Fix a bug in X509 DN string comparisons that could result in out of
bound reads. This could result in information leakage, denial of
service, or potentially incorrect certificate validation results.
(CVE-2017-2801)
Avoid throwing during a destructor since this is undefined in
C++11 and rarely a good idea. (GH #930)
Fix a bug causing modular exponentiations done modulo even numbers
to almost always be incorrect, unless the values were small. This
bug is not known to affect any cryptographic operation in Botan. (GH
#754)
Avoid use of C++11 std::to_string in some code added in 1.10.14
(GH #747#834)
Fix integer overflow during BER decoding, found by Falko Strenzke.
This bug is not thought to be directly exploitable but upgrading ASAP
is advised. (CVE-2016-9132)
Fix two cases where (in error situations) an exception would be thrown
from a destructor, causing a call to std::terminate.
When RC4 is disabled in the build, also prevent it from being included
in the OpenSSL provider. (GH #638)
- Use constant time modular inverse algorithm to avoid possible side
channel attack against ECDSA (CVE-2016-2849)
- Use constant time PKCS #1 unpadding to avoid possible side channel
attack against RSA decryption (CVE-2015-7827)
Make a temporary hack for non-SunOS, not yet fully verified;
this somehow needs to mirror what the package's configure.py
figures out, and expressing that properly and portably in
pkgsrc seems hard.
the PLIST.x86* entries. The sse2 entries are however gone, but a few
new ones have appeared (md4_x86_32.h etc.) Installs cleanly now on
NetBSD/i386 6.1.5.
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
* 1.8.14, 2012-07-18
- The malloc allocator would return null instead of throwing in the event of
an allocation failure, which could cause an application crash due to null
pointer dereference where normally an exception would occur.
- Recent versions of OpenSSL include extra information in ECC private keys,
the presence of which caused an exception when such a key was loaded by
botan. The decoding of ECC private keys has been changed to ignore these
fields if they are set.
- AutoSeeded_RNG has been changed to prefer /dev/random over /dev/urandom
- Fix detection of s390x (Debian bug 638347)
1) Update two configuration files to include DragonFly, which results in
additional generated files.
2) Update PLIST.DragonFly (it was wrong in any case)
platform files except Darwin. Also add the *_sse2 entries to Darwin.
Note that both *_amd64 and *_sse2 are conditional on x86_64, so this
division of files per platform is easier to do by PLIST tweaks than by
further Makefile conditionals.
This fixes the build of botan under OS X Lion with ABI=64 and should be
a no-op for all other platforms.
* 1.8.13, 2011-07-02
- A race in Algorithm_Factory that could cause crashes in multithreaded
code has been fixed.
* 1.8.12, 2011-06-20
- If EMSA3(Raw) was used for more than one signature, it would produce
incorrect output.
- Fix the --enable-debug option to configure.py
- Improve OS detection on Cygwin
- Fix compilation under Sun Studio 12 on Solaris
- Fix a memory leak in the constructors of DataSource_Stream and
DataSink_Stream which would occur if opening the file failed. PR 144
* 1.8.11, 2010-11-02
- Fix a number of CRL encoding and decoding bugs
- When building a debug library under VC++, use the debug runtime
- Fix compilation under Sun Studio on Linux and Solaris
- Add several functions for compatability with 1.9
- In the examples, read most input files as binary
- The Perl build script has been removed in this release
* 1.8.10, 2010-08-31
- Switch default PKCS #8 encryption algorithm from 3DES to AES-256
- Increase default hash iterations from 2048 to 10000 in PBES1 and
PBES2
- Use small tables in the first round of AES
- Add PBKDF typedef and get_pbkdf for better compatability with 1.9
- Add version of S2K::derive_key taking salt and iteration count
- Enable the /proc-walking entropy source on NetBSD
- Fix the doxygen makefile target
* 1.8.9, 2010-06-16
- Use constant time multiplication in IDEA
- Avoid possible timing attack against OAEP decoding
- Add new X509::BER_encode and PKCS8::BER_encode
- Enable DLL builds under Windows
- Add Win32 installer support
- Add support for the Clang compiler
- Fix problem in semcem.h preventing build under Clang or GCC 3.4
- Fix bug that prevented creation of DSA groups under 1024 bits
- Fix crash in GMP_Engine if library is shutdown and reinitialized
- Work around problem with recent binutils in x86-64 SHA-1
- The Perl build script is no longer supported and refuses to run by
default
* 1.8.8, 2009-11-03
- Alter Skein-512 to match the tweaked 1.2 specification
- Fix use of inline asm for access to x86 bswap function
- Allow building the library without AES enabled
- Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild
This update is quite delicate and I'm sure it'll break somewhere. So far
I've only been able to test it in NetBSD/amd64 and Mac OS X Leopard.
I'm bumping the dependency version in buildlink3.mk because the only package
using this seems to be Monotone, and I'll updating it right away.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
