* Update the README with information on moving the database
between different architectures.
Bugfixes:
* Fix the destruction order of the Singleton objects.
=== 2.3.0 / 11 Jan 2012
* Support for hmac-sha2 and diffie-hellman-group-exchange-sha256 [Ryosuke Yamazaki]
=== 2.2.2 / 04 Jan 2012
* Fixed: Connection hangs on ServerVersion.new(socket, logger) [muffl0n]
* Avoid dying when unsupported auth mechanisms are defined [pcn]
(Yes, that ridiculous version number really is what upstream calls it.)
No NEWS entry, but announcement includes:
2012-03-13 Zooko Wilcox-O'Hearn <zooko@zooko.com>
* src/pycryptopp/_version.py: release pycryptopp-0.6.0
* add Ed25519 signatures (#75)
* add XSalsa20 cipher (#40)
* switch from darcs to git for revision control
* pycryptopp version numbers now include a decimal encoding of *
* reorganize the source tree and the version number generation
* aesmodule.cpp: validate size of IV and throw exception if it
is not 16 (#70)
* fixed compile errors with gcc-4.7.0 (#78)
* fixed compile errors concerning "CryptoPP::g_nullNameValuePairs" (#77)
* suppress warnings from valgrind with new OpenSSL 1.0.1 on Fedora (#82)
* raise Python exception instead of uncaught C++ exception
(resulting in abort) when deserializing malformed RSA keys (#83)
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
modules. This is required on the child process after a fork.
* libgnutls: PKCS 11 objects that do not have ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added
Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
in CMS and PKCS7 code. When RSA decryption fails use a random key for
content decryption and always return the same error. Note: this attack
needs on average 2^20 messages so it only affects automated senders. The
old behaviour can be reenabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
[Steve Henson]
*) Fix CVE-2011-4619: make sure we really are receiving a
client hello before rejecting multiple SGC restarts. Thanks to
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
[Steve Henson]
from 1.42 to 1.45.
Upstream changes:
1.45 2012-02-25
Added mising doc for SESSION_cmp. Patch by paul.
1.44 2012-02-25
Added missing t/data/binary-test.file to MANIFEST
1.43 2012-02-24
Fixed some typos. Patched by Neil Bowers.
SSLeay.pm convenience functions now call Net::SSLeay::initialize that
initializes the SSL library at most once.
Patch from kmx to protect SSLeay_add_ssl_algorithms from multiple loads
and reentrancy in multi-threaded perls.
Patch from kmx to add reentrancy protection for callbacks in
multithreading.
Updated ppport.h, fixed some complaints from ppport.h
Fixed a problem with CTX_use_PKCS12_file on Windows, since the file was
not opened in binary mode. Reported by kmx.
Added resources line for SVN repository to Makefile. Suggested by kmx.
Fixed complaints unders some windows compilers about cast from pointer to integer of
different size. Suggested by kmx.
Added thread safety and dynamic locking. This should complete thread
safety work, making Net::SSLeay completely thread-safe. Patches by kind
assistance of kmx.
Improvements to openssl backwards compatibility. Now build with versions
back to 0.9.6. With extreme thanks to kmx.
Improvements to documentation, thanks to kmx.
SUMMARY OF NEWLY INTRODUCED FUNCTIONS:
- Net::SSLeay::initialize
- Net::SSLeay::SSLeay
- Net::SSLeay::SSLeay_version
- Net::SSLeay::SSLeay_version
- Net::SSLeay::ASN1_TIME_new
- Net::SSLeay::ASN1_TIME_free
- Net::SSLeay::ASN1_TIME_set
- Net::SSLeay::P_ASN1_TIME_get_isotime
- Net::SSLeay::P_ASN1_TIME_set_isotime
- Net::SSLeay::P_ASN1_TIME_put2string
- Net::SSLeay::OpenSSL_add_all_digests
- Net::SSLeay::P_EVP_MD_list_all
- Net::SSLeay::EVP_get_digestbyname
- Net::SSLeay::EVP_MD_type
- Net::SSLeay::EVP_MD_size
- Net::SSLeay::EVP_MD_CTX_md
- Net::SSLeay::EVP_MD_CTX_create
- Net::SSLeay::EVP_MD_CTX_destroy
- Net::SSLeay::EVP_DigestInit
- Net::SSLeay::EVP_DigestInit_ex
- Net::SSLeay::EVP_DigestUpdate
- Net::SSLeay::EVP_DigestFinal
- Net::SSLeay::EVP_DigestFinal_ex
- Net::SSLeay::EVP_Digest
- Net::SSLeay::SHA1
- Net::SSLeay::SHA256
- Net::SSLeay::SHA512
- Net::SSLeay::EVP_sha1
- Net::SSLeay::EVP_sha512
Fixed a problem with set_proxy where the password was not properly
set. The code to do this went missing at some stage. Reported by Ulrich
Weber via RT.
Further improvements to testing time functions.
Added t/local/37_asn1_time.t
Added various digest functions, documentation and tests
Removed debug from P_ASN1_TIME_get_isotime. Courtesy kmx.
Remove unnecessary warnings about Random number generator not
seeded. Courtesy kmx.
Fixed an error in 04_basic.t triggered if Test::Exception not present.
Added documentation for many CTX_ functions. Courtesy kmx.
Fixed mionor typos in SSLeay.xs. Courtesy kmx.
Moved documentation to new lib/Net/SSLeay.pod. Courtesy kmx.
Additions to documentation in pod. Courtesy kmx.
Fixed some incorrect return types from SSL_set_options
SSL_CTX_set_options. Courtesy kmx.
Further documentation in pod. Courtesy kmx.
Small fixes to XS code + one new trivial function SSL_CIPHER_get_name
And one more thing - 02_pod_coverage.t is turned ON passing all tests -
never ever allow a new function without at least a short doc. Courtesy
kmx.
Removed 2 unnecessary 'local $[;' from SSLeay.pm
Noteworthy changes in version 1.4.12 (2012-01-30)
-------------------------------------------------
* GPG now accepts a space separated fingerprint as a user ID.
This allows to copy and paste the fingerprint from the key
listing.
* Removed support for the original HKP keyserver which is not
anymore used by any site.
* Rebuild the trustdb after changing the option --min-cert-level.
* Improved JPEG detection.
* Included more VMS patches
* Made it easier to create an installer for Windows.
* Supports the 32 bit variant of the mingw-w64 toolchain.
* Made file locking more portable.
* Minor bug fixes.
Release Notes - Heimdal - Version Heimdal 1.5.2
Security fixes
- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service
Release Notes - Heimdal - Version Heimdal 1.5.1
Bug fixes
- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates
Release Notes - Heimdal - Version Heimdal 1.5
New features
- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
in kadmind (extract keytab)
- Replace editline with libedit
This is primarily a bugfix release.
* Fix an interaction in iprop that could cause spurious excess kadmind processes
when a kprop child fails.
Changes 1.8.5:
This is primarily a bugfix release.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
[CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
Fixed incorrect documentation of how to enable CRL checking.
Fixed incorrect letter in Sebastien in Credits.
Reversed order of the Changes file to be reverse chronological.
Fixed a a compile error when building on Windows with MSVC6.
1.41
Fixed incorrect const signatures for 1.0 that were causing warnings.
Now have clean compile with 0.9.8a through 1.0.0.
1.40
Fixed incorrect argument type in call to SSL_set1_param
Fixed a number of issues with pointer sizes
Removed redundant pointer cast tests from t/
Added Perl version requirements to SSLeay.pm
1.39
Downgraded Module::Install to 0.93 since 1.01 was causing problems in
the Makefile.
1.38
- Fixed a problem with various symbols that only became available
in OpenSSL 0.9.8 such as X509_VERIFY_PARAM and X509_POLICY_NODE,
causing build failures with older versions of OpenSSL.
1.37
- Added X509_get_fingerprint, contributed by Thierry Walrant (with
minor changes die to the fact that stricmp is not avialable. Cert
types must be lowercase. Also added test to 07_sslecho.t
- Added suport for SSL_CTX_set1_param, SSL_set1_param,
selected X509_VERIFY_PARAM_* OBJ_* functions. Added new test
t/local/36_verify.t
- Fixed an uninitialized value warning in $Net::SSLeay::proxyauth
- Update so net-ssleay will compile if SSLV2 is not present.
- Fixed a problem where sslcat (and possibly other functions) expect
RSA keys and will not load DSA keys for client certificates.
- Removed SSL_CTX_v2_new and SSLv2_method() for OpenSSL 1.0 and later.
- Added CTX_use_PKCS12_file contributed by "Andrew A. Budkin".
2011-12-10 PuTTY 0.62 released
PuTTY 0.62 is out, containing only bug fixes from 0.61, in particular a security fix preventing passwords from being accidentally
retained in memory.
2011-11-27 PuTTY 0.62 pre-release builds available
PuTTY 0.61 had a few noticeable bugs in it (but nothing security-related), so we are planning to make a 0.62 release containing just bug
fixes. The Wishlist page lists the bugs that will be fixed by the 0.62 release. The Download page now contains pre-release snapshots of
0.62, which contain those bug fixes and should be otherwise stable. (The usual development snapshots, containing other development since
0.61, are also still available.)
2011-07-12 PuTTY 0.61 is released
PuTTY 0.61 is out, after over four years (sorry!), with new features, bug fixes, and compatibility updates for Windows 7 and various SSH
server software.
MUNGE (MUNGE Uid 'N' Gid Emporium) is an authentication service
for creating and validating credentials. It is designed to be
highly scalable for use in an HPC cluster environment. It allows
a process to authenticate the UID and GID of another local or
remote process within a group of hosts having common users and
groups. These hosts form a security realm that is defined by a
shared cryptographic key. Clients within this security realm can
create and validate credentials without the use of root
privileges, reserved ports, or platform-specific methods.
Upstream changes:
Not complete, the only info mentionned in the Changelog is this:
2011-01-16 -- pycryptopp v0.5.28
re-enable the ECDSA module, but please do not rely on it as it is expected to
change in backwards-incompatible ways in future releases several changes to the
build system to make it tidier and less error-prone -- see revision control
history for details
Upstream changes:
2011-09-02 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* Release 0.13
2011-06-12 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/pkey.c: Add the PKey.check method, mostly
implemented by Rick Dean, to verify the internal consistency of a
PKey instance.
2011-06-12 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/crypto.c: Fix the sign and verify functions so
they handle data with embedded NULs. Fix by David Brodsky
<lp:~lihalla>.
2011-05-20 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/connection.c, OpenSSL/test/test_ssl.py: Add a new
method to the Connection type, get_peer_cert_chain, for retrieving
the peer's certificate chain.
2011-05-19 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/x509.c, OpenSSL/test/test_crypto.py: Add a new
method to the X509 type, get_signature_algorithm, for inspecting
the signature algorithm field of the certificate. Based on a
patch from <lp:~okuda>.
2011-05-10 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/crypto/crypto.h: Work around a Windows/OpenSSL 1.0 issue
explicitly including a Windows header before any OpenSSL headers.
* OpenSSL/crypto/pkcs12.c: Work around an OpenSSL 1.0 issue by
explicitly flushing errors known to be uninteresting after calling
PKCS12_parse.
* OpenSSL/ssl/context.c: Remove SSLv2 support if the underlying
OpenSSL library does not provide it.
* OpenSSL/test/test_crypto.py: Support an OpenSSL 1.0 change from
MD5 to SHA1 by allowing either hash algorithm's result as the
return value of X509.subject_name_hash.
* OpenSSL/test/test_ssl.py: Support an OpenSSL 1.0 change from MD5
to SHA1 by constructing certificate files named using both hash
algorithms' results when testing Context.load_verify_locations.
* Support OpenSSL 1.0.0a.
2011-04-15 Jean-Paul Calderone <exarkun@twistedmatrix.com>
* OpenSSL/ssl/ssl.c: Add OPENSSL_VERSION_NUMBER, SSLeay_version
and related constants for retrieving version information about the
underlying OpenSSL library.
