Changes since 2.8.6:
- Support External Account Binding (EAB)
- Support ZeroSSL.com CA
- Support preferred-chain
- More dns api support
- Adds Docker multi-arch build support
Also remove incorrect (unnecessary) dependency on mozilla-rootcerts.
OK by ryoon@
1.5.0
* Added support for Python 3.9.
* Dropped support for Python 3.5.
* Stopped supporting running tests with ``python setup.py test`` which is
deprecated in favor of ``python -m pytest``.
1.23.0:
Features
Add custom scopes for access tokens from the metadata service
Bug Fixes
deps: Revert "fix: pin 'aoihttp < 3.7.0dev'"
pin 'aoihttp < 3.7.0dev'
remove checks for ancient versions of Cryptography
(pkgsrc changes)
- Add ./autogen.sh for pre-configure:
- Add following two lines to get the similar PLIST
CONFIGURE_ARGS+= --enable-gtk-doc
.include "../../textproc/gtk-doc/buildlink3.mk"
- Add following lines to avoid "msgfmt: unknown option -- desktop" (thanks joerg@)
.if ${OPSYS} == "NetBSD"
TOOLS_PLATFORM.msgfmt=
.endif
(upstream changes)
gcr 3.38.0:
- No changes from 3.37.91
gcr 3.37.91:
- meson: missing dependency on generated oids header [GNOME/gcr#48, GNOME/gcr!57]
- Correct display of key usage extensions [GNOME/gcr#47, GNOME/gcr!56]
- meson: Correctly set internal vapi dependencies [GNOME/gcr!55]
- Cleanup GType boilerplate [GNOME/gcr!53]
- gck: Fixed test failures [GNOME/gcr#42, GNOME/gcr!51, GNOME/gcr!52]
- Updated translations
gcr 3.36.0:
- gcr: Update gtk-doc get_der_data() vfunc [GNOME/gcr!48]
- Updated translations
gcr 3.35.91:
- Mark deprecated functions with G_DEPRECATED [GNOME/gcr#36, GNOME/gcr!47]
- egg-oid: Add comments for translators for new abbreviations [GNOME/gcr#40, GNOME/gcr!45]
- Updated translations
gcr 3.35.90:
- Add support for "NEW CERTIFICATE REQUEST" header [GNOME/gcr!44]
- Add support for GOST certificates [GNOME/gcr!43]
- Rework handling of ASN.1 standard types [GNOME/gcr!42]
- Fix a few regressions in the Meson build [GNOME/gcr!46, 7ba0e00d]
- Add support for g_autoptr [GNOME/gcr!36, GNOME/gcr#16]
- Fixed some compiler warnings [GNOME/gcr!38]
- Updated translations
gcr 3.35.1:
- gcr-certificate: Add (virtual) annotation [GNOME/gcr!35, GNOME/gcr#37]
- Always use G_PARAM_STATIC_STRINGS [GNOME/gcr!31]
- Support Meson build system [GNOME/gcr!11,32,33,34]
- Avoid potential 64-bit pointer aliasing alignment issues [GNOME/gcr!27, GNOME/gcr#34]
- Update README to mention correct environment variables [GNOME/gcr!25]
- build: Use sed for .desktop variables substitution [GNOME/gcr!24]
- Updated translations
gcr 3.34.0:
- gcr-prompt-dialog: Allow the use of mnemonics in the choice label [GNOME/gcr!22]
- Use python3 shebang in ui/icons/render-icons.py [GNOME/gcr!21]
- configure: Use PKG_PROG_PKG_CONFIG instead of reinventing it [GNOME/gcr!20]
- Replace tap-gtester with one that relies on GLib 2.38+ TAP output [GNOME/gcr!19]
- Remove SKS network from keyserver defaults [GNOME/gcr!18]
- Updated translations
gcr 3.33.4:
- Move from intltool to gettext [GNOME/gcr#18]
- Fix parameter type for signal handler causing stack smashing on ppc64le [GNOME/gcr!16]
- cleanup: Don't use deprecated g_type_class_add_private() anymore [GNOME/gcr!12]
- Fix GIR annotations [GNOME/gcr!10]
- Fix hashtable ordering assumptions [GNOME/gcr!9]
- build: Fix gcr-trust symbols not appearing in GIR, and hence also VAPI [GNOME/gcr!7]
- Update gcr_pkcs11_get_trust_{store|lookup}_slot URI checks [GNOME/gcr!5]
- build: Update tap scripts for Python 3 compat [GNOME/gcr!2]
- Updated translations
Authelia is an open-source authentication and authorization server providing
2-factor authentication and single sign-on (SSO) for your applications via a web
portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy
to let them know whether queries should pass through. Unauthenticated users are
redirected to the Authelia Sign-in portal instead.
This is required for newer versions of finance/electrum.
Optimized C library for ECDSA signatures and secret/public key operations on
curve secp256k1.
This library is intended to be the highest quality publicly available library
for cryptography on the secp256k1 curve. However, the primary focus of its
development has been for usage in the Bitcoin system and usage unlike Bitcoin's
may be less well tested, verified, or suffer from a less well thought out
interface. Correct usage requires some care and consideration that the library
is fit for your application's purpose.
Features:
* secp256k1 ECDSA signing/verification and key generation.
* Additive and multiplicative tweaking of secret/public keys.
* Serialization/parsing of secret keys, public keys, signatures.
* Constant time, constant memory access signing and public key generation.
* Derandomized ECDSA (via RFC6979 or with a caller provided function.)
* Very efficient implementation.
* Suitable for embedded systems.
* Optional module for public key recovery.
* Optional module for ECDH key exchange.
Experimental features have not received enough scrutiny to satisfy the standard
of quality of this library but are made available for testing and review by the
community. The APIs of these features should not be considered stable.
Merge:
absorb issuer fingerprint (RFC4880bis 5.2.3.28) in libverify.c
from jhigh from src/
While here, fix build with RELRO and a pkglint warning.
Bump version to 20201101.
Noteworthy changes in version 1.8.7 (2020-10-23) [C22/A2/R8]
------------------------------------------------
* Bug fixes:
- Support opaque MPI with gcry_mpi_print. [#4872]
- Fix extra entropy collection via clock_gettime. Note that this
fallback code path is not used on any decent hardware. [#4966]
- Allow for a Unicode random seed file on Windows. [#5098]
This release updates Firefox to 78.4.0esr and NoScript to 11.1.3.
This release includes important security updates to Firefox.
Note: Now Javascript on the Safest security level is governed by
NoScript again. It was set as false when on Safest in 9.5a9. The
javascript.enabled preference was reset to true for everyone using
Safest beginning in Tor Browser 10.0 and you must re-set it as
false if that is your preference.
v 11.1.3
============================================================
x Fixed regression: document media and font restrictions
always cascaded (thanks BrainDedd for report)
x Remove domPolicy logging when debugging is off
x Trivial reordering from Mozilla source
x Updated TLDs
v 11.1.1
============================================================
x Updated TLDs
x Better heuristic to figure out missing data while
computing contextual policies
x Fixed regression breaking per-tab restrictions disablement
(thanks Horsefly for report)
v 11.1.0
============================================================
x Improved blocking of media documents unaffected by
webRequest
x Automatically init tag message with last changelog
x Improved NOSCRIPT element emulation compatibility with XML
documents
x webNavigation.onCommitted + tabs.executeScript to deliver
DOM policies earlier whenever possible
x Partial work-around for Fx 80 file:// documents parsing
inconsistencies (further fix for issue #156)
x Cache policy on top document for file:// subdocuments
(fixes issue #156)
x Enforce more restrictive CSP on media/object documents
x Better cross-browser media handling
x [Mobile] Use tabs as prompts if the browser.windows API is
missing
x Fix browser UI for image, audio and video content being
partially broken on file:// URLs
x Normalize file:// directory paths on Firefox
x Allow browser UI scripts for file:// directory navigation
x Updated TLDs
x [L10n] Updated mk
v 11.1.0rc2
============================================================
x Improved blocking of media documents unaffected by
webRequest
x Automatically init tag message with last changelog
v 11.1.0rc1
============================================================
x Improved NOSCRIPT element emulation compatibility with XML
documents
v 11.0.47rc6
============================================================
x webNavigation.onCommitted + tabs.executeScript to deliver
DOM policies earlier whenever possible
x Fixed typo causing CSP-based media blocking to skip
requests with no content-type header
v 11.0.47rc5
============================================================
x Partial work-around for Fx 80 file:// documents parsing
inconsistencies (further fix for issue #156)
v 11.0.47rc4
============================================================
x Cache policy on top document for file:// subdocuments
(fixes issue #156)
x Updated TLDs
x Enforce more restrictive CSP on media/object documents
v 11.0.47rc3
============================================================
x Better cross-browser media handling
x Improved file: directory path normalization
v 11.0.47rc2
============================================================
x [Mobile] Use tabs as prompts if the browser.windows API is
missing
v 11.0.47rc1
============================================================
x Fix browser UI for image, audio and video content being
partially broken on file:// URLs
x Normalize file:// directory paths on Firefox
x Allow browser UI scripts for file:// directory navigation
x Updated TLDs
x [L10n] Updated mk
Changelog:
## 2.6.2 (2020-10-21)
### Added
- Add option to keep window always on top to view menu [#5542]
- Move show/hide usernames and passwords to view menu [#5542]
- Add command line options and environment variables for changing the config locations [#5452]
- Include TOTP settings in CSV import/export and add support for ISO datetimes [#5346]
### Changed
- Mask sensitive information in command execution confirmation prompt [#5542]
- SSH Agent: Avoid shortcut conflict on macOS by changing "Add key" to Ctrl+H on all platforms [#5484]
This module implements PAM over U2F and FIDO2, providing an easy way to
integrate the YubiKey (or other U2F/FIDO2 compliant authenticators) into
your existing infrastructure.
pkgsrc: also bump bl3 for libcbor solib version change.
hid_linux: return FIDO_OK if no devices are found.
hid_osx:
repair communication with U2F tokens, gh#166; reliability fixes.
fido2-{assert,cred}: new options to explicitly toggle UP, UV.
Support for configurable report lengths.
New API calls:
fido_cbor_info_maxcredcntlst;
fido_cbor_info_maxcredidlen;
fido_cred_aaguid_len;
fido_cred_aaguid_ptr;
fido_dev_get_touch_begin;
fido_dev_get_touch_status.
Use COSE_ECDH_ES256 with CTAP_CBOR_CLIENT_PIN; gh#154.
Allow CTAP messages up to 2048 bytes; gh#171.
Ensure we only list USB devices by default.
6.3p2
This release introduces a new utility called vidoas (vi doas). This tool is a
shell script which creates a copy of the doas.conf file, allows the admin to
edit the file, and then checks its syntax for errors. If a problem is found,
vidoas reports which line the error was on and asks us to try editing the file
again. Once the new doas.conf file contains the proper syntax, it is installed
and overwrites the old doas.conf file.
This tool is designed to assist admins and avoid introducing errors to doas.conf
which might accidentally revoke admin access to the machine.
6.3p1
In this release, we work around a quirk of the GNU parameter parser which
required us to use double-dashes (--) after doas's parameters and before a
target command's parameters. In the past we used "doas -- pacman -Syu" and now
we can use simply "doas pacman -Syu".
This change affects only GNU/Linux systems, other platforms like FreeBSD,
NetBSD, etc already had this behaviour.
6.3
This release introduces a few minor changes:
- Added command line parameter (-S) which launches an interactive shell. This is
equivalent to "su -l" or "sudo -i".
- Updated documentation to include the new -S flag.
- Updated documentation to assist users in installing doas on some Linux
distributions, such as CentOS, that prevent PAM authentication from working by
default.
6.2p5
This release simply adds a new sample PAM configuration file for FreeBSD (and
compatible systems). The new sample configuration file is named
campat/pam.conf.freebsd.
Calling setusercontext(3) makes per-user temporary storage work (see
per_user_tmp in security(7) and rc.conf(5)).
May as well use our reallocarray(3) instead of the bundled compat code.
This notably fixes a security issue, CVE-2020-27197.
Version 1.1.118:
* #247 [CVE-2020-27197] Avoid SSRF on parsing XML (@orsinium)
Version 1.1.117:
* #244 SSL Verify Server not working correctly (@motok) (@nschwane)
* #245 Unicode lxml.etree.SerialisationError on lxml 4.5.0+ (@advptr)
Version 1.1.116:
* #240 PY3 Compatibility changes for HTTP Response Body (@nschwane)
Version 1.1.115:
* #239 Convert the HTTP response body to a string type (PY3 this will be bytes) (@sddj)
Version 1.1.114:
* #237 Support converting dicts to content bindings (@danielsamuels)
* #238 Provide XMLParser copies instead of reusing the cached instance. Prevents future messages to lose namespace
Version 1.1.113:
* #234 Add ability to load a configuration file when executing a script
* #232 Fix TLS handshake failure when a server requires SNI (@marcelslotema)
Version 1.1.112:
* #227 Fixes to poll_client script (Python3 compatibility)
* #226 Clean-up documentation warnings
* #228 Fix 'HTTPMessage' has no attribute 'getheader' (Python3 compatibility)
* #225 Fix checks that involve xpath (lxml) to prevent FutureWarning message
* #230 Fix parsing status message round-trip (@danielsamuels)
Thanks leot@ and pkgsrc's security team for the heads up!
Pull-up to be requested.
3.1.1
-----
2020/06/15
- Various documentation fixes.
- Fixed various compiler warnings.
- Fixed some integer overflows (16-bit platforms only).
3.1.0
-----
2020/04/03
- Added Elligator 2 mappings (hash to curve, curve to hash).
- Added OPRF support (with scalar inversion).
- Added Edwards25519 -> Curve25519 conversions
3.0.0
-----
2020/01/19
- Deprecated the incremental AEAD interface.
- Deprecated the incremental Chacha20, added a direct interface.
- Added IETF Chacha20 (96-bit nonce), as described in RFC 8439.
- Moved deprecated interfaces to a separate `src/deprecated` folder.
- Removed the `ED25519_SHA512` preprocessor flag.
- `crypto_x25519()` and `crypto_key_exchange()` now return `void`.
- Added a custom hash interface to EdDSA. Several instances of EdDSA
can share the same binary.
- Added optional support for HMAC SHA-512
- Moved all SHA-512 operations to `src/optional/monocypher-ed25519.(h|c)`
- Optional support for Ed25519 no longer requires a preprocessor flag.
Add `src/optional/monocypher-ed25519.(h|c)` to your project instead.
2.0.6
-----
2019/10/21
- Added the `BLAKE2_NO_UNROLLING` preprocessor definition. Activating it
makes the binary about 5KB smaller, and speeds up processing times on
many embedded processors.
- Reduced the stack usage of signature verification by about
40%. Signature verification now fits in smaller machines.
- Fixed many implicit casts warnings.
- Fixed the manual here and there.
- Lots of small nitpicks.
Certbot 1.9.0
Added
--preconfigured-renewal flag, for packager use only.
See the packaging guide.
Changed
certbot-auto was deprecated on all systems except for those based on Debian or RHEL.
Update the packaging instructions to promote usage of python -m pytest to test Certbot
instead of the deprecated python setup.py test setuptools approach.
Reduced CLI logging when reloading nginx, if it is not running.
Reduced CLI logging when handling some kinds of errors.
Fixed
Fixed server_name case-sensitivity in the nginx plugin.
The minimum version of the acme library required by Certbot was corrected.
In the previous release, Certbot said it required acme>=1.6.0 when it
actually required acme>=1.8.0 to properly support removing contact
information from an ACME account.
Upgraded the version of httplib2 used in our snaps and Docker images to add
support for proxy environment variables and fix the plugin for Google Cloud
DNS.
**1.7.4** (2020-10-08)
======================
Small followup to 1.7.3 release.
Bugfixes
--------
* Fixed some Python 2.6 errors from last release (:issue:`128`)
Other Changes
-------------
* :mod:`passlib.ext.django` -- updated tests to pass for Django 1.8 - 3.1 (:issue:`98`);
along with some internal refactoring of the test classes.
* .. py:currentmodule:: passlib.context
:class:`CryptContext` will now throw :exc:`~passlib.exc.UnknownHashError` when it can't identify
a hash provided to methods such as :meth:`!CryptContext.verify`.
Previously it would throw a generic :exc:`ValueError`.
Deprecations
------------
* :mod:`passlib.ext.django`: This extension will require Django 2.2 or newer as of Passlib 1.8.
**1.7.3** (2020-10-06)
======================
This release rolls up assorted bug & compatibility fixes since 1.7.2.
Administrative Changes
----------------------
.. rst-class:: without-title
.. note::
**Passlib has moved to Heptapod!**
Due to BitBucket deprecating Mercurial support, Passlib's public repository and issue tracker
has been relocated. It's now located at `<https://foss.heptapod.net/python-libs/passlib>`_,
and is powered by `Heptapod <https://heptapod.net/>`_.
Hosting for this and other open-source projects graciously provided by the people at
`Octobus <https://octobus.net/>`_ and `CleverCloud <https://clever-cloud.com/>`_!
The mailing list and documentation urls remain the same.
New Features
------------
* .. py:currentmodule:: passlib.hash
:class:`ldap_salted_sha512`: LDAP "salted hash" support added for SHA-256 and SHA-512 (:issue:`124`).
Bugfixes
--------
* .. py:currentmodule:: passlib.hash
:class:`bcrypt`: Under python 3, OS native backend wasn't being detected on BSD platforms.
This was due to a few internal issues in feature-detection code, which have been fixed.
* :func:`passlib.utils.safe_crypt`: Support :func:`crypt.crypt` unexpectedly
returning bytes under Python 3 (:issue:`113`).
* :func:`passlib.utils.safe_crypt`: Support :func:`crypt.crypt` throwing :exc:`OSError`,
which can happen as of Python 3.9 (:issue:`115`).
* :mod:`passlib.ext.django`: fixed lru_cache import (django 3 compatibility)
* :mod:`!passlib.tests`: fixed bug where :meth:`HandlerCase.test_82_crypt_support` wasn't
being run on systems lacking support for the hasher being tested.
This test now runs regardless of system support.
Other Changes
-------------
* .. py:currentmodule:: passlib.hash
:class:`bcrypt_sha256`: Internal algorithm has been changed to use HMAC-SHA256 instead of
plain SHA256. This should strengthen the hash against brute-force attempts which bypass
the intermediary hash by using known-sha256-digest lookup tables (:issue:`114`).
* .. py:currentmodule:: passlib.hash
:class:`bcrypt`: OS native backend ("os_crypt") now raises the new :exc:`~passlib.exc.PasswordValueError`
if password is provided as non-UTF8 bytes under python 3
(These can't be passed through, due to limitation in stdlib's :func:`!crypt.crypt`).
Prior to this release, it confusingly raised :exc:`~passlib.exc.MissingBackendError` instead.
Also improved legacy bcrypt format workarounds, to support a few more UTF8 edge cases than before.
* Modified some internals to help run on FIPS systems (:issue:`116`):
In particular, when MD5 hash is not available, :class:`~passlib.hash.hex_md5`
will now return a dummy hasher which throws an error if used; rather than throwing
an uncaught :exc:`!ValueError` when an application attempts to import it. (Similar behavior
added for the other unsalted digest hashes).
.. py:currentmodule:: passlib.crypto.digest
Also, :func:`lookup_hash`'s ``required=False`` kwd was modified to report unsupported hashes
via the :attr:`HashInfo.supported` attribute; rather than letting ValueErrors through uncaught.
This should allow CryptContext instances to be created on FIPS systems without having
a load-time error (though they will still receive an error if an attempt is made to actually
*use* a FIPS-disabled hash).
* Internal errors calling stdlib's :func:`crypt.crypt`, or third party libraries,
will now raise the new :exc:`~passlib.exc.InternalBackendError` (a RuntimeError);
where previously it would raise an :exc:`AssertionError`.
* Various Python 3.9 compatibility fixes (including ``NotImplemented``-related warning, :issue:`125`)
Version 0.15
This is the last release before v1.0. In this release, we added more RFC
implementations and did some refactors for JOSE:
RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
RFC7638: JSON Web Key (JWK) Thumbprint
We also fixed bugs for integrations:
Fixed support for HTTPX>=0.14.3
Added OAuth clients of HTTPX back
Fixed parallel token refreshes for HTTPX async OAuth 2 client
Raise OAuthError when callback contains errors
Breaking Change:
The parameter algorithms in JsonWebSignature and JsonWebEncryption
are changed. Usually you don't have to care about it since you won't use it directly.
Whole JSON Web Key is refactored, please check JSON Web Key (JWK)
Changes:
Unfortunately no changelog is provided by upstream; according to commit messages,
mostly bug fixes and a new tamper script that works with time-based queries.