A HTTPS client implementation for httplib and urllib2 based on
PyOpenSSL. PyOpenSSL provides a more fully featured SSL
implementation over the default provided with Python and
importantly enables full verification of the SSL peer.
|
|
Some of the upstream changes for 0.9.2 :
- various typos in config files
- filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to
  ignore system authentication issues
- some fixes for EL7
New features :
- New filters:
  - postfix-rbl
  - apache-fakegooglebot.conf
  - nginx-botsearch
  - drupal-auth
- New actions:
  - action.d/firewallcmd-multiport and action.d/firewallcmd-allports
  - action.d/sendmail-geoip-lines.conf
  - action.d/nsupdate to update DNSBL
- New status argument for fail2ban-client
Some of the upstream changes for 0.9.3 :
- IMPORTANT incompatible changes:
  * filter.d/roundcube-auth.conf
    - Changed logpath to 'errors' log (was 'userlogins')
  * action.d/iptables-common.conf
    - All calls to iptables command now use -w switch introduced in
      iptables 1.4.20 (some distributions could have patched their
      earlier base version as well) to provide this locking mechanism
      useful under heavy load to avoid contesting on iptables calls.
      If you need to disable, define 'action.d/iptables-common.local'
      with empty value for 'lockingopt' in `[Init]` section.
  * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
    actions now include by default only the first 1000 log lines in
    the emails. Adjust <grepopts> to augment the behavior.
- New Features:
  * New filters:
    - froxlor-auth - Thanks Joern Muehlencord
    - apache-pass - filter Apache access log for successful authentication
  * New actions:
    - shorewall-ipset-proto6 - using proto feature of the Shorewall.
      Still requires manual pre-configuration of the shorewall.
      See the action file for detail.
  * New jails:
    - pass2allow-ftp - allows FTP traffic after successful
      HTTP authentication
|
|
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
|
|
[2015/10/06]
* Version 2.5.0
- fixes for compiling for rubinius, at long last
- TESTS
- add a few method aliases
|
|
1.1.1 - 2015-11-19
~~~~~~~~~~~~~~~~~~
* Fixed several small bugs related to compiling the OpenSSL bindings with
unusual OpenSSL configurations.
* Resolved an issue where, depending on the method of installation and
which Python interpreter they were using, users on El Capitan (OS X 10.11)
may have seen an ``InternalError`` on import.
|
|
Provided by csosstudy in PR 50455.
Version 1.0.6
Optimized implementations of Blake2 have been added for modern Intel platforms. crypto_generichash() is now faster than MD5 and SHA1 implementations while being far more secure.
Functions for which the return value should be checked have been tagged with __attribute__ ((warn_unused_result)). This will intentionally break code compiled with -Werror that didn't bother checking critical return values.
The crypto_sign_edwards25519sha512batch_*() functions have been tagged as deprecated.
Undocumented symbols that were exported, but were only useful for internal purposes have been removed or made private: sodium_runtime_get_cpu_features(), the implementation-specific crypto_onetimeauth_poly1305_donna() symbols, crypto_onetimeauth_poly1305_set_implementation(), crypto_onetimeauth_poly1305_implementation_name() and crypto_onetimeauth_pick_best_implementation().
sodium_compare() now works as documented, and compares numbers in little-endian format instead of behaving like memcmp().
The previous changes should not break actual applications, but to be safe, the library version major was incremented.
sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have been added.
The library can now be compiled with the CompCert compiler.
Version 1.0.5
This release only fixes compilation issues on some platforms.
If 1.0.4 compiled and installed fine on your system, upgrading to this version is not required.
There are no functional changes.
Compilation issues on some platforms were fixed: missing alignment directives were added (required at least on RHEL-6/i386), a workaround for a VRP bug on gcc/armv7 was added, and the library can now be compiled with the SunPro compiler.
Javascript target: io.js is not supported any more. Use nodejs.
Version 1.0.4
Support for AES256-GCM has been added. This requires a CPU with the aesni and pclmul extensions, and is accessible via the crypto_aead_aes256gcm_*() functions.
The Javascript target doesn't use eval() any more, so that the library can be used in Chrome packaged applications.
QNX and CloudABI are now supported.
Support for NaCl has finally been added.
ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has been implemented as crypto_stream_chacha20_ietf(), crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic(). An IETF-compatible version of ChaCha20Poly1305 is available as crypto_aead_chacha20poly1305_ietf_npubbytes(), crypto_aead_chacha20poly1305_ietf_encrypt() and crypto_aead_chacha20poly1305_ietf_decrypt().
The sodium_increment() helper function has been added, to increment an arbitrary large number (such as a nonce).
The sodium_compare() helper function has been added, to compare arbitrary large numbers (such as nonces, in order to prevent replay attacks).
Version 1.0.3
In addition to sodium_bin2hex(), sodium_hex2bin() is now a constant-time function.
crypto_stream_xsalsa20_ic() has been added.
crypto_generichash_statebytes(), crypto_auth_*_statebytes() and crypto_hash_*_statebytes() have been added in order to retrieve the size of structures keeping states from foreign languages.
The JavaScript target doesn't require /dev/urandom or an external randombytes() implementation any more. Other minor Emscripten-related improvements have been made in order to support libsodium.js
Custom randombytes implementations do not need to provide their own implementation of randombytes_uniform() any more. randombytes_stir() and randombytes_close() can also be NULL pointers if they are not required.
On Linux, getrandom(2) is being used instead of directly accessing /dev/urandom, if the kernel supports this system call.
crypto_box_seal() and crypto_box_seal_open() have been added.
A solution for Visual Studio 2015 was added.
|
|
Changelog:
2015-11-07 PuTTY 0.66 released, fixing a SECURITY HOLE
PuTTY 0.66, released today, fixes a security hole in 0.65 and before:
vuln-ech-overflow. It also contains a few other small bug fixes and minor
features.
|
|
From upstream via Petar Bogdanovic on pkgsrc-users.
Bump PKGREVISION.
|
|
Pkgsrc changes:
* Adapt patches to match new files.
* Add new migration scripts to PLIST
Upstream changes:
News
* Support for RFC5011 style KSK rollovers. KSK section in the KASP
now accepts element.
* Enforcer: New repository option allows to generate keys with
CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped and
extracted from HSM.
Bugfixes
* SUPPORT-145: EOF handling an ARM architecture caused signer to hang.
* Fixed signer hitting assertion on short reply XFR handler.
* Include revoke bit in keytag calculation.
* Increased stacksize on some systems (thanks Patrik Lundin!).
* Stop ods-signerd on SIGINT.
Note:
* Updating from earlier versions of OpenDNSSEC requires use of the
database migration script(s) included in ${PKG}/share/opendnssec/
as the migrate_1_4_8* scripts.
|
|
pkgsrc changes:
o Simplify MASTER_SITES.
o Get rid of the EGG_NAME redefinition (seems no more needed).
Changes:
2015.09.06.2
o Ship weak cert bundle.
2015.09.06.1
o Provide old cert bundle.
o Use secure roots by defaults.
2015.09.06
o Update scripts to use mkcert.org.
|
|
1.1 - 2015-10-28
~~~~~~~~~~~~~~~~
* Added support for Elliptic Curve Diffie-Hellman with
:class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
* Added support for parsing certificate revocation lists (CRLs) using
:func:`~cryptography.x509.load_pem_x509_crl` and
:func:`~cryptography.x509.load_der_x509_crl`.
* Add support for AES key wrapping with
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`.
* Added a ``__hash__`` method to :class:`~cryptography.x509.Name`.
* Add support for encoding and decoding elliptic curve points to a byte string
form using
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
* Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`.
* :class:`~cryptography.x509.CertificatePolicies` are now supported in the
:class:`~cryptography.x509.CertificateBuilder`.
* ``countryName`` is now encoded as a ``PrintableString`` when creating subject
and issuer distinguished names with the Certificate and CSR builder classes.
|
|
if ssh_host_key doesn't exist.
RSA1 support is dead and doesn't exist in the package we generate, hence,
regeneration of the key is executed every time sshd is started/restarted.
Bump PKGREVISION
Reviewed by wiz@
|
|
Submitted upstream as https://bugzilla.cyrusimap.org/show_bug.cgi?id=3914
|
|
(anyone want to package the python bindings separately?)
|
|
v0.5.0 (4 May 2015)
+++++++++++++++++++
- Fix ``TypeError`` being raised instead of ``TokenMissing`` error.
- Raise requests exceptions on 4XX and 5XX responses in the OAuth2 flow.
- Avoid ``AttributeError`` when initializing the ``OAuth2Session`` class
without complete client information.
v0.4.2
++++++
- New ``authorized`` property on OAuth1Session and OAuth2Session, which allows
you to easily determine if the session is already authorized with OAuth tokens
or not.
- New ``TokenMissing`` and ``VerifierMissing`` exception classes for OAuth1Session:
this will make it easier to catch and identify these exceptions.
v0.4.1 (6 June 2014)
++++++++++++++++++++
- New install target ``[rsa]`` for people using OAuth1 RSA-SHA1 signature
method.
- Fixed bug in OAuth2 where supplied state param was not used in auth url.
- OAuth2 HTTPS checking can be disabled by setting environment variable
``OAUTHLIB_INSECURE_TRANSPORT``.
- OAuth1 now re-authorize upon redirects.
- OAuth1 token fetching now raise a detailed error message when the
response body is incorrectly encoded or the request was denied.
- Added support for custom OAuth1 clients.
- OAuth2 compliance fix for Sina Weibo.
- Multiple fixes to facebook compliance fix.
- Compliance fixes now re-encode body properly as bytes in Python 3.
- Logging now properly done under ``requests_oauthlib`` namespace instead
of piggybacking on oauthlib namespace.
- Logging introduced for OAuth1 auth and session.
|
|
Add commented out test dependencies.
|
|
1.0.3 (2015-08-16)
(Fix) Changed the documented return type of the `invalidate_request_token()` method from the RSA key to None since nobody is using the return type.
(Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).
1.0.2 (2015-08-10)
(Fix) Allow client secret to be null for public applications that do not mandate its specification in the query parameters.
(Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.
1.0.1 (2015-07-27)
(Fix) Added token_type_hint to the list of default Request parameters.
1.0.0 (2015-07-19)
(Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
(Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible) no oauthlib api changes were made.
(Breaking Change) Raise attribute error for non-existing attributes in the Request object.
(Fix) Strip whitespace off of scope string.
(Change) Don't require to return the state in the access token response.
(Change) Hide password in logs.
(Fix) Fix incorrect invocation of prepare_refresh_body in the OAuth2 client.
(Fix) Handle empty/non-parsable query strings.
(Fix) Check if an RSA key is actually needed before requiring it.
(Change) Allow tuples for list_to_scope as well as sets and lists.
(Change) Add code to determine if client authentication is required for OAuth2.
(Fix) Fix error message on invalid Content-Type header for OAuth1 signing.
(Fix) Allow ! character in query strings.
(Fix) OAuth1 now includes the body hash for requests that specify any content-type that isn't x-www-form-urlencoded.
(Fix) Fixed error description in oauth1 endpoint.
(Fix) Revocation endpoint for oauth2 will now return an empty string in the response body instead of 'None'.
Increased test coverage.
Performance improvements.
Documentation improvements and fixes.
0.7.2 (2014-11-13)
(Quick fix) Unpushed locally modified files got included in the PyPI 0.7.1 release. Doing a new clean release to address this. Please upgrade quickly and report any issues you are running into.
0.7.1 (2014-10-27)
(Quick fix) Add oauthlib.common.log object back in for libraries using it.
0.7.0 (2014-10-27)
(Change) OAuth2 clients will not raise a Warning on scope change if the environment variable OAUTHLIB_RELAX_TOKEN_SCOPE is set. The token will now be available as an attribute on the error, error.token. Token changes will now also be announced using blinker.
(Fix/Feature) Automatic fixes of non-compliant OAuth2 provider responses (e.g. Facebook).
(Fix) Logging is now tiered (per file) as opposed to logging all under oauthlib.
(Fix) Error messages should now include a description in their message.
(Fix/Feature) Optional support for jsonp callbacks after token revocation.
(Feature) Client side preparation of OAuth 2 token revocation requests.
(Feature) New OAuth2 client API methods for preparing full requests.
(Feature) OAuth1 SignatureOnlyEndpoint that only verifies signatures and client IDs.
(Fix/Feature) Refresh token grant now allow optional refresh tokens.
(Fix) add missing state param to OAuth2 errors.
(Fix) add_params_to_uri now properly parse fragment.
(Fix/Feature) All OAuth1 errors can now be imported from oauthlib.oauth1.
(Fix/Security) OAuth2 logs will now strip client provided password, if present.
Allow unescaped @ in urlencoded parameters.
0.6.3 (2014-06-10)
Quick fix. OAuth 1 client repr in 0.6.2 overwrote secrets when scrubbing for print.
0.6.2 (2014-06-06)
Numerous OAuth2 provider errors now suggest a status code of 401 instead of 400 (#247).
Added support for JSON web tokens with oauthlib.common.generate_signed_token. Install extra dependency with oauthlib[signedtoken] (#237).
OAuth2 scopes can be arbitrary objects with __str__ defined (#240).
OAuth 1 Clients can now register custom signature methods (#239).
Exposed new method oauthlib.oauth2.is_secure_transport that checks whether the given URL is HTTPS. Checks using this method can be disabled by setting the environment variable OAUTHLIB_INSECURE_TRANSPORT (#249).
OAuth1 clients now have __repr__ and will be printed with secrets scrubbed.
OAuth1 Client.get_oauth_params now takes an oauthlib.Request as an argument.
urldecode will now raise a much more informative error message on incorrectly encoded strings.
Plenty of typo and other doc fixes.
|
|
Add LICENSE
Upstream changes:
0.04 2014-06-12 NEILB
- Fixed bug that would occasionally generate a division by zero
in word() and word3(). RT#42832
- Fixed mistake in doc for word() and word3()
Thanks to Smylers for RT#11787.
- Switched to Dist::Zilla
- Reformatted this file as per CPAN::Changes::Spec
- Moved test.pl to t/01-require.t and simplified it
- Added real tests for chars(), word() and word3()
- Added github repo to pod
- Added package statement and use strict & warnings in ::de and ::en
- Tell dzil that the language model modules are binary, so they won't
be parsed with PPI, which takes 5+ minutes on my laptop.
|
|
Upstream changes:
0.06 2014-05-28
- Fixed typo in code comment (thanks dsteinbrunner)
- Added github repo to pod
- Added intro paragraph to doc and beefed up SEE ALSO section
|
|
No revbump because it failed to build before if there was one.
Fixes pkg/50348
|
|
This is the reference C implementation of Argon2, the password-hashing
function that won the Password Hashing Competition (PHC).
You should use Argon2 whenever you need to hash passwords for
credential storage, key derivation, or other applications.
There are two main versions of Argon2, Argon2i and Argon2d. Argon2i
is the safest against side-channel attacks, while Argon2d provides
the highest resistance against GPU cracking attacks.
Argon2i and Argon2d are parametrized by
* A time cost, which defines the amount of computation realized
and therefore the execution time, given in number of iterations
* A memory cost, which defines the memory usage, given in kibibytes
* A parallelism degree, which defines the number of parallel threads
|
|
krb5-config script, fixing SLES according to sobukus on IRC.
|
|
gnupg-2.1.9:
* gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate). New
option --print-dane-records.
* gpg: Fix for a problem with PGP-2 keys in a keyring.
* gpg: Fail with an error instead of a warning if a modern cipher
algorithm is used without a MDC.
* agent: New option --pinentry-invisible-char.
* agent: Always do a RSA signature verification after creation.
* agent: Fix a regression in ssh-add-ing Ed25519 keys.
* agent: Fix ssh fingerprint computation for nistp384 and EdDSA.
* agent: Fix crash during passphrase entry on some platforms.
* scd: Change timeout to fix problems with some 2.1 cards.
* dirmngr: Displayed name is now Key Acquirer.
* dirmngr: Add option --keyserver. Deprecate that option for gpg.
Install a dirmngr.conf file from a skeleton for new installations.
gnupg-2.1.8:
* gpg: Sending very large keys to the keyservers works again.
* gpg: Validity strings in key listings are now again translatable.
* gpg: Emit FAILURE status lines to help GPGME.
* gpg: Does not anymore link to Libksba to reduce dependencies.
* gpgsm: Export of secret keys via Assuan is now possible.
* agent: Raise the maximum passphrase length from 100 to 255 bytes.
* agent: Fix regression using EdDSA keys with ssh.
* Does not anymore use a build timestamp by default.
* The fallback encoding for broken locale settings changed
from Latin-1 to UTF-8.
* Many code cleanups and improved internal documentation.
* Various minor bug fixes.
gnupg-2.1.7:
* gpg: Support encryption with Curve25519 if Libgcrypt 1.7 is used.
* gpg: In the --edit-key menu: Removed the need for "toggle", changed
how secret keys are indicated, new commands "fpr *" and "grip".
* gpg: More fixes related to legacy keys in a keyring.
* gpgv: Does now also work with a "trustedkeys.kbx" file.
* scd: Support some feature from the OpenPGP card 3.0 specs.
* scd: Improved ECC support
* agent: New option --force for the DELETE_KEY command.
* w32: Look for the Pinentry at more places.
* Dropped deprecated gpgsm-gencert.sh
* Various other bug fixes.
|
|
in the ejabberd 15.10 update that follows.
|
|
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
Changes since previous version:
+ fix a bug where SHA512 case was missed in the digest_get_prefix()
function. Bug and fix from Felix Lange.
|
|
ok tnn@ re: options.mk v 1.3
|
|
fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required
but needs wider testing.
|
|
want 2.0 to be the default, despite not supporting the latest crypto.
|
|
SmartOS for 64bit builds.
|
|
1.0.2 - 2015-09-27
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
of assertions to check response codes where our tests could not trigger a
failure. However, when Python is run with ``-O`` these asserts are optimized
away. If a user ran Python with this flag and got an invalid response code
this could result in undefined behavior or worse. Accordingly, all response
checks from the OpenSSL backend have been converted from ``assert``
to a true function call. Credit **Emilia Käsper (Google Security Team)**
for the report.
|
|
the package needs an update.
|
|
running with ABI=32 on a 64-bit native host.
|
|
Bump PKGREVISION as this removes dirmngr_ldap from default PLIST.
|
|
Upstream changes:
[Changes for 0.79 - Mon May 18 23:02:11 CST 2015]
* Restore "cpansign --skip" functionality.
Contributed by: CLOOS
[Changes for 0.78 - Thu Apr 9 16:58:27 CST 2015]
* Fix verify() use from cpanm and CPAN.pm.
Contributed by: ANDK
[Changes for 0.77 - Wed Apr 8 19:36:50 CST 2015]
* Include the latest public keys of PAUSE, ANDK and AUDREYT.
* Clarify scripts/cpansign copyright to CC0.
Reported by: @pghmcfc
[Changes for 0.76 - Wed Apr 8 18:05:48 CST 2015]
* Fix signature tests by defaulting to verify(skip=>1)
when $ENV{TEST_SIGNATURE} is true.
Reported by: @pghmcfc
[Changes for 0.75 - Tue Apr 7 04:56:09 CST 2015]
Two more issues reported by John Lightsey:
* Update ChangeLog.
* More protection of @INC from relative paths.
Fix various issues reported by John Lightsey:
[Changes for 0.74 - Tue Apr 7 02:39:14 CST 2015]
Fix various issues reported by John Lightsey:
* Fix GPG signature parsing logic.
* MANIFEST.SKIP is no longer consulted unless --skip is given.
* Properly use open() modes to avoid injection attacks.
|