pkgsrc changes:
---------------
- Depends on security/py-ecdsa
- FETCH_USING=curl to deal with PyPI's https-only website.
upstream changes:
-----------------
v1.12.0 (27th Sep 2013)
-----------------------
* #152: Add tentative support for ECDSA keys. *This adds the ecdsa
module as a new dependency of Paramiko.* The module is available at
[warner/python-ecdsa on Github](https://github.com/warner/python-ecdsa) and
[ecdsa on PyPI](https://pypi.python.org/pypi/ecdsa).
* Note that you might still run into problems with key negotiation --
Paramiko picks the first key that the server offers, which might not be
what you have in your known_hosts file.
* Mega thanks to Ethan Glasser-Camp for the patch.
* #136: Add server-side support for the SSH protocol's 'env' command. Thanks to
Benjamin Pollack for the patch.
v1.11.2 (27th Sep 2013)
-----------------------
* #156: Fix potential deadlock condition when using Channel objects as sockets
(e.g. when using SSH gatewaying). Thanks to Steven Noonan and Frank Arnold
for catch & patch.
* #179: Fix a missing variable causing errors when an ssh_config file has a
non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for catch
& patch.
* #200: Fix an exception-causing typo in `demo_simple.py`. Thanks to Alex
Buchanan for catch & Dave Foster for patch.
* #199: Typo fix in the license header cross-project. Thanks to Armin Ronacher
for catch & patch.
py-ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve
Digital Signature Algorithm), implemented purely in Python, released under the
MIT license. With this library, you can quickly create keypairs (signing key
and verifying key), sign messages, and verify the signatures. The keys and
signatures are very short, making them easy to handle and incorporate into
other protocols.
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
vis.h and glob.h are installed on Linux
(Debian GNU/Linux 7.1 and CentOS 6.4 at least)
* Makefile of Rev 1.100 removes vis.h and glob.h hack. My two Linux
environments require vis.h and glob.h entries for PLIST.
Set PLIST.vis and PLIST.glob for Linux.
The YubiHSM is Yubico's take on the Hardware Security Module (HSM),
designed for protecting secrets on authentication servers, including
cryptographic keys and passwords, at unmatched simplicity and low
cost.
- Add support of
. HID OMNIKEY 5127 CK
. HID OMNIKEY 5326 DFR
. HID OMNIKEY 5427 CK
. Ingenico WITEO USB Smart Card Reader (Base and Badge)
. SecuTech SecuTech Token
- Add support of card movement notifications for multi-slot readers
- Check libusb is at least at version 1.0.8
- Get the serialconfdir value from pcsc-lite pkg config instead of
using $(DESTDIR)/$(sysconfdir)/reader.conf.d/
- Disable class driver on Mac OS X
- Update the bundle name template to include the vendor name
- some minor bugs removed
1.4.11 - 12 June 2013, Ludovic Rousseau
- Add support of
. Gemalto IDBridge CT30
. Gemalto IDBridge K30
. SCM Microsystems Inc. SCL010 Contactless Reader
. SCM Microsystems Inc. SDI011 Contactless Reader
. THRC reader
- Better management of time extension requests
- parse: better support of devices with bInterfaceClass = 0xFF
- udev rule file: Remove setting group to pcscd, remove support of
Linux kernel < 2.6.35 for auto power up management
- some minor bugs removed
1.4.10 - 16 April 2013, Ludovic Rousseau
- Add support of
. ACS APG8201 USB Reader with PID 0x8202
. GIS Ltd SmartMouse USB
. Gemalto IDBridge K3000
. Identive CLOUD 2700 F Smart Card Reader
. Identive CLOUD 2700 R Smart Card Reader
. Identive CLOUD 4500 F Dual Interface Reader
. Identive CLOUD 4510 F Contactless + SAM Reader
. Identive CLOUD 4700 F Dual Interface Reader
. Identive CLOUD 4710 F Contactless + SAM Reader
. Inside Secure AT90SCR050
. Inside Secure AT90SCR100
. Inside Secure AT90SCR200
. SCR3310-NTTCom USB SmartCard Reader
. SafeTech SafeTouch
. SpringCard H512 Series
. SpringCard H663 Series
. SpringCard NFC'Roll
. Yubico Yubikey NEO CCID
. Yubico Yubikey NEO OTP+CCID
- Add support of time extension for Escape commands
1.4.9 - 16 January 2013, Ludovic Rousseau
- Add support of
. Aktiv Rutoken PINPad In
. Aktiv Rutoken PINPad Ex
. REINER SCT cyberJack go
- Info.plist: Correctly handle reader names containing &
Noteworthy changes in version 2.0.22 (2013-10-04)
-------------------------------------------------
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Improved support for some card readers.
* Prepared building with the forthcoming Libgcrypt 1.6.
* Protect against rogue keyservers sending secret keys.
Noteworthy changes in version 1.4.15 (2013-10-04)
-------------------------------------------------
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Protect against rogue keyservers sending secret keys.
* Use 2048 bit also as default for batch key generation.
* Minor bug fixes.
* Version 0.4.3
- crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
- crypto_onetimeauth_poly1305_implementation_name() was added.
- poly1305-ref has been replaced by a faster implementation,
Floodyberry's poly1305-donna-unrolled.
- Stackmarkings have been added to assembly code, for Hardened Gentoo.
- pkg-config can now be used in order to retrieve compilation flags for
using libsodium.
- crypto_stream_aes256estream_*() can now deal with unaligned input
on platforms that require word alignment.
- portability improvements.
- New Features
- OWL - The Owl Monitoring System uses timed DNS queries
to monitor basic network functionality. The system
consists of a manager host and a set of sensor hosts.
The Owl sensors perform periodic DNS queries and
report to the Owl manager the time taken for each
query. Over time, this shows the responsiveness of
the DNS infrastructure.
- dnssec-nodes - Many new features have been added:
- The validation tree now supports clicking on
boxes to highlight it and the arrows that derive
from it. Great for use when teaching about
DNSSEC.
- An extensive filter/effect editor now lets you
tailor the look of a graph to color-code, set
the alpha levels, etc of nodes based on their
names, status, data types, etc.
- Right clicking on a node lets you center the
graph on that node.
- More data types are collected and shown in the
data view.
- Support for arguments on the command line for
parsing log files, pcap files and domain names.
- The validation view has received a visual clean-up
- Many other bug fixes
- Bloodhound: - A mozilla-based DNSSEC-enabled browser with DANE support
- Added support for validation of SSL certificates
using the DANE protocol.
- curl - Added support for validation of SSL certificates
using the DANE protocol.
- libval - Added support for local DANE validation
- Extended the dt-danechk commandline tool to check
the X509 cert provided over the SSL connection
against the TLSA record.
- Optimized glue record lookup when the only ip
addresses configured for the host are for a single
address family (ipv4 or ipv6)
- fine tune res_io source management
- dnssec-check - dnssec-check now checks DNAME support
- rollerd - A new set of steps for KSK rollover has been
implemented. A cache-expiration wait phase has
been moved after the publication of DS records in
order to allow name caches to reflect the changes.
In addition to rollerd, supporting programs have
been modified to recognize this change.
- rollrec files - A new "information rollrec" has been added to the
rollrec files. This will allow information to be
specified for the collection of rollrecs. At this
time, the only information stored in this rollrec
is the version number of the rollrec file.
In addition to the rollrec.pm Perl module, programs
which use this module have been modified to recognize
this change.
If you use the rollrec.pm module, you should test
to see if your code is affected. The modifications
for the info rollrec have been made to minimize
affected programs. If you parse the rollrec files
yourself, you will have to account for this change.
- multiple - The perl-based tools can now use either the
ZoneFile::Fast or the Net::DNS zone file parser,
thanks to a patch from Sebastian Schmidt (yath@yath.de).
- ZoneFile::Fast - Support for TLSA
- Made it compatible with newer Net::DNS releases
- Qt5 - A patch to support DNSSEC checks in Qt5 DNS lookups
- Bug Fixes
- zonesigner - Fixed SOA parsing and serial number update issues
- libval - Properly initialize memory in sockaddr structures
before use.
=== 2.7.0 / 11 Sep 2013
* Fix for 'Could not parse PKey: no start line' error on private keys with
passphrases (issue #101) [metametaclass]
* Automatically forward environment variables defined in OpenSSH config files
[fnordfish]
* Guard against socket.gets being nil in Net::SSH::Proxy::HTTP [krishicks]
* Implemented experimental keepalive feature [noric]
=== 2.6.8 / 6 Jul 2013
* Added support for host wildcard substitution [GabKlein]
* Added a wait to the loop in close to help fix possible blocks [Josh
Kalderimis]
* Fixed test file encoding issues with Ruby 2.0 (#87) [voxik]
3.1.0 May 07 2013
- Add BCrypt::Password.valid_hash?(str) to check if a string is a valid
bcrypt password hash
- BCrypt::Password cost should be set to DEFAULT_COST if nil
- Add BCrypt::Engine.cost attribute for getting/setting a default cost
externally
3.1.1 Jul 10 2013
- Remove support for Ruby 1.8 in compiled win32 binaries
3.1.2 Aug 26 2013
- Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows
binaries
- Add support for 64-bit Windows
* liboath: Add new API methods for validating TOTP OTPs
The new methods (oath_totp_validate3 and oath_totp_validate3_callback)
introduce a new parameter *otp_counter, which is set to the actual
counter used to calculate the OTP (unless it is a NULL pointer). This
allows for easier OTP replay detection in applications using liboath.
Patch from Fabian Grünbichler <fabian.gruenbichler@tuwien.ac.at>.
Version 2.2.0 (released 2013-07-07)
* libpskc: Add functions for setting PSKC data.
The new functions are pskc_add_keypackage and all pskc_set_* functions
(see libpskc/include/pskc/keypackage.h). This allows you to write
programs that generate new PSKC structures.
* liboath: Permit different passwords for different tokens for the same user.
Thanks to Christian Hesse <list@eworm.de>.
* build: Improve building from git with most recent automake and gengetopt.
Thanks to Christian Hesse <list@eworm.de>.
* build: Valgrind is not enabled by default.
It causes too many false positives. For developers who want, use
--enable-valgrind-tests. It is still enabled by default when building
from the version controlled sources (see cfg.mk). Thanks to Christian
Hesse <list@eworm.de>.
* liboath: Make header file usable from C++ (extern "C" guard).
Reported by Alan Markus <alan.markus@gmail.com>.
* Fixups of import/export.
Add targetConfig to show in which slot a configuration is intended.
Possible memory leaks on error conditions.
* Add -d switch to ykpersonalize for dry-run.
* Add ykp_clear_config() for clearing configuration flags.
* Add getter functions for all configuration flags.
* Add -V to all tools to output version.
* Add ykp_get_acccode_type() and ykp_set_acccode_type()
Only to do with export, showing where the access code came from
in the ycfg.
* Add -1 and -2 options to ykinfo to show programming state.
- [UTMP input] New input module parsing utmp/wtmp files in Linux
- [SELINUX input] New input module parsing SELinux audit files in Linux
- [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py
from l2t-tools.
- [EVTX Library] Fixed a small bug in the code, causing some EVTX file
parsing to fail.
- [Altiris input] Fixed a small bug when the date is malformed.
- [Log2Timeline library] Fixed a few bugs:
- Small error in the format sort, caused oxml to sometimes be skipped
in processing.
- [GENERIC_LINUX input] Added a small extra eval sentence.
- [LS_QUARANTINE] Fixed a minor bug in the get_time routine, if a database
occurs it is caught by an eval sentence.
- [TEST] Added a few more tests.
- [MOST INPUT MODULES] Changed the line:
my $line = <$fh> or return undef;
in most input modules.
- [WIN library] Added a few more transformations of Windows stored time zones
into "olson" ones understood by DateTime.
- [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
- [faersluskra2timalina] Added a new frontend to the tool, exact copy of
log2timeline, except all parameters in Icelandic... kinda
April Fools' joke, except not in April.. so enjoy.
- [timescanner tool] Removed this frontend from the Makefile since it serves
no purpose (as in no longer part of the automatic installation).