Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
55, 56 and 70
|
|
|
|
2.040 2016/12/17
- fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
|
|
1.7.1 - 2016-12-13
~~~~~~~~~~~~~~~~~~
* Fixed a regression in ``int_from_bytes`` where it failed to accept
``bytearray``.
1.7 - 2016-12-12
~~~~~~~~~~~~~~~~
* Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL
will need to upgrade.
* Added support for Diffie-Hellman key exchange using
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization.exchange`
* The OS random engine for OpenSSL has been rewritten to improve compatibility
with embedded Python and other edge cases. More information about this change
can be found in the
`pull request <https://github.com/pyca/cryptography/pull/3229>`_.
|
|
* gpg: New algorithm for selecting the best ranked public key when
using a mail address with -r, -R, or --locate-key.
* gpg: New option --with-tofu-info to print a new "tfs" record in
colon formatted key listings.
* gpg: New option --compliance as an alternative way to specify
options like --rfc2440, --rfc4880, et al.
* gpg: Many changes to the TOFU implementation.
* gpg: Improve usability of --quick-gen-key.
* gpg: In --verbose mode print a diagnostic when a pinentry is
launched.
* gpg: Remove code which warns for old versions of gnome-keyring.
* gpg: New option --override-session-key-fd.
* gpg: Option --output does now work with --verify.
* gpgv: New option --output to allow saving the verified data.
* gpgv: New option --enable-special-filenames.
* agent, dirmngr: New --supervised mode for use by systemd and alike.
* agent: By default listen on all available sockets using standard
names.
* agent: Invoke scdaemon with --homedir.
* dirmngr: On Linux now detects the removal of its own socket and
terminates.
* scd: Support ECC key generation.
* scd: Support more card readers.
* dirmngr: New option --allow-version-check to download a software
version database in the background.
* dirmngr: Use system provided CAs if no --hkp-cacert is given.
* dirmngr: Use a default keyserver if none is explicitly set
* gpgconf: New command --query-swdb to check software versions
against an copy of an online database.
* gpgconf: Print the socket directory with --list-dirs.
* tools: The WKS tools now support draft version -02.
* tools: Always build gpg-wks-client and install under libexec.
* tools: New option --supported for gpg-wks-client.
* The log-file option now accepts a value "socket://" to log to the
socket named "S.log" in the standard socket directory.
* Provide fake pinentries for use by tests cases of downstream
developers.
* Fixed many bugs and regressions.
* Many changes and improvements for the test suite.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Many of these definitely do not depend on readline.
So there must be a different underlying problem, and that
should be tracked down instead of papering over it.
|
|
Noteworthy changes in version 1.7.4 (2016-12-09) [C21/A1/R4]
------------------------------------------------
* Performance:
- More ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
- Add ARMv8/AArch32 assembly implementation for Twofish and
Camellia.
- Add bulk processing implementation for ARMv8/AArch32.
- Add Stribog OIDs.
- Improve the DRBG performance and sync the code with the Linux
version.
* Internal changes:
- When secure memory is requested by the MPI functions or by
gcry_xmalloc_secure, they do not anymore lead to a fatal error if
the secure memory pool is used up. Instead new pools are
allocated as needed. These new pools are not protected against
being swapped out (mlock can't be used). However, these days
this is considered a minor issue and can easily be mitigated by
using encrypted swap space.
* Bug fixes:
- Fix GOST 28147 CryptoPro-B S-box.
- Fix error code handling of mlock calls.
|
|
|
|
|
|
PR 51696 by Dmitry Marakasov.
|
|
solves:
=> Bootstrap dependency digest>=20010302: found digest-20160304
===> Building for openssl-1.0.2jnb1
making depend in crypto...
gmake[1]: Entering directory '/construction/security/openssl/work/openssl-1.0.2j/crypto'
../util/domd: makedepend: not found
|
|
new packages. Most of which are the remaining modules of the Tryton
platform which weren't packaged. The others are dependencies of the new
modules. This was tested on FreeBSD and is based in large part on Richard
Palo's (richard@) work. This is the most recent release of the Tryton
platform, version 4.2. There's a very large list of changes from the 3.8
series we have in pkgsrc. If you're interested, those functional changes
can be found here:
http://www.tryton.org/posts/new-tryton-release-42.html
http://www.tryton.org/posts/new-tryton-release-40.html
|
|
Changelog from 0.9.3 and 0.9.4 is quite long. Expect new and improved
jails, actions and filter. Details are here :
- https://github.com/fail2ban/fail2ban/releases/tag/0.9.4
- https://github.com/fail2ban/fail2ban/releases/tag/0.9.5
Pkgsrc changes are :
- added man pages (fail2ban-testcases.1 fail2ban.1)
- added and reorderd filters, actions, and documentation files
- minor edits to please pkglint
|
|
|
|
|
|
Solves:
/usr/libexec/binutils225/elf/ld.gold: error: cannot find -lreadline
The missing specification is obvious on DragonFly because there's
no publically accessible version of readline in base.
|
|
|
|
Bump PKGREVISION.
Noticed by marino.
|
|
|
|
|
|
|
|
Noteworthy changes in version 1.0.0 (2016-11-22)
------------------------------------------------
* Qt pinentry now supports repeat mode in one dialog.
* Qt and GTK pinentries now make it possible to show the entered
value.
* Qt pinentry now only grabs the keyboard if an entry field is
focused.
* Fixed foreground handling in pinentry-qt if compiled with Qt5 for
Windows.
* Fixed potential crash in Qt qualitybar calculation.
* GTK keyboard grabbing is now a bit more robust. The cursor is
changed to a big dot as a visual indication that a pinentry has
popped up and is waiting for input.
* The GNOME pinentry now falls back to curses if it can't use the
GCR system prompter or a screenlock is active.
* Fixed error output for cached passwords.
* A show/hide passphrase button or checkbox is now available with
some pinentry flavors.
* Improved diagnostics and error codes.
|
|
2.0.1 (2016-11-23)
------------------
* (FIX) Normalize handling of request.scopes list
|
|
1.6 - 2016-11-22
~~~~~~~~~~~~~~~~
* Deprecated support for OpenSSL 1.0.0. Support will be removed in
``cryptography`` 1.7.
* Replaced the Python-based OpenSSL locking callbacks with a C version to fix
a potential deadlock that could occur if a garbage collection cycle occurred
while inside the lock.
* Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
:class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL
1.1.0.
* Added
:attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to
:class:`~cryptography.x509.Certificate`.
* Added
:attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid`
support to :class:`~cryptography.x509.CertificateSigningRequest`.
* Added
:attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid`
support to :class:`~cryptography.x509.CertificateRevocationList`.
* Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`
when using OpenSSL 1.1.0.
* Added a workaround to improve compatibility with Python application bundling
tools like ``PyInstaller`` and ``cx_freeze``.
* Added support for generating a
:meth:`~cryptography.x509.random_serial_number`.
* Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509
certificates for use with :class:`~cryptography.x509.NameConstraints`.
* Added :meth:`~cryptography.x509.Name.public_bytes` to
:class:`~cryptography.x509.Name`.
* Added :class:`~cryptography.x509.RelativeDistinguishedName`
* :class:`~cryptography.x509.DistributionPoint` now accepts
:class:`~cryptography.x509.RelativeDistinguishedName` for
:attr:`~cryptography.x509.DistributionPoint.relative_name`.
Deprecated use of :class:`~cryptography.x509.Name` as
:attr:`~cryptography.x509.DistributionPoint.relative_name`.
* :class:`~cryptography.x509.Name` now accepts an iterable of
:class:`~cryptography.x509.RelativeDistinguishedName`. RDNs can
be accessed via the :attr:`~cryptography.x509.Name.rdns`
attribute. When constructed with an iterable of
:class:`~cryptography.x509.NameAttribute`, each attribute becomes
a single-valued RDN.
* Added
:func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
* Added support for signing and verifying RSA, DSA, and ECDSA signatures with
:class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
digests.
|
|
2.039 2016/11/20
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
EOF without proper SSL shutdown. Since it looks like that this behavior will
be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
on SSL_ERROR_SYSCALL as EOF.
|
|
Noteworthy changes in version 1.25 (2016-11-14) [C20/A20/R0]
-----------------------------------------------
* New interface gpgrt_get_syscall_clamp to allow libaries to make use
of Libgpg-error's system call wrapper functions.
* gpgrt_poll does now work under Windows.
* Fixed bug in the locking code when used with the nPth threading
library.
* Added support for {i686,x86_64}-apple-darwin.
* Added new error codes.
* Interface changes relative to the 1.23 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgrt_get_syscall_clamp NEW.
GPG_ERR_ENGINE_TOO_OLD NEW.
GPG_ERR_WINDOW_TOO_SMALL NEW.
GPG_ERR_WINDOW_TOO_LARGE NEW.
GPG_ERR_MISSING_ENVVAR NEW.
GPG_ERR_USER_ID_EXISTS NEW.
GPG_ERR_NAME_EXISTS NEW.
GPG_ERR_DUP_NAME NEW.
GPG_ERR_TOO_OLD NEW.
GPG_ERR_TOO_YOUNG NEW.
|
|
has already internally called the former, and doing it twice causes
an abort internally in the pthread library in NetBSD 7.0.
Bump PKGREVISION.
|
|
SmartOS.
|
|
Bump PKGREVISION.
|
|
Bump PKGREVISION.
|
|
There were many releases since the last version packaged in pkgsrc. Please
refer to nikto's documentation for an exhaustive list.
|
|
|
|
|
|
- Use constant time modular inverse algorithm to avoid possible side
channel attack against ECDSA (CVE-2016-2849)
- Use constant time PKCS #1 unpadding to avoid possible side channel
attack against RSA decryption (CVE-2015-7827)
|
|
|
|
'RLIMIT_MEMLOCK' and fails with the default mlock code.
|
|
- avoid side channel with OAEP (CVE-2016-8871)
- avoid Lucky13 timing attack against CBC-based TLS cipher
- added X25519-based key exchange for TLS
- add support for the TLS Supported Point Formats Extension from
RFC 4492
- add support for the NewHope Ring-LWE key encapsulation algorithm
for estimated ~200 bit security level against a quantum attacker.
- add support for TLS Encrypt-then-MAC extension
- Fix undefined behavior in Curve25519 for 32bit platforms
- bugfix for GCM when 32-bit counters overflowed
- added ChaCha20Poly1305 TLS cipher
|
|
0.4.2
- Fix to bug in ndg.httpsclient.utils.open_url - duplicate open call.
0.4.1
- Include metadata tags to show Python 3 compatibility
|
|
1.5.3 - 2016-11-05
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
byte-string if used with a ``length`` less than ``algorithm.digest_size``.
Credit to **Markus Döring** for reporting the issue.
|
|
Local changes (retained from earlier versions):
* Some adaptations of the build setup (conversion scripts etc.)
* in signer/ixfr.c, log the zone name if the soamin assertion trigers
* in signer/zone.c, if there's a bad ixfr journal file, save it, for debug
Upstream changes:
News:
This is a bug fix release targeting a memory leak in the signer
when being used in the "bump in the wire" model where the signer
would send out notify messages and respond to IXFR requests for
the signed zone. This typically would manifest itself with very
frequent outgoing IXFRs over a longer period of time.
When upgrading from 1.4.10 (the 1.4.11 release was skipped) no
migration steps are needed. For upgrading from earlier releases
see the migration steps in the individual releases, most notably
in 1.4.8.2. This version of OpenDNSSEC does however require a
slightly less older minimal version of the library ldns.
Fixes:
* OPENDNSSEC-808: Crash on query with empty query section
(thanks Havard Eidnes).
* SUPPORT-191: Regression, Must accept notify without SOA (thanks
Christos Trochalakis).
* OPENDNSSEC-845: memory leak occuring when responding to IXFR
out when having had multiple updates.
* OPENDNSSEC-805: Avoid full resign due to mismatch in backup file
when upgrading from 1.4.8 or later.
* OPENDNSSEC-828: parsing zone list could show data from next zone
when zones iterated on single line.
* OPENDNSSEC-811,OPENDNSSEC-827,e.o.: compiler warnings and other
static code analysis cleanup
* OPENDNSSEC-847: Broken DNS IN notifications when pkt answer
section is empty.
* OPENDNSSEC-838: Crash in signer after having removed a zone.
* Update dependency to ldns to version 1.6.17 enabling the DNS HIP record.
* Prevent responding to queries when not fully started yet.
|
|
Helps build on debian mipseb (which uses o32 abi and not n32), but build
still doesn't complete.
|
|
(distinfo already has the checksum for this corrected patch, sorry.)
|