2.059 2018/08/15
- fix memleak when CRL are used.
Thanks to Franz Skale for report and patch
https://rt.cpan.org/Ticket/Display.html?id=125867
- fix memleak when using stop_SSL and threads, reported by Paul Evans
https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132
2.058 2018/07/19
- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
2.057 2018/07/18
- fix memory leak which occured with explicit stop_SSL in connection with
non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867
Thanks to Paul Evans for reporting
- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting number
or callback to create serial number based on the original certificate
- new function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct value
Sudo 1.8.24
* The LDAP and SSS back-ends now use the same rule evaluation code
as the sudoers file backend. This builds on the work in sudo
1.8.23 where the formatting functions for "sudo -l" output were
shared. The handling of negated commands in SSS and LDAP is
unchanged.
* Fixed a regression introduced in 1.8.23 where "sudo -i" could
not be used in conjunction with --preserve-env=VARIABLE.
* cvtsudoers can now parse base64-encoded attributes in LDIF files.
* Random insults are now more random.
* Fixed the noexec wordexp(3) test on FreeBSD.
* Added SUDO_CONV_PREFER_TTY flag for conversation function to
tell sudo to try writing to /dev/tty first. Can be used in
conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.
* Sudo now supports an arbitrary number of groups per user on
Solaris. Previously, only the first 64 groups were found.
This should remove the need to set "max_groups" in sudo.conf.
* Fixed typos in the OpenLDAP sudo schema.
* Fixed a race condition when building with parallel make.
* Fixed a duplicate free when netgroup_base in ldap.conf is set
to an invalid value.
* Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent
local users and groups from being resolved properly on systems
that have users stored in NIS, LDAP or AD.
* Added a workaround for an AIX bug exposed by a change in sudo
1.8.23 that prevents the terminal mode from being restored when
I/O logging is enabled.
* On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD
and PAM_AUTHTOK_EXPIRED errors from PAM account management if
authentication is disabled for the user. This fixes a regression
introduced in sudo 1.8.23.
* Fixed an ambiguity in the sudoers manual in the description and
definition of User, Runas, Host, and Cmnd Aliases.
* Fixed a bug that resulted in only the first window size change
event being logged.
* Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that
caused sudo to prompt for a password every time when tty-based
time stamp files were in use.
* Fixed a compilation problem on systems that define O_PATH or
O_SEARCH in fnctl.h but do not define O_DIRECTORY.
0.23.13 (stable)
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread on glibc systems [PR#177]
* Build fixes [PR#170, PR#176]
This is polkit 0.115.
Highlights:
Fixes CVE-2018-1116, a local information disclosure and denial of service
caused by trusting client-submitted UIDs when referencing processes.
Thanks to Matthias Gerstner of the SUSE security team for reporting
this issue.
Changes since polkit 0.114:
Miloslav Trmač (1):
Fix CVE-2018-1116: Trusting client-supplied UID
Ray Strode (3):
Post-release version bump to 0.115
jsauthority: pass "%s" format string to remaining report function
NEWS: fix date from 2017 to 2018 for 0.114 entry
* Version 3.6.3 (released 2018-07-16)
** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
negotiation, post handshake authentication, length hiding, multiple OCSP support,
consistent ciphersuite support across protocols, hello retry requests, ability
to adjust key shares via gnutls_init() flags, certificate authorities extension,
and key usage limits. TLS1.3 draft-28 support can be enabled by default if
the option --enable-tls13-support is given to configure script.
** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings
TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority
strings, then TLS 1.3 negotiation will be disabled if the session is associated
only with an anonymous credentials structure.
** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12,
and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357),
and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).
** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
priority strings, as they are undefined under TLS1.3 and they provide not advantage
over other options in earlier protocols.
** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled
by specifying --enable-ssl3-support on configure script.
** libgnutls: Introduced function to switch the current FIPS140-2 operational
mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
operations.
** libgnutls: Introduced low-level function to assist applications attempting client
hello extension parsing, prior to GnuTLS' parsing of the message.
** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
modifications to the certificate. That prevents DER re-encoding issues with incorrectly
encoded certificates, or other DER incompatibilities to affect a TLS session.
Relates with #403
** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
which are preferred by the server. That unfortunately has complicated semantics
as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering,
which could make group order unpredictable if TLS1.3 is negotiated.
** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
and Adi Shamir reported that the existing counter-measures had certain issues and
were insufficient when the attacker has additional access to the CPU cache and
performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]
** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
change for these functions which make them err towards safety.
** libgnutls: improved aarch64 cpu features detection by using getauxval().
** certtool: It is now possible to specify certificate and serial CRL numbers greater
than 2**63-2 as a hex-encoded string both when prompted and in a template file.
Default certificate serial numbers are now fully random. Default CRL
numbers include more random bits and are larger than in previous GnuTLS versions.
Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually
if you intend to later downgrade to previous versions as it was not possible
to specify large CRL numbers in previous versions of certtool.
Sudo 1.8.23
* PAM account management modules and BSD auto approval modules are
now run even when no password is required.
* For kernel-based time stamps, if no terminal is present, fall
back to parent-pid style time stamps.
* The new cvtsudoers utility replaces both the "sudoers2ldif" script
and the "visudo -x" functionality. It can read a file in either
sudoers or LDIF format and produce JSON, LDIF or sudoers output.
It is also possible to filter the generated output file by user,
group or host name.
* The file, ldap and sss sudoers backends now share a common set
of formatting functions for "sudo -l" output, which is also used
by the cvtsudoers utility.
* The /run directory is now used in preference to /var/run if it
exists.
* More accurate descriptions of the --with-rundir and --with-vardir
configure options.
* The setpassent() and setgroupent() functions are now used on systems
that support them to keep the passwd and group database open.
Sudo performs a lot of passwd and group lookups so it can be
beneficial to avoid opening and closing the files each time.
* The new case_insensitive_user and case_insensitive_group sudoers
options can be used to control whether sudo does case-sensitive
matching of users and groups in sudoers. Case insensitive
matching is now the default.
* Fixed a bug on some systems where sudo could hang on command
exit when I/O logging was enabled.
* Fixed the build-time process start time test on Linux when the
test is run from within a container.
* When determining which temporary directory to use, sudoedit now
checks the directory for writability before using it. Previously,
sudoedit only performed an existence check.
* Sudo now includes an optional set of Monty Python-inspired insults.
* Fixed the execution of scripts with an associated digest (checksum)
in sudoers on FreeBSD systems. FreeBSD does not have a proper
/dev/fd directory mounted by default and its fexecve(2) is not
fully POSIX compliant when executing scripts.
* Chinese (Taiwan) translation for sudo from translationproject.org.
3.6.5:
Fixed incorrect AES encryption/decryption with AES acceleration on x86 due to gcc’s optimization and strict aliasing rules.
More prime number candidates than necessary where discarded as composite due to the limited way D values were searched in the Lucas test.
Fixed ResouceWarnings and DeprecationWarnings.
Workaround for Python 3.7.0 bug on Windows
Discussed with and thanks to <imil>!
Changes:
1.7.3
-----
Pass 1.7.3 has been released with a few small bug fixes, including one
regression involving storing binary data in pass from 1.7.2.
Revision 0.4.4:
- Fixed native encoder type map to include all ASN.1 types
rather than just ambiguous ones
- Fixed crash in .prettyPrint of Sequence and Set occurring
at OPTIONAL components
* Security bugfixes
- Fixed requesting client certificate when specified
as a global option.
* New features
- Certificate subject checks modified to accept certificates
if at least one of the specified checks matches.
Each R package should include ../../math/R/Makefile.extension, which also
defines MASTER_SITES. Consequently, it is redundant for the individual
packages to do the same. Package-specific definitions also prevent
redefining MASTER_SITES in a single common place.
1.13.3:
Added support for setting the Unicode error handling strategy in conjunction with setting an encoding when creating new SSH sessions, streams, and processes. This strategy can also be set when specifying a session encoding in create_server(), and when providing an encoding in the get_comment() and set_comment() functions on private/public keys and certificates.
Changed handling of Unicode in channels to use incrmeental codec, similar to what was previously done in process redirection.
Added Python 3.7 to the list of classifiers in setup.py, now that it has been released.
Updated Travis CI configuration to add Python 3.7 builds, and moved Linux builds on never versions of Python up to xenial.
Added missing coroutine decorator in test_channel.
2.3:
SECURITY ISSUE: :meth:~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the :class:~cryptography.hazmat.primitives.ciphers.modes.GCM constructor. CVE-2018-10903
Added support for Python 3.7.
Added :meth:~cryptography.fernet.Fernet.extract_timestamp to get the authenticated timestamp of a :doc:Fernet </fernet> token.
Support for Python 2.7.x without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next cryptography release.
Fixed multiple issues preventing cryptography from compiling against LibreSSL 2.7.x.
Added :class:~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number for quick serial number searches in CRLs.
The :class:~cryptography.x509.RelativeDistinguishedName class now preserves the order of attributes. Duplicate attributes now raise an error instead of silently discarding duplicates.
:func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap and :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding now raise :class:~cryptography.hazmat.primitives.keywrap.InvalidUnwrap if the wrapped key is an invalid length, instead of ValueError.
### Added
- A new security enhancement which we're calling AutoHSTS has been
added to Certbot's Apache plugin. This enhancement configures your
webserver to send a HTTP Strict Transport Security header with a low
max-age value that is slowly increased over time. The max-age value is
not increased to a large value until you've successfully managed to
renew your certificate. This enhancement can be requested with the
--auto-hsts flag.
- New official DNS plugins have been created for Gehirn Infrastracture
Service, Linode, OVH, and Sakura Cloud. These plugins can be found
on our Docker Hub page at https://hub.docker.com/u/certbot and on
PyPI.
- The ability to reuse ACME accounts from Let's Encrypt's ACMEv1
endpoint on Let's Encrypt's ACMEv2 endpoint has been added.
- Certbot and its components now support Python 3.7.
- Certbot's install subcommand now allows you to interactively choose
which certificate to install from the list of certificates managed
by Certbot.
- Certbot now accepts the flag `--no-autorenew` which causes any
obtained certificates to not be automatically renewed when it
approaches expiration.
- Support for parsing the TLS-ALPN-01 challenge has been added back to
the acme library.
### Changed
- Certbot's default ACME server has been changed to Let's Encrypt's
ACMEv2 endpoint. By default, this server will now be used for both
new certificate lineages and renewals.
- The Nginx plugin is no longer marked labeled as an "Alpha" version.
- The `prepare` method of Certbot's plugins is no longer called before
running "Updater" enhancements that are run on every invocation of
`certbot renew`.
version 1.32:
* Fixes a problem with gpgrt_fflush and gpgrt_fopencookie.
* Fixes a problem with the C11 header stdnoreturn.h.
* The yat2m tool can now also be build on Windows.
* Updates translations for Spanish, Russian and Ukrainian.
Changelog:
Noteworthy changes in version 2.2.9 (2018-07-12)
------------------------------------------------
* dirmngr: Fix recursive resolver mode and other bugs in the libdns
code. [#3374,#3803,#3610]
* dirmngr: When using libgpg-error 1.32 or later a GnuPG build with
NTBTLS support (e.g. the standard Windows installer) does not
anymore block for dozens of seconds before returning data.
* gpg: Fix bug in --show-keys which actually imported revocation
certificates. [#4017]
* gpg: Ignore too long user-ID and comment packets. [#4022]
* gpg: Fix crash due to bad German translation. Improved printf
format compile time check.
* gpg: Handle missing ISSUER sub packet gracefully in the presence of
the new ISSUER_FPR. [#4046]
* gpg: Allow decryption using several passphrases in most cases.
[#3795,#4050]
* gpg: Command --show-keys now enables the list options
show-unusable-uids, show-unusable-subkeys, show-notations and
show-policy-urls by default.
* gpg: Command --show-keys now prints revocation certificates. [#4018]
* gpg: Add revocation reason to the "rev" and "rvs" records of the
option --with-colons. [#1173]
* gpg: Export option export-clean does now remove certain expired
subkeys; export-minimal removes all expired subkeys. [#3622]
* gpg: New "usage" property for the drop-subkey filters. [#4019]
Release-info: https://dev.gnupg.org/T4036
See-also: gnupg-announce/2018q3/000427.html
zoneinder uses %ld to print tv.tv_sec, which is of type time_t. On
NetBSD, that's int64_t, which happens to match long on amd64, but not
on arm, and hence printf often segfaults. Kludge around this by
casting to long, which should work for about 20 years, by which time a
proper fix should have arrived in a zoneminder release.
Not yet raised upstream, because our package is 1.28.1 and upstream
has released 1.30.4.
3.6.4:
New features
* Build Python 3.7 wheels on Linux, Windows and Mac.
Resolved issues
* Rename _cpuid module to make upgrades more robust.
* More meaningful exceptions in case of mismatch in IV length (CBC/OFB/CFB modes).
* Fix compilation issues on Solaris 10/11.
