* Version 3.2.5 (released 2013-10-23)
** libgnutls: Documentation and build-time fixes.
** libgnutls: Allow the generation of DH groups of less than 700 bits.
** libgnutls: Added several combinations of ciphersuites with SHA256 and SHA384 as MAC,
as well as Camellia with GCM.
** libdane: Added interfaces to allow initialization of dane_query_t from
external DNS resolutions, and to allow direct verification of a certificate
chain against a dane_query_t. Contributed by Christian Grothoff.
** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and fix
by Christian Grothoff.
** srptool: Fixed index command line option. Patch by Attila Molnar.
** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.
** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.
** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added
* Version 3.2.4 (released 2013-08-31)
** libgnutls: Fixes when session tickets and session DB are used.
Report and initial patch by Stefan Buehler.
** libgnutls: Added the RSA-PSK key exchange. Patch by Frank Morgner,
based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH.
** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch
by Stefan Buehler.
** libgnutls: Added the PFS priority string option.
** libgnutls: Gnulib included files are strictly LGPLv2.
** libgnutls: Corrected gnutls_certificate_server_set_request().
Reported by Petr Pisar.
** API and ABI modifications:
gnutls_record_set_timeout: Exported
Changes since 1.0.5:
* SunOS build fix
* Another client info bugfix
* Client info bugfixes
* Client info option
* Client certificate validation
* Some cleanup in the client side connection code
* Type conversion to compile cleanly on OS X
* Version 0.4.5
- Restore compatibility with OSX <= 10.6
* Version 0.4.4
- Visual Studio is officially supported (VC 2010 & VC 2013)
- mingw64 is now supported
- big-endian architectures are now supported as well
- The donna_c64 implementation of curve25519_donna_c64 now handles
non-canonical points like the ref implementation
- Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
- A crypto_onetimeauth_poly1305_ref() wrapper has been added
pkgsrc changes:
---------------
- Depends on security/py-ecdsa
- FETCH_USING=curl to deal with PyPI's https-only website.
upstream changes:
-----------------
v1.12.0 (27th Sep 2013)
-----------------------
* #152: Add tentative support for ECDSA keys. *This adds the ecdsa
module as a new dependency of Paramiko.* The module is available at
[warner/python-ecdsa on Github](https://github.com/warner/python-ecdsa) and
[ecdsa on PyPI](https://pypi.python.org/pypi/ecdsa).
* Note that you might still run into problems with key negotiation --
Paramiko picks the first key that the server offers, which might not be
what you have in your known_hosts file.
* Mega thanks to Ethan Glasser-Camp for the patch.
* #136: Add server-side support for the SSH protocol's 'env' command. Thanks to
Benjamin Pollack for the patch.
v1.11.2 (27th Sep 2013)
-----------------------
* #156: Fix potential deadlock condition when using Channel objects as sockets
(e.g. when using SSH gatewaying). Thanks to Steven Noonan and Frank Arnold
for catch & patch.
* #179: Fix a missing variable causing errors when an ssh_config file has a
non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for catch
& patch.
* #200: Fix an exception-causing typo in `demo_simple.py`. Thanks to Alex
Buchanan for catch & Dave Foster for patch.
* #199: Typo fix in the license header cross-project. Thanks to Armin Ronacher
for catch & patch.
py-ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve
Digital Signature Algorithm), implemented purely in Python, released under the
MIT license. With this library, you can quickly create keypairs (signing key
and verifying key), sign messages, and verify the signatures. The keys and
signatures are very short, making them easy to handle and incorporate into
other protocols.
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
vis.h and glob.h are installed on Linux
(Debian GNU/Linux 7.1 and CentOS 6.4 at least)
* Makefile of Rev 1.100 removes vis.h and glob.h hack. My two Linux
environments require vis.h and glob.h entries for PLIST.
Set PLIST.vis and PLIST.glob for Linux.
The YubiHSM is Yubico's take on the Hardware Security Module (HSM),
designed for protecting secrets on authentication servers, including
cryptographic keys and passwords, at unmatched simplicity and low
cost.
- Add support of
. HID OMNIKEY 5127 CK
. HID OMNIKEY 5326 DFR
. HID OMNIKEY 5427 CK
. Ingenico WITEO USB Smart Card Reader (Base and Badge)
. SecuTech SecuTech Token
- Add support of card movement notifications for multi-slot readers
- Check libusb is at least at version 1.0.8
- Get the serialconfdir value from pcsc-lite pkg config instead of
using $(DESTDIR)/$(sysconfdir)/reader.conf.d/
- Disable class driver on Mac OS X
- Update the bundle name template to include the vendor name
- some minor bugs removed
1.4.11 - 12 June 2013, Ludovic Rousseau
- Add support of
. Gemalto IDBridge CT30
. Gemalto IDBridge K30
. SCM Microsystems Inc. SCL010 Contactless Reader
. SCM Microsystems Inc. SDI011 Contactless Reader
. THRC reader
- Better management of time extension requests
- parse: better support of devices with bInterfaceClass = 0xFF
- udev rule file: Remove setting group to pcscd, remove support of
Linux kernel < 2.6.35 for auto power up management
- some minor bugs removed
1.4.10 - 16 April 2013, Ludovic Rousseau
- Add support of
. ACS APG8201 USB Reader with PID 0x8202
. GIS Ltd SmartMouse USB
. Gemalto IDBridge K3000
. Identive CLOUD 2700 F Smart Card Reader
. Identive CLOUD 2700 R Smart Card Reader
. Identive CLOUD 4500 F Dual Interface Reader
. Identive CLOUD 4510 F Contactless + SAM Reader
. Identive CLOUD 4700 F Dual Interface Reader
. Identive CLOUD 4710 F Contactless + SAM Reader
. Inside Secure AT90SCR050
. Inside Secure AT90SCR100
. Inside Secure AT90SCR200
. SCR3310-NTTCom USB SmartCard Reader
. SafeTech SafeTouch
. SpringCard H512 Series
. SpringCard H663 Series
. SpringCard NFC'Roll
. Yubico Yubikey NEO CCID
. Yubico Yubikey NEO OTP+CCID
- Add support of time extension for Escape commands
1.4.9 - 16 January 2013, Ludovic Rousseau
- Add support of
. Aktiv Rutoken PINPad In
. Aktiv Rutoken PINPad Ex
. REINER SCT cyberJack go
- Info.plist: Correctly handle reader names containing &
Noteworthy changes in version 2.0.22 (2013-10-04)
-------------------------------------------------
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Improved support for some card readers.
* Prepared building with the forthcoming Libgcrypt 1.6.
* Protect against rogue keyservers sending secret keys.
Noteworthy changes in version 1.4.15 (2013-10-04)
-------------------------------------------------
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Protect against rogue keyservers sending secret keys.
* Use 2048 bit also as default for batch key generation.
* Minor bug fixes.
* Version 0.4.3
- crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
- crypto_onetimeauth_poly1305_implementation_name() was added.
- poly1305-ref has been replaced by a faster implementation,
Floodyberry's poly1305-donna-unrolled.
- Stackmarkings have been added to assembly code, for Hardened Gentoo.
- pkg-config can now be used in order to retrieve compilation flags for
using libsodium.
- crypto_stream_aes256estream_*() can now deal with unaligned input
on platforms that require word alignment.
- portability improvements.
- New Features
- OWL - The Owl Monitoring System uses timed DNS queries
to monitor basic network functionality. The system
consists of a manager host and a set of sensor hosts.
The Owl sensors perform periodic DNS queries and
report to the Owl manager the time taken for each
query. Over time, this shows the responsiveness of
the DNS infrastructure.
- dnssec-nodes - Many new features have been added:
- The validation tree now supports clicking on
boxes to highlight it and the arrows that derive
from it. Great for use when teaching about
DNSSEC.
- An extensive filter/effect editor now lets you
tailor the look of a graph to color-code, set
the alpha levels, etc of nodes based on their
names, status, data types, etc.
- Right clicking on a node lets you center the
graph on that node.
- More data types are collected and shown in the
data view.
- Support for arguments on the command line for
parsing log files, pcap files and domain names.
- The validation view has received a visual clean-up
- Many other bug fixes
- Bloodhound - A Mozilla-based DNSSEC-enabled browser with DANE support
- Added support for validation of SSL certificates
using the DANE protocol.
- curl - Added support for validation of SSL certificates
using the DANE protocol.
- libval - Added support for local DANE validation
- Extended the dt-danechk commandline tool to check
the X509 cert provided over the SSL connection
against the TLSA record.
- Optimized glue record lookup when the only ip
addresses configured for the host are for a single
address family (ipv4 or ipv6)
- fine tune res_io source management
- dnssec-check - dnssec-check now checks DNAME support
- rollerd - A new set of steps for KSK rollover has been
implemented. A cache-expiration wait phase has
been moved after the publication of DS records in
order to allow name caches to reflect the changes.
In addition to rollerd, supporting programs have
been modified to recognize this change.
- rollrec files - A new "information rollrec" has been added to the
rollrec files. This will allow information to be
specified for the collection of rollrecs. At this
time, the only information stored in this rollrec
is the version number of the rollrec file.
In addition to the rollrec.pm Perl module, programs
which use this module have been modified to recognize
this change.
If you use the rollrec.pm module, you should test
to see if your code is affected. The modifications
for the info rollrec have been made to minimize
affected programs. If you parse the rollrec files
yourself, you will have to account for this change.
- multiple - The perl-based tools can now use either the
ZoneFile::Fast or the Net::DNS zone file parser,
thanks to a patch from Sebastian Schmidt (yath@yath.de).
- ZoneFile::Fast - Support for TLSA
- Made it compatible with newer Net::DNS releases
- Qt5 - A patch to support DNSSEC checks in Qt5 DNS lookups
- Bug Fixes
- zonesigner - Fixed SOA parsing and serial number update issues
- libval - Properly initialize memory in sockaddr structures
before use.