path: root/security
Age         Commit message                                                      [Author, Files, Lines]
2019-03-31  py-cryptodome: Fix build on !i386 and !x86_64 MACHINE_ARCHs          [leot, 3 files, -3/+7]
2019-03-27  gnutls: Update to 3.6.7                                             [leot, 2 files, -7/+7]
    Bug fix and security release on the stable 3.6.x branch. OK during the freeze by <jperkin>, thanks!

    Changes:
    3.6.7
    -----
    - libgnutls, gnutls tools: Every gnutls_free() will automatically set the freed pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
    - libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694]
    - libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
    - libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
    - libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server.
    - libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
    - libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled (#713).
    - libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721).
    - libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded too early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated (#689).
    - gnutls-cli: Added option --logfile to redirect informational messages output.
    - No API and ABI modifications since last version.
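The first item in the 3.6.7 notes above, a free() that clears the pointer it was handed, is worth seeing in isolation, together with the caveat the notes attach to it (it only covers the pointer passed in). The following is an added example, not GnuTLS code: a stand-in macro with the same behaviour, showing that a second free of the same lvalue becomes a harmless free(NULL) while an alias held elsewhere keeps dangling. The `nulling_free` name and the `struct record` are assumptions of the example.

```c
#include <stdlib.h>

/* Added example, not GnuTLS code: a free() wrapper that clears the lvalue it
 * is given, in the spirit of the 3.6.7 gnutls_free() change.  The name is an
 * assumption of this example. */
#define nulling_free(p) do { free(p); (p) = NULL; } while (0)

struct record { char *buf; };   /* hypothetical owner of a heap buffer */

/* Freeing the same lvalue twice: the second call is free(NULL), a no-op,
 * so what would have been a double free is neutralised. */
int double_free_is_harmless(void)
{
    char *p = malloc(16);
    if (p == NULL)
        return 0;
    nulling_free(p);
    nulling_free(p);            /* free(NULL): defined and does nothing */
    return p == NULL;           /* 1 */
}

/* Caveat from the release notes: only the lvalue passed to the macro is
 * cleared.  A copy of the pointer stored elsewhere still points at freed
 * memory, so callers that keep aliases are not protected. */
int alias_still_dangles(void)
{
    struct record r;
    r.buf = malloc(16);
    if (r.buf == NULL)
        return 0;
    char *alias = r.buf;        /* second reference to the same allocation */
    nulling_free(r.buf);        /* clears r.buf only */
    /* alias is now dangling: compare it, never dereference it */
    return r.buf == NULL && alias != NULL;   /* 1 */
}
```

The macro therefore converts a double free through the same variable into a no-op and a use-after-free through that variable into a NULL dereference (a crash rather than a memory-corruption primitive); it does nothing for the second pointer in `alias_still_dangles`, which is exactly why the notes say the counter-measure does not extend to application code.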
2019-03-27  gnupg2: Fix build.                                                  [jperkin, 2 files, -1/+84]
2019-03-25  libssh2: update to 1.8.1.                                           [wiz, 2 files, -7/+7]
    Version 1.8.1 (14 Mar 2019)

    Will Cosgrove (14 Mar 2019)
    - [Michael Buckley brought this change]
      More 1.8.0 security fixes (#316)
      * Defend against possible integer overflows in comp_method_zlib_decomp.
      * Defend against writing beyond the end of the payload in _libssh2_transport_read().
      * Sanitize padding_length - _libssh2_transport_read(). https://libssh2.org/CVE-2019-3861.html
        This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.
      * Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. https://libssh2.org/CVE-2019-3858.html
      * Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads.
      * Add a required_size parameter to sftp_packet_require et al. to require callers of these functions to handle packets that are too short. https://libssh2.org/CVE-2019-3860.html
      * Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html

    GitHub (14 Mar 2019)
    - [Will Cosgrove brought this change]
      1.8 Security fixes (#314)
      * fixed possible integer overflow in packet_length CVE https://www.libssh2.org/CVE-2019-3861.html
      * fixed possible integer overflow with userauth_keyboard_interactive CVE https://www.libssh2.org/CVE-2019-3856.html
      * fixed possible out zero byte/incorrect bounds allocation CVE https://www.libssh2.org/CVE-2019-3857.html
      * bounds checks for response packets
      * fixed integer overflow in userauth_keyboard_interactive CVE https://www.libssh2.org/CVE-2019-3863.html
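The padding_length item above (CVE-2019-3861) describes an unsigned underflow in the SSH binary packet header: the payload length is derived as packet_length - padding_length - 1, so a padding_length larger than packet_length wraps the result to a huge value that a later read treats as the payload size. The following is an added example, not libssh2's code, that puts the unchecked computation beside a checked parser for the RFC 4253 header layout and runs both over two constructed packets. The 35000-byte ceiling (the minimum total packet size RFC 4253 requires implementations to accept, used here as an upper bound) and the sample packets are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libssh2 code.  RFC 4253 s6 binary packet header:
 *   uint32 packet_length; byte padding_length; payload; padding; [MAC]
 * with payload length = packet_length - padding_length - 1. */

#define SSH_MAX_PACKET 35000u   /* assumed ceiling for this example */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable pattern: trusting padding_length from the wire.  When it
 * exceeds packet_length the subtraction wraps to roughly 4 GB, and any copy
 * sized by the result reads far past the receive buffer. */
uint32_t naive_payload_len(const unsigned char *hdr)
{
    uint32_t packet_length  = be32(hdr);
    uint32_t padding_length = hdr[4];
    return packet_length - padding_length - 1;      /* may underflow */
}

/* Checked version: returns the payload length, or -1 if the header is
 * inconsistent with itself or with the number of bytes actually held (n). */
long checked_payload_len(const unsigned char *buf, size_t n)
{
    if (n < 5)
        return -1;                                  /* header incomplete */
    uint32_t packet_length  = be32(buf);
    uint32_t padding_length = buf[4];
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET)
        return -1;                                  /* absurd length field */
    if (padding_length < 4)
        return -1;                                  /* RFC 4253 s6: at least 4 bytes of padding */
    if (padding_length + 1 > packet_length)
        return -1;                                  /* would underflow: the CVE-2019-3861 case */
    if ((size_t)packet_length + 4 > n)
        return -1;                                  /* claims more bytes than we received */
    return (long)(packet_length - padding_length - 1);
}

/* Constructed sample packets (no MAC), not captured traffic. */
static const unsigned char good_pkt[16] = {
    0x00, 0x00, 0x00, 0x0c,             /* packet_length = 12 */
    0x04,                               /* padding_length = 4 */
    'S', 'S', 'H', '-', 'm', 's', 'g',  /* 7-byte payload */
    0x00, 0x00, 0x00, 0x00              /* 4 bytes of padding */
};
static const unsigned char bad_pkt[16] = {
    0x00, 0x00, 0x00, 0x0c,             /* packet_length = 12 */
    0xff,                               /* padding_length = 255 > packet_length */
    'S', 'S', 'H', '-', 'm', 's', 'g',
    0x00, 0x00, 0x00, 0x00
};

long     good_len(void)  { return checked_payload_len(good_pkt, sizeof good_pkt); }  /* 7 */
long     bad_len(void)   { return checked_payload_len(bad_pkt, sizeof bad_pkt); }    /* -1 */
uint32_t bad_naive(void) { return naive_payload_len(bad_pkt); }                      /* 4294967052 */
```

The last check, comparing packet_length against the bytes actually received, is the other half of the fix: even a self-consistent header can claim more data than is in the buffer, which is the shape of the other out-of-bounds reads listed in the same release.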
2019-03-25  *: recursive bump for vala-0.44                                     [wiz, 1 file, -2/+2]
2019-03-24  Update to 0.23.15                                                   [ryoon, 3 files, -26/+9]
    Changelog:
    - trust: Improve error handling if backed trust file is corrupted [#206]
    - url: Prefer upper-case letters in hex characters when encoding [#193]
    - trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [#202]
    - virtual: Prefer fixed closures to libffi closures [#196]
    - Fix issues spotted by coverity and cppcheck [#194, #204]
    - Build and test fixes [#164, #191, #199, #201]
2019-03-24  py-cryptodome: updated to 3.8.0                                     [adam, 3 files, -9/+73]
    3.8.0:
    New features
    * Speed-up ECC performance. ECDSA is 33 times faster on the NIST P-256 curve.
    * Added support for NIST P-384 and P-521 curves.
    * EccKey has new methods size_in_bits() and size_in_bytes().
    * Support HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 in PBE2/PBKDF2.
    Resolved issues
    * DER objects were not rejected if their length field had a leading zero.
    * Allow legacy RC2 ciphers to have 40-bit keys.
    * ASN.1 Object IDs did not allow the value 0 in the path.
    Breaks in compatibility
    * point_at_infinity() becomes an instance method for Crypto.PublicKey.ECC.EccKey, from a static one.
2019-03-22  Update to 2.4.0                                                     [ryoon, 5 files, -35/+60]
    * Disable PaX MPROTECT to enable autotype

    Changelog:
    - New Database Wizard [#1952]
    - Advanced Search [#1797]
    - Automatic update checker [#2648]
    - KeeShare database synchronization [#2109, #1992, #2738, #2742, #2746, #2739]
    - Improve favicon fetching; transition to Duck-Duck-Go [#2795, #2011, #2439]
    - Remove KeePassHttp support [#1752]
    - CLI: output info to stderr for easier scripting [#2558]
    - CLI: Add --quiet option [#2507]
    - CLI: Add create command [#2540]
    - CLI: Add recursive listing of entries [#2345]
    - CLI: Fix stdin/stdout encoding on Windows [#2425]
    - SSH Agent: Support OpenSSH for Windows [#1994]
    - macOS: TouchID Quick Unlock [#1851]
    - macOS: Multiple improvements; include CLI in DMG [#2165, #2331, #2583]
    - Linux: Prevent Klipper from storing secrets in clipboard [#1969]
    - Linux: Use polling based file watching for NFS [#2171]
    - Linux: Enable use of browser plugin in Snap build [#2802]
    - TOTP QR Code Generator [#1167]
    - High-DPI Scaling for 4k screens [#2404]
    - Make keyboard shortcuts more consistent [#2431]
    - Warn user if deleting referenced entries [#1744]
    - Allow toolbar to be hidden and repositioned [#1819, #2357]
    - Increase max allowed database timeout to 12 hours [#2173]
    - Password generator uses existing password length by default [#2318]
    - Improve alert message box button labels [#2376]
    - Show message when a database merge makes no changes [#2551]
    - Browser Integration Enhancements [#1497, #2253, #1904, #2232, #1850, #2218, #2391, #2396, #2542, #2622, #2637, #2790]
    - Overall Code Improvements [#2316, #2284, #2351, #2402, #2410, #2419, #2422, #2443, #2491, #2506, #2610, #2667, #2709, #2731]
2019-03-21  security: Add monocypher                                            [leot, 1 file, -1/+2]
2019-03-20  libssh: update to 0.87.                                             [wiz, 3 files, -10/+10]
    version 0.8.7 (released 2019-02-25)
    * Fixed handling extension flags in the server implementation
    * Fixed exporting ed25519 private keys
    * Fixed corner cases for rsa-sha2 signatures
    * Fixed some issues with connector
2019-03-20  caff: update to 2.9.                                                [wiz, 2 files, -7/+7]
    No relevant changes.
2019-03-20  gnupg2: updated to 2.2.14                                           [adam, 3 files, -17/+24]
    Noteworthy changes in version 2.2.14:
    * gpg: Allow import of PGP desktop exported secret keys. Also avoid importing secret keys if the secret keyblock is not valid.
    * gpg: Do not error out on version 5 keys in the local keyring.
    * gpg: Make invalid primary key algo obvious in key listings.
    * sm: Do not mark a certificate in a key listing as de-vs compliant if its use for a signature will not be possible.
    * sm: Fix certificate creation with key on card.
    * sm: Create rsa3072 bit certificates by default.
    * sm: Print Yubikey attestation extensions with --dump-cert.
    * agent: Fix cancellation handling for scdaemon.
    * agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
    * scd: Fix flushing of the CA-FPR DOs in app-openpgp.
    * scd: Avoid a conflict error with the "undefined" app.
    * dirmngr: Add CSRF protection exception for protonmail.
    * dirmngr: Fix build problems with gcc 9 in libdns.
    * gpgconf: New option --show-socket for use with --launch.
    * gpgtar: Make option -C work for archive creation.
2019-03-20  gnutls: updated to 3.6.6                                            [adam, 3 files, -9/+12]
    Version 3.6.6:
    * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key.
    * libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag.
    * libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field completely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients.
    * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set.
    * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled.
    * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional.
    * API and ABI modifications:
      GNUTLS_ENABLE_RAWPK: Added
      GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK)
      GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
      GNUTLS_PCERT_NO_CERT: Deprecated
2019-03-20  libgpg-error: updated to 1.36                                       [adam, 2 files, -8/+7]
    Noteworthy changes in version 1.36:
    * Two new error codes to better support PIV cards.
    * Support armv7a-unknown-linux-gnueabihf.
    * Increased estream buffer sizes for Windows.
    * Interface changes relative to the 1.34 release:
      GPG_ERR_NO_AUTH   NEW.
      GPG_ERR_BAD_AUTH  NEW.
2019-03-18  Recursive bump for ghostscript default change                       [gdt, 1 file, -2/+2]
2019-03-16  Add monocypher version 2.0.5                                        [maya, 6 files, -0/+78]
    Monocypher is an easy to use crypto library. It is:
    - Small. Sloccount counts about 1700 lines of code, small enough to allow audits. The binaries are under 65KB.
    - Easy to deploy. Just add monocypher.c and monocypher.h to your project. They compile as C99 or C++, have no dependency, and are dedicated to the public domain.
    - Easy to use. The API is small, consistent, and cannot fail on correct input.
    - Fast. The primitives are fast to begin with, and performance wasn't needlessly sacrificed. Monocypher holds up pretty well against Libsodium, despite being closer in size to TweetNaCl.
2019-03-16  Revbump all Go packages after Go 1.12.1 update.                     [bsiegert, 7 files, -14/+14]
2019-03-15  tor-browser: bump PKGREVISION to be on the safe side.               [wiz, 1 file, -1/+2]
    A recent firefox60 change made this use the internal jpeg library instead of the pkgsrc version.
2019-03-15  tor-browser: update for recent changes to firefox60 and rust.       [wiz, 14 files, -448/+64]
    Reduce diffs to firefox60 even more while here.
2019-03-14  polkit: Fix build on Darwin.                                        [jperkin, 2 files, -4/+16]
2019-03-10  py-certbot: updated to 0.32.0                                       [adam, 21 files, -251/+253]
    Added
    - If possible, Certbot uses built-in support for OCSP from recent cryptography versions instead of the OpenSSL binary: as a consequence Certbot does not need the OpenSSL binary to be installed anymore if cryptography>=2.5 is installed.
    Changed
    - Certbot and its acme module now depend on josepy>=1.1.0 to avoid printing the warnings described at https://github.com/certbot/josepy/issues/13.
    - Apache plugin now respects CERTBOT_DOCS environment variable when adding command line defaults.
    - The running of manual plugin hooks is now always included in Certbot's log output.
    - Tests execution for certbot, certbot-apache and certbot-nginx packages now relies on pytest.
    - An ACME CA server may return a "Retry-After" HTTP header on authorization polling, as specified in the ACME protocol, to indicate when the next polling should occur. Certbot now reads this header if set and respects its value.
    - The acme module avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received. This fallback will be removed in version 0.34.0.
2019-03-09  all: revbump Go packages, now that they use go112 to build          [bsiegert, 7 files, -14/+14]
2019-03-06  mate-polkit: update to 1.22                                         [gutteridge, 1 file, -5/+5]
    ### mate-polkit 1.22.0
    * Translations update
    * Initialize Travis CI support
2019-03-05  Updated security/ocaml-safepass for dune compatibility.             [jaapb, 3 files, -6/+6]
    Package now compatible with dune 1.7; revbump.
2019-03-05  Updated security/ocaml-ssl for dune compatibility.                  [jaapb, 3 files, -5/+6]
    Package is now compatible with dune 1.7; revbump.
2019-03-04  py-m2crypto: updated to 0.32.0                                      [adam, 3 files, -11/+22]
    0.32.0:
    - setup.py: use ${CPP} as path to cpp
    - Bump pipeline OpenSSL from 1.1.0i to 1.1.0j
    - Stub wchar_t helpers and ignore unused WCHAR defs
    - Add type comment to setup.py
2019-03-04  hitch-1.5.0 (2018-12-17)                                            [tnn, 2 files, -7/+7]
    - Support for UNIX domain socket connections.
    - New configuration file settings pem-dir and pem-dir-glob.
    - Support for TLS 1.3.
    - Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
    - Add log-level. This supersedes the previous quiet setting.
    - Add proxy-tlv. This enables extra reporting of cipher and protocol.
    - Drop TLSv1.1 from the default TLS protocols list.
2019-03-03  security/f-prot-antivirus6: remove files for f-prot-antivirus6-*-bin  [taca, 8 files, -325/+0]
    Remove common files for f-prot-antivirus6-*-bin packages.
2019-03-03  security/f-prot-antivirus6-ws-bin: remove package                   [taca, 3 files, -33/+0]
    Remove f-prot-antivirus6-ws-bin package version 6.2.3. Although F-PROT Antivirus is still supported for licensed users, its antivirus engine (i.e. the program itself) has not been updated since 2013 and it is sold for Linux and Windows (no *BSD). So it's time to remove it from pkgsrc.
2019-03-03  security/f-prot-antivirus6-fs-bin: remove package                   [taca, 3 files, -32/+0]
    Remove f-prot-antivirus6-fs-bin package version 6.2.3. Although F-PROT Antivirus is still supported for licensed users, its antivirus engine (i.e. the program itself) has not been updated since 2013 and it is sold for Linux and Windows (no *BSD). So it's time to remove it from pkgsrc.
2019-03-03  security/Makefile: remove f-prot-antivirus6*                        [taca, 1 file, -5/+1]
2019-03-03  security/f-prot-antivirus6-ms-bin: remove package                   [taca, 7 files, -238/+0]
    Remove f-prot-antivirus6-ms-bin package version 6.2.3. Although F-PROT Antivirus is still supported for licensed users, its antivirus engine (i.e. the program itself) has not been updated since 2013 and it is sold for Linux and Windows (no *BSD). So it's time to remove it from pkgsrc.
2019-03-03  py-asyncssh: updated to 1.16.0                                      [adam, 3 files, -15/+18]
    1.16.0:
    - Added support for Ed448 host/client keys and certificates and rewrote Ed25519 support to use the PyCA implementation, reducing the dependency on libnacl and libsodium to only be needed to support the chacha20-poly1305 cipher.
    - Added support for PKCS-8 format Ed25519 and Ed448 private and public keys (in addition to the OpenSSH format previously supported).
    - Added support for multiple delimiters in SSHReader's readuntil() function, causing it to return data as soon as any of the specified delimiters are matched.
    - Added the ability to register custom key handlers in the line editor which can modify the input line, extending the built-in editing functionality.
    - Added SSHSubprocessProtocol and SSHSubprocessTransport classes to provide compatibility with asyncio.SubprocessProtocol and asyncio.SubprocessTransport. Code which is designed to call BaseEventLoop.subprocess_shell() or BaseEventLoop.subprocess_exec() can be easily adapted to work against a remote process by calling SSHClientConnection.create_subprocess().
    - Added support for sending keepalive messages when the SSH connection is idle, with an option to automatically disconnect the connection if the remote system doesn't respond to these keepalives.
    - Changed AsyncSSH to ignore errors when loading unsupported key types from the default file locations.
    - Changed the reuse_port option to only be available on Python releases which support it (3.4.4 and later).
    - Fixed an issue where MSG_IGNORE packets could sometimes be sent between MSG_NEWKEYS and MSG_EXT_INFO, which caused some SSH implementations to fail to properly parse the MSG_EXT_INFO.
    - Fixed a couple of errors in the handling of disconnects occurring prior to authentication completing.
    - Renamed "session_encoding" and "session_errors" arguments in asyncssh.create_server() to "encoding" and "errors", to match the names used for these arguments in other AsyncSSH APIs. The old names are still supported for now, but they are marked as deprecated and will be removed in a future release.
2019-02-28  py-cryptography[_vectors]: updated to 2.6.1                         [adam, 6 files, -16/+40]
    2.6.1:
    * Resolved an error in our build infrastructure that broke our Python3 wheels for macOS and Linux.
    2.6:
    * **BACKWARDS INCOMPATIBLE:** Removed cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature and cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature, which had been deprecated for nearly 4 years. Use cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature and cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature instead.
    * **BACKWARDS INCOMPATIBLE:** Removed cryptography.x509.Certificate.serial, which had been deprecated for nearly 3 years. Use cryptography.x509.Certificate.serial_number instead.
    * Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.1b.
    * Added support for Ed448 (hazmat/primitives/asymmetric/ed448) when using OpenSSL 1.1.1b or newer.
    * Added support for Ed25519 (hazmat/primitives/asymmetric/ed25519) when using OpenSSL 1.1.1b or newer.
    * cryptography.hazmat.primitives.serialization.load_ssh_public_key can now load ed25519 public keys.
    * Add support for easily mapping an object identifier to its elliptic curve class via cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid.
    * Add support for OpenSSL when compiled with the no-engine (OPENSSL_NO_ENGINE) flag.
2019-02-27  py-keyring: updated to 18.0.0                                       [adam, 3 files, -18/+25]
    18.0.0
    * On macOS, the backend now raises a KeyringLocked when access to the keyring is denied (on get or set) instead of PasswordSetError or KeyringError. Any API users may need to account for this change, probably by catching the parent KeyringError. Additionally, the error message from the underlying error is now included in any errors that occur.
    17.1.1
    * Update packaging technique to avoid 0.0.0 releases.
    17.1.0
    * When calling keyring.core.init_backend, if any limit function is supplied, it is saved and later honored by the ChainerBackend as well.
    17.0.0
    * Remove application attribute from stored passwords using SecretService, addressing regression introduced in 10.5.0. Impacted Linux keyrings will once again prompt for a password for "Python program".
    16.1.1
    * Fix error on import due to circular imports on Python 3.4.
    16.1.0
    * Refactor ChainerBackend, introduced in 16.0 to function as any other backend, activating when relevant.
    16.0.2
    * In Windows backend, trap all exceptions when attempting to import pywin32.
    16.0.1
    * Once again allow all positive, non-zero priority keyrings to participate.
    16.0.0
    * Fix race condition in delete_password on Windows.
    * All suitable backends (priority 1 and greater) are allowed to participate.
    15.2.0
    * Added new API for get_credentials, for backends that can resolve both a username and password for a service.
    15.1.0
    * Add the Null keyring, disabled by default.
    * Added --disable option to command-line interface.
    * Now honor a PYTHON_KEYRING_BACKEND environment variable to select a backend. Environments may set to keyring.backends.null.Keyring to disable keyring.
2019-02-25  tor-browser: update to 8.5.                                         [wiz, 169 files, -6245/+2810]
    This is based on a git checkout from a couple days ago; not completely sure about the version number.

    The Makefile now contains a short how-to for updating this package.

    Many thanks for the www/firefox60 patches!

    Use at your own risk! Survives basic browsing and check.torproject.org claims it connects via tor.

    Changes: too many to document.
2019-02-23  py-certbot-dns-luadns: add version 0.31.0                           [triaxx, 5 files, -1/+50]
    LuaDNS Authenticator plugin for Certbot
2019-02-23  py-certbot-dns-nsone: add version 0.31.0                            [triaxx, 5 files, -1/+49]
    NS1 DNS Authenticator plugin for Certbot
2019-02-23  tor-browser: comment out non-existing URL (MASTER_SITES)            [wiz, 1 file, -2/+2]
2019-02-19  py-nacl: Fix correct name of the package (remove py-prefix)         [tm, 1 file, -2/+2]
2019-02-19  py-nacl: Provide PKGNAME fix to work with lintpkgsrc                [tm, 1 file, -2/+2]
2019-02-19  py-nacl: remove unwanted example file                               [tm, 1 file, -95/+0]
2019-02-19  py-nacl: update to 1.3.0                                            [tm, 4 files, -52/+169]
    1.3.0 2018-09-26
    - Added support for Python 3.7.
    - Update libsodium to 1.0.16.
    - Run and test all code examples in PyNaCl docs through sphinx's doctest builder.
    - Add low-level bindings for chacha20-poly1305 AEAD constructions.
    - Add low-level bindings for the chacha20-poly1305 secretstream constructions.
    - Add low-level bindings for ed25519ph pre-hashed signing construction.
    - Add low-level bindings for constant-time increment and addition on fixed-precision big integers represented as little-endian byte sequences.
    - Add low-level bindings for the ISO/IEC 7816-4 compatible padding API.
    - Add low-level bindings for libsodium's crypto_kx... key exchange construction.
    - Set hypothesis deadline to None in tests/test_pwhash.py to avoid incorrect test failures on slower processor architectures. GitHub issue #370
    1.2.1 - 2017-12-04
    - Update hypothesis minimum allowed version.
    - Infrastructure: add proper configuration for readthedocs builder runtime environment.
    1.2.0 - 2017-11-01
    - Update libsodium to 1.0.15.
    - Infrastructure: add jenkins support for automatic build of manylinux1 binary wheels
    - Added support for SealedBox construction.
    - Added support for argon2i and argon2id password hashing constructs and restructured high-level password hashing implementation to expose the same interface for all hashers.
    - Added support for 128 bit siphashx24 variant of siphash24.
    - Added support for from_seed APIs for X25519 keypair generation.
    - Dropped support for Python 3.3.
2019-02-14  py-cryptopp: updated to 0.7.1                                       [adam, 3 files, -19/+34]
    release pycryptopp-0.7.1
    - disable optimized assembly implementations by default
    - tweaks to the benchmarking scripts
2019-02-14  caff: Fix build under macOS and possibly other platforms            [tron, 1 file, -2/+2]
    Add GNU sed to the list of required build tools because the makefile uses the non standard option "-i".
2019-02-14  add and enable pinentry-fltk                                        [jnemeth, 1 file, -1/+2]
2019-02-13  libssh: update to 0.86.                                             [wiz, 3 files, -11/+10]
    version 0.8.6 (released 2018-12-24)
    * Fixed compilation issues with different OpenSSL versions
    * Fixed StrictHostKeyChecking in new knownhosts API
    * Fixed ssh_send_keepalive() with packet filter
    * Fixed possible crash with knownhosts options
    * Fixed issues with rekeying
    * Fixed strong ECDSA keys
    * Fixed some issues with rsa-sha2 extensions
    * Fixed access violation in ssh_init() (static linking)
    * Fixed ssh_channel_close() handling
2019-02-13  caff: update to 2.8.                                                [wiz, 3 files, -16/+14]
    signing-party (2.8-1) unstable; urgency=low

      [ Guilhem Moulin ]
      * caff:
        + Add the "only-sign-text-ids" to the list of gpg(1) options imported from ~/.gnupg/gpg.conf.
        + Ensure the terminal is "sane enough" when asking questions ('echo', 'echok', 'icanon', 'icrnl' settings are all set), and restore original settings when exit()'ing the program. (Closes: #872529)
      * caff, gpglist, gpgsigs: in `gpg --with-colons` output, allow signature class to be followed with an optional revocation reason. gpg(1) does that since 2.2.9. (Closes: #905097.)
      * caff, gpg-key2latex, gpg-key2ps, gpglist, gpgsigs, keylookup: Remove references to https://pgp-tools.alioth.debian.org/ .
      * caff, gpg-key2latex, gpg-key2ps, gpg-mailkeys, gpglist, gpgparticipants, gpgsigs, keylookup: Remove SVN keywords ($Id$, $Rev$, etc.)

     -- Guilhem Moulin <guilhem@debian.org>  Mon, 28 Jan 2019 03:05:33 +0100
2019-02-13  libsecret: update to 0.18.7.                                        [wiz, 3 files, -24/+7]
    0.18.7
    * Migrate from intltool to gettext [!2]
    * Fix uninitialized memory returned by secret_item_get_schema_name() [#15]
    * secret-session: Avoid double-free in service_encode_plain_secret()
    * Port tap script to Python 3 [!4]
    * Build and test fixes [#734630]
    * Updated translations
2019-02-13  pinentry/Makefile.common: mention pinentry-fltk                     [wiz, 1 file, -1/+2]