The new code that unlimits many resources appears to have been problematic
on a number of fronts. Fetched the current version of src/limits.c from
the sudo hg repo. RLIMIT_STACK (i.e. "3") is no longer set to RLIM_INFINITY.
Added code to output the name of the limit instead of its number.
Major changes between version 1.8.29 and 1.8.28p1:
The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.
The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.
The umask is now handled differently on systems with PAM or login.conf. If the umask is explicitly set in sudoers, that value is used regardless of what PAM or login.conf may specify. However, if the umask is not explicitly set in sudoers, PAM or login.conf may now override the default sudoers umask.
For make install, the sudoers file is no longer checked for syntax errors when DESTDIR is set. The default sudoers file includes the contents of /etc/sudoers.d which may not be readable as non-root.
Sudo now sets most resource limits to their maximum value to avoid problems caused by insufficient resources, such as an inability to allocate memory or open files and pipes.
Fixed a regression introduced in sudo 1.8.28 where sudo would refuse to run if the parent process was not associated with a session. This was due to sudo passing a session ID of -1 to the plugin.
1.8.2:
Bug Fixes
revert "feat: send quota project id in x-goog-user-project header for OAuth2 credentials"
1.8.1:
Bug Fixes
revert "feat: add timeout to AuthorizedSession.request()
1.8.0:
Features
add to_json method to google.oauth2.credentials.Credentials
add timeout to AuthorizedSession.request()
send quota project id in x-goog-user-project header for OAuth2 credentials
Certbot 1.0.0
Removed:
* The docs extras for the certbot-apache and certbot-nginx packages
have been removed.
Changed:
* certbot-auto has deprecated support for systems using OpenSSL 1.0.1 that are
not running on x86-64. This primarily affects RHEL 6 based systems.
* Certbot's config_changes subcommand has been removed
* certbot.plugins.common.TLSSNI01 has been removed.
* Deprecated attributes related to the TLS-SNI-01 challenge in
acme.challenges and acme.standalone
have been removed.
* The functions certbot.client.view_config_changes,
certbot.main.config_changes,
certbot.plugins.common.Installer.view_config_changes,
certbot.reverter.Reverter.view_config_changes, and
certbot.util.get_systemd_os_info have been removed
* Certbot's register --update-registration subcommand has been removed
* When possible, default to automatically configuring the webserver so all requests
redirect to secure HTTPS access. This is mostly relevant when running Certbot
in non-interactive mode. Previously, the default was to not redirect all requests.
Coordinated with leot@ and he@ while investigating CVE-2019-19648.
The changes listed for this version include:
* Duplicated string modifiers are now an error.
* More flexible xor modifier.
* Implement private strings (#1096)
* Add field_offsets to dotnet module.
* Implement crc32 functions in hash module.
* Improvements to rich_signature functions in pe module.
* Implement sandboxed API using SAPI
* BUGFIX: Some regexp character classes not matching correctly when used with nocase modifier (#1117)
* BUGFIX: Reduce the number of ERROR_TOO_MANY_RE_FIBERS errors for certain hex pattern containing large jumps (#1107)
* BUGFIX: Buffer overrun in dotnet module (#1108)
* BUGFIX: Segfault in certain Windows versions (#1068)
* BUGFIX: Memory leak while attaching to a process fails (#1070)
Changes for version 3.10.0:
* Optimize integer range loops by exiting earlier when possible.
* Cache the result of PE module's imphash function in order to improve performance.
* Harden virtual machine against malicious code.
* BUGFIX: xor modifier not working as expected if not accompanied by ascii (#1053).
* BUGFIX: \s and \S character classes in regular expressions now include vertical tab, new line, carriage return and form feed characters.
* BUGFIX: Regression bug in hex strings containing wildcards (#1025).
* BUGFIX: Buffer overrun in elf module.
* BUGFIX: Buffer overrun in dotnet module
Changes for version 3.9.0:
* Improve scan performance for certain strings.
* Reduce stack usage.
* Prevent inadvertent use of compiled rules by forcing the use of -C when using yara command-line tool.
* BUGFIX: Buffer overflow in "dotnet" module.
* BUGFIX: Internal error when running multiple instances of YARA in Mac OS X. (#945)
* BUGFIX: Regexp regression when using nested quantifiers {x,y} for certain values of x and y. (#1018)
* BUGFIX: High RAM consumption in "pe" module while parsing certain files.(0c8b461)
* BUGFIX: Denial of service when using "dex" module. Found by the Cisco Talos team. (#1023)
* BUGFIX: Issues with comments inside hex strings.
Changes for version 3.8.1:
* BUGFIX: Some combinations of boolean command-line flags were broken in version 3.8.0.
* BUGFIX: While reporting errors that occur at the end of the file, the file name appeared as null.
* BUGFIX: dex module now works in big-endian architectures.
* BUGFIX: Keep ABI compatibility by keeping deprecated functions visible.
Changes for version 3.8.0:
* Scanner API
* New xor modifier for strings
* New fields and functions in PE module.
* Add functions min and max to math module.
* Make compiled.
* yara and yaracsupport reading rules from stdin by using - as the file name.
* Rule compilation is faster.
* BUGFIX: Regression in regex engine. /ba{3}b/ was matching baaaab.
* BUGFIX: Function yr_compiler_add_fd() was reading only the first 1024 bytes of the file.
* BUGFIX: Wrong calculation of sha256 hashes in Windows when using native crypto API.
* Lots of more bug fixes.
Changes for version 3.7.1:
* Fix regression in include directive (issue #796)
* Fix bug in PE checksum calculation causing wrong results in some cases.
2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.
2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.
Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.
[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.
Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.
[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
Changelog since 0.7.0
2019-01-05 - Version 0.9.2
* Fixu Windows build issues, thanks Luka Logar.
* Use pin-cache configuration, thanks Luka Logar.
* Support openssl-1.1, thanks Thorsten Alteholz, W. Michael Petullo.
2017-09-26 - Version 0.9.1
* Support unix domain socket credentials on FreeBSD.
* Introduce GNUPG_PKCS11_SOCKETDIR to instruct where sockets are created.
* Make proxy systemd service work again per change of systemd behavior.
2017-08-25 - Version 0.9.0
* Avoid dup of stdin/stdout so that the terminate assuan hack operational
again.
* Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
provider.
* Lots of cleanups.
2017-07-15 - Version 0.8.0
* Support multiple tokens via serial numbers by hashing token id into
serial number.
Implementation changes the card serial number yet again, executing
gpg --card-status should resync.
2017-04-18 - Version 0.7.6
* Add --homedir parameter.
* Rework serial responses for gnupg-2.1.19.
2017-03-01 - Version 0.7.5
* Fix issue with decrypting padded data, thanks to smunaut.
* Catchup with gnupg-2.1 changes which caused inability to support
both gpg and gpgsm. Implementation had to change card serial
number, as a result current keys of gpg will look for the
previous serial card.
emulate-openpgpg option is obsoleted and removed.
ACTION REQUIRED
in order to assign new card serial number to existing keys.
backup your ~/.gnupg.
delete all PKCS#11 secret keys using:
gpg --delete-secret-keys $KEY then
Then refresh keys using:
gpg --card-edit
In <gnupg-2.1.19 the keys should be re-generated using:
admin
generate
Do not replace keys!
gpg will learn the private keys of the new card and attach to
the existing public keys.
* Support gnupg-2.1 features of using existing keys, keys
should not be explicitly specified in configuration file
any more.
2017-01-18 - Version 0.7.4
* Fix gpg change in serialno attribute.
* Sync with gnupg-2.1, thanks to Moritz Bechler.
2011-07-30 -- Version 0.7.3
* Use assuan_sock_init, bug#3382372.
2011-04-09 -- Version 0.7.2
* Some cleanups, thanks to Timo Schulz.
* Sync hashing algorithms for OpenPGP.
2011-03-16 -- Version 0.7.1
* Sync with gnupg-2.0.17.
Noteworthy changes in version 2.2.19:
* gpg: Fix double free when decrypting for hidden recipients.
Regression in 2.2.18.
* gpg: Use auto-key-locate for encryption even for mail addressed
given with angle brackets.
* gpgsm: Add special case for certain expired intermediate
certificates.
Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?
These changes from apply:
* Version 3.6.11 (released 2019-12-01)
** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
This syscall provides an endless stream of random numbers from the kernel's
ChaCha20-based random number generator, without blocking or requiring an open file
descriptor.
** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
during resumption (#841).
** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
the empty string. This is a behavioral change of the API but it conforms
to the RFC4648 expectations (#834).
** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
the block size. Fix backported from nettle.
** certtool: CRL distribution points will be set in CA certificates even when
non self-signed (#765).
** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
Key material can be set via the --rawpkkeyfile and --rawpkfile flags.
** API and ABI modifications:
No changes since last version.
ftp.cyrusimap.org has been down for months. Asked about this on the
cyrus-info mailinglist months ago with no responses. So lets drop it from
MASTER_SITES.
The directory old on the ftp is also available in the http download so I
added that to MASTER_SITES as well.
Update clamav to 0.102.1.
## 0.102.1
ClamAV 0.102.1 is a security patch release to address the following issues.
- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
- [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
crafted email file as a result of excessively long scan times. The issue is
resolved by implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation.
- Build system fixes to build clamav-milter, to correctly link with libxml2 when
detected, and to correctly detect fanotify for on-access scanning feature
support.
- Signature load time is significantly reduced by changing to a more efficient
algorithm for loading signature patterns and allocating the AC trie.
Patch courtesy of Alberto Wu.
- Introduced a new configure option to statically link libjson-c with libclamav.
Static linking with libjson is highly recommended to prevent crashes in
applications that use libclamav alongside another JSON parsing library.
- Null-dereference fix in email parser when using the `--gen-json` metadata
option.
- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.
Special thanks to the following for code contributions and bug reports:
- Alberto Wu
- Joran Dirk Greef
- Reio Remma
Release 2.1.0:
Added support in the SSHProcess redirect mechanism to accept asyncio StreamReader and StreamWriter objects, allowing asyncio streams to be plugged in as stdin/stdout/stderr in an SSHProcess.
Added support for key handlers in the AsyncSSH line editor to trigger signals being delivered when certain “hot keys” are hit while reading input.
Improved cleanup of unreturned connection objects when an error occurs or the connection request is canceled or times out.
Improved cleanup of SSH agent client objects to avoid triggering a false positive warning in Python 3.8.
Added an example to the documentation for how to create reverse-direction SSH client and server connections.
Made check of session objects against None explicit to avoid confusion on user-defined sessions that implement __len__ or __bool__.
Release 2.0.1:
Some API changes which should have been included in the 2.0.0 release were missed. This release corrects that, but means that additional changes may be needed in applications moving to 2.0.1. This should hopefully be the last of such changes, but if any other issues are discovered, additional changes will be limited to 2.0.x patch releases and the API will stabilize again in the AsyncSSH 2.1 release. See the next bullet for details about the additional incompatible change.
To be consistent with other connect and listen functions, all methods on SSHClientConnection which previously returned None on listen failures have been changed to raise an exception instead. A new ChannelListenError exception will now be raised when an SSH server returns failure on a request to open a remote listener. This change affects the following SSHClientConnection methods: create_server, create_unix_server, start_server, start_unix_server, forward_remote_port, and forward_remote_path.
Restored the ability for SSHListener objects to be used as async context managers. This previously worked in AsyncSSH 1.x and was unintentionally broken in AsyncSSH 2.0.0.
Added support for a number of additional functions to be called from within an “async with” statement. These functions already returned objects capable of being async context managers, but were not decorated to allow them to be directly called from within “async with”. This change applies to the top level functions create_server, listen, and listen_reverse and the SSHClientConnection methods create_server, create_unix_server, start_server, start_unix_server, forward_local_port, forward_local_path, forward_remote_port, forward_remote_path, listen_ssh, and listen_reverse_ssh,
Fixed a couple of issues in loading OpenSSH-format certificates which were missing a trailing newline.
Changed load_certificates() to allow multiple certificates to be loaded from a single byte string argument, making it more consistent with how load_certificates() works when reading from a file.
Release 2.0.0:
NEW MAJOR VERSION: See below for potentially incompatible changes.
Updated AsyncSSH to use the modern async/await syntax internally, now requiring Python 3.6 or later. Those wishing to use AsyncSSH on Python 3.4 or 3.5 should stick to the AsyncSSH 1.x releases.
Changed first argument of SFTPServer constructor from an SSHServerConnection (conn) to an SSHServerChannel (chan) to allow custom SFTP server implementations to access environment variables set on the channel that SFTP is run over. Applications which subclass the SFTPServer class and implement an __init__ method will need to be updated to account for this change and pass the new argument through to the SFTPServer parent class. If the subclass has no __init__ and just uses the connection, channel, and env properties of SFTPServer to access this information, no changes should be required.
Removed deprecated “session_encoding” and “session_errors” arguments from create_server() and listen() functions. These arguments were renamed to “encoding” and “errors” back in version 1.16.0 to be consistent with other AsyncSSH APIs.
Removed get_environment(), get_command(), and get_subsystem() methods on SSHServerProcess class. This information was made available as “env”, “command”, and “subsystem” properties of SSHServerProcess in AsyncSSH 1.11.0.
Removed optional loop argument from all public AsyncSSH APIs, consistent with the deprecation of this argument in the asyncio package in Python 3.8. Calls will now always use the event loop which is active at the time of the call.
Removed support for non-async context managers on AsyncSSH connections and processes and SFTP client connections and file objects. Callers should use “async with” to invoke the async the context managers on these objects.
Added support for SSHAgentClient being an async context manager. To be consistent with other connect calls, connect_agent() will now raise an exception when no agent is found or a connection failure occurs, rather than logging a warning and returning None. Callers should catch OSError or ChannelOpenError exceptions rather than looking for a return value of None when calling this function.
Added set_input() and clear_input() methods on SSHLineEditorChannel to change the value of the current input line when line editing is enabled.
Added is_closing() method to the SSHChannel, SSHProcess, SSHWriter, and SSHSubprocessTransport classes. mirroring the asyncio BaseTransport and StreamWriter methods added in Python 3.7.
Added wait_closed() async method to the SSHWriter class, mirroring the asyncio StreamWriter method added in Python 3.7.
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
- Various text files converted to Markdown format.
* Bugfixes
- Support for realpath(3) implementations incompatible
with POSIX.1-2008, such as 4.4BSD or Solaris.
- Support for engines without PRNG seeding methods (thx to
Petr Mikhalitsyn).
- Retry unsuccessful port binding on configuration
file reload.
- Thread safety fixes in SSL_SESSION object handling.
- Terminate clients on exit in the FORK threading model.
Changelog:
Noteworthy changes in version 2.2.18 (2019-11-25)
-------------------------------------------------
* gpg: Changed the way keys are detected on a smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signature
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signature created with dsa1024 keys. The new
option --allow-weak-key-signatues can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deletring a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key sigantures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during in key listsing even with
option --verbose. [#4627]
* gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652]
* gpgsm: Support AES-256 keys.
* gpgsm: Fix a bug in triggering a keybox compression run if
--faked-system-time is used.
* dirmngr: System CA certificates are no longer used for the SKS
pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
* dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
to avoid long timeouts. [#4165]
* scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
Shield and Trustica Cryptoucan work. [#4654,#4566]
* wkd: gpg-wks-client --install-key now installs the required policy
file.
Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Document issue with installation paths in diverse Windows builds
'/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
binaries and run-time config file.
(CVE-2019-1552)
[Richard Levitte]
Use github distfile because pypi one is missing.
Revision 0.2.8, released 16-11-2019
-----------------------------------
- Improve test routines for modules that use certificate extensions
- Improve test for RFC3709 with a real world certificate
- Added RFC7633 providing TLS Features Certificate Extension
- Added RFC7229 providing OIDs for Test Certificate Policies
- Added tests for RFC3280, RFC3281, RFC3852, and RFC4211
- Added RFC6960 providing Online Certificate Status Protocol (OCSP)
- Added RFC6955 providing Diffie-Hellman Proof-of-Possession Algorithms
- Updated the handling of maps for use with openType for RFC 3279
- Added RFC6486 providing RPKI Manifests
- Added RFC6487 providing Profile for X.509 PKIX Resource Certificates
- Added RFC6170 providing Certificate Image in the Internet X.509 Public
Key Infrastructure, and import the object identifier into RFC3709.
- Added RFC6187 providing Certificates for Secure Shell Authentication
- Added RFC6482 providing RPKI Route Origin Authorizations (ROAs)
- Added RFC6664 providing S/MIME Capabilities for Public Keys
- Added RFC6120 providing Extensible Messaging and Presence Protocol
names in certificates
- Added RFC4985 providing Subject Alternative Name for expression of
service names in certificates
- Added RFC5924 providing Extended Key Usage for Session Initiation
Protocol (SIP) in X.509 certificates
- Added RFC5916 providing Device Owner Attribute
- Added RFC7508 providing Securing Header Fields with S/MIME
- Update RFC8226 to use ComponentPresentConstraint() instead of the
previous work around
- Add RFC2631 providing OtherInfo for Diffie-Hellman Key Agreement
- Add RFC3114 providing test values for the S/MIME Security Label
- Add RFC5755 providing Attribute Certificate Profile for Authorization
- Add RFC5913 providing Clearance Attribute and Authority Clearance
Constraints Certificate Extension
- Add RFC5917 providing Clearance Sponsor Attribute
- Add RFC4043 providing Internet X.509 PKI Permanent Identifier
- Add RFC7585 providing Network Access Identifier (NAI) Realm Name
for Certificates
- Update RFC3770 to support openType for attributes and reported errata
- Add RFC4334 providing Certificate Extensions and Attributes for
Authentication in PPP and Wireless LAN Networks
3.9.4:
Resolved issues
* Prevent ``key_to_english`` from creating invalid data when fed with
keys of length not multiple of 8.
* Fix blocking RSA signing/decryption when key has very small factor.
1.7.2:
This release rolls up assorted bug & compatibility fixes since 1.7.1.
New Features
* .. py:currentmodule:: passlib.hash
:class:`argon2`: Now supports Argon2 "ID" and "D" hashes (assuming new enough backend library).
Now defaults to "ID" hashes instead of "I" hashes, but this can be overridden via ``type`` keyword.
* .. py:currentmodule:: passlib.hash
:class:`scrypt`: Now uses python 3.6 stdlib's :func:`hashlib.scrypt` as backend,
if present
Revision 0.4.8:
- Added ability of combining `SingleValueConstraint` and
`PermittedAlphabetConstraint` objects into one for proper modeling
`FROM ... EXCEPT ...` ASN.1 clause.
19.1.0:
Backward-incompatible changes:
- Removed deprecated ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases.
Use the classes without the Type suffix instead.
- The minimum cryptography version is now 2.8 due to issues on macOS with a transitive dependency.
Deprecations:
- Deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.
ALPN should be used instead.
Changes:
- Support bytearray in SSL.Connection.send() by using cffi's from_buffer.
- The OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value
to allow a TLS handshake to complete without an application protocol.
0.40.1:
Changed
Added back support for Python 3.4 to Certbot components and certbot-auto due to a bug when requiring Python 2.7 or 3.5+ on RHEL 6 based systems.
More details about these changes can be found on our GitHub repo.
0.40.0:
Changed
We deprecated support for Python 3.4 in Certbot and its ACME library. Support for Python 3.4 will be removed in the next major release of Certbot. certbot-auto users on RHEL 6 based systems will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
--server may now be combined with --dry-run. Certbot will, as before, use the staging server instead of the live server when --dry-run is used.
--dry-run now requests fresh authorizations every time, fixing the issue where it was prone to falsely reporting success.
Updated certbot-dns-google to depend on newer versions of google-api-python-client and oauth2client.
The OS detection logic again uses distro library for Linux OSes
certbot.plugins.common.TLSSNI01 has been deprecated and will be removed in a future release.
CLI flags --tls-sni-01-port and --tls-sni-01-address have been removed.
The values tls-sni and tls-sni-01 for the --preferred-challenges flag are no longer accepted.
Removed the flags: --agree-dev-preview, --dialog, and --apache-init-script
acme.standalone.BaseRequestHandlerWithLogging and acme.standalone.simple_tls_sni_01_server have been deprecated and will be removed in a future release of the library.
certbot-dns-rfc2136 now use TCP to query SOA records.
Fixed
More details about these changes can be found on our GitHub repo.
