Bug fixes.
|
|
|
|
Changelog since previous version in pkgsrc
crusdesaml-1.8 2017-05-26
Fix crash introduced server side in 1.6 for saml_log()
crusdesaml-1.7 2017-05-22
Only iterate on XML_ELEMENT_NODE nodes
crusdesaml-1.6 2017-05-20
Typos in man pages (Florian Best)
Don't log the password length if it is too small (Florian Best)
Stop if wxmlXPathRegisterNs failed (Florian Best)
autoconf: Remove duplicate $(DESTDIR) (Florian Best)
PAM: Require only one provider (Florian Best)
PAM: No SONAME versioning (Philipp Hahn)
autoconf: Only strictness foreign (Philipp Hahn)
PAM: fix static PAM module build (Philipp Hahn)
Hide internal symbols (Philipp Hahn)
Fix variadic function SIGSEGV (Philipp Hahn)
Fix crash when using saml_log()/saml_error() in SASL client plugin
crusdesaml-1.5 2012-11-13
mod_shib2 compatibility, debug messages (Jan Tomasek)
|
|
RCD_SCRIPT_WRK.<script> was set previously to prevent a name conflict
with ${WRKSRC} because in the past, it defaulted to ${WRKDIR}/<script>.
This has since been changed to default to ${WRKDIR}/.rc.d/<script> to
prevent unintended name collisions, which makes this definition no longer
needed.
|
|
Pkgsrc changes:
Adapt PLIST.
Upstream changes:
1.18.2 2017-02-20
[Bug] #895: Fix a bug in server-mode concerning multiple interactive
auth steps (which were incorrectly responded to). Thanks to Dennis
Kaarsemaker for catch & patch.
[Bug] #713: (via #714 and #889) Don't pass initialization vectors
to PyCrypto when dealing with counter-mode ciphers; newer PyCrypto
versions throw an exception otherwise (older ones simply ignored
this parameter altogether). Thanks to @jmh045000 for report &
patches.
[Bug] #44: (via #891) SSHClient now gives its internal Transport
a handle on itself, preventing garbage collection of the client
until the session is closed. Without this, some code which returns
stream or transport objects without the client that generated
them, would result in premature session closure when the client
was GCd. Credit: @w31rd0 for original report, Omer Anson for the
patch.
[Bug] #862: (via #863) Avoid test suite exceptions on platforms
lacking errno.ETIME (which seems to be some FreeBSD and some
Windows environments.) Thanks to Sofian Brabez.
[Bug] #853: Tweak how RSAKey.__str__ behaves so it doesn't
cause TypeError under Python 3. Thanks to Francisco Couzo for
the report.
[Support] #866: (also #838) Remove an old test-related file we
don't support, and add PyPy to Travis-CI config. Thanks to
Pierce Lopez for the final patch and Pedro Rodrigues for an
earlier edition.
1.18.1 2016-12-12
[Bug] #859: (via #860) A tweak to the original patch implementing
#398 was not fully applied, causing calls to invoke_shell to
fail with AttributeError. This has been fixed. Patch credit:
Kirk Byers.
1.18.0 2016-12-09
[Feature] #398: Add an environment dict argument to
Client.exec_command (plus the lower level Channel.update_environment
and Channel.set_environment_variable methods) which implements
the env SSH message type. This means the remote shell environment
can be set without the use of VARNAME=value shell tricks,
provided the server's AcceptEnv lists the variables you need
to set. Thanks to Philip Lorenz for the pull request.
[Feature] #780: (also #779, and may help users affected by
#520) Add an optional timeout parameter to Transport.start_client
(and feed it the value of the configured connection timeout
when used within SSHClient.) This helps prevent situations
where network connectivity isn't timing out, but the remote
server is otherwise unable to service the connection in a timely
manner. Credit to @sanseihappa.
[Support] #819: Document how lacking gmp headers at install
time can cause a significant performance hit if you build
PyCrypto from source. (Most system-distributed packages already
have this enabled.)
[Support] #854: Fix incorrect docstring/param-list for
Transport.auth_gssapi_keyex so it matches the real signature.
Caught by @Score_Under.
[Support] #792: Minor updates to the README and demos; thanks to Alan Yee.
[Support] #801: Skip a Unix-only test when on Windows; thanks to Gabi Davar.
For pre-1.18.0 changes, see
http://www.paramiko.org/changelog.html
|
|
The 5.6.5 release was mostly a maintenance release. The release included two CVE fixes.
The first, CVE-2016-7420, was a procedural finding due to external build systems failing to define NDEBUG for release builds. The gap was the project's failure to tell users to define NDEBUG. The second, CVE-2016-7544, was a potential memory corruption on Windows platforms when using Microsoft compilers due to use of _malloca and _freea.
Due to CVE-2016-7420 and the possibility for an unwanted assert to egress data, users and distros are encouraged to recompile the library and all dependent programs.
|
|
Pkgsrc changes:
Adapt PLIST.
Upstream changes:
* Version 3.5.12 (released 2017-05-11)
** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.
** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
against DNS fields of certificate (CN or DNSname). The previous behavior
was to tolerate some misconfigured servers, but that was non-standard
and skipped any IP constraints present in higher level certificates.
** libgnutls: when converting to IDNA2008, fallback to IDNA2003
(i.e., transitional encoding) if the domain cannot be converted.
That provides maximum compatibility with browsers like firefox
that perform the same conversion.
** libgnutls: fix issue in RSA-PSK client callback which resulted
in no username being sent to the peer. Patch by Nicolas Dufresne.
** libgnutls: fix regression causing stapled extensions in trust modules not
to be considered.
** certtool: introduced the email_protection_key option. This
option was introduced in documentation for certtool without an
implementation of it. It is a shortcut for option 'key_purpose_oid
= 1.3.6.1.5.5.7.3.4'.
** certtool: made printing of key ID and key PIN consistent between
certificates, public keys, and private keys. That is the private
key printing now uses the same format as the rest.
** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
hostname advertised to the peer.
** API and ABI modifications:
No changes since last version.
* Version 3.5.11 (released 2017-04-07)
** gnutls.pc: do not include libtool options into Libs.private.
** libgnutls: Fixed issue when rehandshaking without a client certificate in
a session which initially used one. Reported by Frantisek Sumsal.
** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
certificate parsing. Issues found using oss-fuzz project and were fixed
by Alex Gaynor:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824
** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
That allows PKCS#11 operations such as signing to be performed with the
same object from multiple threads.
** libgnutls: Added support for MacOSX key chain for obtaining
trust store's root CA certificates. That is,
gnutls_x509_trust_list_add_system_trust() and
gnutls_certificate_set_x509_system_trust() will load the certificates
from the key chain. That also means that we no longer check for a
default trust store file in configure when building on MacOSX (unless
explicitly asked to). Patch by David Caldwell.
** libgnutls: when disabling OpenPGP authentication, the resulting library
is ABI compatible (with openpgp related functions being stubs that fail
on invocation).
** API and ABI modifications:
No changes since last version.
* Version 3.5.10 (released 2017-03-06)
** gnutls.pc: do not include libidn2 in Requires.private. The
libidn2 versions available do not include libidn2.pc, thus the
inclusion was causing pkg-config issues. Instead we include
-lidn2 in Libs.private when compiled against libidn2.
** libgnutls: optimized access to subject alternative names (SANs)
in parsed certificates. The previous implementation assumed a
small number of SANs in a certificate, with repeated calls to
ASN.1 decoding of the extension without any intermediate caching.
That caused delays in certificates with a long list of names in
functions such as gnutls_x509_crt_check_hostname(). With the
current code, the SANs are parsed once on certificate import.
Resolves gitlab issue #165.
** libgnutls: Addressed integer overflow resulting in invalid memory
write in OpenPGP certificate parsing. Issue found using oss-fuzz
project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
[GNUTLS-SA-2017-3A]
** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
certificate parsing. Issue found using oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
to private key parser. No longer allow OpenPGP certificates (public keys)
to contain private key sub-packets. Issue found using oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]
** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
could lead to an out-of-memory condition. Issue found using oss-fuzz project,
and was fixed by Alex Gaynor:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]
** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
when printing certificate information.
** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
flags can be set from the gnutls_certificate_verify_flags enumeration.
This allows the functions to pass the same flags available for certificates
to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
GNUTLS_VERIFY_ALLOW_BROKEN).
** libgnutls: gnutls_store_commitment() can accept flag
GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
in applications which use SHA1 for example, after SHA1 is deprecated.
** certtool: No longer ignore the 'add_critical_extension' template option if
the 'add_extension' option is not present.
** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
starttls-proto command. Patch by Robert Scheck.
** API and ABI modifications:
No changes since last version.
|
|
|
|
2016.74 - 21 July 2016
- Security: Message printout was vulnerable to format string injection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.
CVE-2016-7406
https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb
- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files
CVE-2016-7407
https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e
- Security: dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
CVE-2016-7408
https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6
- Security: dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
CVE-2016-7409
https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04
The security issues were reported by an anonymous researcher working with
Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
- Fix port forwarding failure when connecting to domains that have both
IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete. Thanks to Zhang Hui P
for the patch
2016.73 - 18 March 2016
- Support syslog in dbclient, option -o usesyslog=yes. Patch from Konstantin Tokarev
- Kill a proxycommand when dbclient exits, patch from Konstantin Tokarev
- Option to exit when a TCP forward fails, patch from Konstantin Tokarev
- New "-o" option parsing from Konstantin Tokarev. This allows handling some extra options
in the style of OpenSSH, though implementing all OpenSSH options is not planned.
- Fix crash when fallback initshells() is used, reported by Michael Nowak and Mike Tzou
- Allow specifying commands eg "dropbearmulti dbclient ..." instead of symlinks
- Various cleanups for issues found by a lint tool, patch from Francois Perrad
- Fix tab indent consistency, patch from Francois Perrad
- Fix issues found by cppcheck, reported by Mike Tzou
- Use system memset_s() or explicit_bzero() if available to clear memory. Also make
libtomcrypt/libtommath routines use that (or Dropbear's own m_burn()).
- Prevent scp failing when the local user doesn't exist. Based on patch from Michael Witten.
- Improved Travis CI test running, thanks to Mike Tzou
- Improve some code that was flagged by Coverity and Fortify Static Code Analyzer
2016.72 - 9 March 2016
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
found by github.com/tintinweb. Thanks to Damien Miller for a patch. CVE-2016-3116
https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
2015.71 - 3 December 2015
- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
- Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to
Frank Stollenwerk for reporting and investigation
- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev
- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert,
broke in 2015.70
- Fix server race condition that could cause sessions to hang on exit,
https://github.com/robotframework/SSHLibrary/issues/128
2015.70 - 26 November 2015
- Fix server password authentication on Linux, broke in 2015.69
2015.69 - 25 November 2015
- Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68)
- Avoid hang on session close when multiple sessions are started, affects Qt Creator
Patch from Andrzej Szombierski
- Reduce per-channel memory consumption in common case, increase default
channel limit from 100 to 1000 which should improve SOCKS forwarding for modern
webpages
- Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin
- Manpage improvements from Guilhem Moulin
- Build fixes for Android from Mike Frysinger
- Don't display the MOTD when an explicit command is run from Guilhem Moulin
- Check curve25519 shared secret isn't zero
2015.68 - Saturday 8 August 2015
- Reduce local data copying for improved efficiency. Measured 30%
increase in throughput for connections to localhost
- Forwarded TCP ports connect asynchronously and try all available addresses
(IPv4, IPv6, round robin DNS)
- Fix all compile warnings, many patches from Gaël Portay
Note that configure with -Werror may not be successful on some platforms (OS X)
and some configuration options may still result in unused variable
warnings.
- Use TCP Fast Open on Linux if available. Saves a round trip at connection
to hosts that have previously been connected.
Needs a recent Linux kernel and possibly "sysctl -w net.ipv4.tcp_fastopen=3"
Client side is disabled by default pending further compatibility testing
with networks and systems.
- Increase maximum command length to 9000 bytes
- Free memory before exiting, patch from Thorsten Horstmann. Useful for
Dropbear ports to embedded systems and for checking memory leaks
with valgrind. Only partially implemented for dbclient.
This is disabled by default, enable with DROPBEAR_CLEANUP in sysoptions.h
- DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends home directory unless
there is a leading slash (~ isn't treated specially)
- Fix small ECC memory leaks
- Tighten validation of Diffie-Hellman parameters, from Florent Daigniere of
Matta Consulting. Odds of bad values are around 2**-512 -- improbable.
- Twofish-ctr cipher is supported though disabled by default
- Fix pre-authentication timeout when waiting for client SSH-2.0 banner, thanks
to CL Ouyang
- Fix null pointer crash with restrictions in authorized_keys without a command, patch from
Guilhem Moulin
- Ensure authentication timeout is handled while reading the initial banner,
thanks to CL Ouyang for finding it.
- Fix null pointer crash when handling bad ECC keys. Found by afl-fuzz
2015.67 - Wednesday 28 January 2015
- Call fsync() after generating private keys to ensure they aren't lost if a
reboot occurs. Thanks to Peter Korsgaard
- Disable non-delayed zlib compression by default on the server. Can be
enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB
- Default client key path ~/.ssh/id_dropbear
- Prefer stronger algorithms by default, from Fedor Brunner.
AES256 over 3DES
Diffie-hellman group14 over group1
- Add option to disable CBC ciphers.
- Disable twofish in default options.h
- Enable sha2 HMAC algorithms by default, the code was already required
for ECC key exchange. sha1 is the first preference still for performance.
- Fix installing dropbear.8 in a separate build directory, from Like Ma
- Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe
- Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea
- Minor bug fixes, a few issues found by Coverity scan
2014.66 - Thursday 23 October 2014
- Use the same keepalive handling behaviour as OpenSSH. This will work better
with some SSH implementations that have different behaviour with unknown
message types.
- Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a reply to our own
keepalive message
- Set $SSH_CLIENT to keep bash happy, patch from Ryan Cleere
- Fix wtmp which broke since 2013.62, patch from Whoopie
2014.65 - Friday 8 August 2014
- Fix 2014.64 regression, server session hang on exit with scp (and probably
others), thanks to NiLuJe for tracking it down
- Fix 2014.64 regression, clock_gettime() error handling which broke on older
Linux kernels, reported by NiLuJe
- Fix 2014.64 regression, writev() could occasionally fail with EAGAIN which
wasn't caught
- Avoid error message when trying to set QoS on proxycommand or multihop pipes
- Use /usr/bin/xauth, thanks to Mike Frysinger
- Don't exit the client if the local user entry can't be found, thanks to iquaba
2014.64 - Sunday 27 July 2014
- Fix compiling with ECDSA and DSS disabled
- Don't exit abruptly if too many outgoing packets are queued for writev(). Patch
thanks to Ronny Meeus
- The -K keepalive option now behaves more like OpenSSH's "ServerAliveInterval".
If no response is received after 3 keepalives then the session is terminated. This
will close connections faster than waiting for a TCP timeout.
- Rework TCP priority setting. New settings are
if (connecting || ptys || x11) tos = LOWDELAY
else if (tcp_forwards) tos = 0
else tos = BULK
Thanks to Catalin Patulea for the suggestion.
- Improve handling of many concurrent new TCP forwarded connections, should now
be able to handle as many as MAX_CHANNELS. Thanks to Eduardo Silva for reporting
and investigating it.
- Make sure that exit messages from the client are printed, regression in 2013.57
- Use monotonic clock where available, timeouts won't be affected by system time
changes
- Add -V for version
2014.63 - Wednesday 19 February 2014
- Fix ~. to terminate a client interactive session after waking a laptop
from sleep.
- Changed port separator syntax again, now using host^port. This is because
IPv6 link-local addresses use %. Reported by Gui Iribarren
- Avoid constantly relinking dropbearmulti target, fix "make install"
for multi target, thanks to Mike Frysinger
- Avoid getting stuck in a loop writing huge key files, reported by Bruno
Thomsen
- Don't link dropbearkey or dropbearconvert to libz or libutil,
thanks to Nicolas Boos
- Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos
- Avoid crash on exit due to cleaned up keys before last packets are sent,
debugged by Ronald Wahl
- Fix a race condition in rekeying where Dropbear would exit if it received a
still-in-flight packet after initiating rekeying. Reported by Oliver Metz.
This is a longstanding bug but is triggered more easily since 2013.57
- Fix README for ecdsa keys, from Catalin Patulea
- Ensure that generated RSA keys are always exactly the length
requested. Previously Dropbear always generated N+16 or N+15 bit keys.
Thanks to Unit 193
- Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the
first public key succeeds. Still not enabled by default, needs more
compatibility testing with other implementations.
- Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD.
- Fix for bad system linux/pkt-sched.h header file with older Linux
kernels, from Steve Dover
- Fix signal handlers so that errno is saved, thanks to Erik Ahlén for a patch
and Mark Wickham for independently spotting the same problem.
|
|
Noteworthy changes in version 2.1.21 (2017-05-15)
-------------------------------------------------
* gpg,gpgsm: Fix corruption of old style keyring.gpg files. This
bug was introduced with version 2.1.20. Note that the default
pubring.kbx format was not affected.
* gpg,dirmngr: Removed the skeleton config file support. The
system's standard methods for providing default configuration
files should be used instead.
* w32: The Windows installer now allows installation of GnuPG without
Administrator permissions.
* gpg: Fixed import filter property match bug.
* scd: Removed Linux support for Cardman 4040 PCMCIA reader.
* scd: Fixed some corner case bugs in resume/suspend handling.
* Many minor bug fixes and code cleanup.
|
|
|
|
The release notes mention:
* Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
* Performance improvements
* Less memory consumption while scanning processes
* Exception handling when scanning memory blocks
* Negative integers in meta fields
* Added the --stack-size command-argument
* Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
* Functions rich_signature.toolid and rich_signature.version added to PE module
* Lots of bug fixes
The Python bindings are now released from a different tree, with the same
versioning apparently though.
"welcome to update" pettai@
|
|
|
|
Note: oauth2client is now deprecated. No more features will be added to the
libraries and the core team is turning down support. We recommend you use
google-auth and oauthlib.
New features:
* Allow customizing the GCE metadata service address via an env var.
* Store original encoded and signed identity JWT in OAuth2Credentials.
* Use jsonpickle in django contrib, if available.
Bug fixes:
* Typo fixes.
* Remove b64 padding from PKCE values, per RFC7636.
* Include LICENSE in Manifest.in.
* Fix tests and CI.
* Escape callback error code in flask_util.
|
|
|
|
Use ALTERNATIVES to handle different Python versions better.
0.14.0 - 2017-05-04
Added
- Python 3.3+ support for all Certbot packages. certbot-auto still
currently only supports Python 2, but the acme, certbot,
certbot-apache, and certbot-nginx packages on PyPI now fully support
Python 2.6, 2.7, and 3.3+.
- Certbot's Apache plugin now handles multiple virtual hosts per file.
- Lockfiles to prevent multiple versions of Certbot running
simultaneously.
Changed
- When converting an HTTP virtual host to HTTPS in Apache, Certbot
only copies the virtual host rather than the entire contents of the
file it's contained in.
- The Nginx plugin now includes SSL/TLS directives in a separate file
located in Certbot's configuration directory rather than copying the
contents of the file into every modified server block.
Fixed
- Ensure logging is configured before parts of Certbot attempt to log
any messages.
- Support for the --quiet flag in certbot-auto.
- Reverted a change made in a previous release to make the acme and
certbot packages always depend on argparse. This dependency is
conditional again on the user's Python version.
- Small bugs in the Nginx plugin such as properly handling empty
server blocks and setting server_names_hash_bucket_size during
challenges.
|
|
0.7.2 (May 8th, 2017)
BUG FIXES:
- audit: Fix auditing entries containing certain kinds of time values
0.7.1 (May 5th, 2017)
DEPRECATIONS/CHANGES:
- LDAP Auth Backend: Group membership queries will now run as the
binddn user when binddn/bindpass are configured, rather than as the
authenticating user as was the case previously.
FEATURES:
- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)
IMPROVEMENTS:
- auth/cert: Support for constraints on subject Common Name and
DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
token
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
issued without being stored. This removes the ability to look up
and/or add to a CRL but helps with scaling to very large numbers of
certificates.
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
endpoint honors the values of generate_lease, no_store, ttl and
max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
find servers
- storage/s3: Support max_parallel option to limit concurrent
outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication
BUG FIXES:
- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
path
- core: Help operations should request forward since standbys may not
have appropriate info
- replication: Fix enabling secondaries when certain mounts already
existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided
|
|
Unknown
|
|
|
|
- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
- Added a collection of functions for working with OCSP stapling.
None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
Users will need to write their own code to handle OCSP assertions.
We specifically added: ``Context.set_ocsp_server_callback``, ``Context.set_ocsp_client_callback``, and ``Connection.request_ocsp``.
- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
For applications that process a lot of TLS data or that use very large allocations this can provide considerable performance improvements.
- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
|
|
Added parser.peek()
Implemented proper support for BER-encoded indefinite length strings of all kinds - core.BitString, core.OctetString and all of the core classes that are natively represented as Python unicode strings
Fixed a bug with encoding LDAP URLs in x509.URI
Correct x509.DNSName to allow a leading ., such as when used with x509.NameConstraints
Fixed an issue with dumping the parsed contents of core.Any when explicitly tagged
Custom setup.py clean now accepts the short -a flag for compatibility
|
|
- Fixed dates in CHANGELOG.txt
|
|
Bug fixes.
|
|
|
|
* Convert to use GTK 3 to fix build
Changelog:
These features are new in 0.69 (released 2017-04-29):
Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even the names we missed when we thought we'd fixed this in 0.68. See vuln-indirect-dll-hijack-2.
Windows PuTTY should work with MIT Kerberos again, after our DLL hijacking defences broke it.
Jump lists should now appear again on the PuTTY shortcut in the Windows Start Menu.
You can now explicitly configure SSH terminal mode settings not to be sent to the server, if your server objects to them.
|
|
We have released LibreSSL 2.5.4, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:
* Reverted a previous change that forced consistency between return
value and error code when specifying a certificate verification
callback, since this breaks the documented API. When a user supplied
callback always returns 1, and later code checks the error code to
potentially abort post verification, this will result in incorrect
successful certificate verification.
* Switched Linux getrandom() usage to non-blocking mode, continuing to
use fallback mechanisms if unsuccessful. This works around a design
flaw in Linux getrandom(2) where early boot usage in a library makes
it impossible to recover if getrandom(2) is not yet initialized.
* Fixed a bug caused by the return value being set early to signal
successful DTLS cookie validation. This can mask a later failure and
result in a positive return value being returned from
ssl3_get_client_hello(), when it should return a negative value to
propagate the error.
* Fixed a build error on non-x86/x86_64 systems running Solaris.
We have released LibreSSL 2.5.3, based on OpenBSD 6.1, which will be the new
stable release series. LibreSSL 2.3.x support has also ended. LibreSSL 2.5.3
contains the following changes from the previous stable release.
* libtls now supports ALPN and SNI
* libtls adds a new callback interface for integrating custom IO functions.
Thanks to Tobias Pape.
* libtls now handles 4 cipher suite groups:
"secure" (TLSv1.2+AEAD+PFS)
"compat" (HIGH:!aNULL)
"legacy" (HIGH:MEDIUM:!aNULL)
"insecure" (ALL:!aNULL:!eNULL)
This allows for flexibility and finer grained control, rather than having
two extremes (an issue raised by Marko Kreen some time ago).
* Tightened error handling for tls_config_set_ciphers().
* libtls now always loads CA, key and certificate files at the time the
configuration function is called. This simplifies code and results in a single
memory based code path being used to provide data to libssl.
* Added support for OCSP intermediate certificates.
* Added functions used by stunnel and exim from BoringSSL - this brings in
X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc.
* Added initial support for iOS, thanks to Jacob Berkman.
* Improved behavior of arc4random on Windows when using memory leak analysis
software.
* Correctly handle an EOF that occurs prior to the TLS handshake completing.
Reported by Vasily Kolobkov, based on a diff from Marko Kreen.
* Limit the support of the "backward compatible" ssl2 handshake to only be
used if TLS 1.0 is enabled.
* Fix incorrect results in certain cases on 64-bit systems when BN_mod_word()
can return incorrect results. BN_mod_word() now can return an error condition.
Thanks to Brian Smith.
* Added constant-time updates to address CVE-2016-0702
* Fixed undefined behavior in BN_GF2m_mod_arr()
* Removed unused Cryptographic Message Support (CMS)
* More conversions of long long idioms to time_t
* Improved compatibility by avoiding printing NULL strings with printf.
* Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal()
and EVP_DecryptFinal(). Some software relies on the previous behaviour.
* Avoid unbounded memory growth in libssl, which can be triggered by a TLS
client repeatedly renegotiating and sending OCSP Status Request TLS extensions.
* Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.
* X509_cmp_time() now passes a malformed GeneralizedTime field as an error.
Reported by Theofilos Petsios.
* Detect zero-length encrypted session data early, instead of when malloc(0)
fails or the HMAC check fails. Noted independently by jsing@ and Kurt Cancemi.
* Check for and handle failure of HMAC_{Update,Final} or EVP_DecryptUpdate().
* Massive update and normalization of manpages, conversion to mandoc format.
Many pages were rewritten for clarity and accuracy. Portable doc links are
up-to-date with a new conversion tool.
* Curve25519 Key Exchange support.
* Support for alternate chains for certificate verification.
* Code cleanups, CBB conversions, further unification of DTLS/SSL handshake
code, further ASN1 macro expansion and removal.
* Private symbols are now hidden in libssl and libcrypto.
* Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
* Added OCSP stapling support to libtls and nc.
* Added ocspcheck utility to validate a certificate against its OCSP responder
and save the reply for stapling
* Enhanced regression tests and error handling for libtls.
* Added explicit constant and non-constant time BN functions, defaulting to
constant time wherever possible.
* Moved many leaked implementation details in public structs behind opaque
pointers.
* Added ticket support to libtls.
* Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names. This also changes the default list of
curves to be X25519, P-256 and P-384. All other curves must be manually
enabled.
* Added -groups option to openssl(1) s_client for specifying the curves to be
used in a colon-separated list.
* Merged client/server version negotiation code paths into one, reducing much
duplicate code.
* Removed error function codes from libssl and libcrypto.
* Fixed an issue where a truncated packet could crash via an OOB read.
* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows client-initiated
renegotiation. This is the default for libtls servers.
* Avoid a side-channel cache-timing attack that can leak the ECDSA private
keys when signing. This is due to BN_mod_inverse() being used without the
constant time flag being set. Reported by Cesar Pereida Garcia and Billy
Brumley (Tampere University of Technology). The fix was developed by Cesar
Pereida Garcia.
* iOS and MacOS compatibility updates from Simone Basso and Jacob Berkman.
* Added the recallocarray(3) memory allocation function, and converted various
places in the library to use it, such as CBB and BUF_MEM_grow. recallocarray(3)
is similar to reallocarray. Newly allocated memory is cleared similar to
calloc(3). Memory that becomes unallocated while shrinking or moving existing
allocations is explicitly discarded by unmapping or clearing to 0.
* Added new root CAs from SECOM Trust Systems / Security Communication of Japan.
* Added EVP interface for MD5+SHA1 hashes.
* Fixed DTLS client failures when the server sends a certificate request.
* Correct handling of padding when upgrading an SSLv2 challenge into an
SSLv3/TLS connection.
* Allow protocols and ciphers to be set on a TLS config object in libtls.
* Improved nc(1) TLS handshake CPU usage and server-side error reporting.
* Add a constant time version of BN_gcd and use it by default for BN_gcd to avoid
the possibility of side-channel timing attacks against RSA private key
generation - Thanks to Alejandro Cabrera
We have released LibreSSL 2.5.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. It includes the following
changes:
* Added the recallocarray(3) memory allocation function, and converted
various places in the library to use it, such as CBB and BUF_MEM_grow.
recallocarray(3) is similar to reallocarray. Newly allocated memory
is cleared similar to calloc(3). Memory that becomes unallocated
while shrinking or moving existing allocations is explicitly
discarded by unmapping or clearing to 0.
* Added new root CAs from SECOM Trust Systems / Security Communication
of Japan.
* Added EVP interface for MD5+SHA1 hashes.
* Fixed DTLS client failures when the server sends a certificate
request.
* Correct handling of padding when upgrading an SSLv2 challenge into
an SSLv3/TLS connection.
* Allow protocols and ciphers to be set on a TLS config object in
libtls.
* Improved nc(1) TLS handshake CPU usage and server-side error
reporting.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
|
Fix build on (at least) SunOS by depending on go-sys.
|
shared Makefile.common.
|
Significant changes since 1.2.0:
* A new -v option instructs scrypt to print the key derivation parameters
it has selected.
* A new --version option prints the version number of the scrypt utility.
* A new -P option makes scrypt read the passphrase from standard input; this
is designed for scripts which pipe a passphrase in from elsewhere.
* A new -f option makes 'scrypt dec' ignore the amount of memory or CPU time
it thinks decrypting a file will take, and proceed anyway; this may be useful
in cases where scrypt's estimation is wrong.
* The '-M maxmem' option now accepts "humanized" inputs, e.g., "-M 1GB".
There are also a variety of less visible changes: Performance improvements
in the SHA256 routines, minor bug and compiler warning fixes, the addition
of a test suite, and some minor code reorganization.
|
Bump PKGREVISION.
|
Requests is an HTTP library, written in Python, for human beings. This
library adds optional Kerberos/GSSAPI authentication support and supports
mutual authentication.
|
Allow `authGSSClientInit` principal kwarg to be None.
|
depends on ruby18.
|
## [1.2.0][] (2017-04-14)
* [#95](https://github.com/mattbrictson/airbrussh/pull/95): colorize LogMessage label on WARN level and above - [@klyonrad](https://github.com/klyonrad)
* [#106](https://github.com/mattbrictson/airbrussh/pull/106): Remove the `log_file` parameter from the `CommandFormatter#exit_message` method; it was unused - [@mattbrictson](https://github.com/mattbrictson)
|
## [1.13.1][] (2017-03-31)
### Breaking changes
* None
### Bug fixes
* [#397](https://github.com/capistrano/sshkit/pull/397): Fix NoMethodError assign_defaults with net-ssh older than 4.0.0 - [@shirosaki](https://github.com/shirosaki)
## [1.13.0][] (2017-03-24)
### Breaking changes
* None
### New features
* [#372](https://github.com/capistrano/sshkit/pull/372): Use cp_r in local backend with recursive option - [@okuramasafumi](https://github.com/okuramasafumi)
### Bug fixes
* [#390](https://github.com/capistrano/sshkit/pull/390): Properly wrap Ruby StandardError w/ add'l context - [@mattbrictson](https://github.com/mattbrictson)
* [#392](https://github.com/capistrano/sshkit/pull/392): Fix open two connections with changed cache key - [@shirosaki](https://github.com/shirosaki)
|
Inhibit its use on Darwin to fix the build.
|
2.048 2017/04/16
- fixed small memory leaks during destruction of socket and context, RT#120643
|