Commit graph

10553 commits

Author SHA1 Message Date
sevan
b705b40ee9 Update to openssl 1.1.1f
Changes between 1.1.1e and 1.1.1f

* Revert the unexpected EOF reporting via SSL_ERROR_SSL
2020-03-31 15:02:31 +00:00
gdt
3be7310e91 mozilla-rootcerts: Cope with missing certs dir
While the certs dir should exist, pkg_delete of
mozilla-rootcerts-openssl currently removes it, despite it not having
been created by the corresponding pkg_add.  Instead of failing if the
directory does not exist, simply emit a warning and create it.
2020-03-30 16:38:03 +00:00
taca
d91056ad47 security/ruby-rex-powershell: missing from previous commit
Commit one more missing file in previous commit.
2020-03-29 14:48:20 +00:00
mef
f6977a2a62 regen ( 0.1.79 -> 0.1.87) 2020-03-29 06:49:25 +00:00
mef
c7394e4218 regen ( 1.2.0 to 1.3.0) 2020-03-29 06:21:16 +00:00
manu
d289e367db Update pam-p11 to 0.3.1
Changes since pam-p11-0.1.5 from the NEWS file:

New in 0.3.1; 2019-09-11; Frank Morgner
* CVE-2019-16058: Fixed buffer overflow when creating signatures longer than 256
 bytes

New in 0.3.0; 2019-04-24; Frank Morgner
* Add Italian translation
* Add support for matching the PIN-input with a regular expression
* Add support for macOS
* Add support for building with OpenSSL 1.1.1
* Add support for nistp256/384/521 keys in authorized_keys file

New in 0.2.0; 2018-05-16; Frank Morgner
* Add user documentation in Readme.md
* Add support for PIN pad readers
* Add support for changing/unblocking PIN (use with passwd)
* Add support for localized user feedback
* Add support for cards without certificates (e.g. OpenPGP card)
* Add support for PKCS#11 modules with multiple slots
* Add support for building with OpenSSL 1.1
* Merged opensc and openssh module into pam_p11.so
* Fixed memory leaks, coverity issues, compiler warnings
* Created `test-passwd` and `test-login` for testing standard use cases

New in 0.1.6; 2017-03-06; Alon Bar-Lev
* Build system rewritten (NOTICE: configure options were modified).
2020-03-29 02:18:55 +00:00
manu
9ff92677df Update libp11 to 0.4.4 so that we can build with NetBSD-9.0 newer OpenSSL
Changes since libp11-0.2.8 from the NEWS file:

New in 0.4.4; 2017-01-26; Michal Trojnara
* Fixed a state reset caused by re-login on LOAD_CERT_CTRL engine ctrl;
  fixes #141 (Michal Trojnara)
* "?" and "&" allowed as URI separators; fixes #142 (Michal Trojnara)
* engine: Unified private/public key and certificate enumeration
  to be performed without login if possible (Michal Trojnara)

New in 0.4.3; 2016-12-04; Michal Trojnara
* Use UI to get CKU_CONTEXT_SPECIFIC PINs (Michal Trojnara)
* Added graceful handling of alien (non-PKCS#11) keys (Michal Trojnara)
* Added symbol versioning (Nikos Mavrogiannopoulos)
* Soname tied with the OpenSSL soname (Nikos Mavrogiannopoulos)
* Added MSYS2, Cygwin, and MinGW/MSYS support (Pawel Witas)
* Workaround implemented for a deadlock in PKCS#11 modules that
  internally use OpenSSL engines (Michal Trojnara, Pawel Witas)
* Fixed an EVP_PKEY reference count leak (David Woodhouse)
* Fixed OpenSSL 1.1.x crash in public RSA methods (Doug Engert,
  Michal Trojnara)
* Fixed OpenSSL 1.1.x builds (Nikos Mavrogiannopoulos, Michal Trojnara)
* Fixed retrieving PIN values from certificate URIs (Andrei Korikov)
* Fixed symlink installation (Alon Bar-Lev)

New in 0.4.2; 2016-09-25; Michal Trojnara
* Fixed a 0.4.0 regression bug causing the engine finish function to
  remove any configured engine parameters; fixes #104 (Michal Trojnara)

New in 0.4.1; 2016-09-17; Michal Trojnara
* Use enginesdir provided by libcrypto.pc if available (David Woodhouse)
* Certificate cache destroyed on login/logout (David Woodhouse)
* Fixed accessing certificates marked as CKA_PRIVATE (David Woodhouse)
* Directly included libp11 code into the engine (Matt Hauck)
* Fixed handling simultaneous make jobs (Derek Straka)
* Reverted an old hack that broke engine initialization (Michal Trojnara)
* Fixed loading of multiple keys due to unneeded re-logging (Matt Hauck)
* Makefile fixes and improvements (Nikos Mavrogiannopoulos)
* Fixed several certificate selection bugs (Michal Trojnara)
* The signed message digest is truncated if it is too long for the
  signing curve (David von Oheimb)
* Workaround for broken PKCS#11 modules not returning CKA_EC_POINT
  in the ASN1_OCTET_STRING format (Michal Trojnara)
* OpenSSL 1.1.0 build fixes (Michal Trojnara)

New in 0.4.0; 2016-03-28; Michal Trojnara
* Merged engine_pkcs11 (Michal Trojnara)
* Added ECDSA support for OpenSSL < 1.0.2 (Michal Trojnara)
* Added ECDH key derivation support (Doug Engert and Michal Trojnara)
* Added support for RSA_NO_PADDING RSA private key decryption, used
  by OpenSSL for various features including OAEP (Michal Trojnara)
* Added support for the ANSI X9.31 (RSA_X931_PADDING) RSA padding
  (Michal Trojnara)
* Added support for RSA encryption (not only signing) (Michal Trojnara)
* Added CKA_ALWAYS_AUTHENTICATE support (Michal Trojnara)
* Fixed double locking the global engine lock (Michal Trojnara)
* Fixed incorrect errors reported on signing/encryption/decryption
  (Michal Trojnara)
* Fixed deadlocks in keys and certificates listing (Brian Hinz)
* Use PKCS11_MODULE_PATH environment variable (Doug Engert)
* Added support for building against OpenSSL 1.1.0-dev (Doug Engert)
* Returned EVP_PKEY objects are no longer "const" (Michal Trojnara)
* Fixed building against OpenSSL 0.9.8 (Michal Trojnara)
* Removed support for OpenSSL 0.9.7 (Michal Trojnara)

New in 0.3.1; 2016-01-22; Michal Trojnara
* Added PKCS11_is_logged_in to the API (Mikhail Denisenko)
* Added PKCS11_enumerate_public_keys to the API (Michal Trojnara)
* Fixed EVP_PKEY handling of public keys (Michal Trojnara)
* Added thread safety based on OpenSSL dynamic locks (Michal Trojnara)
* A private index is allocated for ex_data access (RSA and ECDSA classes)
  instead of using the reserved index zero (app_data) (Michal Trojnara)
* Fixes in reinitialization after fork; addresses #39
  (Michal Trojnara)
* Improved searching for dlopen() (Christoph Moench-Tegeder)
* MSVC build fixes (Michal Trojnara)
* Fixed memory leaks in pkcs11_get_evp_key_rsa() (Michal Trojnara)

New in 0.3.0; 2015-10-09; Nikos Mavrogiannopoulos
* Added small test suite based on softhsm (run on make check)
* Memory leak fixes (Christian Heimes)
* On module initialization tell the module that the OS locking
  primitives are OK to use (Mike Gerow)
* Transparently handle applications that fork. That is call C_Initialize()
  and reopen any handles if a fork is detected.
* Eliminated any hard coded limits for certificate size (Doug Engert)
* Added support for ECDSA (Doug Engert)
* Allow RSA_NO_PADDING padding mode in PKCS11_private_encrypt
  (Stephane Adenot)
* Eliminated several hard-coded limits in parameter sizes.
2020-03-29 02:13:32 +00:00
joerg
459f381861 Fix conflict with <version>. Resolve argument type of std::abs. 2020-03-29 01:06:11 +00:00
rillig
a582ec814e security/cvm: this package does not have error.h 2020-03-28 19:43:31 +00:00
joerg
eda029f277 Fix build with OpenSSL 1.1 2020-03-27 20:57:11 +00:00
joerg
ade56d3911 Ignore configure.in as we patch configure. 2020-03-27 20:56:53 +00:00
joerg
615dcc4433 Fix linking on !Linux Unix systems. 2020-03-27 20:56:25 +00:00
nia
c24b43bed7 mozilla-rootcerts: Simplify DESCR.
Use the phrase "configuring a trust anchor" less, it won't stop echoing
around my head.
2020-03-27 19:23:42 +00:00
nia
fa2ff8d9e4 mozilla-rootcerts: Mention 'mozilla-rootcerts install' in the DESCR
This seems to be a far more common operation than 'extract', I'm slightly
confused why it only mentions installing to the current working directory.
2020-03-27 18:49:38 +00:00
gdt
8ec585fdb7 mozilla-rootcerts-openssl: Minor DESCR fixups
Mention the manual script approach, almost parenthetically, in the See
also part about mozilla-rootcerts.
2020-03-27 17:00:01 +00:00
gdt
e55fc258ac mozilla-rootcerts: In DESCR, explain mozilla-rootcerts
It is now known that there are people that prefer manual operation via
the mozilla-rootcerts script to the mozilla-rootcerts-openssl package.
Therefore, mention both approaches (without veering into documentation
of them or tutorial -- just enough to make people aware they exist).
2020-03-27 16:36:51 +00:00
gdt
1e5a5bf2d7 mozilla-rootcerts-openssl: Revise and extend DESCR
Explain the purpose, and then explain the mechanism and why it is
somewhat and very irregular in the pkgsrc and native cases.

Point to mozilla-rootcerts as providing certificates without
configuring them as trust anchors.
2020-03-27 13:42:53 +00:00
gdt
d73cbedf74 mozilla-rootcerts: Extend DESCR
Make it clear that this package does not configure certificates as
trust anchors.

Point to mozilla-rootcerts-openssl for actual installation.
2020-03-27 13:33:08 +00:00
joerg
ed9b2ecb37 Rename log to not conflict with math.h. 2020-03-26 21:50:44 +00:00
joerg
df5d7c49fc Don't try using jemalloc on NetBSD, it doesn't work. 2020-03-26 21:50:24 +00:00
nia
0328cab9cc polkit: Needs a C++11 compiler 2020-03-26 16:07:57 +00:00
nia
851707a7c1 racoon2: Strip -Werror 2020-03-26 14:05:24 +00:00
nia
978dc9fdd7 libtasn1: Needs USE_LANGUAGES=c99 2020-03-26 12:00:45 +00:00
adam
20eb38fd15 py-certbot: add missing PLIST update 2020-03-25 06:44:07 +00:00
nia
75ed94a278 libykneomgr: Update to 0.1.8
* Version 0.1.8 (released 2015-10-01)

** Add documentation for mode arguments.

** Don't treat applet selection error as a critical error.

* Version 0.1.7 (released 2015-04-09)

** Check programming sequence when changing mode.
2020-03-24 17:38:14 +00:00
nia
3523565cb7 libtasn1: Update to 4.16.0
* Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
- asn1_decode_simple_ber: added support for constructed definite
  octet strings. This allows this function to decode the whole set of
  BER encodings for OCTET STRINGs.
- asn1_get_object_id_der: enhance the range of decoded OIDs (#25).
  This also makes OID encoding and decoding more strict on invalid
  input. This may break gnutls' test suite before 3.6.12 as it was
  relying on decoding some invalid OIDs.
- asn1_object_id_der: New function


* Noteworthy changes in release 4.15.0 (released 2019-11-21) [stable]
- The generated tree no longer contains ASN.1 built-in types even
  if they are explicitly defined in the description. Previously
  a warning was printed when these types were seen, now they are
  ignored.
- Several fixes in ASN.1 definition parser, preventing several
  crashes and leaks in the tools due to improper ASN.1.
- Switched to semantic versioning.
2020-03-24 17:30:34 +00:00
taca
b5cb2e8771 security/ruby-sshkit: update to 1.21.0
Update ruby-sshkit: update to 1.21.0.
pkgsrc change: add "USE_LANGUAGES=	# none".


1.20.0 (2019-08-03)

* #468: Make upload! take a :verbosity option like exec does - @grosser


1.19.1 (2019-07-02)

* #465: Fix a regression in 1.19.0 that prevented ~ from being used in
  Capistrano paths, e.g. :deploy_to, etc. - @grosser


1.19.0 (2019-07-01)

* #455: Ensure UUID of commands are stable in logging - @lazyatom
* #453: as and within now properly escape their user/group/path arguments,
  and the command nested within an as block is now properly escaped before
  passing to sh -c. In the unlikely case that you were manually escaping
  commands passed to SSHKit as a workaround, you will no longer need to do
  this. See #458 for examples of what has been fixed. - @grosser
* #460: Handle IPv6 addresses without port - @will-in-wi


1.18.2 (2019-02-03)

* #448: Fix misbehaving connection eviction loop when disabling connection
  pooling - Sebastian Cohnen


1.18.1 (2019-01-26)

* #447: Fix broken thread safety by widening critical section - Takumasa Ochi
2020-03-24 16:20:05 +00:00
taca
e2b35e4cf1 security/ruby-rex-powershell: update to 0.1.87
Update ruby-rex-powershell to 0.1.87.


No release notes available.
2020-03-24 16:17:33 +00:00
taca
9fcfc4eefd security/ruby-rex-struct2: update to 0.1.2
Update ruby-rex-struct2 to 0.1.2.
pkgsrc change: add "USE_LANGUAGES=	# none".


No release notes available.
2020-03-24 16:15:21 +00:00
taca
f0b44d10bb security/ruby-rex-socket: update to 0.1.23
Update ruby-rex-socket to 0.1.23.
pkgsrc change: add "USE_LANGUAGES=	# none".


No release notes available.
2020-03-24 16:14:00 +00:00
taca
cdeece6fe0 security/ruby-rex-exploitation: update to 0.1.22
Update ruby-rex-exploitation to 0.1.22.


No release notes available.
2020-03-24 16:12:28 +00:00
taca
d7507f115f security/ruby-rex-bin_tools: update to 0.1.6
Update ruby-rex-bin_tools to 0.1.6.


No release notes available.
2020-03-24 16:10:30 +00:00
taca
17b1350c92 security/ruby-rbnacl: update to 7.1.1
Update ruby-rbnacl to 7.1.1.


## [7.1.1] (2020-01-27)

- Test on Ruby 2.7 ([#208])
- Add project metadata to the gemspec ([#207])
- Resolve FFI deprecation warning ([#206])

## [7.1.0] (2019-09-07)

- Attached signature API ([#197], [#202])
- Fix the `generichash` state definition ([#200])

## [7.0.0] (2019-05-23)

- Drop support for Ruby 2.2 ([#194])

## [6.0.1] (2019-01-27)

- Add fallback `sodium_constants` for Argon2 ([#189])
- Support libsodium versions used by Heroku ([#186])
- Sealed boxes ([#184])
2020-03-24 16:08:08 +00:00
taca
f486efb6aa security/ruby-openssl-ccm: update to 1.2.2
Update ruby-openssl-ccm to 1.2.2.
pkgsrc change: add "USE_LANGUAGES=	# none".


Version 1.2.2 (2019-01-08)

* Update cipher validation to be case-insensitive
2020-03-24 16:06:21 +00:00
taca
75136733bd security/ruby-metasploit_payloads-mettle: update to 0.5.20
Update ruby-metasploit_payloads-mettle to 0.5.20.


No release notes available.
2020-03-24 16:04:18 +00:00
taca
2b9b3542a6 security/ruby-metasploit-payloads: update to 1.3.86.
Update ruby-metasploit-payloads to 1.3.86.


No release notes available.
2020-03-24 15:59:15 +00:00
taca
a5bf0ec5de security/ruby-metasploit-concern: update to 3.0.0
Update ruby-metasploit-concern to 3.0.0.


No release notes available but it updates to rails 5.2.
2020-03-24 15:55:25 +00:00
taca
431b5f3bb5 security/ruby-bcrypt_pbkdf: update to 1.0.1
Update ruby-bcrypt_pbkdf to 1.0.1.


No release notes available but a few fixes and portability improvements.
2020-03-24 15:52:13 +00:00
taca
7bbd265391 security/ruby-bcrypt: update to 3.1.13
Update ruby-bcrypt to 3.1.13.
pkgsrc change: correct HOMEPAGE.


3.1.13 May 31 2019

  - No longer include compiled binaries for Windows. See GH #173.
  - Update C and Java implementations to latest versions [GH #182 by @fonica]
  - Bump default cost to 12 [GH #181 by @bdewater]
  - Remove explicit support for Rubies 1.8 and 1.9
  - Define SKIP_GNU token when building extension (Fixes FreeBSD >= 12)
    [GH #189 by @adam12]
2020-03-24 15:48:52 +00:00
taca
8a611e0652 security/ruby-airbrussh: update to 1.4.0
Update ruby-airbrussh to 1.4.0.


1.4.0 (2019-10-13)

New Features

* Allow ConsoleFormatter context to be configurable (#131) @pblesi


1.3.4 (2019-09-15)

Housekeeping

* Add issues, source code URLs to gemspec metadata (#129) @mattbrictson
* Add changelog_uri to metadata to easily link from rubygems.org (#128)
  @nickhammond


1.3.3 (2019-08-18)

Bug Fixes

* Fix LoadError when airbrussh is used without rake installed (#127)
  @mattbrictson

Housekeeping

* Migrate to new GitHub Actions config format (#125) @mattbrictson
* Remove chandler from rake release process (#124) @mattbrictson
* Set up release-drafter (#123) @mattbrictson
* Eliminate double CI builds on PRs (#122) @mattbrictson


1.3.2 (2019-06-15)

* #121: Gracefully handle SSH output that has invalid UTF-8 encoding instead
   of raising an exception - @mattbrictson
2020-03-24 15:46:22 +00:00
rmind
a1731e13ef Update to rvault v0.2 2020-03-23 18:54:58 +00:00
adam
b52aace3ac distinfo got lost in action... restored 2020-03-23 18:46:37 +00:00
adam
431161d5df py-acme py-certbot: updated to 1.3.0
Certbot 1.3.0

Added
* Added certbot.ocsp to Certbot's API. The certbot.ocsp module can be used to
  determine the OCSP status of certificates.
* Don't verify the existing certificate in HTTP01Response.simple_verify, for
  compatibility with the real-world ACME challenge checks.

Changed
* Certbot will now renew certificates early if they have been revoked according
  to OCSP.
* Fix acme module warnings when response Content-Type includes params (e.g. charset).
* Fixed issue where webroot plugin would incorrectly raise Read-only file system
  error when creating challenge directories
2020-03-23 18:43:45 +00:00
nia
ab6c39216b erlang-jose: Update to 1.10.1
# Changelog

## 1.10.1 (2020-01-08)

* Fixes
  * Add PEM/DER compatibility layer for PKCS-8 incompatibilities with various versions of OTP, `crypto`, and `public_key`; see [#82](https://github.com/potatosalad/erlang-jose/issues/82)

## 1.10.0 (2020-01-03)

* Enhancements
  * Remove [base64url](https://github.com/dvv/base64url) dependency and include embedded version.
  * Add support for `C20P` and `XC20P` encryption based on [draft-amringer-jose-chacha](https://tools.ietf.org/html/draft-amringer-jose-chacha-01) (ChaCha20/Poly1305 and XChaCha20/Poly1305).
  * Add support for ECDH-ES keywrapping for AES-GCM, ChaCha20/Poly1305, and XChaCha20/Poly1305.
  * Add support for PBES2 keywrapping for AES-GCM, ChaCha20/Poly1305, and XChaCha20/Poly1305.
  * Add support for `ECDH-1PU` encryption based on [draft-madden-jose-ecdh-1pu](https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-02).
  * Add support for reading/writing DER format (or PKCS8 format).

* Fixes
  * Fix PSS salt length (thanks to [@ntrepid8](https://github.com/ntrepid8), see [#65](https://github.com/potatosalad/erlang-jose/pull/65))
  * Speed up and stabilize tests on CI environment.

## 1.9.0 (2018-12-31)

* Enhancements
  * Add support for [Jason](https://github.com/michalmuskala/jason) JSON encoding and decoding.
  * Add support for Poison 4.x and lexical ordering.
  * Use `public_key` over `cutkey` for RSA key generation if available.
  * Drop support for older versions of OTP (19+ now required).
  * Relicense library under MIT license.

* Fixes
  * Add macro so the application compiles without warnings after `erlang:get_stacktrace/0` has been deprecated.
  * Extra sanity check for RSA padding modes when falling back.
2020-03-23 18:32:00 +00:00
nia
391d301f40 erlang-epam: Update to 1.0.7
# Version 1.0.7

* Update copyright year

# Version 1.0.5

* Add contribution guide
* Fix detection of location of executable
2020-03-23 18:17:27 +00:00
taca
f92f26d5cb security/pear-Crypt_GPG: update to 1.6.4
Update pear-Crypt_GPG to 1.6.4.


1.6.4	(2020-03-22 08:00 UTC)

Changelog:

* Use classmap for autoloading in composer as this package does not follow
  PSR-0.
* Support default gpg binary location on NixOS.
* Fix IgnoreVerifyErrors issues with GnuPG 1.4 and PHP5.
* Add possibility to add custom arguments to gpg commands.
* Add option to choose compression algorithm.
* Compatibility with phpunit >= 6.0.
2020-03-23 15:02:48 +00:00
nia
796a683089 libprelude: don't check configure.in for portability
we already patch 'configure'
2020-03-23 10:07:49 +00:00
rillig
98588f2b7b security/py-certbot: remove nonexistent files from SUBST block 2020-03-22 22:32:29 +00:00
nia
909cf7525f p5-IO-Socket-SSL: Update to 2.067
2.067 2020/02/14
- fix memory leak on incomplete handshake
  https://github.com/noxxi/p5-io-socket-ssl/issues/92
  Thanks to olegwtf
- add support for SSL_MODE_RELEASE_BUFFERS via SSL_mode_release_buffers
  This can decrease memory usage at the cost of more allocations
  https://rt.cpan.org/Ticket/Display.html?id=129463
- more detailed error messages when loading of certificate file failed
  https://github.com/noxxi/p5-io-socket-ssl/issues/89
- fix for ip_in_cn == 6 in verify_hostname scheme
  https://rt.cpan.org/Ticket/Display.html?id=131384
- deal with new MODE_AUTO_RETRY default in OpenSSL 1.1.1
- fix warning when no ecdh support is available
- documentation update regarding use of select and TLS 1.3
- various fixes in documentation
  https://github.com/noxxi/p5-io-socket-ssl/issues/91
  https://github.com/noxxi/p5-io-socket-ssl/issues/90
  https://github.com/noxxi/p5-io-socket-ssl/issues/87
  https://github.com/noxxi/p5-io-socket-ssl/issues/81
- stability fix t/core.t

2.066 2019/03/06
- fix test t/verify_partial_chain.t by using the newly exposed function
  can_partial_chain instead of guessing (wrongly) if the functionality is
  available

2.065 2019/03/05
- make sure that Net::SSLeay::CTX_get0_param is defined before using
  X509_V_FLAG_PARTIAL_CHAIN. Net::SSLeay 1.85 defined only the second with
  LibreSSL 2.7.4 but not the first
  https://rt.cpan.org/Ticket/Display.html?id=128716
- prefer AES for server side cipher default since it is usually
  hardware-accelerated

2.064 2019/03/04
- make algorithm for fingerprint optional, i.e. detect based on length of
  fingerprint - https://rt.cpan.org/Ticket/Display.html?id=127773
- fix t/sessions.t and improve stability of t/verify_hostname.t on windows
- use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are set
- update fingerprints for live tests

2.063 2019/03/01
- support for both RSA and ECDSA certificate on same domain
- update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
  then linked against another API-incompatible version (ie. more than just the
  patchlevel differs).

2.062 2019/02/24
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
  OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in
  the trust store be usable as full trust anchors too.

2.061 2019/02/23
- Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+.
  Note that the previous (and undocumented) API for the session cache has been
  changed.
- Support for multiple curves, automatic setting of curves and setting of
  supported curves in client. Needs Net::SSLeay 1.86+.
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
  client certificates are provided. Thanks to jorton[AT]redhat[DOT]com.
  Needs Net::SSLeay 1.86+.
2020-03-22 21:19:34 +00:00
nia
35b5c220e3 p5-Net-SSLeay: Update to 1.88
1.88 2019-05-10
	- New stable release incorporating all changes from developer
	  releases 1.86_01 to 1.86_11.
	- From this release, Net-SSLeay is switching to an "odd/even"
	  developer/stable release version numbering system, like that of
	  many core modules (e.g. ExtUtils::MakeMaker): developer releases
	  will have an odd minor version number (and the usual "_xx" suffix),
	  and stable releases will have an even minor version number. This
	  means there is no Net-SSLeay 1.87.
	- Summary of major changes since version 1.85:
	  - Mike McCauley has stepped down as maintainer. The new maintainers
	    are Chris Novakovic, Heikki Vatiainen and Tuure Vartiainen.
	  - The source code has moved from the now-defunct Debian Subversion
	    server (alioth.debian.org) to GitHub
	    (https://github.com/radiator-software/p5-net-ssleay).
	  - Net-SSLeay is provided under the terms of the Artistic License
	    2.0 - this has been the case since version 1.66, but references
	    to other licenses remained in the source code, causing ambiguity.
	  - Perl 5.8.1 or newer is now required to use Net-SSLeay. This has
	    already been the case for some time in practice, as the test
	    suite hasn't fully passed on Perl 5.6 for several years.
	  - Much-improved compatibility with OpenSSL 1.1.1, and improved
	    support for TLS 1.3.
	  - Fixed a long-standing bug in cb_data_advanced_put() that caused
	    memory leaks when callbacks were frequently added and removed.
	  - Support in the test suite for "hardened" OpenSSL configurations
	    that set a default security level of 2 or higher (e.g., in the
	    OpenSSL packages that ship with recent versions of Debian, Fedora
	    and Ubuntu).
2020-03-22 21:15:30 +00:00
nia
7370f02709 p5-Crypt-Random: Update to 1.52
1.52                                                     December 22, 2018

  * Add a chi square statistical test.  t/chisquare.t

  * Uniform can be passed to the constructor of Crypt::Random::Generator.
    This should be the default, and will likely be in the next release.

  * Fixed minor bugs & typos.


1.51                                                     December 22, 2018

  * Test no longer looks for non-eq of two generated numbers as these can be
    correctly the same if test is run enough number of times.
    https://rt.cpan.org/Ticket/Display.html?id=99880

  * Removed outdated dependency info.
    https://rt.cpan.org/Ticket/Display.html?id=94441

  * Removed /dev/random read from the test, as it can hang when there is
    insufficient entropy.
    https://rt.cpan.org/Ticket/Display.html?id=30423

  * Removed potentially unsafe include in bin/makerandom.
    https://rt.cpan.org/Ticket/Display.html?id=128062
2020-03-22 20:54:36 +00:00
nia
b0eeb94486 p5-Crypt-Rijndael: Update to 1.14
1.14 - 2019-06-14
    * Fix UINT32 and UINT8 for musl libc
2020-03-22 20:50:01 +00:00
rillig
c0d2817632 security/p5-Net-DNS-SEC: remove no-op SUBST block
There is no chance that line 1 contains an include argument, after being
sent through REPLACE_PERL. And even then, including a relative path would
not make sense.
2020-03-22 20:48:34 +00:00
rillig
3afd42faa8 security/mhash: fix file patterns for SUBST
The files in src/ don't reference MD4 at all.
2020-03-22 18:38:27 +00:00
wiz
daf276c903 openssl: update to 1.1.1e.
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

      o Fixed an overflow bug in the x86_64 Montgomery squaring procedure
        used in exponentiation with 512-bit moduli (CVE-2019-1551)
2020-03-22 18:23:34 +00:00
tnn
5a3e67a0f0 crypto++: homogenize shared library rules. Don't bomb if ldconfig not found. 2020-03-22 17:52:51 +00:00
tnn
34a262fa92 p5-Crypt-Curve25519: work around namespace conflict 2020-03-22 13:15:13 +00:00
rillig
c4fcced991 security/gnutls: remove unnecessary comment from Makefile 2020-03-22 12:21:59 +00:00
rillig
26518604c6 security/gnutls: remove nonexistent files from REPLACE_BASH 2020-03-22 12:21:12 +00:00
nia
6c2313625a mbedtls1: Remove, unmaintained and unused in pkgsrc 2020-03-22 07:54:22 +00:00
nia
93c36e3f1a mbedtls: doesn't need gmake 2020-03-22 07:47:00 +00:00
tnn
7a351af97d ruby-*: comment out references to deleted rails packages, mark as BROKEN
Someone with ruby clue needs to look at these.
2020-03-21 20:26:17 +00:00
bsiegert
f5efefe062 Revbump all Go packages after go113 update. 2020-03-21 16:57:00 +00:00
adam
2c3f8ea375 gnupg2: updated to 2.2.20
Noteworthy changes in version 2.2.20:
* Protect the error counter against overflow to guarantee that the
  tools can't be tricked into returning success after an error.
* gpg: Make really sure that --verify-files always returns an error.
* gpg: Fix key listing --with-secret if a pattern is given.
* gpg: Fix detection of certain keys used as default-key.
* gpg: Fix default-key selection when a card is available.
* gpg: Fix key expiration and key usage for keys created with a
  creation date of zero.
* gpgsm: Fix import of some CR,LF terminated certificates.
* gpg: New options --include-key-block and --auto-key-import to
  allow encrypted replies after an initial signed message.
* gpg: Allow the use of a fingerprint with --trusted-key.
* gpg: New property "fpr" for use by --export-filter.
* scdaemon: Disable the pinpad if a KDF DO is used.
* dirmngr: Improve finding OCSP certificates.
* Avoid build problems with LTO or gcc-10.
2020-03-21 07:24:30 +00:00
markd
28f8a4b3cc heimdal: fix runpath setting in krb5-config 2020-03-21 00:15:11 +00:00
nia
4b51d9715f *: Convert broken sourceforge HOMEPAGEs back to http 2020-03-20 11:57:53 +00:00
joerg
594b23842b Uses ${TAR} 2020-03-18 18:00:48 +00:00
gdt
aa0bf4bc98 security/heimdal: Prefix kerberos commands by default
It has long been an issue that heimdal installs "su" which shadows
system su and behaves differently.  Now, with openssl 1.1, many people
are getting heimdal installed that did not expect it or ask for it.

(Really, heimdal should be split into libraries and apps, so that
programs can have kerberos support without adding commands to the
user's namespace, but this is vastly easier.)

(In response to on-list complaints, and believing this will not be
controversial.)
2020-03-18 13:18:57 +00:00
tnn
4a49290f3a openpam: needs pkg-config 2020-03-18 12:20:45 +00:00
ryoon
52e64020c4 acmesh: Update MASTER_SITES and HOMEPAGE 2020-03-17 14:32:03 +00:00
wiz
ca4b0fe8d1 py-google-auth: update to 1.11.3.
Bug Fixes

    fix the scopes so test can pass for a local run (#450) (b2dd77f)
    only add IAM scope to credentials that can change scopes (#451) (82e224b)
2020-03-15 19:56:29 +00:00
wiz
0690560163 libsecret: update to 0.20.2.
0.20.2
 * secret-file-collection: force little-endian in GVariant [!49, #42]
 * Prefer g_info() over g_message() [!48, #40]
 * meson: Don't specify shared_library() [!47]
 * docs: Make sure to set install: true [!46]
2020-03-15 19:53:47 +00:00
tpaul
085cf7b399 security/Makefile: add php-gnupg 2020-03-14 04:42:12 +00:00
tpaul
9227f22b3d security/php-gnupg: Import version 1.4.0
PHP module for interacting with gnupg.
https://www.php.net/manual/en/book.gnupg
2020-03-14 04:40:47 +00:00
wiz
e61340a309 tor-browser: update to 9.0.6
This version is now based on firefox68-esr and builds with the current
rust in pkgsrc.
2020-03-13 17:59:27 +00:00
wiz
9a8a7e8d91 libssh2: add upstream bug report 2020-03-12 17:46:22 +00:00
wiz
f78c83d35b libssh2: fix unportable test(1) operator in Makefile.in
Skip check for Makefile.am.
2020-03-12 17:28:10 +00:00
adam
5647e02927 py-asyncssh: updated to 2.2.0
Release 2.2.0

* Added support for U2F/FIDO2 security keys, with the following capabilities:
  * ECDSA (NISTP256) and Ed25519 key algorithms
  * Key generation, including control over the application and user the key is associated with and whether touch is required when using the key
  * Certificate generation, both as a key being signed and a CA key
  * Resident keys, allowing security keys to be used on multiple machines without any information being stored outside of the key
  * Access to and management of keys loaded in an OpenSSH ssh-agent
  * Support for both user and host keys and certificates
  * Support for “no-touch-required” option in authorized_keys files
  * Support for “no-touch-required” option in OpenSSH certificates
  * Compatibility with security key support added in OpenSSH version 8.2
* Added login timeout client option and limits on the length and number of banner lines AsyncSSH will accept prior to the SSH version header.
* Improved load_keypairs() to read public key files, confirming that they are consistent with their associated private key when they are present.
* Fixed issues in the SCP server related to handling filenames with spaces.
* Fixed an issue with resuming reading after readuntil() returns an incomplete read.
* Fixed a potential issue related to asyncio not reporting sockname/peername when a connection is closed immediately after it is opened.
* Made SSHConnection a subclass of asyncio.Protocol to please type checkers.
2020-03-12 16:36:31 +00:00
nia
f1af7ca5d5 gnome-keyring-sharp: Remove - archived upstream, no users in pkgsrc 2020-03-12 16:34:05 +00:00
gdt
fc80f0fbe9 security/mozilla-rootcerts-openssl: Allow in-pkgsrc unprivileged install
This was marked NOT_FOR_UNPRIVILEGED, but that is only appropriate
when the package (abusively, as a pre-existing well-discussed
compromise) writes outside of the pkgsrc prefix.

Patch by Jason Bacon, with general approval on tech-pkg.

ok dholland@
2020-03-12 13:43:35 +00:00
wiz
c260006bda kpcli: depend on p5-Term-ReadLine
which is really p5-Term-ReadLine-Gnu

Bump PKGREVISION
2020-03-12 09:25:44 +00:00
wiz
a6f6163169 *: bump for vala 0.48.0 2020-03-11 09:53:51 +00:00
wiz
4e3b1b97c2 librsvg: update bl3.mk to remove libcroco in rust case
recursive bump for the dependency change
2020-03-10 22:08:37 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
bsiegert
23f9d8e845 Revbump packages depending on libffi after .so version change.
Requested by Matthias Ferdinand and Oskar on pkgsrc-users.
2020-03-08 16:42:24 +00:00
adam
83e4bd8e52 py-gssapi: updated to 1.6.2
v1.6.2: Meyer (patch 2)

Changelog

Features
Provide wheels for python-3.8 on Windows

Documentation
Expand on documentation of cred stores
2020-03-07 12:13:41 +00:00
wiz
49b4ad653f security/Makefile: + rvault. 2020-03-05 09:49:24 +00:00
wiz
39bf680a7f security/rvault: import rvault-0.1
rvault is a secure and authenticated store for secrets (passwords,
keys, certificates) and small documents.  It uses envelope encryption
with one-time password (OTP) authentication.  The vault can be operated
as a file system in userspace.  It is written in C11 and distributed
under the 2-clause BSD license.

From rmind@
2020-03-05 09:49:09 +00:00
nia
21d6a58e81 security: Remove gpass, dead GNOME 2 app, fails with OpenSSL 1.1 2020-03-01 17:59:32 +00:00
nia
3fdc784b1e security: Remove mixminion - in alpha since 2007, fails with OpenSSL 1.1 2020-03-01 17:40:05 +00:00
nia
9cbd97290e security: Remove sign - fails with OpenSSL 1.1, no release since 2004 2020-03-01 17:35:29 +00:00
nia
20c87f0096 security: Remove stud - abandonware, fails to build with OpenSSL 1.1
From the README:
"Stud is now officially abandonware, thanks for playing."
2020-03-01 17:29:15 +00:00
nia
eae692c7f9 security: Remove sslwrap. Breaks with OpenSSL 1.1, no release since 2000 2020-03-01 17:25:25 +00:00
nia
f80c3dc41b security: Remove p5-OpenSSL. Broken with OpenSSL 1.1, dead upstream.
p5-Net-SSLeay seems more popular in Perl-land.
2020-03-01 17:22:55 +00:00
nia
946296e200 mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20

Security
   * Fix potential memory overread when performing an ECDSA signature
     operation. The overread only happens with cryptographically low
     probability (of the order of 2^-n where n is the bitsize of the curve)
     unless the RNG is broken, and could result in information disclosure or
     denial of service (application crash or extra resource consumption).
     Found by Auke Zeilstra and Peter Schwabe, using static analysis.
   * To avoid a side channel vulnerability when parsing an RSA private key,
     read all the CRT parameters from the DER structure rather than
     reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
     Brumley. Reported and fix contributed by Jack Lloyd.
     ARMmbed/mbed-crypto#352

Bugfix
   * Fix an unchecked call to mbedtls_md() in the x509write module.
   * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
     RSA keys that would later be rejected by functions expecting private
     keys. Found by Catena cyber using oss-fuzz (issue 20467).
   * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
     RSA keys with invalid values by silently fixing those values.
2020-02-29 11:45:02 +00:00
wiz
31c3fbed83 scrypt: update to 1.3.0nb2.
Enable libscrypt-kdf.
Add bl3.mk file.
2020-02-28 11:19:53 +00:00
bsiegert
8db2ef453e Update py-ecdsa to 0.15.
Patch from Jonathan Schleifer via PR pkg/54883.

Contains a fix for broken signature verification.
2020-02-27 16:55:07 +00:00
leot
0fcc96d4be sqlmap: Update to 1.4.2
Unfortunately no changelog is provided by upstream.
2020-02-27 16:46:21 +00:00
nia
26391b653f keepassxc: Update to 2.5.3
## 2.5.3 (2020-01-19)

### Fixed

- Fix a possible database lockout when removing a YubiKey from a KDBX 3.1 database [#4147]
- Fix crash if Auto-Type is performed on a new entry [#4150]
- Fix crash when all entries are deleted from a group [#4156]
- Improve the reliability of clipboard clearing on Gnome [#4165]
- Do not check cmd:// URLs for valid URL syntax anymore [#4172]
- Prevent unnecessary merges for databases on network shares [#4153]
- Browser: Prevent native messaging proxy from blocking application shutdown [#4155]
- Browser: Improve website URL matching [#4134, #4177]

### Added

- Browser: Enable support for Chromium-based Edge Browser [#3359]
2020-02-26 16:07:38 +00:00
nia
2286520adf keepass: Update to 2.44
Changes from 2.43 to 2.44:

   New Features:
     * Added option 'Use file transactions for writing configuration
       settings' (turned on by default).
     * If the option 'Do not store data in the Windows clipboard history
       and the cloud clipboard' is turned on (which it is by default),
       KeePass now additionally excludes its clipboard contents from
       processing by Windows' internal ClipboardMonitor component.
     * Added commands to find database files ('File' -> 'Open' -> 'Find
       Files' and 'Find Files (In Folder)').
     * Added 'Edit' menu in the internal text editor (including new
       'Select All' and 'Find' commands with keyboard shortcuts).
     * Added keyboard shortcuts for formatting commands in the internal
       text editor.
     * Added 'Cancel' button in the save confirmation dialog of the
       internal text editor.
     * Added {CLIPBOARD} and {CLIPBOARD-SET:/T/} placeholders, which
       get/set the clipboard content.
     * Added support for importing True Key 4 CSV files.
     * Added command line options for adding/removing scheme-specific URL
       overrides.
     * Added an auto-type event for plugins.
     * When loading a plugin on a Unix-like system fails, the error
       message now includes a hint that the 'mono-complete' package may be
       required.
     * In order to avoid a Windows Input Method Editor (IME) bug
       (resulting in a black screen and/or an IME/CTF process with high
       CPU usage), KeePass now disables the IME on secure desktops.

   Improvements:
     * Auto-Type: improved compatibility with VMware Workstation.
     * Auto-Type into virtual machines: improved compatibility with
       certain guest systems.
     * The option to use the 'Clipboard Viewer Ignore' clipboard format is
       now turned on by default.
     * Improved menu/toolbar item state updating in the internal text
       editor.
     * Improved performance of Spr compilations.
     * Before writing a local configuration file whose path has been
       specified using the '-cfg-local:' command line parameter,
       KeePass now tries to create the parent directory, if it does not
       exist yet.
     * Improved conversion of file URIs to local file paths.
     * Improved compatibility of the list view dialog with plugins.
     * If ChaCha20 is selected as file encryption algorithm, the
       database is now saved in the KDBX 4 format (thanks to
       AMOSSYS).
     * Minor process memory protection improvements.
     * HTML export/printing: KeePass now generates HTML 5 documents
       (instead of XHTML 1.0 documents).
     * HTML export/printing: improved internal CSS.
     * HTML exports do not contain temporary content identifiers anymore.
     * XSL files: HTML output now conforms to HTML 5 instead of XHTML 1.0.
     * XSL files: improved internal CSS.
     * CHM pages are now rendered in the highest standards mode supported
       by Internet Explorer (EdgeHTML mode).
     * Migrated most of the documentation from XHTML 1.0 to HTML 5.
     * Various code optimizations.
     * Minor other improvements.

   Bugfixes:
     * In the internal text editor, the 'Delete' command does not reset
       RTF text formattings anymore.
     * The KeyCreationFlags bit 2^19 (for hiding the passwords) now
       works as intended.
2020-02-26 15:26:05 +00:00
adam
9708037fda py-cryptodome: updated to 3.9.7
3.9.7:
* Make notarization possible again on OS X when using wheels.
2020-02-22 06:50:56 +00:00
rillig
6e1f56ae31 security/heimdal: add back MAKE_JOBS_SAFE=no 2020-02-20 21:01:09 +00:00
nia
c974b78558 mbedtls: Update to 2.16.4
Security
   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
     constant time/constant trace, so side channel attacks can retrieve the
     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
     to have only large prime factors), and then, by brute force, recover the
     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
     mbedtls_internal_aes_decrypt() before exiting the function. The value of
     these variables can be used to recover the last round key. To follow best
     practice and to limit the impact of buffer overread vulnerabilities (like
     Heartbleed) we need to zeroize them before exiting the function.
     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
     Grant Hernandez, and Kevin Butler (University of Florida) and
     Dave Tian (Purdue University).
   * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
     timings on the comparison in the key generation enabled the attacker to
     learn leading bits of the ephemeral key used during ECDSA signatures and to
     recover the private key. Reported by Jeremy Dubeuf.
   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
     failures could happen with alternative implementations of AES. Bug
     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
     Sectra.

Bugfix
   * Remove redundant line for getting the bitlen of a bignum, since the variable
     holding the returned value is overwritten a line after.
     Found by irwir in #2377.
   * Support mbedtls_hmac_drbg_set_entropy_len() and
     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
     the initial seeding always reset the entropy length to the compile-time
     default.

Changes
   * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
     from the cipher abstraction layer. Fixes #2198.
   * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
     NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
     to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
2020-02-20 15:27:31 +00:00
adam
800ea77142 py-acme py-certbot: updated to 1.2.0
1.2.0:

Added
Added support for Cloudflare's limited-scope API Tokens
Added support for $hostname in nginx server_name directive

Changed
Add directory field to error message when field is missing.
If MD5 hasher is not available, try it in non-security mode (fix for FIPS systems)
Disable old SSL versions and ciphersuites and remove SSLCompression off setting to follow Mozilla recommendations in Apache.
Remove ECDHE-RSA-AES128-SHA from NGINX ciphers list now that Windows 2008 R2 and Windows 7 are EOLed
Support for Python 3.4 has been removed.

Fixed
Fix collections.abc imports for Python 3.9.
More details about these changes can be found on our GitHub repo.


1.1.0:

Changed
Removed the fallback introduced with 0.34.0 in acme to retry a POST-as-GET request as a GET request when the targeted ACME CA server seems to not support POST-as-GET requests.
certbot-auto no longer supports architectures other than x86_64 on RHEL 6 based systems. Existing certbot-auto installations affected by this will continue to work, but they will no longer receive updates. To install a newer version of Certbot on these systems, you should update your OS.
Support for Python 3.4 in Certbot and its ACME library is deprecated and will be removed in the next release of Certbot. certbot-auto users on x86_64 systems running RHEL 6 or derivatives will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
2020-02-16 20:23:26 +00:00
adam
c4b63fcd27 py-google-auth: updated to 1.11.2
1.11.2:
Reverts
Revert "fix: update _GOOGLE_OAUTH2_CERTS_URL"

1.11.1:
Bug Fixes
compute engine id token credentials "with_target_audience" method
update _GOOGLE_OAUTH2_CERTS_URL
2020-02-16 14:33:30 +00:00
taca
2a4e61d1ed security/clamav: update to 0.102.2
Update clamav to 0.102.2.

## 0.102.2

ClamAV 0.102.2 is a bug patch release to address the following issues.

- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
  A Denial-of-Service (DoS) condition may occur when using the optional credit
  card data-loss-prevention (DLP) feature. Improper bounds checking of an
  unsigned variable resulted in an out-of-bounds read which causes a crash.

- Significantly improved scan speed of PDF files on Windows.

- Re-applied a fix to alleviate file access issues when scanning RAR files in
  downstream projects that use libclamav where the scanning engine is operating
  in a low-privilege process. This bug was originally fixed in 0.101.2 and the
  fix was mistakenly omitted from 0.102.0.

- Fixed an issue wherein freshclam failed to update if the database version
  downloaded is 1 version older than advertised. This situation may occur after
  a new database version is published. The issue affected users downloading the
  whole CVD database file.

- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
  The ReceiveTimeout had caused needless database update failures for users with
  slower internet connections.

- Correctly display number of kilobytes (KiB) in progress bar and reduced the
  size of the progress bar to accommodate 80-char width terminals.

- Fixed an issue where running freshclam manually causes a daemonized freshclam
  process to fail when it updates because the manual instance deletes the
  temporary download directory. Freshclam temporary files will now download to a
  unique directory created at the time of an update instead of using a hardcoded
  directory created/destroyed at the program start/exit.

- Fix for Freshclam's OnOutdatedExecute config option.

- Fixes a memory leak in the error condition handling for the email parser.

- Improved bound checking and error handling in ARJ archive parser.

- Improved error handling in PDF parser.

- Fix for memory leak in byte-compare signature handler.

- Updates to the unit test suite to support libcheck 0.13.

- Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following for code contributions and bug reports:

- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini
2020-02-15 02:40:43 +00:00
rillig
3f99d243b9 security/heimdal: remove MAKE_JOBS_SAFE=no
Heimdal built fine on NetBSD-8.0-x86_64 with MAKE_JOBS=7.
2020-02-13 21:12:21 +00:00
rillig
e636a00e3c security/heimdal: disable check for unknown GNU configure options
Heimdal has bundled libreadline, which has its own configure file with
completely different options.
2020-02-13 21:04:25 +00:00
jperkin
bdc0eb23c9 openssl: Spell x86_64 correctly. 2020-02-12 19:49:23 +00:00
rillig
f64e0028f3 security/openssl: fix the recent fix for building on Solaris and HP-UX 2020-02-12 15:14:57 +00:00
rillig
8b4fff4dbe security/openssl: fix build on Solaris
This fixes PR pkg/54894.
2020-02-11 17:23:11 +00:00
jperkin
15c21264dd openssl: Handle i386 SunOS.
The OpenSSL config script isn't clever enough to detect multiarch platforms so
we need to manually specify the host OS.
2020-02-11 09:58:50 +00:00
he
83e17370ba Update opendnssec2 to version 2.1.6.
Upstream changes:

OpenDNSSEC 2.1.6 - 2020-02-11:

* OPENDNSSEC-913: verify database connection upon every use.
* OPENDNSSEC-944: bad display of date of next transition (regression)
* SUPPORT-250: missing signatures on using combined keys (CSK)
* OPENDNSSEC-945: memory leak per command to enforcer.
* OPENDNSSEC-946: unclean enforcer exit in case of certain config
  problems.
* OPENDNSSEC-411: set-policy command to change policy of zone
  (experimental).  Requests explicit enforce command to take effect.
2020-02-11 08:00:57 +00:00
leot
9443440ac1 security: Add snallygaster 2020-02-10 14:06:03 +00:00
leot
7351db73e4 snallygaster: Import snallygaster-0.0.4 as security/snallygaster
snallygaster is a tool that looks for files accessible on web servers that
shouldn't be public and can pose a security risk.

Typical examples include publicly accessible git repositories, backup files
potentially containing passwords or database dumps. In addition it contains a
few checks for other security vulnerabilities.
2020-02-10 14:05:36 +00:00
adam
1967939dda libgpg-error: updated to 1.37
Noteworthy changes in version 1.37:
* Fixes a build problem when using Gawk 5.0
* Fixes Bourne shell incompatibilities on Solaris.
* Improves cross-compiling support.
* On Windows strerror_s is now used to emulate strerror_r.
* New error codes to map SQLite primary error codes.
* Now uses poll(2) instead of select(2) in gpgrt_poll if possible.
* Fixes a bug in gpgrt_close.
* Fixes build problem under Cygwin.
* Fixes a few minor portability bugs.
2020-02-10 08:35:12 +00:00
wiz
91959cf377 libsecret: update to 0.20.1.
0.20.1
 * Build fixes [!45]
2020-02-09 13:59:43 +00:00
wiz
23282680f5 gnutls: update to 3.6.12.
* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note, that server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting
   To continue accepting the invalid form compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can
   be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling
   (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
2020-02-09 13:56:28 +00:00
rillig
f094fd5e50 security/libtasn1: remove unknown configure options
The package does not mention the word "packager" anymore.
2020-02-08 23:57:51 +00:00
nia
9bf183a541 qca2: Update HOMEPAGE 2020-02-08 16:58:08 +00:00
rillig
5a1bf3b381 security/pscan: fix pkglint warnings 2020-02-04 17:25:59 +00:00
rillig
343f595122 security/pscan: update HOMEPAGE, document MASTER_SITES 2020-02-04 17:22:06 +00:00
adam
3088e7d397 py-josepy: updated to 1.3.0
1.3.0:
* Deprecated support for Python 3.4.
* Officially add support for Python 3.8.
2020-02-04 16:36:53 +00:00
fox
513df21203 security/wolfssl: Updates the comment on mutex test failure.
Adds the version of -current where the tests have been fixed.
2020-02-04 11:47:31 +00:00
adam
7aea70d098 py-cryptodome: updated to 3.9.6
3.9.6:

Resolved issues
* Fix building of wheels for OSX by explicitly setting `sysroot` location.


3.9.5:

Resolved issues
* RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
* GH-372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
* Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.

New features
* Updated Wycheproof test vectors to version 0.8r12.
2020-02-04 09:36:21 +00:00
fox
b579bbadd2 Added wolfssl to Makefile SUBDIRs 2020-02-03 23:05:10 +00:00
fox
4f0734454b Import of wolfssl v4.3.0 as security/wolfssl
WolfSSL is an embedded SSL Library for programmers building security
functionality into their applications and devices.
2020-02-03 23:04:09 +00:00
bsiegert
d2899c876c Re-add a package for go-crypto-acme.
The acme package has a dependency on go-net but go-net depends on
go-crypto. Separate it out to prevent a circular dependency.
2020-02-03 14:51:55 +00:00
bsiegert
92eccf2d3b Update go-crypto to 0.0.20200122.
In addition to about two years of changes, this contains notably the
following security fix:

	When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
	overflow could occur, causing a panic, due to malformed ASN.1 being
	passed to any of the ASN1 methods of String.

	Tested on linux/386 and darwin/amd64.

	This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
	test vectors.

pkgsrc changes:
Once again, the acme subdirectory was removed as it introduces a circular
dependency with go-net.

Prodded several times by ng0@
2020-02-03 13:14:20 +00:00
kim
99c26d1794 Update to sudo 1.8.31
What's new:

* Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
  sudoers option is enabled on systems with uni-directional pipes.

* The "sudoedit_checkdir" option now treats a user-owned directory
  as writable, even if it does not have the write bit set at the
  time of check.  Symbolic links will no longer be followed by
  sudoedit in any user-owned directory.  Bug #912

* Fixed sudoedit on macOS 10.15 and above where the root file system
  is mounted read-only.  Bug #913.

* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
  at the password prompt.  Bug #914.

* Fixed compilation on systems where the mmap MAP_ANON flag
  is not available.  Bug #915.
2020-02-03 07:47:55 +00:00
bsiegert
f6baaa9181 Revbump all Go packages after go113 update. 2020-02-02 14:18:56 +00:00
markd
4e7d1c6199 kwalletmanager: update kde release service to 19.12.1
builds with qt 5.14, other changes unknown.
2020-02-02 03:04:19 +00:00
he
562314c87c Disable the configure check for GOST, don't use built-in sqlite3.
RFC 8624 says "MUST NOT" for signing and "MAY" for sig-checking.
The sqlite3 change is related to the OpenDNSSEC v2 change, to be
consistent with the choice there.

PKGREVISION bumped.
2020-01-31 19:13:07 +00:00
he
87b56a8f0b Insist on using pkgsrc sqlite3; I got SEGV's via call of null pointers
with the built-in sqlite3 on NetBSD 8.0.
Bump PKGREVISION.
2020-01-31 16:08:48 +00:00
wiz
b1c8a7f93d tor-browser: mark BROKEN, needs rust fixes or update. 2020-01-31 11:45:03 +00:00
triaxx
0e4df1dec7 sudo: update master site
TW Aren FTP server seems down and the fetching step hangs for hours.
2020-01-30 21:07:59 +00:00
triaxx
bc20954e21 openpam: fix PR pkg/54907
pkgsrc changes:
---------------
  - Add -lcrypt to pam_unix.so
  - Bump revision
2020-01-30 11:17:05 +00:00
jaapb
5e6d86a9b2 Added conversion to dune to security/ocaml-safepass
Project still uses jbuilder, so just run a dune upgrade before
building. No upstream changes.
2020-01-29 16:33:18 +00:00
markd
bcc5c0aea3 kf5: update to frameworks 5.66
build with qt5 5.14

All frameworks
  Port from QRegExp to QRegularExpression
  Port from qrand to QRandomGenerator
  Fix compilation with Qt 5.15 (e.g. endl is now Qt::endl,
   QHash insertMulti now requires using QMultiHash...)

Attica
  Don't use a verified nullptr as a data source
  Support multiple children elements in comment elements
  Set a proper agent string for Attica requests

Baloo
  Correctly report if baloo_file is unavailable
  Check cursor_open return value
  Initialise QML monitor values
  Move URL parsing methods from kioslave to query object

Breeze Icons
  Change XHTML icon to be a purple HTML icon
  Merge headphones and zigzag in the center
  Add application/x-audacity-project icon
  Add 32px preferences-system
  Add application/vnd.apple.pkpass icon
  icon for ktimetracker using the PNG in the app repo, to be replaced
  with real breeze SVG
  add kipi icon, needs redone as a breeze theme svg [or just kill off kipi]

Extra CMake Modules
  [android] Fix apk install target
  Support PyQt5 compiled with SIP 5

Framework Integration
  Remove ColorSchemeFilter from KStyle

KDE Doxygen Tools
  Display fully qualified class/namespace name as page header

KCalendarCore
  Improve README.md to have an Introduction section
  Make incidence geographic coordinate also accessible as a property
  Fix RRULE generation for timezones

KCMUtils
  Deprecate KCModuleContainer

KCodecs
  Fix invalid cast to enum by changing the type to int rather than enum

KCompletion
  Deprecate KPixmapProvider
  [KHistoryComboBox] Add method to set an icon provider

KConfig
  kconfig EBN transport protocol cleanup
  Expose getter to KConfigWatcher's config
  Fix writeFlags with KConfigCompilerSignallingItem
  Add a comment pointing to the history of Cut and Delete sharing a shortcut

KConfigWidgets
  Rename "Configure Shortcuts" to "Configure Keyboard Shortcuts"

KContacts
  Align ECM and Qt setup with Frameworks conventions
  Specify ECM dependency version as in any other framework

KCoreAddons
  Add KPluginMetaData::supportsMimeType
  [KAutoSaveFile] Use QUrl::path() instead of toLocalFile()
  Unbreak build w/ PROCSTAT: add missing impl. of KProcessList::processInfo
  [KProcessList] Optimize KProcessList::processInfo
  [KAutoSaveFile] Improve the comment in tempFileName()
  Fix KAutoSaveFile broken on long path

KDeclarative
  [KeySequenceHelper] Grab actual window when embedded
  Add optional subtitle to grid delegate
  [QImageItem/QPixmapItem] Don't lose precision during calculation

KFileMetaData
  Partial fix for accentuated characters in file name on Windows
  Remove unrequired private declarations for taglibextractor
  Partial solution to accept accentuated characters on windows
  xattr: fix crash on dangling symlinks

KIconThemes
  Set breeze as default theme when reading from configuration file
  Deprecate the top-level IconSize() function
  Fix centering scaled icons on high dpi pixmaps

KImageFormats
  pic: Fix Invalid-enum-value undefined behaviour

KIO
  [KFilePlacesModel] Fix supported scheme check for devices
  Embed protocol data also for Windows version of trash ioslave
  Adding support for mounting KIOFuse URLs for applications that don't use KIO
  Add truncation support to FileJob
  Deprecate KUrlPixmapProvider
  Deprecate KFileWidget::toolBar
  [KUrlNavigator] Add RPM support to krarc:
  KFilePlaceEditDialog: fix crash when editing the Trash place
  Add button to open the folder in filelight to view more details
  Show more details in warning dialog shown before starting a
  privileged operation
  KDirOperator: Use a fixed line height for scroll speed
  Additional fields such as deletion time and original path are now
  shown in the file properties dialog
  KFilePlacesModel: properly parent tagsLister to avoid memleak.
  HTTP ioslave: call correct base class in virtual_hook(). The
  base of HTTP ioslave is TCPSlaveBase, not SlaveBase
  Ftp ioslave: fix 4 character time interpreted as year
  Re-add KDirOperator::keyPressEvent to preserve BC
  Use QStyle for determining icon sizes

Kirigami
  ActionToolBar: Only show the overflow button if there are visible
  items in the menu
  Don't build and install app templates on android
  Don't hardcode the margin of the CardsListView
  Add support for custom display components to Action
  Let the other components grow if there's more things on the header
  Remove dynamic item creation in DefaultListItemBackground
  reintroduce the collapse button
  Show application window icon on AboutPage

KItemModels
  Add KColumnHeadersModel

KJS
  Added tests for Math.exp()
  Added tests for various assignment operators
  Test special cases of multiplicative operators (*, / and %)

KNewStuff
  Ensure the dialog title is correct with an uninitialised engine
  Don't show the info icon on the big preview delegate
  Support archive installs with adoption commands
  Send along the config name with requests

KPeople
  Expose enum to the metaobject compiler

KQuickCharts
  Also correct the shader header files
  Correct license headers for shaders

KService
  Deprecate KServiceTypeProfile

KTextEditor
  Add "line-count" property to the ConfigInterface
  Avoid unwanted horizontal scrolling

KWayland
  [plasmashell] Update docs for panelTakesFocus to make it generic
  [plasmashell] Add signal for panelTakesFocus changing

KXMLGUI
  KActionCollection: provide a changed() signal as a replacement for removed()
  Adjust keyboard shortcut configuration window's title

NetworkManagerQt
  Manager: add support for AddAndActivateConnection2
  cmake: Consider NM headers as system includes
  Sync Utils::securityIsValid with NetworkManager

Plasma Framework
  [ToolTip] Round position
  Enable wheel events on Slider {}
  Sync QWindow flag WindowDoesNotAcceptFocus to wayland plasmashell interface
  [calendar] Check out of bounds array access in QLocale lookup
  [Plasma Dialog] Use QXcbWindowFunctions for setting window types Qt
  WindowFlags doesn't know
  [PC3] Complete plasma progress bar animation
  [PC3] Only show progress bar indicator when the ends won't overlap
  [RFC] Fix Display Configuration icon margins
  [ColorScope] Work with plain QObjects again
  [Breeze Desktop Theme] Add monochrome user-desktop icon
  Remove default width from PlasmaComponents3.Button
  [PC3 ToolButton] Have the label take into account complementary color schemes
  Added background colors to active and inactive icon view

QQC2StyleBridge
  [ToolTip] Round position
  Update size hint when font changes

Solid
  Display first / in mounted storage access description
  Ensure mounted nfs filesystems matches their fstab declared counterpart

Sonnet
  The signal done is deprecated in favour of spellCheckDone, now correctly emitted

Syntax Highlighting
  LaTeX: fix brackets in some commands
  TypeScript: add "bigint" primitive type
  Python: improve numbers, add octals, binaries and "breakpoint" keyword
  SELinux: add "glblub" keyword and update permissions list
  Several enhancements to gitolite syntax definition
2020-01-29 11:49:22 +00:00
triaxx
150c7110ec openssl: fix PR pkg/54890
pkgsrc changes:
---------------
  * Make the BUILDLINK_API_DEPENDS of builtin.mk match the one of
    buildlink3.mk.
2020-01-28 07:34:57 +00:00
pho
6bcf164b69 Add missing dependency on converters/base64 2020-01-27 12:56:38 +00:00
rillig
9637f7852e all: migrate homepages from http to https
pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
2020-01-26 17:30:40 +00:00
adam
e9643d1560 py-google-auth: updated to 1.11.0
1.11.0:
Features
add non-None default timeout to AuthorizedSession.request()
distinguish transport and execution time timeouts
2020-01-25 12:49:12 +00:00
jperkin
982c63fe94 *: Remove obsolete BUILDLINK_API_DEPENDS.openssl. 2020-01-25 10:45:10 +00:00
adam
2021229dac py-google-auth: updated to 1.10.2
1.10.2:
Bug Fixes
make collections import compatible across Python versions
2020-01-22 19:32:43 +00:00
adam
8c4cf510d6 py-trustme: updated to 0.6.0
0.6.0:
Features
Allow specifying organization and organization unit in CA and issued certs.
2020-01-22 19:20:32 +00:00
nia
136703252d libsecret: Update for 0.20.0
Needed for updating epiphany.

0.20.0
 * secret-backend: New interface to represent password storage backend [!34]
 * secret-backend: Add local-storage backend [!6]
 * item: Port to GTask [!43]
 * Build fixes [!34, !37, !38, !40, !41, !42, ...]
 * Updated translations

0.19.1
 * service: Fix secret_service_ensure_session_finish error propagation [!36]

0.19.0
 * secret-password: Add necessary functions to migrate from D-Bus based API [!32]
 * egg: Request that secure memory not be dumped to disk [!30]
 * Add version macros [!29]
 * Add missing GType to flags in .gir [!16, !19]
 * paths: Port from GSimpleAsyncResult to GTask [!26]
 * build: Bump meson_version to 0.50 [!18, !35]
 * Build and test fixes [!15, !20, !21, !23, !33, ...]
2020-01-21 14:04:16 +00:00
jperkin
e0bbb4d5f1 openssl: Explicitly disable afalgeng for now.
This is only supported in certain Linux configurations, so will need proper
PLIST logic if it is to be properly handled as an option.  Fixes EL7.
2020-01-20 17:42:53 +00:00
taca
3bd0c2503e security/Makefile: add and enable ruby-gssapi 2020-01-19 14:23:55 +00:00
taca
e89672a144 security/ruby-gssapi: add version 1.3.0 package
Add ruby-gssapi version 1.3.0 package.


Ruby GSSAPI Library

This is a wrapper around the system GSSAPI library (MIT only at this time).
It exposes the low-level GSSAPI methods like gss_init_sec_context and
gss_wrap and also provides an easier to use wrapper on top of this for
common usage scenarios.
2020-01-19 14:23:13 +00:00
taca
cb59c211d0 security/Makefile: add and enable ruby-ed25519 2020-01-19 14:21:25 +00:00
taca
c10aa30521 security/ruby-ed25519: add version 1.2.4 package
Add ruby-ed25519 version 1.2.4 package.


# ed25519.rb

A Ruby binding to the Ed25519 elliptic curve public-key signature system
described in [RFC 8032].

Two implementations are provided: a MRI C extension which uses the "ref10"
implementation from the SUPERCOP benchmark suite, and a pure Java version
based on [str4d/ed25519-java].

Ed25519 is one of two notable algorithms implemented atop the Curve25519
elliptic curve. The [x25519 gem] is a related project of this one,
and implements the X25519 Diffie-Hellman key exchange algorithm on the
Montgomery form of Curve25519.

[RFC 8032]: https://tools.ietf.org/html/rfc8032
[str4d/ed25519-java]: https://github.com/str4d/ed25519-java
[x25519 gem]: https://github.com/crypto-rb/x25519
2020-01-19 14:20:38 +00:00
pho
87e3139b27 Add hs-hackage-security 2020-01-19 01:55:24 +00:00
pho
3505ea90b1 Import hackage-security-0.6.0.0
The hackage security library provides both server and client utilities
for securing the Hackage package server
(http://hackage.haskell.org/). It is based on The Update Framework
(http://theupdateframework.com/), a set of recommendations developed
by security researchers at various universities in the US as well as
developers on the Tor project (https://www.torproject.org/).

The current implementation supports only index signing, thereby
enabling untrusted mirrors. It does not yet provide facilities for
author package signing.
2020-01-19 01:54:46 +00:00
nia
8ce0bd3041 snow: Update to 20130616
2013-06-16 Matthew Kwan <mkwan@darkside.com.au>
 - compress.c: Fixed some fprintf format warnings.
 - Makefile: Added new compile flags.
2020-01-19 00:26:18 +00:00
rillig
b686dd9180 all: migrate several HOMEPAGEs to https
pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
2020-01-18 23:30:43 +00:00
pho
07901a377b Add hs-ed25519 2020-01-18 23:30:42 +00:00
pho
82d0100c0b Import ed25519-0.0.5.0
This package provides a simple, fast, self-contained copy of the
Ed25519 public-key signature system with a clean interface. It also
includes support for detached signatures, and thorough documentation
on the design and implementation, including usage guidelines.
2020-01-18 23:30:04 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
jperkin
b3027144f7 rainbowcrack: Missed last USE_OLD_DES_API removal. 2020-01-18 20:18:16 +00:00
pho
17bff0d900 Add hs-cryptohash-sha256 2020-01-18 15:26:22 +00:00
pho
9630eff194 Import cryptohash-sha256-0.11.101.0
A practical incremental and one-pass, pure API to the SHA-256
cryptographic hash algorithm according to FIPS 180-4 with performance
close to the fastest implementations available in other languages.
2020-01-18 15:25:43 +00:00
pho
1477700997 Add hs-SHA 2020-01-17 15:26:16 +00:00
pho
5e30b4a0d1 Import SHA-1.6.4.4 from wip
This library implements the SHA suite of message digest functions,
according to NIST FIPS 180-2 (with the SHA-224 addendum), as well as
the SHA-based HMAC routines. The functions have been tested against
most of the NIST and RFC test vectors for the various functions. While
some attention has been paid to performance, these do not presently
reach the speed of well-tuned libraries, like OpenSSL.
2020-01-17 15:25:41 +00:00
pho
011350cb52 Add hs-x509-system 2020-01-17 14:41:38 +00:00
pho
1ed3a33443 Import x509-system-1.6.6
System X.509 root CA storage handling
2020-01-17 14:40:51 +00:00
pho
0da19f13ed Add hs-tls 2020-01-17 13:38:35 +00:00
pho
9052765fac Import tls-1.5.3
Native Haskell TLS and SSL protocol implementation for server and
client.

This provides a high-level implementation of a sensitive security
protocol, eliminating a common set of security issues through the use
of the advanced type system, high level constructions and common
Haskell features.

Currently implements the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
protocols, and supports RSA and Ephemeral (Elliptic curve and regular)
Diffie Hellman key exchanges, and many extensions.
2020-01-17 13:38:00 +00:00
pho
7b1785d533 Add hs-x509-validation 2020-01-17 13:07:15 +00:00
pho
6258b29e5d Import x509-validation-1.6.11
X.509 Certificate checks and validations routines.

Follows RFC5280 / RFC6818.
2020-01-17 13:06:38 +00:00
pho
ebebf5ed99 Add hs-x509-store 2020-01-17 12:41:24 +00:00
pho
4416023a60 Import x509-store-1.6.7
X.509 collection accessing and storing methods for certificate, crl,
exception list.
2020-01-17 12:40:40 +00:00
pho
1f8527d038 Add hs-x509 2020-01-17 00:54:04 +00:00
pho
f9216d86f6 Import x509-1.7.5
Read/Write X509 Certificate, CRL and their signed equivalents.

Follows RFC5280 / RFC6818
2020-01-17 00:53:30 +00:00
pho
072afaf575 Add hs-pem 2020-01-17 00:44:53 +00:00
pho
5f0a05fd07 Import pem-0.2.4
Privacy Enhanced Mail (PEM) format reader and writer.
2020-01-17 00:44:22 +00:00
pho
57225c02cc Add hs-cryptonite 2020-01-17 00:18:07 +00:00
pho
3b796d59b2 Import cryptonite-0.26
A repository of cryptographic primitives.

* Symmetric ciphers: AES, DES, 3DES, CAST5, Blowfish, Twofish,
  Camellia, RC4, Salsa, XSalsa, ChaCha.

* Hash: SHA1, SHA2, SHA3, SHAKE, MD2, MD4, MD5, Keccak, Skein, Ripemd,
  Tiger, Whirlpool, Blake2

* MAC: HMAC, KMAC, Poly1305

* Asymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519,
  Curve448, Ed25519, Ed448

* Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2, BCrypt,
  BCryptPBKDF

* Cryptographic Random generation: System Entropy, Deterministic
  Random Generator

* Data related: Anti-Forensic Information Splitter (AFIS)

If anything cryptographic related is missing from here, submit a pull
request to have it added. This package strives to be a cryptographic
kitchen sink that provides cryptography for everyone.
2020-01-17 00:17:32 +00:00
wiz
80e3e55259 openssl: rc5 patents expired some years ago
Remove its LICENSE line and enable rc5 option by default.
Bump PKGREVISION.
2020-01-16 22:45:45 +00:00
wiz
f0201250bd openssl: add PLIST.Linux for afalg.so
From Michael Forney in PR 54866
2020-01-16 21:58:50 +00:00
jperkin
f76ab4b2d3 openssl: Reduce buildlink ABI/API requirement.
Requested by wiz for NetBSD using older but compatible 1.1.1 releases.
2020-01-16 16:18:19 +00:00
jperkin
9620f18575 libtcpa: We no longer have openssl < 1.1. 2020-01-16 13:34:48 +00:00
jperkin
510dbe5aae *: Remove USE_OLD_DES_API.
OpenSSL 1.1.1d no longer ships des_old.h, and the time for this being
necessary appears to be behind us.
2020-01-16 13:33:50 +00:00
jperkin
953a453a3c openssl: Missed adding PLIST in previous. 2020-01-16 13:31:15 +00:00
jperkin
6a6a869481 openssl: Update to 1.1.1d.
This is a major upgrade to the current LTS release.  1.0.2 and 1.1.0 are now
out of support and should not be used.

pkgsrc changes include a large cleanup of patches and targets, many of which
were clearly bogus, for example a CONFLICTS entry against a package that has
never existed, and one that was removed in 1999.

Tested on SmartOS, macOS, and NetBSD.  Used for the SmartOS pkgsrc-2019Q4 LTS
release.

There are far too many individual changes to list, so the following text is
instead taken from the 1.1.1 blog announcement:

  --------------------------------------------------------------------------

After two years of work we are excited to be releasing our latest version today
- OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we
are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been
made from over 200 individual contributors since the release of OpenSSL 1.1.0.
These statistics just illustrate the amazing vitality and diversity of the
OpenSSL community. The contributions didn't just come in the form of commits
though. There has been a great deal of interest in this new version so thanks
needs to be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport Layer
Security (formerly known as SSL) protocol was published by the IETF just one
month ago as RFC8446. This is a major rewrite of the standard and introduces
significant changes, features and improvements which have been reflected in the
new OpenSSL version.

What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0
so most applications that work with 1.1.0 can gain many of the benefits of
TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very
differently to TLSv1.2 though there are a few caveats that may impact a
minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more
details.

Some of the benefits of TLSv1.3 include:

 * Improved connection times due to a reduction in the number of round trips
   required between the client and server

 * The ability, in certain circumstances, for clients to start sending
   encrypted data to the server straight away without any round trips with the
   server required (a feature known as 0-RTT or “early data”).

 * Improved security due to the removal of various obsolete and insecure
   cryptographic algorithms and encryption of more of the connection handshake

Other features in the 1.1.1 release include:

 * Complete rewrite of the OpenSSL random number generator to introduce the
   following capabilities:

   * The default RAND method now utilizes an AES-CTR DRBG according to NIST
     standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instance are per thread for lock free
     operation

 * Support for various new cryptographic algorithms including:

   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (including Ed25519 and Ed448)
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)

 * Significant Side-Channel attack security improvements

 * Maximum Fragment Length TLS extension support

 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to
upgrade as soon as possible. For most applications this should be straight
forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is
not an LTS release it will start receiving security fixes only with immediate
effect as per our previous announcement and as published in our release
strategy. It will cease receiving all support in one year's time.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support
until the end of this year. After that it will receive security fixes only. It
will stop receiving all support at the end of 2019. Users of that release are
strongly advised to upgrade to OpenSSL 1.1.1.
2020-01-16 13:30:29 +00:00
wiz
b081fc7056 pius: remove PYPKGPREFIX from PKGNAME to match directory name
It's an enduser program, so it's not necessary to install
multiple versions. ok schmonz@

While here, simplify github usage.
2020-01-16 12:18:31 +00:00
ryoon
1cce5cc18b acmesh: Update to 2.8.5
Changelog:
2.8.5
    fix auto upgrade error message.

2.8.4
    Avoiding autoupdate by checking master hash value.
    more dns api support'
    adapt recent letsencrypt ca http headers changes.
    bugs fixes.

Recommended to upgrade.
2020-01-15 16:30:56 +00:00
wiz
9e359b02d5 pius: fix installation
Switch from egg.mk to distutils.mk, the latter works.
Add perl dependency for pius-party-worksheet.

Bump PKGREVISION.
2020-01-15 13:07:46 +00:00
adam
053c3a85a0 py-google-auth: updated to 1.10.1
1.10.1:
Bug Fixes
google.auth.compute_engine.metadata: add retry to google.auth.compute_engine._metadata.get()
always pass body of type bytes to google.auth.transport.Request
2020-01-15 09:02:19 +00:00
wiz
ad761281b6 keepassxc: update to 2.5.2.
## 2.5.2 (2020-01-04)

### Added

- Browser: Show UI warning when entering invalid URLs [#3912]
- Browser: Option to use an entry only for HTTP auth [#3927]

### Changed

- Disable the user interface when merging or saving the database [#3991]
- Ability to hide protected attribute after reveal [#3877]
- Remove mention of "snaps" in Windows and macOS [#3879]
- CLI: Merge parameter for source database key file (--key-file-from) [#3961]
- Improve GUI tests reliability on Hi-DPI displays [#4075]
- Disable deprecation warnings to allow building with Qt 5.14+ [#4075]
- OPVault: Use 'otp' attribute for TOTP field imports [#4075]

### Fixed

- Fix crashes when saving a database to cloud storage [#3991]
- Fix crash when pressing enter twice while opening database [#3885]
- Fix handling of HTML when displayed in the entry preview panel [#3910]
- Fix start minimized to tray on Linux [#3899]
- Fix Auto Open with key file only databases [#4075]
- Fix escape key closing the standalone password generator [#3892]
- macOS: Fix monospace font usage in password field and notes [#4075]
- macOS: Fix building on macOS 10.9 to 10.11 [#3946]
- Fix TOTP setup dialog not closing on database lock [#4075]
- Browser: Fix condition where additional URLs are ignored [#4033]
- Browser: Fix subdomain matching to return only relevant site entries [#3854]
- Secret Service: Fix multiple crashes and incompatibilities [#3871, #4009, #4074]
- Secret Service: Fix searching of entries [#4008, #4036]
- Secret Service: Fix behavior when exposed group is recycled [#3914]
- CLI: Release the database instance before exiting interactive mode [#3889]
- Fix (most) memory leaks in tests [#3922]

## 2.5.1 (2019-11-11)

### Added

- Add programmatic use of the EntrySearcher [#3760]
- Explicitly clear database memory upon locking even if the object is not deleted immediately [#3824]
- macOS: Add ability to perform notarization of built package [#3827]

### Changed

- Reduce file hash checking to every 30 seconds to correct performance issues [#3724]
- Correct formatting of notes in entry preview widget [#3727]
- Improve performance and UX of database statistics page [#3780]
- Improve interface for key file selection to discourage use of the database file [#3807]
- Hide Auto-Type sequences column when not needed [#3794]
- macOS: Revert back to using Carbon API for hotkey detection [#3794]
- CLI: Do not show protected fields by default [#3710]

### Fixed

- Secret Service: Correct issues interfacing with various applications [#3761]
- Fix building without additional features [#3693]
- Fix handling TOTP secret keys that require padding [#3764]
- Fix database unlock dialog password field focus [#3764]
- Correctly label open databases as locked on launch [#3764]
- Prevent infinite recursion when two databases AutoOpen each other [#3764]
- Browser: Fix incorrect matching of invalid URLs [#3759]
- Properly stylize the application name on Linux [#3775]
- Show application icon on Plasma Wayland sessions [#3777]
- macOS: Check for Auto-Type permissions on use instead of at launch [#3794]

## 2.5.0 (2019-10-26)

### Added

- Add 'Paper Backup' aka 'Export to HTML file' to the 'Database' menu [#3277]
- Add statistics panel with information about the database (number of entries, number of unique passwords, etc.) to the Database Settings dialog [#2034]
- Add offline user manual accessible via the 'Help' menu [#3274]
- Add support for importing 1Password OpVault files [#2292]
- Implement Freedesktop.org secret storage DBus protocol so that KeePassXC can be used as a vault service by libsecret [#2726]
- Add support for OnlyKey as an alternative to YubiKeys (requires yubikey-personalization >= 1.20.0) [#3352]
- Add group sorting feature [#3282]
- Add feature to download favicons for all entries at once [#3169]
- Add word case option to passphrase generator [#3172]
- Add support for RFC6238-compliant TOTP hashes [#2972]
- Add UNIX man page for main program [#3665]
- Add 'Monospaced font' option to the notes field [#3321]
- Add support for key files in auto open [#3504]
- Add search field for filtering entries in Auto-Type dialog [#2955]
- Complete usernames based on known usernames from other entries [#3300]
- Parse hyperlinks in the notes field of the entry preview pane [#3596]
- Allow abbreviation of field names in entry search [#3440]
- Allow setting group icons recursively [#3273]
- Add copy context menu for username and password in Auto-Type dialog [#3038]
- Drop to background after copying a password to the clipboard [#3253]
- Add 'Lock databases' entry to tray icon menu [#2896]
- Add option to minimize window after unlocking [#3439]
- Add option to minimize window after opening a URL [#3302]
- Request accessibility permissions for Auto-Type on macOS [#3624]
- Browser: Add initial support for multiple URLs [#3558]
- Browser: Add entry-specific browser integration settings [#3444]
- CLI: Add offline HIBP checker (requires a downloaded HIBP dump) [#2707]
- CLI: Add 'flatten' option to the 'ls' command [#3276]
- CLI: Add password generation options to `Add` and `Edit` commands [#3275]
- CLI: Add XML import [#3572]
- CLI: Add CSV export to the 'export' command [#3278]
- CLI: Add `-y --yubikey` option for YubiKey [#3416]
- CLI: Add `--dry-run` option for merging databases [#3254]
- CLI: Add group commands (mv, mkdir and rmdir) [#3313].
- CLI: Add interactive shell mode command `open` [#3224]


### Changed

- Redesign database unlock dialog [#3287]
- Rework the entry preview panel [#3306]
- Move notes to General tab on Group Preview Panel [#3336]
- Enable entry actions when editing an entry and cleanup entry context menu  [#3641]
- Improve detection of external database changes  [#2389]
- Warn if user is trying to use a KDBX file as a key file [#3625]
- Add option to disable KeePassHTTP settings migrations prompt [#3349, #3344]
- Re-enabled Wayland support (no Auto-Type yet) [#3520, #3341]
- Add icon to 'Toggle Window' action in tray icon menu [#3244]
- Merge custom data between databases only when necessary [#3475]
- Improve various file-handling related issues when picking files using the system's file dialog [#3473]
- Add 'New Entry' context menu when no entries are selected [#3671]
- Reduce default Argon2 settings from 128 MiB and one thread per CPU core to 64 MiB and two threads to account for lower-spec mobile hardware [#3672]
- Browser: Remove unused 'Remember' checkbox for HTTP Basic Auth [#3371]
- Browser: Show database name when pairing with a new browser [#3638]
- Browser: Show URL in allow access dialog [#3639]
- CLI: The password length option `-l` for the CLI commands `Add` and `Edit` is now `-L` [#3275]
- CLI: The `-u` shorthand for the `--upper` password generation option has been renamed to `-U` [#3275]
- CLI: Rename command `extract` to `export`. [#3277]

### Fixed

- Improve accessibility for assistive technologies [#3409]
- Correctly unlock all databases if `--pw-stdin` is provided [#2916]
- Fix password generator issues with special characters [#3303]
- Fix KeePassXC interrupting shutdown procedure [#3666]
- Fix password visibility toggle button state on unlock dialog [#3312]
- Fix potential data loss if database is reloaded while user is editing an entry [#3656]
- Fix hard-coded background color in search help popup [#3001]
- Fix font choice for password preview [#3425]
- Fix handling of read-only files when autosave is enabled [#3408]
- Handle symlinks correctly when atomic saves are disabled [#3463]
- Enable HighDPI icon scaling on Linux [#3332]
- Make Auto-Type on macOS more robust and remove old Carbon API calls [#3634, #3347]
- Hide Share tab if KeePassXC is compiled without KeeShare support and other minor KeeShare improvements [#3654, #3291, #3029, #3031, #3236]
- Correctly bring window to the front when clicking tray icon on macOS [#3576]
- Correct application shortcut created by MSI Installer on Windows [#3296]
- Fix crash when removing custom data [#3508]
- Fix placeholder resolution in URLs [#3281]
- Fix various inconsistencies and platform-dependent compilation bugs [#3664, #3662, #3660, #3655, #3649, #3417, #3357, #3319, #3318, #3304]
- Browser: Fix potential leaking of entries through the browser integration API if multiple databases are opened [#3480]
- Browser: Fix password entropy calculation [#3107]
- Browser: Fix Windows registry settings for portable installation [#3603]
2020-01-14 22:32:17 +00:00
schmonz
eb677ef5e7 Add missing gnupg{,2} dependencies, and patch some paths. Ride
recent import.
2020-01-13 20:52:04 +00:00
schmonz
816600aad1 Add and enable pius. 2020-01-13 20:40:14 +00:00
schmonz
64438e68d2 Add pius, the PGP Individual User Signer. It helps attendees of PGP
keysigning parties. It allows you to quickly and easily sign each UID on
a set of PGP keys. It is designed to take the pain out of the
sign-all-the-keys part of PGP Keysigning Party while adding security to
the process.
2020-01-13 20:39:29 +00:00
ryoon
eedd1e806f *: Recursive revbump from devel/boost-libs 2020-01-12 20:19:52 +00:00
bsiegert
5220c156ea Revbump Go packages after Go default version bump. 2020-01-10 13:32:09 +00:00
wiz
78444582ff *: py-cachetools only supports python 3.x now, pass down to dependencies 2020-01-09 14:21:06 +00:00
adam
baec18424b py-google-auth: updated to 1.10.0
1.10.0:
Features
send quota project id in x-goog-user-project for OAuth2 credentials

1.9.0:
Features
add timeout parameter to AuthorizedSession.request()
2020-01-08 11:41:50 +00:00
adam
627995668b py-asn1crypto: updated to 1.3.0
1.3.0
- Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
  `cms.CMSAttributeType()`, along with related structures
- Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
- Fixed `x509.Certificate().subject_directory_attributes_value`
- Fixed some incorrectly computed minimum elliptic curve primary key
  encoding sizes in `keys.NamedCurve()`
- Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
  `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
  when using Python 2
2020-01-08 11:37:49 +00:00
mef
04baf85dbf (security/lua-sec) Updated 0.6 to 0.9
--------------------------------------------------------------------------
LuaSec 0.9
---------------
This version includes:

* Add DNS-based Authentication of Named Entities (DANE) support
* Add __close() metamethod
* Fix deprecation warnings with OpenSSL 1.1
* Fix special case listing of TLS 1.3 EC curves
* Fix general_name leak in cert:extensions()
* Fix unexported 'ssl.config' table
* Replace $(LD) with $(CCLD) variable
* Remove multiple definitions of 'ssl_options' variable
* Use tag in git format: v0.9

--------------------------------------------------------------------------
LuaSec 0.8.2
---------------
This version includes:

* Fix unexported 'ssl.config' table (backported)

--------------------------------------------------------------------------
LuaSec 0.8.1
---------------
This version includes:

* Fix general_name leak in cert:extensions() (backported)

--------------------------------------------------------------------------
LuaSec 0.8
---------------
This version includes:

* Add support to ALPN
* Add support to TLS 1.3
* Add support to multiple certificates
* Add timeout to https module (https.TIMEOUT)
* Drop support to SSL 3.0
* Drop support to TLS 1.0 from https module
* Fix invalid reference to Lua state
* Fix memory leak when get certificate extensions

--------------------------------------------------------------------------
LuaSec 0.7.2
---------------
This version includes:

* Fix unexported 'ssl.config' table (backported)

--------------------------------------------------------------------------
LuaSec 0.7.1
---------------
This version includes:

* Fix general_name leak in cert:extensions() (backported)

--------------------------------------------------------------------------
LuaSec 0.7
---------------
LuaSec depends  on OpenSSL, and  integrates with LuaSocket to  make it
easy to add secure connections to any Lua applications or scripts.

Documentation: https://github.com/brunoos/luasec/wiki

This version includes:

* Add support to OpenSSL 1.1.0
* Add support to elliptic curves list
* Add ssl.config that exports some OpenSSL information
* Add integration with luaossl
2020-01-06 23:55:47 +00:00
pho
fd37d437dc Fix build on NetBSD 8.1 2020-01-06 12:04:12 +00:00
nia
f3e83a26fc security: Remove seahorse-plugins.
Old GNOME 2 component. This is no longer part of GNOME.
Plugins for GNOME are no longer maintained alongside the seahorse client.
2020-01-04 14:04:29 +00:00
gutteridge
d5099a16be mate-polkit: tweak $DISTNAME
Prepare to bump the default $VERSION in meta-pkg/mate to 1.22.2 (now
the most common version amongst the packages and the effective release
we're at).
2020-01-02 22:47:56 +00:00
sevan
9d1cf377ce Upgrade to OpenSSL 1.0.2u
Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019]

Fixed an overflow bug in the x64_64 Montgomery squaring procedure used
in exponentiation with 512-bit moduli (CVE-2019-1551)
2020-01-02 20:31:05 +00:00
pho
2cffcbc7c7 Add dependency on devel/zlib 2020-01-02 11:40:05 +00:00
leot
249ddc9adf sqlmap: Update to 1.4
Unfortunately no changelog is provided by upstream.
2020-01-01 15:50:30 +00:00
kim
24f7b29a8a Update to sudo 1.8.30
Notable changes:

* The version string no longer has the word "beta" in it.
2020-01-01 01:47:29 +00:00
ng0
60cf554ea9 security/doas: update to version 6.2p4
Changelog picked from https://github.com/slicer69/doas/releases:

6.2p4:
* Keeping environment variables with keepenv
  On some platforms (seemingly Linux and macOS) it is possible for
  repeated calls to getpwuid() to over-write the original struct
  passwd structure. (This behaviour may vary depending on which
  C library is used.) This can lead to the original user's
  environment data being overwritten by the target user's, even
  when "keepenv" is specified in the doas.conf file.
  We now do a deep copy of the original and target users' struct
  passwd information to avoid over-writing the original on platforms
  where libc uses a static area for all calls.
2020-01-01 01:30:19 +00:00
wiz
19838d46ba libssh: update to 0.93.
version 0.9.3 (released 2019-12-10)
  * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
  * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
  * SSH-01-006 General: Various unchecked Null-derefs cause DOS
  * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
  * SSH-01-010 SSH: Deprecated hash function in fingerprinting
  * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
  * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
  * SSH-01-001 State Machine: Initial machine states should be set explicitly
  * SSH-01-002 Kex: Differently bound macros used to iterate same array
  * SSH-01-005 Code-Quality: Integer sign confusion during assignments
  * SSH-01-008 SCP: Protocol Injection via unescaped File Names
  * SSH-01-009 SSH: Update documentation which RFCs are implemented
  * SSH-01-012 PKI: Information leak via uninitialized stack buffer
2019-12-31 12:27:03 +00:00
rhialto
8fb3b56efe security/sslsplit: update to 0.5.5. 2019-12-30 22:17:29 +00:00
triaxx
ca0d886671 py-certbot-dns-digitalocean: sort PLIST 2019-12-30 20:58:30 +00:00
triaxx
e4a43216e5 security: added py-certbot-dns-digitalocean version 1.0.0 2019-12-30 19:44:33 +00:00
triaxx
c8e5cdb1f8 py-certbot: add py-certbot-dns-digitalocean in comments 2019-12-30 19:43:56 +00:00
triaxx
75c589223d py-certbot-dns-digitalocean: added version 1.0.0
DigitalOcean DNS Authenticator plugin for Certbot
2019-12-30 19:41:31 +00:00
kim
c90f2a226c Update to sudo 1.8.30beta3
* Portability fixes from pkgsrc have been merged upstream

* Add runas_check_shell flag to require a runas user to have a valid
  shell. Not enabled by default.

* Add a new flag "allow_unknown_runas_id" to control matching of unknown
  IDs. Previously, sudo would always allow unknown user or group IDs if
  the sudoers entry permitted it. This included the "ALL" alias. With
  this change, the admin must explicitly enable support for unknown IDs.

* Transparently handle the "sudo sudoedit" problem. Some admins are
  confused about how to give users sudoedit permission and many users
  try to run sudoedit via sudo instead of directly. If the user runs
  "sudo sudoedit" sudo will now treat it as plain "sudoedit" after
  issuing a warning. If the admin has specified a fully-qualified path
  for sudoedit in sudoers, sudo will treat it as just "sudoedit" and
  match accordingly. In visudo (but not sudo), a fully-qualified path
  for sudoedit is now treated as an error.

* When restoring old resource limits, try to recover if we receive
  EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft
  limit is lower than the current resource usage. This can be a problem
  when restoring the old stack limit if sudo has raised it.

* Restore resource limits before executing the askpass program. Linux
  with docker seems to have issues executing a program when the stack
  size is unlimited. Bug #908

* macOS does not allow rlim_cur to be set to RLIM_INFINITY for
  RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS
  setrlimit manual. Bug #904

* Use 64-bit resource limits on AIX.
2019-12-28 20:43:56 +00:00
wiz
b2f69cab7d racoon2: update to 20180701nb3.
Install config files in examples directory.
Fixes installation which did not use DESTDIR.
2019-12-28 12:50:19 +00:00
markd
8058f44cf9 botan-devel: don't accidentally detect and use sphinx 2019-12-22 22:33:15 +00:00
joerg
7475eb7fea Use -fopenmp instead of hard-coding libgomp. 2019-12-22 22:29:39 +00:00
joerg
7c1201663f sodium no longer provides crypto_uint*, so provide ones local. 2019-12-22 22:28:54 +00:00
gutteridge
e74d5a65d8 libprelude: fix build with GNU awk >= 5.0
Rename the awk variable "namespace" to "name_space", since the former
is now a reserved word with GNU awk 5.0, and was causing parsing
errors.
2019-12-20 22:11:02 +00:00
joerg
fb38e15089 Deal with bind vs std::bind conflict. 2019-12-19 22:23:19 +00:00
joerg
d92def3ecd Add missing dependency for lrelease. 2019-12-19 22:22:50 +00:00
joerg
1b26e77727 Avoid using a non-literal string as format string. 2019-12-19 22:22:33 +00:00
kim
061cab795f Don't touch RLIMIT_STACK for now, see https://gnats.netbsd.org/51158 2019-12-19 16:59:44 +00:00
kim
4f18f8f89c Fix setrlimit(3): Invalid argument
The new code that unlimits many resources appears to have been problematic
on a number of fronts. Fetched the current version of src/limits.c from
the sudo hg repo. RLIMIT_STACK (i.e. "3") is no longer set to RLIM_INFINITY.

Added code to output the name of the limit instead of its number.
2019-12-18 15:56:10 +00:00
joerg
ec8ee45ae1 Fix build with libc++ having less namespace pollution. 2019-12-18 12:40:22 +00:00
taca
8cb487404d Drop php71 support
Drop php71 support mechanically.
2019-12-16 16:30:13 +00:00
taca
52d74d7170 security/php-pecl-mcrypt: update to 1.0.3
Update php-pecl-mcrypt to 1.0.3.

o pkgsrc change: allow build on php74.

1.0.3 (2019-09-17)

* Addressed Windows build issues
2019-12-16 00:10:37 +00:00
adam
4dbbbd83f6 sudo: updated to 1.8.29
Major changes between version 1.8.29 and 1.8.28p1:

The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.
The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.
The umask is now handled differently on systems with PAM or login.conf. If the umask is explicitly set in sudoers, that value is used regardless of what PAM or login.conf may specify. However, if the umask is not explicitly set in sudoers, PAM or login.conf may now override the default sudoers umask.
For make install, the sudoers file is no longer checked for syntax errors when DESTDIR is set. The default sudoers file includes the contents of /etc/sudoers.d which may not be readable as non-root.
Sudo now sets most resource limits to their maximum value to avoid problems caused by insufficient resources, such as an inability to allocate memory or open files and pipes.
Fixed a regression introduced in sudo 1.8.28 where sudo would refuse to run if the parent process was not associated with a session. This was due to sudo passing a session ID of -1 to the plugin.
2019-12-15 18:42:09 +00:00
taca
9cbfc66951 security/php-sodium: allow build on php74
Allow build on php74.
2019-12-15 18:02:30 +00:00
adam
03a6dbb3f1 py-pydeep: updated to 0.4
0.4:
Unknown changes
2019-12-15 11:24:52 +00:00
adam
f0e7f75464 py-google-auth: updated to 1.8.2
1.8.2:
Bug Fixes
revert "feat: send quota project id in x-goog-user-project header for OAuth2 credentials"

1.8.1:
Bug Fixes
revert "feat: add timeout to AuthorizedSession.request()"

1.8.0:
Features
add to_json method to google.oauth2.credentials.Credentials
add timeout to AuthorizedSession.request()
send quota project id in x-goog-user-project header for OAuth2 credentials
2019-12-15 11:22:34 +00:00
adam
d721e9ae15 py-acme/py-certbot-*: updated to 1.0.0
Certbot 1.0.0

Removed:
* The docs extras for the certbot-apache and certbot-nginx packages
  have been removed.

Changed:
* certbot-auto has deprecated support for systems using OpenSSL 1.0.1 that are
  not running on x86-64. This primarily affects RHEL 6 based systems.
* Certbot's config_changes subcommand has been removed
* certbot.plugins.common.TLSSNI01 has been removed.
* Deprecated attributes related to the TLS-SNI-01 challenge in
  acme.challenges and acme.standalone
  have been removed.
* The functions certbot.client.view_config_changes,
  certbot.main.config_changes,
  certbot.plugins.common.Installer.view_config_changes,
  certbot.reverter.Reverter.view_config_changes, and
  certbot.util.get_systemd_os_info have been removed
* Certbot's register --update-registration subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
  redirect to secure HTTPS access. This is mostly relevant when running Certbot
  in non-interactive mode. Previously, the default was to not redirect all requests.
2019-12-15 09:48:37 +00:00
ng0
6b418c5bef security/doas: resolve PR pkg/54717.
patch in the correct installed location of the config file
in the manpages.
2019-12-14 11:19:54 +00:00
khorben
fa909dc998 security/py-yara: Update to 3.11.0
Coordinated with leot@ and he@ while investigating CVE-2019-19648.
2019-12-14 10:50:10 +00:00
khorben
90d1d13438 security/yara: Update to 3.11.0
Coordinated with leot@ and he@ while investigating CVE-2019-19648.

The changes listed for this version include:

 * Duplicated string modifiers are now an error.
 * More flexible xor modifier.
 * Implement private strings (#1096)
 * Add field_offsets to dotnet module.
 * Implement crc32 functions in hash module.
 * Improvements to rich_signature functions in pe module.
 * Implement sandboxed API using SAPI
 * BUGFIX: Some regexp character classes not matching correctly when used with nocase modifier (#1117)
 * BUGFIX: Reduce the number of ERROR_TOO_MANY_RE_FIBERS errors for certain hex pattern containing large jumps (#1107)
 * BUGFIX: Buffer overrun in dotnet module (#1108)
 * BUGFIX: Segfault in certain Windows versions (#1068)
 * BUGFIX: Memory leak while attaching to a process fails (#1070)

Changes for version 3.10.0:

 * Optimize integer range loops by exiting earlier when possible.
 * Cache the result of PE module's imphash function in order to improve performance.
 * Harden virtual machine against malicious code.
 * BUGFIX: xor modifier not working as expected if not accompanied by ascii (#1053).
 * BUGFIX: \s and \S character classes in regular expressions now include vertical tab, new line, carriage return and form feed characters.
 * BUGFIX: Regression bug in hex strings containing wildcards (#1025).
 * BUGFIX: Buffer overrun in elf module.
 * BUGFIX: Buffer overrun in dotnet module

Changes for version 3.9.0:

 * Improve scan performance for certain strings.
 * Reduce stack usage.
 * Prevent inadvertent use of compiled rules by forcing the use of -C when using yara command-line tool.
 * BUGFIX: Buffer overflow in "dotnet" module.
 * BUGFIX: Internal error when running multiple instances of YARA in Mac OS X. (#945)
 * BUGFIX: Regexp regression when using nested quantifiers {x,y} for certain values of x and y. (#1018)
 * BUGFIX: High RAM consumption in "pe" module while parsing certain files. (0c8b461)
 * BUGFIX: Denial of service when using "dex" module. Found by the Cisco Talos team. (#1023)
 * BUGFIX: Issues with comments inside hex strings.

Changes for version 3.8.1:

 * BUGFIX: Some combinations of boolean command-line flags were broken in version 3.8.0.
 * BUGFIX: While reporting errors that occur at the end of the file, the file name appeared as null.
 * BUGFIX: dex module now works in big-endian architectures.
 * BUGFIX: Keep ABI compatibility by keeping deprecated functions visible.

Changes for version 3.8.0:

 * Scanner API
 * New xor modifier for strings
 * New fields and functions in PE module.
 * Add functions min and max to math module.
 * Make compiled.
 * yara and yarac support reading rules from stdin by using - as the file name.
 * Rule compilation is faster.
 * BUGFIX: Regression in regex engine. /ba{3}b/ was matching baaaab.
 * BUGFIX: Function yr_compiler_add_fd() was reading only the first 1024 bytes of the file.
 * BUGFIX: Wrong calculation of sha256 hashes in Windows when using native crypto API.
 * Lots of more bug fixes.

Changes for version 3.7.1:

 * Fix regression in include directive (issue #796)
 * Fix bug in PE checksum calculation causing wrong results in some cases.
2019-12-14 10:46:08 +00:00
bsiegert
924057ee4f Revbump all Go packages after Go 1.12.14 update. 2019-12-13 07:43:47 +00:00
adam
4b8204dfd6 py-certifi: updated to 2019.11.28
2019.11.28:
Unknown changes
2019-12-11 14:27:54 +00:00
adam
f7b4ad9609 py-paramiko: updated to 2.7.1
2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.

2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.

Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
2019-12-11 10:43:53 +00:00
manu
91233a576f Update gnupg-pkcs11-scd to 0.9.2
Changelog since 0.7.0

2019-01-05 - Version 0.9.2

 * Fix Windows build issues, thanks Luka Logar.
 * Use pin-cache configuration, thanks Luka Logar.
 * Support openssl-1.1, thanks Thorsten Alteholz, W. Michael Petullo.

2017-09-26 - Version 0.9.1

 * Support unix domain socket credentials on FreeBSD.
 * Introduce GNUPG_PKCS11_SOCKETDIR to instruct where sockets are created.
 * Make proxy systemd service work again per change of systemd behavior.

2017-08-25 - Version 0.9.0

 * Avoid dup of stdin/stdout so that the terminate assuan hack is operational
   again.
 * Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
   provider.
 * Lots of cleanups.

2017-07-15 - Version 0.8.0

 * Support multiple tokens via serial numbers by hashing token id into
   serial number.
   Implementation changes the card serial number yet again, executing
   gpg --card-status should resync.

2017-04-18 - Version 0.7.6

 * Add --homedir parameter.
 * Rework serial responses for gnupg-2.1.19.

2017-03-01 - Version 0.7.5

 * Fix issue with decrypting padded data, thanks to smunaut.
 * Catchup with gnupg-2.1 changes which caused inability to support
   both gpg and gpgsm. Implementation had to change card serial
   number, as a result current keys of gpg will look for the
   previous serial card.
   emulate-openpgpg option is obsoleted and removed.

   ACTION REQUIRED
   in order to assign new card serial number to existing keys.
   backup your ~/.gnupg.
   delete all PKCS#11 secret keys using:
       gpg --delete-secret-keys $KEY then
   Then refresh keys using:
       gpg --card-edit
   In <gnupg-2.1.19 the keys should be re-generated using:
       admin
       generate
   Do not replace keys!
   gpg will learn the private keys of the new card and attach to
   the existing public keys.
 * Support gnupg-2.1 features of using existing keys, keys
   should not be explicitly specified in configuration file
   any more.

2017-01-18 - Version 0.7.4

 * Fix gpg change in serialno attribute.
 * Sync with gnupg-2.1, thanks to Moritz Bechler.

2011-07-30 -- Version 0.7.3

 * Use assuan_sock_init, bug#3382372.

2011-04-09 -- Version 0.7.2

 * Some cleanups, thanks to Timo Schulz.
 * Sync hashing algorithms for OpenPGP.

2011-03-16 -- Version 0.7.1

 * Sync with gnupg-2.0.17.
2019-12-11 01:44:37 +00:00
adam
cd291e58da gnupg2: updated to 2.2.19
Noteworthy changes in version 2.2.19:

* gpg: Fix double free when decrypting for hidden recipients.
  Regression in 2.2.18.

* gpg: Use auto-key-locate for encryption even for mail addressed
  given with angle brackets.

* gpgsm: Add special case for certain expired intermediate
  certificates.
2019-12-09 18:44:52 +00:00
sevan
41b29db7af Update to the latest certdata.txt version available in Mozilla repo. 2019-12-07 18:29:31 +00:00
nia
a743d901b9 gnutls: Update to 3.6.11.1
Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file
   descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.
2019-12-06 14:00:08 +00:00
nros
900911c257 Drop ftp.cyrusimap.org from MASTER_SITES
ftp.cyrusimap.org has been down for months. Asked about this on the
cyrus-info mailing list months ago with no responses. So let's drop it from
MASTER_SITES.
The directory old on the ftp is also available in the http download so I
added that to MASTER_SITES as well.
2019-12-05 10:57:54 +00:00
taca
59e744eaa5 security/clamav: update to 0.102.1
Update clamav to 0.102.1.


## 0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.

- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
  - [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
    A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
    crafted email file as a result of excessively long scan times. The issue is
    resolved by implementing several maximums in parsing MIME messages and by
    optimizing use of memory allocation.

- Build system fixes to build clamav-milter, to correctly link with libxml2 when
  detected, and to correctly detect fanotify for on-access scanning feature
  support.

- Signature load time is significantly reduced by changing to a more efficient
  algorithm for loading signature patterns and allocating the AC trie.
  Patch courtesy of Alberto Wu.

- Introduced a new configure option to statically link libjson-c with libclamav.
  Static linking with libjson is highly recommended to prevent crashes in
  applications that use libclamav alongside another JSON parsing library.

- Null-dereference fix in email parser when using the `--gen-json` metadata
  option.

- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.

Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma
2019-12-03 12:55:16 +00:00
adam
eaeedc9379 py-asyncssh: updated to 2.1.0
Release 2.1.0:
Added support in the SSHProcess redirect mechanism to accept asyncio StreamReader and StreamWriter objects, allowing asyncio streams to be plugged in as stdin/stdout/stderr in an SSHProcess.
Added support for key handlers in the AsyncSSH line editor to trigger signals being delivered when certain “hot keys” are hit while reading input.
Improved cleanup of unreturned connection objects when an error occurs or the connection request is canceled or times out.
Improved cleanup of SSH agent client objects to avoid triggering a false positive warning in Python 3.8.
Added an example to the documentation for how to create reverse-direction SSH client and server connections.
Made check of session objects against None explicit to avoid confusion on user-defined sessions that implement __len__ or __bool__.

Release 2.0.1:
Some API changes which should have been included in the 2.0.0 release were missed. This release corrects that, but means that additional changes may be needed in applications moving to 2.0.1. This should hopefully be the last of such changes, but if any other issues are discovered, additional changes will be limited to 2.0.x patch releases and the API will stabilize again in the AsyncSSH 2.1 release. See the next bullet for details about the additional incompatible change.
To be consistent with other connect and listen functions, all methods on SSHClientConnection which previously returned None on listen failures have been changed to raise an exception instead. A new ChannelListenError exception will now be raised when an SSH server returns failure on a request to open a remote listener. This change affects the following SSHClientConnection methods: create_server, create_unix_server, start_server, start_unix_server, forward_remote_port, and forward_remote_path.
Restored the ability for SSHListener objects to be used as async context managers. This previously worked in AsyncSSH 1.x and was unintentionally broken in AsyncSSH 2.0.0.
Added support for a number of additional functions to be called from within an “async with” statement. These functions already returned objects capable of being async context managers, but were not decorated to allow them to be directly called from within “async with”. This change applies to the top level functions create_server, listen, and listen_reverse and the SSHClientConnection methods create_server, create_unix_server, start_server, start_unix_server, forward_local_port, forward_local_path, forward_remote_port, forward_remote_path, listen_ssh, and listen_reverse_ssh.
Fixed a couple of issues in loading OpenSSH-format certificates which were missing a trailing newline.
Changed load_certificates() to allow multiple certificates to be loaded from a single byte string argument, making it more consistent with how load_certificates() works when reading from a file.

Release 2.0.0:
NEW MAJOR VERSION: See below for potentially incompatible changes.
Updated AsyncSSH to use the modern async/await syntax internally, now requiring Python 3.6 or later. Those wishing to use AsyncSSH on Python 3.4 or 3.5 should stick to the AsyncSSH 1.x releases.
Changed first argument of SFTPServer constructor from an SSHServerConnection (conn) to an SSHServerChannel (chan) to allow custom SFTP server implementations to access environment variables set on the channel that SFTP is run over. Applications which subclass the SFTPServer class and implement an __init__ method will need to be updated to account for this change and pass the new argument through to the SFTPServer parent class. If the subclass has no __init__ and just uses the connection, channel, and env properties of SFTPServer to access this information, no changes should be required.
Removed deprecated “session_encoding” and “session_errors” arguments from create_server() and listen() functions. These arguments were renamed to “encoding” and “errors” back in version 1.16.0 to be consistent with other AsyncSSH APIs.
Removed get_environment(), get_command(), and get_subsystem() methods on SSHServerProcess class. This information was made available as “env”, “command”, and “subsystem” properties of SSHServerProcess in AsyncSSH 1.11.0.
Removed optional loop argument from all public AsyncSSH APIs, consistent with the deprecation of this argument in the asyncio package in Python 3.8. Calls will now always use the event loop which is active at the time of the call.
Removed support for non-async context managers on AsyncSSH connections and processes and SFTP client connections and file objects. Callers should use “async with” to invoke the async context managers on these objects.
Added support for SSHAgentClient being an async context manager. To be consistent with other connect calls, connect_agent() will now raise an exception when no agent is found or a connection failure occurs, rather than logging a warning and returning None. Callers should catch OSError or ChannelOpenError exceptions rather than looking for a return value of None when calling this function.
Added set_input() and clear_input() methods on SSHLineEditorChannel to change the value of the current input line when line editing is enabled.
Added is_closing() method to the SSHChannel, SSHProcess, SSHWriter, and SSHSubprocessTransport classes, mirroring the asyncio BaseTransport and StreamWriter methods added in Python 3.7.
Added wait_closed() async method to the SSHWriter class, mirroring the asyncio StreamWriter method added in Python 3.7.
2019-12-01 11:45:35 +00:00
markd
af9dbe06e6 kwalletmanager: update to 19.08.3 qt5/kf5 version 2019-11-30 19:40:13 +00:00
hauke
a7801cb35d Update security/stunnel to 5.56. Upstream says
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
  - Various text files converted to Markdown format.
* Bugfixes
  - Support for realpath(3) implementations incompatible
    with POSIX.1-2008, such as 4.4BSD or Solaris.
  - Support for engines without PRNG seeding methods (thx to
    Petr Mikhalitsyn).
  - Retry unsuccessful port binding on configuration
    file reload.
  - Thread safety fixes in SSL_SESSION object handling.
  - Terminate clients on exit in the FORK threading model.
2019-11-30 17:27:09 +00:00
ng0
4f631830c6 security/doas: assign myself as maintainer. 2019-11-29 15:27:42 +00:00
adam
7a42bb05c0 py-backports.ssl_match_hostname: updated to 3.7.0.1
3.7.0.1:
Match Python 3.7
2019-11-28 13:47:00 +00:00
bsiegert
4046981edf libssh: fix build on Solaris.
From Joern Clausen in PR pkg/54694.
2019-11-28 09:25:52 +00:00