| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
This eCAP adapter checks HTTP request and response bodies using the ClamAV
antivirus library and denies access to messages with detected viruses.
|
|
Noteworthy changes in version 1.3.4 (2016-05-03) [C19/A11/R4]
------------------------------------------------
* Fixed two OOB read access bugs which could be used to force a DoS.
* Fixed a crash due to faulty curve OID lookup code.
* Synced the list of supported curves with those of Libgcrypt.
* New configure option --enable-build-timestamp; a build timestamp is
not anymore used by default.
|
|
|
|
/usr/pkg/lib/libclamav.so:
-lxml2.2 => /usr/pkg/lib/libxml2.so.2
-lz.1 => /usr/lib/libz.so.1
-lc.12 => /usr/lib/libc.so.12
-llzma.2 => /usr/lib/liblzma.so.2
-lpthread.1 => /usr/lib/libpthread.so.1
-lm.0 => /usr/lib/libm.so.0
-lbz2.1 => /usr/lib/libbz2.so.1
-lltdl.7 => /usr/pkg/lib/libltdl.so.7
-lstdc++.7 => /usr/lib/libstdc++.so.7
-lssl.11 => /usr/lib/libssl.so.11
-lcrypto.11 => /usr/lib/libcrypto.so.11
-lcrypt.1 => /lib/libcrypt.so.1
-lpcre.1 => /usr/pkg/lib/libpcre.so.1
|
|
Noteworthy changes in version 2.1.13 (2016-06-16)
-------------------------------------------------
* gpg: New command --quick-addkey. Extend the --quick-gen-key
command.
* gpg: New --keyid-format "none" which is now also the default.
* gpg: New option --with-subkey-fingerprint.
* gpg: Include Signer's UID subpacket in signatures if the secret key
has been specified using a mail address and the new option
--disable-signer-uid is not used.
* gpg: Allow unattended deletion of a secret key.
* gpg: Allow export of non-passphrase protected secret keys.
* gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS.
* gpg: Change status line TOFU_STATS_LONG to use '~' as
a non-breaking-space character.
* gpg: Speedup key listings in Tofu mode.
* gpg: Make sure that the current and total values of a PROGRESS
status line are small enough.
* gpgsm: Allow the use of AES192 and SERPENT ciphers.
* dirmngr: Adjust WKD lookup to current specs.
* dirmngr: Fallback to LDAP v3 if v2 is is not supported.
* gpgconf: New commands --create-socketdir and --remove-socketdir,
new option --homedir.
* If a /run/user/$UID directory exists, that directory is now used
for IPC sockets instead of the GNUPGHOME directory. This fixes
problems with NFS and too long socket names and thus avoids the
need for redirection files.
* The Speedo build systems now uses the new versions.gnupg.org server
to retrieve the default package versions.
* Fix detection of libusb on FreeBSD.
* Speedup fd closing after a fork.
|
|
Noteworthy changes in version 1.7.1 (2016-06-15) [C21/A1/R1]
------------------------------------------------
* Bug fixes:
- Fix ecc_verify for cofactor support.
- Fix portability bug when using gcc with Solaris 9 SPARC.
- Build fix for OpenBSD/amd64
- Add OIDs to the Serpent ciphers.
* Internal changes:
- Use getrandom system call on Linux if available.
- Blinding is now also used for RSA signature creation.
- Changed names of debug envvars
|
|
This breaks removes the legacy PolarSSL compatibility layer. For
software that needs it, please use security/mbedtls1 instead.
Change license to apache-2.0.
Upstream changelog since 1.3.11 follows.
= mbed TLS 2.2.1 released 2016-01-05
Security
- Fix potential double free when mbedtls_asn1_store_named_data() fails
to allocate memory. Only used for certificate generation, not
triggerable remotely in SSL/TLS.
- Disable MD5 handshake signatures in TLS 1.2 by default
Bugfix
- Fix over-restrictive length limit in GCM.
- Fix bug in certificate validation that caused valid chains to be
rejected when the first intermediate certificate has
pathLenConstraint=0.
- Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign()
- Fix suboptimal handling of unexpected records that caused interop
issues with some peers over unreliable links. Avoid dropping an
entire DTLS datagram if a single record in a datagram is unexpected,
instead only drop the record and look at subsequent records (if any
are present) in the same datagram.
= mbed TLS 2.2.0 released 2015-11-04
Security
- Fix potential double free if mbedtls_ssl_conf_psk() is called more
than once and some allocation fails. Cannot be forced remotely.
- Fix potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB.
Cannot be triggered remotely.
- Fix potential buffer overflow in some asn1_write_xxx() functions.
Cannot be triggered remotely unless you create X.509 certificates
based on untrusted input or write keys of untrusted origin.
- The X509 max_pathlen constraint was not enforced on intermediate
certificates.
Features
- Experimental support for EC J-PAKE as defined in Thread 1.0.0.
Disabled by default as the specification might still change.
- Added a key extraction callback to accees the master secret and key
block. (Potential uses include EAP-TLS and Thread.)
Bugfix
- Self-signed certificates were not excluded from pathlen counting,
resulting in some valid X.509 being incorrectly rejected.
- Fix build error with configurations where ECDHE-PSK is the only key
exchange.
- Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
ECHD-ECDSA if the only key exchange. Multiple reports.
- Fixed a bug causing some handshakes to fail due to some non-fatal
alerts not being properly ignored.
- mbedtls_x509_crt_verify(_with_profile)() now also checks the key
type and size/curve against the profile. Before that, there was no
way to set a minimum key size for end-entity certificates with
RSA keys.
- Fix failures in MPI on Sparc(64) due to use of bad assembly code.
- Fix typo in name of the extKeyUsage OID.
- Fix bug in ASN.1 encoding of booleans that caused generated CA
certificates to be rejected by some applications, including OS X
Keychain.
Changes
- Improved performance of mbedtls_ecp_muladd() when one of the scalars
is or -1.
= mbed TLS 2.1.2 released 2015-10-06
Security
- Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
overflow of the hostname or session ticket.
- Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more
than once in the same handhake and mbedtls_ssl_conf_psk() was used.
- Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Fix potential buffer overflow in mbedtls_mpi_read_string().
- Fix potential random memory allocation in mbedtls_pem_read_buffer()
on crafted PEM input data.
- Fix possible heap buffer overflow in base64_encoded() when the input
buffer is 512MB or larger on 32-bit platforms.
- Fix potential double-free if mbedtls_conf_psk() is called repeatedly
on the same mbedtls_ssl_config object and memory allocation fails.
- Fix potential heap buffer overflow in servers that perform client
authentication against a crafted CA cert. Cannot be triggered
remotely unless you allow third parties to pick trust CAs for
client auth.
Bugfix
- Fix compile error in net.c with musl libc.
- Fix macroization of 'inline' keyword when building as C++.
Changes
- Added checking of hostname length in mbedtls_ssl_set_hostname() to
ensure domain names are compliant with RFC 1035.
- Fixed paths for check_config.h in example config files.
= mbed TLS 2.1.1 released 2015-09-17
Security
- Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
signatures.
- Fix possible client-side NULL pointer dereference (read) when the
client tries to continue the handshake after it failed (a misuse
of the API).
Bugfix
- Fix warning when using a 64bit platform.
- Fix off-by-one error in parsing Supported Point Format extension
that caused some handshakes to fail.
Changes
- Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile()
to allow use of mbedtls_x509_crt_profile_next.
- When a client initiates a reconnect from the same port as a live
connection, if cookie verification is available
(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable
cookie callbacks set with mbedtls_ssl_conf_dtls_cookies()), this
will be detected and mbedtls_ssl_read() will return
MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a
new handshake with the same context. (See RFC 6347 section 4.2.8.)
= mbed TLS 2.1.0 released 2015-09-04
Features
- Added support for yotta as a build system.
- Primary open source license changed to Apache 2.0 license.
Bugfix
- Fix segfault in the benchmark program when benchmarking DHM.
- Fix build error with CMake and pre-4.5 versions of GCC
- Fix bug when parsing a ServerHello without extensions
- Fix bug in CMake lists that caused libmbedcrypto.a not to be
installed
- Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to
be installed
- Fix compile error with armcc 5 with --gnu option.
- Fix bug in Makefile that caused programs not to be installed
correctly
- Fix bug in Makefile that prevented from installing without building
the tests
- Fix missing -static-libgcc when building shared libraries for
Windows with make.
- Fix link error when building shared libraries for Windows with make.
- Fix error when loading libmbedtls.so.
- Fix bug in mbedtls_ssl_conf_default() that caused the default preset
to be always used
- Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
result trying to unlock an unlocked mutex on invalid input
- Fix -Wshadow warnings
- Fix memory corruption on client with overlong PSK identity, around
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely
- Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT
- Fix memory corruption in pkey programs
Changes
- The PEM parser now accepts a trailing space at end of lines
- It is now possible to #include a user-provided configuration file at
the end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on
the compiler's command line.
- When verifying a certificate chain, if an intermediate certificate
is trusted, no later cert is checked.
- Prepend a "thread identifier" to debug messages
- Add mbedtls_ssl_get_max_frag_len() to query the current maximum
fragment length.
= mbed TLS 2.0.0 released 2015-07-13
Features
- Support for DTLS 1.0 and 1.2 (RFC 6347).
- Ability to override core functions from MDx, SHAx, AES and DES
modules with custom implementation (eg hardware accelerated),
complementing the ability to override the whole module.
- New server-side implementation of session tickets that rotate keys
to preserve forward secrecy, and allows sharing across multiple
contexts.
- Added a concept of X.509 cerificate verification profile that
controls which algorithms and key sizes (curves for ECDSA) are
acceptable.
- Expanded configurability of security parameters in the SSL module
with mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
- Introduced a concept of presets for SSL security-relevant
configuration parameters.
API Changes
- The library has been split into libmbedcrypto, libmbedx509,
libmbedtls. You now need to link to all of them if you use TLS
for example.
- All public identifiers moved to the mbedtls_* or MBEDTLS_*
namespace. Some names have been further changed to make them more
consistent. Migration helpers scripts/rename.pl and
include/mbedlts/compat-1.3.h are provided. Full list of renamings
in scripts/data_files/rename-1.3-2.0.txt
- Renamings of fields inside structures, not covered by the previous
list:
mbedtls_cipher_info_t.key_length -> key_bitlen
mbedtls_cipher_context_t.key_length -> key_bitlen
mbedtls_ecp_curve_info.size -> bit_size
- Headers are now found in the 'mbedtls' directory (previously
'polarssl').
- The following _init() functions that could return errors have
been split into an _init() that returns void and another function
that should generally be the first function called on this context after
init:
mbedtls_ssl_init() -> mbedtls_ssl_setup()
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
Note that for mbedtls_ssl_setup(), you need to be done setting up
the ssl_config structure before calling it.
- Most ssl_set_xxx() functions (all except ssl_set_bio(),
ssl_set_hostname(),
ssl_set_session() and ssl_set_client_transport_id(), plus
ssl_legacy_renegotiation()) have been renamed to
mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and
their first argument's type changed from ssl_context to ssl_config.
- ssl_set_bio() changed signature (contexts merged, order switched,
one additional callback for read-with-timeout).
- The following functions have been introduced and must be used in
callback implementations (SNI, PSK) instead of their *conf
counterparts:
mbedtls_ssl_set_hs_own_cert()
mbedtls_ssl_set_hs_ca_chain()
mbedtls_ssl_set_hs_psk()
- mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now
set using mbedtls_ssl_set_hostname().
- mbedtls_ssl_conf_session_cache() changed prototype (only one context
pointer, parameters reordered).
- On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
place of mbedtls_ssl_conf_session_tickets() to enable session
tickets.
- The SSL debug callback gained two new arguments (file name, line
number).
- Debug modes were removed.
- mbedtls_ssl_conf_truncated_hmac() now returns void.
- mbedtls_memory_buffer_alloc_init() now returns void.
- X.509 verification flags are now an uint32_t. Affect the signature
of:
mbedtls_ssl_get_verify_result()
mbedtls_x509_ctr_verify_info()
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
- The following functions changed prototype to avoid an in-out length
parameter:
mbedtls_base64_encode()
mbedtls_base64_decode()
mbedtls_mpi_write_string()
mbedtls_dhm_calc_secret()
- In the NET module, all "int" and "int *" arguments for file
descriptors changed type to "mbedtls_net_context *".
- net_accept() gained new arguments for the size of the client_ip
buffer.
- In the threading layer, mbedtls_mutex_init() and
mbedtls_mutex_free() now return void.
- ecdsa_write_signature() gained an addtional md_alg argument and
ecdsa_write_signature_det() was deprecated.
- pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
- Last argument of x509_crt_check_key_usage() and
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
- test_ca_list (from certs.h) is renamed to test_cas_pem and is only
available if POLARSSL_PEM_PARSE_C is defined (it never worked
without).
- Test certificates in certs.c are no longer guaranteed to be
nul-terminated strings; use the new *_len variables instead of strlen().
- Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect
the length parameter to include the terminating null byte for PEM input.
- Signature of mpi_mul_mpi() changed to make the last argument
unsigned
- calloc() is now used instead of malloc() everywhere. API of platform
layer and the memory_buffer_alloc module changed accordingly.
- Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
(support for renegotiation now needs explicit enabling in config.h).
- Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and
MBEDTLS_HAVE_TIME_DATE in config.h
- net_connect() and net_bind() have a new 'proto' argument to choose
between TCP and UDP, using the macros NET_PROTO_TCP or
NET_PROTO_UDP. Their 'port' argument type is changed to a string.
- Some constness fixes
Removals
- Removed mbedtls_ecp_group_read_string(). Only named groups are
supported.
- Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
mbedtls_ecp_muladd().
- Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file
functions (use generic functions from md.h)
- Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a
custom waiting function.
- Removed test DHM parameters from the test certs module.
- Removed the PBKDF2 module (use PKCS5).
- Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
- Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
- Removed openssl.h (very partial OpenSSL compatibility layer).
- Configuration options POLARSSL_HAVE_LONGLONG was removed (now always
on).
- Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16
have been removed (compiler is required to support 32-bit operations).
- Configuration option POLARSSL_HAVE_IPV6 was removed (always
enabled).
- Removed test program o_p_test, the script compat.sh does more.
- Removed test program ssl_test, superseded by ssl-opt.sh.
- Removed helper script active-config.pl
New deprecations
- md_init_ctx() is deprecated in favour of md_setup(), that adds a
third argument (allowing memory savings if HMAC is not used)
Semi-API changes (technically public, morally private)
- Renamed a few headers to include _internal in the name. Those
headers are not supposed to be included by users.
- Changed md_info_t into an opaque structure (use md_get_xxx()
accessors).
- Changed pk_info_t into an opaque structure.
- Changed cipher_base_t into an opaque structure.
- Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and
x509_crl.
- x509_crt.key_usage changed from unsigned char to unsigned int.
- Removed r and s from ecdsa_context
- Removed mode from des_context and des3_context
Default behavior changes
- The default minimum TLS version is now TLS 1.0.
- RC4 is now blacklisted by default in the SSL/TLS layer, and excluded
from the default ciphersuite list returned by ssl_list_ciphersuites()
- Support for receiving SSLv2 ClientHello is now disabled by default
at compile time.
- The default authmode for SSL/TLS clients is now REQUIRED.
- Support for RSA_ALT contexts in the PK layer is now optional. Since
is is enabled in the default configuration, this is only noticeable
if using a custom config.h
- Default DHM parameters server-side upgraded from 1024 to 2048 bits.
- A minimum RSA key size of 2048 bits is now enforced during
ceritificate chain verification.
- Negotiation of truncated HMAC is now disabled by default on server
too.
- The following functions are now case-sensitive:
mbedtls_cipher_info_from_string()
mbedtls_ecp_curve_info_from_name()
mbedtls_md_info_from_string()
mbedtls_ssl_ciphersuite_from_string()
mbedtls_version_check_feature()
Requirement changes
- The minimum MSVC version required is now 2010 (better C99 support).
- The NET layer now unconditionnaly relies on getaddrinfo() and
select().
- Compiler is required to support C99 types such as long long and
uint32_t.
API changes from the 1.4 preview branch
- ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio()
with new prototype, and mbedtls_ssl_set_read_timeout().
- The following functions now return void:
mbedtls_ssl_conf_transport()
mbedtls_ssl_conf_max_version()
mbedtls_ssl_conf_min_version()
- DTLS no longer hard-depends on TIMING_C, but uses a callback
interface instead, see mbedtls_ssl_set_timer_cb(), with the Timing
module providing an example implementation, see
mbedtls_timing_delay_context and mbedtls_timing_set/get_delay().
- With UDP sockets, it is no longer necessary to call net_bind() again
after a successful net_accept().
Changes
- mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
thread-safe if MBEDTLS_THREADING_C is enabled.
- Reduced ROM fooprint of SHA-256 and added an option to reduce it
even more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
|
|
|
|
This is based on security/mbedtls and only meant for compatibility
with software that doesn't support mbedtls>=2 yet (mainly requires
the PolarSSL compatibility layer).
|
|
+ don't assume memory will be NUL-terminated when printing
|
|
|
|
No changelog provided, Github issues touched:
- Update the autos in response to 0.8.1 release
- Fix default detection
- Provide nonroot guidance when logging gets EACCES.
- Add additional warning with actual exception message during
renewal
- Interactive webroot values not stored in renewal config file
- Preserve common name during renewal
- Mageia Bootstrap
- Initialize Augeas in a different method to be able to react to
ImportError
- Renew changes common name
- Update letsencrypt-auto in response to Arch package rename
- On Mac OSX: "ValueError: Invalid header value"
- Strip "\n" from end of OS version string for OS X.
- Revert "Use --force-reinstall to fix bad virtualenv package"
- Exit if cannot bootstrap in certbot-auto
- Add --disable-hook-validation
- --post-hook validation too strict
- letsencrypt-auto gives "sudo" is not available
- mageia bootstrap [needs revision]
- Install/compile fails of letsencrypt-auto on Smartos/Illumos
|
|
+ bring over joerg's printflike change from the netpgpverify
version in src/crypto
+ add a test for cleartext signatures with version information
to complement the one with no version information
|
|
Simplify the method of finding the end of the versioning information
in the signature - back up to the "\n" character at the end of the
signature start:
"-----BEGIN PGP SIGNATURE-----\n"
and then find the "\n\n" character sequence to denote the start of the
signature itself. The previous version worked, but this is more efficient.
|
|
+ handle signatures created by gpg with "--no-emit-version", don't assume
there will always be a version string.
+ add a test for above
Fixes security PR/51240.
Thanks to xnox@ubuntu.com for reporting the error
|
|
|
|
A pure-Python implmentation of the AES block cipher algorithm and the common
modes of operation (CBC, CFB, CTR, ECB and OFB).
Features:
- Supports all AES key sizes
- Supports all AES common modes
- Pure-Python (no external dependancies)
- BlockFeeder API allows streams to easily be encrypted and decrypted
- Python 2.x and 3.x support (make sure you pass in bytes(), not strings for
Python 3)
|
|
|
|
|
|
on pkgsrc-users.
Changes from 0.99.1 to 0.99.2 are available only with ChangeLog and it
is too many to write here. Please refer ChangeLog file.
0.99.1
------
ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes. Please see ChangeLog for details.
|
|
|
|
|
|
just one PLIST. Installs cleanly on NetBSD/i386 and NetBSD/amd64.
|
|
Make a temporary hack for non-SunOS, not yet fully verified;
this somehow needs to mirror what the package's configure.py
figures out, and expressing that properly and portably in
pkgsrc seems hard.
|
|
|
|
Kerberos over HTTP Negotiate/SPNEGO support for urllib2
|
|
This Python package is a high-level wrapper for Kerberos (GSSAPI)
operations. The goal is to avoid having to build a module that
wraps the entire Kerberos.framework, and instead offer a limited
set of functions that do what is needed for client/server Kerberos
authentication based on RFC 4559.
|
|
|
|
|
|
|
|
original manifest.xml file and the output from "svccfg export".
|
|
|
|
original manifest.xml file and the output from "svccfg export".
|
|
News:
This release fix targets stability issues which have had a history
and had been hard to reproduce. Stability should be improved,
running OpenDNSSEC as a long term service.
Changes in TTL in the input zone that seem not to be propagated,
notifies to slaves under load that where not handled properly and
could lead to assertions. NSEC3PARAM that would appear duplicate
in the resulting zone, and crashes in the signer daemon in seldom
race conditions or re-opening due to a HSM reset.
No migration steps needed when upgrading from OpenDNSSEC 1.4.9.
Also have a look at our OpenDNSSEC 2.0 beta release, its impending
release will help us forward with new development and signal phasing
out historic releases.
Fixes:
* SUPPORT-156 OPENDNSSEC-771: Multiple NSEC3PARAM records in signed
zone. After a resalt the signer would fail to remove the old
NSEC3PARAM RR until a manual resign or incoming transfer. Old
NSEC3PARAMS are removed when inserting a new record, even if
they look the same.
* OPENDNSSEC-725: Signer did not properly handle new update while
still distributing notifies to slaves. An AXFR disconnect looked
not to be handled gracefully.
* SUPPORT-171: Signer would sometimes hit an assertion using DNS
output adapter when .ixfr was missing or corrupt but .backup file
available. Above two issues also in part addresses problems
with seemingly corrected backup files (SOA serial). Also an
crash on badly configured DNS output adapters is averted.
* The signer daemon will now refuse to start when failed to open
a listen socket for DNS handling.
* OPENDNSSEC-478 OPENDNSSEC-750 OPENDNSSEC-581 OPENDNSSEC-582
SUPPORT-88: Segmentation fault in signer daemon when opening and
closing hsm multiple times. Also addresses other concurrency
access by avoiding a common context to the HSM (a.k.a. NULL
context).
* OPENDNSSEC-798: Improper use of key handles across hsm reopen,
causing keys not to be available after a re-open.
* SUPPORT-186: IXFR disregards TTL changes, when only TTL of an
RR is changed. TTL changes should be treated like any other
changes to records. When OpenDNSSEC now overrides a TTL value,
this is now reported in the log files.
|
|
the PLIST.x86* entries. The sse2 entries are however gone, but a few
new ones have appeared (md4_x86_32.h etc.) Installs cleanly now on
NetBSD/i386 6.1.5.
|
|
Bump revision
|
|
1.1.2 (2016-06-01)
------------------
* (Fix) Query strings should be able to include colons.
* (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.
|
|
1.4 - 2016-06-04
~~~~~~~~~~~~~~~~
* Support for OpenSSL 0.9.8 has been removed. Users on older versions of
OpenSSL will need to upgrade.
* Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`.
* Added support for ``OpenSSH`` public key serialization.
* Added support for SHA-2 in RSA
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP` when using
OpenSSL 1.0.2 or greater.
* Added "one shot"
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.sign`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.verify`
methods to RSA keys.
|
|
Bump PKGREVISION.
|
|
Notable changes between 0.5 and 0.6:
Options from OpenSSL 1.0.2f
Use "any" protocol, but SSL.
Merge pull request #20 from Zash/zash/checkissued
Method for checking if one certificate issued another
Merge pull request #68 from ignacio/master
Enables building with LuaRocks and MS compilers
Enables building with LuaRocks and MS compilers
Merge pull request #56 from gleydsonsoares/Makefile-tweaks
Makefile tweaks
Keep 'sslv23' for compability, but deprected. (it will be removed in the next version)
Merge pull request #62 from gleydsonsoares/update_protocol_samples
add TLS_method / rename "sslv23" to "any" / update protocol samples.
update protocol samples(bring "tlsv1_2" to clients and "any" to servers)
for consistency and readability, rename "sslv23" to "any" since that it is related to {TLS, SSLv23}methods that handles all supported protocols.
add TLS_method(). for now, keep SSLv23_method() for compatibility.
Update samples (using 'tlsv1').
Merge pull request #55 from gleydsonsoares/ifndef-OPENSSL_NO_SSL3
guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3
Add lsec_testcontext().
bump MACOSX_VERSION
fix typo; s,intall,install,
guard SSLv3_method() with #ifndef OPENSSL_NO_SSL3
Set flags to compile with internal inet_ntop() by default.
Tag "alpha" explicit.
MinGW progress.
Merge pull request #53 from hishamhm/master
Reuse tag in the LuaSec upstream repository.
Merge pull request #26 from Tieske/master
Update rockspec to fix Windows build
Alternative implementation to inet_ntop() for old versions of Windows.
Do not hardcode ar
added batch files to generate sample certs on Windows
Perform all validation before allocating structures
Validate signatures too.
API changes to root:issued([intermediate]*, cert)
Fix inet_ntop() on Windows.
Merge branch 'master' of https://github.com/brunoos/luasec
Merge branch 'moteus_rock'
added bindir to lib section, as mingw links against dll's to be found in bindir
updated defines in rockspec
Merge branch 'master' of github.com:Tieske/luasec into moteus_rock
use winsock 2
Don't set globals from C.
Fix unpack().
Stop using module().
Change to luaL_newlib().
Remove luaL_optint() and luaL_checkint().
BSD headers.
Merge pull request #21 from Zash/zash/iPAddress-fix
iPAddress encoding
Stop if we don't have a string.
Changed for strict compiles.
Fix for LibreSSL/OPENSSL_NO_COMP
Problem on Win64, since double does not represent SOCKET_INVALID exactly.
- Add a parameter to server:sni(), so that we can accept an unknown name, using the initial context.
- Add the method :getsniname() to retrieve the SNI hostname used.
Updated (and renamed) rockspec Windows
Encode iPAddress fields in human readable form
Don't try to encode IP addresses as UTF-8
Return early if ASN1 string is invalid
Push nil if unable to encode ASN1 string as UTF-8
Return human readable error message from cert:issued()
SNI support.
SNI support.
Merge pull request #17 from Zash/zash/checkkey
Verify that certificate and key belong together
Merge pull request #19 from Zash/zash/pubkey
Zash/pubkey
Add cert:pubkey() to methods registry
Add cert:issued(leafcert) for checking chains
Check if private key matches cert only if both key and cert are set
Check that certificate matches private key
Add method for extracting public key, type and size from x509 objects
|
|
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
|
|
0.31 2016/05/09
* Fixing a buffer overrun.
0.30 2016/04/13
* Security fix: https://github.com/kazu-yamamoto/pgpdump/pull/16
|
|
SmartOS. Sort PLIST with LANG=C.
|
|
Changes in 0.8.0
- The main new feature in this release is the register subcommand
which can be used to register an account with the Let's Encrypt
CA. Additionally, you can run certbot register
--update-registration to change the e-mail address associated
with your registration.
Full commit log since 0.7.0:
https://github.com/certbot/certbot/compare/v0.7.0...v0.8.0
Changes in 0.7.0:
- --must-staple to request certificates from Let's Encrypt with the
OCSP must staple extension
- automatic configuration of OSCP stapling for Apache
- requesting certificates for domains found in the common name
of a custom CSR
- a number of bug fixes
Full commit log since 0.6.0
https://github.com/certbot/certbot/compare/v0.6.0...v0.7.0
|
|
+ minor cosmetic change to bn.h to also define BN_mod_sub, missed in
previous
|
|
being available on newer illumos, as it simplifies PLIST.glob.
|
|
Jorge Schrauwen in joyent/pkgsrc#354.
Bump PKGREVISION.
|
|
|
