Commit graph

12041 commits

Author SHA1 Message Date
adam
2eaf0fa01e py-cryptography: updated to 38.0.3
38.0.3 - 2022-11-01
~~~~~~~~~~~~~~~~~~~
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7,
  which resolves *CVE-2022-3602* and *CVE-2022-3786*.


38.0.2 - 2022-10-11
~~~~~~~~~~~~~~~~~~~
This release was subsequently yanked from PyPI due to a regression in OpenSSL.

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
2022-11-02 08:41:16 +00:00
adam
f4eda51b92 py-google-auth-oauthlib: updated to 0.7.0
0.7.0 (2022-10-25)

Bug Fixes

setup.py: increase required google-auth version to >=2.13.0
2022-10-31 10:45:22 +00:00
adam
6d7c2ce4c6 py-nacl: not for Python 2.7 2022-10-31 08:11:43 +00:00
wiz
4f4e4e5a45 keepassxc: update to 2.7.4.
## 2.7.4 (2022-10-29)

### Changes
- Add 2 months expiration preset [#8687]
- CLI: Add Unicode support on Windows [#8618]

### Fixes
- Fix crash on macOS when unlocking database [#8676]
- Fix display of passwords in preview panel [#8633]
- Fix clicking links in entry preview panel [#8644]
- Prevent expired entries search if no results returned [#8643]
- Browser: Revert code causing connection problems [#8665]
- Browser: Fix socket file symbolic link on Linux [#8656]
- Flatpak: Fix launching browser proxy service [#8680]
- SSH Agent: Fix Pageant support on Windows [#8619]

## 2.7.3 (2022-10-23)

### Changes
- Enhance Tags Support and Add Saved Searches [#8435, #8607]
- Significant improvements to entry preview panel [#7993]
- Add password strength indicator to all password fields [#7885]
- Limit zxcvbn entropy estimation length to 128 characters [#7748]
- Try full URL path when fetching favicon [#8565]
- Hide usernames in preview panel when hidden in entry view [#8608]
- Enable dark title bar on windows when accent color is not used [#8498]
- Add option to display passwords in color in preview panel [#7097]
- Add XML Export option to GUI [#8524]
- Increase entropy required for a "good" password rating to 75 [#8523]
- Add shortcut to copy password with TOTP appended [#8443]
- Show entry count in status bar [#8435]
- Allow KeePassXC to be built without X11 [#8147]
- Enable use of VivoKey Apex and Dangerous Things FlexSecure tokens [#8332]
- Add setting for number of recent files [#8239]
- Add Ctrl+Tab shortcut to cycle databases in unlock dialog [#8168]
- Replace offensive words in eff_large.wordlist [#7968]
- Auto-Type: PICKCHARS can specify attribute and ignore BEEP [#8118]
- Linux: Add isHardwareKeySupported and refreshHardwareKeys to DBus methods [#8055]
- Add config variable to specify default database file name [#8042]
- Support numeric aware sorting on Windows and macOS [#8363]
- CLI: Add `db-edit` command [#8400]
- CLI: Add option to display all attributes with `show` command [#8256]
- CLI: Show UUID and tags with `show` and `clip` commands [#8241]
- Browser: Move socket into separate directory on Linux [#8030]
- Browser: Add group setting to omit WWW subdomain when matching URLs [#7988]
- FdoSecrets: Ask to unlock the database when creating items [#8022, #8028]
- FdoSecrets: Skip entries in recycle bin when searching [#8021]

### Fixes
- Fix potential deadlock in UI when saving [#8606]
- Fix newlines when copying notes from preview panel [#8542]
- Fix dark mode detection on Linux [#8477]
- Fix crash when deleting items in recycle bin while searching [#8117]
- Fix crash when trying to close database during unlock [#8144]
- Fix tabbing around the interface [#8435, #8520]
- Fix OPVault import when there are multiple OTP fields [#8436]
- Fix various Windows Hello bugs [#8354]
- Fix use of Apple Watch for Quick Unlock [#8311]
- Better handling of "Lock on Minimize" setting [#8202]
- Check for write permission before entering portable mode [#8447]
- Correct regex escape logic to prevent parse errors [#7778]
- Normalize slashes and file case for last used databases [#7864, #7214]
- Link ykcore against pthread [#7807]
- Auto-Type: Fix menu entries in selection dialog on Windows [#7987]
- Auto-Type: Fix use of modifiers under macOS [#8111]
- CLI: Fix output when using clip with the -t flag [#8271]
- Browser: Use asynchronous access confirm dialog [#8273]
- Browser: Always send database locked/unlocked status [#8114]
2022-10-30 11:25:47 +00:00
fcambus
880cf5d9f3 Add ssh-audit. 2022-10-29 14:04:18 +00:00
fcambus
3e18504404 security/ssh-audit: import ssh-audit-2.5.0.
ssh-audit is a tool for ssh server & client configuration auditing.

Features:
* SSH1 and SSH2 protocol server support
* analyze SSH client configuration
* grab banner, recognize device or software and OS, detect compression
* gather key-exchange, host-key, encryption and MAC algorithms
* output algorithm information
  (available since, removed/disabled, unsafe/weak/legacy, etc)
* output algorithm recommendations
  (append or remove based on recognized software version)
* output security information (related issues, assigned CVE list, etc)
* analyze SSH version compatibility based on algorithm information
* historical information from OpenSSH, Dropbear SSH and libssh
* policy scans to ensure adherence to a hardened/standard configuration
2022-10-29 14:03:09 +00:00
wiz
dbe1a54e9d *: bump PKGREVISION for libunistring shlib major bump 2022-10-26 10:31:34 +00:00
wiz
530502eac9 *: bump PKGREVISION for libunistring shlib major bump 2022-10-26 10:31:00 +00:00
adam
c9d6bb4ed1 py-google-auth-oauthlib: updated to 0.6.0
0.6.0
Features

Update to allow for 3PI credentials

Bug Fixes

Add timeout to run_local_server when waiting for response

Documentation

Update readme to point to current docs url
2022-10-25 19:17:38 +00:00
adam
703b70833c py-google-auth: updated to 2.13.0
2.13.0 (2022-10-14)

Features

Adds new external account authorized user credentials
Implement pluggable auth interactive mode
Introduce the functionality to override token_uri in credentials

Bug Fixes

Adding one more pattern to relax the regex check for sts and impersonation url endpoints

2.12.0 (2022-09-26)

Features

Retry behavior

Bug Fixes

Modify RefreshError exception to use gcloud ADC command.
Revert "Update token refresh threshold from 20 seconds to 5 minutes".
2022-10-25 19:12:58 +00:00
adam
96bc52a0df py-nacl: updated to 1.5.0
1.5.0
BACKWARDS INCOMPATIBLE: Removed support for Python 2.7 and Python 3.5.
BACKWARDS INCOMPATIBLE: We no longer distribute manylinux1 wheels.
Added manylinux2014, manylinux_2_24, musllinux, and macOS universal2 wheels (the latter supports macOS arm64).
Update libsodium to 1.0.18-stable (July 25, 2021 release).
Add inline type hints.
2022-10-25 11:33:05 +00:00
adam
8d8ca11a96 py-oauthlib: updated to 3.2.2
3.2.2 (2022-10-17)
------------------
OAuth2.0 Provider:
* CVE-2022-36087
2022-10-25 07:26:58 +00:00
adam
0727947f8c sudo: updated to 1.9.12
What's new in Sudo 1.9.12

 * Fixed a bug in the ptrace-based intercept mode where the current
   working directory could include garbage at the end.

 * Fixed a compilation error on systems that lack the stdint.h
   header.

 * Fixed a bug when logging the command's exit status in intercept
   mode.  The wrong command could be logged with the exit status.

 * For ptrace-based intercept mode, sudo will now attempt to
   verify that the command path name, arguments and environment
   have not changed from the time when they were authorized by the
   security policy.  The new "intercept_verify" sudoers setting can
   be used to control this behavior.

 * Fixed running commands with a relative path (e.g. ./foo) in
   intercept mode.  Previously, this would fail if sudo's current
   working directory was different from that of the command.

 * Sudo now supports passing the execve(2) system call the NULL
   pointer for the `argv` and/or `envp` arguments when in intercept
   mode.  Linux treats a NULL pointer like an empty array.

 * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
   sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.

 * Fixed a problem with "sudo -i" on SELinux when the target user's
   home directory is not searchable by sudo.

 * Neovim has been added to the list of visudo editors that support
   passing the line number on the command line.

 * Fixed a bug in sudo's SHA384 and SHA512 message digest padding.

 * Added a new "-N" (--no-update) command line option to sudo which
   can be used to prevent sudo from updating the user's cached
   credentials.  It is now possible to determine whether or not a
   user's cached credentials are currently valid by running:

        $ sudo -Nnv

   and checking the exit value.  One use case for this is to indicate
   in a shell prompt that sudo is "active" for the user.

 * PAM approval modules are no longer invoked when running sub-commands
   in intercept mode unless the "intercept_authenticate" option is set.
   There is a substantial performance penalty for calling into PAM
   for each command run.  PAM approval modules are still called for
   the initial command.

 * Intercept mode on Linux now uses process_vm_readv(2) and
   process_vm_writev(2) if available.

 * The XDG_CURRENT_DESKTOP environment variable is now preserved
   by default.  This makes it possible for graphical applications
   to choose the correct theme when run via sudo.

 * On 64-bit systems, if sudo fails to load a sudoers group plugin,
   it will use system-specific heuristics to try to locate a 64-bit
   version of the plugin.

 * The cvtsudoers manual now documents the JSON and CSV output
   formats.

 * Fixed a bug where sub-commands were not being logged to a remote
   log server when log_subcmds was enabled.

 * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
   sudoers settings can be used to support more fine-grained I/O logging.
   The sudo front-end no longer allocates a pseudo-terminal when running
   a command if the I/O logging plugin requests logging of stdin, stdout,
   or stderr but not terminal input/output.

 * Quieted a libgcrypt run-time initialization warning.

 * Fixed a bug in visudo that caused literal backslashes to be removed
   from the EDITOR environment variable.

 * The sudo Python plugin now implements the "find_spec" method instead
   of the deprecated "find_module".  This fixes a test failure when
   a newer version of setuptools that doesn't include "find_module" is
   found on the system.

 * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created
   the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as
   a directory instead of a plain file.  The same bug could result
   in I/O log directories that end in six or more X's being created
   literally in addition to the name being used as a template for
   the mkdtemp(3) function.

 * Fixed a long-standing bug where a sudoers rule with a command
   line argument of "", which indicates the command may be run with
   no arguments, would also match a literal "" on the command line.

 * Added the -I option to visudo which only edits the main sudoers
   file.  Include files are not edited unless a syntax error is found.

 * Fixed "sudo -l -U otheruser" output when the runas list is empty.
   Previously, sudo would list the invoking user instead of the
   list user.

 * Fixed the display of command tags and options in "sudo -l" output
   when the RunAs user or group changes.  A new line is started for
   RunAs changes which means we need to display the command tags
   and options again.

 * The sesh helper program now uses getopt_long(3) to parse the
   command line options.

 * The embedded copy of zlib has been updated to version 1.2.13.

 * Fixed a bug that prevented event log data from being sent to the
   log server when I/O logging was not enabled.  This only affected
   systems without PAM or configurations where the pam_session and
   pam_setcred options were disabled in the sudoers file.

 * Fixed a bug where "sudo -l" output included a carriage return
   after the newline.  This is only needed when displaying to a
   terminal in raw mode.
2022-10-24 10:29:19 +00:00
nros
5c483e9e79 revision bump for qore 1.12.0 2022-10-20 12:11:51 +00:00
wiz
93d3286e27 security/Makefile: sort 2022-10-20 06:48:18 +00:00
nia
aa839a9daf fighting a losing battle against the py-cryptography rustification, part 5
Convert py-OpenSSL users to versioned_dependencies.mk
2022-10-19 14:25:18 +00:00
nia
b0c188c93a fighting a losing battle against the py-cryptography rustification, part 4
Add support for py-OpenSSL to versioned_dependencies.mk
2022-10-19 14:17:54 +00:00
nia
505adeae10 fighting a losing battle against the py-cryptography rustification, part 3
Re-import the last version of py-OpenSSL without a hard unnecessary
dependency on rustified py-cryptography
2022-10-19 14:11:01 +00:00
nia
1825d370e7 fighting a losing battle against the py-cryptography rustification, part 3
Re-import the last version of py-OpenSSL without a hard unnecessary
dependency on rustified py-cryptography
2022-10-19 14:10:03 +00:00
nia
5dfa1bcb59 fighting a losing battle against py-cryptography rustification, part 2
Switch users to versioned_dependencies.mk.
2022-10-19 13:56:31 +00:00
nia
1b56eedcba python: Special handling of py-cryptography for versioned_dependencies.mk 2022-10-19 13:37:21 +00:00
nia
ef8cdb09ed py27-cryptography: Restore support for Python 3, we want this because
it doesn't require rust
2022-10-19 13:18:46 +00:00
nia
9fc225d529 Remove "norust" version of py-cryptography, it's the same as the "py27" version 2022-10-19 13:15:36 +00:00
nia
deafbef89f Re-import the last Rust-free version of py-cryptography for ARMv6 2022-10-19 12:38:26 +00:00
adam
d26707a131 gnupg2: add new patch 2022-10-17 09:13:18 +00:00
adam
08d90eb841 gnupg2: updated to 2.2.40
Noteworthy changes in version 2.2.40 (2022-10-10)
-------------------------------------------------
* gpg: Do not consider unknown public keys as non-compliant while
  decrypting.
* gpg: Avoid to emit a compliance mode line if Libgcrypt is
  non-compliant.
* gpg: In de-vs mode use AES-128 instead of 3-DES as implicit
  preference.
* gpgsm: Fix reporting of bad passphrase error during PKCS-11
  import.
* dirmngr: Fix CRL Distribution Point fallback to other schemes.
* dirmngr: New LDAP server flag "areconly" (A-record-only).
* dirmngr: Fix upload of multiple keys for an LDAP server specified
  using the colon format.
* dirmngr: Use LDAP schema v2 when a Base DN is specified.
* wkd: New command --mirror for gpg-wks-client.
2022-10-17 09:08:17 +00:00
he
dcadba351f security/py-denyhosts: port to work with python 3.x.
ListType and TupleType are just "list" and "tuple" in python 3,
google reveals...
Bump PKGREVISION.
2022-10-15 20:29:48 +00:00
triaxx
e0cac944ed erlang-jose: Update to 1.11.2
upstream changes:
-----------------
1.11.2 (2021-08-06)
  o Add compatibility with OTP 24
2022-10-15 17:52:42 +00:00
triaxx
918e2b0d0f erlang-epam: Update to 1.0.12
upstream changes:
-----------------
Version 1.0.12
  o Fix building without calling configure first
Version 1.0.11
  o Switch from using Travis to Github Actions as CI
  o Fix compatibility with OTP24
2022-10-15 12:04:42 +00:00
triaxx
5a6a7d1919 erlang-fast_tls: Update to 1.1.16
upstream changes:
-----------------
Version 1.1.16
  o Fix compilation on Windows
  o Reintroduce blocking of renegotiations for OpenSSL < 1.1.0h
Version 1.1.15
  o Fix compilation on pre c99 systems
Version 1.1.14
  o Updating p1_utils to version 1.0.25.
  o Improve compatibility with OpenSSL 3.0
  o Improve compatibility with LibreSSL >= 3.5
  o Add 'keyfile', 'dh' and 'fips_mode' options
Version 1.1.13
  o Updating p1_utils to version 1.0.23.
  o Switch from using Travis to Github Actions as CI
2022-10-15 12:01:57 +00:00
triaxx
68201c481b erlang-pkix: Update to 1.0.9
upstream changes:
-----------------
Version 1.0.9
  o Generate documentation for hex.pm packages
  o Update CA bundle
Version 1.0.8
  o Switch from using Travis to Github Actions as CI
2022-10-15 11:59:18 +00:00
triaxx
951c06937f erlang-p1_acme: Update to 1.0.20
upstream changes:
-----------------
Version 1.0.20
  o Updating yconf to version 1.0.14.
Version 1.0.19
  o Updating yconf to version 1.0.13.
  o Fix order in which dependencies are started
Version 1.0.18
  o Updating jiffy to version 1.1.1 to support Mix compilation again
Version 1.0.17
  o Updating jiffy to version 1.1.0 to support Erlang/OTP 25.0-rc1
  o Copy code from eimp to use override_deps_versions only when not rebar3
Version 1.0.14
  o Generate documentation when publishing to hex
  o Updating jose to version 1.11.1.
Version 1.0.13
  o Updating yconf to version 1.0.12.
  o Switch from using Travis to Github Actions as CI
2022-10-14 20:17:53 +00:00
triaxx
89317c3845 erlang-p1_oauth2: Update to 0.6.11
upstream changes:
-----------------
Version 0.6.11
  o Generate documentation when generating hex.pm package
  o Remove usage of deprecated crypto functions
  o Improve errors reporting
Version 0.6.10
  o Switch from using Travis to Github Actions as CI
Version 0.6.9
  o Dialyzer: Update Response record definition: fields may be undefined
2022-10-14 20:11:27 +00:00
adam
d348646bf0 py-authlib: updated to 1.1.0
Version 1.1.0

This release contains breaking changes and security fixes.

Allow to pass claims_options to Framework OpenID Connect clients.
Fix .stream with context for HTTPX OAuth clients.
Fix Starlette OAuth client for cache store.

Breaking changes:

Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.

The default authlib.jose.jwt would only work with JSON Web Signature algorithms; if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:

jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.


Version 1.0.1

Fix authenticate_none method.
Allow to pass in alternative signing algorithm to RFC7523 authentication methods.
Fix missing_token for Flask OAuth client.
Allow openid in any place of the scope.
Security fix for validating essential value on blank value in JWT.


Version 1.0.0

We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.

OAuth Client Changes:

The whole framework client integrations have been restructured; if you are using the client properly, e.g. oauth.register(...), it would work as before.

OAuth Provider Changes:

In the Flask OAuth 2.0 provider, we have removed the deprecated OAUTH2_JWT_XXX configuration; instead, developers should define .get_jwt_config on OpenID extensions and grant types.

SQLAlchemy integrations have been removed from Authlib. Developers should define the database themselves.

JOSE Changes

JWS has been renamed to JsonWebSignature
JWE has been renamed to JsonWebEncryption
JWK has been renamed to JsonWebKey
JWT has been renamed to JsonWebToken
The "Key" model has been re-designed, checkout the :ref:`jwk_guide` for updates.

Added ES256K algorithm for JWS and JWT.
2022-10-14 09:06:36 +00:00
wiz
8e8f151de4 openssl: downgrade to 1.1.1q
The tarball was retracted due to a regression, to quote:

We have received a report of a significant regression in the latest
3.0.6 and 1.1.1r versions. The regression is not thought to have
security consequences. While the regression is further investigated we
have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and
instead recommend that users remain on the previous 3.0.5 and 1.1.1q
versions for now.

We will issue a new plan for the release of 3.0.7 and 1.1.1s soon.

From https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html
2022-10-12 14:32:38 +00:00
wiz
21f8466626 openssl: update to 1.1.1r.
Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]

      o Added a missing header for memcmp that caused compilation failure on
        some platforms
2022-10-12 13:38:23 +00:00
wiz
bd30094c9a Changes since OpenSSH 9.0
=========================

This release is focused on bug fixing.

Security
========

This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.

 * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
   Reported by Qualys

 * ssh-keygen(1): double free() in error path of file hashing step in
   signing/verify code; GHPR333

 * ssh-keysign(8): double-free in error path introduced in openssh-8.9

Potentially-incompatible changes
--------------------------------

 * The portable OpenSSH project now signs commits and release tags
   using git's recent SSH signature support. The list of developer
   signing keys is included in the repository as .git_allowed_signers
   and is cross-signed using the PGP key that is still used to sign
   release artifacts:
   https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.


New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

   ssh(1) will terminate a connection if the server offers an RSA key
   that falls below this limit, as the SSH protocol does not include
   the ability to retry a failed key exchange.

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private key is hosted in an agent; bz3429

Bugfixes
--------

 * ssh-keygen(1): implement the "verify-required" certificate option.
   This was already documented when support for user-verified FIDO
   keys was added, but the ssh-keygen(1) code was missing.

 * ssh-agent(1): hook up the restrict_websafe command-line flag;
   previously the flag was accepted but never actually used.

 * sftp(1): improve filename tab completions: never try to complete
   names to non-existent commands, and better match the completion
   type (local or remote filename) against the argument position
   being completed.

 * ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
   handling, especially relating to keys that request
   user-verification. These should reduce the number of unnecessary
   PIN prompts for keys that support intrinsic user verification.
   GHPR302, GHPR329

 * ssh-keygen(1): when enrolling a FIDO resident key, check if a
   credential with matching application and user ID strings already
   exists and, if so, prompt the user for confirmation before
   overwriting the credential. GHPR329

 * sshd(8): improve logging of errors when opening authorized_keys
   files. bz2042

 * ssh(1): avoid multiplexing operations that could cause SIGPIPE from
   causing the client to exit early. bz3454

 * ssh_config(5), sshd_config(5): clarify that the RekeyLimit
   directive applies to both transmitted and received data. GHPR328

 * ssh-keygen(1): avoid double fclose() in error path.

 * sshd(8): log an error if pipe() fails while accepting a
   connection. bz3447

 * ssh(1), ssh-keygen(1): fix possible NULL deref when built without
   FIDO support. bz3443

 * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
   GHPR294.

 * sshd(8): ensure that authentication passwords are cleared from
   memory in error paths. GHPR286

 * ssh(1), ssh-agent(1): avoid possibility of notifier code executing
   kill(-1). GHPR286

 * ssh_config(5): note that the ProxyJump directive also accepts the
   same tokens as ProxyCommand. GHPR305.

 * scp(1): do not ftruncate(3) files early when in sftp mode. The
   previous behaviour of unconditionally truncating the destination
   file would cause "scp ~/foo localhost:foo" and the reverse
   "scp localhost:foo ~/foo" to delete all the contents of their
   destination. bz3431

 * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
   unable to load a private key; bz3429

 * sftp(1), scp(1): when performing operations that glob(3) a remote
   path, ensure that the implicit working directory used to construct
   that path escapes glob(3) characters. This prevents glob characters
   from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
   "get *.txt" should have the get operation treat the path "/tmp/a*"
   literally and not attempt to expand it.

 * ssh(1), sshd(8): be stricter in which characters will be accepted
   in specifying a mask length; allow only 0-9. GHPR278

 * ssh-keygen(1): avoid printing hash algorithm twice when dumping a
   KRL

 * ssh(1), sshd(8): continue running local I/O for open channels
   during SSH transport rekeying. This should make ~-escapes work in
   the client (e.g. to exit) if the connection happened to have
   stalled during a rekey event.

 * ssh(1), sshd(8): avoid potential poll() spin during rekeying

 * Further hardening for sshbuf internals: disallow "reparenting" a
   hierarchical sshbuf and zero the entire buffer if reallocation
   fails. GHPR287

Portability
-----------

 * ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in
   FIDO security key support if libfido2 is found and usable, unless
   --without-security-key-builtin was requested.

 * ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
   FIDO device usable on Cygwin. The windows://hello FIDO device will
   be automatically used by default on this platform unless requested
   otherwise, or when probing resident FIDO credentials (an operation
   not currently supported by WinHello).

 * Portable OpenSSH: remove workarounds for obsolete and unsupported
   versions of OpenSSL libcrypto. In particular, this release removes
   fallback support for OpenSSL that lacks AES-CTR or AES-GCM.

   Those AES cipher modes were added to OpenSSL prior to the minimum
   version currently supported by OpenSSH, so this is not expected to
   impact any currently supported configurations.

 * sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc

 * All: resync and clean up internal CSPRNG code.

 * scp(1), sftp(1), sftp-server(8): avoid linking these programs with
   unnecessary libraries. They are no longer linked against libz and
   libcrypto. This may be of benefit to space constrained systems
   using any of those components in isolation.

 * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
   architectures.

 * configure: remove special casing of crypt(). configure will no
   longer search for crypt() in libcrypto, as it was removed from
   there years ago. configure will now only search libc and libcrypt.

 * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its
   RSA implementation (CVE-2022-2274) on x86_64.

 * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322

 * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes
   required by the XMSS code on some platforms.

 * sshd(8): cache timezone data in capsicum sandbox.
2022-10-12 13:34:59 +00:00
taca
ee718a9666 Remove lines for Ruby 2.6. 2022-10-10 03:36:48 +00:00
taca
04559dee6e security/ruby-snaky_hash: update to 2.0.1
Added

* Certificate for signing gem releases (@pboling)
* Gemspec metadata (@pboling)

	- funding_uri
	- mailing_list_uri

* Checksums for released gems (@pboling)

Changed

* Gem releases are now cryptographically signed (@pboling)
2022-10-09 08:26:15 +00:00
taca
8246fbd98c security/ruby-oauth-tty: update to 1.0.5
1.0.4 (2022-09-19)

Added

* Certificate for signing gem releases (@pboling)
* Gemspec metadata (@pboling)

	- funding_uri
	- mailing_list_uri

* Installation and usage documentation (@pboling)
* SHA 512 Checksum for release (@pboling)

Changed

* Gem releases are now cryptographically signed (@pboling)

1.0.5 (2022-09-20)

Added

* SHA 256 Checksum for release (in addition to SHA 512) (@pboling)
* Aligned checksums directory name with rake build:checksum task (@pboling)
* General Cleanup
2022-10-09 08:24:23 +00:00
taca
115aaa4dda security/ruby-metasploit-payloads: update to 2.0.97
2.0.95 (2022-09-22)

* Changes are too many to write here, please refer:
  <https://github.com/rapid7/metasploit-payloads/compare/v2.0.94...v2.0.95>

2.0.96 (2022-09-22)

* Land #585, Add stdapi_registry_check_key_exists for Python

2.0.97 (2022-09-29)

* land #588, Add TrustedSec's COFFLoader as Meterpreter Extension
2022-10-09 08:20:48 +00:00
adam
6b82056761 libksba: updated to 1.6.2
Noteworthy changes in version 1.6.2 (2022-10-07) [C22/A14/R2]
------------------------------------------------

 * Fix integer overflow in the CRL parser.
2022-10-09 07:51:10 +00:00
adam
8071b60aa4 libgpg-error: updated to 1.46
Noteworthy changes in version 1.46 (2022-10-07) [C33/A33/R1]
-----------------------------------------------

 * Support for bidirectional pipes under Windows.  [T6112]

 * REG_DWORD types are now supported in the Windows Registry.
   [rE745d333cf7]

 * Added ES_SYSHD_SOCK support for gpgrt_sysopen under Windows.
   [rE018ea46a30]

 * Fixed gpgrt_log_get_fd for the file case.  [T5922]

 * Avoids header problem with C11 and "noreturn".  [T4002]

 * The gpg-error-config command is not installed by default, because
   it is now replaced by use of pkg-config/gpgrt-config with
   gpg-error.pc.  Supply --enable-install-gpg-error-config configure
   option, if it's really needed.

 * Fixed support of posix-lock for FreeBSD.  [rE6e17e70bb7]

 * Build fixes for some Mingw tool chain versions.  [T5890, T4656]

 * Removed remaining support for WindowsCE.  [T5912]

 * Updated config.guess, config.sub, and config.rpath.  [T6078]

 * gpg-error-config is now only installed when enabled.  [T5683]

 * System paths are now stripped from --cflags --and --libs.  [T6136]
2022-10-09 07:50:29 +00:00
bsiegert
aeb1f39ca8 New package for signify, from pkgsrc-wip
The signify utility creates and verifies cryptographic signatures.
A signature verifies the integrity of a message.

This version of signify is part of outils, a portable collection of
non-standard OpenBSD tools.
2022-10-08 11:30:26 +00:00
adam
3c34c53829 py-acme py-certbot*: updated to 1.31.0
Certbot 1.31.0

Changed

If Certbot exits before setting up its usual log files, the temporary directory created to save logging information will begin with the name certbot-log- rather than a generic name. This should not be considered a stable aspect of Certbot and may change again in the future.

Fixed

Fixed an incompatibility in the certbot-dns-cloudflare plugin and the Cloudflare library
which was introduced in the Cloudflare library version 2.10.1. The library would raise
an error if a token was specified in the Certbot --dns-cloudflare-credentials file as
well as the cloudflare.cfg configuration file of the Cloudflare library.
2022-10-07 07:27:14 +00:00
bsiegert
e5cb21c812 Revbump all Go packages after go119 security update 2022-10-05 11:32:55 +00:00
nia
0426c79223 py-cryptodome: Fails with a compiler defaulting to c89 2022-10-03 11:36:42 +00:00
nros
d3657b8608 Revbump due to security/crypto++ update 2022-10-02 16:34:33 +00:00
nros
f1557a0b15 Update security/crypto++ to version 8.7.0
Changes according to Changelog:

8.7.0 - August 7, 2022
      - minor release, recompile of programs required
      - expanded community input and support
        * 81 unique contributors as of this release
      - fix RSA key generation for small moduli
      - fix AES-GCM with AESNI but without CLMUL
      - fix Clang warning with C++17
      - fix MinGW builds due to use of O_NOFOLLOW
      - rework CFB_CipherTemplate::ProcessData and AdditiveCipherTemplate::ProcessData
        * restored performance and avoided performance penalty of a temp buffer
      - fix undersized SecBlock buffer in Integer bit operations
      - work around several GCC 11 & 12 problems

8.6.0 - September 21, 2021
      - minor release, recompile of programs required
      - expanded community input and support
        * 74 unique contributors as of this release
      - fix ElGamal encryption
      - fix ChaCha20 AVX2 implementation
      - add octal and decimal literal prefix parsing to Integer
      - add missing overload in ed25519Signer and ed25519Verifier
      - make SHA-NI independent of AVX and AVX2
      - fix OldRandomPool GenerateWord32
      - use CPPFLAGS during feature testing
      - fix compile on CentOS 5
      - fix compile on FreeBSD
      - fix feature testing on ARM A-32 and Aarch64
      - enable inline ASM for CRC and PMULL on Apple M1
      - fix Intel oneAPI compile
      - rename test files with *.cpp extension
      - fix GCC compile error due to missing _mm256_set_m128i
      - add LSH-256 and LSH-512 hash functions
      - add ECIES_P1363 for backwards compatibility
      - fix AdditiveCipherTemplate<T> ProcessData
      - remove CRYPTOPP_NO_CXX11 define
      - add -fno-common for Darwin builds
      - update documentation

8.5.0 - March 7, 2021
      - minor release, no recompile of programs required
      - expanded community input and support
        * 70 unique contributors as of this release
      - port to Apple M1 hardware

8.4.0 - January 2, 2021
      - minor release, recompile of programs required
      - expanded community input and support
        * 67 unique contributors as of this release
      - fix SIGILL on POWER8 when compiling with GCC 10
      - fix potential out-of-bounds write in FixedSizeAllocatorWithCleanup
      - fix compile on AIX POWER7 with IBM XLC 12.01
      - fix compile on Solaris with SunCC 12.6
      - revert changes for constant-time elliptic curve algorithms
      - fix makefile clean and distclean recipes

8.3.0 - December 20, 2020
      - minor release, recompile of programs required
      - expanded community input and support
        * 66 unique contributors as of this release
      - fix use of macro CRYPTOPP_ALIGN_DATA
      - fix potential out-of-bounds read in ECDSA
      - fix std::bad_alloc when using ByteQueue in pipeline
      - fix missing CRYPTOPP_CXX17_EXCEPTIONS with Clang
      - fix potential out-of-bounds read in GCM mode
      - add configure.sh when preprocessor macros fail
      - fix potential out-of-bounds read in SipHash
      - fix compile error on POWER9 due to vec_xl_be
      - fix K233 curve on POWER8
      - add Cirrus CI testing
      - fix broken encryption for some 64-bit ciphers
      - fix Android cpu-features.c using C++ compiler
      - disable RDRAND and RDSEED for some AMD processors
      - fix BLAKE2 hash calculation using Salt and Personalization
      - refresh Android and iOS build scripts
      - add XTS mode
      - fix circular dependency between misc.h and secblock.h
      - add Certificate interface
      - fix recursion in AES::Encryption without AESNI
      - add missing OID for ElGamal encryption
      - fix missing override in KeyDerivationFunction-derived classes
      - fix RDSEED assemble under MSVC
      - fix elliptic curve timing leaks (CVE-2019-14318)
      - add link-library variable to Makefiles
      - fix SIZE_MAX definition in misc.h
      - add GetWord64 and PutWord64 to BufferedTransformation
      - use HKDF in AutoSeededX917RNG::Reseed
      - fix Asan finding in VMAC on i686 in inline asm
      - fix undeclared identifier _mm_roti_epi64 on Gentoo
      - fix ECIES and GetSymmetricKeyLength
      - fix possible divide by zero in PKCS5_PBKDF2_HMAC
      - refine ASN.1 encoders and decoders
      - disable BMI2 code paths in Integer class
      - fix use of CRYPTOPP_CLANG_VERSION
      - add NEON SHA1, SHA256 and SHA512 from Cryptogams
      - add ARM SHA1, SHA256 and SHA512 from Cryptogams
      - make config.h more autoconf friendly
      - handle Clang triplet armv8l-unknown-linux-gnueabihf
      - fix reference binding to misaligned address in xed25519
      - clear asserts in TestDataNameValuePairs
2022-10-02 16:20:26 +00:00
fox
ec007eef82 security/wolfssl: Update to v5.5.1
Changes since v5.5.0:

wolfSSL Release 5.5.1 (Sep 28, 2022) Latest

Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers
  using session ticket resumption. When built with --enable-session-ticket and
  making use of TLS 1.3 server code in wolfSSL, there is the possibility of a
  malicious client to craft a malformed second ClientHello packet that causes
  the server to crash. This issue is limited to when using both
  --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3
  servers, and having --enable-session-ticket, should update to the latest
  version of wolfSSL. Thanks to Max at Trail of Bits for the report and
  "LORIA, INRIA, France" for research on tlspuffin.

New Feature Additions
* Add support for non-blocking ECC key gen and shared secret gen for
  P-256/384/521
* Add support for non-blocking ECDHE/ECDSA in TLS/DTLS layer.
* Port to NXP RT685 with FreeRTOS
* Add option to build post quantum Kyber API (--enable-kyber)
* Add post quantum algorithm sphincs to wolfCrypt
* Config. option to force no asm with SP build (--enable-sp=noasm)
* Allow post quantum keyshare for DTLS 1.3

Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve wc_SetCustomExtension documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
* Clean up some FIPS versioning logic in configure.ac and WIN10 user_settings.h
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fall back to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* Support for setting cipher list with bytes
* wolfSSL_set1_curves_list(), wolfSSL_CTX_set1_curves_list() improvements
* Add to RSAES-OAEP key parsing for pkcs7
* Add missing DN nid to work with PrintName()
* SP int: default to 16 bit word size when NO_64BIT defined
* Limit the number of fragments we store per DTLS connection and error out
  when the max limit is reached
* Detect when certificate's RSA public key size is too big and fail on loading
  of certificate

Fixes
* Fix for async with OCSP non-blocking in ProcessPeerCerts
* Fixes for building with 32-bit and socket size sign/unsigned mismatch
* Fix Windows CMakeList compiler options
* TLS 1.3 Middle-Box compat: fix missing brace
* Configuration consistency fixes for RSA keys and way to force disable of
  private keys
* Fix for Aarch64 Mac M1 SP use
* Fix build errors and warnings for MSVC with DTLS 1.3
* Fix HMAC compat layer function for SHA-1
* Fix DTLS 1.3 do not negotiate ConnectionID in HelloRetryRequest
* Check return from call to wc_Time
* SP math: fix build configuration with opensslall
* Fix for async session tickets
* SP int mp_init_size fixes when SP_WORD_SIZE == 8
* Ed. function to make public key now checks whether the private key flag is set
* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
* Fix for building with PSK only
* Set correct types in wolfSSL_sk_*_new functions
* Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS
2022-10-01 11:47:09 +00:00