
2022-01-10 02:30:23 +00:00
ryoon
45fb4e2594 *: Recursive revbump from boost 1.78.0 2022-01-10 01:46:21 +00:00
dsainty
89407139e6 The need for php-mysql seems to have vanished a long time ago. This package
is quite happy to use php-mysqlnd, which in turn is a built-in component
of all versions of PHP in Pkgsrc.

Drop the dependency, and therefore expand the PHP_VERSIONS_ACCEPTED
constraint.

ZoneMinder 1.29.0 seems to work fine on at least PHP 5.6 and 7.4.

Under PHP 8.0 it is logging at Error level type errors out of skin.js.

Under PHP 8.1 it is logging at Panic level that strftime is deprecated.

Bump PKGREVISION.
2022-01-09 23:59:35 +00:00
tnn
4c00f1860d Fix packages that use GITHUB_SUBMODULES on SunOS and possibly others
This is annoying, but for now we must always explicitly combine
GITHUB_SUBMODULES with EXTRACT_USING+=bsdtar.

This is because mk/fetch/github.mk uses OPTS_TAR=--strip-components=1
and that is not supported by nbtar(pax), which is the default pkgsrc
tar on some platforms. We cannot override EXTRACT_USING in github.mk
because that is too late.

We should switch all platforms to bsdtar and retire pax.
2022-01-09 23:42:02 +00:00
bsiegert
69b9f4cba9 Revbump all Go packages after go117 update 2022-01-09 20:10:29 +00:00
adam
92932f8fba py-signedjson: updated to 1.1.1
Signedjson 1.1.1

Bugfixes
- Fix incorrect typing annotation for `decode_signing_key_base64`.
- Reinstate `decode_verify_key_base64` function which was erroneously removed in 1.1.0.

Internal Changes
- Use `setuptools_scm` for the version number.
2022-01-08 16:14:31 +00:00
fox
9de52ac3ba security/wolfssl: Update to v5.1.1
Changes since v5.1.0:

wolfSSL Release 5.1.1 (Jan 3rd, 2022)

Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
Vulnerabilities

  * [High] In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV
    being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing
    TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the
    version of wolfSSL used.
2022-01-08 09:48:16 +00:00
wiz
414fbfcf6b *: set USE_PKG_RESOURCES for more packages 2022-01-05 20:47:34 +00:00
wiz
67e1f1a6bf python: egg.mk: add USE_PKG_RESOURCES flag
This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.

Set this flag for packages that need it and bump PKGREVISION.
2022-01-05 15:40:56 +00:00
schmonz
dcb28e724f Borrow build and runtime fixes from Debian. Fixes aarch64 build on
macOS, and perhaps others. Bump PKGREVISION.
2022-01-05 13:51:19 +00:00
schmonz
23e230852c Fix build on BSDs and Solarish. 2022-01-04 22:10:37 +00:00
schmonz
a0bbfefa4e Add and enable tlswrapper. 2022-01-04 21:39:48 +00:00
schmonz
b36f85c9cc Add tlswrapper, a UCSPI/inetd-style TLS encryption wrapper.
tlswrapper is a TLS encryption wrapper between a remote client and a local
program prog. Systemd.socket/inetd/tcpserver/... creates the server
connection, tlswrapper encrypts/decrypts the data stream and reads/writes
data from/to the program prog as follows:

Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog

By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. a bug in the TLS library) can't be used to
compromise the memory of another connection.

To protect against secret-information leaks to the network connection
(such as Heartbleed) tlswrapper runs two independent processes for every
TLS connection. One process holds the secret keys and runs secret-key
operations, and the second talks to the network. The processes communicate
with each other through UNIX pipes.
2022-01-04 21:39:03 +00:00
wiz
bb579283d0 *: bump PKGREVISION for egg.mk users
They now have a tool dependency on py-setuptools instead of a DEPENDS
2022-01-04 20:53:26 +00:00
schmonz
e222964b51 Fix building the curvecp programs on at least FreeBSD and macOS. Install
them. Bump PKGREVISION.
2022-01-04 20:53:20 +00:00
wiz
87d9cea17b py-yubikey-manager: disallow python 2.7 due to py-usb (update incoming) 2022-01-04 19:31:41 +00:00
wiz
c023fa8d8f gnutls: add lzo option
Based on PR 56601 by Vladimir Stupin.
2022-01-03 12:36:53 +00:00
rhialto
5879392fe4 security/pam-af: fix for PIE build
Use "ld -shared" rather than "ld --shared". The former allows cwrappers to
detect shared lib link mode. This makes it omit "-pie" which would remove
required symbols.
2022-01-01 12:59:15 +00:00
dsainty
00c4fdd909 The web interface PHP uses the PHP sockets extension, at least from
share/zoneminder/htdocs/ajax/stream.php.

Because all the PHP extensions self-enable in this decade, there's no need
to configure php-sockets.  The same is also true of all the other
extensions, so just remove those unnecessary instructions from MESSAGE.

Bump PKGREVISION to 7 and bump year to 2022 (NZDT).
2021-12-31 12:07:55 +00:00
adam
0a9c3a7fb7 py-dataclasses: removed; was Python 3.6 only 2021-12-30 12:12:53 +00:00
fox
6318754b44 security/wolfssl: Update to v5.1.0
Changes since v5.0.0:

wolfSSL Release 5.1.0 (Dec 27, 2021)

Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [Low] Potential for DoS attack on a wolfSSL client due to processing hello
    packets of the incorrect side. This affects only connections using TLS v1.2
    or less that have also been compromised by a man in the middle
    attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam
    L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU
    Leuven, ENS Rennes) for the report.
  * [Low] Client side session resumption issue once the session resumption cache
    has been filled up. The hijacking of a session resumption has been
    demonstrated so far with only non verified peer connections. That is where
    the client is not verifying the server’s CA that it is connecting to. There
    is the potential though for other cases involving proxies that are verifying
    the server to be at risk, if using wolfSSL in a case involving proxies use
    wolfSSL_get1_session and then wolfSSL_SESSION_free when done where
    possible. If not adding in the session get/free function calls we recommend
    that users of wolfSSL that are resuming sessions update to the latest
    version (wolfSSL version 5.1.0 or later). Thanks to the UK's National Cyber
    Security Centre (NCSC) for the report.

New Feature Additions
Ports

  * Curve25519 support with NXP SE050 added
  * Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
  * Renesas TSIP 1.14 support for RX65N/RX72N

Post Quantum

  * Post quantum resistant algorithms used with Apache port
  * NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
  * FALCON added to the benchmarking application
  * Testing of cURL with wolfSSL post quantum resistant build

Compatibility Layer Additions

  * Updated NGINX port to NGINX version 1.21.4
  * Updated Apache port to Apache version 2.4.51
  * Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
  * Support added for the functions
      - SSL_CTX_get_max_early_data
      - SSL_CTX_set_max_early_data
      - SSL_set_max_early_data
      - SSL_get_max_early_data
      - SSL_CTX_clear_mode
      - SSL_CONF_cmd_value_type
      - SSL_read_early_data
      - SSL_write_early_data

Misc.

  * Crypto callback support for AES-CCM added. A callback function can be
    registered and used instead of the default AES-CCM implementation in
    wolfSSL.
  * Added AES-OFB to the FIPS boundary for future FIPS validations.
  * Add support for custom OIDs used with CSR (certificate signing request)
    generation using the macro WOLFSSL_CUSTOM_OID
  * Added HKDF extract callback function for use with TLS 1.3
  * Add variant from RFC6979 of deterministic ECC signing that can be enabled
    using the macro WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
  * Added the function wc_GetPubKeyDerFromCert to get the public key from a
    DecodedCert structure
  * Added the functions wc_InitDecodedCert, wc_ParseCert and wc_FreeDecodedCert
    for access to decoding a certificate into a DecodedCert structure
  * Added the macro WOLFSSL_ECC_NO_SMALL_STACK for hybrid builds where the
    numerous malloc/free with ECC is undesired but small stack use is desired
    throughout the rest of the library
  * Added the function wc_d2i_PKCS12_fp for reading a PKCS12 file and parsing it

Fixes
PORT Fixes

  * Building with Android wpa_supplicant and KeyStore
  * Setting initial value of CA certificate with TSIP enabled
  * Cryptocell ECC build fix and fix with RSA disabled
  * IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and
    fixes for retrieving the public key after key generation

Math Library Fixes

  * Check return values on TFM library montgomery function in case the system
    runs out of memory. This resolves an edge case of invalid ECC signatures
    being created.
  * SP math library sanity check on size of values passed to sp_gcd.
  * SP math library sanity check on exponentiation by 0 with mod_exp
  * Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
  * TFM math library with Intel MULX multiply fix for carry in assembly code

Misc.

  * Fix for potential heap buffer overflow with compatibility layer PEM parsing
  * Fix for edge memory leak case with an error encountered during TLS
    resumption
  * Fix for length on inner sequence created with wc_DhKeyToDer when handling
    small DH keys
  * Fix for sanity check on input argument to DSA sign and verify
  * Fix for setting of the return value with ASN1 integer get on an i386 device
  * Fix for BER to DER size checks with PKCS7 decryption
  * Fix for memory leak with PrintPubKeyEC function in compatibility layer
  * Edge case with deterministic ECC key generation when the private key has
    leading 0’s
  * Fix for build with OPENSSL_EXTRA and NO_WOLFSSL_STUB both defined
  * Use page aligned memory with ECDSA signing and KCAPI
  * Skip expired sessions for TLS 1.3 rather than turning off the resume
    behavior
  * Fix for DTLS handling dropped or retransmitted messages

Improvements/Optimizations
Build Options and Warnings

  * Bugfix: could not build with liboqs and without DH enabled
  * Build with macro NO_ECC_KEY_EXPORT fixed
  * Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is
    enabled
  * Building with wolfSentry and HAVE_EX_DATA macro set

Math Libraries

  * Improvement for performance with SP C implementation of montgomery reduction
    for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
  * With SP math handle case of dividing by length of dividend
  * SP math improvement for lo/hi register names to be used with older GCC
    compilers

Misc.

  * ASN name constraints checking code refactor for better efficiency and
    readability
  * Refactor of compatibility layer stack free’ing calls to simplify and reduce
    code
  * Scrubbed code for trailing spaces, hard tabs, and any control characters
  * Explicit check that leaf certificate's public key type match cipher suite
    signature algorithm
  * Additional NULL sanity checks on WOLFSSL struct internally and improve
    switch statement fallthrough
  * Retain OCSP error value when CRL is enabled with certificate parsing
  * Update to NATIVE LwIP support for TCP use
  * Sanity check on PEM size when parsing a PEM with OpenSSL compatibility layer
    API.
  * SWIG wrapper was removed from the codebase in favor of dedicated Java and
    Python wrappers.
  * Updates to bundled example client for when to load the CA, handling print
    out of IP alt names, and printing out the peers certificate in PEM format
  * Handling BER encoded inner content type with PKCS7 verify
  * Checking for SOCKET_EPIPE errors from low level socket
  * Improvements to cleanup in the case that wolfSSL_Init fails
  * Update test and example certificates expiration dates
2021-12-30 01:19:03 +00:00
gutteridge
14cc5633f6 gnutls: fix builds on Solaris 10
Addresses PR pkg/56500 from Claes Nästén.
2021-12-26 23:03:54 +00:00
wiz
268375865d fail2ban: fix build with latest setuptools.
Fixes PR 56572 by nia@

Fix pkglint while here.
2021-12-23 22:27:35 +00:00
mef
b097f67763 (*/py-trytond-*) regen distinfo and PLIST, I'll adjust other fallout later 2021-12-22 22:54:44 +00:00
gdt
ff06f2fadc cyrus-sasl: Extend DESCR to mention plugins 2021-12-20 19:41:45 +00:00
taca
1bef8d1d8a security/ruby-chef-vault: update to 4.1.5
4.1.5 (2021-12-16)

Merged Pull Requests

* Fix for chef-vault command was not returning any results #383
  (snehaldwivedi)
2021-12-19 06:41:31 +00:00
schmonz
b726309f0a Update to 3.4.2. From the LibreSSL changelog:
* In some situations the X.509 verifier would discard an error on an
  unverified certificate chain, resulting in an authentication bypass.
  Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
2021-12-18 13:55:18 +00:00
wiz
f198be0cf3 py-cyclonedx-*: mark as not for python 2.7 2021-12-17 10:18:23 +00:00
adam
3150a35b3b p5-Crypt-OpenSSL-RSA: fix build on macOS 2021-12-15 20:42:13 +00:00
adam
af954fa925 p5-Crypt-OpenSSL-Random: fix build on macOS 2021-12-15 20:40:42 +00:00
pin
b782a64394 security/gpg-tui: update to 0.8.2
Changed
Allow showing options menu for empty keyrings
Update the edition of Rust to 2021
Copy Cargo.lock into docker build stage for caching
Bump the Rust version in Dockerfile
Use ubuntu-20.04 runner for workflows
Specify the toolchain explicitly for crates.io releases
Install Rust toolchain for audit job
Apply clippy::format_in_format_args suggestion
Apply clippy::single_char_pattern suggestion

Fixed
Fix config file extension in README.md
Use references for OS command arguments
Fix the Rust profile specification in audit workflow
2021-12-15 08:20:55 +00:00
gdt
556daecb87 security/olm: Update to 3.2.8
Packaging: While this is 3.2.8 in distfile and upstream announcements,
it is sort of 3.2.2.1 in unpack dir and shlib versions.

This is a security release fixing a buffer overflow.  While upstream
has a changes file, there are no entries for anything beyond 3.2.8,
and the changes are thus expected to be only security fixes as
described at:

  https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk
2021-12-14 01:01:48 +00:00
taca
7bc873ddf3 security/php-ssh2: update to 1.3.1
1.3 (2021-03-01)

* Add ssh2_send_eof() [PR #45] (Calvin Buckley)
* PHP stream cast function for SSH channel objects for stream_select()
  support. [PR #38] (Robert Wolf)
* Fix for PHP 7.4 and 8 [PR #44] (Andy Postnikov and Remi Collet)
* Fixed debug and disconnected callback [PR #37] (Piotr Rogowski)
* Various stability and memory issue fixes [PR #39, #41] (Robert Wolf)
* Segfault fix for bug #79757 [PR #43] (Konrad K)
* Various stability and bug fixes #79631, #63480, #80294, #75523, #80729 [PR
  #46, #47, #48, #49, #50 and #51] (Christoph M. Becker)

1.3.1 (2021-03-02)

* 1.3.1 release only fixed the PHP >= 8.0 requirement in the package.xml. No
  code changes.
2021-12-12 15:20:00 +00:00
wiz
fe0e662e7d py-pip-audit: update to 1.1.1.
## [1.1.1] - 2021-12-07

### Fixed

* Dependency sources: a crash caused by unexpected logging statements in `pip`'s
  JSON output was fixed
2021-12-12 10:04:44 +00:00
adam
b3fc96ac51 py-rsa: updated to 4.8
Version 4.8

- Switch to [Poetry](https://python-poetry.org/) for dependency and release management.
- Compatibility with Python 3.10.
- Chain exceptions using `raise new_exception from old_exception`
- Added marker file for PEP 561. This will allow type checking tools in dependent projects
  to use type annotations from Python-RSA
- Use the Chinese Remainder Theorem when decrypting with a private key. This
  makes decryption 2-4x faster
2021-12-11 20:06:49 +00:00
taca
fe1b0cf982 security/Makefile: add and enable ruby-vault 2021-12-11 14:08:10 +00:00
taca
ff9961aede security/ruby-vault: add package version 0.16.0
Add ruby-vault package version 0.16.0 required by newer ruby-chef.


Vault Ruby Client

Vault is the official Ruby client for interacting with Vault:
https://vaultproject.io by HashiCorp.
2021-12-11 14:07:31 +00:00
taca
ee00e6bc05 security/ruby-shadow: update to 2.5.1
pkgsrc change: add LICENSE.

2.5.1 (2021/12/01)

* fixes for compiling for Ruby 3
2021-12-11 14:04:28 +00:00
taca
08a465e325 security/ruby-rex-sslscan: update to 0.1.7
0.1.7 (2021-10-28)

* Land #2, Update Ubuntu version & Ruby Setup
* Land #4, Update Rapid7 vulnerability reference link
2021-12-11 13:59:56 +00:00
taca
bc71dc194b security/ruby-rex-socket: update to 0.1.34
0.1.33 (2021-09-16)

* Land #39, Update Ubuntu version & Ruby setup

0.1.34 (2021-10-28)

* Land #41, Raise exception on nil hostname
2021-12-11 13:58:14 +00:00
taca
6b2f6a68c4 security/ruby-rex-powershell: update to 0.1.94
0.1.94 (2021-10-22)

* Land #38, Add Powershell Specific Errors
2021-12-11 13:55:35 +00:00
taca
28229e1af2 security/ruby-rex-core: update to 0.1.20
0.1.18 (2021-09-29)

* Land #16, Make the synchronization functions public

0.1.19 (2021-11-15)

* Land #17, Add the stopwatch function

0.1.20 (2021-11-16)

* Merge pull request #18 from zeroSteiner/feat/stopwatch/elapsed_seconds
  Refactor into a Stopwatch module
2021-12-11 13:53:21 +00:00
taca
bec18014b5 security/ruby-metasploit_payloads-mettle: update to 1.0.17
1.0.17 (2021-12-09)

* Land #228, fix stat on inaccessible directory
2021-12-11 13:49:50 +00:00
taca
df6d7bfb4b security/ruby-metasploit-payloads: update to 2.0.66
2.0.61 (2021-11-29)

* Land #510, honour the pty flag

2.0.62 (2021-12-07)

* resolve_host should return NULL on failure

* Land #513, fix php stdapi loading on php 5.3.29

2.0.63 (2021-12-08)

* Land #514, fix python exception when closing channels

2.0.64 (2021-12-08)

* Fix #512, fix python cmd_exec argument list during
  PROCESS_EXECUTE_FLAG_SUBSHELL

* Land #515, Fix #512, fix python cmd_exec argv

2.0.65 (2021-12-08)

* Return an empty stat buf when stat fails

* Land #511, fix stderr output in python channels

2.0.66 (2021-12-09)

* Land #516, fix python stat on inaccessible directory

* Land #517, fix php stat on inaccessible directory
2021-12-11 13:46:20 +00:00
joerg
45af553160 Fix build with Heimdal and unrestrict again. 2021-12-10 22:42:35 +00:00
nia
7e5e1241d2 lua-sec: update to 1.0.2
LuaSec 1.0.2
---------------
This version includes:

* Fix handle SSL_send SYSCALL error without errno
* Fix off by one in cert:validat(notafter)
* Fix meth_get_{sinagure => signature}_name function name
* Fix update the Lua state reference on the selected SSL context after SNI
* Fix ignore SSL_OP_BIT(n) macro and update option.c
2021-12-10 13:23:56 +00:00
adam
2b429e5d7e py-acme py-certbot*: updated to 1.22.0
Certbot 1.22.0

Added

Support for Python 3.10 was added to Certbot and all of its components.
The function certbot.util.parse_loose_version was added to parse version
strings in the same way as the now deprecated distutils.version.LooseVersion
class from the Python standard library.
Added --issuance-timeout. This option specifies how long (in seconds) Certbot will wait
for the server to issue a certificate.

Changed

The function certbot.util.get_strict_version was deprecated and will be
removed in a future release.

Fixed

Fixed an issue on Windows where the web.config created by Certbot would sometimes
conflict with preexisting configurations.
Fixed an issue on Windows where the webroot plugin would crash when multiple domains
had the same webroot. This affected Certbot 1.21.0.
2021-12-10 09:14:52 +00:00
nikita
154b82086e security/doas: change Maintainer 2021-12-09 18:46:38 +00:00
bsiegert
169637478c Revbump all Go packages after go117 update 2021-12-09 17:50:09 +00:00
adam
b6d9bd86bc revbump for icu and libffi 2021-12-08 16:01:42 +00:00
wiz
4d2957d4e6 py-pip-audit: add upstream patch fixing a test failure. 2021-12-08 14:35:00 +00:00
wiz
1dc5919f6a py-pip-audit: update to 1.1.0.
## [1.1.0]

### Added

* CLI: The `--path <PATH>` flag has been added, allowing users to limit
  dependency discovery to one or more paths (specified separately)
  when `pip-audit` is invoked in environment mode
  ([#148](https://github.com/trailofbits/pip-audit/pull/148))

* CLI: The `pip-audit` CLI can now be accessed through `python -m pip_audit`.
  All functionality is identical to the functionality provided by the
  `pip-audit` entrypoint
  ([#173](https://github.com/trailofbits/pip-audit/pull/173))

* CLI: The `--verbose` flag has been added, allowing users to receive
  more verbose output from `pip-audit`. Supplying the `--verbose` flag
  overrides the `PIP_AUDIT_LOGLEVEL` environment variable and is equivalent to
  setting it to `debug`
  ([#185](https://github.com/trailofbits/pip-audit/pull/185))

### Changed

* CLI: `pip-audit` now clears its spinner bar from the terminal upon
  completion, preventing visual confusion
  ([#174](https://github.com/trailofbits/pip-audit/pull/174))

### Fixed

* Dependency sources: a crash caused by `platform.python_version` returning
  a version string that couldn't be parsed as a PEP-440 version was fixed
  ([#175](https://github.com/trailofbits/pip-audit/pull/175))

* Dependency sources: a crash caused by incorrect assumptions about
  the structure of source distributions was fixed
  ([#166](https://github.com/trailofbits/pip-audit/pull/166))

* Vulnerability sources: a performance issue on Windows caused by cache failures
  was fixed ([#178](https://github.com/trailofbits/pip-audit/pull/178))

## [1.0.1] - 2021-12-02

### Fixed

* CLI: The `--desc` flag no longer requires a following argument. If passed
  as a bare option, `--desc` is equivalent to `--desc on`
  ([#153](https://github.com/trailofbits/pip-audit/pull/153))

* Dependency resolution: The PyPI-based dependency resolver no longer throws
  an uncaught exception on package resolution errors; instead, the package
  is marked as skipped and an appropriate warning or fatal error (in
  `--strict` mode) is produced
  ([#162](https://github.com/trailofbits/pip-audit/pull/162))

* CLI: When providing the `--cache-dir` flag, the command to read the pip cache
  directory is no longer executed. Previously this was always executed and
  could result in failure when the command fails. In CI environments, the
  default `~/.cache` directory is typically not writable by the build user and
  this meant that `python -m pip cache dir` would fail before this fix,
  even if the `--cache-dir` flag was provided.
  ([#161](https://github.com/trailofbits/pip-audit/pull/161))

## [1.0.0] - 2021-12-01

### Added

* This is the first stable release of `pip-audit`! The CLI is considered
  stable from this point on, and all changes will comply with
  [Semantic Versioning](https://semver.org/)

## [0.0.9] - 2021-12-01

### Added

* CLI: Skipped dependencies are now listed in the output of `pip-audit`,
  for supporting output formats
  ([#145](https://github.com/trailofbits/pip-audit/pull/145))
* CLI: `pip-audit` now supports a "strict" mode (enabled with `-S` or
  `--strict`) that fails the audit if any individual dependency cannot be
  resolved or audited. The default behavior is still to skip any individual
  dependency errors ([#146](https://github.com/trailofbits/pip-audit/pull/146))
2021-12-07 20:27:07 +00:00
wiz
97d87da577 security/Makefile: add some packages 2021-12-07 18:05:37 +00:00
wiz
f4a37542e8 security/py-cyclonedx-python-lib: import py-cyclonedx-python-lib-0.11.1
This CycloneDX module for Python can generate valid CycloneDX
bill-of-material document containing an aggregate of all project
dependencies.

This module is not designed for standalone use.
2021-12-07 18:05:29 +00:00
wiz
da888e49b8 security/py-cyclonedx-bom: import py-cyclonedx-bom-1.5.3
This project provides a runnable Python-based application for
generating CycloneDX bill-of-material documents from either:

* Your current Python Environment

* Your project's manifest (e.g. Pipfile.lock, poetry.lock or
  requirements.txt)

* Conda as a Package Manager

The BOM will contain an aggregate of all your current project's
dependencies, or those defined by the manifest you supply.

CycloneDX is a lightweight BOM specification that is easily created,
human-readable, and simple to parse.
2021-12-07 18:04:46 +00:00
pin
a38ee30cba security/pleaser: update to 0.5.1
-editmode=keep now default if no other mode is specified
-only include files in includedir if they do not start with .
-trimmed error when unable to communicate with syslog
2021-12-06 21:42:26 +00:00
adam
4b81b748aa py-cryptodome: updated to 3.12.0
3.12.0

New features

ECC keys in the SEC1 format can be exported and imported.
Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP 800-185).
Add support for KangarooTwelve.

Resolved issues

An asymmetric key could not be imported as a memoryview.
cSHAKE128/256 generated a wrong output for customization strings longer than 255 bytes.
CBC decryption generated the wrong plaintext when the input and the output were the same buffer.
2021-12-06 19:20:37 +00:00
wiz
5c4fd68fa5 py-m2crypto: remove, obsolete and does not build 2021-12-06 14:51:33 +00:00
wiz
f98c91204f py-gssapi: fix build 2021-12-06 14:45:22 +00:00
ryoon
89e6fa30b8 gnupg2: gmake is not required to build as of 2.2.33 2021-12-02 16:16:17 +00:00
adam
7753145637 py-josepy: updated to 1.11.0
1.11.0
------
* Added support for Python 3.10.
* We changed the PGP key used to sign the packages we upload to PyPI. Going
  forward, releases will be signed with one of three different keys. All of
  these keys are available on major key servers and signed by our previous PGP
  key. The fingerprints of these new keys are:
    - BF6BCFC89E90747B9A680FD7B6029E8500F7DB16
    - 86379B4F0AF371B50CD9E5FF3402831161D1D280
    - 20F201346BF8F3F455A73F9A780CC99432A28621
2021-12-01 20:53:55 +00:00
wiz
0a5aeb718f tor-browser: fix build with rust-1.56.1
Based on firefox codebase.
2021-12-01 13:11:03 +00:00
he
c6cea86e55 Add p5-Crypt-Juniper. 2021-11-30 19:51:11 +00:00
he
a1c9dec3da Add p5-Juniper-Crypt version 0.02.
This module provides functions for encrypting and decrypting scrambled
passwords in Juniper router configurations.  Only passwords starting with
'$9$' are supported.
2021-11-30 19:47:35 +00:00
adam
0f9fcd5ea2 py-paramiko: updated to 2.8.1
2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.
[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.
2021-11-29 09:33:19 +00:00
taca
6020ca1dee security/ruby-oauth: update to 0.5.8
0.5.8 (2021-11-10)

Added

* Added more documentation files to packaged gem, e.g. SECURITY.md,
  CODE_OF_CONDUCT.md

Fixed

* Removed reference to RUBY_VERSION from gemspec, as it depends on rake
  release, which is problematic on some ruby engines. (by @pboling)

0.5.7 (2021-11-02)

Added

* Setup Rubocop (#205, #208 by @pboling)
* Added CODE_OF_CONDUCT.md (#217, #218 by @pboling)
* Added FUNDING.yml (#217, #218 by @pboling)
* Added Client Certificate Options: :ssl_client_cert and :ssl_client_key
  (#136, #220 by @pboling)
* Handle a nested array of hashes in OAuth::Helper.normalize (#80, #221 by
  @pboling)

Changed

* Switch from TravisCI to Github Actions (#202, #207, #176 by @pboling)
* Upgrade webmock to v3.14.0 (#196 by @pboling)
* Upgrade em-http-request to v1.1.7 (#173 by @pboling)
* Upgrade mocha to v1.13.0 (#193 by @pboling)
* HISTORY renamed to CHANGELOG.md, and follows Keep a Changelog (#214, #215
  by @pboling)
* CHANGELOG, LICENSE, and README now ship with packaged gem (#214, #215 by
  @pboling)
* README.rdoc renamed to README.md (#217, #218 by @pboling)
* Require plaintext signature method by default (#135 by @confiks &
  @pboling)

Fixed

* Fixed Infinite Redirect in v0.5.5, v0.5.6 (#186, #210 by @pboling)
* Fixed NoMethodError on missing leading slash in path (#194, #211 by
  @pboling)
* Fixed NoMethodError on nil request object (#165, #212 by @pboling)
* Fixed Unsafe String Comparison (#156, #209 by @pboling and @drosseau)
* Fixed typos in Gemspec (#204, #203, #208 by @pboling)
* Copyright Notice in LICENSE - added correct years (#217, #218 by @pboling)
* Fixed request proxy Class constant reference scopes - was missing :: in
  many places (#225, #226 by @pboling)

Removed

* Remove direct development dependency on nokogiri (#299 by @pboling)
2021-11-28 14:11:14 +00:00
taca
6f53c90436 security/ruby-metasploit_payloads-mettle: update to 1.0.16
No release note is available.  Please refer to the commit log
<https://github.com/rapid7/mettle/compare/v1.0.11...v1.0.16> for details.
2021-11-28 14:06:04 +00:00
taca
3fec05e44a security/ruby-metasploit-payloads: update to 2.0.60
No release note is available.  Please refer to the commit log
<https://github.com/rapid7/metasploit-payloads/compare/v2.0.55...v2.0.60>
for details.
2021-11-28 14:01:35 +00:00
he
10bac728d9 Update py-denyhosts to version 3.0.
Pkgsrc changes:
 * Change naming style for patches
 * Adapt patches to new version
 * Relinquish maintainership to indicate others can update
 * Add dependency on py-expat


Upstream changes:

3.0
======================

Initial translation of code from Python 2 to Python 3.
DenyHosts can now be run as either a Python 2 or a Python 3
program.

Added patch from Fedora to fix initial sync issue and
ensure info logging stream is active.
(Provided by Jason Tibbitts.)

Added "import logging" to denyhosts.py to avoid errors
when setting up logging. (See above change.)

Added option PF_TABLE_FILE to the configuration file.
When this option is enabled it causes DenyHosts to write
blocked IP addresses to a text file. The default location
is /etc/blacklist. This text file should correspond to a
PF firewall table.

At start-up, try to create the file specified by
HOSTS_DENY. That way we avoid errors later if the
file does not exist. Can be a problem on operating systems
where /etc/hosts.deny does not exist in the default
configuration.

Added regex pattern to detect invalid user accounts. This blocks
connections from remote hosts who are attempting to login
with accounts not found on the local system.
While these connections to non-existent accounts are relatively harmless,
they are usually used as part of a brute force attack and filtering them
before they reach OpenSSH is a good idea.


2.10
======================

- Updated example rule for PF in configuration file
  to make black listing attacking IPs more effective.

- Added debugging info in case we cannot create a new
  PF table entry.

- Fixed syntax for comparing suspicious logins. Avoids
  always testing true/false depending on Python version.

- No longer require ETC_DIR in the configuration file.
  Use a default value "/etc" if ETC_DIR is not manually
  specified.

- Make sure DenyHosts logs when running in foreground mode.
  When in foreground, warnings are logged to a file rather
  than outputted to terminal. Keeps things clean.

- Add --unlock command line argument to remove old
  lock files.

- Updated README, version and Makefile with new
  version/maintainer information.

- Added check for PAM failures on FreeBSD. This should block both
  failed user logins that are reported by PAM and also block
  repeated attempts at accessing the root account when root
  logins are disabled by OpenSSH. The latter does not really add
  more practical protection, but can prevent the connection
  attempts at the firewall level before the OpenSSH service
  is contacted.

- Add systemd unit file, denyhosts.service


2.9 (November 3, 2014)
======================

- DenyHost now supports working with the PF
  packet filter, a popular firewall for FreeBSD,
  OpenBSD, TrueOS, PC-BSD and NetBSD.
  To enable PF support in DenyHost, comment
  out the IPTABLES option in the denyhosts.conf file
  and enable the PFCTL_PATH and PF_TABLE options.

  DenyHost will add misbehaving IP addresses to the
  PF table specified by "PF_TABLE". This table
  should be blocked using the pf.conf file. Please
  see the denyhosts.conf file for more information
  and example PF rules for blocking incoming traffic.

  Please note that even if /etc/hosts.deny is not used
  to block incoming connections, the file should still exist
  or DenyHosts may throw an error. (This should be fixed
  in the next release.)


2.8 (June 12, 2014)
===================

- Use standard errno instead of hardcoded errno value.
  Patch provided by Pino Toscano.

- Make sure PLUGIN_DENY is called for each host we receive from
  the sync server.
  Patch provided by Sean M. Collins.

- Made sure only new hosts in hosts.deny are reported as new, not
  all hosts. This prevents the PLUGIN_DENY plugin from getting
  old entries repeatedly.
  Patch provided by Chris Erdle.

- We now check user defined regular expression filters, even
  if we already found a match with an existing filter. This
  allows the user to filter more services without using
  a plugin.
  Patch provided by Ben.

- Added --purge-all command line flag to allow us to remove all
  old entries from the deny file without waiting.
  Patch provided by 9MediaCenterGUI on SourceForge.

- Updated copyright information and some documentation.

- Added manual page from Debian and fixed typo. Added
  additional command line options to man page.

- Added --purgeip option to allow us to remove specific
  IP addresses from the blocked list at start time.
  Patch provided by Nelson Howell.
  Should close Debian bug 529089.

- Updated FAILED_ENTRY_REGEX7 to be more flexible.

- Added ability to use Linux iptables to block incoming
  connections. See IPTABLES option in the configuration file.

- Made it possible to block specific ports, allowing remote
  hosts to connect to some services while being blocked on
  others by the iptables firewall.
  See the BLOCKPORT option in the configuration file.


2.7 (May 18, 2014)
==================

- Forked code from DenyHosts (denyhosts.sf.net)
  New project now maintained at denyhost.sf.net

- Added private modules patch from Marco Bertorello. Loads
  modules from /usr/share/denyhosts

- Place config, lock and executable file in more
  standard locations. Patch provided by Marco Bertorello.

- Fixed configuration (denyhosts.cfg-dist) to better support
  Debian and Ubuntu. Patch supplied by Marco Nenciarini.

- Added warning to migrate switch. Patch provided by
  Marco Bertorello.

- Avoid installing unwanted files (extra scripts and changelog).
  Patch provided by Marco Nenciarini.

- Fix bug which would not recognize an attack on the root
  user account. Patch provided by Kyle Willmon.

- Fix pattern matching bug (CVE-2007-4323).
  Patch provided by Nico Golde.

- Added foreground mode for debugging.
  Patch supplied by Marco Bertorello.

- Applied patch to fix plugin execution.
  Patch provided by Marco Bertorello.

- Added patch to prevent DenyHosts from running with
  a double --config switch.
  Patch provided by Marco Bertorello.

- Convert path of "env" from /bin/env to /usr/bin/env
  Patch provided by Kyle Willmon.

- Added patch to perform missing bounds check in Purge action.
  Provided by Kyle Willmon.

- Added patch to include SYNC_PROXY_SERVER configuration option.
  Provided by Kyle Willmon.

- Change HOSTNAME_LOOKUP to default to "NO". Will save time.
  Also brings us into closer alignment with FreeBSD patches.

- Added /usr/sbin/nologin to restricted_from_passwd script.
  Requirement from FreeBSD patch set.

- Added variable "ETC_DIR" which dictates the location of
  configuration files. This should usually be set to
  /etc or /usr/local/etc

- The restricted-usernames file is now loaded from the "ETC_DIR"
  directory, rather than from "WORK_DIR" to avoid this
  human-made configuration file from being overwritten.
  Closes Ubuntu bug #675034

- Confirm setting timestamp overwrites old timestamp file.
  Closes Ubuntu bug #564476

- Applied advanced pattern check for authentication file which
  takes into account alternative port numbers. Patch provided by
  Helmut Grohne.

- Updated license and readme files.

- Updated help output from DenyHost script to include --config tip.
2021-11-27 14:28:10 +00:00
pin
b0786052d8 security/opendoas: update to 6.8.1
-This release fixes one major issue that has been assigned CVE-2019-25016.

Rules that allowed the user to execute any command would inherit the
executing user's PATH instead of resetting it to a default PATH.
The path will now be correctly reset (d5acd52) to the defined default PATH.

Those rules still allow the user to execute any program from their PATH
but executed commands won't inherit the user's PATH anymore.

Rules that limit the user to execute only a specific command are not affected
by this and are only executed from the default PATH and with the PATH
environment variable set to the safe default.

Other changes are:
-apply missing man page changes
-Fixes to the configuration parser 2d7431c, 01ac841 and 36cc28e
-Minor documentation and error message wording changes.
2021-11-26 08:40:40 +00:00
ryoon
16096334d3 gnupg2: Update to 2.2.33
Changelog:
Noteworthy changes in version 2.2.33 (2021-11-23)
-------------------------------------------------

  * gpg: New option --min-rsa-length.  [rG6ee01c1d26]

  * gpg: New option --forbid-gen-key.  [rG985fb25c46]

  * gpg: New option --override-compliance-check.  [T5655]

  * gpgconf: New command --show-configs.  [rG8fe3f57643]

  * agent,dirmngr: New option --steal-socket.  [rG6507c6ab10]

  * scd: Improve the selection of the default PC/SC reader.  [T5644]

  * gpg: Fix printing of binary notations.  [T5667]

  * gpg: Remove stale ultimately trusted keys from the trustdb.  [T5685]

  * gpgsm: Detect circular chains in --list-chain.  [rGc9343bec83]

  * gpgconf: Create the local option file even if the global file
    exists.  [T5650]

  * dirmngr: Make reading resolv.conf more robust.  [T5657]

  * gpg-wks-server: Fix created file permissions.  [rGf54feb4470]

  * scd: Support longer data for ssh-agent authentication with openpgp
    cards.  [T5682]

  * Support gpgconf.ctl for NetBSD and Solaris.  [T5656,T5671]

  * Silence "Garbled console data" warning under Windows in most
    cases.

  * Silence warning about the rootdir under Unices w/o a mounted /proc
    file system.

  * Fix possible build problems about missing include files.  [T5592]

  * i18n: Replace the term "PIN-Cache" by "Passswort-Cache" in the
    German translation. [rgf453d52e53]

  * i18n: Update the Russian translation.

  Release-info: https://dev.gnupg.org/T5641
  See-also: gnupg-announce/2021q4/000467.html
2021-11-25 14:42:19 +00:00
pho
4cd76d65bd Install shell-completion scripts into shell-specific directories
...so that they will be automatically found by shells. It's more
helpful than requiring users to copy scripts from share/examples.
2021-11-23 07:50:15 +00:00
hubertf
208a5a20ac Fix building on Mac OS X
For details, see http://mail-index.netbsd.org/tech-pkg/2021/11/20/msg025792.html
2021-11-21 20:51:36 +00:00
micha
875924f0ee security/mdigest: Update to 1.9
Changelog from AN-2021-09-01:
- mdigest: Fixed a typo in the output from mdigest -help

  Thanks to Robert Clausecker for reporting.
2021-11-19 11:53:45 +00:00
pin
7493993a19 security/lxqt-openssh-askpass: update to 1.0.0
-Bumped minimum required Qt version to 5.15.
2021-11-19 10:10:35 +00:00
pin
3973d034ef security/lxqt-sudo: update to 1.0.0
-Bumped minimum required Qt version to 5.15 and updated translations.
2021-11-19 10:05:02 +00:00
pin
fbdfd3bf6d security/lxqt-policykit: update to 1.0.0
-Bumped minimum required Qt version and updated translations.
2021-11-19 10:02:40 +00:00
wiz
f69953412a heimdal: Fix CVE-2021-3671
Patch from samba

Bump PKGREVISION.
2021-11-17 08:46:02 +00:00
wiz
6c32e61981 security/Makefile: + py-pip-audit 2021-11-16 16:05:11 +00:00
wiz
bb76ea7afc security/py-pip-audit: import py-pip-audit-0.0.5
pip-audit is a prototype tool for scanning Python environments for
packages with known vulnerabilities. It uses the Python Packaging
Advisory Database via the PyPI JSON API as a source of vulnerability
reports.
2021-11-16 16:04:40 +00:00
wiz
7626a35008 libtasn1: update to 4.18.0.
* Noteworthy changes in release 4.18.0 (2021-11-09) [stable]
- Improve GTK-DOC manual.  Closes: #35.
- Improve --help and --version for tools with gnulib.  Closes: #37.
- Update gnulib files and various maintenance fixes.
2021-11-16 14:32:39 +00:00
wiz
025613e28f *: recursive bump for gstreamer 1.18.5 2021-11-15 22:53:55 +00:00
wiz
9ccb1c2f8a cyrus-sasl: use BLAKE2s
Remove checksums for file that is commented out in Makefile
2021-11-15 18:12:45 +00:00
adam
26f15a4ed9 py-oath: updated to 1.4.4
1.4.4:
add long description
2021-11-14 20:37:46 +00:00
adam
9476fbb52f py-acme py-certbot*: updated to 1.21.0
Certbot 1.21.0

Added

Certbot will generate a web.config file on Windows in the challenge path
when the webroot plugin is used, if one does not exist. This web.config file
lets IIS serve challenge files while they do not have an extension.

Changed

We changed the PGP key used to sign the packages we upload to PyPI. Going
forward, releases will be signed with one of three different keys. All of
these keys are available on major key servers and signed by our previous PGP
key. The fingerprints of these new keys are:
BF6BCFC89E90747B9A680FD7B6029E8500F7DB16
86379B4F0AF371B50CD9E5FF3402831161D1D280
20F201346BF8F3F455A73F9A780CC99432A28621

Fixed

More details about these changes can be found on our GitHub repo.
2021-11-13 17:30:26 +00:00
pin
a4e235cd31 security/pleaser: update to 0.5.0
-backslashes within arguments now require escaping
-editmode=keep to preserve the file permission bits from an existing file
-exact_{rule,target,name,hostname,dir} which are literal
-nix bump to 0.23.0
-deprecating regex term in favour of rule
2021-11-10 07:33:51 +00:00
taca
92f31616cb security/clamav-doc: update to 0.103.4
Update documentation part.
2021-11-08 14:50:12 +00:00
taca
9f8416394e security/clamav: update to 0.103.4
ClamAV 0.103.4 is a critical patch release with the following fixes:

- FreshClam:
  - Add a 24-hour cool-down for FreshClam clients that have received an HTTP
    403 (Forbidden) response from the CDN.
    This is to reduce the volume of 403-response data served to blocked
    FreshClam clients that are configured with a tight update-loop.
  - Fixed a bug where FreshClam treats an empty CDIFF as an incremental update
    failure instead of as an intentional request to download the whole CVD.

- ClamDScan: Fix a scan error when broken symlinks are encountered on macOS with
  "FollowDirectorySymlinks" and "FollowFileSymlinks" options disabled.

- Overhauled the scan recursion / nested archive extraction logic and added new
  limits on embedded file-type recognition performed during the "raw" scan of
  each file. This limits embedded file-type misidentification and prevents
  detecting embedded file content that is found/extracted and scanned at other
  layers in the scanning process.

- Fix an issue with the FMap module that failed to read from some nested files.

- Fixed an issue where failing to load some rules from a Yara file containing
  multiple rules may cause a crash.

- Fixed assorted compiler warnings.

- Fixed assorted Coverity static code analysis issues.

- Scan limits:
  - Added virus-name suffixes to the alerts that trigger when a scan limit has
    been exceeded. Rather than simply `Heuristics.Limits.Exceeded`, you may now
    see limit-specific virus-names, to include:
    - `Heuristics.Limits.Exceeded.MaxFileSize`
    - `Heuristics.Limits.Exceeded.MaxScanSize`
    - `Heuristics.Limits.Exceeded.MaxFiles`
    - `Heuristics.Limits.Exceeded.MaxRecursion`
    - `Heuristics.Limits.Exceeded.MaxScanTime`
  - Renamed the `Heuristics.Email.ExceedsMax.*` alerts to align with the other
    limit alerts names. These alerts include:
    - `Heuristics.Limits.Exceeded.EmailLineFoldcnt`
    - `Heuristics.Limits.Exceeded.EmailHeaderBytes`
    - `Heuristics.Limits.Exceeded.EmailHeaders`
    - `Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage`
    - `Heuristics.Limits.Exceeded.EmailMIMEArguments`
  - Fixed an issue where the Email-related scan limits would alert even when the
    "AlertExceedsMax" (`--alert-exceeds-max`) scan option is not enabled.
  - Fixes an issue in the Zip parser where exceeding the "MaxFiles" limit or
    the "MaxFileSize" limit would abort the scan but would fail to alert.
    The Zip scan limit issues were independently identified and reported by
    Aaron Leliaert and Max Allan.

- Fixed a leak in the Email parser when using the `--gen-json` scan option.

- Fixed an issue where a failure to record metadata in the Email parser when
  using the `--gen-json` scan option could cause the Email parser to abort the
  scan early and fail to extract and scan additional content.

- Fixed a file name memory leak in the Zip parser.

- Fixed an issue where certain signature patterns may cause a crash or cause
  unintended matches on some systems when converting characters to uppercase if
  a UTF-8 unicode single-byte grapheme becomes a multi-byte grapheme.
  Patch courtesy of Andrea De Pasquale.

Other fixes backported from 0.104.0:

- Fixed a crash in programs that use libclamav when the programs don't set a
  callback for the "virus found" event.
  Patch courtesy of Markus Strehle.

- Added checks to the SIS archive parser to prevent an SIS file entry from
  pointing to the archive, which would result in a loop. This was not an actual
  infinite loop, as ClamAV's scan recursion limit limits the depth of nested
  archive extraction.

- ClamOnAcc: Fixed a socket file descriptor leak that could result in a crash
  when all available file descriptors are exhausted.

- FreshClam: Fixed an issue where FreshClam would download a CVD repeatedly if a
  zero-byte CDIFF is downloaded or if the incremental update failed and if the
  CVD downloaded after that is older than advertised.
  Patch courtesy of Andrew Williams.

- ClamDScan:
  - Fixed a memory leak of the scan target filename when using the
    `--fdpass` or `--stream` options.
  - Fixed an issue where ClamDScan would fail to scan any file after excluding
    a file with the "ExcludePath" option when using the `--multiscan`
    (`-m`) option along with either `--fdpass` or `--stream`.
    Also fixed a memory leak of the accidentally-excluded paths in this case.
  - Fixed a single file path memory leak when using `--fdpass`.
  - Fixed an issue where the "ExcludePath" regex may fail to exclude absolute
    paths when the scan is invoked with a relative path.

Special thanks to the following for code contributions and bug reports:
- Aaron Leliaert
- Andrea De Pasquale
- Andrew Williams
- Markus Strehle
- Max Allan
2021-11-08 14:49:23 +00:00
rhialto
4242013307 net/hercules4sdl-crypto: new package
needed for emulators/hercules4sdl.
2021-11-06 16:42:37 +00:00
fox
6fc68b7ba4 security/wolfssl: Update to v5.0.0
Changes since v4.8.1:

wolfSSL Release 5.0.0 (Nov 01, 2021)

Release 5.0.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [Low] Hang with DSA signature creation when a specific q value is used in a
    maliciously crafted key. If a DSA key with an invalid q value of either 1 or
    0 was decoded and used for creating a signature, it would result in a hang
    in wolfSSL. Users that are creating signatures with DSA and are using keys
    supplied from an outside source are affected.
  * [Low] Issue with incorrectly validating a certificate that has multiple
    subject alternative names when given a name constraint. In the case where
    more than one subject alternative name is used in the certificate, previous
    versions of wolfSSL could incorrectly validate the certificate. Users
    verifying certificates with multiple alternative names and name constraints,
    are recommended to either use the certificate verify callback to check for
    this case or update the version of wolfSSL used. Thanks to Luiz Angelo Daros
    de Luca for the report.

New Feature Additions
New Product

  * FIPS 140-3 -- currently undergoing laboratory testing, code review and
    ultimately CMVP validation. Targeting the latest FIPS standard.

Ports

  * IoT-Safe with TLS demo
  * SE050 port with support for RNG, SHA, AES, ECC (sign/verify/shared secret)
    and ED25519
  * Support for Renesas TSIP v1.13 on RX72N

Post Quantum

  * Support for OQS's (liboqs version 0.7.0) implementation of NIST Round 3 KEMs
    as TLS 1.3 groups --with-liboqs
  * Hybridizing NIST ECC groups with the OQS groups
  * Remove legacy NTRU and QSH
  * Make quantum-safe groups available to the compatibility layer

Linux Kernel Module

  * Full support for FIPS 140-3, with in-kernel power on self test (POST) and
    conditional algorithm self test(s) (CAST)
  * --enable-linuxkm-pie -- position-independent in-kernel wolfCrypt container,
      for FIPS
  * Vectorized x86 acceleration in PK algs (RSA, ECC, DH, DSA) and AES/AES-GCM
  * Vectorized x86 acceleration in interrupt handlers
  * Support for Linux-native module signatures
  * Complete SSL/TLS and Crypto API callable from other kernel module(s)
  * Support for LTS kernel lines: 3.16, 4.4, 4.9, 5.4, 5.10

Compatibility Layer Additions

  * Ports
      * Add support for libssh2
      * Add support for pyOpenSSL
      * Add support for libimobiledevice
      * Add support for rsyslog
      * Add support for OpenSSH 8.5p1
      * Add support for Python 3.8.5
  * API/Structs Added
      * ERR_lib_error_string
      * EVP_blake2
      * wolfSSL_set_client_CA_list
      * wolfSSL_EVP_sha512_224
      * wolfSSL_EVP_sha512_256
      * wc_Sha512_224/2256Hash
      * wc_Sha512_224/256Hash
      * wc_InitSha512_224/256
      * wc_InitSha512_224/256_ex
      * wc_Sha512_224/256Update
      * wc_Sha512_224/256FinalRaw
      * wc_Sha512_224/256Final
      * wc_Sha512_224/256Free
      * wc_Sha512_224/256GetHash
      * wc_Sha512_224/256Copy
      * wc_Sha512_224/256SetFlags
      * wc_Sha512_224/256GetFlags
      * wc_Sha512_224/256Transform
      * EVP_MD_do_all and OBJ_NAME_do_all
      * EVP_shake128
      * EVP_shake256
      * SSL_CTX_set_num_tickets
      * SSL_CTX_get_num_tickets
      * SSL_CIPHER_get_auth_nid
      * SSL_CIPHER_get_cipher_nid
      * SSL_CIPHER_get_digest_nid
      * SSL_CIPHER_get_kx_nid
      * SSL_CIPHER_is_aead
      * SSL_CTX_set_msg_callback
      * a2i_IPADDRESS
      * GENERAL_NAME_print
      * X509_VERIFY_PARAM_set1_ip
      * EVP_CIPHER_CTX_set_iv_length
      * PEM_read_bio_RSA_PUBKEY
      * i2t_ASN1_OBJECT
      * DH_set_length
      * Set_tlsext_max_fragment_length
      * AUTHORITY_iNFO_ACCESS_free
      * EVP_PBE_scrypt
      * ASN1_R_HEADER_TOO_LONG
      * ERR_LIB
      * X509_get_default_cert_file/file_env/dir/dir_env() stubs
      * SSL_get_read_ahead/SSL_set_read_ahead()
      * SSL_SESSION_has_ticket()
      * SSL_SESSION_get_ticket_lifetime_hint()
      * DIST_POINT_new
      * DIST_POINT_free
      * DIST_POINTS_free
      * CRL_DIST_POINTS_free
      * sk_DIST_POINT_push
      * sk_DIST_POINT_value
      * sk_DIST_POINT_num
      * sk_DIST_POINT_pop_free
      * sk_DIST_POINT_free
      * X509_get_extension_flags
      * X509_get_key_usage
      * X509_get_extended_key_usage
      * ASN1_TIME_to_tm
      * ASN1_TIME_diff
      * PEM_read_X509_REQ
      * ERR_load_ERR_strings
      * BIO_ssl_shutdown
      * BIO_get_ssl
      * BIO_new_ssl_connect
      * BIO_set_conn_hostname
      * NID_pkcs9_contentType

Misc.

  * KCAPI: add support for using libkcapi for crypto (Linux Kernel)
  * Configure option for --with-max-rsa-bits= and --with-max-ecc-bits=
  * SP ARM Thumb support for Keil and performance improvements
  * Add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
  * PKCS #11: support static linking with PKCS #11 library
    --enable-pkcs11=static LIBS=-l
  * Add build option --enable-wolfclu for use with wolfCLU product
  * Add support for X9.42 header i.e. “BEGIN X9.42 DH PARAMETERS”
  * Add --enable-altcertchains for configuring wolfSSL with alternate
    certificate chains feature enabled
  * Add public API wc_RsaKeyToPublicDer_ex to allow getting RSA public key
    without ASN.1 header (can return only seq + n + e)
  * Add SNI and TLSx options to CMake build

Fixes
PORT Fixes

  * Add return value checking for FREESCALE_RNGA
  * Fix MMCAU_SHA256 type warnings
  * Fixes for building with Microchip XC32 and ATECC

Math Library Fixes

  * TFM check that the modulus length is valid for fixed data array size
  * TFM fp_submod_ct fix check for greater
  * Check return value of mp_grow in mp_mod_2d
  * Fix for ECC point multiply to error out on large multipliers
  * SP ECC error on multiplier larger than curve order

TLS 1.3

  * TLS1.3 sanity check for cases where a private key is larger than the configured maximum
  * Fix early data max size handling in TLS v1.3
  * Fixes for PK callbacks with TLS v1.3
  * Check min downgrade when no extensions are sent with the ServerHello

Misc.

   * Previously wolfSSL enum values were used as NID’s. Now only the
     compatibility layer NID enums are the NID values:
      * CTC_SHAwDSA -> NID_dsaWithSHA1
      * CTC_SHA256wDSA -> NID_dsa_with_SHA256
      * CTC_MD2wRSA -> NID_md2WithRSAEncryption
      * CTC_MD5wRSA -> NID_md5WithRSAEncryption
      * CTC_SHAwRSA -> NID_sha1WithRSAEncryption
      * CTC_SHA224wRSA -> NID_sha224WithRSAEncryption
      * CTC_SHA256wRSA -> NID_sha256WithRSAEncryption
      * CTC_SHA384wRSA -> NID_sha384WithRSAEncryption
      * CTC_SHA512wRSA -> NID_sha512WithRSAEncryption
      * CTC_SHA3_224wRSA -> NID_RSA_SHA3_224
      * CTC_SHA3_256wRSA -> NID_RSA_SHA3_256
      * CTC_SHA3_384wRSA -> NID_RSA_SHA3_384
      * CTC_SHA3_512wRSA -> NID_RSA_SHA3_512
      * CTC_SHAwECDSA -> NID_ecdsa_with_SHA1
      * CTC_SHA224wECDSA -> NID_ecdsa_with_SHA224
      * CTC_SHA256wECDSA -> NID_ecdsa_with_SHA256
      * CTC_SHA384wECDSA -> NID_ecdsa_with_SHA384
      * CTC_SHA512wECDSA -> NID_ecdsa_with_SHA512
      * CTC_SHA3_224wECDSA -> NID_ecdsa_with_SHA3_224
      * CTC_SHA3_256wECDSA -> NID_ecdsa_with_SHA3_256
      * CTC_SHA3_384wECDSA -> NID_ecdsa_with_SHA3_384
      * CTC_SHA3_512wECDSA -> NID_ecdsa_with_SHA3_512
      * DSAk -> NID_dsa
      * RSAk -> NID_rsaEncryption
      * ECDSAk -> NID_X9_62_id_ecPublicKey
      * BASIC_CA_OID -> NID_basic_constraints
      * ALT_NAMES_OID -> NID_subject_alt_name
      * CRL_DIST_OID -> NID_crl_distribution_points
      * AUTH_INFO_OID -> NID_info_access
      * AUTH_KEY_OID -> NID_authority_key_identifier
      * SUBJ_KEY_OID -> NID_subject_key_identifier
      * INHIBIT_ANY_OID -> NID_inhibit_any_policy
   * Fix for DES IV size used with FIPSv2
   * Fix signed comparison issue with serialSz
   * Fix missing CBIOSend and properly guard hmac in DupSSL()
   * Fix calculation of length of encoding in ssl.c
   * Fix encoding to check proper length in asn.c
   * Fix for wc_ecc_ctx_free and heap hint
   * Fix for debug messages with AF_ALG build
   * Fix for static memory with bucket size matching.
   * Fixes for SRP with heap hint.
   * Fixes for CAAM build macros and spelling for Keil build
   * Sniffer fix for possible math issue around 64-bit pointer and 32-bit unsigned int
   * Fix for sniffer TCP sequence rollover
   * wolfSSL_PEM_write_bio_PUBKEY to write only the public part
   * Fix for sending only supported groups in TLS extension
   * Fix for sniffer to better handle spurious retransmission edge case
   * SSL_set_alpn_protos and SSL_CTX_set_alpn_protos now returns 0 on
     success, non-0 on failure to better match expected return values
   * Fixes issue with SSL_CTX_set1_curves_list and SSL_set1_curves_list
     not checking the last character of the names variable provided
   * Fixes and improvements for crypto callbacks with TLS (mutual auth)
   * Fix for bad memory_mutex lock on static memory cleanup
   * Zero terminate name constraints strings when parsing certificates
   * Fix for verifying a certificate when multiple permitted name constraints are used
   * Fix typo in ifdef for HAVE_ED448
   * Fix typos in comments in SHA512
   * Add sanity check on buffer size with ED25519 key decode
   * Sanity check on PKCS7 stream amount read
   * PKCS7 fix for double free on error case and sanity check on set serial number
   * Sanity check on PKCS7 input size wc_PKCS7_ParseSignerInfo
   * Forgive a DTLS session trying to send too much at once

Improvements/Optimizations
Build Options and Warnings

   * Rework of RC4 disable by default and deprecation
   * wolfSSL as a Zephyr module (without setup.sh)
   * Add include config.h to bio.c
   * Support for PKCS7 without AES CBC.
   * Fixes for building without AES CBC
   * Added WOLFSSL_DH_EXTRA to --enable-all and --enable-sniffer
   * Add a CMake option to build wolfcrypt test and bench code as libraries
   * GCC makefile: allow overriding and provide more flexibility

Math Libraries

   * Improve performance of fp_submod_ct() and fp_addmod_ct()
   * Improve performance of sp_submod_ct() and sp_addmod_ct()
   * SP int, handle even modulus with exponentiation

Misc.

   * Cleanups for Arduino examples and memory documentation
   * Refactor hex char to byte conversions
   * Added GCC-ARM TLS server example
   * Improvements to session locking to allow per-row
   * Improved sniffer statistics and documentation
   * EVP key support for heap hint and crypto callbacks
   * Reduced stack size for dh_generation_test and Curve ASN functions
   * Espressif README Syntax / keyword highlighting / clarifications
   * AARCH64 SHA512: implementation using crypto instructions added
   * wc_RsaPSS_CheckPadding_ex2 added for use with HEAP hint
   * wc_AesKeyWrap_ex and wc_AesKeyUnWrap_ex bound checks on input and output sizes
   * Add additional error handling to wolfSSL_BIO_get_len
   * Add code to use popen and the command 'host', useful with qemu
   * Adjustment to subject alt names order with compatibility layer to better match expected order
   * Reduce BIO compatibility layer verbosity
   * Set a default upper bound on error queue size with compatibility layer
   * WOLFSSL_CRL_ALLOW_MISSING_CDP macro to skip CRL verification in case of no CDP in peer cert
   * Fixes for scan-build LLVM-13 and expanded coverage
   * Increase the default DTLS_MTU_ADDITIONAL_READ_BUFFER and make it adjustable
2021-11-06 04:37:24 +00:00
bsiegert
41533c256a Revbump all Go packages after go117 update 2021-11-05 20:02:39 +00:00
wiz
83ce3ac3c4 heimdal: add upstream bug report link 2021-11-05 09:14:28 +00:00
adam
6e4892d6c0 heimdal: fix build race condition 2021-11-04 18:21:20 +00:00
adam
641138b475 libgpg-error: updated to 1.43
Noteworthy changes in version 1.43 (2021-11-03) [C32/A32/R1]
-----------------------------------------------

 * Fix for building against GNU libc 2.34.  [T5547]

 * Fix build problems on macOS.  [T5440,T5610]

 * Fix gpgrt-config problems.  [T5381,T5595]

 * Fix gpgrt_free for legacy platforms.  [448bf7b01cad]

 * Fix truncation of error message in the middle of a character.
   [T5048]

 * Fix the --disable-threads configure options.  [T5495]

 * Improve lock-obj generation for cross-builds [99ae862a96a5]

 * Improve cross-builds. [T5365]

 * Improve gpgrt_wait_processes.  [T5381]

 * Allow config files to read values from the Windows Registry and
   from envvars.  [b1790f4cc71f]

 * Update the Russian and Czech translations.
2021-11-03 20:53:16 +00:00
adam
86e7f89fee py-OpenSSL: updated to 21.0.0
21.0.0

Backward-incompatible changes:
- The minimum ``cryptography`` version is now 3.3.
- Drop support for Python 3.5

Changes:
- Raise an error when an invalid ALPN value is set.
- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
  to set the minimum and maximum supported TLS version
- Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.
2021-11-02 09:45:53 +00:00
wiz
a00699d5c3 tor-browser: update to 10.5.10.
Translations Update
    Revert bug 40049 [torbutton]
    Bug 40051: Implement 2021 Year End Campaign look in about:tor
2021-11-01 21:41:59 +00:00
wiz
d0f535bf4f polkit: update to 0.120.
--------------
polkit 0.120
--------------

Changes since polkit 0.119:

 Inigo Martinez:
    transition from Intltool to gettext

 Simon McVittie:
    several tarball, meson and pipeline fixups

 Hugo Carvalho:
    Portuguese translation

 Sergiu Bivol:
    Romanian translation
2021-11-01 10:20:48 +00:00
adam
fde0e97518 py-authlib: updated to 0.15.5
Version 0.15.5
Make Authlib compatible with latest httpx
Make Authlib compatible with latest werkzeug
Allow customize RFC7523 alg value
2021-10-28 19:51:53 +00:00
adam
fc70ef0746 py-certifi: change LICENSE to mpl-2.0 2021-10-26 12:38:18 +00:00
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
schmonz
7b51ca7785 Update to 5.60. From the changelog:
* New features
  - New 'sessionResume' service-level option to allow
    or disallow session resumption
  - Added support for the new SSL_set_options() values.
  - Download fresh ca-certs.pem for each new release.
* Bugfixes
  - Fixed 'redirect' with 'protocol'.  This combination is
    not supported by 'smtp', 'pop3' and 'imap' protocols.
  - Enforced minimum WIN32 log window size.
  - Fixed support for password-protected private keys with
    OpenSSL 3.0 (thx to Dmitry Belyavskiy).
  - Added missing TLS options supported in OpenSSL 1.1.1k.
2021-10-24 21:33:48 +00:00
wen
44917486d9 Update to 0.32
Upstream changes:
0.32    2021-09-14
    - Add ->get_pattern and ->set_pattern.
        - https://github.com/shlomif/String-Random/pull/5
        - Thanks to https://github.com/ology
2021-10-24 08:18:14 +00:00
ryoon
3a75b8bf75 mozilla-rootcerts-openssl: Generate replaced PLIST automatically 2021-10-22 16:56:39 +00:00
wiz
6c40cfe439 heimdal: fix su -> ksu name change with kerberos-prefix-cmds option
Bump PKGREVISION, since it's on by default.
2021-10-22 07:31:54 +00:00
wiz
6fa127e9f4 heimdal: fix fetch stage 2021-10-21 09:02:25 +00:00
wiz
d6aa7c0da6 heimdal: remove hcrypto PLIST_VAR
It was always set to yes.
2021-10-21 07:51:41 +00:00
wiz
b5d6d92ccd *: recursive bump for heimdal 7.7.0
its buildlink3.mk now includes openssl's buildlink3.mk
2021-10-21 07:46:31 +00:00
wiz
2f3ae03ef6 heimdal: update to 7.7.0.
This version supports openssl 1.1, so re-enable it.

Release Notes - Heimdal - Version Heimdal 7.7

 Bug fixes

 - PKCS#11 hcrypto back-end
   . initialize the p11_module_load function list
   . verify that not only is a mechanism present but that its mechanism
     info states that it offers the required encryption, decryption or
     digest services
 - krb5:
   . Starting with 7.6, Heimdal permitted requesting authenticated
     anonymous tickets.  However, it did not verify that a KDC in fact
     returned an anonymous ticket when one was requested.
   . Cease setting the KDCOption request_anonymous flag when issuing
     S4UProxy (constrained delegation) TGS requests.
   . when the Win2K PKINIT compatibility option is set, do
     not require krbtgt otherName to match when validating KDC
     certificate.
   . set PKINIT_BTMM flag per Apple implementation
   . use memset_s() instead of memset()
 - kdc:
   . When generating KRB5SignedPath in the AS, use the reply client name
     rather than the one from the request, so validation will work
     correctly in the TGS.
   . allow checksum of PA-FOR-USER to be HMAC_MD5.  Even if tgt used
     an enctype with a different checksum.  Per [MS-SFU] 2.2.1
     PA-FOR-USER the checksum is always HMAC_MD5, and that's what
     Windows and MIT clients send.

     In heimdal both the client and kdc use instead the
     checksum of the tgt, and therefore work with each other
     but Windows and MIT clients fail against heimdal KDC.

     Both Windows and MIT KDCs would allow any keyed checksum
     to be used so Heimdal client interoperates with them.

     Change Heimdal KDC to allow HMAC_MD5 even for non RC4
     based tgt in order to support per-spec clients.
   . use memset_s() instead of memset().
   . Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
     (constrained delegation) TGS Requests with the request
     anonymous flag set.  These requests will be treated as
     S4UProxy requests and not anonymous requests.
 - HDB:
   . Set SQLite3 backend default page size to 8KB.
   . Add hdb_set_sync() method
 - kadmind:
   . disable HDB sync during database load avoiding unnecessary disk i/o.
 - ipropd:
   . disable HDB sync during receive_everything.  Doing an fsync
     per-record when receiving the complete HDB is a performance
     disaster.  Among other things, if the HDB is very large, then
     one slave receiving a full HDB can cause other slaves to timeout
     and, if HDB write activity is high enough to cause iprop log
     truncation, then also need full syncs, which leads to a cycle of
     full syncs for all slaves until HDB write activity drops.
     Allowing the iprop log to be larger helps, but improving
     receive_everything() performance helps even more.
 - kinit:
   . Anonymous PKINIT tickets discard the realm information used
     to locate the issuing AS. Store the issuing realm in the
     credentials cache in order to locate a KDC which can renew them.
   . Do not leak the result of krb5_cc_get_config() when determining
     anonymous PKINIT start realm.
 - klist:
   . Show transited-policy-checked, ok-as-delegate and anonymous
     flags when listing credentials.
 - tests:
   . Regenerate certs so that they expire before the 2038 armageddon
     so the test suite will pass on 32-bit operating systems until the
     underlying issues can be resolved.
 - Solaris:
   . Define _STDC_C11_BCI for memset_s prototype
 - build tooling:
   . Convert from python 2 to python 3
 - documentation
   . rename verify-password to verify-password-quality
   . hprop default mode is encrypt
   . kadmind "all" permission does not include "get-keys"
   . verify-password-quality might not be stateless

Release Notes - Heimdal - Version Heimdal 7.6

 Security

 - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

    When the Heimdal KDC checks the checksum that is placed on the
    S4U2Self packet by the server to protect the requested principal
    against modification, it does not confirm that the checksum
    algorithm that protects the user name (principal) in the request
    is keyed.  This allows a man-in-the-middle attacker who can
    intercept the request to the KDC to modify the packet by replacing
    the user name (principal) in the request with any desired user
    name (principal) that exists in the KDC and replace the checksum
    protecting that name with a CRC32 checksum (which requires no
    prior knowledge to compute).

    This would allow a S4U2Self ticket requested on behalf of user
    name (principal) user@EXAMPLE.COM to any service to be changed
    to a S4U2Self ticket with a user name (principal) of
    Administrator@EXAMPLE.COM. This ticket would then contain the
    PAC of the modified user name (principal).

 - CVE-2019-12098, client-only:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange
    when anonymous PKINIT is used.  Failure to do so can permit an active
    attacker to become a man-in-the-middle.

 Bug fixes

 - Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
 - kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
 - kinit:
   . cleanup temporary ccaches
   . see man page for "kinit --anonymous" command line syntax change
 - kdc: Make anonymous AS-requests more RFC8062-compliant.
 - Updated expired test certificates
 - Solaris:
   . PKCS#11 hcrypto backend broken since 7.0.1
   . Building with Sun Pro C

 Features

 - kuser: support authenticated anonymous AS-REQs in kinit
 - kdc: support for anonymous TGS-REQs
 - kgetcred support for anonymous service tickets
 - Support builds with OpenSSL 1.1.1

Release Notes - Heimdal - Version Heimdal 7.5

 Security

 - Fix CVE-2017-17439, which is a remote denial of service
   vulnerability:

     In Heimdal 7.1 through 7.4, remote unauthenticated attackers
     are able to crash the KDC by sending a crafted UDP packet
     containing empty data fields for client name or realm.

 Bug fixes

 - Handle long input lines when reloading database dumps.

 - In pre-forked mode (default on Unix), correctly clear
   the process ids of exited children, allowing new child processes
   to replace the old.

 - Fixed incorrect KDC response when no-cross realm TGT exists,
   allowing client requests to fail quickly rather than time
   out after trying to get a correct answer from each KDC.

Release Notes - Heimdal - Version Heimdal 7.4

 Security

 - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

   This is a critical vulnerability.

   In _krb5_extract_ticket() the KDC-REP service name must be obtained from
   encrypted version stored in 'enc_part' instead of the unencrypted version
   stored in 'ticket'.  Use of the unencrypted version provides an
   opportunity for successful server impersonation and other attacks.

   Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

   See https://www.orpheus-lyre.info/ for more details.

Release Notes - Heimdal - Version Heimdal 7.3

 Security

 - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
   caused the previous hop realm to not be added to the transit path
   of issued tickets.  This may, in some cases, enable bypass of capath
   policy in Heimdal versions 1.5 through 7.2.

   Note, this may break sites that rely on the bug.  With the bug some
   incomplete [capaths] worked, that should not have.  These may now break
   authentication in some cross-realm configurations.
   (CVE-2017-6594)

Release Notes - Heimdal - Version Heimdal 7.2

 Bug fixes
 - Portability improvements
 - More strict parsing of encoded URI components in HTTP KDC
 - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
 - Avoid overly specific CPU info in krb5-config in aid of reproducible builds
 - Don't do AFS string-to-key tests when feature is disabled
 - Skip mdb_stat test when the command is not available
 - Windows: update SHA2 timestamp server
 - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
 - Fix signature of hdb_generate_key_set_password()
 - Windows: enable KX509 support in the KDC
 - kdc: fix kx509 service principal match
 - iprop: handle case where master sends nothing new
 - ipropd-slave: fix incorrect error codes
 - Allow choice of sqlite for HDB pref
 - check-iprop: don't fail to kill daemons
 - roken: pidfile -> rk_pidfile
 - kdc: _kdc_do_kx509 fix use after free error
 - Do not detect x32 as 64-bit platform.
 - No sys/ttydefaults.h on CYGWIN
 - Fix check-iprop races
 - roken_detach_prep() close pipe

Release Notes - Heimdal - Version Heimdal 7.1

 Security

 - kx509 realm-chopping security bug
 - non-authorization of alias additions/removals in kadmind
   (CVE-2016-2400)

 Feature

 - iprop has been revamped to fix a number of race conditions that could
   lead to inconsistent replication
 - Hierarchical capath support
 - AES Encryption with HMAC-SHA2 for Kerberos 5
   draft-ietf-kitten-aes-cts-hmac-sha2-11
 - hcrypto is now thread safe on all platforms
 - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
   Solaris), and OpenSSL.  OpenSSL is now a first-class libhcrypto backend.
   OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
   backend
 - HDB now supports LMDB
 - Thread support on Windows
 - RFC 6113  Generalized Framework for Kerberos Pre-Authentication (FAST)
 - New GSS APIs:
   . gss_localname
 - Allow setting what encryption types a principal should have with
   [kadmin] default_key_rules, see krb5.conf manpage for more info
 - Unify libhcrypto with LTC (libtomcrypto)
 - asn1_compile 64-bit INTEGER functionality
 - HDB key history support including --keepold kadmin password option
 - Improved cross-realm key rollover safety
 - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
 - Improved MIT compatibility
   . kadm5 API
   . Migration from MIT KDB via "mitdb" HDB backend
   . Capable of writing the HDB in MIT dump format
 - Improved Active Directory interoperability
   . Enctype selection issues for PAC and other authz-data signatures
   . Cross realm key rollover (kvno 0)
 - New [kdc] enctype negotiation configuration:
   . tgt-use-strongest-session-key
   . svc-use-strongest-session-key
   . preauth-use-strongest-session-key
   . use-strongest-server-key
 - The KDC process now uses a multi-process model improving
   resiliency and performance
 - Allow batch-mode kinit with password file
 - SIGINFO support added to kinit cmd
 - New kx509 configuration options:
   . kx509_ca
   . kca_service
   . kx509_include_pkinit_san
   . kx509_template
 - Improved Heimdal library/plugin version safety
 - Name canonicalization
   . DNS resolver searchlist
   . Improved referral support
   . Support host:port host-based services
 - Pluggable libheimbase interface for DBs
 - Improve IPv6 Support
 - LDAP
   . Bind DN and password
   . Start TLS
 - klist --json
 - DIR credential cache type
 - Updated upstream SQLite and libedit
 - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
   telnet, xnlock
 - Completely remove RAND_egd support
 - Moved kadmin and ktutil to /usr/bin
 - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
    . use O_NOFOLLOW
    . don't follow symlinks
    . require cache files to be owned by the user
    . require sensible permissions (not group/other readable)
 - Implemented gss_store_cred()
 - Many more

 Bug fixes
 - iprop has been revamped to fix a number of race conditions that could
   lead to data loss
 - Include non-loopback addresses assigned to loopback interfaces
   when requesting tickets with addresses
 - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
 - Keytab file descriptor and lock leak
 - Credential cache corruption bugs
   (NOTE: The FILE ccache is still not entirely safe due to the
   fundamentally unsafe design of POSIX file locking)
 - gss_pseudo_random() interop bug
 - Plugins are now preferentially loaded from the run-time install tree
 - Reauthentication after password change in init_creds_password
 - Memory leak in the client kadmin library
 - TGS client requests renewable/forwardable/proxiable when possible
 - Locking issues in DB1 and DB3 HDB backends
 - Master HDB can remain locked while waiting for network I/O
 - Renewal/refresh logic when kinit is provided with a command
 - KDC handling of enterprise principals
 - Use correct bit for anon-pkinit
 - Many more
2021-10-21 07:46:02 +00:00
schmonz
9f076f9d11 Update to 3.4.1. From the changelog:
The shared library major version of libtls has been bumped to 22.

tls_connect(3) and friends now strip a trailing dot from servername.

This patch imports the missing scripts/wrap-compiler-for-flag-check
file, which was incorrectly causing compiler flags to not be used.

From the upstream LibreSSL changelog:

* New Features
  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
  - Enabled the new X.509 validator to allow verification of
    modern certificate chains.
* Portable Improvements
  - Added Universal Windows Platform (UWP) build support.
  - Fixed mingw-w64 builds on newer versions with missing SSP support.
* API and Documentation Enhancements
  - Added the following APIs from OpenSSL
    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
    EC_GROUP_order_bits EC_GROUP_set_curve
    EC_POINT_get_affine_coordinates
    EC_POINT_set_affine_coordinates
    EC_POINT_set_compressed_coordinates EVP_DigestSign
    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
    SSL_SESSION_set_max_early_data SSL_get_early_data_status
    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
    SSL_set_ciphersuites SSL_set_max_early_data
    SSL_set_post_handshake_auth
    SSL_set_psk_use_session_callback
    SSL_verify_client_post_handshake SSL_write_early_data
  - Added AES-GCM constants from RFC 7714 for SRTP.
* Compatibility Changes
  - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
  - Call the info callback on connect/accept exit in TLSv1.3,
    needed for p5-Net-SSLeay.
  - Default to using named curve parameter encoding from
    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
* Testing and Proactive Security
  - Added additional state machine test coverage.
  - Improved integration test support with ruby/openssl tests.
  - Error codes and callback support in new X.509 validator made
    compatible with p5-Net_SSLeay tests.
* Internal Improvements
  - Numerous fixes and improvements to the new X.509 validator to
    ensure compatible error codes and callback support compatible
    with the legacy OpenSSL validator.
2021-10-18 14:33:04 +00:00
nia
4de68cf3bf acmesh: update to 3.0.1
Changes:

- We don't have bugs for the DST roots, but we add a new useful command "--set-default-chain" for the users to fix the chains fast.
- More dns apis are added.
- More deploy hooks are added.
- Normal bug fixes.
2021-10-17 09:02:46 +00:00
tm
6c21fadbe1 Update fail2ban to 0.11.2
ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools

Fixes:
* [stability] prevent race condition - no ban if filter (backend) is continuously busy if
  too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660)
* pyinotify-backend sporadically avoided initial scanning of log-file by start
* python 3.9 compatibility (and Travis CI support)
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
* manual ban is written to database, so can be restored by restart (gh-2647)
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
  per jail or in default section in jail.local), closes gh-2357
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686)
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
  so would bother the action interpolation
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
  specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
  between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
   with `jq`, gh-2140, gh-2656)
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763)
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh-2821)
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh-2836)
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
  should be interpolated in definition section (inside the filter-config, gh-2650)
* `filter.d/dovecot.conf`:
  - add managesieve and submission support (gh-2795);
  - accept messages with more verbose logging (gh-2573);
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697)
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
  the match of username differently (gh-2693):
  - `normal`: matches 401 with supplied username only
  - `ddos`: matches 401 without supplied username only
  - `aggressive`: matches 401 and any variant (with and without username)
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh-2749)

New Features and Enhancements:
* fail2ban-regex:
  - speedup formatted output (bypass unneeded stats creation)
  - extended with prefregex statistic
  - more informative output for `datepattern` (e. g. set from filter) - pattern : description
* parsing of action in jail-configs considers space between action-names as separator also
  (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
* new filter and jail for GitLab recognizing failed application logins (gh-2689)
* new filter and jail for Grafana recognizing failed application logins (gh-2855)
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631)
* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778)
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
* datetemplate: improved anchor detection for capturing groups `(^...)`;
* datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
  as well as some warnings signaling user about invalid pattern or zone (gh-2814):
  - filter gets mode in-operation, which gets activated if filter starts processing of new messages;
    in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
    from now (up to 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
    bypass of failure (previously exceeding `findtime`);
  - better interaction with non-matching optional datepattern or invalid timestamps;
  - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
    whereas filter will use now as timestamp (gh-2802)
* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
  prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh-2755)
2021-10-16 19:37:01 +00:00
schmonz
96ec4403de Fix build on OpenBSD with native LibreSSL with patches taken from
OpenBSD ports. NFCI on other platforms.
2021-10-16 14:02:56 +00:00
wiz
337b1e2813 mozilla-rootcerts-openssl: ... and update PLIST for 2.7 2021-10-15 13:06:11 +00:00
wiz
e13fd0a962 mozilla-rootcerts-openssl: adapt for mozilla-rootcerts change 2021-10-14 12:42:43 +00:00
wiz
e6e70fac03 mozilla-rootcerts: mention mozilla-rootcerts-openssl more prominently 2021-10-14 12:42:16 +00:00
wiz
867f88dfaf mozilla-rootcerts-openssl: bump for 20211014. 2021-10-14 12:40:10 +00:00
tron
3278c24f5e mozilla-rootcerts: Use date of the last change as the version number 2021-10-14 07:35:54 +00:00
tron
8cff9a6ea4 mozilla-rootcerts: update to 20211014 data 2021-10-14 07:21:43 +00:00
fcambus
6e99436bb8 minisign: update to 0.10.
- Minisign can be compiled with Zig instead of cmake+make+a C toolchain
- Minimal VERIFY_ONLY versions can be built again
- Prehashing is now enabled by default, regardless of the input size. Support
  for non-prehashed signatures will eventually be removed
- Legacy signatures can be rejected with the addition of the -H flag
2021-10-13 07:28:08 +00:00
adam
ac4deb91b9 gnupg2: updated to 2.2.32
Noteworthy changes in version 2.2.32 (2021-10-06)
-------------------------------------------------
* dirmngr: Fix Let's Encrypt certificate chain validation.
* dirmngr: New option --ignore-cert.
* gpg: Fix --list-packets for AEAD packets with unknown key.
2021-10-12 18:48:00 +00:00
adam
7379cf525f py-acme-tiny: updated to 5.0.1
Release 5.0.1
CHANGELOG
* Set interpreter to 'python3', so running `./acme-tiny.py --help` will use python3 by default
  NOTE: You can still run using python 2 by running `python acme-tiny.py --help`
2021-10-11 17:50:16 +00:00
adam
75e32e53cd py-gssapi: updated to 1.7.2
Release v1.7.2: George (Patch 2)

Fix broken symlink in GitHub release asset
Add wheels for macOS - both x86_64 and arm64
Fix distutil deprecation on Python 3.10 by using setuptools instead

Release v1.7.0: George

Support for running tests against Heimdal in CI
Add Kerberos specific GSS-API Extensions
Tidy up docs and turn warnings into errors
Support DCE IOV functions on macOS
2021-10-11 12:50:58 +00:00
adam
23bdbd2bbe py-paramiko: updated to 2.8.0
2.8.0 2021-10-09
[Feature] Add a prefetch keyword argument to SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP prefetching are able to conditionally turn it off. Thanks to Github user @h3ll0r for the PR.
[Bug] Newer server-side key exchange algorithms not intended to use SHA1 (diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly using SHA1 after all, due to a bug causing them to ignore the hash_algo class attribute. This has been corrected. Big thanks to @miverson for the report and to Benno Rice for the patch.
[Support] Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support] Update our CI to catch issues with sdist generation, installation and testing.
[Support] Administrivia overhaul, including but not limited to:
Migrate CI to CircleCI
Primary dev branch is now main (renamed)
Many README edits for clarity, modernization etc; including a bunch more (and consistent) status badges & unification with main project site index
PyPI page much more fleshed out (long_description is now filled in with the README; sidebar links expanded; etc)
flake8, pytest configs split out of setup.cfg into their own files
Invoke/invocations (used by maintainers/contributors) upgraded to modern versions
2021-10-11 09:34:52 +00:00
pin
85425e3c40 security/gpg-tui: update to 0.8.1
[0.8.1] - 2021-10-10

Added:
- Support changing the default file explorer

Changed:
- Include the manpage of configuration file in binary releases
- Allow dead code for event handler fields
- Apply clippy::needless_lifetimes suggestion
- Improve the Docker build and push workflow
- Merge the build and test steps in CI workflow
- Disable the terminal buffer check temporarily
- Disable the gpg info renderer test
- Bump dependencies

Fixed:
- Use implicit reference for state module tests
- Use a fixed line width for renderer tests

Removed:
- Remove the hardcoded last character from renderer tests
2021-10-11 08:58:06 +00:00
adam
111ca8bb1a py-acme py-certbot: updated to 1.20.0
1.20.0

Added

* Added `--no-reuse-key`. This remains the default behavior, but the flag may be
  useful to unset the `--reuse-key` option on existing certificates.

Fixed

* The certbot-dns-rfc2136 plugin in Certbot 1.19.0 inadvertently had an implicit
  dependency on `dnspython>=2.0`. This has been relaxed to `dnspython>=1.15.0`.
2021-10-10 18:43:11 +00:00
tnn
529b2aa5ad remove redundant do-install, CHECK_RELRO_SKIP, INSTALLATIONS_DIRS ...
... for packages where the go-module.mk defaults DTRT as-is.
2021-10-09 10:41:07 +00:00
adam
99a7be1e3a py-certifi: updated to 2021.10.8
2021.10.8:
Unknown changes
2021-10-09 08:44:53 +00:00
adam
4ac014248c py-cryptodome: updated to 3.11.0
3.11.0

Resolved issues

Especially for very small bit sizes, Crypto.Util.number.getPrime() was occasionally generating primes larger than the given bit size.
Correct typing annotations for PKCS115_Cipher.decrypt().
decrypt() method of a PKCS#1v1.5 cipher returned a bytearray instead of bytes.
External DSA domain parameters were accepted even when the modulus (p) was not prime. This affected Crypto.PublicKey.DSA.generate() and Crypto.PublicKey.DSA.construct().
2021-10-09 08:40:21 +00:00
bsiegert
a235babfa8 Revbump all Go packages after go117 update 2021-10-08 18:55:02 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
wiz
cb4c52cb8a tor-browser: update to 10.5.8.
Update Firefox to 78.15.0esr
Bug 40049: Add banner for VPN survey to about:tor
Bug 40363: Change bsaes git url
2021-10-07 12:17:10 +00:00
dsainty
e59ae4b9e0 Change the broken documentation link to just direct to the ZoneMinder home page 2021-10-05 12:24:27 +00:00
adam
680c424122 gnupg2: updated to 2.2.31
Noteworthy changes in version 2.2.31 (2021-09-15)
-------------------------------------------------
  * agent: Fix a regression in GET_PASSPHRASE.
  * scd: Fix an assertion failure in close_pcsc_reader.
  * scd: Add support for PC/SC in "GETINFO reader_list".

Noteworthy changes in version 2.2.30 (2021-08-26)
-------------------------------------------------
  * gpg: Extended gpg-check-pattern to support accept rules,
    conjunctions, and case-sensitive matching.
  * agent: New option --pinentry-formatted-passphrase.
  * agent: New option --check-sym-passphrase-pattern.
  * agent: Use the sysconfdir for the pattern files.
  * agent: Add "checkpin" inquiry for use by pinentry.
  * wkd: Fix client issue with leading or trailing spaces in
    user-ids.
  * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
  * Under Windows use LOCAL_APPDATA for the socket directory.

Noteworthy changes in version 2.2.29 (2021-07-04)
-------------------------------------------------
  * Fix regression in 2.2.28 for Yubikey NEO.
  * Change the default keyserver to keyserver.ubuntu.com.  This is a
    temporary change due to the shutdown of the SKS keyserver pools.
  * gpg: Let --fetch-key return an exit code on failure.
  * dirmngr: Fix regression in KS_GET for mail address pattern.
  * Add fallback in case the Windows console can't cope with Unicode.
  * Improve initialization of SPR532 in the CCID driver and make the
    driver more robust.
  * Make test suite work in presence of a broken Libgcrypt
    installation.
  * Make configure option --disable-ldap work again.
Noteworthy changes in version 2.2.28 (2021-06-10)
-------------------------------------------------
  * gpg: Auto import keys specified with --trusted-keys.
  * gpg: Allow decryption w/o public key but with correct card
    inserted.
  * gpg: Allow fingerprint based lookup with --locate-external-key.
  * gpg: Lookup a missing public key of the current card via LDAP.
  * gpg: New option --force-sign-key.
  * gpg: Use a more descriptive password prompt for symmetric
    decryption.
  * gpg: Do not use the self-sigs-only option for LDAP keyserver
    imports.
  * gpg: Keep temp files when opening images via xdg-open.
  * gpg: Fix mailbox based search via AKL keyserver method.
  * gpg: Fix sending an OpenPGP key with umlaut to an LDAP keyserver.
  * gpg: Allow ECDH with a smartcard returning only the x-coordinate.
  * gpgsm: New option --ldapserver as an alias for --keyserver.  Note
    that configuring servers in gpgsm and gpg is deprecated; please
    use the dirmngr configuration options.
  * gpgsm: Support AES-GCM decryption.
  * gpgsm: Support decryption of password protected files.
  * gpgsm: Lock keyboxes also during a search to fix lockups on
    Windows.
  * agent: Skip unknown ssh curves seen on cards.
  * scdaemon: New option --pcsc-shared.
  * scdaemon: Backport PKCS#15 card support from GnuPG 2.3.
  * scdaemon: Fix CCID driver for SCM SPR332/SPR532.
  * scdaemon: Fix possible PC/SC removed card problem.
  * scdaemon: Fix unblock PIN by a Reset Code with KDF.
  * scdaemon: Support compressed points.
  * scdaemon: Prettify S/N for Yubikeys and fix reading for early
    Yubikey 5 tokens.
  * dirmngr: New option --ldapserver to avoid the need for the
    separate dirmngr_ldapservers.conf file.
  * dirmngr: The dirmngr_ldap wrapper has been rewritten to properly
    support ldap-over-tls and starttls for X.509 certificates and
    CRLs.
  * dirmngr: OpenPGP LDAP keyservers may now also be configured using
    the same syntax as used for X.509 and CRL LDAP servers.  This
    avoids the former cumbersome quoting rules and adds a flexible set
    of flags to control the connection.
  * dirmngr: The "ldaps" scheme of an OpenPGP keyserver URL is now
    interpreted as ldap-with-starttls on port 389.  To use the
    non-standardized ldap-over-tls the new LDAP configuration method
    of the new attribute "gpgNtds" needs to be used.
  * dirmngr: Return the fingerprint as search result also for LDAP
    OpenPGP keyservers.  This requires the modernized LDAP schema.
  * dirmngr: An OpenPGP LDAP search by a mailbox now ignores revoked
    keys.
  * gpgconf: Make runtime changes with non-default homedir work.
  * gpgconf: Do not translate an empty string to the PO file's meta
    data.
  * gpgconf: Fix argv overflow if --homedir is used.
  * gpgconf: Return a new pseudo option "compliance_de_vs".
  * gpgtar: Fix file size computation under Windows.
  * Full Unicode support for the Windows command line.
  * Fix problem with Windows Job objects and auto start of our
    daemons.
  * i18n: In German always use "Passwort" instead of "Passphrase" in
    prompts.
2021-10-05 12:14:28 +00:00
nia
2a87e74329 botan-devel: Fix PLIST on non-x86. 2021-10-01 12:13:08 +00:00
nia
7449ba64ed gnupg: asm is unsafe for MKPIE on i386 2021-09-30 11:17:10 +00:00
schmonz
91b32785f5 Update to 1.1 to fix build with pkgsrc zig. From the changelog:
- Update to Zig 0.8.0
- Fix password length option
- Updates for Zig 0.7.0
- Add password option
- Handle empty/malformed files
- Add contrib folder and script that prepares wordlists
- Replace default wordlist
  The previous wordlist was derived from an English dictionary from
  LibreOffice. It contained slurs and other hurtful words. It is
  replaced with the EFF long wordlist. I apologise for including the
  LibreOffice dictionary.
- Clean up options parsing
2021-09-29 19:35:55 +00:00
adam
5e7c36d9d2 revbump for boost-libs 2021-09-29 19:00:02 +00:00