Commit graph

9413 commits

Author SHA1 Message Date
adam
bd6dd8b3bb py-m2crypto: updated to 0.30.1
0.30.1:
- Fix packaging (missed packaging testing file)
2018-04-30 08:51:15 +00:00
ryoon
a1a1d3360a Remove required version 2018-04-30 06:52:06 +00:00
ryoon
9444e74415 Revert previous security/openssl is 1.0
Pointed by wiz@, thank you.
2018-04-30 06:50:58 +00:00
ryoon
1826aedfab Fix build with OpenSSL 1.1
* From Fedora's xml-security-c-1.7.3_openssl1.1.patch
* Use OpenSSL 1.1 with BUILDLINK_API_DEPENDS
2018-04-30 05:25:24 +00:00
adam
35aa3efc12 revbump for boost-libs update 2018-04-29 21:31:17 +00:00
dholland
8a8150b5cb Bump PKGREVISION for previous. 2018-04-29 06:00:39 +00:00
wiz
e3801e2eb0 polkit: update to 0.114.
--------------
polkit 0.114
--------------

WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.

This is polkit 0.114.

Highlights:
 Port to mozjs 52, the latest version of the firefox JavaScript engine.

 Add gettext support for policy files

 Fixes for various memory leaks

Build requirements

 glib, gobject, gio    >= 2.32
 mozjs-52
 gobject-introspection >= 0.6.2 (optional)
 pam (optional)
 ConsoleKit OR systemd

Changes since polkit 0.113:

Anders Jonsson (2):
      pkcheck: fix man typos
      Add Swedish translation

Antoine Jacoutot (1):
      Add support for OpenBSD

Christian Kirbach (1):
      Add German translation

Colin Walters (3):
      build: Pull in GCC warning infra from ostree
      build: Use AC_USE_SYSTEM_EXTENSIONS
      tests: Correct boundary test for overflow

Dariusz Gadomski (2):
      Fix multi-line pam text info.
      Refactor send_to_helper usage

Gabor Kelemen (1):
      Add initial Hungarian translation, and add hu to LINGUAS

Jeremy Linton (5):
      change mozjs interface module to c++
      Switch to hard requiring mozjs24
      Fix warnings caused by building with C++
      Replace autocompartment
      test: Add a test case to handle actions without explicit rules

Jiří Klimeš (1):
      trivial: fix deprecated indication for polkit_agent_register_listener()

Matthias Clasen (1):
      Add gettext support for .policy files

Miloslav Trmač (21):
      Post-release version bump to 0.114
      Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
      Fix a memory leak of PolkitAgentListener's Server object
      Remove polkitbackendconfigsource.[ch]
      Add Slovak translation by Dusan Kazik <prescott66@gmail.com>
      Add Indonesian translation by Andika Triwidada
      Add Chinese (Taiwan) translation
      Fix a typo in polkit(8)
      Simplify GVariant reference counting
      Fix a memory leak on an error path of lookup_asv (twice)
      Fix a memory leak in server_handle_register_authentication_agent_with_options
      Fix a memory leak in server_handle_unregister_authentication_agent
      Fix a memory leak in server_handle_authentication_agent_response{,2}
      Fix memory leaks in server_handle_*_temporary_authorizations
      Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
      Fix a memory leak per agent authentication
      Fix a memory leak on agent authentication cancellation
      Audit and fix GVariant reference counting
      Fix help for (pkttyagent -s)
      Fix a race condition when terminating runaway_killer_thread
      Move to current GLib

Mingye Wang (Arthur2e5) (1):
      Add zh_CN translation

Muhammet Kara (1):
      Added Turkish translation

OBATA Akio (1):
      Add support for NetBSD

Peter Hutterer (1):
      gettext: switch to default-translate "no"

Philip Withnall (3):
      polkit: Add g_autoptr() support for GObject-derived polkit types
      data: Set GIO_USE_VFS=local in the environment
      polkitbackend: Fix typos in a couple of initialisation error messages

Piotr Drąg (1):
      Add Polish translation

Rafael Fontenelle (1):
      Add Brazilian Portuguese translation

Ray Strode (34):
      configure: bump mozjs requirement to 52
      jsauthority: fix how classes are defined
      jsauthority: use JS_FN instead of JS_FS
      jsauthority: get rid of JSRuntime
      jsauthority: change how setVersion is called
      jsauthority: call JS_Init
      jsauthority: call JS_InitSelfHostedCode
      jsauthority: change how JIT is disabled
      jsauthority: JS::SetWarningReporter instead of JS_SetErrorReporter
      jsauthority: add UTF8 suffix to renamed functions
      jsauthority: pass "%s" format string to report functions
      jsauthority: s/JSBool/bool/
      jsauthority: s/jsval/JS::Value/
      jsauthority: s/JSVAL_NULL/JS::NullValue()/
      jsauthority: s/JSVAL_VOID/JS::UndefinedValue()/
      jsauthority: s/OBJECT_TO_JSVAL/JS::ObjectValue/
      jsauthority: s/STRING_TO_JSVAL/JS::StringValue/
      jsauthority: s/BOOLEAN_TO_JSVAL/JS::BooleanValue/
      jsauthority: JSVAL_TO_OBJECT (o) to o.toObjectOrNull()
      jsauthority: JSVAL_TO_STRING (s) to s.toString()
      jsauthority: JSVAL_IS_STRING (s) to s.isString()
      jsauthority: JSVAL_IS_NULL (o) to o.isNull()
      jsauthority: Fix up JS_CallFunctionName invocations
      jsauthority: use InterruptCallback api instead of OperationCallback
      jsauthority: redo how global objects are set up
      jsauthority: root some locals to the context
      jsauthority: adapt arguments for new JS::Compile API
      jsauthority: adapt arguments for new JS_ExecuteScript API
      jsauthority: use JS::Evaluate instead of JS_EvaluateScript
      jsauthority: fix up set_property methods
      jsauthority: stop using JS_GetStringCharsZ
      jsauthority: switch from JS_ConvertArguments to JS::CallArgsFromVp
      jsauthority: re-enable JIT
      Port JavaScript authority to mozjs52

Rui Matos (1):
      polkitpermission: Fix a memory leak on authority changes

Sebastien Bacher (1):
      Support polkit session agent running outside user session

Stef Walter (2):
      polkitagent: Fix access after dereference on hashtable
      polkitagent: No double warnings in polkit_agent_listener_register()

Sven Eden (1):
      configure: enable elogind support in PolicyKit

Yuri Chornoivan (1):
      Add Ukrainian translation

enkore (1):
      Fix abnomal formatting of authentication header lines

muzena (1):
      Add hr.po

Thanks to our contributors.

Colin Walters and Miloslav Trmač,
April 2, 2017
2018-04-29 05:14:36 +00:00
dholland
aad8206af6 Set BUILDLINK_API_DEPENDS.gmp to require gmp>=5.0, per PR 52250.
Otherwise on Solaris it finds a really old builtin gmp and fails.
2018-04-29 04:09:08 +00:00
dholland
943e97a438 Use <ctype.h> properly. Noted in PR 51821. 2018-04-29 03:41:42 +00:00
wiz
7b8f46957d py-certifi: update to 2018.4.16.
No changelog found, assuming update to latest mozilla certs.
2018-04-27 14:38:41 +00:00
fhajny
d509f30245 security/vault: Update to 0.10.1.
DEPRECATIONS/CHANGES:

- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
  v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
  and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
  mount can now see information about that mount, such as its type and
  options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
  entities but these would not be able to be used successfully (even locally)
  in replicated scenarios. We have now disallowed entities and groups from
  being created for local mounts in the first place.

FEATURES:

- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
  client IP seen by Vault. See the TCP listener configuration
  page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
  CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
  expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
  modifying only some values in existing data at a K/V path, but uses
  check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
  local to the cluster. This enables performance secondaries to generate and
  consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
  AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
  only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
  mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
  and migration between key and encryption types, such as from AES-CBC to
  AES-GCM, can be performed at the same time (where supported).

IMPROVEMENTS:

- auth/approle: Support for cluster local secret IDs. This enables secondaries
  to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
  identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
  revoke associated tokens, but while the entity is disabled they cannot be
  used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
  the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
  concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
  engines will show you the ones you implicitly have access to (because you have
  access to to secrets in those engines)

BUG FIXES:

- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
  mounts
- identity: Fix error preventing authentication using local mounts on
  performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
  pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
  interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
  api calls. This should fix needing "update" capabilites to read IAM
  credentials in the AWS secrets engine
2018-04-27 14:02:41 +00:00
adam
7f3c9ca1c4 py-m2crypto: updated to 0.30.0
0.30.0:
- Various small typos (Windows builds, Fix SSL.Connection.__del__)
- The project is now Linux-distribution agnostic
- Replace all old-style classes with the new ones (it shouldn't cause
  any problems, but feel free to file an issue, if it does)
- Do not by-pass a potential transfer decoding in m2urllib2
- Update M2Crypto.six with 1.11.0 and replace our local workarounds with
  new functions.
- SSLv3 just removed.
- Don't support Python 2.6 on Windows anymore. Windows users don't have
  python as a system package, so they are usually more likely to upgrade
  anyway.
2018-04-27 06:47:25 +00:00
wen
b0494ef5ce Update to 1.04
Upstream changes:
1.04  Fri Apr 20 16:25:30 MST 2018
	- silenced compiler warnings from VS2017
		-- ref. rt.cpan.org #124477
		-- thanks to Sergey Aleynikov for diagnostics
	- modified addfile to return error when given a directory name
		-- makes behavior consistent with GNU coreutils shaXsum
		-- thanks to Scott Baker for pointing this out
2018-04-22 11:41:36 +00:00
wiz
f367007762 *: gd.tuwien.ac.at/ftp.tuwien.ac.at is gone, remove it from various mastersites 2018-04-21 13:38:04 +00:00
wiz
a81318c607 Commit missing part of gnutls recursive bump.
Noted by Patrick Welche.
2018-04-19 22:12:25 +00:00
wen
0ed03edbbb Update to 0.14
Add missing DEPENDS

Upstream changes:
0.14  2018-04-17 rurban
        - add library paths to LIBS from Crypt::OpenSSL::Guess (akiym, PR #6)

0.13  2018-04-14 rurban
        - move Crypt::OpenSSL::Guess to configure dependency. (grinnz, PR #4)

0.12  2018-04-13 rurban
        - use Crypt::OpenSSL::Guess to resolve OpenSSL include path,
          fixes MacOS's homebrew OpenSSL installation problem. (akiym, PR #3)
2018-04-19 06:57:57 +00:00
wen
2e0dcf4164 Add p5-Crypt-OpenSSL-Guess. 2018-04-19 06:50:42 +00:00
wen
e0f62c277d Import Crypt::OpenSSL::Guess-0.11 as security/p5-Crypt-OpenSSL-Guess.
Crypt::OpenSSL::Guess provides helpers to guess OpenSSL include path
on any platforms.
2018-04-19 06:49:11 +00:00
wen
81cfd26475 Update to 0.059
Upstream changes:
0.059   2018-03-25
        - new Crypt::Digest::Keccak(224|256|384|512)
        - new methods sign_hash_rfc7518 + verify_hash_rfc7518 (Crypt::PK::ECC)
        - improved import of pkcs#8 private keys (Crypt::PK::ECC)
        - improved export allowing "compressed" variants (Crypt::PK::ECC)
        - fix #28 Apple's APNS pkcs8 auth key import fails (Crypt::PK::ECC)
        - fix cpantesters failure (5.8.1 related)
2018-04-19 03:12:32 +00:00
kamil
46528288c1 py-libtaxii: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:59:36 +00:00
kamil
c39007dcc5 sign: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:56:42 +00:00
kamil
89217a857c keychain: Improve distinfo
Reuse the GitHub framework and stop using plain ${PKGVERSION_NOREV}.zip for
distfile name.

No functional change intended.
2018-04-18 19:25:27 +00:00
adam
676d6e7c91 py-asn1-modules: updated to 0.2.1
Revision 0.2.1, released 23-11-2017
- Allow ANY DEFINED BY objects expanding automatically if requested
- Imports PEP8'ed

Revision 0.1.5, released 10-10-2017
- OCSP response blob fixed in test
- Fixed wrong OCSP ResponderID components tagging

Revision 0.1.4, released 07-09-2017
- Typo fixed in the dependency spec

Revision 0.1.3, released 07-09-2017
- Apparently, pip>=1.5.6 is still widely used and it is not PEP440
  compliant. Had to replace the `~=` version dependency spec with a
  sequence of simple comparisons to remain compatible with the aging pip.

Revision 0.1.2, released 07-09-2017
- Pinned to pyasn1 ~0.3.4

Revision 0.1.1, released 27-08-2017
- Tests refactored into proper unit tests
- pem.readBase64fromText() convenience function added
- Pinned to pyasn1 0.3.3
2018-04-18 09:43:27 +00:00
adam
3267424711 py-asyncssh: updated to 1.12.2
Release 1.12.2:
Added support for using pathlib objects as paths in calls to SFTP methods, in addition to Unicode and byte strings. This is mainly intended for use in constructing local paths, but it can also be used for remote paths as long as POSIX-style pathlib objects are used and an appropriate path encoding is set to handle the conversion from Unicode to bytes.
Changed server EXT_INFO message to only be sent after the first SSH key exchange, to match the specification recently published in RFC 8308.
Fixed edge case in TCP connection forwarding where data received on a forward TCP connection was not delivered if the connection was closed or half-closed before the corresponding SSH tunnel was fully established.
Made note about OpenSSH not properly handling send_signal more visible.
2018-04-18 07:01:23 +00:00
adam
48e82d850f py-cryptodome: updated to 3.6.1
3.6.1:
New features
Added Google Wycheproof tests (https://github.com/google/wycheproof) for RSA, DSA, ECDSA, GCM, SIV, EAX, CMAC.
New parameter mac_len (length of MAC tag) for CMAC.

Resolved issues
In certain circumstances (at counter wrapping, which happens on average after 32 GBi) AES GCM produced wrong ciphertexts.
Method encrypt() of AES SIV cipher could be still called, whereas only encrypt_and_digest() should be allowed.
2018-04-18 04:34:13 +00:00
schmonz
3460c0e6cd Fix PLIST on Darwin. 2018-04-18 00:46:25 +00:00
wiz
e5209a786e Add p11-kit to gnutls/bl3.mk and bump dependencies. 2018-04-17 22:29:31 +00:00
wiz
e03e208e97 gnutls: enable p11-kit.
PKCS#11 support is needed by glib-networking.
2018-04-17 13:28:53 +00:00
wiz
e632701894 p11-kit: update to 0.23.10.
This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.

0.23.10 (devel)
 * filter: Respect "write-protected" vendor-specific attribute in
   PKCS#11 URI [PR#129]
 * server: Improve shell integration and documentation [PR#107, PR#108]
 * proxy: Reuse existing slot ID mapping in after fork() [PR#120]
 * trust: Forcibly mark "Default Trust" read-only [PR#123]
 * New function p11_kit_override_system_files() which can be used for
   testing [PR#110]
 * trust: Filter out duplicate extensions [PR#69]
 * Update translations [PR#128]
 * Bug fixes [PR#125, PR#126]

0.23.9 (devel)
 * Fix p11-kit server regressions [PR#103, PR#104]
 * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
 * Build fixes related to reallocarray [PR#96, PR#98, PR#100]

0.23.8 (devel)
 * Improve vendor query attributes handling in PKCS#11 URI [PR#92]
 * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
 * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
   configurations [PR#87]
 * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]

0.23.7 (devel)
 * Fix memory issues with "p11-kit server" [PR#78]
 * Build fixes [PR#77 ...]

0.23.6 (devel)
 * Port "p11-kit server" to Windows and portability fixes of the RPC
   protocol [PR#67, PR#72, PR#74]
 * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
 * Build fixes [PR#63 ...]

0.23.5 (devel)
 * Fix license notice of common/unix-peer.c [PR#58]
 * Remove systemd unit files for now [PR#60]
 * Build fixes for FreeBSD [PR#56]

0.23.4 (devel)
 * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
   PR#37, PR#52]
 * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
   attribute, used by Firefox [#99453, PR#46]
 * Add 'trust dump' command to dump all PKCS#11 objects in the
   persistence format [PR#44]
 * New experimental 'p11-kit server' command that allows PKCS#11
   forwarding through a Unix domain socket.  A client-side module
   p11-kit-client.so is also provided [PR#15]
 * Add systemd unit files for exporting the proxy module through a
   Unix domain socket [PR#35]
 * New P11KitIter API to iterate over slots, tokens, and modules in
   addition to objects [PR#28]
 * libffi dependency is now optional [PR#9]
 * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]

0.23.3 (devel)
 * Install private executables in libexecdir [#98817]
 * Fix link error of proxy module on macOS [#98022]
 * Use new PKCS#11 URI specification for URIs [#97245]
 * Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
 * Incorporate changes from PKCS#11 2.40 specification
 * Bump libtool library version
 * Documentation fixes
 * Build fixes [#87192 ...]

0.23.2 (devel)
 * Fix forking issues with libffi [#90289 ...]
 * Updated translations
 * Build fixes [#90827 #89081 #92434 #92520 #92445 #92551 #92843 #92842 #92807 #93211 ...]

0.23.1 (devel)
 * Use new PKCS#11 URI draft fields for URIs [#86474 #87582]
 * Add pem-directory-hash extract format
 * Build fixes
2018-04-17 13:26:15 +00:00
christos
ffdec1b556 upgrade to 2.1.27-rc7 so that we can use it with openssl-1.1 2018-04-17 01:57:17 +00:00
wiz
8ee21bdcf0 Recursive bump for new fribidi dependency in pango. 2018-04-16 14:33:44 +00:00
wiz
cb3dfa903d libsecret: update to 0.18.6.
0.18.6
 * Fix shared key derivation between libsecret and gnome-keyring [#778357]
 * Avoid run-time error when gnome-keyring is not responding [#787391]
 * Enable cross compilation [#748111]
 * Port build scripts to Python 3 [#687637]
 * Build and test fixes [#767002, #777826, #734630, #768112]
 * GI annotation fixes [#785034]
 * Fix textual typos [#782206, ...]
 * Updated translations
2018-04-16 13:06:57 +00:00
fhajny
a624c3d255 security/py-josepy: Update to 1.1.0.
- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
  cryptography instead of the deprecated methods signer and
  verifier.
2018-04-16 12:19:36 +00:00
adam
299d329d51 revbump after icu update 2018-04-14 07:33:52 +00:00
jaapb
56ed9d3f04 Revbump associated with the upgrade of lang/ocaml
(this is the upgrade from 4.06 to 4.06.1)
2018-04-13 13:55:27 +00:00
adam
91d415325b py-gssapi: updated to 1.5.0
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()

Bugfixes
Handle GSS_NO_OID_SET when creating sets
2018-04-13 09:27:30 +00:00
fhajny
35e37afea5 security/py-certbot: Update to 0.23.0.
### Added

- Support for OpenResty was added to the Nginx plugin.

### Changed

- The timestamps in Certbot's logfiles now use the system's local time
  zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
  be able to create and delete multiple TXT records on a single
  domain.
- certbot-dns-google's test suite now works without an internet
  connection.

### Fixed

- Removed a small window that if during which an error occurred,
  Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
  `listen` directives when creating a new server block in the Nginx
  plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
  now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
  when it's not currently running on RHEL and Gentoo based systems.
2018-04-13 08:14:28 +00:00
adam
cb8b816ca3 py-cryptodome: updated to 3.6.0
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.

Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
2018-04-13 07:28:39 +00:00
adam
ff82051373 gnupg2: updated to 2.2.6
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
  from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
  released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
  passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
  signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
  sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
  explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
  origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
  gracefully.
* Fix corner cases related to specified home directory with
  drive letter on Windows.
* Allow the use of UNC directory names as homedir.
2018-04-12 07:02:03 +00:00
adam
24c6c03acf libgpg-error: updated to 1.29
Noteworthy changes in version 1.29:
* The yat2m tool is during cross-compile now also installed on the
  host platform.
* New option parser and associated functions similar to the one used
  by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse                  New.
gpgrt_usage                     New.
gpgrt_strusage                  New.
gpgrt_set_strusage              New.
gpgrt_set_usage_outfnc          New.
gpgrt_set_fixed_string_mapper   New.
GPGRT_ENABLE_ARGPARSE_MACROS    New macro.
gpgrt_b64enc_start              New.
gpgrt_b64enc_write              New.
gpgrt_b64enc_finish             New.
2018-04-12 06:56:17 +00:00
fhajny
d3edb9a7a5 security/vault: Update to 0.10.0.
SECURITY:

- Log sanitization for Combined Database Secret Engine: In certain failure
  scenarios with incorrectly formatted connection urls, the raw connection
  errors were being returned to the user with the configured database
  credentials. Errors are now sanitized before being returned to the user.

DEPRECATIONS/CHANGES:

- Database plugin compatibility: The database plugin interface was enhanced to
  support some additional functionality related to root credential rotation
  and supporting templated URL strings. The changes were made in a
  backwards-compatible way and all builtin plugins were updated with the new
  features. Custom plugins not built into Vault will need to be upgraded to
  support templated URL strings and root rotation. Additionally, the
  Initialize method was deprecated in favor of a new Init method that supports
  configuration modifications that occur in the plugin back to the primary
  data store.
- Removal of returned secret information: For a long time Vault has returned
  configuration given to various secret engines and auth methods with secret
  values (such as secret API keys or passwords) still intact, and with a
  warning to the user on write that anyone with read access could see the
  secret. This was mostly done to make it easy for tools like Terraform to
  judge whether state had drifted. However, it also feels quite un-Vault-y to
  do this and we've never felt very comfortable doing so. In 0.10 we have gone
  through and removed this behavior from the various backends; fields which
  contained secret values are simply no longer returned on read. We are
  working with the Terraform team to make changes to their provider to
  accommodate this as best as possible, and users of other tools may have to
  make adjustments, but in the end we felt that the ends did not justify the
  means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
  configured locally for policy assignment in a case insensitive fashion by
  default. Existing configurations will continue to work as they do now;
  however, the next time a configuration is written `case_sensitive_names`
  will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
  the core of Vault to ensure consistency across all backends. Since this was
  previously delegated to individual backends, there may be some slight
  differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
  by default at initialization time (it will still be available in `dev`
  mode).

FEATURES:

- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
  features are only available with a supporting version of Vault, but the code
  base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
  flexible versioning of values, check-and-set protections, and more. A new
  `vault kv` subcommand allows friendly interactions with it. Existing mounts
  of the `kv` backend can be upgraded to the new versioned mode (downgrades
  are not currently supported). The old "passthrough" mode is still the
  default for new mounts; versioning can be turned on by setting the
  `-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
  their own configured admin/root credentials, allowing configured credentials
  for a database connection to be rotated immediately after sending them into
  Vault, invalidating the old credentials and ensuring only Vault knows the
  actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
  allows authenticating Azure machines to Vault using Azure's Managed Service
  Identity credentials. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
  information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
  generating secrets to allow access to GCP. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
  information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
  logs can be turned off for specific keys in the request input map and
  response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
  through to backends on a per-mount basis. This is useful in various cases
  when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
  aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
  authentication methods.
- UI (Enterprise): View and edit Sentinel policies.

IMPROVEMENTS:

- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
  operations
- storage/mysql: Allow setting max idle connections and connection lifetime

- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI

BUG FIXES:

- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
  parent prefix entry in the underlying storage backend. These operations also
  mark corresponding child tokens as orphans by removing the parent/secondary
  index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
  with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
  on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
  on transit keys. Capabilities are now checked when attempting to encrypt /
  decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
  from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
  to view the root of a secret engine. The link now sends them back to the list
  of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
  paths.
- cli: Fix an issue where generating a dr operation token would not output the
  token
2018-04-11 15:35:49 +00:00
markd
ba4f2fe9c4 kf5: update to 5.44.0
3 months of bugfixes.
2018-04-11 11:50:34 +00:00
maya
bd90b6e9e3 libgpg-error: Fix build error on ARM via upstream patch.
PR pkg/53106, upstream fix noted by Matthias Peterman.
Bump PKGREVISION.
2018-04-11 08:29:24 +00:00
wen
a46b63d8f3 Update to 1.07
Upstream changes:
*** 1.07 April 5, 2018

Fix: rt.cpan.org #124880
	1.06 will not install on macOS

Feature
	Support for Ed25519 and Ed448 algorithms
2018-04-10 10:58:12 +00:00
triaxx
b934b83f20 Fix broken package due to invalid INSTALLATION_DIRS 2018-04-07 10:53:34 +00:00
wiz
b0a1c42aa0 keepassxc: remove now unnecessary qt5 hacks. 2018-04-07 07:35:50 +00:00
jnemeth
a9607c53b3 sort 2018-04-05 05:20:59 +00:00
jperkin
db6ed476ce libgpg-error: SunOS needs libsocket. 2018-04-04 08:08:54 +00:00
minskim
b47c072a9c security/Makefile: Add py-OTXv2 2018-04-03 14:33:54 +00:00
minskim
71511971e3 security/py-OTXv2: Import version 1.2
OTX Direct Connect agents provide a way to automatically update your
security infrastructure with pulses you have subscribed to from with
Open Threat Exchange. By using Direct Connect, the indicators
contained within the pulses you have subscribed to can be downloaded
and made locally available for other applications such as Intrusion
Detection Systems, Firewalls, and other security-focused applications.
2018-04-03 14:33:50 +00:00