path: root/security
Age | Commit message | Author | Files | Lines
2014-09-08 | Explicitly pass --cpu=amd64 for MACHINE_ARCH=x86_64, fixes build on SunOS. | jperkin | 1 | -1/+2
2014-09-06 | Update to 0.50: | wiz | 2 | -8/+9
0.50 - 2014-03-14
  - Version 0.49 implicitly required Moose; switch to a technique that does not
  - Modernize CHANGES
0.49 - 2014-03-13
  - Restore context-sensitive (array/arrayref) behavior of multiple array methods from 0.46.
  - Fix MANIFEST/.gitignore inconsistency
0.48 - 2014-03-10
  - Switch from --always-trust to --trust-model=always
0.47 - 2014-03-10
  - No changes from 0.47_02
0.47_02 - 2014-02-14
  - Remove a stray 'use Data::Dumper::Concise' added in 0.47_01
0.47_01 - 2014-01-27
  - Switch from Any::Moose to Moo
  - Accept "gpg (GnuPG/MacGPG2)" as a valid gpg version
  - Typo fixes in documentation
2014-09-06 | Update to 1.997: | wiz | 2 | -6/+6
1.997 2014/07/12
  - thanks to return code 1 from Net::SSLeay::library_init if the library needed initialization and 0 if not we can now clearly distinguish if initialization was needed and do not need any work-arounds for perlcc by the user.
1.996 2014/07/12
  - move initialization of OpenSSL-internals out of INIT again because this breaks if module is used with require. Since there is no right place to work in all circumstances just document the work-arounds needed for perlcc. RT#97166
1.995 2014/07/11
  - RT#95452 - move initialization and creation of OpenSSL-internals into INIT section, so they get executed after compilation and perlcc is happy.
  - refresh option for peer_certificate, so that it checks if the certificate changed in the mean time (on renegotiation)
  - fix fingerprint checking - now applies only to topmost certificate
  - IO::Socket::SSL::Utils - accept extensions within CERT_create
  - documentation fixes thanks to frioux
  - fix documentation bug RT#96765, thanks to Salvatore Bonaccorso.
1.994 2014/06/22
  - IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade to SSL and downgrade again all with the same object. See documentation of SSL_startHandshake and chapter Advanced Usage.
  - try to apply SSL_ca* even if verify_mode is 0, but don't complain if this fails. This is needed if one wants to explicitly verify OCSP lookups even if verification is otherwise off, because otherwise the signature check would fail. This is mostly useful for testing.
  - reorder documentation of attributes for new, so that the more important ones are at the top.
1.993 2014/06/13
  - major rewrite of documentation, now in separate file
  - rework error handling to distinguish between SSL errors and internal errors (like missing capabilities).
  - fix handling of default_ca if given during the run of the program (Debian#750646)
  - util/analyze-ssl.pl - fix hostname check if SNI does not work
2014-09-06 | Update to 1.66: | wiz | 2 | -6/+6
1.66 2014-08-21
  Fixed compile problem with perl prior to 5.8.8, similar to RT#76267. Reported by Graham Knop.
  Fixed a problem with Socket::IPPROTO_TCP on early perls.
  After discussions with the community and the original author Sampo Kellomaki, the license conditions have been changed to "Perl Artistic License 2.0".
1.65 2014-07-14
  Added note to doc to make it clear that X509_get_subjectAltNames returns a packed binary IP address for type 7 - GEN_IPADD.
  Improvements to SSL_OCSP_response_verify to compile under non c99 compilers. Requested by MERIJNB.
  Port to Android, contributed by Brian Fraser. Includes Android specific version of RSA_generate_key.
  Added LibreSSL support, patch provided by Alexander Bluhm. Thanks!
  Patch that fixes the support for SSL_set_info_callback and adds SSL_CTX_set_info_callback and SSL_set_state. Support for these functions is necessary to either detect renegotiation or to enforce renegotiation. Contributed by Steffen Ullrich. Thanks!
  Fixed a problem with SSL_set_state not available on some early OpenSSLs, patched by Steffen Ullrich. Thanks!
  Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and http_cat().
  Removed unnecessary Debian_SPANTS.txt from MANIFEST. Again.
1.64 2014-06-11
  Fixes for test ocsp.t. Test now does not fail if HTTP::Tiny is not installed.
  Fixed repository in META.yml.
  Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake results in an anonymous authentication, like ADH-DES-CBC3-SHA, get_peer_cert_chain will not return an empty list, but instead return the SSL object. Reported and fixed by Steffen Ullrich. Thanks.
  Fixed a problem where patch https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431 caused a failed test in t/local/33_x509_create_cert.t.
2014-09-06 | Improve detection of untrusted certificates. From John D. Baker | wiz | 2 | -7/+12
in PR 49176. Bump PKGREVISION.
2014-09-04 | Update to 0.28 | markd | 2 | -7/+6
0.28 2013-11-21
  - Removed silly micro-optimization that was responsible for generating a warning in Perl versions prior to 5.18.
0.27 2013-10-06
  - Merged pull request from David Steinbrunner: specifying meta-spec so metadata can be seen/used.
  - Fixed t/05-kwalitee.t to work with latest revisions on Test::Kwalitee.
2014-09-04 | Update to 1.5.1: | wiz | 3 | -21/+12
Noteworthy changes in version 1.5.1 (2014-07-30) [C24/A13/R0]
-------------------------------------------------------------
 * Fixed possible overflow in gpgsm and uiserver engines. [CVE-2014-3564]
 * Added support for GnuPG 2.1's --with-secret option.
 * Interface changes relative to the 1.5.0 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPGME_KEYLIST_MODE_WITH_SECRET NEW.
Noteworthy changes in version 1.5.0 (2014-05-21) [C23/A12/R0]
-------------------------------------------------------------
 * On Unices the engine file names are not anymore hardwired but located via the envvar PATH. All options to set the name of the engines for the configure run are removed.
 * If GPGME finds the gpgconf binary it defaults to using gpg2 or whatever gpgconf tells as name for the OpenPGP engine. If gpgconf is not found, GPGME looks for an engine named "gpg".
 * New feature to use the gpgme I/O subsystem to run arbitrary commands.
 * New flag to use encryption without the default compression step.
 * New function to access "gpg-conf --list-dirs"
 * New configure option --enable-fixed-path for use by Android.
 * Support ECC algorithms.
 * Interface changes relative to the 1.4.3 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_get_dirinfo NEW.
 gpgme_op_spawn_start NEW.
 gpgme_op_spawn NEW.
 GPGME_PROTOCOL_SPAWN NEW.
 GPGME_SPAWN_DETACHED NEW.
 GPGME_SPAWN_ALLOW_SET_FG NEW.
 GPGME_ENCRYPT_NO_COMPRESS NEW.
 GPGME_PK_ECC NEW.
 GPGME_MD_SHA224 NEW.
 gpgme_subkey_t EXTENDED: New field curve.
 GPGME_STATUS_PLAINTEXT_LENGTH NEW.
 GPGME_STATUS_MOUNTPOINT NEW.
 GPGME_STATUS_PINENTRY_LAUNCHED NEW.
 GPGME_STATUS_ATTRIBUTE NEW.
 GPGME_STATUS_BEGIN_SIGNING NEW.
 GPGME_STATUS_KEY_NOT_CREATED NEW.
2014-08-31 | Update to 1.1.9: | wiz | 2 | -6/+6
Diff looks like perl style cleanups.
2014-08-30 | Note that this is obsolete, and point to pcsc-lite. | gdt | 1 | -0/+2
2014-08-30 | Changes 3.2.17: | adam | 5 | -6/+82
** libgnutls: initialize parameters variable on PKCS 8 decryption.
** libgnutls: Explicitly set the exponent in PKCS 11 key generation. That improves compatibility with certain PKCS 11 modules. Contributed by Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms.
** libgnutls: when checking the hostname of a certificate with multiple CNs ensure that the "most specific" CN is being used.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures.
** API and ABI modifications: No changes since last version.
2014-08-29 | Remove ten year old patch for Solaris 9/sparc/gcc that was never fed | wiz | 3 | -30/+3
upstream. If this patch is still necessary for you, please discuss at https://bugs.g10code.com/gnupg/issue1703 Bump PKGREVISION.
2014-08-29 | make it clear what package depend on | szptvlfn | 1 | -1/+2
discussed with wiz@.
2014-08-29 | reinstate patch-configure as upstream patch not yet in [1.6.2] release. | richard | 3 | -5/+88
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=43376891c01f4aff1fbfb23beafebb5adfd0868c revbump to pick it up.
2014-08-28 | Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341) | tez | 5 | -5/+159
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
2014-08-28 | Explicitly disable SSSE3 support on SunOS, it doesn't build. | jperkin | 1 | -1/+5
2014-08-28 | Add missing dependency on p5-Clone. Bump PKGREVISION. | wiz | 1 | -2/+3
2014-08-26 | Recent qmake changes result in installation of additional tool. | joerg | 2 | -3/+4
Bump revision.
2014-08-25 | Update to 0.5.4: | wiz | 2 | -6/+6
0.5.4 - 2014-08-20
~~~~~~~~~~~~~~~~~~
* Added several functions to the OpenSSL bindings to support new functionality in pyOpenSSL.
* Fixed a redefined constant causing compilation failure with Solaris 11.2.
2014-08-25 | Update certs to more recent version. The License changed to MPL 2.0. | mlelstv | 2 | -9/+8
2014-08-22 | Bump PKGREVISION for ilmbase shlib major bump. | wiz | 4 | -8/+8
2014-08-21 | Remove patch that was already included upstream. | wiz | 2 | -91/+1
See http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=43376891c01f4aff1fbfb23beafebb5adfd0868c
2014-08-21 | Update to 1.4.4. Remove obsolete configure args. | wiz | 2 | -10/+6
Noteworthy changes in version 1.4.4 (2014-07-30) [C22/A11/R1]
-------------------------------------------------------------
 Backported from 1.5.1:
 * Fixed possible overflow in gpgsm and uiserver engines. [CVE-2014-3564]
 * Fixed possible segv in gpgme_op_card_edit.
 * Fixed minor memleaks and possible zombie processes.
 * Fixed prototype inconsistencies and void pointer arithmetic.
Noteworthy changes in version 1.4.3 (2013-08-12) [C22/A11/R0]
-------------------------------------------------------------
 * The default engine names are now taken from the output of gpgconf. If gpgconf is not found the use of gpg 1 is assumed.
 * Under Windows the default engines names are first searched in the installation directory of the gpgme DLL.
 * New function gpgme_data_identify to detect the type of a message.
 * Interface changes relative to the 1.4.2 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_signers_count NEW.
 gpgme_data_type_t NEW.
 gpgme_data_identify NEW.
Noteworthy changes in version 1.4.2 (2013-05-28)
------------------------------------------------
 * Allow symmetric encryption with gpgme_op_encrypt_sign.
 * Fixed mismatching off_t definitions on Windows.
 * Interface changes relative to the 1.4.1 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_off_t NEW.
 gpgme_size_t NEW.
 GPGME_PROTOCOL_OPENPGP NEW alias.
2014-08-21 | Add comments and upstream bug report URLs to patches. | wiz | 4 | -7/+33
2014-08-21 | Update HOMEPAGE. | wiz | 1 | -2/+2
2014-08-21 | Update to 1.6.2. Add a comment to patch. | wiz | 4 | -29/+10
Noteworthy changes in version 1.6.2 (2014-08-21) [C20/A0/R2]
------------------------------------------------
 * Map deprecated RSA algo number to the RSA algo number for better backward compatibility.
 * Support a 0x40 compression prefix for EdDSA.
 * Improve ARM hardware feature detection and building.
 * Fix powerpc-apple-darwin detection
 * Fix building for the x32 ABI platform.
 * Support building using the latest mingw-w64 toolchain.
 * Fix some possible NULL deref bugs.
2014-08-21 | Fix build on SunOS (needs explicit -lnsl -lresolv). | jperkin | 1 | -1/+3
2014-08-21 | Fix typo in previous. From PR 49131. | wiz | 1 | -3/+3
2014-08-21 | On AIX, openssl ignores $CC & defaults to using the aix-cc profile | wiz | 1 | -1/+16
& building with /usr/vac/bin/cc, add the necessary checks to Makefile to use the correct profile depending on what CC/ABI is set to. Patch from Sevan Janiyan in PR 49131, but moved a few lines to not affect Darwin.
2014-08-21 | work around problematic sed/make quoting interaction | dbj | 2 | -1/+21
2014-08-18 | change smf manifest to use startd/duration child, this prevents useless | wiedi | 3 | -5/+10
creation of pid files
2014-08-18 | + hs-digest | szptvlfn | 1 | -1/+2
2014-08-18 | Import digest-0.0.1.2 as security/hs-digest, | szptvlfn | 5 | -0/+54
packaged for wip by zecrazytux. Haskell package providing efficient cryptographic hash implementations for strict and lazy bytestrings. For now, CRC32 and Adler32 are supported; they are implemented as FFI bindings to efficient code from zlib.
2014-08-16 | Update to 2.0.26: | wiz | 2 | -7/+6
Noteworthy changes in version 2.0.26 (2014-08-12)
-------------------------------------------------
 * gpg: Fix a regression in 2.0.24 if a subkey id is given to --recv-keys et al.
 * gpg: Cap attribute packets at 16MB.
 * gpgsm: Auto-create the ".gnupg" home directory in the same way gpg does.
 * scdaemon: Allow for certificates > 1024 when using PC/SC.
2014-08-13 | gsed needed on OS X. Dependency small enough, add it to TOOLS. | wiz | 1 | -2/+2
PR 49111 by Youri Mouton.
2014-08-13 | Revbump after boost-libs update | adam | 4 | -7/+8
2014-08-12 | Add and enable nacl. | schmonz | 1 | -1/+2
2014-08-12 | Initial import of NaCl. | schmonz | 4 | -0/+88
NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations. NaCl advances the state of the art by improving security, by improving usability, and by improving speed.
2014-08-10 | Update to 5.03: | wiz | 2 | -7/+6
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1i. See https://www.openssl.org/news/secadv_20140806.txt
* New features
  - FIPS autoconfiguration cleanup.
  - FIPS canister updated to version 2.0.6.
  - Improved SNI diagnostic logging.
* Bugfixes
  - Compilation fixes for old versions of OpenSSL.
  - Fixed whitespace handling in the stunnel.init script.
Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1h. See https://www.openssl.org/news/secadv_20140605.txt
* New features
  - Major rewrite of the protocol.c interface: it is now possible to add protocol negotiations at multiple connection phases, protocols can individually decide whether the remote connection will be established before or after SSL/TLS is negotiated.
  - Heap memory blocks are wiped before release. This only works for block allocated by stunnel, and not by OpenSSL or other libraries.
  - The safe_memcmp() function implemented with execution time not dependent on the compared data.
  - Updated the stunnel.conf and stunnel.init templates.
  - Added a client-mode example to the manual.
* Bugfixes
  - Fixed "failover = rr" broken since version 5.00.
  - Fixed "taskbar = no" broken since version 5.00.
  - Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
2014-08-10 | Update to 0.5.3: | wiz | 2 | -6/+6
0.5.3 - 2014-08-06
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.1i.
2014-08-10 | Use 'mkdir -p' in case ${PREFIX}/etc doesn't exist yet. | wiz | 1 | -2/+2
2014-08-10 | Fix build under Mac OS X. | tron | 1 | -1/+8
2014-08-07 | Update openssl to 1.0.1i. | obache | 3 | -7/+8
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
  *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the SRP code can overrun an internal buffer. Add sanity check that g, A, B < N to SRP code. Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC Group for discovering this issue. (CVE-2014-3512) [Steve Henson]
  *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. Thanks to David Benjamin and Adam Langley (Google) for discovering and researching this issue. (CVE-2014-3511) [David Benjamin]
  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. Thanks to Felix Gröbert (Google) for discovering and researching this issue. (CVE-2014-3510) [Emilia Käsper]
  *) By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3507) [Adam Langley]
  *) An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3506) [Adam Langley]
  *) An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. Thanks to Adam Langley and Wan-Teh Chang for discovering and researching this issue. (CVE-2014-3505) [Adam Langley]
  *) If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. (CVE-2014-3509) [Gabor Tyukasz]
  *) A malicious server can crash an OpenSSL client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack. Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. (CVE-2014-5139) [Steve Henson]
  *) A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. Thanks to Ivan Fratric (Google) for discovering this issue. (CVE-2014-3508) [Emilia Käsper, and Steve Henson]
  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to bogus results, with non-infinity inputs mapped to infinity too.) [Bodo Moeller]
2014-08-06 | netbsd-desktop@ is a retired list. | obache | 2 | -4/+4
2014-08-06 | pev 0.60 was re-released with changes to the original archive | khorben | 1 | -4/+4
2014-08-05 | Update to 4.0: | wiz | 2 | -6/+6
---
4.0
---
* Removed ``keyring_path`` parameter from ``load_keyring``. See release notes for 3.0.3 for more details.
* Issue #22: Removed support for loading the config from the current directory. The config file must now be located in the platform-specific config location.
2014-08-02 | Added security/pev | khorben | 1 | -1/+2
2014-08-02 | Imported security/pev version 0.60 from wip | khorben | 6 | -0/+103
pev is a PE file analysis toolkit that includes some nice programs to work with PE files in many systems. It can be useful for programmers, security analysts and forensic investigators. It's licensed under GPLv3+ terms.
2014-07-30 | Add runtime dependency on flex (in bin/compile_et). Bump PKGREVISION. | fhajny | 1 | -3/+3
2014-07-29 | Update to 0.5.2: | wiz | 3 | -7/+64
0.5.2 - 2014-07-09
~~~~~~~~~~~~~~~~~~
* Add :class:`~cryptography.hazmat.backends.interfaces.TraditionalOpenSSLSerializationBackend` support to :doc:`/hazmat/backends/multibackend`.
* Fix compilation error on OS X 10.8 (Mountain Lion).
0.5.1 - 2014-07-07
~~~~~~~~~~~~~~~~~~
* Add :class:`~cryptography.hazmat.backends.interfaces.PKCS8SerializationBackend` support to :doc:`/hazmat/backends/multibackend`.
0.5 - 2014-07-07
~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` no longer allows truncation of tags by default. Previous versions of ``cryptography`` allowed tags to be truncated by default, applications wishing to preserve this behavior (not recommended) can pass the ``min_tag_length`` argument.
* Windows builds now statically link OpenSSL by default. When installing a wheel on Windows you no longer need to install OpenSSL separately. Windows users can switch between static and dynamic linking with an environment variable. See :doc:`/installation` for more details.
* Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on :doc:`/hazmat/backends/commoncrypto` and :doc:`/hazmat/backends/openssl`.
* Added ``AES`` :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR` support to the OpenSSL backend when linked against 0.9.8.
* Added :class:`~cryptography.hazmat.backends.interfaces.PKCS8SerializationBackend` and :class:`~cryptography.hazmat.backends.interfaces.TraditionalOpenSSLSerializationBackend` support to the :doc:`/hazmat/backends/openssl`.
* Added :doc:`/hazmat/primitives/asymmetric/ec` and :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.modes.ECB` support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` on :doc:`/hazmat/backends/commoncrypto` and :doc:`/hazmat/backends/openssl`.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` in favor of backend specific providers of the :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` in favor of backend specific providers of the :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` in favor of backend specific providers of the :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` in favor of backend specific providers of the :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey` interface.
* Deprecated :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters` in favor of backend specific providers of the :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters` interface.
* Deprecated ``encrypt_rsa``, ``decrypt_rsa``, ``create_rsa_signature_ctx`` and ``create_rsa_verification_ctx`` on :class:`~cryptography.hazmat.backends.interfaces.RSABackend`.
* Deprecated ``create_dsa_signature_ctx`` and ``create_dsa_verification_ctx`` on :class:`~cryptography.hazmat.backends.interfaces.DSABackend`.
2014-07-28 | Darwin doesn't build sudo_noexec.so, patch from Sevan Janiyan. | jperkin | 2 | -4/+10