Commit graph

11691 commits

Author SHA1 Message Date
adam
90d6ed838d libgpg-error: updated to 1.45
Noteworthy changes in version 1.45 (2022-04-07)
-----------------------------------------------

 * Support the "sysopen" mode parameter for gpgrt_fopen so that file
   names longer than MAX_PATH can be supported under Windows.

 * gpgrt_access and gpgrt_mkdir now support file names longer than
   MAX_PATH.

 * gpgrt_fopen now maps "/dev/null" to "nul" on Windows.

 * Published some internal helper functions for Windows.

 * Interface changes relative to the 1.42 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgrt_free_wchar                 NEW.
 gpgrt_fname_to_wchar             NEW.
 gpgrt_utf8_to_wchar              NEW.
 gpgrt_wchar_to_utf8              NEW.
2022-04-08 06:39:42 +00:00
adam
bb385287d9 py-gssapi: updated to 1.7.3
v1.7.3:
Fix up sha512sum file generation in the GitHub release asset
Added Python type annotation to classes and functions
2022-04-07 07:16:20 +00:00
tnn
e0244102bf netpgpverify: add configure quirks to get strtoull on legacy platforms 2022-04-03 22:22:55 +00:00
ast
1b3acaab20 security/p5-Crypt-OpenPGP: installs an executable requiring devel/p5-Term-ReadKey 2022-04-03 07:53:14 +00:00
ast
c88ea651fe Update to 1.19
Upstream changes:
1.19 Oct 11, 2021

        Use new EVP_PKEY construction API for OpenSSL post 3.x.x.

        Remove support for obsolete ECC-GOST.

        Add LICENSE file to comply with Fedora/RedHat announcement
        and WARNING of restrictions on use of strong cryptography.
2022-04-03 07:40:44 +00:00
nia
0aed7a7bf1 libstark: fix build 2022-04-02 11:31:54 +00:00
nia
08d8654358 pam-af: Respect LDFLAGS. Fixes RELRO build. 2022-04-02 11:12:01 +00:00
nia
79b84a3653 pam-passwdqc: Respect LDFLAGS. Fixes RELRO build. 2022-04-02 11:08:47 +00:00
wiz
a8a34564df *: finish move of botan to versioned directories 2022-04-01 08:07:28 +00:00
wiz
6751dd67a1 botan2: fix bl3.mk 2022-04-01 08:06:26 +00:00
wiz
539d573a6c botan1: pkglint fixes 2022-04-01 08:04:55 +00:00
wiz
682cf03c85 security/botan2: import botan-2.19.1
Reimported from security/botan-devel.

Botan is a crypto library written in C++. It provides a variety of
cryptographic algorithms, including common ones such as AES, MD5, SHA,
HMAC, RSA, Diffie-Hellman, DSA, and ECDSA, as well as many others that
are more obscure or specialized. It also offers X.509v3 certificates
and CRLs, and PKCS #10 certificate requests. A message processing
system that uses a filter/pipeline metaphor allows for many common
cryptographic tasks to be completed with just a few lines of code.
Assembly optimizations for common CPUs, including x86, x86-64, and
PowerPC, offer further speedups for critical tasks such as SHA-1
hashing and multiple precision integer operations.

This package contains major version 2 of the library.

The version contains a much improved TLS infrastructure.  It also
depends on C++11.
2022-04-01 08:01:11 +00:00
wiz
ec1fed7349 security/botan1: import botan-1.10.17nb1
Reimported from security/botan.

Botan is a crypto library written in C++. It provides a variety of
cryptographic algorithms, including common ones such as AES, MD5, SHA,
HMAC, RSA, Diffie-Hellman, DSA, and ECDSA, as well as many others that
are more obscure or specialized. It also offers X.509v3 certificates
and CRLs, and PKCS #10 certificate requests. A message processing
system that uses a filter/pipeline metaphor allows for many common
cryptographic tasks to be completed with just a few lines of code.
Assembly optimizations for common CPUs, including x86, x86-64, and
PowerPC, offer further speedups for critical tasks such as SHA-1
hashing and multiple precision integer operations.

Botan is licensed under the same permissive terms as NetBSD itself.

This package contains the old major version 1 of the library.
2022-04-01 08:00:34 +00:00
wiz
63dc50e409 *: recursive bump for botan-devel shlib bump 2022-03-31 23:30:16 +00:00
wiz
f34321de37 botan: update to 2.19.1.
Version 2.19.1, 2022-01-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a compilation problem affecting macOS XCode (GH #2880)

* Fix a build problem preventing amalgamation builds in 2.19.0
  (GH #2879)

Version 2.19.0, 2022-01-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a forward error correction code compatible with the
  zfec library (GH #2868 #2866)

* Improve Emscripten build (GH #2864)

* Always use ``-L`` before build flags (GH #2858 2848)

* Fix compilation issue on earlier macOS versions (GH #2851)

* Add a GCC 4.8 CI target to prevent build regressions (GH #2869)

* Add support for Loongarch64 (GH #2877)

* Check OSXSAVE flag before using AVX2 instructions (GH #2878)

Version 2.18.2, 2021-10-25
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Avoid using short exponents when encrypting in ElGamal, as some PGP
  implementations generate keys with parameters that are weak when
  short exponents are used (GH #2794)

* Fix a low risk OAEP decryption side channel (GH #2797)

* Work around a miscompilation of SHA-3 caused by a bug in Clang 12
  and XCode 13. (GH #2826)

* Remove support in OpenSSL provider for algorithms which are
  disabled by default in OpenSSL 3.0 (GH #2823, #2814)

* Add CI based on GitHub actions to replace Travis CI (GH #2632)

* Fix the online OCSP test, as the certificate involved had expired.
  (GH #2799)

* Fix some test failures induced by the expiration of the trust root
  "DST Root CA X3" (GH #2820)

Version 2.18.1, 2021-05-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a build regression in 2.18.0 which caused linker flags which
  contain ``-l`` within them (such as ``-fuse-linker-plugin``) to
  be misinterpreted. (GH #2715)

* Fix a bug which caused decoding a certificate which contained
  more than one name in a single RDN. (GH #2611 #2630 #2724)

* Fix a bug which caused OID lookup failures when run in a locale
  which uses thousands separators (pt_BR was reported as having
  this issue). (GH #2732 #2730 #2237)

* DNS names in name constraints were compared with case sensitivity, which
  could cause valid certificates to be rejected. (GH #2739 #2735)

* X.509 name constraint extensions were rejected if non-critical. RFC 5280
  requires conforming CAs issue such extensions as critical, but not all
  certificates are compliant, and all other known implementations do not
  require this. (GH #2739 #2736)

* X.509 name constraints were incorrectly applied to the certificate which
  included the constraint. (GH #2739 #2737)

Version 2.18.0, 2021-04-15
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for implementing custom RNG objects through the
  FFI interface (GH #2627 #2600)

* Improve safegcd bounds, improving runtime performance (GH #2628 #2619)

* Fix a bug introduced in 2.9.0 where BigInt::operator< would return
  an incorrect result if both operands were negative. (GH #2641 #2638)

* Reject non-TLS messages as quickly as possible without waiting for
  a full record. (GH #2676)

* Add build support for RISC-V 32

* Fixes for TLS::Stream::async_shutdown (GH #2673)

* Fix a regression introduced in 2.17.0 where LDFLAGS which add an extra
  library (such as ``-latomic`` needed on SPARC) were not always applied
  effectively. (GH #2622 #2623 #2625)
2022-03-31 23:24:22 +00:00
wiz
0f6341b8bd *: recursive bump for vala 0.56 2022-03-30 10:02:21 +00:00
wiz
983c01ed03 tor-browser-https-everywhere: update to 2022.3.24.
2022.3.24
* Remove double prompt for EASE mode
* Add background tab to instruct users on how to turn on HTTPS-only mode in major browsers
* Dependency and rules updates
2022-03-30 09:23:29 +00:00
wiz
c4dabfc56d keepassxc: update to 2.7.0.
pkgsrc change: fix readline for CLI, enable browser support.

## 2.7.0 (2022-03-21)

### Major Additions
- Implement KDBX 4.1 [#7114]
- Add direct write save option for cloud storage and GVFS [#6594]
- Prevent screen capture on Windows and macOS [#6030]
- Support quick unlock using Windows Hello [#7384]
- Support quick unlock using Apple Watch [#5526]
- Allow specifying database backup paths [#7035]
- Add tag functionality [#6487][#7436][#7446]
- Add password rating column to entry view [#4797]
- Add group clone action [#6124]
- Show modifications between entry history items [#6789]
- Ability to bulk-delete and purge unused custom icons [#5970]
- Support adding custom passphrase wordlists [#6799]
- Support passphrase wordlists in numbered and PGP-signed formats [#6791]
- Implement support for hardware keys via wireless NFC [#6895]
- SSH Agent: Add support for OpenSSH 8.2 FIDO/U2F keys [#6371]
- CLI: Implement attachment handling [#5538]
- CLI: Add support for okon in offline HIBP checks [#5478]
- CLI: Implement `search` command and remove `locate` [#6805]
- CLI: Add db statistic output to `db-info` command [#7032]
- CLI: Add -i/--include option to `generate` command. [#7112]
- CLI: Add a -n (--notes) option to `add` and `edit` commands [#4646]
- CLI: Add keyfile option to `import` command [#5402]
- CLI: Adding a best option to clip to copy a password of the best match [#4489]
- Browser: Add Microsoft Edge support on Linux [#7100]
- Browser: Support native password generator from the extension [#6529]
- Browser: Add group settings [#4180]
- Browser: Add feature to ignore entries for HTTP-Auth Logins [#5394]
- Browser: Support triggering Auto-Type from browser extension [#6272]
- Browser: Add delete-entry command to API [#6899]
- Browser: Add search 'by-path' url to API [#5535]
- Browser: search for entries by UUID to API [#4763]
- Browser: Support auto-download of favicon on entry addition [#7179]
- Auto-Type: Major improvements to Auto-Type [#5864][#7463][#7435][#7391][#7129][#6400][#6364][#6361][#5283][#7507]
- Auto-Type: Fix typing to virtual machines on Windows [#7366]
- Auto-Type: Re-implement X11 keysym emulation [#7098]
- Auto-Type: Support multiple Xkb layouts [#6247]
- Auto-Type: Abort keystroke if modifiers held on X11 [#6351][#6357]
- Auto-Type: Add TOTP option to entry level Auto-Type menu [#6675]
- FdoSecrets: Major Refactor and Code Consolidation [#5747][#5660][#7043][#6915]
- FdoSecrets: Implement unlock before search [#6943]
- Reports: Add browser statistics report [#7197]

### Major Changes
- Port crypto backend to [Botan](https://github.com/randombit/botan) [#6209]
- Improve attachment handling and security [#6606][#5034][#7083]
- Allow selecting any open database in unlock dialog [#5427]
- KeeShare: Remove checking signed container and QuaZip dependency [#7223]
- Introduce security option to enable copy on double click (default off) [#6433]
- Add 'delete entry without confirm' functionality [#5812]
- Improve macOS and Windows platform integration [#5851]
- Lock only the current database by default [#6652]
- Show expired entries on DB unlock [#7290]
- Update D-Bus adaptor interface class name to match definition file [#7523]

### Other Changes and Fixes
- Add countdown progress bar to TOTP preview [#6930]
- Enter favicon url directly on icons page [#6614]
- Set C++17 as standard in the build system [#7180]
- Internalize ykcore into code base [#6654]
- Transition to Visual Studio builds on Windows [#5874]
- Ability to delete entries from health check reports [#6537]
- Enhance remembering last-used directories [#6711]
- Implement org.freedesktop.appearance.color-scheme support on Linux [#7422]
- Support sorting HTML export [#7011]
- Add display number of characters in passphrases [#5449]
- Use Alt+Tab on macOS to switch between databases [#5407]
- Add feature to sort groups using shortcut keys [#6999]
- Add CTRL+Enter to apply password generator changes [#6414]
- Display `Database created` timestamp on statistics report [#6876]
- Browser: Improve best matching credentials setting [#6893]
- SSH Agent: Use both Pageant and OpenSSH agent simultaneously on Windows [#6288]
- SSH Agent: Allow using database path to resolve keys [#6365]
- SSH Agent: Show correct error messages in main window [#7166]
- Multiple fixes for MSI installer [#6630]
- Fix tab order for CSV import dialog to match screen order [#7315]
- Don't mark kdbx:// urls as invalid [#7221]
- Make selected text copyable instead of copying password [#7209]
- Detect timestamp resolution for CSV files [#7196]
- Fix crash while downloading favicon [#7104]
- Correct naming of newly generated keyx files [#7010]
- Place the 'Recycle Bin' at the bottom of the list when groups are sorted [#7004]
- Handle tilde with custom browser paths [#6659]
- Don't scroll up when deleting an entry [#6833]
- Set the MIME-Type to text/plain when using wl-copy on wayland [#6832]
- Fix adaptive icon painting [#5989][#6033]
- Fix favicon download from URL with non-standard port [#5509]
- Ignore recycle bin on KeePassHTTP migration [#5481]
- Fix keepassxc-cr-recovery utility [#7521]
- Fix Auto-Type not working when audio recording indicator is active on macOS 12.2+ [#7526]
2022-03-30 09:06:18 +00:00
adam
c263e4a444 libgcrypt: updated to 1.10.1
Noteworthy changes in version 1.10.1 (2022-03-28)
-------------------------------------------------

 * Bug fixes:
   - Fix minor memory leaks in FIPS mode.
   - Build fixes for MUSL libc.

 * Other:
   - More portable integrity check in FIPS mode.
   - Add X9.62 OIDs to sha256 and sha512 modules.
2022-03-29 07:16:00 +00:00
tnn
7bbb76e634 {s,t,w}*/*: revbump(1) for libsndfile 2022-03-28 10:59:27 +00:00
wen
d9d347e036 Update to 0.15
Upstream changes:
0.15 2022-02-11T08:52:23Z

    - fix synopsis (PR#12 @skaji++)

0.14 2021-10-28T15:35:02Z

    - macOS: check dylib exists in library paths (PR#11)
    - backport from Net::SSLeay 1.91_01 (PR#10)
2022-03-20 01:48:58 +00:00
wen
52f0c1db2e Update to 0.034
Upstream changes:
0.034   2021-11-28
        - fix #32 ensure payload is serialized consistently (canonical)
2022-03-20 01:43:36 +00:00
adam
c80074a812 gnutls: updated to 3.7.4
Version 3.7.4 (released 2022-03-17)

** libgnutls: Added support for certificate compression as defined in RFC8879.
** certtool: Added option --compress-cert that allows user to specify compression
   methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
   option to enforce stricter certificate sanity checks that are compliant
   with RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
   and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function to retrieve the name of current ciphersuite
   from session.

** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added
2022-03-17 21:16:25 +00:00
adam
c73fe009fe py-acme py-certbot: updated to 1.25.0
Certbot 1.25.0

Changed

Dropped 32 bit support for the Windows beta installer
Windows beta installer is now distributed as "certbot-beta-installer-win_amd64.exe".
Users of the Windows beta should uninstall the old version before running this.
Added a check whether OCSP stapling is supported by the installer when requesting a
certificate with the run subcommand in combination with the --must-staple option.
If the installer does not support OCSP and the --must-staple option is used, Certbot
will raise an error and quit.
Certbot and its acme module now depend on josepy>=1.13.0 due to better type annotation
support.

Fixed

Updated dependencies to use new version of cryptography that uses OpenSSL 1.1.1n, in
response to https://www.openssl.org/news/secadv/20220315.txt.


Certbot 1.24.0

Added

When the --debug-challenges option is used in combination with -v, Certbot
now displays the challenge URLs (for http-01 challenges) or FQDNs (for
dns-01 challenges) and their expected return values.

Changed

Support for Python 3.6 was removed.
All Certbot components now require setuptools>=41.6.0.
The acme library now requires requests>=2.20.0.
Certbot and its acme library now require pytz>=2019.3.
certbot-nginx now requires pyparsing>=2.2.1.
certbot-dns-route53 now requires boto3>=1.15.15.

Fixed

Nginx plugin now checks included files for the singleton server_names_hash_bucket_size directive.
2022-03-17 12:23:31 +00:00
adam
677b32ee55 py-josepy: updated to 1.13.0
1.13.0 (2022-03-10)
-------------------

* Support for Python 3.6 has been deprecated and will be removed in the next
  scheduled release.
* Corrected some type annotations.
2022-03-17 08:16:22 +00:00
tnn
e0efc2c018 gnutls: fix build w/ latest xcode on Apple M1 2022-03-16 13:32:37 +00:00
wiz
453ef3bb61 openssl: update to 1.1.1n.
Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

      o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
        forever for non-prime moduli ([CVE-2022-0778])
2022-03-15 18:20:02 +00:00
nia
a0069d8311 security: Remove gpshell, libglobalplatform - broken for nearly 2 years 2022-03-15 18:18:55 +00:00
wiz
76c790b36b py-pip-audit: update to 2.1.0.
## [2.1.0] - 2022-03-11

### Added

* CLI: The `--skip-editable` flag has been added, allowing users to skip local
  packages or parsed requirements (via `-r`) that are marked as editable
  ([#244](https://github.com/trailofbits/pip-audit/pull/244))

* CLI: `pip-audit` can audit projects that list their dependencies in
  `pyproject.toml` files, via `pip-audit <dir>`
  ([#246](https://github.com/trailofbits/pip-audit/pull/246))
2022-03-14 14:02:00 +00:00
nia
b574dc39b3 *: Replace per-package msgfmt hacks with msgfmt-desktop.mk 2022-03-12 08:01:48 +00:00
nia
de7e849c83 security: Use hacks.mk to avoid NetBSD msgfmt on NetBSD only. 2022-03-12 07:28:19 +00:00
tnn
b68653ec61 hitch: update to 1.7.2
Minor bugfixes and build fixes.
2022-03-11 21:36:01 +00:00
wiz
7d52c31a33 py-cyclonedx-python-lib: update to 2.0.0.
Feature

    Bump dependencies (da3f0ca)
    Completed work on #155 (#172) (a926b34)
    Support complete model for bom.metadata (#162) (2938a6c)
    Support for bom.externalReferences in JSON and XML #124 (1b733d7)
    Complete support for bom.components (#155) (32c0139)
    Support services in XML BOMs (9edf6c9)

Fix

    license_url not serialised in XML output #179 (#180) (f014d7c)
    Component.bom_ref is not Optional in our model implementation (in the schema it is) - we generate a UUID if bom_ref is not supplied explicitly (5c954d1)
    Temporary fix for __hash__ of Component with properties #153 (a51766d)
    Further fix for #150 (1f55f3e)
    Regression introduced by first fix for #150 (c09e396)
    Components with no version (optional since 1.4) produce invalid BOM output in XML #150 (70d25c8)
    expression not supported in Component Licenses for version 1.0 (15b081b)

Breaking

    Adopt PEP-3102 (da3f0ca)
    Optional Lists are now non-optional Sets (da3f0ca)
    Remove concept of DEFAULT schema version - replaced with LATEST schema version (da3f0ca)
    Added BomRef data type (da3f0ca)
2022-03-08 09:08:29 +00:00
bsiegert
e2ad32e62b Revbump all Go packages after go117 update 2022-03-07 09:14:02 +00:00
adam
4b79cb020e py-josepy: updated to 1.12.0
1.12.0 (2022-01-11)
-------------------

* Corrected some type annotations.
* Dropped support for cryptography<1.5.
* Added the top level attributes josepy.JWKEC, josepy.JWKOct, and
  josepy.ComparableECKey for convenience and consistency.
2022-03-06 20:18:37 +00:00
jperkin
2c323d2040 dcfldd: Fix build on SunOS/x86. 2022-03-04 18:51:47 +00:00
ryoon
e0baf20961 xmlsec1: Update to 1.2.33
Changelog:
Not available in summary form.
2022-03-04 13:55:13 +00:00
wiz
e1b7ca90c5 openssl: update to 1.1.1m.
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12
2022-02-28 12:25:09 +00:00
kim
5bb2bb9629 security/ca-certificates: Fix mktemp usage 2022-02-28 06:46:52 +00:00
kim
63d954565e security/ca-certificates: Update to 20211016
ca-certificates (20211016) unstable; urgency=low

  [ Michael Shuler ]
  * Fix error on install when TEMPBUNDLE missing. Closes: #996005

 -- Julien Cristau <jcristau@debian.org>  Sat, 16 Oct 2021 18:09:43 +0200

ca-certificates (20211004) unstable; urgency=low

  [ Debian Janitor ]
  * Fix day-of-week for changelog entry 20090624.

  [ Julien Cristau ]
  * Create temporary ca-certificates.crt on the same file system.
    Closes: #923784
  * Don't remove ca-certificates.crt before updating it, so it doesn't
    go missing for a short while (closes: #920348).  Thanks, Dimitris
    Aragiorgis!
  * Bump package priority from optional to standard.
  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
    bundle to version 2.50
    The following certificate authorities were added (+):
    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
    + "GlobalSign Root R46"
    + "GlobalSign Root E46"
    + "GLOBALTRUST 2020"
    + "ANF Secure Server Root CA"
    + "Certum EC-384 CA"
    + "Certum Trusted Root CA"
    The following certificate authorities were removed (-):
    - "QuoVadis Root CA"
    - "Sonera Class 2 Root CA"
    - "GeoTrust Primary Certification Authority - G2"
    - "VeriSign Universal Root Certification Authority"
    - "Chambers of Commerce Root - 2008"
    - "Global Chambersign Root - 2008"
    - "Trustis FPS Root CA"
    - "Staat der Nederlanden Root CA - G3"
  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
  * mozilla/certdata2pem.py: print a warning for expired certificates.

 -- Julien Cristau <jcristau@debian.org>  Thu, 07 Oct 2021 17:12:47 +0200

ca-certificates (20210119) unstable; urgency=medium

  [ Julien Cristau ]
  * New maintainer (closes: #976406)
  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
    bundle to version 2.46.
    The following certificate authorities were added (+):
    + "certSIGN ROOT CA G2"
    + "e-Szigno Root CA 2017"
    + "Microsoft ECC Root Certificate Authority 2017"
    + "Microsoft RSA Root Certificate Authority 2017"
    + "NAVER Global Root Certification Authority"
    + "Trustwave Global Certification Authority"
    + "Trustwave Global ECC P256 Certification Authority"
    + "Trustwave Global ECC P384 Certification Authority"
    The following certificate authorities were removed (-):
    - "EE Certification Centre Root CA"
    - "GeoTrust Universal CA 2"
    - "LuxTrust Global Root 2"
    - "OISTE WISeKey Global Root GA CA"
    - "Staat der Nederlanden Root CA - G2" (closes: #962079)
    - "Taiwan GRCA"
    - "Verisign Class 3 Public Primary Certification Authority - G3"

  [ Michael Shuler ]
  * mozilla/blacklist:
    Revert Symantec CA blacklist (#911289). Closes: #962596
    The following root certificates were added back (+):
    + "GeoTrust Primary Certification Authority - G2"
    + "VeriSign Universal Root Certification Authority"

  [ Gianfranco Costamagna ]
  * debian/{rules,control}:
    Merge Ubuntu patch from Matthias Klose to use Python3 during build.
    Closes: #942915

 -- Julien Cristau <jcristau@debian.org>  Tue, 19 Jan 2021 11:11:04 +0100
2022-02-28 05:48:44 +00:00
fox
c11a7fee8c security/wolfssl: Update to v5.2.0
Changes since v5.1.1:

wolfSSL Release 5.2.0 (Feb 21, 2022)

Release 5.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [High] A TLS v1.3 server who requires mutual authentication can be
    bypassed. If a malicious client does not send the certificate_verify message
    a client can connect without presenting a certificate even if the server
    requires one. Thank you to Aina Toky Rasoamanana and Olivier Levillain of
    Télécom SudParis.
  * [High] A TLS v1.3 client attempting to authenticate a TLS v1.3 server can
    have its certificate check bypassed. If the sig_algo in the
    certificate_verify message is different than the certificate message checking
    may be bypassed. Thank you to Aina Toky Rasoamanana and Olivier Levillain of
    Télécom SudParis.

New Feature Additions

  *  Example applications for Renesas RX72N with FreeRTOS+IoT
  *  Renesas FSP 3.5.0 support for RA6M3
  *  For TLS 1.3, improved checks on order of received messages.
  *  Support for use of SHA-3 cryptography instructions available in ARMv8.2-A
     architecture extensions. (For Apple M1)
  *  Support for use of SHA-512 cryptography instructions available in ARMv8.2-A
     architecture extensions. (For Apple M1)
  *  Fixes for clang -Os on clang >= 12.0.0
  *  Expose Sequence Numbers so that Linux TLS (kTLS) can be configured
  *  Fix bug in TLSX_ALPN_ParseAndSet when using ALPN select callback.
  *  Allow DES3 with FIPS v5-dev.
  *  Include HMAC for deterministic ECC sign build
  *  Add --enable-chrony configure option. This sets build options needed to
     build the Chrony NTP (Network Time Protocol) service.
  *  Add support for STM32U575xx boards.
  *  Fixes for NXP’s SE050 Ed25519/Curve25519.
  *  TLS: Secure renegotiation info on by default for compatibility.
  *  Inline C code version of ARM32 assembly for cryptographic algorithms
     available and compiling for improved performance on ARM platforms
  *  Configure HMAC: define NO_HMAC to disable HMAC (default: enabled)
  *  ISO-TP transport layer support added to wolfio for TLS over CAN Bus
  *  Fix initialization bug in SiLabs AES support
  *  Domain and IP check is only performed on leaf certificates

ARM PSA Support (Platform Security Architecture) API

  * Initial support added for ARM’s Platform Security Architecture (PSA) API in
    wolfCrypt which allows support of ARM PSA enabled devices by wolfSSL,
    wolfSSH, and wolfBoot and wolfCrypt FIPS.
  * Included algorithms: ECDSA, ECDH, HKDF, AES, SHA1, SHA256, SHA224, RNG

ECICE Updates

  * Support for more encryption algorithms: AES-256-CBC, AES-128-CTR,
    AES-256-CTR
  * Support for compressed public keys in messages.

Math Improvements

  * Improved performance of X448 and Ed448 through inlining Karatsuba in square
    and multiplication operations for 128-bit implementation (64-bit platforms
    with 128-bit type support).
  * SP Math C implementation: fix for corner case in curve specific
    implementations of Montgomery Reduction (P-256, P-384).
  * SP math all: assembly snippets added for ARM Thumb. Performance improvement
    on platform.
  * SP math all: ARM64/32 sp_div_word assembly snippets added to remove
    dependency on __udiv3.
  * SP C implementation: multiplication of two signed types with overflow is
    undefined in C. Now cast to unsigned type before multiplication is
    performed.
  * SP C implementation correctly builds when using CFLAG: -m32

OpenSSL Compatibility Layer

  * Added DH_get_2048_256 to compatibility layer.
  * wolfSSLeay_version now returns the version of wolfSSL
  * Added C++ exports for API’s in wolfssl/openssl/crypto.h. This allows better
    compatibility when building with a C++ compiler.
  * Fix for OpenSSL x509_NAME_hash mismatch
  * Implement FIPS_mode and FIPS_mode_set in the compat layer.
  * Fix for certreq and certgen options with openssl compatibility
  * wolfSSL_BIO_dump() and wolfSSL_OBJ_obj2txt() rework
  * Fix IV length bug in EVP AES-GCM code.
  * Add new ASN1_INTEGER compatibility functions.
  * Fix wolfSSL_PEM_X509_INFO_read with NO_FILESYSTEM

CMake Updates

  * Check for valid override values.
  * Add KEYGEN option.
  * Cleanup help messages.
  * Add options to support wolfTPM.

VisualStudio Updates

  * Remove deprecated VS solution
  * Fix VS unreachable code warning

New Algorithms and Protocols

  * AES-SIV (RFC 5297)
  * DTLS SRTP (RFC 5764), used with WebRTC to agree on profile for new real-time
    session keys
  * SipHash MAC/PRF for hash tables. Includes inline assembly for x86_64 and
    Aarch64.

Remove Obsolete Algorithms

  * IDEA
  * Rabbit
  * HC-128
2022-02-26 06:52:46 +00:00
pho
eda754ca5a Bump all Haskell packages after enabling "split sections" in mk/haskell.mk 2022-02-26 03:57:43 +00:00
nikita
ea516f27d0 security/passphrase: don't use RELRO for now. 2022-02-24 21:29:12 +00:00
wiz
74fc0bd990 cyrus-sasl: update to 2.1.28
New in 2.1.28

    build:
        configure - Restore LIBS after checking gss_inquire_sec_context_by_oid
        makemd5.c - Fix potential out of bound writes
        fix build with --disable-shared --enable-static
        Dozens of fixes for Windows specific builds
        Fix cross platform builds with SPNEGO
        Do not try to build broken java subtree
        Fix build error with --enable-auth-sasldb
    common:
        plugin_common.c:
            Ensure size is always checked if called repeatedly (#617)
    documentation:
        Fixed generation of saslauthd(8) man page
        Fixed installation of saslauthd(8) and testsaslauthd(8) man pages (#373)
        Updates for additional SCRAM mechanisms
        Fix sasl_decode64 and sasl_encode64 man pages
        Tons of fixes for Sphinx
    include:
        sasl.h:
            Allow up to 16 bits for security flags
    lib:
        checkpw.c:
            Skip one call to strcat
            Disable auxprop-hashed (#374)
        client.c:
            Use proper length for fully qualified domain names
        common.c:
            CVE-2019-19906 Fix off by one error (#587)
        external.c:
            fix EXTERNAL with non-terminated input (#689)
        saslutil.c:
            fix index_64 to be a signed char (#619)
    plugins:
        gssapi.c:
            Emit debug log only in case of errors
        ntlm.c:
            Fail compile if MD4 is not available (#632)
        sql.c:
            Finish reading residual return data (#639)
            CVE-2022-24407 Escape password for SQL insert/update commands.
    sasldb:
        db_gdbm.c:
            fix gdbm_errno overlay from gdbm_close
    DIGEST-MD5 plugin:
        Prevent double free of RC4 context
        Use OpenSSL RC4 implementation if available
    SCRAM plugin:
        Return BADAUTH on incorrect password (#545)
        Add -224, -384, -512 (#552)
        Remove SCRAM_HASH_SIZE
        Add function to return SCRAM auth method name
        Allocate enough memory in scam_setpass()
        Add function to sort SCRAM methods by hash strength
        Update windows build for newer SCRAM options
    saslauthd:
        auth_httpform.c:
            Avoid signed overflow with non-ascii characters (#576)
        auth_krb5.c:
            support setting an explicit auth_krb5 server name
            support setting an explicit servername with Heimdal
            unify the MIT and Heimdal auth_krb5 implementations
            Remove call to krbtf
        auth_rimap.c:
            provide native memmem implementation if missing
        lak.c:
            Allow LDAP_OPT_X_TLS_REQUIRE_CERT to be 0 (no certificate verification)
        lak.h:
            Increase supported DN length to 4096 (#626)
2022-02-24 11:00:03 +00:00
pin
47195a2178 security/gpg-tui: update to 0.8.3
Added:
-Support custom file name for the exported keys (#4)

Changed:
-Switch to clap for argument parsing
-Update license copyright years
-Update lychee arguments
-Apply clippy::needless_borrow suggestion
-Add tests for custom file name
-Bump the Rust version in Dockerfile
-Bump dependencies
2022-02-21 09:42:25 +00:00
wiz
0b9b77853c py-pip-audit: update to 2.0.0.
### Added

* CLI: The `--fix` flag has been added, allowing users to attempt to
  automatically upgrade any vulnerable dependencies to the first safe version
  available ([#212](https://github.com/trailofbits/pip-audit/pull/212),
  [#222](https://github.com/trailofbits/pip-audit/pull/222))

* CLI: The combination of `--fix` and `--dry-run` is now supported, causing
  `pip-audit` to perform the auditing step but not any resulting fix steps
  ([#223](https://github.com/trailofbits/pip-audit/pull/223))

* CLI: The `--require-hashes` flag has been added which can be used in
  conjunction with `-r` to check that all requirements in the file have an
  associated hash ([#229](https://github.com/trailofbits/pip-audit/pull/229))

* CLI: The `--index-url` flag has been added, allowing users to use custom
  package indices when running with the `-r` flag
  ([#238](https://github.com/trailofbits/pip-audit/pull/238))

* CLI: The `--extra-index-url` flag has been added, allowing users to use
  multiple package indices when running with the `-r` flag
  ([#238](https://github.com/trailofbits/pip-audit/pull/238))

### Changed

* `pip-audit`'s minimum Python version is now 3.7.

* CLI: The default output format is now correctly pluralized
  ([#221](https://github.com/trailofbits/pip-audit/pull/221))

* Output formats: The SBOM output formats (`--format=cyclonedx-xml` and
  `--format=cyclonedx-json`) now use CycloneDX
  [Schema 1.4](https://cyclonedx.org/docs/1.4/xml/)
  ([#216](https://github.com/trailofbits/pip-audit/pull/216))

* Vulnerability sources: When using PyPI as a vulnerability service, any hashes
  provided in a requirements file are checked against those reported by PyPI
  ([#229](https://github.com/trailofbits/pip-audit/pull/229))

* Vulnerability sources: `pip-audit` now uniques each result based on its
  alias set, reducing the amount of duplicate information in the default
  columnar output format
  ([#232](https://github.com/trailofbits/pip-audit/pull/232))

* CLI: `pip-audit` now prints its output more frequently, including when
  there are no discovered vulnerabilities but packages were skipped.
  Similarly, "manifest" output formats (JSON, CycloneDX) are now emitted
  unconditionally
  ([#240](https://github.com/trailofbits/pip-audit/pull/240))

### Fixed

* CLI: A regression causing excess output during `pip audit -r`
  was fixed ([#226](https://github.com/trailofbits/pip-audit/pull/226))
2022-02-20 21:27:35 +00:00
wiz
b935da553e py-cyclonedx-python-lib: update to 1.3.0.
1.3.0 (2022-01-24)
Feature

    bom-ref for Component and Vulnerability default to a UUID (#142) (3953bb6)

1.2.0 (2022-01-24)
Feature

    Add CPE to component (#138) (269ee15)

1.1.1 (2022-01-19)
Fix

    Bump dependencies (#136) (18ec498)

1.1.0 (2022-01-13)
Feature

    Add support for bom.metadata.component (#118) (1ac31f4)

1.0.0 (2022-01-13)

Support for CycloneDX schema version 1.4 (#108)
Breaking Changes

Support for CycloneDX 1.4. This includes:

    Support for tools having externalReferences
    Allowing version for a Component to be optional in 1.4
    Support for releaseNotes per Component
    Support for the core schema implementation of Vulnerabilities (VEX)

Features

    $schema is now included in JSON BOMs
    Concrete Parsers have now been moved into downstream projects to keep this library's focus on modelling and outputting CycloneDX - see https://github.com/CycloneDX/cyclonedx-python

Fixes

    Unit tests now include schema validation (we've left schema validation out of the core library due to dependency bloat)
    Ensure schema is adhered to in 1.0
    URIs are now used throughout the library through a new XsUri class to provide URI validation

Other

    Documentation is now hosted on readthedocs.org (https://cyclonedx-python-library.readthedocs.io/)
    Added reference to release of this library on Anaconda

0.12.3 (2021-12-15)
Fix

    Removed requirements-parser as dependency (temp) as not available for Python 3 as Wheel (#98) (3677d9f)

0.12.2 (2021-12-09)
Fix

    Tightened dependency packageurl-python (#95) (eb4ae5c)

0.12.1 (2021-12-09)
Fix

    Further loosened dependency definitions (8bef6ec)

0.12.0 (2021-12-09)
Feature

    Loosed dependency versions to make this library more consumable (55f10fb)
2022-02-20 21:23:44 +00:00
taca
72a0b448d9 security/pear-Crypt_GPG: update to 1.6.7
1.6.7 (2022-02-16)

* [CVE-2022-24953] Insert the end-of-options marker before operation
  arguments [thomas-chauchefoin-sonarsource].

* Ignore tests/debug.log and .gitattributes itself.
2022-02-20 13:15:14 +00:00
wiz
4484718c7d tor-browser*: reset maintainer 2022-02-16 10:25:15 +00:00
wiz
d87ac4bad0 tor-browser: reset maintainer 2022-02-16 10:24:16 +00:00