Author SHA1 Message Date
adam
3ce86a10c1 py-rsa: updated to 4.7
Version 4.7

CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code
Add padding length check as described by PKCS#1 v1.5
Reuse of blinding factors to speed up blinding operations.
Declare & test support for Python 3.9
2021-01-11 07:35:34 +00:00
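The padding check named in the 4.7 entry above, shown as an added example rather than python-rsa's own code: a plain PKCS#1 v1.5 unpadder whose failures exit at different points, beside one that walks the whole decrypted block with a single exit and enforces the minimum eight-byte padding string from RFC 8017 section 7.2.2. The function names, the `_is_zero` arithmetic idiom and the sample blocks are this editor's constructions; pure Python cannot guarantee constant time, so what the example demonstrates is the structure (one exit, all checks folded into one flag, no data-dependent indexing) that the timing-oracle fix relies on.

```python
# Added example, not python-rsa's code. Unpadding of an RSA-decrypted block EM
# (already left-padded to the modulus length k) under PKCS#1 v1.5:
#   EM = 0x00 || 0x02 || PS || 0x00 || M,  len(PS) >= 8,  k >= 11
from typing import Tuple


def unpad_pkcs1_v15_leaky(em: bytes) -> bytes:
    """Straightforward unpadder. Each failure leaves at a different point and
    via a different exception, so response time and error type tell a
    Bleichenbacher attacker which check failed. It also accepts a padding
    string shorter than the 8 bytes the standard requires."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad header")      # exits before looking at the rest
    sep = em.index(b"\x00", 2)              # scans only up to the first zero
    return em[sep + 1:]


def _is_zero(byte: int) -> int:
    """1 if byte == 0 else 0, without a data-dependent branch.
    For byte in 0..255, (byte - 1) is negative only when byte == 0."""
    return ((byte - 1) >> 8) & 1


def unpad_pkcs1_v15_ct(em: bytes) -> Tuple[bool, bytes]:
    """Single-exit unpadder. Every byte of EM is visited, every check is
    folded into one 'bad' accumulator, and only that accumulator decides
    the result. Rejects a padding string shorter than 8 bytes."""
    k = len(em)                             # block length is public (modulus size)
    if k < 11:                              # RFC 8017: k >= mLen + 11
        return False, b""
    bad = em[0] | (em[1] ^ 0x02)            # nonzero if the header is not 00 02
    sep_index = 0                           # index of the first 0x00 after the header
    found = 0
    for i in range(2, k):
        z = _is_zero(em[i])
        take = z & (1 - found)              # 1 only for the first zero byte seen
        sep_index += i * take
        found |= z
    bad |= 1 - found                        # no separator at all
    bad |= ((sep_index - 10) >> 31) & 1     # separator before index 10 => len(PS) < 8
    ok = bad == 0
    return ok, (em[sep_index + 1:] if ok else b"")


# Constructed sample blocks (k = 25 and k = 20; a real k would be 128 or more).
GOOD_BLOCK = b"\x00\x02" + b"\xa7" * 8 + b"\x00" + b"attack at dawn"
SHORT_PS_BLOCK = b"\x00\x02" + b"\xa7" * 3 + b"\x00" + b"attack at dawn"

if __name__ == "__main__":
    print(unpad_pkcs1_v15_ct(GOOD_BLOCK))        # (True, b'attack at dawn')
    print(unpad_pkcs1_v15_ct(SHORT_PS_BLOCK))    # (False, b'')
    print(unpad_pkcs1_v15_leaky(SHORT_PS_BLOCK)) # b'attack at dawn', accepted wrongly
```

The caller of the single-exit variant must also keep its own behaviour uniform: convert the integer result of the private-key operation to exactly k bytes before unpadding, and return the same error to the peer whether `ok` is false because of the header, the separator or the padding length.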
mef
20224eb765 (security/oath-toolkit) Add TOOL_DEPENDS+= gtk-doc-[0-9]* 2021-01-11 02:22:19 +00:00
adam
b6eaa8757c py-kerberos: updated to 1.3.1
PyKerberos-1.3.1
Stop leaking context objects
Correct pointer alignment
2021-01-09 08:18:09 +00:00
triaxx
951eda4d02 p11-kit: Fix build on FreeBSD
The build step failed on FreeBSD due to undeclared SIZE_MAX. This error
has been fixed upstream (https://github.com/p11-glue/p11-kit/commit/507c394)
and the patch could be removed at the next update.
2021-01-08 21:09:08 +00:00
wiz
4de8b0eb15 gsasl: update to 1.10.0.
* Version 1.10.0 (released 2021-01-01) [stable]

** This is a new major stable release.  Brief changes compared to 1.8.x:

*** SCRAM-SHA-256 and SCRAM-SHA-256-PLUS support per RFC 7677.

*** SCRAM supports password-less usage (StoredKey/ServerKey).

*** New 'gsasl --mkpasswd' command to prepare SCRAM salted/hashed passwords.

*** Final warning that obsolete APIs will be removed.

*** Various cleanups, portability and other bug fixes.
See the entries in NEWS and lib/NEWS covering the 1.9.x branch for details.

* Version 1.9.3 (released 2021-01-01) [beta]

** Fix build/portability problems.  GnuTLS >= 3.4 is required.
Thanks to Bruno Haible for reports.

* Version 1.9.2 (released 2020-12-24) [beta]

** gsasl: Don't abort command on some expected TLS events (for TLS 1.3).
Patch from Enrico Scholz <enrico.scholz@sigma-chemnitz.de> in:
https://lists.gnu.org/archive/html/help-gsasl/2020-08/msg00000.html

** gsasl: Use GnuTLS system trust settings by default for X.509 server
** certificate validation.
Before it was documented behaviour that unless --x509-ca-file was
used, no verification of the server-side certificate was performed.
Now instead it will use the system trust settings, which on properly
configured systems results in verification of the server certificate.
As a result, you may now start to get server certificate verification
errors in situations where you didn't expect them.  Use --x509-ca-file
with the empty string ("") as a file name to use the old behaviour to
not abort on server certificate verification failures.

** SCRAM, GS2 and GSSAPI retrieve properties later in
** the authentication process.
Before the property GSASL_CB_TLS_UNIQUE was retrieved during SCRAM
gsasl_client_start() and gsasl_server_start(), and the properties
GSSAPI_SERVICE and GSSAPI_HOSTNAME were retrieved during GS2/GSSAPI
gsasl_server_start().  Now they are retrieved during the first call to
gsasl_step().

The only user-visible impact of this should be that 'gsasl
--client-mechanisms' and 'gsasl --server-mechanisms' will now not
query for parameters before giving a list of supported mechanisms,
which arguably gives a better user experience.  The downside of this
is that SCRAM-*-PLUS, GS2 and GSSAPI may be advertised even though
completing the server mechanism may not complete.

The problem with calling callbacks in the start() function is that the
callback will have no per-session context at that point, only a global
context, so the only way to give per-session unique callback responses
is to use a separate global handle per session.  This was discovered
in the Exim implementation of gsasl with SCRAM that used to request
the GSASL_CB_TLS_UNIQUE property in the start() function.  After
noticing this design issue, and writing this self test, it was
discovered that it also happened for the GSSAPI/GS2 server (not
client) mechanism for the GSASL_SERVICE and GSASL_HOSTNAME properties.

Thanks to Jeremy Harris for noticing the problem and discussion, see
https://lists.gnu.org/archive/html/help-gsasl/2020-01/msg00035.html

** gsasl: The --mkpasswd output format follows Dovecot 'doveadm pw'.

** Filenames of images in the manual are now prefixed with 'gsasl-'.
This makes /usr/share/info more understandable, and it is suggested by
at least Debian to do this in upstream.

** Build changes.
Some more compiler warnings used and code fixed.  Improved ./configure
diagnostics.

* Version 1.9.1 (released 2020-01-14) [beta]

** gsasl: New --mkpasswd argument to prepare salted/hashed passwords.
Currently mechanisms SCRAM-SHA-1 and SCRAM-SHA-256 are supported.  New
parameter --iteration-count to indicate number of PBKDF2 rounds,
default being 65536.  New parameter --salt to specify PBKDF2 salt.

* Version 1.9.0 (released 2020-01-03) [beta]

** Client and server support for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.

** gsasl: If PORT argument is "587" or "submission", SMTP mode is used.
Further, unrecognized PORT arguments will from now on raise an error to
specify --smtp or --imap.
2021-01-07 22:09:52 +00:00
leot
0622934210 sqlmap: Update to 1.5
Changes:
Unfortunately no changelog is provided by upstream.
2021-01-06 14:47:36 +00:00
he
50db802a20 Upgrade vault to version 1.6.1:
Pkgsrc changes:
 * Added a patch to cope with docker client default settings (build
   also on NetBSD)


Upstream changes:

1.6.1
=====
December 16, 2020

SECURITY:
 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth method allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault Enterprise
   and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1
   (CVE-2020-35453).

IMPROVEMENTS:
 * auth/ldap: Improve consistency in error messages [GH-10537]
 * core/metrics: Added "vault operator usage" command. [GH-10365]
 * secrets/gcp: Truncate ServiceAccount display names longer than
   100 characters. [GH-10558]

BUG FIXES:
 * agent: Only set the namespace if the VAULT_NAMESPACE env var
   isn't present [GH-10556]
 * auth/jwt: Fixes bound_claims validation for provider-specific
   group and user info fetching. [GH-10546]
 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Avoid deadlocks by ensuring that if grabLockOrStop returns
   stopped=true, the lock will not be held. [GH-10456]
 * core: Fix client.Clone() to include the address [GH-10077]
 * core: Fix rate limit resource quota migration from 1.5.x to
   1.6.x by ensuring purgeInterval and staleAge are set appropriately.
   [GH-10536]
 * core: Make all APIs that report init status consistent, and make
   them report initialized=true when a Raft join is in progress.
   [GH-10498]
 * secrets/database/influxdb: Fix issue where not all errors from
   InfluxDB were being handled [GH-10384]
 * secrets/database/mysql: Fixes issue where the DisplayName within
   generated usernames was the incorrect length [GH-10433]
 * secrets/database: Sanitize private_key field when reading database
   plugin config [GH-10416]
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]
 * storage/raft (enterprise): The parameter aws_s3_server_kms_key
   was misnamed and didn't work. Renamed to aws_s3_kms_key, and
   make it work so that when provided the given key will be used
   to encrypt the snapshot using AWS KMS.
 * transform (enterprise): Fix bug tokenization handling metadata
   on exportable stores
 * transform (enterprise): Fix transform configuration not handling
   stores parameter on the legacy path
 * transform (enterprise): Make expiration timestamps human readable
 * transform (enterprise): Return false for invalid tokens on the
   validate endpoint rather than returning an HTTP error
 * transform (enterprise): Fix bug where tokenization store changes
   are persisted but don't take effect
 * ui: Fix bug in Transform secret engine when a new role is added
   and then removed from a transformation [GH-10417]
 * ui: Fix footer URL linking to the correct version changelog.
   [GH-10491]
 * ui: Fix radio click on secrets and auth list pages. [GH-10586]


1.6.0
=====
November 11th, 2020

NOTE:

Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer
be published. This target was dropped in the latest version of the
Go compiler.

CHANGES:
 * agent: Agent now properly returns a non-zero exit code on error,
   such as one due to template rendering failure. Using
   error_on_missing_key in the template config will cause agent to
   immediately exit on failure. In order to make agent properly
   exit due to continuous failure from template rendering errors,
   the old behavior of indefinitely restarting the template server
   is now changed to exit once the default retry attempt of 12
   times (with exponential backoff) gets exhausted. [GH-9670]
 * token: Periodic tokens generated by auth methods will have the
   period value stored in its token entry. [GH-7885]
 * core: New telemetry metrics reporting mount table size and number
   of entries [GH-10201]
 * go: Updated Go version to 1.15.4 [GH-10366]

FEATURES:
 * Couchbase Secrets: Vault can now manage static and dynamic
   credentials for Couchbase. [GH-9664]
 * Expanded Password Policy Support: Custom password policies are
   now supported for all database engines.
 * Integrated Storage Auto Snapshots (Enterprise): This feature
   enables an operator to schedule snapshots of the integrated
   storage backend and ensure those snapshots are persisted elsewhere.
 * Integrated Storage Cloud Auto Join: This feature for integrated
   storage enables Vault nodes running in the cloud to automatically
   discover and join a Vault cluster via operator-supplied metadata.
 * Key Management Secrets Engine (Enterprise; Tech Preview): This
   new secret engine allows securely distributing and managing keys
   to Azure cloud KMS services.
 * Seal Migration: With Vault 1.6, we will support migrating from
   an auto unseal mechanism to a different mechanism of the same
   type. For example, if you were using an AWS KMS key to automatically
   unseal, you can now migrate to a different AWS KMS key.
 * Tokenization (Enterprise; Tech Preview): Tokenization supports
   creating irreversible "tokens" from sensitive data. Tokens can
   be used in less secure environments, protecting the original
   data.
 * Vault Client Count: Vault now counts the number of active entities
   (and non-entity tokens) per month and makes this information
   available via the "Metrics" section of the UI.

IMPROVEMENTS:
 * auth/approle: Role names can now be referenced in templated
   policies through the approle.metadata.role_name property [GH-9529]
 * auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs
   and include role name on error messages on check failure [GH-10036]
 * auth/jwt: Add support for fetching groups and user information
   from G Suite during authentication. [GH-123]
 * auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
 * auth/jwt: Improve cli authorization error [GH-137]
 * auth/jwt: Add OIDC namespace_in_state option [GH-140]
 * secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
 * command/server: Delay informational messages in -dev mode until
   logs have settled. [GH-9702]
 * command/server: Add environment variable support for disable_mlock.
   [GH-9931]
 * core/metrics: Add metrics for storage cache [GH-10079]
 * core/metrics: Add metrics for leader status [GH-10147]
 * physical/azure: Add the ability to use Azure Instance Metadata
   Service to set the credentials for Azure Blob storage on the
   backend. [GH-10189]
 * sdk/framework: Add a time type for API fields. [GH-9911]
 * secrets/database: Added support for password policies to all
   databases [GH-9641, and more]
 * secrets/database/cassandra: Added support for static credential
   rotation [GH-10051]
 * secrets/database/elasticsearch: Added support for static credential
   rotation [GH-19]
 * secrets/database/hanadb: Added support for root credential &
   static credential rotation [GH-10142]
 * secrets/database/hanadb: Default password generation now includes
   dashes. Custom statements may need to be updated to include
   quotes around the password field [GH-10142]
 * secrets/database/influxdb: Added support for static credential
   rotation [GH-10118]
 * secrets/database/mongodbatlas: Added support for root credential
   rotation [GH-14]
 * secrets/database/mongodbatlas: Support scopes field in creations
   statements for MongoDB Atlas database plugin [GH-15]
 * seal/awskms: Add logging during awskms auto-unseal [GH-9794]
 * storage/azure: Update SDK library to use azure-storage-blob-go
   since previous library has been deprecated. [GH-9577]
 * secrets/ad: rotate-root now supports POST requests like other
   secret engines [GH-70]
 * ui: Add ui functionality for the Transform Secret Engine [GH-9665]
 * ui: Pricing metrics dashboard [GH-10049]

BUG FIXES:
 * auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
 * cli: Don't open or overwrite a raft snapshot file on an unsuccessful
   vault operator raft snapshot [GH-9894]
 * core: Implement constant time version of shamir GF(2^8) math [GH-9932]
 * core: Fix resource leak in plugin API (plugin-dependent, not
   all plugins impacted) [GH-9557]
 * core: Fix race involved in enabling certain features via a
   license change
 * core: Fix error handling in HCL parsing of objects with invalid
   syntax [GH-410]
 * identity: Check for timeouts in entity API [GH-9925]
 * secrets/database: Fix handling of TLS options in mongodb connection
   strings [GH-9519]
 * secrets/gcp: Ensure that the IAM policy version is appropriately
   set after a roleset's bindings have changed. [GH-93]
 * ui: Mask LDAP bindpass while typing [GH-10087]
 * ui: Update language in promote dr modal flow [GH-10155]
 * ui: Update language on replication primary dashboard for clarity
   [GH-10205]
 * core: Fix bug where updating an existing path quota could
   introduce a conflict. [GH-10285]


1.5.6
=====
December 16, 2020

SECURITY:
 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth method allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault
   Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1.

IMPROVEMENTS:
 * auth/ldap: Improve consistency in error messages [GH-10537]

BUG FIXES:
 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Fix bug where updating an existing path quota could
   introduce a conflict [GH-10285]
 * core: Fix client.Clone() to include the address [GH-10077]
 * quotas (enterprise): Reset cache before loading quotas in the
   db during startup
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]


1.5.5
=====
October 21, 2020

IMPROVEMENTS:
 * auth/aws, core/seal, secret/aws: Set default IMDS timeouts to
   match AWS SDK [GH-10133]

BUG FIXES:
 * auth/aws: Restrict region selection when in the aws-us-gov
   partition to avoid IAM errors [GH-9947]
 * core (enterprise): Allow operators to add and remove (Raft)
   peers in a DR secondary cluster using Integrated Storage.
 * core (enterprise): Add DR operation token to the remove peer
   API and CLI command (when DR secondary).
 * core (enterprise): Fix deadlock in handling EGP policies
 * core (enterprise): Fix extraneous error messages in DR Cluster
 * secrets/mysql: Conditionally overwrite TLS parameters for MySQL
   secrets engine [GH-9729]
 * secrets/ad: Fix bug where password_policy setting was not using
   correct key when ad/config was read [GH-71]
 * ui: Fix issue with listing roles and methods on the same auth
   methods with different names [GH-10122]


1.5.4
=====
September 24th, 2020

SECURITY:
 * Batch Token Expiry: We addressed an issue where batch token
   leases could outlive their TTL because we were not scheduling
   the expiration time correctly. This vulnerability affects Vault
   OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7
   and 1.5.4 (CVE-2020-25816).

IMPROVEMENTS:
 * secrets/pki: Handle expiration of a cert not in storage as a
   success [GH-9880]
 * auth/kubernetes: Add an option to disable defaulting to the
   local CA cert and service account JWT when running in a Kubernetes
   pod [GH-97]
 * secrets/gcp: Add check for 403 during rollback to prevent repeated
   deletion calls [GH-97]
 * core: Disable usage metrics collection on performance standby
   nodes. [GH-9966]
 * credential/aws: Added X-Amz-Content-Sha256 as a default STS
   request header [GH-10009]

BUG FIXES:
 * agent: Fix disable_fast_negotiation not being set on the auth
   method when configured by user. [GH-9892]
 * core (enterprise): Fix hang when cluster-wide plugin reload
   cleanup is slow on unseal
 * core (enterprise): Fix an error in cluster-wide plugin reload
   cleanup following such a reload
 * core: Fix crash when metrics collection encounters zero-length
   keys in KV store [GH-9811]
 * mfa (enterprise): Fix incorrect handling of PingID responses
   that could result in auth requests failing
 * replication (enterprise): Improve race condition when using a
   newly created token on a performance standby node
 * replication (enterprise): Only write failover cluster addresses
   if they've changed
 * ui: fix bug where dropdown for identity/entity management is not
   reflective of actual policy [GH-9958]
2021-01-05 11:02:51 +00:00
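The LDAP user-enumeration issue in the 1.6.1 and 1.5.6 SECURITY entries above (CVE-2020-35177, fixed by making error messages consistent, GH-10537) is an instance of a general authentication anti-pattern. The following is an added example by this editor, not Vault's code (Vault is written in Go; Python is used here to match the other example on this page): a login function whose error text distinguishes unknown users from wrong passwords, a hardened variant that returns one message and does the same amount of work on every failure, and the black-box probe a tester or a regression test would use to detect the discrepancy. The in-memory directory, user names and passwords are constructed stand-ins for an LDAP bind.

```python
# Added example, not Vault's code: error-message user enumeration in a login
# handler, and the probe that detects it. The user store below is constructed
# and stands in for an LDAP bind.
import hashlib
import hmac

_SALT = b"constructed-salt"


def _h(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed directory: username -> password hash.
_USERS = {"alice": _h("correct horse"), "bob": _h("battery staple")}
# Computed once so that an unknown user costs the same as a wrong password.
_DUMMY = _h("dummy")


def _bind(username: str, password: str) -> bool:
    """Verify credentials with uniform work: hash the candidate password and
    compare even when the user does not exist."""
    stored = _USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _h(password))
    return ok and username in _USERS        # dummy match must never log in


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the failure message tells the caller whether the
    account exists, so a wordlist of names can be confirmed offline-cheap."""
    if username not in _USERS:
        return "error: user not found"
    if not _bind(username, password):
        return "error: invalid password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, same code path for all."""
    if _bind(username, password):
        return "ok"
    return "error: invalid username or password"


def enumeration_oracle(login, candidates, probe_password="not-the-password"):
    """Black-box check: attempt each candidate with a deliberately wrong
    password and collect the distinct failure strings. More than one distinct
    string means the endpoint reveals account existence."""
    return {login(name, probe_password) for name in candidates}


def leaks_user_existence(login, known_user: str, unknown_user: str) -> bool:
    """True if a known and an unknown account produce different failures."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print(enumeration_oracle(login_leaky, names))    # two distinct errors: leaks
    print(enumeration_oracle(login_uniform, names))  # one error: does not leak
```

The same probe applies to any login or password-reset endpoint: run it against a known-valid and a known-invalid account name and fail the test if the responses differ in text, status code or shape. Response time is a second channel the uniform variant equalizes by always hashing, which is the reason for the dummy hash rather than an early return.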
wiz
f2d850954a p11-kit: update to 0.23.22.
0.23.22 (stable)
 * Fix memory-safety issues that affect the RPC protocol
   (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
   and fixed by David Cook
 * anchor: Prefer persistent format when storing anchor [PR#329]
 * common: Fix infloop in p11_path_build [PR#326, PR#327]
 * proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
 * common: Check for a NULL locale before freeing it [PR#321]
 * Build and test fixes [PR#313, PR#315, PR#317, PR#318, PR#319, PR#323, PR#330, PR#333, PR#334, PR#335, PR#338, PR#339]
2021-01-04 11:43:47 +00:00
wiz
712ae97c90 tor-browser-noscript: update to 11.1.7.
v 11.1.7
============================================================
x Optimize serviceWorker tracking for heavy tabs usage
  (thanks vadimm and barbaz for investigation)
x Force placeholder visibility on Youtube embeddings
x Fixed popup opening being slowed down if options UI is
  opened (thanks Sirus for report)
x Explicit failure for wrong settings importation formats
x Updated TLDs

v 11.1.7rc3
============================================================
x Updated TLDs
x Optimize serviceWorker tracking for heavy tabs usage
  (thanks vadimm and barbaz for investigation)
x Force placeholder visibility on Youtube embeddings

v 11.1.7rc2
============================================================
x Fixed popup opening being slowed down if options UI is
  opened (thanks Sirus for report)

v 11.1.7rc1
============================================================
x Explicit failure for wrong settings importation formats

v 11.1.6
============================================================
x Better handling of concurrent prompts issues (thanks
  billarbor for reporting)
x Remove z-index boosting from ancestors when placeholder is
  collapsed or replaced (issue #162)
x Fixed permission keyboard shortcuts being triggered with
  modifiers like CTRL (thanks barbaz for report)
x More accurate blockage reporting, with better filtering of
  page's own CSP effects
x [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz
  for reporting)
x Fixed bug in automatic HTML events build-time updates
x Updated HTML events
x Updated TLDs
x [L10n] Updated sv_SE
x Better handling 0 width / 0 height media placeholders

v 11.1.6rc6
============================================================
x Better handling of concurrent prompts issues (thanks
  billarbor for reporting)

v 11.1.6rc5
============================================================
x Remove z-index boosting from ancestors when placeholder is
  collapsed or replaced (issue #162)

v 11.1.6rc4
============================================================
x Fixed permission keyboard shortcuts being triggered with
  modifiers like CTRL (thanks barbaz for report)

v 11.1.6rc3
============================================================
x More accurate blockage reporting, with better filtering of
  page's own CSP effects

v 11.1.6rc2
============================================================
x [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz
  for reporting)
x Fixed bug in automatic HTML events build-time updates
x Updated HTML events
x Updated TLDs

v 11.1.6rc1
============================================================
x Updated TLDs
x [L10n] Updated sv_SE
x Better handling 0 width / 0 height media placeholders
2021-01-03 19:02:52 +00:00
wiz
460227ccb0 tor-browser: update to 10.0.7.
This release updates Firefox for desktops to 78.6.0esr and Firefox
for Android to 84.1.0. This release includes important security
updates to Firefox for Desktop, and similar important security
updates to Firefox for Android.

The full changelog since Desktop and Android Tor Browser 10.0.6 is:

    All Platforms
        Update HTTPS Everywhere to 2020.11.17
        Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
        Bug 40176: Update openssl to 1.1.1i
    Windows + OS X + Linux
        Update Firefox to 78.6.0esr
    Android
        Update Firefox to 84.1.0
        Update NoScript to 11.1.6
    Linux
        Bug 40226: Crash on Fedora Workstation Rawhide GNOME
    Build System
        All Platforms
            Bug 40139: Pick up rbm commit for bug 40008
            Bug 40161: Update Go compiler to 1.14.13
        Android
            Bug 40128: Allow updating Fenix allowed_addons.json
            Bug 40140: Create own Gradle project
            Bug 40155: Update toolchain for Fenix 84
            Bug 40156: Update Fenix and dependencies to 84.0.0-beta2
            Bug 40163: Avoid checking hash of .pom files
            Bug 40171: Include all uniffi-rs artifacts into application-services
            Bug 40184: Update Fenix and deps to 84.1.0

10.0.6

All Platforms

    Bug 40175: Update obfs4proxy's TLS certificate public key pinning
2021-01-03 19:00:38 +00:00
taca
de54b3d787 Switch to use PHP_VERSIONS_INCOMPATIBLE. 2021-01-03 16:06:57 +00:00
taca
190ba23c73 Remove reference to php72. 2021-01-03 15:26:11 +00:00
adam
21928bd8f3 py-asyncssh: updated to 2.5.0
Release 2.5.0

Added support for limiting which identities in an SSH agent will be used when making a connection, via a new “agent_identities” config option. This change also adds compatibility with the OpenSSL config file option “IdentitiesOnly”.
Added support for including Subject Key Identifier and Authority Key Identifier extensions in generated X.509 certificates to better comply with RFC 5280.
Added support for makedirs() and rmtree() methods in the AsyncSSH SFTP client, as well as a new scandir() method which returns an async iterator to more efficiently process very large directories. Thanks go to Joseph Ernest for suggesting these improvements.
Significantly reworked AsyncSSH line editor support to improve its performance by several orders of magnitude on long input lines, and added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks. This limit defaults to 1024 bytes, but with the improvements it can reasonably handle lines which are megabytes in size if needed.
Changed AsyncSSH to allow SSH agent identities to still be used when an explicit list of client keys is specified, for better compatibility with OpenSSH. The previous behavior can still be achieved by explicitly setting the agent_path option to None when setting client_keys.
Changed AsyncSSH to enforce a limit of 1024 characters on usernames when acting as a server to avoid a potential denial-of-service issue related to SASLprep username normalization.
Changed SCP implementation to explicitly yield to other coroutines when sending a large file to better share an event loop.
Fixed a few potential race conditions related to cleanup of objects during connection close. Thanks go to Thomas Léveil for reporting one of these places and suggesting a fix.
Re-applied a previous fix which was unintentionally lost to allow Pageant to be used by default on Windows.
2021-01-03 10:30:04 +00:00
adam
6cc7770a07 py-gssapi: updated to 1.6.12
Release v1.6.12: Meyer (Patch 12)

Fix GSSAPI detection for macOS Big Sur
Clarify how to disable detection


Release v1.6.11: Meyer (Patch 11)

Fix build on FreeBSD
On FreeBSD, prefer GSSAPI from ports if available
Support python >= 3.8 in test suite by dropping dependency on should_be
Fix malformed S4U tests


Release v1.6.10: Meyer (Patch 10)

Provide python 3.9 Windows wheels
Fix shlex.split on Windows
Removed six package and other older py cleanup values
2021-01-03 10:27:50 +00:00
taca
1f38d4a13d security/php-ssh2: update to 1.2
pkgsrc change: Switch to use PHP_VERSIONS_INCOMPATIBLE.


1.2 (2019-09-18)

- Fix multiple reflection/documentation disparities [PR #29] (Michael Moravec)
- Fix PHP7 port. Restored commented reference counting. [Dmitry Stogov]
- Updates for php_url structure changes [Daniel Ciochiu]
- Make the PR generic for all PHP7 versions [Jan Ehrhardt]
- Fix compatibility with PHP 7.3 [Jan Ehrhardt]
- Fix config.w32 for compatibility with OpenSSL 1.1.x [Anatol]
- Make static inline for php_ssh2_sftp_attr2ssb [Andy Postnikov]
- Enable 7.1-7.3 on Travis CI [Andy Postnikov]
2021-01-03 07:38:19 +00:00
taca
afbf4247b6 php-ssdeep: update to 1.1.0
pkgsrc change: remove restriction to PHP versions.


1.1.0 (2018-02-20)

* Patch for PHP 7 support (remicollet)
* Add basic Windows support (weltling)
2021-01-03 07:36:42 +00:00
taca
ed61bc7172 security/php-pecl-mcrypt: update to 1.0.4
pkgsrc change: Switch to use PHP_VERSIONS_INCOMPATIBLE.


1.0.4 (2020-12-02)

- Make release to advertise PHP 8 support, which it already had.
2021-01-03 07:35:08 +00:00
taca
c829b77662 security/php-oauth: update to 2.0.7
Update php-oauth package to 2.0.7.

pkgsrc change: Update supported PHP versions.


2.0.7 (2020-09-18)

* PHP 8 compatibility

2.0.6 (2020-09-09)

* Fix github issue #14 (Fixes for 7.3/7.4 and opcache)

* Fix PHP-7.4 compatibility of object handler
* Fix memory leaks in OAuthProvider
* Fix crash in OAuthProvider's handler registration methods due to
  unconditional addref
* Fix crash in OAuth::fetch() due to modifying hash tables with a refcount>1

2.0.5 (2020-02-06)

* fix config.w32 (cmb)
* fix 7.3 segfault (rlerdorf)
* replace uint-uint32_t, ulong-zend_ulong (Jan-E)
* handle cases where a passed in array might be a const (keyurdg)
* Fix configure for recent cURL versions (cmb)
* Bug #76722 cURL library headers not recognized on Debian 9 (js361014)

2.0.4 (2019-12-02)

* fix php_pcre_match_impl call in 7.4+ (Remi)

2.0.3 (2018-09-30)

* Use _ex versions to avoid SIGABRT of during use of hash functions in 7.2+

2.0.2 (2016-06-18)

* Fix #72006
2021-01-03 06:54:03 +00:00
nia
44dae21149 dnssec-tools: Update to 2.2.3
"A number of bug fixes"
2021-01-02 21:39:05 +00:00
pin
68aee9f51d Add opendoas 2021-01-01 14:29:55 +00:00
pin
90b5f1abed security/opendoas: import package
Packaged in wip by Sunil Nimmagadda.

An unofficial, portable fork of the OpenBSD doas command.

doas is a minimal replacement for the venerable sudo. It was
initially written by Ted Unangst of the OpenBSD project to provide
95% of the features of sudo with a fraction of the codebase.
2021-01-01 14:28:56 +00:00
pin
23b212a550 security/doas: add conflict msg
Prepare to import opendoas
2021-01-01 14:21:23 +00:00
ryoon
bfac3f1b42 *: Recursive revbump from audio/pulseaudio-14.0 2021-01-01 09:52:09 +00:00
ryoon
a8e8c5c75e *: Recursive revbump from boost-1.75.0 2021-01-01 08:24:33 +00:00
nia
d742340ec7 Remove security/isakmpd.
Ancient ipsec stuff ported in 2003 then abandoned, doesn't work
with modern operating systems.

Directing (unlikely, this doesn't build) users to security/racoon2
2020-12-31 17:10:20 +00:00
nia
888e203925 Remove security/jessie.
Upstream is dead and no acceptable compatible JVMs are provided by
pkgsrc any longer.
2020-12-31 17:06:03 +00:00
nia
004bf3e05e Remove ipsec-tools.
"Important Note
The development of ipsec-tools has been ABANDONED.

ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!"

security/racoon2 provides an alternative that works with modern OS releases.
2020-12-31 17:01:25 +00:00
fox
8c3bb0eaa6 security/wolfssl: Updates to v4.6.0
Changes since v4.5.0:

wolfSSL Release 4.6.0 (December 22, 2020)

Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

New Build Options

  * wolfSSL now enables linux kernel module support. Big news for Linux kernel
    module developers with crypto requirements! wolfCrypt and wolfSSL are now
    loadable as modules in the Linux kernel, providing the entire libwolfssl
    API natively to other kernel modules. For the first time on Linux, the
    entire TLS protocol stack can be loaded as a module, allowing fully
    kernel-resident TLS/DTLS endpoints with in-kernel handshaking.
    (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source)
    (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
  * Build tests and updated instructions for use with Apple’s A12Z chipset
    (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
  * Expansion of wolfSSL SP math implementation and addition of
    --enable-sp-math-all build option
  * Apache httpd w/TLS 1.3 support added
  * Sniffer support for TLS 1.3 and AES CCM
  * Support small memory footprint build with only TLS 1.3 and PSK without
    code for (EC)DHE and certificates

New Hardware Acceleration

  * Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
  * Add Silicon Labs hardware acceleration using SL SE Manager

New Algorithms

  * RC2 ECB/CBC added for use with PKCS#12 bundles
  * XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added

Misc

  * Added support for 802.11Q VLAN frames to sniffer
  * Added OCSP function wolfSSL_get_ocsp_producedDate
  * Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag,
    cpuid_clear_flag
  * New DTLS/TLS non-blocking Secure Renegotiation example added to server.c
    and client.c

Fixes

Math Library

  * Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than
    maximum MP
  * Fix for fp_read_radix_16 out of bounds read
  * Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function
    version in HW ECC acceleration
  * Handle an edge case with RSA-PSS encoding message to hash

Compatibility Layer Fixes

  * Fix for setting serial number wolfSSL_X509_set_serialNumber
  * Fix for setting ASN1 time not before / not after with WOLFSSL_X509
  * Fix for order of components in issuer name when using X509_sign
  * Fix for compatibility layer API DH_compute_key
  * EVP fix incorrect block size for GCM and buffer up AAD for
    encryption/decryption
  * EVP fix for AES-XTS key length return value and fix for string compare
    calls
  * Fix for mutex freeing during RNG failure case with EVP_KEY creation
  * Non blocking use with compatibility layer BIOs in TLS connections

Build Configuration

  * Fix for custom build with WOLFSSL_USER_MALLOC defined
  * ED448 compiler warning on Intel 32bit systems
  * CURVE448_SMALL build fix for 32bit systems with Curve448
  * Fix to build SP math with IAR
  * CMake fix to only set ranlib arguments for Mac, and for stray typo of
    , -> ;
  * Build with --enable-wpas=small fix
  * Fix for building fips ready using openssl extra
  * Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
  * Fix for NO_FILESYSTEM build on Windows
  * Fixed SHA256 support for IMX-RT1060
  * Fix for ECC key gen with NO_TFM_64BIT

Sniffer

  * Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static
    ECC key fallback detection and fixes new ECC RNG requirement for timing
    resistance
  * Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error
    code in ProcessClientHello
  * Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
  * Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
  * Fix to not treat cert/key not found as error in myWatchCb and
    WOLFSSL_SNIFFER_WATCH.
  * Sniffer fixes for handling TCP out-of-range sequence number
  * Fixes SSLv3 use of ECDH in sniffer

PKCS

  * PKCS#11 fix to generate ECC key for decrypt/sign or derive
  * Fix for resetting internal variables when parsing a malformed PKCS#7
    bundle with PKCS7_VerifySignedData()
  * Verify the extracted public key in wc_PKCS7_InitWithCert
  * Fix for internal buffer size when using decompression with PKCS#7

Misc

  * Pin the C# verify callback function to keep from garbage collection
  * DH fixes for when public key is owned and free’d after a handshake
  * Fix for TLS 1.3 early data packets
  * Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
  * Fix mmCAU and LTC hardware mutex locking to prevent double lock
  * Fix potential race condition with CRL monitor
  * Fix for possible malformed encrypted key with 3DES causing negative length
  * AES-CTR performance fixed with AES-NI

Improvements/Optimizations

SP and Math

  * mp_radix_size adjustment for leading 0
  * Resolve implicit cast warnings with SP build
  * Change mp_sqr to return an error if the result won't fit into the fixed
    length dp
  * ARM64 assembly with clang improvements, clang doesn't always handle use of
    x29 (FP or Frame Pointer) in inline assembly code correctly - reworked
    sp_2048_sqr_8 to not use x29
  * SP mod exp changed to support exponents of different lengths
  * TFM div: fix initial value of size in q so clamping doesn't OOB read
  * Numerous stack depth improvements with --enable-smallstack
  * Improve cache resistance with Base64 operations

TLS 1.3

  * TLS 1.3 wolfSSL_peek want read return addition
  * TLS 1.3: Fix P-521 algorithm matching

PKCS

  * Improvements and refactoring to PKCS#11 key look up
  * PKCS #11 changes for signing and loading RSA public key from private
  * check PKCS#7 SignedData private key is valid before using it
  * check PKCS#7 VerifySignedData content length against total bundle size
    to avoid large malloc

Compatibility Layer

  * EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
  * Return long names instead of short names in wolfSSL_OBJ_obj2txt()
  * Add additional OpenSSL compatibility functions to update the version of
    Apache httpd supported
  * add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat

Builds

  * Cortex-M SP ASM support for IAR 6.70
  * STM Cube pack support (IDE/STM32Cube)
  * Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit
    table
  * Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in
    Xilinx README.md, and add Xilinx SDK printf support
  * Added ED448 to the "all" options and ED448 check key null argument sanity
    check
  * Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to
    the “all” options
  * Added an --enable-all-crypto option, to enable only the wolfCrypt features
    of --enable-all, combinable with --enable-cryptonly
  * Added the ability to selectively remove features from --enable-all and
    --enable-all-crypto using specific --disable- options
  * Use Intel intrinsics with Windows for RDSEED and RDRAND
    (thanks to dr-m from MariaDB)
  * Add option to build with WOLFSSL_NO_CLIENT_AUTH
  * Updated build requirements for wolfSSH use to be less restrictive
  * lighttpd support update for v1.4.56
  * Added batch file to copy files to ESP-IDF folders and resolved warnings
    when using v4.0 ESP-IDF
  * Added --enable-stacksize=verbose, showing at a glance the stack high water
    mark for each subtest in testwolfcrypt

ECC

  * Performance increase for ECC verify only, using non constant time SP modinv
  * During ECC verify add validation of r and s before any use
  * Always use safe add and dbl with ECC
  * Timing resistant scalar multiplication updated with use of Joye double-add
    ladder
  * Update mp_jacobi function to reduce stack and increase performance for
    base ECC build
  * Reduce heap memory use with wc_EccPrivateKeyDecode, improvement to ECC
    wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the
    mp_int)
  * Improve StoreECC_DSA_Sig bounds checking

OCSP

  * OCSP improvement to handle extensions in singleResponse
  * support for OCSP request/response for multiple certificates
  * OCSP Must Staple option added to require OCSP stapling response
  * Add support for id-pkix-ocsp-nocheck extension

Misc

  * Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and
    Blake2b operations
  * DTLS MTU: check MTU on write
  * Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG
    (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the
    hash to match the ECC curve)
  * Strict certificate version allowed from client, TLS 1.2 / 1.3 can not
    accept client certificates lower than version 3
  * wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the
    renegotiation indication and the quantum-safe hybrid
  * When parsing session ticket, check TLS version to see whether they are
    version compatible
  * Additional sanity check for invalid ASN1 padding on integer type
  * Adding in ChaCha20 streaming feature with Mac and Intel assembly build
  * Sniffer build with --enable-oldtls option on
2020-12-28 16:40:54 +00:00
mef
642e727152 (security/R-openssl) Add USE_TOOLS+= bash 2020-12-22 22:08:44 +00:00
mef
60c3b0270e Added security/R-credentials version 1.3.0 2020-12-21 14:48:41 +00:00
mef
bc74ed14b7 (security/R-credentials) import R-credentials-1.3.0
Setup and retrieve HTTPS and SSH credentials for use with 'git' and
other services. For HTTPS remotes the package interfaces the
'git-credential' utility which 'git' uses to store HTTP usernames and
passwords. For SSH remotes we provide convenient functions to find or
generate appropriate SSH keys. The package both helps the user to
setup a local git installation, and also provides a back-end for
git/ssh client libraries to authenticate with existing user
credentials.
2020-12-21 14:46:02 +00:00
mef
c03a81e5dc (security/R-openssl) Updated 1.4.1 to 1.4.3
1.4.3
 - Fix a harmless compiler warning for CRAN

1.4.2
 - Catch FIPS errors and add FIPS flag to openssl_config()
 - Win/Mac: update binary packages to openssl 1.1.1g
 - Early preparations for upcoming OpenSSL 3
2020-12-21 11:17:36 +00:00
leot
80944b237e py-OpenSSL: Update to 20.0.1
Changes:
20.0.1 (2020-12-15)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Deprecations:
^^^^^^^^^^^^^

Changes:
^^^^^^^^
- Fixed compatibility with OpenSSL 1.1.0.

20.0.0 (2020-11-27)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- The minimum ``cryptography`` version is now 3.2.
- Remove deprecated ``OpenSSL.tsafe`` module.
- Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
- Drop support for Python 3.4
- Drop support for OpenSSL 1.0.1 and 1.0.2

Deprecations:
^^^^^^^^^^^^^
- Deprecated ``OpenSSL.crypto.loads_pkcs7`` and ``OpenSSL.crypto.loads_pkcs12``.

Changes:
^^^^^^^^
- Added a new optional ``chain`` parameter to ``OpenSSL.crypto.X509StoreContext()``
  where additional untrusted certificates can be specified to help chain building.
  `#948 <https://github.com/pyca/pyopenssl/pull/948>`_
- Added ``OpenSSL.crypto.X509Store.load_locations`` to set trusted
  certificate file bundles and/or directories for verification.
  `#943 <https://github.com/pyca/pyopenssl/pull/943>`_
- Added ``Context.set_keylog_callback`` to log key material.
  `#910 <https://github.com/pyca/pyopenssl/pull/910>`_
- Added ``OpenSSL.SSL.Connection.get_verified_chain`` to retrieve the
  verified certificate chain of the peer.
  `#894 <https://github.com/pyca/pyopenssl/pull/894>`_.
- Make verification callback optional in ``Context.set_verify``.
  If omitted, OpenSSL's default verification is used.
  `#933 <https://github.com/pyca/pyopenssl/pull/933>`_
- Fixed a bug that could truncate or cause a zero-length key error due to a
  null byte in private key passphrase in ``OpenSSL.crypto.load_privatekey``
  and ``OpenSSL.crypto.dump_privatekey``.
  `#947 <https://github.com/pyca/pyopenssl/pull/947>`_
2020-12-19 11:52:26 +00:00
nia
e552a0a09f dropbear: Update to 2020.81 2020-12-19 11:07:10 +00:00
adam
5c144fd2d6 py-certifi: updated to 2020.12.5
2020.12.5:
Unknown changes
2020-12-15 12:04:58 +00:00
jperkin
f87fc77138 py-solo: Unbreak bulk builds. 2020-12-14 09:26:36 +00:00
adam
7e7472183e py-cryptography py-cryptography_vectors: updated to 3.3.1
3.3.1:
* Re-added a legacy symbol causing problems for older ``pyOpenSSL`` users.

3.3:
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.5 has been removed due to
  low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** The
  :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and
  :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require
  64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change
  is to conform with an upcoming OpenSSL release that will no longer support
  sizes outside this window.
* **BACKWARDS INCOMPATIBLE:** When deserializing asymmetric keys we now
  raise ``ValueError`` rather than ``UnsupportedAlgorithm`` when an
  unsupported cipher is used. This change is to conform with an upcoming
  OpenSSL release that will no longer distinguish between error types.
* **BACKWARDS INCOMPATIBLE:** We no longer allow loading of finite field
  Diffie-Hellman parameters of less than 512 bits in length. This change is to
  conform with an upcoming OpenSSL release that no longer supports smaller
  sizes. These keys were already wildly insecure and should not have been used
  in any application outside of testing.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
  OpenSSL 1.1.1i.
* Python 2 support is deprecated in ``cryptography``. This is the last release
  that will support Python 2.
* Added the
  :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature`
  function to
  :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`
  for recovering the signed data from an RSA signature.
2020-12-14 07:31:18 +00:00
adam
b925edf605 py-google-auth: updated to 1.24.0
1.24.0

Features
add Python 3.9 support, drop Python 3.5 support

Bug Fixes
avoid losing the original '_include_email' parameter in impersonated credentials

Documentation
fix typo in import
2020-12-14 06:10:36 +00:00
mef
3ca58542d5 (security/ocaml-ssl) Add devel/ocaml-dune-configurator as buildlink3.mk 2020-12-13 13:46:15 +00:00
riastradh
97b7d5836b security/py-solo: Import solo-python 0.0.26
Tool and Python library for managing SoloKeys
2020-12-13 07:21:29 +00:00
riastradh
2cef6442a9 security/py-fido2: Improve NetBSD patch.
- Simplify byte-munging with ctypes.
- Expose the product and vendor strings, not just numbers.
- Expose the serial number too.
2020-12-13 07:20:57 +00:00
adam
25fc48876a py-acme py-certbot*: updated to 1.10.1
1.10.1 - 2020-12-03

Fixed

Fixed a bug in certbot.util.add_deprecated_argument that caused the deprecated --manual-public-ip-logging-ok flag to crash Certbot in some scenarios.
More details about these changes can be found on our GitHub repo.


1.10.0 - 2020-12-01

Added

Added timeout to DNS query function calls for dns-rfc2136 plugin.
Confirmation when deleting certificates
CLI flag --key-type has been added to specify 'rsa' or 'ecdsa' (default 'rsa').
CLI flag --elliptic-curve has been added which takes a NIST/SECG elliptic curve. Any of secp256r1, secp384r1 and secp521r1 are accepted values.
The command certbot certificates lists which type of private key was used for each certificate.
Support for Python 3.9 was added to Certbot and all of its components.

Changed

certbot-auto was deprecated on Debian based systems.
CLI flag --manual-public-ip-logging-ok is now a no-op, generates a deprecation warning, and will be removed in a future release.

Fixed

Fixed a Unicode-related crash in the nginx plugin when running under Python 2.
2020-12-09 12:31:35 +00:00
wiz
174cbac92c openssl: update to 1.1.1i.
Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

      o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
2020-12-08 18:54:17 +00:00
pin
318e47e45b security/lxqt-openssh-askpass: update to 0.16.0
-Bumped version to 0.16.0.
2020-12-07 12:20:46 +00:00
pin
5e94ca922b security/lxqt-sudo: update to 0.16.0
-Use QFlags default constructor.
2020-12-07 12:17:20 +00:00
pin
f3aeae39e0 security/lxqt-policykit: update to 0.16.0
-Bumped version to 0.16.0.
-Translation updates.
2020-12-07 12:10:22 +00:00
nia
f6dd9d2f87 Revbump packages with a runtime Python dep but no version prefix.
For the Python 3.8 default switch.
2020-12-04 20:44:57 +00:00
jperkin
f9e011dd1b duo-unix: Update to 1.11.4.
Changes since 1.10.4:

duo_unix-1.11.4 - May 18, 2020
  Added support for Ubuntu 20.04.
  Added a support tool to collect information (e.g. logs and PAM stacks) you can
  send to Duo Support when troubleshooting issues.
  Ubuntu 12.04 no longer supported.
  Updated GPG public key for downloading distribution packages.

duo_unix-1.11.3 - October 2019
  Support for CentOS 8, Red Hat 8, and Debian 10.
  Improved validation of BSON messages.
  Updated GPG public key for downloading distribution packages.

duo_unix-1.11.2 - June 2019
  Published a guide to recommended Kerberos configuration for Duo Unix. Thanks
  to Neal Poole at Facebook for bringing expertise and attention to this topic.
  Updated SELinux policy to allow local logins to use the pam_duo PAM module
  and made sshd configurable. This requires installation of
  selinux-policy-devel on CentOS and RHEL 7 as a prerequisite.
  Added support for spaces in group names when escaped with backslashes in
  pam_duo.conf and login_duo.conf
  Debian 7 no longer supported.

duo_unix-1.11.1 - November 2018
  Fixed bug causing console login to fail on certain systems.
  Debian 7 support is deprecated and will be removed in the next release.

duo_unix-1.11.0 - October 2018
  Added configuration options for parsing the Duo username out of the GECOS
  field: gecos_username_pos and gecos_delim.
  Support for Debian 9 (Stretch).
  CentOS 5 no longer supported.

duo_unix-1.10.5 - September 2018
  CentOS 5 Support is deprecated and will be removed in the next release.
  Fixed a bug that caused a segfault on systems where the hostname wasn't
  retrievable.
2020-12-04 12:15:41 +00:00
riastradh
77697b790a Revbump for openpam cppflags change months ago, belatedly. 2020-12-04 04:55:41 +00:00
nia
ba9a19cf09 acmesh: Update to 2.8.8
Changes:
    More dns apis added
    Bug fixes.
    Move CI checks from travis-ci to Github Actions by https://vmactions.org
2020-12-03 13:50:49 +00:00