Commit graph

8114 commits

Author SHA1 Message Date
leot
9f66492f40 Update security/py-certifi to 2015.11.20.1.
Changes:
2015.11.20.1
------------
o Add Equifax Secure CA to weak 1024 bit bundle.

2015.11.20
----------
o Ship weak.pem cert bundle.
2016-02-16 13:44:50 +00:00
wiz
308573e89e Update py-oauth2client to 1.5.2.
Needed by py-google-api-python-client-1.4.2.

## v1.5.2

* Add access token refresh error class that includes HTTP status (#310)
* Python3 compatibility fixes for Django (#316, #318)
* Fix incremental auth in flask_util (#322)
* Fall back to credential refresh on EDEADLK in multistore_file (#336)

## v1.5.1

* Fix bad indent in `tools.run_flow()` (#301, bug was
  introduced when switching from 2 space indents to 4)

## v1.5.0

* Fix (more like clarify) `bytes` / `str` handling in crypto
  methods. (#203, #250, #272)
* Replacing `webapp` with `webapp2` in `oauth2client.appengine` (#217)
* Added optional `state` parameter to
  `step1_get_authorize_url`. (#219 and #222)
* Added `flask_util` module that provides a Flask extension to aid
  with using OAuth2 web server flow. This provides the same functionality
  as the `appengine.webapp2` OAuth2Decorator, but will work with any Flask
  application regardless of hosting environment. (#226, #273)
* Track scopes used on credentials objects (#230)
* Moving docs to [readthedocs.org][1] (#237, #238, #244)
* Removing `old_run` module. Was deprecated July 2, 2013. (#285)
* Avoid proxies when querying for GCE metadata (to check if
  running on GCE) (#114, #293)

[1]: https://readthedocs.org/

## v1.4.12

* Fix OS X flaky test failure (#189).
* Fix broken OpenSSL import (#191).
* Remove `@util.positional` from wrapped request in `Credentials.authorize()`
  (#196, #197).
* Changing pinned dependencies to `>=` (#200, #204).
* Support client authentication using `Authorization` header (#206).
* Clarify environment check in case where GAE imports succeed but GAE services
  aren't available (#208).

## v1.4.11

* Better environment detection with Managed VMs.
* Better OpenSSL detection in exotic environments.

## v1.4.10

* Update the `OpenSSL` check to be less strict about finding `crypto.py` in
  the `OpenSSL` directory.
* `tox` updates for new environment handling in `tox`.

## v1.4.9

* Ensure that the ADC fails if we try to *write* the well-known file to a
  directory that doesn't exist, but not if we try to *read* from one.

## v1.4.8

* Better handling of `body` during token refresh when `body` is a stream.
* Better handling of expired tokens in storage.
* Cleanup around `openSSL` import.
* Allow custom directory for the `well_known_file`.
* Integration tests for python2 and python3. (!!!)
* Stricter file permissions when saving the `well_known_file`.
* Test cleanup around config file locations.

## v1.4.7

* Add support for Google Developer Shell credentials.
* Better handling of filesystem errors in credential refresh.
* python3 fixes
* Add `NO_GCE_CHECK` for skipping GCE detection.
* Better error messages on `InvalidClientSecretsError`.
* Comment cleanup on `run_flow`.

## v1.4.6

* Add utility function to convert PKCS12 key to PEM. (#115)
* Change GCE detection logic. (#93)
* Add a tox env for doc generation.

## v1.4.5

* Set a shorter timeout for an Application Default Credentials issue on some
  networks. (#93, #101)
* Test cleanup, switch from mox to mock. (#103)
* Switch docs to sphinx from epydoc.

## v1.4.4

* Fix a bug in bytes/string encoding of headers.

## v1.4.3

* Big thanks to @dhermes for spotting and fixing a mess in our test setup.

* Fix a serious issue with tests not being run. (#86, #87, #89)
* Start credentials cleanup for single 2LO/3LO call. (#83, #84)
* Clean up stack traces when re-raising in some places. (#79)
* Clean up doc building. (#81, #82)
* Fixed minimum version for `six` dependency. (#75)
2016-02-15 10:45:40 +00:00
ryoon
db4c492551 Add tor-browser 2016-02-14 07:34:00 +00:00
ryoon
7755211af9 Import tor-browser-5.5.2 as security/tor-browser.
What is the Tor Browser?

The Tor software protects you by bouncing your communications around
a distributed network of relays run by volunteers all around the
world: it prevents somebody watching your Internet connection from
learning what sites you visit, it prevents the sites you visit from
learning your physical location, and it lets you access sites which
are blocked.
2016-02-14 07:30:54 +00:00
wiz
219b4ee865 Update libgcrypt to 1.6.5:
Noteworthy changes in version 1.6.5 (2016-02-09) [C20/A0/R5]
------------------------------------------------

 * Mitigate side-channel attack on ECDH with Weierstrass curves
   [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
   details.

 * Fix build problem on Solaris.
2016-02-11 13:36:37 +00:00
wen
17adb71dd4 Update to 0.06
No upstream changelog.
2016-02-10 04:32:03 +00:00
wen
745ef02224 Update to 0.11
Upstream changes:
0.11  2015-10-09 rurban
        - add libressl support, unsupported random_egd() with libressl

0.10  2015-02-04 rurban
        - fix LIBS argument, fatal on Windows. thanks to kmx

0.09  2015-02-04 rurban
        - add missing hints/MSWin32.pl (kmx, RT #56455)
        - add a couple of distro tests
        - fix gcov target

0.08  2015-02-03 rurban
        - remove Devel::CheckLib which does not work for 2 required libs
        - replace DynaLoader by XSLoader

0.07  2015-02-03 rurban
        - Bump version to publish an official release

0.06  rurban
        - Typo in doc (dsteinbrunner)

0.05  2013-04-02 14:31:30 rurban
        - Add inc/Devel/CheckLib, improve POD, add README and some helper targets
        - Better diagnostics when the openssl libraries are not found
        - Support INCDIR= and LIBDIR= arguments to Makefile.PL
        - Add MSWin32 hints to find the openssl libraries
        - Autocreate README
        - Fix some -Wpointer-sign warnings
        - Remove wrong Crypt::OpenSSL::RSA package names in docs and errmsg
2016-02-10 04:25:56 +00:00
wen
4c84963c83 Update to 0.15
Upstream changes:
0.15    2015/02/03
        - #84367 Win32 compatibility patch
        - #80369 fix errors in POD. Mainly just missing =over/=back
        - #80368 Makefile.PL: unneeded -lssl in LIBS
2016-02-10 04:18:40 +00:00
wiz
6f5dbe0dc1 Update p5-IO-Socket-SSL to 2.024:
2.024 2016/02/06
- Work around issue where the connect fails on systems having only a loopback
  interface and where IO::Socket::IP is used as super class (default when
  available). Since IO::Socket::IP sets AI_ADDRCONFIG by default connect to
  localhost would fail on these systems. This happened at least for the tests,
  see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
  Workaround is to explicitly set GetAddrInfoFlags to 0 if no GetAddrInfoFlags
  is set but the Family/Domain is given. In this case AI_ADDRCONFIG would not
  be useful anyway but would cause at most harm.
2016-02-07 14:16:59 +00:00
adam
e84a6af2c1 Version 1.0.8
- Handle the case where the CPU supports AVX, but we are running
on a hypervisor with AVX disabled/not supported.
- Faster (2x) scalarmult_base() when using the ref10 implementation
2016-02-07 10:59:18 +00:00
jaapb
339d229d93 Removed the automatic setting of PKGNAME to ocaml-${DISTNAME} from
ocaml.mk. It was becoming more trouble than it was worth: only a minority
of packages used it, and it only made Makefiles more confusing.
(I've left out some packages: these will be updated forthwith)
2016-02-06 12:06:07 +00:00
tron
879aef85da Create and install a file called "share/mozilla-rootcerts/cacert.pem"
which contains all the trusted certificates in PEM format. This file
can e.g. be used with command line clients like "curl" or "wget" to
validate certificates.
2016-02-06 10:22:54 +00:00
nonaka
6ac0761661 PR/50771: Update security/keepassx to 2.0.2.
2.0.1:
- Flush temporary file before opening attachment. [#390]
- Disable password generator when showing entry in history mode. [#422]
- Strip invalid XML chars when writing databases. [#392]
- Add repair function to fix databases with invalid XML chars. [#392]
- Display custom icons scaled. [#322]
- Allow opening databases that have no password and keyfile. [#391]
- Fix crash when importing .kdb files with invalid icon ids. [#425]
- Update translations.

2.0.2:
- Fix regression in database writer that caused it to strip certain special
  characters (characters from Unicode plane > 0).
- Fix bug in repair function that caused it to strip non-ASCII characters.
2016-02-05 09:08:56 +00:00
jaapb
ededae52cf Updated package to the newest version, 0.5.2. Changes include:
0.5.2 (2015-11-23)
=====
* Add OPENSSL_NO_SSL3 preprocessor flag to disable SSLv3 (thanks Jérémie
  Courrèges-Anglas).

0.5.1 (2015-05-27)
=====

* Fix META file for versions of OCaml older than 4.02.0 (thanks Anil
  Madhavapeddy, closes #20).

0.5.0 (2015-05-18)
=====
* Allow to honor server cipher preferences (thanks mfp, closes #18).
* Add functions for reading into/writing from bigarrays, avoiding copy (thanks
  mfp, closes #15).
* Support disabling SSL protocol versions (thanks Edwin Török, closes #13).
* Use Bytes instead of String for read and write, changes the ABI thus the
  version bump (thanks Vincent Bernardoff, closes #16, and mfp, closes #19).
* Make verbosity of client_verify_callback configurable (thanks Nicolas Trangez,
  closes #12).
* Fix build with old versions of SSL (thanks Edwin Török, closes #10).
2016-02-03 12:48:38 +00:00
fhajny
3af585348c Fix build on SunOS, where configure doesn't see getaddrinfo(), but
the code knows how to unlock and use it.
2016-02-02 15:06:46 +00:00
wiz
f91d0b64ac Update nettle to 3.2.
Fix some pkglint while here.

NEWS for the Nettle 3.2 release

	Bug fixes:

	* The SHA3 implementation is updated according to the FIPS 202
	  standard. It is not interoperable with earlier versions of
	  Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
	  differentiate at compile time, sha3.h defines the constant
	  NETTLE_SHA3_FIPS202.

	* Fix corner-case carry propagation bugs affecting elliptic
	  curve operations on the curves secp_256r1 and secp_384r1 on
	  certain platforms, including x86_64. Reported by Hanno Böck.

	New features:

	* New functions for RSA private key operations, identified by
	  the "_tr" suffix, with better resistance to side channel
	  attacks and to hardware or software failures which could
	  break the CRT optimization. See the Nettle manual for
	  details. Initial patch by Nikos Mavrogiannopoulos.

	* New functions nettle_version_major, nettle_version_minor, as
	  a run-time variant of the compile-time constants
	  NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.

	Optimizations:

	* New ARM Neon implementation of the chacha stream cipher.

	Miscellaneous:

	* ABI detection on mips, with improved default libdir
	  location. Contributed by Klaus Ziegler.

	* Fixes for ARM assembly syntax, to work better with the clang
	  assembler. Thanks to Jukka Ukkonen.

	* Disabled use of ifunc relocations for fat builds, to fix
	  problems most easily triggered by using dlopen RTLD_NOW.

	The shared library names are libnettle.so.6.2 and
	libhogweed.so.4.2, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.
2016-02-01 13:27:36 +00:00
jperkin
8d1f88558f Add an SMF manifest entry for clamav-milter. 2016-02-01 12:45:38 +00:00
wiz
95aaa39d7e Update py-cryptography to 1.2.2:
1.2.2 - 2016-01-29
~~~~~~~~~~~~~~~~~~

* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2f.
2016-02-01 11:53:45 +00:00
mef
acef3d8682 Update 0.28 to 0.29
-------------------
0.29    2015-12-24
  - Add a dependency on the 'parent' module:
  - This caused some CPAN Testers failures on perl-5.8.x.
  - http://www.cpantesters.org/cpan/report/d21f0078-6c11-1014-b233-6b3058476d35
2016-01-31 05:56:03 +00:00
mef
6f7f4a4d6b Add ${PERL5_LICENSE} 2016-01-31 05:52:06 +00:00
mef
d8c3a7d288 Update 1.34 to 1.42
-------------------
1.42 2015.09.28
    - Fix issue with long selects getting interrupted by signals and dying (Andrew Hoying)
    - fix version cpan meta info

1.41 2015.09.18
    - use Errno constants in more portable way, see perldoc Errno

1.40 2015.09.17
    - declare new dependency to File::HomeDir in Makefile.PL

1.39 2015.09.15

    - RT #83978 - fix shell terminal width and height (lharey)
    - RT #94574 - fix Algorithm negotiation issue in ::Kex.pm
      (Brian Curnow, Michael Gray)
    - RT #105728 - fix VERSION methods (reported by Karen Etheridge)
    - code modernization (strict+warnings) (gh0stwizard)
    - pass tests on Win32 (gh0stwizard)
    - use Win32::LoginName on Windows (Michael Gray)
    - use File::HomeDir to simplify handling (Michael Gray)

1.38 2014.10.06

    - RT #99284 - install valid SIGNATURE file (Greg Sabino Mullane)

1.37 2014.03.17

    - RT #91840 - enabled config option "StrictHostKeyChecking"
                  (the corresponding code already existed)

1.36 2013.08.09

  Apply many bugfixes from RT discussions.

    - RT #48338 - FIX race condition with SSHv2
    - RT #55195 - FIX race condition in KEXINIT
    - RT #67586 - FIX test '03-packet.t' hangs forever
    - RT #64517 - enable PTY support in SSH2
    - RT #23947 - Replacement for KeyboardInt.pm

1.35 2012.12.03

    - rt#76482 - apply patch to t/03-packet.t for 5.15+ (chisel++)
2016-01-31 05:49:47 +00:00
mef
e1dcaec18c Update 0.57 to 0.70
-------------------
Revision history for Perl extension Net::OpenSSH.

0.70  Jan 20, 2016
        - Re-release as stable.

0.69_01  Jan 14, 2016
        - Add fish.pm to MANIFEST (bug reported by Erik Ferguson).

0.68  Dec 20, 2015
        - Rerelease as stable.

0.67_02  Dec 4, 2015
        - Do not croak when a method gets an unknown argument as far
          as its value is undef.

0.67_01  Nov 7, 2015
        - fix internal waitpid usage (bug report by Konrad
          Bucheli, #rt108516)
        - use strict and warnings in Net::OpenSSH::ConnectionCache
          (bug report and fix by Mohammad S Anwar)

0.66  Oct 11, 2015
        - documentation fix (reported by Alex Kok)
        - allow redirecting debug output to a custom file handle

0.65_06  Aug 26, 2015
        - accept IPv6 addresses with zone indexes (bug report by
          Cserbák Márton)
        - some documentation corrections (bug report and patch by
          Florian Schlichting)

0.65_05  Jul 13, 2015
        - improve documentation

0.65_04  Jul 13, 2015
        - add support for Object::Remote framework integration
        - be more explicit on errors about non matching host public
          keys if possible (still unfinished, bug report by Ferenc
          Erki)
        - add support for connecting to remote unix sockets (requires
          patch to OpenSSH)

0.65_03  Jun 18, 2015
        - remove defined-or operator usage in order to remain perl
          5.8.x compatible

0.65_02  Jun 17, 2015
        - accept as targets URIs where the username contains the at
          sign (bug report by Mark Rushing)

0.65_01  Mar 12, 2015
        - add disown_master method
        - add sshfs_mount.pl sample

0.64  Mar 12, 2015
        WARNING: major internal changes have been introduced since
                 last stable release!!!
        - Rerelease as stable

0.63_07  Jan 25, 2015
        - umask is not thread safe, avoid it (bug report and fix by
          Shaun Pankau)

0.63_06  Jan 15, 2015
        - DESTROY was overwriting $@

0.63_05  Jan 8, 2015
        WARNING, this is a major internal change!!!
        it may introduce regression bugs!!!
        ===============================================================
        - completely revamp internal logic for master monitoring
        ===============================================================
        - add constructor option 'connect'
        - add method 'any'
        - add "contributing code" documentation section
        - update TODO list

0.63_04  Jan 4, 2015
        - remove usage of defined-or operator in order to restore
          support for perl 5.8

0.63_03  Jan 3, 2015
        - remove usage of defined-or operator in order to restore
          support for perl 5.8

0.63_02  Jan 2, 2015
        - make module installable on Windows and Cygwin
        - fix error on regular expression inside quoting.t (bug report
          by Slaven Rezic)
        - documentation section about security added
        - doc corrections (reported by Gregor Herrmann from Debian)
        - AT&T ksh is broken, don't use it when testing quoting
          functions (bug report by Greg Oldendick)

0.63_01  Jun 14, 2014
        - add clean_cache method to Net::OpenSSH::ConnectionCache (bug
          report by Mithun Ayachit)

0.62  Jun 14, 2014
        - rerelease as stable

0.61_18  May 6, 2014
        - add passwd_prompt feature
        - check for the password not being requested a second time
          (bug report by leschm)
        - more spelling errors corrected

0.61_17  Apr 24, 2014
        - lots of spelling errors corrected
        - support code for master_setpgrp feature was not resetting the
          terminal process group owner on failure (bug report by
          Matthias Hofer)
        - MSWin, MSCmd and Chain quoters were missing from the
          MANIFEST and so not being distributed
        - document MSWin and MSCmd quoters
        - add dummy package Net::OpenSSH::SSH

0.61_16  Apr 6, 2014
        - add work around in quoting.t for Solaris csh 'fixing'
          invalid UTF8 sequences

0.61_15  Apr 2, 2014
        - from OpenSSH version 6.5 UNKNOWN is not a valid
          you-are-not-going-to-use-it-anyway hostname as it tries to
          resolve; now we use 0.0.0.0 instead
        - add support for master_setpgrp and setpgrp features
        - scp does not accept setting bandwidth limit to 0

0.61_14  Oct 30, 2013
        - the way used in tests to detect when they are running in the
          background was broken (bug report by Victor Efimov)

0.61_13  Oct 28, 2013
        - set bath_mode when test are being run on the background
          (bug report by Victor Efimov)
        - disable testing against custom ssh server as it is currently
          broken

0.61_12  Oct 10, 2013
        - rsync_* was not replicating time attributes when copy_attrs
          was set (bug report and fix by SUN Guonian)
        - add chain quoter
        - add quoters for MS Windows (MSWin, MSCmd)
        - extended argument quoting was never triggered
        - stream_encoding option was not accepted by capture2 method
        - glob_quoting option was not accepted by most methods
        - rename quote_style option as remote_shell

0.61_11  Aug 29, 2013
        - rsync_get method relied on a feature not available in old
          but still widely used versions of rsync (bug report by
          laiweiwei)

0.61_10  Jul 29, 2013
        - disable ControlPersist only when OpenSSH version >= 5.6 (bug
          report by Philippe Bruhat)
        - autodetect OpenSSH version during object creation

0.61_09  Jul 19, 2013
        - forcibly disable ControlPersist that may have been set from
          ssh configuration files (bug report by Philippe Bruhat)

0.61_08  Jul 19, 2013
        - fix test errors on perl 5.8

0.61_07  Jul 15, 2013
        - capture methods were not handling retriable errors correctly
          (bug report by Victor Efimov)

0.61_06  Jul 12, 2013
        - another take into the shell_is_clean sanity check. Now we
          mimic sshd close enough to fool bash and make it behave as
          when really called by sshd

0.61_05  Jul 11, 2013
        - add shell_is_clean sanity check to test scripts to avoid
          false negatives while testing (bug report by Karen
          Etheridge)

0.61_04  Jun 28, 2013
        - print more informative error messages when loading an
          optional module fails
        - remove useless old fix for a nonexistent bug on
          _fileno_dup_over (un-bug report by Tammy Rockvam)

0.61_03  May 10, 2013
        - when testing on AIX don't check mux socket permissions and
          use correct ps arguments (bug report by mwatson)
        - apply doc patch by Florian of Debian project
        - add open3socket method
        - open2socket and open2pty now return the socket and pty
          respectively when called on scalar context
        - methods returning several file objects now croak when called
          on scalar context

0.61_02  Apr 16, 2013
        - add support for multiple shell quoting backends
        - add support for X11 forwarding

0.61_01  Mar 18, 2013
        - remote shell detection code was broken in tests (bug report
          by Neil Bowers)
        - skip tests requiring a bourne shell when the remote shell is
          csh or some derivative as tcsh

0.60  Feb 15, 2013
        - scp_put and rsync_put were not handling correctly the case
          where glob was set but the given file patterns didn't match
          any local file (bug report by Pavel Leity).
        - $SIG{__DIE__} was not always localized before calling eval

0.59  Jan 31, 2013
        - release as stable
        - fix some misspellings

0.58_04  May 2, 2012
        - solve some git merge mistakes

0.58_03  May 1, 2012
        - several misspellings corrected on the docs (bug report by
          Florian Schlichting from Debian - I love these guys!)
        - don't put square brackets around IPv6 addresses when passing
          the hostname to ssh (bug report by Alexey ?)

0.58_02  Apr 16, 2012
        - strict_mode lets pass world-writable directories if they
          have the restricted deletion flag set
        - implement sshfs import and export methods
        - add forward_agent feature
        - do not disable ssh-agent when using password authentication
        - some documentation improvements

0.58_01  Jan 30, 2012
        - add new documentation section about debugging
        - new helper module Net::OpenSSH::OSTracer added
        - ConnectionCache module was missing from MANIFEST
        - correction on default_ssh_opts feature documentation
          (reported by Yann Kerherv.)
2016-01-31 05:36:52 +00:00
mef
f698c321b7 Update to 2.023
---------------
2.023 2016/01/30
- OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection
  was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9).
  This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying)
  which caused an endless loop. It will now ignore this result in case the TLS
  connection was not yet established and consider the TLS connection closed
  instead.
2016-01-31 02:49:08 +00:00
richard
636fa1610b update to stunnel-5.30... 5.29 has been removed
Version 5.30, 2016.01.28, urgency: HIGH

Security bugfixes
     OpenSSL DLLs updated to version 1.0.2f.
     https://www.openssl.org/news/secadv_20160128.txt
New features
     Improved compatibility with the current OpenSSL 1.1.0-dev tree.
     Added OpenSSL autodetection for the recent versions of Xcode.
Bugfixes
     Fixed references to /etc removed from stunnel.init.in.
     Stopped even trying -fstack-protector on unsupported platforms
     (thx to Rob Lockhart).
2016-01-30 05:39:13 +00:00
jperkin
3635ea1ef7 Add LICENSE (2-clause-bsd, not exactly but close enough). 2016-01-29 10:43:14 +00:00
jperkin
a3980c464b Update security/openssl to version 1.0.2f.
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

  *) DH small subgroups

     Historically OpenSSL only ever generated DH parameters based on "safe"
     primes. More recently (in version 1.0.2) support was provided for
     generating X9.42 style parameter files such as those required for RFC 5114
     support. The primes used in such files may not be "safe". Where an
     application is using DH configured with parameters based on primes that are
     not "safe" then an attacker could use this fact to find a peer's private
     DH exponent. This attack requires that the attacker complete multiple
     handshakes in which the peer uses the same private DH exponent. For example
     this could be used to discover a TLS server's private DH exponent if it's
     reusing the private DH exponent or it's using a static DH ciphersuite.

     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
     TLS. It is not on by default. If the option is not set then the server
     reuses the same private DH exponent for the life of the server process and
     would be vulnerable to this attack. It is believed that many popular
     applications do set this option and would therefore not be at risk.

     The fix for this issue adds an additional check where a "q" parameter is
     available (as is the case in X9.42 based parameters). This detects the
     only known attack, and is the only possible defense for static DH
     ciphersuites. This could have some performance impact.

     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
     default and cannot be disabled. This could have some performance impact.

     This issue was reported to OpenSSL by Antonio Sanso (Adobe).
     (CVE-2016-0701)
     [Matt Caswell]

  *) SSLv2 doesn't block disabled ciphers

     A malicious client can negotiate SSLv2 ciphers that have been disabled on
     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
     been disabled, provided that the SSLv2 protocol was not also disabled via
     SSL_OP_NO_SSLv2.

     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
     and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]

  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]
2016-01-28 16:30:42 +00:00
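As an added example (not OpenSSL's code) of the q-based subgroup check the fix above describes, in Python on constructed toy parameters, with a safe-prime modulus for contrast; the function names and the small numbers are choices made here:

```python
# Added example, not OpenSSL code: the check that CVE-2016-0701's fix adds when
# DH parameters carry a "q" (the order of the generator), shown on constructed
# toy parameters so every step can be verified by hand.
from typing import List, Optional


def element_order(y: int, p: int) -> int:
    """Multiplicative order of y modulo prime p, by brute force (toy sizes only)."""
    if not 1 <= y < p:
        raise ValueError("y out of range")
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def validate_dh_public_value(y: int, p: int, q: Optional[int] = None) -> bool:
    """Accept a peer's DH public value y for modulus p.

    The range test alone (the historical check) only rejects the order-1 and
    order-2 elements, 1 and p-1. When the parameters also supply q, the fix
    additionally requires y^q == 1 (mod p), i.e. y lies in the intended order-q
    subgroup rather than in some other small subgroup of Z_p^*.
    """
    if not 1 < y < p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def offsubgroup_values(p: int, q: int) -> List[int]:
    """Values the range-only check accepts but the subgroup check rejects."""
    return [y for y in range(2, p - 1) if pow(y, q, p) != 1]


def element_orders(p: int) -> List[int]:
    """Sorted set of orders occurring among the values the range check accepts."""
    return sorted({element_order(y, p) for y in range(2, p - 1)})


# Constructed X9.42-style toy parameters: p = 29 is prime but NOT a safe prime
# (p - 1 = 28 = 4 * 7); q = 7; g = 2^((p-1)/q) mod p = 16 generates the
# order-7 subgroup.
TOY_P, TOY_Q, TOY_G = 29, 7, 16

# Safe-prime toy modulus for contrast: p = 23 = 2 * 11 + 1.
SAFE_P = 23


def honest_public_value(x: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value an honest peer sends for private exponent x."""
    return pow(g, x, p)


if __name__ == "__main__":
    y_good = honest_public_value(3)  # 16^3 mod 29 = 7, order 7
    print("honest value", y_good, "order", element_order(y_good, TOY_P),
          "accepted with q:", validate_dh_public_value(y_good, TOY_P, TOY_Q))
    y_bad = 12  # order 4: outside the order-7 subgroup
    print("off-subgroup value", y_bad, "order", element_order(y_bad, TOY_P),
          "range-only:", validate_dh_public_value(y_bad, TOY_P),
          "with q:", validate_dh_public_value(y_bad, TOY_P, TOY_Q))
    print("values the range check admits but the q check rejects:",
          len(offsubgroup_values(TOY_P, TOY_Q)))
    # With a safe prime every value the range check accepts has order q or 2q,
    # which is why parameters built from safe primes never needed a q check.
    print("orders present for safe prime 23:", element_orders(SAFE_P))
    print("orders present for non-safe prime 29:", element_orders(TOY_P))
```

For a real X9.42 parameter file the same `pow(y, q, p) == 1` test applies unchanged; only the brute-force order helpers are toy-only.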
wiz
299f57a446 Add a missing endif in Solaris case. 2016-01-28 10:04:38 +00:00
wiz
fee33156e2 Update gnupg21 to 2.1.11:
Noteworthy changes in version 2.1.11 (2016-01-26)
-------------------------------------------------

 * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool.

 * gpg: Allow to generate mail address only keys with --gen-key.

 * gpg: "--list-options show-usage" is now the default.

 * gpg: Make lookup of DNS CERT records holding a URL work.

 * gpg: Emit PROGRESS status lines during key generation.

 * gpg: Don't check for ambiguous or non-matching key specification in
   the config file or given to --encrypt-to.  This feature will return
   in 2.3.x.

 * gpg: Lock keybox files while updating them.

 * gpg: Solve rare error on Windows during keyring and Keybox updates.

 * gpg: Fix possible keyring corruption. (bug#2193)

 * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and
   remove "checkbkupkey" sub-command introduced with 2.1.  (bug#2169)

 * gpg: Fix internal error in gpgv when using default keyid-format.

 * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured
   keyservers. (bug#2147).

 * agent: New option --pinentry-timeout.

 * scd: Improve unplugging of USB readers under Windows.

 * scd: Fix regression for generating RSA keys on card.

 * dirmngr: All configured keyservers are now searched.

 * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net.
   Use this certificate even if --hkp-cacert is not used.

 * gpgtar: Add actual encryption code.  gpgtar does now fully replace
   gpg-zip.

 * gpgtar: Fix filename encoding problem on Windows.

 * Print a warning if a GnuPG component is using an older version of
   gpg-agent, dirmngr, or scdaemon.
2016-01-27 06:31:20 +00:00
ryoon
2a38884dcc Update to 5.29
Changelog:
Version 5.29, 2016.01.08, urgency: LOW
* New features
  - New WIN32 icons.
  - Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
  - Compilation fix for *BSD.
  - Fixed configuration file reload for relative stunnel.conf path
    on Unix.
  - Fixed ignoring CRLfile unless CAfile was also specified (thx
    to Strukov Petr).
2016-01-25 14:57:55 +00:00
jperkin
ac56158090 Attempt to bring sanity to how ABI and MACHINE_ARCH are set.
Previously there were at least 5 different ways MACHINE_ARCH could be set,
some statically and some at run time, and in many cases these settings
differed, leading to issues at pkg_add time where there was conflict
between the setting encoded into the package and that used by pkg_install.

Instead, move to a single source of truth where the correct value based on
the host and the chosen (or default) ABI is determined in the bootstrap
script.  The value can still be overridden in mk.conf if necessary, e.g.
for cross-compiling.

ABI is now set by default and if unset a default is calculated based on
MACHINE_ARCH.  This fixes some OS, e.g. Linux, where the wrong default was
previously chosen.

As a result of the refactoring there is no need for LOWER_ARCH, with
references to it replaced by MACHINE_ARCH.  SPARC_TARGET_ARCH is also
removed.
2016-01-24 16:14:44 +00:00
zafer
734cd030aa remove one dead mirror (not resolved) 2016-01-22 08:39:51 +00:00
leot
d6f5f5e1cc sslsplit also needs libevent (noted via pkgsrc-bulk@).
While here pass all the dependencies via MAKE_ENV (this will - hopefully - avoid
further problems on platforms where openssl and libevent are not builtins).
2016-01-20 17:43:47 +00:00
fhajny
0c9abf09ee Revbump all Go packages after the go-1.5.3 security update (hint: static
linking).
2016-01-18 15:33:43 +00:00
jperkin
13ff0e954c Explicitly disable roaming, as per CVE-2016-0777 and CVE-2016-0778.
Fix patch dates and offsets while here.  Bump PKGREVISION.
2016-01-18 12:53:25 +00:00
fhajny
3e68de13a1 Fix PLIST 2016-01-16 19:17:11 +00:00
fhajny
863c3d3e32 Update security/erlang-p1_tls to 1.0.0.
No upstream changes.
Change to use erlang/module.mk.
2016-01-16 17:31:45 +00:00
fhajny
4bf09c0d74 Update security/erlang-p1_pam to 1.0.0.
No upstream changes.
Change to use erlang/module.mk.
2016-01-16 17:30:31 +00:00
fhajny
755ca135ae Change security/erlang-oauth2 to use the real upstream.
Change to use erlang/module.mk.
2016-01-16 16:42:24 +00:00
wiz
a42a92de41 Update py-cryptography to 1.2.1:
1.2.1 - 2016-01-08
~~~~~~~~~~~~~~~~~~

* Reverts a change to an OpenSSL ``EVP_PKEY`` object that caused errors with
  ``pyOpenSSL``.

1.2 - 2016-01-08
~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:**
  :class:`~cryptography.x509.RevokedCertificate`
  :attr:`~cryptography.x509.RevokedCertificate.extensions` now uses extension
  classes rather than returning raw values inside the
  :class:`~cryptography.x509.Extension`
  :attr:`~cryptography.x509.Extension.value`. The new classes
  are:

  * :class:`~cryptography.x509.CertificateIssuer`
  * :class:`~cryptography.x509.CRLReason`
  * :class:`~cryptography.x509.InvalidityDate`
* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
  table for actually dropping support, however we strongly encourage all users
  to upgrade, as those versions no longer receives support from the OpenSSL
  project.
* The :class:`~cryptography.x509.Certificate` class now has
  :attr:`~cryptography.x509.Certificate.signature` and
  :attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes.
* The :class:`~cryptography.x509.CertificateSigningRequest` class now has
  :attr:`~cryptography.x509.CertificateSigningRequest.signature` and
  :attr:`~cryptography.x509.CertificateSigningRequest.tbs_certrequest_bytes`
  attributes.
* The :class:`~cryptography.x509.CertificateRevocationList` class now has
  :attr:`~cryptography.x509.CertificateRevocationList.signature` and
  :attr:`~cryptography.x509.CertificateRevocationList.tbs_certlist_bytes`
  attributes.
* :class:`~cryptography.x509.NameConstraints` are now supported in the
  :class:`~cryptography.x509.CertificateBuilder` and
  :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
* Support serialization of certificate revocation lists using the
  :meth:`~cryptography.x509.CertificateRevocationList.public_bytes` method of
  :class:`~cryptography.x509.CertificateRevocationList`.
* Add support for parsing :class:`~cryptography.x509.CertificateRevocationList`
  :meth:`~cryptography.x509.CertificateRevocationList.extensions` in the
  OpenSSL backend. The following extensions are currently supported:

  * :class:`~cryptography.x509.AuthorityInformationAccess`
  * :class:`~cryptography.x509.AuthorityKeyIdentifier`
  * :class:`~cryptography.x509.CRLNumber`
  * :class:`~cryptography.x509.IssuerAlternativeName`
* Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and
  :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of
  CRLs.
* Unrecognized non-critical X.509 extensions are now parsed into an
  :class:`~cryptography.x509.UnrecognizedExtension` object.
2016-01-13 20:22:52 +00:00
markd
778f76279b Update kgpg to 15.12.0
minor updates.
2016-01-10 19:16:06 +00:00
adam
7ebf641fba Use our exampledir; configure uses different directories for different OSes. 2016-01-09 13:16:41 +00:00
adam
a391e65406 Add nls as an option, but also fix builds where system gettext gets detected and used. 2016-01-09 11:22:12 +00:00
wiz
70dc531f72 Update p5-Mozilla-CA to 20160104.
Changes not found, but I assume the usual update to upstream.
2016-01-07 11:29:17 +00:00
adam
011bef3059 Revbump after updating graphics/libwebp 2016-01-06 10:46:49 +00:00
agc
12135fcdf9 Make sure we have a version of go on the machine on which we're
building boringssl.
2016-01-05 19:47:12 +00:00
adam
dce671f3f3 Fix building on OS X; cosmetic changes; fix distinfo 2016-01-05 17:05:00 +00:00
sevan
b913cb63e8 Add description to patches 2016-01-05 12:51:20 +00:00
wiz
c916c06bec Update py-rsa to 3.2.3.
Changes not found.
2016-01-05 10:26:43 +00:00
sevan
0bddf39ba8 Add libressl
Reviewed by wiz@
2016-01-05 01:15:41 +00:00
sevan
71b4f764cb Import LibreSSL, this will allow it to get a broader range of testing through
the bulk builds before it's plugged into pkgsrc as an OpenSSL alternative within
the infrastructure.

Reviewed by wiz@
2016-01-05 01:09:21 +00:00