path: root/security
Age  Commit message  (Author; Files, Lines)
2020-07-15  py-certifi: updated to 2020.6.20  (adam; 2 files, -7/+7)
2020.6.20: Unknown changes
2020-07-15  py-google-auth-httplib2: updated to 0.0.4  (adam; 2 files, -8/+11)
0.0.4:
Features
- expose a few httplib2 properties and a method
2020-07-15  py-google-auth: updated to 1.19.0  (adam; 2 files, -7/+7)
1.19.0:
Features
- add quota project to base credentials class
- check 'iss' in verify_oauth2_token
Bug Fixes
- migrate signBlob to iamcredentials.googleapis.com
Documentation
- remove 3.4 from supported versions list
2020-07-14  lua-bcrypt: Update to 2.1.6  (nia; 3 files, -42/+8)
NetBSD/SunOS support upstreamed
2020-07-14  lua-arc4random: Update to 1.4.1  (nia; 3 files, -39/+8)
NetBSD and SunOS support upstreamed
2020-07-13  *: reset maintainer for darcy  (wiz; 1 file, -2/+2)
2020-07-13  snallygaster: Update to 0.0.8  (leot; 2 files, -7/+7)
Changes:
0.0.8
-----
- add vb_test.php check
- add phpinfo test
0.0.7
-----
- add a test for openelasticsearch
- add check for django debugging on error pages
- print more information about invalid hostnames
- add laravel telescope test
2020-07-13  openssl: Fix c_rehash manual page entry.  (jperkin; 2 files, -5/+7)
Previously after the openssl-* renames it ended up as a dangling symlink, causing "pkg_admin check" failures. Bump PKGREVISION.
2020-07-12  security/zoneminder: Add workaround for stricter compiler  (gdt; 2 files, -1/+20)
Add [0] to unspecified array; gcc 7 errors while gcc 5 was ok with the previous code. (Temporary until this package is updated.)
2020-07-11  lua-ossl: Don't try to include sys/epoll.h on SunOS  (nia; 2 files, -1/+17)
2020-07-10  py-ntlm-auth: updated to 1.5.0  (adam; 2 files, -7/+7)
1.5.0:
* Added the `mic_present` property to the `NtlmContext` class to determine if a MIC has been added to the authentication message.
* Added the `sign` and `verify` functions to the `NtlmContext` to sign data and verify signatures.
* Added the `reset_rc4_state` function to the `NtlmContext` to allow a caller to reset the incoming and outgoing RC4 cipher.
* Added the `NTLMSSP_NEGOTIATE_UNICODE` flag to the negotiate message to ensure the challenge and authentication message's text fields can be unicode encoded
2020-07-10  py-acme,py-certbot: updated to 1.6.0  (adam; 21 files, -111/+106)
1.6.0
Added
- Certbot snaps are now available for the arm64 and armhf architectures.
- Add minimal code to run Nginx plugin on NetBSD.
- Make Certbot snap find externally snapped plugins
- Function certbot.compat.filesystem.umask is a drop-in replacement for os.umask implementing umask for both UNIX and Windows systems.
- Support for alternative certificate chains in the acme module.
- Added --preferred-chain <issuer CN>. If a CA offers multiple certificate chains, it may be used to indicate to Certbot which chain should be preferred. e.g. --preferred-chain "DST Root CA X3"
Changed
- Allow session tickets to be disabled in Apache when mod_ssl is statically linked.
- Generalize UI warning message on renewal rate limits
- Certbot behaves similarly on Windows and on UNIX systems regarding umask, and the umask 022 is applied by default: all files/directories are not writable by anyone other than the user running Certbot and the system/admin users.
- Read acmev1 Let's Encrypt server URL from renewal config as acmev2 URL to prepare for impending acmev1 deprecation.
Fixed
- Cloudflare API Tokens may now be restricted to individual zones.
- Don't use StrictVersion, but LooseVersion to check version requirements with setuptools, to fix some packaging issues with libraries respecting PEP404 for version string, which doesn't match StrictVersion requirements.
- Certbot output doesn't refer to SSL Labs due to confusing scoring behavior.
- Fix paths when calling to programs outside of the Certbot Snap, fixing the apache and nginx plugins on, e.g., CentOS 7.
2020-07-10  Unbreak security/openssl build on pre-v9 Darwin.  (hauke; 3 files, -2/+33)
(1) There is no {get,make,set}context support before Darwin 9
(2) Instead of failing the build on makedepend(8) malfunction, have make(1) ignore its return value - which used to be the default for previous OpenSSL versions.
2020-07-10  lua-ossl: Update to 20200709  (nia; 3 files, -9/+15)
* fix loading from DER files when type set to any
* fix lifetime of certificates from <2000
* updates for Lua 5.4
2020-07-09  py-gssapi: updated to 1.6.9  (adam; 2 files, -7/+7)
v1.6.9:
Meyer (Patch 9)
There were no releases between 1.6.5 and 1.6.9 due to release pipeline issues with Github Actions; please use this release instead.
- Raise exception on unknown usage
- Update tutorial to make server_name equal FQDN
- Handle missing locale.LC_MESSAGES on Windows
2020-07-08  security: Add lua-ossl  (nia; 5 files, -3/+82)
A comprehensive OpenSSL module for Lua. It includes support for certificate and key management, key generation, signature verification, and deep bindings to the distinguished name, alternative name, and X.509v3 extension interfaces. It also binds OpenSSL's bignum, message digest, HMAC, cipher, and CSPRNG interfaces. The end goal is to bind almost everything that OpenSSL supports, but no more. It's intended as a low-level interface. Basic bindings to OpenSSL's SSL* session and SSL_CTX* prototype objects are available, but they cannot yet be used standalone to do SSL I/O. cqueues supports SSL/TLS sockets internally, accepts an SSL_CTX* object from Lua code for session configuration, and exports an SSL* object to Lua for session introspection.
2020-07-07  security: Remove boringssl  (nia; 12 files, -270/+1)
This is a really old version that is likely vulnerable. AFAIK the only consumer of boringssl is Chromium which vendors its own variant, otherwise the library is just for internal Google use
2020-07-07  Update mkcert to 1.4.1. Now a Go module.  (bsiegert; 2 files, -12/+261)
v1.4.1
• Use sudo when necessary to install in system-wide NSS stores (#192)
• Add a -version flag (#191)
• Speed up macOS execution by 4x for most users (#135)
• Minor usability improvements (#182, #178, #188)

v1.4.0
macOS Catalina compatibility, URL and email SANs, and more
macOS 10.15 Catalina introduced certificate lifespan limits which block mkcert certificates. As a temporary measure, mkcert certificates now have a fixed notBefore date of June 1st, 2019. Once the ACME server is implemented, certificate lifespan will be shortened to 3 months. (#174)
Certificates generated by previous versions of mkcert after July 1st, 2019 will not work on macOS 10.15 Catalina, and will have to be regenerated. The root CA is unaffected and there is no need to rerun mkcert -install.
URL (#166) and email (for S/MIME, #152) SANs are now supported.
Client certificates are now created with a -client filename suffix, and they claim the serverAuth EKU as well as the clientAuth one.
The certificate subject now includes the full user name, like filippo@Bistromath.local (Filippo Valsorda).
SLES, OpenSUSE (#162), Snapcraft (#116), and CentOS 7 (#120) are now supported.
Linux release binaries are now fully static, and will work regardless of the system libc. (#169)

v1.3.0
New advanced options:
• -ecdsa to generate ECDSA private keys
• -client to generate client certificates
• -csr to sign certificate signing requests
• $TRUST_STORES to select what stores to install into
Also, in other news:
• Add "Firefox Nightly.app" support on macOS
• Set the CommonName when generating PKCS#12 files for IIS
2020-07-07  mbedtls: Set BUILDLINK_ABI_DEPENDS  (nia; 1 file, -1/+2)
2020-07-07  mbedtls: force python3  (nia; 1 file, -1/+3)
2020-07-07  mbedtls: Update to 2.23.0  (nia; 9 files, -260/+95)
= mbed TLS 2.23.0 branch released 2020-07-01

Default behavior changes
* In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade.

Features
* New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176.
* The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save().
* Add support for midipix, a POSIX layer for Microsoft Windows.
* Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241.
* Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419).
* Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423.
* Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239

Security
* Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
* Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192
* Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310.
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312.
* Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300.
* Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318.
* Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir.
* Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small.
* Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie.
* Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422.
* Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311.
* Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header().

Changes
* Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153.
* Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209.
* Combine identical cases in switch statements in md.c. Contributed by irwir in #3208.
* Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150.
* Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments.
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326.
* Use FindPython3 when cmake version >= 3.15.0
* Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
* The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable.
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
* Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147
* Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217
* Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07  py-gssapi: updated to 1.6.7  (adam; 2 files, -7/+7)
v1.6.7: Update version in setup.py and docs/conf.py.
2020-07-04  tor-browser: update to 9.5.1.  (wiz; 3 files, -19/+51)
This release updates Firefox to 68.10.0esr and NoScript to 11.0.32. Also, this release features important security updates to Firefox.
The full changelog since Tor Browser 9.5 is:
All Platforms
- Update Firefox to 68.10.0esr
- Update NoScript to 11.0.32
- Translations update
- Bug 40009: Improve tor's client auth stability
Windows + OS X + Linux
- Bug 34361: "Prioritize .onion sites when known" appears under General
- Bug 34362: Improve Onion Service Authentication prompt
- Bug 34369: Fix learn more link in Onion Auth prompt
- Bug 34379: Fix learn more for Onion-Location
- Bug 34347: The Tor Network part on the onboarding is not new anymore
2020-07-03  tor-browser-noscript: update to 11.0.32.  (wiz; 2 files, -7/+7)
v 11.0.32
============================================================
x [L10n] Updated it, mk, sv_SE
x Fixed setting CUSTOM permissions in private mode may cause the TRUSTED preset to become temporary
x Updated TLDs
x [XSS] Updated HTML 5 events support
x More compact high contrast appearance

v 11.0.31
============================================================
x Focus "OK" button on dialog-mode UI
x Fixed various toolbar buttons DnD issues
x Updated TLDs
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
x Fixed very low contrast HTTPS-only label in High Contrast mode

v 11.0.31rc2
============================================================
x Focus "OK" button on dialog-mode UI
x [L10n] Updated da
x Fixed various toolbar buttons DnD graphic issues
x Updated TLDs

v 11.0.31rc1
============================================================
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
x Fixed very low contrast HTTPS-only label in High Contrast mode
x More precise DnD of toolbar buttons + work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=568313
2020-07-03  attempt to fix build on SunOS  (nia; 2 files, -2/+14)
2020-07-03  Re-add conditional ldap entries.  (hauke; 1 file, -1/+4)
2020-07-03  Add missing dependency on databases/lmdb, adjust PLIST  (hauke; 2 files, -5/+11)
2020-07-03  py-cryptodome: fix build on platforms that use nbtar by default  (gutteridge; 1 file, -1/+3)
It isn't extracted properly by archivers/pax, which leads to packaging errors on some platforms, e.g. some Solaris derivatives. (gtar works too, but the common approach here seems to be to just keep it simple and specify bsdtar universally.) This should address PR pkg/55448 from Hauke Fath.
2020-07-02  lua-bcrypt: (untested) SunOS support  (nia; 2 files, -4/+17)
2020-07-02  lua-arc4random: (untested) SunOS support  (nia; 2 files, -4/+17)
2020-07-02  security: Add lua-bcrypt  (nia; 6 files, -1/+55)
Lua wrapper for the bcrypt password hashing function
2020-07-02  lua-arc4random: ... correct LICENSE  (nia; 1 file, -2/+2)
2020-07-02  lua-arc4random: Fix HOMEPAGE  (nia; 1 file, -2/+2)
2020-07-02  security: Add lua-arc4random  (nia; 6 files, -1/+60)
The arc4random family of functions provides a cryptographic pseudorandom number generator automatically seeded from the system entropy pool and safe to use from multiple threads. arc4random is designed to prevent an adversary from guessing outputs, unlike rand(3) and random(3), and is faster and more convenient than reading from /dev/urandom directly. This is a Lua wrapper for arc4random(3), portable to systems that do and don't have it natively in libc. On systems where arc4random may be insecure it provides a replacement.
2020-07-02  security: Add lua-argon2  (nia; 6 files, -1/+61)
Lua C binding for the Argon2 password hashing algorithm
2020-06-30  ap-modsecurity2: Uses lua51.  (nia; 1 file, -4/+3)
2020-06-30  Modernize patch filenames. NFCI.  (schmonz; 2 files, -4/+4)
2020-06-29  py-cryptodome: updated to 3.9.8  (adam; 2 files, -7/+7)
3.9.8:
Resolved issues
* The Shamir's secret sharing implementation is not actually compatible with ``ssss``. Added an optional parameter to enable interoperability.
* Skip altogether loading of ``gmp.dll`` on Windows.
* Fix incorrect CFB decryption when the input and the output are the same buffer.
2020-06-29  mbedtls: Add KERN_ARND support.  (nia; 4 files, -5/+89)
Motivation: the default behaviour of reopening /dev/urandom repeatedly for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD. Not helped is using fread(), which assumes a long-lived file and buffers excessively. This change makes the standard gen_entropy tool run in milliseconds instead of seconds when it generates 48K of randomness. Not only that, but sysctl is a lot more robust in e.g. chroots, resource limited processes, etc.
Risk: On NetBSD, the security properties of the previous and current behaviour are identical.
Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423
Bump PKGREVISION.
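The two entropy-source strategies contrasted in the commit message above, as an added example; this is not mbedtls's own entropy_poll code nor the pkgsrc patch. On NetBSD it reads from the kernel via sysctl(CTL_KERN, KERN_ARND), which needs no file descriptor and so keeps working inside a chroot without /dev or under a tight descriptor limit; elsewhere it falls back to a single /dev/urandom descriptor that is opened once and read with raw read(2), avoiding both the per-call reopen and stdio's read-ahead buffering. The function names entropy_poll and entropy_selftest are hypothetical, and the 256-byte per-request cap for KERN_ARND is an assumption chosen to stay within what the sysctl accepts in one call.

```c
/* Added example: robust entropy gathering without stdio buffering or
 * per-call reopening of /dev/urandom.  Names are hypothetical. */
#if defined(__linux__) && !defined(_GNU_SOURCE)
#define _GNU_SOURCE            /* for O_CLOEXEC on glibc under strict -std= */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__NetBSD__)
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

/* Assumption: never ask KERN_ARND for more than this in a single call. */
#define ARND_MAX_CHUNK 256

static int urandom_fd = -1;    /* opened once, kept for the process lifetime */

/* Fill buf[0..len) with entropy.  Returns 0 on success, -1 on error with errno set. */
int entropy_poll(unsigned char *buf, size_t len)
{
#if defined(__NetBSD__) && defined(KERN_ARND)
    int mib[2] = { CTL_KERN, KERN_ARND };
    size_t done = 0;
    while (done < len) {
        size_t chunk = len - done;
        if (chunk > ARND_MAX_CHUNK)
            chunk = ARND_MAX_CHUNK;
        /* sysctl(2) returns kernel randomness directly; no /dev node,
         * no descriptor, so chroots and RLIMIT_NOFILE do not matter. */
        if (sysctl(mib, 2, buf + done, &chunk, NULL, 0) == -1)
            return -1;
        if (chunk == 0) {        /* kernel returned nothing: treat as failure */
            errno = EIO;
            return -1;
        }
        done += chunk;           /* sysctl stores the bytes actually written */
    }
    return 0;
#else
    size_t done = 0;
    if (urandom_fd < 0) {
        int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
        if (fd < 0)
            return -1;
        urandom_fd = fd;         /* reused by every later call */
    }
    while (done < len) {
        /* Raw read(2): no stdio read-ahead, and short reads are retried. */
        ssize_t n = read(urandom_fd, buf + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0) {            /* EOF from a random device is a failure */
            errno = EIO;
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
#endif
}

/* Draw two 64-byte samples; return 1 if both succeed and differ, else 0.
 * Identical draws would indicate a broken or non-advancing source. */
int entropy_selftest(void)
{
    unsigned char a[64], b[64];
    if (entropy_poll(a, sizeof a) != 0 || entropy_poll(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    return entropy_selftest() ? 0 : 1;
}
```

The chunking in the sysctl path matters because the kernel bounds the size of one KERN_ARND request; asking for 48K in one call would fail outright instead of returning 48K of randomness.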
2020-06-29  putty: Update to 0.74  (ryoon; 3 files, -22/+7)
Changelog:
This release fixes the following security issues:
- In some situations an SSH server could cause PuTTY to access freed memory by pretending to accept an SSH key and then refusing the actual signature. It can only happen if you're using an SSH agent.
- New configuration option to disable PuTTY's default policy of changing its host key algorithm preferences to prefer keys it already knows. (There is a theoretical information leak in this policy.)
Other bug fixes include:
- Windows installer: the text in the installer UI is now visible in Windows high-contrast mode. (Previously it was white on white by mistake.)
- Windows 7: fixed spurious OS out-of-memory error when reading passwords from a Windows console (e.g. psftp).
- Terminal crash: the dreaded "line==NULL" error could happen if an application switched between the main and alternate screens while the user was looking at the scrollback.
- Terminal crash: the terminal could fail an assertion when sending an empty answerback string, and when pasting text none of whose characters exist in the selected character set.
- SSH: fixed endless memory-allocating loop that could be triggered by the combination of a misbehaving SSH agent and PuTTY's bug compatibility mode for padded RSA signatures.
- File transfer: when uploading files to some SFTP servers (e.g. the one in proftpd's mod_sftp), PSFTP would consume up to 4GB of local memory before sending anything to the server.
- Terminal behaviour: sometimes the cursor was put in the wrong place after restoring from the alternate screen.
- GTK: fixed font size calculation when using newer Pango libraries (e.g. the one on Ubuntu 20.04).
- GTK: scroll wheel events now work in unusual environments like VNC.
2020-06-25  Retire 'djbware-errno-hack' and associated options.mk cleverness.  (schmonz; 1 file, -2/+1)
Instead:
1. Package makefiles include their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk and/or incorrect definitions of DJB_ERRNO_HACK. Approved during the freeze by wiz@.
2020-06-24  security/ruby-metasploit-model: update to 3.0.0  (taca; 3 files, -13/+14)
Update ruby-metasploit-model to 3.0.0; this is a leaf package and is currently marked as broken.
3.0.0
* Switch to use Ruby on Rails 5.2.
2020-06-21  security/ruby-sshkey: update to 2.0.0  (taca; 3 files, -9/+10)
Update ruby-sshkey to 2.0.0.
pkgsrc change: add "USE_LANGUAGES= # none".
2.0.0 (2019-02-11)
* Breaking Change: Drop support for Ruby 1.9
* Feature: Accept valid ed25519 keys with leading zero byte (#37)
* Feature: Support sshfp (#30)
2020-06-21  Add "USE_LANGUAGES= # none"  (taca; 12 files, -12/+36)
Add "USE_LANGUAGES= # none" for pure Ruby packages.
2020-06-21  security/ruby-metasploit_payloads-mettle: update to 1.0.1  (taca; 2 files, -7/+7)
Update ruby-metasploit_payloads-mettle to 1.0.1.
No release note nor changelog is available. Quote from <https://github.com/rapid7/mettle/compare/v1.0.0...v1.0.1>:
1.0.1 (2020-06-18)
* Use DER instead of PEM for TLV encryption.
2020-06-21  security/ruby-metasploit-payloads: update to 2.0.5  (taca; 2 files, -7/+7)
Update ruby-metasploit-payloads to 2.0.5.
No release note nor changelog is available. Please refer to the commit log for details: <https://github.com/rapid7/metasploit-payloads/compare/v2.0.3...v2.0.5>.
2020-06-21  Look for nginx.conf in PKG_SYSCONFDIR.nginx  (plunky; 3 files, -2/+29)
2020-06-20  opensc: make it build again  (adam; 5 files, -100/+25)
2020-06-20  pcsc-lite: updated to 1.9.0:  (adam; 8 files, -53/+28)
1.9.0:
- SCardEndTransaction(): greatly improve performances (x300)
- tokenparser: accept any Unicode character in a reader name
- Use /run instead of /var/run by default
- Fix a memory leak from a polkit call
- Some other minor improvements
1.8.26:
- Use poll() instead of select() to allow file descriptor higher than FD_SETSIZE
- Enable reader filtering by default
- pcsc-spy:
  . Do not read output buffer after error
  . Adjust code to handle autoallocated buffers
  . fix year-2038 issue by using long instead of int
- Android: fix compilation
- if client/server protocol mismatch:
  . log an explicit message
  . SCardEstablishContext() returns SCARD_E_SERVICE_STOPPED
- polkit: log the error message if polkit_authority_get_sync() fails
- Exit with EXIT_SUCCESS on shutdown to please systemd
- Doxygen: fix minor issues in the documentation
- Add --disable-documentation option
- Fix a minor memory leak
1.8.25:
- Fix a socket issue when pcscd is used inside LXC container
- pcsc-spy: always provide a total time of execution
- Fix resource leak if SCardEstablishContext() fails
- Fix realloc(3) error handling (possible memory leak)
- Remove usage of function chmod(2) to use fchmod(2) (fix race condition)
1.8.24:
- the project moved to https://pcsclite.apdu.fr/
- SCardGetStatusChange(): Fix a rare race condition
- SCardReleaseContext(): do not release a lock owned by another context
- SCardReconnect(): suspend card auto power off
- Allow "=" in serial driver filenames
- Add the thread id in the pcscd log lines
- pcsc-spy: correctly handle incomplete log file
- Simclist: avoid to divide by zero in list_findpos()
- Some other minor improvements
2020-06-20  py-google-auth: updated to 1.18.0  (adam; 2 files, -7/+7)
1.18.0:
Features
- make load_credentials_from_file a public method
Bug Fixes
- no warning if quota_project_id is given