0.39.0:
Added
Support for Python 3.8 was added to Certbot and all of its components.
Support for CentOS 8 was added to certbot-auto.
Changed
Don't send OCSP requests for expired certificates
Return to using platform.linux_distribution instead of distro.linux_distribution in OS fingerprinting for Python < 3.8
Updated the Nginx plugin's TLS configuration to keep support for some versions of IE11.
Fixed
Fixed OS detection in the Apache plugin on RHEL 6.
= mbed TLS 2.16.3 branch released 2019-09-06
Security
* Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the other
side of the key exchange had a similar bug.
* The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the same
blinding value was generated. This reduced the effectiveness of the
countermeasure and leaked information about the private key through side
channels. Reported by Jack Lloyd.
* When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written
as an ASN.1 INTEGER, which caused the size of the key to leak
about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer.
API Changes
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
purpose of blinding.
Bugfix
* Fix to allow building test suites with any warning that detects unused
functions. Fixes#1628.
* Fix typo in net_would_block(). Fixes#528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes#2640 reported by irwir.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes#1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes#1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix undefined memset(NULL) call in test_suite_nist_kw.
* Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
* Fix memory leak in in mpi_miller_rabin(). Contributed by
Jens Wiklander <jens.wiklander@linaro.org> in #2363
* Improve code clarity in x509_crt module, removing false-positive
uninitialized variable warnings on some recent toolchains (GCC8, etc).
Discovered and fixed by Andy Gross (Linaro), #2392.
* Zero length buffer check for undefined behavior in
mbedtls_platform_zeroize(). FixesARMmbed/mbed-crypto#49.
* Fix bug in endianness conversion in bignum module. This lead to
functionally incorrect code on bigendian systems which don't have
__BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes#2622.
Changes
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes#1862.
= mbed TLS 2.16.2 branch released 2019-06-11
Security
* Make mbedtls_ecdh_get_params return an error if the second key
belongs to a different group from the first. Before, if an application
passed keys that belonged to different group, the first key's data was
interpreted according to the second group, which could lead to either
an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key.
Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted.
This certificate is used in the demo server programs, which lead the
client programs to fail at the peer's certificate verification
due to an unacceptable hash signature. The certificate has been
updated to one that is SHA-256 signed. Fix contributed by
Illya Gerasymchuk.
* Fix private key DER output in the key_app_writer example. File contents
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
Christian Walther in #2239.
* Fix potential memory leak in X.509 self test. Found and fixed by
Junhwan Park, #2106.
* Reduce stack usage of hkdf tests. Fixes#2195.
* Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
used with negative inputs. Found by Guido Vranken in #2404. Credit to
OSS-Fuzz.
* Fix bugs in the AEAD test suite which would be exposed by ciphers which
either used both encrypt and decrypt key schedules, or which perform padding.
GCM and CCM were not affected. Fixed by Jack Lloyd.
* Fix incorrect default port number in ssl_mail_client example's usage.
Found and fixed by irwir. #2337
* Add missing parentheses around parameters in the definition of the
public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
in case operators binding less strongly than subtraction were used
for the parameter.
* Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
sni entry parameter. Reported by inestlerode in #560.
* Add DER-encoded test CRTs to library/certs.c, allowing
the example programs ssl_server2 and ssl_client2 to be run
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes#2254.
* Fix missing bounds checks in X.509 parsing functions that could
lead to successful parsing of ill-formed X.509 CRTs. Fixes#2437.
* Fix multiple X.509 functions previously returning ASN.1 low-level error
codes to always wrap these codes into X.509 high level error codes before
returning. Fixes#2431.
Changes
* Return from various debugging routines immediately if the
provided SSL context is unset.
* Remove dead code from bignum.c in the default configuration.
Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes#2309.
* Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
Contributed by Peter Kolbus (Garmin).
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
improve clarity. Fixes#2258.
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes#821.
= mbed TLS 2.16.1 branch released 2019-03-19
Features
* Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
from the default list (enabled by default). See
https://sweet32.info/SWEET32_CCS16.pdf.
Bugfix
* Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes#2242.
* Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
Raised as a comment in #1996.
* Reduce the stack consumption of mbedtls_mpi_fill_random() which could
previously lead to a stack overflow on constrained targets.
* Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
in the header files, which missed the precompilation check. #971
* Fix clobber list in MIPS assembly for large integer multiplication.
Previously, this could lead to functionally incorrect assembly being
produced by some optimizing compilers, showing up as failures in
e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
by Aurelien Jarno and submitted by Jeffrey Martin.
* Fix signed-to-unsigned integer conversion warning
in X.509 module. Fixes#2212.
* Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
Fixes#2190.
* Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
* Remove the mbedtls namespacing from the header file, to fix a "file not found"
build error. Fixed by Haijun Gu #2319.
* Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
* Fix false failure in all.sh when backup files exist in include/mbedtls
(e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
* Ensure that unused bits are zero when writing ASN.1 bitstrings when using
mbedtls_asn1_write_bitstring().
* Fix issue when writing the named bitstrings in KeyUsage and NsCertType
extensions in CSRs and CRTs that caused these bitstrings to not be encoded
correctly as trailing zeroes were not accounted for as unused bits in the
leading content octet. Fixes#1610.
Changes
* Include configuration file in all header files that use configuration,
instead of relying on other header files that they include.
Inserted as an enhancement for #1371
* Add support for alternative CSR headers, as used by Microsoft and defined
in RFC 7468. Found by Michael Ernst. Fixes#767.
* Fix configuration queries in ssl-opt.h. #2030
* Ensure that ssl-opt.h can be run in OS X. #2029
* Reduce the complexity of the timing tests. They were assuming more than the
underlying OS actually guarantees.
* Re-enable certain interoperability tests in ssl-opt.sh which had previously
been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
* Ciphersuites based on 3DES now have the lowest priority by default when
they are enabled.
= mbed TLS 2.16.0 branch released 2018-12-21
Features
* Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
of parameters in the API. This allows detection of obvious misuses of the
API, such as passing NULL pointers. The API of existing functions hasn't
changed, but requirements on parameters have been made more explicit in
the documentation. See the corresponding API documentation for each
function to see for which parameter values it is defined. This feature is
disabled by default. See its API documentation in config.h for additional
steps you have to take when enabling it.
API Changes
* The following functions in the random generator modules have been
deprecated and replaced as shown below. The new functions change
the return type from void to int to allow returning error codes when
using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
primitive. Fixes#1798.
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
* Extend ECDH interface to enable alternative implementations.
* Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
* Additional parameter validation checks have been added for the following
modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
Where modules have had parameter validation added, existing parameter
checks may have changed. Some modules, such as Chacha20 had existing
parameter validation whereas other modules had little. This has now been
changed so that the same level of validation is present in all modules, and
that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
is off. That means that checks which were previously present by default
will no longer be.
New deprecations
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
in favor of functions that can return an error code.
Bugfix
* Fix for Clang, which was reporting a warning for the bignum.c inline
assembly for AMD64 targets creating string literals greater than those
permitted by the ISO C99 standard. Found by Aaron Jones. Fixes#482.
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
through qemu user emulation. Reported and fix suggested by randombit
in #1212. Fixes#1212.
* Fix an unsafe bounds check when restoring an SSL session from a ticket.
This could lead to a buffer overflow, but only in case ticket authentication
was broken. Reported and fix suggested by Guido Vranken in #659.
* Add explicit integer to enumeration type casts to example program
programs/pkey/gen_key which previously led to compilation failure
on some toolchains. Reported by phoenixmcallister. Fixes#2170.
* Fix double initialization of ECC hardware that made some accelerators
hang.
* Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
of check for certificate/key matching. Reported by Attila Molnar, #507.
Changelog:
Vulnerabilities fixed in this release include:
- On Windows, the listening sockets used for local port forwarding
were opened in a mode that did not prevent other processes from
also listening on the same ports and stealing some of the incoming
connections.
- In the PuTTY terminal, bracketed paste mode was broken in 0.72, in
a way that made the pasted data look like manual keyboard input. So
any application relying on the bracketing sequences to protect
against malicious clipboard contents would have been misled.
- An SSH-1 server could trigger an access to freed memory by sending
the SSH1_MSG_DISCONNECT message. Not known to be exploitable.
Other bug fixes include:
- Windows Plink no longer crashes on startup when it tries to tell
you it's reusing an existing SSH connection.
- Windows PuTTY now updates its terminal window size correctly if the
screen resolution changes while it's maximised.
- If you display the coloured error messages from gcc in the PuTTY
terminal, there is no longer a missing character if a colour change
happens exactly at the end of a line.
- If you use the 'Clear Scrollback' menu option or escape sequence
while text in the scrollback is selected, it no longer causes an
assertion failure.
pkgsrc changes:
---------------
* Add devel/py-distro as a runtime dependency. Certbot claims >=1.0.1 but
non-linux distribution are supported only from 1.2.0.
Last update in 2009, homepage not reachable; only builds with php-5.6
but one of it's dependencies is per default built against a newer php,
so this can't even build.
Version 1.2.1:
* Fixup release: Remove minimum version for sqlalchemy dependency which was
set too high.
* yhsm-yubikey-ksm: Add --proxy/--proxies argument for logging proxies
requests.
Version 1.2.0:
* yhsm-validation-server: Support OATH TOTP.
* yhsm-init-oath-token: Handle keys with length != 20.
* yhsm-yubikey-ksm: Allow passing soft-HSM keys via stdin by passing "-" as
device argument.
* yhsm-yubikey-ksm: Allow passing --db-url via environment variable.
* Moved utils, yubikey-ksm and validation-server to be included when
installing using pip.
* Use entry_point scripts generated by setuptools.
* Moved man pages to man/ directory.
* Bugfix: Fix AEAD generation on Windows by writing in binary mode.
* Bugfix: Support AEADs generated on Windows using pyhsm <= 1.1.1.
* Bugfix: Avoid installing unit test package.
* Bugfix: yhsm-import-keys: Fix --aes-key argument used when importing
without a YubiHSM.
Version 1.1.1:
* Fixup release.
Version 1.1.0:
* Restructured the repository and build process.
* Use Semantic Versioning (semver.org).
* Added support for a "soft" HSM in yhsm-yubikey-ksm, yhsm-import-keys
and yhsm-generate-keys.
Version 1.0.4l:
* Documentation is now in asciidoc format.
* yhsm-yubikey-ksm: Fix bug when the same public ID occured for multiple
keyhandles.
3.1.1
Trap AttributeError in Gnome backend as in some environments
it seems that will happen.
Fix issue where a backslash in the service name would cause
errors on Registry backend on Windows.
3.1
``keyrings.alt`` no longer depends on the ``keyring.util.escape``
module.
3.0
``keyrings`` namespace should now use the pkgutil native technique
rather than relying on pkg_resources.
2.4
File based backends now reject non-string types for passwords.
Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10 .
Fixes compilation on NetBSD 8 without setting GCC_REQD.
Significant changes since 1.2.1:
* In addition to the scrypt command-line utility, a library "libscrypt-kdf"
can now be built and installed by passing the --enable-libscrypt-kdf option
to configure.
* On x86 CPUs which support them, RDRAND and SHA extensions are used to
provide supplemental entropy and speed up hash computations respectively.
* When estimating the amount of available RAM, scrypt ignores RLIMIT_DATA on
systems which have mmap.
* A new command "scrypt info encfile" prints information about an encrypted
file without decrypting it.
* Version 3.6.9 (released 2019-07-25)
** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
of digest or MAC context. Copying contexts for externally-registered digest and MAC
contexts is unupported (#787).
** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
used, are for a niche use case, but have significant side effects, such as preventing
any internal re-organization and extension of the internal cipher API. The APIs remain
functional though a compiler warning will be issued, and a future minor version update
may transform them to a no-op while keeping ABI compatibility (#789).
** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).
** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().
** libgnutls: Added support for Generalname registeredID.
** The priority configuration was enhanced to allow more elaborate
system-wide configuration of the library (#587).
The following changes were included:
- The file is read as an ini file with '#' indicating a comment.
- The section "[priorities]" or global follows the existing semantics of
the configuration file, and allows to specify system-wide priority strings
which are accessed with the '@' prefix.
- The section "[overrides]" is added with the parameters "insecure-hash",
"insecure-sig", "insecure-sig-for-cert", "disabled-curve",
"disabled-version", "min-verification-profile", "tls-disabled-cipher",
"tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
specific algorithms or options globally. Existing algorithms in the
library can be marked as disabled and insecure, but no hard-coded
insecure algorithm can be marked as secure (so that the configuration
cannot be abused to make the system vulnerable).
- Unknown sections or options are skipped with a debug message, unless
the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
set to 1.
** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
- 0x20: Enable SHA_NI instruction set
** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
ChangeLog
Added support for AES-GCM
Added improved rekeying support
Added performance improvements
Disabled blowfish support by default
Fixed several ssh config parsing issues
Added support for DH Group Exchange KEX
Added support for Encrypt-then-MAC mode
Added support for parsing server side configuration file
Added support for ECDSA/Ed25519 certificates
Added FIPS 140-2 compatibility
Improved known_hosts parsing
Improved documentation
Improved OpenSSL API usage for KEX, DH, KDF and signatures
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p1
* Fixes a crash on Linux systems when a specified user on the
command line did not match a valid entry in the doas.conf file.
In the past, doas would first try to find an exact username match
when the "-u" flag was used and, if one could not be found, it
would try to find a matching numeric UID.
Now doas requires that an exact username be specified when
"-u" is used. This avoids confusion (and, on Linux, fuzzy matches
when a username begins with a number). This means "doas -u 0" can
no longer be used to run a command as root, and "duas -u 1000" is
not ambigious if there is a user with the name "1000" on the system.
doas 6.2
* Group permissions of the original user are now dropped on Linux.
This prevents the original user's group access from interfering
with the target user's owned files. Group permissions were already
dropped on FreeBSD (and I believe) NetBSD, and this brings doas's
Linux behaviour into line with the other systems.
* Fixed a couple of compiler warnings that get rid of either unneeded
variables or introduce sanity checks on return functions.
This should make doas more secure, across platforms/compilers.
doas 6.1p1
* ported to illumos, added support for SmartOS and
OpenIndiana.
* Better pkgsrc integration.
* Version 2.15 (released 2015-11-12)
** Add ykclient_get_server_response() to the library.
** Show more information from the commandline on debug.
** Add proxy support via Curl.
* Version 2.14 (released 2015-03-05)
** Switch default templates to https.
** Fixup call to curl_easy_escape() to use a easy handle.
* Version 1.20.0 (released 2019-07-03)
** Add yk_open_key_vid_pid() allowing vid and pid to be specified.
** Documentation fixes.
** Clear potentially sensitive material from buffers.
** Fix potential buffer overwrite.
* Version 1.19.3 (released 2019-02-22)
** Fix capability read.
* Version 1.19.2 (released 2019-02-19)
** Fix test on mac.
** Fix serial read and challenge response.
* Version 1.19.1 (released 2019-02-19)
** Error out on json output with randomSeed.
** Validate more length fields.
** Use correct FormatMessage function on windows.
** Overflow, bounds and error condition checks.
** Try to zero sensitive memory better.
* Version 1.19.0 (released 2018-04-24)
** Add yk_write_device_info().
** Add ykpersonalize cli switch -D for device info.
** Add code for handling personalization interface of major version 5.
* Version 1.18.1 (released 2018-01-16)
** Support reading accesscode and private ID from stdin.
** Parse optional arguments correctly.
** Documentation fixes.
** Fix for ykinfo modhex serial output when it ends with c.
** Treat all firmware versions as supported.
* Version 1.18.0 (released 2017-01-27)
** Let ykchalresp read challenge from a file.
** Add support of working with a numbered key when many connected
Thanks to Thomas Habets <habets@google.com>
** Documentation clarifications.
** Fixup argument parsing of flags with optional arguments on BSD platforms.
** Fix a file descriptor leak on windows.
* Version 1.17.3 (released 2015-12-28)
** Dont read to much if we don't find a key.
** Text updates to make options clearer.
** Correct logic for question when mode switching to non-otp mode.
** Add 4.3 as supported firmware.
* Version 1.17.2 (released 2015-09-22)
** Let _yk_write() return an error if yk_wait_for_key_status() fails.
** Fix a mistake in help, fixed is up to 16 bytes, 32 characters.
** Add 4.2 as supported firmware.
* Version 1.17.1 (released 2015-04-01)
** Fixup of 1.17.0
* Version 1.17.0 (released 2015-04-01)
** add yk_get_capabilities() to fetch capabilities.
** add -c to ykinfo to fetch capabilities.
** whitelist firmware 4.1.x
* Version 1.16.4 (released 2015-03-23)
** change the tool to accept autoeject time as a short instead of a byte
* Version 1.16.3 (released 2015-03-10)
** whitelist YubiKey version 3.4.x
** only try to set libusb configuration if it's unset on the device
* Version 1.16.2 (released 2014-11-28)
** ykinfo: fix modhex printout when serial is an odd number of hex digits.
** whitelist yubikey version 4.0.x
** try to open more PIDs and add for udev.
0.38.0:
Added
Disable session tickets for Nginx users when appropriate.
Changed
If Certbot fails to rollback your server configuration, the error message links to the Let's Encrypt forum. Change the link to the Help category now that the Server category has been closed.
Replace platform.linux_distribution with distro.linux_distribution as a step towards Python 3.8 support in Certbot.
Fixed
Fixed OS detection in the Apache plugin on Scientific Linux.
Noteworthy changes in version 1.8.5 (2019-08-29) [C22/A2/R5]
------------------------------------------------
* Bug fixes:
- Add mitigation against an ECDSA timing attack.
[#4626,CVE-2019-13627]
- Improve ECDSA unblinding.
* Other features:
- Provide a pkg-config file for libgcrypt.
Release-info: https://dev.gnupg.org/T4683
19.1.0
* macOS Keyring now honors a ``KEYCHAIN_PATH``
environment variable. If set, Keyring will use that
keychain instead of the default.
19.0.2
* Refresh package skeleton.
* Adopt `black <https://pypi.org/project/black>`_ code style.
19.0.1
* Merge with 18.0.1.
18.0.1
* ExceptionInfo no longer retains a reference to the
traceback.
3.9.0:
New features
* Add support for loading PEM files encrypted with AES256-CBC.
* Add support for XChaCha20 and XChaCha20-Poly1305 ciphers.
* Add support for bcrypt key derivation function (`Crypto.Protocol.KDF.bcrypt`).
* Add support for left multiplication of an EC point by a scalar.
* Add support for importing ECC and RSA keys in the new OpenSSH format.
Resolved issues
* it was not possible to invert an EC point anymore.
* fix printing of DSA keys.
* `DSA.generate()` was not always using the `randfunc` input.
* the MD2 hash had block size of 64 bytes instead of 16; as result the HMAC construction gave incorrect results.
Revision 0.4.7:
- Added `isInconsistent` property to all constructed types. This property
conceptually replaces `verifySizeSpec` method to serve a more general
purpose e.g. ensuring all required fields are in a good shape. By default
this check invokes subtype constraints verification and is run by codecs
on value de/serialisation.
- Deprecate `subtypeSpec` attributes and keyword argument. It is now
recommended to pass `ValueSizeConstraint`, as well as all other constraints,
to `subtypeSpec`.
- Fixed a design bug in a way of how the items assigned to constructed
types are verified. Now if `Asn1Type`-based object is assigned, its
compatibility is verified based on having all tags and constraint
objects as the type in field definition. When a bare Python value is
assigned, then field type object is cloned and initialized with the
bare value (constraints verificaton would run at this moment).
- Added `WithComponentsConstraint` along with related
`ComponentPresentConstraint` and `ComponentAbsentConstraint` classes
to be used with `Sequence`/`Set` types representing
`SET ... WITH COMPONENTS ...` like ASN.1 constructs.
Pkgsrc changes:
* Adapt patch to enforcer/utils/Makefile.in
Upstream changes:
* OPENDNSSEC-888: Fixup database conversion script.
* OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and ZSK
have exactly the same paramaters.
* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for
same rrset are mismatching.
Release 1.18.0:
Added support for GSSAPI ECDH and Edwards DH key exchange algorithms.
Fixed gssapi-with-mic authentication to work with GSS key exchanges, in cases where gssapi-keyex is not supported.
Made connect_ssh and connect_reverse_ssh methods into async context managers, simplifying the syntax needed to use them to create tunneled SSH connections.
Fixed a couple of issues with known hosts matching on tunneled SSH connections.
Improved flexibility of key/certificate parser automatic format detection to properly recognize PEM even when other arbitrary text is present at the beginning of the file. With this change, the parser can also now handle mixing of multiple key formats in a single file.
Added support for OpenSSL “TRUSTED” PEM certificates. For now, no enforcement is done of the additional trust restrictions, but such certificates can be loaded and used by AsyncSSH without converting them back to regular PEM format.
Fixed some additional SFTP and SCP issues related to parsing of Windows paths with drive letters and paths with multiple colons.
Made AsyncSSH tolerant of a client which sends multiple service requests for the “ssh-userauth” service. This is needed by the Paramiko client when it tries more than one form of authentication on a connection.
doas is a port of OpenBSD's doas which runs on FreeBSD, Linux and
NetBSD.
The doas utility is a program originally written for OpenBSD which
allows a user to run a command as though they were another
user. Typically doas is used to allow non-privleged users to run
commands as though they were the root user. The doas program acts as
an alternative to sudo, which is a popular method in the Linux
community for granting admin access to specific users.
The doas program offers two benefits over sudo: its configuration file
has a simple syntax and it is smaller, requiring less effort to audit
the code. This makes it harder for both admins and coders to make
mistakes that potentially open security holes in the system.
0.37.2:
Stop disabling TLS session tickets in Nginx as it caused TLS failures on some systems.
0.37.1:
Fixed
Stop disabling TLS session tickets in Apache as it caused TLS failures on some systems.
0.37.0:
Added
Turn off session tickets for apache plugin by default
acme: Authz deactivation added to acme module.
Changed
Follow updated Mozilla recommendations for Nginx ssl_protocols, ssl_ciphers, and ssl_prefer_server_ciphers
Fixed
Fix certbot-auto failures on RHEL 8.
Some of the upstream changes since 0.4.0 :
* OpenSSL binary path is now configurable
* Support for ACME v02
* Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
* Use new ACME v2 endpoint by default
* Initial support for tls-alpn-01 validation
* OCSP refresh interval is now configurable
Full changelog available here :
https://github.com/lukas2511/dehydrated/blob/v0.6.5/CHANGELOG
Despite the changelog, the meson files are not included in
the distribution, so keep using autoconf for this release.
0.18.8
* Add support for g_autoptr() to our types [!11]
* Remove deprecated g_type_class_add_private() [!14]
* Bump GLib dependency (2.44+)
* Add meson build support [!9]
* Fix vapi generation [!15, ...]
* Build fixes [!12, !13]
* Updated translations
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 public-key
signature system.
OK kamil@
X - Certificate and Key management
This application is intended for creating and managing X.509
certificates, certificate requests, RSA, DSA and EC private keys,
Smartcards and CRLs. Everything that is needed for a CA is
implemented. All CAs can sign sub-CAs recursively. These certificate
chains are shown clearly. For an easy company-wide use there are
customiseable templates that can be used for certificate or request
generation.
All cryptographic data is stored in a SQL database. SQLite, MySQL
(MariaDB) and PostgreSQL databases are supported.
3.1.0:
OAuth2.0 Provider - Features
OIDC add support of nonce, c_hash, at_hash fields
New RequestValidator.fill_id_token method
Deprecated RequestValidator.get_id_token method
OIDC add UserInfo endpoint
New RequestValidator.get_userinfo_claims method
OAuth2.0 Provider - Security
Enhance data leak to logs
New default to not expose request content in logs
New function oauthlib.set_debug(True)
Disabling query parameters for POST requests
OAuth2.0 Provider - Bugfixes
Fix validate_authorization_request to return the new PKCE fields
Fix token_type to be case-insensitive (bearer and Bearer)
OAuth2.0 Client - Bugfixes
Fix Authorization Code's errors processing
BackendApplication.Client.prepare_request_body use the "scope" argument as intended.
Fix edge case when expires_in=Null
OAuth1.0 Client
Add case-insensitive headers to oauth1 BaseEndpoint
Implementation of elliptic curve cryptography using the Montgomery
and Edwards curves Curve25519, Ed25519, Ed448-Goldilocks and
Curve448, using the Decaf / Ristretto encoding.
v1.6.1:
Features
* Windows support, with wheels!
* GSSAPI extension rfc4178 (set_neg_mechs) support
* Expose mechanisms in the high-level API
* Test suite improvements
Documentation
* Add documentation for common cred store values
* Documentation typo fixes
Bindings to OpenSSL libssl and libcrypto, plus custom SSH key parsers.
Supports RSA, DSA and EC curves P-256, P-384, P-521, and curve25519.
Cryptographic signatures can either be created and verified manually
or via x509 certificates. AES can be used in cbc, ctr or gcm mode for
symmetric encryption; RSA for asymmetric (public key) encryption or EC
for Diffie Hellman. High-level envelope functions combine RSA and AES
for encrypting arbitrary sized data. Other utilities include key
generators, hash functions (md5, sha1, sha256, etc), base64 encoder, a
secure random number generator, and 'bignum' math methods for manually
performing crypto calculations on large multibyte integers.
Cross-platform utilities for prompting the user for credentials or a
passphrase, for example to authenticate with a server or read a
protected key. Includes native programs for MacOS and Windows, hence
no 'tcltk' is required. Password entry can be invoked in two different
ways: directly from R via the askpass() function, or indirectly as
password-entry back-end for 'ssh-agent' or 'git-credential' via the
SSH_ASKPASS and GIT_ASKPASS environment variables. Thereby the user
can be prompted for credentials or a passphrase if needed when R calls
out to git or ssh.
The canonical form [1] of an R package Makefile includes the
following:
- The first stanza includes R_PKGNAME, R_PKGVER, PKGREVISION (as
needed), and CATEGORIES.
- HOMEPAGE is not present but defined in math/R/Makefile.extension to
refer to the CRAN web page describing the package. Other relevant
web pages are often linked from there via the URL field.
This updates all current R packages to this form, which will make
regular updates _much_ easier, especially using pkgtools/R2pkg.
[1] http://mail-index.netbsd.org/tech-pkg/2019/08/02/msg021711.html
Remove rar support to workaround PR pkg/54420
This release includes 3 extra security related bug fixes that do not
apply to prior versions. In addition, it includes a number of minor bug
fixes and improvements.
* Fixes for the following vulnerabilities affecting 0.101.1 and
prior:
+ CVE-2019-1787: An out-of-bounds heap read condition may occur
when scanning PDF documents. The defect is a failure to
correctly keep track of the number of bytes remaining in a
buffer when indexing file data.
+ CVE-2019-1789: An out-of-bounds heap read condition may occur
when scanning PE files (i.e. Windows EXE and DLL files) that
have been packed using Aspack as a result of inadequate
bound-checking.
+ CVE-2019-1788: An out-of-bounds heap write condition may occur
when scanning OLE2 files such as Microsoft Office 97-2003
documents. The invalid write happens when an invalid pointer
is mistakenly used to initialize a 32bit integer to zero. This
is likely to crash the application.
* Fixes for the following ClamAV vulnerabilities:
+ CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
feature that could allow an unauthenticated, remote attacker
to cause a denial of service (DoS) condition on an affected
device. Reported by Secunia Research at Flexera.
+ Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
code. Reported by Alex Gaynor.
* Fixes for the following vulnerabilities in bundled third-party
libraries:
+ CVE-2018-14680: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. It does not reject blank CHM
filenames.
+ CVE-2018-14681: An issue was discovered in kwajd_read_headers
in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
header extensions could cause a one or two byte overwrite.
+ CVE-2018-14682: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. There is an off-by-one error in the
TOLOWER() macro for CHM decompression.
+ Additionally, 0.100.2 reverted 0.100.1's patch for
CVE-2018-14679, and applied libmspack's version of the fix in
its place.
* Fixes for the following CVE's:
+ CVE-2017-16932: Vulnerability in libxml2 dependency (affects
ClamAV on Windows only).
+ CVE-2018-0360: HWP integer overflow, infinite loop
vulnerability. Reported by Secunia Research at Flexera.
+ CVE-2018-0361: ClamAV PDF object length check, unreasonably
long time to parse relatively small file. Reported by aCaB.
For the full release notes, see:
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md
Release 1.17.1:
Improved construction of file paths in SFTP to better handle native Windows source paths containing backslashes or drive letters.
Improved SFTP parallel I/O for large reads and file copies to better handle the case where a read returns less data than what was requested when not at the end of the file, allowing AsyncSSH to get back the right result even if the requested block size is larger than the SFTP server can handle.
Fixed an issue where the requested SFTP block_size wasn’t used in the get, copy, mget, and mcopy functions if it was larger than the default size of 16 KB.
Fixed a problem where the list of client keys provided in an SSHClientConnectionOptions object wasn’t always preserved properly across the opening of multiple SSH connections.
Changed SSH agent client code to avoid printing a warning on Windows when unable to connect to the SSH agent using the default path. A warning will be printed if the agent_path or SSH_AUTH_SOCK is explicitly set, but AsyncSSH will remain quiet if no agent path is set and no SSH agent is running.
Made AsyncSSH tolerant of unexpected authentication success/failure messages sent after authentication completes. AsyncSSH previously treated this as a protocol error and dropped the connection, while most other SSH implementations ignored these messages and allowed the connection to continue.
Made AsyncSSH tolerant of SFTP status responses which are missing error message and language tag fields, improving interoperability with servers that omit these fields. When missing, AsyncSSH treats these fields as if they were set to empty strings.
Revision 0.2.6:
- Added RFC3560 providing RSAES-OAEP Key Transport Algorithm
in CMS
- Added RFC6019 providing BinaryTime - an alternate format
for representing Date and Time
- RFC3565 superseded by RFC5649
- Added RFC5480 providng Elliptic Curve Cryptography Subject
Public Key Information
- Added RFC8520 providing X.509 Extensions for MUD URL and
MUD Signer
- Added RFC3161 providing Time-Stamp Protocol support
- Added RFC3709 providing Logotypes in X.509 Certificates
- Added RFC3274 providing CMS Compressed Data Content Type
- Added RFC4073 providing Multiple Contents protection with CMS
- Added RFC2634 providing Enhanced Security Services for S/MIME
- Added RFC5915 providing Elliptic Curve Private Key
- Added RFC5940 providing CMS Revocation Information Choices
- Added RFC7296 providing IKEv2 Certificate Bundle
- Added RFC8619 providing HKDF Algorithm Identifiers
- Added RFC7191 providing CMS Key Package Receipt and Error Content
Types
- Added openType support for ORAddress Extension Attributes and
Algorithm Identifiers in the RFC5280 module
- Added RFC5035 providing Update to Enhanced Security Services for
S/MIME
- Added openType support for CMS Content Types and CMS Attributes
in the RFC5652 module
- Added openType support to RFC 2986 by importing definitions from
the RFC 5280 module so that the same maps are used.
- Added maps for use with openType to RFC 2634, RFC 3274, RFC 3709,
RFC 3779, RFC 4055, RFC 4073, RFC 4108, RFC 5035, RFC 5083, RFC 5480,
RFC 5940, RFC 5958, RFC 6010, RFC 6019, RFC 6402, RFC 7191, RFC 8226,
and RFC 8520
- Changed `ValueSizeConstraint` erroneously applied to `SequenceOf`
and `SetOf` objects via `subtypeConstraint` attribute to be applied
via `sizeSpec` attribute. Although `sizeSpec` takes the same constraint
objects as `subtypeConstraint`, the former is only verified on
de/serialization i.e. when the [constructed] object at hand is fully
populated, while the latter is applied to [scalar] types at the moment
of instantiation.
Revision 0.4.6:
- Added previously missing SET OF ANY construct encoding/decoding support.
- Added omitEmptyOptionals option which is respected by Sequence
and Set encoders. When omitEmptyOptionals is set to True, empty
initialized optional components are not encoded. Default is False.
- New elements to SequenceOf/SetOf objects can now be added at any
position - the requirement for the new elements to reside at the end
of the existing ones (i.e. s[len(s)] = 123) is removed.
- List-like slicing support added to SequenceOf/SetOf objects.
- Removed default initializer from SequenceOf/SetOf types to ensure
consistent behaviour with the rest of ASN.1 types. Before this change,
SequenceOf/SetOf instances immediately become value objects behaving
like an empty list. With this change, SequenceOf/SetOf objects
remain schema objects unless a component is added or .clear() is
called.
This change can potentially cause incompatibilities with existing
pyasn1 objects which assume SequenceOf/SetOf instances are value
objects right upon instantiation.
The behaviour of Sequence/Set types depends on the componentType
initializer: if on componentType is given, the behaviour is the
same as SequenceOf/SetOf have. IF componentType is given, but
neither optional nor defaulted components are present, the created
instance remains schema object, If, however, either optional or
defaulted component isi present, the created instance immediately
becomes a value object.
- Added .reset() method to all constructed types to turn value object
into a schema object.
- Added PyAsn1UnicodeDecodeError/PyAsn1UnicodeDecodeError exceptions
to help the caller treating unicode errors happening internally
to pyasn1 at the upper layers.
- Added support for subseconds CER/DER encoding edge cases in
GeneralizedTime codec.
- Fixed 3-digit fractional seconds value CER/DER encoding of
GeneralizedTime.
- Fixed AnyDecoder to accept possible TagMap as asn1Spec
to make dumping raw value operational
Changes:
* Support TLS-alpn mode.
* Support Post-As-Get
* Support Buypass.com CA
* Support 12 more dns api.
* Bug fixes.
* Use letsencrypt v2 api as default.
* Use dns over tls to check domain status.
* Support Windows native taskschuler for cronjob.
* fix IDN name issues.
* fix other issues.
Changelog:
This is a SECURITY UPDATE, fixing vulnerabilities in the obsolete SSH-1
protocol. It also includes many bug fixes over 0.71. We recommend that
everybody update.
Vulnerabilities fixed in this release include:
- A malicious SSH-1 server could trigger a buffer overrun by sending
extremely short RSA keys, or certain bad packet length fields.
Either of these could happen before host key verification, so even
if you trust the server you *intended* to connect to, you would
still be at risk.
(However, the SSH-1 protocol is obsolete, and recent versions of
PuTTY do not try it by default, so you are only at risk if you work
with old servers and have explicitly configured SSH-1.)
- If a malicious process found a way to impersonate Pageant, then it
could cause an integer overflow in any of the SSH client tools
(PuTTY, Plink, PSCP, PSFTP) which accessed the malicious Pageant.
Other security-related bug fixes include:
- The 'trust sigil' system introduced in PuTTY 0.71 to protect
against server spoofing attacks had multiple bugs. Trust sigils
were not turned off after login in the SSH-1 and Rlogin protocols,
and not turned back on if you used the Restart Session command.
Both are now fixed.
Other bug fixes include:
- Kerberos key exchange could crash at the start of an SSH session
in the presence of a third-party Windows provider such as
MIT Kerberos for Windows, and could also crash if the server sent
an ordinary SSH host key as part of the Kerberos exchange.
- In SSH-2 keyboard-interactive authentication, one of the message
fields sent by the server (namely the 'instructions' message) was
accidentally never displayed to the user.
- When using SSH-2 connection sharing, pasting text into a downstream
PuTTY window that included a line longer than 16Kb could cause that
window's connection to be closed.
- When using PSCP in old-fashioned SCP mode, downloading files
specified by a wildcard could cause a newline character to be
appended to the downloaded file names. Also, using the -p option to
preserve file times failed with a spurious error message.
- On Windows, the numeric keypad key that should generate '.' or ','
depending on keyboard layout was always generating '.'.
- RSA keys generated by PuTTYgen could be 1 bit shorter than
requested. (Harmless, but a regression in 0.71 compared to 0.70.)
8.5.4:
All platforms
Update Firefox to 60.8.0esr
Update Torbutton to 2.1.12
Bug 30577: Add Fundraising Banner
Bug 31041: Stop syncing network.cookie.lifetimePolicy
Translations update
Update HTTPS Everywhere to 2019.6.27
Bug 31055+31058: Remove four default bridges
Bug 30712: Backport fix for Mozilla's bug 1552993
Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
Windows + OS X + Linux
Update Tor to 0.4.0.5
Update OpenSSL to 1.0.2s
Bug 29045: Ensure that tor does not start up in dormant mode
OS X
Bug 30631: Blurry Tor Browser icon on macOS app switcher
8.5.3:
All platforms
Pick up fix for Mozilla's bug 1560192
8.5.2:
All platforms
Pick up fix for Mozilla's bug 1544386
Update NoScript to 10.6.3
Bug 29904: NoScript blocks MP4 on higher security levels
Bug 30624+29043+29647: Prevent XSS protection from freezing the browser
8.5.1:
All platforms
Update Torbutton to 2.1.10
Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
Bug 30464: Add WebGL to safer descriptions
Translations update
Update NoScript to 10.6.2
Bug 29969: Remove workaround for Mozilla's bug 1532530
Update HTTPS Everywhere to 2019.5.13
Bug 30541: Disable WebGL readPixel() for web content
Windows + OS X + Linux
Bug 30560: Better match actual toolbar in onboarding toolbar graphic
Bug 30571: Correct more information URL for security settings
Android
Bug 30635: Sync mobile default bridges list with desktop one
Build System
All platforms
Bug 30480: Check that signed tag contains expected tag name
- apparently the Let's Encrypt test server is rejecting example.com emails
- added official python 3.7 support in setup.py
- fixed#226, start using POST-as-GET for GET requests
- fixed additional POST-as-GET
- addresses #205, a situation where polling may hang indefinitely
- Also accept critical SAN extensions.
- fixed#222, we shouldn't delete the challenge files on errors, but we
should clean them up on success
pkgsrc changes:
- Remove PYTHON_VERSIONS_INCOMPATIBLE, Python 3.x is now supported too
- Take MAINTAINERship
Changes:
- Upstream doesn't provide changelog (and CHANGELOG file just reference to
commit messages). According skimming of commit messages mostly bugfixes and
improvements.
NEWS for the Nettle 3.5.1 release
The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
The new directory x86_64/sha_ni were missing in the tar file,
breaking x86_64 builds with --enable-fat, and producing worse
performance than promised for builds with --enable-x86-sha-ni.
Also a few unused in-progress assembly files were accidentally
included in the tar file.
These problems are corrected in Nettle-3.5.1. There are no
other changes, and also the library version numbers are
unchanged.
NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations,
and deletes or deprecates a few obsolete features. It is *not*
binary (ABI) compatible with earlier versions. Except for
deprecations listed below, it is intended to be fully
source-level (API) compatible with Nettle-3.4.1.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0, with sonames libnettle.so.7 and
libhogweed.so.5.
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher
to process more than one block at a time. This is not a
change to the documented behavior, but unfortunately breaks
assumptions accidentally made in GnuTLS, up to and including
version 3.6.1.
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single
octet per block cipher operation), contributed by Dmitry
Eremin-Solenikov.
* Support for CMAC (RFC 4493), contributed by Nikos
Mavrogiannopoulos.
* Support for XTS mode, contributed by Simo Sorce.
Optimizations:
* Improved performance of the x86_64 AES implementation using
the aesni instructions. Gives a large speedup for operations
processing multiple blocks at a time (including CTR mode,
GCM mode, and CBC decrypt, but *not* CBC encrypt).
* Improved performance for CTR mode, for the common case of
16-byte block size. Pass more data at a time to underlying
block cipher, and fill the counter blocks more efficiently.
Extension to also handle GCM mode efficiently contributed
by Nikos Mavrogiannopoulos.
* New x86_64 implementation of sha1 and sha256, for processors
supporting the sha_ni instructions. Speedup of 3-5 times on
affected processors.
* Improved parameters for the precomputation of tables used
for ecc signatures. Roughly 10%-15% speedup of the ecdsa
sign operation using the secp_256r1, secp_384r1 and
secp_521r1 curves, and 25% speedup of ed25519 sign
operation, benchmarked on x86_64. Table sizes unchanged,
around 16 KB per curve.
* In ARM fat builds, automatically select Neon implementation
of Chacha, where possible. Contributed by Yuriy M.
Kaminskiy.
Deleted features:
* The header file des-compat.h and everything declared therein
has been deleted, as announced earlier. This file provided a
subset of the old libdes/ssleay/openssl interface for DES
and triple-DES. DES is still supported, via the functions
declared in des.h.
* Functions using the old struct aes_ctx have been marked as
deprecated. Use the fixed key size interface instead, e.g.,
struct aes256_ctx, introduced in Nettle-3.0.
* The header file nettle-stdint.h, and corresponding autoconf
tests, have been deleted. Nettle now requires that the
compiler/libc provides <stdint.h>.
Miscellaneous:
* Support for big-endian ARM systems, contributed by Michael
Weiser.
* The programs aesdata, desdata, twofishdata, shadata and
gcmdata are no longer built by default. Makefile
improvements contributed by Jay Foad.
* The "example" program examples/eratosthenes.c has been
deleted.
* The contents of hash context structs, and the deprecated
aes_ctx struct, have been reorganized, to enable later
optimizations.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0.
* Change MASTER_SITES to https://
Changelog:
Version 5.55, 2019.06.10, urgency: HIGH
* Security bugfixes
- Fixed a Windows local privilege escalation vulnerability
caused insecure OpenSSL cross-compilation defaults.
Successful exploitation requires stunnel to be deployed
as a Windows service, and user-writable C:\ folder. This
vulnerability was discovered and reported by Rich Mirch.
- OpenSSL DLLs updated to version 1.1.1c.
* Bugfixes
- Implemented a workaround for Windows hangs caused by its
inability to the monitor the same socket descriptor from
multiple threads.
- Windows configuration (including cryptographic keys)
is now completely removed at uninstall.
- A number of testing framework fixes and improvements.
Version 5.54, 2019.05.15, urgency: LOW
* New features
- New "ticketKeySecret" and "ticketMacSecret" options
to control confidentiality and integrity protection
of the issued session tickets. These options allow
for session resumption on other nodes in a cluster.
- Added logging the list of active connections on
SIGUSR2 or with Windows GUI.
- Logging of the assigned bind address instead of the
requested bind address.
* Bugfixes
- Service threads are terminated before OpenSSL cleanup
to prevent occasional stunnel crashes at shutdown.
Version 5.53, 2019.04.10, urgency: HIGH
* New features
- Android binary updated to support Android 4.x.
* Bugfixes
- Fixed data transfer stalls introduced in stunnel 5.51.
Version 5.52, 2019.04.08, urgency: HIGH
* Bugfixes
- Fixed a transfer() loop bug introduced in stunnel 5.51.
0.36.0:
Added
-----
Turn off session tickets for nginx plugin by default
Added missing error types from RFC8555 to acme
Changed
-------
Support for Ubuntu 14.04 Trusty has been removed.
Update the 'manage your account' help to be more generic.
The error message when Certbot's Apache plugin is unable to modify your Apache configuration has been improved.
Certbot's config_changes subcommand has been deprecated and will be removed in a future release.
certbot config_changes no longer accepts a --num parameter.
The functions certbot.plugins.common.Installer.view_config_changes and certbot.reverter.Reverter.view_config_changes have been deprecated and will be removed in a future release.
Fixed
-----
Replace some unnecessary platform-specific line separation.
The libtool-ification caused plugins to have a "lib" prefix, causing a mismatch
with what the code was trying to dlopen(), and failures. Bump PKGREVISION.
Changes
=======
* Version 3.6.8 (released 2019-05-28)
** libgnutls: Added gnutls_prf_early() function to retrieve early keying
material (#329)
** libgnutls: Added support for AES-XTS cipher (#354)
** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
512 bit addition)
** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
public key is on the right subgroup (y^q=1 mod p), when q is available (under
TLS 1.3 and under earlier versions when RFC7919 parameters are used).
** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
with the 8192 parameters as well (#995).
** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)
** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
clients to communicate with the server advertising smaller limits than 512
** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
hostname/domain crafting via IDNA conversion (#720)
** certtool: allow the digital signature key usage flag in CA certificates.
Previously certtool would ignore this flag for CA certificates even if
specified (#767)
** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
These allow testing the RFC5705 using these tools.
** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added
Noteworthy changes in version 2.2.17:
* gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf.
* gpg: If an imported keyblocks is too large to be stored in the
keybox (pubring.kbx) do not error out but fallback to an import
using the options "self-sigs-only,import-clean".
* gpg: New command --locate-external-key which can be used to
refresh keys from the Web Key Directory or via other methods
configured with --auto-key-locate.
* gpg: New import option "self-sigs-only".
* gpg: In --auto-key-retrieve prefer WKD over keyservers.
* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07.
* dirmngr: Add an exception for the "openpgpkey" subdomain to the
CSRF protection.
* dirmngr: Fix endless loop due to http errors 503 and 504.
* dirmngr: Fix TLS bug during redirection of HKP requests.
* gpgconf: Fix a race condition when killing components.
July 1st, 2018
v1.18.2
-- Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408)
-- Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373)
-- Fix two-key 3DES (PR #390)
-- Fix accelerated CTR mode (PR #359)
-- Fix Fortuna PRNG (PR #363)
-- Fix compilation on platforms where cc doesn't point to gcc (PR #382)
-- Fix using the wrong environment variable LT instead of LIBTOOL (PR #392)
-- Fix build on platforms where the compiler provides __WCHAR_MAX__ but wchar.h is not available (PR #390)
-- Fix & re-factor crypt_list_all_sizes() and crypt_list_all_constants() (PR #414)
-- Minor fixes (PR's #350#351#375#377#378#379)
January 22nd, 2018
v1.18.1
-- Fix wrong SHA3 blocksizes, thanks to Claus Fischer for reporting this via Mail (PR #329)
-- Fix NULL-pointer dereference in `ccm_memory()` with LTC_CLEAN_STACK enabled (PR #327)
-- Fix `ccm_process()` being unable to process input buffers longer than 256 bytes (PR #326)
-- Fix the `register_all_{ciphers,hashes,prngs}()` return values (PR #316)
-- Fix some typos, warnings and duplicate prototypes in code & doc (PR's #310#320#321#335)
-- Fix possible undefined behavior with LTC_PTHREAD (PR #337)
-- Fix some DER bugs (PR #339)
-- Fix CTR-mode when accelerator is used (OP-TEE/optee_os #2086)
-- Fix installation procedure (Issue #340)
October 10th, 2017
v1.18.0
-- Bugfix multi2
-- Bugfix Noekeon
-- Bugfix XTEA
-- Bugfix rng_get_bytes() on windows where we could read from c:\dev\random
-- Fixed the Bleichbacher Signature attack in PKCS#1 v1.5 EMSA, thanks to Alex Dent
-- Fixed a potential cache-based timing attack in CCM, thanks to Sebastian Verschoor
-- Fix GCM counter reuse and potential timing attacks in EAX, OCB and OCBv3,
thanks to Raphaël Jamet
-- Implement hardened RSA operations when CRT is used
-- Enabled timing resistant calculations of ECC and RSA operations per default
-- Applied some patches from the OLPC project regarding PKCS#1 and preventing
the hash algorithms from overflowing
-- Larry Bugbee contributed the necessary stuff to more easily call libtomcrypt
from a dynamic language like Python, as shown in his pyTomCrypt
-- Nikos Mavrogiannopoulos contributed RSA blinding and export of RSA and DSA keys
in OpenSSL/GnuTLS compatible format
-- Patrick Pelletier contributed a smart volley of patches
-- Christopher Brown contributed some patches and additions to ASN.1/DER
-- Pascal Brand of STMicroelectronics contributed patches regarding CCM, the
XTS mode and RSA private key operations with keys without CRT parameters
-- RC2 now also works with smaller key-sizes
-- Improved/extended several tests & demos
-- Hardened DSA and RSA by testing (through Karel's perl-CryptX)
against Google's "Wycheproof" and Kudelski Security's "CDF"
-- Fixed all compiler warnings
-- Fixed several build issues on FreeBSD, NetBSD, Linux x32 ABI, HP-UX/IA64,
Mac OS X, Windows (32&64bit, Cygwin, MingW & MSVC) ...
-- Re-worked all makefiles
-- Re-worked most PRNG's
-- The code is now verified by a linter, thanks to Francois Perrad
-- Documentation (crypt.pdf) is now built deterministically, thanks to Michael Stapelberg
-- Add Adler32 and CRC32 checksum algorithms
-- Add Base64-URL de-/encoding and some strict variants
-- Add Blake2b & Blake2s (hash & mac), thanks to Kelvin Sherlock
-- Add Camellia block cipher
-- Add ChaCha (stream cipher), Poly1305 (mac), ChaCha20Poly1305 (encauth)
-- Add constant-time mem-compare mem_neq()
-- Add DER GeneralizedTime de-/encoding
-- Add DSA and ECC key generation FIPS-186-4 compliance
-- Add HKDF, thanks to RyanC (especially for also providing documentation :-) )
-- Add OCBv3
-- Add PKCS#1 v1.5 mode of SSL3.0
-- Add PKCS#1 testvectors from RSA
-- Add PKCS#8 & X.509 import for RSA keys
-- Add stream cipher API
-- Add SHA3 & SHAKE
-- Add SHA512/256 and SHA512/224
-- Add Triple-DES 2-key mode, thanks to Paul Howarth
-- Brought back Diffie-Hellman
Changes:
- adds ECDSA keys and host key support when using OpenSSL
- adds ED25519 key and host key support when using OpenSSL 1.1.1
- adds OpenSSH style key file reading
- adds AES CTR mode support when using WinCNG
- adds PEM passphrase protected file support for Libgcrypt and WinCNG
- adds SHA256 hostkey fingerprint
- adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
- adds explicit zeroing of sensitive data in memory
- adds additional bounds checks to network buffer reads
- adds the ability to use the server default permissions when creating sftp directories
- adds support for building with OpenSSL no engine flag
- adds support for building with LibreSSL
- increased sftp packet size to 256k
- fixed oversized packet handling in sftp
- fixed building with OpenSSL 1.1
- fixed a possible crash if sftp stat gets an unexpected response
- fixed incorrect parsing of the KEX preference string value
- fixed conditional RSA and AES-CTR support
- fixed a small memory leak during the key exchange process
- fixed a possible memory leak of the ssh banner string
- fixed various small memory leaks in the backends
- fixed possible out of bounds read when parsing public keys from the server
- fixed possible out of bounds read when parsing invalid PEM files
- no longer null terminates the scp remote exec command
- now handle errors when diffie hellman key pair generation fails
- fixed compiling on Windows with the flag STDCALL=ON
- improved building instructions
- improved unit tests
3.0.2:
* Fixed space encoding in base string URI used in the signature base string.
* Fixed OIDC /token response which wrongly returned "&state=None"
* Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* Fixed OIDC "nonce" checks: raise errors when it's mandatory
Noteworthy changes in version 1.13.1:
* cpp: gpgme_set_global_flag is now wrapped.
* w32: Improved handling of unicode install paths.
* w32: The gpgme_io_spawn error message is now only shown once.
* Fixed a crash introduced in 1.13.0 when working with S/MIME.
* w32: Fixed format string errors introduced in 1.13.0 that could
cause crashes.
* w32: Fixed an error in the new diagnostic gpgsm support introduced
in 1.13.0 that caused crashes in low fd scenarios.
* python: Fixed a DecryptionError Exception.
* python: No longer raises BadSignatures from decrypt(verify=True).
* Add security/libsodium as dependency
Changelog:
2.4.3 (2019-06-12)
=========================
- Fix library loading issues in the Snap and macOS releases [#3247]
- Fix various keyboard navigation issues [#3248]
- Fix main window toggling regression when clicking the tray icon on KDE [#3258]
- Add documentation for keyboard shortcuts to source code distribution [#3215]
2.4.2 (2019-05-31)
=========================
- Improve resilience against memory attacks - overwrite memory before free [#3020]
- Prevent infinite save loop when location is unavailable [#3026]
- Attempt to fix quitting application when shutdown or logout issued [#3199]
- Support merging database custom data [#3002]
- Fix opening URL's with non-http schemes [#3153]
- Fix data loss due to not reading all database attachments if duplicates exist [#3180]
- Fix entry context menu disabling when using keyboard navigation [#3199]
- Fix behaviors when canceling an entry edit [#3199]
- Fix processing of tray icon click and doubleclick [#3112]
- Update group in preview widget when focused [#3199]
- Prefer DuckDuckGo service over direct icon download (increases resolution) [#2996]
- Remove apply button in application settings [#3019]
- Use winqtdeploy on Windows to correct deployment issues [#3025]
- Don't mark entry edit as modified when attribute selection changes [#3041]
- Use console code page CP_UTF8 on Windows if supported [#3050]
- Snap: Fix locking database with session lock [#3046]
- Snap: Fix theming across Linux distributions [#3057]
- Snap: Use SNAP_USER_COMMON and SNAP_USER_DATA directories [#3131]
- KeeShare: Automatically enable WITH_XC_KEESHARE_SECURE if quazip is found [#3088]
- macOS: Fix toolbar text when in dark mode [#2998]
- macOS: Lock database on switching user [#3097]
- macOS: Fix global Auto-Type when the database is locked [#3138]
- Browser: Close popups when database is locked [#3093]
- Browser: Add tests [#3016]
- Browser: Don't create default group if custom group is enabled [#3127]
2.6.0:
Add a new keyword argument to SSHClient.connect and Transport, disabled_algorithms, which allows selectively disabling one or more kex/key/cipher/etc algorithms. This can be useful when disabling algorithms your target server (or client) does not support cleanly, or to work around unpatched bugs in Paramiko’s own implementation thereof.
SSHClient.exec_command previously returned a naive ChannelFile object for its stdin value; such objects don’t know to properly shut down the remote end’s stdin when they .close(). This lead to issues (such as hangs) when running remote commands that read from stdin.
Add backwards-compatible support for the gssapi GSSAPI library, as the previous backend (python-gssapi) has since become defunct. This change also includes tests for the GSSAPI functionality.
Tweak many exception classes so their string representations are more human-friendly; this also includes incidental changes to some super() calls.
Tested on OS X Tiger PowerPC and NetBSD-HEAD amd64
Changes between 1.0.2r and 1.0.2s [28 May 2019]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Add FIPS support for Android Arm 64-bit
Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
Module in Version 2.0.10. For some reason, the corresponding target
'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
built with FIPS support on Android Arm 64-bit. This omission has been
fixed.
[Matthias St. Pierre]
Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
*) 0-byte record padding oracle
If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call SSL_shutdown()
twice even if a protocol error has occurred (applications should not do
this but some do anyway).
This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
Aviram, with additional investigation by Steven Collison and Andrew
Hourselt. It was reported to OpenSSL on 10th December 2018.
(CVE-2019-1559)
[Matt Caswell]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
Module, accidentally introduced while backporting security fixes from the
development branch and hindering the use of ECC in FIPS mode.
[Nicola Tuveri]
3.1.7:
Set a setuptools lower bound for PEP517 wheel building.
We no longer distribute 32-bit manylinux1 wheels. Continuing to produce them was a maintenance burden.
0.35.1:
Fixed
Support for specifying an authoritative base domain in our dns-rfc2136 plugin has been removed. This feature was added in our last release but had a bug which caused the plugin to fail so the feature has been removed until it can be added properly.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
certbot-dns-rfc2136
py-certbot: update to 0.35.0
py-certbot-apache: update to 0.35.0
py-certbot-dns-luadns: update to 0.35.0
py-certbot-dns-nsone: update to 0.35.0
py-certbot-dns-ovh: update to 0.35.0
py-certbot-dns-rfc2136: update to 0.35.0
py-certbot-dns-route53: update to 0.35.0
py-certbot-dns-sakuracloud: update to 0.35.0
py-certbot-nginx: update to 0.35.0
pkgsrc changes:
---------------
* Add py-certbot/Makefile.common to make version number coherent
upstream changes:
-----------------
- Added
o dns_rfc2136 plugin now supports explicitly specifing an authorative base domain for cases when the automatic method does not work (e.g. Split horizon DNS)
- Fixed
o Renewal parameter webroot_path is always saved, avoiding some regressions when webroot authenticator plugin is invoked with no challenge to perform.
o Certbot now accepts OCSP responses when an explicit authorized responder, different from the issuer, is used to sign OCSP responses.
o Scripts in Certbot hook directories are no longer executed when their filenames end in a tilde.
- Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
o certbot
o certbot-dns-rfc2136
Release 1.17.0:
Added support for “reverse direction” SSH connections, useful to support applications like NETCONF Call Home, described in RFC 8071.
Added support for the PyCA implementation of Chacha20-Poly1305, eliminating the dependency on libnacl/libsodium to provide this functionality, as long as OpenSSL 1.1.1b or later is installed.
Restored libnacl support for Curve25519/Ed25519 on systems which have an older version of OpenSSL that doesn’t have that support. This fallback also applies to Chacha20-Poly1305.
Fixed Pageant support on Windows to use the Pageant agent by default when it is available and client keys are not explicitly configured.
Disabled the use of RSA SHA-2 signatures when using the Pageant or Windows 10 OpenSSH agent on Windows, since neither of those support the signature flags options to request them.
Fixed a regression where a callable was no longer usable in the sftp_factory argument of create_server.
2.5.0:
[Feature] Updated SSHConfig.lookup so it returns a new, type-casting-friendly dict subclass (SSHConfigDict) in lieu of dict literals. This ought to be backwards compatible, and allows an easier way to check boolean or int type ssh_config values.
[Feature] Add support for Curve25519 key exchange (aka curve25519-sha256@libssh.org).
[Feature] Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). Patch courtesy of Edgar Sousa.
[Support] Update our install docs with (somewhat) recently added additional dependencies; we previously only required Cryptography, but the docs never got updated after we incurred bcrypt and pynacl requirements for Ed25519 key support.
Additionally, pyasn1 was never actually hard-required; it was necessary during a development branch, and is used by the optional GSSAPI support, but is not required for regular installation. Thus, it has been removed from our setup.py and its imports in the GSSAPI code made optional.
[Support] Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
[Support] Add support for the modern (as of Python 3.3) import location of MutableMapping (used in host key management) to avoid the old location becoming deprecated in Python 3.8.
[Support] Raise Cryptography dependency requirement to version 2.5 (from 1.5) and update some deprecated uses of its API.
Version 8.2.0
minor release, no recompile of programs required
expanded community input and support
56 unique contributors as of this release
use PowerPC unaligned loads and stores with Power8
add SKIPJACK test vectors
fix SHAKE-128 and SHAKE-256 compile
removed IS_NEON from Makefile
fix Aarch64 build on Fedora 29
fix missing GF2NT_233_Multiply_Reduce_CLMUL in FIPS DLL
add missing BLAKE2 constructors
fix missing BlockSize() in BLAKE2 classes
Version 8.1.0
minor release, no recompile of programs required
expanded community input and support
56 unique contributors as of this release
fix OS X PowerPC builds with Clang
add Microsoft ARM64 support
fix iPhone Simulator build due to missign symbols
add CRYPTOPP_BUGGY_SIMD_LOAD_AND_STORE
add carryless multiplies for NIST b233 and k233 curves
fix OpenMP build due to use of OpenMP 4 with down-level compilers
add SignStream and VerifyStream for ed25519 and large files
fix missing AlgorithmProvider in PanamaHash
add SHAKE-128 and SHAKE-256
fix AVX2 build due to _mm256_broadcastsi128_si256
add IETF ChaCha, XChaCha, ChaChaPoly1305 and XChaChaPoly1305
Version 8.0.0
major release, recompile of programs required
expanded community input and support
54 unique contributors as of this release
add x25519 key exchange and ed25519 signature scheme
add limited Asymmetric Key Package support from RFC 5958
add Power9 DARN random number generator support
add CHAM, HC-128, HC-256, Hight, LEA, Rabbit, Simeck
fix FixedSizeAllocatorWithCleanup may be unaligned on some platforms
cutover to GNU Make-based cpu feature tests
rename files with dashes to underscores
fix LegacyDecryptor and LegacyDecryptorWithMAC use wrong MAC
fix incorrect AES/CBC decryption on Windows
avoid Singleton<T> when possible, avoid std::call_once completely
fix SPARC alignment problems due to GetAlignmentOf<T>() on word64
add ARM AES asm implementation from Cryptogams
remove CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS support
