= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
## 2.5.3 (2020-01-19)
### Fixed
- Fix a possible database lockout when removing a YubiKey from a KDBX 3.1 database [#4147]
- Fix crash if Auto-Type is performed on a new entry [#4150]
- Fix crash when all entries are deleted from a group [#4156]
- Improve the reliability of clipboard clearing on Gnome [#4165]
- Do not check cmd:// URLs for valid URL syntax anymore [#4172]
- Prevent unnecessary merges for databases on network shares [#4153]
- Browser: Prevent native messaging proxy from blocking application shutdown [#4155]
- Browser: Improve website URL matching [#4134, #4177]
### Added
- Browser: Enable support for Chromium-based Edge Browser [#3359]
Changes from 2.43 to 2.44:
New Features:
* Added option 'Use file transactions for writing [22]configuration
settings' (turned on by default).
* If the option 'Do not store data in the Windows clipboard history
and the cloud clipboard' is turned on (which it is by default),
KeePass now additionally excludes its clipboard contents from
processing by Windows' internal ClipboardMonitor component.
* Added commands to find database files ('File' -> 'Open' -> 'Find
Files' and 'Find Files (In Folder)').
* Added 'Edit' menu in the [23]internal text editor (including new
'Select All' and 'Find' commands with keyboard shortcuts).
* Added keyboard shortcuts for formatting commands in the internal
text editor.
* Added 'Cancel' button in the save confirmation dialog of the
internal text editor.
* Added {CLIPBOARD} and {CLIPBOARD-SET:/T/} [24]placeholders, which
get/set the clipboard content.
* Added support for [25]importing True Key 4 CSV files.
* Added command line options for adding/removing scheme-specific URL
overrides.
* Added an auto-type event for [26]plugins.
* When loading a plugin on a Unix-like system fails, the error
message now includes a hint that the 'mono-complete' package may be
required.
* In order to avoid a Windows Input Method Editor (IME) bug
(resulting in a black screen and/or an IME/CTF process with high
CPU usage), KeePass now disables the IME on [27]secure desktops.
Improvements:
* [28]Auto-Type: improved compatibility with VMware Workstation.
* Auto-Type into virtual machines: improved compatibility with
certain guest systems.
* The option to use the 'Clipboard Viewer Ignore' clipboard format is
now turned on by default.
* Improved menu/toolbar item state updating in the internal text
editor.
* Improved performance of Spr compilations.
* Before writing a local configuration file whose path has been
specified using the '-cfg-local:' [29]command line parameter,
KeePass now tries to create the parent directory, if it does not
exist yet.
* Improved conversion of file URIs to local file paths.
* Improved compatibility of the list view dialog with plugins.
* If ChaCha20 is selected as file [30]encryption algorithm, the
database is now saved in the [31]KDBX 4 format (thanks to
[32]AMOSSYS).
* Minor [33]process memory protection improvements.
* HTML export/printing: KeePass now generates HTML 5 documents
(instead of XHTML 1.0 documents).
* HTML export/printing: improved internal CSS.
* HTML exports do not contain temporary content identifiers anymore.
* XSL files: HTML output now conforms to HTML 5 instead of XHTML 1.0.
* XSL files: improved internal CSS.
* CHM pages are now rendered in the highest standards mode supported
by Internet Explorer (EdgeHTML mode).
* Migrated most of the documentation from XHTML 1.0 to HTML 5.
* Various code optimizations.
* Minor other improvements.
Bugfixes:
* In the internal text editor, the 'Delete' command does not reset
RTF text formattings anymore.
* The [34]KeyCreationFlags bit 2^19 (for hiding the passwords) now
works as intended.
Security
* Fix side channel vulnerability in ECDSA. Our bignum implementation is not
constant time/constant trace, so side channel attacks can retrieve the
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
to have only large prime factors), and then, by brute force, recover the
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
mbedtls_internal_aes_decrypt() before exiting the function. The value of
these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
* Fix side channel vulnerability in ECDSA key generation. Obtaining precise
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
* Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
failures could happen with alternative implementations of AES. Bug
reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
Sectra.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
holding the returned value is overwritten a line after.
Found by irwir in #2377.
* Support mbedtls_hmac_drbg_set_entropy_len() and
mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
the initial seeding always reset the entropy length to the compile-time
default.
Changes
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
from the cipher abstraction layer. Fixes#2198.
* Clarify how the interface of the CTR_DRBG and HMAC modules relates to
NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
1.2.0:
Added
Added support for Cloudflare's limited-scope API Tokens
Added support for $hostname in nginx server_name directive
Changed
Add directory field to error message when field is missing.
If MD5 hasher is not available, try it in non-security mode (fix for FIPS systems)
Disable old SSL versions and ciphersuites and remove SSLCompression off setting to follow Mozilla recommendations in Apache.
Remove ECDHE-RSA-AES128-SHA from NGINX ciphers list now that Windows 2008 R2 and Windows 7 are EOLed
Support for Python 3.4 has been removed.
Fixed
Fix collections.abc imports for Python 3.9.
More details about these changes can be found on our GitHub repo.
1.1.0:
Changed
Removed the fallback introduced with 0.34.0 in acme to retry a POST-as-GET request as a GET request when the targeted ACME CA server seems to not support POST-as-GET requests.
certbot-auto no longer supports architectures other than x86_64 on RHEL 6 based systems. Existing certbot-auto installations affected by this will continue to work, but they will no longer receive updates. To install a newer version of Certbot on these systems, you should update your OS.
Support for Python 3.4 in Certbot and its ACME library is deprecated and will be removed in the next release of Certbot. certbot-auto users on x86_64 systems running RHEL 6 or derivatives will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
Update clamav to 0.102.2.
## 0.102.2
ClamAV 0.102.2 is a bug patch release to address the following issues.
- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
An Denial-of-Service (DoS) condition may occur when using the optional credit
card data-loss-prevention (DLP) feature. Improper bounds checking of an
unsigned variable resulted in an out-of-bounds read which causes a crash.
- Significantly improved scan speed of PDF files on Windows.
- Re-applied a fix to alleviate file access issues when scanning RAR files in
downstream projects that use libclamav where the scanning engine is operating
in a low-privelege process. This bug was originally fixed in 0.101.2 and the
fix was mistakenly omitted from 0.102.0.
- Fixed an issue wherein freshclam failed to update if the database version
downloaded is 1 version older than advertised. This situation may occur after
a new database version is published. The issue affected users downloading the
whole CVD database file.
- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
The ReceiveTimeout had caused needless database update failures for users with
slower internet connections.
- Correctly display number of kilobytes (KiB) in progress bar and reduced the
size of the progress bar to accomodate 80-char width terminals.
- Fixed an issue where running freshclam manually causes a daemonized freshclam
process to fail when it updates because the manual instance deletes the
temporary download directory. Freshclam temporary files will now download to a
unique directory created at the time of an update instead of using a hardcoded
directory created/destroyed at the program start/exit.
- Fix for Freshclam's OnOutdatedExecute config option.
- Fixes a memory leak in the error condition handling for the email parser.
- Improved bound checking and error handling in ARJ archive parser.
- Improved error handling in PDF parser.
- Fix for memory leak in byte-compare signature handler.
- Updates to the unit test suite to support libcheck 0.13.
- Updates to support autoconf 2.69 and automake 1.15.
Special thanks to the following for code contributions and bug reports:
- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini
Upstream changes:
OpenDNSSEC 2.1.6 - 2020-02-11:
* OPENDNSSEC-913: verify database connection upon every use.
* OPENDNSSEC-944: bad display of date of next transition (regression)
* SUPPORT-250: missing signatures on using combined keys (CSK)
* OPENDNSSEC-945: memory leak per command to enforcer.
* OPENDNSSEC-946: unclean enforcer exit in case of certain config
problems.
* OPENDNSSEC-411: set-policy command to change policy of zone
(experimental). Requestes explicit enforce command to take effect.
snallygaster is a tool that looks for files accessible on web servers that
shouldn't be public and can pose a security risk.
Typical examples include publicly accessible git repositories, backup files
potentially containing passwords or database dumps. In addition it contains a
few checks for other security vulnerabilities.
Noteworthy changes in version 1.37:
* Fixes a build problems when using Gawk 5.0
* Fixes Bourne shell incompatibilities on Solaris.
* Improves cross-comiling support.
* On Windows strerror_s is now used to emulate strerror_r.
* New error codes to map SQLite primary error codes.
* Now uses poll(2) instead of select(2) in gpgrt_poll if possible.
* Fixes a bug in gpgrt_close.
* Fixes build problem under Cygwin.
* Fixes a few minor portability bugs.
* Version 3.6.12 (released 2020-02-01)
** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
to identify sessions that client request OCSP status request (#829).
** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
signature algorithm (RFC 8032) under TLS (#86).
** libgnutls: Added the default-priority-string option to system configuration;
it allows overriding the compiled-in default-priority-string.
** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
draft-smyshlyaev-tls12-gost-suites-07).
By default this ciphersuite is disabled. It can be enabled by adding
+GOST to priority string. In the future this priority string may enable
other GOST ciphersuites as well. Note, that server will fail to negotiate
GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
are enabled on GnuTLS-based servers.
** libgnutls: added priority shortcuts for different GOST categories like
CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
** libgnutls: Reject certificates with invalid time fields. That is we reject
certificates with invalid characters in Time fields, or invalid time formatting
To continue accepting the invalid form compile with --disable-strict-der-time
(#207, #870).
** libgnutls: Reject certificates which contain duplicate extensions. We were
previously printing warnings when printing such a certificate, but that is
not always sufficient to flag such certificates as invalid. Instead we now
refuse to import them (#887).
** libgnutls: If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected level prior
to accepting it. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise (#877).
** libgnutls: The min-verification-profile from system configuration applies
for all certificate verifications, not only under TLS. The configuration can
be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
** libgnutls: The stapled OCSP certificate verification adheres to the convention
used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.
** libgnutls: On client side only send OCSP staples if they have been requested
by the server, and on server side always advertise that we support OCSP stapling
(#876).
** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
with gnutls_ocsp_req_t but const.
** certtool: Added the --verify-profile option to set a certificate
verification profile. Use '--verify-profile low' for certificate verification
to apply the 'NORMAL' verification profile.
** certtool: The add_extension template option is considered even when generating
a certificate from a certificate request.
** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
3.9.6:
Resolved issues
* Fix building of wheels for OSX by explicitly setting `sysroot` location.
3.9.5:
Resolved issues
* RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
* GH-372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
* Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.
New features
* Updated Wycheproof test vectors to version 0.8r12.
In addition to about two years of changes, this contains notably the
following security fix:
When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
overflow could occur, causing a panic, due to malformed ASN.1 being
passed to any of the ASN1 methods of String.
Tested on linux/386 and darwin/amd64.
This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
test vectors.
pkgsrc changes:
Once again, the acme subdirectory was removed as it introduces a circular
dependency with go-net.
Prodded several times by ng0@
What's new:
* Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
sudoers option is enabled on systems with uni-directional pipes.
* The "sudoedit_checkdir" option now treats a user-owned directory
as writable, even if it does not have the write bit set at the
time of check. Symbolic links will no longer be followed by
sudoedit in any user-owned directory. Bug #912
* Fixed sudoedit on macOS 10.15 and above where the root file system
is mounted read-only. Bug #913.
* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
at the password prompt. Bug #914.
* Fixed compilation on systems where the mmap MAP_ANON flag
is not available. Bug #915.
RFC 8624 says "MUST NOT" for signing and "MAY" for sig-checking.
The sqlite3 change is related to the OpenDNSSEC v2 change, to be
consistent with the choice there.
PKGREVISION bumped.
