summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2017-01-30Update to 0.10wen2-9/+8
Update LICENSE Upstream changes: 0.10 2016-11-18 - Avoid stray backup files. - https://rt.cpan.org/Ticket/Display.html?id=118830 - Thanks to KENTNL. - Avoid duplicate test files. - https://rt.cpan.org/Ticket/Display.html?id=118830 - Thanks to KENTNL.
2017-01-29Update to 5.40 (5.39 not fetchable). From the changelog:schmonz2-7/+7
* Security bugfixes - OpenSSL DLLs updated to version 1.0.2k. https://www.openssl.org/news/secadv/20170126.txt * New features - DH ciphersuites are now disabled by default. - The daily server DH parameter regeneration is only performed if DH ciphersuites are enabled in the configuration file. - "checkHost" and "checkEmail" were modified to require either "verifyChain" or "verifyPeer" (thx to Małorzata Olszówka). * Bugfixes - Fixed setting default ciphers.
2017-01-28Updated py-OpenSSL to 16.2.0.wiz3-7/+39
Add patch that makes tests on NetBSD progress further. But then there's a segfault. See https://github.com/pyca/pyopenssl/issues/596 16.2.0 (2016-10-15) ------------------- Changes: ^^^^^^^^ - Fixed compatibility errors with OpenSSL 1.1.0. - Fixed an issue that caused failures with subinterpreters and embedded Pythons. `#552 <https://github.com/pyca/pyopenssl/pull/552>`_ 16.1.0 (2016-08-26) ------------------- Deprecations: ^^^^^^^^^^^^^ - Dropped support for OpenSSL 0.9.8. Changes: ^^^^^^^^ - Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``. `#496 <https://github.com/pyca/pyopenssl/pull/496>`_ - Enable use of CRL (and more) in verify context. `#483 <https://github.com/pyca/pyopenssl/pull/483>`_ - ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such. `#439 <https://github.com/pyca/pyopenssl/pull/439>`_ - Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
2017-01-28Fix test segfault by using upstream patch #3350:wiz3-2/+29
https://github.com/pyca/cryptography/pull/3350 Bump PKGREVISION. Identified by @reaperhulk in https://github.com/pyca/cryptography/issues/3372
2017-01-28Updated py-cryptography to 1.7.2.wiz2-7/+10
Add more test dependencies. Self tests cause a python core dump, see https://github.com/pyca/cryptography/issues/3372 1.7.2 - 2017-01-27 ~~~~~~~~~~~~~~~~~~ * Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.
2017-01-28+ py-cryptography_vectorswiz1-1/+2
2017-01-28Import py-cryptography_vectors-1.7.2 as security/py-cryptography_vectors.wiz4-0/+2151
This package contains the test vectors for the cryptography python module.
2017-01-26Update security/openssl to 1.0.2k.jperkin3-24/+7
Changes between 1.0.2j and 1.0.2k [26 Jan 2017] *) Truncated packet could crash via OOB read If one side of an SSL/TLS path is running on a 32-bit host and a specific cipher is being used, then a truncated packet can cause that host to perform an out-of-bounds read, usually resulting in a crash. This issue was reported to OpenSSL by Robert Święcki of Google. (CVE-2017-3731) [Andy Polyakov] *) BN_mod_exp may produce incorrect results on x86_64 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. This issue was reported to OpenSSL by the OSS-Fuzz project. (CVE-2017-3732) [Andy Polyakov] *) Montgomery multiplication may produce incorrect results There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected. This issue was publicly reported as transient failures and was not initially recognized as a security issue. Thanks to Richard Morgan for providing reproducible case. (CVE-2016-7055) [Andy Polyakov] *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to prevent issues where no progress is being made and the peer continually sends unrecognised record types, using up resources processing them. [Matt Caswell]
2017-01-25Update py-acme and py-certbot to 0.10.1.wiz3-8/+13
All py-certbot self tests pass. 39 self test failures in py-acme (running py.test), one core dump in openssl (running make test). Changes: Test bug fixes
2017-01-24Update to 5.39ryoon3-12/+12
Changelog: Version 5.39, 2017.01.01, urgency: LOW * New features - PKCS#11 engine (pkcs11.dll) added to the Win32 build. - Per-destination TLS session cache added for the client mode. - The new "logId" parameter "process" added to log PID values. - Added support for the new SSL_set_options() values. - Updated the manual page. - Obsolete references to "SSL" replaced with "TLS". * Bugfixes - Fixed "logId" parameter to also work in inetd mode. - "delay = yes" properly enforces "failover = prio". - Fixed fd_set allocation size on Win64. - Fixed reloading invalid configuration file on Win32. - Fixed resolving addresses with unconfigured network interfaces. Version 5.38, 2016.11.26, urgency: MEDIUM * New features - "sni=" can be used to prevent sending the SNI extension. - The AI_ADDRCONFIG resolver flag is used when available. - Merged Debian 06-lfs.patch (thx Peter Pentchev). * Bugfixes - Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0. - Fixed error handling for mixed IPv4/IPv6 destinations. - Merged Debian 08-typos.patch (thx Peter Pentchev). Version 5.37, 2016.11.06, urgency: MEDIUM * Bugfixes - OpenSSL DLLs updated to version 1.0.2j (stops crashes). - The default SNI target (not handled by any slave service) is handled by the master service rather than rejected. - Removed thread synchronization in the FORK threading model. Version 5.36, 2016.09.22, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 1.0.2i. https://www.openssl.org/news/secadv_20160922.txt * New features - Added support for OpenSSL 1.1.0 built with "no-deprecated". - Removed direct zlib dependency.
2017-01-22Updated libgcrypt to 1.7.6.wiz2-7/+7
All tests pass. Noteworthy changes in version 1.7.6 (2017-01-18) [C21/A1/R6] ------------------------------------------------ * Bug fixes: - Fix AES CTR self-check detected failure in the SSSE3 based implementation. - Remove gratuitous select before the getrandom syscall.
2017-01-22Update to 6.0.8ryoon190-4026/+2381
* Use OpenBSD Ports distfile * Profile directory has changed to $HOME/TorBrowser-Data * Besed on Firefox 45.6.0
2017-01-22Fixed spelling of NetBSD in mail addresses.rillig1-2/+2
2017-01-21Update security/erlang-fast_tls to 1.0.10.fhajny2-7/+7
- Add ability to use system installed deps instead fetching them from git.
2017-01-21Recursive revbump from audio/pulseaudio-10.0ryoon2-4/+4
2017-01-20Update OpenDNSSEC to version 1.4.13.he3-25/+7
Pkgsrc changes: * Remove patch now integrated. Upstream changes: OpenDNSSEC 1.4.13 - 2017-01-20 * OPENDNSSEC-778: Double NSEC3PARAM record after resalt. * OPENDNSSEC-853: Fixed serial_xfr_acquired not updated in state file. * Wrong error was sometimes being print on failing TCP connect. * Add support for OpenSSL 1.1.0. * OPENDNSSEC-866: Script for migration between MySQL and SQLite was outdated.
2017-01-19Convert all occurrences (353 by my count) ofagc17-58/+58
MASTER_SITES= site1 \ site2 style continuation lines to be simple repeated MASTER_SITES+= site1 MASTER_SITES+= site2 lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint accordingly.
2017-01-19Update to kgpg 16.08.0markd2-9/+8
minor changes - last kde4 version
2017-01-19GC deprecated logic for openssh without /dev/urandom. This option is no longermaya3-23/+3
supported by OpenSSH.
2017-01-16Recursive bump for libvpx shlib major change.wiz1-2/+2
2017-01-16Update security/php-ssh2 to 0.13.fhajny2-8/+7
- Fixed bug #63660 php_ssh2_fopen_wrapper_parse_path segfaults - Fixed bug #63855 compilation fails on windows - Fixed bug #64535 php_ssh2_sftp_dirstream_read segfault on error - Add reflection API support - Add exit-status support for ssh2 file wrappers - Fixed bug #58893 Unable to request a channel from remote host - Fix segfault when trying to authenticate in servers that do not support authentication (none)
2017-01-16Updated p5-Net-SSLeay to 1.80.wiz2-7/+7
1.80 2017-01-05 Patch from Steffen Ulrich that fixed unexpected changes in the control flow of the Perl program which seemed to be triggered by the ticket key callback. Thanks Steffen.
2017-01-16Updated p5-IO-Socket-SSL to 2.043.wiz2-7/+7
2.043 2017/01/06 - make t/session_ticket.t work with OpenSSL 1.1.0. With this version the session does not get reused any longer if it was not properly closed which is now done using an explicit close by the client which causes a proper SSL_shutdown 2.042 2017/01/05 - enable session ticket callback with Net::SSLeay>=1.80
2017-01-16Update OpenDNSSEC to version 1.4.12nb3.he3-3/+20
* Apply fix from OPENDNSSEC-778: double NSEC3PARAMS on re-salt.
2017-01-16More fixes for build on SmartOS/Solaris.joerg4-5/+33
2017-01-12Revert last commit. According to wiz@ in private mail, CONFLICTS is neededrodent2-5/+2
for configuration files only.
2017-01-12Update security/py-{acme,certbot} to 0.10.0.fhajny6-22/+34
No changelog released, commits closed for 0.10.0: - Stop IDisplay AssertionErrors - Add update_symlinks to "--help manage" - Hide rename command for 0.10.0 - Disable rename command for 0.10.0 - Break on failure to deploy cert - Incorrect success condition in nginx - certbot delete and rename evoke IDisplay - Put update_symlinks in certbot --help manage - Fix Error Message for invalid FQDNs - pyopenssl inject workaround - pyparsing.restOfLine is not a function, don't call it - Add information on updating [certbot|letsencrypt]-auto - Remove quotes so tilde is expanded - Correctly report when we skip hooks during renewal - Add line number to Augeas syntax error message - Mention line in (Apache) conf file in case of Augeas parse/syntax error - Fixes #3954 and adds a test to prevent regressions - Further OCSP improvements - `-n` doesn't like `force_interactive`? - Save allow_subset_of_names in renewal conf files - I promise checklists are OK (fixes #3934) - Return domains for _find_domains_or_certname - --cert-name causes explosions when trying to use "run" as an installer - Interactivity glitch in git master - Document some particularities of the revoke subcommand - test using os.path.sep not hardcoded / - Save --pre and --post hooks in renewal conf files, and run them in a sophisticated way - Don't add ServerAlias directives when the domain is already covered by a wildcard - Mitigate problems for people who run without -n - Use relative paths for livedir symlinks - Implement delete command - Use isatty checks before asking new questions - Ensure apt-cache is always running in English if we're going to grep - Sort the names by domain (then subdomain) before showing them - Merge the manual and script plugins - --allow-subset-of-names should probably be a renewalparam - Fix certbox-nginx address equality check - Implement our fancy new --help output - Make renew command respect the --cert-name flag - Error when using non-english locale on Debian - Document defaults - Improve simple --help output - Add pyasn1 back to le-auto - Mark Nginx vhosts as ssl when any vhost is on ssl at that address - Fully check for Nginx address equality - Preserve --must-staple in configuration for renewal (#3844) - Git master certbot is making executable renewal conf files? - Improve the "certbot certificates" output - Renewal: Preserve 'OCSP Must Staple' (option --must-staple) - Security enhancement cleanup - Parallalelise nosetests from tox - "certbot certificates" is API-like, so make it future-proof - Fix LE_AUTO_SUDO usage - Remove the sphinxcontrib.programout [docs]dependency - No more relative path connection from live-crt to archive-crt files - Ensure tests pass with openssl 1.1 - Output success message for revoke command - acme module fails tests with openssl 1.1 - Pin pyopenssl 16.2.0 in certbot-auto - Fixed output of `certbot-auto --version`(#3637). - Take advantage of urllib3 pyopenssl rewrite - Busybox support - Fix --http-01-port typo at source - Implement the --cert-name flag to select a lineage by its name. - Fix reinstall message - Changed plugin interface return types (#3748). - Remove letshelp-letsencrypt - Bump pyopenssl version - Bump python-cryptography to 1.5.3 - Remove get_all_certs_keys() from Apache and Nginx - Further merge --script-* with --*-hook - Certbot opens curses sessions for informational notices, breaking automation - Fix writing pem files with Python3 - Strange reinstallation errors - Don't re-add redirects if one exists - Use subprocess.Popen.terminate instead of os.killpg - Generalize return types for plugin interfaces - Don't re-append Nginx redirect directive - Cli help is sometimes wrong about what the default for something is - [certbot-auto] Bump cryptography version to 1.5.2 - python-cryptography build failure on sid - Remove sphinxcontrib-programoutput dependency? - Allow notification interface to not wrap text - Fix non-ASCII domain check. - Add renew_hook to options stored in the renewal config, #3394 - Where oh where has sphinxcontrib-programoutput gone? - Remove some domain name checks. - Allowing modification check to run using "tox" - How to modify *-auto - Don't crash when U-label IDN provided on command line - Add README file to each live directory explaining its contents. - Allow user to select all domains by typing empty string at checklist - Fix issue with suggest_unsafe undeclared - Update docs/contributing.rst to match display behavior during release. - Referencing unbound variable in certbot.display.ops.get_email - Add list-certs command - Remove the curses dialog, thereby deprecating the --help and --dialog command line options - Remove the curses dialog, thereby deprecating the --help and --dialog command line options - Specify archive directory in renewal configuration file - 0.9.1 fails in non-interactive use (pythondialog, error opening terminal) - Allow certbot to get a cert for default_servers - [nginx] Cert for two domains in one virtaulhost fails - [nginx] --hsts and --uir flags not working? - `certbot-auto --version` still says `letsencrypt 0.9.3` (should say `certbot 0.9.3`?) - Add a cli option for "all domains my installer sees" - Stop rejecting punycode domain names - Standalone vs. Apache for available ports - nginx-compatibility-weirdness - Support requesting IDNA2008 Punycode domains - Cert Management Improvement Project (C-MIP) - Add --lineage command line option for nicer SAN management. - Fix requirements.txt surgery in response to shipping certbot-nginx - Use correct Content-Types in headers. - Missing Content-Type 'application/json' in POST requests - Script plugin - Inconsistent error placement - Server alias [revision requested] - When getopts is called multiple time we need to reset OPTIND. - certbot-auto: Print link to doc on debugging pip install error [revision requested] - Update ACME error namespace to match the new draft. - Update errors to match latest ACME version. - Testing the output of build.py against lea-source/lea - Make return type of certbot.interfaces.IInstaller.get_all_keys_certs() an iterator - Fix requirements file surgery for 0.10.0 release - Update Where Are My Certs section. - Hooks do not get stored in renewal config file - Multiple vhosts - Bind to IPv6, fix the problem of ipv6 site cannot generate / renew certificate [revision requested] - Warning message for low memory servers - Run simple certbot-auto tests with `tox` - letsencrypt-auto-source/letsencrypt-auto should be the output of build.py - DialogError should come with --text instructions - Support correct error namespace - Verification URL after successful certificate configuration can't be opened from terminal - Use appropriate caution when handling configurations that have complex rewrite logic - `revoke` doesn't output any status - adding -delete option to remove the cert files - Stop using simple_verify in manual plugin - Ways of specifying what to renew - Allow removing SAN from multidomain certificate when renewing - Dialog is sometimes ugly - Allow user to override sudo as root authorization method [minor revision requested] - Add a README file to each live directory explaining its contents - ExecutableNotFound
2017-01-12py-crypto and py-cryptodome CONFLICT with:rodent2-2/+5
${PYSITELIB}/Crypto/Cipher/AES.py
2017-01-11Add libunistring to bl3.mk, it's linked into libgnutls{,xx}.so.wiz1-1/+2
PR 51830
2017-01-11Remove -Werror from compilation flags.wiz1-1/+3
PR 51821 PR 51829
2017-01-10Updated gnutls to 3.5.8.wiz4-35/+28
* Version 3.5.8 (released 2016-01-09) ** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions will not leave the verification profiles field to an undefined state. The last call will take precedence. ** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned by PKCS#8 decryption functions when an invalid key is provided. This addresses regression on decrypting certain PKCS#8 keys. ** libgnutls: Introduced option to override the default priority string used by the library. The intention is to allow support of system-wide priority strings (as set with --with-system-priority-file). The configure option is --with-default-priority-string. ** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. This prevents crashes when decrypting malformed PKCS#8 keys. ** libgnutls: Fix crash on the loading of malformed private keys with certain parameters set to zero. ** libgnutls: Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free. ** libgnutls: Addressed memory leaks in client and server side error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks in X.509 certificate printing error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project) ** API and ABI modifications: No changes since last version. * Version 3.5.7 (released 2016-12-8) ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and SECURE256 priority strings. ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate with OIDs which have elements that exceed 2^32. ** libgnutls: The DN decoding functions output the traditional DN format rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6 introduced change, and allows applications which depended on the previous format to continue to function. Introduced new functions which output the strict format by default, and can revert to the old one using a flag. ** libgnutls: Improved TPM key handling. Check authorization requirements prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley. ** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords are normalized according to RFC7613. When invalid UTF-8 passwords are detected, they are only tolerated for decryption. This introduces a libunistring dependency on GnuTLS. A version of libunistring is included in the library for the platforms that do not ship it; it can be used with the '--with-included-unistring' option to configure script. ** libgnutls: When setting a subject alternative name in a certificate which is in UTF-8 format, it will transparently be converted to IDNA form prior to storing. ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will print the SHA256 key-ID instead of a certificate fingerprint. ** libgnutls: enhance the PKCS#7 verification capabilities. In the case signers that are not discoverable using the trust list or input, use the stored list as pool to generate a trusted chain to the signer. ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites under DTLS. ** libgnutls: [added missing news entry since 3.5.0] No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers. ** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov. ** certtool: Include the SHA-256 variant of key ID in --certificate-info options. ** p11tool: Introduced the --initialize-pin and --initialize-so-pin options. ** API and ABI modifications: gnutls_utf8_password_normalize: Added gnutls_ocsp_resp_get_responder2: Added gnutls_x509_crt_get_issuer_dn3: Added gnutls_x509_crt_get_dn3: Added gnutls_x509_rdn_get2: Added gnutls_x509_dn_get_str2: Added gnutls_x509_crl_get_issuer_dn3: Added gnutls_x509_crq_get_dn3: Added * Version 3.5.6 (released 2016-11-04) ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919. ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string). ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required. ** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch. ** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed. ** certtool: --get-dh-params will output parameters from the RFC7919 groups. ** p11tool: improvements in --initialize option. ** API and ABI modifications: GNUTLS_CERTIFICATE_API_V2: Added GNUTLS_NO_TICKETS: Added gnutls_pkcs7_get_embedded_data_oid: Added gnutls_anon_set_server_known_dh_params: Added gnutls_certificate_set_known_dh_params: Added gnutls_psk_set_server_known_dh_params: Added gnutls_x509_crt_check_key_purpose: Added * Version 3.5.5 (released 2016-10-09) ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to allow importing multiple OCSP request files, one for each chain provided. ** libgnutls: The gnutls_certificate_set_key* functions return an index of the added chain. That index can be used either with gnutls_certificate_set_ocsp_status_request_file(), or with gnutls_certificate_get_crt_raw() and friends. ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations for the aarch64 architecture. Uses Andy Polyakov's assembly code. ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures. ** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts. ** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). ** libgnutls: Reverted AESNI code on x86 to earlier version as the latest version was creating position depending code. Added checks in the CI to detect position depending code early. ** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview. ** API and ABI modifications: gnutls_certificate_set_ocsp_status_request_function2: Added gnutls_session_ext_register: Added gnutls_session_supplemental_register: Added GNUTLS_E_PK_INVALID_PUBKEY: Added GNUTLS_E_PK_INVALID_PRIVKEY: Added
2017-01-10Updated libtasn1 to 4.9.wiz2-7/+7
* Noteworthy changes in release 4.9 (released 2016-07-25) [stable] - Fixes to OID encoding of OIDs which have elements which exceed 2^32
2017-01-09Update security/hitch to 1.4.4.fhajny6-57/+64
hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure.
2017-01-07gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails themaya1-10/+12
configure test because the type in stddef.h is guarded by a c11 macro (most likely). Force the configure test to pass. From David Shao in PR pkg/51793 (originally from FreeBSD ports).
2017-01-07Update to 0.18wen2-8/+7
Upstream changes: 0.18 2016/11/17 - OpenSSL 1.1.0 compatibility - fix Kwalitee Issues 0.17 2016/10/27 - Makefile.PL fixing v0.16 0.16 2016/10/27 - Makefile.PL supports OPENSSL_PREFIX or OPENSSL_LIB+OPENSSL_INCLUDE env variables - Makefile.PL tries to find libcrypto via pkg-config - Make the files non-executable - Doc fixes (grammar)
2017-01-05Use the curses framework.roy2-11/+4
Punt silly buildlink depds.
2017-01-05pwsafe doesn't really use curses.roy2-4/+4
2017-01-05Remove patch that is not in distinfo.wiz1-18/+0
2017-01-04Updated p5-Net-SSLeay to 1.79.wiz2-7/+7
1.79 2017-01-03 Patch to fix a few inline variable declarations that cause errors for older compilers. From Andy Grundman. Thanks. Patch: Generated C code is not compatible with MSVC, AIX cc, probably others. Added some PREINIT blocks and replaced 2 cases of INIT with PREINIT. From Andy Grundman. Thanks. Patch to fix: Fails to compile if the OpenSSL library it's built against has compression support compiled out. From Stephan Wall. Thanks. Added RSA_get_key_parameters() to return a list of pointers to RSA key internals. Patch to fix some documentation typos courtesy gregor herrmann. RSA_get_key_parameters() is now only available prior OpenSSL 1.1. Testing with openssl-1.1.0b.
2017-01-04Updated p5-IO-Socket-SSL to 2.041.wiz2-7/+7
2.041 2017/01/04 - leave session ticket callback off for now until the needed patch is included in Net::SSLeay. See https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146
2017-01-03Move to the curses framework.roy1-2/+2
2017-01-03Update security/erlang-fast_tls to 1.0.9.fhajny3-11/+11
Version 1.0.9 - Fix problem with compilation agains libressl - Make tests use localy build c library instead of system one Version 1.0.8 - Use p1_utils 1.0.6 - Make it possible to decode certificate to OTP format - Make sure p1_sha isn't compiled to native code
2017-01-03Use "${MV} || ${TRUE}" and "${RM} -f" consistently in post-install targets.jperkin1-2/+2
2017-01-03Update security/vault to 0.6.4fhajny2-8/+7
SECURITY: - default Policy Privilege Escalation: If a parent token did not have the default policy attached to its token, it could still create children with the default policy. This is no longer allowed (unless the parent has sudo capability for the creation path). In most cases this is low severity since the access grants in the default policy are meant to be access grants that are acceptable for all tokens to have. - Leases Not Expired When Limited Use Token Runs Out of Uses: When using limited-use tokens to create leased secrets, if the limited-use token was revoked due to running out of uses (rather than due to TTL expiration or explicit revocation) it would fail to revoke the leased secrets. These secrets would still be revoked when their TTL expired, limiting the severity of this issue. An endpoint has been added (auth/token/tidy) that can perform housekeeping tasks on the token store; one of its tasks can detect this situation and revoke the associated leases. FEATURES: - Policy UI (Enterprise): Vault Enterprise UI now supports viewing, creating, and editing policies. IMPROVEMENTS: - http: Vault now sets a no-store cache control header to make it more secure in setups that are not end-to-end encrypted BUG FIXES: - auth/ldap: Don't panic if dialing returns an error and starttls is enabled; instead, return the error - ui (Enterprise): Submitting an unseal key now properly resets the form so a browser refresh isn't required to continue. 0.6.3 (December 6, 2016) DEPRECATIONS/CHANGES: - Request size limitation: A maximum request size of 32MB is imposed to prevent a denial of service attack with arbitrarily large requests - LDAP denies passwordless binds by default: In new LDAP mounts, or when existing LDAP mounts are rewritten, passwordless binds will be denied by default. The new deny_null_bind parameter can be set to false to allow these. - Any audit backend activated satisfies conditions: Previously, when a new Vault node was taking over service in an HA cluster, all audit backends were required to be loaded successfully to take over active duty. This behavior now matches the behavior of the audit logging system itself: at least one audit backend must successfully be loaded. The server log contains an error when this occurs. This helps keep a Vault HA cluster working when there is a misconfiguration on a standby node. FEATURES: - Web UI (Enterprise): Vault Enterprise now contains a built-in web UI that offers access to a number of features, including init/unsealing/sealing, authentication via userpass or LDAP, and K/V reading/writing. The capability set of the UI will be expanding rapidly in further releases. To enable it, set ui = true in the top level of Vault's configuration file and point a web browser at your Vault address. - Google Cloud Storage Physical Backend: You can now use GCS for storing Vault data IMPROVEMENTS: - auth/github: Policies can now be assigned to users as well as to teams - cli: Set the number of retries on 500 down to 0 by default (no retrying). It can be very confusing to users when there is a pause while the retries happen if they haven't explicitly set it. With request forwarding the need for this is lessened anyways. - core: Response wrapping is now allowed to be specified by backend responses (requires backends gaining support) - physical/consul: When announcing service, use the scheme of the Vault server rather than the Consul client - secret/consul: Added listing functionality to roles - secret/postgresql: Added revocation_sql parameter on the role endpoint to enable customization of user revocation SQL statements - secret/transit: Add listing of keys BUG FIXES: - api/unwrap, command/unwrap: Increase compatibility of unwrap command with Vault 0.6.1 and older - api/unwrap, command/unwrap: Fix error when no client token exists - auth/approle: Creating the index for the role_id properly - auth/aws-ec2: Handle the case of multiple upgrade attempts when setting the instance-profile ARN - auth/ldap: Avoid leaking connections on login - command/path-help: Use the actual error generated by Vault rather than always using 500 when there is a path help error - command/ssh: Use temporary file for identity and ensure its deletion before the command returns - cli: Fix error printing values with -field if the values contained formatting directives - command/server: Don't say mlock is supported on OSX when it isn't. - core: Fix bug where a failure to come up as active node (e.g. if an audit backend failed) could lead to deadlock - physical/mysql: Fix potential crash during setup due to a query failure - secret/consul: Fix panic on user error
2017-01-02Update to 0.97. From the changelog:schmonz3-9/+10
- Updated for bglibs v2
2017-01-01Indent.schmonz1-12/+12
2017-01-01Fix build on OS X and quell pkglint.schmonz5-7/+42
2017-01-01Update to 0.4.8. From the changelog:schmonz6-178/+210
0.4.8 - 11/12/2014 - Added more acknowledgements and security considerations 0.4.7 - 11/12/2014 - Added TLS 1.2 support (Yngve Pettersen and Paul Sokolovsky) - Don't offer SSLv3 by default (e.g. POODLE) - Fixed bug with PyCrypto_RSA integration - Fixed harmless bug that added non-prime into sieves list - Added "make test" and "make test-dev" targets (Hubert Kario) 0.4.5 - 3/20/2013 - **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing to a closed connection. This inherits from socket.error, so should interact better with SocketServer (see http://bugs.python.org/issue14574) and other things expecting a socket.error in this situation. - Added support for RC4-MD5 ciphersuite (if enabled in settings) - This is allegedly necessary to connect to some Internet servers. - Added TLSConnection.unread() function - Switched to New-style classes (inherit from 'object') - Minor cleanups 0.4.4 - 2/25/2013 - Added Python 3 support (Martin von Loewis) - Added NPN client support (Marcelo Fernandez) - Switched to RC4 as preferred cipher - faster in Python, avoids "Lucky 13" timing attacks - Fixed bug when specifying ciphers for anon ciphersuites - Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam - (this function is not used for TLS currently, and this tolerance may not even be necessary) 0.4.3 - 9/27/2012 - Minor bugfix (0.4.2 doesn't load tackpy) 0.4.2 - 9/25/2012 - Updated TACK (compatible with tackpy 0.9.9) 0.4.1 - 5/22/2012 - Fixed RSA padding bugs (w/help from John Randolph) - Updated TACK (compatible with tackpy 0.9.7) - Added SNI - Added NPN server support (Sam Rushing/Google) - Added AnonDH (Dimitris Moraitis) - Added X509CertChain.parsePemList - Improved XML-RPC (Kees Bos) 0.4.0 - 2/11/2012 - Fixed pycrypto support - Fixed python 2.6 problems 0.3.9.x - 2/7/2012 Much code cleanup, in particular decomposing the handshake functions so they are readable. The main new feature is support for TACK, an experimental authentication method that provides a new way to pin server certificates (See https://github.com/moxie0/Convergence/wiki/TACK ). Also: - Security Fixes - Sends SCSV ciphersuite as per RFC 5746, to signal non-renegotiated Client Hello. Does not support renegotiation (never has). - Change from e=3 to e=65537 for generated RSA keys, not strictly necessary but mitigates risk of sloppy verifier. - 1/(n-1) countermeasure for BEAST. - Behavior changes: - Split cmdline into tls.py and tlstest.py, improved options. - Formalized LICENSE. - Defaults to closing socket after sending close_notify, fixes hanging. problem that would occur sometime when waiting for other party's close_notify. - Update SRP to RFC 5054 compliance. - Removed client handshake "callbacks", no longer support the SRP re-handshake idiom within a single handshake function. - Bugfixes - Added hashlib support, removes Deprecation Warning due to sha and md5. - Handled GeneratorExit exceptions that are a new Python feature, and interfere with the async code if not handled. - Removed: - Shared keys (it was based on an ancient I-D, not TLS-PSK). - cryptlib support, it wasn't used much, we have enough other options. - cryptoIDs (TACK is better). - win32prng extension module, as os.urandom is now available. - Twisted integration (unused?, slowed down loading). - Jython code (ancient, didn't work). - Compat support for python versions < 2.7. - Additions - Support for TACK via TACKpy. - Support for CertificateRequest.certificate_authorities ("reqCAs") - Added TLSConnection.shutdown() to better mimic socket. - Enabled Session resumption for XMLRPCTransport.
2017-01-01Revbump after boost updateadam20-39/+40
2017-01-01Add python-3.6 to incompatible versions.wiz29-58/+58