path: root/security
Age | Commit message | Author | Files | Lines
2019-09-20 | py-keyrings.alt: updated to 3.1.1 | adam | 3 | -11/+14
3.1.1
Trap AttributeError in Gnome backend as in some environments it seems that will happen.
Fix issue where a backslash in the service name would cause errors on Registry backend on Windows.
3.1
``keyrings.alt`` no longer depends on the ``keyring.util.escape`` module.
3.0
``keyrings`` namespace should now use the pkgutil native technique rather than relying on pkg_resources.
2.4
File based backends now reject non-string types for passwords.
2019-09-20 | py-keyring: updated to 19.2.0 | adam | 2 | -7/+7
19.2.0
* Add support for get_credential() with the SecretService backend
2019-09-18 | libssh: update patch | nia | 1 | -5/+14
2019-09-18 | gnutls: fix PLIST | tnn | 1 | -2/+2
2019-09-18 | security/gnutls: Add ability to link against libunbound for DANE support. | ng0 | 3 | -2/+25
2019-09-18 | Recursive revbump from audio/pulseaudio | ryoon | 5 | -7/+10
2019-09-17 | Update ccid to version 1.4.27, including link requirement in pcsc-lite. | perseant | 3 | -11/+10
Closes PR security/54556.
2019-09-16 | Fix compilation of gnutls with compilers missing __get_cpuid_count | nros | 4 | -5/+161
Fix compilation of gnutls with compilers missing __get_cpuid_count. Taken from upstream and fixed in version 3.6.10. Fixes compilation on NetBSD 8 without setting GCC_REQD.
2019-09-16 | scrypt: update to 1.3.0. | wiz | 2 | -7/+7
Significant changes since 1.2.1:
* In addition to the scrypt command-line utility, a library "libscrypt-kdf" can now be built and installed by passing the --enable-libscrypt-kdf option to configure.
* On x86 CPUs which support them, RDRAND and SHA extensions are used to provide supplemental entropy and speed up hash computations respectively.
* When estimating the amount of available RAM, scrypt ignores RLIMIT_DATA on systems which have mmap.
* A new command "scrypt info encfile" prints information about an encrypted file without decrypting it.
2019-09-16 | gnutls: Update to 3.6.9 | nia | 3 | -11/+13
* Version 3.6.9 (released 2019-07-25)
** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy of digest or MAC context. Copying contexts for externally-registered digest and MAC contexts is unsupported (#787).
** Marked the crypto implementation override APIs as deprecated. These APIs are rarely used, are for a niche use case, but have significant side effects, such as preventing any internal re-organization and extension of the internal cipher API. The APIs remain functional though a compiler warning will be issued, and a future minor version update may transform them to a no-op while keeping ABI compatibility (#789).
** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).
** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().
** libgnutls: Added support for Generalname registeredID.
** The priority configuration was enhanced to allow more elaborate system-wide configuration of the library (#587). The following changes were included:
- The file is read as an ini file with '#' indicating a comment.
- The section "[priorities]" or global follows the existing semantics of the configuration file, and allows to specify system-wide priority strings which are accessed with the '@' prefix.
- The section "[overrides]" is added with the parameters "insecure-hash", "insecure-sig", "insecure-sig-for-cert", "disabled-curve", "disabled-version", "min-verification-profile", "tls-disabled-cipher", "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit specific algorithms or options globally. Existing algorithms in the library can be marked as disabled and insecure, but no hard-coded insecure algorithm can be marked as secure (so that the configuration cannot be abused to make the system vulnerable).
- Unknown sections or options are skipped with a debug message, unless the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is set to 1.
** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE - 0x20: Enable SHA_NI instruction set
** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
2019-09-15 | seahorse-plugins: Remove dependency on GNOME 2's gedit. | nia | 2 | -7/+5
Bump PKGREVISION.
2019-09-15 | libssh: Update to 0.90 | nia | 3 | -11/+11
ChangeLog
Added support for AES-GCM
Added improved rekeying support
Added performance improvements
Disabled blowfish support by default
Fixed several ssh config parsing issues
Added support for DH Group Exchange KEX
Added support for Encrypt-then-MAC mode
Added support for parsing server side configuration file
Added support for ECDSA/Ed25519 certificates
Added FIPS 140-2 compatibility
Improved known_hosts parsing
Improved documentation
Improved OpenSSL API usage for KEX, DH, KDF and signatures
2019-09-14 | security/doas: Remove system mentions in DESCR and fix a typo. | ng0 | 1 | -3/+2
2019-09-14 | security/doas: Update to 6.2p1 | ng0 | 2 | -9/+9
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p1
* Fixes a crash on Linux systems when a specified user on the command line did not match a valid entry in the doas.conf file. In the past, doas would first try to find an exact username match when the "-u" flag was used and, if one could not be found, it would try to find a matching numeric UID. Now doas requires that an exact username be specified when "-u" is used. This avoids confusion (and, on Linux, fuzzy matches when a username begins with a number). This means "doas -u 0" can no longer be used to run a command as root, and "doas -u 1000" is not ambiguous if there is a user with the name "1000" on the system.
doas 6.2
* Group permissions of the original user are now dropped on Linux. This prevents the original user's group access from interfering with the target user's owned files. Group permissions were already dropped on FreeBSD (and I believe) NetBSD, and this brings doas's Linux behaviour into line with the other systems.
* Fixed a couple of compiler warnings that get rid of either unneeded variables or introduce sanity checks on return functions. This should make doas more secure, across platforms/compilers.
doas 6.1p1
* ported to illumos, added support for SmartOS and OpenIndiana.
* Better pkgsrc integration.
2019-09-14 | ykpers: needs asciidoc | tnn | 1 | -1/+3
2019-09-12 | ykclient: update to 2.15 | tnn | 2 | -12/+15
* Version 2.15 (released 2015-11-12)
** Add ykclient_get_server_response() to the library.
** Show more information from the commandline on debug.
** Add proxy support via Curl.
* Version 2.14 (released 2015-03-05)
** Switch default templates to https.
** Fixup call to curl_easy_escape() to use an easy handle.
2019-09-12 | ykpers: update to 1.20.0 | tnn | 3 | -26/+15
* Version 1.20.0 (released 2019-07-03)
** Add yk_open_key_vid_pid() allowing vid and pid to be specified.
** Documentation fixes.
** Clear potentially sensitive material from buffers.
** Fix potential buffer overwrite.
* Version 1.19.3 (released 2019-02-22)
** Fix capability read.
* Version 1.19.2 (released 2019-02-19)
** Fix test on mac.
** Fix serial read and challenge response.
* Version 1.19.1 (released 2019-02-19)
** Error out on json output with randomSeed.
** Validate more length fields.
** Use correct FormatMessage function on windows.
** Overflow, bounds and error condition checks.
** Try to zero sensitive memory better.
* Version 1.19.0 (released 2018-04-24)
** Add yk_write_device_info().
** Add ykpersonalize cli switch -D for device info.
** Add code for handling personalization interface of major version 5.
* Version 1.18.1 (released 2018-01-16)
** Support reading accesscode and private ID from stdin.
** Parse optional arguments correctly.
** Documentation fixes.
** Fix for ykinfo modhex serial output when it ends with c.
** Treat all firmware versions as supported.
* Version 1.18.0 (released 2017-01-27)
** Let ykchalresp read challenge from a file.
** Add support of working with a numbered key when many connected. Thanks to Thomas Habets <habets@google.com>
** Documentation clarifications.
** Fixup argument parsing of flags with optional arguments on BSD platforms.
** Fix a file descriptor leak on windows.
* Version 1.17.3 (released 2015-12-28)
** Don't read too much if we don't find a key.
** Text updates to make options clearer.
** Correct logic for question when mode switching to non-otp mode.
** Add 4.3 as supported firmware.
* Version 1.17.2 (released 2015-09-22)
** Let _yk_write() return an error if yk_wait_for_key_status() fails.
** Fix a mistake in help, fixed is up to 16 bytes, 32 characters.
** Add 4.2 as supported firmware.
* Version 1.17.1 (released 2015-04-01)
** Fixup of 1.17.0
* Version 1.17.0 (released 2015-04-01)
** add yk_get_capabilities() to fetch capabilities.
** add -c to ykinfo to fetch capabilities.
** whitelist firmware 4.1.x
* Version 1.16.4 (released 2015-03-23)
** change the tool to accept autoeject time as a short instead of a byte
* Version 1.16.3 (released 2015-03-10)
** whitelist YubiKey version 3.4.x
** only try to set libusb configuration if it's unset on the device
* Version 1.16.2 (released 2014-11-28)
** ykinfo: fix modhex printout when serial is an odd number of hex digits.
** whitelist yubikey version 4.0.x
** try to open more PIDs and add for udev.
2019-09-12 | libyubikey: update to 1.13 | tnn | 2 | -7/+7
* Version 1.13 (released 2015-03-05) ** Correct hex decode with uneven characters, for example "abc".
2019-09-12 | security/heimdal: replace deprecated _PKG_SILENT and _PKG_DEBUG | rillig | 1 | -2/+2
2019-09-12 | security/libdes: fix pkglint warnings | rillig | 1 | -7/+7
2019-09-12 | py-certifi: updated to 2019.9.11 | adam | 2 | -7/+7
2019.9.11: Unknown changes
2019-09-12 | py-acme py-certbot*: updated to 0.38.0 | adam | 16 | -77/+77
0.38.0:
Added
Disable session tickets for Nginx users when appropriate.
Changed
If Certbot fails to rollback your server configuration, the error message links to the Let's Encrypt forum. Change the link to the Help category now that the Server category has been closed.
Replace platform.linux_distribution with distro.linux_distribution as a step towards Python 3.8 support in Certbot.
Fixed
Fixed OS detection in the Apache plugin on Scientific Linux.
2019-09-11 | KeePass: Update to 2.43 | nia | 4 | -18/+31
Switch away from mono2 and install a desktop file.
2019-09-09 | gpgme: fix for older GCC. | maya | 1 | -2/+4
Remove unrecognized flag (GCC 4.8.5), default to -std=gnu99, since we have loop initial declarations. Tested on SmartOS and CentOS 7.
2019-09-09 | snoopy: Strip -Werror | nia | 1 | -1/+3
Needed to build on NetBSD 9 with gcc7.
2019-09-06 | clamav: Disable mapfile on SunOS. | jperkin | 1 | -1/+3
There are a couple of functions that aren't defined, and this is easier than patching (and doesn't impact other OS).
2019-09-06 | Add legacymodsz option to allow short (insecure) RSA keys | manu | 3 | -3/+28
This may be required in order to access old, non-upgradable, devices for which modulus size is less than 1024 bits (frequently 768 bits).
2019-09-02 | Changed PYTHON_VERSIONS_INCOMPATIBLE to PYTHON_VERSIONS_ACCEPTED; needed for future Python 3.8 | adam | 21 | -42/+42
2019-09-02 | p5-Crypt-DH-GMP: remove empty PLIST | adam | 1 | -1/+0
2019-09-02 | libgcrypt: Update to 1.8.5 | nia | 3 | -10/+11
Noteworthy changes in version 1.8.5 (2019-08-29) [C22/A2/R5]
------------------------------------------------
* Bug fixes:
- Add mitigation against an ECDSA timing attack. [#4626,CVE-2019-13627]
- Improve ECDSA unblinding.
* Other features:
- Provide a pkg-config file for libgcrypt.
Release-info: https://dev.gnupg.org/T4683
2019-09-02 | py-keyring: updated to 19.1.0 | adam | 3 | -18/+12
19.1.0
* macOS Keyring now honors a ``KEYCHAIN_PATH`` environment variable. If set, Keyring will use that keychain instead of the default.
19.0.2
* Refresh package skeleton.
* Adopt `black <https://pypi.org/project/black>`_ code style.
19.0.1
* Merge with 18.0.1.
18.0.1
* ExceptionInfo no longer retains a reference to the traceback.
2019-09-02 | py-cryptodome: updated to 3.9.0 | adam | 3 | -8/+40
3.9.0:
New features
* Add support for loading PEM files encrypted with AES256-CBC.
* Add support for XChaCha20 and XChaCha20-Poly1305 ciphers.
* Add support for bcrypt key derivation function (`Crypto.Protocol.KDF.bcrypt`).
* Add support for left multiplication of an EC point by a scalar.
* Add support for importing ECC and RSA keys in the new OpenSSH format.
Resolved issues
* it was not possible to invert an EC point anymore.
* fix printing of DSA keys.
* `DSA.generate()` was not always using the `randfunc` input.
* the MD2 hash had block size of 64 bytes instead of 16; as result the HMAC construction gave incorrect results.
2019-09-02 | py-asn1: updated to 0.4.7 | adam | 2 | -7/+7
Revision 0.4.7:
- Added `isInconsistent` property to all constructed types. This property conceptually replaces `verifySizeSpec` method to serve a more general purpose e.g. ensuring all required fields are in a good shape. By default this check invokes subtype constraints verification and is run by codecs on value de/serialisation.
- Deprecate `subtypeSpec` attributes and keyword argument. It is now recommended to pass `ValueSizeConstraint`, as well as all other constraints, to `subtypeSpec`.
- Fixed a design bug in a way of how the items assigned to constructed types are verified. Now if `Asn1Type`-based object is assigned, its compatibility is verified based on having all tags and constraint objects as the type in field definition. When a bare Python value is assigned, then field type object is cloned and initialized with the bare value (constraints verification would run at this moment).
- Added `WithComponentsConstraint` along with related `ComponentPresentConstraint` and `ComponentAbsentConstraint` classes to be used with `Sequence`/`Set` types representing `SET ... WITH COMPONENTS ...` like ASN.1 constructs.
2019-08-31 | acmesh: Update to 2.8.2 | nia | 2 | -7/+7
- Support notifications for renewal: email, mailgun, sendgrid, IFTTT, pushover etc. https://github.com/Neilpang/acme.sh/wiki/notify
- add deploy hook to docker containers: https://github.com/Neilpang/acme.sh/wiki/deploy-to-docker-containers
- dns api: Schlundtech, NLnetLabs, acmeproxy, durabledns, Active24, MaraDNS, regru, jdcloud.com (京东云), Vultr, hexonet
- Support cloudflare new dns api Token format
- bug fixes.
2019-08-30 | Update opendnssec to version 1.4.14. | he | 3 | -38/+21
Pkgsrc changes:
* Adapt patch to enforcer/utils/Makefile.in
Upstream changes:
* OPENDNSSEC-888: Fixup database conversion script.
* OPENDNSSEC-752: Incorrect calculated number of KSKs needed when KSK and ZSK have exactly the same parameters.
* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for same rrset are mismatching.
2019-08-27 | kwallet: update to 5.61.0 | markd | 3 | -19/+8
5.61.0
Move kwalletd initialization earlier
Remove kde4 migration agent completely
5.58.0
Set correct kwalletd_bin_path
Export path of kwalletd binary for kwallet_pam
2019-08-27 | kdesu: update to 5.61.0 | markd | 1 | -5/+5
changes unknown
2019-08-27 | kauth: update to 5.61.0 | markd | 5 | -28/+18
5.59.0
Don't hardcode dbus policy install dir
5.58.0
Force KAuth helpers to have UTF-8 support
2019-08-27 | py-ntlm-auth: updated to 1.4.0 | adam | 2 | -7/+7
1.4.0: * Added the session_key attribute to the NtlmContext class so the session key can be accessed in downstream libraries
2019-08-25 | py-asyncssh: updated to 1.18.0 | adam | 3 | -11/+8
Release 1.18.0:
Added support for GSSAPI ECDH and Edwards DH key exchange algorithms.
Fixed gssapi-with-mic authentication to work with GSS key exchanges, in cases where gssapi-keyex is not supported.
Made connect_ssh and connect_reverse_ssh methods into async context managers, simplifying the syntax needed to use them to create tunneled SSH connections.
Fixed a couple of issues with known hosts matching on tunneled SSH connections.
Improved flexibility of key/certificate parser automatic format detection to properly recognize PEM even when other arbitrary text is present at the beginning of the file. With this change, the parser can also now handle mixing of multiple key formats in a single file.
Added support for OpenSSL “TRUSTED” PEM certificates. For now, no enforcement is done of the additional trust restrictions, but such certificates can be loaded and used by AsyncSSH without converting them back to regular PEM format.
Fixed some additional SFTP and SCP issues related to parsing of Windows paths with drive letters and paths with multiple colons.
Made AsyncSSH tolerant of a client which sends multiple service requests for the “ssh-userauth” service. This is needed by the Paramiko client when it tries more than one form of authentication on a connection.
2019-08-24 | security/doas: change license to add bsd-3 and isc. | ng0 | 1 | -2/+2
2019-08-24 | Updated security/ocaml-ssl to version 0.5.9. | jaapb | 3 | -11/+10
This includes API changes to add support for hostname validation and ALPN support, as well as some minor changes.
2019-08-23 | security/doas: Add version 6.1 (from wip) | ng0 | 5 | -1/+56
doas is a port of OpenBSD's doas which runs on FreeBSD, Linux and NetBSD. The doas utility is a program originally written for OpenBSD which allows a user to run a command as though they were another user. Typically doas is used to allow non-privileged users to run commands as though they were the root user. The doas program acts as an alternative to sudo, which is a popular method in the Linux community for granting admin access to specific users. The doas program offers two benefits over sudo: its configuration file has a simple syntax and it is smaller, requiring less effort to audit the code. This makes it harder for both admins and coders to make mistakes that potentially open security holes in the system.
2019-08-23 | py-certbot: updated to 0.37.2 | adam | 22 | -88/+93
0.37.2:
Stop disabling TLS session tickets in Nginx as it caused TLS failures on some systems.
0.37.1:
Fixed
Stop disabling TLS session tickets in Apache as it caused TLS failures on some systems.
0.37.0:
Added
Turn off session tickets for apache plugin by default
acme: Authz deactivation added to acme module.
Changed
Follow updated Mozilla recommendations for Nginx ssl_protocols, ssl_ciphers, and ssl_prefer_server_ciphers
Fixed
Fix certbot-auto failures on RHEL 8.
2019-08-22 | Recursive revbump from boost-1.71.0 | ryoon | 20 | -38/+40
2019-08-22 | py-josepy: updated to 1.2.0 | adam | 4 | -52/+66
1.2.0:
* Support for Python 2.6 and 3.3 has been removed.
* Known incompatibilities with Python 3.8 have been resolved.
2019-08-21 | p5-CryptX: updated to 0.0.64 | adam | 2 | -8/+7
0.064:
- fix libtommath patch - building on HP-UX 11.11 / PA-RISC
- necessary XS adaptation to the latest libtommath
- bundled libtomcrypt update branch:develop
2019-08-20 | Updated security/dehydrated to version 0.6.5. | nils | 3 | -10/+10
Some of the upstream changes since 0.4.0:
* OpenSSL binary path is now configurable
* Support for ACME v02
* Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
* Use new ACME v2 endpoint by default
* Initial support for tls-alpn-01 validation
* OCSP refresh interval is now configurable
Full changelog available here: https://github.com/lukas2511/dehydrated/blob/v0.6.5/CHANGELOG
2019-08-16 | libsecret: update to 0.18.8. | wiz | 2 | -8/+8
Despite the changelog, the meson files are not included in the distribution, so keep using autoconf for this release.
0.18.8
* Add support for g_autoptr() to our types [!11]
* Remove deprecated g_type_class_add_private() [!14]
* Bump GLib dependency (2.44+)
* Add meson build support [!9]
* Fix vapi generation [!15, ...]
* Build fixes [!12, !13]
* Updated translations
2019-08-15 | Build fix for OS X Tiger via Macports | sevan | 2 | -1/+23