Commit graph

9754 commits

Author SHA1 Message Date
ryoon
54aa29b010 Enable acmesh 2018-11-22 13:09:42 +00:00
ryoon
a7f376f8fd security/acmesh: import acmesh-2.7.9
A pure Unix shell script implementing ACME client protocol

* An ACME protocol client written purely in Shell (Unix shell) language.
* Full ACME protocol implementation.
* Support ACME v1 and ACME v2
* Support ACME v2 wildcard certs
* Simple, powerful and very easy to use. You only need 3 minutes to learn it.
* Bash, dash and sh compatible.
* Simplest shell script for Let's Encrypt free certificate client.
* Purely written in Shell with no dependencies on python or the official
  Let's Encrypt client.
* Just one script to issue, renew and install your certificates automatically.
* DOES NOT require root/sudoer access.
* Docker friendly
* IPv6 support
2018-11-22 13:08:28 +00:00
adam
4acb208c99 py-cryptography[_vectors]: updated to 2.4.2
2.4.2:
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0j.
2018-11-21 10:38:38 +00:00
kleink
f1a683c990 Revbump after cairo 1.16.0 update. 2018-11-14 22:20:58 +00:00
bsiegert
d52e30f497 Revbump packages depending on gedit after bl3 change. 2018-11-14 21:20:22 +00:00
leot
41d70568ea sudo: Fix PLIST
share/doc/sudo/schema.olcSudo is installed only when ldap support is enabled.
2018-11-14 15:30:42 +00:00
adam
1bfdc0eece sudo: updated to 1.8.26
What's new in Sudo 1.8.26
* Fixed a bug in cvtsudoers when converting to JSON format when
  alias expansion is enabled.
* Sudo no longer sets the USERNAME environment variable when running
  commands. This is a non-standard environment variable that was
  set on some older Linux systems.
* Sudo now treats the LOGNAME and USER environment variables (as
  well as the LOGIN variable on AIX) as a single unit.  If one is
  preserved or removed from the environment using env_keep, env_check
  or env_delete, so is the other.
* Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
* Sudo now logs when the command was suspended and resumed in the
  I/O logs.  This information is used by sudoreplay to skip the
  time suspended when replaying the session unless the new -S flag
  is used.
* Fixed documentation problems found by the igor utility.
* Sudo now prints a warning message when there is an error or end
  of file while reading the password instead of exiting silently.
* Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
  role, type, privs and limitprivs sudoOptions.  This also affected
  cvtsudoers conversion from LDIF to sudoers or JSON.
* Fixed a bug that prevented timeout settings in sudoers from
  functioning unless a timeout was also specified on the command
  line.
* Asturian translation for sudo from translationproject.org.
* When generating LDIF output, cvtsudoers can now be configured
  to pad the sudoOrder increment such that the start order is used
  as a prefix.
* Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
  properly setting the user's groups on AIX.
* If the user specifies a group via sudo's -g option that matches
  any of the target user's groups, it is now allowed even if no
  groups are present in the Runas_Spec.  Previously, it was only
  allowed if it matched the target user's primary group.
* The sudoers LDAP back-end now supports negated sudoRunAsUser and
  sudoRunAsGroup entries.
* Sudo now provides a proper error message when the "fqdn" sudoers
  option is set and it is unable to resolve the local host name.
* Portuguese translation for sudo and sudoers from translationproject.org.
* Sudo now includes sudoers LDAP schema for the on-line configuration
  supported by OpenLDAP.
2018-11-14 12:59:41 +00:00
adam
a3362e9d4f py-argon2_cffi: updated to 18.3.0
18.3.0:

Changes:
- argon2.PasswordHasher's hash type is configurable now.


18.2.0:

Changes:
- The hash type for argon2.PasswordHasher is Argon2**id** now.
  This decision has been made based on the recommendations in the latest Argon2 RFC draft (https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-4).
- To make the change of hash type backward compatible, argon2.PasswordHasher.verify() now determines the type of the hash and verifies it accordingly.
- Some of the hash parameters have been made stricter to be closer to said recommendations.
  The current goal for a hash verification times is around 50ms.
- To allow for bespoke decisions about upgrading Argon2 parameters, it's now possible to extract them from a hash via the argon2.extract_parameters() function.
- Additionally argon2.PasswordHasher now has a check_needs_rehash() method that allows verifying whether a hash has been created with the instance's parameters or whether it should be rehashed.
2018-11-14 09:28:26 +00:00
adam
45c3b4fdf4 py-m2crypto: updated to 0.31.0
0.31.0:
- Compatibility with OpenSSL 1.1.1 (partly workaround, maybe requires
  further investigation)
- Fixes for Windows builds
- Fixes of installs on AWS Lambda
- Fixes of Mac OS X related failures
- Fix Python 2.6 compatibility issues
2018-11-13 13:31:02 +00:00
adam
e44d7bdc1c py-cryptography[_vectors]: updated to 2.4.1
2.4.1:
Fixed a build breakage in our manylinux1 wheels.

2.4:
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.4.x.
Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by the OpenSSL project. At this time there is no timetable for dropping support, however we strongly encourage all users to upgrade or install cryptography from a wheel.
Added initial OCSP support.
Added support for cryptography.x509.PrecertPoison.
2018-11-13 11:23:38 +00:00
jaapb
fd6ceb8a4c Revbumps associated with update of lang/ocaml. 2018-11-12 16:10:16 +00:00
jperkin
6db6f6b0af *: Add CTF_SUPPORTED/CTF_FILES_SKIP where necessary. 2018-11-12 14:40:20 +00:00
ryoon
b86dfe6873 Recursive revbump from harfbuzz-2.1.1 2018-11-12 03:51:07 +00:00
kleink
70dd5e4f07 Sort PLIST; missed in previous.
No functional change.
2018-11-11 16:20:42 +00:00
kleink
dbeb4a5c96 Update py-itsdangerous to 1.1.0.
Version 1.1.0
-------------

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: https://github.com/pallets/itsdangerous/pull/113
.. _#114: https://github.com/pallets/itsdangerous/pull/114


Version 1.0.0
-------------

Released 2018-10-18

YANKED

*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
    (`#27`_)
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: https://github.com/pallets/itsdangerous/pull/13
.. _#27: https://github.com/pallets/itsdangerous/pull/27
.. _#29: https://github.com/pallets/itsdangerous/issues/29
.. _#36: https://github.com/pallets/itsdangerous/pull/36
.. _#38: https://github.com/pallets/itsdangerous/issues/38
.. _#46: https://github.com/pallets/itsdangerous/issues/46
.. _#62: https://github.com/pallets/itsdangerous/issues/62
.. _#74: https://github.com/pallets/itsdangerous/issues/74
.. _#75: https://github.com/pallets/itsdangerous/pull/75
.. _#80: https://github.com/pallets/itsdangerous/pull/80
.. _#99: https://github.com/pallets/itsdangerous/pull/99
.. _#107: https://github.com/pallets/itsdangerous/pull/107
2018-11-10 17:27:36 +00:00
wen
626e0b4719 Update to 0.062
Upstream changes:
0.062   2018-10-30
        - bundled libtommath update branch:develop (commit:8b9f98ba 2018-09-23) + stdint.h workaround
        - bundled libtomcrypt update branch:develop (commit:f413335b 2018-10-29)
        - fix #45 doc only - sign_message_rfc7518 / sign_message_rfc7518
        - fix #46 tests only - t/mbi_ltm_bigintpm.t etc. started to fail with latest Math::BigInt
        - fix #47 gcm_decrypt_verify + chacha20poly1305_decrypt_verify don't verify the tag - SERIOUS SECURITY BUG!
        - improved CBC/ECB padding (using libtomcrypt's functions: padding_depad + padding_pad)
        - enable pkcs#8 encrypted RSA keys (supported by the latest libtomcrypt)
        - exclude wycheproof tests (too big) from dist tarball (via MANIFEST.SKIP)
2018-11-10 08:40:57 +00:00
nia
0546704fe4 gnutls: update to 3.6.4.
* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
   gnutls_certificate_set_retrieve_function() which could not handle the case where
   no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no
   certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
   is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP.
   The key set with gnutls_session_ticket_enable_server() is used as a
   master key to generate time-based keys for tickets. The rotation
   relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the
   'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
   This addresses the problem where the CA certificate doesn't have a subject key
   identifier whereas the end certificates have an authority key identifier (#569)

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
   gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
   and export GOST parameters in the "native" little endian format used for these
   curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for separately negotiating client and server certificate types
   as defined in RFC7250. This mechanism must be explicitly enabled via the
   GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added
2018-11-09 18:03:45 +00:00
adam
ab7ec1056c gnupg2: updated to 2.2.11
Noteworthy changes in version 2.2.11:

* gpgsm: Fix CRL loading when intermediate certificates are not yet
  trusted.

* gpgsm: Fix an error message about the digest algo.

* gpg: Fix a wrong warning due to new sign usage check introduced
  with 2.2.9.

* gpg: Print the "data source" even for an unsuccessful keyserver
  query.

* gpg: Do not store the TOFU trust model in the trustdb.  This
  allows enabling or disabling a TOFU model without triggering a
  trustdb rebuild.

* scd: Fix cases of "Bad PIN" after using "forcesig".

* agent: Fix possible hang in the ssh handler.

* dirmngr: Tack the unmodified mail address to a WKD request.  See
  commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.

* dirmngr: Tweak diagnostic about missing LDAP server file.

* dirmngr: In verbose mode print the OCSP responder id.

* dirmngr: Fix parsing of the LDAP port.

* wks: Add option --directory/-C to the server.  Always build the
  server on Unix systems.

* wks: Add option --with-colons to the client.  Support sites which
  use the policy file instead of the submission-address file.

* Fix EBADF when gpg et al. are called by broken CGI scripts.

* Fix some minor memory leaks and bugs.
2018-11-07 11:59:08 +00:00
leot
2df2d8f864 sqlmap: Update security/sqlmap to 1.2.11
Changes:
1.2.11
------
 - Add support for H2 DBMS
 - Misc changes and bug fixes
2018-11-06 13:55:41 +00:00
bsiegert
ac232c7df5 Revbump all Go packages after go111 update. 2018-11-04 18:37:54 +00:00
adam
bb5e878be9 libgcrypt: updated to 1.8.4
Noteworthy changes in version 1.8.4:
* Bug fixes:
  - Fix infinite loop due to applications using fork the wrong
    way.
  - Fix possible leak of a few bits of secret primes to pageable
    memory.
  - Fix possible hang in the RNG (1.8.3 only).
  - Several minor fixes.

* Performance:
  - On Linux always make use of getrandom if possible and then use
    its /dev/urandom behaviour.
2018-11-02 23:08:29 +00:00
adam
7d79e6d7ca py-cryptodome: updated to 3.7.0
3.7.0:

New features
* Added support for Poly1305 MAC (with AES and ChaCha20 ciphers for key derivation).
* Added support for ChaCha20-Poly1305 AEAD cipher.
* New parameter output for Crypto.Util.strxor.strxor, Crypto.Util.strxor.strxor_c,
  encrypt and decrypt methods in symmetric ciphers (Crypto.Cipher package).
  output is a pre-allocated buffer (a bytearray or a writeable memoryview)
  where the result must be stored.
  This requires less memory for very large payloads; it is also more efficient when
  encrypting (or decrypting) several small payloads.

Resolved issues
* AES-GCM hangs when processing more than 4GB at a time on x86 with PCLMULQDQ instruction.

Breaks in compatibility
* Drop support for Python 3.3.
* Remove Crypto.Util.py3compat.unhexlify and Crypto.Util.py3compat.hexlify.
* With the old Python 2.6, use only ctypes (and not cffi) to interface to native code.
2018-10-29 11:07:21 +00:00
leot
7f7915487e *: (belatedly) revbump for net/libsoup update
Thanks to <wiz>!
2018-10-24 21:11:45 +00:00
bsiegert
eb1ea8bf6a Revbump packages that depend on hunspell.
The recent hunspell update has changed the name of the library, so these
need to be rebuilt.

prodded by wiz@ and leot@.
2018-10-24 15:42:46 +00:00
jperkin
950dcb0882 clamav: Fix build on SunOS C99. 2018-10-24 14:10:59 +00:00
jperkin
755cc366fd mozilla: Don't --enable-pie on SunOS. 2018-10-23 12:33:03 +00:00
jperkin
2a9fa82e5d py-rsa: Ensure previous fix works with python2. 2018-10-23 09:55:09 +00:00
jperkin
f8bfa3edd0 security/ruby-bcrypt_pbkdf: Add u_int*_t compat. 2018-10-19 17:03:10 +00:00
jperkin
8c8933ecff ruby-metasploit-payloads: SSP skip bundled Android libs. 2018-10-19 15:27:24 +00:00
jperkin
34253b0d65 py-rsa: Pull in build fix from sybrenstuvel/python-rsa#122 2018-10-19 14:36:10 +00:00
adam
b09678b01c py-certifi: updated to 2018.10.15
2018.10.15:
Unknown changes
2018-10-18 19:44:30 +00:00
maya
6bcb1cccb8 libssh: update to 0.7.6. security fix.
version 0.7.6 (released 2018-10-16)
  * Fixed CVE-2018-10933
  * Added support for OpenSSL 1.1
  * Added SHA256 support for ssh_get_publickey_hash()
  * Fixed config parsing
  * Fixed random memory corruption when importing pubkeys

version 0.7.5 (released 2017-04-13)
  * Fixed a memory allocation issue with buffers
  * Fixed PKI on Windows
  * Fixed some SSHv1 functions
  * Fixed config hostname expansion

version 0.7.4 (released 2017-02-03)
  * Added id_ed25519 to the default identity list
  * Fixed sftp EOF packet handling
  * Fixed ssh_send_banner() to conform with RFC 4253
  * Fixed some memory leaks
2018-10-16 20:25:25 +00:00
jaapb
bbf8742a9e Updated security/ocaml-safepass to version 3.0.
Changes include:
- use jbuilder for building
- allow picking different versions of Bcrypt hashes
- use unbuffered IO to read only required number of bytes from /dev/urandom
2018-10-15 11:26:59 +00:00
adam
f9ae290f5c py-libtaxii: updated to 1.1.111
Version 1.1.111:
Update clients.py to work with Python 2.6, 3.3, 3.5, and 3.6.
Add Python 3.6 support.
Handle Unicode- and byte-strings consistently.
Add timeout parameter to call_taxii_service2 (@mbekavac)
Add support for STIX 1.2.
Add user_agent parameter to call_taxii_service2
2018-10-15 11:17:08 +00:00
leot
676716cedd libtasn1: Update security/libtasn1 to 4.13
Changes:
- On indefinite string decoding, set a maximum level of allowed recursions
  (3) to protect the BER decoder from a stack exhaustion.
2018-10-13 23:23:20 +00:00
mlelstv
909c32eae5 update from 0.16.0 to 0.19.0
Project moved from sourceforge to github.
2018-10-13 10:54:04 +00:00
mlelstv
d1a26a9afc update from 1.8.20 to 1.8.24
new master site https://pcsclite.apdu.fr
2018-10-13 10:52:35 +00:00
spz
7e787fb5c6 this gpgme wants gpgrt_calloc etc that are introduced with libgpg-error 1.28 2018-10-11 17:49:26 +00:00
adam
7468cfe03d easy-rsa: updated to 3.0.5
3.0.5:
Fix: use AES256 for CA key
Also, don't use read -s, use stty -echo
Fix broken "nopass" option
Add -r to read to stop errors reported by shellcheck (and to behave)
remove overzealous quotes around $pkcs_opts (more SC errors)
Support for LibreSSL (now works on latest version of MacOS)
EasyRSA version will be reported in certificate comments
Client certificates now expire in 3 years (1080 days) by default
2018-10-11 09:13:30 +00:00
fhajny
3ba08d9b25 ## 0.11.2 (October 2nd, 2018)
CHANGES:

- `sys/seal-status` now includes an `initialized` boolean in the
  output. If Vault is not initialized, it will return a `200` with
  this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from
  being provided to backends based on a global denylist.

FEATURES:

- AWS Secret Engine Root Credential Rotation: The credential used by
  the AWS secret engine can now be rotated, to ensure that only Vault
  knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows
  offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise):
  AliCloud KMS can now be used as a seal for Auto Unseal and
  Seal Wrapping.

BUG FIXES:

- auth/okta: Fix reading deprecated `token` parameter if a token was
  previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is
  written
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too
  early
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry

IMPROVEMENTS:

- auth/aws: The identity alias name can now be configured to be either
  the IAM unique ID of the IAM Principal, or the ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog
  to allow operators to include environment variables during plugin
  execution.
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization
  Bearer header
- replication: Reindex process now runs in the background and does not
  block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing
  with a "force" flag
2018-10-07 20:19:38 +00:00
adam
6e001f15d3 py-rsa: updated to 4.0
Version 4.0:
- Removed deprecated modules:
    - rsa.varblock
    - rsa.bigfile
    - rsa._version133
    - rsa._version200
- Removed CLI commands that use the VARBLOCK/bigfile format.
- Ensured that PublicKey.save_pkcs1() and PrivateKey.save_pkcs1() always return bytes.
- Dropped support for Python 2.6 and 3.3.
- Dropped support for Psyco.
- Miller-Rabin iterations determined by bitsize of key.
- Added function rsa.find_signature_hash() to return the name of the hashing
  algorithm used to sign a message. rsa.verify() now also returns that name,
  instead of always returning True.
- Add support for SHA-224 for PKCS1 signatures.
- Transitioned from requirements.txt to Pipenv for package management.
2018-10-07 10:41:52 +00:00
leot
0b72cb6185 sqlmap: Update security/sqlmap to 1.2.10
Changes:
- Unfortunately no changelog is provided, but according to the commit messages: bug fixes
  and misc improvements
2018-10-03 08:18:54 +00:00
triaxx
12e60941e2 sudo: update PLIST for zh_TW locale 2018-10-03 03:53:31 +00:00
wen
4a8e5dfaa9 Update to 0.31
Upstream changes:
0.31 Mon Sep 24 2018
    - Remove default of SHA256 for RSA keys. This has caused significant
      problems with downstream modules and it has always been possible to
      do $key->use_sha256_hash()
2018-10-02 12:26:12 +00:00
wen
33478dd820 Update to 2.060
Upstream changes:
2.060 2018/09/16
- support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too)
  Thanks to ppisar[AT]redhat.com for major help
  see also https://rt.cpan.org/Ticket/Display.html?id=126899
  TLS 1.3 support is not complete yet for session resume
2018-10-02 01:03:33 +00:00
tnn
a6418d59ed gnutls: be explicit about --without-idn 2018-09-27 18:32:35 +00:00
tnn
6951fef3b3 p11-kit: Avoid non-portable use of readlink(1) in Makefile. 2018-09-27 18:06:36 +00:00
wiz
dce46fbb13 zkt: switch to an existing bind version
Only used on DragonFly
2018-09-27 04:23:12 +00:00
ryoon
7f19b6b9bf Fix segfault from -y case
* Bump PKGREVISION
2018-09-26 05:04:09 +00:00
adam
8c300d0786 py-oauth2client: updated to 4.1.3
v4.1.3

**Note**: oauth2client is deprecated. No more features will be added to the
libraries and the core team is turning down support.

* Changed OAuth2 endpoints to use oauth2.googleapis.com variants.
2018-09-24 09:52:24 +00:00
bsiegert
7ad478b4c3 Use correct versioned Go dependency, subst go tool path. 2018-09-23 18:39:22 +00:00
taca
003dd17690 security/ruby-rex-powershell: update to 0.1.79
0.1.78 (2018-06-21)

* Land #13, Update cmd_psh_payload to simplify exec_in_place

0.1.79 (2018-08-01)

* Land #12, Update GetMethod for GetProcAddress for Windows 10 1803
2018-09-23 18:02:07 +00:00
taca
0933551c2a security/ruby-rex-exploitation: update to 0.1.19
0.1.18

* Add CmdStager option to skip command compression

0.1.19

* Rename opts[:nocompress] to opts[:noconcat]
2018-09-23 18:00:56 +00:00
taca
9dc1f7620a security/ruby-rex-text: update to 0.2.21
0.2.17 (2018-02-09)

* Land #9, remove use of 'fun' keyword
* Land #10, add rand_country

0.2.18 (2018-04-12)

* Land #11, ranges for rand_base and rand_text_*

0.2.19 (2018-04-18)

* Land #13, add text encryption / encoding wrappers

0.2.20 (2018-04-18)

* Land #14, remove RC4/SHA256 support
* Land #12, bump ruby deps

0.2.21 (2018-06-13)

* Land #16, simplify shuffle_a implementation
* Land #17, speedup to_mixed_case_array
* Land #18, use single regular expression for strict case
* Land #19, remove unnecessary gsub regex to remove newline
* Land #21, add SHA2 digest wrappers
2018-09-23 18:00:00 +00:00
taca
c1b049ba03 security/ruby-rex-socket: update to 0.1.15
0.1.13

* add helper methods for determining supported SSL version methods

0.1.14

* Add IPv6 support to addr_atoc and addr_ctoa

0.1.15

* SSH socket registration removed
2018-09-23 17:58:47 +00:00
taca
499948e37f security/ruby-metasploit_payloads-mettle: update to 0.4.2
No proper change log is available.  Please refer to the commit log:
<https://github.com/rapid7/mettle/commits/master>.
2018-09-23 17:57:29 +00:00
taca
370b0d6971 security/ruby-metasploit-payloads: update to 1.3.49
No proper change log is available.  Please refer to the commit log:
<https://github.com/rapid7/metasploit-payloads/commits/master>.
2018-09-23 17:55:58 +00:00
taca
c86a47868c security/ruby-sshkit: update to 1.17.0
## [1.17.0][] (2018-07-07)

  * [#430](https://github.com/capistrano/sshkit/pull/430): [Feature] Command Argument STDOUT/capistrano.log Hiding - [@NorseGaud](https://github.com/NorseGaud)

## [1.16.1][] (2018-05-20)

  * [#425](https://github.com/capistrano/sshkit/pull/425): Command#group incorrectly escapes double quotes, resulting in a syntax error when specifying the group execution using `as`. This issue manifested when user command quotes changed from double quotes to single quotes. This fix removes the double quote escaping - [@pblesi](https://github.com/pblesi).
2018-09-23 16:13:49 +00:00
taca
13aecfe3da security/ruby-nexpose: update to 7.2.1
v7.2.1 (2018-06-01)

Merged pull requests:

* When passed a filename, download a report in chunks #321 (toofishes)
2018-09-23 16:11:24 +00:00
taca
f18c036194 security/ruby-net-ssh: update to 5.0.2
=== 5.0.2

  * fix ctr for jruby [#612]

=== 5.0.1

  * default_keys were not loaded even if no keys or key_data options specified [#607]

=== 5.0.0

 * Breaking change: ed25519 now requires ed25519 gem instead of RbNaCl gem [#563]
 * Verify_host_key options rename (true, false, :very, :secure deprecated; new equivalents are :never, :accept_new_or_local_tunnel, :accept_new, :always) [Jared Beck, #595]

=== 5.0.0.rc2

 * Add .dll extensions to dlopen on cygwin [#603]
 * Fix host certificate validation [#601]

=== 5.0.0.rc1

 * Fix larger than 4GB file transfers [#599]
 * Update HTTP proxy to version 1.1 [Connor Dunn, #597]

=== 5.0.0.beta2

 * Support for sha256 pubkey fingerprint [Tom Maher, #585]
 * Don't try to load default_keys if key_data option is used [Josh Larson, #589]
 * Added fingerprint_hash defaulting to SHA256 as fingerprint format, and MD5 can be used as an option [Miklós Fazekas, #591]

=== 5.0.0.beta1

 * Don't leave proxy command as zombie on timeout [DimitriosLisenko, #560]
 * Use OpenSSL for aes*-ctr for up to 5x throughput improvement [Miklós Fazekas, Harald Sitter, #570]
 * Optimize slice! usage in CTR for up to 2x throughput improvement [Harald Sitter, #569]
 * Replace RbNaCl dependency with ed25519 gem [Tony Arcieri, #563]
 * Add initial Match support [Kasumi Hanazuki, #553]
2018-09-23 16:08:58 +00:00
taca
a7290f3e27 security/ruby-bcrypt: update to 3.1.12
3.1.12 May 16 2018
  - Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
  - Fix compatibility with libxcrypt [GH #164 by @besser82]
2018-09-23 16:05:28 +00:00
leot
1ca7c1ee7a password-store: Adjust BASE64 definition as part of fixsh SUBST class
Instead of using a generic `base64' initialize the BASE64 variable in order to
actually use converters/base64 (this was problematic when for example NetBSD
base64(1) was used).

Bump PKGREVISION
2018-09-23 12:39:19 +00:00
taca
bff087ce15 security/sudo: update to 1.8.25p1
What's new in Sudo 1.8.25p1

 * Fixed a bug introduced in sudo 1.8.25 that caused a crash on
   systems that have the poll() function but not the ppoll() function.
   Bug #851.
2018-09-23 03:48:20 +00:00
wiz
703e2bf1cc gnutls: add another REPLACE_BASH so the tests all run through 2018-09-21 14:20:11 +00:00
adam
03582f6e6c py-paramiko: updated to 2.4.2
2.4.2:
Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication.

Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).

Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
2018-09-21 11:04:16 +00:00
adam
300f5c526b py-asyncssh: updated to 1.14.0
Release 1.14.0:
Changed license from EPL 1.0 to EPL 2.0 with GPL 2.0 or later as an available secondary license.
Added support for automatically parallelizing large reads and writes made using the SFTPClientFile class, similar to what was already available in the get/put/copy methods of SFTPClient.
Added support for get_extra_info() in SSH process classes, returning information associated with the channel the process is tied to.
Added new set_extra_info() method on SSH connection and channel classes, allowing applications to store additional information on these objects.
Added handlers for OpenSSH keepalive global & channel requests to avoid messages about unknown requests in the debug log. These requests are still logged, but at debug level 2 instead of 1 and they are not labeled as unknown.
Fixed race condition when closing sockets associated with forwarded connections.
Improved error handling during connection close in SFTPClient.
Worked around issues with integer overflow on systems with a 32-bit time_t value when dates beyond 2038 are used in X.509 certificates.
Added guards around some imports and tests which were causing problems on Fedora 27.
Changed debug level for reporting PTY modes from 1 to 2 to reduce noise in the logs.
Improved SFTP debug log output when sending EOF responses.
2018-09-21 10:58:59 +00:00
adam
08305a393a sudo: updated to 1.8.25
What's new in Sudo 1.8.25

 * Fixed a bug introduced in sudo 1.8.20 that broke formatting of
   I/O log timing file entries on systems without a C99-compatible
   snprintf() function.  Our replacement snprintf() doesn't support
   floating point so we can't use the "%f" format directive.

 * I/O log timing file entries now use a monotonic timer and include
   nanosecond precision.  A monotonic timer that does not increment
   while the system is sleeping is used where available.

 * Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
   backend was not being properly parsed.

 * When sudo runs a command in a pseudo-tty, the slave device is
   now closed in the main process immediately after starting the
   monitor process.  This removes the need for an AIX-specific
   workaround that was added in sudo 1.8.24.

 * Added support for monotonic timers on HP-UX.

 * Fixed a bug displaying timeout values in the "sudo -V" output.
   The value displayed was 3600 times the actual value.

 * Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
   and define rsize_t in string.h.

 * The testsudoers utility now supports querying an LDIF-format
   policy.

 * Sudo now sets the LOGIN environment variable to the same value as
   LOGNAME on AIX systems.

 * Fixed a regression introduced in sudo 1.8.24 where the LDAP and
   SSSD backends evaluated the rules in reverse sudoOrder.
2018-09-21 10:33:34 +00:00
leot
d239733a29 password-store: Remove no longer needed patch-contrib_dmenu_passmenu
xdotool-3.20160805.1 supports the --file option.

Please also note that with the previous patch spaces in password
were ignored possibly leading to surprising and incorrect paste,
sorry for that! (now they should work fine)

Bump PKGREVISION
2018-09-19 09:45:18 +00:00
schmonz
1dc8084740 Remove decade-old warning that stunnel moved from sbin to bin. 2018-09-14 16:37:41 +00:00
fhajny
fbd28ecc36 security/openssl: Update to 1.0.2p.
- Client DoS due to large DH parameter

  During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  malicious server can send a very large prime value to the client. This will
  cause the client to spend an unreasonably long period of time generating a
  key for this prime resulting in a hang until the client has finished. This
  could be exploited in a Denial Of Service attack.

  This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
  (CVE-2018-0732)
  [Guido Vranken]

- Cache timing vulnerability in RSA Key Generation

  The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  a cache timing side channel attack. An attacker with sufficient access to
  mount cache timing attacks during the RSA key generation process could
  recover the private key.

  This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
  Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
  (CVE-2018-0737)
  [Billy Brumley]

- Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  parameter is no longer accepted, as it leads to a corrupt table.  NULL
  pem_str is reserved for alias entries only.
  [Richard Levitte]

- Revert blinding in ECDSA sign and instead make problematic addition
  length-invariant. Switch even to fixed-length Montgomery multiplication.
  [Andy Polyakov]

- Change generating and checking of primes so that the error rate of not
  being prime depends on the intended use based on the size of the input.
  For larger primes this will result in more rounds of Miller-Rabin.
  The maximal error rate for primes with more than 1080 bits is lowered
  to 2^-128.
  [Kurt Roeckx, Annie Yousar]

- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  [Kurt Roeckx]

- Add blinding to ECDSA and DSA signatures to protect against side channel
  attacks discovered by Keegan Ryan (NCC Group).
  [Matt Caswell]

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  now allow empty (zero character) pass phrases.
  [Richard Levitte]

- Certificate time validation (X509_cmp_time) enforces stricter
  compliance with RFC 5280. Fractional seconds and timezone offsets
  are no longer allowed.
  [Emilia Käsper]
2018-09-12 12:44:17 +00:00
schmonz
f80e881160 Update to 5.49. From the changelog:
* New features
  - Performance optimizations.
  - Logging of negotiated or resumed TLS session IDs (thx
    to ANSSI - National Cybersecurity Agency of France).
  - Merged Debian 10-enabled.patch and 11-killproc.patch
    (thx to Peter Pentchev).

* Bugfixes
  - Fixed a crash in the session persistence implementation.
  - Fixed syslog identifier after configuration file reload.
  - Fixed non-interactive "make check" invocations.
  - Fixed reloading syslog configuration.
  - stunnel.pem created with SHA-256 instead of SHA-1.
  - SHA-256 "make check" certificates.
2018-09-11 09:43:41 +00:00
schmonz
7570c0498e Update to 4.0.4. From the git log:
- Make regular expression accept a whitespace after CN.
- Don't fail on openssl 1.1 output
- Add documentation and support for Red Hat openssl directories
- fix parsing of new (?) openssl output format
- Fix broken Markdown headings
- FIX CN parsing to work with OpenSSL 1.1
- Make acme_tiny.py executable in index
- Minor tweak that makes deploying a tiny bit easier
- OpenSSL output seems to have changed another time.
- fixed changing error message
- fixed more error message case changes
- Fix typos
- switched to grabbing the agreement url from /directory, addresses #145, #148, #172, #189
- damn python3 bytes-to-strings encoding gets you again...
- added python 3.6 to test coverage
- update SSL config
- mostly working ACMEv2, except for letsencrypt/boulder#3367
- deprecated CA url in favor of using the direct certificate authority directory url
- added badNonce retries
- consolidated external commandline execution error handling to bring back under 200 lines of code
- removed challenge payload that is no longer needed in new acme spec
- updated test coverage to ignore new setup.py file (setup install still gets tested via test_install.py)
- updated readme to note that ACME v2 certificate downloads now include the intermediate certificate
- added optional contact details
- fixed buffer to unicode decoding for tests
- cleaned up help and copyright text
- Readme: Only needs access to private account key
- added tiny user agent
- don't skip ValueError when urlopen(Request(nonvalid, ...))
2018-09-08 18:52:18 +00:00
fhajny
c311f77703 security/hitch: Update to 1.4.8.
hitch-1.4.8 (2018-04-19)
------------------------

- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged
  user.

hitch-1.4.7 (2018-01-11)
------------------------

- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to
  OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in
  the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if redundant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters
  available through command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the
  pipe's write end open, leaking one file descriptor per worker upon
  reload
2018-09-07 13:54:45 +00:00
fhajny
d0fc14b184 security/vault: Update to 0.11.1.
SECURITY:

- Random Byte Reading in Barrier: Prior to this release, Vault was not
  properly checking the error code when reading random bytes for the IV for
  AES operations in its cryptographic barrier. Specifically, this means that
  such an IV could potentially be zero multiple times, causing nonce re-use
  and weakening the security of the key. On most platforms this should never
  happen because reading from kernel random sources is non-blocking and always
  successful, but there may be platform-specific behavior that has not been
  accounted for. (Vault has tests to check exactly this, and the tests have
  never seen nonce re-use.)

FEATURES:

- AliCloud Agent Support: Vault Agent can now authenticate against the
  AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.

IMPROVEMENTS:

- core: Logging level for most logs (not including secrets/auth plugins) can
  now be changed on-the-fly via `SIGHUP`, reading the desired value from
  Vault's config file

BUG FIXES:

- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
  storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
  certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
  error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
  to show up for unauthenticated users
2018-09-06 20:41:53 +00:00
adam
210800f5a9 py-trustme: added version 0.4.0
trustme is a tiny Python package that does one thing: it gives you a fake
certificate authority (CA) that you can use to generate fake TLS certs to use
in your tests. Well, technically they're real certs, they're just signed by
your CA, which nobody trusts. But you can trust it. Trust me.
2018-09-06 13:36:16 +00:00
adam
ae27f264b5 py-paramiko: BUILD_DEPENDS -> TEST_DEPENDS 2018-09-06 13:28:00 +00:00
fhajny
8665bb2c38 security/py-certbot-dns-rfc2136: Fix EGG_NAME. 2018-09-06 12:26:43 +00:00
fhajny
da4b10957e py-{acme,certbot}: Update to 0.27.0.
## 0.27.0 - 2018-09-05

### Added

- The Apache plugin now accepts the parameter --apache-ctl which can
  be used to configure the path to the Apache control script.

### Changed

- When using `acme.client.ClientV2` (or
 `acme.client.BackwardsCompatibleClientV2` with an ACME server that
 supports a newer version of the ACME protocol), an
 `acme.errors.ConflictError` will be raised if you try to create
 an ACME account with a key that has already been used. Previously,
 a JSON parsing error was raised in this scenario when using the
 library with Let's Encrypt's ACMEv2 endpoint.

### Fixed

- When Apache is not installed, Certbot's Apache plugin no longer
  prints messages about being unable to find apachectl to the
  terminal when the plugin is not selected.
- If you're using the Apache plugin with the --apache-vhost-root flag
  set to a directory containing a disabled virtual host for the
  domain you're requesting a certificate for, the virtual host will
  now be temporarily enabled if necessary to pass the HTTP challenge.
- The documentation for the Certbot package can now be built using
  Sphinx 1.6+.
- You can now call `query_registration` without having to first call
  `new_account` on `acme.client.ClientV2` objects.
- The requirement of `setuptools>=1.0` has been removed from
  `certbot-dns-ovh`.
- Names in certbot-dns-sakuracloud's tests have been updated to refer
  to Sakura Cloud rather than NS1 whose plugin certbot-dns-sakuracloud
  was based on.

## 0.26.1 - 2018-07-17

### Fixed

- Fix a bug that was triggered when users who had previously manually
  set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.
2018-09-06 12:25:26 +00:00
leot
70f6e58fbf sqlmap: Update security/sqlmap to 1.2.9
Changes:
Unfortunately no changelog is provided upstream. According to a skimming of
commit messages, mostly bug fixes since 1.2.
2018-09-05 19:34:03 +00:00
ryoon
cf4a7b7df0 Update to 2.2.10
Changelog:
Noteworthy changes in version 2.2.10 (2018-08-30)
-------------------------------------------------

  gpg: Refresh expired keys originating from the WKD.  [#2917]

  gpg: Use a 256 KiB limit for a WKD imported key.

  gpg: New option --known-notation.  [#4060]

  scd: Add support for the Trustica Cryptoucan reader.

  agent: Speed up starting during on-demand launching.  [#3490]

  dirmngr: Validate SRV records in WKD queries.
2018-09-05 15:41:12 +00:00
adam
68c7635d39 Removed py-oauth, py-oauth2 2018-09-05 09:21:51 +00:00
prlw1
e5803b7a41 Update p11-kit to 0.23.14
0.23.14 (stable)
 * proxy: Avoid invalid memory access when unloading proxy module [PR#180]
 * Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
 * build: Restore libpthread dependency [PR#183]
 * Build fixes [PR#188]
2018-09-05 08:34:10 +00:00
fhajny
eeb98c4ce9 security/duo-unix: Update to 1.10.4.
duo_unix-1.10.4:

- Removed failmode decision from auth endpoint and moved it to only
  preauth according to standards in our other integrations
- Updated Duo Unix to speak up to TLS 1.2
- Support for LibreSSL 2.7.0 and up
- Minor memory leak fixes
- Output message when user is locked out

duo_unix-1.10.3:

- Added support for http_proxy with SELinux enabled

duo_unix-1.10.2:

- Added default failmode values in config files
2018-09-04 14:43:09 +00:00
minskim
356082c4c1 security/botan{,-devel}: Designate doc dir explicitly
Before this change, botan{,-devel} installed documents in
${PREFIX}/doc, not ${PREFIX}/share/doc, on Darwin.
2018-09-04 00:02:02 +00:00
fhajny
08a9017f6f security/vault: Update to 0.11.0.
DEPRECATIONS/CHANGES:

- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
  removed.
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operate on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If your flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces the
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.

FEATURES:

- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
  environment.
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on vaultproject.io for
  various workflows in Vault.

IMPROVEMENTS:

- agent: Add `exit_after_auth` to be able to use the Agent for a single
  authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.

BUG FIXES:

- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races
2018-09-03 18:59:08 +00:00
wiz
55240344c6 py-certifi: update to 2018.8.24.
Changes not documented.
2018-09-03 10:51:36 +00:00
bsiegert
61f3121d56 Update tcl-tls to 1.7.16.
This restores compatibility with OpenSSL 1.1.0. Local patches are no longer
needed.

Patch from Anthony Mallet in PR pkg/53534.
2018-09-02 18:37:26 +00:00
tnn
9e50581271 p11-kit: Hide getauxval(). PR pkg/53387 (related to port-arm/53386) 2018-09-02 07:49:51 +00:00
wiz
3ecfc489ce p5-Net-DNS-SEC: update to 1.10.
**** 1.10 Aug 31, 2018

	make test_cover
	now collects SEC.xs test coverage metrics using gcc and gcov.
2018-09-02 07:36:05 +00:00
wiz
1dd377b36d p5-Module-Signature: update to 0.83.
[Changes for 0.83 - Wed Aug 29 17:33:12 JST 2018]

* Update META.yml.
2018-09-02 07:33:35 +00:00
tnn
d34cdf2feb google-authenticator: update to 1.05
- upstream renamed to google-authenticator-libpam,
  but keep our existing PKGNAME in pkgsrc for now
- convert to github.mk style package
- install documentation
- other upstream changes unknown
2018-08-29 11:12:36 +00:00
wiz
e910ad949e p5-Module-Signature: update to 0.82.
[Changes for 0.82 - Sun Aug 26 23:00:04 CST 2018]

* Fix CRLF handling on Win32. (@niklasholm)

* Default to SHA256 on new hashes as SHA1 is deprecated. (@niklasholm)
2018-08-29 06:27:47 +00:00
adam
1cfd1115df py-py-bcrypt: removed; successor py-bcrypt 2018-08-28 11:47:52 +00:00
triaxx
2532a43fae openpam: add example configuration files
sudo compiled with -pam and PREFER_PKGSRC=yes now works out of the box
2018-08-27 08:59:52 +00:00
he
9465ca8d6d Add a fix for CVE-2017-13755, pointed to from
https://github.com/sleuthkit/sleuthkit/issues/913
Bump PKGREVISION.
2018-08-23 07:47:34 +00:00
wiz
93b46879c7 Recursive bump for perl5-5.28.0 2018-08-22 09:43:40 +00:00
wiz
9bd737fe76 Recursive bump for perl5-5.28.0 2018-08-22 09:42:51 +00:00
wiz
2e574303af p5-IO-Socket-SSL: update to 2.059.
2.059 2018/08/15
- fix memleak when CRL are used.
  Thanks to Franz Skale for report and patch
  https://rt.cpan.org/Ticket/Display.html?id=125867
- fix memleak when using stop_SSL and threads, reported by Paul Evans
  https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132
2.058 2018/07/19
- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
  expects the extKeyUsage of clientAuth in the client cert also to be allowed
  by the CA if CA uses extKeyUsage
2.057 2018/07/18
- fix memory leak which occurred with explicit stop_SSL in connection with
  non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867
  Thanks to Paul Evans for reporting
- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
  nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting number
  or callback to create serial number based on the original certificate
- new function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct value
2018-08-21 12:06:03 +00:00
wiz
6ab4ae5310 gnutls: Fix path to bash in installed files.
Bump PKGREVISION.
2018-08-20 06:01:25 +00:00
wiz
0250020153 *: reset maintainer for drochner 2018-08-19 20:16:39 +00:00
wiz
88ea67c366 py-certifi: update to 2018.8.13.
Changes not found.
2018-08-19 18:13:49 +00:00
wiz
625589655e gnutls: remove obsolete configure argument 2018-08-19 09:16:01 +00:00
adam
7fb7116c0d sudo: updated to 1.8.24
Sudo 1.8.24

 * The LDAP and SSS back-ends now use the same rule evaluation code
   as the sudoers file backend.  This builds on the work in sudo
   1.8.23 where the formatting functions for "sudo -l" output were
   shared.  The handling of negated commands in SSS and LDAP is
   unchanged.

 * Fixed a regression introduced in 1.8.23 where "sudo -i" could
   not be used in conjunction with --preserve-env=VARIABLE.

 * cvtsudoers can now parse base64-encoded attributes in LDIF files.

 * Random insults are now more random.

 * Fixed the noexec wordexp(3) test on FreeBSD.

 * Added SUDO_CONV_PREFER_TTY flag for conversation function to
   tell sudo to try writing to /dev/tty first. Can be used in
   conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.

 * Sudo now supports an arbitrary number of groups per user on
   Solaris.  Previously, only the first 64 groups were found.
   This should remove the need to set "max_groups" in sudo.conf.

 * Fixed typos in the OpenLDAP sudo schema.

 * Fixed a race condition when building with parallel make.

 * Fixed a duplicate free when netgroup_base in ldap.conf is set
   to an invalid value.

 * Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent
   local users and groups from being resolved properly on systems
   that have users stored in NIS, LDAP or AD.

 * Added a workaround for an AIX bug exposed by a change in sudo
   1.8.23 that prevents the terminal mode from being restored when
   I/O logging is enabled.

 * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD
   and PAM_AUTHTOK_EXPIRED errors from PAM account management if
   authentication is disabled for the user.  This fixes a regression
   introduced in sudo 1.8.23.

 * Fixed an ambiguity in the sudoers manual in the description and
   definition of User, Runas, Host, and Cmnd Aliases.

 * Fixed a bug that resulted in only the first window size change
   event being logged.

 * Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that
   caused sudo to prompt for a password every time when tty-based
   time stamp files were in use.

 * Fixed a compilation problem on systems that define O_PATH or
   O_SEARCH in fcntl.h but do not define O_DIRECTORY.
2018-08-19 08:46:44 +00:00
wiz
73662a10f8 gnutls: build-depend on bash for the tests.
Replace interpreter in more shell scripts. Gets tests further along.
2018-08-19 06:28:39 +00:00
wiz
cf137b353a p11-kit: update to 0.23.13.
0.23.13 (stable)
 * server: Enable socket activation through systemd [PR#173]
 * rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
 * proxy: Fail early if there is no slot mapping [PR#175]
 * Remove hard dependency on libpthread on glibc systems [PR#177]
 * Build fixes [PR#170, PR#176]
2018-08-19 05:00:41 +00:00
adam
6fe7aebb5e py-cryptodome: updated to 3.6.6
3.6.6:
Resolved issues
Fix vulnerability on AESNI ECB with payloads smaller than 16 bytes.
2018-08-18 20:57:30 +00:00
adam
9d06c0a472 revbump after boost-libs update 2018-08-16 18:54:26 +00:00
wiz
9bc4853b12 polkit: update to 0.115.
This is polkit 0.115.

Highlights:
 Fixes CVE-2018-1116, a local information disclosure and denial of service
 caused by trusting client-submitted UIDs when referencing processes.
 Thanks to Matthias Gerstner of the SUSE security team for reporting
 this issue.

Changes since polkit 0.114:

Miloslav Trmač (1):
      Fix CVE-2018-1116: Trusting client-supplied UID

Ray Strode (3):
      Post-release version bump to 0.115
      jsauthority: pass "%s" format string to remaining report function
      NEWS: fix date from 2017 to 2018 for 0.114 entry
2018-08-16 12:30:43 +00:00
wiz
b10361d25b gnutls: update to 3.6.3.
* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
   negotiation, post handshake authentication, length hiding, multiple OCSP support,
   consistent ciphersuite support across protocols, hello retry requests, ability
   to adjust key shares via gnutls_init() flags, certificate authorities extension,
   and key usage limits. TLS1.3 draft-28 support can be enabled by default if
   the option --enable-tls13-support is given to the configure script.

** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
   earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings
   TLS 1.3 will be disabled. When Anonymous ciphersuites are specified in priority
   strings, then TLS 1.3 negotiation will be disabled if the session is associated
   only with an anonymous credentials structure.

** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
   This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12,
   and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
   256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357),
   and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
   as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
   priority strings, as they are undefined under TLS1.3 and they provide no advantage
   over other options in earlier protocols.

** The SSL 3.0 protocol is disabled at compile-time by default. It can be re-enabled
   by specifying --enable-ssl3-support to the configure script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
   operations.

** libgnutls: Introduced low-level function to assist applications attempting client
   hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
   modifications to the certificate. That prevents DER re-encoding issues with incorrectly
   encoded certificates, or other DER incompatibilities to affect a TLS session.
   Relates with #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
   which are preferred by the server. That unfortunately has complicated semantics
   as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering,
   which could make group order unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
   and Adi Shamir reported that the existing counter-measures had certain issues and
   were insufficient when the attacker has additional access to the CPU cache and
   performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
   of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
   GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
   change for these functions which makes them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().

** certtool: It is now possible to specify certificate and serial CRL numbers greater
   than 2**63-2 as a hex-encoded string both when prompted and in a template file.
   Default certificate serial numbers are now fully random. Default CRL
   numbers include more random bits and are larger than in previous GnuTLS versions.
   Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually
   if you intend to later downgrade to previous versions as it was not possible
   to specify large CRL numbers in previous versions of certtool.
2018-08-16 11:05:47 +00:00
adam
bf527df93b py-cryptography[_vectors]: updated to 2.3.1
2.3.1:
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0i.
2018-08-15 08:21:42 +00:00
adam
42cae68ce9 sudo: updated to 1.8.23
Sudo 1.8.23

 * PAM account management modules and BSD auto approval modules are
   now run even when no password is required.

 * For kernel-based time stamps, if no terminal is present, fall
   back to parent-pid style time stamps.

 * The new cvtsudoers utility replaces both the "sudoers2ldif" script
   and the "visudo -x" functionality.  It can read a file in either
   sudoers or LDIF format and produce JSON, LDIF or sudoers output.
   It is also possible to filter the generated output file by user,
   group or host name.

 * The file, ldap and sss sudoers backends now share a common set
   of formatting functions for "sudo -l" output, which is also used
   by the cvtsudoers utility.

 * The /run directory is now used in preference to /var/run if it
   exists.

 * More accurate descriptions of the --with-rundir and --with-vardir
   configure options.

 * The setpassent() and setgroupent() functions are now used on systems
   that support them to keep the passwd and group database open.
   Sudo performs a lot of passwd and group lookups so it can be
   beneficial to avoid opening and closing the files each time.

 * The new case_insensitive_user and case_insensitive_group sudoers
   options can be used to control whether sudo does case-sensitive
   matching of users and groups in sudoers.  Case insensitive
   matching is now the default.

 * Fixed a bug on some systems where sudo could hang on command
   exit when I/O logging was enabled.

 * Fixed the build-time process start time test on Linux when the
   test is run from within a container.

 * When determining which temporary directory to use, sudoedit now
   checks the directory for writability before using it.  Previously,
   sudoedit only performed an existence check.

 * Sudo now includes an optional set of Monty Python-inspired insults.

 * Fixed the execution of scripts with an associated digest (checksum)
   in sudoers on FreeBSD systems.  FreeBSD does not have a proper
   /dev/fd directory mounted by default and its fexecve(2) is not
   fully POSIX compliant when executing scripts.

 * Chinese (Taiwan) translation for sudo from translationproject.org.
2018-08-14 13:18:37 +00:00
adam
e7c520a2c0 py-cryptodome: updated to 3.6.5
3.6.5:
Fixed incorrect AES encryption/decryption with AES acceleration on x86 due to gcc’s optimization and strict aliasing rules.
More prime number candidates than necessary were discarded as composite due to the limited way D values were searched in the Lucas test.
Fixed ResourceWarnings and DeprecationWarnings.
Workaround for Python 3.7.0 bug on Windows
2018-08-13 07:20:10 +00:00
leot
43e45cebca password-store: Update security/password-store to 1.7.3
Discussed with and thanks to <imil>!
Changes:
1.7.3
-----
Pass 1.7.3 has been released with a few small bug fixes, including one
regression involving storing binary data in pass from 1.7.2.
2018-08-11 17:49:42 +00:00
schmonz
0af5130d14 According to <https://cr.yp.to/highspeed/coolnacl-20120725.pdf>, "NaCl
is in the public domain". Set LICENSE accordingly.
2018-08-08 08:10:24 +00:00
adam
e4c7652bec py-gssapi: updated to 1.5.1
1.5.1:
Remove warning about collections.abc usage for Python 3.7+
2018-08-07 08:23:09 +00:00
adam
d76b51319c py-asn1-modules: updated to 0.2.2
Revision 0.2.2:
- Copyright notice extended to the year 2018
- Migrated references from SourceForge
- rfc2986 module added
2018-08-06 19:30:15 +00:00
adam
ce6a2acccb py-asn1: updated to 0.4.4
Revision 0.4.4:
- Fixed native encoder type map to include all ASN.1 types
  rather than just ambiguous ones
- Fixed crash in .prettyPrint of Sequence and Set occurring
  at OPTIONAL components
2018-08-06 19:21:51 +00:00
schmonz
06032ebbfb Update to 5.48. From the changelog:
* Security bugfixes
  - Fixed requesting client certificate when specified
    as a global option.
* New features
  - Certificate subject checks modified to accept certificates
    if at least one of the specified checks matches.
2018-08-04 17:12:28 +00:00
jperkin
54dde50bd7 p11-kit: Build fix for older Darwin. 2018-08-01 19:18:19 +00:00
maya
dc2326e1e7 putty: fix build after gdk_beep became deprecated.
bump pkgrevision for paranoia.
2018-08-01 05:34:17 +00:00
jperkin
4e4b522485 lasso: _XOPEN_SOURCE and _POSIX_C_SOURCE fixes. 2018-07-31 12:39:34 +00:00
schmonz
822892c127 Rename 'async' parameter (Python 3.7 keyword). 2018-07-29 10:04:00 +00:00
brook
d1d2bdf864 Remove MASTER_SITES= from individual R package Makefiles.
Each R package should include ../../math/R/Makefile.extension, which also
defines MASTER_SITES.  Consequently, it is redundant for the individual
packages to do the same.  Package-specific definitions also prevent
redefining MASTER_SITES in a single common place.
2018-07-28 14:40:42 +00:00
jperkin
0f262c076b p5-Net-DNS-SEC: Requires openssl. 2018-07-27 20:37:05 +00:00
manu
0dc6ab1816 Build with OpenSSL < 1.1.0 that was patched to include EVP_CIPHER_CTX_iv 2018-07-25 01:16:04 +00:00
triaxx
2bc64cbe9a Add used by comment for py-certbot-dns-rfc2136. 2018-07-24 09:24:11 +00:00
triaxx
c66844dbf1 Improve DESCR that was a copy-paste of COMMENT. 2018-07-24 09:22:38 +00:00
triaxx
b40eb97620 Import www/py-certbot-dns-rfc2136 2018-07-24 09:17:08 +00:00
triaxx
feaa0bcd08 security/py-certbot-dns-rfc2136: import to 0.26.0 2018-07-24 09:15:07 +00:00
adam
25139dbcf9 py-asyncssh: updated to 1.13.3
1.13.3:
Added support for setting the Unicode error handling strategy in conjunction with setting an encoding when creating new SSH sessions, streams, and processes. This strategy can also be set when specifying a session encoding in create_server(), and when providing an encoding in the get_comment() and set_comment() functions on private/public keys and certificates.
Changed handling of Unicode in channels to use incremental codec, similar to what was previously done in process redirection.
Added Python 3.7 to the list of classifiers in setup.py, now that it has been released.
Updated Travis CI configuration to add Python 3.7 builds, and moved Linux builds on newer versions of Python up to xenial.
Added missing coroutine decorator in test_channel.
2018-07-24 06:09:33 +00:00
fhajny
dc6fe07987 security/erlang-jose: Provide workaround to build on erlang>=21. 2018-07-20 09:55:47 +00:00
fhajny
5a6b72843c security/erlang-fast_tls: Update to 1.0.23.
- Updating p1_utils to version 1.0.12.
- Add ability to get cipher used by connection
2018-07-20 09:02:12 +00:00
ryoon
b9c1e1d533 Recursive revbump from textproc/icu-62.1 2018-07-20 03:33:47 +00:00
jaapb
05083dc708 Recursive revbump associated with the update of lang/ocaml to 4.07. 2018-07-19 15:15:20 +00:00
adam
2615289b69 py-cryptography[_vectors]: updated to 2.3
2.3:

SECURITY ISSUE: cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the cryptography.hazmat.primitives.ciphers.modes.GCM constructor. CVE-2018-10903
Added support for Python 3.7.
Added cryptography.fernet.Fernet.extract_timestamp to get the authenticated timestamp of a Fernet token.
Support for Python 2.7.x without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next cryptography release.
Fixed multiple issues preventing cryptography from compiling against LibreSSL 2.7.x.
Added cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number for quick serial number searches in CRLs.
The cryptography.x509.RelativeDistinguishedName class now preserves the order of attributes. Duplicate attributes now raise an error instead of silently discarding duplicates.
cryptography.hazmat.primitives.keywrap.aes_key_unwrap and cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding now raise cryptography.hazmat.primitives.keywrap.InvalidUnwrap if the wrapped key is an invalid length, instead of ValueError.
2018-07-19 09:24:37 +00:00
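The two security-relevant items in the 2.3 changelog above, the GCM tag-length enforcement behind CVE-2018-10903 and the authenticated Fernet timestamp, shown as an added example. This is not code from the py-cryptography project or from the pkgsrc commit; it assumes the cryptography package (2.3 or later) is installed, and the key, nonce and messages are constructed demo values.

```python
"""Added example: AES-GCM tag truncation checks and Fernet's authenticated
timestamp, using the cryptography package (2.3+).  All key material below is
constructed demo data, not real secrets."""
import base64
import time

from cryptography.exceptions import InvalidTag
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed demo material.  A nonce must never be reused under one key in
# real code; a fixed one is used here only to keep the example deterministic.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(12)


def gcm_encrypt(key, nonce, plaintext, aad=b""):
    """AES-GCM encrypt; returns (ciphertext, full 16-byte tag)."""
    enc = Cipher(algorithms.AES(key), modes.GCM(nonce), backend=default_backend()).encryptor()
    enc.authenticate_additional_data(aad)
    ciphertext = enc.update(plaintext) + enc.finalize()
    return ciphertext, enc.tag


def gcm_decrypt(key, nonce, ciphertext, tag, aad=b"", min_tag_length=16):
    """AES-GCM decrypt, supplying the tag at the end via finalize_with_tag().

    Since 2.3 finalize_with_tag() refuses a tag shorter than the GCM mode's
    min_tag_length (default 16) with ValueError.  Before 2.3 a truncated tag
    was verified as-is, so anyone who could shorten a tag to 4 bytes needed
    only about 2**32 attempts to forge a message (CVE-2018-10903).
    """
    mode = modes.GCM(nonce, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode, backend=default_backend()).decryptor()
    dec.authenticate_additional_data(aad)
    plaintext = dec.update(ciphertext)
    dec.finalize_with_tag(tag)  # ValueError if too short, InvalidTag if wrong
    return plaintext


def truncated_tag_outcome(tag_bytes, min_tag_length=16, tamper=False):
    """Decrypt a demo message with its tag cut to tag_bytes, optionally with
    one ciphertext byte flipped.  Returns 'ok', 'rejected_short' (length
    policy) or 'rejected_forged' (tag mismatch)."""
    ct, tag = gcm_encrypt(DEMO_KEY, DEMO_NONCE, b"transfer 100 to alice", aad=b"v1")
    if tamper:
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    try:
        gcm_decrypt(DEMO_KEY, DEMO_NONCE, ct, tag[:tag_bytes], aad=b"v1",
                    min_tag_length=min_tag_length)
        return "ok"
    except ValueError:
        return "rejected_short"
    except InvalidTag:
        return "rejected_forged"


def fernet_timestamp_is_authenticated():
    """Issue a Fernet token, read its timestamp back with extract_timestamp(),
    then flip one timestamp byte and show the HMAC check catches it.
    Returns (timestamp_is_fresh, tamper_detected)."""
    f = Fernet(Fernet.generate_key())
    issued = int(time.time())
    token = f.encrypt(b"session=42")
    ts = f.extract_timestamp(token)
    fresh = issued <= ts <= issued + 5
    # Token layout: version (1 byte) | timestamp (8 bytes, big-endian seconds)
    # | IV (16) | ciphertext | HMAC (32).  Byte 8 is the low timestamp byte.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[8] ^= 0x01
    forged = base64.urlsafe_b64encode(bytes(raw))
    try:
        f.extract_timestamp(forged)
        tamper_detected = False
    except InvalidToken:
        tamper_detected = True
    return fresh, tamper_detected


if __name__ == "__main__":
    print("full tag        :", truncated_tag_outcome(16))
    print("4-byte tag      :", truncated_tag_outcome(4))
    print("8-byte, opted in:", truncated_tag_outcome(8, min_tag_length=8))
    print("8-byte, tampered:", truncated_tag_outcome(8, min_tag_length=8, tamper=True))
    print("fernet timestamp:", fernet_timestamp_is_authenticated())
```

The practitioner caveat is in the third call: lowering min_tag_length is an explicit opt-in, and a protocol that genuinely needs short GCM tags (some constrained-device formats do) should also bound how many messages are processed under one key, since the forgery bound shrinks with the tag.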
joerg
a19083df44 Mark packages that require C++03 (or the GNU variants) if they fail with
C++14 default language.
2018-07-18 00:06:10 +00:00
fhajny
50ab0d83fb net/py-{acme,certbot}: Update to 0.26.0.
### Added

- A new security enhancement which we're calling AutoHSTS has been
  added to Certbot's Apache plugin. This enhancement configures your
  webserver to send a HTTP Strict Transport Security header with a low
  max-age value that is slowly increased over time. The max-age value is
  not increased to a large value until you've successfully managed to
  renew your certificate. This enhancement can be requested with the
  --auto-hsts flag.
- New official DNS plugins have been created for Gehirn Infrastructure
  Service, Linode, OVH, and Sakura Cloud. These plugins can be found
  on our Docker Hub page at https://hub.docker.com/u/certbot and on
  PyPI.
- The ability to reuse ACME accounts from Let's Encrypt's ACMEv1
  endpoint on Let's Encrypt's ACMEv2 endpoint has been added.
- Certbot and its components now support Python 3.7.
- Certbot's install subcommand now allows you to interactively choose
  which certificate to install from the list of certificates managed
  by Certbot.
- Certbot now accepts the flag `--no-autorenew` which causes any
  obtained certificates to not be automatically renewed when it
  approaches expiration.
- Support for parsing the TLS-ALPN-01 challenge has been added back to
  the acme library.

### Changed

- Certbot's default ACME server has been changed to Let's Encrypt's
  ACMEv2 endpoint. By default, this server will now be used for both
  new certificate lineages and renewals.
- The Nginx plugin is no longer labeled as an "Alpha" version.
- The `prepare` method of Certbot's plugins is no longer called before
  running "Updater" enhancements that are run on every invocation of
  `certbot renew`.
2018-07-17 16:32:16 +00:00
adam
98191082f8 libgpg-error: updated to 1.32
version 1.32:
* Fixes a problem with gpgrt_fflush and gpgrt_fopencookie.
* Fixes a problem with the C11 header stdnoreturn.h.
* The yat2m tool can now also be built on Windows.
* Updates translations for Spanish, Russian and Ukrainian.
2018-07-17 06:38:02 +00:00
jperkin
589484bd12 mit-krb5: mmap -Werror=incompatible-pointer-types fixes. 2018-07-16 10:26:40 +00:00
ryoon
a66d0f5769 Update to 2.2.9
Changelog:
Noteworthy changes in version 2.2.9 (2018-07-12)
------------------------------------------------

  * dirmngr: Fix recursive resolver mode and other bugs in the libdns
    code.  [#3374,#3803,#3610]

  * dirmngr: When using libgpg-error 1.32 or later a GnuPG build with
    NTBTLS support (e.g. the standard Windows installer) no longer
    blocks for dozens of seconds before returning data.

  * gpg: Fix bug in --show-keys which actually imported revocation
    certificates.  [#4017]

  * gpg: Ignore too long user-ID and comment packets.  [#4022]

  * gpg: Fix crash due to bad German translation.  Improved printf
    format compile time check.

  * gpg: Handle missing ISSUER sub packet gracefully in the presence of
    the new ISSUER_FPR.  [#4046]

  * gpg: Allow decryption using several passphrases in most cases.
    [#3795,#4050]

  * gpg: Command --show-keys now enables the list options
    show-unusable-uids, show-unusable-subkeys, show-notations and
    show-policy-urls by default.

  * gpg: Command --show-keys now prints revocation certificates. [#4018]

  * gpg: Add revocation reason to the "rev" and "rvs" records of the
    option --with-colons.  [#1173]

  * gpg: Export option export-clean does now remove certain expired
    subkeys; export-minimal removes all expired subkeys.  [#3622]

  * gpg: New "usage" property for the drop-subkey filters.  [#4019]

  Release-info: https://dev.gnupg.org/T4036

  See-also: gnupg-announce/2018q3/000427.html
2018-07-16 01:00:22 +00:00
gdt
12e40ac41f zoneminder: adjust fix for printf/time_t
Rather than casting to long, cast to intmax_t and print with %jd, as
suggested by joerg@.
2018-07-14 15:03:57 +00:00
prlw1
02036c580e reallocarray exists in NetBSD's libc, so AC_CHECK_LIB will find it.
For some reason it is hidden in stdlib.h by _OPENBSD_SOURCE, so add
that to p11-kit's Makefile to avoid coredumps. Fixes PR pkg/53426.
2018-07-13 11:21:29 +00:00
gdt
8b461f98fa zoneminder: avoid %ld for time_t (int64_t, not long on arm)
zoneminder uses %ld to print tv.tv_sec, which is of type time_t.  On
NetBSD, that's int64_t, which happens to match long on amd64, but not
on arm, and hence printf often segfaults.  Kludge around this by
casting to long, which should work for about 20 years, by which time a
proper fix should have arrived in a zoneminder release.

Not yet raised upstream, because our package is 1.28.1 and upstream
has released 1.30.4.
2018-07-13 02:05:11 +00:00
adam
ff58ccfceb py-cryptodome: updated to 3.6.4
3.6.4:
New features
* Build Python 3.7 wheels on Linux, Windows and Mac.

Resolved issues
* Rename _cpuid module to make upgrades more robust.
* More meaningful exceptions in case of mismatch in IV length (CBC/OFB/CFB modes).
* Fix compilation issues on Solaris 10/11.
2018-07-11 07:59:33 +00:00
bsiegert
762a0da660 Do not use "naked" go invocations.
Use ${GO} instead.
2018-07-08 13:54:39 +00:00
prlw1
5f3352e029 Update gnutls to 3.6.2
* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considering the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added


* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support on the server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.
2018-07-06 16:15:28 +00:00
prlw1
6e2c215f5f Update p11-kit to 0.23.12
0.23.12 (stable)
 * Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]
 * Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]
 * Build and test fixes on macOS [PR#162, PR#168]

0.23.11 (stable)
 * trust: Add extractor for edk2/cacerts.bin [PR#139]
 * modules: Add option to control module visibility from proxy [PR#140]
 * trust: Prevent trust module being loaded by proxy module [PR#142]
 * library: Use dedicated locale object for printing error [PR#148]
 * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]
 * Improve const correctness for P11KitUri [PR#152]
 * PKCS#11 URI scheme comparison is now case insensitive [PR#156]
 * Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]
2018-07-06 15:33:39 +00:00
ryoon
4fea36abc2 Recursive revbump from audio/pulseaudio 2018-07-06 15:06:40 +00:00
adam
baeaaafae6 py-ntlm-auth: updated to 1.2.0
1.2.0:
Deprecated ntlm_auth.ntlm.Ntlm in favour of ntlm_auth.ntlm.NtlmContext.
This is because Ntlm is heavily geared towards HTTP auth, which is not always the case; NtlmContext makes things more generic.
Updated docs and tests to reflect this.
Dropped support for Python 3.3
2018-07-06 07:52:40 +00:00
jperkin
5393242c73 *: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-07-04 13:40:07 +00:00