Commit graph

9786 commits

Author SHA1 Message Date
schmonz
1dc8084740 Remove decade-old warning that stunnel moved from sbin to bin. 2018-09-14 16:37:41 +00:00
fhajny
fbd28ecc36 security/openssl: Update to 1.0.2p.
- Client DoS due to large DH parameter

  During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  malicious server can send a very large prime value to the client. This will
  cause the client to spend an unreasonably long period of time generating a
  key for this prime resulting in a hang until the client has finished. This
  could be exploited in a Denial Of Service attack.

  This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
  (CVE-2018-0732)
  [Guido Vranken]

- Cache timing vulnerability in RSA Key Generation

  The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  a cache timing side channel attack. An attacker with sufficient access to
  mount cache timing attacks during the RSA key generation process could
  recover the private key.

  This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
  Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
  (CVE-2018-0737)
  [Billy Brumley]

- Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  parameter is no longer accepted, as it leads to a corrupt table.  NULL
  pem_str is reserved for alias entries only.
  [Richard Levitte]

- Revert blinding in ECDSA sign and instead make problematic addition
  length-invariant. Switch even to fixed-length Montgomery multiplication.
  [Andy Polyakov]

- Change generating and checking of primes so that the error rate of not
  being prime depends on the intended use based on the size of the input.
  For larger primes this will result in more rounds of Miller-Rabin.
  The maximal error rate for primes with more than 1080 bits is lowered
  to 2^-128.
  [Kurt Roeckx, Annie Yousar]

- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  [Kurt Roeckx]

- Add blinding to ECDSA and DSA signatures to protect against side channel
  attacks discovered by Keegan Ryan (NCC Group).
  [Matt Caswell]

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  now allow empty (zero character) pass phrases.
  [Richard Levitte]

- Certificate time validation (X509_cmp_time) enforces stricter
  compliance with RFC 5280. Fractional seconds and timezone offsets
  are no longer allowed.
  [Emilia Käsper]
2018-09-12 12:44:17 +00:00
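The first two items in this OpenSSL changelog entry (a server-supplied DH prime large enough to stall the client, and the size-dependent Miller-Rabin error rate that the later prime-checking items describe) are both about what a peer-supplied modulus should be subjected to before any expensive arithmetic runs on it. The Go program below is an added example and is not OpenSSL's or pkgsrc's code: it refuses a modulus above a size ceiling before doing anything else (the 10000-bit value mirrors OPENSSL_DH_MAX_MODULUS_BITS, which OpenSSL's fix for CVE-2018-0732 enforces), then runs a Miller-Rabin test whose round count is chosen from the candidate's size. The round policy is a simplification assumed for this example (the worst-case 1/4-per-round bound, so 64 rounds reach the 2^-128 figure the entry quotes for candidates above 1080 bits), not OpenSSL's actual table, and the 1024-bit floor is likewise an example value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Ceiling on a peer-supplied DH modulus. Mirrors the 10000-bit limit
// (OPENSSL_DH_MAX_MODULUS_BITS) that OpenSSL's CVE-2018-0732 fix applies
// before any modular exponentiation is attempted.
const maxDHModulusBits = 10000

// Floor chosen for this example; a deployment would set its own policy.
const minDHModulusBits = 1024

var (
	ErrModulusTooLarge = errors.New("dh: modulus exceeds size ceiling (possible DoS parameter)")
	ErrModulusTooSmall = errors.New("dh: modulus below minimum size")
	ErrNotPrime        = errors.New("dh: modulus is not prime")
)

// millerRabinRounds picks the round count from the candidate's size.
// Simplified policy assumed here (not OpenSSL's table): each round bounds
// the error by 1/4 in the worst case, so 64 rounds give 4^-64 = 2^-128 for
// candidates above 1080 bits and 40 rounds give 2^-80 for smaller ones.
func millerRabinRounds(bits int) int {
	if bits > 1080 {
		return 64
	}
	return 40
}

// isProbablePrime runs `rounds` Miller-Rabin rounds with random bases and
// returns true only if no base witnessed that n is composite.
func isProbablePrime(n *big.Int, rounds int) (bool, error) {
	one, two, three := big.NewInt(1), big.NewInt(2), big.NewInt(3)
	if n.Cmp(three) <= 0 {
		return n.Cmp(one) > 0, nil // 2 and 3 are prime; 1, 0 and negatives are not
	}
	if n.Bit(0) == 0 {
		return false, nil
	}
	// Write n-1 = d * 2^s with d odd.
	nMinus1 := new(big.Int).Sub(n, one)
	d := new(big.Int).Set(nMinus1)
	s := 0
	for d.Bit(0) == 0 {
		d.Rsh(d, 1)
		s++
	}
	nMinus3 := new(big.Int).Sub(n, three)
	x := new(big.Int)
	for i := 0; i < rounds; i++ {
		a, err := rand.Int(rand.Reader, nMinus3) // uniform in [0, n-3)
		if err != nil {
			return false, err
		}
		a.Add(a, two) // base a in [2, n-2]
		x.Exp(a, d, n)
		if x.Cmp(one) == 0 || x.Cmp(nMinus1) == 0 {
			continue
		}
		witness := true
		for r := 1; r < s; r++ {
			x.Mul(x, x)
			x.Mod(x, n)
			if x.Cmp(nMinus1) == 0 {
				witness = false
				break
			}
		}
		if witness {
			return false, nil
		}
	}
	return true, nil
}

// checkDHPrime validates a modulus received from a peer. The cheap size
// checks run first, so an absurdly large value is refused before the
// expensive primality test or any key generation touches it.
func checkDHPrime(p *big.Int) error {
	bits := p.BitLen()
	if bits > maxDHModulusBits {
		return ErrModulusTooLarge
	}
	if bits < minDHModulusBits {
		return ErrModulusTooSmall
	}
	ok, err := isProbablePrime(p, millerRabinRounds(bits))
	if err != nil {
		return err
	}
	if !ok {
		return ErrNotPrime
	}
	return nil
}

func main() {
	p, _ := rand.Prime(rand.Reader, 2048)
	fmt.Println("2048-bit prime:", checkDHPrime(p))
	huge := new(big.Int).Lsh(big.NewInt(1), maxDHModulusBits) // 10001 bits
	fmt.Println("oversized modulus:", checkDHPrime(huge))
}
```

The order of the checks is the point: the size ceiling costs a single BitLen call, whereas a primality test on a multi-thousand-bit value is itself the kind of work an attacker would want the client to perform, so it must never run on an unbounded input.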
schmonz
f80e881160 Update to 5.49. From the changelog:
* New features
  - Performance optimizations.
  - Logging of negotiated or resumed TLS session IDs (thx
    to ANSSI - National Cybersecurity Agency of France).
  - Merged Debian 10-enabled.patch and 11-killproc.patch
    (thx to Peter Pentchev).

* Bugfixes
  - Fixed a crash in the session persistence implementation.
  - Fixed syslog identifier after configuration file reload.
  - Fixed non-interactive "make check" invocations.
  - Fixed reloading syslog configuration.
  - stunnel.pem created with SHA-256 instead of SHA-1.
  - SHA-256 "make check" certificates.
2018-09-11 09:43:41 +00:00
schmonz
7570c0498e Update to 4.0.4. From the git log:
- Make regular expression accept a whitespace after CN.
- Don't fail on openssl 1.1 output
- Add documentation and support for Red Hat openssl directories
- fix parsing of new (?) openssl output format
- Fix broken Markdown headings
- FIX CN parsing to work with OpenSSL 1.1
- Make acme_tiny.py executable in index
- Minor tweak that makes deploying a tiny bit easier
- OpenSSL output seems to have changed another time.
- fixed changing error message
- fixed more error message case changes
- Fix typos
- switched to grabbing the agreement url from /directory, addresses #145, #148, #172, #189
- damn python3 bytes-to-strings encoding gets you again...
- added python 3.6 to test coverage
- update SSL config
- mostly working ACMEv2, except for letsencrypt/boulder#3367
- deprecated CA url in favor of using the direct certificate authority directory url
- added badNonce retries
- consolidated external commandline execution error handling to bring back under 200 lines of code
- removed challenge payload that is no longer needed in new acme spec
- updated test coverage to ignore new setup.py file (setup install still gets tested via test_install.py)
- updated readme to note that ACME v2 certificate downloads now include the intermediate certificate
- added optional contact details
- fixed buffer to unicode decoding for tests
- cleaned up help and copyright text
- Readme: Only needs access to private account key
- added tiny user agent
- don't skip ValueError when urlopen(Request(nonvalid, ...))
2018-09-08 18:52:18 +00:00
fhajny
c311f77703 security/hitch: Update to 1.4.8.
hitch-1.4.8 (2018-04-19)
------------------------

- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged
  user.

hitch-1.4.7 (2018-01-11)
------------------------

- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to
  OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in
  the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if redundant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters
  available through command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the
  pipe's write end open, leaking one file descriptor per worker upon
  reload
2018-09-07 13:54:45 +00:00
fhajny
d0fc14b184 security/vault: Update to 0.11.1.
SECURITY:

- Random Byte Reading in Barrier: Prior to this release, Vault was not
  properly checking the error code when reading random bytes for the IV for
  AES operations in its cryptographic barrier. Specifically, this means that
  such an IV could potentially be zero multiple times, causing nonce re-use
  and weakening the security of the key. On most platforms this should never
  happen because reading from kernel random sources is non-blocking and always
  successful, but there may be platform-specific behavior that has not been
  accounted for. (Vault has tests to check exactly this, and the tests have
  never seen nonce re-use.)

FEATURES:

- AliCloud Agent Support: Vault Agent can now authenticate against the
  AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.

IMPROVEMENTS:

- core: Logging level for most logs (not including secrets/auth plugins) can
  now be changed on-the-fly via `SIGHUP`, reading the desired value from
  Vault's config file

BUG FIXES:

- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
  storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
  certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
  error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
  to show up for unauthenticated users
2018-09-06 20:41:53 +00:00
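The "Random Byte Reading in Barrier" item above describes a classic failure mode: a read from the random source returns an error, the error is discarded, and the caller proceeds with the zero-filled buffer it allocated, so the same all-zero IV is used again and again. The Go program below is an added example written for this page, not Vault's code: it shows the unchecked pattern beside the corrected one, and an AES-GCM seal routine that refuses to encrypt when the nonce cannot be generated. The `failingReader` type is a constructed stand-in for a platform whose random source reports an error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// failingReader models a platform whose random source reports an error
// instead of filling the buffer. Constructed for this example.
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) {
	return 0, errors.New("random source unavailable")
}

// newNonceUnchecked is the hazardous pattern the Vault note describes: the
// read error is discarded, so on failure the caller proceeds with an
// all-zero nonce, and does so again on every later call.
func newNonceUnchecked(r io.Reader, size int) []byte {
	nonce := make([]byte, size)
	_, _ = r.Read(nonce) // bug: error ignored
	return nonce
}

// newNonce is the corrected pattern: io.ReadFull either fills the whole
// buffer or returns an error, and that error is propagated to the caller.
func newNonce(r io.Reader, size int) ([]byte, error) {
	nonce := make([]byte, size)
	if _, err := io.ReadFull(r, nonce); err != nil {
		return nil, fmt.Errorf("generating nonce: %w", err)
	}
	return nonce, nil
}

// isAllZero reports whether every byte is zero (the symptom of the bug).
func isAllZero(b []byte) bool {
	for _, v := range b {
		if v != 0 {
			return false
		}
	}
	return true
}

// sealGCM encrypts plaintext with AES-GCM using a nonce drawn from r and
// prefixes the nonce to the ciphertext. If the nonce cannot be generated
// it refuses to encrypt rather than falling back to a fixed value.
func sealGCM(key, plaintext []byte, r io.Reader) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := newNonce(r, aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key for the example only
	fmt.Println("unchecked, failing source -> all-zero nonce:",
		isAllZero(newNonceUnchecked(failingReader{}, 12)))
	_, err := sealGCM(key, []byte("barrier entry"), failingReader{})
	fmt.Println("checked, failing source ->", err)
	ct, err := sealGCM(key, []byte("barrier entry"), rand.Reader)
	fmt.Println("checked, good source -> ciphertext bytes:", len(ct), err)
}
```

A test that feeds a deliberately failing reader into the nonce path, as the Vault entry says its own tests do, is the cheap way to keep this class of bug from returning: the unchecked version silently yields zeros, the checked version returns an error before any ciphertext is produced.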
adam
210800f5a9 py-trustme: added version 0.4.0
trustme is a tiny Python package that does one thing: it gives you a fake
certificate authority (CA) that you can use to generate fake TLS certs to use
in your tests. Well, technically they're real certs, they're just signed by
your CA, which nobody trusts. But you can trust it. Trust me.
2018-09-06 13:36:16 +00:00
adam
ae27f264b5 py-paramiko: BUILD_DEPENDS -> TEST_DEPENDS 2018-09-06 13:28:00 +00:00
fhajny
8665bb2c38 security/py-certbot-dns-rfc2136: Fix EGG_NAME. 2018-09-06 12:26:43 +00:00
fhajny
da4b10957e py-{acme,certbot}: Update to 0.27.0.
## 0.27.0 - 2018-09-05

### Added

- The Apache plugin now accepts the parameter --apache-ctl which can
  be used to configure the path to the Apache control script.

### Changed

- When using `acme.client.ClientV2` (or
  `acme.client.BackwardsCompatibleClientV2` with an ACME server that
  supports a newer version of the ACME protocol), an
  `acme.errors.ConflictError` will be raised if you try to create
  an ACME account with a key that has already been used. Previously,
  a JSON parsing error was raised in this scenario when using the
  library with Let's Encrypt's ACMEv2 endpoint.

### Fixed

- When Apache is not installed, Certbot's Apache plugin no longer
  prints messages about being unable to find apachectl to the
  terminal when the plugin is not selected.
- If you're using the Apache plugin with the --apache-vhost-root flag
  set to a directory containing a disabled virtual host for the
  domain you're requesting a certificate for, the virtual host will
  now be temporarily enabled if necessary to pass the HTTP challenge.
- The documentation for the Certbot package can now be built using
  Sphinx 1.6+.
- You can now call `query_registration` without having to first call
  `new_account` on `acme.client.ClientV2` objects.
- The requirement of `setuptools>=1.0` has been removed from
  `certbot-dns-ovh`.
- Names in certbot-dns-sakuracloud's tests have been updated to refer
  to Sakura Cloud rather than NS1 whose plugin certbot-dns-sakuracloud
  was based on.

## 0.26.1 - 2018-07-17

### Fixed

- Fix a bug that was triggered when users who had previously manually
  set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.
2018-09-06 12:25:26 +00:00
leot
70f6e58fbf sqlmap: Update security/sqlmap to 1.2.9
Changes:
Unfortunately no changelog is provided upstream. According to a skimming of
commit messages, mostly bug fixes since 1.2.
2018-09-05 19:34:03 +00:00
ryoon
cf4a7b7df0 Update to 2.2.10
Changelog:
Noteworthy changes in version 2.2.10 (2018-08-30)
-------------------------------------------------

  gpg: Refresh expired keys originating from the WKD.  [#2917]

  gpg: Use a 256 KiB limit for a WKD imported key.

  gpg: New option --known-notation.  [#4060]

  scd: Add support for the Trustica Cryptoucan reader.

  agent: Speed up starting during on-demand launching.  [#3490]

  dirmngr: Validate SRV records in WKD queries.
2018-09-05 15:41:12 +00:00
adam
68c7635d39 Removed py-oauth, py-oauth2 2018-09-05 09:21:51 +00:00
prlw1
e5803b7a41 Update p11-kit to 0.23.14
0.23.14 (stable)
 * proxy: Avoid invalid memory access when unloading proxy module [PR#180]
 * Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
 * build: Restore libpthread dependency [PR#183]
 * Build fixes [PR#188]
2018-09-05 08:34:10 +00:00
fhajny
eeb98c4ce9 security/duo-unix: Update to 1.10.4.
duo_unix-1.10.4:

- Removed failmode decision from auth endpoint and moved it to only
  preauth according to standards in our other integrations
- Updated Duo Unix to speak up to TLS 1.2
- Support for LibreSSL 2.7.0 and up
- Minor memory leak fixes
- Output message when user is locked out

duo_unix-1.10.3:

- Added support for http_proxy with SELinux enabled

duo_unix-1.10.2:

- Added default failmode values in config files
2018-09-04 14:43:09 +00:00
minskim
356082c4c1 security/botan{,-devel}: Designate doc dir explicitly
Before this change, botan{,-devel} installed documents in
${PREFIX}/doc, not ${PREFIX}/share/doc, on Darwin.
2018-09-04 00:02:02 +00:00
fhajny
08a9017f6f security/vault: Update to 0.11.0.
DEPRECATIONS/CHANGES:

- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
  removed.
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operate on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If your flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.

FEATURES:

- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
  environment.
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on vaultproject.io for
  various workflows in Vault.

IMPROVEMENTS:

- agent: Add `exit_after_auth` to be able to use the Agent for a single
  authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.

BUG FIXES:

- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races
2018-09-03 18:59:08 +00:00
wiz
55240344c6 py-certifi: update to 2018.8.24.
Changes not documented.
2018-09-03 10:51:36 +00:00
bsiegert
61f3121d56 Update tcl-tls to 1.7.16.
This restores compatibility with OpenSSL 1.1.0. Local patches are no longer
needed.

Patch from Anthony Mallet in PR pkg/53534.
2018-09-02 18:37:26 +00:00
tnn
9e50581271 p11-kit: Hide getauxval(). PR pkg/53387 (related to port-arm/53386) 2018-09-02 07:49:51 +00:00
wiz
3ecfc489ce p5-Net-DNS-SEC: update to 1.10.
**** 1.10 Aug 31, 2018

	make test_cover
	now collects SEC.xs test coverage metrics using gcc and gcov.
2018-09-02 07:36:05 +00:00
wiz
1dd377b36d p5-Module-Signature: update to 0.83.
[Changes for 0.83 - Wed Aug 29 17:33:12 JST 2018]

* Update META.yml.
2018-09-02 07:33:35 +00:00
tnn
d34cdf2feb google-authenticator: update to 1.05
- upstream renamed to google-authenticator-libpam,
  but keep our existing PKGNAME in pkgsrc for now
- convert to github.mk style package
- install documentation
- other upstream changes unknown
2018-08-29 11:12:36 +00:00
wiz
e910ad949e p5-Module-Signature: update to 0.82.
[Changes for 0.82 - Sun Aug 26 23:00:04 CST 2018]

* Fix CRLF handling on Win32. (@niklasholm)

* Default to SHA256 on new hashes as SHA1 is deprecated. (@niklasholm)
2018-08-29 06:27:47 +00:00
adam
1cfd1115df py-py-bcrypt: removed; successor py-bcrypt 2018-08-28 11:47:52 +00:00
triaxx
2532a43fae openpam: add example configuration files
sudo compiled with -pam and PREFER_PKGSRC=yes now works out of the box
2018-08-27 08:59:52 +00:00
he
9465ca8d6d Add a fix for CVE-2017-13755, pointed to from
https://github.com/sleuthkit/sleuthkit/issues/913
Bump PKGREVISION.
2018-08-23 07:47:34 +00:00
wiz
93b46879c7 Recursive bump for perl5-5.28.0 2018-08-22 09:43:40 +00:00
wiz
9bd737fe76 Recursive bump for perl5-5.28.0 2018-08-22 09:42:51 +00:00
wiz
2e574303af p5-IO-Socket-SSL: update to 2.059.
2.059 2018/08/15
- fix memleak when CRL are used.
  Thanks to Franz Skale for report and patch
  https://rt.cpan.org/Ticket/Display.html?id=125867
- fix memleak when using stop_SSL and threads, reported by Paul Evans
  https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132
2.058 2018/07/19
- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
  expects the extKeyUsage of clientAuth in the client cert also to be allowed
  by the CA if CA uses extKeyUsage
2.057 2018/07/18
- fix memory leak which occurred with explicit stop_SSL in connection with
  non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867
  Thanks to Paul Evans for reporting
- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
  nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting number
  or callback to create serial number based on the original certificate
- new function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct value
2018-08-21 12:06:03 +00:00
wiz
6ab4ae5310 gnutls: Fix path to bash in installed files.
Bump PKGREVISION.
2018-08-20 06:01:25 +00:00
wiz
0250020153 *: reset maintainer for drochner 2018-08-19 20:16:39 +00:00
wiz
88ea67c366 py-certifi: update to 2018.8.13.
Changes not found.
2018-08-19 18:13:49 +00:00
wiz
625589655e gnutls: remove obsolete configure argument 2018-08-19 09:16:01 +00:00
adam
7fb7116c0d sudo: updated to 1.8.24
Sudo 1.8.24

 * The LDAP and SSS back-ends now use the same rule evaluation code
   as the sudoers file backend.  This builds on the work in sudo
   1.8.23 where the formatting functions for "sudo -l" output were
   shared.  The handling of negated commands in SSS and LDAP is
   unchanged.

 * Fixed a regression introduced in 1.8.23 where "sudo -i" could
   not be used in conjunction with --preserve-env=VARIABLE.

 * cvtsudoers can now parse base64-encoded attributes in LDIF files.

 * Random insults are now more random.

 * Fixed the noexec wordexp(3) test on FreeBSD.

 * Added SUDO_CONV_PREFER_TTY flag for conversation function to
   tell sudo to try writing to /dev/tty first. Can be used in
   conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.

 * Sudo now supports an arbitrary number of groups per user on
   Solaris.  Previously, only the first 64 groups were found.
   This should remove the need to set "max_groups" in sudo.conf.

 * Fixed typos in the OpenLDAP sudo schema.

 * Fixed a race condition when building with parallel make.

 * Fixed a duplicate free when netgroup_base in ldap.conf is set
   to an invalid value.

 * Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent
   local users and groups from being resolved properly on systems
   that have users stored in NIS, LDAP or AD.

 * Added a workaround for an AIX bug exposed by a change in sudo
   1.8.23 that prevents the terminal mode from being restored when
   I/O logging is enabled.

 * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD
   and PAM_AUTHTOK_EXPIRED errors from PAM account management if
   authentication is disabled for the user.  This fixes a regression
   introduced in sudo 1.8.23.

 * Fixed an ambiguity in the sudoers manual in the description and
   definition of User, Runas, Host, and Cmnd Aliases.

 * Fixed a bug that resulted in only the first window size change
   event being logged.

 * Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that
   caused sudo to prompt for a password every time when tty-based
   time stamp files were in use.

 * Fixed a compilation problem on systems that define O_PATH or
   O_SEARCH in fcntl.h but do not define O_DIRECTORY.
2018-08-19 08:46:44 +00:00
wiz
73662a10f8 gnutls: build-depend on bash for the tests.
Replace interpreter in more shell scripts. Gets tests further along.
2018-08-19 06:28:39 +00:00
wiz
cf137b353a p11-kit: update to 0.23.13.
0.23.13 (stable)
 * server: Enable socket activation through systemd [PR#173]
 * rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
 * proxy: Fail early if there is no slot mapping [PR#175]
 * Remove hard dependency on libpthread on glibc systems [PR#177]
 * Build fixes [PR#170, PR#176]
2018-08-19 05:00:41 +00:00
adam
6fe7aebb5e py-cryptodome: updated to 3.6.6
3.6.6:
Resolved issues
Fix vulnerability on AESNI ECB with payloads smaller than 16 bytes.
2018-08-18 20:57:30 +00:00
adam
9d06c0a472 revbump after boost-libs update 2018-08-16 18:54:26 +00:00
wiz
9bc4853b12 polkit: update to 0.115.
This is polkit 0.115.

Highlights:
 Fixes CVE-2018-1116, a local information disclosure and denial of service
 caused by trusting client-submitted UIDs when referencing processes.
 Thanks to Matthias Gerstner of the SUSE security team for reporting
 this issue.

Changes since polkit 0.114:

Miloslav Trmač (1):
      Fix CVE-2018-1116: Trusting client-supplied UID

Ray Strode (3):
      Post-release version bump to 0.115
      jsauthority: pass "%s" format string to remaining report function
      NEWS: fix date from 2017 to 2018 for 0.114 entry
2018-08-16 12:30:43 +00:00
wiz
b10361d25b gnutls: update to 3.6.3.
* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
   negotiation, post handshake authentication, length hiding, multiple OCSP support,
   consistent ciphersuite support across protocols, hello retry requests, ability
   to adjust key shares via gnutls_init() flags, certificate authorities extension,
   and key usage limits. TLS1.3 draft-28 support can be enabled by default if
   the option --enable-tls13-support is given to configure script.

** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
   earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings
   TLS 1.3 will be disabled. When Anonymous ciphersuites are specified in priority
   strings, then TLS 1.3 negotiation will be disabled if the session is associated
   only with an anonymous credentials structure.

** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
   This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12,
   and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
   256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357),
   and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
   as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
   priority strings, as they are undefined under TLS1.3 and they provide no advantage
   over other options in earlier protocols.

** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled
   by specifying --enable-ssl3-support on configure script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
   operations.

** libgnutls: Introduced low-level function to assist applications attempting client
   hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
   modifications to the certificate. That prevents DER re-encoding issues with incorrectly
   encoded certificates, or other DER incompatibilities to affect a TLS session.
   Relates with #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
   which are preferred by the server. That unfortunately has complicated semantics
   as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering,
   which could make group order unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
   and Adi Shamir reported that the existing counter-measures had certain issues and
   were insufficient when the attacker has additional access to the CPU cache and
   performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
   of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
   GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
   change for these functions which makes them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().

** certtool: It is now possible to specify certificate and serial CRL numbers greater
   than 2**63-2 as a hex-encoded string both when prompted and in a template file.
   Default certificate serial numbers are now fully random. Default CRL
   numbers include more random bits and are larger than in previous GnuTLS versions.
   Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually
   if you intend to later downgrade to previous versions as it was not possible
   to specify large CRL numbers in previous versions of certtool.
2018-08-16 11:05:47 +00:00
adam
bf527df93b py-cryptography[_vectors]: updated to 2.3.1
2.3.1:
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0i.
2018-08-15 08:21:42 +00:00
adam
42cae68ce9 sudo: updated to 1.8.23
Sudo 1.8.23

 * PAM account management modules and BSD auto approval modules are
   now run even when no password is required.

 * For kernel-based time stamps, if no terminal is present, fall
   back to parent-pid style time stamps.

 * The new cvtsudoers utility replaces both the "sudoers2ldif" script
   and the "visudo -x" functionality.  It can read a file in either
   sudoers or LDIF format and produce JSON, LDIF or sudoers output.
   It is also possible to filter the generated output file by user,
   group or host name.

 * The file, ldap and sss sudoers backends now share a common set
   of formatting functions for "sudo -l" output, which is also used
   by the cvtsudoers utility.

 * The /run directory is now used in preference to /var/run if it
   exists.

 * More accurate descriptions of the --with-rundir and --with-vardir
   configure options.

 * The setpassent() and setgroupent() functions are now used on systems
   that support them to keep the passwd and group database open.
   Sudo performs a lot of passwd and group lookups so it can be
   beneficial to avoid opening and closing the files each time.

 * The new case_insensitive_user and case_insensitive_group sudoers
   options can be used to control whether sudo does case-sensitive
   matching of users and groups in sudoers.  Case insensitive
   matching is now the default.

 * Fixed a bug on some systems where sudo could hang on command
   exit when I/O logging was enabled.

 * Fixed the build-time process start time test on Linux when the
   test is run from within a container.

 * When determining which temporary directory to use, sudoedit now
   checks the directory for writability before using it.  Previously,
   sudoedit only performed an existence check.

 * Sudo now includes an optional set of Monty Python-inspired insults.

 * Fixed the execution of scripts with an associated digest (checksum)
   in sudoers on FreeBSD systems.  FreeBSD does not have a proper
   /dev/fd directory mounted by default and its fexecve(2) is not
   fully POSIX compliant when executing scripts.

 * Chinese (Taiwan) translation for sudo from translationproject.org.
2018-08-14 13:18:37 +00:00
adam
e7c520a2c0 py-cryptodome: updated to 3.6.5
3.6.5:
Fixed incorrect AES encryption/decryption with AES acceleration on x86 due to gcc’s optimization and strict aliasing rules.
More prime number candidates than necessary were discarded as composite due to the limited way D values were searched in the Lucas test.
Fixed ResourceWarnings and DeprecationWarnings.
Workaround for Python 3.7.0 bug on Windows
2018-08-13 07:20:10 +00:00
leot
43e45cebca password-store: Update security/password-store to 1.7.3
Discussed with and thanks to <imil>!

Changes:
1.7.3
-----
Pass 1.7.3 has been released with a few small bug fixes, including one
regression involving storing binary data in pass from 1.7.2.
2018-08-11 17:49:42 +00:00
schmonz
0af5130d14 According to <https://cr.yp.to/highspeed/coolnacl-20120725.pdf>, "NaCl
is in the public domain". Set LICENSE accordingly.
2018-08-08 08:10:24 +00:00
adam
e4c7652bec py-gssapi: updated to 1.5.1
1.5.1:
Remove warning about collections.abc usage for Python 3.7+
2018-08-07 08:23:09 +00:00
adam
d76b51319c py-asn1-modules: updated to 0.2.2
Revision 0.2.2:
- Copyright notice extended to the year 2018
- Migrated references from SourceForge
- rfc2986 module added
2018-08-06 19:30:15 +00:00
adam
ce6a2acccb py-asn1: updated to 0.4.4
Revision 0.4.4:
- Fixed native encoder type map to include all ASN.1 types
  rather than just ambiguous ones
- Fixed crash in .prettyPrint of Sequence and Set occurring
  at OPTIONAL components
2018-08-06 19:21:51 +00:00
schmonz
06032ebbfb Update to 5.48. From the changelog:
* Security bugfixes
  - Fixed requesting client certificate when specified
    as a global option.
* New features
  - Certificate subject checks modified to accept certificates
    if at least one of the specified checks matches.
2018-08-04 17:12:28 +00:00
jperkin
54dde50bd7 p11-kit: Build fix for older Darwin. 2018-08-01 19:18:19 +00:00
maya
dc2326e1e7 putty: fix build after gdk_beep became deprecated.
bump pkgrevision for paranoia.
2018-08-01 05:34:17 +00:00
jperkin
4e4b522485 lasso: _XOPEN_SOURCE and _POSIX_C_SOURCE fixes. 2018-07-31 12:39:34 +00:00
schmonz
822892c127 Rename 'async' parameter (Python 3.7 keyword). 2018-07-29 10:04:00 +00:00
brook
d1d2bdf864 Remove MASTER_SITES= from individual R package Makefiles.
Each R package should include ../../math/R/Makefile.extension, which also
defines MASTER_SITES.  Consequently, it is redundant for the individual
packages to do the same.  Package-specific definitions also prevent
redefining MASTER_SITES in a single common place.
2018-07-28 14:40:42 +00:00
jperkin
0f262c076b p5-Net-DNS-SEC: Requires openssl. 2018-07-27 20:37:05 +00:00
manu
0dc6ab1816 Build with OpenSSL < 1.1.0 that was patched to include EVP_CIPHER_CTX_iv 2018-07-25 01:16:04 +00:00
triaxx
2bc64cbe9a Add used by comment for py-certbot-dns-rfc2136. 2018-07-24 09:24:11 +00:00
triaxx
c66844dbf1 Improve DESCR that was a copy-paste of COMMENT. 2018-07-24 09:22:38 +00:00
triaxx
b40eb97620 Import www/py-certbot-dns-rfc2136 2018-07-24 09:17:08 +00:00
triaxx
feaa0bcd08 security/py-certbot-dns-rfc2136: import to 0.26.0 2018-07-24 09:15:07 +00:00
adam
25139dbcf9 py-asyncssh: updated to 1.13.3
1.13.3:
Added support for setting the Unicode error handling strategy in conjunction with setting an encoding when creating new SSH sessions, streams, and processes. This strategy can also be set when specifying a session encoding in create_server(), and when providing an encoding in the get_comment() and set_comment() functions on private/public keys and certificates.
Changed handling of Unicode in channels to use incremental codec, similar to what was previously done in process redirection.
Added Python 3.7 to the list of classifiers in setup.py, now that it has been released.
Updated Travis CI configuration to add Python 3.7 builds, and moved Linux builds on newer versions of Python up to xenial.
Added missing coroutine decorator in test_channel.
2018-07-24 06:09:33 +00:00
fhajny
dc6fe07987 security/erlang-jose: Provide workaround to build on erlang>=21. 2018-07-20 09:55:47 +00:00
fhajny
5a6b72843c security/erlang-fast_tls: Update to 1.0.23.
- Updating p1_utils to version 1.0.12.
- Add ability to get cipher user by connection
2018-07-20 09:02:12 +00:00
ryoon
b9c1e1d533 Recursive revbump from textproc/icu-62.1 2018-07-20 03:33:47 +00:00
jaapb
05083dc708 Recursive revbump associated with the update of lang/ocaml to 4.07. 2018-07-19 15:15:20 +00:00
adam
2615289b69 py-cryptography[_vectors]: updated to 2.3
2.3:

SECURITY ISSUE: :meth:~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the :class:~cryptography.hazmat.primitives.ciphers.modes.GCM constructor. CVE-2018-10903
Added support for Python 3.7.
Added :meth:~cryptography.fernet.Fernet.extract_timestamp to get the authenticated timestamp of a :doc:Fernet </fernet> token.
Support for Python 2.7.x without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next cryptography release.
Fixed multiple issues preventing cryptography from compiling against LibreSSL 2.7.x.
Added :class:~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number for quick serial number searches in CRLs.
The :class:~cryptography.x509.RelativeDistinguishedName class now preserves the order of attributes. Duplicate attributes now raise an error instead of silently discarding duplicates.
:func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap and :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding now raise :class:~cryptography.hazmat.primitives.keywrap.InvalidUnwrap if the wrapped key is an invalid length, instead of ValueError.
2018-07-19 09:24:37 +00:00
joerg
a19083df44 Mark packages that require C++03 (or the GNU variants) if they fail with
C++14 default language.
2018-07-18 00:06:10 +00:00
fhajny
50ab0d83fb net/py-{acme,certbot}: Update to 0.26.0.
### Added

- A new security enhancement which we're calling AutoHSTS has been
  added to Certbot's Apache plugin. This enhancement configures your
  webserver to send a HTTP Strict Transport Security header with a low
  max-age value that is slowly increased over time. The max-age value is
  not increased to a large value until you've successfully managed to
  renew your certificate. This enhancement can be requested with the
  --auto-hsts flag.
- New official DNS plugins have been created for Gehirn Infrastructure
  Service, Linode, OVH, and Sakura Cloud. These plugins can be found
  on our Docker Hub page at https://hub.docker.com/u/certbot and on
  PyPI.
- The ability to reuse ACME accounts from Let's Encrypt's ACMEv1
  endpoint on Let's Encrypt's ACMEv2 endpoint has been added.
- Certbot and its components now support Python 3.7.
- Certbot's install subcommand now allows you to interactively choose
  which certificate to install from the list of certificates managed
  by Certbot.
- Certbot now accepts the flag `--no-autorenew` which causes any
  obtained certificates to not be automatically renewed when it
  approaches expiration.
- Support for parsing the TLS-ALPN-01 challenge has been added back to
  the acme library.

### Changed

- Certbot's default ACME server has been changed to Let's Encrypt's
  ACMEv2 endpoint. By default, this server will now be used for both
  new certificate lineages and renewals.
- The Nginx plugin is no longer labeled as an "Alpha" version.
- The `prepare` method of Certbot's plugins is no longer called before
  running "Updater" enhancements that are run on every invocation of
  `certbot renew`.
2018-07-17 16:32:16 +00:00
adam
98191082f8 libgpg-error: updated to 1.32
version 1.32:
* Fixes a problem with gpgrt_fflush and gpgrt_fopencookie.
* Fixes a problem with the C11 header stdnoreturn.h.
* The yat2m tool can now also be built on Windows.
* Updates translations for Spanish, Russian and Ukrainian.
2018-07-17 06:38:02 +00:00
jperkin
589484bd12 mit-krb5: mmap -Werror=incompatible-pointer-types fixes. 2018-07-16 10:26:40 +00:00
ryoon
a66d0f5769 Update to 2.2.9
Changelog:
Noteworthy changes in version 2.2.9 (2018-07-12)
------------------------------------------------

  * dirmngr: Fix recursive resolver mode and other bugs in the libdns
    code.  [#3374,#3803,#3610]

  * dirmngr: When using libgpg-error 1.32 or later a GnuPG build with
    NTBTLS support (e.g. the standard Windows installer) does not
    anymore block for dozens of seconds before returning data.

  * gpg: Fix bug in --show-keys which actually imported revocation
    certificates.  [#4017]

  * gpg: Ignore too long user-ID and comment packets.  [#4022]

  * gpg: Fix crash due to bad German translation.  Improved printf
    format compile time check.

  * gpg: Handle missing ISSUER sub packet gracefully in the presence of
    the new ISSUER_FPR.  [#4046]

  * gpg: Allow decryption using several passphrases in most cases.
    [#3795,#4050]

  * gpg: Command --show-keys now enables the list options
    show-unusable-uids, show-unusable-subkeys, show-notations and
    show-policy-urls by default.

  * gpg: Command --show-keys now prints revocation certificates. [#4018]

  * gpg: Add revocation reason to the "rev" and "rvs" records of the
    option --with-colons.  [#1173]

  * gpg: Export option export-clean does now remove certain expired
    subkeys; export-minimal removes all expired subkeys.  [#3622]

  * gpg: New "usage" property for the drop-subkey filters.  [#4019]

  Release-info: https://dev.gnupg.org/T4036

  See-also: gnupg-announce/2018q3/000427.html
2018-07-16 01:00:22 +00:00
gdt
12e40ac41f zoneminder: adjust fix for printf/time_t
Rather than casting to long, cast to intmax_t and print with %jd, as
suggested by joerg@.
2018-07-14 15:03:57 +00:00
prlw1
02036c580e reallocarray exists in NetBSD's libc, so AC_CHECK_LIB will find it.
For some reason it is hidden in stdlib.h by _OPENBSD_SOURCE, so add
that to p11-kit's Makefile to avoid coredumps. Fixes PR pkg/53426.
2018-07-13 11:21:29 +00:00
gdt
8b461f98fa zoneminder: avoid %ld for time_t (int64_t, not long on arm)
zoneminder uses %ld to print tv.tv_sec, which is of type time_t.  On
NetBSD, that's int64_t, which happens to match long on amd64, but not
on arm, and hence printf often segfaults.  Kludge around this by
casting to long, which should work for about 20 years, by which time a
proper fix should have arrived in a zoneminder release.

Not yet raised upstream, because our package is 1.28.1 and upstream
has released 1.30.4.
2018-07-13 02:05:11 +00:00
adam
ff58ccfceb py-cryptodome: updated to 3.6.4
3.6.4:
New features
* Build Python 3.7 wheels on Linux, Windows and Mac.

Resolved issues
* Rename _cpuid module to make upgrades more robust.
* More meaningful exceptions in case of mismatch in IV length (CBC/OFB/CFB modes).
* Fix compilation issues on Solaris 10/11.
2018-07-11 07:59:33 +00:00
bsiegert
762a0da660 Do not use "naked" go invocations.
Use ${GO} instead.
2018-07-08 13:54:39 +00:00
prlw1
5f3352e029 Update gnutls to 3.6.2
* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considers the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added


* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.
2018-07-06 16:15:28 +00:00
prlw1
6e2c215f5f Update p11-kit to 0.23.12
0.23.12 (stable)
 * Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]
 * Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]
 * Build and test fixes on macOS [PR#162, PR#168]

0.23.11 (stable)
 * trust: Add extractor for edk2/cacerts.bin [PR#139]
 * modules: Add option to control module visibility from proxy [PR#140]
 * trust: Prevent trust module being loaded by proxy module [PR#142]
 * library: Use dedicated locale object for printing error [PR#148]
 * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]
 * Improve const correctness for P11KitUri [PR#152]
 * PKCS#11 URI scheme comparison is now case insensitive [PR#156]
 * Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]
2018-07-06 15:33:39 +00:00
ryoon
4fea36abc2 Recursive revbump from audio/pulseaudio 2018-07-06 15:06:40 +00:00
adam
baeaaafae6 py-ntlm-auth: updated to 1.2.0
1.2.0:
Deprecated ntlm_auth.ntlm.Ntlm in favour of ntlm_auth.ntlm.NtlmContext
This is because Ntlm is heavily geared towards HTTP auth which is not always the case, NtlmContext makes things more generic
Updated docs and tests to reflect this
Dropped support for Python 3.3
2018-07-06 07:52:40 +00:00
jperkin
5393242c73 *: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-07-04 13:40:07 +00:00
adam
43a07b11e2 gpgme: updated to 1.11.1
version 1.11.1:
* Fixed build problems in the 1.11.0 release.
* Added C++ interfaces which were planned for 1.11.0.

version 1.11.0:
* New encryption API to support direct key specification including
  hidden recipients option and taking keys from a file.  This also
  allows to enforce the use of a subkey.
* New encryption flag for the new API to enforce the use of plain
  mail addresses (addr-spec).
* The import API can now tell whether v3 keys are skipped.  These old
  and basically broken keys are not anymore supported by GnuPG 2.1.
* The decrypt and verify API will now return the MIME flag as
  specified by RFC-4880bis.
* The offline mode now has an effect on gpg by disabling all network
  access.
* A failed OpenPGP verification now returns the fingerprint of the
  intended key if a recent gpg version was used for signature
  creation.
* New tool gpgme-json as native messaging server for web browsers.
  As of now public key encryption and decryption is supported.
  Requires Libgpg-error 1.29.
* New context flag "request-origin" which has an effect when used
  with GnuPG 2.2.6 or later.
* New context flag "no-symkey-cache" which has an effect when used
  with GnuPG 2.2.7 or later.
* New convenience constant GPGME_KEYLIST_MODE_LOCATE.
* Improved the Python documentation.
* Fixed a potential regression with GnuPG 2.2.6 or later.
* Fixed a crash in the Python bindings on 32 bit platforms.
* Various minor fixes.
2018-07-04 12:46:29 +00:00
adam
e0d767d0f5 py-asyncssh: updated to 1.13.2
Release 1.13.2:
Added support for accessing client host keys via the OpenSSH ssh-keysign program when doing host-based authentication. If ssh-keysign is present and enabled on the system, an AsyncSSH based SSH client can use host-based authentication without access to the host private keys.
Added support for using pathlib path objects when reading and writing private and public keys and certificates.
Added support for auth_completed() callback in the SSHServer class which runs when authentication completes successfully on each new connection.
Fixed host-based authentication unit tests to mock out calls to getnameinfo() to avoid failures on systems with restricted network functionality.
2018-07-04 03:38:34 +00:00
adam
a31bce9748 extend PYTHON_VERSIONS_ for Python 3.7 2018-07-03 05:03:01 +00:00
joerg
7c898cc450 Update to botan-1.10.17:
- Fix for CVE-2017-14737 (side channel)
- workaround a gcc7 bug on i386
- improve forward API compatibility
2018-07-01 17:23:43 +00:00
christos
7b3d70830f switch to using github as upstream, and enable nat-t
(all patches have been included in the github version)
2018-07-01 15:47:17 +00:00
taca
64594e7100 security/py-acme: add dependency to py-requests-toolbelt
py-acme requires requests-toolbelt, fixing runtime problem of py-certbot.

Bump PKGREVISION.
2018-06-28 15:33:52 +00:00
wiz
5ff2c3951e pam-pwauth_suid: update to 1.2nb1.
Use LDFLAGS when linking. Use CC instead of LD since LDFLAGS for
relro are prefixed with "-Wl,". Cleanup some pkglint.
2018-06-25 08:22:01 +00:00
adam
9e433b3f6e py-cryptodome: updated to 3.6.3
3.6.3:
Resolved issues
GH175: Fixed incorrect results for CTR encryption/decryption with more than 8 blocks.

3.6.2:
New features
ChaCha20 accepts 96 bit nonces (in addition to 64 bit nonces) as defined in RFC7539.
Accelerate AES-GCM on x86 using PCLMULQDQ instruction.
Accelerate AES-ECB and AES-CTR on x86 by pipelining AESNI instructions.
As a result of the two improvements above, on x86 (Broadwell):
AES-ECB and AES-CTR are 3x faster
AES-GCM is 9x faster

Resolved issues
On Windows, MPIR library was still pulled in if renamed to gmp.dll.

Breaks in compatibility
In Crypto.Util.number, functions floor_div and exact_div have been removed. Also, ceil_div is limited to non-negative terms only.
2018-06-24 11:39:32 +00:00
adam
0daf519167 py-stix: updated to 1.2.0.6
Version 1.2.0.6:
Property targeted_technical_details missing in VictimTargeting class
2018-06-24 11:17:04 +00:00
adam
62490be85c easy-rsa: downgraded to 3.0.4 (3.0.5 has not been released) 2018-06-24 07:31:09 +00:00
wiz
0239ec108c keepassxc: update to 2.3.3.
Also add upstream patch for building with Qt 5.11.

2.3.3

Fix crash when browser integration is enabled [#1923]

2.3.2

Enable high entropy ASLR on Windows [#1747]
Enhance favicon fetching [#1786]
Fix crash on Windows due to Auto-Type [#1691]
Fix dark tray icon changing all icons [#1680]
Fix --pw-stdin not using getPassword function [#1686]
Fix placeholders being resolved in notes [#1907]
Enable auto-type start delay to be configurable [#1908]
Browser: Fix native messaging reply size [#1719]
Browser: Increase maximum buffer size [#1720]
Browser: Enhance usability and functionality [#1810, #1822, #1830, #1884, #1906]
SSH Agent: Parse aes-256-cbc/ctr keys [#1682]
SSH Agent: Enhance usability and functionality [#1677, #1679, #1681, #1787]

2.3.1

Fix unnecessary automatic upgrade to KDBX 4.0 and prevent challenge-response key being stripped [#1568]
Abort saving and show an error message when challenge-response fails [#1659]
Support inner stream protection on all string attributes [#1646]
Fix favicon downloads not finishing on some websites [#1657]
Fix freeze due to invalid STDIN data [#1628]
Correct issue with encrypted RSA SSH keys [#1587]
Fix crash on macOS due to QTBUG-54832 [#1607]
Show error message if ssh-agent communication fails [#1614]
Fix --pw-stdin and filename parameters being ignored [#1608]
Fix Auto-Type syntax check not allowing spaces and special characters [#1626]
Fix reference placeholders in combination with Auto-Type [#1649]
Fix qtbase translations not being loaded [#1611]
Fix startup crash on Windows due to missing SVG libraries [#1662]
Correct database tab order regression [#1610]
Fix GCC 8 compilation error [#1612]
Fix copying of advanced attributes on KDE [#1640]
Fix member initialization of CategoryListWidgetDelegate [#1613]
Fix inconsistent toolbar icon sizes and provide higher-quality icons [#1616]
Improve preview panel geometry [#1609]
2018-06-23 08:20:36 +00:00
wen
46d1d53aa7 Update to 0.061
Upstream changes:
0.061   2018-06-07
        - bundled libtommath update (+stdint.h workaround)
        - bundled libtomcrypt update (+necessary adaptation)
        - fix #43 HP-UX 11.11 C-ANSI-C has no stdint.h
        - fix #44 Anonymous unions are GNU and C11 (troubles with HP C/aC++, HP-UX 11.31/IA64)
2018-06-22 10:06:30 +00:00
hauke
aff0127aaa The SunOS (OmniOS) yacc(1) breaks the build with
making generate-files-mac in kadmin...
making generate-files-mac in kadmin/cli...
../../util/ss/mk_cmds kadmin_ct.ct
/usr/bin/yacc  getdate.y
"getdate.y", line 180: fatal: invalid escape, or illegal reserved word: expect
*** Error code 1

-- use bison(1) instead.
2018-06-22 09:16:07 +00:00
ryoon
4090f04985 Update to 2.7.4
Changelog:
2.7.4
We have released LibreSSL 2.7.4, a security update for the
2.7.x series. It contains the following changes:

  * Avoid a timing side-channel leak when generating DSA and ECDSA
    signatures. This is caused by an attempt to do fast modular
    arithmetic, which introduces branches that leak information
    regarding secret values. Issue identified and reported by Keegan
    Ryan of NCC Group.

  * Reject excessively large primes in DH key generation. Problem
    reported by Guido Vranken to OpenSSL
    (https://github.com/openssl/openssl/pull/6457) and based on his
    diff.

2.7.3
We have released LibreSSL 2.7.3, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is the first bugfix
release from the 2.7 series, which includes the following changes from 2.7.2:

 * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej Sury.

 * Limited tls_config_clear_keys() to only clear private keys.
   This was inadvertently clearing the keypair, which includes the OCSP staple
   and pubkey hash - if an application called tls_configure() followed by
   tls_config_clear_keys(), this would prevent OCSP staples from working.

 * Fixed an issue normalizing CPU architecture in the configure script,
   which disabled assembly optimizations on platforms that get detected
   as 'amd64', opposed to 'x86_64'.

2.7.2
We have released LibreSSL 2.7.2, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is the first stable release
from the 2.7 series, which is also included with OpenBSD 6.3.

It includes the following changes from 2.7.1

 * Updated and added extensive new HISTORY sections to API manuals.

 * Added support for shared library builds with CMake on all supported
   platforms. Note that some of the CMake options have changed, consult
   the README for details.

LibreSSL 2.7.2 also includes:

 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
   observations of real-world usage in applications. These are
   implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
   changes have not been made to existing structs, allowing code written
   for older OpenSSL APIs to continue working.

 * Extensive corrections, improvements, and additions to the
   API documentation, including new public APIs from OpenSSL that had
   no pre-existing documentation.

 * Added support for automatic library initialization in libcrypto,
   libssl, and libtls. Support for pthread_once or a compatible
   equivalent is now required of the target operating system. As a
   side-effect, minimum Windows support is Vista or higher.

 * Converted more packet handling methods to CBB, which improves
   resiliency when generating TLS messages.

 * Completed TLS extension handling rewrite, improving consistency of
   checks for malformed and duplicate extensions.

 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
   This removes the last remaining use of the old M_ASN1_* macros
   (asn1_mac.h) from API that needs to continue to exist.

 * Added support for client-side session resumption in libtls.
   A libtls client can specify a session file descriptor (a regular
   file with appropriate ownership and permissions) and libtls will
   manage reading and writing of session data across TLS handshakes.

 * Improved support for strict alignment on ARMv7 architectures,
   conditionally enabling assembly in those cases.

 * Fixed a memory leak in libtls when reusing a tls_config.

 * Merged more DTLS support into the regular TLS code path, removing
   duplicated code.

 * Many improvements to Windows Cmake-based builds and tests,
   especially when targeting Visual Studio.

2.7.1
We have released LibreSSL 2.7.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the second
release from the 2.7 series, which will be part of OpenBSD 6.3.

It includes the following changes from 2.7.0

 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
   length provided is 0 to match the OpenSSL behaviour. Issue noticed
   by Christian Heimes <christian@python.org>

 * Fixed builds on macOS 10.11 and older.

LibreSSL 2.7.1 also includes:

 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
   observations of real-world usage in applications. These are
   implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
   changes have not been made to existing structs, allowing code written
   for older OpenSSL APIs to continue working.

 * Extensive corrections, improvements, and additions to the
   API documentation, including new public APIs from OpenSSL that had
   no pre-existing documentation.

 * Added support for automatic library initialization in libcrypto,
   libssl, and libtls. Support for pthread_once or a compatible
   equivalent is now required of the target operating system. As a
   side-effect, minimum Windows support is Vista or higher.

 * Converted more packet handling methods to CBB, which improves
   resiliency when generating TLS messages.

 * Completed TLS extension handling rewrite, improving consistency of
   checks for malformed and duplicate extensions.

 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
   This removes the last remaining use of the old M_ASN1_* macros
   (asn1_mac.h) from API that needs to continue to exist.

 * Added support for client-side session resumption in libtls.
   A libtls client can specify a session file descriptor (a regular
   file with appropriate ownership and permissions) and libtls will
   manage reading and writing of session data across TLS handshakes.

 * Improved support for strict alignment on ARMv7 architectures,
   conditionally enabling assembly in those cases.

 * Fixed a memory leak in libtls when reusing a tls_config.

 * Merged more DTLS support into the regular TLS code path, removing
   duplicated code.

 * Many improvements to Windows Cmake-based builds and tests,
   especially when targeting Visual Studio.

2.7.0
We have released LibreSSL 2.7.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the first
release from the 2.7 series, which will be part of OpenBSD 6.3.
It includes the following changes:

 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
   observations of real-world usage in applications. These are
   implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
   changes have not been made to existing structs, allowing code written
   for older OpenSSL APIs to continue working.

 * Extensive corrections, improvements, and additions to the
   API documentation, including new public APIs from OpenSSL that had
   no pre-existing documentation.

 * Added support for automatic library initialization in libcrypto,
   libssl, and libtls. Support for pthread_once or a compatible
   equivalent is now required of the target operating system. As a
   side-effect, minimum Windows support is Vista or higher.

 * Converted more packet handling methods to CBB, which improves
   resiliency when generating TLS messages.

 * Completed TLS extension handling rewrite, improving consistency of
   checks for malformed and duplicate extensions.

 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
   This removes the last remaining use of the old M_ASN1_* macros
   (asn1_mac.h) from API that needs to continue to exist.

 * Added support for client-side session resumption in libtls.
   A libtls client can specify a session file descriptor (a regular
   file with appropriate ownership and permissions) and libtls will
   manage reading and writing of session data across TLS handshakes.

 * Improved support for strict alignment on ARMv7 architectures,
   conditionally enabling assembly in those cases.

 * Fixed a memory leak in libtls when reusing a tls_config.

 * Merged more DTLS support into the regular TLS code path, removing
   duplicated code.

 * Many improvements to Windows Cmake-based builds and tests,
   especially when targeting Visual Studio.
2018-06-21 23:10:50 +00:00
ryoon
8100b38b55 HOMEPAGE is alive 2018-06-21 13:05:14 +00:00
ryoon
d87f2f3dcf Remove double whitespace 2018-06-21 12:28:34 +00:00
markd
05a9cbac2f kwallet: update to 5.47.0
changes unknown
2018-06-21 06:38:36 +00:00
markd
2f37c1c140 kdesu: update to 5.47.0
changes unknown
2018-06-21 06:36:46 +00:00
markd
be09034f25 kauth: update to 5.47.0
changes unknown
2018-06-21 06:35:22 +00:00
adam
55fe89d3b9 libgcrypt: updated to 1.8.3
version 1.8.3:
Bug fixes:
- Use blinding for ECDSA signing to mitigate a novel side-channel
  attack.
- Fix incorrect counter overflow handling for GCM when using an IV
  size other than 96 bit.
- Fix incorrect output of AES-keywrap mode for in-place encryption
  on some platforms.
- Fix the gcry_mpi_ec_curve_point point validation function.
- Fix rare assertion failure in gcry_prime_check.
2018-06-20 06:18:53 +00:00
adam
1c9e4ca3e4 py-asyncssh: updated to 1.13.1
Release 1.13.1:
Added client and server support for host-based SSH authentication. If enabled, this will allow all users from a given host to be authenticated by a shared host key, rather than each user needing their own key. This should only be used with hosts which are trusted to keep their host keys secure and provide accurate client usernames.
Added support for RSA key exchange algorithms (rsa2048-sha256 and rsa1024-sha1) available in PuTTY and some mobile SSH clients.
Added support for the SECP256K1 elliptic curve for ECDSA keys and ECDH key exchange. This curve is supported by the Bitvise SSH client and server.
Added debug logging of the algorithms listed in a received kexinit message.
2018-06-19 11:37:28 +00:00
taca
e265c7e460 security/pear-Crypt_GPG: update to 1.6.3
1.6.3 (Release date: 2018-06-04 01:59 UTC)

Changelog:

* Exclude tools/ and package.php from a composer archive.
* Make it possible to get a list of GnuPG warnings collected on the last operation.
* Fix Bug #21242: PHPUnit tests fail sometimes while deleting
  S.gpg-agent.extra.
* Fix mode argument type in docblock.
2018-06-18 15:06:10 +00:00
wiz
6d8ee9403f py-requests-oauthlib: update to 1.0.0.
v1.0.0 (4 June 2018)
++++++++++++++++++++

- **Removed support for Python 2.6 and Python 3.3.**
  This project now supports Python 2.7, and Python 3.4 and above.
- Added several examples to the documentation.
- Added plentymarkets compliance fix.
- Added a ``token`` property to OAuth1Session, to match the corresponding
  ``token`` property on OAuth2Session.
2018-06-17 08:39:43 +00:00
wiz
09aa44a70d gnupg2: fix libgpg-error dependency pattern.
Reported by Oskar on pkgsrc-users.
2018-06-17 07:47:30 +00:00
tez
bde3bb0adc gnupg: update to 1.4.23
Fixes CVE-2017-7526

Updates since 1.4.22:

2018-06-11  Werner Koch  <wk@gnupg.org>

        Release 1.4.23.
        + commit 8ae6a246bef5b5eb0684e9fb1c933a4f8441dadd


2018-06-08  Werner Koch  <wk@gnupg.org>

        gpg: Sanitize diagnostic with the original file name.
        + commit 2326851c60793653069494379b16d84e4c10a0ac
        * g10/mainproc.c (proc_plaintext): Sanitize verbose output.

2018-04-13  NIIBE Yutaka  <gniibe@fsij.org>

        g10: Push compress filter only if compressed.
        + commit 0f8fd95ab32a6d29dac79e19f0850037c7d0c16f
        * g10/compress.c (handle_compressed): Fix memory leak.

2017-12-18  NIIBE Yutaka  <gniibe@fsij.org>

        po: Update Japanese translation.
        + commit 1338bce5f66a95b53f18c4b54f0e9ac79604500a
        * po/ja.po: Fix message with no "%s".

2017-12-04  NIIBE Yutaka  <gniibe@fsij.org>
            Damien Goutte-Gattat  <dgouttegattat@incenp.org>

        g10: Fix regexp sanitization.
        + commit 9441946e1824eb58249c58432ed1f554d0d8a102
        * g10/trustdb.c (sanitize_regexp): Only escape operators.

2017-11-10  Dario Niedermann  <dario@darioniedermann.it>

        Do not use C99 feature.
        + commit 877e3073d731fec55a88673f91ed646a75e786c8
        * cipher/rsa.c (secret): Move var decl to the beginning.

2017-09-06  Frans Spiesschaert  <Frans.Spiesschaert@yucom.be>

        po: update Dutch translation.
        + commit aa26eda8ab679a80a7be2c82478cb4440b45ec8c


2017-08-04  Marcus Brinkmann  <marcus.brinkmann@ruhr-uni-bochum.de>

        doc: Remove documentation for future option --faked-system-time.
        + commit eb15d5ed8e4a765998e9de7698bdc65328bcaaa3
        doc/gpg.texi: Remove documentation for --faked-system-time.

2017-08-02  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

        debian: Remove packaging from upstream repository.
        + commit 9832a4bacfa5232534f2c7fe7655bd0677a41f6e
        Debian packaging for GnuPG is handled in debian git repositories, and
        doesn't belong here in the upstream repository.  The packaging was
        significantly out of date anyway.

        If you're looking for debian packaging for the 1.4 branch of GnuPG,
        please use the following git remote:

            https://anonscm.debian.org/git/pkg-gnupg/gnupg1.git

2017-08-02  Joe Hansen  <joedalton2@yahoo.dk>

        po: Update Danish translation.
        + commit 12afc37a946477692257d725acac513f271c4e9e
        Originally reported at:
        http://lists.gnupg.org/pipermail/gnupg-i18n/2014-November/000308.html

2017-08-02  Frans Spiesschaert  <Frans.Spiesschaert@yucom.be>

        po: Update Dutch translation.
        + commit 6d5c5204d79fa9d01981c0076d3acde18534640a
        Debian-Bug-Id: 845695

2017-08-01  Manuel Venturi Porras Peralta  <venturi@openmailbox.org>

        po: Update Spanish translation.
        + commit 76239356bcb3bfeec5327637ed87429594868fef
        Debian-Bug-Id: 814541
2018-06-15 21:51:23 +00:00
tez
0db338e74e mit-krb5: update to 1.16.1
Major changes in 1.16.1 (2018-05-03)

This is a bug fix release.

    Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
    Fix a KDC PKINIT memory leak.
    Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
    Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs.
    Fix a null dereference when the KDC sends a large TGS reply.
    Fix "kdestroy -A" with the KCM credential cache type.
    Allow validation of Microsoft PACs containing enterprise names.
    Fix the handling of capaths "." values.
    Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).

Major changes in 1.16 (2017-12-05)

Administrator experience:
        The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
        The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
        kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
        The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
        Localization support can be disabled at build time with the --disable-nls configure option.

Developer experience:
        The kdcpolicy pluggable interface allows modules to control whether tickets are issued by the KDC.
        The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
        The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
        KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
        GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
        GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
        kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

Protocol evolution:
        The client library will continue to try pre-authentication mechanisms after most failure conditions.
        The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
        The client library will use a random nonce for TGS requests instead of the current system time.
        For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
        When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

User experience:
        Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
        Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
        Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
        A German translation has been added.

Code quality:
        The build is warning-clean under clang with the configured warning options.
        The automated test suite runs cleanly under AddressSanitizer.

Major changes in 1.15.3 (2018-05-03)

This is a bug fix release.

    Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
    Fix a KDC PKINIT memory leak.
    Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
    Fix a null dereference when the KDC sends a large TGS reply.
    Fix "kdestroy -A" with the KCM credential cache type.
    Fix the handling of capaths "." values.
    Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).

Major changes in 1.15.2 (2017-09-25)

This is a bug fix release.

    Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
    Preserve GSS contexts on init/accept failure [CVE-2017-11462]
    Fix kadm5 setkey operation with LDAP KDB module
    Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
    Fix client null dereference when KDC offers encrypted challenge without FAST
    Ignore dotfiles when processing profile includedir directive
    Improve documentation

Major changes in 1.15.1 (2017-03-01)

This is a bug fix release.

    Allow KDB modules to determine how the e_data field of principal fields is freed
    Fix udp_preference_limit when the KDC location is configured with SRV records
    Fix KDC and kadmind startup on some IPv4-only systems
    Fix the processing of PKINIT certificate matching rules which have two components and no explicit relation
    Improve documentation

Major changes in 1.15 (2016-12-01)

Administrator experience:
        Improve support for multihomed Kerberos servers by adding options for specifying restricted listening addresses for the KDC and kadmind.
        Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.
        Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.
        Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.
        Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and master KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.
        Add support for password history to the LDAP back end.
        Add support for principal renaming to the LDAP back end.
        Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.
        In the PKINIT client, use the correct DigestInfo encoding for PKCS #1 signatures, so that some especially strict smart cards will work.

Code quality:
        Clean up numerous compilation warnings.
        Remove various infrequently built modules, including some preauth modules that were not built by default.

Developer experience:
        Add support for building with OpenSSL 1.1.
        Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.
        Eliminate util/reconf and allow the use of autoreconf alone to regenerate the configure script.

Protocol evolution:
        Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.
2018-06-15 20:46:01 +00:00
youri
0ed2626abf Make the MATE Polkit authentication agent run automatically on other desktops:
- Xfce4
- Cinnamon
- LXDE
- LXQT
2018-06-14 21:29:36 +00:00
leot
1dc40e42a2 password-store: Update security/password-store to 1.7.2
pkgsrc changes:
 - Deprecate PKG_OPTIONS.pass in favour of PKG_OPTIONS.password-store
 - Remove patches/patch-tests_t0300-reencryption.sh, fixed similarly upstream

Changes:
1.7.2
-----
Pass 1.7.2 has a number of important changes and bug fixes, including
a fix for CVE-2018-12356. Everybody must update immediately.
2018-06-14 16:08:39 +00:00
bsiegert
d22fe57854 Revbump all Go packages after lang/go update. 2018-06-12 17:50:20 +00:00
fhajny
c6e88c65f1 security/py-{acme,certbot}: Update to 0.25.0.
### Added

- Support for the ready status type was added to acme. Without this change,
  Certbot and acme users will begin encountering errors when using Let's
  Encrypt's ACMEv2 API starting on June 19th for the staging environment and
  July 5th for production. See
  https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more
  information.
- Certbot now accepts the flag --reuse-key which will cause the same key to be
  used in the certificate when the lineage is renewed rather than generating a
  new key.
- You can now add multiple email addresses to your ACME account with Certbot by
  providing a comma separated list of emails to the --email flag.
- Support for Let's Encrypt's upcoming TLS-ALPN-01 challenge was added to acme.
  For more information, see
  https://community.letsencrypt.org/t/tls-alpn-validation-method/63814/1.
- acme now supports specifying the source address to bind to when sending
  outgoing connections. You still cannot specify this address using Certbot.
- If you run Certbot against Let's Encrypt's ACMEv2 staging server but don't
  already have an account registered at that server URL, Certbot will
  automatically reuse your staging account from Let's Encrypt's ACMEv1 endpoint
  if it exists.
- Interfaces were added to Certbot allowing plugins to be called at additional
  points. The `GenericUpdater` interface allows plugins to perform actions
  every time `certbot renew` is run, regardless of whether any certificates are
  due for renewal, and the `RenewDeployer` interface allows plugins to perform
  actions when a certificate is renewed. See `certbot.interfaces` for more
  information.

### Changed

- When running Certbot with --dry-run and you don't already have a staging
  account, the created account does not contain an email address even if one
  was provided to avoid expiration emails from Let's Encrypt's staging server.
- certbot-nginx does a better job of automatically detecting the location of
  Nginx's configuration files when run on BSD based systems.
- acme now requires and uses pytest when running tests with setuptools with
  `python setup.py test`.
- `certbot config_changes` no longer waits for user input before exiting.

### Fixed

- Misleading log output that caused users to think that Certbot's standalone
  plugin failed to bind to a port when performing a challenge has been
  corrected.
- An issue where certbot-nginx would fail to enable HSTS if the server block
  already had an `add_header` directive has been resolved.
- certbot-nginx now does a better job detecting the server block to base the
  configuration for TLS-SNI challenges on.
2018-06-12 09:22:35 +00:00
leot
dbe6628a44 gnupg2: Update security/gnupg to 2.2.8
Changes:
Noteworthy changes in version 2.2.8 (2018-06-08)
------------------------------------------------
  * gpg: Decryption of messages not using the MDC mode will now lead
    to a hard failure even if a legacy cipher algorithm was used.  The
    option --ignore-mdc-error can be used to turn this failure into a
    warning.  Take care: Never use that option unconditionally or
    without a prior warning.
  * gpg: The MDC encryption mode is now always used regardless of the
    cipher algorithm or any preferences.  For testing --rfc2440 can be
    used to create a message without an MDC.
  * gpg: Sanitize the diagnostic output of the original file name in
    verbose mode.  [#4012, CVE-2018-12020]
  * gpg: Detect suspicious multiple plaintext packets in a more
    reliable way.  [#4000]
  * gpg: Fix the duplicate key signature detection code.  [#3994]
  * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
    --disable-mdc and --no-disable-mdc have no more effect.
  * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
    list of startup environment variables.  [#3947]
2018-06-09 18:08:34 +00:00
nros
c16ba8033b Revbump after lang/qore module api update 2018-06-08 20:49:41 +00:00
nros
36ccc8777b Updated security/qore-ssh2-module to version 1.2.
Changes from release notes:
* added the Ssh2Connections user module
* added the following SFTPClient methods supporting
  streams: SFTPClient::get(), SFTPClient::put()
* fixed bugs retrieving zero-length text files with
  SFTPClient::getFile(), SFTPClient::getTextFile(),
  SFTPClient::get(), and SFTPClient::retrieveFile()
* fixed bugs streaming data with SFTPClient::transferFile()
  and SFTPClient::put()
* argument error in SFTPClient disconnection with
  socket errors causes a crash
* infinite loop in SftpPoller polling when
  PO_NO_PROCESS_CONTROL is not set and no sleep
  option is given
* implement support for additional directories
  in SftpPoller
* SftpPoller::run() cannot be synchronized
* compile fixes for Solaris 10 g++
* add constructor option to SftpPoller for checking
  if polled directories are writable
* fixed a bug that could cause a crash when an error
  occurs in the SFTPClient class
* streaming from SFTP server impossible without user
  re-implementing SftpPoller methods
* fixed a bug in libssh2 library initialization
  error reporting
2018-06-08 20:02:30 +00:00
jperkin
8205257f00 gnupg2: Also add a SUPERSEDES entry. 2018-06-08 19:59:01 +00:00
jperkin
88393e2d4d gnupg2: Put back CONFLICTS entry for dirmngr.
Helps binary package managers to resolve the conflict, PLIST conflicts
cannot be detected early enough.
2018-06-08 16:58:16 +00:00
ryoon
e0007302d7 Update to 5.46
Changelog:
Version 5.46, 2018.05.28, urgency: MEDIUM
* New features
  - The default cipher list was updated to a safer value:
    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
* Bugfixes
  - Default accept address restored to INADDR_ANY.

Version 5.45, 2018.05.21, urgency: MEDIUM
* New feature sponsored by https://loadbalancer.org/
  - Implemented delayed deallocation of service sections
    after configuration file reload.
* Other new features
  - OpenSSL DLLs updated to version 1.0.2o.
  - Deprecated the sslVersion option.
  - The "socket" option is now also available in service sections.
  - Implemented try-restart in the SysV init script (thx to
    Peter Pentchev).
  - TLS 1.3 compliant session handling for OpenSSL 1.1.1.
  - Default "failover" value changed from "rr" to "prio".
  - New "make check" tests.
* Bugfixes
  - A service no longer refuses to start if binding fails for
    some (but not all) addresses:ports.
  - Fixed compression handling with OpenSSL 1.1.0 and later.
  - _beginthread() replaced with safer _beginthreadex().
  - Fixed exception handling in libwrap.
  - Fixed exec+connect services.
  - Fixed automatic resolver delaying.
  - Fixed a Gentoo cross-compilation bug (thx to Joe Harvell).
  - A number of "make check" framework fixes.
  - Fixed false positive memory leak logs.
  - Build fixes for OpenSSL versions down to 0.9.7.
  - Fixed (again) round-robin failover in the FORK threading model.

Version 5.44, 2017.11.26, urgency: MEDIUM
* New features
  - Signed Win32 executables, libraries, and installer.
* Bugfixes
  - Default accept address restored to INADDR_ANY.
  - Fixed a race condition in "make check".
  - Fixed removing the pid file after configuration reload.

Version 5.43, 2017.11.05, urgency: LOW
* New features
  - OpenSSL DLLs updated to version 1.0.2m.
  - Android build updated to OpenSSL 1.1.0g.
  - Allow for multiple "accept" ports per section.
  - Self-test framework (make check).
  - Added config load before OpenSSL init (thx to Dmitrii Pichulin).
  - OpenSSL 1.1.0 support for Travis CI.
  - OpenSSL 1.1.1-dev compilation fixes.
* Bugfixes
  - Fixed a memory fault on Solaris.
  - Fixed round-robin failover in the FORK threading model.
  - Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown().
  - Minor fixes of the logging subsystem.
2018-06-07 18:54:20 +00:00
wen
768d856aba Update to 1.09
Upstream changes:
**** 1.09 Jun 4, 2018

        Avoid use of EC_GROUP_new, EC_GROUP_set_curve_GFp, and
        EC_GFp_mont_method which are expected to disappear.

        Fix filename conflict when tests run in parallel using make -j


**** 1.08 May 11, 2018

        Internal reorganisation to use OpenSSL EVP interface
2018-06-06 11:06:53 +00:00
jaapb
505256c570 Added ocaml-safepass to Makefile SUBDIRs 2018-06-05 15:54:20 +00:00
jaapb
9236e88294 New package security/ocaml-safepass, safe password storage for OCaml. 2018-06-05 15:53:14 +00:00
wiz
734d23c41f gnutls: Bump PKGREVISION for dependency removal 2018-06-04 16:12:52 +00:00
leot
d3cd3d010f gnutls: Fix build if devel/autogen package is installed
Without including the autogen bl3, if the devel/autogen package was
installed, autogen (the tool) was used, but then the build failed
because it tried to include <autoopts/options.h> unconditionally.

Add `--enable-local-libopts' to CONFIGURE_ARGS to avoid that.
2018-06-04 12:45:47 +00:00
youri
1785037f47 Remove autogen dependency and make pkglint happy. 2018-06-04 11:16:12 +00:00
leot
3ea61214bc gpgme: Improve style and comment in options.mk (NFCI)
- Move the CONFIGURE_ARGS in the `gnupg1' logic after DEPENDS to make the
  two branches symmetric
- Adjust the comment: the tests need gpgsm, not gpg-agent

Suggested via a private email by <uwe>, thanks!
2018-06-04 07:44:35 +00:00
youri
b806737486 Use NOT_PAX_MPROTECT_SAFE rather than paxctl directly. 2018-06-04 01:23:41 +00:00
youri
e74fed8339 On NetBSD, polkitd is not PaX MPROTECT safe, mark it as such.
Update pkgrevision for runtime fix.
2018-06-04 01:21:08 +00:00
leot
11cee7766b gpgme: Disable tests that need gpg-agent when built with gnupg1 option
When building with the gnupg1 option some tests force the need of
gpg-agent and fail, as noticed by <uwe> via PR pkg/53160.

Adjust options.mk accordingly disabling gpgsm tests for the gnupg1
option.

Should fix PR pkg/53160 reported by <uwe>.
2018-06-03 21:18:34 +00:00
wen
6e74dc0a05 Update to 0.30
Upstream changes:
0.30    2018-05-22
    - Convert to Dist-Zilla.
2018-06-01 07:14:45 +00:00
wiz
7cf4cd4e33 lasso: remove $Id$ from patch to make it apply 2018-05-31 07:33:27 +00:00
wiz
6604375af3 openpam: remove patch that is not in distinfo 2018-05-31 07:29:01 +00:00
bsiegert
c7be67a9da New package, py-google-reauth-0.1.0.
Part of PR pkg/52941.

This library provides Reauth support to Google's authentication
libraries for Python. Reauth allows using two-factor authentication for
end-user credentials.
2018-05-30 16:26:31 +00:00
bsiegert
ce7b363b4f New package, py-u2f-0.1.4. Part of PR pkg/52941.
pyu2f is a python based U2F host library for Linux, Windows, and MacOS.
It provides functionality for interacting with a U2F device over USB.

pyu2f uses ctypes to make system calls directly to interface with the
USB HID device. This means that no platform specific shared libraries
need to be compiled for pyu2f to work.

By default pyu2f will use its own U2F stack implementation to sign
requests. If desired, pyu2f can offload signing to a pluggable command
line tool.
2018-05-30 16:09:52 +00:00
ginsbach
6f53be67e0 Add various patches from (Brew, Debian, Red Hat, SUSE)
Upstream for mcrypt is effectively dead so incorporate patches from
other OSS packaging systems.  These patches address the following:

* CVE-2012-4409 (fix)
* CVE-2012-4527 (fix)
* Spelling and grammar fixes for man page
* Fix potential format-string attacks (no vulnerability ID)
* Fix potential buffer overflows (no vulnerability ID)
* Make native format default as in Debian, Red Hat, and SUSE since
  openpgp format handling is seriously broken.
* Fix ARM build [unclear if this is necessary for non-Linux systems]
* Correct include file for OSX
2018-05-30 14:58:03 +00:00
adam
1514ac8b9c py-asyncssh: updated to 1.13.0
Release 1.13.0:
Added support for dynamic port forwarding via SOCKS, where AsyncSSH will open a listener which understands SOCKS connect requests and for each request open a TCP/IP tunnel over SSH to the requested host and port.
Added support in SSHProcess for I/O redirection to file objects that implement read(), write(), and close() functions as coroutines, such as the "aiofiles" package. In such cases, AsyncSSH will automatically detect that it needs to make async calls to these methods when it performs I/O.
Added support for using pathlib objects in SSHProcess I/O redirection.
Added multiple improvements to pattern matching support in the SFTPClient glob(), mget(), mput(), and mcopy() methods. AsyncSSH now allows you to use ‘**’ in a pattern to do a recursive directory search, allows character ranges in square brackets in a pattern, and allows a trailing slash in a pattern to be specified to request that only directories matching the pattern should be returned.
Fixed an issue with calling readline() and readuntil() with a timeout, where partial data received before the timeout was sometimes discarded. Any partial data which was received when a timeout occurs will now be left in the input buffer, so it is still available to future read() calls.
Fixed a race condition where trying to restart a read() after a timeout could sometimes raise an exception about multiple simultaneous reads.
Changed readuntil() in SSHReader to raise IncompleteReadError if the receive window fills up before a delimiter match is found. This also applies to readline(), which will return a partial line without a newline at the end when this occurs. To support longer lines, a caller can call readuntil() or readline() as many times as they’d like, appending the data returned to the previous partial data until a delimiter is found or some maximum size is exceeded. Since the default window size is 2 MBytes, though, it’s very unlikely this will be needed in most applications.
Reworked the crypto support in AsyncSSH to separate packet encryption and decryption into its own module and simplified the directory structure of the asyncssh.crypto package, eliminating a pyca subdirectory that was created back when AsyncSSH used a mix of PyCA and PyCrypto.
2018-05-29 07:18:57 +00:00
christos
aa7ee0c9ec Buck Rogers in the 25th century: make this compile again. 2018-05-29 01:22:50 +00:00
wiz
04169eef3e py-oauthlib: update to 2.1.0.
2.1.0 (2018-05-21)
------------------

* Fixed some copy and paste typos (#535)
* Use secrets module in Python 3.6 and later (#533)
* Add request argument to confirm_redirect_uri (#504)
* Avoid populating spurious token credentials (#542)
* Make populate attributes API public (#546)
2018-05-27 12:24:56 +00:00
jperkin
dbcc00554b mit-krb5: Avoid bogus -Wuninitialized warning. 2018-05-25 13:46:40 +00:00
manu
31dc1b4f39 Build fix from upstream: https://dev.entrouvert.org/issues/18771
replace use of <xmlsec/soap.h> which is deprecated
2018-05-24 09:27:46 +00:00
adam
4e175d4017 py-asn1: updated to 0.4.3
0.4.3:
Copyright notice extended to the year 2018
Fixed GeneralizedTime.asDateTime to perform milliseconds conversion correctly
2018-05-24 07:20:47 +00:00
adam
bf9b147572 py-OpenSSL: updated to 18.0.0
18.0.0:
Backward-incompatible changes:
- The minimum cryptography version is now 2.2.1.
- Support for Python 2.6 has been dropped.

Changes:
- Added Connection.get_certificate to retrieve the local certificate.
- OpenSSL.SSL.Connection now sets SSL_MODE_AUTO_RETRY by default.
- Added Context.set_tlsext_use_srtp to enable negotiation of SRTP keying material.
2018-05-23 09:40:52 +00:00
leot
3f133249f4 libsecret: Directly patch Makefile.in to avoid automake
Previously, if `automake' was not available during the build,
patch-libsecret_Makefile.am was effectively not applied to the Makefile.
To avoid depending on `automake', just directly patch the Makefile.in.

Should fix the problem reported by Mayuresh on pkgsrc-users@
regarding the use of dollar single quotes ($'...') (even if `automake' is not
available!).
2018-05-21 07:24:20 +00:00
leot
aa70ead77a libsecret: Avoid using dollar single quotes in libsecret/Makefile
This should fix the problem reported by Mayuresh via pkgsrc-users@:

 <https://mail-index.NetBSD.org/pkgsrc-users/2018/05/20/msg026746.html>

No PKGREVISION bump since it should only fix the problem on platforms where the
shell does not support dollar single quotes (i.e. `$'...'').

Thanks to <youri> for testing this patch!
2018-05-20 17:30:04 +00:00
jperkin
e1f543d819 lastpass-cli: Update to 1.3.1.
# Version 1.3.1
 * Revert "pins: remove GlobalSign R1/R3 pins" from Robert Copeland
 * Readme update from Wesley Schwengle
 * Add Dockerfile to create a clean build environment from Wesley Schwengle
 * Missing dependencies in readme
 * Added CLion project files to ignore list

# Version 1.3.0
 * `lpass show` now supports `--json` format
 * `lpass show` now supports `--quiet` flag to suppress prompts,
   from Pau Sanchez
 * `lpass import` has `--keep-dupes` flag which will preserve duplicate
   accounts on import
 * `LPASS_PINENTRY` environment variable may now be used to set custom
   path to pinentry, from Martynas Mickevičius
 * Build fix for aarch64 and others from Natanael Copa
 * New fish completions from Israel Chauca Fuentes
 * Zsh completions from Richard Hillmann
 * Brew build instructions updates from Roger D. Winans
 * bugfix: site notes now show up in notes textarea instead of fields
 * spelling fixes from Josh Soref

# Version 1.2.2
 * `lpass ls --format` now supports "%al" to show URL, from Yikai Zhao
 * $VISUAL can be used in preference to $EDITOR, from Wesley Schwengle
 * `lpass edit` can now directly edit multiline ssh keys
 * fields are now preserved when edited with `lpass edit`
 * Bugfix: use-after-free in http.c fixed, from Björn Ketelaars
 * Bugfix: command-line completion now works for names with spaces
 * Bugfix: loading attachments from shared folders now works, from Spencer
   Whyte
 * Debian packaging updates from Hannes Hörl
 * Documentation updates from Darragh Grealish and Steven Liekens
2018-05-17 14:06:58 +00:00
fhajny
31db5f7963 security/erlang-p1_oauth2: Update to 0.6.3.
- Remove last remaining crypto:rand_bytes() usage
2018-05-17 13:30:57 +00:00
fhajny
b5ce7ba43b security/erlang-fast_tld: Update to 1.0.22.
- Don't check mtime of certificates, and make certificate update explicit.
- Add ability to specify CA for accepting client certificates.
2018-05-17 13:30:00 +00:00
jperkin
54999cc714 kwalletmanager: SunOS does not have __uid_t. 2018-05-17 11:04:18 +00:00
fhajny
6d46b1370a security/py-{acme,certbot}: Update to 0.24.0.
### Added

- certbot now has an enhance subcommand which allows you to configure
  security enhancements like HTTP to HTTPS redirects, OCSP stapling,
  and HSTS without reinstalling a certificate.
- certbot-dns-rfc2136 now allows the user to specify the port to use
  to reach the DNS server in its credentials file.
- acme now parses the wildcard field included in authorizations so it
  can be used by users of the library.

### Changed

- certbot-dns-route53 used to wait for each DNS update to propagate
  before sending the next one, but now it sends all updates before
  waiting which speeds up issuance for multiple domains dramatically.
- We've doubled the time Certbot will spend polling authorizations
  before timing out.
- The level of the message logged when Certbot is being used with
  non-standard paths warning that crontabs for renewal included in
  Certbot packages from OS package managers may not work has been
  reduced. This stops the message from being written to stderr every
  time `certbot renew` runs.

### Fixed

- certbot-auto now works with Python 3.6.
2018-05-16 15:09:42 +00:00
tm
92948f39bb gnupg2: add bzip2 and zlib to PKG_SUGGESTED_OPTIONS
Based on the previous default behaviour on NetBSD, add bzip2 and zlib to the
suggested options. In the past gnupg2 automatically detected bzip2 and
zlib from the system and enabled these options even if no buildlink file
was present.

bzip2 and zlib still stay as options because if gnupg2 remote agent
forwarding is used both gnupg2 versions (local and remote) need to provide
the same compression options. This allows the user to build gnupg2 with or
without compression options if needed.

PKGREVISION bump because new suggested options might require a rebuild on
different operating systems if bzip2 and zlib were not accidentally detected
and enabled.

Reviewed by wiedi
2018-05-16 10:22:22 +00:00
jperkin
9f2b578f05 polkit: Fix pid_t usage. 2018-05-15 09:09:21 +00:00
triaxx
4431450b02 openpam: update to 20170430
* patch-lib_libpam_openpam__constants.c:
  * comment it (make pkglint happy)
  * fix OPENPAM_MODULES_DIR (avoid openpam loading basesystem modules)
* remove "CONFIGURE_ARGS+=  --without-pam-su" (option not recognized by configure)
* change '_dep_' to 'dep' in builtin.mk (make pkglint happy)
* fix paths in manpages

Changes from upstream:
============================================================================
OpenPAM Resedacea                                               2017-04-30

  - BUGFIX: Reinstate the NULL check in pam_end(3) which was removed in
    OpenPAM Radula, as it breaks common error-handling constructs.

  - BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the
    dispatcher when the required service function could not be found.

  - ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is
    NULL in API functions that have a NULL check.

  - ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and
    PAM_BAD_CONSTANT error codes for situations where we previously
    incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant
    had been passed to an API function.

  - ENHANCE: Improve the RETURN VALUES section in API man pages,
    especially for functions that cannot fail, which were incorrectly
    documented as returning -1 on failure.
============================================================================
OpenPAM Radula                                                  2017-02-19

  - BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and
    pam_get_user(3) from using application-provided custom prompts.

  - BUGFIX: Plug a memory leak in pam_set_item(3).

  - BUGFIX: Plug a potential memory leak in openpam_readlinev(3).

  - BUGFIX: In openpam_readword(3), support line continuations within
    whitespace.

  - ENHANCE: Add a feature flag to control fallback to "other" policy.

  - ENHANCE: Add a pam_return(8) module which returns an arbitrary
    code specified in the module options.

  - ENHANCE: More and better unit tests.
2018-05-15 07:57:32 +00:00
youri
40f35bbda6 Update to 1.20.0:
drop polkitgtkmate library and its docs
Fix reshow/hide icon with statusnotifier
status-icon: don’t use stock icons
polkitmateauthenticationdialog: avoid deprecated GtkAlignment
polkitmateauthenticationdialog: replace a GTK_STOCK deprecation
Translations update
2018-05-14 13:09:39 +00:00
jperkin
1d0ca63665 polkit: Fix build on SunOS. 2018-05-14 09:30:35 +00:00
kamil
a730c25086 libgcrypt: Fix build with Clang
Port code that disables optimization on GCC to Clang/LLVM.
2018-05-11 19:20:11 +00:00
tm
1c54964c87 gnupg2: add options for bzip2 and zlib 2018-05-08 11:56:21 +00:00
gavan
6d487782e4 sshpass: update to 1.06 and patch to fix tty issue
Changes since 1.0.5:

Version 1.06
	* Add -P for overriding the password prompt we search for
	* Add -v for verbose logging of the prompt detection prompt.
	* Allow packagers and compilers to change the default password prompt.
	* When giving -V, also print the default password prompt.

Also, add patch from FreeBSD to fix tty issue which prevents sshpass from
seeing the password prompt.
2018-05-06 17:45:30 +00:00
leot
be31306ead password-store: Update security/password-store to 1.7.1
pkgsrc changes:
 - Rename `xclip' PKG_OPTION to `x11' (and add a PKG_OPTIONS_LEGACY_OPTS
   accordingly) and also depends on converters/base64 (needed by the `--clip'
   option, like xclip) and qrencode (needed by the new `--qrcode' option).
 - Add support for `test' target and adjust the part of the test suite for
   gnupg>=2.2.5 via patches/patch-tests_t0300-reencryption.sh.
 - sysutils/pwgen is no longer needed, remove it from DEPENDS
   (now `tr -dc '<characters>' < /dev/urandom' is used instead)
 - Add patches/patch-contrib_dmenu_passmenu to fix `passmenu --type'
   (at least xdotool-2.20110530.1 does not support any `--file' option used by
   passmenu)
 - Adjust PAX invocations in `do-install' target to ignore possible `*.orig'
   and `.gitignore' files.

Changes
1.7.1
-----
== Bug Fixes ==
* Fix test suite on OS X
* Add compatibility with GnuPG 2.2.19
* Uniformly use the $GPG variable
* Do the correct thing with subkeys when reencrypting

1.7
---
== New Features ==
* Extensions: pass can now load user-defined extensions from a system
  directory or a user directory. There's already a nice ecosystem of
  extensions being built, even at this early stage. See the pass man page for
  more information.
* Signatures: there is now an option to enforce signatures of the .gpg-id file
  and extensions using an environment variable.
* QRCodes: generate and show have now learned the --qrcode/-q switch. Note to
  package maintainers: this adds a dependency on the popular qrencode package.
* Password generation: rather than use pwgen, we now use /dev/urandom more
  directly, which results in more assured password security, as well as
  customizable character sets, via an environment variable. See the pass man
  page for more information on this customization. Package maintainers: you
  may now drop the dependency on pwgen.
* Importers: there now are several more importers. More and more folks are
  moving to pass!
* Selectable clipping: you can now specify which line you wish to copy to the
  clipboard or display with a qrcode when using -c or -q.
* Git discovery: The PASSWORD_STORE_GIT environment variable has been removed,
  and instead pass will automatically choose the git repository closest to the
  file being modified (but not out of the actual password store itself). This
  should help people who like to nest git repos for different organizations.
* Bug fixes: too many to count.

== Note To Distros ==
* Drop the dependency of pwgen.
* Add the dependency of qrencode.
* The Makefile now does the right thing with DESTDIR, so you might want to
  double check that your package recipe does the right thing.
* The semantics for auto-detection of bash completion has changed, with new
  environment variables for such things. See INSTALL for details.
2018-05-06 11:56:58 +00:00
wiz
7245fefc33 p5-Net-OpenSSH: update to 0.78.
0.78  May 5, 2018
	- Free master pty when the user calls disconnect (bug report
          by Jaroslav Reindl, #rt125240).
2018-05-06 06:55:59 +00:00
he
0706bc1bbf Add this file now that we have a patch.
My "make mps" and subsequent "cvs commit" didn't add this file
as it would "normally" have done...
2018-05-04 21:51:18 +00:00
he
c326a3785e Add a patch fixing a typo and potential 10-byte buffer overrun. 2018-05-04 14:52:26 +00:00
adam
d3ade54ed8 gnupg2: updated to 2.2.7
changes in version 2.2.7:
* gpg: New option --no-symkey-cache to disable the passphrase cache
  for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
  of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile.
* ssh: Return an error for unknown ssh-agent flags.
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
  caches under Windows.
* dirmngr: Fix a CNAME problem with pools and TLS.  Also use a fixed
  mapping of keys.gnupg.net to sks-keyservers.net.
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https.  Here a redirection to
  http is explicitly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
  This stopped working with 2.1.
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
  debugging.
2018-05-04 06:08:40 +00:00
adam
eba825232a libgpg-error: updated to 1.31
changes in version 1.31:
* Fixes another problem with gpgrt_poll under Windows.
* New translation for Spanish.
2018-05-04 05:43:42 +00:00
minskim
f537b8af50 security/Makefile: Add ruby-openssl-ccm 2018-05-03 22:13:49 +00:00
minskim
11d9feff78 security/ruby-openssl-ccm: Import version 1.2.1
Ruby Gem for RFC 3610 - Counter with CBC-MAC (CCM).
2018-05-03 22:13:47 +00:00
wiz
2f284593e8 sudo: bump PKGREVISION for PLIST change. 2018-05-02 21:21:10 +00:00
wiz
a8336fb2ed p5-Digest-SHA: update to 6.02.
6.02  Fri Apr 20 16:25:30 MST 2018
	- silenced compiler warnings from VS2017
		-- ref. rt.cpan.org #124477
		-- thanks to Sergey Aleynikov for diagnostics
	- modified addfile to return error when given a directory name
		-- makes behavior consistent with GNU coreutils shaXsum
		-- thanks to Scott Baker for pointing this out
2018-05-02 13:27:50 +00:00
wiz
93892dd77f p5-CryptX: update to 0.060.
0.060   2018-05-01
        - bundled libtomcrypt update
        - Math::BigInt::LTM - remove buggy tests failing with the latest Math::BigInt
        - basically no changes to the perl modules
2018-05-02 13:27:09 +00:00
wiz
7d37bc4d80 p5-Crypt-OpenSSL-Random: update to 0.15.
0.15  2018-04-22 rurban
        - fix mingw hints for pkg-config support (akiym, PR #7)
2018-05-02 13:23:54 +00:00
wiz
b139994fe6 p5-Crypt-OpenSSL-RSA: update to 0.30.
0.30 Tue May 1 2018
        - Working windows library detection
        - Actively testing on appveyor for windows now.
        - work correctly on LibreSSL

0.29_03  Mon Apr 16 2018
        - Add whirlpool hash support.
        - Crypt::OpenSSL::Random is now required at compile-time.
        - Use the new interface to RSA_generate_key if available
        - Add library paths to LIBS from Crypt::OpenSSL::Guess
2018-05-02 13:22:44 +00:00
markd
1081ff3d83 py-requests-kerberos: s/pykerberos/kerberos/
Make sure python requires matches dependencies, to keep pip happy.
2018-05-02 10:59:49 +00:00
triaxx
6b02c37227 sudo: fix PR 53248 2018-05-02 07:33:13 +00:00
wiz
8f95006bff libtasn1: add bison build dependency.
Fixes build on -current after patch-lib_ASN1.y was added.
2018-05-01 06:58:07 +00:00
wiz
acdf231c2d libgpg-error: update to 1.30.
Remove hack for DragonFly/i386, DragonFly is 64-bit only nowadays.

Noteworthy changes in version 1.30 (2018-04-30) [C24/A24/R1]
-----------------------------------------------

 * Fix for a hang on Windows when using gpgrt_poll under nPth.

 * Build fix for Solaris.  [#3869]
2018-04-30 10:34:23 +00:00
adam
bd6dd8b3bb py-m2crypto: updated to 0.30.1
0.30.1:
- Fix packaging (missed packaging testing file)
2018-04-30 08:51:15 +00:00
ryoon
a1a1d3360a Remove required version 2018-04-30 06:52:06 +00:00
ryoon
9444e74415 Revert previous, security/openssl is 1.0
Pointed by wiz@, thank you.
2018-04-30 06:50:58 +00:00
ryoon
1826aedfab Fix build with OpenSSL 1.1
* From Fedora's xml-security-c-1.7.3_openssl1.1.patch
* Use OpenSSL 1.1 with BUILDLINK_API_DEPENDS
2018-04-30 05:25:24 +00:00
adam
35aa3efc12 revbump for boost-libs update 2018-04-29 21:31:17 +00:00
dholland
8a8150b5cb Bump PKGREVISION for previous. 2018-04-29 06:00:39 +00:00
wiz
e3801e2eb0 polkit: update to 0.114.
--------------
polkit 0.114
--------------

WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still need
some security review. Use at your own risk.

This is polkit 0.114.

Highlights:
 Port to mozjs 52, the latest version of the firefox JavaScript engine.

 Add gettext support for policy files

 Fixes for various memory leaks

Build requirements

 glib, gobject, gio    >= 2.32
 mozjs-52
 gobject-introspection >= 0.6.2 (optional)
 pam (optional)
 ConsoleKit OR systemd

Changes since polkit 0.113:

Anders Jonsson (2):
      pkcheck: fix man typos
      Add Swedish translation

Antoine Jacoutot (1):
      Add support for OpenBSD

Christian Kirbach (1):
      Add German translation

Colin Walters (3):
      build: Pull in GCC warning infra from ostree
      build: Use AC_USE_SYSTEM_EXTENSIONS
      tests: Correct boundary test for overflow

Dariusz Gadomski (2):
      Fix multi-line pam text info.
      Refactor send_to_helper usage

Gabor Kelemen (1):
      Add initial Hungarian translation, and add hu to LINGUAS

Jeremy Linton (5):
      change mozjs interface module to c++
      Switch to hard requiring mozjs24
      Fix warnings caused by building with C++
      Replace autocompartment
      test: Add a test case to handle actions without explicit rules

Jiří Klimeš (1):
      trivial: fix deprecated indication for polkit_agent_register_listener()

Matthias Clasen (1):
      Add gettext support for .policy files

Miloslav Trmač (21):
      Post-release version bump to 0.114
      Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
      Fix a memory leak of PolkitAgentListener's Server object
      Remove polkitbackendconfigsource.[ch]
      Add Slovak translation by Dusan Kazik <prescott66@gmail.com>
      Add Indonesian translation by Andika Triwidada
      Add Chinese (Taiwan) translation
      Fix a typo in polkit(8)
      Simplify GVariant reference counting
      Fix a memory leak on an error path of lookup_asv (twice)
      Fix a memory leak in server_handle_register_authentication_agent_with_options
      Fix a memory leak in server_handle_unregister_authentication_agent
      Fix a memory leak in server_handle_authentication_agent_response{,2}
      Fix memory leaks in server_handle_*_temporary_authorizations
      Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
      Fix a memory leak per agent authentication
      Fix a memory leak on agent authentication cancellation
      Audit and fix GVariant reference counting
      Fix help for (pkttyagent -s)
      Fix a race condition when terminating runaway_killer_thread
      Move to current GLib

Mingye Wang (Arthur2e5) (1):
      Add zh_CN translation

Muhammet Kara (1):
      Added Turkish translation

OBATA Akio (1):
      Add support for NetBSD

Peter Hutterer (1):
      gettext: switch to default-translate "no"

Philip Withnall (3):
      polkit: Add g_autoptr() support for GObject-derived polkit types
      data: Set GIO_USE_VFS=local in the environment
      polkitbackend: Fix typos in a couple of initialisation error messages

Piotr Drąg (1):
      Add Polish translation

Rafael Fontenelle (1):
      Add Brazilian Portuguese translation

Ray Strode (34):
      configure: bump mozjs requirement to 52
      jsauthority: fix how classes are defined
      jsauthority: use JS_FN instead of JS_FS
      jsauthority: get rid of JSRuntime
      jsauthority: change how setVersion is called
      jsauthority: call JS_Init
      jsauthority: call JS_InitSelfHostedCode
      jsauthority: change how JIT is disabled
      jsauthority: JS::SetWarningReporter instead of JS_SetErrorReporter
      jsauthority: add UTF8 suffix to renamed functions
      jsauthority: pass "%s" format string to report functions
      jsauthority: s/JSBool/bool/
      jsauthority: s/jsval/JS::Value/
      jsauthority: s/JSVAL_NULL/JS::NullValue()/
      jsauthority: s/JSVAL_VOID/JS::UndefinedValue()/
      jsauthority: s/OBJECT_TO_JSVAL/JS::ObjectValue/
      jsauthority: s/STRING_TO_JSVAL/JS::StringValue/
      jsauthority: s/BOOLEAN_TO_JSVAL/JS::BooleanValue/
      jsauthority: JSVAL_TO_OBJECT (o) to o.toObjectOrNull()
      jsauthority: JSVAL_TO_STRING (s) to s.toString()
      jsauthority: JSVAL_IS_STRING (s) to s.isString()
      jsauthority: JSVAL_IS_NULL (o) to o.isNull()
      jsauthority: Fix up JS_CallFunctionName invocations
      jsauthority: use InterruptCallback api instead of OperationCallback
      jsauthority: redo how global objects are set up
      jsauthority: root some locals to the context
      jsauthority: adapt arguments for new JS::Compile API
      jsauthority: adapt arguments for new JS_ExecuteScript API
      jsauthority: use JS::Evaluate instead of JS_EvaluateScript
      jsauthority: fix up set_property methods
      jsauthority: stop using JS_GetStringCharsZ
      jsauthority: switch from JS_ConvertArguments to JS::CallArgsFromVp
      jsauthority: re-enable JIT
      Port JavaScript authority to mozjs52

Rui Matos (1):
      polkitpermission: Fix a memory leak on authority changes

Sebastien Bacher (1):
      Support polkit session agent running outside user session

Stef Walter (2):
      polkitagent: Fix access after dereference on hashtable
      polkitagent: No double warnings in polkit_agent_listener_register()

Sven Eden (1):
      configure: enable elogind support in PolicyKit

Yuri Chornoivan (1):
      Add Ukrainian translation

enkore (1):
      Fix abnormal formatting of authentication header lines

muzena (1):
      Add hr.po

Thanks to our contributors.

Colin Walters and Miloslav Trmač,
April 2, 2017
2018-04-29 05:14:36 +00:00
dholland
aad8206af6 Set BUILDLINK_API_DEPENDS.gmp to require gmp>=5.0, per PR 52250.
Otherwise on Solaris it finds a really old builtin gmp and fails.
2018-04-29 04:09:08 +00:00
dholland
943e97a438 Use <ctype.h> properly. Noted in PR 51821. 2018-04-29 03:41:42 +00:00
wiz
7b8f46957d py-certifi: update to 2018.4.16.
No changelog found, assuming update to latest mozilla certs.
2018-04-27 14:38:41 +00:00
fhajny
d509f30245 security/vault: Update to 0.10.1.
DEPRECATIONS/CHANGES:

- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
  v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
  and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
  mount can now see information about that mount, such as its type and
  options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
  entities but these would not be able to be used successfully (even locally)
  in replicated scenarios. We have now disallowed entities and groups from
  being created for local mounts in the first place.

FEATURES:

- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
  client IP seen by Vault. See the TCP listener configuration
  page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
  CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
  expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
  modifying only some values in existing data at a K/V path, but uses
  check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
  local to the cluster. This enables performance secondaries to generate and
  consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
  AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
  only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
  mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
  and migration between key and encryption types, such as from AES-CBC to
  AES-GCM, can be performed at the same time (where supported).

IMPROVEMENTS:

- auth/approle: Support for cluster local secret IDs. This enables secondaries
  to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
  identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
  revoke associated tokens, but while the entity is disabled they cannot be
  used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
  the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
  concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
  engines will show you the ones you implicitly have access to (because you have
  access to secrets in those engines)

BUG FIXES:

- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
  mounts
- identity: Fix error preventing authentication using local mounts on
  performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
  pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
  interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
  api calls. This should fix needing "update" capabilities to read IAM
  credentials in the AWS secrets engine
2018-04-27 14:02:41 +00:00
adam
7f3c9ca1c4 py-m2crypto: updated to 0.30.0
0.30.0:
- Various small typos (Windows builds, Fix SSL.Connection.__del__)
- The project is now Linux-distribution agnostic
- Replace all old-style classes with the new ones (it shouldn't cause
  any problems, but feel free to file an issue, if it does)
- Do not by-pass a potential transfer decoding in m2urllib2
- Update M2Crypto.six with 1.11.0 and replace our local workarounds with
  new functions.
- SSLv3 just removed.
- Don't support Python 2.6 on Windows anymore. Windows users don't have
  python as a system package, so they are usually more likely to upgrade
  anyway.
2018-04-27 06:47:25 +00:00
wen
b0494ef5ce Update to 1.04
Upstream changes:
1.04  Fri Apr 20 16:25:30 MST 2018
	- silenced compiler warnings from VS2017
		-- ref. rt.cpan.org #124477
		-- thanks to Sergey Aleynikov for diagnostics
	- modified addfile to return error when given a directory name
		-- makes behavior consistent with GNU coreutils shaXsum
		-- thanks to Scott Baker for pointing this out
2018-04-22 11:41:36 +00:00
wiz
f367007762 *: gd.tuwien.ac.at/ftp.tuwien.ac.at is gone, remove it from various mastersites 2018-04-21 13:38:04 +00:00
wiz
a81318c607 Commit missing part of gnutls recursive bump.
Noted by Patrick Welche.
2018-04-19 22:12:25 +00:00
wen
0ed03edbbb Update to 0.14
Add missing DEPENDS

Upstream changes:
0.14  2018-04-17 rurban
        - add library paths to LIBS from Crypt::OpenSSL::Guess (akiym, PR #6)

0.13  2018-04-14 rurban
        - move Crypt::OpenSSL::Guess to configure dependency. (grinnz, PR #4)

0.12  2018-04-13 rurban
        - use Crypt::OpenSSL::Guess to resolve OpenSSL include path,
          fixes MacOS's homebrew OpenSSL installation problem. (akiym, PR #3)
2018-04-19 06:57:57 +00:00
wen
2e0dcf4164 Add p5-Crypt-OpenSSL-Guess. 2018-04-19 06:50:42 +00:00
wen
e0f62c277d Import Crypt::OpenSSL::Guess-0.11 as security/p5-Crypt-OpenSSL-Guess.
Crypt::OpenSSL::Guess provides helpers to guess the OpenSSL include path
on any platform.
2018-04-19 06:49:11 +00:00
wen
81cfd26475 Update to 0.059
Upstream changes:
0.059   2018-03-25
        - new Crypt::Digest::Keccak(224|256|384|512)
        - new methods sign_hash_rfc7518 + verify_hash_rfc7518 (Crypt::PK::ECC)
        - improved import of pkcs#8 private keys (Crypt::PK::ECC)
        - improved export allowing "compressed" variants (Crypt::PK::ECC)
        - fix #28 Apple's APNS pkcs8 auth key import fails (Crypt::PK::ECC)
        - fix cpantesters failure (5.8.1 related)
2018-04-19 03:12:32 +00:00
kamil
46528288c1 py-libtaxii: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:59:36 +00:00
kamil
c39007dcc5 sign: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:56:42 +00:00
kamil
89217a857c keychain: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:25:27 +00:00
adam
676d6e7c91 py-asn1-modules: updated to 0.2.1
Revision 0.2.1, released 23-11-2017
- Allow ANY DEFINED BY objects expanding automatically if requested
- Imports PEP8'ed

Revision 0.1.5, released 10-10-2017
- OCSP response blob fixed in test
- Fixed wrong OCSP ResponderID components tagging

Revision 0.1.4, released 07-09-2017
- Typo fixed in the dependency spec

Revision 0.1.3, released 07-09-2017
- Apparently, pip>=1.5.6 is still widely used and it is not PEP440
  compliant. Had to replace the `~=` version dependency spec with a
  sequence of simple comparisons to remain compatible with the aging pip.

Revision 0.1.2, released 07-09-2017
- Pinned to pyasn1 ~0.3.4

Revision 0.1.1, released 27-08-2017
- Tests refactored into proper unit tests
- pem.readBase64fromText() convenience function added
- Pinned to pyasn1 0.3.3
2018-04-18 09:43:27 +00:00
adam
3267424711 py-asyncssh: updated to 1.12.2
Release 1.12.2:
Added support for using pathlib objects as paths in calls to SFTP methods, in addition to Unicode and byte strings. This is mainly intended for use in constructing local paths, but it can also be used for remote paths as long as POSIX-style pathlib objects are used and an appropriate path encoding is set to handle the conversion from Unicode to bytes.
Changed server EXT_INFO message to only be sent after the first SSH key exchange, to match the specification recently published in RFC 8308.
Fixed edge case in TCP connection forwarding where data received on a forward TCP connection was not delivered if the connection was closed or half-closed before the corresponding SSH tunnel was fully established.
Made note about OpenSSH not properly handling send_signal more visible.
2018-04-18 07:01:23 +00:00
adam
48e82d850f py-cryptodome: updated to 3.6.1
3.6.1:
New features
Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
New parameter mac_len (length of MAC tag) for CMAC.

Resolved issues
In certain circumstances (at counter wrapping, which happens on average after 32 GBi) AES GCM produced wrong ciphertexts.
Method encrypt() of AES SIV cipher could be still called, whereas only encrypt_and_digest() should be allowed.
2018-04-18 04:34:13 +00:00
schmonz
3460c0e6cd Fix PLIST on Darwin. 2018-04-18 00:46:25 +00:00
wiz
e5209a786e Add p11-kit to gnutls/bl3.mk and bump dependencies. 2018-04-17 22:29:31 +00:00
wiz
e03e208e97 gnutls: enable p11-kit.
PKCS#11 support is needed by glib-networking.
2018-04-17 13:28:53 +00:00
wiz
e632701894 p11-kit: update to 0.23.10.
This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.

0.23.10 (devel)
 * filter: Respect "write-protected" vendor-specific attribute in
   PKCS#11 URI [PR#129]
 * server: Improve shell integration and documentation [PR#107, PR#108]
 * proxy: Reuse existing slot ID mapping after fork() [PR#120]
 * trust: Forcibly mark "Default Trust" read-only [PR#123]
 * New function p11_kit_override_system_files() which can be used for
   testing [PR#110]
 * trust: Filter out duplicate extensions [PR#69]
 * Update translations [PR#128]
 * Bug fixes [PR#125, PR#126]

0.23.9 (devel)
 * Fix p11-kit server regressions [PR#103, PR#104]
 * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
 * Build fixes related to reallocarray [PR#96, PR#98, PR#100]

0.23.8 (devel)
 * Improve vendor query attributes handling in PKCS#11 URI [PR#92]
 * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
 * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
   configurations [PR#87]
 * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]

0.23.7 (devel)
 * Fix memory issues with "p11-kit server" [PR#78]
 * Build fixes [PR#77 ...]

0.23.6 (devel)
 * Port "p11-kit server" to Windows and portability fixes of the RPC
   protocol [PR#67, PR#72, PR#74]
 * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
 * Build fixes [PR#63 ...]

0.23.5 (devel)
 * Fix license notice of common/unix-peer.c [PR#58]
 * Remove systemd unit files for now [PR#60]
 * Build fixes for FreeBSD [PR#56]

0.23.4 (devel)
 * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
   PR#37, PR#52]
 * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
   attribute, used by Firefox [#99453, PR#46]
 * Add 'trust dump' command to dump all PKCS#11 objects in the
   persistence format [PR#44]
 * New experimental 'p11-kit server' command that allows PKCS#11
   forwarding through a Unix domain socket.  A client-side module
   p11-kit-client.so is also provided [PR#15]
 * Add systemd unit files for exporting the proxy module through a
   Unix domain socket [PR#35]
 * New P11KitIter API to iterate over slots, tokens, and modules in
   addition to objects [PR#28]
 * libffi dependency is now optional [PR#9]
 * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]

0.23.3 (devel)
 * Install private executables in libexecdir [#98817]
 * Fix link error of proxy module on macOS [#98022]
 * Use new PKCS#11 URI specification for URIs [#97245]
 * Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
 * Incorporate changes from PKCS#11 2.40 specification
 * Bump libtool library version
 * Documentation fixes
 * Build fixes [#87192 ...]

0.23.2 (devel)
 * Fix forking issues with libffi [#90289 ...]
 * Updated translations
 * Build fixes [#90827 #89081 #92434 #92520 #92445 #92551 #92843 #92842 #92807 #93211 ...]

0.23.1 (devel)
 * Use new PKCS#11 URI draft fields for URIs [#86474 #87582]
 * Add pem-directory-hash extract format
 * Build fixes
2018-04-17 13:26:15 +00:00
christos
ffdec1b556 upgrade to 2.1.27-rc7 so that we can use it with openssl-1.1 2018-04-17 01:57:17 +00:00
wiz
8ee21bdcf0 Recursive bump for new fribidi dependency in pango. 2018-04-16 14:33:44 +00:00
wiz
cb3dfa903d libsecret: update to 0.18.6.
0.18.6
 * Fix shared key derivation between libsecret and gnome-keyring [#778357]
 * Avoid run-time error when gnome-keyring is not responding [#787391]
 * Enable cross compilation [#748111]
 * Port build scripts to Python 3 [#687637]
 * Build and test fixes [#767002, #777826, #734630, #768112]
 * GI annotation fixes [#785034]
 * Fix textual typos [#782206, ...]
 * Updated translations
2018-04-16 13:06:57 +00:00
fhajny
a624c3d255 security/py-josepy: Update to 1.1.0.
- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
  cryptography instead of the deprecated methods signer and
  verifier.
2018-04-16 12:19:36 +00:00
adam
299d329d51 revbump after icu update 2018-04-14 07:33:52 +00:00
jaapb
56ed9d3f04 Revbump associated with the upgrade of lang/ocaml
(this is the upgrade from 4.06 to 4.06.1)
2018-04-13 13:55:27 +00:00
adam
91d415325b py-gssapi: updated to 1.5.0
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()

Bugfixes
Handle GSS_NO_OID_SET when creating sets
2018-04-13 09:27:30 +00:00
fhajny
35e37afea5 security/py-certbot: Update to 0.23.0.
### Added

- Support for OpenResty was added to the Nginx plugin.

### Changed

- The timestamps in Certbot's logfiles now use the system's local time
  zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
  be able to create and delete multiple TXT records on a single
  domain.
- certbot-dns-google's test suite now works without an internet
  connection.

### Fixed

- Removed a small window during which, if an error occurred, Certbot
  wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
  `listen` directives when creating a new server block in the Nginx
  plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
  now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
  when it's not currently running on RHEL and Gentoo based systems.
2018-04-13 08:14:28 +00:00
adam
cb8b816ca3 py-cryptodome: updated to 3.6.0
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.

Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
2018-04-13 07:28:39 +00:00
adam
ff82051373 gnupg2: updated to 2.2.6
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend that requests are coming
  from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
  released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
  passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
  signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
  sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
  explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
  origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
  gracefully.
* Fix corner cases related to specified home directory with
  drive letter on Windows.
* Allow the use of UNC directory names as homedir.
2018-04-12 07:02:03 +00:00
adam
24c6c03acf libgpg-error: updated to 1.29
Noteworthy changes in version 1.29:
* During cross-compilation, the yat2m tool is now also installed on the
  host platform.
* New option parser and associated functions similar to the one used
  by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse                  New.
gpgrt_usage                     New.
gpgrt_strusage                  New.
gpgrt_set_strusage              New.
gpgrt_set_usage_outfnc          New.
gpgrt_set_fixed_string_mapper   New.
GPGRT_ENABLE_ARGPARSE_MACROS    New macro.
gpgrt_b64enc_start              New.
gpgrt_b64enc_write              New.
gpgrt_b64enc_finish             New.
2018-04-12 06:56:17 +00:00
fhajny
d3edb9a7a5 security/vault: Update to 0.10.0.
SECURITY:

- Log sanitization for Combined Database Secret Engine: In certain failure
  scenarios with incorrectly formatted connection urls, the raw connection
  errors were being returned to the user with the configured database
  credentials. Errors are now sanitized before being returned to the user.

DEPRECATIONS/CHANGES:

- Database plugin compatibility: The database plugin interface was enhanced to
  support some additional functionality related to root credential rotation
  and supporting templated URL strings. The changes were made in a
  backwards-compatible way and all builtin plugins were updated with the new
  features. Custom plugins not built into Vault will need to be upgraded to
  support templated URL strings and root rotation. Additionally, the
  Initialize method was deprecated in favor of a new Init method that supports
  configuration modifications that occur in the plugin back to the primary
  data store.
- Removal of returned secret information: For a long time Vault has returned
  configuration given to various secret engines and auth methods with secret
  values (such as secret API keys or passwords) still intact, and with a
  warning to the user on write that anyone with read access could see the
  secret. This was mostly done to make it easy for tools like Terraform to
  judge whether state had drifted. However, it also feels quite un-Vault-y to
  do this and we've never felt very comfortable doing so. In 0.10 we have gone
  through and removed this behavior from the various backends; fields which
  contained secret values are simply no longer returned on read. We are
  working with the Terraform team to make changes to their provider to
  accommodate this as best as possible, and users of other tools may have to
  make adjustments, but in the end we felt that the ends did not justify the
  means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
  configured locally for policy assignment in a case insensitive fashion by
  default. Existing configurations will continue to work as they do now;
  however, the next time a configuration is written `case_sensitive_names`
  will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
  the core of Vault to ensure consistency across all backends. Since this was
  previously delegated to individual backends, there may be some slight
  differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
  by default at initialization time (it will still be available in `dev`
  mode).

FEATURES:

- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
  features are only available with a supporting version of Vault, but the code
  base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
  flexible versioning of values, check-and-set protections, and more. A new
  `vault kv` subcommand allows friendly interactions with it. Existing mounts
  of the `kv` backend can be upgraded to the new versioned mode (downgrades
  are not currently supported). The old "passthrough" mode is still the
  default for new mounts; versioning can be turned on by setting the
  `-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
  their own configured admin/root credentials, allowing configured credentials
  for a database connection to be rotated immediately after sending them into
  Vault, invalidating the old credentials and ensuring only Vault knows the
  actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
  allows authenticating Azure machines to Vault using Azure's Managed Service
  Identity credentials. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
  information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
  generating secrets to allow access to GCP. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
  information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
  logs can be turned off for specific keys in the request input map and
  response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
  through to backends on a per-mount basis. This is useful in various cases
  when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
  aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
  authentication methods.
- UI (Enterprise): View and edit Sentinel policies.

IMPROVEMENTS:

- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
  operations
- storage/mysql: Allow setting max idle connections and connection lifetime

- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI

BUG FIXES:

- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly clean up the
  parent prefix entry in the underlying storage backend. These operations also
  mark corresponding child tokens as orphans by removing the parent/secondary
  index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
  with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
  on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
  on transit keys. Capabilities are now checked when attempting to encrypt /
  decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
  from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
  to view the root of a secret engine. The link now sends them back to the list
  of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
  paths.
- cli: Fix an issue where generating a dr operation token would not output the
  token
2018-04-11 15:35:49 +00:00
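The first SECURITY item in the Vault 0.10.0 notes above (raw database connection errors echoing the configured credentials back to the user) is worth seeing in code. The Go block below is an added example written for this page; it is not Vault's own sanitization code and the names (SanitizeError, secretsFromConnURL, the sample connection URL and the sample driver error) are constructed for illustration. It scrubs both the decoded password and the percent-encoded form a driver may echo back, and falls back to a generic message when the connection URL cannot be parsed at all, since then it cannot know what to scrub.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample connection URL (not from Vault) with credentials embedded
// in the userinfo part, the way a database secret engine is configured.
const SampleConnURL = "postgres://vaultadmin:S3cretP%40ss@db.internal:5432/app?sslmode=disable"

// Constructed sample of a raw driver error that echoes the whole URL and the
// decoded password back to the caller: exactly what must not reach a user.
const SampleRawError = "dial postgres://vaultadmin:S3cretP%40ss@db.internal:5432/app?sslmode=disable: " +
	"password authentication failed for user \"vaultadmin\" (password S3cretP@ss)"

// secretsFromConnURL collects every form of the configured password that a
// driver might echo back: the decoded value, its percent-encoded form as it
// appears in the URL, and the whole userinfo block.
func secretsFromConnURL(raw string) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse connection url: %w", err)
	}
	if u.User == nil {
		return nil, nil
	}
	var secrets []string
	if pw, ok := u.User.Password(); ok && pw != "" {
		secrets = append(secrets, pw, url.QueryEscape(pw), u.User.String())
	}
	return secrets, nil
}

// SanitizeError rewrites an error message so that neither the configured
// password nor a credential-bearing copy of the connection URL survives in
// what is returned to the user. The raw error remains available for
// server-side logs that are themselves access controlled.
func SanitizeError(errMsg string, connURL string) string {
	secrets, err := secretsFromConnURL(connURL)
	if err != nil {
		// Unparseable URL: we cannot tell what to scrub, so do not risk
		// echoing any of the input.
		return "database connection error (details suppressed)"
	}
	out := errMsg
	// Replace a verbatim copy of the URL first, using net/url's redacted
	// form, so the host and database part stays useful for debugging.
	if u, perr := url.Parse(connURL); perr == nil && u.User != nil {
		out = strings.ReplaceAll(out, connURL, u.Redacted())
	}
	for _, s := range secrets {
		out = strings.ReplaceAll(out, s, "[redacted]")
	}
	return out
}

func main() {
	fmt.Println(SanitizeError(SampleRawError, SampleConnURL))
}
```

Matching on the literal secret strings is what makes this robust to drivers that format errors differently: the URL-level redaction is a nicety, the substring scrub is the guarantee.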
markd
ba4f2fe9c4 kf5: update to 5.44.0
3 months of bugfixes.
2018-04-11 11:50:34 +00:00
maya
bd90b6e9e3 libgpg-error: Fix build error on ARM via upstream patch.
PR pkg/53106, upstream fix noted by Matthias Peterman.
Bump PKGREVISION.
2018-04-11 08:29:24 +00:00
wen
a46b63d8f3 Update to 1.07
Upstream changes:
*** 1.07 April 5, 2018

Fix: rt.cpan.org #124880
	1.06 will not install on macOS

Feature
	Support for Ed25519 and Ed448 algorithms
2018-04-10 10:58:12 +00:00
triaxx
b934b83f20 Fix broken package due to invalid INSTALLATION_DIRS 2018-04-07 10:53:34 +00:00
wiz
b0a1c42aa0 keepassxc: remove now unnecessary qt5 hacks. 2018-04-07 07:35:50 +00:00
jnemeth
a9607c53b3 sort 2018-04-05 05:20:59 +00:00
jperkin
db6ed476ce libgpg-error: SunOS needs libsocket. 2018-04-04 08:08:54 +00:00
minskim
b47c072a9c security/Makefile: Add py-OTXv2 2018-04-03 14:33:54 +00:00
minskim
71511971e3 security/py-OTXv2: Import version 1.2
OTX Direct Connect agents provide a way to automatically update your
security infrastructure with pulses you have subscribed to from within
Open Threat Exchange. By using Direct Connect, the indicators
contained within the pulses you have subscribed to can be downloaded
and made locally available for other applications such as Intrusion
Detection Systems, Firewalls, and other security-focused applications.
2018-04-03 14:33:50 +00:00
adam
d949807c27 py-oauthlib: changed LICENSE to modified-bsd 2018-04-03 11:00:16 +00:00
adam
83bd83e3ad py-oauthlib: updated to 2.0.7
2.0.7:
Moved oauthlib into new organization on GitHub.
Include license file in the generated wheel package.
When deploying a release to PyPI, include the wheel distribution.
Check access token in self.token dict.
Added bottle-oauthlib to docs.
Update repository location in Travis.
Updated docs for organization change.
Replace G+ with Gitter.
Update requirements.
Add shields for Python versions, license and RTD.
Fix ReadTheDocs build
Fixed "make" command to test upstream with local oauthlib.
Replace IRC notification with Gitter Hook.
Added Github Releases deploy provider.
2018-04-03 10:02:49 +00:00
adam
bdc2968c7b py-cryptography py-cryptography_vectors: updated to 2.2.2
2.2.2:
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0h.
2018-04-02 13:19:31 +00:00
wiz
e4e2453b54 security/Makefile: + keepassxc 2018-04-02 08:45:51 +00:00
wiz
358e75bcc4 security/keepassxc: import keepassxc-2.3.0
Based on the wip package by myself with fixes from rillig.

KeePassXC can store your passwords safely and auto-type them into
your everyday websites and applications.
2018-04-02 08:45:24 +00:00
bsiegert
429ee23e50 Revbump all Go packages after 1.10.1 update.
ok wiz@ for committing during freeze
2018-03-30 11:56:19 +00:00
adam
a80e81328f Added missing patch 2018-03-29 15:35:32 +00:00
wiz
6bef8dfa4d openssl: update to 1.0.2o.
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]

  *) Constructed ASN.1 types with a recursive definition could exceed the stack

     Constructed ASN.1 types with a recursive definition (such as can be found
     in PKCS7) could eventually exceed the stack given malicious input with
     excessive recursion. This could result in a Denial Of Service attack. There
     are no such structures used within SSL/TLS that come from untrusted sources
     so this is considered safe.

     This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
     project.
     (CVE-2018-0739)
     [Matt Caswell]
2018-03-29 11:08:44 +00:00
he
4db520a2e5 Apply fix from
https://github.com/opendnssec/opendnssec/pull/713/files
Remove notify handler from netio on zone removal.
Bump PKGREVISION.
2018-03-27 11:40:22 +00:00
wiz
befbf78317 p5-Net-DNS-SEC: update to 1.06.
**** 1.06 March 22, 2018

	Functionally identical to 1.05
	All changes address build/test issues on some platforms
2018-03-25 15:54:01 +00:00
bacon
15c382e8a4 security/munge: Bump PKGREVISION following PLIST fix 2018-03-24 21:29:22 +00:00
bacon
3f84ea81e5 security/munge: Fix PLIST issues, new maintainer bacon@NetBSD.org
Also add LICENSE, patch Linux init scripts, create etc/munge dir
2018-03-24 18:05:58 +00:00
fhajny
389961e421 security/erlang-fast_tls: Update to 1.0.21.
- Updating p1_utils to version 1.0.11.
- Fix compilation with rebar3
2018-03-24 16:07:24 +00:00
fhajny
b0c92ca1f0 security/erlang-epam: Update to 1.0.4.
- Fix compilation with rebar3
2018-03-24 14:29:19 +00:00
fhajny
0e097b55ef security/py-certbot: Update to 0.22.2.
0.22.2
- A type error introduced in 0.22.1 that would occur during challenge
  cleanup when a Certbot plugin raises an exception while trying to
  complete the challenge was fixed.

0.22.1
- The ACME server used with Certbot's --dry-run and --staging flags is
  now Let's Encrypt's ACMEv2 staging server which allows people to
  also test ACMEv2 features with these flags.
- The HTTP Content-Type header is now set to the correct value during
  certificate revocation with new versions of the ACME protocol.
- When using Certbot with Let's Encrypt's ACMEv2 server, it would add
  a blank line to the top of chain.pem and between the certificates in
  fullchain.pem for each lineage. These blank lines have been removed.
- Resolved a bug that caused Certbot's --allow-subset-of-names flag
  not to work.
- Fixed a regression in acme.client.Client that caused the class to
  not work when it was initialized without a ClientNetwork which is
  done by some of the other projects using our ACME library.
2018-03-23 14:37:08 +00:00
taca
f87f34a90e security/ruby-rex-socket: update to 0.1.12
0.1.12 (2018/03/21)

* Land #9, improve SSL certificate generation
* fix is_mac_addr to validate if something is _only_ a mac address
* Improve SSL certificate generation

0.1.11 (2018/02/09)

* Land #8, factor out SSL bits
* Address Brent's comment - drop @@loaded_openssl
* Implement a certificate provider pattern in Socket
* Extract and mixin cert ops from server module
2018-03-23 14:02:24 +00:00
adam
6bfb70eb5b py-cybox: updated to 2.1.0.17
Version 2.1.0.17
- Fix VocabString.is_plain()
- Add Location object and Pools. Update Event to use location, and Observable
  to use Pools.
2018-03-23 12:51:21 +00:00
fhajny
11a26b4395 security/vault: Update to 0.9.6
DEPRECATIONS/CHANGES:

- The AWS authentication backend now allows binds for inputs as either a
  comma-delimited string or a string array. However, to keep consistency with
  input and output, when reading a role the binds will now be returned as
  string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
  backend, you now must explicitly opt-in by adding a `*` to the end of the
  ARN. Existing configurations will be upgraded automatically, but when
  writing a new role configuration the updated behavior will be used.

FEATURES:

- Replication Activation Enhancements: When activating a replication
  secondary, a public key can now be fetched first from the target cluster.
  This public key can be provided to the primary when requesting the
  activation token. If provided, the public key will be used to perform a
  Diffie-Hellman key exchange resulting in a shared key that encrypts the
  contents of the activation token. The purpose is to protect against
  accidental disclosure of the contents of the token if unwrapped by the wrong
  party, given that the contents of the token are highly sensitive. If
  accidentally unwrapped, the contents of the token are not usable by the
  unwrapping party. It is important to note that just as a malicious operator
  could unwrap the contents of the token, a malicious operator can pretend to
  be a secondary and complete the Diffie-Hellman exchange on their own; this
  feature provides defense in depth but still requires due diligence around
  replication activation, including multiple eyes on the commands/tokens and
  proper auditing.

IMPROVEMENTS:

- api: Update renewer grace period logic. It no longer is static, but rather
  dynamically calculates one based on the current lease duration after each
  renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
  just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
  improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
  algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
  than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
  memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
  checking

BUG FIXES:

- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
  set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
  max_lease_ttl configured on the token store mount, truncate it. This matches
  renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
  helper for a particular method
2018-03-23 12:00:12 +00:00
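The Replication Activation Enhancements entry in the Vault 0.9.6 notes above describes a Diffie-Hellman exchange that wraps the activation token for one specific secondary, together with its limit: the exchange does not authenticate the secondary, so whoever gets the primary to seal to their key can read the token. The Go block below is an added example for this page, not Vault's implementation; Party, Seal and Open are hypothetical names, X25519 and AES-GCM are the assumed primitives, and the bare SHA-256 over the shared secret is a stand-in for a proper labelled KDF. It runs both the intended exchange and the impostor case the changelog warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is a hypothetical stand-in for one cluster in the exchange (the
// primary or a would-be secondary); it is not a Vault type.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair for one side.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey is the value a secondary publishes and the operator hands to the
// primary when requesting the activation token.
func (p *Party) PublicKey() []byte {
	return p.priv.PublicKey().Bytes()
}

// sharedKey runs X25519 against the peer's public key and hashes the result
// with a fixed label into a 32-byte AES key. The bare SHA-256 is an assumed
// stand-in KDF for this example; a labelled HKDF is the production choice.
func (p *Party) sharedKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	ss, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(append([]byte("activation-token-v1|"), ss...))
	return sum[:], nil
}

func (p *Party) aead(peerPub []byte) (cipher.AEAD, error) {
	key, err := p.sharedKey(peerPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is run by the primary: it encrypts the activation token so that only
// the holder of the private key behind recipientPub can read it. The
// recipient's public key is bound in as associated data.
func (p *Party) Seal(recipientPub, token []byte) ([]byte, error) {
	gcm, err := p.aead(recipientPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, recipientPub), nil
}

// Open is run by whoever unwraps the token; it only succeeds for the party
// whose public key the primary sealed to.
func (p *Party) Open(senderPub, sealed []byte) ([]byte, error) {
	gcm, err := p.aead(senderPub)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed token too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, p.PublicKey())
}

func main() {
	primary, _ := NewParty()
	secondary, _ := NewParty()
	bystander, _ := NewParty()
	token := []byte(`{"cluster":"dr-west","secret":"constructed-sample"}`) // constructed

	sealed, _ := primary.Seal(secondary.PublicKey(), token)
	if _, err := bystander.Open(primary.PublicKey(), sealed); err != nil {
		fmt.Println("wrong party cannot read the token:", err)
	}
	if pt, err := secondary.Open(primary.PublicKey(), sealed); err == nil {
		fmt.Println("intended secondary reads:", string(pt))
	}
}
```

The defense-in-depth point from the notes falls out of the construction: the primary only ever sees a public key, so the operator supplying that key is the trust anchor, which is why the entry still asks for multiple eyes on the commands and tokens.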
adam
4604d1d688 py-cryptography[_vectors]: updated to 2.2.1
2.2.1:
Reverted a change to GeneralNames which prohibited having zero elements, due to breakages.
Fixed a bug in :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
2018-03-22 11:49:19 +00:00
taca
e102e3da6d security/ruby-rex-powershell: update to 0.1.77
0.1.77					2017/09/23

* Convert double quotes to single quotes to match #{URL}

0.1.76					2017/09/07

* Merge pull request #9 from sempervictus/feature-payload_msil_jit

0.1.75					2017/08/25

* Remove useless failing spec

* Improve use of RandomIdentifier::Generator
* Add MSIL to template constants
* Update spec for MSIL payload
* Implement MSIL payload in Rex gem via template
* Update spec for command
* Finalize quote wrapper
* Rework quote handling
* Cleanup Command single quotes redundant gsub

0.1.74					2017/07/18

* Alternative to IEX in dl_and_exec_string methods
* Command spec - deal with :use_single_quotes
* Output and command improvements for Win10

0.1.73					2017/05/12

* update spec to require Ruby 2.2.0 or greater
2018-03-21 13:42:08 +00:00
taca
d7f298ddcf security/ruby-rex-socket: update to 0.1.10
0.1.10						2017/10/25

* improve cert generation
2018-03-21 13:32:21 +00:00
taca
ba23d01f36 security/ruby-rex-core: update to 0.1.13
0.1.13						2017/07/20

* partially revert 06bfb88
* minor gem cleanups
2018-03-21 13:26:45 +00:00
taca
0b2eb05bda security/ruby-rex-exploitation: update to 0.1.17
0.1.17							2018/02/09

* Add bourne busybox base64 decoder

0.1.16							2017/11/29

* Add user agent regexes to HTTP CmdStagers
2018-03-21 13:23:47 +00:00
taca
3bb4381d8d security/ruby-rex-arch: update to 0.1.13
0.1.13						2017/10/30

* add E500V2 architecture for PPC

0.1.12						2017/08/20

* add license, fixup metadata, unlock unneeded pins
2018-03-21 13:19:52 +00:00
taca
d765fbde11 security/ruby-rex-text: update to 0.2.16
0.2.16						2017/05/12

* update spec to require Ruby 2.2.0 or greater
2018-03-21 13:18:03 +00:00
taca
869b10cc64 security/ruby-nexpose: update to 7.2.0
7.2.0 (2018-01-17)

Closed issues:

* list_vuln_exceptions returns API error #312
* Credentials failure after using Site.copy #307
* XML serialization for VulnException incorrect due to extra whitespace #304
* Nexpose timeout does not seem to work #299

Merged pull requests:

* Update vuln exceptions to use generally available API version #313
  (mhuffman-r7)
* Add a method to add common vuln status filters to report configs #303
  (gschneider-r7)
* Updated for Ruby 2.4 Support #301 (twosevenzero)
2018-03-21 13:10:25 +00:00
wiz
0473185595 p5-Net-DNS-SEC: update to 1.05.
**** 1.05 March 20, Tuesday

Feature
	Support added for Ed25519 and Ed448 algorithms

Fix: rt.cpan.org #124650
	Net::DNS::SEC::Private must not die if attribute is not present
2018-03-21 12:42:37 +00:00