tlswrapper is a TLS encryption wrapper between a remote client and a local
program prog. systemd.socket/inetd/tcpserver/... creates the server
connection; tlswrapper encrypts/decrypts the data stream and reads/writes
data from/to the program prog as follows:
Internet <--> systemd.socket/inetd/tcpserver/... <--> tlswrapper <--> prog
By running a separate instance of tlswrapper for each TLS connection, a
vulnerability in the code (e.g. a bug in the TLS library) can't be used to
compromise the memory of another connection.
To protect against secret-information leaks to the network connection
(such as Heartbleed) tlswrapper runs two independent processes for every
TLS connection. One process holds the secret keys and runs the secret-key
operations; the second talks to the network. The processes communicate with
each other through UNIX pipes.
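The two-process split described above, as an added example in Python (this is not tlswrapper's code, which is C and drives a real TLS library). A forked child generates the key after fork() and answers sign/verify requests over a pair of pipes; the parent, standing in for the network-facing process, never holds the key, so a memory-disclosure bug on the network side cannot leak it. HMAC-SHA256 stands in for the private-key operations, and the 5-byte request framing and opcodes are assumptions of this example only.

```python
import hashlib
import hmac
import os
import secrets
import struct

# Framing assumed for this example: request = 5-byte header (opcode, body
# length) + body; reply = 4-byte length + body. Opcodes are ours, not tlswrapper's.
OP_SIGN = 1
OP_VERIFY = 2
TAG_LEN = 32  # HMAC-SHA256 output size


def _read_exact(fd, n):
    """Read exactly n bytes from fd; return b'' if the peer closed the pipe."""
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def _write_all(fd, data):
    while data:  # os.write on a pipe may be partial for large payloads
        data = data[os.write(fd, data):]


def _keyholder_loop(req_r, resp_w):
    """Key-holding process. The key is created here, after fork(), so it never
    exists in the address space of the network-facing parent."""
    key = secrets.token_bytes(32)
    while True:
        hdr = _read_exact(req_r, 5)
        if not hdr:
            return  # parent closed the request pipe: shut down
        op, n = struct.unpack("!BI", hdr)
        body = _read_exact(req_r, n)
        if op == OP_SIGN:
            reply = hmac.new(key, body, hashlib.sha256).digest()
        elif op == OP_VERIFY and len(body) >= TAG_LEN:
            msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
            expected = hmac.new(key, msg, hashlib.sha256).digest()
            reply = b"\x01" if hmac.compare_digest(expected, tag) else b"\x00"
        else:
            reply = b""  # unknown opcode or malformed body: refuse, don't crash
        _write_all(resp_w, struct.pack("!I", len(reply)) + reply)


class KeyHolder:
    """Network-side handle: the forked child owns the key; we own two pipe ends."""

    def __init__(self):
        req_r, req_w = os.pipe()
        resp_r, resp_w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: keep only its ends of the pipes
            os.close(req_w)
            os.close(resp_r)
            try:
                _keyholder_loop(req_r, resp_w)
            finally:
                os._exit(0)
        os.close(req_r)  # parent: drop the child's ends
        os.close(resp_w)
        self.pid, self.req_w, self.resp_r = pid, req_w, resp_r

    def _call(self, op, body):
        _write_all(self.req_w, struct.pack("!BI", op, len(body)) + body)
        (n,) = struct.unpack("!I", _read_exact(self.resp_r, 4))
        return _read_exact(self.resp_r, n)

    def sign(self, msg):
        return self._call(OP_SIGN, msg)

    def verify(self, msg, tag):
        return self._call(OP_VERIFY, msg + tag) == b"\x01"

    def close(self):
        os.close(self.req_w)  # EOF on the request pipe ends the child's loop
        os.close(self.resp_r)
        os.waitpid(self.pid, 0)


def demo():
    """Constructed sample: sign a record, verify it, then verify a tampered copy."""
    record = b"constructed sample TLS record"
    kh = KeyHolder()
    try:
        tag = kh.sign(record)
        return kh.verify(record, tag), kh.verify(record + b"!", tag)
    finally:
        kh.close()


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the shape: only opaque requests and replies cross the pipe, the key-holder refuses rather than crashes on malformed input, and closing the request pipe is the only control the network side has over the key process. The same structure holds when the key-holder side is a real TLS private key and the operations are the handshake's signature or decryption.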
Use "ld -shared" rather than "ld --shared". The former allows cwrappers to
detect shared lib link mode. This makes it omit "-pie" which would remove
required symbols.
share/zoneminder/htdocs/ajax/stream.php.
Because all the PHP extensions self-enable in this decade, there's no need
to configure php-sockets. The same is also true of all the other
extensions, so just remove those unnecessary instructions from MESSAGE.
Bump PKGREVISION to 7 and bump year to 2022 (NZDT).
Changes since v5.0.0:
wolfSSL Release 5.1.0 (Dec 27, 2021)
Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities
* [Low] Potential for DoS attack on a wolfSSL client due to processing hello
packets of the incorrect side. This affects only connections using TLS v1.2
or less that have also been compromised by a man in the middle
attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam
L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU
Leuven, ENS Rennes) for the report.
* [Low] Client side session resumption issue once the session resumption cache
has been filled up. Hijacking of a session resumption has so far been
demonstrated only with non-verified peer connections, that is, where the
client is not verifying the CA of the server it is connecting to. There is
the potential, though, for other cases involving proxies that are verifying
the server to be at risk. If using wolfSSL in a case involving proxies, use
wolfSSL_get1_session and then wolfSSL_SESSION_free when done where
possible. If not adding the session get/free function calls, we recommend
that users of wolfSSL that are resuming sessions update to the latest
version (wolfSSL version 5.1.0 or later). Thanks to the UK's National Cyber
Security Centre (NCSC) for the report.
New Feature Additions
Ports
* Curve25519 support with NXP SE050 added
* Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
* Renesas TSIP 1.14 support for RX65N/RX72N
Post Quantum
* Post quantum resistant algorithms used with Apache port
* NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
* FALCON added to the benchmarking application
* Testing of cURL with wolfSSL post quantum resistant build
Compatibility Layer Additions
* Updated NGINX port to NGINX version 1.21.4
* Updated Apache port to Apache version 2.4.51
* Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
* Support added for the functions
- SSL_CTX_get_max_early_data
- SSL_CTX_set_max_early_data
- SSL_set_max_early_data
- SSL_get_max_early_data
- SSL_CTX_clear_mode
- SSL_CONF_cmd_value_type
- SSL_read_early_data
- SSL_write_early_data
Misc.
* Crypto callback support for AES-CCM added. A callback function can be
registered and used instead of the default AES-CCM implementation in
wolfSSL.
* Added AES-OFB to the FIPS boundary for future FIPS validations.
* Add support for custom OIDs used with CSR (certificate signing request)
generation using the macro WOLFSSL_CUSTOM_OID
* Added HKDF extract callback function for use with TLS 1.3
* Add variant from RFC6979 of deterministic ECC signing that can be enabled
using the macro WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
* Added the function wc_GetPubKeyDerFromCert to get the public key from a
DecodedCert structure
* Added the functions wc_InitDecodedCert, wc_ParseCert and wc_FreeDecodedCert
for access to decoding a certificate into a DecodedCert structure
* Added the macro WOLFSSL_ECC_NO_SMALL_STACK for hybrid builds where the
numerous malloc/free with ECC is undesired but small stack use is desired
throughout the rest of the library
* Added the function wc_d2i_PKCS12_fp for reading a PKCS12 file and parsing it
Fixes
PORT Fixes
* Building with Android wpa_supplicant and KeyStore
* Setting initial value of CA certificate with TSIP enabled
* Cryptocell ECC build fix and fix with RSA disabled
* IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and
fixes for retrieving the public key after key generation
Math Library Fixes
* Check return values on TFM library montgomery function in case the system
runs out of memory. This resolves an edge case of invalid ECC signatures
being created.
* SP math library sanity check on size of values passed to sp_gcd.
* SP math library sanity check on exponentiation by 0 with mod_exp
* Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
* TFM math library with Intel MULX multiply fix for carry in assembly code
Misc.
* Fix for potential heap buffer overflow with compatibility layer PEM parsing
* Fix for edge memory leak case with an error encountered during TLS
resumption
* Fix for length on inner sequence created with wc_DhKeyToDer when handling
small DH keys
* Fix for sanity check on input argument to DSA sign and verify
* Fix for setting of the return value with ASN1 integer get on an i386 device
* Fix for BER to DER size checks with PKCS7 decryption
* Fix for memory leak with PrintPubKeyEC function in compatibility layer
* Edge case with deterministic ECC key generation when the private key has
leading 0’s
* Fix for build with OPENSSL_EXTRA and NO_WOLFSSL_STUB both defined
* Use page aligned memory with ECDSA signing and KCAPI
* Skip expired sessions for TLS 1.3 rather than turning off the resume
behavior
* Fix for DTLS handling dropped or retransmitted messages
Improvements/Optimizations
Build Options and Warnings
* Bugfix: could not build with liboqs and without DH enabled
* Build with macro NO_ECC_KEY_EXPORT fixed
* Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is
enabled
* Building with wolfSentry and HAVE_EX_DATA macro set
Math Libraries
* Improvement for performance with SP C implementation of montgomery reduction
for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
* With SP math handle case of dividing by length of dividend
* SP math improvement for lo/hi register names to be used with older GCC
compilers
Misc.
* ASN name constraints checking code refactor for better efficiency and
readability
* Refactor of compatibility layer stack free’ing calls to simplify and reduce
code
* Scrubbed code for trailing spaces, hard tabs, and any control characters
* Explicit check that leaf certificate's public key type match cipher suite
signature algorithm
* Additional NULL sanity checks on WOLFSSL struct internally and improve
switch statement fallthrough
* Retain OCSP error value when CRL is enabled with certificate parsing
* Update to NATIVE LwIP support for TCP use
* Sanity check on PEM size when parsing a PEM with OpenSSL compatibility layer
API.
* SWIG wrapper was removed from the codebase in favor of dedicated Java and
Python wrappers.
* Updates to bundled example client for when to load the CA, handling print
out of IP alt names, and printing out the peers certificate in PEM format
* Handling BER encoded inner content type with PKCS7 verify
* Checking for SOCKET_EPIPE errors from low level socket
* Improvements to cleanup in the case that wolfSSL_Init fails
* Update test and example certificates expiration dates
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
Changed
Allow showing options menu for empty keyrings
Update the edition of Rust to 2021
Copy Cargo.lock into docker build stage for caching
Bump the Rust version in Dockerfile
Use ubuntu-20.04 runner for workflows
Specify the toolchain explicitly for crates.io releases
Install Rust toolchain for audit job
Apply clippy::format_in_format_args suggestion
Apply clippy::single_char_pattern suggestion
Fixed
Fix config file extension in README.md
Use references for OS command arguments
Fix the Rust profile specification in audit workflow
Packaging: While this is 3.2.8 in distfile and upstream announcements,
it is sort of 3.2.2.1 in unpack dir and shlib versions.
This is a security release fixing a buffer overflow. While upstream
has a changes file, there are no entries for anything beyond 3.2.8,
and the changes are thus expected to be only security fixes as
described at:
https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk
Version 4.8
- Switch to [Poetry](https://python-poetry.org/) for dependency and release management.
- Compatibility with Python 3.10.
- Chain exceptions using `raise new_exception from old_exception`
- Added marker file for PEP 561. This will allow type checking tools in dependent projects
to use type annotations from Python-RSA
- Use the Chinese Remainder Theorem when decrypting with a private key. This
makes decryption 2-4x faster
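The Chinese Remainder Theorem speedup noted above, as an added example (not Python-RSA's own code): plain and CRT decryption side by side on a toy key with fixed Mersenne primes, plus two things the changelog entry does not mention but any CRT implementation needs to be aware of: a re-encryption check before the result is released, and a function showing why it matters (one corrupted half-exponentiation lets an attacker factor N from a single faulty output, the Boneh, DeMillo and Lipton fault attack). The primes, key size, exponent and unpadded arithmetic are choices for this example only.

```python
import math
import time

# Toy key with fixed Mersenne primes so the example is deterministic and runs
# offline; these sizes are far too small for real use. No padding is applied:
# this shows the arithmetic only (Python-RSA itself applies PKCS#1 padding).
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)      # private exponent (modular inverse, Python 3.8+)
DP = D % (P - 1)         # CRT exponents and coefficient, as stored in PKCS#1 keys
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def encrypt_int(m):
    return pow(m, E, N)


def decrypt_plain(c):
    """Textbook decryption: one exponentiation with the full-size exponent d."""
    return pow(c, D, N)


def _crt_combine(m1, m2):
    """Garner's recombination of (m mod p, m mod q) into m mod n."""
    h = (QINV * (m1 - m2)) % P
    return m2 + h * Q


def decrypt_crt(c):
    """CRT decryption: two half-size exponentiations, then recombine."""
    m1 = pow(c % P, DP, P)
    m2 = pow(c % Q, DQ, Q)
    m = _crt_combine(m1, m2)
    # Fault-attack guard: a single corrupted half lets an attacker factor N
    # from the wrong output (see factor_from_faulty_crt), so refuse to return
    # anything that does not re-encrypt to the input ciphertext.
    if pow(m, E, N) != c:
        raise ValueError("CRT result failed re-encryption check")
    return m


def factor_from_faulty_crt(c):
    """Why the guard matters: simulate one bit flip in the mod-p half; the
    faulty output plus the public key alone reveal a factor of N."""
    m1_bad = pow(c % P, DP, P) ^ 1
    m2 = pow(c % Q, DQ, Q)
    m_bad = _crt_combine(m1_bad, m2)    # what an unguarded decryptor would emit
    # m_bad is correct mod q but wrong mod p, so m_bad^e - c is divisible by q only.
    return math.gcd(pow(m_bad, E, N) - c, N)


def speedup(trials=200):
    """Wall-clock ratio plain/CRT for the toy key; the value depends on the machine."""
    c = encrypt_int(123456789)
    t0 = time.perf_counter()
    for _ in range(trials):
        decrypt_plain(c)
    t1 = time.perf_counter()
    for _ in range(trials):
        decrypt_crt(c)
    t2 = time.perf_counter()
    return (t1 - t0) / (t2 - t1)


if __name__ == "__main__":
    m = int.from_bytes(b"attack at dawn", "big")
    c = encrypt_int(m)
    print(decrypt_crt(c) == m, factor_from_faulty_crt(c) == Q, round(speedup(), 1))
```

The re-encryption check costs one public-exponent exponentiation, which is cheap next to the private one, and is the standard countermeasure in libraries that ship CRT decryption; when a fault is injected the library should fail closed rather than emit the result.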
Add ruby-vault package version 0.16.0 required by newer ruby-chef.
Vault Ruby Client
Vault is the official Ruby client for interacting with Vault:
https://vaultproject.io by HashiCorp.
0.1.18 (2021-09-29)
* Land #16, Make the synchronization functions public
0.1.19 (2021-11-15)
* Land #17, Add the stopwatch function
0.1.20 (2021-11-16)
* Merge pull request #18 from zeroSteiner/feat/stopwatch/elapsed_seconds
Refactor into a Stopwatch module
2.0.61 (2021-11-29)
* Land #510, honour the pty flag
2.0.62 (2021-12-07)
* resolve_host should return NULL on failure
* Land #513, fix php stdapi loading on php 5.3.29
2.0.63 (2021-12-08)
* Land #514, fix python exception when closing channels
2.0.64 (2021-12-08)
* Fix#512, fix python cmd_exec argument list during
PROCESS_EXECUTE_FLAG_SUBSHELL
* Land #515, Fix#512, fix python cmd_exec argv
2.0.65 (2021-12-08)
* Return an empty stat buf when stat fails
* Land #511, fix stderr output in python channels
2.0.66 (2021-12-09)
* Land #516, fix python stat on inaccessible directory
* Land #517, fix php stat on inaccessible directory
LuaSec 1.0.2
---------------
This version includes:
* Fix handle SSL_send SYSCALL error without errno
* Fix off by one in cert:validat(notafter)
* Fix meth_get_{sinagure => signature}_name function name
* Fix update the Lua state reference on the selected SSL context after SNI
* Fix ignore SSL_OP_BIT(n) macro and update option.c
Certbot 1.22.0
Added
Support for Python 3.10 was added to Certbot and all of its components.
The function certbot.util.parse_loose_version was added to parse version
strings in the same way as the now deprecated distutils.version.LooseVersion
class from the Python standard library.
Added --issuance-timeout. This option specifies how long (in seconds) Certbot will wait
for the server to issue a certificate.
Changed
The function certbot.util.get_strict_version was deprecated and will be
removed in a future release.
Fixed
Fixed an issue on Windows where the web.config created by Certbot would sometimes
conflict with preexisting configurations.
Fixed an issue on Windows where the webroot plugin would crash when multiple domains
had the same webroot. This affected Certbot 1.21.0.
## [1.1.0]
### Added
* CLI: The `--path <PATH>` flag has been added, allowing users to limit
dependency discovery to one or more paths (specified separately)
when `pip-audit` is invoked in environment mode
([#148](https://github.com/trailofbits/pip-audit/pull/148))
* CLI: The `pip-audit` CLI can now be accessed through `python -m pip_audit`.
All functionality is identical to the functionality provided by the
`pip-audit` entrypoint
([#173](https://github.com/trailofbits/pip-audit/pull/173))
* CLI: The `--verbose` flag has been added, allowing users to receive
more verbose output from `pip-audit`. Supplying the `--verbose` flag
overrides the `PIP_AUDIT_LOGLEVEL` environment variable and is equivalent to
setting it to `debug`
([#185](https://github.com/trailofbits/pip-audit/pull/185))
### Changed
* CLI: `pip-audit` now clears its spinner bar from the terminal upon
completion, preventing visual confusion
([#174](https://github.com/trailofbits/pip-audit/pull/174))
### Fixed
* Dependency sources: a crash caused by `platform.python_version` returning
a version string that couldn't be parsed as a PEP-440 version was fixed
([#175](https://github.com/trailofbits/pip-audit/pull/175))
* Dependency sources: a crash caused by incorrect assumptions about
the structure of source distributions was fixed
([#166](https://github.com/trailofbits/pip-audit/pull/166))
* Vulnerability sources: a performance issue on Windows caused by cache failures
was fixed ([#178](https://github.com/trailofbits/pip-audit/pull/178))
## [1.0.1] - 2021-12-02
### Fixed
* CLI: The `--desc` flag no longer requires a following argument. If passed
as a bare option, `--desc` is equivalent to `--desc on`
([#153](https://github.com/trailofbits/pip-audit/pull/153))
* Dependency resolution: The PyPI-based dependency resolver no longer throws
an uncaught exception on package resolution errors; instead, the package
is marked as skipped and an appropriate warning or fatal error (in
`--strict` mode) is produced
([#162](https://github.com/trailofbits/pip-audit/pull/162))
* CLI: When providing the `--cache-dir` flag, the command to read the pip cache
directory is no longer executed. Previously this was always executed and
could result into failure when the command fails. In CI environments, the
default `~/.cache` directory is typically not writable by the build user and
this meant that the `python -m pip cache dir` would fail before this fix,
even if the `--cache-dir` flag was provided.
([#161](https://github.com/trailofbits/pip-audit/pull/161))
## [1.0.0] - 2021-12-01
### Added
* This is the first stable release of `pip-audit`! The CLI is considered
stable from this point on, and all changes will comply with
[Semantic Versioning](https://semver.org/)
## [0.0.9] - 2021-12-01
### Added
* CLI: Skipped dependencies are now listed in the output of `pip-audit`,
for supporting output formats
([#145](https://github.com/trailofbits/pip-audit/pull/145))
* CLI: `pip-audit` now supports a "strict" mode (enabled with `-S` or
`--strict`) that fails the audit if any individual dependency cannot be
resolved or audited. The default behavior is still to skip any individual
dependency errors ([#146](https://github.com/trailofbits/pip-audit/pull/146))
This CycloneDX module for Python can generate valid CycloneDX
bill-of-material document containing an aggregate of all project
dependencies.
This module is not designed for standalone use.
This project provides a runnable Python-based application for
generating CycloneDX bill-of-material documents from either:
* Your current Python Environment
* Your project's manifest (e.g. Pipfile.lock, poetry.lock or
requirements.txt)
* Conda as a Package Manager
The BOM will contain an aggregate of all your current project's
dependencies, or those defined by the manifest you supply.
CycloneDX is a lightweight BOM specification that is easily created,
human-readable, and simple to parse.
-editmode=keep now default if no other mode is specified
-only include files in includedir if they do not start with .
-trimmed error when unable to communicate with syslog
3.12.0
New features
ECC keys in the SEC1 format can be exported and imported.
Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP-800 185).
Add support for KangarooTwelve.
Resolved issues
An asymmetric key could not be imported as a memoryview.
cSHAKE128/256 generated a wrong output for customization strings longer than 255 bytes.
CBC decryption generated the wrong plaintext when the input and the output were the same buffer.