ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
Fixes:
* [stability] prevent race condition - no ban if filter (backend) is continuously busy if
too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660)
* pyinotify-backend sporadically avoided initial scanning of log-file by start
* python 3.9 compatibility (and Travis CI support)
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
* manual ban is written to database, so can be restored by restart (gh-2647)
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
per jail or in default section in jail.local), closes gh-2357
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686)
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
so would bother the action interpolation
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
with `jq`, gh-2140, gh-2656)
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763)
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh-2821)
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh-2836)
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
should be interpolated in definition section (inside the filter-config, gh-2650)
* `filter.d/dovecot.conf`:
- add managesieve and submission support (gh-2795);
- accept messages with more verbose logging (gh-2573);
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697)
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
the match of username differently (gh-2693):
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh-2749)
New Features and Enhancements:
* fail2ban-regex:
- speedup formatted output (bypass unneeded stats creation)
- extended with prefregex statistic
- more informative output for `datepattern` (e. g. set from filter) - pattern : description
* parsing of action in jail-configs considers space between action-names as separator also
(previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
* new filter and jail for GitLab recognizing failed application logins (gh-2689)
* new filter and jail for Grafana recognizing failed application logins (gh-2855)
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631)
* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778)
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
* datetemplate: improved anchor detection for capturing groups `(^...)`;
* datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
as well as some warnings signaling user about invalid pattern or zone (gh-2814):
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
bypass of failure (previously exceeding `findtime`);
- better interaction with non-matching optional datepattern or invalid timestamps;
- implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
whereas filter will use now as timestamp (gh-2802)
* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh-2755)
- Minisign can be compiled with Zig instead of cmake+make+a C toolchain
- Minimal VERIFY_ONLY versions can be built again
- Prehashing is now enabled by default, regardless of the input size. Support
for non-prehashed signatures will eventually be removed
- Legacy signatures can be rejected with the addition of the -H flag
Release 5.0.1
CHANGELOG
* Set interpreter to 'python3', so running `./acme-tiny.py --help` will use python3 by default
NOTE: You can still run using python 2 by running `python acme-tiny.py --help`
Release v1.7.2: George (Patch 2)
Fix broken symlink in GitHub release asset
Add wheels for macOS - both x86_64 and arm64
Fix distutil deprecation on Python 3.10 by using setuptools instead
Release v1.7.0: George
Support for running tests against Heimdal in CI
Add Kerberos specific GSS-API Extensions
Tidy up docs and turn warnings into errors
Support DCE IOV functions on macOS
2.8.0 2021-10-09
[Feature] Add a prefetch keyword argument to SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP prefetching are able to conditionally turn it off. Thanks to Github user @h3ll0r for the PR.
[Bug] Newer server-side key exchange algorithms not intended to use SHA1 (diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly using SHA1 after all, due to a bug causing them to ignore the hash_algo class attribute. This has been corrected. Big thanks to @miverson for the report and to Benno Rice for the patch.
[Support] Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and testing.
[Support]: Administrivia overhaul, including but not limited to:
Migrate CI to CircleCI
Primary dev branch is now main (renamed)
Many README edits for clarity, modernization etc; including a bunch more (and consistent) status badges & unification with main project site index
PyPI page much more fleshed out (long_description is now filled in with the README; sidebar links expanded; etc)
flake8, pytest configs split out of setup.cfg into their own files
Invoke/invocations (used by maintainers/contributors) upgraded to modern versions
[0.8.1] - 2021-10-10
Added:
-Support changing the default file explorer
Changed:
-Include the manpage of configuration file in binary releases
-Allow dead code for event handler fields
-Apply clippy::needless_lifetimes suggestion
-Improve the Docker build and push workflow
-Merge the build and test steps in CI workflow
-Disable the terminal buffer check temporarily
-Disable the gpg info renderer test
-Bump dependencies
Fixed:
-Use implicit reference for state module tests
-Use a fixed line width for renderer tests
Removed:
-Remove the hardcoded last character from renderer tests
1.20.0
Added
* Added `--no-reuse-key`. This remains the default behavior, but the flag may be
useful to unset the `--reuse-key` option on existing certificates.
Fixed
* The certbot-dns-rfc2136 plugin in Certbot 1.19.0 inadvertently had an implicit
dependency on `dnspython>=2.0`. This has been relaxed to `dnspython>=1.15.0`.
3.11.0
Resolved issues
Especially for very small bit sizes, Crypto.Util.number.getPrime() was occasionally generating primes larger than given the bit size.
Correct typing annotations for PKCS115_Cipher.decrypt().
decrypt() method of a PKCS#1v1.5 cipher returned a bytearray instead of bytes.
External DSA domain parameters were accepted even when the modulus (p) was not prime. This affected Crypto.PublicKey.DSA.generate() and Crypto.PublicKey.DSA.construct().
Noteworthy changes in version 2.2.31 (2021-09-15)
-------------------------------------------------
* agent: Fix a regression in GET_PASSPHRASE.
* scd: Fix an assertion failure in close_pcsc_reader.
* scd: Add support for PC/SC in "GETINFO reader_list".
Noteworthy changes in version 2.2.30 (2021-08-26)
-------------------------------------------------
* gpg: Extended gpg-check-pattern to support accept rules,
conjunctions, and case-sensitive matching.
* agent: New option --pinentry-formatted-passphrase.
* agent: New option --check-sym-passphrase-pattern.
* agent: Use the sysconfdir for the pattern files.
* agent: Add "checkpin" inquiry for use by pinentry.
* wkd: Fix client issue with leading or trailing spaces in
user-ids.
* Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
* Under Windows use LOCAL_APPDATA for the socket directory.
Noteworthy changes in version 2.2.29 (2021-07-04)
-------------------------------------------------
* Fix regression in 2.2.28 for Yubikey NEO.
* Change the default keyserver to keyserver.ubuntu.com. This is a
temporary change due to the shutdown of the SKS keyserver pools.
* gpg: Let --fetch-key return an exit code on failure.
* dirmngr: Fix regression in KS_GET for mail address pattern.
* Add fallback in case the Windows console can't cope with Unicode.
* Improve initialization of SPR532 in the CCID driver and make the
driver more robust.
* Make test suite work in presence of a broken Libgcrypt
installation.
* Make configure option --disable-ldap work again.
Noteworthy changes in version 2.2.28 (2021-06-10)
-------------------------------------------------
* gpg: Auto import keys specified with --trusted-keys.
* gpg: Allow decryption w/o public key but with correct card
inserted.
* gpg: Allow fingerprint based lookup with --locate-external-key.
* gpg: Lookup a missing public key of the current card via LDAP.
* gpg: New option --force-sign-key.
* gpg: Use a more descriptive password prompt for symmetric
decryption.
* gpg: Do not use the self-sigs-only option for LDAP keyserver
imports.
* gpg: Keep temp files when opening images via xdg-open.
* gpg: Fix mailbox based search via AKL keyserver method.
* gpg: Fix sending an OpenPGP key with umlaut to an LDAP keyserver.
* gpg: Allow ECDH with a smartcard returning only the x-coordinate.
* gpgsm: New option --ldapserver as an alias for --keyserver. Note
that configuring servers in gpgsm and gpg is deprecated; please
use the dirmngr configuration options.
* gpgsm: Support AES-GCM decryption.
* gpgsm: Support decryption of password protected files.
* gpgsm: Lock keyboxes also during a search to fix lockups on
Windows.
* agent: Skip unknown unknown ssh curves seen on
cards.
* scdaemon: New option --pcsc-shared.
* scdaemon: Backport PKCS#15 card support from GnuPG 2.3
* scdaemon: Fix CCID driver for SCM SPR332/SPR532.
* scdaemon: Fix possible PC/SC removed card problem.
* scdaemon: Fix unblock PIN by a Reset Code with KDF.
* scdaemon: Support compressed points.
* scdaemon: Prettify S/N for Yubikeys and fix reading for early
Yubikey 5 tokens.
* dirmngr: New option --ldapserver to avoid the need for the
separate dirmngr_ldapservers.conf file.
* dirmngr: The dirmngr_ldap wrapper has been rewritten to properly
support ldap-over-tls and starttls for X.509 certificates and
CRLs.
* dirmngr: OpenPGP LDAP keyservers may now also be configured using
the same syntax as used for X.509 and CRL LDAP servers. This
avoids the former cumbersome quoting rules and adds a flexible set
of flags to control the connection.
* dirmngr: The "ldaps" scheme of an OpenPGP keyserver URL is now
interpreted as ldap-with-starttls on port 389. To use the
non-standardized ldap-over-tls the new LDAP configuration method
of the new attribute "gpgNtds" needs to be used.
* dirmngr: Return the fingerprint as search result also for LDAP
OpenPGP keyservers. This requires the modernized LDAP schema.
* dirmngr: An OpenPGP LDAP search by a mailbox now ignores revoked
keys.
* gpgconf: Make runtime changes with non-default homedir work.
* gpgconf: Do not translate an empty string to the PO file's meta
data.
* gpgconf: Fix argv overflow if --homedir is used.
* gpgconf: Return a new pseudo option "compliance_de_vs".
* gpgtar: Fix file size computation under Windows.
* Full Unicode support for the Windows command line.
* Fix problem with Windows Job objects and auto start of our
daemons.
* i18n: In German always use "Passwort" instead of "Passphrase" in
prompts.
- Update to Zig 0.8.0
- Fix password length option
- Updates for Zig 0.7.0
- Add password option
- Handle empty/malformed files
- Add contrib folder and script that prepares wordlists
- Replace default wordlist
The previous wordlist was derived from an English dictionary from
LibreOffice. It contained slurs and other hurtful words. It is
replaced with the EFF long wordlist. I apologise for including the
LibreOffice dictionary.
- Clean up options parsing
3.10.4 (25 September 2021)
Resolved issues
Output of Crypto.Util.number.long_to_bytes() was not always a multiple of blocksize.
3.10.3 (22 September 2021)
Resolved issues
Fixed symbol conflict between different versions of libgmp.
Improved robustness of PKCS#1v1.5 decryption against timing attacks.
Fixed segmentation faults on Apple M1 and other Aarch64 SoCs, when the GMP library add accessed via ctypes. Do not use GMP's own sscanf and snprintf routines: instead, use simpler conversion routines.
Workaround for cffi calling ctypes.util.find_library(), which invokes gcc and ld on Linux, considerably slowing down all imports. On certain configurations, that may also leave temporary files behind.
Fix RSAES-OAEP, as it didn't always fail when zero padding was incorrect.
New features
Added support for SHA-3 hash functions to HMAC.
1.10.0 (2021-09-27)
-------------------
* josepy is now compliant with PEP-561: type checkers will fetch types from the inline
types annotations when josepy is installed as a dependency in a Python project.
* Added a `field` function to assist in adding type annotations for Fields in classes.
If the field function is used to define a `Field` in a `JSONObjectWithFields` based
class without a type annotation, an error will be raised.
* josepy's tests can no longer be imported under the name josepy, however, they are still
included in the package and you can run them by installing josepy with "tests" extras and
running `python -m pytest`.
1.9.0 (2021-09-09)
------------------
* Removed pytest-cache testing dependency.
* Fixed a bug that sometimes caused incorrect padding to be used when
serializing Elliptic Curve keys as JSON Web Keys.
* Version 1.1.1 (released 2021-05-19)
** Fix an issue where PIN authentication could be bypassed (CVE-2021-31924).
** Fix an issue with nodetect and non-resident credentials.
** Fix build issues with musl libc.
** Add support for self-attestation in pamu2fcfg.
** Fix minor bugs found by fuzzing.
0.1.91 (2021-04-23)
* Land #30, Implement the rc4 wrapper
0.1.92 (2021-07-09)
* Land #31, add method to obfuscate string literals
* Land #32, fix unit tests
0.1.93 (2021-07-19)
* Land #33, Add github actions for tests
* Land #35, Add W^X powershell payload templates
0.1.30 (2021-03-25)
* Land #31, Consistently return nil as the failure indicator
0.1.31 (2021-08-05)
* Land #37, Honor the SSLVersion for server sockets
0.1.32 (2021-08-05)
* Land #36, Use getsockname to get the real local info
0.1.33 (2021-08-05)
* Land #35, Fix Default IPv6 LocalHost
0.2.35 (2021-04-08)
* Land #41, Add rand_password method to Rex::Text
0.2.36 (2021-07-01)
* Land #30, Fix for vbapplication payload generation
0.2.37 (2021-08-13)
* Land #24, Implement Rex::Text random function name generator
4.1.4 (2021-09-09)
Merged Pull Requests
* added back the begin and end #380 (nikhil2611)
4.1.3 (2021-09-07)
Merged Pull Requests
* Upgrade to GitHub-native Dependabot #371 (dependabot-preview[bot])
* fix-verify-pipeline #377 (jayashrig158)
* Replaced exception with the warnings and removed related failing
specs(used earlier for raising issue) #367 (sanga1794)
Release 2.7.2
* Fixed a regression related to server host key selection when attempting
to use a leading '+' to add algorithms to the front of the default list.
* Fixed logging to properly handle SFTPName objects with string filenames.
* Fixed SSH_EXT_INFO to only be sent after the first key exchange.
Certbot 1.19.0
Added
The certbot-dns-rfc2136 plugin always assumed the use of an IP address as the
target server, but this was never checked. Until now. The plugin raises an error
if the configured target server is not a valid IPv4 or IPv6 address.
Our acme library now supports requesting certificates for IP addresses.
This feature is still unsupported by Certbot and Let's Encrypt.
Changed
Several attributes in certbot.display.util module are deprecated and will
be removed in a future release of Certbot. Any import of these attributes will
emit a warning to prepare the transition for developers.
zope based interfaces in certbot.interfaces module are deprecated and will
be removed in a future release of Certbot. Any import of these interfaces will
emit a warning to prepare the transition for developers.
We removed the dependency on chardet from our acme library. Except for when
downloading a certificate in an alternate format, our acme library now
assumes all server responses are UTF-8 encoded which is required by RFC 8555.
Fixed
Fixed parsing of Defined values in the Apache plugin to allow for = in the value.
Fixed a relatively harmless crash when issuing a certificate with --quiet/-q.
Release 2.7.1 (6 Sep 2021)
--------------------------
* Added an option to allow encrypted keys to be ignored when no passphrase
is set. This behavior previously happened by default when loading keys
from default locations, but now this option to load_keypairs() can be
specified when loading any set of keys.
* Changed loading of default keys to automatically skip key types which
aren't supported due to missing dependencies.
* Added the ability to specify "default" for server_host_key_algs, as
a way for a client to request that its full set of default algorithms
be advertised to the server, rather than just the algorithms matching
keys in the client's known hosts list. Thanks go to Manfred Kaiser
for suggesting this improvement.
* Added support for tilde-expansion in the config file "include"
directive. Thanks go to Zack Cerza for reporting this and suggesting
a fix.
* Improved interoperatbility of AsyncSSH SOCKS listener by sending a zero
address rather than an empty hostname in the SOCKS CONNECT response.
Thanks go to Github user juouy for reporting this and suggesting a fix.
* Fixed a couple of issues related to sending SSH_EXT_INFO messages.
* Fixed an issue with using SSHAcceptor as an async context manager.
Thanks go to Paulo Costa for reporing this.
* Fixed an issue where a tunnel wasn't always cleaned up properly when
creating a remote listener.
* Improved handling of connection drops, avoiding exceptions from being
raised in some cases when the transport is abruptly closed.
* Made AsyncSSH SFTP support more tolerant of file permission values with
undefined bits set. Thanks go to GitHub user ccwufu for reporting this.
* Added some missing key exchange algorithms in the AsyncSSH documentation.
Thanks go to Jeremy Norris for noticing and reporting this.
* Added support for running AsyncSSH unit tests on systems with OpenSSL
3.0 installed. Thanks go to Ken Dreyer for raising this issue and
pointing out the new OpenSSL "provider" support for legacy algorithms.
Upstream changes:
2.072
- add PEM_certs2file and PEM_file2certs in IO::Socket::SSL::Utils based
on idea by rovo89 in #101
- certs/*.p12 used for testing should now work with OpenSSL 3.0 too #108
- update public suffix database
Upstream changes:
0.32 Wed Sep 8 2021
- Prefix internal bn2sv function so it doesn't collide with Net::SSLeay
- Ensure that verify() leaves openssl error stack clean on failure
- Fixed broken SEE ALSO links.
- prevent outer $SIG{__DIE__} handler from being called during optional require.
- omit done_testing since it does not work for older perl versions
Upstream changes:
0.08 Wed Oct 21 2020
- Switch to XSLoader
0.07 Wed Oct 21 2020
- Rename the subroutine compress to not conflict with libz's symbol
- Update manifest and .gitignore
- Move modules to lib/
- drop use vars and Exporter
- Do not provide examples of indirect calls to the module.
Added:
-Add a configuration file
-Support global locations for the configuration file
-Check GPG_TUI_CONFIG environment variable for config file
-Add manpage for the configuration file (gpg-tui.toml.5)
-Add :style command for changing styles
Changed:
-Rename the shell completions binary
-Use the correct name for completions binary
-Update the example shell completions command
-Bump dependencies
Fixed:
-Disable tests for the completions binary
-Build only the main binary in Dockerfile
-Update the build dependencies for the docker image
1.0.11 (2021-08-02)
From commit logs:
* Add brackets to linux proc names like ps does.
* Only wrap process names in brackets on linux.
* Use the entire process path.
* Use a preprocessor directive instead of strcasestr.
libssh2 1.10
This release includes the following enhancements and bugfixes:
o adds agent forwarding support
o adds OpenSSH Agent support on Windows
o adds ECDSA key support using the Mbed TLS backend
o adds ECDSA cert authentication
o adds diffie-hellman-group14-sha256, diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512 key exchanges
o adds support for PKIX key reading when using ed25519 with OpenSSL
o adds support for EWOULDBLOCK on VMS systems
o adds support for building with OpenSSL 3
o adds support for using FIPS mode in OpenSSL
o adds debug symbols when building with MSVC
o adds support for building on the 3DS
o adds unicode build support on Windows
o restores os400 building
o increases min, max and opt Diffie Hellman group values
o improves portiablity of the make file
o improves timeout behavior with 2FA keyboard auth
o various improvements to the Wincng backend
o fixes reading parital packet replies when using an agent
o fixes Diffie Hellman key exchange on Windows 1903+ builds
o fixes building tests with older versions of OpenSSL
o fixes possible multiple definition warnings
o fixes potential cast issues _libssh2_ecdsa_key_get_curve_type()
o fixes potential use after free if libssh2_init() is called twice
o improved linking when using Mbed TLS
o fixes call to libssh2_crypto_exit() if crypto hasn't been initialized
o fixes crash when loading public keys with no id
o fixes possible out of bounds read when exchanging keys
o fixes possible out of bounds read when reading packets
o fixes possible out of bounds read when opening an X11 connection
o fixes possible out of bounds read when ecdh host keys
o fixes possible hang when trying to read a disconnected socket
o fixes a crash when using the delayed compression option
o fixes read error with large known host entries
o fixes various warnings
o fixes various small memory leaks
o improved error handling, various detailed errors will now be reported
o builds are now using OSS-Fuzz
o builds now use autoreconf instead of a custom build script
o cmake now respects install directory
o improved CI backend
o updated HACKING-CRYPTO documentation
o use markdown file extensions
o improved unit tests
version 0.9.6 (released 2021-08-26)
* CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with
different key exchange mechanism
* Fix several memory leaks on error paths
* Reset pending_call_state on disconnect
* Fix handshake bug with AEAD ciphers and no HMAC overlap
* Use OPENSSL_CRYPTO_LIBRARIES in CMake
* Ignore request success and failure message if they are not expected
* Support more identity files in configuration
* Avoid setting compiler flags directly in CMake
* Support build directories with special characters
* Include stdlib.h to avoid crash in Windows
* Fix sftp_new_channel constructs an invalid object
* Fix Ninja multiple rules error
* Several tests fixes
Noteworthy changes in version 1.9.4 (2021-08-22) [C23/A3/R4]
------------------------------------------------
* Bug fixes:
- Fix Elgamal encryption for other implementations.
[#5328,CVE-2021-33560]
- Fix alignment problem on macOS. [#5440]
- Check the input length of the point in ECDH. [#5423]
- Fix an abort in gcry_pk_get_param for "Curve25519". [#5490]
* Other features:
- Add GCM and CCM to OID mapping table for AES. [a83fb13a3b]
Pkgsrc changes:
* Note that we need go >= 1.15.15.
Upstream changes:
26 August 2021
SECURITY:
* UI Secret Caching: The Vault UI erroneously cached and exposed
user-viewed secrets between authenticated sessions in a single
shared browser, if the browser window / tab was not refreshed or
closed between logout and a subsequent login. This vulnerability,
CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in
pending 1.7.4 / 1.6.6 releases.
CHANGES:
* go: Update go version to 1.15.15 [GH-12423]
IMPROVEMENTS:
* db/cassandra: Added tls_server_name to specify server name for
TLS validation [GH-11820]
BUG FIXES:
* physical/raft: Fix safeio.Rename error when restoring snapshots
on windows [GH-12377]
* secret: fix the bug where transit encrypt batch doesn't work
with key_version [GH-11628]
* secrets/database: Fixed an issue that prevented external database
plugin processes from restarting after a shutdown. [GH-12087]
* ui: Automatically refresh the page when user logs out [GH-12035]
* ui: Fixes metrics page when read on counter config not allowed [GH-12348]
* ui: fix oidc login with Safari [GH-11884]
Major changes in 1.18.4
Fix a denial of service attack against the KDC encrypted challenge code [CVE-2021-36222].
Fix a memory leak when gss_inquire_cred() is called without a credential handle.
Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
*) Fixed an SM2 Decryption Buffer Overflow.
In order to decrypt SM2 encrypted data an application is expected to call the
API function EVP_PKEY_decrypt(). Typically an application will call this
function twice. The first time, on entry, the "out" parameter can be NULL and,
on exit, the "outlen" parameter is populated with the buffer size required to
hold the decrypted plaintext. The application can then allocate a sufficiently
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
value for the "out" parameter.
A bug in the implementation of the SM2 decryption code means that the
calculation of the buffer size required to hold the plaintext returned by the
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
called by the application a second time with a buffer that is too small.
A malicious attacker who is able present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up to a
maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application to
crash. The location of the buffer is application dependent but is typically
heap allocated.
(CVE-2021-3711)
[Matt Caswell]
*) Fixed various read buffer overruns processing ASN.1 strings
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
structure which contains a buffer holding the string data and a field holding
the buffer length. This contrasts with normal C strings which are repesented as
a buffer for the string data which is terminated with a NUL (0) byte.
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
own "d2i" functions (and other similar parsing functions) as well as any string
whose value has been set with the ASN1_STRING_set() function will additionally
NUL terminate the byte array in the ASN1_STRING structure.
However, it is possible for applications to directly construct valid ASN1_STRING
structures which do not NUL terminate the byte array by directly setting the
"data" and "length" fields in the ASN1_STRING array. This can also happen by
using the ASN1_STRING_set0() function.
Numerous OpenSSL functions that print ASN.1 data have been found to assume that
the ASN1_STRING byte array will be NUL terminated, even though this is not
guaranteed for strings that have been directly constructed. Where an application
requests an ASN.1 structure to be printed, and where that ASN.1 structure
contains ASN1_STRINGs that have been directly constructed by the application
without NUL terminating the "data" field, then a read buffer overrun can occur.
The same thing can also occur during name constraints processing of certificates
(for example if a certificate has been directly constructed by the application
instead of loading it via the OpenSSL parsing functions, and the certificate
contains non NUL terminated ASN1_STRING structures). It can also occur in the
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
If a malicious actor can cause an application to directly construct an
ASN1_STRING and then process it through one of the affected OpenSSL functions
then this issue could be hit. This might result in a crash (causing a Denial of
Service attack). It could also result in the disclosure of private memory
contents (such as private keys, or sensitive plaintext).
(CVE-2021-3712)
[Matt Caswell]
Query, set, delete credentials from the 'git' credential store. Manage
'GitHub' tokens and other 'git' credentials. This package is to be
used by other packages that need to authenticate to 'GitHub' and/or
other 'git' repositories.
Aims to support all features of the system credential store, including
non-portable ones. Supports 'Keychain' on 'macOS', and 'Credential
Manager' on 'Windows'. See the 'keyring' package if you need a
portable 'API'.
Release 4.1.1
CHANGELOG
* Support already valid authorizations
* Moved to Github Actions workflows for automated tests, started using Let's Encrypt pebble test server, increased test coverage to 100%
* Added test to ensure path traversal can't be exploited
* Started logging Account IDs for later reference
* Various README updates
This version updates Firefox to 78.13.0esr. This version includes
important security updates to Firefox.
Warning:
Tor Browser will stop supporting version 2 onion services very
soon. Please see the previously published deprecation timeline.
Migrate your services and update your bookmarks to version 3 onion
services as soon as possible.
The full changelog since Tor Browser 10.5.2:
Windows + OS X + Linux
Update Firefox to 78.13.0esr
Update NoScript to 11.2.11
Bug 40041: Remove V2 Deprecation banner on about:tor for desktop
Bug 40506: Saved Logins not available in 10.5
Bug 40524: Update DuckDuckGo onion site URL in search preferences and onboarding
v 11.2.11
============================================================
x [nscl] Fixed JavaScript access to CSS rules broken on
Chromium when unrestricted CSS is disabled - issue #204
x Prevent Chromium builds from being sent to AMO for signing
x [nscl] Fixed CPU/RAM overload on some pages with
unrestricted CSS disabled but scripting enabled (not
recommended setting) - issue #194, issue #199
x [nscl] Fixed CPU spikes on Chromium triggered by automatic
file downloads (thanks ptheborg for report)
v 11.2.10
============================================================
x Cross-browser file naming consistency, in spite of version
numbering incompatibilities
x [nscl] Fix for potential race conditions on certain page
transitions (issue #205)
x Handle exception when accessing navigator.serviceWorker on
sandboxed frames
x MS Edge support
v 11.2.9
============================================================
x [L10n] Updated de, mk
x Replace deprecated extension.getURL() with
runtime.getURL()
x REUSE-compliant licensing boilerplate
x Remove unused/refactored-out files
x Relicensing as GPL3+
x [nscl] Fixed infinite recursion issue on window.open
wrappers
x Avoid treating JavaScript files as embeddings when opened
as top-level documents
[0.7.4] - 2021-08-07
Added:
Add config for splash screen to check SHA256 hash of assets
Changed:
Bump rust-embed to 6.0.0
Bump tui to 0.16.0
Bump gpgme to 0.10.0
Center the options menu title
Fixed:
Mark the unsupported algorithms as unrecognized/unknown
Fix the failing test about options menu title
1.18.0
Added
New functions that Certbot plugins can use to interact with the user have been added to certbot.display.util. We plan to deprecate using IDisplay with zope in favor of these new functions in the future.
The Plugin, Authenticator and Installer classes are added to certbot.interfaces module as alternatives to Certbot's current zope based plugin interfaces. The API of these interfaces is identical, but they are based on Python's abc module instead of zope. Certbot will continue to detect plugins that implement either interface, but we plan to drop support for zope based interfaces in a future version of Certbot.
The class certbot.configuration.NamespaceConfig is added to the Certbot's public API.
Changed
When self-validating HTTP-01 challenges using acme.challenges.HTTP01Response.simple_verify, we now assume that the response is composed of only ASCII characters. Previously we were relying on the default behavior of the requests library which tries to guess the encoding of the response which was error prone.
acme: the .client.Client and .client.BackwardsCompatibleClientV2 classes are now deprecated in favor of .client.ClientV2.
The certbot.tests.patch_get_utility* functions have been deprecated. Plugins should now patch certbot.display.util themselves in their tests or use certbot.tests.util.patch_display_util as a temporary workaround.
In order to simplify the transition to Certbot's new plugin interfaces, the classes Plugin and Installer in certbot.plugins.common module and certbot.plugins.dns_common.DNSAuthenticator now implement Certbot's new plugin interfaces. The Certbot plugins based on these classes are now automatically detected as implementing these interfaces.
We added a dependency on chardet to our acme library so that it will be used over charset_normalizer in newer versions of requests.
Fixed
The Apache authenticator no longer crashes with "Unable to insert label" when encountering a completely empty vhost. This issue affected Certbot 1.17.0.
Users of the Certbot snap on Debian 9 (Stretch) should no longer encounter an "access denied" error when installing DNS plugins.
-Fix example
-Check should fail if handed a non-regular file
-Document control characters
-Optional environment passthrough
-Removing superfluous backtick
-Child should be handled in parent
-Removing redundant util.rs
-Reorganising tests to storage overheads
-Clippy suggestions
-Removing need to drop privs in child
-Forking can be done as low priv user
[0.7.3] - 2021-07-25
Added:
-Add Wayland clipboard support (#30)
-Add 'in the media' section to README.md
Changed:
-Import the test key from keyserver in CI workflow
Fixed:
-Handle clipboard errors
1.33.1 (2021-07-20)
Bug Fixes
fallback to source creds expiration in downscoped tokens
Reverts
revert "feat: service account is able to use a private token endpoint
1.33.0 (2021-07-14)
Features
define CredentialAccessBoundary classes
define google.auth.downscoped.Credentials class
service account is able to use a private token endpoint
Bug Fixes
fix fetch_id_token credential lookup order to match adc
Documentation
fix code block formatting in 'user-guide.rst'
1.32.1 (2021-06-30)
Bug Fixes
avoid leaking sub-session created for '_auth_request'
1.32.0 (2021-06-16)
Features
allow scopes for self signed jwt
1.31.0 (2021-06-09)
Features
define useful properties on google.auth.external_account.Credentials
Bug Fixes
avoid deleting items while iterating
Changelog:
These features are new in 0.76 (released 2021-07-17):
New option to abandon an SSH connection if the server allows you to authenticate in a trivial manner.
Bug fix: Windows PuTTY crashed when the 'Use system colours' option was used.
Bug fix: crash on Windows when using MIT Kerberos together with 'Restart Session'.
Bug fix: Windows PuTTY leaked named pipes after contacting Pageant.
Bug fix: Windows PuTTY didn't update the window while you held down the scrollbar arrow buttons long enough to 'key-repeat'.
Bug fix: user colour-palette reconfiguration via 'Change Settings' were delayed-action.
Bug fix: server colour-palette reconfigurations were sometimes lost.
Bug fix: a tight loop could occur on reading a truncated private key file.
Bug fix: the Windows Pageant GUI key list didn't display key lengths.
These features were new in 0.75 (released 2021-05-08):
Security fix: on Windows, a server could DoS the whole Windows GUI by telling the PuTTY window to change its title repeatedly at high speed.
Pageant now supports loading a key still encrypted, and decrypting it later by prompting for the passphrase on first use.
Upgraded default SSH key fingerprint format to OpenSSH-style SHA-256.
Upgraded private key file format to PPK3, with improved passphrase hashing and no use of SHA-1.
Terminal now supports ESC [ 9 m for strikethrough text.
New protocols: bare ssh-connection layer for use over already-secure IPC channels, and SUPDUP for talking to very old systems such as PDP-10s.
PuTTYgen now supports alternative provable-prime generation algorithm for RSA and DSA.
The Unix tools can now connect directly to a Unix-domain socket.
Changes since v4.8.0:
wolfSSL Release 4.8.1 (July 16, 2021)
Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:
Vulnerabilities
* [High] OCSP verification issue when response is for a certificate with no
relation to the chain in question BUT that response contains the NoCheck
extension which effectively disables ALL verification of that one cert.
Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS
server users doing mutual auth with OCSP, and CertManager users doing OCSP
independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum
and Alissa Kim of Volkswagen Infotainment for the report.
Certbot 1.17.0
Added
Add Void Linux overrides for certbot-apache.
Changed
We changed how dependencies are specified between Certbot packages. For this
and future releases, higher level Certbot components will require that lower
level components are the same version or newer. More specifically, version X
of the Certbot package will now always require acme>=X and version Y of a
plugin package will always require acme>=Y and certbot=>Y. Specifying
dependencies in this way simplifies testing and development.
The Apache authenticator now always configures virtual hosts which do not have
an explicit ServerName. This should make it work more reliably with the
default Apache configuration in Debian-based environments.
Fixed
When we increased the logging level on our nginx "Could not parse file" message,
it caused a previously-existing inability to parse empty files to become more
visible. We have now added the ability to correctly parse empty files, so that
message should only show for more significant errors.
It's required to install sub-folders which contains scripts for notify and
dnsapi support. Change default folder for scripts to share folder and symlink
to sbin.
Bump PKGREVISION.
[0.7.2] - 2021-07-20
Added:
-Add the missing views for signature notations
Changed:
-Mark the default signing key with a symbol
Fixed:
-Override the default key for all gpg fallback commands
-Sleep the event handler thread if input is disabled (#29)
With heimdal, you'll get undefined symbol errors like this one:
/usr/pkg/lib/python3.8/site-packages/kerberos.so: Undefined PLT symbol "krb5_free_keytab_entry_contents"
Bump PKGREVISION.
[0.7.1] - 2021-07-17
Added:
-Add an example for selection mode to README.md
Changed:
-Update README.md about libxkbcommon-dev dependency (#26)
Fixed:
-Run the terminal on stderr and use stdout for output (#27)
10.5.2
Windows + OS X + Linux
Update Firefox to 78.12.0esr
Bug 40497: Cannot set multiple pages as home pages in 10.5a17
Bug 40507: Full update is not downloaded after applying partial update fails
Bug 40510: open tabs get redirected to about:torconnect on restart
10.5.1
Android-only
10.5
All Platforms
Update NoScript to 11.2.9
Update Tor Launcher to 0.2.30
Translations update
Bug 25483: Provide Snowflake based on Pion for Windows, macOS, and Linux
Bug 33761: Remove unnecessary snowflake dependencies
Bug 40064: Bump libevent to 2.1.12
Bug 40137: Migrate https-everywhere storage to idb
Bug 40261: Bump versions of snowflake and webrtc
Bug 40263: Update domain front for Snowflake
Bug 40302: Update version of snowflake
Bug 40030: DuckDuckGo redirect to html doesn't work
Windows + OS X + Linux
Bug 27476: Implement about:torconnect captive portal within Tor Browser [tor-browser]
Bug 32228: Bookmark TPO support domains in Tor Browser
Bug 33803: Add a secondary nightly MAR signing key [tor-browser]
Bug 33954: Consider different approach for Bug 2176
Bug 34345: "Don't Bootstrap" Startup Mode
Bug 40011: Rename tor-browser-brand.ftl to brand.ftl
Bug 40012: Fix about:tor not loading some images in 82
Bug 40138: Move our primary nightly MAR signing key to tor-browser
Bug 40209: Implement Basic Crypto Safety
Bug 40428: Correct minor Cryptocurrency warning string typo
Bug 40429: Update Onboarding for 10.5
Bug 40455: Block or recover background requests after bootstrap
Bug 40456: Update the SecureDrop HTTPS-Everywhere update channel
Bug 40475: Include clearing CORS preflight cache
Bug 40478: Onion alias url rewrite is broken
Bug 40484: Bootstrapping page show Quickstart text
Bug 40490: BridgeDB bridge captcha selection is broken in alpha
Bug 40495: Onion pattern is focusable by click on about:torconnect
Bug 40499: Onion Alias doesn't work with TOR_SKIP_LAUNCH
Linux
Bug 40089: Remove CentOS 6 support for Tor Browser 10.5
Build System
All Platforms
Update Go to 1.15.13
Bug 23631: Use rootless containers [tor-browser-build]
Bug 33693: Change snowflake and meek dummy address [tor-browser]
Bug 40016: getfpaths is not setting origin_project
Bug 40169: Update apt package cache after calling pre_pkginst, too
Bug 40194: Remove osname part in cbindgen filename
Windows + OS X + Linux
Bug 40081: Build Mozilla code with --enable-rust-simd
Bug 40104: Use our TMPDIR when creating our .mar files
Bug 40133: Bump Rust version for ESR 78 to 1.43.0
Bug 40166: Update apt cache before calling pre_pkginst in container-image config
Linux
Bug 26238: Move to Debian Jessie for our Linux builds
Bug 31729: Support Wayland
Bug 40041: Remove CentOS 6 support for 10.5 series
Bug 40103: Add i386 pkg-config path for linux-i686
Bug 40112: Strip libstdc++ we ship
Bug 40118: Add missing libdrm dev package to firefox container
Bug 40235: Bump apt for Jessie containers
Changes since v4.7.0:
wolfSSL Release 4.8.0 (July 09, 2021)
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities
* [Low] OCSP request/response verification issue. In the case that the serial
number in the OCSP request differs from the serial number in the OCSP
response the error from the comparison was not resulting in a failed
verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0
with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier
are not affected by this report. Thanks to Rainer, Roee, Barak, Hila and
Shoshi (from Cymotive and CARIAD) for the report.
* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM
decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up
contain a fix and do not need to be updated for this report. If decoding a
PEM format private key using version 4.5.0 and older of wolfSSL then we
recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan
Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report.
New Feature Additions
New Product
* Added wolfSentry build with --enable-wolfsentry and tie-ins to wolfSSL code
for use with wolfSentry
Ports
* QNX CAAM driver added, supporting ECC black keys, CMAC, BLOBs, and TRNG use
* _WIN32_WCE wolfCrypt port added
* INTIME_RTOS directory support added
* Added support for STM32G0
* Renesas RX: Added intrinsics for rot[rl], revl (thanks @rliebscher)
* Added support for running wolfcrypt/test/testwolfcrypt on Dolphin emulator
to test DEVKITPRO port
* Zephyr project port updated to latest version 2.6.X
ASN1 and PKCS
* Storing policy constraint extension from certificate added
* Added support for NID_favouriteDrink pilot
* Added the API function wc_EncryptPKCS8Key to handle encrypting a DER,
PKCS#8-formatted key
Compatibility Layer Additions
* Open Source PORTS Added/Updated
* OpenVPN
* OpenLDAP
* socat-1.7.4.1
* Updated QT port for 5.15.2
* Changes to extend set_cipher_list() compatibility layer API to have
set_ciphersuites compatibility layer API capability
* Added more support for SHA3 in the EVP layer
* API Added
* MD5/MD5_Transform
* SHA/SHA_Transform/SHA1_Transform
* SHA224/SHA256_Transform/SHA512_Transform
* SSL_CTX_get0_param/SSL_CTX_set1_param
* X509_load_crl_file
* SSL_CTX_get_min_proto_version
* EVP_ENCODE_CTX_new
* EVP_ENCODE_CTX_free
* EVP_EncodeInit
* EVP_EncodeUpdate
* EVP_EncodeFinal
* EVP_DecodeInit
* EVP_DecodeUpdate
* EVP_DecodeFinal
* EVP_PKEY_print_public
* BIO_tell
* THREADID_current
* THREADID_hash
* SSL_CTX_set_ecdh_auto
* RAND_set_rand_method()
* X509_LOOKUP_ctrl()
* RSA_bits
* EC_curve_nist2nid
* EC_KEY_set_group
* SSL_SESSION_set_cipher
* SSL_set_psk_use_session_callback
* EVP_PKEY_param_check
* DH_get0_pqg
* CRYPTO_get_ex_new_index
* SSL_SESSION_is_resumable
* SSL_CONF_cmd
* SSL_CONF_CTX_finish
* SSL_CTX_keylog_cb_func
* SSL_CTX_set_keylog_callback
* SSL_CTX_get_keylog_callback
Misc.
* Added wolfSSL_CTX_get_TicketEncCtx getter function to return the ticket
encryption ctx value
* Added wc_AesKeyWrap_ex and wc_AesKeyUnWrap_ex APIs to accept an Aes object
to use for the AES operations
* Added implementation of AES-GCM streaming (--enable-aesgcm-stream)
* Added deterministic generation of k with ECC following RFC6979 when the
macro WOLFSL_ECDSA_DETERMINISTIC_K is defined and wc_ecc_set_deterministic
function is called
* Implemented wc_DsaParamsDecode and wc_DsaKeyToParamsDer
* Asynchronous support for TLS v1.3 TLSX ECC/DH key generation and key
agreement
* Added crypto callback support for Ed/Curve25519 and SHA2-512/384
* TLS 1.3 OPwolfSSL_key_update_response function added to see if a update
response is needed
Fixes
* Fix for detecting extra unused bytes that are in an ASN1 sequence appended
to the end of a valid ECC signature
* Fix for keyid with ktri CMS (breaks compatibility with previous keyid ASN1
syntax)
* Fix for failed handshake if a client offers more than 150 cipher
suites. Thanks to Marcel Maehren, Philipp Nieting, Robert Merget from Ruhr
University Bochum Sven Hebrok, Juraj Somorovsky from Paderborn University
* Fix for default order of deprecated elliptic curves SECP224R1, SECP192R1,
SECP160R1. Thanks to Marcel Maehren, Philipp Nieting, Robert Merget from
Ruhr University Bochum Sven Hebrok, Juraj Somorovsky from Paderborn
University
* Fix for corner TLS downgrade case where a TLS 1.3 setup that allows for
downgrades but has TLS 1.3 set as the minimum version would still downgrade
to TLS 1.2
PKCS7 (Multiple fixes throughout regarding memory leaks with SMIME and heap
buffer overflows due to streaming functionality)
* Fix PKCS7 dynamic content save/restore in PKCS7_VerifySignedData
* Fix for heap buffer overflow on compare with wc_PKCS7_DecryptKtri
* Fix for heap buffer overflow with wc_PKCS7_VerifySignedData
* Fix for heap buffer overflow with wc_PKCS7_DecodeEnvelopedData
* Check size of public key used with certificate passed into
wc_PKCS7_InitWithCert before XMEMCPY to avoid overflow
* Fix for heap buffer overflow fix for wolfSSL_SMIME_read_PKCS7
* Fix to cleanly free memory in error state with wolfSSL_SMIME_read_PKCS7
* SMIME error checking improvements and canonicalize multi-part messages
before hashing
DTLS Fixes
* DTLS fix to correctly move the Tx sequence number forward
* DTLS fix for sequence and epoch number with secure renegotiation cookie
exchange
* Fix for Chacha-Poly AEAD for DTLS 1.2 with secure renegotiation
PORT Fixes
* Fix AES, aligned key for the HW module with DCP port
* Fix ATECC608A TNGTLS certificate size issue (thanks @vppillai)
* Fixes for mingw compile warnings
* Fixes for NXP LTC ECC/RSA
* Fix ESP32 RSA hw accelerator initialization issue
* Fixes for STM32 PKA with ECC
* Fixes for STM32 AES GCM for HAL's that support byte sized headers
* Espressif ESP32 SHA_CTX macro conflict resolved
Math Library Fixes
* For platforms that support limits.h or windows make sure both
SIZEOF_LONG_LONG and SIZEOF_LONG are set to avoid issues with CTC_SETTINGS
* SP C 32/64: fix corner cases around subtraction affecting RSA PSS use
* Fix to return the error code from sp_cond_swap_ct when malloc fails
* Fix potential memory leak with small stack in the function fp_gcd
* Static Analysis Fixes
* Fixes made from Coverity analysis including:
* Cleanups for some return values,
* Fix for leak with wolfSSL_a2i_ASN1_INTEGER
* Sanity check on length in wolfSSL_BN_rand
* Sanity check size in TLSX_Parse catching a possible integer overflow
* Fixes found with -fsanitize=undefined testing
* Fix null dereferences or undefined memcpy calls
* Fix alignment in myCryptoDevCb
* Fix default DTLS context assignment
* Added align configure option to force data alignment
Misc.
* Fix for wolfSSL_ASN1_TIME_adj set length
* Fix for freeing structure on error case in the function AddTrustedPeer
* Return value of SSL_read when called after bidirectional shutdown
* Fix for build options ./configure --enable-dtls --disable-asn
* FIx for detection of a salt length from an RSA PSS signature
* Fix to free up globalRNGMutex mutex when cleaning up global RNG
* Fix leak when multiple hardware names are in SAN
* Fix nonblocking ret value from CRL I/O callbacks
* Fix wolfSSL_BIO_free_all return type to better match for compatibility layer
* Fix for make distcheck, maintainer-clean, to allow distribution builds
* Fix for async with fragmented packets
* Fix for the build or RSA verify or public only
* Fix for return value of wolfSSL_BIO_set_ssl to better match expected
compatibility layer return value
* Fix for sanity checks on size of issuer hash and key along with better
freeing on error cases with DecodeBasicOcspResponse
* Fix for potential memory leak with wolfSSL_OCSP_cert_to_id
Improvements/Optimizations
DTLS/TLS Code Base
* Improved TLS v1.3 time rollover support
* TLS 1.3 PSK: use the hash algorithm to choose cipher suite
* TLS Extended Master Secret ext: TLS13 - send in second Client Hello if in
first
* TLS Encrypt then MAC: check all padding bytes are the same value
* wolfSSL_GetMaxRecordSize updated to now take additional cipher data into
account
* Updated session export/import with DTLS to handle a new internal options
flag
* Refactored dtls_expected_peer_handshake_number handling
* Added wolfSSL_CTX_get_ephemeral_key and wolfSSL_get_ephemeral_key for
loading a constant key in place of an ephemeral one
* Improved checking of XSNPRINTF return value in DecodePolicyOID
Build Options and Warnings
* Added wolfSSL_CTX_set_verify to the ABI list
* Adjusted FP_ECC build to not allow SECP160R1, SECP160R2, SECP160K1 and
SECP224K1. FP_ECC does not work with scalars that are the length of the
order when the order is longer than the prime.
* Added CMake support for CURVE25519, ED25519, CURVE448, and ED448
* cmake addition to test paths when building
* Added support for session tickets in CMake
* Added support for reproducible builds with CMake
* Turn on reproducible-build by default when enable-distro
* Windows Project: Include the X448 and Ed448 files
* GCC-11 compile time warning fixes
* Fix for compiling build of ./configure '--disable-tlsv12'
'-enable-pkcallbacks'
* Added build error for insecure build combination of secure renegotiation
enabled with extended master secret disabled when session resumption is
enabled
* Updated building and running with Apple M1
* Apache httpd build without TLS 1.3 macro guard added
* Enable SHA3 and SHAKE256 requirements automatically when ED448 is enabled
* Added option for AES CBC cipher routines to return BAD_LENGTH_E when called
with an input buffer length not a multiple of AES_BLOCK_SIZE
* Macro WOLFSSL_SP_INT_DIGIT_ALIGN added for alignment on buffers with SP
build. This was needed for compiler building on a Renesas board.
* Build support with no hashes enabled an no RNG compiled in
* Allow use of FREESCALE hardware RNG without a specific port
* Resolved some warnings with Windows builds and PBKDF disabled
* Updated the version of autoconf and automake along with fixes for some new
GCC-10 warnings
Math Libraries
* SP: Thumb implementation that works with clang
* SP math all: sp_cmp handling of negative values
* SP C ECC: mont sub - always normalize after sub before check for add
* TFM math library prime checking, added more error checks with small stack
build
* Sanity checks on 0 value with GCD math function
* fp_exptmod_ct error checking and small stack variable free on error
* Sanity check on supported digit size when calling mp_add_d in non fastmath
builds
* Support for mp_dump with SP Math ALL
* WOLFSSL_SP_NO_MALLOC for both the normal SP build and small SP build now
* WOLFSSL_SP_NO_DYN_STACK added for SP small code that is not small stack
build to avoid dynamic stack
PKCS 7/8
* wc_PKCS7_DecodeCompressedData to optionally handle a packet without content
wrapping
* Added setting of content type parsed with PKCS7
wc_PKCS7_DecodeAuthEnvelopedData and wc_PKCS7_DecodeEnvelopedData
* PKCS8 code improvements and refactoring
Misc.
* Sanity checks on null inputs to the functions wolfSSL_X509_get_serialNumber
and wolfSSL_X509_NAME_print_ex
* Added ARM CryptoCell support for importing public key with
wc_ecc_import_x963_ex()
* Improved checking for possible use of key->dp == NULL cases with ECC
functions
* Updated SHAKE256 to compile with NIST FIPS 202 standard and added support
for OID values (thanks to strongX509)
* Improved ECC operations when using WOLFSSL_NO_MALLOC
* Added WOLFSSL_SNIFFER_FATAL_ERROR for an return value when sniffer is in a
fatal state
* Allow parsing spaces in Base64_SkipNewline
* Issue callback when exceeding depth limit rather than error out with
OPENSSL_EXTRA build
* Added NXP LTC RSA key generation acceleration
For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
If this ever worked it only did by accident. Specifying, for example,
"-arch arm64" as used on macOS is enough to break its custom configure
script that assumes all arguments start with "-".
The flags seem to propogate through the environment normally.
Upstream changes:
1.54 June 3, 2021
* Removed a superfluous call to makerandom_itv() thanks to Larry
Leszczynski <larryl@emailplus.org>.
* Improved makerandom_itv test to ensure generated numbers are in the
intterval.
* Actually include t/chisquare.t
Upstream changes:
0.033 2021-05-01
- fix#31 verify_xxx options do not work properly with decode_payload=0
0.032 2021-03-18
- fix#30 use lower uid/gid in release tarball
0.031 2021-01-10
- fix#29 Broken JWS support for ES256K "alg" type
0.030 2021-01-08
- fix#28 Using "kid_keys" with PS256 fails
Release v1.6.14: Meyer (Patch 14)
Support for 32-bit Windows python
Enable specification of krb5-config via environment variable
Support for GSS_C_CHANNEL_BOUND_FLAG
Support for docs build with sphinx 4
Fix undefined variable in get_all_statuses()
Add support for str objects in the cred store dict
Requests is an HTTP library, written in Python, for human beings.
This library adds optional GSSAPI authentication support and supports
mutual authentication.
Fix packaging on 32-bit platforms by disabling int128 dependency.
3.04 Mon 17 May 2021 10:58:37 AM EDT
- Fixed bug involving manually-specified IV not being used in some circumstances.
Release 2.7.0 (19 Jun 2021)
Added support for the ProxyCommand config file option and a corresponding proxy_command argument in the SSH connection options, allowing a subprocess to be used to make the connection to the SSH server. When the config option is used, it should be fully compatible with OpenSSH percent expansion in the command to run.
Added support for accessing terminal information as properties in the SSHServerProcess class. As part of this change, both the environment and terminal modes are now available as read-only mappings. Thanks again to velavokr for suggesitng this and submitting a PR with a proposed version of the change.
Fixed terminal information passed to pty_requested() callback to properly reflect requested terminal type, size, and modes. Thanks go to velavokr for reporting this issue and proposing a fix.
Fixed an edge case where a connection object might not be cleaned up properly if the connection request was cancelled before it was fully established.
Fixed an issue where some unit tests weren’t properly closing connection objects before exiting.
0.6.2 - 2021-06-27
Changed:
- Bump the Rust version in Dockerfile
- Use entrypoint for the docker container
- Update the docker command for quickly launching the app
0.6.1 - 2021-06-26
Changed:
- Run the container as non-root/dedicated user
- Update the docker alias in README.md
0.6.0 - 2021-06-25
Added:
- Support importing keys from the clipboard (#3)
- Add git-cliff configuration file
Changed:
- Update the keyserver link
Fixed:
- Apply clippy lints
- Update application command tests
## 2.6.6 (2021-06-11)
### Fixed
- Fix focusing search when pressing hotkey [#6603]
- Trim whitespace from TOTP key input prior to processing [#6604]
- Fix building on macOS [#6598]
- Resolve compiler warnings for unused return values [#6607]
## 2.6.5 (2021-06-07)
### Added
- Show search bar when toolbar is hidden or in overflow [#6279]
- Show countdown for clipboard clearing in status bar [#6333]
- Command line option to lock all open databases [#6511]
- Allow CSV import of bare TOTP secrets [#6211]
- Retain file creation time when saving database [#6576]
- Set permissions of saved attachments to be private to the current user [#6363]
- OPVault: Use Text instead of Name for attribute names [#6334]
### Changed
- Reports: Allow resizing of reports columns [#6435]
- Reports: Toggle showing expired entries [#6534]
- Save Always on Top setting [#6236]
- Password generator can exclude additional lookalike characters (6/G, 8/B) [#6196]
### Fixed
- Allow setting MSI properties in unattended install [#6196]
- Update MainWindow minimum size to enable smaller verticle space [#6196]
- Use application font size when setting default or monospace fonts [#6332]
- Fix notes not clearing in entry preview panel in some cases [#6481]
- macOS: Correct window activation when restoring from tray [#6575]
- macOS: Better handling of minimize after unlock when using browser integration [#6338]
- Linux: Start after the system tray is available on LXQt [#6216]
- Linux: Allow selection of modal dialogs on X11 in Auto-Type [#6204]
- KeeShare: prevent crash when file extension is missing [#6174]
2020-10-27: Hitch 1.7.0 released. This introduces support for PROXYv2 in --proxy-proxy mode,
adds new command line switches for various settings, and fixes a bug relating to an imbalance
in worker process load distribution, among other things. See the changelog for more information.
2020-08-31: Hitch 1.6.1 released. Fixes an issue in the PROXYv2 handling where we sometimes would
transmit the wrong 'verify' status for client certificate verification. (changelog)
3.1.1 (2021-05-31)
------------------
OAuth2.0 Provider - Bugfixes
* Fix acceptance of valid IPv6 addresses in URI validation
OAuth2.0 Client - Bugfixes
* Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
relies on the `scope` provided in the constructor if any, except if overridden temporarily
in a method call. Note that in particular providing a non-None `scope` in
`prepare_authorization_request` or `prepare_refresh_token` does not override anymore
`self.scope` forever, it is just used temporarily.
* MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
ServiceApplicationClient.prepare_request_body,
and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
constructor.
* LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor
OAuth2.0 Provider - Bugfixes
* client_credentials grant: fix log message
* OpenID Connect Hybrid - fix nonce not passed to add_id_token
* Different prompt values are now handled according to spec (e.g. prompt=none)
* OpenID Connect - fix Authorization: Basic parsing
General
* improved skeleton validator for public vs private client
* replace mock library with standard unittest.mock
* build isort integration
* python2 code removal
* add python3.8 support
* bump minimum versions of pyjwt and cryptography
mdigest reads the files from the argument list and computes a message
digest hash for the file content.
If the argument list is empty mdigest reads from standard in.
