Age | Commit message | Author | Files | Lines |
|
Changelog:
Rebase to Firefox 38.7.0
|
|
Changelog: 2016-03-05 PuTTY 0.67 released, fixing a SECURITY HOLE
PuTTY 0.67, released today, fixes a security hole in 0.66 and
before: vuln-pscp-sink-sscanf. It also contains a few other small
bug fixes.
Also, for the first time, the Windows executables in this release
(including the installer) are signed using an Authenticode certificate,
to help protect against tampering in transit from our website or
after downloading. You should find that they list "Simon Tatham"
as the verified publisher.
|
|
Changes since 2.4.1 from NEWS file:
2.5.1 - February 19th 2016
---------------------------
17 commits, 16 files changed, 1096 insertions, 42 deletions
- Add missing urn constants used in PAOS HTTP header
- Set NotBefore in SAML 2.0 login assertions
- tests: fix leak in test test16_test_get_issuer
- id-ff: fix leak of profile->private_data->message_id
- saml-2.0: fix leak of message_id in
lasso_profile_saml20_build_paos_request_msg
- tests: fix leaks in test_ecp
- xml: fix wrong termination of comment
- xml: fix leak in lasso_soap_envelope_new_full
- profile: fix leak of private idp_list field
- saml-2.0: fix leaks of url
- tests: fix leak
- tests: update valgrind suppressions
- perl: remove quotes from $PERL -V::ccflags: output (#9572)
- Fix wrong snippet type (fixes #9616). Thanks to Brett Gardner for the patch.
- tools.c: use correct NID and digest length when building RSA signature
using SHA-2 digest
(fixes #10019) Thanks to Brett Gardner for the patch.
- bindings/php5: fix enum getters and setters (fixes #10032). Thanks to
Brett Gardner for the bug report.
- fix warning about INCLUDES directive
2.5.0 - September 2nd 2015
--------------------------
151 commits, 180 files changed, 8391 insertions, 1339 deletions
- lots of bugfixes (reported by static analysis tools like clang,
coverity and manual inspection) thanks to Simo Sorce and John Dennis from
RedHat
- xsd:choices are now parsed correctly by implementing a real finite automaton
for parsing XML documents. New flags for jumping forward and backward in
schema snippets have been added. It fixes parsing of messages from third
parties not following the order from the schema (they are entitled to do it but
most SAML implementations do not)
- added C CGI examples for SP and IdP side
- removed the _POSIX_SOURCE declaration
- added support for the SHA-2 family of hash functions
- fixed protocol profile selection when parsing AuthnRequest
- added support for Python 3, thanks to Houzefa Abbasbhay from
XCG Consulting
- fixed default value of WantAuthnRequestSigned in metadata parsing
- SAML 2.0 ECP is now functional, thanks to John Dennis from RedHat
- added two new API functions to LassoProfile to extract the Issuer and
InResponseTo attribute of messages, allowing pre-treatment before parsing
the message, to load the metadata of the remote provider, or find the request
which the response matches.
- fixed segfault when parsing HTTP-Redirect malformed base64 content
- added support for automake 1.15 (jdennis)
|
|
v2.10, 07.03.2016
- forgot another change in the v2.00 changelog...
- changed license from GPL to Artistic
- improved kwalitee:
- added license information to meta files
- removed test.pl
- added eg/ecb.pl (command line en- and decryption)
- added dummy cipher, so the test suite makes sense even if there are no block ciphers installed
- refactored test data from test scripts
|
|
|
|
Changelog:
0.22.1 (stable)
* Use SubjectKeyIdentifier for CKA_ID when available [#84761]
* Allow 'BEGIN PUBLIC KEY' PEM blocks in .p11-kit files
* Bump libtool library version
* Build fixes [#84665 ...]
0.22.0 (stable)
* Remove the 'isolated = yes' option due to unclear semantics;
replacement forthcoming in later versions.
* Use secure_getenv() where necessary
* Run separate binary for 'p11-kit remote' command
0.21.3 (unstable)
* New public pkcs11x.h header containing extensions [#83495]
* Export necessary defines to lookup attached extensions [#83495]
* Use term 'attached extensions' rather than 'stapled extensions'
* Make proxy module respect 'critical = no' [#83651]
* Show public-key-info in 'trust list --details'
* Build fixes [#75674 ...]
0.21.2 (unstable)
* Don't use invalid keys for looking up stapled extensions [#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
* Fix build against older pthread implementations [#82617]
* Move to a non-recursive Makefile
* Can now specify which tests to run on command line
0.21.1 (unstable)
* Add new 'isolate' pkcs11 config option [#80472]
* Add 'p11-kit remote' command for isolating modules [#54105]
* Don't complain about C_Finalize after a fork
* Other minor fixes
0.20.3 (stable)
* Fix problems reinitializing managed modules after fork
* Fix bad bookkeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]
0.20.2 (stable)
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [#73558]
* Check for race in BasicConstraints stapled extension [#69314]
* autogen.sh now runs configure as srcdir != builddir by default
* Build fixes and cleanup
0.20.1 (stable)
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
* Build cleanup
0.20.0 (stable)
* Doc fixes
0.19.4 (unstable)
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
* Various debugging tweaks
0.19.3 (unstable)
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Testing fixes
0.19.2 (unstable)
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs highlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
* Build fixes
0.19.1 (unstable)
* Refactor API to be able to handle managed modules
* Deprecate much of old p11-kit API
* Implement concept of managed modules
* Make C_CloseAllSessions function work for multiple callers
* New dependency on libffi
* Fix possible threading problems reported by helgrind
* Add log-calls option
* Mark p11_kit_message() as a stable function
* Use our own unit testing framework
0.18.3 (stable)
* Fix reinitialization of trust module [#65401]
* Fix crash in trust module C_Initialize
* Mac OS fixes [#57714]
0.18.2 (stable)
* Build fixes [#64378 ...]
0.18.1 (stable)
* Put the external tools in $libdir/p11-kit
* Documentation build fixes
0.18.0 (stable)
* Fix use of trust module with gcr and empathy [#62896]
* Further tweaks to trust module date parsing
* Fix unaligned memory reads [#62819]
* Win32 fixes [#63062, #63046]
* Debug and logging tweaks [#62874]
* Other build fixes
0.17.5 (unstable)
* Don't try to guess at overflowing time values on 32-bit systems [#62825]
* Test fixes [#927394]
0.17.4 (unstable)
* Check for duplicate certificates in a token, warn and discard [#62548]
* Implement a proper index so we have decent load performance
0.17.3 (unstable)
* Use descriptive labels for the trust module tokens [#62534]
* Remove the temporary built in distrust objects
* Make extracted output directories and files read-only [#61898]
* Don't export unnecessary ABI
* Build fixes [#62479]
0.17.2 (unstable)
* Fix build on 32-bit linux
* Fix several crashers
0.17.1 (unstable)
* Support a p11-kit specific PKCS#11 attribute persistence format [#62156]
* Use the SHA1 hash of SPKI as the CKA_ID in the trust module by default [#62329]
* Refactor a trust builder which builds objects out of parsed data [#62329]
* Combine trust policy when extracting certificates [#61497]
* The extract --comment option adds comments to PEM bundles [#62029]
* A new 'priority' config option for ordering modules [#61978]
* Make each configured path its own trust module token [#61499]
* Use --with-trust-paths to configure trust module [#62327]
* Fix bug decoding some PEM files
* Better debug output for trust module lookups
* Work around bug in NSS when doing serial number lookups
* Work around broken strndup() function in firefox
* Fix the nickname for the distrusted attribute
* Build fixes
0.16.4 (stable)
* Display per command help again [#62153]
* Don't always print tools debug output [#62152]
0.16.3 (stable)
* When iterating don't skip tokens without the CKF_TOKEN_INITIALIZED flag
* Hardcode some distrust records for NSS temporarily
* Parse global options better in the p11-kit command
* Better debugging
0.16.2 (stable)
* Fix regression in 'p11-kit extract --purpose' option [#62009]
* Documentation updates
* Build fixes [#62001, ...]
0.16.1 (stable)
* Don't break when cA field of BasicConstraints is missing [#61975]
* Documentation fixes and updates
* p11-kit extract-trust is a placeholder script now
0.16.0 (stable)
* Update the pkcs11.h header for new mechanisms
* Fix build and tests on mingw64 (ie: win32)
* Relicense LGPL code to BSD license
* Documentation tweaks
* Pull translations from Transifex [#60792]
* Build fixes [#61739, #60894, #61740]
0.15.2 (unstable)
* Add German and Finnish translations
* Better define the libtasn1 dependency
* Crasher and bug fixes
* Build fixes
0.15.1 (unstable)
* Fix some memory leaks
* Add a location for packages to drop module configs
* Documentation updates and fixes
* Add command line tool manual page
* Remove unused err() function and friends
* Move more code into common/ directory and refactor
* Add a system trust policy module
* Refactor how the p11-kit command line tool works
* Add p11-kit extract and extract-trust commands
* Don't complain if we cannot access ~/.pkcs11/pkcs11.conf
* Refuse to load the p11-kit-proxy.so as a registered module
* Don't fail initialization if last initialized module fails
0.14
* Change default for user-config to merge
* Always URI-encode the 'id' attribute in PKCS#11 URIs
* Expect a .module extension on module configs
* Windows compatibility fixes
* Testing fixes
* Build fixes
0.13
* Don't allow reading of PIN files larger than 4096 bytes
* If a module is not marked as critical then ignore init failure
* Use preconditions to check for input problems and out of memory
* Add enable-in and disable-in options to module config
* Fix the flags in pin.h
* Use gcc extensions to check varargs during compile
* Fix crasher when a duplicate module is present
* Fix broken hashmap behavior
* Testing fixes
* Win32 build fixes
* 'p11-kit -h' now works
* Documentation fixes
0.12
* Build fix
0.11
* Remove automatic reinitialization of PKCS#11 after fork
|
|
|
|
2.0.1
* Fix multiple segfaults (kgovande, rlerdorf)
2.0.0
- PHP 7 Support
- Bug 67658: configure does not detect missing pcre.h
- Bug 67665: update fetch to accept 20X HTTP ranges
- Bug 67883: check SERVER[REDIRECT_HTTP_AUTHORIZATION]
for the Authorization header
|
|
OAuth is an authorization protocol built on top of HTTP which allows
applications to securely access data without having to store usernames
and passwords.
|
|
in runtime failures which weren't previously detected due to a bug in
check-shlibs. Bump PKGREVISION.
|
|
|
|
v2.05, 04.03.2016
- make Crypt::ECB work under perl-5.8.* again
- some changes actually made in v2.00 haven't been mentioned in the changelog
- add some more block ciphers to the test suite
- minor changes in test.pl
- minor documentation update
|
|
|
|
Changelog:
Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2g.
https://www.openssl.org/news/secadv_20160301.txt
* New features
- Added logging the list of client CAs requested by the server.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Only reset the watchdog if some data was actually transferred.
- A workaround implemented for the unexpected exceptfds set by
select() on WinCE 6.0 (thx to Richard Kraemer).
|
|
1.2.3 - 2016-03-01
~~~~~~~~~~~~~~~~~~
* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2g.
|
|
v2.00, 19.02.2016
- better compatibility with current Crypt::CBC:
- allow passing options like Crypt::CBC does (new and old styles)
- allow passing an existing cipher object (RT bug 112020)
- added padding styles, including custom padding
- added methods for accessing keysize and blocksize of a cipher
- remove caching; the feature did finally not seem to make much sense
- use Test::More (thanks to Xavier Guimard for providing a patch, RT bug 82301)
- changed internal attribute names (foo -> _foo and Foo -> foo)
- much more internal code cleanup
- updated documentation
|
|
|
|
|
|
configure with a lesser version.
|
|
SSLv2 which is now the norm in both NetBSD's base system and "pkgsrc".
As the program never supported TLS 1.2 its usefulness was limited anyway.
|
|
not clear all bits. (Can happen on Linux --
https://bugs.launchpad.net/ubuntu/+source/coreutils/+bug/67583)
|
|
## v2.0.0
* Add django_util (#332)
* Avoid OAuth2Credentials `id_token` going out of sync after a token
refresh (#337)
* Move to a `contrib` sub-package code not considered a core part of
the library (#346, #353, #370, #375, #376, #382)
* Add `token_expiry` to `devshell` credentials (#372)
* Move `Storage` locking into a base class (#379)
* Added dictionary storage (#380)
* Added `to_json` and `from_json` methods to all `Credentials`
classes (#385)
* Fall back to read-only credentials on EACCES errors (#389)
* Coalesced the two `ServiceAccountCredentials`
classes (#395, #396, #397, #398, #400)
### Special Note About `ServiceAccountCredentials`:
-------------------------------------------------
For JSON keys, you can create a credential via
```py
from oauth2client.service_account import ServiceAccountCredentials
credentials = ServiceAccountCredentials.from_json_keyfile_name(
    key_file_name, scopes=[...])
```
You can still rely on
```py
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
```
returning these credentials when you set the `GOOGLE_APPLICATION_CREDENTIALS`
environment variable.
For `.p12` keys, construct via
```py
credentials = ServiceAccountCredentials.from_p12_keyfile(
    service_account_email, key_file_name, scopes=[...])
```
though we urge you to use JSON keys (rather than `.p12` keys) if you can.
This is equivalent to the previous method
```py
# PRE-oauth2client 2.0.0 EXAMPLE CODE!
from oauth2client.client import SignedJwtAssertionCredentials
with open(key_file_name, 'rb') as key_file:
    private_key = key_file.read()
credentials = SignedJwtAssertionCredentials(
    service_account_email, private_key, scope=[...])
```
|
|
so force the locale to "C".
Fixes mozilla-rootcerts under Linux.
|
|
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
[Viktor Dukhovni]
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client and
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
(CVE-2016-0800)
[Viktor Dukhovni]
*) Fix a double-free in DSA code
A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications
that receive DSA private keys from untrusted sources. This scenario is
considered rare.
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
libFuzzer.
(CVE-2016-0705)
[Stephen Henson]
*) Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
was changed to ignore the "fake user" SRP seed, even if the seed
is configured.
Users should use SRP_VBASE_get1_by_user instead. Note that in
SRP_VBASE_get1_by_user, caller must free the returned value. Note
also that even though configuring the SRP seed attempts to hide
invalid usernames by continuing the handshake with fake
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
(CVE-2016-0798)
[Emilia Käsper]
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This can leave the internal BIGNUM data
field as NULL leading to a subsequent NULL ptr deref. For very large values
of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
In this case memory is allocated to the internal BIGNUM data field, but it
is insufficiently sized leading to heap corruption. A similar issue exists
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
is ever called by user applications with very large untrusted hex/dec data.
This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.
This issue was reported to OpenSSL by Guido Vranken.
(CVE-2016-0797)
[Matt Caswell]
*) Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string in
the BIO_*printf functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an
OOB memory location (at an offset from the NULL pointer) in the event of a
memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can
also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue was reported to OpenSSL by Guido Vranken.
(CVE-2016-0799)
[Matt Caswell]
*) Side channel attack on modular exponentiation
A side-channel attack was found which makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture which could lead to the recovery
of RSA keys. The ability to exploit this issue is limited as it relies on
an attacker who has control of code in a thread running on the same
hyper-threaded core as the victim thread which is performing decryptions.
This issue was reported to OpenSSL by Yuval Yarom, The University of
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
Nadia Heninger, University of Pennsylvania with more information at
http://cachebleed.info.
(CVE-2016-0702)
[Andy Polyakov]
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default.
[Emilia Käsper]
|
|
From http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.6-relnotes.txt
This release is based on the stable OpenBSD 5.8 branch.
* Deprecated the SSL_OP_SINGLE_DH_USE flag
|
|
insensitive filesystem.
|
|
Resolves PR 50625
Thanks to jgw AT SDF for PR and kamil@ for the heads up.
|
|
on Darwin/64-bit.
|
|
The ssh_packet_read_poll2 function in packet.c allows remote attackers to
cause a denial of service.
|
|
|
|
|
|
Upstream changes:
News:
The main motivations for this release are bug fixes related to use
cases with large number of zones (more than 50 zones) in combination
with an XFR based setup. Too many concurrent zone transfers cause
new transfers to be held back. These excess transfers however were
not properly scheduled for later.
No migration steps needed when upgrading from OpenDNSSEC 1.4.8.
Bugfixes:
* Add TCP waiting queue. Fix signer getting `stuck' when adding
many zones at once. Thanks to Havard Eidnes for bringing this
to our attention.
* OPENDNSSEC-723: received SOA serial reported as on disk.
* Fix potential locking issue on SOA serial.
* Crash on shutdown. At all times join xfr and dns handler threads.
* Make handling of notifies more consistent. Previous implementation
would bounce between code paths.
|
|
|
|
|
|
Changes:
libssh2_session_set_last_error: Add function
mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
WinCNG: support for SHA256/512 HMAC
kex: Added diffie-hellman-group-exchange-sha256 support
OS/400 crypto library QC3 support
Bug fixes:
diffie_hellman_sha256: convert bytes to bits CVE-2016-0787
SFTP: Increase speed and datasize in SFTP read
openssl: make libssh2_sha1 return error code
openssl: fix memleak in _libssh2_dsa_sha1_verify()
cmake: include CMake files in the release tarballs
Fix builds with Visual Studio 2015
hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
GNUmakefile: add -m64 CFLAGS when targeting mingw64
kex: free server host key before allocating it (again)
SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
channel: Detect bad usage of libssh2_channel_process_startup
userauth: Fix off by one error when reading public key file
kex: removed dupe entry from libssh2_kex_methods
_libssh2_error: Support allocating the error message
hostkey: fix invalid memory access if libssh2_dsa_new fails
hostkey: align code path of ssh_rsa_init to ssh_dss_init
libssh2.pc.in: fix the output of pkg-config --libs
wincng: fixed possible memory leak in _libssh2_wincng_hash
wincng: fixed _libssh2_wincng_hash_final return value
add OpenSSL 1.1.0-pre2 compatibility
agent_disconnect_unix: unset the agent fd after closing it
sftp: stop reading when buffer is full
sftp: Send at least one read request before reading
sftp: Don't return EAGAIN if data was written to buffer
sftp: Check read packet file offset
configure: build "silent" if possible
openssl: add OpenSSL 1.1.0-pre3-dev compatibility
GNUmakefile: list system libs after user libs
|
|
They all build, I checked :)
|
|
version 0.7.3 (released 2016-01-23)
* Fixed CVE-2016-0739
* Fixed ssh-agent on big endian
* Fixed some documentation issues
|
|
|
|
|
|
16.0.0 (2016-02-18)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Python 3.3 and 2.6 aren't supported anymore.
They may work by chance but any effort to keep them working has ceased.
The last Python 2.6 release was on October 29, 2013 and isn't supported by the CPython core team anymore.
Major Python packages like Django and Twisted dropped Python 2.6 a while ago already.
Python 3.3 never had a significant user base and wasn't part of any distribution's LTS release.
- pyOpenSSL versions older than 0.14 are not tested anymore.
They don't even build with recent OpenSSL versions.
Changes:
^^^^^^^^
- Officially support Python 3.5.
- ``service_identity.SubjectAltNameWarning`` is now raised if the server certificate lacks a proper ``SubjectAltName``.
[`#9 <https://github.com/pyca/service_identity/issues/9>`_]
- Add a ``__str__`` method to ``VerificationError``.
- Port from ``characteristic`` to its spiritual successor `attrs <https://attrs.readthedocs.org/>`_.
|
|
+ get rid of calls to snprintf which simply add the returned value to
the number of characters used so far. This practice is unsafe. Instead,
use a dynamic buffer and grow its size to accommodate the contents.
+ add USE_ARG definition to some files which use it but don't check to
see that it's been defined
pkgsrc changes:
+ Bump version number to 20160214
+ Use the same method as libnetpgpverify for finding the version number
from the sources.
|
|
Changes:
2015.11.20.1
------------
o Add Equifax Secure CA to weak 1024 bit bundle.
2015.11.20
----------
o Ship weak.pem cert bundle.
|
|
Needed by py-google-api-python-client-1.4.2.
## v1.5.2
* Add access token refresh error class that includes HTTP status (#310)
* Python3 compatibility fixes for Django (#316, #318)
* Fix incremental auth in flask_util (#322)
* Fall back to credential refresh on EDEADLK in multistore_file (#336)
## v1.5.1
* Fix bad indent in `tools.run_flow()` (#301, bug was
introduced when switching from 2 space indents to 4)
## v1.5.0
* Fix (more like clarify) `bytes` / `str` handling in crypto
methods. (#203, #250, #272)
* Replacing `webapp` with `webapp2` in `oauth2client.appengine` (#217)
* Added optional `state` parameter to
`step1_get_authorize_url`. (#219 and #222)
* Added `flask_util` module that provides a Flask extension to aid
with using OAuth2 web server flow. This provides the same functionality
as the `appengine.webapp2` OAuth2Decorator, but will work with any Flask
application regardless of hosting environment. (#226, #273)
* Track scopes used on credentials objects (#230)
* Moving docs to [readthedocs.org][1] (#237, #238, #244)
* Removing `old_run` module. Was deprecated July 2, 2013. (#285)
* Avoid proxies when querying for GCE metadata (to check if
running on GCE) (#114, #293)
[1]: https://readthedocs.org/
## v1.4.12
* Fix OS X flaky test failure (#189).
* Fix broken OpenSSL import (#191).
* Remove `@util.positional` from wrapped request in `Credentials.authorize()`
(#196, #197).
* Changing pinned dependencies to `>=` (#200, #204).
* Support client authentication using `Authorization` header (#206).
* Clarify environment check in case where GAE imports succeed but GAE services
aren't available (#208).
## v1.4.11
* Better environment detection with Managed VMs.
* Better OpenSSL detection in exotic environments.
## v1.4.10
* Update the `OpenSSL` check to be less strict about finding `crypto.py` in
the `OpenSSL` directory.
* `tox` updates for new environment handling in `tox`.
## v1.4.9
* Ensure that the ADC fails if we try to *write* the well-known file to a
directory that doesn't exist, but not if we try to *read* from one.
## v1.4.8
* Better handling of `body` during token refresh when `body` is a stream.
* Better handling of expired tokens in storage.
* Cleanup around `openSSL` import.
* Allow custom directory for the `well_known_file`.
* Integration tests for python2 and python3. (!!!)
* Stricter file permissions when saving the `well_known_file`.
* Test cleanup around config file locations.
## v1.4.7
* Add support for Google Developer Shell credentials.
* Better handling of filesystem errors in credential refresh.
* python3 fixes
* Add `NO_GCE_CHECK` for skipping GCE detection.
* Better error messages on `InvalidClientSecretsError`.
* Comment cleanup on `run_flow`.
## v1.4.6
* Add utility function to convert PKCS12 key to PEM. (#115)
* Change GCE detection logic. (#93)
* Add a tox env for doc generation.
## v1.4.5
* Set a shorter timeout for an Application Default Credentials issue on some
networks. (#93, #101)
* Test cleanup, switch from mox to mock. (#103)
* Switch docs to sphinx from epydoc.
## v1.4.4
* Fix a bug in bytes/string encoding of headers.
## v1.4.3
* Big thanks to @dhermes for spotting and fixing a mess in our test setup.
* Fix a serious issue with tests not being run. (#86, #87, #89)
* Start credentials cleanup for single 2LO/3LO call. (#83, #84)
* Clean up stack traces when re-raising in some places. (#79)
* Clean up doc building. (#81, #82)
* Fixed minimum version for `six` dependency. (#75)
|
|
|
|
What is the Tor Browser?
The Tor software protects you by bouncing your communications around
a distributed network of relays run by volunteers all around the
world: it prevents somebody watching your Internet connection from
learning what sites you visit, it prevents the sites you visit from
learning your physical location, and it lets you access sites which
are blocked.
|
|
Noteworthy changes in version 1.6.5 (2016-02-09) [C20/A0/R5]
------------------------------------------------
* Mitigate side-channel attack on ECDH with Weierstrass curves
[CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
details.
* Fix build problem on Solaris.
|
|
No upstream changelog.
|
|
Upstream changes:
0.11 2015-10-09 rurban
- add libressl support, unsupported random_egd() with libressl
0.10 2015-02-04 rurban
- fix LIBS argument, fatal on Windows. thanks to kmx
0.09 2015-02-04 rurban
- add missing hints/MSWin32.pl (kmx, RT #56455)
- add a couple of distro tests
- fix gcov target
0.08 2015-02-03 rurban
- remove Devel::CheckLib which does not work for 2 required libs
- replace DynaLoader by XSLoader
0.07 2015-02-03 rurban
- Bump version to publish an official release
0.06 rurban
- Typo in doc (dsteinbrunner)
0.05 2013-04-02 14:31:30 rurban
- Add inc/Devel/CheckLib, improve POD, add README and some helper targets
- Better diagnostics when the openssl libraries are not found
- Support INCDIR= and LIBDIR= arguments to Makefile.PL
- Add MSWin32 hints to find the openssl libraries
- Autocreate README
- Fix some -Wpointer-sign warnings
- Remove wrong Crypt::OpenSSL::RSA package names in docs and errmsg
|
|
Upstream changes:
0.15 2015/02/03
- #84367 Win32 compatibility patch
- #80369 fix errors in POD. Mainly just missing =over/=back
- #80368 Makefile.PL: unneeded -lssl in LIBS
|
|
2.024 2016/02/06
- Work around issue where the connect fails on systems having only a loopback
interface and where IO::Socket::IP is used as super class (default when
available). Since IO::Socket::IP sets AI_ADDRCONFIG by default connect to
localhost would fail on these systems. This happened at least for the tests,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
Workaround is to explicitly set GetAddrInfoFlags to 0 if no GetAddrInfoFlags
is set but the Family/Domain is given. In this case AI_ADDRCONFIG would not
be useful anyway but would cause at most harm.
|