0.30 Tue May 1 2018
- Working windows library detection
- Actively testing on appveyor for windows now.
- work correctly on LibreSSL
0.29_03 Mon Apr 16 2018
- Add whirlpool hash support.
- Crypt::OpenSSL::Random is now required at comnpile-time.
- Use the new interface to RSA_generate_key if available
- Add library paths to LIBS from Crypt::OpenSSL::Guess
Remove hack for DragonFly/i386, DragonFly is 64-bit only nowadays.
Noteworthy changes in version 1.30 (2018-04-30) [C24/A24/R1]
-----------------------------------------------
* Fix for a hang on Windows when using gpgrt_poll under nPth.
* Build fix for Solaris. [#3869]
--------------
polkit 0.114
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.114.
Highlights:
Port to mozjs 52, the latest version of the firefox JavaScript engine.
Add gettext support for policy files
Fixes for various memory leaks
Build requirements
glib, gobject, gio >= 2.32
mozjs-52
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.113:
Anders Jonsson (2):
pkcheck: fix man typos
Add Swedish translation
Antoine Jacoutot (1):
Add support for OpenBSD
Christian Kirbach (1):
Add German translation
Colin Walters (3):
build: Pull in GCC warning infra from ostree
build: Use AC_USE_SYSTEM_EXTENSIONS
tests: Correct boundary test for overflow
Dariusz Gadomski (2):
Fix multi-line pam text info.
Refactor send_to_helper usage
Gabor Kelemen (1):
Add initial Hungarian translation, and add hu to LINGUAS
Jeremy Linton (5):
change mozjs interface module to c++
Switch to hard requiring mozjs24
Fix warnings caused by building with C++
Replace autocompartment
test: Add a test case to handle actions without explicit rules
Jiří Klimeš (1):
trivial: fix deprecated indication for polkit_agent_register_listener()
Matthias Clasen (1):
Add gettext support for .policy files
Miloslav Trmač (21):
Post-release version bump to 0.114
Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
Fix a memory leak of PolkitAgentListener's Server object
Remove polkitbackendconfigsource.[ch]
Add Slovak translation by Dusan Kazik <prescott66@gmail.com>
Add Indonesian translation by Andika Triwidada
Add Chinese (Taiwan) translation
Fix a typo in polkit(8)
Simplify GVariant reference counting
Fix a memory leak on an error path of lookup_asv (twice)
Fix a memory leak in server_handle_register_authentication_agent_with_options
Fix a memory leak in server_handle_unregister_authentication_agent
Fix a memory leak in server_handle_authentication_agent_response{,2}
Fix memory leaks in server_handle_*_temporary_authorizations
Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
Fix a memory leak per agent authentication
Fix a memory leak on agent authentication cancellation
Audit and fix GVariant reference counting
Fix help for (pkttyagent -s)
Fix a race condition when terminating runaway_killer_thread
Move to current GLib
Mingye Wang (Arthur2e5) (1):
Add zh_CN translation
Muhammet Kara (1):
Added Turkish translation
OBATA Akio (1):
Add support for NetBSD
Peter Hutterer (1):
gettext: switch to default-translate "no"
Philip Withnall (3):
polkit: Add g_autoptr() support for GObject-derived polkit types
data: Set GIO_USE_VFS=local in the environment
polkitbackend: Fix typos in a couple of initialisation error messages
Piotr Drąg (1):
Add Polish translation
Rafael Fontenelle (1):
Add Brazilian Portuguese translation
Ray Strode (34):
configure: bump mozjs requirement to 52
jsauthority: fix how classes are defined
jsauthority: use JS_FN instead of JS_FS
jsauthority: get rid of JSRuntime
jsauthority: change how setVersion is called
jsauthority: call JS_Init
jsauthority: call JS_InitSelfHostedCode
jsauthority: change how JIT is disabled
jsauthority: JS::SetWarningReporter instead of JS_SetErrorReporter
jsauthority: add UTF8 suffix to renamed functions
jsauthority: pass "%s" format string to report functions
jsauthority: s/JSBool/bool/
jsauthority: s/jsval/JS::Value/
jsauthority: s/JSVAL_NULL/JS::NullValue()/
jsauthority: s/JSVAL_VOID/JS::UndefinedValue()/
jsauthority: s/OBJECT_TO_JSVAL/JS::ObjectValue/
jsauthority: s/STRING_TO_JSVAL/JS::StringValue/
jsauthority: s/BOOLEAN_TO_JSVAL/JS::BooleanValue/
jsauthority: JSVAL_TO_OBJECT (o) to o.toObjectOrNull()
jsauthority: JSVAL_TO_STRING (s) to s.toString()
jsauthority: JSVAL_IS_STRING (s) to s.isString()
jsauthority: JSVAL_IS_NULL (o) to o.isNull()
jsauthority: Fix up JS_CallFunctionName invocations
jsauthority: use InterruptCallback api instead of OperationCallback
jsauthority: redo how global objects are set up
jsauthority: root some locals to the context
jsauthority: adapt arguments for new JS::Compile API
jsauthority: adapt arguments for new JS_ExecuteScript API
jsauthority: use JS::Evaluate instead of JS_EvaluateScript
jsauthority: fix up set_property methods
jsauthority: stop using JS_GetStringCharsZ
jsauthority: switch from JS_ConvertArguments to JS::CallArgsFromVp
jsauthority: re-enable JIT
Port JavaScript authority to mozjs52
Rui Matos (1):
polkitpermission: Fix a memory leak on authority changes
Sebastien Bacher (1):
Support polkit session agent running outside user session
Stef Walter (2):
polkitagent: Fix access after dereference on hashtable
polkitagent: No double warnings in polkit_agent_listener_register()
Sven Eden (1):
configure: enable elogind support in PolicyKit
Yuri Chornoivan (1):
Add Ukrainian translation
enkore (1):
Fix abnomal formatting of authentication header lines
muzena (1):
Add hr.po
Thanks to our contributors.
Colin Walters and Miloslav Trmač,
April 2, 2017
DEPRECATIONS/CHANGES:
- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
mount can now see information about that mount, such as its type and
options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
entities but these would not be able to be used successfully (even locally)
in replicated scenarios. We have now disallowed entities and groups from
being created for local mounts in the first place.
FEATURES:
- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
client IP seen by Vault. See the TCP listener configuration
page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
modifying only some values in existing data at a K/V path, but uses
check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
local to the cluster. This enables performance secondaries to generate and
consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
and migration between key and encryption types, such as from AES-CBC to
AES-GCM, can be performed at the same time (where supported).
IMPROVEMENTS:
- auth/approle: Support for cluster local secret IDs. This enables secondaries
to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
revoke associated tokens, but while the entity is disabled they cannot be
used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to to secrets in those engines)
BUG FIXES:
- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
mounts
- identity: Fix error preventing authentication using local mounts on
performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
api calls. This should fix needing "update" capabilites to read IAM
credentials in the AWS secrets engine
0.30.0:
- Various small typos (Windows builds, Fix SSL.Connection.__del__)
- The project is now Linux-distribution agnostic
- Replace all old-style classes with the new ones (it shouldn't cause
any problems, but feel free to file an issue, if it does)
- Do not by-pass a potential transfer decoding in m2urllib2
- Update M2Crypto.six with 1.11.0 and replace our local workarounds with
new functions.
- SSLv3 just removed.
- Don't support Python 2.6 on Windows anymore. Windows users don't have
python as a system package, so they are usually more likely to upgrade
anyway.
Upstream changes:
1.04 Fri Apr 20 16:25:30 MST 2018
- silenced compiler warnings from VS2017
-- ref. rt.cpan.org #124477
-- thanks to Sergey Aleynikov for diagnostics
- modified addfile to return error when given a directory name
-- makes behavior consistent with GNU coreutils shaXsum
-- thanks to Scott Baker for pointing this out
Revision 0.2.1, released 23-11-2017
- Allow ANY DEFINED BY objects expanding automatically if requested
- Imports PEP8'ed
Revision 0.1.5, released 10-10-2017
- OCSP response blob fixed in test
- Fixed wrong OCSP ResponderID components tagging
Revision 0.1.4, released 07-09-2017
- Typo fixed in the dependency spec
Revision 0.1.3, released 07-09-2017
- Apparently, pip>=1.5.6 is still widely used and it is not PEP440
compliant. Had to replace the `~=` version dependency spec with a
sequence of simple comparisons to remain compatible with the aging pip.
Revision 0.1.2, released 07-09-2017
- Pinned to pyasn1 ~0.3.4
Revision 0.1.1, released 27-08-2017
- Tests refactored into proper unit tests
- pem.readBase64fromText() convenience function added
- Pinned to pyasn1 0.3.3
Release 1.12.2:
Added support for using pathlib objects as paths in calls to SFTP methods, in addition to Unicode and byte strings. This is mainly intended for use in constructing local paths, but it can also be used for remote paths as long as POSIX-style pathlib objects are used and an appropriate path encoding is set to handle the conversion from Unicode to bytes.
Changed server EXT_INFO message to only be sent after the first SSH key exchange, to match the specification recently published in RFC 8308.
Fixed edge case in TCP connection forwarding where data received on a forward TCP connection was not delivered if the connection was closed or half-closed before the corresponding SSH tunnel was fully established.
Made note about OpenSSH not properly handling send_signal more visible.
3.6.1:
New features
Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
New parameter mac_len (length of MAC tag) for CMAC.
Resolved issues
In certain circumstances (at counter wrapping, which happens on average after 32 GBi) AES GCM produced wrong ciphertexts.
Method encrypt() of AES SIV cipher could be still called, whereas only encrypt_and_digest() should be allowed.
This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.
0.23.10 (devel)
* filter: Respect "write-protected" vendor-specific attribute in
PKCS#11 URI [PR#129]
* server: Improve shell integration and documentation [PR#107, PR#108]
* proxy: Reuse existing slot ID mapping in after fork() [PR#120]
* trust: Forcibly mark "Default Trust" read-only [PR#123]
* New function p11_kit_override_system_files() which can be used for
testing [PR#110]
* trust: Filter out duplicate extensions [PR#69]
* Update translations [PR#128]
* Bug fixes [PR#125, PR#126]
0.23.9 (devel)
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
0.23.8 (devel)
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
0.23.7 (devel)
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
0.23.6 (devel)
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
0.23.5 (devel)
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
0.23.4 (devel)
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
0.23.3 (devel)
* Install private executables in libexecdir [#98817]
* Fix link error of proxy module on macOS [#98022]
* Use new PKCS#11 URI specification for URIs [#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [#87192 ...]
0.23.2 (devel)
* Fix forking issues with libffi [#90289 ...]
* Updated translations
* Build fixes [#90827#89081#92434#92520#92445#92551#92843#92842#92807#93211 ...]
0.23.1 (devel)
* Use new PKCS#11 URI draft fields for URIs [#86474#87582]
* Add pem-directory-hash extract format
* Build fixes
- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
cryptography instead of the deprecated methods signer and
verifier.
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()
Bugfixes
Handle GSS_NO_OID_SET when creating sets
### Added
- Support for OpenResty was added to the Nginx plugin.
### Changed
- The timestamps in Certbot's logfiles now use the system's local time
zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
be able to create and delete multiple TXT records on a single
domain.
- certbot-dns-google's test suite now works without an internet
connection.
### Fixed
- Removed a small window that if during which an error occurred,
Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
`listen` directives when creating a new server block in the Nginx
plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
when it's not currently running on RHEL and Gentoo based systems.
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.
Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
Noteworthy changes in version 1.29:
* The yat2m tool is during cross-compile now also installed on the
host platform.
* New option parser and associated functions similar to the one used
by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse New.
gpgrt_usage New.
gpgrt_strusage New.
gpgrt_set_strusage New.
gpgrt_set_usage_outfnc New.
gpgrt_set_fixed_string_mapper New.
GPGRT_ENABLE_ARGPARSE_MACROS New macro.
gpgrt_b64enc_start New.
gpgrt_b64enc_write New.
gpgrt_b64enc_finish New.
SECURITY:
- Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
- Database plugin compatibility: The database plugin interface was enhanced to
support some additional functionality related to root credential rotation
and supporting templated URL strings. The changes were made in a
backwards-compatible way and all builtin plugins were updated with the new
features. Custom plugins not built into Vault will need to be upgraded to
support templated URL strings and root rotation. Additionally, the
Initialize method was deprecated in favor of a new Init method that supports
configuration modifications that occur in the plugin back to the primary
data store.
- Removal of returned secret information: For a long time Vault has returned
configuration given to various secret engines and auth methods with secret
values (such as secret API keys or passwords) still intact, and with a
warning to the user on write that anyone with read access could see the
secret. This was mostly done to make it easy for tools like Terraform to
judge whether state had drifted. However, it also feels quite un-Vault-y to
do this and we've never felt very comfortable doing so. In 0.10 we have gone
through and removed this behavior from the various backends; fields which
contained secret values are simply no longer returned on read. We are
working with the Terraform team to make changes to their provider to
accommodate this as best as possible, and users of other tools may have to
make adjustments, but in the end we felt that the ends did not justify the
means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
configured locally for policy assignment in a case insensitive fashion by
default. Existing configurations will continue to work as they do now;
however, the next time a configuration is written `case_sensitive_names`
will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
the core of Vault to ensure consistency across all backends. Since this was
previously delegated to individual backends, there may be some slight
differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
by default at initialization time (it will still be available in `dev`
mode).
FEATURES:
- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
features are only available with a supporting version of Vault, but the code
base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
`vault kv` subcommand allows friendly interactions with it. Existing mounts
of the `kv` backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
`-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
their own configured admin/root credentials, allowing configured credentials
for a database connection to be rotated immediately after sending them into
Vault, invalidating the old credentials and ensuring only Vault knows the
actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
allows authenticating Azure machines to Vault using Azure's Managed Service
Identity credentials. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
generating secrets to allow access to GCP. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
logs can be turned off for specific keys in the request input map and
response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
through to backends on a per-mount basis. This is useful in various cases
when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
- UI (Enterprise): View and edit Sentinel policies.
IMPROVEMENTS:
- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI
BUG FIXES:
- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
parent prefix entry in the underlying storage backend. These operations also
mark corresponding child tokens as orphans by removing the parent/secondary
index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
paths.
- cli: Fix an issue where generating a dr operation token would not output the
token
