path: root/security
Age | Commit message | Author | Files | Lines
2018-03-22 | py-cryptography[_vectors]: updated to 2.2.1 | adam | 5 | -23/+22
2.2.1:
* Reverted a change to GeneralNames which prohibited having zero elements, due to breakages.
* Fixed a bug in :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding` that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
2018-03-21 | security/ruby-rex-powershell: update to 0.1.77 | taca | 3 | -8/+9
0.1.77 2017/09/23
* Convert double quotes to single quotes to match #{URL}
0.1.76 2017/09/07
* Merge pull request #9 from sempervictus/feature-payload_msil_jit
0.1.75 2017/08/25
* Remove useless failing spec
* Improve use of RandomIdentifier::Generator
* Add MSIL to template constants
* Update spec for MSIL payload
* Implement MSIL payload in Rex gem via template
* Update spec for command
* Finalize quote wrapper
* Rework quote handling
* Cleanup Command single quotes redundant gsub
0.1.74 2017/07/18
* Alternative to IEX in dl_and_exec_string methods
* Command spec - deal with :use_single_quotes
* Output and command improvements for Win10
0.1.73 2017/05/12
* update spec to require Ruby 2.2.0 or greater
2018-03-21 | security/ruby-rex-socket: update to 0.1.10 | taca | 3 | -8/+9
0.1.10 2017/10/25
* improve cert generation
2018-03-21 | security/ruby-rex-core: update to 0.1.13 | taca | 2 | -7/+7
0.1.13 2017/07/20
* partially revert 06bfb88
* minor gem cleanups
2018-03-21 | security/ruby-rex-exploitation: update to 0.1.17 | taca | 2 | -7/+7
0.1.17 2018/02/09
* Add bourne busybox base64 decoder
0.1.16 2017/11/29
* Add user agent regexes to HTTP CmdStagers
2018-03-21 | security/ruby-rex-arch: update to 0.1.13 | taca | 2 | -7/+7
0.1.13 2017/10/30
* add E500V2 architecture for PPC
0.1.12 2017/08/20
* add license, fixup metadata, unlock unneeded pins
2018-03-21 | security/ruby-rex-text: update to 0.2.16 | taca | 2 | -7/+7
0.2.16 2017/05/12
* update spec to require Ruby 2.2.0 or greater
2018-03-21 | security/ruby-nexpose: update to 7.2.0 | taca | 2 | -7/+7
7.2.0 (2018-01-17)
Closed issues:
* list_vuln_exceptions returns API error #312
* Credentials failure after using Site.copy #307
* XML serialization for VulnException incorrect due to extra whitespace #304
* Nexpose timeout does not seem to work #299
Merged pull requests:
* Update vuln exceptions to use generally available API version #313 (mhuffman-r7)
* Add a method to add common vuln status filters to report configs #303 (gschneider-r7)
* Updated for Ruby 2.4 Support #301 (twosevenzero)
2018-03-21 | p5-Net-DNS-SEC: update to 1.05. | wiz | 2 | -7/+7
**** 1.05 March 20, Tuesday
Feature
    Support added for Ed25519 and Ed448 algorithms
Fix: rt.cpan.org #124650
    Net::DNS::SEC::Private must not die if attribute is not present
2018-03-21 | security/ruby-metasploit_payloads: update to 0.3.7 | taca | 3 | -8/+38
No proper change log is available. Please refer to the commit log: <https://github.com/rapid7/mettle/commits/master>.
2018-03-21 | security/ruby-metasploit-payloads: update to 1.3.31 | taca | 2 | -7/+7
No proper change log is available. Please refer to the commit log: <https://github.com/rapid7/metasploit-payloads/commits/master>.
2018-03-21 | Update clamav to 0.99.4 (fixes build) | prlw1 | 4 | -102/+8
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.
- fixes for the following CVEs: CVE-2012-6706, CVE-2017-6419, CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well as fixes for a handful of other important bugs, including patches to support g++ 6, C++11.
2018-03-20 | libgpg-error: Honor LDFLAGS. | wiz | 3 | -2/+19
Fixes RELRO build. Bump PKGREVISION.
2018-03-19 | py-cryptography[_vectors]: updated to 2.2 | adam | 5 | -16/+17
2.2:
* BACKWARDS INCOMPATIBLE: Support for Python 2.6 has been dropped.
* Resolved a bug in HKDF that incorrectly constrained output size.
* Added :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`, :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to support inter-operating with systems like German smart meters.
* Added token rotation support to :doc:`Fernet </fernet>` with :meth:`~cryptography.fernet.MultiFernet.rotate`.
* Fixed a memory leak in :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
* Added support for AES key wrapping with padding via :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding` and :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`.
* Allow loading DSA keys with 224 bit q.
2018-03-17 | security/ruby-rbnacl: update to 5.0.0 | taca | 2 | -7/+7
## 5.0.0 (2017-06-13)
* [#159](https://github.com/cryptosphere/rbnacl/pull/159) Support the BLAKE2b Initialize-Update-Finalize API. ([@fudanchii])
2018-03-16 | libgpg-error: updated to 1.28 | adam | 4 | -16/+19
changes in version 1.28:
* The formerly internal yat2m tool is now installed for a native build.
* The new files gpgrt.m4 and gpgrt-config are now installed. They can be used instead of gpg-error.m4 and gpg-error-config.
* New logging functions similar to those used by GnuPG.
* New helper functions for platform abstraction.
2018-03-15 | Output signatures to the standard output for "-" | khorben | 3 | -3/+23
This is to reflect the behaviour documented in netpgp(1).
Originally submitted on tech-pkg@ as:
[PATCH 09/11] Output signatures to the standard output for "-"
Only modified for consistency with the coding style; as also applied in NetBSD's src repository.
2018-03-15 | Correct option "--armor" and document alternate option "--detach" | khorben | 3 | -3/+29
Originally submitted on tech-pkg@ as:
[PATCH 07/11] Correct option "--armor"
[PATCH 08/11] Also document alternate option "--detach"
As also applied in NetBSD's src repository.
2018-03-15 | Do not use random data for pass-phrases on EOF | khorben | 3 | -8/+20
Originally submitted on tech-pkg@ as:
[PATCH 04/11] Do not use random data for pass-phrases on EOF
Only modified for consistency with the coding style; as also applied in NetBSD's src repository.
Tested on NetBSD/amd64.
2018-03-15 | Do not truncate pass-phrases without a newline character | khorben | 3 | -3/+30
This also fixes a crash when the pass-phrase entered is empty.
Originally submitted on tech-pkg@ as:
[PATCH 02/11] Do not truncate pass-phrases without a newline character
Only modified for consistency with the coding style; as also applied in NetBSD's src repository.
Tested on NetBSD/amd64.
2018-03-15 | Do not ask for a passphrase when empty | khorben | 3 | -19/+54
Originally submitted on tech-pkg@ as:
[PATCH 06/11] Do not ask for a passphrase when empty
Only modified for consistency with the coding style; as also applied in NetBSD's src repository.
Tested on NetBSD/amd64.
2018-03-15 | sort | jnemeth | 1 | -3/+3
2018-03-14 | security/ruby-sshkit: update to 1.16.0 | taca | 2 | -7/+7
## [1.16.0][] (2018-02-03)
* [#417](https://github.com/capistrano/sshkit/pull/417): Cache key generation for connections becomes slow when `known_hosts` is a valid `net/ssh` options and `known_hosts` file is big. This changes the cache key generation and fixes performance issue - [@ElvinEfendi](https://github.com/ElvinEfendi).
## [1.15.1][] (2017-11-18)
This is a small bug-fix release that fixes problems with `upload!` and `download!` that were inadvertently introduced in 1.15.0.
### Breaking changes
* None
### Bug fixes
* [#410](https://github.com/capistrano/sshkit/pull/410): fix NoMethodError when using upload!/download! with Pathnames - [@UnderpantsGnome](https://github.com/UnderpantsGnome)
* [#411](https://github.com/capistrano/sshkit/pull/410): fix upload!/download! when using relative paths outside of `within` blocks - [@Fjan](https://github.com/Fjan)
## [1.15.0][] (2017-11-03)
### New features
* [#408](https://github.com/capistrano/sshkit/pull/408): upload! and download! now respect `within` - [@sj26](https://github.com/sj26)
### Potentially breaking changes
* `upload!` and `download!` now support remote paths which are relative to the `within` working directory. They were previously documented as only supporting absolute paths, but relative paths still worked relative to the remote working directory. If you rely on the previous behaviour you may need to adjust your code.
2018-03-14 | p5-Net-SSLeay: update to 1.85. | wiz | 2 | -7/+7
1.85 2018-03-14
* Preparations for transferring maintenance to a new maintainer
* Fixed test failure in t/local/33_x509_create_cert.t for some version of OpenSSL.
* Fixed free() error that causes "Free to wrong pool ..." message on Windows. Reported and patched by Steffen Ullrich.
2018-03-13 | py-paramiko: updated to 2.4.1 | adam | 3 | -8/+11
2.4.1:
* [Bug] Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in python 3). Report by Theodor van Nahl and fix by Pierce Lopez.
* [Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that code introspecting that attribute, or using from paramiko import * (such as some IDEs) sees them. Thanks to @patriksevallius for the patch.
* [Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.
2018-03-13 | py-asyncssh: updated to 1.12.1 | adam | 2 | -7/+7
Release 1.12.1:
* Implemented a fix for CVE-2018-7749, where a modified SSH client could request that an AsyncSSH server perform operations before authentication had completed. Thanks go to Matthijs Kooijman for discovering and reporting this issue and helping to review the fix.
* Added a non-blocking collect_output() method to SSHClientProcess to allow applications to retrieve data received on an output stream without blocking. This call can be called multiple times and freely intermixed with regular read calls with a guarantee that output will always be returned in order and without duplication.
* Updated debug logging implementation to make it more maintainable, and to fix an issue where unprocessed packets were not logged in some cases.
* Extended the support below for non-ASCII characters in comments to apply to X.509 certificates, allowing an optional encoding to be passed in to get_comment() and set_comment() and a get_comment_bytes() function to get the raw comment bytes without performing Unicode decoding.
* Fixed an issue where a UnicodeDecodeError could be reported in some cases instead of a KeyEncryptionError when a private key was imported using the wrong passphrase.
* Fixed the reporting of the MAC algorithm selected during key exchange to properly report the cipher name for GCM and Chacha ciphers that don’t use a separate MAC algorithm. The correct value was being returned in queries after the key exchange was complete, but the logging was being done before this adjustment was made.
* Fixed the documentation of connection_made() in SSHSession subclasses to properly reflect the type of SSHChannel objects passed to them.
2018-03-13 | security/py-certbot: Update to 0.22.0 | fhajny | 5 | -12/+14
### Added
- Support for obtaining wildcard certificates and a newer version of the ACME protocol such as the one implemented by Let's Encrypt's upcoming ACMEv2 endpoint was added to Certbot and its ACME library. Certbot still works with older ACME versions and will automatically change the version of the protocol used based on the version the ACME CA implements.
- The Apache and Nginx plugins are now able to automatically install a wildcard certificate to multiple virtual hosts that you select from your server configuration.
- The `certbot install` command now accepts the `--cert-name` flag for selecting a certificate.
- `acme.client.BackwardsCompatibleClientV2` was added to Certbot's ACME library which automatically handles most of the differences between new and old ACME versions. `acme.client.ClientV2` is also available for people who only want to support one version of the protocol or want to handle the differences between versions themselves.
- certbot-auto now supports the flag --install-only which has the script install Certbot and its dependencies and exit without invoking Certbot.
- Support for issuing a single certificate for a wildcard and base domain was added to our Google Cloud DNS plugin. To do this, we now require your API credentials have additional permissions, however, your credentials will already have these permissions unless you defined a custom role with fewer permissions than the standard DNS administrator role provided by Google. These permissions are also only needed for the case described above so it will continue to work for existing users. For more information about the permissions changes, see the documentation in the plugin.
### Changed
- We have broken lockstep between our ACME library, Certbot, and its plugins. This means that the different components do not need to be the same version to work together like they did previously. This makes packaging easier because not every piece of Certbot needs to be repackaged to ship a change to a subset of its components.
- Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot, Certbot's plugins, and certbot-auto. If you are using certbot-auto on a RHEL 6 based system, it will walk you through the process of installing Certbot with Python 3 and refuse to upgrade to a newer version of Certbot until you have done so.
- Certbot's components now work with older versions of setuptools to simplify packaging for EPEL 7.
### Fixed
- Issues caused by Certbot's Nginx plugin adding multiple ipv6only directives have been resolved.
- A problem where Certbot's Apache plugin would add redundant include directives for the TLS configuration managed by Certbot has been fixed.
- Certbot's webroot plugin now properly deletes any directories it creates.
2018-03-12 | Recursive bumps for fontconfig and libzip dependency changes. | wiz | 55 | -96/+110
2018-03-12 | Fix (mis)use of __NetBSD_Prereq__ per PR 38051. | dholland | 2 | -4/+4
2018-03-11 | Remove go-crypto-acme. Replacement: go-crypto. | bsiegert | 6 | -72/+1
The two packages have been re-merged after the removal of a circular dependency.
2018-03-11 | Update go-crypto to 0.0.20180308. No changelog from upstream. | bsiegert | 4 | -17/+64
The circular dependency that prompted splitting this package is no longer an issue, as acme now depends on context instead of golang.org/x/net/context. Thus, this package now contains what used to be go-crypto-acme and conflicts with it.
2018-03-11 | p5-Data-Password-passwdqc: new package | maya | 4 | -1/+36
Data::Password::passwdqc provides an object oriented Perl interface to Openwall Project's passwdqc. It allows you to check password strength and also lets you generate quality controllable random passwords.
2018-03-11 | p5-Crypt-SMIME: new package | maya | 4 | -1/+32
p5-Crypt-SMIME is a perl5 module that provides a class for handling S/MIME messages. It can sign, verify, encrypt and decrypt messages.
2018-03-11 | Provide PRIi64 definition where it doesn't exist (like IRIX). | jmcneill | 1 | -0/+4
2018-03-10 | Find the user agreement URL again, via upstream patch. Bump PKGREVISION. | schmonz | 3 | -3/+20
2018-03-09 | py-cryptodome: updated to 3.5.1 | adam | 3 | -23/+7
3.5.1: Fix mismatch with declaration and definition of addmul128.
2018-03-08 | py-ntlm-auth: updated to 1.1.0 | adam | 3 | -23/+9
1.1.0:
* Removed DES code as the license was found to be incorrect from the source
* Added new DES code not based on the original
* Fixed up some deprecation warnings
* Changed tests from running unittest to py.test
* Changed licence from GPL to MIT as code is not all my own
2018-03-08 | py-cryptodome: updated to 3.5.0 | adam | 4 | -8/+29
New features
* Import and export of ECC curves in compressed form.
* The initial counter for a cipher in CTR mode can be a byte string (in addition to an integer).
* Faster PBKDF2 for HMAC-based PRFs (at least 20x for short passwords, more for longer passwords). Thanks to Christian Heimes for pointing out the implementation was under-optimized.
* The salt for PBKDF2 can be either a string or bytes.
Resolved issues
* Without libgmp, modular exponentiation (since v3.4.8) crashed on 32-bit big-endian systems.
Breaks in compatibility
* Removed support for Python < 2.6.
2018-03-08 | py-libnacl: added version 1.6.1 | adam | 6 | -1/+104
This library is used to gain direct access to the functions exposed by Daniel J. Bernstein's nacl library via libsodium. It has been constructed to maintain extensive documentation on how to use nacl as well as being completely portable. The file in libnacl/__init__.py can be pulled out and placed directly in any project to give a single file binding to all of nacl.
2018-03-07 | sudo: updated to 1.8.22 | adam | 7 | -36/+21
What's new in Sudo 1.8.22
* Commands run in the background from a script run via sudo will no longer receive SIGHUP when the parent exits and I/O logging is enabled.
* A particularly offensive insult is now disabled by default.
* The description of "sudo -i" now correctly documents that the "env_keep" and "env_check" sudoers options are applied to the environment.
* Fixed a crash when the system's host name is not set.
* The sudoers2ldif script now handles #include and #includedir directives.
* Fixed a bug where sudo would silently exit when the command was not allowed by sudoers and the "passwd_tries" sudoers option was set to a value less than one.
* Fixed a bug with the "listpw" and "verifypw" sudoers options and multiple sudoers sources. If the option is set to "all", a password should be required unless none of a user's sudoers entries from any source require authentication.
* Fixed a bug with the "listpw" and "verifypw" sudoers options in the LDAP and SSSD back-ends. If the option is set to "any", and the entry contained multiple rules, only the first matching rule was checked. If an entry contained more than one matching rule and the first rule required authentication but a subsequent rule did not, sudo would prompt for a password when it should not have.
* When running a command as the invoking user (not root), sudo would execute the command with the same group vector it was started with. Sudo now executes the command with a new group vector based on the group database which is consistent with how su(1) operates.
* Fixed a double free in the SSSD back-end that could occur when ipa_hostname is present in sssd.conf and is set to an unqualified host name.
* When I/O logging is enabled, sudo will now write to the terminal even when it is a background process. Previously, sudo would only write to the tty when it was the foreground process when I/O logging was enabled. If the TOSTOP terminal flag is set, sudo will suspend the command (and then itself) with the SIGTTOU signal.
* A new "authfail_message" sudoers option that overrides the default "N incorrect password attempt(s)".
* An empty sudoRunAsUser attribute in the LDAP and SSSD backends will now match the invoking user. This is more consistent with how an empty runas user in the sudoers file is treated.
* Documented that in check mode, visudo does not check the owner/mode on files specified with the -f flag.
* It is now an error to specify the runas user as an empty string on the command line. Previously, an empty runas user was treated the same as an unspecified runas user.
* When "timestamp_type" option is set to "tty" and a terminal is present, the time stamp record will now include the start time of the session leader. When the "timestamp_type" option is set to "ppid" or when no terminal is available, the start time of the parent process is used instead. This significantly reduces the likelihood of a time stamp record being re-used when a user logs out and back in again.
* The sudoers time stamp file format is now documented in the new sudoers_timestamp manual.
* The "timestamp_type" option now takes a "kernel" value on OpenBSD systems. This causes the tty-based time stamp to be stored in the kernel instead of on the file system. If no tty is present, the time stamp is considered to be invalid.
* Visudo will now use the SUDO_EDITOR environment variable (if present) in addition to VISUAL and EDITOR.
2018-03-04 | Revbump all Go packages after Go 1.10 update. | bsiegert | 7 | -10/+14
2018-03-04 | p5-Mozilla-CA: update to 20180117. | wiz | 2 | -8/+7
20180301
- Update from Mozilla repository to 2018-01-17
- Update bundled mk-ca-bundle.pl from upstream.
2018-03-04 | Fix PLIST substitution. Noticed by leot@. Thank you | ryoon | 1 | -304/+304
2018-03-04 | Update to 2.1 | ryoon | 2 | -352/+307
* Depend on security/mozilla-rootcerts-1.0.20180111
2018-03-04 | Update to 1.0.20180111 | ryoon | 2 | -9/+8
* Based on NSS 3.35 beta 1
2018-02-28 | security/R-digest: Update to 0.6.15 | minskim | 3 | -27/+20
Notable changes since 0.6.12:
* R/digest.R: Support serializeVersion format
* sha1() handles empty matrices
* sha1() gains an `algo` argument
* sha1() handles raw class
* R/sha1.R (sha1.POSIXlt): Unclass POSIXlt object
2018-02-28 | munge: update to 0.5.13 to fix build with openssl-1.1. | wiz | 5 | -33/+27
munge-0.5.13 (2017-09-26):
- Added support for OpenSSL 1.1.0. (#54)
- Added support for UID/GID values >= 2^31.
- Added support for getentropy() and getrandom().
- Added --trusted-group cmdline opt to munged.
- Added --log-file and --seed-file cmdline opts to munged. (#57)
- Changed default MAC algorithm to SHA-256.
- Fixed autoconf installation directory variable substitution. (#47)
- Fixed all gcc, clang, and valgrind warnings.
- Improved resilience and unpredictability of PRNG.
- Improved hash table performance.
- Removed libmissing dependency from libmunge. (#49)
munge-0.5.12 (2016-02-25):
- Changed project homepage to <https://dun.github.io/munge/>.
- Changed RPM specfile from sysvinit to systemd. (#33)
- Added --max-ttl cmdline opt to munged. (#28)
- Added --pid-file cmdline opt to munged. (#41)
- Added support for "make dist" and "make distcheck". (#45)
- Fixed group-writable permissions error for logfile on Ubuntu. (#31)
- Fixed packaging with missing pkgconfig munge.pc file. (#25)
- Fixed packaging with missing systemd service & tmpfiles.d config. (#34)
- Fixed recursive make command in makefiles. (#40)
2018-02-28 | p5-CryptX: update to 0.058. | wiz | 2 | -7/+7
0.058 2018-02-27 - fix: decode_b58b + invalid input
2018-02-27 | security/vault: Simplify Makefile, enable a basic test target. | fhajny | 1 | -7/+5
2018-02-27 | security/vault: Update to 0.9.5 | fhajny | 2 | -7/+7
## 0.9.5 (February 26th, 2018)
IMPROVEMENTS:
- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster connection fails, Vault will attempt to roll back state so that bootstrapping can be tried again, rather than having to recreate the downstream cluster. This will still require fetching a new secondary activation token.
BUG FIXES:
- auth/aws: Update libraries to fix regression verifying PKCS#7 identity documents
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to automatically connect to a performance primary after that performance primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`
## 0.9.4 (February 20th, 2018)
SECURITY:
- Role Tags used with the EC2 style of AWS auth were being improperly parsed; as a result they were not being used to properly restrict values. Implementations following our suggestion of using these as defense-in-depth rather than the only source of restriction should not have significant impact.
FEATURES:
- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt with ChaCha20-Poly1305 in `transit`. Key derivation and convergent encryption are also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA required within Okta, an Okta Push MFA flow can be used to successfully finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set, subject to allow restrictions that support globbing. Additionally, Country, Locality, Province, Street Address, and Postal Code can now be set in certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for Vault storage
IMPROVEMENTS:
- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than once a minute. Too many leases can be problematic for many of the storage backends and often this number of leases is indicative of a need for workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally, properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.
BUG FIXES:
- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token creation. Passing an explicit zero value for the period no longer creates periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being handled
- storage/postgresql: Fix compatibility with versions using custom string version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object