- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
cryptography instead of the deprecated methods signer and
verifier.
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()
Bugfixes
Handle GSS_NO_OID_SET when creating sets
### Added
- Support for OpenResty was added to the Nginx plugin.
### Changed
- The timestamps in Certbot's logfiles now use the system's local time
zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
be able to create and delete multiple TXT records on a single
domain.
- certbot-dns-google's test suite now works without an internet
connection.
### Fixed
- Removed a small window that if during which an error occurred,
Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
`listen` directives when creating a new server block in the Nginx
plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
when it's not currently running on RHEL and Gentoo based systems.
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.
Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
Noteworthy changes in version 1.29:
* The yat2m tool is during cross-compile now also installed on the
host platform.
* New option parser and associated functions similar to the one used
by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse New.
gpgrt_usage New.
gpgrt_strusage New.
gpgrt_set_strusage New.
gpgrt_set_usage_outfnc New.
gpgrt_set_fixed_string_mapper New.
GPGRT_ENABLE_ARGPARSE_MACROS New macro.
gpgrt_b64enc_start New.
gpgrt_b64enc_write New.
gpgrt_b64enc_finish New.
SECURITY:
- Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
- Database plugin compatibility: The database plugin interface was enhanced to
support some additional functionality related to root credential rotation
and supporting templated URL strings. The changes were made in a
backwards-compatible way and all builtin plugins were updated with the new
features. Custom plugins not built into Vault will need to be upgraded to
support templated URL strings and root rotation. Additionally, the
Initialize method was deprecated in favor of a new Init method that supports
configuration modifications that occur in the plugin back to the primary
data store.
- Removal of returned secret information: For a long time Vault has returned
configuration given to various secret engines and auth methods with secret
values (such as secret API keys or passwords) still intact, and with a
warning to the user on write that anyone with read access could see the
secret. This was mostly done to make it easy for tools like Terraform to
judge whether state had drifted. However, it also feels quite un-Vault-y to
do this and we've never felt very comfortable doing so. In 0.10 we have gone
through and removed this behavior from the various backends; fields which
contained secret values are simply no longer returned on read. We are
working with the Terraform team to make changes to their provider to
accommodate this as best as possible, and users of other tools may have to
make adjustments, but in the end we felt that the ends did not justify the
means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
configured locally for policy assignment in a case insensitive fashion by
default. Existing configurations will continue to work as they do now;
however, the next time a configuration is written `case_sensitive_names`
will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
the core of Vault to ensure consistency across all backends. Since this was
previously delegated to individual backends, there may be some slight
differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
by default at initialization time (it will still be available in `dev`
mode).
FEATURES:
- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
features are only available with a supporting version of Vault, but the code
base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
`vault kv` subcommand allows friendly interactions with it. Existing mounts
of the `kv` backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
`-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
their own configured admin/root credentials, allowing configured credentials
for a database connection to be rotated immediately after sending them into
Vault, invalidating the old credentials and ensuring only Vault knows the
actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
allows authenticating Azure machines to Vault using Azure's Managed Service
Identity credentials. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
generating secrets to allow access to GCP. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
logs can be turned off for specific keys in the request input map and
response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
through to backends on a per-mount basis. This is useful in various cases
when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
- UI (Enterprise): View and edit Sentinel policies.
IMPROVEMENTS:
- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI
BUG FIXES:
- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
parent prefix entry in the underlying storage backend. These operations also
mark corresponding child tokens as orphans by removing the parent/secondary
index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
paths.
- cli: Fix an issue where generating a dr operation token would not output the
token
OTX Direct Connect agents provide a way to automatically update your
security infrastructure with pulses you have subscribed to from with
Open Threat Exchange. By using Direct Connect, the indicators
contained within the pulses you have subscribed to can be downloaded
and made locally available for other applications such as Intrusion
Detection Systems, Firewalls, and other security-focused applications.
2.0.7:
Moved oauthlib into new organization on GitHub.
Include license file in the generated wheel package.
When deploying a release to PyPI, include the wheel distribution.
Check access token in self.token dict.
Added bottle-oauthlib to docs.
Update repository location in Travis.
Updated docs for organization change.
Replace G+ with Gitter.
Update requirements.
Add shields for Python versions, license and RTD.
Fix ReadTheDocs build
Fixed "make" command to test upstream with local oauthlib.
Replace IRC notification with Gitter Hook.
Added Github Releases deploy provider.
Based on the wip package by myself with fixes from rillig.
KeePassXC can store your passwords safely and auto-type them into
your everyday websites and applications.
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
0.22.2
- A type error introduced in 0.22.1 that would occur during challenge
cleanup when a Certbot plugin raises an exception while trying to
complete the challenge was fixed.
0.22.1
- The ACME server used with Certbot's --dry-run and --staging flags is
now Let's Encrypt's ACMEv2 staging server which allows people to
also test ACMEv2 features with these flags.
- The HTTP Content-Type header is now set to the correct value during
certificate revocation with new versions of the ACME protocol.
- When using Certbot with Let's Encrypt's ACMEv2 server, it would add
a blank line to the top of chain.pem and between the certificates in
fullchain.pem for each lineage. These blank lines have been removed.
- Resolved a bug that caused Certbot's --allow-subset-of-names flag
not to work.
- Fixed a regression in acme.client.Client that caused the class to
not work when it was initialized without a ClientNetwork which is
done by some of the other projects using our ACME library.
0.1.12 (2018/03/21)
* Land #9, improve SSL certificate generation
* fix is_mac_addr to validate if something is _only_ a mac address
* Improve SSL certificate generation
0.1.11 (2018/02/09)
* Land #8, factor out SSL bits
* Address Brent's comment - drop @@loaded_openssl
* Implement a certificate provider pattern in Socket
* Extract and mixin cert ops from server module
DEPRECATIONS/CHANGES:
- The AWS authentication backend now allows binds for inputs as either a
comma-delimited string or a string array. However, to keep consistency with
input and output, when reading a role the binds will now be returned as
string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
backend, you now must explicitly opt-in by adding a `*` to the end of the
ARN. Existing configurations will be upgraded automatically, but when
writing a new role configuration the updated behavior will be used.
FEATURES:
- Replication Activation Enhancements: When activating a replication
secondary, a public key can now be fetched first from the target cluster.
This public key can be provided to the primary when requesting the
activation token. If provided, the public key will be used to perform a
Diffie-Hellman key exchange resulting in a shared key that encrypts the
contents of the activation token. The purpose is to protect against
accidental disclosure of the contents of the token if unwrapped by the wrong
party, given that the contents of the token are highly sensitive. If
accidentally unwrapped, the contents of the token are not usable by the
unwrapping party. It is important to note that just as a malicious operator
could unwrap the contents of the token, a malicious operator can pretend to
be a secondary and complete the Diffie-Hellman exchange on their own; this
feature provides defense in depth but still requires due diligence around
replication activation, including multiple eyes on the commands/tokens and
proper auditing.
IMPROVEMENTS:
- api: Update renewer grace period logic. It no longer is static, but rather
dynamically calculates one based on the current lease duration after each
renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
checking
BUG FIXES:
- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
max_lease_ttl configured on the token store mount, truncate it. This matches
renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
helper for a particular method
2.2.1:
Reverted a change to GeneralNames which prohibited having zero elements, due to breakages.
Fixed a bug in :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
0.1.77 2017/09/23
* Convert double quotes to single quotes to match #{URL}
0.1.76 2017/09/07
* Merge pull request #9 from sempervictus/feature-payload_msil_jit
0.1.75 2017/08/25
* Remove useless failing spec
* Improve use of RandomIdentifier::Generator
* Add MSIL to template constants
* Update spec for MSIL payload
* Implement MSIL payload in Rex gem via template
* Update spec for command
* Finalize quote wrapper
* Rework quote handling
* Cleanup Command single quotes redundant gsub
0.1.74 2017/07/18
* Alternative to IEX in dl_and_exec_string methods
* Command spec - deal with :use_single_quotes
* Output and command improvements for Win10
0.1.73 2017/05/12
* update spec to require Ruby 2.2.0 or greater
7.2.0 (2018-01-17)
Closed issues:
* list_vuln_exceptions returns API error #312
* Credentials failure after using Site.copy #307
* XML serialization for VulnException incorrect due to extra whitespace #304
* Nexpose timeout does not seem to work #299
Merged pull requests:
* Update vuln exceptions to use generally available API version #313
(mhuffman-r7)
* Add a method to add common vuln status filters to report configs #303
(gschneider-r7)
* Updated for Ruby 2.4 Support #301 (twosevenzero)
**** 1.05 March 20, Tuesday
Feature
Support added for Ed25519 and Ed448 algorithms
Fix: rt.cpan.org #124650
Net::DNS::SEC::Private must not die if attribute is not present
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.
- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well fixes for
a handful of other important bugs, including patches to support g++ 6, C++11.
