When building with the gnupg1 option some tests force the need of
gpg-agent and fails as noticed by <uwe> via PR pkg/53160.
Adjust options.mk accordingly disabling gpgsm tests for the gnupg1
option.
Should fix PR pkg/53160 reported by <uwe>.
Part of PR pkg/52941.
This library provides Reauth support to Google's authentication
libraries for Python. Reauth allows using two-factor authentication for
end-user credentials.
pyu2f is a python based U2F host library for Linux, Windows, and MacOS.
It provides functionality for interacting with a U2F device over USB.
pyu2f uses ctypes to make system calls directly to interface with the
USB HID device. This means that no platform specific shared libraries
need to be compiled for pyu2f to work.
By default pyu2f will use its own U2F stack implementation to sign
requests. If desired, pyu2f can offload signing to a pluggable command
line tool.
Upstream for mcrypt is effectively dead so incorporate patches from
other OSS packaging systems. These patches address the following:
* CVE-2012-4409 (fix)
* CVE-2012-4527 (fix)
* Spelling and grammar fixes for man page
* Fix potential format-string attacks (no vulnerability Id)
* Fix potential buffer overflows (no vulnerability Id)
* Make native format default as in Debian, Red Hat, and SUSE since
openpgp format handling is seriously broken.
* Fix ARM build [unclear if this is necessary for non-Linux systems]
* Correct include file for OSX
Release 1.13.0:
Added support for dynamic port forwarding via SOCKS, where AsyncSSH will open a listener which understands SOCKS connect requests and for each request open a TCP/IP tunnel over SSH to the requested host and port.
Added support in SSHProcess for I/O redirection to file objects that implement read(), write(), and close() functions as coroutines, such as the “aiofiles” package. In such cases, AsyncSSH will automaically detect that it needs to make async calls to these methods when it performs I/O.
Added support for using pathlib objects in SSHProcess I/O redirection.
Added multiple improvements to pattern matching support in the SFTPClient glob(), mget(), mput(), and mcopy() methods. AsyncSSH now allows you to use ‘**’ in a pattern to do a recursive directory search, allows character ranges in square brackets in a pattern, and allows a trailing slash in a pattern to be specified to request that only directories matching the pattern should be returned.
Fixed an issue with calling readline() and readuntil() with a timeout, where partial data received before the timeout was sometimes discarded. Any partial data which was received when a timeout occurs will now be left in the input buffer, so it is still available to future read() calls.
Fixed a race condition where trying to restart a read() after a timeout could sometimes raise an exception about multiple simultaneous reads.
Changed readuntil() in SSHReader to raise IncompleteReadError if the receive window fills up before a delimiter match is found. This also applies to readline(), which will return a partial line without a newline at the end when this occurs. To support longer lines, a caller can call readuntil() or readline() as many times as they’d like, appending the data returned to the previous partial data until a delimiter is found or some maximum size is exceeded. Since the default window size is 2 MBytes, though, it’s very unlikely this will be needed in most applications.
Reworked the crypto support in AsyncSSH to separate packet encryption and decryption into its own module and simplified the directory structure of the asyncssh.crypto package, eliminating a pyca subdirectory that was created back when AsyncSSH used a mix of PyCA and PyCrypto.
2.1.0 (2018-05-21)
------------------
* Fixed some copy and paste typos (#535)
* Use secrets module in Python 3.6 and later (#533)
* Add request argument to confirm_redirect_uri (#504)
* Avoid populating spurious token credentials (#542)
* Make populate attributes API public (#546)
18.0.0:
Backward-incompatible changes:
- The minimum cryptography version is now 2.2.1.
- Support for Python 2.6 has been dropped.
Changes:
- Added Connection.get_certificate to retrieve the local certificate.
- OpenSSL.SSL.Connection now sets SSL_MODE_AUTO_RETRY by default.
- Added Context.set_tlsext_use_srtp to enable negotiation of SRTP keying material.
Previously if `automake' was not available during the build,
patch-libsecret_Makefile.am was effectively not applied to the Makefile.
To avoid to depends on `automake' just directly patch the Makefile.in.
Should fix the problem reported by Mayuresh on pkgsrc-users@
regarding the use of dollar single quotes ($'...') (also if `automake' is not
available!).
This should fix the problem reported by Mayuresh via pkgsrc-users@:
<https://mail-index.NetBSD.org/pkgsrc-users/2018/05/20/msg026746.html>
No PKGREVISION bump since it should only fix the problem on platforms where the
shell does not support dollar single quotes (i.e. `$'...'').
Thanks to <youri> for testing this patch!
# Version 1.3.1
* Revert "pins: remove GlobalSign R1/R3 pins" from Robert Copeland
* Readme update from Wesley Schwengle
* Add Dockerfile to create a clean build environment from Wesley Schwengle
* Missing dependencies in readme
* Added CLion project files to ignore list
# Version 1.3.0
* `lpass show` now supports `--json` format
* `lpass show` now supports `--quiet` flag to suppress prompts,
from Pau Sanchez
* `lpass import` has `--keep-dupes` flag which will preserve duplicate
accounts on import
* `LPASS_PINENTRY` environment variable may now be used to set custom
path to pinentry, from Martynas Mickevičius
* Build fix for aarch64 and others from Natanael Copa
* New fish completions from Israel Chauca Fuentes
* Zsh completions from Richard Hillmann
* Brew build instructions updates from Roger D. Winans
* bugfix: site notes now show up in notes textarea instead of fields
* spelling fixes from Josh Soref
# Version 1.2.2
* `lpass ls --format` now supports "%al" to show URL, from Yikai Zhao
* $VISUAL can be used in preference to $EDITOR, from Wesley Schwengle
* `lpass edit` can now directly edit multiline ssh keys
* fields are now preserved when edited with `lpass edit`
* Bugfix: use-after-free in http.c fixed, from Björn Ketelaars
* Bugfix: command-line completion now works for names with spaces
* Bugfix: loading attachments from shared folders now works, from Spencer
Whyte
* Debian packing updates from Hannes Hörl
* Documentation updates from Darragh Grealish and Steven Liekens
### Added
- certbot now has an enhance subcommand which allows you to configure
security enhancements like HTTP to HTTPS redirects, OCSP stapling,
and HSTS without reinstalling a certificate.
- certbot-dns-rfc2136 now allows the user to specify the port to use
to reach the DNS server in its credentials file.
- acme now parses the wildcard field included in authorizations so it
can be used by users of the library.
### Changed
- certbot-dns-route53 used to wait for each DNS update to propagate
before sending the next one, but now it sends all updates before
waiting which speeds up issuance for multiple domains dramatically.
- We've doubled the time Certbot will spend polling authorizations
before timing out.
- The level of the message logged when Certbot is being used with
non-standard paths warning that crontabs for renewal included in
Certbot packages from OS package managers may not work has been
reduced. This stops the message from being written to stderr every
time `certbot renew` runs.
### Fixed
- certbot-auto now works with Python 3.6.
Based on the previous default behave on NetBSD add bzip2 and zlib to the
suggested options. In the past gnupg2 automatically detected bzip2 and
zlib from the system and enabled these options also if no buildlink file
was present.
bzip2 and zlib still stay as options because if gnupg2 remote agent
forwarding is used both gnupg2 versions (local and remote) need to provide
the same compression options. This allow the user to build gnupg2 with or
without compression options if needed.
PKGREVISION bump because new suggested options might require an rebuild on
different operating systems if bzip2 and zlib was not accidentally detected
and enabled.
Reviewed by wiedi
* patch-lib_libpam_openpam__constants.c:
* comment it (make pkglint happy)
* fix OPENPAM_MODULES_DIR (avoid openpam loading basesystem modules)
* remove "CONFIGURE_ARGS+= --without-pam-su" (option not recognized by configure)
* change '_dep_' to 'dep' in builtin.mk (make pkglint happy)
* fix paths in manpages
Changes from upstream:
============================================================================
OpenPAM Resedacea 2017-04-30
- BUGFIX: Reinstore the NULL check in pam_end(3) which was removed in
OpenPAM Radula, as it breaks common error-handling constructs.
- BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the
dispatcher when the required service function could not be found.
- ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is
NULL in API functions that have a NULL check.
- ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and
PAM_BAD_CONSTANT error codes for situations where we previously
incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant
had been passed to an API function.
- ENHANCE: Improve the RETURN VALUES section in API man pages,
especially for functions that cannot fail, which were incorrectly
documented as returning -1 on failure.
============================================================================
OpenPAM Radula 2017-02-19
- BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and
pam_get_user(3) from using application-provided custom prompts.
- BUGFIX: Plug a memory leak in pam_set_item(3).
- BUGFIX: Plug a potential memory leak in openpam_readlinev(3).
- BUGFIX: In openpam_readword(3), support line continuations within
whitespace.
- ENHANCE: Add a feature flag to control fallback to "other" policy.
- ENHANCE: Add a pam_return(8) module which returns an arbitrary
code specified in the module options.
- ENHANCE: More and better unit tests.
drop polkitgtkmate library and its docs
Fix reshow/hide icon with statusnotifier
status-icon: don’t use stock icons
polkitmateauthenticationdialog: avoid deprecated GtkAlignment
polkitmateauthenticationdialog: replace a GTK_STOCK deprecation
Translations update
Changes since 1.0.5:
Version 1.06
* Add -P for overriding the password prompt we search for
* Add -v for verbose logging of the prompt detection prompt.
* Allow packagers and compilers to change the default password prompt.
* When giving -V, also print the default password prompt.
Also, add patch from FreeBSD to fix tty issue which prevents sshpass from
seeing the password prompt.
pkgsrc changes:
- Rename `xclip' PKG_OPTION to `x11' (and add a PKG_OPTIONS_LEGACY_OPTS
accordingly) and also depends on converters/base64 (needed by the `--clip'
option, like xclip) and qrencode (needed by the new `--qrcode' option).
- Add support for `test' target and adjust the part of the test suite for
gnupg>=2.2.5 via patches/patch-tests_t0300-reencryption.sh.
- sysutils/pwgen is no more needed, remove it from DEPENDS
(now `tr -dc '<characters>' < /dev/urandom' is used instead)
- Add patches/patch-contrib_dmenu_passmenu to fix `passmenu --type'
(at least xdotool-2.20110530.1 does not support any `--file' option used by
passmenu)
- Adjust PAX invocations in `do-install' target to ignore possible `*.orig'
and `.gitignore' files.
Changes
1.7.1
-----
== Bug Fixes ==
* Fix test suite on OS X
* Add compatibility with GnuPG 2.2.19
* Uniformly use the $GPG variable
* Do the correct thing with subkeys when reencrypting
1.7
---
== New Features ==
* Extensions: pass can now load user-defined extensions from a system
directory or a user directory. There's already a nice ecosystem of
extensions being built, even at this early stage. See the pass man page for
more information.
* Signatures: there is now an option to enforce signatures of the .gpg-id file
and extensions using an environment variable.
* QRCodes: generate and show have now learned the --qrcode/-q switch. Note to
package maintainers: this adds a dependency on the popular qrencode package.
* Password generation: rather than use pwgen, we now use /dev/urandom more
directly, which results in more assured password security, as well as
customizable character sets, via an environment variable. See the pass man
page for more information on this customization. Package maintainers: you
may now drop the dependency on pwgen.
* Importers: there now are several more importers. More and more folks are
moving to pass!
* Selectable clipping: you can now specify which line you wish to copy to the
clipboard or display with a qrcode when using -c or -q.
* Git discovery: The PASSWORD_STORE_GIT environment variable has been removed,
and instead pass will automatically choose the git repository closest to the
file being modified (but not out of the actual password store itself). This
should help people who like to nest git repos for different organizations.
* Bug fixes: too many to count.
== Note To Distros ==
* Drop the dependency of pwgen.
* Add the dependency of qrencode.
* The Makefile now does the right thing with DESTDIR, so you might want to
double check that your package recipe does the right thing.
* The semantics for auto-detection of bash completion has changed, with new
environment variables for such things. See INSTALL for details.
changes in version 2.2.7:
* gpg: New option --no-symkey-cache to disable the passphrase cache
for symmetrical en- and decryption.
* gpg: The ERRSIG status now prints the fingerprint if that is part
of the signature.
* gpg: Relax emitting of FAILURE status lines
* gpg: Add a status flag to "sig" lines printed with --list-sigs.
* gpg: Fix "Too many open files" when using --multifile.
* ssh: Return an error for unknown ssh-agent flags.
* dirmngr: Fix a regression since 2.1.16 which caused corrupted CRL
caches under Windows.
* dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed
mapping of keys.gnupg.net to sks-keyservers.net.
* dirmngr: Try resurrecting dead hosts earlier (from 3 to 1.5 hours).
* dirmngr: Fallback to CRL if no default OCSP responder is configured.
* dirmngr: Implement CRL fetching via https. Here a redirection to
http is explictly allowed.
* dirmngr: Make LDAP searching and CRL fetching work under Windows.
This stopped working with 2.1.
* agent,dirmngr: New sub-command "getenv" for "getinfo" to ease
debugging.
6.02 Fri Apr 20 16:25:30 MST 2018
- silenced compiler warnings from VS2017
-- ref. rt.cpan.org #124477
-- thanks to Sergey Aleynikov for diagnostics
- modified addfile to return error when given a directory name
-- makes behavior consistent with GNU coreutils shaXsum
-- thanks to Scott Baker for pointing this out
0.060 2018-05-01
- bundled libtomcrypt update
- Math::BigInt::LTM - remove buggy tests failing with the latest Math::BigInt
- basically no changes to the perl modules
0.30 Tue May 1 2018
- Working windows library detection
- Actively testing on appveyor for windows now.
- work correctly on LibreSSL
0.29_03 Mon Apr 16 2018
- Add whirlpool hash support.
- Crypt::OpenSSL::Random is now required at comnpile-time.
- Use the new interface to RSA_generate_key if available
- Add library paths to LIBS from Crypt::OpenSSL::Guess
Remove hack for DragonFly/i386, DragonFly is 64-bit only nowadays.
Noteworthy changes in version 1.30 (2018-04-30) [C24/A24/R1]
-----------------------------------------------
* Fix for a hang on Windows when using gpgrt_poll under nPth.
* Build fix for Solaris. [#3869]
--------------
polkit 0.114
--------------
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
This is polkit 0.114.
Highlights:
Port to mozjs 52, the latest version of the firefox JavaScript engine.
Add gettext support for policy files
Fixes for various memory leaks
Build requirements
glib, gobject, gio >= 2.32
mozjs-52
gobject-introspection >= 0.6.2 (optional)
pam (optional)
ConsoleKit OR systemd
Changes since polkit 0.113:
Anders Jonsson (2):
pkcheck: fix man typos
Add Swedish translation
Antoine Jacoutot (1):
Add support for OpenBSD
Christian Kirbach (1):
Add German translation
Colin Walters (3):
build: Pull in GCC warning infra from ostree
build: Use AC_USE_SYSTEM_EXTENSIONS
tests: Correct boundary test for overflow
Dariusz Gadomski (2):
Fix multi-line pam text info.
Refactor send_to_helper usage
Gabor Kelemen (1):
Add initial Hungarian translation, and add hu to LINGUAS
Jeremy Linton (5):
change mozjs interface module to c++
Switch to hard requiring mozjs24
Fix warnings caused by building with C++
Replace autocompartment
test: Add a test case to handle actions without explicit rules
Jiří Klimeš (1):
trivial: fix deprecated indication for polkit_agent_register_listener()
Matthias Clasen (1):
Add gettext support for .policy files
Miloslav Trmač (21):
Post-release version bump to 0.114
Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
Fix a memory leak of PolkitAgentListener's Server object
Remove polkitbackendconfigsource.[ch]
Add Slovak translation by Dusan Kazik <prescott66@gmail.com>
Add Indonesian translation by Andika Triwidada
Add Chinese (Taiwan) translation
Fix a typo in polkit(8)
Simplify GVariant reference counting
Fix a memory leak on an error path of lookup_asv (twice)
Fix a memory leak in server_handle_register_authentication_agent_with_options
Fix a memory leak in server_handle_unregister_authentication_agent
Fix a memory leak in server_handle_authentication_agent_response{,2}
Fix memory leaks in server_handle_*_temporary_authorizations
Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
Fix a memory leak per agent authentication
Fix a memory leak on agent authentication cancellation
Audit and fix GVariant reference counting
Fix help for (pkttyagent -s)
Fix a race condition when terminating runaway_killer_thread
Move to current GLib
Mingye Wang (Arthur2e5) (1):
Add zh_CN translation
Muhammet Kara (1):
Added Turkish translation
OBATA Akio (1):
Add support for NetBSD
Peter Hutterer (1):
gettext: switch to default-translate "no"
Philip Withnall (3):
polkit: Add g_autoptr() support for GObject-derived polkit types
data: Set GIO_USE_VFS=local in the environment
polkitbackend: Fix typos in a couple of initialisation error messages
Piotr Drąg (1):
Add Polish translation
Rafael Fontenelle (1):
Add Brazilian Portuguese translation
Ray Strode (34):
configure: bump mozjs requirement to 52
jsauthority: fix how classes are defined
jsauthority: use JS_FN instead of JS_FS
jsauthority: get rid of JSRuntime
jsauthority: change how setVersion is called
jsauthority: call JS_Init
jsauthority: call JS_InitSelfHostedCode
jsauthority: change how JIT is disabled
jsauthority: JS::SetWarningReporter instead of JS_SetErrorReporter
jsauthority: add UTF8 suffix to renamed functions
jsauthority: pass "%s" format string to report functions
jsauthority: s/JSBool/bool/
jsauthority: s/jsval/JS::Value/
jsauthority: s/JSVAL_NULL/JS::NullValue()/
jsauthority: s/JSVAL_VOID/JS::UndefinedValue()/
jsauthority: s/OBJECT_TO_JSVAL/JS::ObjectValue/
jsauthority: s/STRING_TO_JSVAL/JS::StringValue/
jsauthority: s/BOOLEAN_TO_JSVAL/JS::BooleanValue/
jsauthority: JSVAL_TO_OBJECT (o) to o.toObjectOrNull()
jsauthority: JSVAL_TO_STRING (s) to s.toString()
jsauthority: JSVAL_IS_STRING (s) to s.isString()
jsauthority: JSVAL_IS_NULL (o) to o.isNull()
jsauthority: Fix up JS_CallFunctionName invocations
jsauthority: use InterruptCallback api instead of OperationCallback
jsauthority: redo how global objects are set up
jsauthority: root some locals to the context
jsauthority: adapt arguments for new JS::Compile API
jsauthority: adapt arguments for new JS_ExecuteScript API
jsauthority: use JS::Evaluate instead of JS_EvaluateScript
jsauthority: fix up set_property methods
jsauthority: stop using JS_GetStringCharsZ
jsauthority: switch from JS_ConvertArguments to JS::CallArgsFromVp
jsauthority: re-enable JIT
Port JavaScript authority to mozjs52
Rui Matos (1):
polkitpermission: Fix a memory leak on authority changes
Sebastien Bacher (1):
Support polkit session agent running outside user session
Stef Walter (2):
polkitagent: Fix access after dereference on hashtable
polkitagent: No double warnings in polkit_agent_listener_register()
Sven Eden (1):
configure: enable elogind support in PolicyKit
Yuri Chornoivan (1):
Add Ukrainian translation
enkore (1):
Fix abnomal formatting of authentication header lines
muzena (1):
Add hr.po
Thanks to our contributors.
Colin Walters and Miloslav Trmač,
April 2, 2017
DEPRECATIONS/CHANGES:
- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
mount can now see information about that mount, such as its type and
options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
entities but these would not be able to be used successfully (even locally)
in replicated scenarios. We have now disallowed entities and groups from
being created for local mounts in the first place.
FEATURES:
- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
client IP seen by Vault. See the TCP listener configuration
page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
modifying only some values in existing data at a K/V path, but uses
check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
local to the cluster. This enables performance secondaries to generate and
consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
and migration between key and encryption types, such as from AES-CBC to
AES-GCM, can be performed at the same time (where supported).
IMPROVEMENTS:
- auth/approle: Support for cluster local secret IDs. This enables secondaries
to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
revoke associated tokens, but while the entity is disabled they cannot be
used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
engines will show you the ones you implicitly have access to (because you have
access to to secrets in those engines)
BUG FIXES:
- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
mounts
- identity: Fix error preventing authentication using local mounts on
performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
api calls. This should fix needing "update" capabilites to read IAM
credentials in the AWS secrets engine
0.30.0:
- Various small typos (Windows builds, Fix SSL.Connection.__del__)
- The project is now Linux-distribution agnostic
- Replace all old-style classes with the new ones (it shouldn't cause
any problems, but feel free to file an issue, if it does)
- Do not by-pass a potential transfer decoding in m2urllib2
- Update M2Crypto.six with 1.11.0 and replace our local workarounds with
new functions.
- SSLv3 just removed.
- Don't support Python 2.6 on Windows anymore. Windows users don't have
python as a system package, so they are usually more likely to upgrade
anyway.
Upstream changes:
1.04 Fri Apr 20 16:25:30 MST 2018
- silenced compiler warnings from VS2017
-- ref. rt.cpan.org #124477
-- thanks to Sergey Aleynikov for diagnostics
- modified addfile to return error when given a directory name
-- makes behavior consistent with GNU coreutils shaXsum
-- thanks to Scott Baker for pointing this out
Revision 0.2.1, released 23-11-2017
- Allow ANY DEFINED BY objects expanding automatically if requested
- Imports PEP8'ed
Revision 0.1.5, released 10-10-2017
- OCSP response blob fixed in test
- Fixed wrong OCSP ResponderID components tagging
Revision 0.1.4, released 07-09-2017
- Typo fixed in the dependency spec
Revision 0.1.3, released 07-09-2017
- Apparently, pip>=1.5.6 is still widely used and it is not PEP440
compliant. Had to replace the `~=` version dependency spec with a
sequence of simple comparisons to remain compatible with the aging pip.
Revision 0.1.2, released 07-09-2017
- Pinned to pyasn1 ~0.3.4
Revision 0.1.1, released 27-08-2017
- Tests refactored into proper unit tests
- pem.readBase64fromText() convenience function added
- Pinned to pyasn1 0.3.3
Release 1.12.2:
Added support for using pathlib objects as paths in calls to SFTP methods, in addition to Unicode and byte strings. This is mainly intended for use in constructing local paths, but it can also be used for remote paths as long as POSIX-style pathlib objects are used and an appropriate path encoding is set to handle the conversion from Unicode to bytes.
Changed server EXT_INFO message to only be sent after the first SSH key exchange, to match the specification recently published in RFC 8308.
Fixed edge case in TCP connection forwarding where data received on a forward TCP connection was not delivered if the connection was closed or half-closed before the corresponding SSH tunnel was fully established.
Made note about OpenSSH not properly handling send_signal more visible.
3.6.1:
New features
Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
New parameter mac_len (length of MAC tag) for CMAC.
Resolved issues
In certain circumstances (at counter wrapping, which happens on average after 32 GBi) AES GCM produced wrong ciphertexts.
Method encrypt() of AES SIV cipher could be still called, whereas only encrypt_and_digest() should be allowed.
This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.
0.23.10 (devel)
* filter: Respect "write-protected" vendor-specific attribute in
PKCS#11 URI [PR#129]
* server: Improve shell integration and documentation [PR#107, PR#108]
* proxy: Reuse existing slot ID mapping in after fork() [PR#120]
* trust: Forcibly mark "Default Trust" read-only [PR#123]
* New function p11_kit_override_system_files() which can be used for
testing [PR#110]
* trust: Filter out duplicate extensions [PR#69]
* Update translations [PR#128]
* Bug fixes [PR#125, PR#126]
0.23.9 (devel)
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
0.23.8 (devel)
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
0.23.7 (devel)
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
0.23.6 (devel)
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
0.23.5 (devel)
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
0.23.4 (devel)
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
0.23.3 (devel)
* Install private executables in libexecdir [#98817]
* Fix link error of proxy module on macOS [#98022]
* Use new PKCS#11 URI specification for URIs [#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [#87192 ...]
0.23.2 (devel)
* Fix forking issues with libffi [#90289 ...]
* Updated translations
* Build fixes [#90827#89081#92434#92520#92445#92551#92843#92842#92807#93211 ...]
0.23.1 (devel)
* Use new PKCS#11 URI draft fields for URIs [#86474#87582]
* Add pem-directory-hash extract format
* Build fixes
- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
cryptography instead of the deprecated methods signer and
verifier.
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()
Bugfixes
Handle GSS_NO_OID_SET when creating sets
### Added
- Support for OpenResty was added to the Nginx plugin.
### Changed
- The timestamps in Certbot's logfiles now use the system's local time
zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
be able to create and delete multiple TXT records on a single
domain.
- certbot-dns-google's test suite now works without an internet
connection.
### Fixed
- Removed a small window that if during which an error occurred,
Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
`listen` directives when creating a new server block in the Nginx
plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
when it's not currently running on RHEL and Gentoo based systems.
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.
Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
Noteworthy changes in version 1.29:
* The yat2m tool is during cross-compile now also installed on the
host platform.
* New option parser and associated functions similar to the one used
by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse New.
gpgrt_usage New.
gpgrt_strusage New.
gpgrt_set_strusage New.
gpgrt_set_usage_outfnc New.
gpgrt_set_fixed_string_mapper New.
GPGRT_ENABLE_ARGPARSE_MACROS New macro.
gpgrt_b64enc_start New.
gpgrt_b64enc_write New.
gpgrt_b64enc_finish New.
SECURITY:
- Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
- Database plugin compatibility: The database plugin interface was enhanced to
support some additional functionality related to root credential rotation
and supporting templated URL strings. The changes were made in a
backwards-compatible way and all builtin plugins were updated with the new
features. Custom plugins not built into Vault will need to be upgraded to
support templated URL strings and root rotation. Additionally, the
Initialize method was deprecated in favor of a new Init method that supports
configuration modifications that occur in the plugin back to the primary
data store.
- Removal of returned secret information: For a long time Vault has returned
configuration given to various secret engines and auth methods with secret
values (such as secret API keys or passwords) still intact, and with a
warning to the user on write that anyone with read access could see the
secret. This was mostly done to make it easy for tools like Terraform to
judge whether state had drifted. However, it also feels quite un-Vault-y to
do this and we've never felt very comfortable doing so. In 0.10 we have gone
through and removed this behavior from the various backends; fields which
contained secret values are simply no longer returned on read. We are
working with the Terraform team to make changes to their provider to
accommodate this as best as possible, and users of other tools may have to
make adjustments, but in the end we felt that the ends did not justify the
means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
configured locally for policy assignment in a case insensitive fashion by
default. Existing configurations will continue to work as they do now;
however, the next time a configuration is written `case_sensitive_names`
will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
the core of Vault to ensure consistency across all backends. Since this was
previously delegated to individual backends, there may be some slight
differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
by default at initialization time (it will still be available in `dev`
mode).
FEATURES:
- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
features are only available with a supporting version of Vault, but the code
base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
`vault kv` subcommand allows friendly interactions with it. Existing mounts
of the `kv` backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
`-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
their own configured admin/root credentials, allowing configured credentials
for a database connection to be rotated immediately after sending them into
Vault, invalidating the old credentials and ensuring only Vault knows the
actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
allows authenticating Azure machines to Vault using Azure's Managed Service
Identity credentials. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
generating secrets to allow access to GCP. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
logs can be turned off for specific keys in the request input map and
response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
through to backends on a per-mount basis. This is useful in various cases
when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
- UI (Enterprise): View and edit Sentinel policies.
IMPROVEMENTS:
- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI
BUG FIXES:
- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
parent prefix entry in the underlying storage backend. These operations also
mark corresponding child tokens as orphans by removing the parent/secondary
index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
paths.
- cli: Fix an issue where generating a dr operation token would not output the
token
OTX Direct Connect agents provide a way to automatically update your
security infrastructure with pulses you have subscribed to from with
Open Threat Exchange. By using Direct Connect, the indicators
contained within the pulses you have subscribed to can be downloaded
and made locally available for other applications such as Intrusion
Detection Systems, Firewalls, and other security-focused applications.
2.0.7:
Moved oauthlib into new organization on GitHub.
Include license file in the generated wheel package.
When deploying a release to PyPI, include the wheel distribution.
Check access token in self.token dict.
Added bottle-oauthlib to docs.
Update repository location in Travis.
Updated docs for organization change.
Replace G+ with Gitter.
Update requirements.
Add shields for Python versions, license and RTD.
Fix ReadTheDocs build
Fixed "make" command to test upstream with local oauthlib.
Replace IRC notification with Gitter Hook.
Added Github Releases deploy provider.
Based on the wip package by myself with fixes from rillig.
KeePassXC can store your passwords safely and auto-type them into
your everyday websites and applications.
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
0.22.2
- A type error introduced in 0.22.1 that would occur during challenge
cleanup when a Certbot plugin raises an exception while trying to
complete the challenge was fixed.
0.22.1
- The ACME server used with Certbot's --dry-run and --staging flags is
now Let's Encrypt's ACMEv2 staging server which allows people to
also test ACMEv2 features with these flags.
- The HTTP Content-Type header is now set to the correct value during
certificate revocation with new versions of the ACME protocol.
- When using Certbot with Let's Encrypt's ACMEv2 server, it would add
a blank line to the top of chain.pem and between the certificates in
fullchain.pem for each lineage. These blank lines have been removed.
- Resolved a bug that caused Certbot's --allow-subset-of-names flag
not to work.
- Fixed a regression in acme.client.Client that caused the class to
not work when it was initialized without a ClientNetwork which is
done by some of the other projects using our ACME library.
0.1.12 (2018/03/21)
* Land #9, improve SSL certificate generation
* fix is_mac_addr to validate if something is _only_ a mac address
* Improve SSL certificate generation
0.1.11 (2018/02/09)
* Land #8, factor out SSL bits
* Address Brent's comment - drop @@loaded_openssl
* Implement a certificate provider pattern in Socket
* Extract and mixin cert ops from server module
DEPRECATIONS/CHANGES:
- The AWS authentication backend now allows binds for inputs as either a
comma-delimited string or a string array. However, to keep consistency with
input and output, when reading a role the binds will now be returned as
string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
backend, you now must explicitly opt-in by adding a `*` to the end of the
ARN. Existing configurations will be upgraded automatically, but when
writing a new role configuration the updated behavior will be used.
FEATURES:
- Replication Activation Enhancements: When activating a replication
secondary, a public key can now be fetched first from the target cluster.
This public key can be provided to the primary when requesting the
activation token. If provided, the public key will be used to perform a
Diffie-Hellman key exchange resulting in a shared key that encrypts the
contents of the activation token. The purpose is to protect against
accidental disclosure of the contents of the token if unwrapped by the wrong
party, given that the contents of the token are highly sensitive. If
accidentally unwrapped, the contents of the token are not usable by the
unwrapping party. It is important to note that just as a malicious operator
could unwrap the contents of the token, a malicious operator can pretend to
be a secondary and complete the Diffie-Hellman exchange on their own; this
feature provides defense in depth but still requires due diligence around
replication activation, including multiple eyes on the commands/tokens and
proper auditing.
IMPROVEMENTS:
- api: Update renewer grace period logic. It no longer is static, but rather
dynamically calculates one based on the current lease duration after each
renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
checking
BUG FIXES:
- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
max_lease_ttl configured on the token store mount, truncate it. This matches
renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
helper for a particular method
2.2.1:
Reverted a change to GeneralNames which prohibited having zero elements, due to breakages.
Fixed a bug in :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
0.1.77 2017/09/23
* Convert double quotes to single quotes to match #{URL}
0.1.76 2017/09/07
* Merge pull request #9 from sempervictus/feature-payload_msil_jit
0.1.75 2017/08/25
* Remove useless failing spec
* Improve use of RandomIdentifier::Generator
* Add MSIL to template constants
* Update spec for MSIL payload
* Implement MSIL payload in Rex gem via template
* Update spec for command
* Finalize quote wrapper
* Rework quote handling
* Cleanup Command single quotes redundant gsub
0.1.74 2017/07/18
* Alternative to IEX in dl_and_exec_string methods
* Command spec - deal with :use_single_quotes
* Output and command improvements for Win10
0.1.73 2017/05/12
* update spec to require Ruby 2.2.0 or greater
7.2.0 (2018-01-17)
Closed issues:
* list_vuln_exceptions returns API error #312
* Credentials failure after using Site.copy #307
* XML serialization for VulnException incorrect due to extra whitespace #304
* Nexpose timeout does not seem to work #299
Merged pull requests:
* Update vuln exceptions to use generally available API version #313
(mhuffman-r7)
* Add a method to add common vuln status filters to report configs #303
(gschneider-r7)
* Updated for Ruby 2.4 Support #301 (twosevenzero)
**** 1.05 March 20, Tuesday
Feature
Support added for Ed25519 and Ed448 algorithms
Fix: rt.cpan.org #124650
Net::DNS::SEC::Private must not die if attribute is not present
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.
- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well fixes for
a handful of other important bugs, including patches to support g++ 6, C++11.
2.2:
BACKWARDS INCOMPATIBLE: Support for Python 2.6 has been dropped.
Resolved a bug in HKDF that incorrectly constrained output size.
Added :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1, :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1, and :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1 to support inter-operating with systems like German smart meters.
Added token rotation support to :doc:Fernet </fernet> with :meth:~cryptography.fernet.MultiFernet.rotate.
Fixed a memory leak in :func:~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key.
Added support for AES key wrapping with padding via :func:~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding and :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding .
Allow loading DSA keys with 224 bit q.
changes in version 1.28:
* The formerly internal yat2m tool is now installed for a native
build.
* The new files gpgrt.m4 and gpgrt-config are now installed. They
can be used instead of gpg-error.m4 and gpg-error-config.
* New logging functions similar to those used by GnuPG.
* New helper functions for platform abstraction.
This is to reflect the behaviour documented in netpgp(1).
Originally submitted on tech-pkg@ as:
[PATCH 09/11] Output signatures to the standard output for "-"
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 07/11] Correct option "--armor"
[PATCH 08/11] Also document alternate option "--detach"
As also applied in NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 04/11] Do not use random data for pass-phrases on EOF
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
This also fixes a crash when the pass-phrase entered is empty.
Originally submitted on tech-pkg@ as:
[PATCH 02/11] Do not truncate pass-phrases without a newline character
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
Originally submitted on tech-pkg@ as:
[PATCH 06/11] Do not ask for a passphrase when empty
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
## [1.16.0][] (2018-02-03)
* [#417](https://github.com/capistrano/sshkit/pull/417): Cache key generation for connections becomes slow when `known_hosts` is a valid `net/ssh` options and `known_hosts` file is big. This changes the cache key generation and fixes performance issue - [@ElvinEfendi](https://github.com/ElvinEfendi).
## [1.15.1][] (2017-11-18)
This is a small bug-fix release that fixes problems with `upload!` and `download!` that were inadvertently introduced in 1.15.0.
### Breaking changes
* None
### Bug fixes
* [#410](https://github.com/capistrano/sshkit/pull/410): fix NoMethodError when using upload!/download! with Pathnames - [@UnderpantsGnome](https://github.com/UnderpantsGnome)
* [#411](https://github.com/capistrano/sshkit/pull/410): fix upload!/download! when using relative paths outside of `within` blocks - [@Fjan](https://github.com/Fjan)
## [1.15.0][] (2017-11-03)
### New features
* [#408](https://github.com/capistrano/sshkit/pull/408): upload! and download! now respect `within` - [@sj26](https://github.com/sj26)
### Potentially breaking changes
* `upload!` and `download!` now support remote paths which are
relative to the `within` working directory. They were previously documented
as only supporting absolute paths, but relative paths still worked relative
to the remote working directory. If you rely on the previous behaviour you
may need to adjust your code.
1.85 2018-03-14
Preparations for transferring maintenace to a new maintainer
Fixed test failure in t/local/33_x509_create_cert.t for some version of OpenSSL.
Fixed free() error that causes "Free to wrong pool ..." merssage on Windows.
Reported and patched by Steffen Ullrich.
2.4.1:
[Bug] Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in python 3). Report by Theodor van Nahl and fix by Pierce Lopez.
[Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that code introspecting that attribute, or using from paramiko import * (such as some IDEs) sees them. Thanks to @patriksevallius for the patch.
[Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.
Release 1.12.1:
Implemented a fix for CVE-2018-7749, where a modified SSH client could request that an AsyncSSH server perform operations before authentication had completed. Thanks go to Matthijs Kooijman for discovering and reporting this issue and helping to review the fix.
Added a non-blocking collect_output() method to SSHClientProcess to allow applications to retrieve data received on an output stream without blocking. This call can be called multiple times and freely intermixed with regular read calls with a guarantee that output will always be returned in order and without duplication.
Updated debug logging implementation to make it more maintainable, and to fix an issue where unprocessed packets were not logged in some cases.
Extended the support below for non-ASCII characters in comments to apply to X.509 certificates, allowing an optional encoding to be passed in to get_comment() and set_comment() and a get_comment_bytes() function to get the raw comment bytes without performing Unicode decoding.
Fixed an issue where a UnicodeDecodeError could be reported in some cases instead of a KeyEncryptionError when a private key was imported using the wrong passphrase.
Fixed the reporting of the MAC algorithm selected during key exchange to properly report the cipher name for GCM and Chacha ciphers that don’t use a separate MAC algorithm. The correct value was being returned in queries after the key exchange was complete, but the logging was being done before this adjustment was made.
Fixed the documentation of connection_made() in SSHSession subclasses to properly reflect the type of SSHChannel objects passed to them.
### Added
- Support for obtaining wildcard certificates and a newer version of the ACME
protocol such as the one implemented by Let's Encrypt's upcoming ACMEv2
endpoint was added to Certbot and its ACME library. Certbot still works with
older ACME versions and will automatically change the version of the protocol
used based on the version the ACME CA implements.
- The Apache and Nginx plugins are now able to automatically install a wildcard
certificate to multiple virtual hosts that you select from your server
configuration.
- The `certbot install` command now accepts the `--cert-name` flag for
selecting a certificate.
- `acme.client.BackwardsCompatibleClientV2` was added to Certbot's ACME library
which automatically handles most of the differences between new and old ACME
versions. `acme.client.ClientV2` is also available for people who only want
to support one version of the protocol or want to handle the differences
between versions themselves.
- certbot-auto now supports the flag --install-only which has the script
install Certbot and its dependencies and exit without invoking Certbot.
- Support for issuing a single certificate for a wildcard and base domain was
added to our Google Cloud DNS plugin. To do this, we now require your API
credentials have additional permissions, however, your credentials will
already have these permissions unless you defined a custom role with fewer
permissions than the standard DNS administrator role provided by Google.
These permissions are also only needed for the case described above so it
will continue to work for existing users. For more information about the
permissions changes, see the documentation in the plugin.
### Changed
- We have broken lockstep between our ACME library, Certbot, and its plugins.
This means that the different components do not need to be the same version
to work together like they did previously. This makes packaging easier
because not every piece of Certbot needs to be repackaged to ship a change to
a subset of its components.
- Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot,
Certbot's plugins, and certbot-auto. If you are using certbot-auto on a RHEL
6 based system, it will walk you through the process of installing Certbot
with Python 3 and refuse to upgrade to a newer version of Certbot until you
have done so.
- Certbot's components now work with older versions of setuptools to simplify
packaging for EPEL 7.
### Fixed
- Issues caused by Certbot's Nginx plugin adding multiple ipv6only directives
has been resolved.
- A problem where Certbot's Apache plugin would add redundant include
directives for the TLS configuration managed by Certbot has been fixed.
- Certbot's webroot plugin now properly deletes any directories it creates.
The circular dependency that prompted splitting this package is no longer
an issue, as acme now depends on context instead of golang.org/x/net/context.
Thus, this package now contains what used to be go-crypto-acme and conflicts
with it.
Data::Password::passwdqc provides an object oriented Perl interface
to Openwall Project's passwdqc. It allows you to check password
strength and also lets you generate quality controllable random
password.
