Upstream changes:
-----------------
:release:`1.14.0 <2014-05-07>`
------------------------------
:bug:`-` paramiko.file.BufferedFile.read incorrectly returned text
strings after the Python 3 migration, despite bytes being more
appropriate for file contents (which may be binary or of an unknown
encoding). This has been addressed.

.. note::
    paramiko.file.BufferedFile.readline continues to return strings,
    not bytes, as "lines" only make sense for textual data.
    It assumes UTF-8 by default.

This should fix this issue raised on the Obnam mailing list.
Thanks to Antoine Brenner for the patch.
:bug:`-` Added self.args for exception classes. Used for unpickling.
Related to (Fabric #986, Fabric #714). Thanks to Alex Plugaru.
:bug:`-` Fix logging error in sftp_client for filenames containing
the '%' character. Thanks to Antoine Brenner.
:bug:`308` Fix regression in dsskey.py that caused sporadic
signature verification failures. Thanks to Chris Rose.
:support:`299` Use deterministic signatures for ECDSA keys for
improved security. Thanks to Alex Gaynor.
:support:`297` Replace PyCrypto's Random with os.urandom for
improved speed and security. Thanks again to Alex.
:support:`295` Swap out a bunch of PyCrypto hash functions with use of
hashlib. Thanks to Alex Gaynor.
:support:`290` (also :issue:`292`) Add support for building universal
(Python 2+3 compatible) wheel files during the release process.
Courtesy of Alex Gaynor.
:support:`284` Add Python language trove identifiers to setup.py.
Thanks to Alex Gaynor for catch & patch.
:bug:`235` Improve string type testing in a handful of spots
(e.g. s/if type(x) is str/if isinstance(x, basestring)/g.)
Thanks to @ksamuel for the report.
:release:`1.13.0 <2014-03-13>`
------------------------------
:feature:`16` Python 3 support! Our test suite passes under Python 3,
and it (& Fabric's test suite) continues to pass under Python 2.
Python 2.5 is no longer supported with this change!
The merged code was built on many contributors' efforts, both code &
feedback. In no particular order, we thank Daniel Goertzen, Ivan
Kolodyazhny, Tomi Pieviläinen, Jason R. Coombs, Jan N. Schulze,
@Lazik, Dorian Pula, Scott Maxwell, Tshepang Lekhonkhobe, Aaron Meurer,
and Dave Halter.
:support:`256 backported` Convert API documentation to Sphinx, yielding
a new API docs website to replace the old Epydoc one.
Thanks to Olle Lundberg for the initial conversion work.
:bug:`-` Use constant-time hash comparison operations where possible,
to protect against timing-based attacks. Thanks to Alex Gaynor for the patch.
:release:`1.12.2 <2014-02-14>`
------------------------------
:feature:`58` Allow client code to access the stored SSH server banner via
Transport.get_banner <paramiko.transport.Transport.get_banner>.
Thanks to @Jhoanor for the patch.
:bug:`252` (Fabric #1020) Enhanced the implementation of ProxyCommand to
avoid a deadlock/hang condition that frequently occurs at Transport
shutdown time. Thanks to Mateusz Kobos, Matthijs van der Vleuten and
Guillaume Zitta for the original reports and to Marius Gedminas for
helping test nontrivial use cases.
:bug:`268` Fix some missed renames of ProxyCommand related error classes.
Thanks to Marius Gedminas for catch & patch.
:bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some
SFTP servers regarding request/response ordering.
Thanks to Richard Kettlewell.
:bug:`193` (and its attendant PRs :issue:`230` & :issue:`253`) Fix SSH
agent problems present on Windows. Thanks to David Hobbs for initial
report and to Aarni Koskela & Olle Lundberg for the patches.
:release:`1.12.1 <2014-01-08>`
------------------------------
:bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
Rodriguez for the catch.
:bug:`176` Fix AttributeError bugs in known_hosts file (re)loading.
Thanks to Nathan Scowcroft for the patch & Martin Blumenstingl for the
initial test case.
Upstream changes:
-----------------
* Release 0.11 (10 Mar 2014)
Add signature-encoding functions "sigencode_{strings,string,der}_canonize"
which canonicalize the S value (using the smaller of the two possible
values). Add "validate_point=" argument to VerifyingKey.from_string()
constructor (defaults to True) which can be used to disable time-consuming
point validation when importing a pre-validated verifying key. Drop python2.5
support (untested but not explicitly broken yet), update trove classifiers.
[Changes for 0.73 - Wed Jun 5 23:44:57 CST 2013]
* Properly redo the previous fix using File::Spec->file_name_is_absolute.
[Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013]
* Only allow loading Digest::* from absolute paths in @INC,
by ensuring they begin with \ or / characters.
Contributed by: Florian Weimer (CVE-2013-2145)
[Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013]
* Constrain the user-specified digest name to /^\w+\d+$/.
* Avoid loading Digest::* from relative paths in @INC.
Contributed by: Florian Weimer (CVE-2013-2145)
[Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]
* Don't check gpg version if gpg does not exist.
This avoids unnecessary warnings during installation
when gpg executable is not installed.
Contributed by: Kenichi Ishigaki
[Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012]
* Support for gpg under these alternate names:
gpg gpg2 gnupg gnupg2
Contributed by: Michael Schwern
1.4.17 - 11 June 2014, Ludovic Rousseau
- Add support of
. Feitian R502
. Free Software Initiative of Japan Gnuk Token
. German Privacy Foundation Crypto Stick v2.0
. HID Global veriCLASS Reader
. HID OMNIKEY 5025-CL
. Identive Technologies Multi-ISO HF Reader - USB
. OMNIKEY 5421
. OMNIKEY AG 3121 USB
. udea MILKO V1.
- Fix support of O2 Micro Oz776. The reader is limited to 9600 bps
- some minor bugs removed
* Fixed error in version number in META.yml
* Improvements to OCSP support: It turns out that some CAs (like
Verisign) sign the OCSP response with the CA certificate we have in the
trust store and don't attach this certificate to the response. But
OpenSSL by itself only considers the certificates included in the
response, and SSL_OCSP_response_verify added the certificates in the
chain too. Now we also add the trusted CA from the store which signed
the lowest chain certificate, at least if we could not verify the
OCSP response without doing so. Patch from Steffen Ullrich. Thanks.
* Fixed some compiler warnings.
- RT #94974: I forgot that `return` just returns from the code block for
`catch`, not the subroutine so `filter_libs` was still trying to link
against various libraries even when Devel::CheckLib was not installed.
- Various minor fixes to C code
- Various fixes to the distribution such as manifest files, additional
tests, bundled module etc
- Address RT bugs #94828 and #79212
- REMINDER: make test WILL FAIL if your OpenSSL is vulnerable to Heartbleed.
- Add additional functions exposing information that can be obtained via
SSLeay_version.
- Add ability to query OpenSSL version, add test whether OpenSSL library
being used is vulnerable to the Heartbleed bug.
- Assorted fixes to Makefile.PL, most importantly to fix build problems with
Strawberry Perl.
- In Makefile.PL, use assert_lib to find the libraries against which we can
actually link rather than passing a big bowl of libs to WriteMakefile.
Bail out early if we can't link against any of the candidate libraries.
- Make sure t/02-live.t actually uses Net::SSL.
- Address RT bugs #88786, #88269, #78848, and #79477
- Makefile.PL now respects live-tests and no-live-tests, and allows library
and header locations to be specified via the command line arguments
libpath and incpath, respectively.
- These options can also be specified using the environment variables
CRYPT_SSLEAY_LIVE_TEST_WANTED
OPENSSL_LIB
OPENSSL_INC
- Also fixed a number of embarrassing logic errors and typos in Makefile.PL
which were introduced in previous 0.65_xx versions.
- Reorganize Makefile.PL to allow incpath and libpath command line
arguments. This attempts to address RT #88786, #88269, #79477, and #78848.
This was supposed to be the next step immediately after drastically
simplifying Makefile.PL, but it never got done.
- Also add encoded version number to openssl-version output.
- Address pull requests from GitHub and bug reports on RT. These address RT
issues #83764, #86425, #86819, #62133, #82715, #90803
1.992 2014/06/01
- set $! to undef before doing IO (accept, read, ...). On Windows a connection
reset could cause an SSL read error without setting $!, so make sure we don't
keep the old value and perhaps run into an endless loop because of it.
1.991 2014/05/27
- new option SSL_OCSP_TRY_STAPLE to enforce staple request even if
VERIFY_NONE
- work around for RT#96013 in peer_certificates
1.990 2014/05/27
- added option SSL_ocsp_staple_callback to get the stapled OCSP response
and verify it somewhere else
- try to fix warnings on Windows again (#95967)
- work around temporary OCSP error in t/external/ocsp.t
1.989 2014/05/24
- fix #95881 (warnings on Windows), thanks to TMHALL
1.988 2014/05/17
- add transparent support for DER and PKCS#12 files to specify cert and key,
i.e. the file format is autodetected
- if SSL_cert_file is PEM and no SSL_key_file is given it will check if
the key is in SSL_cert_file too
1.987 2014/05/17
- fix t/verify_hostname_standalone.t on systems without usable IDNA or IPv6
#95719, thanks srchulo
- enable IPv6 support only if we have a usable inet_pton
- remove stale entries from MANIFEST (thanks seen[AT]myfairpoint[DOT]net)
1.986 2014/05/16
- allow IPv4 addresses in the common name, because browsers allow this too.
But only for scheme www/http, not for rfc2818 (because RFC 2818 does not
allow this). In the default scheme both IPv6 and IPv4 are allowed in the CN.
Thanks to heiko[DOT]hund[AT]sophos[DOT]com for reporting the problem.
- Fix handling of public suffix. Add exemption for *.googleapis.com
wildcard, which should be better not allowed according to public suffix
list but actually is used.
- Add hostname verification test based on older test of chromium. But change
some of the test expectations because we don't want to support IP as SAN
DNS and because we enforce a public suffix list (and thus *.co.uk should
not be allowed)
Bugfixes:
* OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key
generation.
* OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4
on MySQL.
2013-Jun-16 v2.2 - Trap and handle SIGINT (^C presses).
Trap and handle SIGTSTP (^Z presses).
Trap and handle SIGCONT (continues after ^Z).
Stopped printing found dictionary words in pwck.
2013-Jul-01 v2.3 - More readline() and signal handling improvements.
Title conflict checks in cli_new()/edit()/mv().
Group title conflict checks in rename().
cli_new() now accepts optional path&|title param.
cli_ls() can now list multiple paths.
cli_edit() now shows the "old" values for users
to edit, if Term::ReadLine::Gnu is available.
cli_edit() now aborts all changes on ^C.
cli_saveas() now asks before overwriting a file.
2013-Nov-26 v2.4 - Fixed several "perl -cw" warnings reported on
2013-07-09 as SourceForge bug #9.
Bug fix for the cl command, but in sub cli_ls().
First pass at Strawberry perl/MS Windows support.
- Enhanced support for Term::ReadLine::Perl
- Added support for Term::ReadLine::Perl5
Added display of expire time for show -a.
Added -a option to the find command.
Used the new magic_file_type() in a few places.
Added generatePasswordFromDict() and "w" generation.
Added the -v option to the version command.
- Added the versions command.
2014-Mar-15 v2.5 - Added length control (gNN) to password generation.
Added the copy command (and cp alias).
Added the clone command.
Added optional modules not installed to version -v.
Groups can now also be moved with the mv command.
Modified cli_cls() to also work on MS Windows.
Suppressed Term::ReadLine::Gnu hint on MS Windows.
Suppressed missing termcap warning on MS Windows.
Print a min number of *s to not leak passwd length.
Removed unneeded use of Term::ReadLine.
Quieted "inherited AUTOLOAD for non-method" warns
caused by Term::Readline::Gnu on perl 5.14.x.
2014-Jun-06 v2.6 - Added interactive password generation ("i" method).
- Thanks to Florian Tham for the idea and patch.
Show entry's tags if present (KeePass >= v2.11).
- Thanks to Florian Tham for the patch.
Add/edit support for tags if a v2 file is opened.
Added tags to the searched fields for "find -a".
Show string fields (key/val pairs) in v2 files.
Add/edit for string fields if a v2 file is opened.
Show information about entries' file attachments.
2014-03-20 SourceForge feature request #6.
New "attach" command to manage file attachments.
Added "Recycle Bin" functionality and --no-recycle.
For --readonly, don't create a lock file and don't
warn if one exists. 2014-03-27 SourceForge bug #11.
Added key file generation to saveas and export.
2014-04-19 SourceForge bug #13.
Added -expired option to the find command.
Added "dir" as an alias for "ls"
Added some additional info to the stats command.
Added more detailed OS info for Linux/Win in vers.
Now hides Meta-Info/SYSTEM entries.
Fixed bug with SIGTSTP handling (^Z presses).
Fixed missing refresh_state_all_paths() in cli_rm.
3.8
---
* Issue #22: Deprecated loading of config from current directory. Support for
loading the config in this manner will be removed in a future version.
* Issue #131: Keyring now will prefer `pywin32-ctypes
<https://pypi.python.org/pypi/pywin32-ctypes>`_ to pywin32 if available.
Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
o Fix for CVE-2014-0224
o Fix for CVE-2014-0221
o Fix for CVE-2014-0195
o Fix for CVE-2014-3470
o Fix for CVE-2010-5298
Net::SSH::Multi is a library for controlling multiple Net::SSH
connections via a single interface. It exposes an API similar to that
of Net::SSH::Connection::Session and Net::SSH::Connection::Channel,
making it simpler to adapt programs designed for single connections to
be used with multiple connections.
This library is particularly useful for automating repetitive tasks
that must be performed on multiple machines. It executes the commands
in parallel, and allows commands to be executed on subsets of servers
(defined by groups).
- Fixes for machine-readable indices. Key expiration times are now read
from self-signatures on the key's UIDs. In addition, instead of 8-digit
key IDs, index entries now return the most specific key ID possible:
16-digit key ID for V3 keys, and the full fingerprint for V4 keys.
- Add metadata information (number of keys, number of files,
checksums, etc) to key dump. This allows for information on the
key dump ahead of download/import, and direct verification of checksums
using md5sum -c <metadata-file>.
- Replaced occurrences of the deprecated operator 'or' with '||' (BB issue #2)
- Upgraded to cryptlib-1.7; our own changes are now packaged as separate
patches that are installed during 'make'. Added the SHA-3 algorithm, Keccak
- Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
- op=hget now supports option=mr for completeness (BB issue #17)
- Add CORS header to web server responses. Allows JavaScript code to
interact with keyservers, for example the OpenPGP.js project.
- Change the default hkp_address and recon_address so that the
default configuration supports IPv6. (Requires OCaml 3.11.0 or newer)
- Only use '-warn-error A' if the source is marked as development as per
the version suffix (+) (part of BB Issue #2)
- Reduce logging verbosity for debug level lower than 6 for (i) bad requests,
and (ii) no results found (removal of HTTP headers in log) (BB Issue #13)
- Add additional OIDs for ECC RFC6637 style implementations
(brainpool and secp256k1) (BB Issue #25) and fix issue for 32 bit arches.
- Fix a non-persistent cross-site scripting possibility resulting from
improper input sanitization before writing to the client. (BB Issue #26 | CVE-2014-3207)
- Corrected an off-by-one error in ASN.1 DER tag decoding.
- Several improvements and new safety checks on DER decoding;
issues found using Codenomicon TLS test suite.
- Marked asn1_der_decoding_element() as deprecated. Use
asn1_der_decoding() instead.
Makefile. Updated to 1.1.1.0. Changes:
Version 1.1.1.0
2014-05-09
- Support for STIX v1.1.1
- Updated all schemalocations to reference new STIX v1.1.1 schemas
- Changed Confidence.source to be of type InformationSource
- Changed Statement.source to be of type InformationSource
- Changed Sighting.source to be of type InformationSource
- Updated AvailabilityLossType CV to align with STIX v1.1.1
Python/C bindings for the ssdeep library at http://ssdeep.sourceforge.net:
* hash_buf / hash_bytes - returns the ssdeep hash for a given buffer
* hash_file - returns the ssdeep hash for filepath
* compare - returns the % match between 2 hashes
import pydeep
pydeep.hash_buf('somedata')         # ssdeep hash of an in-memory buffer
pydeep.hash_file('path-to-file')    # ssdeep hash of the file at that path
pydeep.compare('hash1', 'hash2')    # similarity score (0-100) between two ssdeep hashes
* New Features
- Fuzzy Hashing engine re-written to be thread safe.
* Bug Fixes
- Able to handle long file paths on Win32.
- Fixed bug on comparing signatures with the same block size.
- Fixed crash on comparing short signatures.
- Fixed memory leak
* Version 3.2.15 (released 2014-05-30)
** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.
** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.
** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.
** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.
** gnutls-cli: if DANE verification is requested but not PKIX verification,
then only verify the end certificate.
** ocsptool: Include path in OCSP request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
** API and ABI modifications:
No changes since last version.
* Version 3.2.14 (released 2014-05-06)
** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.
** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result in illegal memory access if a server hint was provided.
** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.
** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.
** libgnutls: Several small bug fixes found by coverity.
** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.
** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.
** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.
** API and ABI modifications:
No changes since last version.
* Version 3.2.13 (released 2014-04-07)
** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
if there are no base64 data. Report and patch by Ramkumar Chinchani.
** libgnutls: gnutls_record_send is now safe to be called under DTLS when
in corked mode.
** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
these algorithms.
** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
Wildcards are only accepted when there are more than two domain components
after the wildcard. This drops support for the permissive RFC2818 wildcards
and adds more conservative support based on the suggestions in RFC6125. Suggested
by Jeffrey Walton.
** certtool: When no password is provided to export a PKCS #8 key, do
not encrypt by default. This reverts to the certtool behavior of gnutls
3.0. The previous behavior of encrypting using an empty password can be
replicated using the new parameter --empty-password.
** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
the --provider option is given.
** API and ABI modifications:
No changes since last version.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
and remove it during deinstallation. This matches the behaviour of the
"nss_pam" package and makes configuring NetBSD as an LDAP client easier.
Bump package revision because of this fix.
NetBSD's shell, and passing the -m option to NetBSD's "su" command to support
users without login shells.
Add the PREFIX to all script PATHs. This can allow sudo to be installed and
used as an alternative to su, should there be any value in doing that.
Bump PKGREVISION.