Commit graph

10649 commits

Author SHA1 Message Date
leot
29c65e9e7e john: Revert accidental `gmake' tool addition
(No gmake is needed)
2020-08-08 12:48:56 +00:00
leot
4326080f2a john: install documentation
PKGREVISION++
2020-08-08 12:42:22 +00:00
leot
08a204846d john: Update to 1.9.0
pkgsrc changes:
 - Document all the patches
 - Honor user's CFLAGS and don't remove -Wall from CFLAGS in patch-aa: they are
   usually pretty useful
 - Unset OPT_{NORMAL,INLINE} optimizations via MAKE_FLAGS to minimize patch-aa
 - Remove not needed NO_CONFIGURE
 - Use pre-configure as stage for SUBST (now that NO_CONFIGURE is removed)

Changes:
The following changes have been made between John 1.8.0 and 1.9.0:

* Increased the interleaving for bcrypt on x86-64 from 2x to 3x for a major
speedup on CPUs without SMT.  Unfortunately, this sometimes results in a minor
performance regression when running multiple threads on CPUs with SMT.
* Recognize the $2b$ bcrypt prefix.
* In the generic crypt(3) format, detect descrypt with valid vs. invalid salts
as separate id's for our heuristics on supported hash types.
* Introduced a number of optimizations for faster handling of large password
hash files, including loading, cracking, and "--show".  Some of these use more
memory than before, yet in a more efficient manner.
* Benchmark using all-different candidate passwords of length 7 by default.
* Dropped undocumented special handling of "Mc" in 'c' and 'C' rule commands.
* Dropped undocumented limitation of the 'M' and 'Q' rule commands where they
would sometimes memorize/check only up to the current hash type's length limit
yet this optimization wouldn't necessarily be transparent (e.g., if a later
command would extract a substring from above the hash type's length limit and
bring it to within the limit).
* Implemented special-case handling of repeated rule commands '$', '^', '[',
']', '{', and '}', as well as faster handling of the 'D' command.
* When built with "--fork" support, disallow session names with all-digit
suffixes since these clash with those produced by "--fork".
* Forward SIGTERM to --fork'ed children.
* Set stdout to line buffered (rather than potentially fully buffered), except
for "--stdout", "--show", and auxiliary programs such as "unshadow".
* On Windows, restore normal processing of Ctrl-C in case our parent (such as
Johnny the GUI) had disabled it.
* Added linux-x86*-avx512 and linux-x86*-avx2 make targets, which use
respectively AVX-512 and AVX2 for bitslice DES.
* Added linux-mic make target for Intel MIC (first generation Xeon Phi, aka
Knights Corner), which uses its 512-bit SIMD intrinsics for bitslice DES.
(For second generation Xeon Phi, aka Knights Landing, use linux-x86-64-avx512.)
* Added linux-arm64le, linux-arm32le-neon, and linux-arm32le make targets.
(The first two of these make use of ASIMD or NEON for bitslice DES.)
* Added linux-sparc64 make target.
* Made a minor optimization to MMX and SSE2 assembly code for LM hash.
* Dropped Ultrix and SCO support.
* Don't probe for alternate config file names (like john.ini when on Unix).
* "DokuWiki" external mode sample has been added to the default john.conf.
* Fixed operator precedence in the external mode compiler to be the same as C.
* Fixed an out of bounds write bug in the external mode virtual machine.
* Fixed a bug introduced in version 1.7.4 in the wordlist rules engine, where
some sequences of rule commands could overflow a word buffer.
* Fixed a bug where unaligned access SSE/AVX instructions would unnecessarily
be generated by GCC 4.6+ in the bitslice DES code in non-OpenMP builds.
* Fixed a bug where "Warning: no OpenMP support for this hash type" could be
printed in "--stdout" mode.
* Made assorted other bugfixes, portability and documentation enhancements.
2020-08-08 02:09:01 +00:00
adam
1a582be448 py-google-auth: updated to 1.20.1
1.20.1

Bug Fixes

reduce refresh clock skew to 10 seconds
set Content-Type header in the request to signBlob API to avoid Invalid JSON payload error


1.20.0

Features

Add debug logging that can help with diagnosing auth lib. path
Show the transport exception that happened for GCE Metadata
packaging: add support for Python 3.8
2020-08-07 06:41:25 +00:00
joerg
c022e9a165 Don't use compat code for Lua 5.2+. Bump revision. 2020-08-07 02:05:07 +00:00
gutteridge
90239e4959 pam-pwauth_suid: use INSTALL_LIB to install shared libs 2020-08-04 02:58:12 +00:00
adam
b4fbc2084f gpgme: updated to 1.14.0
Noteworthy changes in version 1.14.0
------------------------------------
 * New keylist mode to force the engine to return the keygrip.
 * New export mode to export as OpenSSH public key.
 * New context flag "extended-edit" to enable expert key edit.
 * Deprecate the anyway non-working trustlist functions.
 * cpp: Add convenience API to obtain remarks.
 * cpp: The sign key edit-interactor now supports multiple signatures
   from the same key.
 * qt: Extended signkeyjob to handle remarks and multiple signatures.
 * qt: Added job API for gpg-card.
 * qt: The logging category has been changed to gpg.qgpgme to be more
       consistent with other qt logging categories.
 * Interface changes relative to the 1.13.1 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPGME_KEYLIST_MODE_WITH_KEYGRIP              NEW.
 GPGME_EXPORT_MODE_SSH                        NEW.
 gpgme_user_id_t                         EXTENDED: New field 'uidhash'.
 cpp: UserID::remark                          NEW.
 cpp: UserID::remarks                         NEW.
 cpp: GpgSignKeyEditInteractor::setDupeOk     NEW.
 cpp: Context::exportPublicKeys          EXTENDED: New param 'flags'.
 cpp: Context::startPublicKeyExport      EXTENDED: New param 'flags'.
 cpp: Context::ExportMode                     NEW.
 qt: SignKeyJob::setDupeOk                    NEW.
 qt: SignKeyJob::setRemark                    NEW.
 qt: GpgCardJob                               NEW.
 qt: ExportJob::setExportFlags                NEW.
2020-08-03 15:32:31 +00:00
adam
fd33f1baf8 libksba: updated to 1.4.0
Noteworthy changes in version 1.4.0
-----------------------------------
 * Supports ECDSA and EdDSA certificate creation and parsing.
 * Supports ECDH enveloped data.
 * Supports ECDSA and EdDSA signed data.
 * Supports rsaPSS signature verification.
 * Supports standard file descriptors in ksba_reader_read.
 * New configure flag --disable-doc.
 * Improves support for reproducible builds.
 * Allows for optional elements in keyinfo objects.
 * Updates the config and M4 scripts to the latest version.
 * Fixes error detection in the CMS parser.
 * Fixes memory leak in ksba_cms_identify.
 * Fixes build warnings on macOS.
 * Uses --disable-new-dtags if LD_LIBRARY_PATH is defined.
 * New constants KSBA_VERSION and KSBA_VERSION_NUMBER.
 * New API to make creation of DER objects easy.
 * Interface changes relative to the 1.3.5 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 KSBA_VERSION                     NEW.
 KSBA_VERSION_NUMBER              NEW.
 KSBA_CT_SPC_IND_DATA_CTX         NEW.
 KSBA_CLASS_*                     NEW.
 KSBA_TYPE_*                      NEW.
 ksba_der_t                       NEW.
 ksba_der_release                 NEW.
 ksba_der_builder_new             NEW.
 ksba_der_builder_reset           NEW.
 ksba_der_add_ptr                 NEW.
 ksba_der_add_val                 NEW.
 ksba_der_add_int                 NEW.
 ksba_der_add_oid                 NEW.
 ksba_der_add_bts                 NEW.
 ksba_der_add_der                 NEW.
 ksba_der_add_tag                 NEW.
 ksba_der_add_end                 NEW.
 ksba_der_builder_get             NEW.
2020-08-03 15:30:06 +00:00
brook
4166fc12b8 R-digest: update to 0.6.25. 2020-07-31 18:42:19 +00:00
tnn
3896e62a15 putty: fix build on Linux 2020-07-30 13:32:33 +00:00
wiz
e1b8116ee6 tor-browser: update to 9.5.3.
Tor Browser 9.5.3 -- July 28 2020
 * All Platforms
   * Update Firefox to 68.11.0esr
   * Update NoScript to 11.0.34
   * Update Tor to 0.4.3.6

Tor Browser 9.5.2 -- July 7 2020
 * Android
   * Update Firefox to 68.10.1esr
2020-07-29 07:46:37 +00:00
adam
2c2e905625 py-asn1crypto: updated to 1.4.0
1.4.0
- `core.ObjectIdentifier` and all derived classes now obey X.660 §7.6 and
  thus restrict the first arc to 0 to 2, and the second arc to less than
  40 if the first arc is 0 or 1. This also fixes parsing of OIDs where the
  first arc is 2 and the second arc is greater than 39.
- Fixed `keys.PublicKeyInfo.bit_size` to return an int rather than a float
  on Python 3 when working with elliptic curve keys
- Fixed the `asn1crypto-tests` sdist on PyPi to work properly to generate a
  .whl
2020-07-29 07:25:37 +00:00
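The X.660 §7.6 rule above is easy to get wrong in a hand-written OID codec, because the first two arcs are packed into one DER sub-identifier as 40 * arc1 + arc2 and a decoder that blindly splits on 40 turns 2.999 into 26.39. The following is an added example, not asn1crypto's code, showing an encoder that rejects arcs outside the X.660 limits and a decoder that uses those limits to split the first sub-identifier correctly (the function names are the example's own):

```python
"""Added example (not asn1crypto's code): DER content-octet encoding and
decoding for OBJECT IDENTIFIER values, enforcing the X.660 section 7.6 arc
limits that the asn1crypto 1.4.0 entry above refers to."""


def _base128(value):
    """Encode a non-negative int as big-endian base-128 groups, with the MSB
    set on every byte except the last (X.690 8.19.2)."""
    if value < 0:
        raise ValueError("sub-identifiers are non-negative")
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def validate_arcs(arcs):
    """X.660 7.6: the first arc is 0, 1 or 2; the second arc is below 40
    unless the first arc is 2 (joint-iso-itu-t), where it is unbounded."""
    if len(arcs) < 2:
        raise ValueError("an OID has at least two arcs")
    if any(a < 0 for a in arcs):
        raise ValueError("arcs are non-negative")
    if arcs[0] > 2:
        raise ValueError("first arc must be 0, 1 or 2")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be < 40 when the first arc is 0 or 1")


def encode_oid(dotted):
    """Dotted string -> DER content octets (tag and length not included)."""
    arcs = [int(p) for p in dotted.split(".")]
    validate_arcs(arcs)
    # The first two arcs share one sub-identifier: 40 * arc1 + arc2.
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return body


def decode_oid(content):
    """DER content octets -> dotted string, rejecting truncated and
    non-minimal (leading 0x80) sub-identifiers."""
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    subids = []
    cur = 0
    at_start = True
    for b in content:
        if at_start and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        cur = (cur << 7) | (b & 0x7F)
        at_start = not (b & 0x80)
        if at_start:
            subids.append(cur)
            cur = 0
    first = subids[0]
    # Splitting on 40 is only right for roots 0 and 1; under root 2 the
    # second arc may exceed 39, so 2.999 arrives as the single value 1079.
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(str(a) for a in arcs)


def is_valid_oid(dotted):
    """True if the dotted string is a well-formed OID under the rules above."""
    try:
        encode_oid(dotted)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for oid in ("1.2.840.113549", "2.999", "2.5.4.3"):
        der = encode_oid(oid)
        print(oid, der.hex(), decode_oid(der))
```

The decoder also refuses a sub-identifier that starts with 0x80, since DER requires the minimal number of octets; a lenient decoder that accepts such padding lets two different byte strings name the same OID, which matters anywhere OIDs are compared by encoded bytes (certificate policy and extension matching, for instance).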
wiz
6ba9fcc845 tor-browser-noscript: update to 11.0.34.
v 11.0.34
============================================================
x Fixed regression breaking network-based CSP injection

v 11.0.33
============================================================
x Switch from HTTP to DOM event based CSP reporting in
  compatible browsers
x [XSS] Updated HTML event attributes
x Updated TLDs
2020-07-29 07:02:59 +00:00
leot
06eaffd788 sqlmap: Update to 1.4.7
Changes:
1.4.7
-----
Unfortunately no changelog is provided by upstream; judging by the commit
messages it seems to be a mostly bug-fix release.
2020-07-28 20:56:21 +00:00
wiz
307efa4977 bearssl: honor CFLAGS and LDFLAGS 2020-07-28 08:49:54 +00:00
adam
87406fbcd0 py-asyncssh: updated to 2.3.0
Release 2.3.0
Added initial support for reading configuration from OpenSSH-compatible config files, when present. Both client and server configuration files are supported, but not all config options are supported. See the AsyncSSH documentation for the latest list of what client and server options are supported, as well as what match conditions and percent substitutions are understood.
Added support for the concept of only a subset of supported algorithms being enabled by default, and for the ability to use wildcards when specifying algorithm names. Also, OpenSSH’s syntax of prefixing the list with ‘^’, ‘+’, or ‘-’ is supported for incrementally adjusting the list of algorithms starting from the default set.
Added support for specifying a preferred list of client authentication methods, in order of preference. Previously, the order of preference was hard-coded into AsyncSSH.
Added the ability to use AsyncSSH’s “password” argument on servers which are using keyboard-interactive authentication to prompt for a “passcode”. Previously, this was only supported when the prompt was for a “password”.
Added support for providing separate lists of private keys and certificates, rather than requiring them to be specified together as a tuple. When this new option is used, AsyncSSH will automatically associate the private keys with their corresponding certificates if matching certificates are present in the list.
Added support for the “known_hosts” argument to accept a list of known host files, rather than just a single file. Known hosts can also be specified using the GlobalKnownHostFile and UserKnownHostFile config file options, each of which can take multiple filenames.
Added new “request_tty” option to provide finer grained control over whether AsyncSSH will request a TTY when opening new sessions. The default is to still tie this to whether a “term_type” is specified, but now that can be overridden. Supported options of “yes”, “no”, “force”, and “auto” match the values supported by OpenSSH.
Added new “rdns_lookup” option to control whether the server does a reverse DNS of client addresses to allow matching of clients based on hostname in authorized keys and config files. When this option is disabled (the default), matches can only be based on client IP.
Added new “send_env” argument when opening a session to forward local environment variables using their existing values, augmenting the “env” argument that lets you specify remote environment variables to set and their corresponding values.
Added new “tcp_keepalive” option to control whether TCP-level keepalives are enabled or not on SSH connections. Previously, TCP keepalives were enabled unconditionally and this is still the default, but the new option provides a way to disable them.
Added support for sending and parsing client EXT_INFO messages, and for sending the “global-requests-ok” option in these messages when AsyncSSH is acting as a client.
Added support for ‘~’ home directory expansion when specifying arguments which contain filenames.
Added support for time intervals and byte counts to optionally be specified as string values with units, allowing for values such as “1.5h” or “1h30m” instead of having to specify that as 5400 seconds. Similarly, a byte count of “1g” can be passed to indicate 1 gigabyte, rather than specifying 1073741824 bytes.
Enhanced logging to report lists of sent and received algorithms when no matching algorithm is found. Thanks go to Jeremy Schulman for suggesting this.
Fixed an interoperability issue with PKIXSSH when attempting to use X.509 certificates with a signature algorithm of “x509v3-rsa2048-sha256”.
Fixed an issue with some links not working in the ReadTheDocs sidebar. Thanks go to Christoph Giese for reporting this issue.
Fixed keepalive handler to avoid leaking a timer object in some cases. Thanks go to Tom van Neerijnen for reporting this issue.
2020-07-27 17:32:51 +00:00
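The asyncssh 2.3.0 notes above describe the OpenSSH ‘^’, ‘+’, ‘-’ prefix syntax and wildcard matching for adjusting an algorithm list from a default set. As an added example (not AsyncSSH's code, and with made-up cipher names rather than AsyncSSH's real defaults), here is the resolution logic as ssh_config(5) defines it: a bare list replaces the defaults, ‘+’ appends, ‘-’ removes (wildcards allowed, unknown names ignored), and ‘^’ moves the named entries to the head; names used for replace, append or head must be supported, so a typo fails loudly instead of silently changing what is negotiated.

```python
"""Added example (not AsyncSSH's code): resolve an OpenSSH-style algorithm
list specification against a default set. The cipher names below are
constructed for the demonstration and are not AsyncSSH's real defaults."""
from fnmatch import fnmatchcase

# Constructed: everything this hypothetical implementation supports, in
# preference order.
SUPPORTED_CIPHERS = (
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes256-cbc",
    "aes128-cbc",
    "3des-cbc",
)
# Constructed: the subset enabled with no configuration. CBC and 3DES are
# supported but off by default, the "subset enabled by default" idea from
# the release notes.
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


def _expand(spec, universe, strict):
    """Expand a comma-separated list of names or fnmatch patterns against
    universe, keeping universe order within each pattern and dropping
    duplicates. With strict=True a pattern that matches nothing is an error."""
    result = []
    for pat in spec.split(","):
        pat = pat.strip()
        if not pat:
            continue
        matches = [n for n in universe if fnmatchcase(n, pat)]
        if strict and not matches:
            raise ValueError(f"unsupported algorithm or pattern: {pat!r}")
        for n in matches:
            if n not in result:
                result.append(n)
    return result


def resolve_algorithms(spec, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Apply ssh_config(5) list semantics:
       'a,b'   replace the default with exactly these (wildcards allowed)
       '+a,b'  append to the default
       '-a,b'  remove from the default (wildcards allowed, unknown names ignored)
       '^a,b'  move to the head of the default
    """
    default = list(default)
    if spec.startswith("-"):
        removed = set(_expand(spec[1:], supported, strict=False))
        return [n for n in default if n not in removed]
    if spec.startswith("+"):
        extra = _expand(spec[1:], supported, strict=True)
        return default + [n for n in extra if n not in default]
    if spec.startswith("^"):
        head = _expand(spec[1:], supported, strict=True)
        return head + [n for n in default if n not in head]
    return _expand(spec, supported, strict=True)


def spec_is_valid(spec):
    """True if the specification resolves without naming anything unsupported."""
    try:
        resolve_algorithms(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for spec in ("-aes128-*", "+aes256-cbc", "^aes256-ctr", "aes*-gcm@openssh.com"):
        print(f"{spec:>24} -> {resolve_algorithms(spec)}")
```

The practical point for a hardening review: "-aes128-*" trims the default set and is safe to apply blindly, whereas "+aes256-cbc" re-enables an algorithm that is supported but deliberately off by default, so a ‘+’ in a config file deserves the same scrutiny as an explicit full list.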
gdt
4f9d410a04 multiple: Reset MAINTAINER from non-functional bbn.com address 2020-07-27 16:22:46 +00:00
gdt
f31e3ea52e multiple: Update MAINTAINER from gdt@ir.bbn.com 2020-07-27 16:20:44 +00:00
adam
75e18dceb7 py-google-auth: updated to 1.19.2
1.19.2
Bug fixes
Revert "fix: migrate signBlob to iamcredentials.googleapis.com"

1.19.1
Bug Fixes
don't add empty quota project
2020-07-27 10:11:21 +00:00
bsiegert
4000680676 heimdal: Update MASTER_SITES.
The original master site is gone. The new one redirects to Github but for
the ancient release we package (1.5.3, newest is 7.x), it does not have the
distfile.

Update NetBSD/pkgsrc#68
2020-07-26 09:30:14 +00:00
adam
9277d17a9c gnupg2: updated to 2.2.21
Noteworthy changes in version 2.2.21
* gpg: Improve symmetric decryption speed by about 25%.
* gpg: Support decryption of AEAD encrypted data packets.
* gpg: Add option --no-include-key-block.
* gpg: Allow for extra padding in ECDH.
* gpg: Only a single pinentry is shown for symmetric encryption if
  the pinentry supports this.
* gpg: Print a note if no keys are given to --delete-key.
* gpg,gpgsm: The ridiculous passphrase quality bar is not anymore
  shown.
* gpgsm: Certificates without a CRL distribution point are now
  considered valid without looking up a CRL.  The new option
  --enable-issuer-based-crl-check can be used to revert to the
  former behaviour.
* gpgsm: Support rsaPSS signature verification.
* gpgsm: Unless CRL checking is disabled lookup a missing issuer
  certificate using the certificate's authorityInfoAccess.
* gpgsm: Print the certificate's serial number also in decimal
  notation.
* gpgsm: Fix possible NULL-deref in messages of --gen-key.
* scd: Support the CardOS 5 based D-Trust Card 3.1.
* dirmngr: Allow http URLs with "LOOKUP --url".
* wkd: Take name of sendmail from configure.  Fixes an OpenBSD
  specific bug.
2020-07-24 10:47:45 +00:00
sjmulder
0c05b5775a security/openssl: Make compatible with Apple Silicon 2020-07-22 20:41:30 +00:00
adam
4b2ca93145 py-aes: updated to 1.6.1
1.6.1:
Fixed Blockfeeder incorrectly accepting empty string as input termination
Fixed typos in docs
2020-07-21 21:19:01 +00:00
micha
3b84df7ee5 security/libssh: Build fix
Include header files with declarations for struct sockaddr_in and send().

OK from is@.
2020-07-20 15:56:24 +00:00
wiz
083562fceb caff: update to 2.11.
Only packaging changes.
2020-07-17 23:44:00 +00:00
wiz
a672f57017 libgcrypt: update to 1.8.6.
Noteworthy changes in version 1.8.6 (2020-07-06)  [C22/A2/R6]
------------------------------------------------

 * Bug fixes:

   - Fix build problems on OpenIndiana et al. [#4818]

   - Fix GCM bug on arm64 which troubles for example OMEMO.  [#4986]

   - Fix wrong code execution in Poly1305 ARM/NEON implementation.
     [#4833]

   - Detect a div-by-zero in a debug helper tool.  [#4868]

   - Use a constant time mpi_inv in some cases and change the order
     mpi_invm is called.  [#4869]

   - Fix mpi_copy to correctly handle flags of opaque MPIs.

   - Fix mpi_cmp to consider +0 and -0 the same.

 * Other features:

   - Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519.
2020-07-17 23:22:49 +00:00
bsiegert
20b9b74c5f Revbump all Go packages after go114 update. 2020-07-17 18:04:11 +00:00
wiz
b794a8fa41 pkglint: fix category Makefiles
pkglint 20.2.0 (and a bit earlier) does not insist on entries
for directories any longer that do not contain complete packages.
Remove them.

While here, fix security/Makefile that had two missing entries.
2020-07-17 06:10:34 +00:00
taca
b54e9cd017 security/clamav: update to 0.102.4
Update clamav to 0.102.4.


## 0.102.4

ClamAV 0.102.4 is a bug patch release to address the following issues.

- [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
  Fix a vulnerability wherein a malicious user could replace a scan target's
  directory with a symlink to another path to trick clamscan, clamdscan, or
  clamonacc into removing or moving a different file (eg. a critical system
  file). The issue would affect users that use the --move or --remove options
  for clamscan, clamdscan, and clamonacc.

  For more information about AV quarantine attacks using links, see the
  [RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking
  results in an out-of-bounds read which could cause a crash.
  The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
  resolves the issue.

- [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
  Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
  that could cause a Denial-of-Service (DoS) condition. Improper error handling
  may result in a crash due to a NULL pointer dereference.
  This vulnerability is mitigated for those using the official ClamAV
  signature databases because the file type signatures in daily.cvd
  will not enable the EGG archive parser in versions affected by the
  vulnerability.
2020-07-17 04:48:32 +00:00
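The CVE-2020-3350 description above is a classic time-of-check/time-of-use race: the scanner decides to remove a path, and between that decision and the remove() call the attacker replaces the containing directory with a symlink, so the path now resolves somewhere else. The following is an added example, not ClamAV's code and not a description of how ClamAV fixed the bug: it reproduces the directory swap against a naive path-based remove and shows one hardening, pinning the scanned directory with an O_DIRECTORY|O_NOFOLLOW descriptor and unlinking relative to it (unlinkat). It needs a POSIX system with dir_fd support (Linux, the BSDs, macOS); the directory layout and file contents are constructed for the demo.

```python
"""Added example (not ClamAV's code): the symlink swap behind the
CVE-2020-3350 entry above, and a dir_fd-based removal that is not fooled
by it. Paths, files and names are constructed for the demonstration."""
import os
import shutil
import tempfile


def setup_lab():
    """Constructed scenario: a scan target dir and an unrelated 'victim' dir,
    each holding a file with the same name."""
    root = tempfile.mkdtemp(prefix="quarantine-lab-")
    scan = os.path.join(root, "scan")
    victim = os.path.join(root, "victim")
    os.mkdir(scan)
    os.mkdir(victim)
    with open(os.path.join(scan, "payload.bin"), "wb") as f:
        f.write(b"constructed sample the scanner flagged")
    with open(os.path.join(victim, "payload.bin"), "wb") as f:
        f.write(b"constructed unrelated file the attacker wants deleted")
    return root, scan, victim


def attacker_swap(scan_dir, target_dir):
    """Between detection and removal: move the scanned dir aside and drop a
    symlink with its old name pointing at the target directory."""
    os.rename(scan_dir, scan_dir + ".moved")
    os.symlink(target_dir, scan_dir)


def naive_remove(scan_dir, name):
    """Vulnerable pattern: re-resolve the full path at removal time."""
    os.remove(os.path.join(scan_dir, name))


def open_scan_dir(scan_dir):
    """Hardened pattern, step 1: pin the directory when scanning starts.
    O_NOFOLLOW refuses a symlink here; O_DIRECTORY refuses a non-directory."""
    return os.open(scan_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def safe_remove(dir_fd, name):
    """Hardened pattern, step 2: unlink by bare name relative to the pinned
    descriptor (unlinkat). The descriptor keeps referring to the directory
    that was actually scanned, whatever the path name points at now."""
    if os.sep in name or name in (".", ".."):
        raise ValueError("expected a bare filename")
    os.unlink(name, dir_fd=dir_fd)


def demo(hardened):
    """Run the race once; report whether the victim survived and whether the
    real sample was removed."""
    root, scan, victim = setup_lab()
    victim_file = os.path.join(victim, "payload.bin")
    real_sample = os.path.join(scan + ".moved", "payload.bin")
    dir_fd = open_scan_dir(scan) if hardened else None
    try:
        attacker_swap(scan, victim)
        if hardened:
            safe_remove(dir_fd, "payload.bin")
        else:
            naive_remove(scan, "payload.bin")
        return {
            "victim_intact": os.path.exists(victim_file),
            "sample_removed": not os.path.exists(real_sample),
        }
    finally:
        if dir_fd is not None:
            os.close(dir_fd)
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive:   ", demo(hardened=False))
    print("hardened:", demo(hardened=True))
```

Pinning the directory closes the directory-symlink swap the advisory describes. Swapping the file itself inside the pinned directory is a separate race; defending against that needs an identity check (st_dev and st_ino from fstat on the scanned descriptor against stat of the name via dir_fd) immediately before the unlink, and even then a small window remains, which is why quarantine actions on attacker-writable directories deserve privilege separation rather than root.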
perseant
8cc07a768f Update to Shibboleth SP 3.1.0. Fixes PR pkg/54639. 2020-07-16 14:49:13 +00:00
schmonz
e428b0ac72 Strip -lcrypt on macOS, which (at least in recent versions) doesn't have it. 2020-07-15 19:35:04 +00:00
adam
856534c06f py-certifi: updated to 2020.6.20
2020.6.20:
Unknown changes
2020-07-15 15:06:58 +00:00
adam
6c4cb8b7ec py-google-auth-httplib2: updated to 0.0.4
0.0.4:
Features
expose a few httplib2 properties and a method
2020-07-15 09:30:30 +00:00
adam
f29e59ffcb py-google-auth: updated to 1.19.0
1.19.0:

Features
add quota project to base credentials class
check 'iss' in verify_oauth2_token

Bug Fixes
migrate signBlob to iamcredentials.googleapis.com

Documentation
remove 3.4 from supported versions list
2020-07-15 09:29:55 +00:00
nia
1f3622c626 lua-bcrypt: Update to 2.1.6
NetBSD/SunOS support upstreamed
2020-07-14 11:45:23 +00:00
nia
a496e1eab6 lua-arc4random: Update to 1.4.1
NetBSD and SunOS support upstreamed
2020-07-14 11:43:25 +00:00
wiz
61cd8a74b4 *: reset maintainer for darcy 2020-07-13 20:05:11 +00:00
leot
4286232707 snallygaster: Update to 0.0.8
Changes:
0.0.8
-----
 - add vb_test.php check
 - add phpinfo test

0.0.7
-----
 - add a test for openelasticsearch
 - add check for django debugging on error pages
 - print more information about invalid hostnames
 - add laravel telescope test
2020-07-13 16:14:56 +00:00
jperkin
08f0bc628c openssl: Fix c_rehash manual page entry.
Previously after the openssl-* renames it ended up as a dangling symlink,
causing "pkg_admin check" failures.  Bump PKGREVISION.
2020-07-13 11:35:54 +00:00
gdt
4881a4b4af security/zoneminder: Add workaround for stricter compiler
Add [0] to unspecified array; gcc 7 errors while gcc 5 was ok with the
previous code.  (Temporary until this package is updated.)
2020-07-12 16:58:42 +00:00
nia
0cc9b09f78 lua-ossl: Don't try to include sys/epoll.h on SunOS 2020-07-11 15:18:24 +00:00
adam
8c55728ec6 py-ntlm-auth: updated to 1.5.0
1.5.0:
* Added the `mic_present` property to the `NtlmContext` class to determine if a MIC has been added to the authentication message.
* Added the `sign` and `verify` function to the `NtlmContext` to sign data and verify signatures.
* Added the `reset_rc4_state` function to the `NtlmContext` to allow a caller to reset the incoming and outgoing RC4 cipher.
* Added the `NTLMSSP_NEGOTIATE_UNICODE` flag to the negotiate message to ensure the challenge and authentication message's text fields can be unicode encoded
2020-07-10 19:43:31 +00:00
adam
837149fa43 py-acme,py-certbot: updated to 1.6.0
1.6.0

Added

Certbot snaps are now available for the arm64 and armhf architectures.
Add minimal code to run Nginx plugin on NetBSD.
Make Certbot snap find externally snapped plugins
Function certbot.compat.filesystem.umask is a drop-in replacement for os.umask implementing umask for both UNIX and Windows systems.
Support for alternative certificate chains in the acme module.
Added --preferred-chain <issuer CN>. If a CA offers multiple certificate chains, it may be used to indicate to Certbot which chain should be preferred.
e.g. --preferred-chain "DST Root CA X3"

Changed

Allow session tickets to be disabled in Apache when mod_ssl is statically linked.
Generalize UI warning message on renewal rate limits
Certbot behaves similarly on Windows to on UNIX systems regarding umask, and the umask 022 is applied by default: all files/directories are not writable by anyone other than the user running Certbot and the system/admin users.
Read acmev1 Let's Encrypt server URL from renewal config as acmev2 URL to prepare for impending acmev1 deprecation.

Fixed

Cloudflare API Tokens may now be restricted to individual zones.
Don't use StrictVersion, but LooseVersion to check version requirements with setuptools, to fix some packaging issues with libraries respecting PEP404 for version string, which doesn't match StrictVersion requirements.
Certbot output doesn't refer to SSL Labs due to confusing scoring behavior.
Fix paths when calling to programs outside of the Certbot Snap, fixing the apache and nginx plugins on, e.g., CentOS 7.
2020-07-10 10:24:21 +00:00
hauke
66f2118d10 Unbreak security/openssl build on pre-v9 Darwin.
(1) There is no {get,make,set}context support before Darwin 9

(2) Instead of failing the build on makedepend(8) malfunction, have
make(1) ignore its return value - which used to be the default for
previous OpenSSL versions.
2020-07-10 10:04:54 +00:00
nia
e01af2042d lua-ossl: Update to 20200709
* fix loading from DER files when type set to any
* fix lifetime of certificates from <2000
* updates for Lua 5.4
2020-07-10 09:12:51 +00:00
adam
aa39a16985 py-gssapi: updated to 1.6.9
v1.6.9: Meyer (Patch 9)

There were no releases between 1.6.5 and 1.6.9 due to release pipeline issues with Github Actions; please use this release instead.

Raise exception on unknown usage
Update tutorial to make server_name equal FQDN
Handle missing locale.LC_MESSAGES on Windows
2020-07-09 13:22:39 +00:00
nia
3620d6eb7a security: Add lua-ossl
A comprehensive OpenSSL module for Lua.

It includes support for certificate and key management, key generation,
signature verification, and deep bindings to the distinguished name,
alternative name, and X.509v3 extension interfaces.

It also binds OpenSSL's bignum, message digest, HMAC, cipher, and CSPRNG
interfaces. The end goal is to bind almost everything that OpenSSL supports,
but no more. It's intended as a low-level interface.

Basic bindings to OpenSSL's SSL* session and SSL_CTX* prototype objects are
available, but they cannot yet be used standalone to do SSL I/O. cqueues
supports SSL/TLS sockets internally, accepts an SSL_CTX* object from Lua
code for session configuration, and exports an SSL* object to Lua for session
introspection.
2020-07-08 12:41:12 +00:00
nia
6f3ea501ec security: Remove boringssl
This is a really old version that is likely vulnerable.

AFAIK the only consumer of boringssl is Chromium which vendors its
own variant, otherwise the library is just for internal Google use
2020-07-07 23:47:40 +00:00
bsiegert
320143a817 Update mkcert to 1.4.1. Now a Go module.
v1.4.1

  • Use sudo when necessary to install in system-wide NSS stores (#192)
  • Add a -version flag (#191)
  • Speed up macOS execution by 4x for most users (#135)
  • Minor usability improvements (#182, #178, #188)


v1.4.0

macOS Catalina compatibility, URL and email SANs, and more

macOS 10.15 Catalina introduced certificate lifespan limits which block mkcert
certificates. As a temporary measure, mkcert certificates now have a fixed
notBefore date of June 1st, 2019. Once the ACME server is implemented,
certificate lifespan will be shortened to 3 months. (#174)

Certificates generated by previous versions of mkcert after July 1st, 2019 will
not work on macOS 10.15 Catalina, and will have to be regenerated. The root CA
is unaffected and there is no need to rerun mkcert -install.

URL (#166) and email (for S/MIME, #152) SANs are now supported.

Client certificates are now created with a -client filename suffix, and they
claim the serverAuth EKU as well as the clientAuth one.

The certificate subject now includes the full user name, like
filippo@Bistromath.local (Filippo Valsorda).

SLES, OpenSUSE (#162), Snapcraft (#116), and CentOS 7 (#120) are now supported.

Linux release binaries are now fully static, and will work regardless of the
system libc. (#169)

v1.3.0

New advanced options:

  • -ecdsa to generate ECDSA private keys
  • -client to generate client certificates
  • -csr to sign certificate signing requests
  • $TRUST_STORES to select what stores to install into

Also, in other news:

  • Add "Firefox Nightly.app" support on macOS
  • Set the CommonName when generating PKCS#12 files for IIS
2020-07-07 20:35:50 +00:00
nia
02172b4b0e mbedtls: Set BUILDLINK_ABI_DEPENDS 2020-07-07 11:21:39 +00:00