Commit graph

10553 commits

Author SHA1 Message Date
nia
7370f02709 p5-Crypt-Random: Update to 1.52
1.52                                                     December 22, 2018

  * Add a chi square statistical test.  t/chisquare.t

  * Uniform can be passed to the constructor of Crypt::Random::Generator.
    This should be the default, and will likely be in the next release.

  * Fixed minor bugs & typos.


1.51                                                     December 22, 2018

  * Test no longer looks for non-eq of two generated numbers as these can be
    correctly the same if the test is run enough times.
    https://rt.cpan.org/Ticket/Display.html?id=99880

  * Removed outdated dependency info.
    https://rt.cpan.org/Ticket/Display.html?id=94441

  * Removed /dev/random read from the test, as it can hang when there is
    insufficient entropy.
    https://rt.cpan.org/Ticket/Display.html?id=30423

  * Removed potentially unsafe include in bin/makerandom.
    https://rt.cpan.org/Ticket/Display.html?id=128062
2020-03-22 20:54:36 +00:00
nia
b0eeb94486 p5-Crypt-Rijndael: Update to 1.14
1.14 - 2019-06-14
    * Fix UINT32 and UINT8 for musl libc
2020-03-22 20:50:01 +00:00
rillig
c0d2817632 security/p5-Net-DNS-SEC: remove no-op SUBST block
There is no chance that line 1 contains an include argument, after being
sent through REPLACE_PERL. And even then, including a relative path would
not make sense.
2020-03-22 20:48:34 +00:00
rillig
3afd42faa8 security/mhash: fix file patterns for SUBST
The files in src/ don't reference MD4 at all.
2020-03-22 18:38:27 +00:00
wiz
daf276c903 openssl: update to 1.1.1e.
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

      o Fixed an overflow bug in the x86_64 Montgomery squaring procedure
        used in exponentiation with 512-bit moduli (CVE-2019-1551)
2020-03-22 18:23:34 +00:00
tnn
5a3e67a0f0 crypto++: homogenize shared library rules. Don't bomb if ldconfig not found. 2020-03-22 17:52:51 +00:00
tnn
34a262fa92 p5-Crypt-Curve25519: work around namespace conflict 2020-03-22 13:15:13 +00:00
rillig
c4fcced991 security/gnutls: remove unnecessary comment from Makefile 2020-03-22 12:21:59 +00:00
rillig
26518604c6 security/gnutls: remove nonexistent files from REPLACE_BASH 2020-03-22 12:21:12 +00:00
nia
6c2313625a mbedtls1: Remove, unmaintained and unused in pkgsrc 2020-03-22 07:54:22 +00:00
nia
93c36e3f1a mbedtls: doesn't need gmake 2020-03-22 07:47:00 +00:00
tnn
7a351af97d ruby-*: comment out references to deleted rails packages, mark as BROKEN
Someone with ruby clue needs to look at these.
2020-03-21 20:26:17 +00:00
bsiegert
f5efefe062 Revbump all Go packages after go113 update. 2020-03-21 16:57:00 +00:00
adam
2c3f8ea375 gnupg2: updated to 2.2.20
Noteworthy changes in version 2.2.20:
* Protect the error counter against overflow to guarantee that the
  tools can't be tricked into returning success after an error.
* gpg: Make really sure that --verify-files always returns an error.
* gpg: Fix key listing --with-secret if a pattern is given.
* gpg: Fix detection of certain keys used as default-key.
* gpg: Fix default-key selection when a card is available.
* gpg: Fix key expiration and key usage for keys created with a
  creation date of zero.
* gpgsm: Fix import of some CR,LF terminated certificates.
* gpg: New options --include-key-block and --auto-key-import to
  allow encrypted replies after an initial signed message.
* gpg: Allow the use of a fingerprint with --trusted-key.
* gpg: New property "fpr" for use by --export-filter.
* scdaemon: Disable the pinpad if a KDF DO is used.
* dirmngr: Improve finding OCSP certificates.
* Avoid build problems with LTO or gcc-10.
2020-03-21 07:24:30 +00:00
markd
28f8a4b3cc heimdal: fix runpath setting in krb5-config 2020-03-21 00:15:11 +00:00
nia
4b51d9715f *: Convert broken sourceforge HOMEPAGEs back to http 2020-03-20 11:57:53 +00:00
joerg
594b23842b Uses ${TAR} 2020-03-18 18:00:48 +00:00
gdt
aa0bf4bc98 security/heimdal: Prefix kerberos commands by default
It has long been an issue that heimdal installs "su" which shadows
system su and behaves differently.  Now, with openssl 1.1, many people
are getting heimdal installed that did not expect it or ask for it.

(Really, heimdal should be split into libraries and apps, so that
programs can have kerberos support without adding commands to the
user's namespace, but this is vastly easier.)

(In response to on-list complaints, and believing this will not be
controversial.)
2020-03-18 13:18:57 +00:00
tnn
4a49290f3a openpam: needs pkg-config 2020-03-18 12:20:45 +00:00
ryoon
52e64020c4 acmesh: Update MASTER_SITES and HOMEPAGE 2020-03-17 14:32:03 +00:00
wiz
ca4b0fe8d1 py-google-auth: update to 1.11.3.
Bug Fixes

    fix the scopes so test can pass for a local run (#450) (b2dd77f)
    only add IAM scope to credentials that can change scopes (#451) (82e224b)
2020-03-15 19:56:29 +00:00
wiz
0690560163 libsecret: update to 0.20.2.
0.20.2
 * secret-file-collection: force little-endian in GVariant [!49, #42]
 * Prefer g_info() over g_message() [!48, #40]
 * meson: Don't specify shared_library() [!47]
 * docs: Make sure to set install: true [!46]
2020-03-15 19:53:47 +00:00
tpaul
085cf7b399 security/Makefile: add php-gnupg 2020-03-14 04:42:12 +00:00
tpaul
9227f22b3d security/php-gnupg: Import version 1.4.0
PHP module for interacting with gnupg.
https://www.php.net/manual/en/book.gnupg
2020-03-14 04:40:47 +00:00
wiz
e61340a309 tor-browser: update to 9.0.6
This version is now based on firefox68-esr and builds with the current
rust in pkgsrc.
2020-03-13 17:59:27 +00:00
wiz
9a8a7e8d91 libssh2: add upstream bug report 2020-03-12 17:46:22 +00:00
wiz
f78c83d35b libssh2: fix unportable test(1) operator in Makefile.in
Skip check for Makefile.am.
2020-03-12 17:28:10 +00:00
adam
5647e02927 py-asyncssh: updated to 2.2.0
Release 2.2.0

* Added support for U2F/FIDO2 security keys, with the following capabilities:
  - ECDSA (NISTP256) and Ed25519 key algorithms
  - Key generation, including control over the application and user the key is associated with and whether touch is required when using the key
  - Certificate generation, both as a key being signed and a CA key
  - Resident keys, allowing security keys to be used on multiple machines without any information being stored outside of the key
  - Access to and management of keys loaded in an OpenSSH ssh-agent
  - Support for both user and host keys and certificates
  - Support for “no-touch-required” option in authorized_keys files
  - Support for “no-touch-required” option in OpenSSH certificates
  - Compatibility with security key support added in OpenSSH version 8.2
* Added login timeout client option and limits on the length and number of banner lines AsyncSSH will accept prior to the SSH version header.
* Improved load_keypairs() to read public key files, confirming that they are consistent with their associated private key when they are present.
* Fixed issues in the SCP server related to handling filenames with spaces.
* Fixed an issue with resuming reading after readuntil() returns an incomplete read.
* Fixed a potential issue related to asyncio not reporting sockname/peername when a connection is closed immediately after it is opened.
* Made SSHConnection a subclass of asyncio.Protocol to please type checkers.
2020-03-12 16:36:31 +00:00
nia
f1af7ca5d5 gnome-keyring-sharp: Remove - archived upstream, no users in pkgsrc 2020-03-12 16:34:05 +00:00
gdt
fc80f0fbe9 security/mozilla-rootcerts-openssl: Allow in-pkgsrc unprivileged install
This was marked NOT_FOR_UNPRIVILEGED, but that is only appropriate
when the package (abusively, as a pre-existing well-discussed
compromise) writes outside of the pkgsrc prefix.

Patch by Jason Bacon, with general approval on tech-pkg.

ok dholland@
2020-03-12 13:43:35 +00:00
wiz
c260006bda kpcli: depend on p5-Term-ReadLine
which is really p5-Term-ReadLine-Gnu

Bump PKGREVISION
2020-03-12 09:25:44 +00:00
wiz
a6f6163169 *: bump for vala 0.48.0 2020-03-11 09:53:51 +00:00
wiz
4e3b1b97c2 librsvg: update bl3.mk to remove libcroco in rust case
recursive bump for the dependency change
2020-03-10 22:08:37 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
bsiegert
23f9d8e845 Revbump packages depending on libffi after .so version change.
Requested by Matthias Ferdinand and Oskar on pkgsrc-users.
2020-03-08 16:42:24 +00:00
adam
83e4bd8e52 py-gssapi: updated to 1.6.2
v1.6.2: Meyer (patch 2)

Changelog

Features
* Provide wheels for python-3.8 on Windows

Documentation
* Expand on documentation of cred stores
2020-03-07 12:13:41 +00:00
wiz
49b4ad653f security/Makefile: + rvault. 2020-03-05 09:49:24 +00:00
wiz
39bf680a7f security/rvault: import rvault-0.1
rvault is a secure and authenticated store for secrets (passwords,
keys, certificates) and small documents.  It uses envelope encryption
with one-time password (OTP) authentication.  The vault can be operated
as a file system in userspace.  It is written in C11 and distributed
under the 2-clause BSD license.

From rmind@
2020-03-05 09:49:09 +00:00
nia
21d6a58e81 security: Remove gpass, dead GNOME 2 app, fails with OpenSSL 1.1 2020-03-01 17:59:32 +00:00
nia
3fdc784b1e security: Remove mixminion - in alpha since 2007, fails with OpenSSL 1.1 2020-03-01 17:40:05 +00:00
nia
9cbd97290e security: Remove sign - fails with OpenSSL 1.1, no release since 2004 2020-03-01 17:35:29 +00:00
nia
20c87f0096 security: Remove stud - abandonware, fails to build with OpenSSL 1.1
From the README:
"Stud is now officially abandonware, thanks for playing."
2020-03-01 17:29:15 +00:00
nia
eae692c7f9 security: Remove sslwrap. Breaks with OpenSSL 1.1, no release since 2000 2020-03-01 17:25:25 +00:00
nia
f80c3dc41b security: Remove p5-OpenSSL. Broken with OpenSSL 1.1, dead upstream.
p5-Net-SSLeay seems more popular in Perl-land.
2020-03-01 17:22:55 +00:00
nia
946296e200 mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20

Security
   * Fix potential memory overread when performing an ECDSA signature
     operation. The overread only happens with cryptographically low
     probability (of the order of 2^-n where n is the bitsize of the curve)
     unless the RNG is broken, and could result in information disclosure or
     denial of service (application crash or extra resource consumption).
     Found by Auke Zeilstra and Peter Schwabe, using static analysis.
   * To avoid a side channel vulnerability when parsing an RSA private key,
     read all the CRT parameters from the DER structure rather than
     reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
     Brumley. Reported and fix contributed by Jack Lloyd.
     ARMmbed/mbed-crypto#352

Bugfix
   * Fix an unchecked call to mbedtls_md() in the x509write module.
   * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
     RSA keys that would later be rejected by functions expecting private
     keys. Found by Catena cyber using oss-fuzz (issue 20467).
   * Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
     RSA keys with invalid values by silently fixing those values.
2020-02-29 11:45:02 +00:00
wiz
31c3fbed83 scrypt: update to 1.3.0nb2.
Enable libscrypt-kdf.
Add bl3.mk file.
2020-02-28 11:19:53 +00:00
bsiegert
8db2ef453e Update py-ecdsa to 0.15.
Patch from Jonathan Schleifer via PR pkg/54883.

Contains a fix for broken signature verification.
2020-02-27 16:55:07 +00:00
leot
0fcc96d4be sqlmap: Update to 1.4.2
Unfortunately no changelog is provided by upstream.
2020-02-27 16:46:21 +00:00
nia
26391b653f keepassxc: Update to 2.5.3
## 2.5.3 (2020-01-19)

### Fixed

- Fix a possible database lockout when removing a YubiKey from a KDBX 3.1 database [#4147]
- Fix crash if Auto-Type is performed on a new entry [#4150]
- Fix crash when all entries are deleted from a group [#4156]
- Improve the reliability of clipboard clearing on Gnome [#4165]
- Do not check cmd:// URLs for valid URL syntax anymore [#4172]
- Prevent unnecessary merges for databases on network shares [#4153]
- Browser: Prevent native messaging proxy from blocking application shutdown [#4155]
- Browser: Improve website URL matching [#4134, #4177]

### Added

- Browser: Enable support for Chromium-based Edge Browser [#3359]
2020-02-26 16:07:38 +00:00
nia
2286520adf keepass: Update to 2.44
Changes from 2.43 to 2.44:

   New Features:
     * Added option 'Use file transactions for writing configuration
       settings' (turned on by default).
     * If the option 'Do not store data in the Windows clipboard history
       and the cloud clipboard' is turned on (which it is by default),
       KeePass now additionally excludes its clipboard contents from
       processing by Windows' internal ClipboardMonitor component.
     * Added commands to find database files ('File' -> 'Open' -> 'Find
       Files' and 'Find Files (In Folder)').
     * Added 'Edit' menu in the internal text editor (including new
       'Select All' and 'Find' commands with keyboard shortcuts).
     * Added keyboard shortcuts for formatting commands in the internal
       text editor.
     * Added 'Cancel' button in the save confirmation dialog of the
       internal text editor.
     * Added {CLIPBOARD} and {CLIPBOARD-SET:/T/} placeholders, which
       get/set the clipboard content.
     * Added support for importing True Key 4 CSV files.
     * Added command line options for adding/removing scheme-specific URL
       overrides.
     * Added an auto-type event for plugins.
     * When loading a plugin on a Unix-like system fails, the error
       message now includes a hint that the 'mono-complete' package may be
       required.
     * In order to avoid a Windows Input Method Editor (IME) bug
       (resulting in a black screen and/or an IME/CTF process with high
       CPU usage), KeePass now disables the IME on secure desktops.

   Improvements:
     * Auto-Type: improved compatibility with VMware Workstation.
     * Auto-Type into virtual machines: improved compatibility with
       certain guest systems.
     * The option to use the 'Clipboard Viewer Ignore' clipboard format is
       now turned on by default.
     * Improved menu/toolbar item state updating in the internal text
       editor.
     * Improved performance of Spr compilations.
     * Before writing a local configuration file whose path has been
       specified using the '-cfg-local:' command line parameter,
       KeePass now tries to create the parent directory, if it does not
       exist yet.
     * Improved conversion of file URIs to local file paths.
     * Improved compatibility of the list view dialog with plugins.
     * If ChaCha20 is selected as file encryption algorithm, the
       database is now saved in the KDBX 4 format (thanks to
       AMOSSYS).
     * Minor process memory protection improvements.
     * HTML export/printing: KeePass now generates HTML 5 documents
       (instead of XHTML 1.0 documents).
     * HTML export/printing: improved internal CSS.
     * HTML exports do not contain temporary content identifiers anymore.
     * XSL files: HTML output now conforms to HTML 5 instead of XHTML 1.0.
     * XSL files: improved internal CSS.
     * CHM pages are now rendered in the highest standards mode supported
       by Internet Explorer (EdgeHTML mode).
     * Migrated most of the documentation from XHTML 1.0 to HTML 5.
     * Various code optimizations.
     * Minor other improvements.

   Bugfixes:
     * In the internal text editor, the 'Delete' command does not reset
       RTF text formattings anymore.
     * The KeyCreationFlags bit 2^19 (for hiding the passwords) now
       works as intended.
2020-02-26 15:26:05 +00:00
adam
9708037fda py-cryptodome: updated to 3.9.7
3.9.7:
* Make notarization possible again on OS X when using wheels.
2020-02-22 06:50:56 +00:00
rillig
6e1f56ae31 security/heimdal: add back MAKE_JOBS_SAFE=no 2020-02-20 21:01:09 +00:00
nia
c974b78558 mbedtls: Update to 2.16.4
Security
   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
     constant time/constant trace, so side channel attacks can retrieve the
     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
     to have only large prime factors), and then, by brute force, recover the
     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
     mbedtls_internal_aes_decrypt() before exiting the function. The value of
     these variables can be used to recover the last round key. To follow best
     practice and to limit the impact of buffer overread vulnerabilities (like
     Heartbleed) we need to zeroize them before exiting the function.
     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
     Grant Hernandez, and Kevin Butler (University of Florida) and
     Dave Tian (Purdue University).
   * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
     timings on the comparison in the key generation enabled the attacker to
     learn leading bits of the ephemeral key used during ECDSA signatures and to
     recover the private key. Reported by Jeremy Dubeuf.
   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
     failures could happen with alternative implementations of AES. Bug
     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
     Sectra.

Bugfix
   * Remove redundant line for getting the bitlen of a bignum, since the variable
     holding the returned value is overwritten a line after.
     Found by irwir in #2377.
   * Support mbedtls_hmac_drbg_set_entropy_len() and
     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
     the initial seeding always reset the entropy length to the compile-time
     default.

Changes
   * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
     from the cipher abstraction layer. Fixes #2198.
   * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
     NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
     to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
2020-02-20 15:27:31 +00:00
adam
800ea77142 py-acme py-certbot: updated to 1.2.0
1.2.0:

Added
* Added support for Cloudflare's limited-scope API Tokens
* Added support for $hostname in nginx server_name directive

Changed
* Add directory field to error message when field is missing.
* If MD5 hasher is not available, try it in non-security mode (fix for FIPS systems)
* Disable old SSL versions and ciphersuites and remove SSLCompression off setting to follow Mozilla recommendations in Apache.
* Remove ECDHE-RSA-AES128-SHA from NGINX ciphers list now that Windows 2008 R2 and Windows 7 are EOLed
* Support for Python 3.4 has been removed.

Fixed
* Fix collections.abc imports for Python 3.9.
More details about these changes can be found on our GitHub repo.


1.1.0:

Changed
* Removed the fallback introduced with 0.34.0 in acme to retry a POST-as-GET request as a GET request when the targeted ACME CA server seems to not support POST-as-GET requests.
* certbot-auto no longer supports architectures other than x86_64 on RHEL 6 based systems. Existing certbot-auto installations affected by this will continue to work, but they will no longer receive updates. To install a newer version of Certbot on these systems, you should update your OS.
* Support for Python 3.4 in Certbot and its ACME library is deprecated and will be removed in the next release of Certbot. certbot-auto users on x86_64 systems running RHEL 6 or derivatives will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
2020-02-16 20:23:26 +00:00
adam
c4b63fcd27 py-google-auth: updated to 1.11.2
1.11.2:
Reverts
* Revert "fix: update _GOOGLE_OAUTH2_CERTS_URL"

1.11.1:
Bug Fixes
* compute engine id token credentials "with_target_audience" method
* update _GOOGLE_OAUTH2_CERTS_URL
2020-02-16 14:33:30 +00:00
taca
2a4e61d1ed security/clamav: update to 0.102.2
Update clamav to 0.102.2.

## 0.102.2

ClamAV 0.102.2 is a bug patch release to address the following issues.

- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
  A Denial-of-Service (DoS) condition may occur when using the optional credit
  card data-loss-prevention (DLP) feature. Improper bounds checking of an
  unsigned variable resulted in an out-of-bounds read which causes a crash.

- Significantly improved scan speed of PDF files on Windows.

- Re-applied a fix to alleviate file access issues when scanning RAR files in
  downstream projects that use libclamav where the scanning engine is operating
  in a low-privilege process. This bug was originally fixed in 0.101.2 and the
  fix was mistakenly omitted from 0.102.0.

- Fixed an issue wherein freshclam failed to update if the database version
  downloaded is 1 version older than advertised. This situation may occur after
  a new database version is published. The issue affected users downloading the
  whole CVD database file.

- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
  The ReceiveTimeout had caused needless database update failures for users with
  slower internet connections.

- Correctly display number of kilobytes (KiB) in progress bar and reduced the
  size of the progress bar to accommodate 80-char width terminals.

- Fixed an issue where running freshclam manually causes a daemonized freshclam
  process to fail when it updates because the manual instance deletes the
  temporary download directory. Freshclam temporary files will now download to a
  unique directory created at the time of an update instead of using a hardcoded
  directory created/destroyed at the program start/exit.

- Fix for Freshclam's OnOutdatedExecute config option.

- Fixes a memory leak in the error condition handling for the email parser.

- Improved bound checking and error handling in ARJ archive parser.

- Improved error handling in PDF parser.

- Fix for memory leak in byte-compare signature handler.

- Updates to the unit test suite to support libcheck 0.13.

- Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following for code contributions and bug reports:

- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini
2020-02-15 02:40:43 +00:00
rillig
3f99d243b9 security/heimdal: remove MAKE_JOBS_SAFE=no
Heimdal built fine on NetBSD-8.0-x86_64 with MAKE_JOBS=7.
2020-02-13 21:12:21 +00:00
rillig
e636a00e3c security/heimdal: disable check for unknown GNU configure options
Heimdal has bundled libreadline, which has its own configure file with
completely different options.
2020-02-13 21:04:25 +00:00
jperkin
bdc0eb23c9 openssl: Spell x86_64 correctly. 2020-02-12 19:49:23 +00:00
rillig
f64e0028f3 security/openssl: fix the recent fix for building on Solaris and HP-UX 2020-02-12 15:14:57 +00:00
rillig
8b4fff4dbe security/openssl: fix build on Solaris
This fixes PR pkg/54894.
2020-02-11 17:23:11 +00:00
jperkin
15c21264dd openssl: Handle i386 SunOS.
The OpenSSL config script isn't clever enough to detect multiarch platforms so
we need to manually specify the host OS.
2020-02-11 09:58:50 +00:00
he
83e17370ba Update opendnssec2 to version 2.1.6.
Upstream changes:

OpenDNSSEC 2.1.6 - 2020-02-11:

* OPENDNSSEC-913: verify database connection upon every use.
* OPENDNSSEC-944: bad display of date of next transition (regression)
* SUPPORT-250: missing signatures on using combined keys (CSK)
* OPENDNSSEC-945: memory leak per command to enforcer.
* OPENDNSSEC-946: unclean enforcer exit in case of certain config
  problems.
* OPENDNSSEC-411: set-policy command to change policy of zone
  (experimental).  Requires explicit enforce command to take effect.
2020-02-11 08:00:57 +00:00
leot
9443440ac1 security: Add snallygaster 2020-02-10 14:06:03 +00:00
leot
7351db73e4 snallygaster: Import snallygaster-0.0.4 as security/snallygaster
snallygaster is a tool that looks for files accessible on web servers that
shouldn't be public and can pose a security risk.

Typical examples include publicly accessible git repositories, backup files
potentially containing passwords or database dumps. In addition it contains a
few checks for other security vulnerabilities.
2020-02-10 14:05:36 +00:00
adam
1967939dda libgpg-error: updated to 1.37
Noteworthy changes in version 1.37:
* Fixes build problems when using Gawk 5.0
* Fixes Bourne shell incompatibilities on Solaris.
* Improves cross-compiling support.
* On Windows strerror_s is now used to emulate strerror_r.
* New error codes to map SQLite primary error codes.
* Now uses poll(2) instead of select(2) in gpgrt_poll if possible.
* Fixes a bug in gpgrt_close.
* Fixes build problem under Cygwin.
* Fixes a few minor portability bugs.
2020-02-10 08:35:12 +00:00
wiz
91959cf377 libsecret: update to 0.20.1.
0.20.1
 * Build fixes [!45]
2020-02-09 13:59:43 +00:00
wiz
23282680f5 gnutls: update to 3.6.12.
* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions in which the client sent an OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note that the server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting.
   To continue accepting the invalid form compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can
   be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling
   (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
2020-02-09 13:56:28 +00:00
rillig
f094fd5e50 security/libtasn1: remove unknown configure options
The package does not mention the word "packager" anymore.
2020-02-08 23:57:51 +00:00
nia
9bf183a541 qca2: Update HOMEPAGE 2020-02-08 16:58:08 +00:00
rillig
5a1bf3b381 security/pscan: fix pkglint warnings 2020-02-04 17:25:59 +00:00
rillig
343f595122 security/pscan: update HOMEPAGE, document MASTER_SITES 2020-02-04 17:22:06 +00:00
adam
3088e7d397 py-josepy: updated to 1.3.0
1.3.0:
* Deprecated support for Python 3.4.
* Officially add support for Python 3.8.
2020-02-04 16:36:53 +00:00
fox
513df21203 security/wolfssl: Updates the comment on mutex test failure.
Adds the version of -current where the tests have been fixed.
2020-02-04 11:47:31 +00:00
adam
7aea70d098 py-cryptodome: updated to 3.9.6
3.9.6:

Resolved issues
* Fix building of wheels for OSX by explicitly setting `sysroot` location.


3.9.5:

Resolved issues
* RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
* GH-372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
* Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.

New features
* Updated Wycheproof test vectors to version 0.8r12.
2020-02-04 09:36:21 +00:00
fox
b579bbadd2 Added wolfssl to Makefile SUBDIRs 2020-02-03 23:05:10 +00:00
fox
4f0734454b Import of wolfssl v4.3.0 as security/wolfssl
WolfSSL is an embedded SSL Library for programmers building security
functionality into their applications and devices.
2020-02-03 23:04:09 +00:00
bsiegert
d2899c876c Re-add a package for go-crypto-acme.
The acme package has a dependency on go-net but go-net depends on
go-crypto. Separate it out to prevent a circular dependency.
2020-02-03 14:51:55 +00:00
bsiegert
92eccf2d3b Update go-crypto to 0.0.20200122.
In addition to about two years of changes, this contains notably the
following security fix:

	When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
	overflow could occur, causing a panic, due to malformed ASN.1 being
	passed to any of the ASN1 methods of String.

	Tested on linux/386 and darwin/amd64.

	This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
	test vectors.

pkgsrc changes:
Once again, the acme subdirectory was removed as it introduces a circular
dependency with go-net.

Prodded several times by ng0@
2020-02-03 13:14:20 +00:00
kim
99c26d1794 Update to sudo 1.8.31
What's new:

* Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
  sudoers option is enabled on systems with uni-directional pipes.

* The "sudoedit_checkdir" option now treats a user-owned directory
  as writable, even if it does not have the write bit set at the
  time of check.  Symbolic links will no longer be followed by
  sudoedit in any user-owned directory.  Bug #912

* Fixed sudoedit on macOS 10.15 and above where the root file system
  is mounted read-only.  Bug #913.

* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
  at the password prompt.  Bug #914.

* Fixed compilation on systems where the mmap MAP_ANON flag
  is not available.  Bug #915.
2020-02-03 07:47:55 +00:00
bsiegert
f6baaa9181 Revbump all Go packages after go113 update. 2020-02-02 14:18:56 +00:00
markd
4e7d1c6199 kwalletmanager: update kde release service to 19.12.1
builds with qt 5.14, other changes unknown.
2020-02-02 03:04:19 +00:00
he
562314c87c Disable the configure check for GOST, don't use built-in sqlite3.
RFC 8624 says "MUST NOT" for signing and "MAY" for sig-checking.
The sqlite3 change is related to the OpenDNSSEC v2 change, to be
consistent with the choice there.

PKGREVISION bumped.
2020-01-31 19:13:07 +00:00
he
87b56a8f0b Insist on using pkgsrc sqlite3; I got SEGV's via call of null pointers
with the built-in sqlite3 on NetBSD 8.0.
Bump PKGREVISION.
2020-01-31 16:08:48 +00:00
wiz
b1c8a7f93d tor-browser: mark BROKEN, needs rust fixes or update. 2020-01-31 11:45:03 +00:00
triaxx
0e4df1dec7 sudo: update master site
TW Aren FTP server seems down and the fetching step hangs for hours.
2020-01-30 21:07:59 +00:00
triaxx
bc20954e21 openpam: fix PR pkg/54907
pkgsrc changes:
---------------
  - Add -lcrypt to pam_unix.so
  - Bump revision
2020-01-30 11:17:05 +00:00
jaapb
5e6d86a9b2 Added conversion to dune to security/ocaml-safepass
Project still uses jbuilder, so just run a dune upgrade before
building. No upstream changes.
2020-01-29 16:33:18 +00:00
markd
bcc5c0aea3 kf5: update to frameworks 5.66
build with qt5 5.14

All frameworks
  Port from QRegExp to QRegularExpression
  Port from qrand to QRandomGenerator
  Fix compilation with Qt 5.15 (e.g. endl is now Qt::endl,
   QHash insertMulti now requires using QMultiHash...)

Attica
  Don't use a verified nullptr as a data source
  Support multiple children elements in comment elements
  Set a proper agent string for Attica requests

Baloo
  Correctly report if baloo_file is unavailable
  Check cursor_open return value
  Initialise QML monitor values
  Move URL parsing methods from kioslave to query object

Breeze Icons
  Change XHTML icon to be a purple HTML icon
  Merge headphones and zigzag in the center
  Add application/x-audacity-project icon
  Add 32px preferences-system
  Add application/vnd.apple.pkpass icon
  icon for ktimetracker using the PNG in the app repo, to be replaced
  with real breeze SVG
  add kipi icon, needs to be redone as a breeze theme svg [or just kill off kipi]

Extra CMake Modules
  [android] Fix apk install target
  Support PyQt5 compiled with SIP 5

Framework Integration
  Remove ColorSchemeFilter from KStyle

KDE Doxygen Tools
  Display fully qualified class/namespace name as page header

KCalendarCore
  Improve README.md to have an Introduction section
  Make incidence geographic coordinate also accessible as a property
  Fix RRULE generation for timezones

KCMUtils
  Deprecate KCModuleContainer

KCodecs
  Fix invalid cast to enum by changing the type to int rather than enum

KCompletion
  Deprecate KPixmapProvider
  [KHistoryComboBox] Add method to set an icon provider

KConfig
  kconfig EBN transport protocol cleanup
  Expose getter to KConfigWatcher's config
  Fix writeFlags with KConfigCompilerSignallingItem
  Add a comment pointing to the history of Cut and Delete sharing a shortcut

KConfigWidgets
  Rename "Configure Shortcuts" to "Configure Keyboard Shortcuts"

KContacts
  Align ECM and Qt setup with Frameworks conventions
  Specify ECM dependency version as in any other framework

KCoreAddons
  Add KPluginMetaData::supportsMimeType
  [KAutoSaveFile] Use QUrl::path() instead of toLocalFile()
  Unbreak build w/ PROCSTAT: add missing impl. of KProcessList::processInfo
  [KProcessList] Optimize KProcessList::processInfo
  [KAutoSaveFile] Improve the comment in tempFileName()
  Fix KAutoSaveFile broken on long path

KDeclarative
  [KeySequenceHelper] Grab actual window when embedded
  Add optional subtitle to grid delegate
  [QImageItem/QPixmapItem] Don't lose precision during calculation

KFileMetaData
  Partial fix for accentuated characters in file name on Windows
  Remove unrequired private declarations for taglibextractor
  Partial solution to accept accentuated characters on windows
  xattr: fix crash on dangling symlinks

KIconThemes
  Set breeze as default theme when reading from configuration file
  Deprecate the top-level IconSize() function
  Fix centering scaled icons on high dpi pixmaps

KImageFormats
  pic: Fix Invalid-enum-value undefined behaviour

KIO
  [KFilePlacesModel] Fix supported scheme check for devices
  Embed protocol data also for Windows version of trash ioslave
  Adding support for mounting KIOFuse URLs for applications that don't use KIO
  Add truncation support to FileJob
  Deprecate KUrlPixmapProvider
  Deprecate KFileWidget::toolBar
  [KUrlNavigator] Add RPM support to krarc:
  KFilePlaceEditDialog: fix crash when editing the Trash place
  Add button to open the folder in filelight to view more details
  Show more details in warning dialog shown before starting a
  privileged operation
  KDirOperator: Use a fixed line height for scroll speed
  Additional fields such as deletion time and original path are now
  shown in the file properties dialog
  KFilePlacesModel: properly parent tagsLister to avoid memleak.
  HTTP ioslave: call correct base class in virtual_hook(). The
  base of HTTP ioslave is TCPSlaveBase, not SlaveBase
  Ftp ioslave: fix 4 character time interpreted as year
  Re-add KDirOperator::keyPressEvent to preserve BC
  Use QStyle for determining icon sizes

Kirigami
  ActionToolBar: Only show the overflow button if there are visible
  items in the menu
  Don't build and install app templates on android
  Don't hardcode the margin of the CardsListView
  Add support for custom display components to Action
  Let the other components grow if there are more things on the header
  Remove dynamic item creation in DefaultListItemBackground
  reintroduce the collapse button
  Show application window icon on AboutPage

KItemModels
  Add KColumnHeadersModel

KJS
  Added tests for Math.exp()
  Added tests for various assignment operators
  Test special cases of multiplicate operators (*, / and %)

KNewStuff
  Ensure the dialog title is correct with an uninitialised engine
  Don't show the info icon on the big preview delegate
  Support archive installs with adoption commands
  Send along the config name with requests

KPeople
  Expose enum to the metaobject compiler

KQuickCharts
  Also correct the shader header files
  Correct license headers for shaders

KService
  Deprecate KServiceTypeProfile

KTextEditor
  Add "line-count" property to the ConfigInterface
  Avoid unwanted horizontal scrolling

KWayland
  [plasmashell] Update docs for panelTakesFocus to make it generic
  [plasmashell] Add signal for panelTakesFocus changing

KXMLGUI
  KActionCollection: provide a changed() signal as a replacement for removed()
  Adjust keyboard shortcut configuration window's title

NetworkManagerQt
  Manager: add support for AddAndActivateConnection2
  cmake: Consider NM headers as system includes
  Sync Utils::securityIsValid with NetworkManager

Plasma Framework
  [ToolTip] Round position
  Enable wheel events on Slider {}
  Sync QWindow flag WindowDoesNotAcceptFocus to wayland plasmashell interface
  [calendar] Check out of bounds array access in QLocale lookup
  [Plasma Dialog] Use QXcbWindowFunctions for setting window types Qt
  WindowFlags doesn't know
  [PC3] Complete plasma progress bar animation
  [PC3] Only show progress bar indicator when the ends won't overlap
  [RFC] Fix Display Configuration icon margins
  [ColorScope] Work with plain QObjects again
  [Breeze Desktop Theme] Add monochrome user-desktop icon
  Remove default width from PlasmaComponents3.Button
  [PC3 ToolButton] Have the label take into account complementary color schemes
  Added background colors to active and inactive icon view

QQC2StyleBridge
  [ToolTip] Round position
  Update size hint when font changes

Solid
  Display first / in mounted storage access description
  Ensure mounted nfs filesystems match their fstab declared counterpart

Sonnet
  The signal done is deprecated in favour of spellCheckDone, now correctly emitted

Syntax Highlighting
  LaTeX: fix brackets in some commands
  TypeScript: add "bigint" primitive type
  Python: improve numbers, add octals, binaries and "breakpoint" keyword
  SELinux: add "glblub" keyword and update permissions list
  Several enhancements to gitolite syntax definition
2020-01-29 11:49:22 +00:00
triaxx
150c7110ec openssl: fix PR pkg/54890
pkgsrc changes:
---------------
  * Make the BUILDLINK_API_DEPENDS of builtin.mk match the one of
    buildlink3.mk.
2020-01-28 07:34:57 +00:00
pho
6bcf164b69 Add missing dependency on converters/base64 2020-01-27 12:56:38 +00:00
rillig
9637f7852e all: migrate homepages from http to https
pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
2020-01-26 17:30:40 +00:00
adam
e9643d1560 py-google-auth: updated to 1.11.0
1.11.0:
Features
add non-None default timeout to AuthorizedSession.request()
distinguish transport and execution time timeouts
2020-01-25 12:49:12 +00:00
jperkin
982c63fe94 *: Remove obsolete BUILDLINK_API_DEPENDS.openssl. 2020-01-25 10:45:10 +00:00
adam
2021229dac py-google-auth: updated to 1.10.2
1.10.2:
Bug Fixes
make collections import compatible across Python versions
2020-01-22 19:32:43 +00:00
adam
8c4cf510d6 py-trustme: updated to 0.6.0
0.6.0:
Features
Allow specifying organization and organization unit in CA and issued certs.
2020-01-22 19:20:32 +00:00
nia
136703252d libsecret: Update for 0.20.0
Needed for updating epiphany.

0.20.0
 * secret-backend: New interface to represent password storage backend [!34]
 * secret-backend: Add local-storage backend [!6]
 * item: Port to GTask [!43]
 * Build fixes [!34, !37, !38, !40, !41, !42, ...]
 * Updated translations

0.19.1
 * service: Fix secret_service_ensure_session_finish error propagation [!36]

0.19.0
 * secret-password: Add necessary functions to migrate from D-Bus based API [!32]
 * egg: Request that secure memory not be dumped to disk [!30]
 * Add version macros [!29]
 * Add missing GType to flags in .gir [!16, !19]
 * paths: Port from GSimpleAsyncResult to GTask [!26]
 * build: Bump meson_version to 0.50 [!18, !35]
 * Build and test fixes [!15, !20, !21, !23, !33, ...]
2020-01-21 14:04:16 +00:00
jperkin
e0bbb4d5f1 openssl: Explicitly disable afalgeng for now.
This is only supported in certain Linux configurations, so will need proper
PLIST logic if it is to be properly handled as an option.  Fixes EL7.
2020-01-20 17:42:53 +00:00
taca
3bd0c2503e security/Makefile: add and enable ruby-gssapi 2020-01-19 14:23:55 +00:00
taca
e89672a144 security/ruby-gssapi: add version 1.3.0 package
Add ruby-gssapi version 1.3.0 package.


Ruby GSSAPI Library

This is a wrapper around the system GSSAPI library (MIT only at this time).
It exposes the low-level GSSAPI methods like gss_init_sec_context and
gss_wrap and also provides an easier to use wrapper on top of this for
common usage scenarios.
2020-01-19 14:23:13 +00:00
taca
cb59c211d0 security/Makefile: add and enable ruby-ed25519 2020-01-19 14:21:25 +00:00
taca
c10aa30521 security/ruby-ed25519: add version 1.2.4 package
Add ruby-ed25519 version 1.2.4 package.


# ed25519.rb

A Ruby binding to the Ed25519 elliptic curve public-key signature system
described in [RFC 8032].

Two implementations are provided: a MRI C extension which uses the "ref10"
implementation from the SUPERCOP benchmark suite, and a pure Java version
based on [str4d/ed25519-java].

Ed25519 is one of two notable algorithms implemented atop the Curve25519
elliptic curve. The [x25519 gem] is a related project of this one,
and implements the X25519 Diffie-Hellman key exchange algorithm on the
Montgomery form of Curve25519.

[RFC 8032]: https://tools.ietf.org/html/rfc8032
[str4d/ed25519-java]: https://github.com/str4d/ed25519-java
[x25519 gem]: https://github.com/crypto-rb/x25519
2020-01-19 14:20:38 +00:00
pho
87e3139b27 Add hs-hackage-security 2020-01-19 01:55:24 +00:00
pho
3505ea90b1 Import hackage-security-0.6.0.0
The hackage security library provides both server and client utilities
for securing the Hackage package server
(http://hackage.haskell.org/). It is based on The Update Framework
(http://theupdateframework.com/), a set of recommendations developed
by security researchers at various universities in the US as well as
developers on the Tor project (https://www.torproject.org/).

The current implementation supports only index signing, thereby
enabling untrusted mirrors. It does not yet provide facilities for
author package signing.
2020-01-19 01:54:46 +00:00
nia
8ce0bd3041 snow: Update to 20130616
2013-06-16 Matthew Kwan <mkwan@darkside.com.au>
 - compress.c: Fixed some fprintf format warnings.
 - Makefile: Added new compile flags.
2020-01-19 00:26:18 +00:00
rillig
b686dd9180 all: migrate several HOMEPAGEs to https
pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
2020-01-18 23:30:43 +00:00
pho
07901a377b Add hs-ed25519 2020-01-18 23:30:42 +00:00
pho
82d0100c0b Import ed25519-0.0.5.0
This package provides a simple, fast, self-contained copy of the
Ed25519 public-key signature system with a clean interface. It also
includes support for detached signatures, and thorough documentation
on the design and implementation, including usage guidelines.
2020-01-18 23:30:04 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
jperkin
b3027144f7 rainbowcrack: Missed last USE_OLD_DES_API removal. 2020-01-18 20:18:16 +00:00
pho
17bff0d900 Add hs-cryptohash-sha256 2020-01-18 15:26:22 +00:00
pho
9630eff194 Import cryptohash-sha256-0.11.101.0
A practical incremental and one-pass, pure API to the SHA-256
cryptographic hash algorithm according to FIPS 180-4 with performance
close to the fastest implementations available in other languages.
2020-01-18 15:25:43 +00:00
pho
1477700997 Add hs-SHA 2020-01-17 15:26:16 +00:00
pho
5e30b4a0d1 Import SHA-1.6.4.4 from wip
This library implements the SHA suite of message digest functions,
according to NIST FIPS 180-2 (with the SHA-224 addendum), as well as
the SHA-based HMAC routines. The functions have been tested against
most of the NIST and RFC test vectors for the various functions. While
some attention has been paid to performance, these do not presently
reach the speed of well-tuned libraries, like OpenSSL.
2020-01-17 15:25:41 +00:00
pho
011350cb52 Add hs-x509-system 2020-01-17 14:41:38 +00:00
pho
1ed3a33443 Import x509-system-1.6.6
System X.509 root CA storage handling
2020-01-17 14:40:51 +00:00
pho
0da19f13ed Add hs-tls 2020-01-17 13:38:35 +00:00
pho
9052765fac Import tls-1.5.3
Native Haskell TLS and SSL protocol implementation for server and
client.

This provides a high-level implementation of a sensitive security
protocol, eliminating a common set of security issues through the use
of the advanced type system, high level constructions and common
Haskell features.

Currently implements the SSL3.0, TLS1.0, TLS1.1, TLS1.2 and TLS 1.3
protocols, and supports RSA and Ephemeral (Elliptic curve and regular)
Diffie Hellman key exchanges, and many extensions.
2020-01-17 13:38:00 +00:00
pho
7b1785d533 Add hs-x509-validation 2020-01-17 13:07:15 +00:00
pho
6258b29e5d Import x509-validation-1.6.11
X.509 Certificate checks and validations routines.

Follows RFC5280 / RFC6818.
2020-01-17 13:06:38 +00:00
pho
ebebf5ed99 Add hs-x509-store 2020-01-17 12:41:24 +00:00
pho
4416023a60 Import x509-store-1.6.7
X.509 collection accessing and storing methods for certificate, crl,
exception list.
2020-01-17 12:40:40 +00:00
pho
1f8527d038 Add hs-x509 2020-01-17 00:54:04 +00:00
pho
f9216d86f6 Import x509-1.7.5
Read/Write X509 Certificate, CRL and their signed equivalents.

Follows RFC5280 / RFC6818
2020-01-17 00:53:30 +00:00
pho
072afaf575 Add hs-pem 2020-01-17 00:44:53 +00:00
pho
5f0a05fd07 Import pem-0.2.4
Privacy Enhanced Mail (PEM) format reader and writer.
2020-01-17 00:44:22 +00:00
pho
57225c02cc Add hs-cryptonite 2020-01-17 00:18:07 +00:00
pho
3b796d59b2 Import cryptonite-0.26
A repository of cryptographic primitives.

* Symmetric ciphers: AES, DES, 3DES, CAST5, Blowfish, Twofish,
  Camellia, RC4, Salsa, XSalsa, ChaCha.

* Hash: SHA1, SHA2, SHA3, SHAKE, MD2, MD4, MD5, Keccak, Skein, Ripemd,
  Tiger, Whirlpool, Blake2

* MAC: HMAC, KMAC, Poly1305

* Asymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519,
  Curve448, Ed25519, Ed448

* Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2, BCrypt,
  BCryptPBKDF

* Cryptographic Random generation: System Entropy, Deterministic
  Random Generator

* Data related: Anti-Forensic Information Splitter (AFIS)

If anything cryptographic related is missing from here, submit a pull
request to have it added. This package strives to be a cryptographic
kitchen sink that provides cryptography for everyone.
2020-01-17 00:17:32 +00:00
wiz
80e3e55259 openssl: rc5 patents expired some years ago
Remove its LICENSE line and enable rc5 option by default.
Bump PKGREVISION.
2020-01-16 22:45:45 +00:00
wiz
f0201250bd openssl: add PLIST.Linux for afalg.so
From Michael Forney in PR 54866
2020-01-16 21:58:50 +00:00
jperkin
f76ab4b2d3 openssl: Reduce buildlink ABI/API requirement.
Requested by wiz for NetBSD using older but compatible 1.1.1 releases.
2020-01-16 16:18:19 +00:00
jperkin
9620f18575 libtcpa: We no longer have openssl < 1.1. 2020-01-16 13:34:48 +00:00
jperkin
510dbe5aae *: Remove USE_OLD_DES_API.
OpenSSL 1.1.1d no longer ships des_old.h, and the time for this being
necessary appears to be behind us.
2020-01-16 13:33:50 +00:00
jperkin
953a453a3c openssl: Missed adding PLIST in previous. 2020-01-16 13:31:15 +00:00
jperkin
6a6a869481 openssl: Update to 1.1.1d.
This is a major upgrade to the current LTS release.  1.0.2 and 1.1.0 are now
out of support and should not be used.

pkgsrc changes include a large cleanup of patches and targets, many of which
were clearly bogus, for example a CONFLICTS entry against a package that has
never existed, and one that was removed in 1999.

Tested on SmartOS, macOS, and NetBSD.  Used for the SmartOS pkgsrc-2019Q4 LTS
release.

There are far too many individual changes to list, so the following text is
instead taken from the 1.1.1 blog announcement:

  --------------------------------------------------------------------------

After two years of work we are excited to be releasing our latest version today
- OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we
are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been
made from over 200 individual contributors since the release of OpenSSL 1.1.0.
These statistics just illustrate the amazing vitality and diversity of the
OpenSSL community. The contributions didn't just come in the form of commits
though. There has been a great deal of interest in this new version so thanks
needs to be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport Layer
Security (formerly known as SSL) protocol was published by the IETF just one
month ago as RFC8446. This is a major rewrite of the standard and introduces
significant changes, features and improvements which have been reflected in the
new OpenSSL version.

What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0
so most applications that work with 1.1.0 can gain many of the benefits of
TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very
differently to TLSv1.2 though there are a few caveats that may impact a
minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more
details.

Some of the benefits of TLSv1.3 include:

 * Improved connection times due to a reduction in the number of round trips
   required between the client and server

 * The ability, in certain circumstances, for clients to start sending
   encrypted data to the server straight away without any round trips with the
   server required (a feature known as 0-RTT or “early data”).

 * Improved security due to the removal of various obsolete and insecure
   cryptographic algorithms and encryption of more of the connection handshake

Other features in the 1.1.1 release include:

 * Complete rewrite of the OpenSSL random number generator to introduce the
   following capabilities:

   * The default RAND method now utilizes an AES-CTR DRBG according to NIST
     standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instances are per thread for lock free
     operation

 * Support for various new cryptographic algorithms including:

   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (including Ed25519 and Ed448)
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)

 * Significant Side-Channel attack security improvements

 * Maximum Fragment Length TLS extension support

 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to
upgrade as soon as possible. For most applications this should be straight
forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is
not an LTS release it will start receiving security fixes only with immediate
effect as per our previous announcement and as published in our release
strategy. It will cease receiving all support in one year's time.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support
until the end of this year. After that it will receive security fixes only. It
will stop receiving all support at the end of 2019. Users of that release are
strongly advised to upgrade to OpenSSL 1.1.1.
2020-01-16 13:30:29 +00:00
wiz
b081fc7056 pius: remove PYPKGPREFIX from PKGNAME to match directory name
It's an enduser program, so it's not necessary to install
multiple versions. ok schmonz@

While here, simplify github usage.
2020-01-16 12:18:31 +00:00
ryoon
1cce5cc18b acmesh: Update to 2.8.5
Changelog:
2.8.5
    fix auto upgrade error message.

2.8.4
    Avoiding autoupdate by checking master hash value.
    more dns api support
    adapt recent letsencrypt ca http headers changes.
    bugs fixes.

Recommended to upgrade.
2020-01-15 16:30:56 +00:00
wiz
9e359b02d5 pius: fix installation
Switch from egg.mk to distutils.mk, the latter works.
Add perl dependency for pius-party-worksheet.

Bump PKGREVISION.
2020-01-15 13:07:46 +00:00
adam
053c3a85a0 py-google-auth: updated to 1.10.1
1.10.1:
Bug Fixes
google.auth.compute_engine.metadata: add retry to google.auth.compute_engine._metadata.get()
always pass body of type bytes to google.auth.transport.Request
2020-01-15 09:02:19 +00:00
wiz
ad761281b6 keepassxc: update to 2.5.2.
## 2.5.2 (2020-01-04)

### Added

- Browser: Show UI warning when entering invalid URLs [#3912]
- Browser: Option to use an entry only for HTTP auth [#3927]

### Changed

- Disable the user interface when merging or saving the database [#3991]
- Ability to hide protected attribute after reveal [#3877]
- Remove mention of "snaps" in Windows and macOS [#3879]
- CLI: Merge parameter for source database key file (--key-file-from) [#3961]
- Improve GUI tests reliability on Hi-DPI displays [#4075]
- Disable deprecation warnings to allow building with Qt 5.14+ [#4075]
- OPVault: Use 'otp' attribute for TOTP field imports [#4075]

### Fixed

- Fix crashes when saving a database to cloud storage [#3991]
- Fix crash when pressing enter twice while opening database [#3885]
- Fix handling of HTML when displayed in the entry preview panel [#3910]
- Fix start minimized to tray on Linux [#3899]
- Fix Auto Open with key file only databases [#4075]
- Fix escape key closing the standalone password generator [#3892]
- macOS: Fix monospace font usage in password field and notes [#4075]
- macOS: Fix building on macOS 10.9 to 10.11 [#3946]
- Fix TOTP setup dialog not closing on database lock [#4075]
- Browser: Fix condition where additional URLs are ignored [#4033]
- Browser: Fix subdomain matching to return only relevant site entries [#3854]
- Secret Service: Fix multiple crashes and incompatibilities [#3871, #4009, #4074]
- Secret Service: Fix searching of entries [#4008, #4036]
- Secret Service: Fix behavior when exposed group is recycled [#3914]
- CLI: Release the database instance before exiting interactive mode [#3889]
- Fix (most) memory leaks in tests [#3922]

## 2.5.1 (2019-11-11)

### Added

- Add programmatic use of the EntrySearcher [#3760]
- Explicitly clear database memory upon locking even if the object is not deleted immediately [#3824]
- macOS: Add ability to perform notarization of built package [#3827]

### Changed

- Reduce file hash checking to every 30 seconds to correct performance issues [#3724]
- Correct formatting of notes in entry preview widget [#3727]
- Improve performance and UX of database statistics page [#3780]
- Improve interface for key file selection to discourage use of the database file [#3807]
- Hide Auto-Type sequences column when not needed [#3794]
- macOS: Revert back to using Carbon API for hotkey detection [#3794]
- CLI: Do not show protected fields by default [#3710]

### Fixed

- Secret Service: Correct issues interfacing with various applications [#3761]
- Fix building without additional features [#3693]
- Fix handling TOTP secret keys that require padding [#3764]
- Fix database unlock dialog password field focus [#3764]
- Correctly label open databases as locked on launch [#3764]
- Prevent infinite recursion when two databases AutoOpen each other [#3764]
- Browser: Fix incorrect matching of invalid URLs [#3759]
- Properly stylize the application name on Linux [#3775]
- Show application icon on Plasma Wayland sessions [#3777]
- macOS: Check for Auto-Type permissions on use instead of at launch [#3794]

## 2.5.0 (2019-10-26)

### Added

- Add 'Paper Backup' aka 'Export to HTML file' to the 'Database' menu [#3277]
- Add statistics panel with information about the database (number of entries, number of unique passwords, etc.) to the Database Settings dialog [#2034]
- Add offline user manual accessible via the 'Help' menu [#3274]
- Add support for importing 1Password OpVault files [#2292]
- Implement Freedesktop.org secret storage DBus protocol so that KeePassXC can be used as a vault service by libsecret [#2726]
- Add support for OnlyKey as an alternative to YubiKeys (requires yubikey-personalization >= 1.20.0) [#3352]
- Add group sorting feature [#3282]
- Add feature to download favicons for all entries at once [#3169]
- Add word case option to passphrase generator [#3172]
- Add support for RFC6238-compliant TOTP hashes [#2972]
- Add UNIX man page for main program [#3665]
- Add 'Monospaced font' option to the notes field [#3321]
- Add support for key files in auto open [#3504]
- Add search field for filtering entries in Auto-Type dialog [#2955]
- Complete usernames based on known usernames from other entries [#3300]
- Parse hyperlinks in the notes field of the entry preview pane [#3596]
- Allow abbreviation of field names in entry search [#3440]
- Allow setting group icons recursively [#3273]
- Add copy context menu for username and password in Auto-Type dialog [#3038]
- Drop to background after copying a password to the clipboard [#3253]
- Add 'Lock databases' entry to tray icon menu [#2896]
- Add option to minimize window after unlocking [#3439]
- Add option to minimize window after opening a URL [#3302]
- Request accessibility permissions for Auto-Type on macOS [#3624]
- Browser: Add initial support for multiple URLs [#3558]
- Browser: Add entry-specific browser integration settings [#3444]
- CLI: Add offline HIBP checker (requires a downloaded HIBP dump) [#2707]
- CLI: Add 'flatten' option to the 'ls' command [#3276]
- CLI: Add password generation options to `Add` and `Edit` commands [#3275]
- CLI: Add XML import [#3572]
- CLI: Add CSV export to the 'export' command [#3278]
- CLI: Add `-y --yubikey` option for YubiKey [#3416]
- CLI: Add `--dry-run` option for merging databases [#3254]
- CLI: Add group commands (mv, mkdir and rmdir) [#3313].
- CLI: Add interactive shell mode command `open` [#3224]


### Changed

- Redesign database unlock dialog [#3287]
- Rework the entry preview panel [#3306]
- Move notes to General tab on Group Preview Panel [#3336]
- Enable entry actions when editing an entry and cleanup entry context menu [#3641]
- Improve detection of external database changes [#2389]
- Warn if user is trying to use a KDBX file as a key file [#3625]
- Add option to disable KeePassHTTP settings migrations prompt [#3349, #3344]
- Re-enabled Wayland support (no Auto-Type yet) [#3520, #3341]
- Add icon to 'Toggle Window' action in tray icon menu [#3244]
- Merge custom data between databases only when necessary [#3475]
- Improve various file-handling related issues when picking files using the system's file dialog [#3473]
- Add 'New Entry' context menu when no entries are selected [#3671]
- Reduce default Argon2 settings from 128 MiB and one thread per CPU core to 64 MiB and two threads to account for lower-spec mobile hardware [#3672]
- Browser: Remove unused 'Remember' checkbox for HTTP Basic Auth [#3371]
- Browser: Show database name when pairing with a new browser [#3638]
- Browser: Show URL in allow access dialog [#3639]
- CLI: The password length option `-l` for the CLI commands `Add` and `Edit` is now `-L` [#3275]
- CLI: The `-u` shorthand for the `--upper` password generation option has been renamed to `-U` [#3275]
- CLI: Rename command `extract` to `export`. [#3277]

### Fixed

- Improve accessibility for assistive technologies [#3409]
- Correctly unlock all databases if `--pw-stdin` is provided [#2916]
- Fix password generator issues with special characters [#3303]
- Fix KeePassXC interrupting shutdown procedure [#3666]
- Fix password visibility toggle button state on unlock dialog [#3312]
- Fix potential data loss if database is reloaded while user is editing an entry [#3656]
- Fix hard-coded background color in search help popup [#3001]
- Fix font choice for password preview [#3425]
- Fix handling of read-only files when autosave is enabled [#3408]
- Handle symlinks correctly when atomic saves are disabled [#3463]
- Enable HighDPI icon scaling on Linux [#3332]
- Make Auto-Type on macOS more robust and remove old Carbon API calls [#3634, #3347]
- Hide Share tab if KeePassXC is compiled without KeeShare support and other minor KeeShare improvements [#3654, #3291, #3029, #3031, #3236]
- Correctly bring window to the front when clicking tray icon on macOS [#3576]
- Correct application shortcut created by MSI Installer on Windows [#3296]
- Fix crash when removing custom data [#3508]
- Fix placeholder resolution in URLs [#3281]
- Fix various inconsistencies and platform-dependent compilation bugs [#3664, #3662, #3660, #3655, #3649, #3417, #3357, #3319, #3318, #3304]
- Browser: Fix potential leaking of entries through the browser integration API if multiple databases are opened [#3480]
- Browser: Fix password entropy calculation [#3107]
- Browser: Fix Windows registry settings for portable installation [#3603]
2020-01-14 22:32:17 +00:00
schmonz
eb677ef5e7 Add missing gnupg{,2} dependencies, and patch some paths. Ride
recent import.
2020-01-13 20:52:04 +00:00
schmonz
816600aad1 Add and enable pius. 2020-01-13 20:40:14 +00:00
schmonz
64438e68d2 Add pius, the PGP Individual User Signer. It helps attendees of PGP
keysigning parties. It allows you to quickly and easily sign each UID on
a set of PGP keys. It is designed to take the pain out of the
sign-all-the-keys part of PGP Keysigning Party while adding security to
the process.
2020-01-13 20:39:29 +00:00
ryoon
eedd1e806f *: Recursive revbump from devel/boost-libs 2020-01-12 20:19:52 +00:00
bsiegert
5220c156ea Revbump Go packages after Go default version bump. 2020-01-10 13:32:09 +00:00
wiz
78444582ff *: py-cachetools only supports python 3.x now, pass down to dependencies 2020-01-09 14:21:06 +00:00
adam
baec18424b py-google-auth: updated to 1.10.0
1.10.0:
Features
send quota project id in x-goog-user-project for OAuth2 credentials

1.9.0:
Features
add timeout parameter to AuthorizedSession.request()
2020-01-08 11:41:50 +00:00
adam
627995668b py-asn1crypto: updated to 1.3.0
1.3.0
- Added `encrypt_key_pref` (`1.2.840.113549.1.9.16.2.11`) to
  `cms.CMSAttributeType()`, along with related structures
- Added Brainpool curves from RFC 5639 to `keys.NamedCurve()`
- Fixed `x509.Certificate().subject_directory_attributes_value`
- Fixed some incorrectly computed minimum elliptic curve primary key
  encoding sizes in `keys.NamedCurve()`
- Fixed a `TypeError` when trying to call `.untag()` or `.copy()` on a
  `core.UTCTime()` or `core.GeneralizedTime()`, or a value containing one,
  when using Python 2
2020-01-08 11:37:49 +00:00
mef
04baf85dbf (security/lua-sec) Updated 0.6 to 0.9
--------------------------------------------------------------------------
LuaSec 0.9
---------------
This version includes:

* Add DNS-based Authentication of Named Entities (DANE) support
* Add __close() metamethod
* Fix deprecation warnings with OpenSSL 1.1
* Fix special case listing of TLS 1.3 EC curves
* Fix general_name leak in cert:extensions()
* Fix unexported 'ssl.config' table
* Replace $(LD) with $(CCLD) variable
* Remove multiple definitions of 'ssl_options' variable
* Use tag in git format: v0.9

--------------------------------------------------------------------------
LuaSec 0.8.2
---------------
This version includes:

* Fix unexported 'ssl.config' table (backported)

--------------------------------------------------------------------------
LuaSec 0.8.1
---------------
This version includes:

* Fix general_name leak in cert:extensions() (backported)

--------------------------------------------------------------------------
LuaSec 0.8
---------------
This version includes:

* Add support for ALPN
* Add support for TLS 1.3
* Add support for multiple certificates
* Add timeout to https module (https.TIMEOUT)
* Drop support for SSL 3.0
* Drop support for TLS 1.0 from https module
* Fix invalid reference to Lua state
* Fix memory leak when getting certificate extensions

--------------------------------------------------------------------------
LuaSec 0.7.2
---------------
This version includes:

* Fix unexported 'ssl.config' table (backported)

--------------------------------------------------------------------------
LuaSec 0.7.1
---------------
This version includes:

* Fix general_name leak in cert:extensions() (backported)

--------------------------------------------------------------------------
LuaSec 0.7
---------------
LuaSec depends on OpenSSL, and integrates with LuaSocket to make it
easy to add secure connections to any Lua applications or scripts.

Documentation: https://github.com/brunoos/luasec/wiki

This version includes:

* Add support for OpenSSL 1.1.0
* Add support for elliptic curves list
* Add ssl.config that exports some OpenSSL information
* Add integration with luaossl
2020-01-06 23:55:47 +00:00
pho
fd37d437dc Fix build on NetBSD 8.1 2020-01-06 12:04:12 +00:00
nia
f3e83a26fc security: Remove seahorse-plugins.
Old GNOME 2 component. This is no longer part of GNOME.
Plugins for GNOME are no longer maintained alongside the seahorse client.
2020-01-04 14:04:29 +00:00
gutteridge
d5099a16be mate-polkit: tweak $DISTNAME
Prepare to bump the default $VERSION in meta-pkg/mate to 1.22.2 (now
the most common version amongst the packages and the effective release
we're at).
2020-01-02 22:47:56 +00:00
sevan
9d1cf377ce Upgrade to OpenSSL 1.0.2u
Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019]

Fixed an overflow bug in the x86_64 Montgomery squaring procedure used
in exponentiation with 512-bit moduli (CVE-2019-1551)
2020-01-02 20:31:05 +00:00
pho
2cffcbc7c7 Add dependency on devel/zlib 2020-01-02 11:40:05 +00:00
leot
249ddc9adf sqlmap: Update to 1.4
Unfortunately no changelog is provided by upstream.
2020-01-01 15:50:30 +00:00
kim
24f7b29a8a Update to sudo 1.8.30
Notable changes:

* The version string no longer has the word "beta" in it.
2020-01-01 01:47:29 +00:00
ng0
60cf554ea9 security/doas: update to version 6.2p4
Changelog picked from https://github.com/slicer69/doas/releases:

6.2p4:
* Keeping environment variables with keepenv
  On some platforms (seemingly Linux and macOS) it is possible for
  repeated calls to getpwuid() to over-write the original struct
  passwd structure. (This behaviour may vary depending on which
  C library is used.) This can lead to the original user's
  environment data being overwritten by the target user's, even
  when "keepenv" is specified in the doas.conf file.
  We now do a deep copy of the original and target users' struct
  passwd information to avoid over-writing the original on platforms
  where libc uses a static area for all calls.
2020-01-01 01:30:19 +00:00
wiz
19838d46ba libssh: update to 0.9.3.
version 0.9.3 (released 2019-12-10)
  * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution
  * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
  * SSH-01-006 General: Various unchecked Null-derefs cause DOS
  * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
  * SSH-01-010 SSH: Deprecated hash function in fingerprinting
  * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
  * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
  * SSH-01-001 State Machine: Initial machine states should be set explicitly
  * SSH-01-002 Kex: Differently bound macros used to iterate same array
  * SSH-01-005 Code-Quality: Integer sign confusion during assignments
  * SSH-01-008 SCP: Protocol Injection via unescaped File Names
  * SSH-01-009 SSH: Update documentation which RFCs are implemented
  * SSH-01-012 PKI: Information leak via uninitialized stack buffer
2019-12-31 12:27:03 +00:00
rhialto
8fb3b56efe security/sslsplit: update to 0.5.5. 2019-12-30 22:17:29 +00:00
triaxx
ca0d886671 py-certbot-dns-digitalocean: sort PLIST 2019-12-30 20:58:30 +00:00
triaxx
e4a43216e5 security: added py-certbot-dns-digitalocean version 1.0.0 2019-12-30 19:44:33 +00:00
triaxx
c8e5cdb1f8 py-certbot: add py-certbot-dns-digitalocean in comments 2019-12-30 19:43:56 +00:00
triaxx
75c589223d py-certbot-dns-digitalocean: added version 1.0.0
DigitalOcean DNS Authenticator plugin for Certbot
2019-12-30 19:41:31 +00:00
kim
c90f2a226c Update to sudo 1.8.30beta3
* Portability fixes from pkgsrc have been merged upstream

* Add runas_check_shell flag to require a runas user to have a valid
  shell. Not enabled by default.

* Add a new flag "allow_unknown_runas_id" to control matching of unknown
  IDs. Previously, sudo would always allow unknown user or group IDs if
  the sudoers entry permitted it. This included the "ALL" alias. With
  this change, the admin must explicitly enable support for unknown IDs.

* Transparently handle the "sudo sudoedit" problem. Some admins are
  confused about how to give users sudoedit permission and many users
  try to run sudoedit via sudo instead of directly. If the user runs
  "sudo sudoedit" sudo will now treat it as plain "sudoedit" after
  issuing a warning. If the admin has specified a fully-qualified path
  for sudoedit in sudoers, sudo will treat it as just "sudoedit" and
  match accordingly. In visudo (but not sudo), a fully-qualified path
  for sudoedit is now treated as an error.

* When restoring old resource limits, try to recover if we receive
  EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft
  limit is lower than the current resource usage. This can be a problem
  when restoring the old stack limit if sudo has raised it.

* Restore resource limits before executing the askpass program. Linux
  with docker seems to have issues executing a program when the stack
  size is unlimited. Bug #908

* macOS does not allow rlim_cur to be set to RLIM_INFINITY for
  RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS
  setrlimit manual. Bug #904

* Use 64-bit resource limits on AIX.
2019-12-28 20:43:56 +00:00
wiz
b2f69cab7d racoon2: update to 20180701nb3.
Install config files in examples directory.
Fixes installation which did not use DESTDIR.
2019-12-28 12:50:19 +00:00
markd
8058f44cf9 botan-devel: don't accidentally detect and use sphinx 2019-12-22 22:33:15 +00:00
joerg
7475eb7fea Use -fopenmp instead of hard-coding libgomp. 2019-12-22 22:29:39 +00:00
joerg
7c1201663f sodium no longer provides crypto_uint*, so provide local ones. 2019-12-22 22:28:54 +00:00
gutteridge
e74d5a65d8 libprelude: fix build with GNU awk >= 5.0
Rename the awk variable "namespace" to "name_space", since the former
is now a reserved word with GNU awk 5.0, and was causing parsing
errors.
2019-12-20 22:11:02 +00:00
joerg
fb38e15089 Deal with bind vs std::bind conflict. 2019-12-19 22:23:19 +00:00
joerg
d92def3ecd Add missing dependency for lrelease. 2019-12-19 22:22:50 +00:00
joerg
1b26e77727 Avoid using a non-literal string as format string. 2019-12-19 22:22:33 +00:00
kim
061cab795f Don't touch RLIMIT_STACK for now, see https://gnats.netbsd.org/51158 2019-12-19 16:59:44 +00:00
kim
4f18f8f89c Fix setrlimit(3): Invalid argument
The new code that unlimits many resources appears to have been problematic
on a number of fronts. Fetched the current version of src/limits.c from
the sudo hg repo. RLIMIT_STACK (i.e. "3") is no longer set to RLIM_INFINITY.

Added code to output the name of the limit instead of its number.
2019-12-18 15:56:10 +00:00
joerg
ec8ee45ae1 Fix build with libc++ having less namespace pollution. 2019-12-18 12:40:22 +00:00
taca
8cb487404d Drop php71 support
Drop php71 support mechanically.
2019-12-16 16:30:13 +00:00
taca
52d74d7170 security/php-pecl-mcrypt: update to 1.0.3
Update php-pecl-mcrypt to 1.0.3.

o pkgsrc change: allow build on php74.

1.0.3 (2019-09-17)

* Addressed Windows build issues
2019-12-16 00:10:37 +00:00
adam
4dbbbd83f6 sudo: updated to 1.8.29
Major changes between version 1.8.29 and 1.8.28p1:

The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.
The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.
The umask is now handled differently on systems with PAM or login.conf. If the umask is explicitly set in sudoers, that value is used regardless of what PAM or login.conf may specify. However, if the umask is not explicitly set in sudoers, PAM or login.conf may now override the default sudoers umask.
For make install, the sudoers file is no longer checked for syntax errors when DESTDIR is set. The default sudoers file includes the contents of /etc/sudoers.d which may not be readable as non-root.
Sudo now sets most resource limits to their maximum value to avoid problems caused by insufficient resources, such as an inability to allocate memory or open files and pipes.
Fixed a regression introduced in sudo 1.8.28 where sudo would refuse to run if the parent process was not associated with a session. This was due to sudo passing a session ID of -1 to the plugin.
2019-12-15 18:42:09 +00:00
taca
9cbfc66951 security/php-sodium: allow build on php74
Allow build on php74.
2019-12-15 18:02:30 +00:00
adam
03a6dbb3f1 py-pydeep: updated to 0.4
0.4:
Unknown changes
2019-12-15 11:24:52 +00:00
adam
f0e7f75464 py-google-auth: updated to 1.8.2
1.8.2:
Bug Fixes
revert "feat: send quota project id in x-goog-user-project header for OAuth2 credentials"

1.8.1:
Bug Fixes
revert "feat: add timeout to AuthorizedSession.request()"

1.8.0:
Features
add to_json method to google.oauth2.credentials.Credentials
add timeout to AuthorizedSession.request()
send quota project id in x-goog-user-project header for OAuth2 credentials
2019-12-15 11:22:34 +00:00
adam
d721e9ae15 py-acme/py-certbot-*: updated to 1.0.0
Certbot 1.0.0

Removed:
* The docs extras for the certbot-apache and certbot-nginx packages
  have been removed.

Changed:
* certbot-auto has deprecated support for systems using OpenSSL 1.0.1 that are
  not running on x86-64. This primarily affects RHEL 6 based systems.
* Certbot's config_changes subcommand has been removed
* certbot.plugins.common.TLSSNI01 has been removed.
* Deprecated attributes related to the TLS-SNI-01 challenge in
  acme.challenges and acme.standalone
  have been removed.
* The functions certbot.client.view_config_changes,
  certbot.main.config_changes,
  certbot.plugins.common.Installer.view_config_changes,
  certbot.reverter.Reverter.view_config_changes, and
  certbot.util.get_systemd_os_info have been removed
* Certbot's register --update-registration subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
  redirect to secure HTTPS access. This is mostly relevant when running Certbot
  in non-interactive mode. Previously, the default was to not redirect all requests.
2019-12-15 09:48:37 +00:00
ng0
6b418c5bef security/doas: resolve PR pkg/54717.
patch in the correct installed location of the config file
in the manpages.
2019-12-14 11:19:54 +00:00
khorben
fa909dc998 security/py-yara: Update to 3.11.0
Coordinated with leot@ and he@ while investigating CVE-2019-19648.
2019-12-14 10:50:10 +00:00
khorben
90d1d13438 security/yara: Update to 3.11.0
Coordinated with leot@ and he@ while investigating CVE-2019-19648.

The changes listed for this version include:

 * Duplicated string modifiers are now an error.
 * More flexible xor modifier.
 * Implement private strings (#1096)
 * Add field_offsets to dotnet module.
 * Implement crc32 functions in hash module.
 * Improvements to rich_signature functions in pe module.
 * Implement sandboxed API using SAPI
 * BUGFIX: Some regexp character classes not matching correctly when used with nocase modifier (#1117)
 * BUGFIX: Reduce the number of ERROR_TOO_MANY_RE_FIBERS errors for certain hex pattern containing large jumps (#1107)
 * BUGFIX: Buffer overrun in dotnet module (#1108)
 * BUGFIX: Segfault in certain Windows versions (#1068)
 * BUGFIX: Memory leak while attaching to a process fails (#1070)

Changes for version 3.10.0:

 * Optimize integer range loops by exiting earlier when possible.
 * Cache the result of PE module's imphash function in order to improve performance.
 * Harden virtual machine against malicious code.
 * BUGFIX: xor modifier not working as expected if not accompanied by ascii (#1053).
 * BUGFIX: \s and \S character classes in regular expressions now include vertical tab, new line, carriage return and form feed characters.
 * BUGFIX: Regression bug in hex strings containing wildcards (#1025).
 * BUGFIX: Buffer overrun in elf module.
 * BUGFIX: Buffer overrun in dotnet module

Changes for version 3.9.0:

 * Improve scan performance for certain strings.
 * Reduce stack usage.
 * Prevent inadvertent use of compiled rules by forcing the use of -C when using yara command-line tool.
 * BUGFIX: Buffer overflow in "dotnet" module.
 * BUGFIX: Internal error when running multiple instances of YARA in Mac OS X. (#945)
 * BUGFIX: Regexp regression when using nested quantifiers {x,y} for certain values of x and y. (#1018)
 * BUGFIX: High RAM consumption in "pe" module while parsing certain files. (0c8b461)
 * BUGFIX: Denial of service when using "dex" module. Found by the Cisco Talos team. (#1023)
 * BUGFIX: Issues with comments inside hex strings.

Changes for version 3.8.1:

 * BUGFIX: Some combinations of boolean command-line flags were broken in version 3.8.0.
 * BUGFIX: While reporting errors that occur at the end of the file, the file name appeared as null.
 * BUGFIX: dex module now works in big-endian architectures.
 * BUGFIX: Keep ABI compatibility by keeping deprecated functions visible.

Changes for version 3.8.0:

 * Scanner API
 * New xor modifier for strings
 * New fields and functions in PE module.
 * Add functions min and max to math module.
 * Make compiled.
 * yara and yarac support reading rules from stdin by using - as the file name.
 * Rule compilation is faster.
 * BUGFIX: Regression in regex engine. /ba{3}b/ was matching baaaab.
 * BUGFIX: Function yr_compiler_add_fd() was reading only the first 1024 bytes of the file.
 * BUGFIX: Wrong calculation of sha256 hashes in Windows when using native crypto API.
 * Lots more bug fixes.

Changes for version 3.7.1:

 * Fix regression in include directive (issue #796)
 * Fix bug in PE checksum calculation causing wrong results in some cases.
2019-12-14 10:46:08 +00:00
bsiegert
924057ee4f Revbump all Go packages after Go 1.12.14 update. 2019-12-13 07:43:47 +00:00
adam
4b8204dfd6 py-certifi: updated to 2019.11.28
2019.11.28:
Unknown changes
2019-12-11 14:27:54 +00:00
adam
f7b4ad9609 py-paramiko: updated to 2.7.1
2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.

2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.

Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
2019-12-11 10:43:53 +00:00
manu
91233a576f Update gnupg-pkcs11-scd to 0.9.2
Changelog since 0.7.0

2019-01-05 - Version 0.9.2

 * Fix Windows build issues, thanks Luka Logar.
 * Use pin-cache configuration, thanks Luka Logar.
 * Support openssl-1.1, thanks Thorsten Alteholz, W. Michael Petullo.

2017-09-26 - Version 0.9.1

 * Support unix domain socket credentials on FreeBSD.
 * Introduce GNUPG_PKCS11_SOCKETDIR to instruct where sockets are created.
 * Make proxy systemd service work again per change of systemd behavior.

2017-08-25 - Version 0.9.0

 * Avoid dup of stdin/stdout so that the terminate assuan hack is
   operational again.
 * Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
   provider.
 * Lots of cleanups.

2017-07-15 - Version 0.8.0

 * Support multiple tokens via serial numbers by hashing token id into
   serial number.
   Implementation changes the card serial number yet again, executing
   gpg --card-status should resync.

2017-04-18 - Version 0.7.6

 * Add --homedir parameter.
 * Rework serial responses for gnupg-2.1.19.

2017-03-01 - Version 0.7.5

 * Fix issue with decrypting padded data, thanks to smunaut.
 * Catchup with gnupg-2.1 changes which caused inability to support
   both gpg and gpgsm. Implementation had to change card serial
   number, as a result current keys of gpg will look for the
   previous serial card.
   emulate-openpgp option is obsoleted and removed.

   ACTION REQUIRED
   in order to assign new card serial number to existing keys.
   backup your ~/.gnupg.
   delete all PKCS#11 secret keys using:
       gpg --delete-secret-keys $KEY
   Then refresh keys using:
       gpg --card-edit
   In <gnupg-2.1.19 the keys should be re-generated using:
       admin
       generate
   Do not replace keys!
   gpg will learn the private keys of the new card and attach to
   the existing public keys.
 * Support gnupg-2.1 features of using existing keys, keys
   should not be explicitly specified in configuration file
   any more.

2017-01-18 - Version 0.7.4

 * Fix gpg change in serialno attribute.
 * Sync with gnupg-2.1, thanks to Moritz Bechler.

2011-07-30 -- Version 0.7.3

 * Use assuan_sock_init, bug#3382372.

2011-04-09 -- Version 0.7.2

 * Some cleanups, thanks to Timo Schulz.
 * Sync hashing algorithms for OpenPGP.

2011-03-16 -- Version 0.7.1

 * Sync with gnupg-2.0.17.
2019-12-11 01:44:37 +00:00
adam
cd291e58da gnupg2: updated to 2.2.19
Noteworthy changes in version 2.2.19:

* gpg: Fix double free when decrypting for hidden recipients.
  Regression in 2.2.18.

* gpg: Use auto-key-locate for encryption even for mail addresses
  given with angle brackets.

* gpgsm: Add special case for certain expired intermediate
  certificates.
2019-12-09 18:44:52 +00:00
sevan
41b29db7af Update to the latest certdata.txt version available in Mozilla repo. 2019-12-07 18:29:31 +00:00
nia
a743d901b9 gnutls: Update to 3.6.11.1
Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file
   descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.
2019-12-06 14:00:08 +00:00
nros
900911c257 Drop ftp.cyrusimap.org from MASTER_SITES
ftp.cyrusimap.org has been down for months. Asked about this on the
cyrus-info mailing list months ago with no responses. So let's drop it from
MASTER_SITES.
The directory old on the ftp is also available in the http download so I
added that to MASTER_SITES as well.
2019-12-05 10:57:54 +00:00
taca
59e744eaa5 security/clamav: update to 0.102.1
Update clamav to 0.102.1.

## 0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.

- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
  - [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
    A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
    crafted email file as a result of excessively long scan times. The issue is
    resolved by implementing several maximums in parsing MIME messages and by
    optimizing use of memory allocation.

- Build system fixes to build clamav-milter, to correctly link with libxml2 when
  detected, and to correctly detect fanotify for on-access scanning feature
  support.

- Signature load time is significantly reduced by changing to a more efficient
  algorithm for loading signature patterns and allocating the AC trie.
  Patch courtesy of Alberto Wu.

- Introduced a new configure option to statically link libjson-c with libclamav.
  Static linking with libjson is highly recommended to prevent crashes in
  applications that use libclamav alongside another JSON parsing library.

- Null-dereference fix in email parser when using the `--gen-json` metadata
  option.

- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.

Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma
2019-12-03 12:55:16 +00:00
adam
eaeedc9379 py-asyncssh: updated to 2.1.0
Release 2.1.0:
Added support in the SSHProcess redirect mechanism to accept asyncio StreamReader and StreamWriter objects, allowing asyncio streams to be plugged in as stdin/stdout/stderr in an SSHProcess.
Added support for key handlers in the AsyncSSH line editor to trigger signals being delivered when certain “hot keys” are hit while reading input.
Improved cleanup of unreturned connection objects when an error occurs or the connection request is canceled or times out.
Improved cleanup of SSH agent client objects to avoid triggering a false positive warning in Python 3.8.
Added an example to the documentation for how to create reverse-direction SSH client and server connections.
Made check of session objects against None explicit to avoid confusion on user-defined sessions that implement __len__ or __bool__.

Release 2.0.1:
Some API changes which should have been included in the 2.0.0 release were missed. This release corrects that, but means that additional changes may be needed in applications moving to 2.0.1. This should hopefully be the last of such changes, but if any other issues are discovered, additional changes will be limited to 2.0.x patch releases and the API will stabilize again in the AsyncSSH 2.1 release. See the next bullet for details about the additional incompatible change.
To be consistent with other connect and listen functions, all methods on SSHClientConnection which previously returned None on listen failures have been changed to raise an exception instead. A new ChannelListenError exception will now be raised when an SSH server returns failure on a request to open a remote listener. This change affects the following SSHClientConnection methods: create_server, create_unix_server, start_server, start_unix_server, forward_remote_port, and forward_remote_path.
Restored the ability for SSHListener objects to be used as async context managers. This previously worked in AsyncSSH 1.x and was unintentionally broken in AsyncSSH 2.0.0.
Added support for a number of additional functions to be called from within an “async with” statement. These functions already returned objects capable of being async context managers, but were not decorated to allow them to be directly called from within “async with”. This change applies to the top level functions create_server, listen, and listen_reverse and the SSHClientConnection methods create_server, create_unix_server, start_server, start_unix_server, forward_local_port, forward_local_path, forward_remote_port, forward_remote_path, listen_ssh, and listen_reverse_ssh.
Fixed a couple of issues in loading OpenSSH-format certificates which were missing a trailing newline.
Changed load_certificates() to allow multiple certificates to be loaded from a single byte string argument, making it more consistent with how load_certificates() works when reading from a file.

Release 2.0.0:
NEW MAJOR VERSION: See below for potentially incompatible changes.
Updated AsyncSSH to use the modern async/await syntax internally, now requiring Python 3.6 or later. Those wishing to use AsyncSSH on Python 3.4 or 3.5 should stick to the AsyncSSH 1.x releases.
Changed first argument of SFTPServer constructor from an SSHServerConnection (conn) to an SSHServerChannel (chan) to allow custom SFTP server implementations to access environment variables set on the channel that SFTP is run over. Applications which subclass the SFTPServer class and implement an __init__ method will need to be updated to account for this change and pass the new argument through to the SFTPServer parent class. If the subclass has no __init__ and just uses the connection, channel, and env properties of SFTPServer to access this information, no changes should be required.
Removed deprecated “session_encoding” and “session_errors” arguments from create_server() and listen() functions. These arguments were renamed to “encoding” and “errors” back in version 1.16.0 to be consistent with other AsyncSSH APIs.
Removed get_environment(), get_command(), and get_subsystem() methods on SSHServerProcess class. This information was made available as “env”, “command”, and “subsystem” properties of SSHServerProcess in AsyncSSH 1.11.0.
Removed optional loop argument from all public AsyncSSH APIs, consistent with the deprecation of this argument in the asyncio package in Python 3.8. Calls will now always use the event loop which is active at the time of the call.
Removed support for non-async context managers on AsyncSSH connections and processes and SFTP client connections and file objects. Callers should use “async with” to invoke the async context managers on these objects.
Added support for SSHAgentClient being an async context manager. To be consistent with other connect calls, connect_agent() will now raise an exception when no agent is found or a connection failure occurs, rather than logging a warning and returning None. Callers should catch OSError or ChannelOpenError exceptions rather than looking for a return value of None when calling this function.
Added set_input() and clear_input() methods on SSHLineEditorChannel to change the value of the current input line when line editing is enabled.
Added is_closing() method to the SSHChannel, SSHProcess, SSHWriter, and SSHSubprocessTransport classes, mirroring the asyncio BaseTransport and StreamWriter methods added in Python 3.7.
Added wait_closed() async method to the SSHWriter class, mirroring the asyncio StreamWriter method added in Python 3.7.
2019-12-01 11:45:35 +00:00
markd
af9dbe06e6 kwalletmanager: update to 19.08.3 qt5/kf5 version 2019-11-30 19:40:13 +00:00
hauke
a7801cb35d Update security/stunnel to 5.56. Upstream says
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
  - Various text files converted to Markdown format.
* Bugfixes
  - Support for realpath(3) implementations incompatible
    with POSIX.1-2008, such as 4.4BSD or Solaris.
  - Support for engines without PRNG seeding methods (thx to
    Petr Mikhalitsyn).
  - Retry unsuccessful port binding on configuration
    file reload.
  - Thread safety fixes in SSL_SESSION object handling.
  - Terminate clients on exit in the FORK threading model.
2019-11-30 17:27:09 +00:00
ng0
4f631830c6 security/doas: assign myself as maintainer. 2019-11-29 15:27:42 +00:00
adam
7a42bb05c0 py-backports.ssl_match_hostname: updated to 3.7.0.1
3.7.0.1:
Match Python 3.7
2019-11-28 13:47:00 +00:00
bsiegert
4046981edf libssh: fix build on Solaris.
From Joern Clausen in PR pkg/54694.
2019-11-28 09:25:52 +00:00
ryoon
f06ac4d5a6 Update to 2.2.18
Changelog:
Noteworthy changes in version 2.2.18 (2019-11-25)
-------------------------------------------------

  * gpg: Changed the way keys are detected on smartcards; this
    allows the use of non-OpenPGP cards.  In the case of a not very
    likely regression the new option --use-only-openpgp-card is
    available.  [#4681]

  * gpg: The commands --full-gen-key and --quick-gen-key now allow
    direct key generation from supported cards.  [#4681]

  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
    signatures.  This change removes all SHA-1 based key signatures
    newer than 2019-01-19 from the web-of-trust.  Note that this
    includes all key signatures created with dsa1024 keys.  The new
    option --allow-weak-key-signatures can be used to override the new
    and safer behaviour.  [#4755,CVE-2019-14855]

  * gpg: Improve performance for import of large keyblocks.  [#4592]

  * gpg: Implement a keybox compression run.  [#4644]

  * gpg: Show warnings from dirmngr about redirect and certificate
    problems (details require --verbose as usual).

  * gpg: Allow to pass the empty string for the passphrase if the
    '--passphrase=' syntax is used.  [#4633]

  * gpg: Fix printing of the KDF object attributes.

  * gpg: Avoid surprises with --locate-external-key and certain
    --auto-key-locate settings.  [#4662]

  * gpg: Improve selection of best matching key.  [#4713]

  * gpg: Delete key binding signature when deleting a subkey.
    [#4665,#4457]

  * gpg: Fix a potential loss of key signatures during import with
    self-sigs-only active.  [#4628]

  * gpg: Silence "marked as ultimately trusted" diagnostics if
    option --quiet is used.  [#4634]

  * gpg: Silence some diagnostics during key listing even with
    option --verbose.  [#4627]

  * gpg, gpgsm: Change parsing of agent's pkdecrypt results.  [#4652]

  * gpgsm: Support AES-256 keys.

  * gpgsm: Fix a bug in triggering a keybox compression run if
    --faked-system-time is used.

  * dirmngr: System CA certificates are no longer used for the SKS
    pool if GNUTLS instead of NTBTLS is used as TLS library.  [#4594]

  * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
    to avoid long timeouts.  [#4165]

  * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
    Shield and Trustica Cryptoucan work.  [#4654,#4566]

  * wkd: gpg-wks-client --install-key now installs the required policy
    file.
2019-11-27 12:17:08 +00:00
sevan
32442fec93 Update to v1.0.2t
Changes between 1.0.2s and 1.0.2t [10 Sep 2019]

  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a workaround for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certificate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     (CVE-2019-1563)
     [Bernd Edlinger]

  *) Document issue with installation paths in diverse Windows builds

     '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
     binaries and run-time config file.
     (CVE-2019-1552)
     [Richard Levitte]
2019-11-26 22:22:45 +00:00
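The CVE-2019-1563 entry above describes a padding oracle that arises from control flow, not from the cipher: when no recipient certificate is supplied and every RecipientInfo is tried, a chosen second RecipientInfo either replaces the correct content-encryption key (if its RSA block unpads) or is ignored (if it does not), and the final decrypt result tells the attacker which happened. The following is an added example, not OpenSSL's code, that models that loop in Ruby. RSA is done textbook-style with OpenSSL::BN#mod_exp over a hand-written PKCS#1 v1.5 type-2 padder so the unpadding check is visible; the function names, the `:old` and `:fixed` policy labels and the sample plaintext are this example's own, and the key size and AES-128-GCM choice are assumptions made for the demo.

```ruby
require "openssl"
require "securerandom"

# Demo-only parameters (assumptions of this example).
KEY_BITS = 2048
DEMO_KEY = OpenSSL::PKey::RSA.new(KEY_BITS)   # the legitimate recipient's key
K        = KEY_BITS / 8                       # modulus length in bytes
CEK_LEN  = 16                                 # aes-128-gcm content-encryption key length

# PKCS#1 v1.5 type-2 encoding: 00 02 <PS: at least 8 non-zero bytes> 00 <message>.
def pkcs1_pad(msg)
  ps_len = K - 3 - msg.bytesize
  raise ArgumentError, "message too long" if ps_len < 8
  ps = Array.new(ps_len) { rand(1..255) }.pack("C*")   # non-zero filler, demo quality
  "\x00\x02".b + ps + "\x00".b + msg.b
end

# Returns the embedded message, or nil when the block is malformed.
# nil is the "RSA decryption fails" branch of the advisory text.
def pkcs1_unpad(em)
  return nil unless em.bytesize == K && em.getbyte(0) == 0 && em.getbyte(1) == 2
  sep = em.index("\x00".b, 2)
  return nil if sep.nil? || sep - 2 < 8
  em.byteslice(sep + 1, em.bytesize - sep - 1)
end

# Textbook RSA on the padded block (m^e mod n, c^d mod n), fixed-width output.
def rsa_encrypt(em)
  OpenSSL::BN.new(em, 2).mod_exp(DEMO_KEY.e, DEMO_KEY.n).to_s(2).rjust(K, "\x00".b)
end

def rsa_decrypt(ct)
  OpenSSL::BN.new(ct, 2).mod_exp(DEMO_KEY.d, DEMO_KEY.n).to_s(2).rjust(K, "\x00".b)
end

# Content encryption. GCM is used so that a wrong CEK always fails loudly.
def gcm_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ""
  ct = c.update(plaintext) + c.final
  [iv, ct, c.auth_tag]
end

def gcm_decrypt(key, iv, ct, tag)
  c = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  c.key = key             # raises when the key length does not fit the cipher
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = ""
  c.update(ct) + c.final  # raises on tag mismatch
end

# The recipient loop that runs when no certificate is given and every
# RecipientInfo is tried. :old keeps the last key that unpads; :fixed also
# drops any key whose length differs from the cipher's key length, which is
# the 1.0.2t workaround described in the changelog.
def select_cek(recipient_infos, policy)
  cek = nil
  recipient_infos.each do |ri|
    candidate = pkcs1_unpad(rsa_decrypt(ri))
    next if candidate.nil?
    next if policy == :fixed && candidate.bytesize != CEK_LEN
    cek = candidate
  end
  cek
end

# Returns the plaintext, or nil when decryption fails for any reason.
def cms_decrypt(envelope, policy)
  cek = select_cek(envelope[:recipients], policy)
  return nil if cek.nil?
  gcm_decrypt(cek, *envelope[:content])
rescue StandardError
  nil
end

# Envelope with one legitimate RecipientInfo followed by one chosen by the attacker.
def build_envelope(attacker_ri)
  cek = SecureRandom.random_bytes(CEK_LEN)
  { recipients: [rsa_encrypt(pkcs1_pad(cek)), attacker_ri],
    content: gcm_encrypt(cek, "attack at dawn") }
end

# What the attacker observes for two chosen blocks under each policy. Under
# :old the outcome differs with the validity of the padding (the oracle);
# under :fixed both chosen blocks lead to the same outcome.
def oracle_outcomes
  well_padded_garbage = rsa_encrypt(pkcs1_pad("G".b * 20))               # unpads, wrong length
  badly_padded        = rsa_encrypt("\x00\x01".b + "\xFF".b * (K - 2))   # type byte is not 02
  %i[old fixed].each_with_object({}) do |policy, out|
    out[policy] = {
      well_padded:  cms_decrypt(build_envelope(well_padded_garbage), policy).nil? ? :fail : :ok,
      badly_padded: cms_decrypt(build_envelope(badly_padded), policy).nil? ? :fail : :ok,
    }
  end
end
```

The length check closes the oracle only for chosen blocks that unpad to a key of the wrong length; a block that unpads to exactly CEK_LEN bytes still replaces the correct key and still changes the outcome, which is why the advisory calls it a workaround rather than a fix.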
wiz
f339f153e3 py-asn1-modules: update to 0.2.8.
Use github distfile because pypi one is missing.

Revision 0.2.8, released 16-11-2019
-----------------------------------

- Improve test routines for modules that use certificate extensions
- Improve test for RFC3709 with a real world certificate
- Added RFC7633 providing TLS Features Certificate Extension
- Added RFC7229 providing OIDs for Test Certificate Policies
- Added tests for RFC3280, RFC3281, RFC3852, and RFC4211
- Added RFC6960 providing Online Certificate Status Protocol (OCSP)
- Added RFC6955 providing Diffie-Hellman Proof-of-Possession Algorithms
- Updated the handling of maps for use with openType for RFC 3279
- Added RFC6486 providing RPKI Manifests
- Added RFC6487 providing Profile for X.509 PKIX Resource Certificates
- Added RFC6170 providing Certificate Image in the Internet X.509 Public
  Key Infrastructure, and import the object identifier into RFC3709.
- Added RFC6187 providing Certificates for Secure Shell Authentication
- Added RFC6482 providing RPKI Route Origin Authorizations (ROAs)
- Added RFC6664 providing S/MIME Capabilities for Public Keys
- Added RFC6120 providing Extensible Messaging and Presence Protocol
  names in certificates
- Added RFC4985 providing Subject Alternative Name for expression of
  service names in certificates
- Added RFC5924 providing Extended Key Usage for Session Initiation
  Protocol (SIP) in X.509 certificates
- Added RFC5916 providing Device Owner Attribute
- Added RFC7508 providing Securing Header Fields with S/MIME
- Update RFC8226 to use ComponentPresentConstraint() instead of the
  previous work around
- Add RFC2631 providing OtherInfo for Diffie-Hellman Key Agreement
- Add RFC3114 providing test values for the S/MIME Security Label
- Add RFC5755 providing Attribute Certificate Profile for Authorization
- Add RFC5913 providing Clearance Attribute and Authority Clearance
  Constraints Certificate Extension
- Add RFC5917 providing Clearance Sponsor Attribute
- Add RFC4043 providing Internet X.509 PKI Permanent Identifier
- Add RFC7585 providing Network Access Identifier (NAI) Realm Name
  for Certificates
- Update RFC3770 to support openType for attributes and reported errata
- Add RFC4334 providing Certificate Extensions and Attributes for
  Authentication in PPP and Wireless LAN Networks
2019-11-26 13:10:44 +00:00
adam
a040e464d5 py-cryptodome: updated to 3.9.4
3.9.4:
Resolved issues
* Prevent ``key_to_english`` from creating invalid data when fed with
  keys of length not multiple of 8.
* Fix blocking RSA signing/decryption when key has very small factor.
2019-11-25 06:18:14 +00:00
adam
98f10ed772 py-passlib: updated to 1.7.2
1.7.2:
This release rolls up assorted bug & compatibility fixes since 1.7.1.

New Features

* .. py:currentmodule:: passlib.hash
  :class:`argon2`: Now supports Argon2 "ID" and "D" hashes (assuming new enough backend library).
  Now defaults to "ID" hashes instead of "I" hashes, but this can be overridden via ``type`` keyword.

* .. py:currentmodule:: passlib.hash
  :class:`scrypt`: Now uses python 3.6 stdlib's :func:`hashlib.scrypt` as backend,
  if present
2019-11-24 11:36:53 +00:00
gdt
1a6204f237 security/openssl: Fix recent use of empty()
Should resolve build on SmartOS.
(Amazingly, the wrong expression worked fine on NetBSD with gcc when
it was tested.)
2019-11-24 01:45:12 +00:00
gdt
2a81e96cdb security/openssl: Check for compiling with gcc and clang correctly 2019-11-23 19:44:16 +00:00
mef
1bdf4398f9 Recursive revbump based on devel/cmocka 1.1.3 -> 1.1.5 2019-11-23 08:45:45 +00:00
prlw1
608c252f55 Substitute CLAMAV_DBDIR (the point of patch-etc.clam*.conf.sample) 2019-11-19 16:20:24 +00:00
taca
b1b021dc82 security/ruby-sshkit: update to 1.20.0
Update ruby-sshkit package to 1.20.0.


## [1.20.0][] (2019-08-03)

  * [#468](https://github.com/capistrano/sshkit/pull/468): Make `upload!` take a `:verbosity` option like `exec` does - [@grosser](https://github.com/grosser)

## [1.19.1][] (2019-07-02)

  * [#465](https://github.com/capistrano/sshkit/pull/456): Fix a regression in 1.19.0 that prevented `~` from being used in Capistrano paths, e.g. `:deploy_to`, etc. - [@grosser](https://github.com/grosser)

## [1.19.0][] (2019-06-30)

  * [#455](https://github.com/capistrano/sshkit/pull/455): Ensure UUID of commands are stable in logging - [@lazyatom](https://github.com/lazyatom)
  * [#453](https://github.com/capistrano/sshkit/pull/453): `as` and `within` now properly escape their user/group/path arguments, and the command nested within an `as` block is now properly escaped before passing to `sh -c`. In the unlikely case that you were manually escaping commands passed to SSHKit as a workaround, you will no longer need to do this. See [#458](https://github.com/capistrano/sshkit/issues/458) for examples of what has been fixed. - [@grosser](https://github.com/grosser)
  * [#460](https://github.com/capistrano/sshkit/pull/460): Handle IPv6 addresses without port - [@will-in-wi](https://github.com/will-in-wi)

## [1.18.2][] (2019-02-03)

  * [#448](https://github.com/capistrano/sshkit/pull/448): Fix misbehaving connection eviction loop when disabling connection pooling - [Sebastian Cohnen](https://github.com/tisba)

## [1.18.1][] (2019-01-26)

  * [#447](https://github.com/capistrano/sshkit/pull/447): Fix broken thread safety by widening critical section - [Takumasa Ochi](https://github.com/aeroastro)
2019-11-18 15:52:19 +00:00
taca
ac02e257ae security/ruby-ruby-openid: update to 2.9.2
Update ruby-ruby-openid package to version 2.9.2.


## 2.9.2

* Perform all checks before verifying endpoints.
  [#126](https://github.com/openid/ruby-openid/pull/126)

## 2.9.1

* Updated CHANGELOG.md

## 2.9.0

* Remove deprecated `autorequire` from gemspec.
  [#123](https://github.com/openid/ruby-openid/pull/123)
* Rescue from `Yadis::XRI::XRIHTTPError` on discovery.
  [#106](https://github.com/openid/ruby-openid/pull/106)
* Avoid SSRF for claimed_id request.
  [#121](https://github.com/openid/ruby-openid/pull/121)
* Updated documentation.
  [#115](https://github.com/openid/ruby-openid/pull/115), [#116](https://github.com/openid/ruby-openid/pull/116), [#117](https://github.com/openid/ruby-openid/pull/117), [#118](https://github.com/openid/ruby-openid/pull/118)
* Reduce warnings output in test runs.
  [#119](https://github.com/openid/ruby-openid/pull/119)
* Drop deprecated option from gemspec.
  [#120](https://github.com/openid/ruby-openid/pull/120)
* Remove circular require.
  [#113](https://github.com/openid/ruby-openid/pull/113)
* Updated Travis CI config with Ruby 2.6
  [#114](https://github.com/openid/ruby-openid/pull/114)
* Simplify Bundler require; remove need for extra `:require`.
  [#112](https://github.com/openid/ruby-openid/pull/112)

## 2.8.0

* Fix `admin/mkassoc` script.
  See https://github.com/openid/ruby-openid/pull/103
* Allow specifying timeout for `OpenID::StandardFetcher` in environment variables.
  See https://github.com/openid/ruby-openid/pull/109
* Fixed some documentation.
  See https://github.com/openid/ruby-openid/pull/111
* Fixed example server.
  See https://github.com/openid/ruby-openid/pull/91
* Fixed tests.
  See https://github.com/openid/ruby-openid/pull/86
* Misc. changes to the CI setup.
  See
  - https://github.com/openid/ruby-openid/pull/110
  - https://github.com/openid/ruby-openid/pull/108
  - https://github.com/openid/ruby-openid/pull/107
2019-11-18 15:44:37 +00:00
adam
abbb30096f py-asn1: updated to 0.4.8
Revision 0.4.8:
- Added ability of combining `SingleValueConstraint` and
  `PermittedAlphabetConstraint` objects into one for proper modeling
  `FROM ... EXCEPT ...` ASN.1 clause.
2019-11-18 10:52:39 +00:00
adam
75e4c8d2cb py-OpenSSL: updated to 19.1.0
19.1.0:
Backward-incompatible changes:
- Removed deprecated ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases.
  Use the classes without the Type suffix instead.
- The minimum cryptography version is now 2.8 due to issues on macOS with a transitive dependency.

Deprecations:
- Deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.
  ALPN should be used instead.

Changes:
- Support bytearray in SSL.Connection.send() by using cffi's from_buffer.
- The OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value
  to allow a TLS handshake to complete without an application protocol.
2019-11-18 10:51:31 +00:00
mef
58111ab329 regen distinfo 2019-11-17 21:44:34 +00:00
adam
f652dd6343 py-certbot: updated to 0.40.1
0.40.1:

Changed
Added back support for Python 3.4 to Certbot components and certbot-auto due to a bug when requiring Python 2.7 or 3.5+ on RHEL 6 based systems.
More details about these changes can be found on our GitHub repo.

0.40.0:

Changed
We deprecated support for Python 3.4 in Certbot and its ACME library. Support for Python 3.4 will be removed in the next major release of Certbot. certbot-auto users on RHEL 6 based systems will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
--server may now be combined with --dry-run. Certbot will, as before, use the staging server instead of the live server when --dry-run is used.
--dry-run now requests fresh authorizations every time, fixing the issue where it was prone to falsely reporting success.
Updated certbot-dns-google to depend on newer versions of google-api-python-client and oauth2client.
The OS detection logic again uses distro library for Linux OSes
certbot.plugins.common.TLSSNI01 has been deprecated and will be removed in a future release.
CLI flags --tls-sni-01-port and --tls-sni-01-address have been removed.
The values tls-sni and tls-sni-01 for the --preferred-challenges flag are no longer accepted.
Removed the flags: --agree-dev-preview, --dialog, and --apache-init-script
acme.standalone.BaseRequestHandlerWithLogging and acme.standalone.simple_tls_sni_01_server have been deprecated and will be removed in a future release of the library.
certbot-dns-rfc2136 now use TCP to query SOA records.

Fixed
More details about these changes can be found on our GitHub repo.
2019-11-14 18:28:17 +00:00
adam
a9fd5884d4 py-google-auth: updated to 1.7.1
1.7.1:
Bug Fixes
* change 'internal_failure' condition to also use `error' field
2019-11-14 10:41:31 +00:00
adam
b770b1efcf py-argon2-cffi: updated to 19.2.0
19.2.0:
Backward-incompatible changes:
- Python 3.4 is not supported anymore.
  It has been unsupported by the Python core team for a while now and its PyPI downloads are negligible.
  It's very unlikely that ``argon2-cffi`` will break under 3.4 anytime soon, but we don't test it and don't ship binary wheels for it anymore.

Changes:
- The dependency on ``enum34`` is now protected using a PEP 508 marker.
  This fixes problems when the sdist is handled by a different interpreter version than the one running it.
2019-11-13 21:12:20 +00:00
adam
849a3cbedb py-trustme: updated to 0.5.3
Trustme 0.5.3:
Features
Added :attr:`CA.from_pem` to import an existing certificate authority; this allows migrating to trustme step-by-step.
2019-11-13 20:29:12 +00:00
wiz
6c1561fbd1 py-google-auth: update to 1.7.0.
v1.7.0

Implementation Changes

    Add retry loop for fetching authentication token if any 'Internal Failure' occurs (#368)
    Use cls parameter instead of class (#341)

New Features

    Add support for impersonated_credentials.Sign, IDToken (#348)
    Add downscoping to OAuth2 credentials (#309)

Dependencies

    Update dependency cachetools to v3 (#357)
    Update dependency rsa to v4 (#358)
    Set an upper bound on dependencies version (#352)
    Require a minimum version of setuptools (#322)

Documentation

    Add busunkim96 as maintainer (#373)
    Update user-guide.rst (#337)
    Fix typo in jwt docs (#332)
    Clarify which SA has Token Creator role (#330)

Internal / Testing Changes

    Change 'name' to distribution name (#379)
    Fix system tests, move to Kokoro (#372)
    Blacken (#375)
    Rename nox.py -> noxfile.py (#369)
    Add initial renovate config (#356)
    Use new pytest api to keep building with pytest 5 (#353)
2019-11-13 15:23:34 +00:00
adam
fbf99eeac8 py-mohawk: updated to 1.1.0
1.1.0:
Support passing file-like objects (those implementing .read(n)) as the content parameter for Resources. See mohawk.Sender for details.
2019-11-13 15:06:44 +00:00
wiz
57ade7f4c2 libssh: update to 0.9.2.
version 0.9.2 (released 2019-11-07)
  * Fixed libssh-config.cmake
  * Fixed issues with rsa algorithm negotiation (T191)
  * Fixed detection of OpenSSL ed25519 support (T197)
2019-11-13 11:49:08 +00:00
adam
b7390b9032 py-cryptodome: updated to 3.9.3
3.9.3:
* Align stack of functions using SSE2 intrinsics to avoid crashes,
  when compiled with gcc on 32-bit x86 platforms.

3.9.2:
New features
* Add Python 3.8 wheels for Mac.

Resolved issues
* Avoid allocating arrays of ``__m128i`` on the stack, to cope with buggy compilers.
* Remove blanket ``-O3`` optimization for gcc and clang, to cope with buggy compilers.
* Fix typing stubs for signatures.
* Deal with gcc installations that don't have ``x86intrin.h``.
2019-11-13 06:58:34 +00:00
markd
95420de397 KDE Frameworks update to 5.64.0
5.62.0

KWallet
  fix starting kwalletmanager, the desktop file name has a '5' in it

5.63.0

KWallet
  HiDPI support
2019-11-11 08:47:46 +00:00
adam
c95ce3bc7c py-cryptodome: updated to 3.9.1
3.9.1:
New features
* Add Python 3.8 wheels for Linux and Windows.

Resolved issues
* Minor speed-up when importing RSA.
2019-11-09 21:34:56 +00:00
adam
1b4a672dfe py-google-auth-oauthlib: updated to 0.4.1
0.4.1
Implementation Changes
Don't auto-generate code_verifier by default.

Internal / Testing Changes
Add renovate.json
2019-11-07 13:35:35 +00:00
adam
c8448a859f py-requests-oauthlib: updated to 1.3.0
1.3.0:
- Instagram compliance fix
- Added ``force_querystring`` argument to fetch_token() method on OAuth2Session
2019-11-07 13:34:36 +00:00
jnemeth
c6dd6fb5a5 add and enable opendnssec2 2019-11-07 03:28:19 +00:00
wiz
7eaef31fa1 libssh: update to 0.9.1.
version 0.9.1 (released 2019-10-25)
  * Added support for Ed25519 via OpenSSL
  * Added support for X25519 via OpenSSL
  * Added support for localuser in Match keyword
  * Fixed Match keyword to be case sensitive
  * Fixed compilation with LibreSSL
  * Fixed error report of channel open (T75)
  * Fixed sftp documentation (T137)
  * Fixed known_hosts parsing (T156)
  * Fixed build issue with MinGW (T157)
  * Fixed build with gcc 9 (T164)
  * Fixed deprecation issues (T165)
  * Fixed known_hosts directory creation (T166)
2019-11-06 14:37:39 +00:00
wiz
292f0cbf9f *: recursive bump for vala-0.46 2019-11-06 14:34:29 +00:00
he
11aaeb64d4 Make a separate package for OpenDNSSEC version 2.1.5.
OpenDNSSEC version 2 is not a drop-in replacement for OpenDNSSEC version 1.
See lib/opendnssec/README.md for migration instructions if you were
previously using version 1.

Upstream changes since OpenDNSSEC version 1.4.x:


OpenDNSSEC 2.1.5 - 2019-11-05

* SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4.
* SUPPORT-244: Don't require Host and Port to be specified in conf.xml
  when migrating with a MySQL-based enforcer database backend.
* Allow for MySQL database to pre-exist when performing a migration,
  and be a bit more verbose during migration.
* New -f argument to ods-enforcer key list to show the full list of key states,
  similar to combining -d and -v.
* Fix AllowExtraction tag in configuration file definition (thanks to raixie1A).
* SUPPORT-242: Skip over EDNS cookie option (thanks to Håvard Eidnes and
  Ulrich-Lorenz Schlueter).
* SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction
  with CLI commands.
* Correct some error messages (thanks to Jonas Berlin).


OpenDNSSEC 2.1.4 - 2019-05-16

* SUPPORT-229: Missing signatures for new key while signatures for old key
  still present under certain kasp policies, leading to bogus zones.
  Root cause for bug existed but made prominent since 2.1.3 release.
* OPENDNSSEC-942: time leap command for signer for debugging purposes
  only, not to be used on actual deployments.
* OPENDNSSEC-943: support build on MacOS with missing pthread barriers
* SUPPORT-229: fixed for too early retirement of signatures upon double
  rrsig key roll signing strategy.
* Strip build directory from doxygen docs
* remove bashisms from ods-kasp2html.in
* upgrade developer build scripts to softhsm-2.5.0 update some platform
  dependent files (only for developers).
* The ods-signer and ods-signerd man page should be in section 8 not 22
  Note that this might mean that package managers should remove the older
  man pages from the old location.


OpenDNSSEC 2.1.3 - 2017-08-10

* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly
* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml
* OPENDNSSEC-906: Tag <AllowExtraction> included from late 1.4 development
* OPENDNSSEC-894: repair configuration script to allow excluding the build of
                  the enforcer.
* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge
                  time to be skipped.
* OPENDNSSEC-904 / SUPPORT-216 autoconfigure fails to properly identify
                  functions in ssl library on certain distributions
                  causing tsig unknown algorithm hmac-sha256
* OPENDNSSEC-908: Warn when TTL exceeds KASP's MaxZoneTTL instead of capping.


OpenDNSSEC 2.1.1 - 2017-04-28

* OPENDNSSEC-882: Signerd exit code always non-zero.
* OPENDNSSEC-889: MySQL migration script didn't work for all database and
  MySQL versions.
* OPENDNSSEC-887: Segfault on extraneous <Interval> tag.
* OPENDNSSEC-880: Command line parsing for import key command failed.
* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for
  same rrset are mismatching.


OpenDNSSEC 2.1.0 - 2017-02-22

* If listening port for signer is not set in conf file, the default value
  "15354" is used.
* Enforce and signconf tasks are now scheduled individually per zone. Resign
  per policy.
* OPENDNSSEC-450: Implement support for ECDSA P-256, P-384, GOST.
  Notice: SoftHSMv1 only supports RSA. SoftHSMv2 can be compiled with
  support for these.
* zone delete removes tasks associated with zone from queue.
* Show help for ods-enforcer-db-setup
* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* In the kasp file, KSK/ZSK section, the algorithm length MUST be set now.
* signer clear <zone> would assert when signconf wasn't read yet.
* The <Interval> tag had been deprecated, and is now no longer allowed to
  be specified in the conf.xml for the Enforcer.
* OPENDNSSEC-864: ods-signer didn't print help. Also --version and --socket
  options were not processed.
* OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag.
* OPENDNSSEC-681: After fork() allow child process to pass error messages to
  parent so they can be printed to the console in case of failed start.
* OPENDNSSEC-849: Crash on free of part of IXFR structure.
* OPENDNSSEC-759: Reduce HSM access during ods-signerd start. Daemon should
  start quicker and earlier available for user input.
* OPENDNSSEC-479: Transferring zones and sending notifies through
  a bound socket, using the same interface as listener.
* Key cache is now shared between threads.
* OPENDNSSEC-858: Don't print "completed in x seconds" to stderr for enforcer
  commands.
* Various memory leaks
* OPENDNSSEC-601: signer and enforcer working dir would not properly
  fallback to default when not specified.
* OPENDNSSEC-503: Speed up initial signing and algorithm rollover.
* A bash autocompletion script is included in contrib for ods-enforcer and
  ods-signer.
* SUPPORT-208: Strip comment from key export.
* OPENDNSSEC-552: On key export don't print SHA1 DS by default.
  (introduced --sha1 option to key export.) Usage of sha1 is deprecated and
  will be removed from future versions of OpenDNSSEC.


OpenDNSSEC 2.0.1 - 2016-07-21

* Fixed crash and linking issue in ods-migrate.
* Fixed case where 2.0.0 could not read backup files from 1.4.10.
* Fixed bug in migration script where key state wasn't transformed properly.


OpenDNSSEC 2.0.0-1

* include db creation scripts in dist tarball needed for migration from 1.4.


OpenDNSSEC 2.0.0 - 2016-07-07

* OpenDNSSEC-99: Skip "are you sure" messages. Add --force and -f flag to
  ods-enforcer-db-setup and hsmutil purge
* OPENDNSSEC-808: Crash on query with empty query section (thanks
  Havard Eidnes)
* OpenDNSSEC-771: Signer. Do not log warning on deleting a missing
  NSEC3PARAM RR.
* OPENDNSSEC-801: Set AA flag on outgoing AXFR.
* SUPPORT-191: Regression, Must accept notify without SOA (thanks
  Christos Trochalakis)


OpenDNSSEC 2.0b1 - 2016-04-14

First public release of OpenDNSSEC.  Initial pre-releases have been
made to a smaller audience, this pre-release is explicitly made available
to all.  At this moment, there are no known functional bugs.  There are
naturally issues, especially to make working with OpenDNSSEC easier, however
none should prevent you from using OpenDNSSEC in production for the average
case, even though this is a pre-release.  Which is because of the still
limited documentation, and is not being run in production yet.

* The enforcer can no longer be run on a single policy at a time
  anymore.  An enforce run will always process all zones.
* The key generate method is at this time not available.
* The key export method will not allow you to export keys for all zones
  at once (--all flag) or for a particular type of key (--keystate).
  It will not export ZSK keys.
* The zonelist.xml in etc/opendnssec is no longer updated automatically,
  and by default works as if the --no-xml flag was specified.  Use
  --xml to the zone add command to update the zonelist.xml.  If updating
  the zonelist fails, the zone will still be added and not updated in
  the xml with future zone adds.
* Plugins directory renamed to contrib.
* Default signer working directory renamed from tmp to signer.
* Configure option --with-database-backend renamed --with-enforcer-database
* Zones on a manual rollover policy will not get a key assigned to them
  immediately.


OpenDNSSEC 2.0.0a5

Project transfer to NLnetLabs, performing code drop as-is for evaluation
purposes only.


OpenDNSSEC 2.0.0a4 (EnforcerNG branch)

* SUPPORT-72: Improve logging when failed to increment serial in case
  of key rollover and serial value "keep" [OPENDNSSEC-461].
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public
  key directly if SkipPublicKey is used [OPENDNSSEC-573].
* OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the
  enforcer to run once and only process the specified policy and associated
  zones.
* OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml.
  Default value remains PT0S.
* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen'
  command so the user can choose not to notify the enforcer.
* OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command
  could warn if a specified zone file or adapter file does not exist.
* OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input>
  and <output> values for DNS adapters.
* OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to
  check if there is a matching key in the repository before import.
* OPENDNSSEC-281: Enforcer NG: Commandhandler sometimes unresponsive.
* OPENDNSSEC-276, Enforcer NG: HSM initialized after fork().
* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to
  prevent bad caching effects on resolvers.
* OPENDNSSEC-428: Add option for 'ods-ksmutil key generate' to take
  number of zones as a parameter
* OPENDNSSEC-515: Signer Engine: Don't replace tabs in RR with whitespace.

Bugfixes:
* OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature
  cleanup.
* OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly.
* OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back
  to AXFR.
* OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use
  inbound serial.


OpenDNSSEC 2.0.0a3 (EnforcerNG branch) - 2012-06-18
Bugfixes:
* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write
  error [OPENDNSSEC-427].
* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection
  error during signing [OPENDNSSEC-444].
* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg
  fault when run directly on command line (i.e. not via interactive mode)
* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create
  too many keys if there are keys already available and the KSK and ZSK use
  same algorithm and length
* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead
  of memory. Makes response non-blocking.
* OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes
  to stdout not stderr
* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create
  too many keys for <SharedKeys/> policies when KSK and ZSK use same
  algorithm and length
* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling
* Signer Engine: Improved Inbound XFR checking.
* Signer Engine: Fix double free corruption in case of adding zone with
  DNS Outbound Adapters and NotifyCommand enabled.
* Enforcer: Limit number of pregenerated keys when using <SharedKeys>.
* Enforcer: MySQL database backend implemented.
* Enforcer: New directive <MaxZoneTTL> to make safe assumptions about
  zonefile.
* Enforcer: New zone add command, allow specifying adapters.
* Enforcer: New zone del command, use --force for still signed zones.
* Enforcer: Pre-generate keys on the HSM.
* Enforcer: SQLite database backend implemented.
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
  Minimum change.

Bugfixes:
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
2019-11-06 13:44:38 +00:00
ng0
32270bbf5f Add security/go-xxhash version 2.1.0
Go implementation of the 64-bit xxHash algorithm (XXH64).

This implementation provides a fast pure-Go implementation
and an even faster assembly implementation for amd64.
2019-11-06 11:26:49 +00:00
he
b6e5076c82 Add softhsm2. 2019-11-06 10:15:32 +00:00
he
5667fac09c Add SoftHSM version 2.5.0.
SoftHSM2 is not a drop-in replacement for SoftHSM version 1, so this
is added as a separate package.  See softhsm2-migrate(1) for
migration instructions.

Upstream changes since SoftHSM version 1.x:

SoftHSM 2.5.0 - 2018-09-24

* Issue #323: Support for EDDSA with vendor defined mechanisms.
  (Patch from Francis Dupont)
* Issue #362: CMake Build System Support for SoftHSM.
  (Patch from Constantine Grantcharov)
* Issue #368: Support migrating 32-bit SoftHSMv1 DB on 64-bit system (LP64).
* Issue #385: Default is not to build EDDSA since it has not been released in
  OpenSSL.
* Issue #387: Windows: Add VS2017 detection to Configure.py.
  (Patch from Jaroslav Imrich)
* Issue #412: Replace PKCS11 headers with a version from p11-kit.
  (Patch from Alexander Bokovoy)

Bugfixes:
* Issue #366: Support cross-compilation.
  (Patch from Michael Weiser)
* Issue #377: Duplicate symbol error with custom p11test.
* Issue #386: Use RDRAND in OpenSSL if that engine is available.
* Issue #388: Update DBTests.cpp to fix x86 test failure.
  (Patch from tcely)
* Issue #393: Not setting CKA_PUBLIC_KEY_INFO correctly.
  (Patch from pkalapat)
* Issue #401: Wrong key and keyserver mentioned in installation documentation.
  (Patch from Berry A.W. van Halderen)
* Issue #408: Remove mutex callbacks after C_Finalize().
  (Patch from Alexander Bokovoy)


SoftHSM 2.4.0 - 2018-02-27

* Issue #135: Support PKCS#8 for GOST.
* Issue #140: Support for CKA_ALLOWED_MECHANISMS.
  (Patch from Brad Hess)
* Issue #141: Support CKA_ALWAYS_AUTHENTICATE for private key objects.
* Issue #220: Support for CKM_DES3_CMAC and CKM_AES_CMAC.
* Issue #226: Configuration option for Windows build to enable build with
  static CRT (/MT).
* Issue #325: Support for CKM_AES_GCM.
* Issue #334: Document that initialized tokens will be reassigned to another
  slot (based on the token serial number).
* Issue #335: Support for CKM_RSA_PKCS_PSS.
  (Patch from Nikos Mavrogiannopoulos)
* Issue #341: Import AES keys with softhsm2-util.
  (Patch from Pavel Cherezov)
* Issue #348: Document that OSX needs pkg-config to detect cppunit.
* Issue #349: softhsm2-util will check the configuration and report any
  issues before loading the PKCS#11 library.

Bugfixes:
* Issue #345: Private objects are presented to security officer in search
  results.
* Issue #358: Race condition when multiple applications are creating and
  reading object files.


SoftHSM 2.3.0 - 2017-07-03

* Issue #130: Upgraded to PKCS#11 v2.40.
  * Minor changes to some return values.
  * Added CKA_DESTROYABLE to all objects. Used by C_DestroyObject().
  * Added CKA_PUBLIC_KEY_INFO to certificates, private, and public key
    objects. Will be accepted from application, but SoftHSM will
    currently not calculate it.
* Issue #142: Support for CKM_AES_CTR.
* Issue #155: Add unit tests for SessionManager.
* Issue #189: C_DigestKey returns CKR_KEY_INDIGESTIBLE when key
  attribute CKA_EXTRACTABLE = false. Whitelist SHA algorithms to allow
  C_DigestKey in this case.
* Issue #225: Show slot id after initialization.
* Issue #247: Run AppVeyor (Windows CI) for each PR and merge.
* Issue #257: Set CKA_DECRYPT/CKA_ENCRYPT flags on key import to true.
  (Patch from Martin Domke)
* Issue #261: Add support for libeaycompat lib for FIPS on Windows.
  (Patch from Matt Hauck)
* Issue #262: Support importing ECDSA P-521 in softhsm-util.
* Issue #276: Support for Botan 2.0.
* Issue #279: Editorial changes from Mountain Lion to Sierra.
  (Patch from Mike Neumann)
* Issue #283: More detailed error messages when initializing SoftHSM.
* Issue #285: Support for LibreSSL.
  (Patch from Alon Bar-Lev)
* Issue #286: Update .gitignore.
  (Patch from Alon Bar-Lev)
* Issue #291: Change to enable builds and reports on new Jenkins
  environment.
* Issue #293: Detect cppunit in autoconf.
  (Patch from Alon Bar-Lev)
* Issue #309: CKO_CERTIFICATE and CKO_PUBLIC_KEY now defaults to
  CKA_PRIVATE=false.
* Issue #314: Update README with information about logging.
* Issue #330: Adjust log levels for failing to enumerate object store.
  (Patch from Nikos Mavrogiannopoulos)

Bugfixes:
* Issue #216: Better handling of CRYPTO_set_locking_callback() for OpenSSL.
* Issue #265: Fix deriving shared secret with ECC.
* Issue #280: HMAC with sizes less than L bytes is strongly discouraged.
  Set a lower bound equal to L bytes in ulMinKeySize and check it when
  initializing the operation.
* Issue #281: Fix test of p11 shared library.
  (Patch from Lars Silvén)
* Issue #289: Minor fix of 'EVP_CipherFinal_ex'.
  (Patch from Viktor Tarasov)
* Issue #297: Fix build with cppunit.
  (Patch from Ludovic Rousseau)
* Issue #302: Export PKCS#11 symbols from the library.
  (Patch from Ludovic Rousseau)
* Issue #305: Zero pad key to fit the block in CKM_AES_KEY_WRAP.
* Issue #313: Detecting CppUnit when using Macports.
  (Patch from mouse07410)


SoftHSM 2.2.0 - 2016-12-05

* Issue #143: Delete a token using softhsm2-util.
* Issue #185: Change access mode bits for /var/lib/softhsm/tokens/
  to 1777. All users can now create tokens, but only access their own.
  (Patch from Rick van Rein)
* Issue #186: Reinitializing a token will now keep the token, but all
  token objects are deleted, the user PIN is removed and the token
  label is updated.
* Issue #190: Support for OpenSSL 1.1.0.
* Issue #198: Calling C_GetSlotList with NULL_PTR will make sure that
  there is always a slot with an uninitialized token available.
* Issue #199: The token serial number will be used when setting the slot
  number. The serial number is set after the token has been initialized.
  (Patch from Lars Silvén)
* Issue #203: Update the command utils to use the token label or serial
  to find the token and its slot number.
* Issue #209: Possibility to test other PKCS#11 implementations with the
  CppUnit test.
  (Patch from Lars Silvén)
* Issue #223: Mark public key as non private by default.
  (Patch from Nikos Mavrogiannopoulos)
* Issue #230: Install p11-kit module, to disable use --disable-p11-kit.
  (Patch from David Woodhouse)
* Issue #237: Add windows continuous integration build.
  (Patch from Peter Polacko)

Bugfixes:
* Issue #201: Missing new source file and test configuration in the
  Windows build project.
* Issue #205: ECDSA P-521 support for OpenSSL and better test coverage.
* Issue #207: Fix segmentation faults in loadLibrary function.
  (Patch from Jaroslav Imrich)
* Issue #215: Update the Homebrew install notes for OSX.
* Issue #218: Fix build warnings.
* Issue #235: Add the libtool install command for OSX.
  (Patch from Mark Wylde)
* Issue #236: Use GetEnvironmentVariable instead of getenv on Windows.
  (Patch from Jaroslav Imrich)
* Issue #239: Crash on module unload with OpenSSL.
  (Patch from David Woodhouse)
* Issue #241: Added EXTRALIBS to Windows utils project.
  (Patch from Peter Polacko)
* Issue #250: C++11 not detected.
* Issue #255: API changes in Botan 1.11.27.
* Issue #260: Fix include guard to check WITH_FIPS.
  (Patch from Matt Hauck)
* Issue #268: p11test fails on 32-bit systems.
* Issue #270: Build warning about "converting a string constant".
* Issue #272: Fix C++11 check to look for unique_ptr.
  (Patch from Matt Hauck)


SoftHSM 2.1.0 - 2016-03-14

* Issue #136: Improved guide and build scripts for Windows.
  (Thanks to Jaroslav Imrich)
* Issue #144: The password prompt in softhsm2-util can now be
  interrupted (ctrl-c).
* Issue #166: Add slots.removable config option.
  (Patch from Sumit Bose)
* Issue #180: Windows configure script improvements.
  (Patch from Arnaud Grandville)

Bugfixes:
* Issue #128: Prioritize the return values in C_GetAttributeValue.
  (Patch from Nicholas Wilson)
* Issue #129: Fix errors reported by Visual Studio 2015.
  (Patch from Jaroslav Imrich)
* Issue #132: Handle the CKA_CHECK_VALUE correctly for certificates
  and symmetric key objects.
* Issue #154: Fix the Windows build and destruction order of objects.
  (Patch from Arnaud Grandville)
* Issue #162: Not possible to create certificate objects containing
  CKA_CERTIFICATE_CATEGORY, CKA_NAME_HASH_ALGORITHM, or
  CKA_JAVA_MIDP_SECURITY_DOMAIN.
* Issue #163: Do not attempt decryption of empty byte strings.
  (Patch from Michal Kepien)
* Issue #165: Minor changes after a PVS-Studio code analysis, and
  C_EncryptUpdate crash if no ciphered data is produced.
  (Patch from Arnaud Grandville)
* Issue #169: One-byte buffer overflow in call to EVP_DecryptUpdate.
* Issue #171: Problem while closing library that is initialized but
  improperly finalized.
* Issue #173: Adjust return values for the template parsing.
* Issue #174: C_DeriveKey() error with leading zero bytes.
* Issue #177: CKA_NEVER_EXTRACTABLE set to CK_FALSE on objects
  created with C_CreateObject.
* Issue #182: Resolve compiler warning.
  (Patch from Josh Datko)
* Issue #184: Stop discarding the global OpenSSL libcrypto state.
  (Patch from Michal Trojnara)
* SOFTHSM-123: Fix library cleanup on BSD.


SoftHSM 2.0.0 - 2015-07-17

* SOFTHSM-121: Test cases for C_DecryptUpdate/C_DecryptFinal.
* Support C_DecryptUpdate/C_DecryptFinal for symmetric algorithms.
  (Patch from Thomas Calderon)

Bugfixes:
* SOFTHSM-120: Segfault after renaming variables.


SoftHSM 2.0.0b3 - 2015-04-17

* SOFTHSM-113: Support for Botan 1.11.15
* SOFTHSM-119: softhsm2-util: Support ECDSA key import
  (Patch from Magnus Ahltorp)
* SUPPORT-139: Support deriving generic secrets, DES, DES2, DES3, and AES.
  Using DH, ECDH or symmetric encryption.

Bugfixes:
* SOFTHSM-108: A certificate marked as trusted cannot be imported.
* SOFTHSM-109: Unused parameter and variable warnings.
* SOFTHSM-110: subdir-objects warnings from autoreconf.
* SOFTHSM-111: Include FIPS-NOTES.md in dist.
* SOFTHSM-112: CKM_AES_KEY_WRAP* conflict in pkcs11.h.
* SOFTHSM-114: Fix memory leak in a test script.
* SOFTHSM-115: Fix static analysis warnings.
* SUPPORT-154: An object marked as non-modifiable cannot be generated.
* SUPPORT-155: auto_ptr is deprecated in C++11, use unique_ptr.
* SUPPORT-157: Derived secrets were truncated after encryption and
  could thus not be decrypted.
* Mutex should call MutexFactory wrapper functions.
  (Patch from Jerry Lundstrom)
* Return detailed error message to loadLibrary().
  (Patch from Petr Spacek)


SoftHSM 2.0.0b2 - 2014-12-28

* SOFTHSM-50: OpenSSL FIPS support.
* SOFTHSM-64: Updated build script for Windows.
* SOFTHSM-100: Use --free with softhsm2-util to initialize the first
  free token.
* SOFTHSM-103: Allow runtime configuration of log level.
* SOFTHSM-107: Support for CKM_<symcipher>_CBC_PAD.
* Add support for CKM_RSA_PKCS_OAEP key un/wrapping.
  (Patch from Petr Spacek)
* Use OpenSSL EVP interface for AES key wrapping.
  (Patch from Petr Spacek)
* Allow reading configuration file from user's home directory.
  (Patch from Nikos Mavrogiannopoulos)

Bugfixes:
* SOFTHSM-102: C_DeriveKey() uses OBJECT_OP_GENERATE.
* Coverity found a number of issues.


SoftHSM 2.0.0b1 - 2014-09-10

* SOFTHSM-84: Check that all mandatory attributes are given during
  the creation process.
* SOFTHSM-92: Enable -fvisibility=hidden by default
* SUPPORT-137: Implement C_EncryptUpdate and C_EncryptFinal
  (Patch from Martin Paljak)
* Add support for CKM_RSA_PKCS key un/wrapping
  (Patch from Petr Spacek)

Bugfixes:
* SOFTHSM-66: Attribute handling when using multiple threads
* SOFTHSM-93: Invalid C++ object recycling.
* SOFTHSM-95: umask affecting the calling application.
* SOFTHSM-97: Check if Botan has already been initialized.
* SOFTHSM-98: Handle mandatory attributes for DSA, DH, and ECDSA
  correctly.
* SOFTHSM-99: Binary encoding of GOST values.
* SUPPORT-136: softhsm2-keyconv creates files with sensitive material
  in insecure way.


SoftHSM 2.0.0a2 - 2014-03-25

* SOFTHSM-68: Display a better configure message when there is a
  version of Botan with a broken ECC/GOST/OID implementation.
* SOFTHSM-70: Improved handling of the database backend.
* SOFTHSM-71: Supporting Botan 1.11.
* SOFTHSM-76: Do not generate RSA keys smaller than 1024 bit when
  using the Botan crypto backend.
* SOFTHSM-83: Support CKA_VALUE_BITS for CKK_DH private key object.
* SOFTHSM-85: Rename libsofthsm.so to libsofthsm2.so and prefix the
  command line utilities with softhsm2-.
* SOFTHSM-89: Use constants and not strings for signaling algorithms.
* SUPPORT-129: Possible to use an empty template in C_GenerateKey.
  The class and key type are inherited from the generation mechanism.
  Some mechanisms do however require a length attribute. [SOFTHSM-88]
* SUPPORT-131: Support RSA-PSS using SHA1, SHA224, SHA256, SHA384,
  or SHA512. [SOFTHSM-87]

Bugfixes:
* SOFTHSM-39: Fix 64 bit build on sparc sun4v.
* SOFTHSM-69: GOST did not work when you disabled ECC.
* SOFTHSM-78: Correct the attribute checks for a number of objects.
* SOFTHSM-80: Prevent segfault in OpenSSL GOST HMAC code.
* SOFTHSM-91: Fix a warning from static code analysis.
* Fixed a number of memory leaks.


SoftHSM 2.0.0a1 - 2014-02-10

This is the first alpha release of SoftHSMv2. It focuses on a higher
level of security by encrypting sensitive information and using
unswappable memory. There is also a more generalized crypto backend,
where you can use Botan or OpenSSL.
2019-11-06 10:11:41 +00:00
rillig
e155a5488b security/pinentry: fix unknown configure option 2019-11-05 18:55:18 +00:00
taca
c1e1a007b3 security/ruby-net-scp: update to 2.0.0
Update to ruby-net-scp to 2.0.0.

o pkgsrc change:

  * Add "USE_LANGUAGES=	# none".


=== 2.0.0

* NetSSH 5.* support
2019-11-05 15:28:43 +00:00
taca
991f7405c2 security/ruby-net-ssh: really update to 5.2.0
Really update to 5.2.0, previous was 5.1.0.
2019-11-05 15:25:14 +00:00
taca
937a28d4f7 security/ruby-net-ssh: update to 5.2.0
Update ruby-net-ssh to 5.2.0.

o pkgsrc change:

  * Add "USE_LANGUAGES=	# none".


=== 5.2.0

=== 5.2.0.rc3

  * Fix check_host_ip read from config
  * Support ssh-ed25519 in known hosts

=== 5.2.0.rc2

  * Read check_host_ip from ssh config files

=== 5.2.0.rc1

  * Interpret * and ? in known_hosts file [Romain Tartière, #660]
  * New :check_host_ip so ip checking can be disabled in known hosts [Romain Tartière, #656]

=== 5.1.0

=== 5.1.0.rc1

  * Support new OpenSSH private key format for rsa - bcrypt for rsa (ed25519 already supported) [#646]
  * Support IdentityAgent in ssh config [Frank Groeneveld, #645]
  * Improve Match processing in ssh config [Aleksandrs Ļedovskis, #642]
  * Ignore signature verification when verify_host_key is never [Piotr Kliczewski, #641]
  * Alg preference was changed to prefer stronger encryptions [Tray, #637]
2019-11-05 15:22:32 +00:00
rillig
9fd786bb11 security: align variable assignments
pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
2019-11-04 21:12:51 +00:00
rillig
c18ce611ff mk: make BROKEN a list of lines, like PKG_FAIL_REASON
Packages defined the variable BROKEN inconsistently. Some added quotes,
like they are required in PKG_FAIL_REASON, some omitted them.

Now all packages behave the same, and pkglint will flag future mistakes.
2019-11-04 17:47:29 +00:00
wiz
d17284ce9c libtasn1: honor LDFLAGS 2019-11-04 08:13:50 +00:00
rillig
7942fb23fc security/log2timeline: remove ignored lines from package Makefile
Since the variables assignments all use the = operator instead of +=, all
except the last one are ignored. These are not needed anyway since Perl
modules don't need to have a correct interpreter.
2019-11-02 13:58:32 +00:00
triaxx
8f0bd114d9 sudo: add missing files in PLIST
pkgsrc changes:
---------------
* Add missing locale files in PLIST.
* Bump revision.
2019-10-31 14:43:13 +00:00
nia
7bd4fee3a5 kpcli: Update to 3.3
2019-Aug-16 v3.3 - Allow open and save with key-only authentication,
		    as requested in SF bug #35.
		 - Prevent "multiple entries titled" warning in the
		    /_found/ area, as reported in SF bug #36.
		 - Fix two bugs affecting Windows, as reported in
		    SourceForge patch #11.
		 - Mark /_found entries as "*OLD" when listed, if
		    they reside in a group named old. Addresses an
		    issue where searches turn up "old" accounts.
2019-10-31 14:09:09 +00:00
jperkin
0730e40706 clamav: Fix install with the milter option enabled. 2019-10-31 11:22:15 +00:00
nia
46a67727a4 keepassxc: Add SUPERSEDES 2019-10-29 15:46:54 +00:00
nia
096260f134 Remove security/keepassx0 successor security/keepassxc 2019-10-29 09:17:37 +00:00
bouyer
b5525405d9 Add qt5-qtkeychain 2019-10-28 18:51:37 +00:00
agc
57a461e2ef Import libstark-20191018 into the packages collection
The libSTARK library implements scalable and transparent argument of
knowledge (STARK) systems.  These systems can be executed with, or
without, zero knowledge (ZK), and may be designed as either
interactive or non-interactive protocols.  The theoretical
constructions which this library implements are described in detail in
the zk-STARK paper:

Scalable, transparent, and post-quantum secure computational integrity
Eli Ben-Sasson and Iddo Bentov and Yinon Horesh and Michael Riabzev

	https://eprint.iacr.org/2018/046
2019-10-28 17:46:58 +00:00
bouyer
610f273032 Add qt5-qtkeychain version 0.9.1
QtKeychain is a Qt API to store passwords and other secret data
securely. How the data is stored depends on the platform.
2019-10-27 18:20:00 +00:00
kamil
b5ec61edb7 xca: Switch from qt4 to qt5
Address a selection of warnings from pkglint.
Fix perl usage.

Drop options as they were qt4 specific.
2019-10-27 12:08:29 +00:00
nia
fdbb1b2c90 Remove security/keepassx successor security/keepassxc 2019-10-25 11:14:32 +00:00
spz
5d78b2305b update libtasn1 to version 4.14:
* Noteworthy changes in release 4.14 (released 2019-07-21) [stable]
- New #defines for version checking: ASN1_VERSION_MAJOR, ASN1_VERSION_MINOR,
  ASN1_VERSION_PATCH, ASN1_VERSION_NUMBER. The next release will switch
  to semantic version semantics.
- Simplify ordering of SET OF elements by using qsort().
- Marked explicitly const uses of asn1_node with the introduction
  of the (compatible) asn1_node_const type.
- Limit recursion in _asn1_expand_object_id() to detect infinite
  recursion in incorrect .asn files (#4).
- asn1_array2tree(): fixed thread safety issues.
- Several fixes in gtk-doc generation.

fixes CVE-2018-1000654
2019-10-25 06:03:12 +00:00
he
41e9b98616 Upgrade security/vault to version 1.2.3.
Pkgsrc changes:
 * Fix == in shell script test.
 * Add some patches to make this build on NetBSD.

Upstream changes:

## 1.2.3 (September 12, 2019)

FEATURES:
 * Oracle Cloud (OCI) Integration: Vault now supports using Oracle
   Cloud for storage, auto unseal, and authentication.

IMPROVEMENTS:
 * auth/jwt: Groups claim matching now treats a string response
   as a single element list [JWT-63]
 * auth/kubernetes: enable better support for projected tokens
   API by allowing user to specify issuer [GH-65]
 * auth/pcf: The PCF auth plugin was renamed to the CF auth plugin,
   maintaining full backwards compatibility [GH-7346]
 * replication: Premium packages now come with unlimited performance
   standby nodes

BUG FIXES:
 * agent: Allow batch tokens and other non-renewable tokens to be
   used for agent operations [GH-7441]
 * auth/jwt: Fix an error where newer (v1.2) token_* configuration
   parameters were not being applied to tokens generated using
   the OIDC login flow [JWT-67]
 * seal/transit: Allow using Vault Agent for transit seal operations
   [GH-7441]
 * storage/couchdb: Fix a file descriptor leak [GH-7345]
 * ui: Fix a bug where the status menu would disappear when trying
   to revoke a token [GH-7337]
 * ui: Fix a regression that prevented input of custom items in
   search-select [GH-7338]
 * ui: Fix an issue with the namespace picker being unable to
   render nested namespaces named with numbers and sorting of
   namespaces in the picker [GH-7333]

## 1.2.2 (August 15, 2019)

CHANGES:
 * auth/pcf: The signature format has been updated to use the
   standard Base64 encoding instead of the URL-safe variant.
   Signatures created using the previous format will continue to
   be accepted [PCF-27]
 * core: The http response code returned when an identity token
   key is not found has been changed from 400 to 404

IMPROVEMENTS:
 * identity: Remove 512 entity limit for groups [GH-7317]

BUG FIXES:
 * auth/approle: Fix an error where an empty token_type string
   was not being correctly handled as TokenTypeDefault [GH-7273]
 * auth/radius: Fix panic when logging in [GH-7286]
 * ui: the string-list widget will now honor multiline input [GH-7254]
 * ui: various visual bugs in the KV interface were addressed [GH-7307]
 * ui: fixed incorrect URL to access help in LDAP auth [GH-7299]

## 1.2.1 (August 6th, 2019)

BUG FIXES:
 * agent: Fix a panic on creds pulling in some error conditions
   in aws and alicloud auth methods [GH-7238]
 * auth/approle: Fix error reading role-id on a role created
   pre-1.2 [GH-7231]
 * auth/token: Fix sudo check in non-root namespaces on create
   [GH-7224]
 * core: Fix health checks with perfstandbyok=true returning the
   wrong status code [GH-7240]
 * ui: The web CLI will now parse input as a shell string, with
   special characters escaped [GH-7206]
 * ui: The UI will now redirect to a page after authentication
   [GH-7088]
 * ui (Enterprise): The list of namespaces is now cleared when
   logging out [GH-7186]

## 1.2.0 (July 30th, 2019)

CHANGES:
 * Token store roles use new, common token fields for the values
   that overlap with other auth backends. period, explicit_max_ttl,
   and bound_cidrs will continue to work, with priority being
   given to the token_ prefixed versions of those parameters. They
   will also be returned when doing a read on the role if they
   were used to provide values initially; however, in Vault 1.4
   if period or explicit_max_ttl is zero they will no longer be
   returned. (explicit_max_ttl was already not returned if empty.)
 * Due to underlying changes in Go version 1.12 and Go > 1.11.5,
   Vault is now stricter about what characters it will accept in
   path names. Whereas before it would filter out unprintable
   characters (and this could be turned off), control characters
   and other invalid characters are now rejected within Go's HTTP
   library before the request is passed to Vault, and this cannot
   be disabled. To continue using these (e.g. for already-written
   paths), they must be properly percent-encoded (e.g. \r becomes
   %0D, \x00 becomes %00, and so on).
 * The user-configured regions on the AWSKMS seal stanza will now
   be preferred over regions set in the enclosing environment.
   This is a breaking change.
 * All values in audit logs now are omitted if they are empty.
   This helps reduce the size of audit log entries by not reproducing
   keys in each entry that commonly don't contain any value, which
   can help in cases where audit log entries are above the maximum
   UDP packet size and others.
 * Both PeriodicFunc and WALRollback functions will be called if
   both are provided. Previously WALRollback would only be called
   if PeriodicFunc was not set. See GH-6717 for details.
 * Vault now uses Go's official dependency management system, Go
   Modules, to manage dependencies. As a result, to both reduce
   transitive dependencies for API library users and plugin authors,
   and to work around various conflicts, we have moved various
   helpers around, mostly under an sdk/ submodule. A couple of
   functions have also moved from plugin helper code to the api/
   submodule. If you are a plugin author, take a look at some of
   our official plugins and the paths they are importing for
   guidance.
 * AppRole uses new, common token fields for values that overlap
   with other auth backends. period and policies will continue to
   work, with priority being given to the token_ prefixed versions
   of those parameters. They will also be returned when doing a
   read on the role if they were used to provide values initially.
 * In AppRole, "default" is no longer automatically added to the
   policies parameter. This was a no-op since it would always be
   added anyways by Vault's core; however, this can now be explicitly
   disabled with the new token_no_default_policy field.
 * In AppRole, bound_cidr_list is no longer returned when reading
   a role
 * rollback: Rollback will no longer display log messages when it
   runs; it will only display messages on error.
 * Database plugins will now default to 4 max_open_connections
   rather than 2.

FEATURES:
 * Integrated Storage: Vault 1.2 includes a tech preview of a new
   way to manage storage directly within a Vault cluster. This
   new integrated storage solution is based on the Raft protocol
   which is also used to back HashiCorp Consul and HashiCorp Nomad.
 * Combined DB credential rotation: Alternative mode for the
   Combined DB Secret Engine to automatically rotate existing
   database account credentials and set Vault as the source of
   truth for credentials.
 * Identity Tokens: Vault's Identity system can now generate
   OIDC-compliant ID tokens. These customizable tokens allow
   encapsulating a signed, verifiable snapshot of identity
   information and metadata. They can be used by other applications, even
   those without Vault authorization, as a way of establishing
   identity based on a Vault entity.
 * Pivotal Cloud Foundry plugin: New auth method using Pivotal
   Cloud Foundry certificates for Vault authentication.
 * ElasticSearch database plugin: New ElasticSearch database plugin
   issues unique, short-lived ElasticSearch credentials.
 * New UI Features: An HTTP Request Volume Page and new UI for
   editing LDAP Users and Groups have been added.
 * HA support for Postgres: PostgreSQL versions >= 9.5 may now
   be used as an HA storage backend.
 * KMIP secrets engine (Enterprise): Allows Vault to operate as
   a KMIP Server, seamlessly brokering cryptographic operations
   for traditional infrastructure.
 * Common Token Fields: Auth methods now use common fields for
   controlling token behavior, making it easier to understand
   configuration across methods.
 * Vault API explorer: The Vault UI now includes an embedded API
   explorer where you can browse the endpoints available to you
   and make requests. To try it out, open the Web CLI and type
   api.

IMPROVEMENTS:
 * agent: Allow EC2 nonce to be passed in [GH-6953]
 * agent: Add optional namespace parameter, which sets the default
   namespace for the auto-auth functionality [GH-6988]
 * agent: Add cert auto-auth method [GH-6652]
 * api: Add support for passing data to delete operations via
   DeleteWithData [GH-7139]
 * audit/file: Dramatically speed up file operations by changing
   locking/marshaling order [GH-7024]
 * auth/jwt: A JWKS endpoint may now be configured for signature
   verification [JWT-43]
 * auth/jwt: A new verbose_oidc_logging role parameter has been
   added to help troubleshoot OIDC configuration [JWT-57]
 * auth/jwt: bound_claims will now match received claims that are
   lists if any element of the list is one of the expected values
   [JWT-50]
 * auth/jwt: Leeways for nbf and exp are now configurable, as is
   clock skew leeway [JWT-53]
 * auth/kubernetes: Allow service names/namespaces to be configured
   as globs [KUBEAUTH-58]
 * auth/token: Allow the support of the identity system for the
   token backend via token roles [GH-6267]
 * auth/token: Add a large set of token configuration options to
   token store roles [GH-6662]
 * cli: path-help now allows -format=json to be specified, which
   will output OpenAPI [GH-7006]
 * cli: Add support for passing parameters to vault delete operations
   [GH-7139]
 * cli: Add a log-format CLI flag that can specify either "standard"
   or "json" for the log format for the vault server command.
   [GH-6840]
 * cli: Add -dev-no-store-token to allow dev servers to not store
   the generated token at the tokenhelper location [GH-7104]
 * identity: Allow a group alias' canonical ID to be modified
 * namespaces: Namespaces can now be created and deleted from
   performance replication secondaries
 * plugins: Change the default for max_open_connections for DB
   plugins to 4 [GH-7093]
 * replication: Client TLS authentication is now supported when
   enabling or updating a replication secondary
 * secrets/database: Cassandra operations will now cancel on client
   timeout [GH-6954]
 * secrets/kv: Add optional delete_version_after parameter, which
   takes a duration and can be set on the mount and/or the metadata
   for a specific key [GH-7005]
 * storage/postgres: LIST now performs better on large datasets
   [GH-6546]
 * storage/s3: A new path parameter allows selecting the path
   within a bucket for Vault data [GH-7157]
 * ui: KV v1 and v2 will now gracefully degrade allowing a write
   without read workflow in the UI [GH-6570]
 * ui: Many visual improvements with the addition of Toolbars
   [GH-6626], the restyling of the Confirm Action component
   [GH-6741], and using a new set of glyphs for our Icon component
   [GH-6736]
 * ui: Lazy loading parts of the application so that the total
   initial payload is smaller [GH-6718]
 * ui: Tabbing to auto-complete in filters will first complete a
   common prefix if there is one [GH-6759]
 * ui: Removing jQuery from the application makes the initial JS
   payload smaller [GH-6768]

BUG FIXES:
 * audit: Log requests and responses due to invalid wrapping token
   provided [GH-6541]
 * audit: Fix bug preventing request counter queries from working
   with auditing enabled [GH-6767]
 * auth/aws: AWS Roles are now upgraded and saved to the latest
   version just after the AWS credential plugin is mounted.
   [GH-7025]
 * auth/aws: Fix a case where a panic could stem from a malformed
   assumed-role ARN when parsing this value [GH-6917]
 * auth/aws: Fix an error complaining about a read-only view that
   could occur during updating of a role when on a performance
   replication secondary [GH-6926]
 * auth/jwt: Fix a regression introduced in 1.1.1 that disabled
   checking of client_id for OIDC logins [JWT-54]
 * auth/jwt: Fix a panic during OIDC CLI logins that could occur
   if the Vault server response is empty [JWT-55]
 * auth/jwt: Fix issue where OIDC logins might intermittently fail
   when using performance standbys [JWT-61]
 * identity: Fix a case where modifying aliases of an entity could
   end up moving the entity into the wrong namespace
 * namespaces: Fix a behavior (currently only known to be benign)
   where we wouldn't delete policies through the official functions
   before wiping the namespaces on deletion
 * secrets/database: Escape username/password before using in
   connection URL [GH-7089]
 * secrets/pki: Forward revocation requests to active node when
   on a performance standby [GH-7173]
 * ui: Fix timestamp on some transit keys [GH-6827]
 * ui: Show Entities and Groups in Side Navigation [GH-7138]
 * ui: Ensure dropdown updates selected item on HTTP Request
   Metrics page

## 1.1.4/1.1.5 (July 25th/30th, 2019)

NOTE:

Although 1.1.4 was tagged, we realized very soon after the tag was
publicly pushed that an intended fix was accidentally left out. As
a result, 1.1.4 was not officially announced and 1.1.5 should be
used as the release after 1.1.3.

IMPROVEMENTS:
 * identity: Allow a group alias' canonical ID to be modified
 * namespaces: Improve namespace deletion performance [GH-6939]
 * namespaces: Namespaces can now be created and deleted from
   performance replication secondaries

BUG FIXES:
 * api: Add backwards compat support for API env vars [GH-7135]
 * auth/aws: Fix a case where a panic could stem from a malformed
   assumed-role ARN when parsing this value [GH-6917]
 * auth/ldap: Add use_pre111_group_cn_behavior flag to allow
   recovering from a regression caused by a bug fix starting in
   1.1.1 [GH-7208]
 * auth/aws: Use a role cache to avoid separate locking paths
   [GH-6926]
 * core: Fix a deadlock if a panic happens during request handling
   [GH-6920]
 * core: Fix an issue that may cause key upgrades to not be cleaned
   up properly [GH-6949]
 * core: Don't shutdown if key upgrades fail due to canceled
   context [GH-7070]
 * core: Fix panic caused by handling requests while vault is
   inactive
 * identity: Fix reading entity and groups that have spaces in
   their names [GH-7055]
 * identity: Ensure entity alias operations properly verify
   namespace [GH-6886]
 * mfa: Fix a nil pointer panic that could occur if invalid Duo
   credentials were supplied
 * replication: Forward step-down on perf standbys to match HA
   behavior
 * replication: Fix various read only storage errors on performance
   standbys
 * replication: Stop forwarding before stopping replication to
   eliminate some possible bad states
 * secrets/database: Allow cassandra queries to be canceled [GH-6954]
 * storage/consul: Fix a regression causing vault to not connect
   to consul over unix sockets [GH-6859]
 * ui: Fix saving of TTL and string array fields generated by Open
   API [GH-7094]

## 1.1.3 (June 5th, 2019)

IMPROVEMENTS:
 * agent: Now supports proxying request query parameters [GH-6772]
 * core: Mount table output now includes a UUID indicating the
   storage path [GH-6633]
 * core: HTTP server timeout values are now configurable [GH-6666]
 * replication: Improve performance of the reindex operation on
   secondary clusters when mount filters are in use
 * replication: Replication status API now returns the state and
   progress of a reindex

BUG FIXES:
 * api: Return the Entity ID in the secret output [GH-6819]
 * auth/jwt: Count bound claims when checking whether a role has at least one
   bound constraint [JWT-49]
 * auth/okta: Fix handling of group names containing slashes [GH-6665]
 * cli: Add deprecated stored-shares flag back to the init command [GH-6677]
 * cli: Fix a panic when the KV command would return no data [GH-6675]
 * cli: Fix issue causing CLI list operations to not return proper format when
   there is an empty response [GH-6776]
 * core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
 * core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
   endpoints [GH-6654]
 * core: Fix issue where some OpenAPI parameters were incorrectly listed as
   being sent as a header [GH-6679]
 * core: Fix issue that would allow duplicate mount names to be used [GH-6771]
 * namespaces: Fix behavior when using `root` instead of `root/` as the
   namespace header value
 * pki: fix a panic when a client submits a null value [GH-5679]
 * replication: Properly update mount entry cache on a secondary to apply all
   new values after a tune
 * replication: Properly close connection on bootstrap error
 * replication: Fix an issue causing startup problems if a namespace policy
   wasn't replicated properly
 * replication: Fix longer than necessary WAL replay during an initial reindex
 * replication: Fix error during mount filter invalidation on DR
   secondary clusters
 * secrets/ad: Make time buffer configurable [AD-35]
 * secrets/gcp: Check for nil config when getting credentials [SGCP-35]
 * secrets/gcp: Fix error checking in some cases where the returned value could
   be 403 instead of 404 [SGCP-37]
 * secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
 * storage/consul: recognize `https://` address even if scheme not specified
   [GH-6602]
 * storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
   could cause constant switching of the active node [GH-6637]
 * storage/dynamodb: Eliminate a high-CPU condition that could occur if an
   error was received from the DynamoDB API [GH-6640]
 * storage/gcs: Correctly use configured chunk size values [GH-6655]
 * storage/mssql: Use the correct database when pre-created schemas exist
   [GH-6356]
 * ui: Fix issue with select arrows on drop down menus [GH-6627]
 * ui: Fix an issue where sensitive input values weren't being saved to the
   server [GH-6586]
 * ui: Fix web cli parsing when using quoted values [GH-6755]
 * ui: Fix a namespace workflow mapping identities from external namespaces by
   allowing arbitrary input in search-select component [GH-6728]

## 1.1.2 (April 18th, 2019)

This is a bug fix release containing the two items below. It is otherwise
unchanged from 1.1.1.

BUG FIXES:
 * auth/okta: Fix a potential dropped error [GH-6592]
 * secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
   mounted on unseal if it had previously been mounted but not written to
   [KV-31]

## 1.1.1 (April 11th, 2019)

SECURITY:
 * Given: (a) performance replication is enabled; (b) performance standbys are
   in use on the performance replication secondary cluster; and (c) mount
   filters are in use, if a mount that was previously available to a secondary
   is updated to be filtered out, although the data would be removed from the
   secondary cluster, the in-memory cache of the data would not be purged on
   the performance standby nodes. As a result, the previously-available data
   could still be read from memory if it was ever read from disk, and if this
   included mount configuration data this could result in token or lease

BUG FIXES:
 * agent: Allow auto-auth to be used with caching without having to define any
   sinks [GH-6468]
 * agent: Disallow some nonsensical config file combinations [GH-6471]
 * auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
 * auth/jwt: The CLI helper for OIDC logins will now open the
   browser to the correct URL when running on Windows [JWT-37]
 * auth/jwt: Fix OIDC login issue where configured TLS certs weren't
   being used [JWT-40]
 * auth/jwt: Fix an issue where the `oidc_scopes` parameter was
   not being included in the response to a role read request [JWT-35]
 * core: Fix seal migration case when migrating to Shamir and a seal block
   wasn't explicitly specified [GH-6455]
 * core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
 * core: Fix incorrect representation of required properties in OpenAPI output
   [GH-6490]
 * core: Fix deadlock that could happen when using the UI [GH-6560]
 * identity: Fix updating groups removing existing members [GH-6527]
 * identity: Properly invalidate group alias in performance secondary [GH-6564]
 * identity: Use namespace context when loading entities and groups to ensure
   merging of duplicate entries works properly [GH-6563]
 * replication: Fix performance standby election failure [GH-6561]
 * replication: Fix mount filter invalidation on performance standby nodes
 * replication: Fix license reloading on performance standby nodes
 * replication: Fix handling of control groups on performance standby nodes
 * replication: Fix some forwarding scenarios with request bodies using
   performance standby nodes [GH-6538]
 * secret/gcp: Fix roleset binding when using JSON [GCP-27]
 * secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
 * storage/dynamodb: Fix a race condition possible in HA configurations
   that could leave the cluster without a leader [GH-6512]
 * ui: Fix an issue where in production builds OpenAPI model
   generation was failing, causing any form using it to render
   labels with missing fields [GH-6474]
 * ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
 * ui: Secrets will always show in the nav regardless of access to
   cubbyhole [GH-6477]
 * ui: fix SSH OTP generation [GH-6540]
 * ui: add polyfill to load UI in IE11 [GH-6567]
 * ui: Fix issue where some elements would fail to work properly if using ACLs
   with segment-wildcard paths (`/+/` segments) [GH-6525]

## 1.1.0 (March 18th, 2019)

CHANGES:
 * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
   groups claim is not at the top level, it can now be specified as a
   [JSONPointer](https://tools.ietf.org/html/rfc6901).
 * auth/jwt: Roles now have a "role type" parameter with a default type of
   "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
   specified.
 * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
   help/warning output in previous versions of Vault for updated commands.
 * core: Vault no longer automatically mounts a K/V backend at the "secret/"
   path when initializing Vault
 * core: Vault's cluster port will now be open at all times on HA standby nodes
 * plugins: Vault no longer supports running netRPC plugins. These were
   deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
   defaults to gRPC. Older plugins may need to be recompiled against the latest
   Vault dependencies.
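
The JSONPointer change above means the groups claim no longer has to sit at the top level of the token; a role can point into a nested object whose keys may themselves contain `/` or `~`. As an added example (written for this changelog, not code from the JWT plugin), the following Go resolves an RFC 6901 pointer over decoded claims and extracts a string list from it, rejecting anything that is not a list of strings. The sample claims, the namespaced `https://example.com/claims` key, and the function names are constructed for the illustration; `groups_claim` is the role field the changelog refers to.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample claims from an ID token (not real provider output). The
// interesting groups live under a namespaced claim whose key contains "/", so
// addressing it needs the RFC 6901 escape "~1" for "/" ("~0" stands for "~").
const sampleClaimsJSON = `{
  "sub": "alice",
  "groups": ["top-level"],
  "https://example.com/claims": {"groups": ["dev", "sec/ops"]}
}`

func sampleClaims() map[string]interface{} {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(sampleClaimsJSON), &claims); err != nil {
		panic(err)
	}
	return claims
}

// resolvePointer walks a decoded JSON document along an RFC 6901 pointer:
// "" names the whole document, each "/token" descends one level, "~1" then
// "~0" are unescaped (in that order) to "/" and "~", and numeric tokens index
// arrays. Any missing key or bad index is an error, never a silent nil.
func resolvePointer(doc interface{}, pointer string) (interface{}, error) {
	if pointer == "" {
		return doc, nil
	}
	if !strings.HasPrefix(pointer, "/") {
		return nil, fmt.Errorf("pointer %q must start with '/'", pointer)
	}
	cur := doc
	for _, raw := range strings.Split(pointer[1:], "/") {
		tok := strings.ReplaceAll(strings.ReplaceAll(raw, "~1", "/"), "~0", "~")
		switch v := cur.(type) {
		case map[string]interface{}:
			next, ok := v[tok]
			if !ok {
				return nil, fmt.Errorf("key %q not found", tok)
			}
			cur = next
		case []interface{}:
			i, err := strconv.Atoi(tok)
			if err != nil || i < 0 || i >= len(v) {
				return nil, fmt.Errorf("bad array index %q", tok)
			}
			cur = v[i]
		default:
			return nil, fmt.Errorf("cannot descend into %T with token %q", cur, tok)
		}
	}
	return cur, nil
}

// groupsFromClaims returns the group names for a role whose groups_claim is
// either a top-level claim name or (when it starts with "/") a JSON Pointer.
// The value must be a list of strings; anything else is rejected so that a
// misconfigured pointer cannot quietly yield no groups or the wrong ones.
func groupsFromClaims(claims map[string]interface{}, groupsClaim string) ([]string, error) {
	var raw interface{}
	if strings.HasPrefix(groupsClaim, "/") {
		v, err := resolvePointer(claims, groupsClaim)
		if err != nil {
			return nil, err
		}
		raw = v
	} else {
		v, ok := claims[groupsClaim]
		if !ok {
			return nil, fmt.Errorf("claim %q not found", groupsClaim)
		}
		raw = v
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf("groups claim %q is not a list", groupsClaim)
	}
	out := make([]string, 0, len(list))
	for _, g := range list {
		s, ok := g.(string)
		if !ok {
			return nil, fmt.Errorf("group %v is not a string", g)
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	claims := sampleClaims()
	for _, gc := range []string{"groups", "/https:~1~1example.com~1claims/groups", "/sub"} {
		groups, err := groupsFromClaims(claims, gc)
		fmt.Printf("%-44s -> %v (err: %v)\n", gc, groups, err)
	}
}
```

The unescape order matters: `~1` must be replaced before `~0`, otherwise the token `~01` would wrongly become `/` instead of `~1`. Pointing at a scalar such as `/sub` is an error rather than an empty group list, which is the safer failure for an authorization input.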

FEATURES:
 * **Vault Agent Caching**: Vault Agent can now be configured to act as a
   caching proxy to Vault. Clients can send requests to Vault Agent and the
   request will be proxied to the Vault server and cached locally in Agent.
   Currently Agent will cache generated leases and tokens and keep them
   renewed. The proxy can also use the Auto Auth feature so clients do not need
   to authenticate to Vault, but rather can make requests to Agent and have
   Agent fully manage token lifecycle.
 * **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
   roles. These allow authentication via an OIDC-compliant provider via the
   user's browser. The login may be initiated from the Vault UI or through
   the `vault login` command.
 * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
   wild card matching for a single directory in the path definition.
 * **Transit Auto Unseal**: Vault can now be configured to use the Transit
   Secret Engine in another Vault cluster as an auto unseal provider.
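
To make the `+` semantics concrete, here is an added Go example (written for this changelog, not Vault's own ACL code) of a path matcher where `+` matches exactly one non-empty segment and a trailing `*` matches any suffix, plus a deliberately simplified policy check over a list of rules. The rule patterns, paths and `Rule`/`allowed` names are constructed for the illustration; Vault's real precedence rules between overlapping patterns are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// matchACLPath reports whether a request path matches an ACL path pattern.
// Two wildcard forms are handled, as described above: "+" matches exactly one
// non-empty path segment, and a trailing "*" matches any remaining suffix.
// Illustrative matcher written for this changelog, not Vault's own code.
func matchACLPath(pattern, path string) bool {
	glob := strings.HasSuffix(pattern, "*")
	if glob {
		pattern = strings.TrimSuffix(pattern, "*")
	}
	pSegs := strings.Split(pattern, "/")
	tSegs := strings.Split(path, "/")

	for i, seg := range pSegs {
		if i >= len(tSegs) {
			return false
		}
		last := i == len(pSegs)-1
		switch {
		case seg == "+":
			// exactly one segment; an empty segment ("a//b") does not count
			if tSegs[i] == "" {
				return false
			}
		case last && glob:
			// prefix match on the final segment; anything may follow it
			return strings.HasPrefix(tSegs[i], seg)
		case seg != tSegs[i]:
			return false
		}
	}
	// no glob: the path must have exactly as many segments as the pattern
	return len(tSegs) == len(pSegs)
}

// Rule is one path rule of a policy: a pattern and the capabilities it grants.
type Rule struct {
	Pattern      string
	Capabilities []string
}

// allowed is a simplified policy evaluation: the request is permitted if any
// matching rule grants the capability. (Vault's real precedence rules between
// overlapping patterns are more involved and are not modelled here.)
func allowed(rules []Rule, path, capability string) bool {
	for _, r := range rules {
		if !matchACLPath(r.Pattern, path) {
			continue
		}
		for _, c := range r.Capabilities {
			if c == capability {
				return true
			}
		}
	}
	return false
}

func main() {
	rules := []Rule{
		{Pattern: "secret/data/+/config", Capabilities: []string{"read"}},
		{Pattern: "secret/data/shared/*", Capabilities: []string{"read", "list"}},
	}
	for _, p := range []string{"secret/data/teamA/config", "secret/data/teamA/sub/config", "secret/data/shared/x/y"} {
		fmt.Printf("%-32s read=%v\n", p, allowed(rules, p, "read"))
	}
}
```

The practical point of `+` is that `secret/data/+/config` grants access to each team's `config` key without also granting `secret/data/teamA/sub/config`, which a `secret/data/*` glob would have swept in.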

IMPROVEMENTS:
 * auth/jwt: A default role can be set. It will be used during
   JWT/OIDC logins if a role is not specified.
 * auth/jwt: Arbitrary claims data can now be copied into token &
   alias metadata.
 * auth/jwt: An arbitrary set of bound claims can now be configured for a role.
 * auth/jwt: The name "oidc" has been added as an alias for the
   jwt backend. Either name may be specified in the `auth enable` command.
 * command/server: A warning will be printed when 'tls_cipher_suites'
   includes a blacklisted cipher suite or all cipher suites are blacklisted
   by the HTTP/2 specification [GH-6300]
 * core/metrics: Prometheus pull support using a new sys/metrics
   endpoint. [GH-5308]
 * core: On non-windows platforms a SIGUSR2 will make the server log a dump of
   all running goroutines' stack traces for debugging purposes [GH-6240]
 * replication: The initial replication indexing process on newly
   initialized or upgraded clusters now runs asynchronously
 * sentinel: Add token namespace id and path, available in rules as
   token.namespace.id and token.namespace.path
 * ui: The UI is now leveraging OpenAPI definitions to pull in
   fields for various forms.  This means, it will not be necessary to add
   fields on the go and JS sides in the future.  [GH-6209]

BUG FIXES:
 * auth/jwt: Apply `bound_claims` validation across all login paths
 * auth/jwt: Update `bound_audiences` validation during non-OIDC
   logins to accept any matched audience, as documented and handled
   in OIDC logins [JWT-30]
 * auth/token: Fix issue where empty values for token role update call were
   ignored [GH-6314]
 * core: The `operator migrate` command will no longer hang on empty key names
   [GH-6371]
 * identity: Fix a panic at login when external group has a nil alias [GH-6230]
 * namespaces: Clear out identity store items upon namespace deletion
 * replication/perfstandby: Fixed a bug causing performance standbys to wait
   longer than necessary after forwarding a write to the active node
 * replication/mountfilter: Fix a deadlock that could occur when mount filters
   were updated [GH-6426]
 * secret/kv: Fix issue where a v1→v2 upgrade could run on a performance
   standby when using a local mount
 * secret/ssh: Fix for a bug where attempting to delete the last ssh role
   in the zeroaddress configuration could fail [GH-6390]
 * secret/totp: Uppercase provided keys so they don't fail base32 validation
   [GH-6400]
 * secret/transit: Multiple HMAC, Sign or Verify operations can now be
   performed with one API call using the new `batch_input` parameter [GH-5875]
 * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
   that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
   return an error response if a filtered mount path is requested. [GH-6412]
 * ui: Fix for a bug where you couldn't access the data tab after clicking on
   wrap details on the unwrap page [GH-6404]
 * ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
 * ui: Fix encoding issues with kv interfaces [GH-6294]

## 1.0.3.1 (March 14th, 2019) (Enterprise Only)

SECURITY:

 * A regression was fixed in replication mount filter code introduced in Vault
   1.0 that caused the underlying filtered data to be replicated to
   secondaries. This data was not accessible to users via Vault's API but via a
   combination of privileged configuration file changes/Vault commands it could
   be read.  Upgrading to this version or 1.1 will fix this issue and cause the
   replicated data to be deleted from filtered secondaries. More information
   was sent to customer contacts on file.

## 1.0.3 (February 12th, 2019)

CHANGES:
 * New AWS authentication plugin mounts will default to using the generated
   role ID as the Identity alias name. This applies to both EC2 and IAM auth.
   Existing mounts that explicitly set this value will not be affected but
   mounts that specified no preference will switch over on upgrade.
 * The default policy now allows a token to look up its associated identity
   entity either by name or by id [GH-6105]
 * The Vault UI's navigation and onboarding wizard now only displays items that
   are permitted in a user's policy [GH-5980, GH-6094]
 * An issue was fixed that caused recovery keys to not work on
   secondary clusters when using a different unseal mechanism/key
   than the primary. This would be hit if the cluster was rekeyed
   or initialized after 1.0. We recommend rekeying the recovery
   keys on the primary cluster if you meet the above requirements.

FEATURES:
 * **cURL Command Output**: CLI commands can now use the `-output-curl-string`
   flag to print out an equivalent cURL command.
 * **Response Headers From Plugins**: Plugins can now send back headers that
   will be included in the response to a client. The set of allowed headers can
   be managed by the operator.

IMPROVEMENTS:
 * auth/aws: AWS EC2 authentication can optionally create entity aliases by
   role ID [GH-6133]
 * auth/jwt: The supported set of signing algorithms is now configurable [JWT
   plugin GH-16]
 * core: When starting from an uninitialized state, HA nodes will now attempt
   to auto-unseal using a configured auto-unseal mechanism after the active
   node initializes Vault [GH-6039]
 * secret/database: Add socket keepalive option for Cassandra [GH-6201]
 * secret/ssh: Add signed key constraints, allowing enforcement of key types
   and minimum key sizes [GH-6030]
 * secret/transit: ECDSA signatures can now be marshaled in JWS-compatible
   fashion [GH-6077]
 * storage/etcd: Support SRV service names [GH-6087]
 * storage/aws: Support specifying a KMS key ID for server-side encryption
   [GH-5996]

BUG FIXES:
 * core: Fix a rare case where a standby whose connection is entirely torn down
   to the active node, then reconnects to the same active node, may not
   successfully resume operation [GH-6167]
 * cors: Don't duplicate headers when they're written [GH-6207]
 * identity: Persist merged entities only on the primary [GH-6075]
 * replication: Fix a potential race when a token is created and then used with
   a performance standby very quickly, before an associated entity has been
   replicated. If the entity is not found in this scenario, the request will
   forward to the active node.
 * replication: Fix issue where recovery keys would not work on secondary
   clusters if using a different unseal mechanism than the primary.
 * replication: Fix a "failed to register lease" error when using performance
   standbys
 * storage/postgresql: The `Get` method will now return an Entry object with
   the `Key` member correctly populated with the full path that was requested
   instead of just the last path element [GH-6044]

## 1.0.2 (January 15th, 2019)

SECURITY:
 * When creating a child token from a parent with `bound_cidrs`, the list of
   CIDRs would not be propagated to the child token, allowing the child token
   to be used from any address.
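
The failure mode and its fix are easy to reason about in code. Below is an added Go example (written for this changelog, not Vault's token store) with the vulnerable child-token creation next to a corrected version that inherits the parent's CIDRs and only lets a child narrow them, together with the request-time source-address check. The `Token` type, the example addresses and the function names are constructed for the illustration; the subset rule (a child block must lie inside some parent block) is this example's policy, not a statement of Vault's exact behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Token is a minimal stand-in for a Vault token record; only the fields this
// example needs. Illustrative code, not Vault's own token store.
type Token struct {
	ID         string
	BoundCIDRs []string
}

// createChildVulnerable mirrors the pre-1.0.2 behaviour described above: the
// parent's bound_cidrs are never consulted, so a child created with no CIDRs
// of its own is usable from any address.
func createChildVulnerable(parent Token, id string, requested []string) Token {
	return Token{ID: id, BoundCIDRs: requested}
}

// createChildFixed propagates the restriction: a child that asks for no CIDRs
// inherits the parent's, and a child that asks for its own may only narrow
// them (every requested block must lie inside some parent block).
func createChildFixed(parent Token, id string, requested []string) (Token, error) {
	if len(parent.BoundCIDRs) == 0 {
		return Token{ID: id, BoundCIDRs: requested}, nil
	}
	if len(requested) == 0 {
		return Token{ID: id, BoundCIDRs: append([]string(nil), parent.BoundCIDRs...)}, nil
	}
	for _, c := range requested {
		if !cidrWithinAny(c, parent.BoundCIDRs) {
			return Token{}, fmt.Errorf("child CIDR %s is not a subset of the parent's bound CIDRs", c)
		}
	}
	return Token{ID: id, BoundCIDRs: requested}, nil
}

// cidrWithinAny reports whether child is fully contained in one of parents:
// its network address must fall inside the parent block and its prefix must
// be at least as long (a /7 is never inside a /8, even if it starts at 10.0.0.0).
func cidrWithinAny(child string, parents []string) bool {
	_, cn, err := net.ParseCIDR(child)
	if err != nil {
		return false
	}
	childOnes, _ := cn.Mask.Size()
	for _, p := range parents {
		_, pn, err := net.ParseCIDR(p)
		if err != nil {
			continue
		}
		parentOnes, _ := pn.Mask.Size()
		if pn.Contains(cn.IP) && childOnes >= parentOnes {
			return true
		}
	}
	return false
}

// allowedFrom is the request-time check: a token without bound CIDRs may be
// used from anywhere; otherwise the client address must fall inside one of them.
func allowedFrom(tok Token, remoteAddr string) (bool, error) {
	if len(tok.BoundCIDRs) == 0 {
		return true, nil
	}
	ip := net.ParseIP(remoteAddr)
	if ip == nil {
		return false, errors.New("invalid remote address: " + remoteAddr)
	}
	for _, c := range tok.BoundCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, err
		}
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	parent := Token{ID: "s.parent", BoundCIDRs: []string{"10.0.0.0/8"}}
	vuln := createChildVulnerable(parent, "s.child", nil)
	fixed, _ := createChildFixed(parent, "s.child", nil)
	for _, tok := range []Token{vuln, fixed} {
		ok, _ := allowedFrom(tok, "203.0.113.5")
		fmt.Printf("%s bound=%v usable from 203.0.113.5: %v\n", tok.ID, tok.BoundCIDRs, ok)
	}
}
```

Note that the subset check compares prefix lengths as well as calling `Contains`: `10.0.0.0/7` has the same network address as `10.0.0.0/8` but covers twice the space, so a containment test on the address alone would let a child widen its parent's restriction.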

CHANGES:
 * secret/aws: Role now returns `credential_type` instead of `credential_types`
   to match role input. If a legacy role can supply more than one credential
   type, the types will be concatenated with a `,`.
 * physical/dynamodb, autoseal/aws: Instead of Vault performing environment
   variable handling, and overriding static (config file) values if found, we
   use the default AWS SDK env handling behavior, which also looks for
   deprecated values. If you were previously providing both config values and
   environment values, please ensure the config values are unset if you want to
   use environment values.
 * Namespaces (Enterprise): Providing "root" as the header value for
   `X-Vault-Namespace` will perform the request on the root namespace. This is
   equivalent to providing an empty value. Creating a namespace called "root" in
   the root namespace is disallowed.

FEATURES:
 * **InfluxDB Database Plugin**: Use Vault to dynamically create
   and manage InfluxDB users

IMPROVEMENTS:
 * auth/aws: AWS EC2 authentication can optionally create entity aliases by
   image ID [GH-5846]
 * autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
   [GH-5999]
 * physical/foundationdb: TLS support added. [GH-5800]

BUG FIXES:
 * api: Fix a couple of places where we were using the `LIST` HTTP verb
   (necessary to get the right method into the wrapping lookup function)
   without then changing it to `GET`. Although `LIST` is officially the verb
   Vault uses for listing, and custom verbs are fully legal, many WAFs and API
   gateways choke on anything outside the RFC-standardized verbs, so we fall
   back to `GET` [GH-6026]
 * autoseal/aws: Fix reading session tokens when AWS access key/secret key are
   also provided [GH-5965]
 * command/operator/rekey: Fix help output showing `-delete-backup` when it
   should show `-backup-delete` [GH-5981]
 * core: Fix bound_cidrs not being propagated to child tokens
 * replication: Correctly forward identity entity creation that originates from
   performance standby nodes (Enterprise)
 * secret/aws: Make input `credential_type` match the output type (string, not
   array) [GH-5972]
 * secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
 * secret/pki: Fix reading certificates on windows with the file
   storage backend [GH-6013]
 * ui (enterprise): properly display perf-standby count on the
   license page [GH-5971]
 * ui: fix disappearing nested secrets and go to the nearest parent
   when deleting a secret - [GH-5976]
 * ui: fix error where deleting an item via the context menu would fail if the
   item name contained dots [GH-6018]
 * ui: allow saving of kv secret after an errored save attempt [GH-6022]
 * ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]

## 1.0.1 (December 14th, 2018)

SECURITY:
 * Update version of Go to 1.11.3 to fix Go bug
   https://github.com/golang/go/issues/29233 which corresponds to
   CVE-2018-16875
 * Database user revocation: If a client has configured custom revocation
   statements for a role with a value of `""`, that statement would be executed
   verbatim, resulting in a lack of actual revocation but success for the
   operation. Vault will now strip empty statements from any provided; as a
   result if an empty statement is provided, it will behave as if no statement
   is provided, falling back to the default revocation statement.
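
The revocation issue above is a case where "success" was reported for an operation that did nothing. As an added Go example (written for this changelog, not the database plugin's code), the following shows the pre-fix path running a configured `""` verbatim and counting it as done, next to the fixed behaviour of stripping empty statements and falling back to defaults. The default statement text, the `{{name}}` rendering, the recording executor and the `v-alice` username are constructed for the illustration and are assumptions, not the engine's actual defaults.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed default revocation statements, written in the "{{name}}"
// templating style of the database secrets engine; the exact default text is
// an assumption made for this example. Illustrative code, not Vault's own.
var defaultRevocationStatements = []string{
	`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{name}}";`,
	`DROP ROLE IF EXISTS "{{name}}";`,
}

// effectiveStatements implements the fixed behaviour: empty and
// whitespace-only statements are dropped, and if nothing usable remains the
// defaults apply. Non-empty custom statements are kept verbatim.
func effectiveStatements(configured, defaults []string) []string {
	kept := make([]string, 0, len(configured))
	for _, s := range configured {
		if strings.TrimSpace(s) != "" {
			kept = append(kept, s)
		}
	}
	if len(kept) == 0 {
		return defaults
	}
	return kept
}

// revokeUser renders each statement for the user and runs it through exec,
// returning how many statements ran. Fed an unfiltered [""], it does exactly
// what the advisory describes: runs the empty statement, runs nothing else,
// and reports success.
func revokeUser(statements []string, username string, exec func(string) error) (int, error) {
	ran := 0
	for _, stmt := range statements {
		if err := exec(strings.ReplaceAll(stmt, "{{name}}", username)); err != nil {
			return ran, err
		}
		ran++
	}
	return ran, nil
}

// recordingExec stands in for a database handle and records the SQL it is
// handed instead of sending it anywhere.
func recordingExec(log *[]string) func(string) error {
	return func(sql string) error {
		*log = append(*log, sql)
		return nil
	}
}

func main() {
	configured := []string{""} // the misconfiguration from the advisory

	var before []string
	n, err := revokeUser(configured, "v-alice", recordingExec(&before))
	fmt.Printf("pre-fix:  ran=%d err=%v executed=%q\n", n, err, before)

	var after []string
	n, err = revokeUser(effectiveStatements(configured, defaultRevocationStatements), "v-alice", recordingExec(&after))
	fmt.Printf("post-fix: ran=%d err=%v executed=%q\n", n, err, after)
}
```

The check a practitioner wants after upgrading is the post-fix case: a role whose `revocation_statements` were set to an empty string should now produce the default revocation SQL for the user, not a no-op.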

CHANGES:
 * secret/database: On role read, empty statements will be returned as empty
   slices instead of potentially being returned as JSON null values. This makes
   it more in line with other parts of Vault and makes it easier for statically
   typed languages to interpret the values.

IMPROVEMENTS:
 * cli: Strip iTerm extra characters from password manager input [GH-5837]
 * command/server: Setting default kv engine to v1 in -dev mode can now be
   specified via -dev-kv-v1 [GH-5919]
 * core: Add operationId field to OpenAPI output [GH-5876]
 * ui: Added ability to search for Group and Policy IDs when creating Groups
   and Entities instead of typing them in manually

BUG FIXES:
 * auth/azure: Cache azure authorizer [15]
 * auth/gcp: Remove explicit project for service account in GCE authorizer [58]
 * cli: Show correct stored keys/threshold for autoseals [GH-5910]
 * cli: Fix backwards compatibility fallback when listing plugins [GH-5913]
 * core: Fix upgrades when the seal config had been created on early versions
   of vault [GH-5956]
 * namespaces: Correctly reload the proper mount when tuning or reloading the
   mount [GH-5937]
 * secret/azure: Cache azure authorizer [19]
 * secret/database: Strip empty statements on user input [GH-5955]
 * secret/gcpkms: Add path for retrieving the public key [5]
 * secret/pki: Fix panic that could occur during tidy operation when malformed
   data was found [GH-5931]
 * secret/pki: Strip empty line in ca_chain output [GH-5779]
 * ui: Fixed a bug where the web CLI was not usable via the `fullscreen`
   command - [GH-5909]
 * ui: Fix a bug where you couldn't write a jwt auth method config [GH-5936]

## 0.11.6 (December 14th, 2018)

This release contains the three security fixes from 1.0.0 and 1.0.1 and the
following bug fixes from 1.0.0/1.0.1:

 * namespaces: Correctly reload the proper mount when tuning or reloading the
   mount [GH-5937]
 * replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
 * replication/perfstandby: Fix redirect on approle update [GH-5820]
 * secrets/kv: Fix issue where storage version would get incorrectly downgraded
   [GH-5809]

It is otherwise identical to 0.11.5.

## 1.0.0 (December 3rd, 2018)

SECURITY:
 * When debugging a customer incident we discovered that in the case of
   malformed data from an autoseal mechanism, Vault's master key could be
   logged in Vault's server log. For this to happen, the data would need to be
   modified by the autoseal mechanism after being submitted to it by Vault but
   prior to encryption, or after decryption, prior to it being returned to
   Vault. To put it another way, it requires the data that Vault submits for
   encryption to not match the data returned after decryption. It is not
   sufficient for the autoseal mechanism to return an error, and it cannot be
   triggered by an outside attacker changing the on-disk ciphertext as all
   autoseal mechanisms use authenticated encryption. We do not believe that
   this is generally a cause for concern; since it involves the autoseal
   mechanism returning bad data to Vault but with no error, in a working Vault
   configuration this code path should never be hit, and if hitting this issue
   Vault will not be unsealing properly anyways so it will be obvious what is
   happening and an immediate rekey of the master key can be performed after
   service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3
   score of 5.2 has been assigned.

CHANGES:
 * Tokens are now prefixed by a designation to indicate what type of token they
   are. Service tokens start with `s.` and batch tokens start with `b.`.
   Existing tokens will still work (they are all of service type and will be
   considered as such). Prefixing allows us to be more efficient when consuming
   a token, which keeps the critical path of requests faster.
 * Paths within `auth/token` that allow specifying a token or accessor in the
   URL have been removed. These have been deprecated since March 2016 and
   undocumented, but were retained for backwards compatibility. They shouldn't
   be used due to the possibility of those paths being logged, so at this point
   they are simply being removed.
 * Vault will no longer accept updates when the storage key has invalid UTF-8
   character encoding [GH-5819]
 * Mount/Auth tuning the `options` map on backends will now upsert any provided
   values, and keep any of the existing values in place if not provided. The
   options map itself cannot be unset once it's set, but the keypairs within the
   map can be unset if an empty value is provided, with the exception of the
   `version` keypair which is handled differently for KVv2 purposes.
 * Agent no longer automatically reauthenticates when new credentials are
   detected. It's not strictly necessary and in some cases was causing
   reauthentication much more often than intended.
 * HSM Regenerate Key Support Removed: Vault no longer supports destroying and
   regenerating encryption keys on an HSM; it only supports creating them.
   Although this has never been a source of a customer incident, it is simply a
   code path that is too trivial to activate, especially by mistyping
   `regenerate_key` instead of `generate_key`.
 * Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
   seal type in the barrier config storage entry will be upgraded from
   "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals.
   If performing seal migration, the barrier config should first be upgraded
   prior to starting migration.
 * Go API client uses pooled HTTP client: The Go API client now uses a
   connection-pooling HTTP client by default. For CLI operations this makes no
   difference but it should provide significant performance benefits for those
   writing custom clients using the Go API library. As before, this can be
   changed to any custom HTTP client by the caller.
 * Builtin Secret Engines and Auth Methods are integrated deeper into the
   plugin system. The plugin catalog can now override builtin plugins with
   custom versions of the same name. Additionally the plugin system now
   requires a plugin `type` field when configuring plugins, this can be "auth",
   "database", or "secret".

FEATURES:
 * **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
   from Enterprise to Open Source. We've created a migrator to allow migrating
   between Shamir seals and auto unseal methods.
 * **Batch Tokens**: Batch tokens trade off some features of service tokens for no
   storage overhead, and in most cases can be used across performance
   replication clusters.
 * **Replication Speed Improvements**: We've worked hard to speed up a lot of
   operations when using Vault Enterprise Replication.
 * **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
   pattern to keys stored within GCP Cloud KMS.
 * **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
   credentials when having Agent automatically authenticate to Vault
 * **OpenAPI Support**: Descriptions of mounted backends can be served directly
   from Vault
 * **Kubernetes Projected Service Account Tokens**: Projected Service Account
   Tokens are now supported in Kubernetes auth
 * **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
   the wrap token or secret JSON in the UI

IMPROVEMENTS:
 * agent: Support for configuring the location of the kubernetes service account
   [GH-5725]
 * auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
 * secret/totp: Allow @ character to be part of key name [GH-5652]
 * secret/consul: Add support for new policy based tokens added in Consul 1.4
   [GH-5586]
 * ui: Improve the token auto-renew warning, and automatically begin renewal
   when a user becomes active again [GH-5662]
 * ui: The unbundled UI page now has some styling [GH-5665]
 * ui: Improved banner and popup design [GH-5672]
 * ui: Added token type to auth method mount config [GH-5723]
 * ui: Display additional wrap info when unwrapping. [GH-5664]
 * ui: Empty states have updated styling and link to relevant actions and
   documentation [GH-5758]
 * ui: Allow editing of KV V2 data when a token doesn't have capabilities to
   read secret metadata [GH-5879]

BUG FIXES:
 * agent: Fix auth when multiple redirects [GH-5814]
 * cli: Restore the `-policy-override` flag [GH-5826]
 * core: Fix rekey progress reset which did not happen under certain
   circumstances. [GH-5743]
 * core: Migration from autounseal to shamir will clean up old keys [GH-5671]
 * identity: Update group memberships when entity is deleted [GH-5786]
 * replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
 * replication/perfstandby: Fix redirect on approle update [GH-5820]
 * secrets/azure: Fix valid roles being rejected for duplicate ids despite
   having distinct scopes
   [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
 * storage/gcs: Send md5 of values to GCS to avoid potential corruption
   [GH-5804]
 * secrets/kv: Fix issue where storage version would get incorrectly downgraded
   [GH-5809]
 * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
   for all other operations for backwards compatibility
   [[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
 * ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
 * ui: Fix dr secondary operation token generation via the ui [GH-5818]
 * ui: Fix the PKI context menu so that items load [GH-5824]
 * ui: Update DR Secondary Token generation command [GH-5857]
 * ui: Fix pagination bug where controls would be rendered once for each
   item when viewing policies [GH-5866]
 * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
   the revoke button in the UI [GH-5647]
 * ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]

## 0.11.5 (November 13th, 2018)

BUG FIXES:
 * agent: Fix issue when specifying two file sinks [GH-5610]
 * auth/userpass: Fix minor timing issue that could leak the presence of a
   username [GH-5614]
 * autounseal/alicloud: Fix issue interacting with the API (Enterprise)
 * autounseal/azure: Fix key version tracking (Enterprise)
 * cli: Fix panic that could occur if parameters were not provided [GH-5603]
 * core: Fix buggy behavior if trying to remount into a namespace
 * identity: Fix duplication of entity alias entity during alias transfer
   between entities [GH-5733]
 * namespaces: Fix tuning of auth mounts in a namespace
 * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
 * ui: Fix issue where IE 11 didn't render the UI and also had a broken form
   when trying to use tool/hash [GH-5714]

## 0.11.4 (October 23rd, 2018)

CHANGES:
 * core: HA lock file is no longer copied during `operator migrate` [GH-5503].
   We've categorized this as a change, but generally this can be considered
   just a bug fix, and no action is needed.

FEATURES:
 * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
   remove older unused key versions
 * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
   individual secret versions in the UI
 * **Azure Existing Service Principal Support**: Credentials can
   now be generated against an existing service principal

IMPROVEMENTS:
 * core: Add last WAL in leader/health output for easier debugging [GH-5523]
 * identity: Identity names will now be handled case insensitively by default.
   This includes names of entities, aliases and groups [GH-5404]
 * secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS
   credentials [GH-5500]
 * secret/database: Allow Cassandra user to be non-superuser so long as it has
   role creation permissions [GH-5402]
 * secret/radius: Allow setting the NAS Identifier value in the generated
   packet [GH-5465]
 * secret/ssh: Allow usage of JSON arrays when setting zero addresses [GH-5528]
 * secret/transit: Allow trimming unused keys [GH-5388]
 * ui: Support KVv2 [GH-5547], [GH-5563]
 * ui: Allow viewing and updating Vault license via the UI
 * ui: Onboarding will now display your progress through the chosen tutorials
 * ui: Dynamic secret backends obfuscate sensitive data by default and
   visibility is toggleable

BUG FIXES:
 * agent: Fix potential hang during agent shutdown [GH-5026]
 * auth/ldap: Fix listing of users/groups that contain slashes [GH-5537]
 * core: Fix memory leak during some expiration calls [GH-5505]
 * core: Fix generate-root operations requiring empty `otp` to be provided
   instead of an empty body [GH-5495]
 * identity: Remove lookup check during alias removal from entity [GH-5524]
 * secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [GH-5549]
 * secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of
   generated certificates to be set to the Unix epoch if the role value was not
   set, instead of using the default of 30 seconds [GH-5481]
 * storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables
   [GH-5529]

## 0.11.3 (October 8th, 2018)

SECURITY:
 * Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused
   lease IDs containing periods (`.`) to not be revoked properly. Upon startup
   when revocation is tried again these should now revoke successfully.

IMPROVEMENTS:
 * auth/ldap: Listing of users and groups return absolute paths [GH-5537]
 * secret/pki: OID SANs can now specify `*` to allow any value [GH-5459]

BUG FIXES:
 * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
 * cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
 * secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
 * secret/pki: Fix CA generation not allowing OID SANs [GH-5459]
2019-10-23 15:00:05 +00:00
khorben
18cdbfecb9 Update pev to version 0.80
The new patches fix compatibility with OpenSSL 1.1.0, and attempt to fix
the build on FreeBSD, NetBSD, and OpenBSD. It does not link on NetBSD
(like the previous version, 0.70) but it does on macOS.

There was no changelog upstream.
2019-10-22 16:37:05 +00:00
adam
43ce47ef3e Fix sphinx-build binary name 2019-10-21 22:15:10 +00:00
adam
f66cb4f2e3 Switch sphinx to versioned deps. 2019-10-21 21:55:03 +00:00
wiz
f858f15b2b heimdal: fix build on OpenSSL 1.1 systems by disabling OpenSSL.
heimdal includes a copy of the relevant functions itself.

Add a comment that the dependency should be re-enabled when updating
this package.

Bump PKGREVISION.
2019-10-21 16:21:44 +00:00
adam
4c687771a4 py-cryptography[_vectors]: updated to 2.8
2.8:
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
  OpenSSL 1.1.1d.
* Added support for Python 3.8.
* Added class methods
  :meth:`Poly1305.generate_tag
  <cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
  and
  :meth:`Poly1305.verify_tag
  <cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
  for Poly1305 sign and verify operations.
* Deprecated support for OpenSSL 1.0.1. Support will be removed in
  ``cryptography`` 2.9.
* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
  wheels.
* Added support for ``ed25519`` and ``ed448`` keys in the
  :class:`~cryptography.x509.CertificateBuilder`,
  :class:`~cryptography.x509.CertificateSigningRequestBuilder`,
  :class:`~cryptography.x509.CertificateRevocationListBuilder` and
  :class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
* ``cryptography`` no longer depends on ``asn1crypto``.
* :class:`~cryptography.x509.FreshestCRL` is now allowed as a
  :class:`~cryptography.x509.CertificateRevocationList` extension.
2019-10-21 11:17:47 +00:00
bsiegert
cb070cf0eb Revbump all Go packages after lang/go112 update 2019-10-18 14:58:43 +00:00
maya
07bce2a592 sudo: correct fallback for no sysconf(_SC_RTSIG_MAX).
Thanks nros for the heads up.
2019-10-16 20:25:21 +00:00
adam
238c5a558e py-asn1crypto: updated to 1.2.0
1.2.0
- Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
  of the fully-qualified module names for all submodules of the package.
  The module names are listed in their dependency load order. This is
  primarily intended for the sake of implementing hot reloading.

1.1.0
- Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
- Added various EC named curves to `keys.NamedCurve()`
2019-10-16 14:38:58 +00:00
maya
4c1e09bdb9 *: bind912 -> bind914
Thanks taca for the heads up.
2019-10-16 09:37:27 +00:00
ng0
6e5a329340 security/doas: Update to 6.2p2
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p2
* Introducing macOS support
  Due to the dedicated work by Gordon Bergling, the doas
  command now builds and runs on macOS. This release
  contains no functionality changes, just the ability to
  build and run on macOS.
2019-10-15 12:24:01 +00:00
maya
02b189e68b sudo: update to 1.8.28. fixes CVE-2019-14287
Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set.

The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878.

Sudo will now filter out last login messages on HP-UX unless a shell is being run via sudo -s or sudo -i. Otherwise, when trusted mode is enabled, these messages will be displayed for each command.

On AIX, when the user's password has expired and PAM is not in use, sudo will now allow the user to change their password. Bug #883.

Sudo has a new -B command line option that will ring the terminal bell when prompting for a password.

Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment.

The env_editor sudoers flag is now on by default. This makes source builds more consistent with the packages generated by sudo's mkpkg script.

Sudo no longer ships with pre-formatted copies of the manual pages. These were included for systems like IRIX that don't ship with an nroff utility. There are now multiple Open Source nroff replacements so this should no longer be an issue.

Fixed a bad interaction with configure's --prefix and --disable-shared options. Bug #886.

More verbose error message when a password is required and no terminal is present. Bug #828.

Command tags, such as NOPASSWD, are honored when a user tries to run a command that is allowed by sudoers but which does not actually exist on the file system. Bug #888.

Asturian translation for sudoers from translationproject.org.

I/O log timing files now store signal suspend and resume information in the form of a signal name instead of a number.

Fixed a bug introduced in 1.8.24 that prevented sudo from honoring the value of ipa_hostname from sssd.conf, if specified, when matching the host name.

Fixed a bug introduced in 1.8.21 that prevented the core dump resource limit set in the pam_limits module from taking effect. Bug #894.

Fixed parsing of double-quoted Defaults group and netgroup bindings.

The user ID is now used when matching sudoUser attributes in LDAP. Previously, the user name, group name and group IDs were used when matching but not the user ID.

Sudo now writes PAM messages to the user's terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe. Bug #895.

Sudoedit now honors the umask and umask_override settings in sudoers. Previously, the user's umask was used as-is.

Fixed a bug where the terminal's file context was not restored when using SELinux RBAC. Bug #898.

Fixed a security issue where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. This vulnerability has been assigned CVE-2019-14287.
2019-10-14 20:05:58 +00:00
szptvlfn
f235633419 BUILD_DEPENDS -> TEST_DEPENDS 2019-10-14 12:54:23 +00:00
rillig
44e41e372f security/pyca: fix location of HTML documentation 2019-10-12 20:47:00 +00:00
rillig
e55e2af1da security/opencdk: fix location of HTML documentation 2019-10-12 20:43:11 +00:00
adam
f0d5e1bf8f py-asn1crypto: updated to 1.0.1
1.0.1

Fix an absolute import in keys to a relative import

1.0.0

Backwards Compatibility Breaks
cms.KeyEncryptionAlgorithmId().native now returns the value "rsaes_pkcs1v15" for OID 1.2.840.113549.1.1.1 instead of "rsa"
Removed functionality to calculate public key values from private key values. Alternatives have been added to oscrypto.
keys.PrivateKeyInfo().unwrap() is now oscrypto.asymmetric.PrivateKey().unwrap()
keys.PrivateKeyInfo().public_key is now oscrypto.asymmetric.PrivateKey().public_key.unwrap()
keys.PrivateKeyInfo().public_key_info is now oscrypto.asymmetric.PrivateKey().public_key.asn1
keys.PrivateKeyInfo().fingerprint is now oscrypto.asymmetric.PrivateKey().fingerprint
keys.PublicKeyInfo().unwrap() is now oscrypto.asymmetric.PublicKey().unwrap()
keys.PublicKeyInfo().fingerprint is now oscrypto.asymmetric.PublicKey().fingerprint

Enhancements
Significantly improved parsing of core.UTCTime() and core.GeneralizedTime() values that include timezones and fractional seconds
util.timezone has a more complete implementation
core.Choice() may now be constructed by a 2-element tuple or a 1-key dict
Added x509.Certificate().not_valid_before and x509.Certificate().not_valid_after
Added core.BitString().unused_bits
Added keys.NamedCurve.register() for non-mainstream curve OIDs
No longer try to load optional performance dependency, libcrypto, on Mac or Linux
ocsp.CertStatus().native will now return meaningful unicode string values when the status choice is "good" or "unknown". Previously both returned None due to the way the structure was designed.
Add support for explicit RSA SSA PSS (1.2.840.113549.1.1.10) to keys.PublicKeyInfo() and keys.PrivateKeyInfo()
Added structures for nested SHA-256 Windows PE signatures to cms.CMSAttribute()
Added RC4 (1.2.840.113549.3.4) to algos.EncryptionAlgorithmId()
Added secp256k1 (1.3.132.0.10) to keys.NamedCurve()
Added SHA-3 and SHAKE OIDs to algos.DigestAlgorithmId() and algos.HmacAlgorithmId()
Added RSA ES OAEP (1.2.840.113549.1.1.7) to cms.KeyEncryptionAlgorithmId()
Add IKE Intermediate (1.3.6.1.5.5.8.2.2) to x509.KeyPurposeId()
x509.EmailAddress() and x509.DNSName() now handle invalidly-encoded values using tags for core.PrintableString() and core.UTF8String()
Add parameter structure from RFC 5084 for AES-CCM to algos.EncryptionAlgorithm()
Improved robustness of parsing broken core.Sequence() and core.SequenceOf() values

Bug Fixes
Fixed encoding of tag values over 30
core.IntegerBitString() and core.IntegerOctetString() now restrict values to non-negative integers since negative values are not implemented
When copying or dumping a BER-encoded indefinite-length value, automatically force re-encoding to DER. To ensure all nested values are always DER-encoded, .dump(True) must be called.
Fix UnboundLocalError when calling x509.IPAddress().native on an encoded value that has a length of zero
Fixed passing class_ via unicode string name to core.Asn1Value()
Fixed a bug where EC private keys with leading null bytes would be encoded in keys.ECPrivateKey() more narrowly than RFC 5915 requires
Fixed some edge-case bugs in util.int_to_bytes()
x509.URI() now only normalizes values when comparing
Fixed BER-decoding of indefinite length core.BitString()
Fixed DER-encoding of empty core.BitString()
Fixed a missing return value for core.Choice().parse()
Fixed core.Choice().contents working when the chosen alternative is a core.Choice() also
Fixed parsing and encoding of nested core.Choice() objects
Fixed a bug causing core.ObjectIdentifier().native to sometimes not map the OID
2019-10-11 16:16:45 +00:00
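The asn1crypto fix above (`keys.ECPrivateKey()` encoding EC private keys more narrowly than RFC 5915 requires) and the mbed TLS 2.16.3 fix further down this log (private value written as an ASN.1 INTEGER, leaking about a bit of key size and overrunning the output buffer by a byte) are the same defect. The following is an added illustration, not code from either project: a minimal DER encoder for the RFC 5915 ECPrivateKey structure with the fixed-width encoding beside the INTEGER-style one, plus a consumer-side width check. P256_ORDER and the curve OID are the standard P-256 values; all function names are the example's own.

```python
# Added illustration (not asn1crypto or mbed TLS code): RFC 5915 ECPrivateKey
# encoding, the fixed-width form beside the leaky INTEGER-style form.

# Group order of P-256 (secp256r1) from SEC 2 and the DER content octets of
# its OID 1.2.840.10045.3.1.7. Both are standard values; the function names
# below are this example's own.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_OID = bytes.fromhex("2a8648ce3d030107")


def der_length(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, pos=0):
    """Parse one TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def scalar_byte_length(order):
    """RFC 5915 width of privateKey: ceil(log2(order) / 8) bytes."""
    return (order.bit_length() + 7) // 8


def encode_ec_private_key(d, order=P256_ORDER, curve_oid=P256_OID, fixed_size=True):
    """ECPrivateKey ::= SEQUENCE { version INTEGER (1), privateKey OCTET STRING,
    parameters [0] EXPLICIT namedCurve OID }.

    fixed_size=True  pads d to scalar_byte_length(order) bytes, as RFC 5915 requires.
    fixed_size=False writes d the way an ASN.1 INTEGER body is written (minimal,
    plus a 0x00 when the top bit is set), reproducing the defect both changelogs
    describe: the field length varies with d, so it leaks, and for a top-bit-set
    scalar it is one byte longer than a fixed-size output buffer."""
    if not 1 <= d < order:
        raise ValueError("private scalar out of range")
    if fixed_size:
        key_bytes = d.to_bytes(scalar_byte_length(order), "big")
    else:
        key_bytes = d.to_bytes((d.bit_length() + 7) // 8, "big")
        if key_bytes[0] & 0x80:
            key_bytes = b"\x00" + key_bytes
    version = der_tlv(0x02, b"\x01")
    private_key = der_tlv(0x04, key_bytes)
    params = der_tlv(0xA0, der_tlv(0x06, curve_oid))
    return der_tlv(0x30, version + private_key + params)


def private_key_field_length(der):
    """Length in bytes of the privateKey OCTET STRING inside an ECPrivateKey."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _version, pos = read_tlv(seq)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, key, _ = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return len(key)


def has_fixed_size_private_key(der, order=P256_ORDER):
    """Consumer-side check: does the privateKey field have the RFC 5915 width?
    A mismatch means the key was written by a leaky encoder (or is not for
    this curve) and is worth flagging before the file is used or stored."""
    return private_key_field_length(der) == scalar_byte_length(order)


if __name__ == "__main__":
    small = 1               # 31 leading zero bytes when written on 32 bytes
    large = P256_ORDER - 1  # top bit set, so the INTEGER form needs a 0x00 prefix
    for d in (small, large):
        good = encode_ec_private_key(d)
        bad = encode_ec_private_key(d, fixed_size=False)
        print(f"d bitlen {d.bit_length():3d}: fixed-size file {len(good)} bytes, "
              f"INTEGER-style file {len(bad)} bytes, check passes: "
              f"{has_fixed_size_private_key(good)}/{has_fixed_size_private_key(bad)}")
```

With the fixed-width form every P-256 key file is the same size (51 bytes here), whereas the INTEGER-style form produces 20 bytes for d = 1 and 52 bytes for a top-bit-set scalar, which is exactly the size signal and the extra byte the two changelog entries describe.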
prlw1
570e39d8ca remove pkgrevision 2019-10-10 15:43:44 +00:00
prlw1
81299c4f8a Update clamav to 0.102.0
* The On-Access Scanning feature has been migrated out of clamd and
  into a brand new utility named clamonacc, which is disabled in this
  package as it is for Linux only.
* The freshclam database update utility has undergone a significant
  update. This includes:
     + Added support for HTTPS.
     + Support for database mirrors hosted on ports other than 80.
     + Removal of the mirror management feature (mirrors.dat).
     + An all new libfreshclam library API.
* Added support for extracting ESTsoft .egg archives. This feature is
  new code developed from scratch using ESTsoft's Egg-archive
  specification and without referencing the UnEgg library provided by
  ESTsoft. This was necessary because the UnEgg library's license
  includes restrictions limiting the commercial use of the UnEgg library.

Full release notes available at:
https://github.com/Cisco-Talos/clamav-devel/blob/rel/0.102/NEWS.md
2019-10-10 15:41:29 +00:00
ryoon
a62e21ed32 Update to 2.8.3
Changelog:
Letsencrypt CA recently changed the CDN provider, which resulted
in hanging issues.
Any downstream package should update.
This is important.
2019-10-10 13:23:58 +00:00
adam
9ce1493c8f py-asn1-modules: updated to 0.2.7
Revision 0.2.7:
- Added maps for use with openType to RFC 3565
- Added RFC2985 providing PKCS#9 Attributes
- Added RFC3770 providing Certificate Extensions and Attributes for
  Authentication in PPP and Wireless LAN Networks
- Added RFC5914 providing Trust Anchor Format
- Added RFC6010 providing CMS Content Constraints (CCC) Extension
- Added RFC6031 providing CMS Symmetric Key Package Content Type
- Added RFC6032 providing CMS Encrypted Key Package Content Type
- Added RFC7030 providing Enrollment over Secure Transport (EST)
- Added RFC7292 providing PKCS #12, which is the Personal Information
  Exchange Syntax v1.1
- Added RFC8018 providing PKCS #5, which is the Password-Based
  Cryptography Specification, Version 2.1
- Automatically update the maps for use with openType for RFC3709,
  RFC6402, RFC7191, and RFC8226 when the module is imported
- Added RFC6211 providing CMS Algorithm Identifier Protection Attribute
- Added RFC8449 providing Certificate Extension for Hash Of Root Key
- Updated RFC2459 and RFC5280 for TODO in the certificate extension map
- Added RFC7906 providing NSA's CMS Key Management Attributes
- Added RFC7894 providing EST Alternative Challenge Password Attributes
- Updated the handling of maps for use with openType so that just doing
  an import of the modules is enough in most situations; updates to
  RFC 2634, RFC 3274, RFC 3779, RFC 4073, RFC 4108, RFC 5035, RFC 5083,
  RFC 5084, RFC 5480, RFC 5940, RFC 5958, RFC 6019, and RFC 8520
- Updated the handling of attribute maps for use with openType in
  RFC 5958 to use the rfc5652.cmsAttributesMap
- Added RFC5990 providing RSA-KEM Key Transport Algorithm in the CMS
- Fixed malformed `rfc4210.RevRepContent` data structure layout
- Added RFC5934 providing Trust Anchor Management Protocol (TAMP)
- Added RFC6210 providing Experiment for Hash Functions with Parameters
- Added RFC5751 providing S/MIME Version 3.2 Message Specification
- Added RFC8494 providing Multicast Email (MULE) over ACP 142
- Added RFC8398 providing Internationalized Email Addresses in
  X.509 Certificates
- Added RFC8419 providing Edwards-Curve Digital Signature Algorithm
  (EdDSA) Signatures in the CMS
- Added RFC8479 providing Storing Validation Parameters in PKCS#8
- Added RFC8360 providing Resource Public Key Infrastructure (RPKI)
  Validation Reconsidered
- Added RFC8358 providing Digital Signatures on Internet-Draft Documents
- Added RFC8209 providing BGPsec Router PKI Profile
- Added RFC8017 providing PKCS #1 Version 2.2
- Added RFC7914 providing scrypt Password-Based Key Derivation Function
- Added RFC7773 providing Authentication Context Certificate Extension
2019-10-10 07:47:53 +00:00
nros
aeed7a5f89 ftp is currently down, add the https download location 2019-10-09 09:38:10 +00:00
triaxx
a1ff13750d libgpg-error: fix PR pkg/54609
pkgsrc changes:
---------------
* Apply upstream patches that will be removed in next release
  (https://github.com/gpg/libgpg-error/commit/7865041)
* Bump revision
2019-10-08 06:36:13 +00:00
nros
183164410c Fix clamav install when PKG_SYSCONFDIR not set to ${PREFIX}/etc
Use PKG_SYSCONFDIR when moving files to EGDIR.
Fixes install when PKG_SYSCONFDIR is set to something other than
${PREFIX}/etc
2019-10-05 20:52:52 +00:00
nia
a9cedae2ce gnutls: Update to 3.6.10
* Version 3.6.10 (released 2019-09-29)

** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
   Deterministic signing can be enabled by setting
   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
   functions (#94).

** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
   functions that will perform in-place encryption/decryption on data buffers (#718).

** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
   TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function()
   (#823).

** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
   issue with large record handling due to random padding (#811).

** libgnutls: the server now selects the highest TLS protocol version,
   if TLS 1.3 is enabled and the client advertises an older protocol version first (#837).

** libgnutls: fix non-PIC assembly on i386 (#818).

** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
   and MAC generation based on GOST 28147-89 (IMIT). For description of the
   modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
   RFC 7836.

** certtool: when outputting an encrypted private key do not insert the textual description
   of it. This fixes a regression since 3.6.5 (#840).

** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added
GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added
2019-10-04 17:25:53 +00:00
agc
7137d02e07 Bump netpgpverify and libnetpgpverify to 20191003 - fix problem
pointed out by mrg and gcc8:

+ don't read an automatic array element we haven't already written
2019-10-03 20:18:12 +00:00
adam
281c00a6f2 py-acme/py-certbot: updated to 0.39.0
0.39.0:

Added
Support for Python 3.8 was added to Certbot and all of its components.
Support for CentOS 8 was added to certbot-auto.

Changed
Don't send OCSP requests for expired certificates
Return to using platform.linux_distribution instead of distro.linux_distribution in OS fingerprinting for Python < 3.8
Updated the Nginx plugin's TLS configuration to keep support for some versions of IE11.

Fixed
Fixed OS detection in the Apache plugin on RHEL 6.
2019-10-02 17:36:43 +00:00
triaxx
fe5a9cc38a py-certbot: update to 0.38nb3
pkgsrc changes
--------------
* s/wip/devel/ for py-distro dependency (wip was for test only but
  committed by inattention)
2019-10-02 10:40:56 +00:00
wiz
6db311f6d6 py-certbot: wip dependencies are not allowed in main pkgsrc 2019-10-02 08:38:42 +00:00
nia
dacf71ed96 mbedtls: Update to 2.16.3
= mbed TLS 2.16.3 branch released 2019-09-06

Security
   * Fix a missing error detection in ECJPAKE. This could have caused a
     predictable shared secret if a hardware accelerator failed and the other
     side of the key exchange had a similar bug.
   * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
     implement blinding. Because of this for the same key and message the same
     blinding value was generated. This reduced the effectiveness of the
     countermeasure and leaked information about the private key through side
     channels. Reported by Jack Lloyd.
   * When writing a private EC key, use a constant size for the private
     value, as specified in RFC 5915. Previously, the value was written
     as an ASN.1 INTEGER, which caused the size of the key to leak
     about 1 bit of information on average and could cause the value to be
     1 byte too large for the output buffer.

API Changes
   * The new function mbedtls_ecdsa_sign_det_ext() is similar to
     mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
     purpose of blinding.

Bugfix
   * Fix to allow building test suites with any warning that detects unused
     functions. Fixes #1628.
   * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
   * Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
   * Fix Visual Studio Release x64 build configuration by inheriting
     PlatformToolset from the project configuration. Fixes #1430 reported by
     irwir.
   * Enable Suite B with subset of ECP curves. Make sure the code compiles even
     if some curves are not defined. Fixes #1591 reported by dbedev.
   * Fix misuse of signed arithmetic in the HAVEGE module. #2598
   * Update test certificates that were about to expire. Reported by
     Bernhard M. Wiedemann in #2357.
   * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
     that are only available in Thumb mode. Fix contributed by Aurelien Jarno
     in #2169.
   * Fix undefined memset(NULL) call in test_suite_nist_kw.
   * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
   * Fix propagation of restart contexts in restartable EC operations.
     This could previously lead to segmentation faults in builds using an
     address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
   * Fix memory leak in mpi_miller_rabin(). Contributed by
     Jens Wiklander <jens.wiklander@linaro.org> in #2363
   * Improve code clarity in x509_crt module, removing false-positive
     uninitialized variable warnings on some recent toolchains (GCC8, etc).
     Discovered and fixed by Andy Gross (Linaro), #2392.
   * Zero length buffer check for undefined behavior in
     mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
   * Fix bug in endianness conversion in bignum module. This led to
     functionally incorrect code on bigendian systems which don't have
     __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.

Changes
   * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
     suggests). #2671
   * Make `make clean` clean all programs always. Fixes #1862.

= mbed TLS 2.16.2 branch released 2019-06-11

Security
   * Make mbedtls_ecdh_get_params return an error if the second key
     belongs to a different group from the first. Before, if an application
     passed keys that belonged to different group, the first key's data was
     interpreted according to the second group, which could lead to either
     an error or a meaningless output from mbedtls_ecdh_get_params. In the
     latter case, this could expose at most 5 bits of the private key.

Bugfix
   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
     mbedTLS configuration only SHA-2 signed certificates are accepted.
     This certificate is used in the demo server programs, which led the
     client programs to fail at the peer's certificate verification
     due to an unacceptable hash signature. The certificate has been
     updated to one that is SHA-256 signed. Fix contributed by
     Illya Gerasymchuk.
   * Fix private key DER output in the key_app_writer example. File contents
     were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
     Christian Walther in #2239.
   * Fix potential memory leak in X.509 self test. Found and fixed by
     Junhwan Park, #2106.
   * Reduce stack usage of hkdf tests. Fixes #2195.
   * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
     used with negative inputs. Found by Guido Vranken in #2404. Credit to
     OSS-Fuzz.
   * Fix bugs in the AEAD test suite which would be exposed by ciphers which
     either used both encrypt and decrypt key schedules, or which perform padding.
     GCM and CCM were not affected. Fixed by Jack Lloyd.
   * Fix incorrect default port number in ssl_mail_client example's usage.
     Found and fixed by irwir. #2337
   * Add missing parentheses around parameters in the definition of the
     public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
     in case operators binding less strongly than subtraction were used
     for the parameter.
   * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
     sni entry parameter. Reported by inestlerode in #560.
   * Add DER-encoded test CRTs to library/certs.c, allowing
     the example programs ssl_server2 and ssl_client2 to be run
     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
   * Fix missing bounds checks in X.509 parsing functions that could
     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
   * Fix multiple X.509 functions previously returning ASN.1 low-level error
     codes to always wrap these codes into X.509 high level error codes before
     returning. Fixes #2431.

Changes
   * Return from various debugging routines immediately if the
     provided SSL context is unset.
   * Remove dead code from bignum.c in the default configuration.
     Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
   * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
     Contributed by Peter Kolbus (Garmin).
   * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
     improve clarity. Fixes #2258.
   * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.

= mbed TLS 2.16.1 branch released 2019-03-19

Features
   * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
     from the default list (enabled by default). See
     https://sweet32.info/SWEET32_CCS16.pdf.

Bugfix
   * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
     when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
   * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
     Raised as a comment in #1996.
   * Reduce the stack consumption of mbedtls_mpi_fill_random() which could
     previously lead to a stack overflow on constrained targets.
   * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
     in the header files, which missed the precompilation check. #971
   * Fix clobber list in MIPS assembly for large integer multiplication.
     Previously, this could lead to functionally incorrect assembly being
     produced by some optimizing compilers, showing up as failures in
     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
     by Aurelien Jarno and submitted by Jeffrey Martin.
   * Fix signed-to-unsigned integer conversion warning
     in X.509 module. Fixes #2212.
   * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
     Fixes #2190.
   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
   * Remove the mbedtls namespacing from the header file, to fix a "file not found"
     build error. Fixed by Haijun Gu #2319.
   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
   * Fix false failure in all.sh when backup files exist in include/mbedtls
     (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
   * Ensure that unused bits are zero when writing ASN.1 bitstrings when using
     mbedtls_asn1_write_bitstring().
   * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
     extensions in CSRs and CRTs that caused these bitstrings to not be encoded
     correctly as trailing zeroes were not accounted for as unused bits in the
     leading content octet. Fixes #1610.

Changes
   * Include configuration file in all header files that use configuration,
     instead of relying on other header files that they include.
     Inserted as an enhancement for #1371
   * Add support for alternative CSR headers, as used by Microsoft and defined
     in RFC 7468. Found by Michael Ernst. Fixes #767.
   * Fix configuration queries in ssl-opt.h. #2030
   * Ensure that ssl-opt.h can be run in OS X. #2029
   * Reduce the complexity of the timing tests. They were assuming more than the
     underlying OS actually guarantees.
   * Re-enable certain interoperability tests in ssl-opt.sh which had previously
     been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
   * Ciphersuites based on 3DES now have the lowest priority by default when
     they are enabled.

= mbed TLS 2.16.0 branch released 2018-12-21

Features
   * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
     of parameters in the API. This allows detection of obvious misuses of the
     API, such as passing NULL pointers. The API of existing functions hasn't
     changed, but requirements on parameters have been made more explicit in
     the documentation. See the corresponding API documentation for each
     function to see for which parameter values it is defined. This feature is
     disabled by default. See its API documentation in config.h for additional
     steps you have to take when enabling it.

API Changes
   * The following functions in the random generator modules have been
     deprecated and replaced as shown below. The new functions change
     the return type from void to int to allow returning error codes when
     using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
     primitive. Fixes #1798.
     mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
     mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
   * Extend ECDH interface to enable alternative implementations.
   * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
     ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
     the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
   * Additional parameter validation checks have been added for the following
     modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
     ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
     Where modules have had parameter validation added, existing parameter
     checks may have changed. Some modules, such as Chacha20 had existing
     parameter validation whereas other modules had little. This has now been
     changed so that the same level of validation is present in all modules, and
     that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
     is off. That means that checks which were previously present by default
     will no longer be.

New deprecations
   * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
     in favor of functions that can return an error code.

Bugfix
   * Fix for Clang, which was reporting a warning for the bignum.c inline
     assembly for AMD64 targets creating string literals greater than those
     permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
   * Fix runtime error in `mbedtls_platform_entropy_poll()` when run
     through qemu user emulation. Reported and fix suggested by randombit
     in #1212. Fixes #1212.
   * Fix an unsafe bounds check when restoring an SSL session from a ticket.
     This could lead to a buffer overflow, but only in case ticket authentication
     was broken. Reported and fix suggested by Guido Vranken in #659.
   * Add explicit integer to enumeration type casts to example program
     programs/pkey/gen_key which previously led to compilation failure
     on some toolchains. Reported by phoenixmcallister. Fixes #2170.
   * Fix double initialization of ECC hardware that made some accelerators
     hang.
   * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
     of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 17:44:11 +00:00
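Two of the changes listed above, the `void` to `int` return type for the DRBG update functions and the optional `MBEDTLS_CHECK_PARAMS` validation, are illustrated by the following added example. It is constructed for this page and is not mbed TLS code: the `demo_*` names, the `DEMO_CHECK_PARAMS` switch and the error values are stand-ins, and the XOR "primitive" only plays the role of an `_ALT` AES backend that can report failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the mbed TLS names (not mbed TLS code). */
#define DEMO_ERR_BAD_INPUT_DATA   (-0x0034)  /* hypothetical error value */
#define DEMO_ERR_PRIMITIVE_FAILED (-0x0036)  /* hypothetical error value */
#define DEMO_CHECK_PARAMS 1                  /* stand-in for MBEDTLS_CHECK_PARAMS */

typedef struct {
    uint8_t state[16];
    int prim_should_fail; /* simulates an _ALT primitive reporting an error */
    int update_count;     /* how many times the state was actually mixed */
} demo_drbg_ctx;

/* Stand-in for the block primitive behind the DRBG. A hardware-backed
 * _ALT implementation can fail; this toy just XORs the block in. */
static int demo_block_primitive(demo_drbg_ctx *ctx, const uint8_t in[16])
{
    if (ctx->prim_should_fail)
        return DEMO_ERR_PRIMITIVE_FAILED;
    for (size_t i = 0; i < 16; i++)
        ctx->state[i] ^= in[i];
    ctx->update_count++;
    return 0;
}

/* Copy additional input into one 16-byte block, zero padded / truncated. */
static void demo_pad_block(uint8_t out[16], const uint8_t *add, size_t len)
{
    memset(out, 0, 16);
    if (len)
        memcpy(out, add, len > 16 ? 16 : len);
}

/* Old-style update: void return, so a failing primitive cannot be reported
 * and the caller continues with a state that was never mixed. */
static void demo_drbg_update(demo_drbg_ctx *ctx, const uint8_t *add, size_t len)
{
    uint8_t block[16];
    demo_pad_block(block, add, len);
    (void) demo_block_primitive(ctx, block);
}

/* New-style update: int return, parameter validation when DEMO_CHECK_PARAMS
 * is on, and the primitive's error code propagates to the caller. */
static int demo_drbg_update_ret(demo_drbg_ctx *ctx, const uint8_t *add, size_t len)
{
    uint8_t block[16];
#if DEMO_CHECK_PARAMS
    if (ctx == NULL || (add == NULL && len != 0))
        return DEMO_ERR_BAD_INPUT_DATA;
#endif
    demo_pad_block(block, add, len);
    return demo_block_primitive(ctx, block);
}

/* Caller-side migration pattern: any nonzero return is fatal for the
 * operation, because the DRBG state may not have absorbed the input. */
static int demo_reseed(demo_drbg_ctx *ctx, int primitive_fails)
{
    static const uint8_t add[] = "constructed additional input";
    ctx->prim_should_fail = primitive_fails;
    int ret = demo_drbg_update_ret(ctx, add, sizeof add - 1);
    if (ret != 0)
        return ret;
    return 0;
}
```

With the old signature the only evidence of a failed backend is that `update_count` does not move; with the `_ret` variant the caller gets the error and can abort instead of drawing output from an unchanged state. The `DEMO_CHECK_PARAMS` block mirrors the changelog's note that validation is opt-in: compiling with it set to 0 removes the NULL check entirely.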
ryoon
df7a51c086 Update to 0.73
Changelog:
Vulnerabilities fixed in this release include:

 - On Windows, the listening sockets used for local port forwarding
   were opened in a mode that did not prevent other processes from
   also listening on the same ports and stealing some of the incoming
   connections.

 - In the PuTTY terminal, bracketed paste mode was broken in 0.72, in
   a way that made the pasted data look like manual keyboard input. So
   any application relying on the bracketing sequences to protect
   against malicious clipboard contents would have been misled.

 - An SSH-1 server could trigger an access to freed memory by sending
   the SSH1_MSG_DISCONNECT message. Not known to be exploitable.

Other bug fixes include:

 - Windows Plink no longer crashes on startup when it tries to tell
   you it's reusing an existing SSH connection.

 - Windows PuTTY now updates its terminal window size correctly if the
   screen resolution changes while it's maximised.

 - If you display the coloured error messages from gcc in the PuTTY
   terminal, there is no longer a missing character if a colour change
   happens exactly at the end of a line.

 - If you use the 'Clear Scrollback' menu option or escape sequence
   while text in the scrollback is selected, it no longer causes an
   assertion failure.
2019-10-01 15:22:41 +00:00
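The bracketed paste item above describes the application side of the contract: the terminal wraps pasted text in `ESC [ 200 ~` and `ESC [ 201 ~`, and a program that reads the stream can refuse to treat a pasted newline as a command to run. The following added example (constructed for this page, not PuTTY code) splits an input buffer into typed and pasted segments and applies that policy; `split_bracketed_paste`, `paste_contains_newline` and the sample input are all assumed names and constructed data.

```c
#include <stddef.h>
#include <string.h>

/* xterm bracketed paste delimiters: the terminal emits these around a paste. */
#define BP_START "\x1b[200~"
#define BP_END   "\x1b[201~"

typedef enum { SEG_TYPED, SEG_PASTED } seg_kind;

typedef struct {
    seg_kind kind;
    const char *data;   /* points into the caller's buffer */
    size_t len;
} segment;

/* Split an input stream into typed and pasted segments.
 * Returns the number of segments written (at most max_segs). An unterminated
 * paste is still reported as pasted, since the terminal opened it. */
static size_t split_bracketed_paste(const char *buf, size_t len,
                                    segment *out, size_t max_segs)
{
    const size_t sl = strlen(BP_START), el = strlen(BP_END);
    size_t n = 0, i = 0, seg_start = 0;
    int in_paste = 0;

    while (i < len && n < max_segs) {
        if (!in_paste && len - i >= sl && memcmp(buf + i, BP_START, sl) == 0) {
            /* Close any typed run before the paste begins (skip empty runs). */
            if (i > seg_start)
                out[n++] = (segment){ SEG_TYPED, buf + seg_start, i - seg_start };
            i += sl;
            seg_start = i;
            in_paste = 1;
        } else if (in_paste && len - i >= el && memcmp(buf + i, BP_END, el) == 0) {
            out[n++] = (segment){ SEG_PASTED, buf + seg_start, i - seg_start };
            i += el;
            seg_start = i;
            in_paste = 0;
        } else {
            i++;
        }
    }
    if (seg_start < len && n < max_segs)
        out[n++] = (segment){ in_paste ? SEG_PASTED : SEG_TYPED,
                              buf + seg_start, len - seg_start };
    return n;
}

/* Policy a line-oriented reader can apply: a newline inside a paste must not
 * be executed as a submitted line. Returns 1 if the input contains one. */
static int paste_contains_newline(const char *buf, size_t len)
{
    segment segs[16];
    size_t n = split_bracketed_paste(buf, len, segs, 16);
    for (size_t k = 0; k < n; k++)
        if (segs[k].kind == SEG_PASTED && memchr(segs[k].data, '\n', segs[k].len))
            return 1;
    return 0;
}
```

The second half of the test below shows the failure mode the changelog describes: when the terminal does not emit the brackets, the same pasted bytes are indistinguishable from typed input and the newline policy has nothing to act on, so the protection has to be provided by the terminal and relied on by the application together.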
nia
6d4756a72c gnutls: No longer a GNU project 2019-10-01 14:34:08 +00:00
wiz
47baed0b3f py-certbot: bump PKGREVISION for added dependency 2019-10-01 13:53:45 +00:00
triaxx
6e0e275eb9 py-certbot: fix PR pkg/54588
pkgsrc changes:
---------------
* Add devel/py-distro as a runtime dependency. Certbot claims >=1.0.1 but
  non-Linux distributions are supported only from 1.2.0.
2019-10-01 13:29:58 +00:00
maya
1c6836d293 gnutls: backport upstream commit to avoid text relocations on i386.
Regenerate asm files with -fPIC

PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386

Bump PKGREVISION.
2019-09-30 09:51:16 +00:00
bsiegert
866c85b303 Revbump all Go packages after 1.12.10 update.
ok wiz@ for PMC
2019-09-26 20:10:39 +00:00
wiz
666b611d27 base: remove
Last update in 2009, homepage not reachable; only builds with php-5.6
but one of its dependencies is by default built against a newer php,
so this can't even build.
2019-09-26 09:39:24 +00:00
wiz
0dfe8ac295 R-askpass: skip interpreter check for two mac-only files 2019-09-26 00:49:07 +00:00
adam
8035cad0cc py-keyring: mark as incompatible with Python 2.7 2019-09-25 13:06:12 +00:00
adam
2a69beb126 py-hsm: updated to 1.2.1
Version 1.2.1:
* Fixup release: Remove minimum version for sqlalchemy dependency which was
    set too high.
* yhsm-yubikey-ksm: Add --proxy/--proxies argument for logging proxies
    requests.

Version 1.2.0:
* yhsm-validation-server: Support OATH TOTP.
* yhsm-init-oath-token: Handle keys with length != 20.
* yhsm-yubikey-ksm: Allow passing soft-HSM keys via stdin by passing "-" as
    device argument.
* yhsm-yubikey-ksm: Allow passing --db-url via environment variable.
* Moved utils, yubikey-ksm and validation-server to be included when
    installing using pip.
* Use entry_point scripts generated by setuptools.
* Moved man pages to man/ directory.
* Bugfix: Fix AEAD generation on Windows by writing in binary mode.
* Bugfix: Support AEADs generated on Windows using pyhsm <= 1.1.1.
* Bugfix: Avoid installing unit test package.
* Bugfix: yhsm-import-keys: Fix --aes-key argument used when importing
    without a YubiHSM.

Version 1.1.1:
* Fixup release.

Version 1.1.0:
* Restructured the repository and build process.
* Use Semantic Versioning (semver.org).
* Added support for a "soft" HSM in yhsm-yubikey-ksm, yhsm-import-keys
    and yhsm-generate-keys.

Version 1.0.4l:
* Documentation is now in asciidoc format.
* yhsm-yubikey-ksm: Fix bug when the same public ID occurred for multiple
    keyhandles.
2019-09-20 17:13:26 +00:00
adam
83c88ab8ec py-keyrings.alt: updated to 3.1.1
3.1.1
Trap AttributeError in Gnome backend as in some environments
it seems that will happen.
Fix issue where a backslash in the service name would cause
errors on Registry backend on Windows.

3.1
``keyrings.alt`` no longer depends on the ``keyring.util.escape``
module.

3.0
``keyrings`` namespace should now use the pkgutil native technique
rather than relying on pkg_resources.

2.4
File based backends now reject non-string types for passwords.
2019-09-20 16:51:25 +00:00
adam
69ee079d35 py-keyring: updated to 19.2.0
19.2.0
* Add support for get_credential() with the SecretService backend
2019-09-20 16:39:31 +00:00
nia
04343d76c3 libssh: update patch 2019-09-18 19:35:08 +00:00
tnn
c143041f8b gnutls: fix PLIST 2019-09-18 19:00:13 +00:00
ng0
6d0c556d8c security/gnutls: Add ability to link against libunbound for DANE support. 2019-09-18 15:27:05 +00:00
ryoon
7917e25af2 Recursive revbump from audio/pulseaudio 2019-09-18 14:17:03 +00:00
perseant
9f4542308b Update ccid to version 1.4.27, including link requirement in pcsc-lite.
Closes PR security/54556.
2019-09-17 23:09:42 +00:00
nros
d039c8d6d4 Fix compilation of gnutls with compilers missing __get_cpuid_count
Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10.
Fixes compilation on NetBSD 8 without setting GCC_REQD.
2019-09-16 17:01:46 +00:00
wiz
5dcb749317 scrypt: update to 1.3.0.
Significant changes since 1.2.1:
* In addition to the scrypt command-line utility, a library "libscrypt-kdf"
  can now be built and installed by passing the --enable-libscrypt-kdf option
  to configure.
* On x86 CPUs which support them, RDRAND and SHA extensions are used to
  provide supplemental entropy and speed up hash computations respectively.
* When estimating the amount of available RAM, scrypt ignores RLIMIT_DATA on
  systems which have mmap.
* A new command "scrypt info encfile" prints information about an encrypted
  file without decrypting it.
2019-09-16 05:13:28 +00:00