Commit graph

8500 commits

Author SHA1 Message Date
wiz
da36760c3f Updated py-cryptography to 1.6.
1.6 - 2016-11-22
~~~~~~~~~~~~~~~~

* Deprecated support for OpenSSL 1.0.0. Support will be removed in
  ``cryptography`` 1.7.
* Replaced the Python-based OpenSSL locking callbacks with a C version to fix
  a potential deadlock that could occur if a garbage collection cycle occurred
  while inside the lock.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
  :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL
  1.1.0.
* Added
  :attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to
  :class:`~cryptography.x509.Certificate`.
* Added
  :attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid`
  support to :class:`~cryptography.x509.CertificateSigningRequest`.
* Added
  :attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid`
  support to :class:`~cryptography.x509.CertificateRevocationList`.
* Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`
  when using OpenSSL 1.1.0.
* Added a workaround to improve compatibility with Python application bundling
  tools like ``PyInstaller`` and ``cx_freeze``.
* Added support for generating a
  :meth:`~cryptography.x509.random_serial_number`.
* Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509
  certificates for use with :class:`~cryptography.x509.NameConstraints`.
* Added :meth:`~cryptography.x509.Name.public_bytes` to
  :class:`~cryptography.x509.Name`.
* Added :class:`~cryptography.x509.RelativeDistinguishedName`
* :class:`~cryptography.x509.DistributionPoint` now accepts
  :class:`~cryptography.x509.RelativeDistinguishedName` for
  :attr:`~cryptography.x509.DistributionPoint.relative_name`.
  Deprecated use of :class:`~cryptography.x509.Name` as
  :attr:`~cryptography.x509.DistributionPoint.relative_name`.
* :class:`~cryptography.x509.Name` now accepts an iterable of
  :class:`~cryptography.x509.RelativeDistinguishedName`.  RDNs can
  be accessed via the :attr:`~cryptography.x509.Name.rdns`
  attribute.  When constructed with an iterable of
  :class:`~cryptography.x509.NameAttribute`, each attribute becomes
  a single-valued RDN.
* Added
  :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
* Added support for signing and verifying RSA, DSA, and ECDSA signatures with
  :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
  digests.
2016-11-28 13:15:51 +00:00
wiz
cfb5183ffa Updated p5-IO-Socket-SSL to 2.039.
2.039 2016/11/20
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
  EOF without proper SSL shutdown. Since it looks like that this behavior will
  be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
  on SSL_ERROR_SYSCALL as EOF.
2016-11-28 13:00:16 +00:00
wiz
7a2077f62e Updated libgpg-error to 1.25.
Noteworthy changes in version 1.25 (2016-11-14) [C20/A20/R0]
-----------------------------------------------

 * New interface gpgrt_get_syscall_clamp to allow libaries to make use
   of Libgpg-error's system call wrapper functions.

 * gpgrt_poll does now work under Windows.

 * Fixed bug in the locking code when used with the nPth threading
   library.

 * Added support for {i686,x86_64}-apple-darwin.

 * Added new error codes.

 * Interface changes relative to the 1.23 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgrt_get_syscall_clamp          NEW.
 GPG_ERR_ENGINE_TOO_OLD	          NEW.
 GPG_ERR_WINDOW_TOO_SMALL         NEW.
 GPG_ERR_WINDOW_TOO_LARGE         NEW.
 GPG_ERR_MISSING_ENVVAR	          NEW.
 GPG_ERR_USER_ID_EXISTS           NEW.
 GPG_ERR_NAME_EXISTS              NEW.
 GPG_ERR_DUP_NAME                 NEW.
 GPG_ERR_TOO_OLD                  NEW.
 GPG_ERR_TOO_YOUNG                NEW.
2016-11-28 12:50:19 +00:00
he
edd8403c60 Avoid in effect calling xmlCleanupThreads twice, xmlCleanupParser
has already internally called the former, and doing it twice causes
an abort internally in the pthread library in NetBSD 7.0.
Bump PKGREVISION.
2016-11-27 14:25:41 +00:00
joerg
7362f8d479 Restore explicit CPU selection based on MACHINE_ARCH, needing e.g. on
SmartOS.
2016-11-23 13:01:54 +00:00
khorben
9434aa879c Correct the name of the configuration file in nikto(1)
Bump PKGREVISION.
2016-11-18 16:58:21 +00:00
khorben
474bc8f06f Correct path to nikto.conf in nikto(1)
Bump PKGREVISION.
2016-11-18 16:51:03 +00:00
khorben
9bb6d116b8 Package nikto 2.1.5
There were many releases since the last version packaged in pkgsrc. Please
refer to nikto's documentation for an exhaustive list.
2016-11-18 16:40:19 +00:00
joerg
0b4252e525 Regen. 2016-11-17 10:23:14 +00:00
joerg
e7ac1520a3 Bump ABI version for major bump. 2016-11-11 19:49:06 +00:00
joerg
eb7702387e Update to Botan-1.10.13:
- Use constant time modular inverse algorithm to avoid possible side
  channel attack against ECDSA (CVE-2016-2849)
- Use constant time PKCS #1 unpadding to avoid possible side channel
  attack against RSA decryption (CVE-2015-7827)
2016-11-11 19:46:48 +00:00
joerg
f1eec3779c Become maintainer. 2016-11-11 19:46:05 +00:00
joerg
570bc13054 Move Solaris-specific code first, at least SmartOS doesn't support
'RLIMIT_MEMLOCK' and fails with the default mlock code.
2016-11-11 19:44:51 +00:00
joerg
dfdf58c37b Update to Botan-1.11.33:
- avoid side channel with OAEP (CVE-2016-8871)
- avoid Lucky13 timing attack against CBC-based TLS cipher
- added X25519-based key exchange for TLS
- add support for the TLS Supported Point Formats Extension from
  RFC 4492
- add support for the NewHope Ring-LWE key encapsulation algorithm
  for estimated ~200 bit security level against a quantum attacker.
- add support for TLS Encrypt-then-MAC extension
- Fix undefined behavior in Curve25519 for 32bit platforms
- bugfix for GCM when 32-bit counters overflowed
- added ChaCha20Poly1305 TLS cipher
2016-11-11 19:41:44 +00:00
fhajny
be111ee80b Update security/py-ndg_httpsclient to 0.4.2.
0.4.2
- Fix to bug in ndg.httpsclient.utils.open_url - duplicate open call.

0.4.1
- Include metadata tags to show Python 3 compatibility
2016-11-11 09:09:02 +00:00
wiz
f07fe50e20 Updated py-cryptography to 1.5.3.
1.5.3 - 2016-11-05
~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
  byte-string if used with a ``length`` less than ``algorithm.digest_size``.
  Credit to **Markus Döring** for reporting the issue.
2016-11-07 10:48:13 +00:00
he
93ad5e7f7b Update OpenDNSSEC to version 1.4.12.
Local changes (retained from earlier versions):
 * Some adaptations of the build setup (conversion scripts etc.)
 * in signer/ixfr.c, log the zone name if the soamin assertion trigers
 * in signer/zone.c, if there's a bad ixfr journal file, save it, for debug

Upstream changes:

News:

  This is a bug fix release targeting a memory leak in the signer
  when being used in the "bump in the wire" model where the signer
  would send out notify messages and respond to IXFR requests for
  the signed zone. This typically would manifest itself with very
  frequent outgoing IXFRs over a longer period of time.

  When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
  migration steps are needed. For upgrading from earlier releases
  see the migration steps in the individual releases, most notably
  in 1.4.8.2. This version of OpenDNSSEC does however require a
  slightly less older minimal version of the library ldns.

Fixes:

 * OPENDNSSEC-808: Crash on query with empty query section
   (thanks Havard Eidnes).
 * SUPPORT-191: Regression, Must accept notify without SOA (thanks
   Christos Trochalakis).
 * OPENDNSSEC-845: memory leak occuring when responding to IXFR
   out when having had multiple updates.
 * OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
   when upgrading from 1.4.8 or later.
 * OPENDNSSEC-828: parsing zone list could show data from next zone
   when zones iterated on single line.
 * OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
   static code analysis cleanup
 * OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
   section is empty.
 * OPENDNSSEC-838: Crash in signer after having removed a zone.
 * Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
 * Prevent responding to queries when not fully started yet.
2016-11-06 12:54:35 +00:00
maya
8a845c329a openssl: do not assume MIPS ABI on linux
Helps build on debian mipseb (which uses o32 abi and not n32), but build
still doesn't complete.
2016-11-02 13:10:31 +00:00
tez
2c330b3931 Need to take advantage of the logic that makes this null on non-OSX.
(distinfo already has the checksum for this corrected patch, sorry.)
2016-10-31 17:15:36 +00:00
wiz
cdff4fe8ee Updated libssh2 to 1.8.0.
Version 1.8.0 (25 Oct 2016)

Daniel Stenberg (25 Oct 2016)
- RELEASE-NOTES: adjusted for 1.8.0

Kamil Dudka (20 Oct 2016)
- Revert "aes: the init function fails when OpenSSL has AES support"

  This partially reverts commit f4f2298ef3635acd031cc2ee0e71026cdcda5864
  because it caused the compatibility code to call initialization routines
  redundantly, leading to memory leakage with OpenSSL 1.1 and broken curl
  test-suite in Fedora:

  88 bytes in 1 blocks are definitely lost in loss record 5 of 8
     at 0x4C2DB8D: malloc (vg_replace_malloc.c:299)
     by 0x72C607D: CRYPTO_zalloc (mem.c:100)
     by 0x72A2480: EVP_CIPHER_meth_new (cmeth_lib.c:18)
     by 0x4E5A550: make_ctr_evp.isra.0 (openssl.c:407)
     by 0x4E5A8E8: _libssh2_init_aes_ctr (openssl.c:471)
     by 0x4E5BB5A: libssh2_init (global.c:49)

Daniel Stenberg (19 Oct 2016)
- [Charles Collicutt brought this change]

  libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds (#134)

  Fixes #74

- [Charles Collicutt brought this change]

  Set err_msg on _libssh2_wait_socket errors (#135)

- Revert "travis: Test mbedtls too"

  This reverts commit 3e6de50a24815e72ec5597947f1831f6083b7da8.

  Travis doesn't seem to support the mbedtls-dev package

- maketgz: support "only" to only update version number locally

  and fix the date output locale

- configure: make the --with-* options override the OpenSSL default

  ... previously it would default to OpenSSL even with the --with-[crypto]
  options used unless you specificly disabled OpenSSL. Now, enabling another
  backend will automatically disable OpenSSL if the other one is found.

- [Keno Fischer brought this change]

  docs: Add documentation on new cmake/configure options

- [Keno Fischer brought this change]

  configure: Add support for building with mbedtls

- [wildart brought this change]

  travis: Test mbedtls too

- [wildart brought this change]

  crypto: add support for the mbedTLS backend

  Closes #132

- [wildart brought this change]

  cmake: Add CLEAR_MEMORY option, analogously to that for autoconf

- README.md: fix link typo

- README: markdown version to look nicer on github

Viktor Szakats (5 Sep 2016)
- [Taylor Holberton brought this change]

  openssl: add OpenSSL 1.1.0 compatibility

Daniel Stenberg (4 Sep 2016)
- [Antenore Gatta brought this change]

  tests: HAVE_NETINET_IN_H was not defined correctly (#127)

  Fixes #125

- SECURITY: fix web site typo

- SECURITY: security process

GitHub (14 Aug 2016)
- [Alexander Lamaison brought this change]

  Basic dockerised test suite.

  This introduces a test suite for libssh2. It runs OpenSSH in a Docker
  container because that works well on Windows (via docker-machine) as
  well as Linux. Presumably it works on Mac too with docker-machine, but
  I've not tested that.

  Because the test suite is docker-machine aware, you can also run it
  against a cloud provider, for more realistic network testing, by setting
  your cloud provider as your active docker machine. The Appveyor CI setup
  in this commit does that because Appveyor doesn't support docker
  locally.

Kamil Dudka (3 Aug 2016)
- [Viktor Szakats brought this change]

  misc.c: Delete unused static variables

  Closes #114

Daniel Stenberg (9 Apr 2016)
- [Will Cosgrove brought this change]

  Merge pull request #103 from willco007/patch-2

  Fix for security issue CVE-2016-0787

Alexander Lamaison (2 Apr 2016)
- [Zenju brought this change]

  Fix MSVC 14 compilation errors

  For _MSC_VER == 1900 these macros are not needed and create problems:



  1>C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1925): warning C4005: 'snprintf': macro redefinition (compiling source file libssh2-files\src\mac.c)

  1> \win32\libssh2_config.h(27): note: see previous definition of 'snprintf' (compiling source file libssh2-files\src\mac.c)

  1>C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt\stdio.h(1927): fatal error C1189: #error: Macro definition of snprintf conflicts with Standard Library function declaration (compiling source file libssh2-files\src\mac.c)

Daniel Stenberg (26 Mar 2016)
- [Brad Harder brought this change]

  _libssh2_channel_open: speeling error fixed in channel error message

Alexander Lamaison (15 Mar 2016)
- Link with crypt32.lib on Windows.

  Makes linking with static OpenSSL work again.  Although it's not
  required for dynamic OpenSSL, it does no harm.

  Fixes #98.

- [Craig A. Berry brought this change]

  Tweak VMS help file building.

  Primarily this is handling cases where top-level files moved into
  the docs/ directory.  I also corrected a typo and removed the
  claim that libssh2 is public domain.

- [Craig A. Berry brought this change]

  Build with standard stat structure on VMS.

  This gets us large file support, is available on any VMS release
  in the last decade and more, and gives stat other modern features
  such as 64-bit ino_t.

- [Craig A. Berry brought this change]

  Update vms/libssh2_config.h.

  VMS does have stdlib.h, gettimeofday(), and OpenSSL.  The latter
  is appropriate to hard-wire in the configuration because it's
  installed by default as part of the base operating system and
  there is currently no libgcrypt port.

- [Craig A. Berry brought this change]

  VMS can't use %zd for off_t format.

  %z is a C99-ism that VMS doesn't currently have; even though the
  compiler is C99-compliant, the library isn't quite.  The off_t used
  for the st_size element of the stat can be 32-bit or 64-bit, so
  detect what we've got and pick a format accordingly.

- [Craig A. Berry brought this change]

  Normalize line endings in libssh2_sftp_get_channel.3.

  Somehow it got Windows-style CRLF endings so convert to just LF,
  for consistency as well as not to confuse tools that will regard
  the \r as content (e.g. the OpenVMS help librarian).

Dan Fandrich (29 Feb 2016)
- libgcrypt: Fixed a NULL pointer dereference on OOM

Daniel Stenberg (24 Feb 2016)
- [Viktor Szakats brought this change]

  url updates, HTTP => HTTPS

  Closes #87

Dan Fandrich (23 Feb 2016)
- RELEASE-NOTES: removed some duplicated names
2016-10-31 16:18:02 +00:00
spz
1b2978d22b add a patch for CVE-2016-6318 from
https://bugzilla.redhat.com/attachment.cgi?id=1188599
2016-10-30 20:49:57 +00:00
bsiegert
e095d6272f Revbump packages depending on Go after the Go 1.7.3 update. 2016-10-29 08:59:46 +00:00
tez
66438d98b7 Update to 1.14.4 and fix build on OS X
Should resolve PR#51136
2016-10-28 20:56:14 +00:00
kamil
2f588d4a50 Update srm from 1.2.8 to 1.2.15
pkgsrc changes:
 - set LICENSE (x11)
 - add test target
 - add new NetBSD patches
 - keep INTERIX patch, not tested

Upstream changelog
==================
release 1.2.15
        fix handling of files > 2GB on Windows.
        fix handling of symlinks to files owned by root.

release 1.2.14
        fix fill() function, this fixes DoE and Gutmann modes.
        new --rcmp mode.
        use simple mode by default and not Gutmann 35 pass.

release 1.2.13
        fix handling of OsX resource forks.

release-1_2_12
        now using SVN on SourceForge.
        small updates to autotools build files.
        support Haiku operating system.
        overwrite POSIX extended attributes.
        srm has exit code != 0 if removing any file or directory failed.
        handle alternate data streams on Windows and NTFS.
        handle hard links on Windows and NTFS.

release-1_2_11
        Win32 command line wildcard expansion
        -v -v displays current write position
        SIGINFO, SIGUSR2 display current write position
        -x does not cross file system boundaries
        overwrite block devices

release-1_2_10
        Mac OsX compiles and works again
        add DoE wipe mode
        fix deletion of named pipes/fifos
        Debian fixes
        Win32 fixes

release-1_2_9
        fix deletion of 0 byte files
        fix handling of files <4096 bytes
        fix handling of files >2GiB on 32bit
        OpenBSD compat switch
        handle OsX ressource fork
        added some code from OsX port
        Win32 version
2016-10-27 19:49:44 +00:00
fhajny
fc5ecd710e Update security/vault to 0.6.2.
DEPRECATIONS/CHANGES:
- Convergent Encryption v2: New keys in transit using convergent mode will
  use a new nonce derivation mechanism rather than require the user to
  supply a nonce. While not explicitly increasing security, it minimizes the
  likelihood that a user will use the mode improperly and impact the security
  of their keys. Keys in convergent mode that were created in v0.6.1 will
  continue to work with the same mechanism (user-supplied nonce).
- etcd HA off by default: Following in the footsteps of dynamodb, the etcd
  storage backend now requires that ha_enabled be explicitly specified in
  the configuration file. The backend currently has known broken HA behavior,
  so this flag discourages use by default without explicitly enabling it. If
  you are using this functionality, when upgrading, you should set ha_enabled
  to "true" before starting the new versions of Vault.
- Default/Max lease/token TTLs are now 32 days: In previous versions of
  Vault the default was 30 days, but moving it to 32 days allows some
  operations (e.g. reauthenticating, renewing, etc.) to be performed via a
  monthly cron job.
- AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are
  no longer part of request URLs. The GET and DELETE operations are now
  moved to new endpoints (/lookup and /destroy) which consumes the input from
  the body and not the URL.
- AppRole requires at least one constraint: previously it was sufficient to
  turn off all AppRole authentication constraints (secret ID, CIDR block)
  and use the role ID only. It is now required that at least one additional
  constraint is enabled. Existing roles are unaffected, but any new roles or
  updated roles will require this.
- Reading wrapped responses from cubbyhole/response is deprecated. The
  sys/wrapping/unwrap endpoint should be used instead as it provides
  additional security, auditing, and other benefits. The ability to read
  directly will be removed in a future release.
- Request Forwarding is now on by default: in 0.6.1 this required toggling
  on, but is now enabled by default. This can be disabled via the
  "disable_clustering" parameter in Vault's config, or per-request with the
  X-Vault-No-Request-Forwarding header.
- In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2
  authentication backend to actually use the instance profile ARN. This has
  been corrected, but as a result there is a behavior change. To match using
  the instance profile ARN, a new parameter bound_iam_instance_profile_arn has
  been added. Existing roles will automatically transfer the value over to the
  correct parameter, but the next time the role is updated, the new meanings
  will take effect.

FEATURES:
- Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an
  approle can now specify a list of CIDR blocks from where the requests to
  generate secret IDs should originate from. If an approle already has CIDR
  restrictions specified, the CIDR restrictions on the secret ID should be a
  subset of those specified on the role [GH-1910]
- Initial Root Token PGP Encryption: Similar to generate-root, the root
  token created at initialization time can now be PGP encrypted [GH-1883]
- Support Chained Intermediate CAs in pki: The pki backend now allows, when
  a CA cert is being supplied as a signed root or intermediate, a trust
  chain of arbitrary length. The chain is returned as a parameter at
  certificate issue/sign time and is retrievable independently as well.
  [GH-1694]
- Response Wrapping Enhancements: There are new endpoints to look up
  response wrapped token parameters; wrap arbitrary values; rotate wrapping
  tokens; and unwrap with enhanced validation. In addition, list operations
  can now be response-wrapped. [GH-1927]
- Transit features: The transit backend now supports generating random bytes
  and SHA sums; HMACs; and signing and verification functionality using EC
  keys (P-256 curve)

IMPROVEMENTS:
- api: Return error when an invalid (as opposed to incorrect) unseal key is
  submitted, rather than ignoring it [GH-1782]
- api: Add method to call auth/token/create-orphan endpoint [GH-1834]
- api: Rekey operation now redirects from standbys to master [GH-1862]
- audit/file: Sending a SIGHUP to Vault now causes Vault to close and
  re-open the log file, making it easier to rotate audit logs [GH-1953]
- auth/aws-ec2: EC2 instances can get authenticated by presenting the
  identity document and its SHA256 RSA digest [GH-1961]
- auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a
  prefix match instead of exact match [GH-1943]
- auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to
  refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
  to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
- auth/aws-ec2: Backend generates the nonce by default and clients can
  explicitly disable reauthentication by setting empty nonce [GH-1889]
- auth/token: Added warnings if tokens and accessors are used in URLs
  [GH-1806]
- command/format: The format flag on select CLI commands takes yml as an
  alias for yaml [GH-1899]
- core: Allow the size of the read cache to be set via the config file, and
  change the default value to 1MB (from 32KB) [GH-1784]
- core: Allow single and two-character path parameters for most places
  [GH-1811]
- core: Allow list operations to be response-wrapped [GH-1814]
- core: Provide better protection against timing attacks in Shamir code
  [GH-1877]
- core: Unmounting/disabling backends no longer returns an error if the
  mount didn't exist. This is line with elsewhere in Vault's API where
  DELETE is an idempotent operation. [GH-1903]
- credential/approle: At least one constraint is required to be enabled
  while creating and updating a role [GH-1882]
- secret/cassandra: Added consistency level for use with roles [GH-1931]
- secret/mysql: SQL for revoking user can be configured on the role
  [GH-1914]
- secret/transit: Use HKDF (RFC 5869) as the key derivation function for new
  keys [GH-1812]
- secret/transit: Empty plaintext values are now allowed [GH-1874]

BUG FIXES:
- audit: Fix panic being caused by some values logging as underlying Go
  types instead of formatted strings [GH-1912]
- auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
- auth/approle: Not letting secret IDs and secret ID accessors to get logged
  in plaintext in audit logs [GH-1947]
- auth/aws-ec2: Allow authentication if the underlying host is in a bad
  state but the instance is running [GH-1884]
- auth/token: Fixed metadata getting missed out from token lookup response
  by gracefully handling token entry upgrade [GH-1924]
- cli: Don't error on newline in token file [GH-1774]
- core: Pass back content-type header for forwarded requests [GH-1791]
- core: Fix panic if the same key was given twice to generate-root [GH-1827]
- core: Fix potential deadlock on unmount/remount [GH-1793]
- physical/file: Remove empty directories from the file storage backend
  [GH-1821]
- physical/zookeeper: Remove empty directories from the zookeeper storage
  backend and add a fix to the file storage backend's logic [GH-1964]
- secret/aws: Added update operation to aws/sts path to consider ttl
  parameter [39b75c6]
- secret/aws: Mark STS secrets as non-renewable [GH-1804]
- secret/cassandra: Properly store session for re-use [GH-1802]
- secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]
2016-10-26 11:49:11 +00:00
sevan
19a2901758 Remove ap-modsecurity. 2016-10-23 02:07:33 +00:00
sevan
aef9d8c158 Drop package as it's no longer updated upstream and potentially vulnerable to several security issues.
Use security/ap-modsecurity2 instead.

ok gdt
2016-10-23 02:06:34 +00:00
kamil
5a7fd2b8c8 Stop mentioning sudo version prior 1.6 - it was over 16 years ago.
There is still ${PREFIX}/share/doc/sudo/UPGRADE with recent content.

It's not only about a sudoers file.
2016-10-21 20:50:42 +00:00
wiz
7f17c422cb Update py-certbot and py-acme to 0.9.3.
Changelog not found.
2016-10-19 13:45:54 +00:00
wiz
8046653d96 Updated py-requests-oauthlib to 0.7.0.
v0.7.0 (22 September 2016)
++++++++++++++++++++++++++

- Allowed ``OAuth2Session.request`` to take the ``client_id`` and
  ``client_secret`` parameters for the purposes of automatic token refresh,
  which may need them.

v0.6.2 (12 July 2016)
+++++++++++++++++++++

- Use ``client_id`` and ``client_secret`` for the Authorization header if
  provided.
- Allow explicit bypass of the Authorization header by setting ``auth=False``.
- Pass through the ``proxies`` kwarg when refreshing tokens.
- Miscellaneous cleanups.

v0.6.1 (19 February 2016)
+++++++++++++++++++++++++

- Fixed a bug when sending authorization in headers with no username and
  password present.
- Make sure we clear the session token before obtaining a new one.
- Some improvements to the Slack compliance fix.
- Avoid timing problems around token refresh.
- Allow passing arbitrary arguments to requests when calling
  ``fetch_request_token`` and ``fetch_access_token``.

v0.6.0 (14 December 2015)
+++++++++++++++++++++++++

- Add compliance fix for Slack.
- Add compliance fix for Mailchimp.
- ``TokenRequestDenied`` exceptions now carry the entire response, not just the
  status code.
- Pass through keyword arguments when refreshing tokens automatically.
- Send authorization in headers, not just body, to maximize compatibility.
- More getters/setters available for OAuth2 session client values.
- Allow sending custom headers when refreshing tokens, and set some defaults.
2016-10-19 13:39:33 +00:00
wiz
93a6e8645a Updated py-oauth2client to 4.0.0.
## v4.0.0

New features:
* New Django samples. (#636)
* Add support for RFC7636 PKCE. (#588)
* Release as a universal wheel. (#665)

Bug fixes:
* Fix django authorization redirect by correctly checking validity of credentials. (#651)
* Correct query loss when using parse_qsl to dict. (#622)
* Switch django models from pickle to jsonpickle. (#614)
* Support new MIDDLEWARE Django 1.10 aetting. (#623)
* Remove usage of os.environ.setdefault. (#621)
* Handle missing storage files correctly. (#576)
* Try to revoke token with POST when getting a 405. (#662)

Internal changes:
* Use transport module for GCE environment check. (#612)
* Remove __author__ lines and add contributors.md. (#627)
* Clean up imports. (#625)
* Use transport.request in tests. (#607)
* Drop unittest2 dependency (#610)
* Remove backslash line continuations. (#608)
* Use transport helpers in system tests. (#606)
* Clean up usage of HTTP mocks in tests. (#605)
* Remove all uses of MagicMock. (#598)
* Migrate test runner to pytest. (#569)
* Merge util.py and _helpers.py. (#579)
* Remove httplib2 imports from non-transport modules. (#577)

Breaking changes:
* Drop Python 3.3 support. (#603)
* Drop Python 2.6 support. (#590)
* Remove multistore_file. (#589)

## v3.0.0

* Populate `token_expiry` for GCE credentials. (#473)
* Move GCE metadata interface to a separate module. (#520)
* Populate `scopes` for GCE credentials. (#524)
* Fix Python 3.5 compatibility. (#531)
* Add `oauth2client.contrib.sqlalchemy`, a SQLAlchemy-based credential store. (#527)
* Improve error when an invalid client secret is provided. (#530)
* Add `oauth2client.contrib.multiprocess_storage`. This supersedes the functionality in `oauth2client.contrib.multistore_file`. (#504)
* Pull httplib2 usage into a separate transport module. (#559, #561)
* Refactor all django-related code into `oauth2client.contrib.django_util`. Add `DjangoORMStorage`, remove `FlowField`. (#546)
* Fix application default credentials resolution order. (#570)
* Add configurable timeout for GCE metadata server check. (#571)
* Add warnings when using deprecated `approval_prompt='force'`. (#572)
* Add deprecation warning to `oauth2client.contrib.multistore_file`. (#574)
* (Hygiene) PEP8 compliance and various style fixes (#537, #540, #552, #562)
* (Hygiene) Remove duplicated exception classes in `oauth2client.contrib.appengine`. (#533)

NOTE: The next major release of oauth2client (v4.0.0) will remove the `oauth2client.contrib.multistore_file` module.

## v2.2.0

* Added support to override `token_uri` and `revoke_uri` in `oauth2client.service_account.ServiceAccountCredentials`. (#510)
* `oauth2client.contrib.multistore_file` now handles `OSError` in addition to `IOError` because Windows may raise `OSError` where other platforms will raise `IOError`.
* `oauth2client.contrib.django_util` and `oauth2client.contrib.django_orm` have been updated to support Django 1.8 - 1.10. Versions of Django below 1.8 will not work with these modules.

## v2.1.0

* Add basic support for JWT access credentials. (#503)
* Fix `oauth2client.client.DeviceFlowInfo` to use UTC instead of the system timezone when calculating code expiration.

## v2.0.2

* Fix issue where `flask_util.UserOAuth2.required` would accept expired credentials (#452).
* Fix issue where `flask_util` would fill the session with `Flow` objects (#498).
* Fix issue with Python 3 binary strings in `Flow.step2_exchange` (#446).
* Improve test coverage to 100%.

## v2.0.1

* Making scopes optional on Google Compute Engine `AppAssertionCredentials`
  and adding a warning that GCE won't honor scopes (#419)
* Adding common `sign_blob()` to service account types and a
  `service_account_email` property. (#421)
* Improving error message in P12 factory
  `ServiceAccountCredentials.from_p12_keyfile` when pyOpenSSL is
  missing. (#424)
* Allowing default flags in `oauth2client.tools.run_flow()`
  rather than forcing users to create a dummy argparser (#426)
* Removing `oauth2client.util.dict_to_tuple_key()` from public
  interface (#429)
* Adding `oauth2client.contrib._appengine_ndb` helper module
  for `oauth2client.contrib.appengine` and moving most code that
  uses the `ndb` library into the helper (#434)
* Fix error in `django_util` sample code (#438)

## v2.0.0-post1

* Fix Google Compute Engine breakage (#411, breakage introduced in #387) that
  made it impossible to obtain access tokens
* Implement `ServiceAccountCredentials.from_p12_keyfile_buffer()`
  to allow passing a file-like object in addition to the factory
  constructor that uses a filename directly (#413)
* Implement `ServiceAccountCredentials.create_delegated()`
  to allow upgrading a credential to one that acts on behalf
  of a given subject (#420)
2016-10-19 13:02:48 +00:00
taca
2d510070c1 Update ruby-sshkit to 1.11.3.
## [1.11.3][] (2016-09-16)

  * Fix known_hosts caching to match on the entire hostlist
    [PR #364](https://github.com/capistrano/sshkit/pull/364) @byroot

## [1.11.2][] (2016-07-29)

### Bug fixes

  * Fixed a crash occurring when `Host@keys` was set to a non-Enumerable.
    @xavierholt [PR #360](https://github.com/capistrano/sshkit/pull/360)

## [1.11.1][] (2016-06-17)

### Bug fixes

  * Fixed a regression in 1.11.0 that would cause
    `ArgumentError: invalid option(s): known_hosts` in some older versions of
    net-ssh. @byroot [#357](https://github.com/capistrano/sshkit/issues/357)

## [1.11.0][] (2016-06-14)

### Bug fixes

  * Fixed colorized output alignment in Logger::Pretty. @xavierholt
    [PR #349](https://github.com/capistrano/sshkit/pull/349)
  * Fixed a bug that prevented nested `with` calls
    [#43](https://github.com/capistrano/sshkit/issues/43)

### Other changes

  * Known hosts lookup optimization is now enabled by default. @byroot

## 1.10.0 (2016-04-22)

  * You can now opt-in to caching of SSH's known_hosts file for a speed boost
    when deploying to a large fleet of servers. Refer to the
    [README](https://github.com/capistrano/sshkit/tree/v1.10.0#known-hosts-caching) for
    details. We plan to turn this on by default in a future version of SSHKit.
    [PR #330](https://github.com/capistrano/sshkit/pull/330) @byroot
  * SSHKit now explicitly closes its pooled SSH connections when Ruby exits;
    this fixes `zlib(finalizer): the stream was freed prematurely` warnings
    [PR #343](https://github.com/capistrano/sshkit/pull/343) @mattbrictson
  * Allow command map entries (`SSHKit::CommandMap#[]`) to be Procs
    [PR #310](https://github.com/capistrano/sshkit/pull/310)
    @mikz

## 1.9.0

**Refer to the 1.9.0.rc1 release notes for a full list of new features, fixes,
and potentially breaking changes since SSHKit 1.8.1.** There are no changes
since 1.9.0.rc1.

## 1.9.0.rc1

### Potentially breaking changes

  * The SSHKit DSL is no longer automatically included when you `require` it.
    **This means you  must now explicitly `include SSHKit::DSL`.**
    See [PR #219](https://github.com/capistrano/sshkit/pull/219) for details.
    @beatrichartz
  * `SSHKit::Backend::Printer#test` now always returns true
    [PR #312](https://github.com/capistrano/sshkit/pull/312) @mikz

### New features

  * `SSHKit::Formatter::Abstract` now accepts an optional Hash of options
    [PR #308](https://github.com/capistrano/sshkit/pull/308) @mattbrictson
  * Add `SSHKit::Backend.current` so that Capistrano plugin authors can refactor
    helper methods and still have easy access to the currently-executing Backend
    without having to use global variables.
  * Add `SSHKit.config.default_runner` options that allows to override default command runner.
    This option also accepts a name of the custom runner class.
  * The ConnectionPool has been rewritten in this release to be more efficient
    and have a cleaner internal API. You can still completely disable the pool
    by setting `SSHKit::Backend::Netssh.pool.idle_timeout = 0`.
    @mattbrictson @byroot [PR #328](https://github.com/capistrano/sshkit/pull/328)

### Bug fixes

  * make sure working directory for commands is properly cleared after `within` blocks
    [PR #307](https://github.com/capistrano/sshkit/pull/307)
    @steved
  * display more accurate string for commands with spaces being output in `Formatter::Pretty`
    [PR #304](https://github.com/capistrano/sshkit/pull/304)
    @steved
    [PR #319](https://github.com/capistrano/sshkit/pull/319) @mattbrictson
  * Fix a race condition experienced in JRuby that could cause multi-server
    deploys to fail. [PR #322](https://github.com/capistrano/sshkit/pull/322)
    @mattbrictson
2016-10-17 15:45:26 +00:00
taca
c0f13e6c4f Add and enable ruby-airbrussh. 2016-10-17 15:43:24 +00:00
taca
8553e3bffb Add ruby-airbrussh version 1.1.1.
A replacement log formatter for SSHKit that makes Capistrano output much
easier on the eyes. Just add Airbrussh to your Capfile and enjoy concise,
useful log output that is easy to read.
2016-10-17 15:42:35 +00:00
hans
889e7b9dd1 security/cyrus-sasl was changed to use doors on SunOS. Bump PKGREVISION. 2016-10-17 13:45:45 +00:00
fhajny
40b116f20b Update py-certbot and py-acme to 0.9.1.
No changelog available, issues closed since 0.8.1:

certbot 0.9.1
- Make --quiet reduce the logging level

certbot 0.9.0
- Allow tests to pass without dnspython
- Remove psutil dep
- Renew symlink safety
- Update Nginx redirect enhancement process to modify appropriate
  blocks
- If lineages are in an inconsistent (non-deployed) state, deploy
  them
- Restructure how Nginx parser re-finds vhosts, and disable
  creating new server blocks.
- Remove pointless question
- Tie Nginx OCSP stapling to enhancements system
- Nginx server block selection: Handle non-80/443 ports
- Include log retention count to 1000.
- Make parser.py: add_server_directives documentation consistent
  with functionality
- Fix Nginx prompt
- Make Nginx error out if no matching server block is found
- Only suggest names LE will accept
- Implement Nginx server block selection
- should_autorenew ignores symlinks
- Fixes cffi errors in Travis during oldest tests
- DNS challenge support in the manual plugin and general purpose
  --preferred-challenges flag
- Fixed hash_bucket_size detection for nginx
- Support both invalidEmail and invalidContact errors
- Removes duplication between README.rst and resources.rst
- Psutil tests
- Allow tests to run when psutil isn't available
- Tests fail on Certbot package due to missing psutil dependency
- Hide the Nginx plugin
- Add the Nginx plugin to certbot-auto
- OCSP stapling in Nginx
- Nginx plugin selection
- Add certbot-nginx to certbot-auto
- Missing links in README
- clarify invalid email error in non-interactive
- Replace '-' with '_' before filtering plugin settings
- Fix extra or lack of spacing between words in help for renew
  flags
- Fix Travis tests
- Avoid importing conflicting security policy directives
- Change log rotation scheme
- Plugins with hyphens do not receive their args during renewal
- Handle dns01 challenge into the manual plugin [see #3466]
- Enable unit tests of certbot core on Python 3
- Add os-release ID_LIKE parsing if original distribution mapping
  not found in constants
- Fix README typo
- Nginx plugin domain selection
- Fix spacing of nginx redirect blocks
- Rationalise challenge and port selection flags
- Remove psutil from requirements.txt
- prevent Github commits from modifying certbot-auto and
  letsencrypt-auto
- Gradually remove psutil dependency, bugfix [URGENT]
- psutil fails to install because hash is missing when running
  certbot-auto
- Failure to start Nginx after configuring redirect
- Prepare docs to turn off the wiki
- Certbot apache plugin fails with TypeError: 'NoneType' object
  has no attribute '__getitem__'
- Change fatal warning to a fatal message
- Fatal warnings
- Apache default default
- Deprecation fixes
- New docs structure and introduction
- Nginx charset_map and ${VARIABLE_SUBSTITUTION} parsing
- Unclear error about invalid email in non-interactive mode
- Use simple socket test for port availability if psutil not found
- Python 3 support for certonly
- Set dialog widgets to use autowidgetsize
- Errors when run without root
- Apache plugin PATH fallback
- Automatically enable EPEL after prompting users
- Multi-topic help listings
- Installer error
- Explain why Apache [appears] not to be installed
- ErrorHandler causing errors
- Update FreeBSD package name
- Comment out corresponding RewriteConds for filtered RewriteRule
- Permissive parsing of nginx map blocks
- add nginx round-trip tests to tox/travis
- Fix Unix signal handling in certbot.error_handler.ErrorHandler
- Resuming error handling functions after a signal
- Only write nginx config files if they've been modified
- If the user picks "cancel" from the Apache vhost selection menu,
  Certbot doesn't exit
- certbot removes http->https rules corrupts ruleset
- Fix typo
- Better document plugins and reversion
- Nginx parser apparently can't parse "map"
- Nginx plugin shouldn't write files it hasn't changed
- Fix Nginx reversion
- Merge Augeas fix for comment line continuations
- Remove warning about nginx options file
- Explain the most likely cause of a missing replay nonce error
- Bump pyca package versions
- Don't add wildcard listen if user has more specific
  configuration
- Remove unused nosexcover dependency
- Cleanup dev setup
- Nginx space preservation
- Set dialog widgets to use autowidgetsize
- Printing pip output to terminal when -v is used
- Log new cert and cert renewal
- Log whether renewing or obtaining a new certificate
- Added the argument --quiet and -q so then when used with a
  regular user there is no output to the screen.
- certbot-auto not quiet when used with regular user
- Adding sensible UI logging for typical user
- Replace psutils dependency
- Display DialogError details correctly
- -v implies --text
- Fix FQDN checks, closes #3057 and #3056
- Bug in FQDN detection: installer wrongly interprets _
- Installer thinks bare TLD is not a valid FQDN
- Limiting tox envlist to really needed tests
- trouble with Listen directives in CentOS 7 / ssl.conf
- Remove dangling footnote
- certbot-apache fails to parse files with comma in the filename
- pip and verbosity
- Dialog error messages
- NcursesDisplay.menu: treat ESC as cancel
- More useful error when running as non-root?
- -v should imply --text
- Update tox/instructions
- Error that results when run without root is unclear
- Enable EPEL in RPM bootstrapper
- Add dns-01 challenge support to the ACME client
- Apache plugin fails to parse OWASP's ModSecurity ruleset
- Audit nginx plugin for guaranteed config reversion in case of
  error
- NoInstallationError() from Apache plugin within renewal cron
  jobs due to /usr/sbin not being in the PATH
- nginx http redirect
- "No installers" error message not clear
- HelpfulArgumentParser should know about flags that are relevant
  to several topics
- Nginx configurator should preserve whitespace on output
- server blocks added to nginx.conf
- Nginx fails if ssl_session_cache already defined
- nginx leaves dirty/modified config files
- Sensible UI logging for typical user
- nginx plugin issue with server block containing multiple
  servernames
2016-10-11 09:23:35 +00:00
kamil
03304e5855 Add missing dependency: devel/argp
This fixes build on NetBSD-7.99.39 with pkgsrc-current from 2016-10-09.

Bump PKGREVISION to 2.
2016-10-09 22:02:07 +00:00
wiz
982c8f22e9 Recursive bump for all users of pgsql now that the default is 95. 2016-10-09 21:41:55 +00:00
wiz
fc6442def3 Updated caff to 2.5.
Mostly documentation fixes.
2016-10-09 20:57:05 +00:00
wiz
60ae1ad255 Mark as BROKEN 2016-10-09 19:50:01 +00:00
taca
ec7f820351 Update pear-Crypt_GPG to 1.4.3.
Changelog:

This release fixes following bugs:

* Fix Bug #21121: Searching for keys with pattern containing non-ascii
  characters.
* Fix Bug #21119: Parsing of user identifier without name.
* Added POSIX method to isRunning() consistent with terminate().
2016-10-09 12:30:30 +00:00
ryoon
1018597813 Update to 1.7.3
Changelog:
Bug

    [SANTUARIO-378] - xml-security-c cannot initialise on a Windows system with mandatory user profiles
    [SANTUARIO-380] - Avoid use of PATH_MAX where possible
    [SANTUARIO-381] - Spelling error in xsec/enc/OpenSSL/OpenSSLCryptoSymmetricKey.cpp
    [SANTUARIO-384] - OpenSSLCryptoKeyEC::signBase64SignatureDSA fails most of time
    [SANTUARIO-400] - Buffer overwrite in WinCAPICryptoSymmetricKey::encrypt() (WinCAPICryptoSymmetricKey.cpp)
    [SANTUARIO-409] - Win32 unicode build breaks due to wchar_t * passed to GetProcAddress()
    [SANTUARIO-426] - xml-security-c-1.7.3 not getting build on AIX with xerces-c-3.1.2

Improvement

    [SANTUARIO-386] - Spec file patch to add RHEL7 support
2016-10-09 03:17:18 +00:00
adam
3b88bd43a5 Revbump post boost update 2016-10-07 18:25:29 +00:00
wiz
fb91a07281 Updated p5-Module-Signature to 0.81.
No changelog found.
2016-10-05 06:38:41 +00:00
wiz
4e062c499f Updated libressl to 2.5.0.
2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" ssl2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fix incorrect results in certain cases on 64-bit systems when
	  BN_mod_word() can return incorrect results. BN_mod_word() now can
	  return an error condition. Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702

	* Fixed undefined behavior in BN_GF2m_mod_arr()

	* Removed unused Cryptographic Message Support (CMS)

	* More conversions of long long idioms to time_t

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

2.4.2 - Bug fixes and improvements

	* Fixed loading default certificate locations with openssl s_client.

	* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
	  RFC6960. Also added fixes for OCSP to work with intermediate
	  certificates provided in responses.

	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too
	  large, thanks to Brian Smith from BoringSSL.

	* Correctly handle an EOF prior to completing the TLS handshake in
	  libtls.

	* Improved libtls ceritificate loading and cipher string validation.

	* Updated libtls cipher group suites into four categories:
	    "secure"   (TLSv1.2+AEAD+PFS)
	    "compat"   (HIGH:!aNULL)
	    "legacy"   (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)
	  This allows for flexibility and finer grained control, rather than
	  having two extremes.

	* Limited support for 'backward compatible' SSLv2 handshake packets to
	  when TLS 1.0 is enabled, providing more restricted compatibility
	  with TLS 1.0 clients.

	* openssl(1) and other documentation improvements.

	* Removed flags for disabling constant-time operations.
	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
	  all of these operations unconditionally constant-time.


2.4.1 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida.

2.4.0 - Build improvements, new features

	* Many improvements to the CMake build infrastructure, including
	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
	  Inoguchi for this work.

	* Added missing error handling around bn_wexpand() calls.

	* Added explicit_bzero calls for freed ASN.1 objects.

	* Fixed X509_*set_object functions to return 0 on allocation failure.

	* Implemented the IETF ChaCha20-Poly1305 cipher suites.

	* Changed default EVP_aead_chacha20_poly1305() implementation to the
	  IETF version, which is now the default.

	* Fixed password prompts from openssl(1) to properly handle ^C.

	* Reworked error handling in libtls so that configuration errors are
	  visible.

	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

	* Manpage fixes and updates
2016-10-04 11:39:23 +00:00
wiz
4ffe995993 Updated nettle to 3.3.
NEWS for the Nettle 3.3 release

	This release fixes a couple of bugs, and improves resistance
	to side-channel attacks on RSA and DSA private key operations.

	Changes in behavoir:

	* Invalid private RSA keys, with an even modulo, are now
	  rejected by rsa_private_key_prepare. (Earlier versions
	  allowed such keys, even if results of using them were bogus).

	  Nettle applications are required to call
	  rsa_private_key_prepare and check the return value, before
	  using any other RSA private key functions; failing to do so
	  may result in crashes for invalid private keys. As a
	  workaround for versions of Gnutls which don't use
	  rsa_private_key_prepare, additional checks for even moduli
	  are added to the rsa_*_tr functions which are used by all
	  recent versions of Gnutls.

	* Ignore bit 255 of the x coordinate of the input point to
	  curve25519_mul, as required by RFC 7748. To differentiate at
	  compile time, curve25519.h defines the constant
	  NETTLE_CURVE25519_RFC7748.

	Security:

	* RSA and DSA now use side-channel silent modular
	  exponentiation, to defend against attacks on the private key
	  from evil processes sharing the same processor cache. This
	  attack scenario is of particular relevance when running an
	  HTTPS server on a virtual machine, where you don't know who
	  you share the cache hardware with.

	  (Private key operations on elliptic curves were already
	  side-channel silent).

	Bug fixes:

	* Fix sexp-conv crashes on invalid input. Reported by Hanno
	  Böck.

	* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
	  Mavrogiannopoulos.

	* Fix a couple of formally undefined shift operations,
	  reported by Nikos Mavrogiannopoulos.

	* Fix compilation with c89. Reported by Henrik Grubbström.

	New features:

	* New function memeql_sec, for side-channel silent comparison
	  of two memory areas.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 5.0 or later (unless --enable-mini-gmp is used).

	* Filenames of windows DLL libraries now include major number
	  only. So the dll names change at the same time as the
	  corresponding soname on ELF platforms. Fixed by Nikos
	  Mavrogiannopoulos.

	* Eliminate most pointer-signedness warnings. In the process,
	  the strings representing expression type for sexp_interator
	  functions were changed from const uint8_t * to const char *.
	  These functions are undocumented, and it doesn't change the
	  ABI on any platform I'm aware of.

	The shared library names are libnettle.so.6.3 and
	libhogweed.so.4.3, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.
2016-10-03 12:28:19 +00:00
wiz
2ea9b05c83 Remove some dead code, python-3.3 is no more. 2016-10-03 12:25:36 +00:00
wiz
837a68bdec Updated py-cryptography to 1.5.2.
1.5.2 - 2016-09-26
~~~~~~~~~~~~~~~~~~

* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j.
2016-10-03 12:21:16 +00:00
wiz
a7cddc437b Remove incorrect comment and resulting weird license.
idea and mdc2 patents expired, so enable them by default.
rc5 looks like it might be expired as well, but I didn't find
anything relevant on that topic, so I left it alone.

Bump PKGREVISION.
2016-10-03 11:55:11 +00:00
wiz
1cdb494d03 idea patent has expired, so set LICENSE to something more useful. 2016-10-03 08:15:50 +00:00