- Deprecated support for Python 2.6 and 3.3.
- Use the sign and verify methods when they are available in
cryptography instead of the deprecated methods signer and
verifier.
v1.5.0: Jordan
Features
Added build support for mingw32
Implement gss_set_cred_option() and gss_set_sec_context_option()
Bugfixes
Handle GSS_NO_OID_SET when creating sets
### Added
- Support for OpenResty was added to the Nginx plugin.
### Changed
- The timestamps in Certbot's logfiles now use the system's local time
zone rather than UTC.
- Certbot's DNS plugins that use Lexicon now rely on Lexicon>=2.2.1 to
be able to create and delete multiple TXT records on a single
domain.
- certbot-dns-google's test suite now works without an internet
connection.
### Fixed
- Removed a small window that if during which an error occurred,
Certbot wouldn't clean up performed challenges.
- The parameters `default` and `ipv6only` are now removed from
`listen` directives when creating a new server block in the Nginx
plugin.
- `server_name` directives enclosed in quotation marks in Nginx are
now properly supported.
- Resolved an issue preventing the Apache plugin from starting Apache
when it's not currently running on RHEL and Gentoo based systems.
3.6.0:
New features
Introduced export_key and deprecated exportKey for DSA and RSA key objects.
Ciphers and hash functions accept memoryview objects in input.
Added support for SHA-512/224 and SHA-512/256.
Resolved issues
Reintroduced Crypto.__version__ variable as in PyCrypto.
Fixed compilation problem with MinGW.
Noteworthy changes in version 2.2.6:
* gpg,gpgsm: New option --request-origin to pretend requests coming
from a browser or a remote site.
* gpg: Fix race condition on trustdb.gpg updates due to too early
released lock.
* gpg: Emit FAILURE status lines in almost all cases.
* gpg: Implement --dry-run for --passwd to make checking a key's
passphrase straightforward.
* gpg: Make sure to only accept a certification capable key for key
signatures.
* gpg: Better user interaction in --card-edit for the factory-reset
sub-command.
* gpg: Improve changing key attributes in --card-edit by adding an
explicit "key-attr" sub-command.
* gpg: Print the keygrips in the --card-status.
* scd: Support KDF DO setup.
* scd: Fix some issues with PC/SC on Windows.
* scd: Fix suspend/resume handling in the CCID driver.
* agent: Evict cached passphrases also via a timer.
* agent: Use separate passphrase caches depending on the request
origin.
* ssh: Support signature flags.
* dirmngr: Handle failures related to missing IPv6 support
gracefully.
* Fix corner cases related to specified home directory with
drive letter on Windows.
* Allow the use of UNC directory names as homedir.
Noteworthy changes in version 1.29:
* The yat2m tool is during cross-compile now also installed on the
host platform.
* New option parser and associated functions similar to the one used
by GnuPG.
* New Base-64 encoder.
* Fixes regression in 1.28 for arm64 and w64 builds.
* Interface changes relative to the 1.28 release:
gpgrt_argparse New.
gpgrt_usage New.
gpgrt_strusage New.
gpgrt_set_strusage New.
gpgrt_set_usage_outfnc New.
gpgrt_set_fixed_string_mapper New.
GPGRT_ENABLE_ARGPARSE_MACROS New macro.
gpgrt_b64enc_start New.
gpgrt_b64enc_write New.
gpgrt_b64enc_finish New.
SECURITY:
- Log sanitization for Combined Database Secret Engine: In certain failure
scenarios with incorrectly formatted connection urls, the raw connection
errors were being returned to the user with the configured database
credentials. Errors are now sanitized before being returned to the user.
DEPRECATIONS/CHANGES:
- Database plugin compatibility: The database plugin interface was enhanced to
support some additional functionality related to root credential rotation
and supporting templated URL strings. The changes were made in a
backwards-compatible way and all builtin plugins were updated with the new
features. Custom plugins not built into Vault will need to be upgraded to
support templated URL strings and root rotation. Additionally, the
Initialize method was deprecated in favor of a new Init method that supports
configuration modifications that occur in the plugin back to the primary
data store.
- Removal of returned secret information: For a long time Vault has returned
configuration given to various secret engines and auth methods with secret
values (such as secret API keys or passwords) still intact, and with a
warning to the user on write that anyone with read access could see the
secret. This was mostly done to make it easy for tools like Terraform to
judge whether state had drifted. However, it also feels quite un-Vault-y to
do this and we've never felt very comfortable doing so. In 0.10 we have gone
through and removed this behavior from the various backends; fields which
contained secret values are simply no longer returned on read. We are
working with the Terraform team to make changes to their provider to
accommodate this as best as possible, and users of other tools may have to
make adjustments, but in the end we felt that the ends did not justify the
means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
configured locally for policy assignment in a case insensitive fashion by
default. Existing configurations will continue to work as they do now;
however, the next time a configuration is written `case_sensitive_names`
will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
the core of Vault to ensure consistency across all backends. Since this was
previously delegated to individual backends, there may be some slight
differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
by default at initialization time (it will still be available in `dev`
mode).
FEATURES:
- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
features are only available with a supporting version of Vault, but the code
base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
flexible versioning of values, check-and-set protections, and more. A new
`vault kv` subcommand allows friendly interactions with it. Existing mounts
of the `kv` backend can be upgraded to the new versioned mode (downgrades
are not currently supported). The old "passthrough" mode is still the
default for new mounts; versioning can be turned on by setting the
`-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
their own configured admin/root credentials, allowing configured credentials
for a database connection to be rotated immediately after sending them into
Vault, invalidating the old credentials and ensuring only Vault knows the
actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
allows authenticating Azure machines to Vault using Azure's Managed Service
Identity credentials. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
generating secrets to allow access to GCP. See the [plugin
repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
logs can be turned off for specific keys in the request input map and
response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
through to backends on a per-mount basis. This is useful in various cases
when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
authentication methods.
- UI (Enterprise): View and edit Sentinel policies.
IMPROVEMENTS:
- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
operations
- storage/mysql: Allow setting max idle connections and connection lifetime
- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI
BUG FIXES:
- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
parent prefix entry in the underlying storage backend. These operations also
mark corresponding child tokens as orphans by removing the parent/secondary
index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
on transit keys. Capabilities are now checked when attempting to encrypt /
decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
to view the root of a secret engine. The link now sends them back to the list
of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
paths.
- cli: Fix an issue where generating a dr operation token would not output the
token
OTX Direct Connect agents provide a way to automatically update your
security infrastructure with pulses you have subscribed to from with
Open Threat Exchange. By using Direct Connect, the indicators
contained within the pulses you have subscribed to can be downloaded
and made locally available for other applications such as Intrusion
Detection Systems, Firewalls, and other security-focused applications.
2.0.7:
Moved oauthlib into new organization on GitHub.
Include license file in the generated wheel package.
When deploying a release to PyPI, include the wheel distribution.
Check access token in self.token dict.
Added bottle-oauthlib to docs.
Update repository location in Travis.
Updated docs for organization change.
Replace G+ with Gitter.
Update requirements.
Add shields for Python versions, license and RTD.
Fix ReadTheDocs build
Fixed "make" command to test upstream with local oauthlib.
Replace IRC notification with Gitter Hook.
Added Github Releases deploy provider.
Based on the wip package by myself with fixes from rillig.
KeePassXC can store your passwords safely and auto-type them into
your everyday websites and applications.
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
0.22.2
- A type error introduced in 0.22.1 that would occur during challenge
cleanup when a Certbot plugin raises an exception while trying to
complete the challenge was fixed.
0.22.1
- The ACME server used with Certbot's --dry-run and --staging flags is
now Let's Encrypt's ACMEv2 staging server which allows people to
also test ACMEv2 features with these flags.
- The HTTP Content-Type header is now set to the correct value during
certificate revocation with new versions of the ACME protocol.
- When using Certbot with Let's Encrypt's ACMEv2 server, it would add
a blank line to the top of chain.pem and between the certificates in
fullchain.pem for each lineage. These blank lines have been removed.
- Resolved a bug that caused Certbot's --allow-subset-of-names flag
not to work.
- Fixed a regression in acme.client.Client that caused the class to
not work when it was initialized without a ClientNetwork which is
done by some of the other projects using our ACME library.
0.1.12 (2018/03/21)
* Land #9, improve SSL certificate generation
* fix is_mac_addr to validate if something is _only_ a mac address
* Improve SSL certificate generation
0.1.11 (2018/02/09)
* Land #8, factor out SSL bits
* Address Brent's comment - drop @@loaded_openssl
* Implement a certificate provider pattern in Socket
* Extract and mixin cert ops from server module
DEPRECATIONS/CHANGES:
- The AWS authentication backend now allows binds for inputs as either a
comma-delimited string or a string array. However, to keep consistency with
input and output, when reading a role the binds will now be returned as
string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
backend, you now must explicitly opt-in by adding a `*` to the end of the
ARN. Existing configurations will be upgraded automatically, but when
writing a new role configuration the updated behavior will be used.
FEATURES:
- Replication Activation Enhancements: When activating a replication
secondary, a public key can now be fetched first from the target cluster.
This public key can be provided to the primary when requesting the
activation token. If provided, the public key will be used to perform a
Diffie-Hellman key exchange resulting in a shared key that encrypts the
contents of the activation token. The purpose is to protect against
accidental disclosure of the contents of the token if unwrapped by the wrong
party, given that the contents of the token are highly sensitive. If
accidentally unwrapped, the contents of the token are not usable by the
unwrapping party. It is important to note that just as a malicious operator
could unwrap the contents of the token, a malicious operator can pretend to
be a secondary and complete the Diffie-Hellman exchange on their own; this
feature provides defense in depth but still requires due diligence around
replication activation, including multiple eyes on the commands/tokens and
proper auditing.
IMPROVEMENTS:
- api: Update renewer grace period logic. It no longer is static, but rather
dynamically calculates one based on the current lease duration after each
renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
checking
BUG FIXES:
- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
max_lease_ttl configured on the token store mount, truncate it. This matches
renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
helper for a particular method
2.2.1:
Reverted a change to GeneralNames which prohibited having zero elements, due to breakages.
Fixed a bug in :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
0.1.77 2017/09/23
* Convert double quotes to single quotes to match #{URL}
0.1.76 2017/09/07
* Merge pull request #9 from sempervictus/feature-payload_msil_jit
0.1.75 2017/08/25
* Remove useless failing spec
* Improve use of RandomIdentifier::Generator
* Add MSIL to template constants
* Update spec for MSIL payload
* Implement MSIL payload in Rex gem via template
* Update spec for command
* Finalize quote wrapper
* Rework quote handling
* Cleanup Command single quotes redundant gsub
0.1.74 2017/07/18
* Alternative to IEX in dl_and_exec_string methods
* Command spec - deal with :use_single_quotes
* Output and command improvements for Win10
0.1.73 2017/05/12
* update spec to require Ruby 2.2.0 or greater
7.2.0 (2018-01-17)
Closed issues:
* list_vuln_exceptions returns API error #312
* Credentials failure after using Site.copy #307
* XML serialization for VulnException incorrect due to extra whitespace #304
* Nexpose timeout does not seem to work #299
Merged pull requests:
* Update vuln exceptions to use generally available API version #313
(mhuffman-r7)
* Add a method to add common vuln status filters to report configs #303
(gschneider-r7)
* Updated for Ruby 2.4 Support #301 (twosevenzero)
**** 1.05 March 20, Tuesday
Feature
Support added for Ed25519 and Ed448 algorithms
Fix: rt.cpan.org #124650
Net::DNS::SEC::Private must not die if attribute is not present
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.
- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well fixes for
a handful of other important bugs, including patches to support g++ 6, C++11.
2.2:
BACKWARDS INCOMPATIBLE: Support for Python 2.6 has been dropped.
Resolved a bug in HKDF that incorrectly constrained output size.
Added :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1, :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1, and :class:~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1 to support inter-operating with systems like German smart meters.
Added token rotation support to :doc:Fernet </fernet> with :meth:~cryptography.fernet.MultiFernet.rotate.
Fixed a memory leak in :func:~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key.
Added support for AES key wrapping with padding via :func:~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding and :func:~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding .
Allow loading DSA keys with 224 bit q.
changes in version 1.28:
* The formerly internal yat2m tool is now installed for a native
build.
* The new files gpgrt.m4 and gpgrt-config are now installed. They
can be used instead of gpg-error.m4 and gpg-error-config.
* New logging functions similar to those used by GnuPG.
* New helper functions for platform abstraction.
This is to reflect the behaviour documented in netpgp(1).
Originally submitted on tech-pkg@ as:
[PATCH 09/11] Output signatures to the standard output for "-"
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 07/11] Correct option "--armor"
[PATCH 08/11] Also document alternate option "--detach"
As also applied in NetBSD's src repository.
Originally submitted on tech-pkg@ as:
[PATCH 04/11] Do not use random data for pass-phrases on EOF
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
This also fixes a crash when the pass-phrase entered is empty.
Originally submitted on tech-pkg@ as:
[PATCH 02/11] Do not truncate pass-phrases without a newline character
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
Originally submitted on tech-pkg@ as:
[PATCH 06/11] Do not ask for a passphrase when empty
Only modified for consistency with the coding style; as also applied in
NetBSD's src repository.
Tested on NetBSD/amd64.
## [1.16.0][] (2018-02-03)
* [#417](https://github.com/capistrano/sshkit/pull/417): Cache key generation for connections becomes slow when `known_hosts` is a valid `net/ssh` options and `known_hosts` file is big. This changes the cache key generation and fixes performance issue - [@ElvinEfendi](https://github.com/ElvinEfendi).
## [1.15.1][] (2017-11-18)
This is a small bug-fix release that fixes problems with `upload!` and `download!` that were inadvertently introduced in 1.15.0.
### Breaking changes
* None
### Bug fixes
* [#410](https://github.com/capistrano/sshkit/pull/410): fix NoMethodError when using upload!/download! with Pathnames - [@UnderpantsGnome](https://github.com/UnderpantsGnome)
* [#411](https://github.com/capistrano/sshkit/pull/410): fix upload!/download! when using relative paths outside of `within` blocks - [@Fjan](https://github.com/Fjan)
## [1.15.0][] (2017-11-03)
### New features
* [#408](https://github.com/capistrano/sshkit/pull/408): upload! and download! now respect `within` - [@sj26](https://github.com/sj26)
### Potentially breaking changes
* `upload!` and `download!` now support remote paths which are
relative to the `within` working directory. They were previously documented
as only supporting absolute paths, but relative paths still worked relative
to the remote working directory. If you rely on the previous behaviour you
may need to adjust your code.
1.85 2018-03-14
Preparations for transferring maintenace to a new maintainer
Fixed test failure in t/local/33_x509_create_cert.t for some version of OpenSSL.
Fixed free() error that causes "Free to wrong pool ..." merssage on Windows.
Reported and patched by Steffen Ullrich.
2.4.1:
[Bug] Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in python 3). Report by Theodor van Nahl and fix by Pierce Lopez.
[Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that code introspecting that attribute, or using from paramiko import * (such as some IDEs) sees them. Thanks to @patriksevallius for the patch.
[Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.
Release 1.12.1:
Implemented a fix for CVE-2018-7749, where a modified SSH client could request that an AsyncSSH server perform operations before authentication had completed. Thanks go to Matthijs Kooijman for discovering and reporting this issue and helping to review the fix.
Added a non-blocking collect_output() method to SSHClientProcess to allow applications to retrieve data received on an output stream without blocking. This call can be called multiple times and freely intermixed with regular read calls with a guarantee that output will always be returned in order and without duplication.
Updated debug logging implementation to make it more maintainable, and to fix an issue where unprocessed packets were not logged in some cases.
Extended the support below for non-ASCII characters in comments to apply to X.509 certificates, allowing an optional encoding to be passed in to get_comment() and set_comment() and a get_comment_bytes() function to get the raw comment bytes without performing Unicode decoding.
Fixed an issue where a UnicodeDecodeError could be reported in some cases instead of a KeyEncryptionError when a private key was imported using the wrong passphrase.
Fixed the reporting of the MAC algorithm selected during key exchange to properly report the cipher name for GCM and Chacha ciphers that don’t use a separate MAC algorithm. The correct value was being returned in queries after the key exchange was complete, but the logging was being done before this adjustment was made.
Fixed the documentation of connection_made() in SSHSession subclasses to properly reflect the type of SSHChannel objects passed to them.
### Added
- Support for obtaining wildcard certificates and a newer version of the ACME
protocol such as the one implemented by Let's Encrypt's upcoming ACMEv2
endpoint was added to Certbot and its ACME library. Certbot still works with
older ACME versions and will automatically change the version of the protocol
used based on the version the ACME CA implements.
- The Apache and Nginx plugins are now able to automatically install a wildcard
certificate to multiple virtual hosts that you select from your server
configuration.
- The `certbot install` command now accepts the `--cert-name` flag for
selecting a certificate.
- `acme.client.BackwardsCompatibleClientV2` was added to Certbot's ACME library
which automatically handles most of the differences between new and old ACME
versions. `acme.client.ClientV2` is also available for people who only want
to support one version of the protocol or want to handle the differences
between versions themselves.
- certbot-auto now supports the flag --install-only which has the script
install Certbot and its dependencies and exit without invoking Certbot.
- Support for issuing a single certificate for a wildcard and base domain was
added to our Google Cloud DNS plugin. To do this, we now require your API
credentials have additional permissions, however, your credentials will
already have these permissions unless you defined a custom role with fewer
permissions than the standard DNS administrator role provided by Google.
These permissions are also only needed for the case described above so it
will continue to work for existing users. For more information about the
permissions changes, see the documentation in the plugin.
### Changed
- We have broken lockstep between our ACME library, Certbot, and its plugins.
This means that the different components do not need to be the same version
to work together like they did previously. This makes packaging easier
because not every piece of Certbot needs to be repackaged to ship a change to
a subset of its components.
- Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot,
Certbot's plugins, and certbot-auto. If you are using certbot-auto on a RHEL
6 based system, it will walk you through the process of installing Certbot
with Python 3 and refuse to upgrade to a newer version of Certbot until you
have done so.
- Certbot's components now work with older versions of setuptools to simplify
packaging for EPEL 7.
### Fixed
- Issues caused by Certbot's Nginx plugin adding multiple ipv6only directives
has been resolved.
- A problem where Certbot's Apache plugin would add redundant include
directives for the TLS configuration managed by Certbot has been fixed.
- Certbot's webroot plugin now properly deletes any directories it creates.
The circular dependency that prompted splitting this package is no longer
an issue, as acme now depends on context instead of golang.org/x/net/context.
Thus, this package now contains what used to be go-crypto-acme and conflicts
with it.
Data::Password::passwdqc provides an object oriented Perl interface
to Openwall Project's passwdqc. It allows you to check password
strength and also lets you generate quality controllable random
password.
1.1.0:
Removed DES code as the license was found to be incorrect from the source
Added new DES code not based on the original
Fixed up some deprecation warnings
Changed tests from running unittest to py.test
Changed licence from GPL to MIT as code is not all my own
New features
* Import and export of ECC curves in compressed form.
* The initial counter for a cipher in CTR mode can be a byte string (in addition to an integer).
* Faster PBKDF2 for HMAC-based PRFs (at least 20x for short passwords, more for longer passwords). Thanks to Christian Heimes for pointing out the implementation was under-optimized.
* The salt for PBKDF2 can be either a string or bytes.
Resolved issues
* Without libgmp, modular exponentiation (since v3.4.8) crashed on 32-bit big-endian systems.
Breaks in compatibility
* Removed support for Python < 2.6.
This library is used to gain direct access to the functions exposed by Daniel
J. Bernstein's nacl library via libsodium. It has been constructed to maintain
extensive documentation on how to use nacl as well as being completely
portable. The file in libnacl/__init__.py can be pulled out and placed directly
in any project to give a single file binding to all of nacl.
What's new in Sudo 1.8.22
* Commands run in the background from a script run via sudo will
no longer receive SIGHUP when the parent exits and I/O logging
is enabled.
* A particularly offensive insult is now disabled by default.
* The description of "sudo -i" now correctly documents that
the "env_keep" and "env_check" sudoers options are applied to
the environment.
* Fixed a crash when the system's host name is not set.
* The sudoers2ldif script now handles #include and #includedir
directives.
* Fixed a bug where sudo would silently exit when the command was
not allowed by sudoers and the "passwd_tries" sudoers option
was set to a value less than one.
* Fixed a bug with the "listpw" and "verifypw" sudoers options and
multiple sudoers sources. If the option is set to "all", a
password should be required unless none of a user's sudoers
entries from any source require authentication.
* Fixed a bug with the "listpw" and "verifypw" sudoers options in
the LDAP and SSSD back-ends. If the option is set to "any", and
the entry contained multiple rules, only the first matching rule
was checked. If an entry contained more than one matching rule
and the first rule required authentication but a subsequent rule
did not, sudo would prompt for a password when it should not have.
* When running a command as the invoking user (not root), sudo
would execute the command with the same group vector it was
started with. Sudo now executes the command with a new group
vector based on the group database which is consistent with
how su(1) operates.
* Fixed a double free in the SSSD back-end that could occur when
ipa_hostname is present in sssd.conf and is set to an unqualified
host name.
* When I/O logging is enabled, sudo will now write to the terminal
even when it is a background process. Previously, sudo would
only write to the tty when it was the foreground process when
I/O logging was enabled. If the TOSTOP terminal flag is set,
sudo will suspend the command (and then itself) with the SIGTTOU
signal.
* A new "authfail_message" sudoers option that overrides the
default "N incorrect password attempt(s)".
* An empty sudoRunAsUser attribute in the LDAP and SSSD backends
will now match the invoking user. This is more consistent with
how an empty runas user in the sudoers file is treated.
* Documented that in check mode, visudo does not check the owner/mode
on files specified with the -f flag.
* It is now an error to specify the runas user as an empty string
on the command line. Previously, an empty runas user was treated
the same as an unspecified runas user.
* When "timestamp_type" option is set to "tty" and a terminal is
present, the time stamp record will now include the start time
of the session leader. When the "timestamp_type" option is set
to "ppid" or when no terminal is available, the start time of
the parent process is used instead. This significantly reduces
the likelihood of a time stamp record being re-used when a user
logs out and back in again.
* The sudoers time stamp file format is now documented in the new
sudoers_timestamp manual.
* The "timestamp_type" option now takes a "kernel" value on OpenBSD
systems. This causes the tty-based time stamp to be stored in
the kernel instead of on the file system. If no tty is present,
the time stamp is considered to be invalid.
* Visudo will now use the SUDO_EDITOR environment variable (if
present) in addition to VISUAL and EDITOR.
## 0.9.5 (February 26th, 2018)
IMPROVEMENTS:
- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling
auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster
connection fails, Vault will attempt to roll back state so that
bootstrapping can be tried again, rather than having to recreate the
downstream cluster. This will still require fetching a new secondary
activation token.
BUG FIXES:
- auth/aws: Update libraries to fix regression verifying PKCS#7 identity
documents
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names
in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing
its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to
automatically connect to a performance primary after that performance
primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`
## 0.9.4 (February 20th, 2018)
SECURITY:
- Role Tags used with the EC2 style of AWS auth were being improperly parsed;
as a result they were not being used to properly restrict values.
Implementations following our suggestion of using these as defense-in-depth
rather than the only source of restriction should not have significant
impact.
FEATURES:
- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt
with ChaCha20-Poly1305 in `transit`. Key derivation and convergent
encryption is also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA
required within Okta, an Okta Push MFA flow can be used to successfully
finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set,
subject to allow restrictions that support globbing. Additionally, Country,
Locality, Province, Street Address, and Postal Code can now be set in
certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for
Vault storage
IMPROVEMENTS:
- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear
on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than
once a minute. Too many leases can be problematic for many of the storage
backends and often this number of leases is indicative of a need for
workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can
now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in
issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.
BUG FIXES:
- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on
replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of
dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token
creation. Passing an explicit zero value for the period no longer create
periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the
same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from
plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up
or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being
handled
- storage/postgresql: Fix compatibility with versions using custom string
version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and
prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object
* Change file is inconsistent: no information about this release available
* Homepage and repository are dead: tarball reached and archived on
ftp.NetBSD.org thands to OpenPKG repository
* Configurations files are installed in VARBASE because CSPHOME must be
writable since CA tree is built in this directory
* Fix deprecated use of unescaped '{'
* Clean Makefile
version 2.2.5:
* gpg: Allow the use of the "cv25519" and "ed25519" short names in
addition to the canonical curve names in --batch --gen-key.
* gpg: Make sure to print all secret keys with option --list-only
and --decrypt.
* gpg: Fix the use of future-default with --quick-add-key for
signing keys.
* gpg: Select a secret key by checking availability under gpg-agent.
* gpg: Fix reversed prompt texts for --only-sign-text-ids.
* gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit systems.
* gpgsm: Fix regression since 2.1 in --export-secret-key-raw which
got $d mod (q-1)$ wrong. Note that most tools automatically fixup
that parameter anyway.
* ssh: Fix a regression in getting the client'd PID on *BSD and
macOS.
* scd: Support the KDF Data Object of the OpenPGP card 3.3.
* scd: Fix a regression in the internal CCID driver for certain card
readers.
* scd: Fix a problem on NetBSD killing scdaemon on gpg-agent
shutdown.
* dirmngr: Improve returned error description on failure of DNS
resolving.
* wks: Implement command --install-key for gpg-wks-server.
* Add option STATIC=1 to the Speedo build system to allow a build
with statically linked versions of the core GnuPG libraries. Also
use --enable-wks-tools by default by Speedo builds for Unix.
0.29.0:
- Fix building on Windows (all tests fix on Win32 and Win64 on all
supported combinations of versions of OpenSSL and Python)
- Fixes of some small bugs
0.77 Feb 15, 2018
- Fix regression broking password authentication (bug report
by Russell Shingleton).
0.76 Feb 8, 2018
- Allow passing "file_from" and "from0" options into "rsync"
(bug report and patch by Slaven Rezic, fixes #rt124357)
- Document how to manipulate port forwardings.
- Rename sample directory to examples (fixes #rt122042
reported by Karen Etheridge).
0.75_02 Jul 18, 2017
- Add support for "master_pty_force" and "get_master_pty_log"
features.
- Add support for "subsystem" feature.
0.75_01 Mar 3, 2017
- Use an opaque digest as the last part of the multiplexing
socket path in order to reduce its size (bug report by
Sombrerero_Loco at PerlMonks).
- Improve ctl_path/ctl_dir handling catching more errors
earlier.
- Add support for stdin_keep_open feature (bug report by
fwalters at PerlMonks).
**** 1.04 February 15, 2018
Feature
Cryptographic library access re-engineered using PerlXS
directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA)
distributions which have fallen into disrepair.
2.056 2018/02/19
- Intercept - fix creation of serial number: base it on binary digest instead of
treating hex fingerprint as binary. Allow use of own serial numbers again.
- t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
- update PublicSuffix
2.055 2018/02/15
- use SNI also if hostname was given all-uppercase
- Utils::CERT_create - don't add authority key for issuer since Chrome does
not like this
- Intercept:
- change behavior of code based cache to better support synchronizing
within multiprocess/threaded setups
- don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- RT#124431 - better support platforms w/o IPv6
- RT#124306 - spelling fixes in documentation
2.054 2018/01/22
- added missing test certificates to MANIFEST
2.053 2018/01/21
- small behavior fixes
- if SSL_fingerprint is used and matches don't check for OCSP
- Utils::CERT_create - small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- update PublicSuffix
- updates for documentation, especially regarding pitfalls with forking or using
non-blocking sockets. Spelling fixes.
- test fixes and improvements
- stability improvements for live tests
- regenerate certificate in certs/ and make sure they are limited to the
correct purpose. Checkin program used to generate certificates.
- adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
