The majority of these patches were inspired from FreeBSD's ports. FreeBSD,
along with at least Debian, have removed Kerberos4 due to secuity concerns.
From: http://web.mit.edu/kerberos/krb4-end-of-life.html :
"Serious protocol flaws[2] have been found in Kerberos 4. These flaws permit
attacks which require far less effort than an exhaustive search of the DES
key space. These flaws make Kerberos 4 cross-realm authentication an
unacceptable security risk and raise serious questions about the security of
the entire Kerberos 4 protocol.
The known insecurity of DES, combined with the recently discovered protocol
flaws, make it extremely inadvisable to rely on the security of version 4 of
the Kerberos protocol. These factors motivate the MIT Kerberos Team to remove
support for Kerberos version 4 from the MIT implementation of Kerberos."
This end-of-life announcement is dated 19 October 2006. I think it's a
good question to ask why this package and the packages that depend on it
are still in pkgsrc.
signing-party (1.1.4-1) unstable; urgency=low
.
[ Thijs Kinkhorst ]
* caff:
+ Correct path of ~/.caffrc in informational messages (Closes: #582603).
+ Be more verbose on unexpected key ID (Closes: #645792).
* gpg-key2ps:
+ Apply patch from Uwe Kleine-König to deal with latin1 characters
(Closes: #596377).
.
[ Franck Joncourt ]
* gpg-mailkeys:
+ Correct path of ~/.gpg-mailkeysrc and ~/.signature in manpage.
+ Add new environment variable SENDMAIL_ARGS to allow user to pass
arguments to sendmail (closes: #599409).
* caff:
+ Refactor import of own key and import for keys to sign from keyrings.
+ Also automatically import keys to sign from the user's normal gpg
keyrings.
+ Use --no-auto-check-trustdb when importing keys from files or
the user's normal gpg keyrings (closes: #539643).
.
[ Peter Palfrader ]
* caff:
+ manpage: Refer to all of /usr/share/doc/signing-party/caff/ and not
just to /usr/share/doc/signing-party/caff/caffrc.sample
(closes: #568052).
+ Fix horrible &function calls used because of broken prototypes.
+ Even if all keys to sign were found in the user's normal gpg
keyrings we still need to import them (again) from any keyrings
passed with --key-files - the keys there might be newer, containing
new subkeys (for encryption), uids (for signing) or revocations.
+ Make importing of keys to be signed from the normal gpg optional
(--keys-from-gnupg).
+ refactor copying of command line options into global config variable.
+ Create the mail files in ~/.caff/keys even if mail is not sent
(closes: #590666).
* 1.8.13, 2011-07-02
- A race in Algorithm_Factory that could cause crashes in multithreaded
code has been fixed.
* 1.8.12, 2011-06-20
- If EMSA3(Raw) was used for more than one signature, it would produce
incorrect output.
- Fix the --enable-debug option to configure.py
- Improve OS detection on Cygwin
- Fix compilation under Sun Studio 12 on Solaris
- Fix a memory leak in the constructors of DataSource_Stream and
DataSink_Stream which would occur if opening the file failed. PR 144
* 1.8.11, 2010-11-02
- Fix a number of CRL encoding and decoding bugs
- When building a debug library under VC++, use the debug runtime
- Fix compilation under Sun Studio on Linux and Solaris
- Add several functions for compatability with 1.9
- In the examples, read most input files as binary
- The Perl build script has been removed in this release
* 1.8.10, 2010-08-31
- Switch default PKCS #8 encryption algorithm from 3DES to AES-256
- Increase default hash iterations from 2048 to 10000 in PBES1 and
PBES2
- Use small tables in the first round of AES
- Add PBKDF typedef and get_pbkdf for better compatability with 1.9
- Add version of S2K::derive_key taking salt and iteration count
- Enable the /proc-walking entropy source on NetBSD
- Fix the doxygen makefile target
* 1.8.9, 2010-06-16
- Use constant time multiplication in IDEA
- Avoid possible timing attack against OAEP decoding
- Add new X509::BER_encode and PKCS8::BER_encode
- Enable DLL builds under Windows
- Add Win32 installer support
- Add support for the Clang compiler
- Fix problem in semcem.h preventing build under Clang or GCC 3.4
- Fix bug that prevented creation of DSA groups under 1024 bits
- Fix crash in GMP_Engine if library is shutdown and reinitialized
- Work around problem with recent binutils in x86-64 SHA-1
- The Perl build script is no longer supported and refuses to run by
default
* 1.8.8, 2009-11-03
- Alter Skein-512 to match the tweaked 1.2 specification
- Fix use of inline asm for access to x86 bswap function
- Allow building the library without AES enabled
- Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild
gss-extra.c fails compilation on DragonFly:
line 43: error: unexpected identifier or '(' before '&' token
It's on code that is only intended for a windows target. Gentoo patched
it by wrapping it in "if (defined _WIN32 || defined __WIN32__)" macro
which is effectively the same is deleting the definition completely,
which is what is being done here.
upstream Changelog:
2.4.1
=====
* Fix "error: Setup script exited with error: src/config.h: No such file or
directory" when installing via easy_install. (Sebastian Ramacher)
Bugfixes:
* Auditor: Handle ruby 1.9 differences in ods-kaspcheck.
* Auditor: Require dnsruby 1.53 for bugfixes.
* Bugfix #262: Drudgers seem to be in a waiting state, but the RRset
FIFO queue is full. Do an additional broadcast.
* Enforcer: Check HSM connection when waking up from sleep, attempt to
reconnect if it is not valid. (r5511 in trunk, ported into the branch
due to issues seen when CKR_DEVICE_ERROR returned by HSM.)
* libhsm: Added hsm_check_context() to check if the associated
sessions are still alive. (Required for the above.)
* ods-ksmutil: key import was not setting the retire time.
* Signer Engine: Fix a threading issue, that could leave a zone without a task.
* Signer Engine: Update the signed zone file if only the $TTL or
explicit TTL has been changed.
* Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover.
* Signer Engine: Deal with carriage returns (dos format) in zone file.
* Signer Engine: is PT0S means that refresh equals signtime.
* Signer Engine: Defense in depth in signer for duplicate keys.
* Signer Engine: Make sure that all required zonelist elements exist,
otherwise error.
* Signer Engine: Warn the user if the serial is b0rk, and you can not
use the serial from the signconf.
* Signer Engine: Log Auditor exit code.
* Fix a similar bug like #257: Error in ods-signerd, where a corrupted
backup file results in an invalid pointer free().
Changes from previous:
version 0.009; 2011-04-28
* in XS, use PERL_NO_GET_CONTEXT for efficiency
* in XS, declare "PROTOTYPES: DISABLE" to prevent automatic generation
of unintended prototypes
* jump through hoops to avoid compiler warnings
* use full stricture in test suite
* in Build.PL, complete declaration of configure-time requirements
* slightly reformat some Perl and C code to avoid exceeding 80 columns
* include META.json in distribution
* add MYMETA.json and MYMETA.yml to .cvsignore
Changes from previous:
1.06 2010.12.07
- Fixed an issue introduced in 1.05 on 32-bit systems in
Crypt::OpenPGP::Util::bigint2bin, where $base needed to be a
bigint. Thanks to Sam Crawley for the fix.
1.05 2010.12.06
- Removed Math::Pari as a dependency of Crypt::OpenPGP itself (it's
still a dependency of some of the backends, including Crypt::RSA).
Thanks to Sam Crawley for the patch.
- Skipped RIPEMD160 test on amd64 due to known bug in Crypt::RIPEMD160
(see rt19138 & rt53323). Thanks to Sam Crawley for the patch.
Changes from previous:
0.44 Mon May 2 21:36:13 EDT 2011
Bump Math::BigInt dependency to get the new 'try GMP' syntax.
0.43 Tue Mar 8 09:13:31 EST 2011
Stable release
Changelog:
Version 4.46, 2011.11.04, urgency: LOW:
* New features
- Added Unix socket support (e.g. "connect = /var/run/stunnel/socket").
- Added "verify = 4" mode to ignore CA chain and only verify peer certificate.
- Removed the limit of 16 IP addresses for a single 'connect' option.
- Removed the limit of 256 stunnel.conf sections in PTHREAD threading model.
It is still not possible have more than 63 sections on WIN32 platform.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
* Optimizations
- Reduced per-connection memory usage.
- Performed a major refactoring of internal data structures. Extensive
internal testing was performed, but some regression bugs are expected.
* Bugfixes
- Fixed WIN32 compilation with Mingw32.
- Fixed non-blocking API emulation layer in UCONTEXT threading model.
- Fixed signal handling in UCONTEXT threading model.
Changes from previous:
0.52 May 9, 2011
- release as stable
- skip bad passwd test when IO::Pty is not available
0.51_12 May 2, 2011
- require version 2 of the SSH protocol (bug report by Jo
Rhett)
- remove harmless "my $foo = ... if ..." bug
0.51_11 Apr 24, 2011
- encoding handling in sftp method was broken (bug report and
solution by Todd Rinaldo)
- sftp method was broken (regression)
- better support for sharing SSH connections with children
- more tests
- add sample for usage with Net::Telnet
- bad sample in documentation corrected
0.51_10 Mar 29, 2011
- error status was not reset between calls (regression)
- remove internal line numbers from error messages
- encoding errors were not propageted in pipe_in and pipe_out
methods
- minor debuging cleanup
- better messages on bad encoding errors
0.51_09 Mar 29, 2011
- add support for passphrase protected keys
- add support for passing the private key path as an explicit
constructor option
- bug solved on password handling
- bug solved in _fileno_dup_over
- remove redundant _check_master_and_clear_error
- more tests
- some doc improvements
0.51_08 Mar 28, 2011
- pipe_in and pipe_out were not correctly setting error status
on failure
- support argument_encoding in pipe_in and pipe_out
- document how to set StrictHostKeyChecking=no
- replace @error_prefix arguments by a localized stack
- use _load_module for Encode loading
- remove no-encoding hack on _master_ctl
0.51_07 Mar 22, 2011
- add encoding support
- undef $SIG{CHLD} inside blocking methods
0.51_06 Mar 16, 2011
- make hostname argument to constructor optional when
external_master is set
- better error handling in constructor
- s/reuse_master/external_master/. I never were happy with the
old option name.
- some minor doc corrections
0.51_05 Mar 15, 2011
- implement reuse_master feature
- do not propagate extra arguments from wait_for_master to
_wait_for_master
- accept ssh_opts in make_remote_command
0.51_04 Mar 10, 2011
- solve "Not enough arguments for grep" bug (reported by Tom
Wittbrodt)
- some documentation improvements
0.51_03 Mar 9, 2011
- error message corrected
- troubleshooting guide improved
- add pointer to OpenSSH Wikibook
- add autosudo.pl sample
- implement stdintout_dpipe_is_parent feature
0.51_02 Feb 10, 2011
- add support for test method
- add support for dpipe feature
- simplify _wait_for_master code
- remove spurious warnings generated when control command
failed to run (bug report by jaiieq from Perlmonks)
- timeout at object level where being ignored by _waitpid
- document how to run detached remote processes
0.51_01 Feb 1, 2011
- add support for kill_ssh_on_timeout feature and better
timeout handling
- set ssh option ServerAliveInterval
- system could return -1 on error instead of false
- add change_password.pl sample
- some tests were failing when using csh as the remote shell
(bug report by Scott Davis)
2.4
===
* Python 3 support! (Thorsten E. Behrens, Anders Sundman)
PyCrypto now supports every version of Python from 2.1 through 3.2.
* Timing-attack countermeasures in _fastmath: When built against
libgmp version 5 or later, we use mpz_powm_sec instead of mpz_powm.
This should prevent the timing attack described by Geremy Condra at
PyCon 2011:
http://blip.tv/pycon-us-videos-2009-2010-2011/pycon-2011-through-the-side-channel-timing-and-implementation-attacks-in-python-4897955
* New hash modules (for Python >= 2.5 only): SHA224, SHA384, and
SHA512 (Frédéric Bertolus)
* Configuration using GNU autoconf. This should help fix a bunch of
build issues.
* Support using MPIR as an alternative to GMP.
* Improve the test command in setup.py, by allowing tests to be
performed on a single sub-package or module only. (Legrandin)
You can now do something like this:
python setup.py test -m Hash.SHA256 --skip-slow-tests
* Fix double-decref of "counter" when Cipher object initialisation
fails (Ryan Kelly)
* Apply patches from Debian's python-crypto 2.3-3 package (Jan
Dittberner, Sebastian Ramacher):
- fix-RSA-generate-exception.patch
- epydoc-exclude-introspect.patch
- no-usr-local.patch
* Fix launchpad bug #702835: "Import key code is not compatible with
GMP library" (Legrandin)
* More tests, better documentation, various bugfixes.
