SECURITY:
* Common name not being validated when `exclude_cn_from_sans` option used in
`pki` backend
DEPRECATIONS/CHANGES:
* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates
FEATURES:
* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority
IMPROVEMENTS:
* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
and also return it when CA key pair is generated
BUG FIXES:
* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
multiple levels of children
Full changelog:
https://github.com/hashicorp/vault/blob/v0.7.0/CHANGELOG.md
PuTTY 0.68, released today, supports elliptic-curve cryptography for host
keys, user authentication keys, and key exchange. Also, for the first time,
it comes in a 64-bit Windows version.
This update may create a build issue for non-BSD due to ancient functions
being different on BSD and SYSV. there's always macros if this fails.
sqlmap is an open source penetration testing tool that automates
the process of detecting and exploiting SQL injection flaws and
taking over of database servers. It comes with a powerful detection
engine, many niche features for the ultimate penetration tester
and a broad range of switches lasting from database fingerprinting,
over data fetching from the database, to accessing the underlying
file system and executing commands on the operating system via
out-of-band connections.
1.8.1 - 2017-03-10
~~~~~~~~~~~~~~~~~~
* Fixed macOS wheels to properly link against 1.1.0 rather than 1.0.2.
1.8 - 2017-03-09
~~~~~~~~~~~~~~~~
* Added support for Python 3.6.
* Windows and macOS wheels now link against OpenSSL 1.1.0.
* macOS wheels are no longer universal. This change significantly shrinks the
size of the wheels. Users on macOS 32-bit Python (if there are any) should
migrate to 64-bit or build their own packages.
* Changed ASN.1 dependency from ``pyasn1`` to ``asn1crypto`` resulting in a
general performance increase when encoding/decoding ASN.1 structures. Also,
the ``pyasn1_modules`` test dependency is no longer required.
* Added support for
:meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.update_into` on
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext`.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization.private_bytes`
to
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization`.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKeyWithSerialization.public_bytes`
to
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKeyWithSerialization`.
* :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`
now require that ``password`` must be bytes if provided. Previously this
was documented but not enforced.
* Added support for subgroup order in :doc:`/hazmat/primitives/asymmetric/dh`.
Fast ASN.1 parser and serializer with definitions for private keys,
public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7, PKCS#8,
PKCS#12, PKCS#5, X.509 and TSP.
1.6.0 2017-02-26 03:26 UTC
Changelog:
* This release adds GnuPG 2.1 support.
* Internal API has been refactored.
* Fix Bug #21182: Ignore invalid proc_close() exit code
* Fix Bug G#28: Use --batch argument for key imports when no passphrase is
provided.
* Fix Bug #21151: GPG-AGENT process is not automatically closed when using
GnuPG 2.0
* Fix Bug #21152: Ignore time conflicts (by default)
* Fixed Bug #21148: Throw bad-passphrase exception instead of key-not-found
exception on decryption
Upstream changes:
2017-01-26 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (Version, Date): Release 0.6.12
2017-01-23 Thierry Onkelinx <thierry.onkelinx@inbo.be>
* NAMESPACE: export sha1.function() and sha1.call()
* R/sha1.R:
- sha1() gains methods for the class "function" and "call"
- sha1() gains a ... argument, currently only relevant for
"function"
- sha1() takes arguments into account for hash for complex,
Date and array. Note that this will lead to different
hasheS for these classes and for objects containing
these classes
* man/sha1.rd: update helppage for sha1()
* tests/sha1Test.R: update unit tests for sha1()
2017-01-01 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (Version, Date): Release 0.6.11
* R/sha1.R (sha1.anova): Added more #nocov marks
* src/sha2.c (SHA256_Transform): Idem
* tests/AESTest.R (hextextToRaw): Print AES object
* tests/AESTest.Rout.save: Updated
2016-12-08 Dirk Eddelbuettel <edd@debian.org>
* NAMESPACE: Register (and exported) makeRaw S3 methods
* man/makeRaw.Rd: New manual page
* tests/hmacTest.R: Direct call to makeRaw()
* tests/hmacTest.Rout.save: Ditto
* src/digest.c: Additional #nocov tags
* src/xxhash.c: Ditto
2016-12-07 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (Version, Date): Rolled minor version
* README.md: Use shields.io badge for codecov
* R/digest.R: Additional #nocov tags
* src/sha2.c: Ditto
* src/raes.c: Ditto
* tests/hmacTest.R: Additional tests
* tests/hmacTest.Rout.save: Ditto
2016-11-30 Dirk Eddelbuettel <edd@debian.org>
* .travis.yml (before_install): Activate PPA as we (currently)
need an updated version of (r-cran)-covr to run coverage
* tests/load-unload.R: Comment-out for now as it upsets coverage
* tests/digestTest.R: Test two more algorithms
* tests/digestTest.Rout.save: Updated reference output
* R/digest.R: Added #nocov tags
* R/zzz.R (.onUnload): Ditto
* src/crc32.c: Ditto
* src/pmurhash.c: Ditto
* src/raes.c: Ditto
* src/sha2.c: Ditto
* src/xxhash.c: Ditto
2016-11-26 Dirk Eddelbuettel <edd@debian.org>
* .travis.yml (after_success): Integrated Jim Hester's suggestion of
activating code coverage sent many moons ago (in PR #12)
* .codecov.yml (comment): Added
* .Rbuildignore: Exclude .codecov.yml
* README.md: Added code coverage badge
2016-10-16 Dirk Eddelbuettel <edd@debian.org>
* R/digest.R (digest): Support 'nosharing' option of base::serialize
as suggested by Radford Neal whose pqR uses this
2016-08-02 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (License): Now GPL (>= 2), cf issue 36 on GH
* README.md: Updated badge accordingly
2016-08-02 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (Version): Release 0.6.10
* DESCRIPTION (Description): Shortened to one paragraph
* DESCRIPTION (BugReports): URL to GH issues added
* .travis.yml: Rewritten for run.sh from forked r-travis
2016-07-12 Henrik Bengtsson <hb@aroma-project.org>
* src/digest.c: Correct bug with skip and file parameter interaction
* tests/digestTest.R: Test code
* tests/digestTest.Rout.save: Test reference output
* R/zzz.R: Allow for unloading of shared library
* tests/load-unload.R: Test code
* DESCRIPTION: Rolled minor Version and Date
2016-05-25 Thierry Onkelinx <thierry.onkelinx@inbo.be>
* R/sha1.R: Support for pairlist and name
* tests/sha1Test.R: Support for pairlist and name
* man/sha1.Rd: Support for pairlist, name, complex, array and Date
* NAMESPACE: Support for pairlist, name and array
* DESCRIPTION: bump version number and date
2016-05-01 Viliam Simko <viliam.simko@gmail.com>
* R/sha1.R: Support for complex, Date and array
* tests/sha1Test.R: Ditto
* NAMESPACE: Ditto
2016-04-27 Dirk Eddelbuettel <edd@debian.org>
* DESCRIPTION (Author): Add Qiang Kou to Authors
* README.md: Ditto
2016-01-25 Dirk Eddelbuettel <edd@debian.org>
* src/digest.c (digest): Use XLENGTH if R >= 3.0.0 (issue #29)
2016-01-11 Thierry Onkelinx <thierry.onkelinx@inbo.be>
* R/sha1.R: handle empty list and empty dataframe (#issue 27);
take the object class, digits and zapsmall into account (#PR 28)
* vignettes/sha1.Rmd: Small edits to reflect changes is sha1()
2016-01-09 Michel Lang <michellang@gmail.com>
* R/sha1.R: Add a length check to sha1(), use vapply()
This is a client for signing certificates with an ACME-server
(currently only provided by letsencrypt) implemented as a
relatively simple bash-script.
It uses the openssl utility for everything related to
actually handling keys and certificates,
so you need to have that installed.
Other dependencies are: curl, sed, grep, mktemp
(all found on almost any system, curl being the only exception)
The library can also be compiled using MinGW.
Removed use of alloca().
[Security] Removed implementation of deprecated "quick check" feature of PGP block cipher mode.
Improved the performance of scrypt by converting some Python to C.
Noteworthy changes in version 1.27 (2017-02-28) [C22/A22/R0]
-----------------------------------------------
* Added a Base64 decoder.
* Added support for the sh3 architecture.
* Added header gpgrt.h as an alias for gpg-error.h.
* Fixed macro GPGRT_GCC_VERSION.
* Fixed a race in non-blocking I/O on Windows.
* Interface changes relative to the 1.26 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgrt_b64state_t NEW type.
gpgrt_b64dec_start NEW.
gpgrt_b64dec_proc NEW.
gpgrt_b64dec_finish NEW.
GPG_ERR_WRONG_NAME NEW.
gpgrt.h NEW header.
Otherwise, there is one nonsensical warning on every openssl invocation.
I have seen dozens of recipes for NetBSD setups, and each one cargo-cults
a "touch openssl.cnf" against that noise.
Bump package revision.
** libgnutls: Removed any references to OpenPGP functionality in documentation,
and marked all functions in openpgp.h as deprecated. That functionality
is considered deprecated and should not be used for other reason than
backwards compatibility.
** libgnutls: Improve detection of AVX support. In certain cases when
when the instruction was available on the host, but not on a VM running
gnutls, detection could fail causing illegal instruction usage.
** libgnutls: Added support for IDNA2008 for internationalized DNS names.
If gnutls is compiled using libidn2 (the latest version is recommended),
it will support IDNA2008 instead of the now obsolete IDNA2003 standard.
Resolves gitlab issue 150. Based on patch by Tim Ruehsen.
** p11tool: re-use ID from corresponding objects when writing certificates.
That is, when writing a certificate which has a corresponding public key,
or private key in the token, ensure that we use the same ID for the
certificate.
** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added
# 20161029
* Argon2id added
* Better documentation
* Dual licensing CC0 / Apache 2.0
* Minor bug fixes (no security issue)
# 20160406
* Version 1.3 of Argon2
* Version number in encoded hash
* Refactored low-level API
* Visibility control for library symbols
* Microsoft Visual Studio solution
* New bindings
* Minor bug and warning fixes (no security issue)
# 20151206
* Python bindings
* Password read from stdin, instead of being an argument
* Compatibility FreeBSD, NetBSD, OpenBSD
* Constant-time verification
* Minor bug and warning fixes (no security issue)
v0.8.0 (14 February 2017)
+++++++++++++++++++++++++
- Added Fitbit compliance fix.
- Fixed an issue where newlines in the response body for the access token
request would cause errors when trying to extract the token.
- Fixed an issue introduced in v0.7.0 where users passing ``auth`` to several
methods would encounter conflicts with the ``client_id`` and
``client_secret``-derived auth. The user-supplied ``auth`` argument is now
used in preference to those options.
- More cleanups, removal of obsolete stuff, and moves towards py3k
compatibility.
- Add support for EC.get_builtin_curves() and use it for testing.
- Enable AES CTR mode
- Bundle-in six module v. 1.10.0
- add rand_file_name and rand_status
- remove all LHASH fiddling
- Extend Travis and GitLab CI configuration to test also py3k (with
allowed_failures) and CentOS6 (on GitLab CI).
- Add CONTRIBUTORS.rst. Thank you!
- Add PEP-484 type hints in comments to all Python files (except for
tests)
- Use context managers for file handling wherever possible instead of
leaking open file descriptors.
- Improve defaults handling for SSL_CTX_new().
- Fix PGP tests to actually run
2.047 2017/02/16
- better fix for problem which 2.046 tried to fix but broke LWP this way
2.046 2017/02/15
- cleanup everything in DESTROY and make sure to start with a fresh %{*self}
in configure_SSL because it can happen that a GLOB gets used again without
calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
2.045 2017/02/13
- fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects -> github pull#55
- optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
if perl is compiled w/o thread support
- small fix in t/protocol_version.t to use older versions of Net::SSLeay
with openssl build w/o SSLv3 support
- when setting SSL_keepSocketOnError to true the socket will not be closed
on fatal error. This is a modified version of
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
Summary of upstream changelog:
bug fixes
many new ATRs
ATR_analysis: propose to submit the ATR if not known
We propose to submit the ATR at http://smartcard-atr.appspot.com/ when
the ATR is not found in the list.
The message is always displayed for an unknown ATR, not just after the
list has been updated.
ATR_analysis: correctly use wget to store the ATR list
1.4.26 - 7 January 2017, Ludovic Rousseau
- Add support of
. Bit4id Digital DNA Key
. Bit4id tokenME FIPS v3
. INGENICO Leo
. appidkey GmbH ID60-USB
- Add support of
- PowerOn: the default algorithm is now 5V then 1.8V then 3V then fail.
It is still possible to change the initial voltage in the
Info.plist file. Now, in any case, all the values are tried
before failing.
- Negociate maximum baud rate when bNumDataRatesSupported = 0
- Some minor improvements
1.4.25 - 30 September 2016, Ludovic Rousseau
- Add support of
. Aladdin R.D. JaCarta (idProduct: 0x0402)
. Broadcom Corp 5880 (idProduct: 0x5832)
. Broadcom Corp 5880 (idProduct: 0x5833)
. Broadcom Corp 5880 (idProduct: 0x5834)
. ESMART Token GOST X2 ET1020-A
. Feitian VR504 VHBR Contactless & Contact Card Reader
. Feitian bR500
. Gemalto K50
. appidkey GmbH ID100-USB SC Reader
. appidkey GmbH ID50 -USB
- Remove suport of
. Broadcom Corp 5880 (idProduct: 0x5800)
. Broadcom Corp 5880 (idProduct: 0x5805)
. KEBTechnology KONA USB SmartCard
- macOS: Fix composite device enumeration
- Fix crash with GemCore Pos Pro and GemCore Sim Pro
- Some minor improvements
1.4.24 - 22 May 2016, Ludovic Rousseau
- Add support of
. Generic USB Smart Card Reader
. Giesecke & Devrient GmbH StarSign CUT S
. HID AVIATOR Generic
- better support of Elatec TWN4 SmartCard NFC
- better support of SCM SCL011
- betetr support of HID Aviator generic
- fix SCARD_ATTR_VENDOR_IFD_SERIAL_NO attribute size
- fix a race condition on card events with multiple readers
- Some minor improvements
1.4.23 - 20 April 2016, Ludovic Rousseau
- Add support of
. ACS ACR3901U ICC Reader
. Alcor Micro AU9560
. Cherry SmartTerminal XX44
. HID Global OMNIKEY 3x21 Smart Card Reader
. HID Global OMNIKEY 5022 Smart Card Reader
. HID Global OMNIKEY 6121 Smart Card Reader
. IonIDe Smartcard Reader reader
. KACST HSID Reader
. KACST HSID Reader Dual Storage
. KACST HSID Reader Single Storage
- Remove support of
. VMware Virtual USB CCID
- Do NOT add support of
. DUALi DE-ABCM6
- Fix a busy loop consuming 100% of CPU for some composite USB devices
impacted readers: Yubico Yubikey NEO U2F+CCID and Broadcom BCM5880
- Remove support of (unused) option DRIVER_OPTION_RESET_ON_CLOSE
- log libusb error name instead of decimal value
- Some minor improvements
1.4.22 - 10 January 2016, Ludovic Rousseau
- Add support of
. Aktiv Rutoken PINPad 2
. Aladdin R.D. JC-WebPass (JC600)
. Aladdin R.D. JCR-770
. Aladdin R.D. JaCarta
. Aladdin R.D. JaCarta Flash
. Aladdin R.D. JaCarta LT
. Aladdin R.D. JaCarta U2F (JC602)
. Athena ASEDrive IIIe Combo Bio PIV
. Athena ASEDrive IIIe KB Bio PIV
. GEMALTO CT1100
. GEMALTO K1100
. Hitachi, Ltd. Hitachi Biometric Reader
. Hitachi, Ltd. Hitachi Portable Biometric Reader
. Nitrokey Nitrokey Storage
. THURSBY SOFTWARE TSS-PK1
. Thursby Software Systems, Inc. TSS-PK7
. Thursby Software Systems, Inc. TSS-PK8
- Patch for Microchip SEC1110 reader on Mac OS X (card events notification)
- Patch for Cherry KC 1000 SC (problem was with a T=1 card and case 2 APDU)
- Fix support of FEATURE_MCT_READER_DIRECT for the Kobil mIDentity
visual reader
- Set timeout to 90 sec for PPDU (Pseudo APDU) commands. This change
allows the use of a Secure Verify command sent as a PPDU through
SCardTransmit().
- Fix a crash when reader reader initialization failed
- Fix initialization bug with Gemalto Pinpad reader on Mac OS X
- Some minor bugs fixed
1.4.21 - 21 October 2015, Ludovic Rousseau
- Add support of
. ACS ACR1252 Dual Reader
. Chicony HP USB Smartcard CCID Keyboard JP
. Chicony HP USB Smartcard CCID Keyboard KR
. FT ePass2003Auto
. Feitian bR301 BLE
. Feitian iR301 (ProductID 0x0619)
. Feitian iR301 (ProductID 0x061C)
. Identiv @MAXX ID-1 Smart Card Reader
. Identiv @MAXX Light2 token
. Identiv CLOUD 2980 F Smart Card Reader
. Identiv Identiv uTrust 4701 F Dual Interface Reader
. Identiv SCR3500 A Contact Reader
. Identiv SCR3500 B Contact Reader
. Identiv SCR35xx USB Smart Card Reader
. Identiv uTrust 2900 R Smart Card Reader
. Identiv uTrust 2910 R Smart Card Reader
. Identiv uTrust 2910 R Taglio SC Reader
. Identiv uTrust 3512 SAM slot Token
. Identiv uTrust 3522 embd SE RFID Token
. Identiv uTrust 3700 F CL Reader
. Identiv uTrust 3701 F CL Reader
. Identive Identive CLOUD 4000 F DTC
. Liteon HP SC Keyboard - Apollo (Liteon)
. Liteon HP SC Keyboard - Apollo JP (Liteon)
. Liteon HP SC Keyboard - Apollo KR (Liteon)
. Nitrokey Nitrokey HSM
. Nitrokey Nitrokey Pro
. Nitrokey Nitrokey Start
. Rocketek RT-SCR1
. VASCO DIGIPASS 875
. WatchCNPC USB CCID Key
- Remove support of
. Crypto Stick Crypto Stick v1.4 is an old version of Nitrokey Nitrokey Pro
. Free Software Initiative of Japan Gnuk Token is an old version
of Nitrokey Nitrokey Start
- Add Feitain R502 dual interface (composite) reader on Mac OS X
- display a human readable version of the error code returned by
libusb
- Mac OS X: wait until libusb/the reader is ready
- some minor bugs fixed
