path: root/security
Age  Commit message  (Author, Files, Lines: -removed/+added)
2018-10-29  py-cryptodome: updated to 3.7.0  (adam, 3 files, -8/+22)
3.7.0:
New features
* Added support for Poly1305 MAC (with AES and ChaCha20 ciphers for key derivation).
* Added support for ChaCha20-Poly1305 AEAD cipher.
* New parameter output for Crypto.Util.strxor.strxor, Crypto.Util.strxor.strxor_c, encrypt and decrypt methods in symmetric ciphers (Crypto.Cipher package). output is a pre-allocated buffer (a bytearray or a writeable memoryview) where the result must be stored. This requires less memory for very large payloads; it is also more efficient when encrypting (or decrypting) several small payloads.
Resolved issues
* AES-GCM hangs when processing more than 4GB at a time on x86 with PCLMULQDQ instruction.
Breaks in compatibility
* Drop support for Python 3.3.
* Remove Crypto.Util.py3compat.unhexlify and Crypto.Util.py3compat.hexlify.
* With the old Python 2.6, use only ctypes (and not cffi) to interface to native code.
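As an added worked example, not pycryptodome's own code, here is the construction behind the two new primitives in that entry, written out in pure Python against RFC 8439: Poly1305 as a one-time MAC whose key is derived from the first ChaCha20 keystream block, and the two combined into the ChaCha20-Poly1305 AEAD. The test vector is the AEAD vector from RFC 8439 section 2.8.2; the decrypt path shows the check that matters in practice, a constant-time tag comparison before any plaintext is released. The pure-Python loop has no analogue of pycryptodome's pre-allocated `output` buffer.

```python
import hmac
import struct

MASK32 = 0xffffffff
P1305 = (1 << 130) - 5                           # Poly1305 prime 2^130 - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff     # clears the bits RFC 8439 requires cleared in r


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key, 32-bit counter and 12-byte nonce."""
    state = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
    state += list(struct.unpack("<8L", key)) + [counter] + list(struct.unpack("<3L", nonce))
    w = list(state)
    for _ in range(10):                            # 20 rounds as 10 column+diagonal double rounds
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *idx)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, counter, data):
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def poly1305_mac(otk, msg):
    """Poly1305 with a 32-byte one-time key r || s; each 16-byte block gets a 0x01 byte appended."""
    r = int.from_bytes(otk[:16], "little") & R_CLAMP
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for off in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[off:off + 16] + b"\x01", "little")) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b"\x00" * (-len(b) % 16)


def _aead_tag(key, nonce, aad, ct):
    otk = chacha20_block(key, 0, nonce)[:32]      # keystream block 0 is the Poly1305 one-time key
    mac_input = aad + _pad16(aad) + ct + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))
    return poly1305_mac(otk, mac_input)


def chacha20_poly1305_encrypt(key, nonce, aad, plaintext):
    ct = chacha20_xor(key, nonce, 1, plaintext)   # encryption keystream starts at block 1
    return ct, _aead_tag(key, nonce, aad, ct)


def chacha20_poly1305_decrypt(key, nonce, aad, ct, tag):
    # Verify in constant time and before releasing any plaintext; decrypt-then-check
    # ordering is the classic AEAD misuse.
    if not hmac.compare_digest(_aead_tag(key, nonce, aad, ct), tag):
        raise ValueError("authentication failed")
    return chacha20_xor(key, nonce, 1, ct)


# RFC 8439 section 2.8.2 AEAD test vector (key 80..9f, nonce = 07000000 || 4041424344454647).
RFC_KEY = bytes(range(0x80, 0xa0))
RFC_NONCE = bytes.fromhex("070000004041424344454647")
RFC_AAD = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
RFC_PT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
RFC_TAG = bytes.fromhex("1ae10b594f09e26a7e902ecbd0600691")


def rfc_vector_tag():
    return chacha20_poly1305_encrypt(RFC_KEY, RFC_NONCE, RFC_AAD, RFC_PT)[1]


def tamper_detected():
    """Flip one ciphertext bit and confirm decryption refuses instead of returning garbage."""
    ct, tag = chacha20_poly1305_encrypt(RFC_KEY, RFC_NONCE, RFC_AAD, RFC_PT)
    try:
        chacha20_poly1305_decrypt(RFC_KEY, RFC_NONCE, RFC_AAD, bytes([ct[0] ^ 1]) + ct[1:], tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("RFC 8439 tag matches:", rfc_vector_tag() == RFC_TAG)
    print("tampering detected:", tamper_detected())
```

Because the Poly1305 key is a keystream block of the same (key, nonce) pair, reusing a nonce under one key leaks both the keystream and r, so nonce uniqueness is the precondition for everything above.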
2018-10-24  *: (belatedly) revbump for net/libsoup update  (leot, 2 files, -4/+4)
Thanks to <wiz>!
2018-10-24  Revbump packages that depend on hunspell.  (bsiegert, 1 file, -2/+2)
The recent hunspell update has changed the name of the library, so these need to be rebuilt. Prodded by wiz@ and leot@.
2018-10-24  clamav: Fix build on SunOS C99.  (jperkin, 1 file, -2/+5)
2018-10-23  mozilla: Don't --enable-pie on SunOS.  (jperkin, 1 file, -1/+5)
2018-10-23  py-rsa: Ensure previous fix works with python2.  (jperkin, 2 files, -4/+6)
2018-10-19  security/ruby-bcrypt_pbkdf: Add u_int*_t compat.  (jperkin, 2 files, -1/+25)
2018-10-19  ruby-metasploit-payloads: SSP skip bundled Android libs.  (jperkin, 1 file, -1/+2)
2018-10-19  py-rsa: Pull in build fix from sybrenstuvel/python-rsa#122  (jperkin, 2 files, -1/+17)
2018-10-18  py-certifi: updated to 2018.10.15  (adam, 2 files, -9/+9)
2018.10.15: Unknown changes
2018-10-16  libssh: update to 0.7.6. security fix.  (maya, 3 files, -13/+13)
version 0.7.6 (released 2018-10-16)
* Fixed CVE-2018-10933
* Added support for OpenSSL 1.1
* Added SHA256 support for ssh_get_publickey_hash()
* Fixed config parsing
* Fixed random memory corruption when importing pubkeys
version 0.7.5 (released 2017-04-13)
* Fixed a memory allocation issue with buffers
* Fixed PKI on Windows
* Fixed some SSHv1 functions
* Fixed config hostname expansion
version 0.7.4 (released 2017-02-03)
* Added id_ed25519 to the default identity list
* Fixed sftp EOF packet handling
* Fixed ssh_send_banner() to conform with RFC 4253
* Fixed some memory leaks
2018-10-15  Updated security/ocaml-safepass to version 3.0.  (jaapb, 4 files, -16/+18)
Changes include:
- use jbuilder for building
- allow picking different versions of Bcrypt hashes
- use unbuffered IO to read only required number of bytes from /dev/urandom
2018-10-15  py-libtaxii: updated to 1.1.111  (adam, 3 files, -12/+106)
Version 1.1.111:
Update clients.py to work with Python 2.6, 3.3, 3.5, and 3.6.
Add Python 3.6 support.
Handle Unicode- and byte-strings consistently.
Add timeout parameter to call_taxii_service2 (@mbekavac)
Add support for STIX 1.2.
Add user_agent parameter to call_taxii_service2
2018-10-13  libtasn1: Update security/libtasn1 to 4.13  (leot, 2 files, -8/+7)
Changes:
- On indefinite string decoding, set a maximum level of allowed recursions (3) to protect the BER decoder from a stack exhaustion.
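To make the defence in that entry concrete, here is an added illustration in Python, not libtasn1's code: a minimal BER decoder that walks definite- and indefinite-length encodings recursively and caps how deep indefinite-length (0x80, closed by the 00 00 end-of-contents octets) nesting may go. The limit of 3 is the value the entry states; the decoder itself, its other sanity limits, and the sample inputs are constructed for this example. An attacker who controls the input can open indefinite-length constructed elements at will, so without the cap each level costs one more stack frame.

```python
class BerError(ValueError):
    pass


MAX_INDEFINITE_DEPTH = 3   # the cap the libtasn1 4.13 entry describes


def _read_tag(data, pos):
    """Return (identifier bytes, constructed flag, next position); supports high-tag-number form."""
    if pos >= len(data):
        raise BerError("truncated identifier")
    first = data[pos]
    end = pos + 1
    if first & 0x1f == 0x1f:                       # tag number continues in following bytes
        while True:
            if end >= len(data):
                raise BerError("truncated identifier")
            end += 1
            if not data[end - 1] & 0x80:
                break
    return bytes(data[pos:end]), bool(first & 0x20), end


def _read_length(data, pos):
    """Return (length, next position); length is None for the indefinite form (0x80)."""
    if pos >= len(data):
        raise BerError("truncated length")
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x80:
        return None, pos + 1
    n = first & 0x7f
    if n > 4 or pos + 1 + n > len(data):          # 0xff is reserved; more than 4 octets is rejected here
        raise BerError("bad long-form length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_items(data, pos, end, indef_depth, max_depth, indefinite):
    """Decode TLVs in data[pos:end] into (tag, value) pairs; value is bytes or a nested list."""
    items = []
    while pos < end:
        if indefinite and data[pos] == 0x00:       # end-of-contents octets 00 00 close this level
            if pos + 1 >= end or data[pos + 1] != 0x00:
                raise BerError("malformed end-of-contents")
            return items, pos + 2
        tag, constructed, pos = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        if length is None:
            # Indefinite form: the extent is unknown until the matching 00 00, so the decoder
            # must recurse; attacker-controlled nesting is exactly what the depth cap bounds.
            if not constructed:
                raise BerError("indefinite length on a primitive encoding")
            if indef_depth >= max_depth:
                raise BerError("indefinite-length nesting deeper than %d" % max_depth)
            children, pos = _decode_items(data, pos, end, indef_depth + 1, max_depth, True)
            items.append((tag, children))
            continue
        if pos + length > end:
            raise BerError("length runs past the enclosing element")
        if constructed:
            children, _ = _decode_items(data, pos, pos + length, indef_depth, max_depth, False)
            items.append((tag, children))
        else:
            items.append((tag, bytes(data[pos:pos + length])))
        pos += length
    if indefinite:
        raise BerError("missing end-of-contents")
    return items, pos


def decode(data, max_depth=MAX_INDEFINITE_DEPTH):
    items, _ = _decode_items(data, 0, len(data), 0, max_depth, False)
    return items


def rejects(data, max_depth=MAX_INDEFINITE_DEPTH):
    try:
        decode(data, max_depth)
    except BerError:
        return True
    return False


# Constructed sample inputs for this example: SEQUENCE (0x30) wrappers around INTEGER 1.
def nested_indefinite(levels):
    return b"\x30\x80" * levels + b"\x02\x01\x01" + b"\x00\x00" * levels


def nested_definite(levels):
    body = b"\x02\x01\x01"
    for _ in range(levels):
        body = b"\x30" + bytes([len(body)]) + body
    return body


if __name__ == "__main__":
    print(decode(nested_indefinite(1)))
    print("4 indefinite levels rejected:", rejects(nested_indefinite(4)))
```

Definite-length nesting is bounded by the input size, which is why the cap here applies only to the indefinite form, as the entry describes; a decoder fed untrusted input of unbounded size should still cap total recursion as well.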
2018-10-13  update from 0.16.0 to 0.19.0  (mlelstv, 7 files, -38/+53)
Project moved from sourceforge to github.
2018-10-13  update from 1.8.20 to 1.8.24  (mlelstv, 2 files, -9/+10)
new master site https://pcsclite.apdu.fr
2018-10-11  this gpgme wants gpgrt_calloc etc that are introduced with libgpg-error 1.28  (spz, 1 file, -2/+2)
2018-10-11  easy-rsa: updated to 3.0.5  (adam, 3 files, -13/+15)
3.0.5:
Fix: use AES256 for CA key
Also, don't use read -s, use stty -echo
Fix broken "nopass" option
Add -r to read to stop errors reported by shellcheck (and to behave)
remove overzealous quotes around $pkcs_opts (more SC errors)
Support for LibreSSL (now works on latest version of MacOS)
EasyRSA version will be reported in certificate comments
Client certificates now expire in 3 years (1080 days) by default
2018-10-07  ## 0.11.2 (October 2nd, 2018)  (fhajny, 2 files, -7/+7)
CHANGES:
- `sys/seal-status` now includes an `initialized` boolean in the output. If Vault is not initialized, it will return a `200` with this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from being provided to backends based on a global denylist.
FEATURES:
- AWS Secret Engine Root Credential Rotation: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise): AliCloud KMS can now be used as a supported seal for Auto Unseal and Seal Wrapping.
BUG FIXES:
- auth/okta: Fix reading deprecated `token` parameter if a token was previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is written
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too early
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry
IMPROVEMENTS:
- auth/aws: The identity alias name can now be configured to be either IAM unique ID of the IAM Principal, or ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog to allow operators to include environment variables during plugin execution.
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization Bearer header
- replication: Reindex process now runs in the background and does not block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing with a "force" flag
2018-10-07  py-rsa: updated to 4.0  (adam, 4 files, -32/+38)
Version 4.0:
- Removed deprecated modules:
  - rsa.varblock
  - rsa.bigfile
  - rsa._version133
  - rsa._version200
- Removed CLI commands that use the VARBLOCK/bigfile format.
- Ensured that PublicKey.save_pkcs1() and PrivateKey.save_pkcs1() always return bytes.
- Dropped support for Python 2.6 and 3.3.
- Dropped support for Psyco.
- Miller-Rabin iterations determined by bitsize of key.
- Added function rsa.find_signature_hash() to return the name of the hashing algorithm used to sign a message. rsa.verify() now also returns that name, instead of always returning True.
- Add support for SHA-224 for PKCS1 signatures.
- Transitioned from requirements.txt to Pipenv for package management.
2018-10-03  sqlmap: Update security/sqlmap to 1.2.10  (leot, 3 files, -12/+15)
Changes:
- Unfortunately no changelog is provided, but according to the commit messages: bug fixes and misc improvements.
2018-10-03  sudo: update PLIST for zh_TW locale  (triaxx, 1 file, -1/+2)
2018-10-02  Update to 0.31  (wen, 2 files, -8/+7)
Upstream changes:
0.31 Mon Sep 24 2018
- Remove default of SHA256 for RSA keys. This has caused significant problems with downstream modules and it has always been possible to do $key->use_sha256_hash()
2018-10-02  Update to 2.060  (wen, 2 files, -8/+7)
Upstream changes:
2.060 2018/09/16
- support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too)
  Thanks to ppisar[AT]redhat.com for major help
  see also https://rt.cpan.org/Ticket/Display.html?id=126899
  TLS 1.3 support is not complete yet for session resume
2018-09-27  gnutls: be explicit about --without-idn  (tnn, 1 file, -1/+2)
2018-09-27  p11-kit: Avoid non-portable use of readlink(1) in Makefile.  (tnn, 2 files, -5/+15)
2018-09-27  zkt: switch to an existing bind version  (wiz, 1 file, -3/+2)
Only used on DragonFly
2018-09-26  Fix segfault from -y case  (ryoon, 3 files, -3/+19)
* Bump PKGREVISION
2018-09-24  py-oauth2client: updated to 4.1.3  (adam, 2 files, -7/+9)
v4.1.3
**Note**: oauth2client is deprecated. No more features will be added to the libraries and the core team is turning down support.
* Changed OAuth2 endpoints to use oauth2.googleapis.com variants.
2018-09-23  Use correct versioned Go dependency, subst go tool path.  (bsiegert, 1 file, -2/+9)
2018-09-23  security/ruby-rex-powershell: update to 0.1.79  (taca, 2 files, -7/+7)
0.1.78 (2018-06-21)
* Land #13, Update cmd_psh_payload to simplify exec_in_place
0.1.79 (2018-08-01)
* Land #12, Update GetMethod for GetProcAddress for Windows 10 1803
2018-09-23  security/ruby-rex-exploitation: update to 0.1.19  (taca, 2 files, -7/+7)
0.1.18
* Add CmdStager option to skip command compression
0.1.19
* Rename opts[:nocompress] to opts[:noconcat]
2018-09-23  security/ruby-rex-text: update to 0.2.21  (taca, 3 files, -8/+9)
0.2.17 (2018-02-09)
* Land #9, remove use of 'fun' keyword
* Land #10, add rand_country
0.2.18 (2018-04-12)
* Land #11, ranges for rand_base and rand_text_*
0.2.19 (2018-04-18)
* Land #13, add text encryption / encoding wrappers
0.2.20 (2018-04-18)
* Land #14, remove RC4/SHA256 support
* Land #12, bump ruby deps
0.2.21 (2018-06-13)
* Land #16, simplify shuffle_a implementation
* Land #17, speedup to_mixed_case_array
* Land #18, use single regular expression for strict case
* Land #19, remove unnecessary gsub regex to remove newline
* Land #21, add SHA2 digest wrappers
2018-09-23  security/ruby-rex-socket: update to 0.1.15  (taca, 2 files, -7/+7)
0.1.13
* add helper methods for determining supported SSL version methods
0.1.14
* Add IPv6 support to addr_atoc and addr_ctoa
0.1.15
* SSH socket registration removed
2018-09-23  security/ruby-metasploit_payloads-mettle: update to 0.4.2  (taca, 3 files, -12/+8)
No proper change log is available. Please refer to the commit log: <https://github.com/rapid7/mettle/commits/master>.
2018-09-23  security/ruby-metasploit-payloads: update to 1.3.49  (taca, 3 files, -8/+10)
No proper change log is available. Please refer to the commit log: <https://github.com/rapid7/metasploit-payloads/commits/master>.
2018-09-23  security/ruby-sshkit: update to 1.17.0  (taca, 2 files, -7/+7)
## [1.17.0][] (2018-07-07)
* [#430](https://github.com/capistrano/sshkit/pull/430): [Feature] Command Argument STDOUT/capistrano.log Hiding - [@NorseGaud](https://github.com/NorseGaud)
## [1.16.1][] (2018-05-20)
* [#425](https://github.com/capistrano/sshkit/pull/425): Command#group incorrectly escapes double quotes, resulting in a syntax error when specifying the group execution using `as`. This issue manifested when user command quotes changed from double quotes to single quotes. This fix removes the double quote escaping - [@pblesi](https://github.com/pblesi).
2018-09-23  security/ruby-nexpose: update to 7.2.1  (taca, 2 files, -7/+7)
v7.2.1 (2018-06-01)
Merged pull requests:
* When passed a filename, download a report in chunks #321 (toofishes)
2018-09-23  security/ruby-net-ssh: update to 5.0.2  (taca, 3 files, -14/+15)
=== 5.0.2
* fix ctr for jruby [#612]
=== 5.0.1
* default_keys were not loaded even if no keys or key_data options specified [#607]
=== 5.0.0
* Breaking change: ed25519 now requires ed25519 gem instead of RbNaCl gem [#563]
* Verify_host_key options rename (true, false, :very, :secure deprecated; new equivalents are :never, :accept_new_or_local_tunnel, :accept_new, :always) [Jared Beck, #595]
=== 5.0.0.rc2
* Add .dll extensions to dlopen on cygwin [#603]
* Fix host certificate validation [#601]
=== 5.0.0.rc1
* Fix larger than 4GB file transfers [#599]
* Update HTTP proxy to version 1.1 [Connor Dunn, #597]
=== 5.0.0.beta2
* Support for sha256 pubkey fingerprint [Tom Maher, #585]
* Don't try to load default_keys if key_data option is used [Josh Larson, #589]
* Added fingerprint_hash defaulting to SHA256 as fingerprint format, and MD5 can be used as an option [Miklós Fazekas, #591]
=== 5.0.0.beta1
* Don't leave proxy command as zombie on timeout [DimitriosLisenko, #560]
* Use OpenSSL for aes*-ctr for up to 5x throughput improvement [Miklós Fazekas, Harald Sitter, #570]
* Optimize slice! usage in CTR for up to 2x throughput improvement [Harald Sitter, #569]
* Replace RbNaCl dependency with ed25519 gem [Tony Arcieri, #563]
* Add initial Match support [Kasumi Hanazuki, #553]
2018-09-23  security/ruby-bcrypt: update to 3.1.12  (taca, 3 files, -8/+9)
3.1.12 May 16 2018
- Add support for Ruby 2.3, 2.4, and 2.5 in compiled Windows binaries
- Fix compatibility with libxcrypt [GH #164 by @besser82]
2018-09-23  password-store: Adjust BASE64 definition as part of fixsh SUBST class  (leot, 1 file, -2/+3)
Instead of using a generic `base64', initialize the BASE64 variable in order to actually use converters/base64 (this was problematic when, for example, NetBSD base64(1) was used). Bump PKGREVISION
2018-09-23  security/sudo: update to 1.8.25p1  (taca, 2 files, -7/+7)
What's new in Sudo 1.8.25p1
* Fixed a bug introduced in sudo 1.8.25 that caused a crash on systems that have the poll() function but not the ppoll() function. Bug #851.
2018-09-21  gnutls: add another REPLACE_BASH so the tests all run through  (wiz, 1 file, -1/+2)
2018-09-21  py-paramiko: updated to 2.4.2  (adam, 4 files, -15/+12)
2.4.2:
Fix exploit (CVE pending) in Paramiko's server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication. Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).
Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably didn't cause any outright errors, but it doesn't seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
2018-09-21  py-asyncssh: updated to 1.14.0  (adam, 2 files, -7/+7)
Release 1.14.0:
Changed license from EPL 1.0 to EPL 2.0 with GPL 2.0 or later as an available secondary license.
Added support for automatically parallelizing large reads and writes made using the SFTPClientFile class, similar to what was already available in the get/put/copy methods of SFTPClient.
Added support for get_extra_info() in SSH process classes, returning information associated with the channel the process is tied to.
Added new set_extra_info() method on SSH connection and channel classes, allowing applications to store additional information on these objects.
Added handlers for OpenSSH keepalive global & channel requests to avoid messages about unknown requests in the debug log. These requests are still logged, but at debug level 2 instead of 1 and they are not labeled as unknown.
Fixed race condition when closing sockets associated with forwarded connections.
Improved error handling during connection close in SFTPClient.
Worked around issues with integer overflow on systems with a 32-bit time_t value when dates beyond 2038 are used in X.509 certificates.
Added guards around some imports and tests which were causing problems on Fedora 27.
Changed debug level for reporting PTY modes from 1 to 2 to reduce noise in the logs.
Improved SFTP debug log output when sending EOF responses.
2018-09-21  sudo: updated to 1.8.25  (adam, 2 files, -7/+7)
What's new in Sudo 1.8.25
* Fixed a bug introduced in sudo 1.8.20 that broke formatting of I/O log timing file entries on systems without a C99-compatible snprintf() function. Our replacement snprintf() doesn't support floating point so we can't use the "%f" format directive.
* I/O log timing file entries now use a monotonic timer and include nanosecond precision. A monotonic timer that does not increment while the system is sleeping is used where available.
* Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP backend was not being properly parsed.
* When sudo runs a command in a pseudo-tty, the slave device is now closed in the main process immediately after starting the monitor process. This removes the need for an AIX-specific workaround that was added in sudo 1.8.24.
* Added support for monotonic timers on HP-UX.
* Fixed a bug displaying timeout values in the "sudo -V" output. The value displayed was 3600 times the actual value.
* Fixed a build issue on AIX 7.1 BOS levels that include memset_s() and define rsize_t in string.h.
* The testsudoers utility now supports querying an LDIF-format policy.
* Sudo now sets the LOGIN environment variable to the same value as LOGNAME on AIX systems.
* Fixed a regression introduced in sudo 1.8.24 where the LDAP and SSSD backends evaluated the rules in reverse sudoOrder.
2018-09-19  password-store: Remove no longer needed patch-contrib_dmenu_passmenu  (leot, 3 files, -21/+3)
xdotool-3.20160805.1 supports the --file option. Please also note that with the previous patch, spaces in passwords were ignored, possibly leading to a surprising and incorrect paste, sorry for that! (now they should work fine) Bump PKGREVISION
2018-09-14  Remove decade-old warning that stunnel moved from sbin to bin.  (schmonz, 1 file, -7/+0)
2018-09-12  security/openssl: Update to 1.0.2p.  (fhajny, 3 files, -9/+9)
- Client DoS due to large DH parameter
  During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken (CVE-2018-0732)
  [Guido Vranken]
- Cache timing vulnerability in RSA Key Generation
  The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. (CVE-2018-0737)
  [Billy Brumley]
- Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only.
  [Richard Levitte]
- Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication.
  [Andy Polyakov]
- Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128.
  [Kurt Roeckx, Annie Yousar]
- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  [Kurt Roeckx]
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group).
  [Matt Caswell]
- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
  [Richard Levitte]
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
  [Emilia Käsper]
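The client-side defence the CVE-2018-0732 entry implies, as an added example in Python that is not OpenSSL's code: parse the ServerDHParams at the start of a TLS 1.2 DHE ServerKeyExchange body (RFC 5246 section 7.4.3: dh_p, dh_g and dh_Ys, each an opaque vector with a 2-byte big-endian length prefix) and reject the prime on size before doing any modular exponentiation with it. The 8192-bit cap and 2048-bit floor are assumed policy values chosen for this example, not OpenSSL's limits; the sample messages are constructed, and the primality of p is deliberately not tested here.

```python
import struct

MAX_DH_PRIME_BITS = 8192   # assumed policy cap for this example
MIN_DH_PRIME_BITS = 2048   # assumed policy floor for this example


class DHParamError(ValueError):
    pass


def _read_vec16(buf, pos):
    """Read an opaque<1..2^16-1> vector: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise DHParamError("truncated length")
    n, = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if n == 0 or pos + n > len(buf):
        raise DHParamError("bad vector length %d" % n)
    return buf[pos:pos + n], pos + n


def parse_server_dh_params(body):
    """Return (p, g, Ys, offset of the signed_params that follow) from a ServerKeyExchange body."""
    p_bytes, pos = _read_vec16(body, 0)
    g_bytes, pos = _read_vec16(body, pos)
    ys_bytes, pos = _read_vec16(body, pos)
    return (int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"), pos)


def check_server_dh_params(p, g, ys, max_bits=MAX_DH_PRIME_BITS, min_bits=MIN_DH_PRIME_BITS):
    """Cheap checks that must run before the expensive g^x mod p; the size cap bounds the
    work a hostile server can force on the client. Returns the prime size in bits."""
    bits = p.bit_length()
    if bits > max_bits:
        raise DHParamError("DH prime is %d bits, above the %d-bit cap" % (bits, max_bits))
    if bits < min_bits:
        raise DHParamError("DH prime is %d bits, below the %d-bit minimum" % (bits, min_bits))
    if p % 2 == 0:
        raise DHParamError("DH prime is even")
    if not 2 <= g <= p - 2:
        raise DHParamError("generator out of range")
    if not 2 <= ys <= p - 2:           # also rejects the degenerate public values 0, 1 and p-1
        raise DHParamError("server public value out of range")
    return bits


def encode_server_dh_params(p, g, ys):
    """Constructed sample encoder, used only to build messages for this example."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(b)) + b
    return out


def accepts(body):
    try:
        p, g, ys, _ = parse_server_dh_params(body)
        check_server_dh_params(p, g, ys)
        return True
    except DHParamError:
        return False


# Constructed, not prime: a 2048-bit odd value and a 16384-bit odd value standing in for p.
SAMPLE_P = (1 << 2047) | (1 << 1000) | 1
OVERSIZED_P = (1 << 16383) | 1

if __name__ == "__main__":
    print("2048-bit params accepted:", accepts(encode_server_dh_params(SAMPLE_P, 2, 12345)))
    print("16384-bit params accepted:", accepts(encode_server_dh_params(OVERSIZED_P, 2, 12345)))
```

The 16-bit length prefix already bounds p at 65535 bytes, but that is still far more than a client should exponentiate under; the point of the explicit cap is that the decision is taken on the encoded length, before any arithmetic on the value.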
2018-09-11  Update to 5.49. From the changelog:  (schmonz, 2 files, -8/+9)
* New features
  - Performance optimizations.
  - Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France).
  - Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev).
* Bugfixes
  - Fixed a crash in the session persistence implementation.
  - Fixed syslog identifier after configuration file reload.
  - Fixed non-interactive "make check" invocations.
  - Fixed reloading syslog configuration.
  - stunnel.pem created with SHA-256 instead of SHA-1.
  - SHA-256 "make check" certificates.