All Platforms
Update Firefox to 68.7.0esr
Bump NoScript to 11.0.23
Bug 33630: Remove noisebridge01 default bridge
Windows + OS X + Linux
Bug 33771: Update some existing licenses and add Libevent license
Bug 33723: Bump openssl version to 1.1.1f
Major changes in 1.18:
Administrator experience
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
* setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.
Developer experience
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name from a PAC.
Protocol evolution
* Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
User experience
* Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.
Code quality
* The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.
Major changes in 1.17.1:
This is a bug fix release.
* Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
* Fix a bug preventing time skew correction from working when a KCM credential cache is used.
Major changes in 1.17:
Administrator experience
* A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
* kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
Developer experience
* The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should perform better.
Protocol evolution
* The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.
User experience
* The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
* The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
Code quality
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.
v1.6.5: Meyer (patch 5)
Fix python_requires so that python-3.5 users hopefully don't get a version they can't use
v1.6.4: Meyer (patch 4)
Fix missing substitution in inquire_property
Fix DLL handling on Windows with workarounds
Tor Browser 9.0.8 -- April 5 2020
* All Platforms
* Mozilla Bug 1620818 - Release nsDocShell::mContentViewer properly
* Mozilla Bug 1626728 - Normalize shutdown
Tor Browser 9.0.7 -- March 20 2020
* All Platforms
* Bump NoScript to 11.0.19
* Bump Https-Everywhere to 2020.3.16
* Bug 33613: Disable Javascript on Safest security level
spiped-1.6.1
* New option -u username:groupname (spiped): change the user and/or group
ownership of the process.
* Use RDRAND as an additional source of entropy on CPUs which support it.
* Use SHANI instructions on CPUs which support them.
* Warn about failed connections and exit with non-zero status (spipe).
spiped-1.6.0
* The -n option (spiped) is no longer limited to a maximum of
500 simultaneous connections.
* The -k option now accepts "-" as a synonym for standard input.
* New option -v (spipe/spiped): Print version number.
* Add workaround for docker signal-handling bug in spiped.
* Perform a graceful shutdown on SIGTERM.
This release contains plenty of new features, bug-fixes, and general
improvements. Some of the most important highlights include:
* We did it again, the MATE desktop environment is easier to use than before,
once the user starts the session. Do you want to hide applications at startup?
Now you can set which applications to show on startup.
* Engrampa now has support for a handful of extra formats, as well as fixed
support for passwords and unicode characters in some of them.
* Eye of MATE now has support for Wayland and we’ve added support for
embedded color profiles.
* The thumbnail generation has been reworked and fixed in several places.
* Added support for webp files.
* Our window manager, marco, has gotten quite a few changes:
* We’ve brought a bunch of window decorations from the past to feed
your nostalgia.
* Finally added invisible resize borders. No more struggling to find a
border to grab with your mouse!
* All window controls (you know, the min, max, close buttons) are now
rendered in HiDPI.
* The Alt+Tab and Workspace Switcher popups have been entirely reworked.
Now they render in beautiful OSD style, are more configurable, and can
respond to keyboard arrows.
* Tiling windows with the keyboard now allows you to cycle through
different window sizes. You no longer need to feel constrained by only
half of your screen.
* The System Monitor panel applet now has support for NVMe drives.
* Calculator now supports using either “pi” or “π”.
* Scientific notation has been improved.
* Some fixes for supporting pre-defined physical constants.
* The Control Center now displays its icons correctly on HiDPI displays.
* A brand new Time And Date Manager app has been added.
* The Mouse app now supports acceleration profiles.
* The Preferred Applications app has been improved for accessibility, as well
as better support for integration with IM clients.
* The Indicator Applet has slightly better interaction with
oddly-sized icons.
* Speaking of icons, the network manager applet icons in our own themes have
been entirely redesigned and can now be enjoyed on HiDPI displays.
* If you’re the type of person that does not like to be disturbed when busy,
or giving a presentation, or watching a movie, you’ll be happy to know that
the notification daemon now supports a Do-Not-Disturb mode.
* The MATE Panel had several bugs that caused crashes in the past when
changing layouts. Those are now fixed!
* Support for Wayland compatibility has improved considerably.
* Status icons (a.k.a. notification area, or system tray) have support
for HiDPI displays.
* Wanda the Fish got a make-over and now you can enjoy her in full
HiDPI glory.
* The window list applet now supports window thumbnails on hover.
* Various accessibility improvements throughout the panel and its
core applets.
* If your system doesn’t, uh, support systemd you might be interested in
knowing that we’ve added support for elogind to both the MATE Screensaver
and the MATE Session.
* We’ve also added a brand new MATE Disk Image Mounter utility.
* Mozo, the menu editor, now supports Undo and Redo actions.
* Pluma plugins have now fully switched to Python 3.
* Pluma no longer has to envy anything from other complex editors, since it
can now show the formatting marks.
* i18n: All applications have been migrated from intltools to gettext.
This is polkit 0.116.
Highlights:
Fix of CVE-2018-19788, high UIDs caused overflow in polkit;
Fix of CVE-2019-6133, kernel vulnerability (Slowfork) allowed local privilege escalation.
Changes since polkit 0.115:
Kyle Walker:
Leaking zombie child processes
Jan Rybar:
Possible resource leak found by static analyzer
Output messages tuneup
Sanity fixes
pkttyagent tty echo disabled on SIGINT
Ray Strode:
HACKING: add link to Code of Conduct
Philip Withnall:
polkitbackend: comment typos fix
Zbigniew Jędrzejewski-Szmek:
configure.ac: fix detection of systemd with cgroups v2
CVE-2018-19788 High UIDs overflow fix
Colin Walters:
CVE-2019-6133 Slowfork vulnerability fix
Matthew Leeds:
Allow unset process-uid
Emmanuele Bassi:
Port the JS authority to mozjs-60
Göran Uddeborg:
Use JS_EncodeStringToUTF8
Many thanks to all contributors!
Jan Rybar et al.,
April 25, 2019
3.0.7:
Include OpenSSL libs and binary for Windows 1.1.0j
Remove RANDFILE environment variable
Workaround for bug in win32 mktemp
Handle IP address in SAN and renewals
Workaround for ash and no set -o echo
Shore up windows testing framework
Provide upgrade mechanism for older versions of EasyRSA
Add support for KDC certificates
Add support for Edwards curves
Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars
Add support for RID to SAN
2.9:
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older versions of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.
Version 3.6.13:
** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
The DTLS client would not contribute any randomness to the DTLS negotiation,
breaking the security guarantees of the DTLS protocol
[GNUTLS-SA-2020-03-31, CVSS: high]
** libgnutls: Added new APIs to access KDF algorithms.
** libgnutls: Added new callback gnutls_keylog_func that enables a custom
logging functionality.
** libgnutls: Added support for non-null-terminated usernames in PSK
negotiation.
** gnutls-cli-debug: Improved support for old servers that only support
SSL 3.0.
** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
gnutls_session_get_keylog_function: Added
gnutls_session_set_keylog_function: Added
gnutls_prf_hash_get: Added
gnutls_psk_server_get_username2: Added
gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added
Features
add mTLS ADC support for HTTP (#457) (bb9215a)
add SslCredentials class for mTLS ADC (#448) (dafb41f)
fetch id token from GCE metadata server (#462) (97e7700)
Bug Fixes
don't use threads for gRPC AuthMetadataPlugin (#467) (ee373f8)
make ThreadPoolExecutor a class var (#461) (b526473)
While the certs dir should exist, pkg_delete of
mozilla-rootcerts-openssl currently removes it, despite it not having
been created by the corresponding pkg_add. Instead of failing if the
directory does not exist, simply emit a warning and create it.
Changes since pam-p11-0.1.5 from the NEWS file:
New in 0.3.1; 2019-09-11; Frank Morgner
* CVE-2019-16058: Fixed buffer overflow when creating signatures longer than 256
bytes
New in 0.3.0; 2019-04-24; Frank Morgner
* Add Italian translation
* Add support for matching the PIN-input with a regular expression
* Add support for macOS
* Add support for building with OpenSSL 1.1.1
* Add support for nistp256/384/521 keys in authorized_keys file
New in 0.2.0; 2018-05-16; Frank Morgner
* Add user documentation in Readme.md
* Add support for PIN pad readers
* Add support for changing/unblocking PIN (use with passwd)
* Add support for localized user feedback
* Add support for cards without certificates (e.g. OpenPGP card)
* Add support for PKCS#11 modules with multiple slots
* Add support for building with OpenSSL 1.1
* Merged opensc and openssh module into pam_p11.so
* Fixed memory leaks, coverity issues, compiler warnings
* Created `test-passwd` and `test-login` for testing standard use cases
New in 0.1.6; 2017-03-06; Alon Bar-Lev
* Build system rewritten (NOTICE: configure options were modified).
Changes since libp11-0.2.8 from the NEWS file:
New in 0.4.4; 2017-01-26; Michal Trojnara
* Fixed a state reset caused by re-login on LOAD_CERT_CTRL engine ctrl;
fixes #141 (Michal Trojnara)
* "?" and "&" allowed as URI separators; fixes #142 (Michal Trojnara)
* engine: Unified private/public key and certificate enumeration
to be performed without login if possible (Michal Trojnara)
New in 0.4.3; 2016-12-04; Michal Trojnara
* Use UI to get CKU_CONTEXT_SPECIFIC PINs (Michal Trojnara)
* Added graceful handling of alien (non-PKCS#11) keys (Michal Trojnara)
* Added symbol versioning (Nikos Mavrogiannopoulos)
* Soname tied with the OpenSSL soname (Nikos Mavrogiannopoulos)
* Added MSYS2, Cygwin, and MinGW/MSYS support (Pawel Witas)
* Workaround implemented for a deadlock in PKCS#11 modules that
internally use OpenSSL engines (Michal Trojnara, Pawel Witas)
* Fixed an EVP_PKEY reference count leak (David Woodhouse)
* Fixed OpenSSL 1.1.x crash in public RSA methods (Doug Engert,
Michal Trojnara)
* Fixed OpenSSL 1.1.x builds (Nikos Mavrogiannopoulos, Michal Trojnara)
* Fixed retrieving PIN values from certificate URIs (Andrei Korikov)
* Fixed symlink installation (Alon Bar-Lev)
New in 0.4.2; 2016-09-25; Michal Trojnara
* Fixed a 0.4.0 regression bug causing the engine finish function to
remove any configured engine parameters; fixes #104 (Michal Trojnara)
New in 0.4.1; 2016-09-17; Michal Trojnara
* Use enginesdir provided by libcrypto.pc if available (David Woodhouse)
* Certificate cache destroyed on login/logout (David Woodhouse)
* Fixed accessing certificates marked as CKA_PRIVATE (David Woodhouse)
* Directly included libp11 code into the engine (Matt Hauck)
* Fixed handling simultaneous make jobs (Derek Straka)
* Reverted an old hack that broke engine initialization (Michal Trojnara)
* Fixed loading of multiple keys due to unneeded re-logging (Matt Hauck)
* Makefile fixes and improvements (Nikos Mavrogiannopoulos)
* Fixed several certificate selection bugs (Michal Trojnara)
* The signed message digest is truncated if it is too long for the
signing curve (David von Oheimb)
* Workaround for broken PKCS#11 modules not returning CKA_EC_POINT
in the ASN1_OCTET_STRING format (Michal Trojnara)
* OpenSSL 1.1.0 build fixes (Michal Trojnara)
New in 0.4.0; 2016-03-28; Michal Trojnara
* Merged engine_pkcs11 (Michal Trojnara)
* Added ECDSA support for OpenSSL < 1.0.2 (Michal Trojnara)
* Added ECDH key derivation support (Doug Engert and Michal Trojnara)
* Added support for RSA_NO_PADDING RSA private key decryption, used
by OpenSSL for various features including OAEP (Michal Trojnara)
* Added support for the ANSI X9.31 (RSA_X931_PADDING) RSA padding
(Michal Trojnara)
* Added support for RSA encryption (not only signing) (Michal Trojnara)
* Added CKA_ALWAYS_AUTHENTICATE support (Michal Trojnara)
* Fixed double locking the global engine lock (Michal Trojnara)
* Fixed incorrect errors reported on signing/encryption/decryption
(Michal Trojnara)
* Fixed deadlocks in keys and certificates listing (Brian Hinz)
* Use PKCS11_MODULE_PATH environment variable (Doug Engert)
* Added support for building against OpenSSL 1.1.0-dev (Doug Engert)
* Returned EVP_PKEY objects are no longer "const" (Michal Trojnara)
* Fixed building against OpenSSL 0.9.8 (Michal Trojnara)
* Removed support for OpenSSL 0.9.7 (Michal Trojnara)
New in 0.3.1; 2016-01-22; Michal Trojnara
* Added PKCS11_is_logged_in to the API (Mikhail Denisenko)
* Added PKCS11_enumerate_public_keys to the API (Michal Trojnara)
* Fixed EVP_PKEY handling of public keys (Michal Trojnara)
* Added thread safety based on OpenSSL dynamic locks (Michal Trojnara)
* A private index is allocated for ex_data access (RSA and ECDSA classes)
instead of using the reserved index zero (app_data) (Michal Trojnara)
* Fixes in reinitialization after fork; addresses #39
(Michal Trojnara)
* Improved searching for dlopen() (Christoph Moench-Tegeder)
* MSVC build fixes (Michal Trojnara)
* Fixed memory leaks in pkcs11_get_evp_key_rsa() (Michal Trojnara)
New in 0.3.0; 2015-10-09; Nikos Mavrogiannopoulos
* Added small test suite based on softhsm (run on make check)
* Memory leak fixes (Christian Heimes)
* On module initialization, tell the module that the OS locking
primitives are OK to use (Mike Gerow)
* Transparently handle applications that fork. That is, call C_Initialize()
and reopen any handles if a fork is detected.
* Eliminated any hard coded limits for certificate size (Doug Engert)
* Added support for ECDSA (Doug Engert)
* Allow RSA_NO_PADDING padding mode in PKCS11_private_encrypt
(Stephane Adenot)
* Eliminated several hard-coded limits in parameter sizes.
It is now known that there are people that prefer manual operation via
the mozilla-rootcerts script to the mozilla-rootcerts-openssl package.
Therefore, mention both approaches (without veering into documentation
of them or tutorial -- just enough to make people aware they exist).
Explain the purpose, and then explain the mechanism and why it is
somewhat and very irregular in the pkgsrc and native cases.
Point to mozilla-rootcerts as providing certificates without
configuring them as trust anchors.
* Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
- asn1_decode_simple_ber: added support for constructed definite
octet strings. This allows this function to decode the whole set of
BER encodings for OCTET STRINGs.
- asn1_get_object_id_der: enhance the range of decoded OIDs (#25).
This also makes OID encoding and decoding more strict on invalid
input. This may break gnutls' test suite before 3.6.12 as it was
relying on decoding some invalid OIDs.
- asn1_object_id_der: New function
* Noteworthy changes in release 4.15.0 (released 2019-11-21) [stable]
- The generated tree no longer contains ASN.1 built-in types even
if they are explicitly defined in the description. Previously
a warning was printed when these types were seen, now they are
ignored.
- Several fixes in ASN.1 definition parser, preventing several
crashes and leaks in the tools due to improper ASN.1.
- Switched to semantic versioning.
Update ruby-sshkit: update to 1.21.0.
pkgsrc change: add "USE_LANGUAGES= # none".
1.20.0 (2019-08-03)
* #468: Make upload! take a :verbosity option like exec does - @grosser
1.19.1 (2019-07-02)
* #465: Fix a regression in 1.19.0 that prevented ~ from being used in
Capistrano paths, e.g. :deploy_to, etc. - @grosser
1.19.0 (2019-07-01)
* #455: Ensure UUID of commands are stable in logging - @lazyatom
* #453: as and within now properly escape their user/group/path arguments,
and the command nested within an as block is now properly escaped before
passing to sh -c. In the unlikely case that you were manually escaping
commands passed to SSHKit as a workaround, you will no longer need to do
this. See #458 for examples of what has been fixed. - @grosser
* #460: Handle IPv6 addresses without port - @will-in-wi
1.18.2 (2019-02-03)
* #448: Fix misbehaving connection eviction loop when disabling connection
pooling - Sebastian Cohnen
1.18.1 (2019-01-26)
* #447: Fix broken thread safety by widening critical section - Takumasa Ochi