Commit graph

11501 commits

Author SHA1 Message Date
taca
fe1b0cf982 security/Makefile: add and enable ruby-vault 2021-12-11 14:08:10 +00:00
taca
ff9961aede security/ruby-vault: add package version 0.16.0
Add ruby-vault package version 0.16.0 required by newer ruby-chef.


Vault Ruby Client

Vault is the official Ruby client for interacting with Vault:
https://vaultproject.io by HashiCorp.
2021-12-11 14:07:31 +00:00
taca
ee00e6bc05 security/ruby-shadow: update to 2.5.1
pkgsrc change: add LICENSE.

2.5.1 (2021/12/01)

* fixes for compiling for Ruby 3
2021-12-11 14:04:28 +00:00
taca
08a465e325 security/ruby-rex-sslscan: update to 0.1.7
0.1.7 (2021-10-28)

* Land #2, Update Ubuntu version & Ruby Setup
* Land #4, Update Rapid7 vulnerability reference link
2021-12-11 13:59:56 +00:00
taca
bc71dc194b security/ruby-rex-socket: update to 0.1.34
0.1.33 (2021-09-16)

* Land #39, Update Ubuntu version & Ruby setup

0.1.34 (2021-10-28)

* Land #41, Raise exception on nil hostname
2021-12-11 13:58:14 +00:00
taca
6b2f6a68c4 security/ruby-rex-powershell: update to 0.1.94
0.1.94 (2021-10-22)

* Land #38, Add Powershell Specific Errors
2021-12-11 13:55:35 +00:00
taca
28229e1af2 security/ruby-rex-core: update to 0.1.20
0.1.18 (2021-09-29)

* Land #16, Make the synchronization functions public

0.1.19 (2021-11-15)

* Land #17, Add the stopwatch function

0.1.20 (2021-11-16)

* Merge pull request #18 from zeroSteiner/feat/stopwatch/elapsed_seconds
  Refactor into a Stopwatch module
2021-12-11 13:53:21 +00:00
taca
bec18014b5 security/ruby-metasploit_payloads-mettle: update to 1.0.17
1.0.17 (2021-12-09)

* Land #228, fix stat on inaccessible directory
2021-12-11 13:49:50 +00:00
taca
df6d7bfb4b security/ruby-metasploit-payloads: update to 2.0.66
2.0.61 (2021-11-29)

* Land #510, honour the pty flag

2.0.62 (2021-12-07)

* resolve_host should return NULL on failure

* Land #513, fix php stdapi loading on php 5.3.29

2.0.63 (2021-12-08)

* Land #514, fix python exception when closing channels

2.0.64 (2021-12-08)

* Fix #512, fix python cmd_exec argument list during
  PROCESS_EXECUTE_FLAG_SUBSHELL

* Land #515, Fix #512, fix python cmd_exec argv

2.0.65 (2021-12-08)

* Return an empty stat buf when stat fails

* Land #511, fix stderr output in python channels

2.0.66 (2021-12-09)

* Land #516, fix python stat on inaccessible directory

* Land #517, fix php stat on inaccessible directory
2021-12-11 13:46:20 +00:00
joerg
45af553160 Fix build with Heimdal and unrestrict again. 2021-12-10 22:42:35 +00:00
nia
7e5e1241d2 lua-sec: update to 1.0.2
LuaSec 1.0.2
---------------
This version includes:

* Fix handle SSL_send SYSCALL error without errno
* Fix off by one in cert:validat(notafter)
* Fix meth_get_{sinagure => signature}_name function name
* Fix update the Lua state reference on the selected SSL context after SNI
* Fix ignore SSL_OP_BIT(n) macro and update option.c
2021-12-10 13:23:56 +00:00
adam
2b429e5d7e py-acme py-certbot*: updated to 1.22.0
Certbot 1.22.0

Added

Support for Python 3.10 was added to Certbot and all of its components.
The function certbot.util.parse_loose_version was added to parse version
strings in the same way as the now deprecated distutils.version.LooseVersion
class from the Python standard library.
Added --issuance-timeout. This option specifies how long (in seconds) Certbot will wait
for the server to issue a certificate.

Changed

The function certbot.util.get_strict_version was deprecated and will be
removed in a future release.

Fixed

Fixed an issue on Windows where the web.config created by Certbot would sometimes
conflict with preexisting configurations.
Fixed an issue on Windows where the webroot plugin would crash when multiple domains
had the same webroot. This affected Certbot 1.21.0.
2021-12-10 09:14:52 +00:00
nikita
154b82086e security/doas: change Maintainer 2021-12-09 18:46:38 +00:00
bsiegert
169637478c Revbump all Go packages after go117 update 2021-12-09 17:50:09 +00:00
adam
b6d9bd86bc revbump for icu and libffi 2021-12-08 16:01:42 +00:00
wiz
4d2957d4e6 py-pip-audit: add upstream patch fixing a test failure. 2021-12-08 14:35:00 +00:00
wiz
1dc5919f6a py-pip-audit: update to 1.1.0.
## [1.1.0]

### Added

* CLI: The `--path <PATH>` flag has been added, allowing users to limit
  dependency discovery to one or more paths (specified separately)
  when `pip-audit` is invoked in environment mode
  ([#148](https://github.com/trailofbits/pip-audit/pull/148))

* CLI: The `pip-audit` CLI can now be accessed through `python -m pip_audit`.
  All functionality is identical to the functionality provided by the
  `pip-audit` entrypoint
  ([#173](https://github.com/trailofbits/pip-audit/pull/173))

* CLI: The `--verbose` flag has been added, allowing users to receive more
  verbose output from `pip-audit`. Supplying the `--verbose` flag
  overrides the `PIP_AUDIT_LOGLEVEL` environment variable and is equivalent to
  setting it to `debug`
  ([#185](https://github.com/trailofbits/pip-audit/pull/185))

### Changed

* CLI: `pip-audit` now clears its spinner bar from the terminal upon
  completion, preventing visual confusion
  ([#174](https://github.com/trailofbits/pip-audit/pull/174))

### Fixed

* Dependency sources: a crash caused by `platform.python_version` returning
  a version string that couldn't be parsed as a PEP-440 version was fixed
  ([#175](https://github.com/trailofbits/pip-audit/pull/175))

* Dependency sources: a crash caused by incorrect assumptions about
  the structure of source distributions was fixed
  ([#166](https://github.com/trailofbits/pip-audit/pull/166))

* Vulnerability sources: a performance issue on Windows caused by cache failures
  was fixed ([#178](https://github.com/trailofbits/pip-audit/pull/178))

## [1.0.1] - 2021-12-02

### Fixed

* CLI: The `--desc` flag no longer requires a following argument. If passed
  as a bare option, `--desc` is equivalent to `--desc on`
  ([#153](https://github.com/trailofbits/pip-audit/pull/153))

* Dependency resolution: The PyPI-based dependency resolver no longer throws
  an uncaught exception on package resolution errors; instead, the package
  is marked as skipped and an appropriate warning or fatal error (in
  `--strict` mode) is produced
  ([#162](https://github.com/trailofbits/pip-audit/pull/162))

* CLI: When providing the `--cache-dir` flag, the command to read the pip cache
  directory is no longer executed. Previously this was always executed and
  could result in failure when the command fails. In CI environments, the
  default `~/.cache` directory is typically not writable by the build user and
  this meant that the `python -m pip cache dir` would fail before this fix,
  even if the `--cache-dir` flag was provided.
  ([#161](https://github.com/trailofbits/pip-audit/pull/161))

## [1.0.0] - 2021-12-01

### Added

* This is the first stable release of `pip-audit`! The CLI is considered
  stable from this point on, and all changes will comply with
  [Semantic Versioning](https://semver.org/)

## [0.0.9] - 2021-12-01

### Added

* CLI: Skipped dependencies are now listed in the output of `pip-audit`,
  for supporting output formats
  ([#145](https://github.com/trailofbits/pip-audit/pull/145))
* CLI: `pip-audit` now supports a "strict" mode (enabled with `-S` or
  `--strict`) that fails the audit if any individual dependency cannot be
  resolved or audited. The default behavior is still to skip any individual
  dependency errors ([#146](https://github.com/trailofbits/pip-audit/pull/146))
2021-12-07 20:27:07 +00:00
wiz
97d87da577 security/Makefile: add some packages 2021-12-07 18:05:37 +00:00
wiz
f4a37542e8 security/py-cyclonedx-python-lib: import py-cyclonedx-python-lib-0.11.1
This CycloneDX module for Python can generate valid CycloneDX
bill-of-material documents containing an aggregate of all project
dependencies.

This module is not designed for standalone use.
2021-12-07 18:05:29 +00:00
wiz
da888e49b8 security/py-cyclonedx-bom: import py-cyclonedx-bom-1.5.3
This project provides a runnable Python-based application for
generating CycloneDX bill-of-material documents from either:

* Your current Python Environment

* Your project's manifest (e.g. Pipfile.lock, poetry.lock or
  requirements.txt)

* Conda as a Package Manager

The BOM will contain an aggregate of all your current project's
dependencies, or those defined by the manifest you supply.

CycloneDX is a lightweight BOM specification that is easily created,
human-readable, and simple to parse.
2021-12-07 18:04:46 +00:00
pin
a38ee30cba security/pleaser: update to 0.5.1
-editmode=keep now default if no other mode is specified
-only include files in includedir if they do not start with .
-trimmed error when unable to communicate with syslog
2021-12-06 21:42:26 +00:00
adam
4b81b748aa py-cryptodome: updated to 3.12.0
3.12.0

New features

ECC keys in the SEC1 format can be exported and imported.
Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP-800 185).
Add support for KangarooTwelve.

Resolved issues

An asymmetric key could not be imported as a memoryview.
cSHAKE128/256 generated a wrong output for customization strings longer than 255 bytes.
CBC decryption generated the wrong plaintext when the input and the output were the same buffer.
2021-12-06 19:20:37 +00:00
wiz
5c4fd68fa5 py-m2crypto: remove, obsolete and does not build 2021-12-06 14:51:33 +00:00
wiz
f98c91204f py-gssapi: fix build 2021-12-06 14:45:22 +00:00
ryoon
89e6fa30b8 gnupg2: gmake is not required to build as of 2.2.33 2021-12-02 16:16:17 +00:00
adam
7753145637 py-josepy: updated to 1.11.0
1.11.0
------
* Added support for Python 3.10.
* We changed the PGP key used to sign the packages we upload to PyPI. Going
  forward, releases will be signed with one of three different keys. All of
  these keys are available on major key servers and signed by our previous PGP
  key. The fingerprints of these new keys are:
    - BF6BCFC89E90747B9A680FD7B6029E8500F7DB16
    - 86379B4F0AF371B50CD9E5FF3402831161D1D280
    - 20F201346BF8F3F455A73F9A780CC99432A28621
2021-12-01 20:53:55 +00:00
wiz
0a5aeb718f tor-browser: fix build with rust-1.56.1
Based on firefox codebase.
2021-12-01 13:11:03 +00:00
he
c6cea86e55 Add p5-Crypt-Juniper. 2021-11-30 19:51:11 +00:00
he
a1c9dec3da Add p5-Juniper-Crypt version 0.02.
This module provides functions for encrypting and decrypting scrambled
passwords in Juniper router configurations.  Only passwords starting with
'$9$' are supported.
2021-11-30 19:47:35 +00:00
adam
0f9fcd5ea2 py-paramiko: updated to 2.8.1
2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct field/attribute comparison instead of hashing (while retaining the existing behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair from an exfiltrated public key, which Paramiko would consider equal to the original key.

This could enable attacks such as, but not limited to, the following:

Paramiko server processes would incorrectly authenticate the attacker (using their generated private key) as if they were the victim. We see this as the most plausible attack using this flaw.
Paramiko client processes would incorrectly validate a connected server (when host key verification is enabled) while subjected to a man-in-the-middle attack. This impacts more users than the server-side version, but also carries higher requirements for the attacker, namely successful DNS poisoning or other MITM techniques.
[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to correctly catch exception types thrown by modern versions of Cryptography (specifically TypeError and its internal UnsupportedAlgorithm). These exception classes will now become SSHException instances instead of bubbling up. Thanks to Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even for valid keys, due to a logic bug. This has been fixed. Report & patch credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather than raise UnicodeDecodeError. Patch courtesy of Martin Packman.
2021-11-29 09:33:19 +00:00
taca
6020ca1dee security/ruby-oauth: update to 0.5.8
0.5.8 (2021-11-10)

Added

* Added more documentation files to packaged gem, e.g. SECURITY.md,
  CODE_OF_CONDUCT.md

Fixed

* Removed reference to RUBY_VERSION from gemspec, as it depends on rake
  release, which is problematic on some ruby engines. (by @pboling)

0.5.7 (2021-11-02)

Added

* Setup Rubocop (#205, #208 by @pboling)
* Added CODE_OF_CONDUCT.md (#217, #218 by @pboling)
* Added FUNDING.yml (#217, #218 by @pboling)
* Added Client Certificate Options: :ssl_client_cert and :ssl_client_key
  (#136, #220 by @pboling)
* Handle a nested array of hashes in OAuth::Helper.normalize (#80, #221 by
  @pboling)

Changed

* Switch from TravisCI to Github Actions (#202, #207, #176 by @pboling)
* Upgrade webmock to v3.14.0 (#196 by @pboling)
* Upgrade em-http-request to v1.1.7 (#173 by @pboling)
* Upgrade mocha to v1.13.0 (#193 by @pboling)
* HISTORY renamed to CHANGELOG.md, and follows Keep a Changelog (#214, #215
  by @pboling)
* CHANGELOG, LICENSE, and README now ship with packaged gem (#214, #215 by
  @pboling)
* README.rdoc renamed to README.md (#217, #218 by @pboling)
* Require plaintext signature method by default (#135 by @confiks &
  @pboling)

Fixed

* Fixed Infinite Redirect in v0.5.5, v0.5.6 (#186, #210 by @pboling)
* Fixed NoMethodError on missing leading slash in path (#194, #211 by
  @pboling)
* Fixed NoMethodError on nil request object (#165, #212 by @pboling)
* Fixed Unsafe String Comparison (#156, #209 by @pboling and @drosseau)
* Fixed typos in Gemspec (#204, #203, #208 by @pboling)
* Copyright Notice in LICENSE - added correct years (#217, #218 by @pboling)
* Fixed request proxy Class constant reference scopes - was missing :: in
  many places (#225, #226 by @pboling)

Removed

* Remove direct development dependency on nokogiri (#299 by @pboling)
2021-11-28 14:11:14 +00:00
taca
6f53c90436 security/ruby-metasploit_payloads-mettle: update to 1.0.16
No release note is available.  Please refer to the commit log
<https://github.com/rapid7/mettle/compare/v1.0.11...v1.0.16> for details.
2021-11-28 14:06:04 +00:00
taca
3fec05e44a security/ruby-metasploit-payloads: update to 2.0.60
No release note is available.  Please refer to the commit log
<https://github.com/rapid7/metasploit-payloads/compare/v2.0.55...v2.0.60>
for details.
2021-11-28 14:01:35 +00:00
he
10bac728d9 Update py-denyhosts to version 3.0.
Pkgsrc changes:
 * Change naming style for patches
 * Adapt patches to new version
 * Relinquish maintainership to indicate others can update
 * Add dependency on py-expat


Upstream changes:

3.0
======================

Initial translation of code from Python 2 to Python 3.
DenyHosts can now be run as either a Python 2 or a Python 3
program.

Added patch from Fedora to fix initial sync issue and
ensure info logging stream is active.
(Provided by Jason Tibbitts.)

Added "import logging" to denyhosts.py to avoid errors
when setting up logging. (See above change.)

Added option PF_TABLE_FILE to the configuration file.
When this option is enabled it causes DenyHosts to write
blocked IP addresses to a text file. The default location
is /etc/blacklist. This text file should correspond to a
PF firewall table.

At start-up, try to create the file specified by
HOSTS_DENY. That way we avoid errors later if the
file does not exist. Can be a problem on operating systems
where /etc/hosts.deny does not exist in the default
configuration.

Added regex pattern to detect invalid user accounts. This blocks
connections from remote hosts who are attempting to login
with accounts not found on the local system.
While these connections to non-existent accounts are relatively harmless,
they are usually used as part of a brute force attack and filtering them
before they reach OpenSSH is a good idea.


2.10
======================

- Updated example rule for PF in configuration file
  to make black listing attacking IPs more effective.

- Added debugging info in case we cannot create a new
  PF table entry.

- Fixed syntax for comparing suspicious logins. Avoids
  always testing true/false depending on Python version.

- No longer require ETC_DIR in the configuration file.
  Use a default value "/etc" if ETC_DIR is not manually
  specified.

- Make sure DenyHosts logs when running in foreground mode.
  When in foreground, warnings are logged to a file rather
  than outputted to terminal. Keeps things clean.

- Add --unlock command line argument to remove old
  lock files.

- Updated README, version and Makefile with new
  version/maintainer information.

- Added check for PAM failures on FreeBSD. This should block both
  failed user logins that are reported by PAM and also block
  repeated attempts at accessing the root account when root
  logins are disabled by OpenSSH. The latter does not really add
  more practical protection, but can prevent the connection
  attempts at the firewall level before the OpenSSH service
  is contacted.

- Add systemd unit file, denyhosts.service


2.9 (November 3, 2014)
======================

- DenyHost now supports working with the PF
  packet filter, a popular firewall for FreeBSD,
  OpenBSD, TrueOS, PC-BSD and NetBSD.
  To enable PF support in DenyHost, comment
  out the IPTABLES option in the denyhosts.conf file
  and enable the PFCTL_PATH and PF_TABLE options.

  DenyHost will add misbehaving IP addresses to the
  PF table specified by "PF_TABLE". This table
  should be blocked using the pf.conf file. Please
  see the denyhosts.conf file for more information
  and example PF rules for blocking incoming traffic.

  Please note that even if /etc/hosts.deny is not used
  to block incoming connections, the file should still exist
  or DenyHosts may throw an error. (This should be fixed
  in the next release.)


2.8 (June 12, 2014)
===================

- Use standard errno instead of hardcoded errno value.
  Patch provided by Pino Toscano.

- Make sure PLUGIN_DENY is called for each host we receive from
  the sync server.
  Patch provided by Sean M. Collins.

- Made sure only new hosts in hosts.deny are reported as new, not
  all hosts. This prevents the PLUGIN_DENY plugin from getting
  old entries repeatedly.
  Patch provided by Chris Erdle.

- We now check user defined regular expression filters, even
  if we already found a match with an existing filter. This
  allows the user to filter more services without using
  a plugin.
  Patch provided by Ben.

- Added --purge-all command line flag to allow us to remove all
  old entries from the deny file without waiting.
  Patch provided by 9MediaCenterGUI on SourceForge.

- Updated copyright information and some documentation.

- Added manual page from Debian and fixed typo. Added
  additional command line options to man page.

- Added --purgeip option to allow us to remove specific
  IP addresses from the blocked list at start time.
  Patch provided by Nelson Howell.
  Should close Debian bug 529089.

- Updated FAILED_ENTRY_REGEX7 to be more flexible.

- Added ability to use Linux iptables to block incoming
  connections. See IPTABLES option in the configuration file.

- Made it possible to block specific ports, allowing remote
  hosts to connect to some services while being blocked on
  others by the iptables firewall.
  See the BLOCKPORT option in the configuration file.


2.7 (May 18, 2014)
==================

- Forked code from DenyHosts (denyhosts.sf.net)
  New project now maintained at denyhost.sf.net

- Added private modules patch from Marco Bertorello. Loads
  modules from /usr/share/denyhosts

- Place config, lock and executable file in more
  standard locations. Patch provided by Marco Bertorello.

- Fixed configuration (denyhosts.cfg-dist) to better support
  Debian and Ubuntu. Patch supplied by Marco Nenciarini.

- Added warning to migrate switch. Patch provided by
  Marco Bertorello.

- Avoid installing unwanted files (extra scripts and changelog).
  Patch provided by Marco Nenciarini.

- Fix bug which would not recognize an attack on the root
  user account. Patch provided by Kyle Willmon.

- Fix pattern matching bug (CVE-2007-4323).
  Patch provided by Nico Golde.

- Added foreground mode for debugging.
  Patch supplied by Marco Bertorello.

- Applied patch to fix plugin execution.
  Patch provided by Marco Bertorello.

- Added patch to prevent DenyHosts from running with
  a double --config switch.
  Patch provided by Marco Bertorello.

- Convert path of "env" from /bin/env to /usr/bin/env
  Patch provided by Kyle Willmon.

- Added patch to perform missing bounds check in Purge action.
  Provided by Kyle Willmon.

- Added patch to include SYNC_PROXY_SERVER configuration option.
  Provided by Kyle Willmon.

- Change HOSTNAME_LOOKUP to default to "NO". Will save time.
  Also brings us into closer alignment with FreeBSD patches.

- Added /usr/sbin/nologin to restricted_from_passwd script.
  Requirement from FreeBSD patch set.

- Added variable "ETC_DIR" which dictates the location of
  configuration files. This should usually be set to
  /etc or /usr/local/etc

- The restricted-usernames file is now loaded from the "ETC_DIR"
  directory, rather than from "WORK_DIR" to avoid this
  human-made configuration file from being over-written.
  Closes Ubuntu bug #675034

- Confirm setting timestamp over-writes old timestamp file.
  Closes Ubuntu bug #564476

- Applied advanced pattern check for authentication file which
  takes into account alternative port numbers. Patch provided by
  Helmut Grohne.

- Updated license and readme files.

- Updated help output from DenyHost script to include --config tip.
2021-11-27 14:28:10 +00:00
pin
b0786052d8 security/opendoas: update to 6.8.1
-This release fixes one major issue that has been assigned CVE-2019-25016.

Rules that allowed the user to execute any command would inherit the
executing user's PATH instead of resetting it to a default PATH.
The path will now be correctly reset (d5acd52) to the defined default PATH.

Those rules still allow the user to execute any program from their PATH
but executed commands won't inherit the user's PATH anymore.

Rules that limit the user to execute only a specific command are not affected
by this and are only executed from the default PATH and with the PATH
environment variable set to the safe default.

Other changes are:
-apply missing man page changes
-Fixes to the configuration parser 2d7431c, 01ac841 and 36cc28e
-Minor documentation and error message wording changes.
2021-11-26 08:40:40 +00:00
ryoon
16096334d3 gnupg2: Update to 2.2.33
Changelog:
Noteworthy changes in version 2.2.33 (2021-11-23)
-------------------------------------------------

  * gpg: New option --min-rsa-length.  [rG6ee01c1d26]

  * gpg: New option --forbid-gen-key.  [rG985fb25c46]

  * gpg: New option --override-compliance-check.  [T5655]

  * gpgconf: New command --show-configs.  [rG8fe3f57643]

  * agent,dirmngr: New option --steal-socket.  [rG6507c6ab10]

  * scd: Improve the selection of the default PC/SC reader.  [T5644]

  * gpg: Fix printing of binary notations.  [T5667]

  * gpg: Remove stale ultimately trusted keys from the trustdb.  [T5685]

  * gpgsm: Detect circular chains in --list-chain.  [rGc9343bec83]

  * gpgconf: Create the local option file even if the global file
    exists.  [T5650]

  * dirmngr: Make reading resolv.conf more robust.  [T5657]

  * gpg-wks-server: Fix created file permissions.  [rGf54feb4470]

  * scd: Support longer data for ssh-agent authentication with openpgp
    cards.  [T5682]

  * Support gpgconf.ctl for NetBSD and Solaris.  [T5656,T5671]

  * Silence "Garbled console data" warning under Windows in most
    cases.

  * Silence warning about the rootdir under Unices w/o a mounted /proc
    file system.

  * Fix possible build problems about missing include files.  [T5592]

  * i18n: Replace the term "PIN-Cache" by "Passwort-Cache" in the
    German translation. [rgf453d52e53]

  * i18n: Update the Russian translation.

  Release-info: https://dev.gnupg.org/T5641
  See-also: gnupg-announce/2021q4/000467.html
2021-11-25 14:42:19 +00:00
pho
4cd76d65bd Install shell-completion scripts into shell-specific directories
...so that they will be automatically found by shells. It's more
helpful than requiring users to copy scripts from share/examples.
2021-11-23 07:50:15 +00:00
hubertf
208a5a20ac Fix building on Mac OS X
For details, see http://mail-index.netbsd.org/tech-pkg/2021/11/20/msg025792.html
2021-11-21 20:51:36 +00:00
micha
875924f0ee security/mdigest: Update to 1.9
Changelog from AN-2021-09-01:
- mdigest: Fixed a typo in the output from mdigest -help

  Thanks to Robert Clausecker for reporting.
2021-11-19 11:53:45 +00:00
pin
7493993a19 security/lxqt-openssh-askpass: update to 1.0.0
-Bumped minimum required Qt version to 5.15.
2021-11-19 10:10:35 +00:00
pin
3973d034ef security/lxqt-sudo: update to 1.0.0
-Bumped minimum required Qt version to 5.15 and updated translations.
2021-11-19 10:05:02 +00:00
pin
fbdfd3bf6d security/lxqt-policykit: update to 1.0.0
-Bumped minimum required Qt version and updated translations.
2021-11-19 10:02:40 +00:00
wiz
f69953412a heimdal: Fix CVE-2021-3671
Patch from samba

Bump PKGREVISION.
2021-11-17 08:46:02 +00:00
wiz
6c32e61981 security/Makefile: + py-pip-audit 2021-11-16 16:05:11 +00:00
wiz
bb76ea7afc security/py-pip-audit: import py-pip-audit-0.0.5
pip-audit is a prototype tool for scanning Python environments for
packages with known vulnerabilities. It uses the Python Packaging
Advisory Database via the PyPI JSON API as a source of vulnerability
reports.
2021-11-16 16:04:40 +00:00
wiz
7626a35008 libtasn1: update to 4.18.0.
* Noteworthy changes in release 4.18.0 (2021-11-09) [stable]
- Improve GTK-DOC manual.  Closes: #35.
- Improve --help and --version for tools with gnulib.  Closes: #37.
- Update gnulib files and various maintenance fixes.
2021-11-16 14:32:39 +00:00
wiz
025613e28f *: recursive bump for gstreamer 1.18.5 2021-11-15 22:53:55 +00:00
wiz
9ccb1c2f8a cyrus-sasl: use BLAKE2s
Remove checksums for file that is commented out in Makefile
2021-11-15 18:12:45 +00:00
adam
26f15a4ed9 py-oath: updated to 1.4.4
1.4.4:
add long description
2021-11-14 20:37:46 +00:00
adam
9476fbb52f py-acme py-certbot*: updated to 1.21.0
Certbot 1.21.0

Added

Certbot will generate a web.config file on Windows in the challenge path
when the webroot plugin is used, if one does not exist. This web.config file
lets IIS serve challenge files while they do not have an extension.

Changed

We changed the PGP key used to sign the packages we upload to PyPI. Going
forward, releases will be signed with one of three different keys. All of
these keys are available on major key servers and signed by our previous PGP
key. The fingerprints of these new keys are:
BF6BCFC89E90747B9A680FD7B6029E8500F7DB16
86379B4F0AF371B50CD9E5FF3402831161D1D280
20F201346BF8F3F455A73F9A780CC99432A28621

Fixed

More details about these changes can be found on our GitHub repo.
2021-11-13 17:30:26 +00:00