0.9 - 2015-05-13
~~~~~~~~~~~~~~~~
* Removed support for Python 3.2. This version of Python is rarely used
  and caused support headaches. Users affected by this should upgrade to 3.3+.
* Deprecated support for Python 2.6. At this time there is no time table for
  actually dropping support, however we strongly encourage all users to upgrade
  their Python, as Python 2.6 no longer receives support from the Python core
  team.
* Add support for the
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic
  curve.
* Fixed compilation when using an OpenSSL which was compiled with the
  ``no-comp`` (``OPENSSL_NO_COMP``) option.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
  serialization of public keys using the ``public_bytes`` method of
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization`,
  :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization`,
  and
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization`.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
  serialization of private keys using the ``private_bytes`` method of
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization`,
  :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`,
  and
  :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization`.
* Add support for parsing X.509 certificate signing requests (CSRs) with
  :func:`~cryptography.x509.load_pem_x509_csr` and
  :func:`~cryptography.x509.load_der_x509_csr`.
* Moved ``cryptography.exceptions.InvalidToken`` to
  :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated
  the old location. This was moved to minimize confusion between this exception
  and :class:`cryptography.fernet.InvalidToken`.
* Added support for X.509 extensions in :class:`~cryptography.x509.Certificate`
  objects. The following extensions are supported as of this release:

  * :class:`~cryptography.x509.BasicConstraints`
  * :class:`~cryptography.x509.AuthorityKeyIdentifier`
  * :class:`~cryptography.x509.SubjectKeyIdentifier`
  * :class:`~cryptography.x509.KeyUsage`
  * :class:`~cryptography.x509.SubjectAlternativeName`
  * :class:`~cryptography.x509.ExtendedKeyUsage`
  * :class:`~cryptography.x509.CRLDistributionPoints`
  * :class:`~cryptography.x509.AuthorityInformationAccess`
  * :class:`~cryptography.x509.CertificatePolicies`

  Note that unsupported extensions with the critical flag raise
  :class:`~cryptography.x509.UnsupportedExtension` while unsupported extensions
  set to non-critical are silently ignored. Read the
  :doc:`X.509 documentation</x509>` for more information.

Noteworthy changes in version 0.9.2 (2015-05-11)
------------------------------------------------
* Support for saving the passphrase with libsecret.
* Escape key works in the Gtk+ pinentry.
* Improvements for pinentry-tty.
* Minor cleanups for the native Windows pinentry.

2.014 2015/05/13
- work around problem with IO::Socket::INET6 on windows, by explicitly using
Domain AF_INET in the tests.
Fixes RT#104226 reported by CHORNY

This release contains new scanning features and bug fixes.
- Improvements to PDF processing: decryption, escape sequence
handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified
and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue
was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and
patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file.
Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file.
This was reported by Dimitri Kirchner and Goulven Guiheux.
CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads.
Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's
regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by
Kai Risku.
- Improve detections within xar/pkg files.

- Switch to using IETF ALPN extension for negotiating application-level
protocols for TLS in place of NPN extension.
- Optimizations for ECDSA
- Allow using OpenSSL's RSA implementation
- RC4 is deprecated and will be removed in the future
- Removed global state like the global PRNG.
- Cleaner registration for algorithm etc, potentially requires changes
for statically linked programs.
- Simple C binding for common operations
- Optimized reductors for P-192, P-224, P-256, P-384, P-521
- Experimental OCB support for TLS
- Reduced memory footprint of CTR
- botan-config has been merged into botan
- Removal of SSLv3 support
- MCEIES, DTLS-SRTP, SipHash, Curve25519, Poly1305, ChaCha20Poly1305
supported
- Changed format of serialized TLS sessions
- TLS heartbeat messages support user-defined size of padding for PMTU
discovery
- RFC 6979 support for deterministic nonces and signatures with DSA and ECDSA
- Support for TLS fallback signaling

2.014 2015/05/05
- Utils::CERT_create - work around problems with authorityInfoAccess, where
OpenSSL i2v does not create the same string as v2i expects
- Intercept - don't clone some specific extensions which make only sense with
the original certificate

2.013 2015/05/01
- assign severities to internal error handling and make sure that follow-up
errors like "configuration failed" or "certificate verify error" don't
replace more specific "hostname verification failed" when reporting in
sub errstr/$SSL_ERROR. see also RT#103423
- enhanced documentation thanks to Chase Whitener
https://github.com/noxxi/p5-io-socket-ssl/pull/26

Upstream changes:
0.19 Sun Feb 8 11:30:09 2015
- fixed issue with OO crc64, #101999
- remove Build.PL as it seems to have some issues with the XS support
0.20 Sun Feb 8 16:45:13 2015
- removed debug code
0.21 Sat Feb 21 13:18:25 2015
- new() throwing an error if an unsupported type is specified

Upstream changes:
2014-04-28 Gisle Aas <gisle@ActiveState.com>
Release 2.04
No change. I accidentally deleted the 2.03 dist from CPAN when trying
to clean up old Digest-MD5 dists.

* Noteworthy changes in release 4.5 (released 2015-04-29) [stable]
- Corrected an invalid memory access in octet string decoding.
Reported by Hanno Böck.

Upstream changes:
0.24 Sat Jan 10 00:45:34 MST 2015
- simplified shabits() routine (bitwise input buffering)
-- slightly less efficient but easier to understand
- minor documentation tweaks and additions
0.23 Sun Jan 4 05:36:30 MST 2015
- updated to reflect Draft FIPS 202
-- append domain separation bits to message
-- implement SHAKE128 and SHAKE256 Extendable-Output
Functions (XOFs)

The intention of zmsystemctl.pl is to use bin/pkexec to allow the apache user
to start and stop the ZoneMinder services on operating systems using systemd
and newer versions of Polkit than Pkgsrc currently has.
If the base OS doesn't use systemd (e.g. anything not Linux), this file
shouldn't be used anyway.
In Pkgsrc we ignore the potentially absent pkexec interpreter in this file.
If the base OS uses systemd, it probably also has pkexec in its base
installation.
Bump PKGREVISION.

service_identity aspires to give you all the tools you need for
verifying whether a certificate is valid for the intended purposes.
In the simplest case, this means host name verification. However,
service_identity implements RFC 6125 fully and plans to add other
relevant RFCs too.

py-bcrypt is a Python wrapper of OpenBSD's Blowfish password hashing code, as
described in "A Future-Adaptable Password Scheme" by Niels Provos and David
Mazieres.

This system hashes passwords using a version of Bruce Schneier's Blowfish block
cipher with modifications designed to raise the cost of off-line password
cracking and frustrate fast hardware implementation. The computation cost of the
algorithm is parameterised, so it can be increased as computers get faster. The
intent is to make a compromise of a password database less likely to result in
an attacker gaining knowledge of the plaintext passwords (e.g. using John the
Ripper).

As of py-bcrypt-0.4, this module can also be used as a Key Derivation Function
(KDF) to turn a password and salt into a cryptographic key.

It operates the mozilla-rootcerts installer script in order to allow
managing the resulting output openssl certs with the package tools.
Since openssl does not support more than one directory of certificates
(sheesh) this is an abusive package - it installs directly into the
openssl certs directory even though this is a sysconfig directory that
should normally only be touched using the config files infrastructure.
And, for native openssl, it's in the root /etc outside of $PREFIX.
Nonetheless, having this package is better than not having it.

Probably at some point this and the mozilla-rootcerts package should
be folded together in some fashion; but I didn't want to do that up
front, and in particular I didn't want to muck with the installer
script in mozilla-rootcerts any more than necessary to make this
package possible. This in particular prevented e.g. installing the
certs in share/ and symlinking them into the certs directory.

As things are, if you already have the certs installed manually you
can install this package over them cleanly, and thenceforth not have
to update them by hand.