Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
2019.11.28:
Unknown changes
|
|
2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.
2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.
Note
This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.
[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.
Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.
[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
|
|
Changelog since 0.7.0
2019-01-05 - Version 0.9.2
* Fixu Windows build issues, thanks Luka Logar.
* Use pin-cache configuration, thanks Luka Logar.
* Support openssl-1.1, thanks Thorsten Alteholz, W. Michael Petullo.
2017-09-26 - Version 0.9.1
* Support unix domain socket credentials on FreeBSD.
* Introduce GNUPG_PKCS11_SOCKETDIR to instruct where sockets are created.
* Make proxy systemd service work again per change of systemd behavior.
2017-08-25 - Version 0.9.0
* Avoid dup of stdin/stdout so that the terminate assuan hack operational
again.
* Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
provider.
* Lots of cleanups.
2017-07-15 - Version 0.8.0
* Support multiple tokens via serial numbers by hashing token id into
serial number.
Implementation changes the card serial number yet again, executing
gpg --card-status should resync.
2017-04-18 - Version 0.7.6
* Add --homedir parameter.
* Rework serial responses for gnupg-2.1.19.
2017-03-01 - Version 0.7.5
* Fix issue with decrypting padded data, thanks to smunaut.
* Catchup with gnupg-2.1 changes which caused inability to support
both gpg and gpgsm. Implementation had to change card serial
number, as a result current keys of gpg will look for the
previous serial card.
emulate-openpgpg option is obsoleted and removed.
ACTION REQUIRED
in order to assign new card serial number to existing keys.
backup your ~/.gnupg.
delete all PKCS#11 secret keys using:
gpg --delete-secret-keys $KEY then
Then refresh keys using:
gpg --card-edit
In <gnupg-2.1.19 the keys should be re-generated using:
admin
generate
Do not replace keys!
gpg will learn the private keys of the new card and attach to
the existing public keys.
* Support gnupg-2.1 features of using existing keys, keys
should not be explicitly specified in configuration file
any more.
2017-01-18 - Version 0.7.4
* Fix gpg change in serialno attribute.
* Sync with gnupg-2.1, thanks to Moritz Bechler.
2011-07-30 -- Version 0.7.3
* Use assuan_sock_init, bug#3382372.
2011-04-09 -- Version 0.7.2
* Some cleanups, thanks to Timo Schulz.
* Sync hashing algorithms for OpenPGP.
2011-03-16 -- Version 0.7.1
* Sync with gnupg-2.0.17.
|
|
Noteworthy changes in version 2.2.19:
* gpg: Fix double free when decrypting for hidden recipients.
Regression in 2.2.18.
* gpg: Use auto-key-locate for encryption even for mail addressed
given with angle brackets.
* gpgsm: Add special case for certain expired intermediate
certificates.
|
|
|
|
Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?
These changes from apply:
* Version 3.6.11 (released 2019-12-01)
** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
This syscall provides an endless stream of random numbers from the kernel's
ChaCha20-based random number generator, without blocking or requiring an open file
descriptor.
** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
during resumption (#841).
** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
the empty string. This is a behavioral change of the API but it conforms
to the RFC4648 expectations (#834).
** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
the block size. Fix backported from nettle.
** certtool: CRL distribution points will be set in CA certificates even when
non self-signed (#765).
** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
Key material can be set via the --rawpkkeyfile and --rawpkfile flags.
** API and ABI modifications:
No changes since last version.
|
|
ftp.cyrusimap.org has been down for months. Asked about this on the
cyrus-info mailinglist months ago with no responses. So lets drop it from
MASTER_SITES.
The directory old on the ftp is also available in the http download so I
added that to MASTER_SITES as well.
|
|
Update clamav to 0.102.1.
## 0.102.1
ClamAV 0.102.1 is a security patch release to address the following issues.
- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
- [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
crafted email file as a result of excessively long scan times. The issue is
resolved by implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation.
- Build system fixes to build clamav-milter, to correctly link with libxml2 when
detected, and to correctly detect fanotify for on-access scanning feature
support.
- Signature load time is significantly reduced by changing to a more efficient
algorithm for loading signature patterns and allocating the AC trie.
Patch courtesy of Alberto Wu.
- Introduced a new configure option to statically link libjson-c with libclamav.
Static linking with libjson is highly recommended to prevent crashes in
applications that use libclamav alongside another JSON parsing library.
- Null-dereference fix in email parser when using the `--gen-json` metadata
option.
- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.
Special thanks to the following for code contributions and bug reports:
- Alberto Wu
- Joran Dirk Greef
- Reio Remma
|
|
Release 2.1.0:
Added support in the SSHProcess redirect mechanism to accept asyncio StreamReader and StreamWriter objects, allowing asyncio streams to be plugged in as stdin/stdout/stderr in an SSHProcess.
Added support for key handlers in the AsyncSSH line editor to trigger signals being delivered when certain “hot keys” are hit while reading input.
Improved cleanup of unreturned connection objects when an error occurs or the connection request is canceled or times out.
Improved cleanup of SSH agent client objects to avoid triggering a false positive warning in Python 3.8.
Added an example to the documentation for how to create reverse-direction SSH client and server connections.
Made check of session objects against None explicit to avoid confusion on user-defined sessions that implement __len__ or __bool__.
Release 2.0.1:
Some API changes which should have been included in the 2.0.0 release were missed. This release corrects that, but means that additional changes may be needed in applications moving to 2.0.1. This should hopefully be the last of such changes, but if any other issues are discovered, additional changes will be limited to 2.0.x patch releases and the API will stabilize again in the AsyncSSH 2.1 release. See the next bullet for details about the additional incompatible change.
To be consistent with other connect and listen functions, all methods on SSHClientConnection which previously returned None on listen failures have been changed to raise an exception instead. A new ChannelListenError exception will now be raised when an SSH server returns failure on a request to open a remote listener. This change affects the following SSHClientConnection methods: create_server, create_unix_server, start_server, start_unix_server, forward_remote_port, and forward_remote_path.
Restored the ability for SSHListener objects to be used as async context managers. This previously worked in AsyncSSH 1.x and was unintentionally broken in AsyncSSH 2.0.0.
Added support for a number of additional functions to be called from within an “async with” statement. These functions already returned objects capable of being async context managers, but were not decorated to allow them to be directly called from within “async with”. This change applies to the top level functions create_server, listen, and listen_reverse and the SSHClientConnection methods create_server, create_unix_server, start_server, start_unix_server, forward_local_port, forward_local_path, forward_remote_port, forward_remote_path, listen_ssh, and listen_reverse_ssh,
Fixed a couple of issues in loading OpenSSH-format certificates which were missing a trailing newline.
Changed load_certificates() to allow multiple certificates to be loaded from a single byte string argument, making it more consistent with how load_certificates() works when reading from a file.
Release 2.0.0:
NEW MAJOR VERSION: See below for potentially incompatible changes.
Updated AsyncSSH to use the modern async/await syntax internally, now requiring Python 3.6 or later. Those wishing to use AsyncSSH on Python 3.4 or 3.5 should stick to the AsyncSSH 1.x releases.
Changed first argument of SFTPServer constructor from an SSHServerConnection (conn) to an SSHServerChannel (chan) to allow custom SFTP server implementations to access environment variables set on the channel that SFTP is run over. Applications which subclass the SFTPServer class and implement an __init__ method will need to be updated to account for this change and pass the new argument through to the SFTPServer parent class. If the subclass has no __init__ and just uses the connection, channel, and env properties of SFTPServer to access this information, no changes should be required.
Removed deprecated “session_encoding” and “session_errors” arguments from create_server() and listen() functions. These arguments were renamed to “encoding” and “errors” back in version 1.16.0 to be consistent with other AsyncSSH APIs.
Removed get_environment(), get_command(), and get_subsystem() methods on SSHServerProcess class. This information was made available as “env”, “command”, and “subsystem” properties of SSHServerProcess in AsyncSSH 1.11.0.
Removed optional loop argument from all public AsyncSSH APIs, consistent with the deprecation of this argument in the asyncio package in Python 3.8. Calls will now always use the event loop which is active at the time of the call.
Removed support for non-async context managers on AsyncSSH connections and processes and SFTP client connections and file objects. Callers should use “async with” to invoke the async the context managers on these objects.
Added support for SSHAgentClient being an async context manager. To be consistent with other connect calls, connect_agent() will now raise an exception when no agent is found or a connection failure occurs, rather than logging a warning and returning None. Callers should catch OSError or ChannelOpenError exceptions rather than looking for a return value of None when calling this function.
Added set_input() and clear_input() methods on SSHLineEditorChannel to change the value of the current input line when line editing is enabled.
Added is_closing() method to the SSHChannel, SSHProcess, SSHWriter, and SSHSubprocessTransport classes. mirroring the asyncio BaseTransport and StreamWriter methods added in Python 3.7.
Added wait_closed() async method to the SSHWriter class, mirroring the asyncio StreamWriter method added in Python 3.7.
|
|
|
|
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
- Various text files converted to Markdown format.
* Bugfixes
- Support for realpath(3) implementations incompatible
with POSIX.1-2008, such as 4.4BSD or Solaris.
- Support for engines without PRNG seeding methods (thx to
Petr Mikhalitsyn).
- Retry unsuccessful port binding on configuration
file reload.
- Thread safety fixes in SSL_SESSION object handling.
- Terminate clients on exit in the FORK threading model.
|
|
|
|
3.7.0.1:
Match Python 3.7
|
|
From Joern Clausen in PR pkg/54694.
|
|
Changelog:
Noteworthy changes in version 2.2.18 (2019-11-25)
-------------------------------------------------
* gpg: Changed the way keys are detected on a smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signature
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signature created with dsa1024 keys. The new
option --allow-weak-key-signatues can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deletring a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key sigantures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during in key listsing even with
option --verbose. [#4627]
* gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652]
* gpgsm: Support AES-256 keys.
* gpgsm: Fix a bug in triggering a keybox compression run if
--faked-system-time is used.
* dirmngr: System CA certificates are no longer used for the SKS
pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
* dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
to avoid long timeouts. [#4165]
* scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
Shield and Trustica Cryptoucan work. [#4654,#4566]
* wkd: gpg-wks-client --install-key now installs the required policy
file.
|
|
Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Document issue with installation paths in diverse Windows builds
'/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
binaries and run-time config file.
(CVE-2019-1552)
[Richard Levitte]
|
|
Use github distfile because pypi one is missing.
Revision 0.2.8, released 16-11-2019
-----------------------------------
- Improve test routines for modules that use certificate extensions
- Improve test for RFC3709 with a real world certificate
- Added RFC7633 providing TLS Features Certificate Extension
- Added RFC7229 providing OIDs for Test Certificate Policies
- Added tests for RFC3280, RFC3281, RFC3852, and RFC4211
- Added RFC6960 providing Online Certificate Status Protocol (OCSP)
- Added RFC6955 providing Diffie-Hellman Proof-of-Possession Algorithms
- Updated the handling of maps for use with openType for RFC 3279
- Added RFC6486 providing RPKI Manifests
- Added RFC6487 providing Profile for X.509 PKIX Resource Certificates
- Added RFC6170 providing Certificate Image in the Internet X.509 Public
Key Infrastructure, and import the object identifier into RFC3709.
- Added RFC6187 providing Certificates for Secure Shell Authentication
- Added RFC6482 providing RPKI Route Origin Authorizations (ROAs)
- Added RFC6664 providing S/MIME Capabilities for Public Keys
- Added RFC6120 providing Extensible Messaging and Presence Protocol
names in certificates
- Added RFC4985 providing Subject Alternative Name for expression of
service names in certificates
- Added RFC5924 providing Extended Key Usage for Session Initiation
Protocol (SIP) in X.509 certificates
- Added RFC5916 providing Device Owner Attribute
- Added RFC7508 providing Securing Header Fields with S/MIME
- Update RFC8226 to use ComponentPresentConstraint() instead of the
previous work around
- Add RFC2631 providing OtherInfo for Diffie-Hellman Key Agreement
- Add RFC3114 providing test values for the S/MIME Security Label
- Add RFC5755 providing Attribute Certificate Profile for Authorization
- Add RFC5913 providing Clearance Attribute and Authority Clearance
Constraints Certificate Extension
- Add RFC5917 providing Clearance Sponsor Attribute
- Add RFC4043 providing Internet X.509 PKI Permanent Identifier
- Add RFC7585 providing Network Access Identifier (NAI) Realm Name
for Certificates
- Update RFC3770 to support openType for attributes and reported errata
- Add RFC4334 providing Certificate Extensions and Attributes for
Authentication in PPP and Wireless LAN Networks
|
|
3.9.4:
Resolved issues
* Prevent ``key_to_english`` from creating invalid data when fed with
keys of length not multiple of 8.
* Fix blocking RSA signing/decryption when key has very small factor.
|
|
1.7.2:
This release rolls up assorted bug & compatibility fixes since 1.7.1.
New Features
* .. py:currentmodule:: passlib.hash
:class:`argon2`: Now supports Argon2 "ID" and "D" hashes (assuming new enough backend library).
Now defaults to "ID" hashes instead of "I" hashes, but this can be overridden via ``type`` keyword.
* .. py:currentmodule:: passlib.hash
:class:`scrypt`: Now uses python 3.6 stdlib's :func:`hashlib.scrypt` as backend,
if present
|
|
Should resolve build on SmartOS.
(Amazingly, the wrong expression worked fine on NetbSD with gcc when
it was tested.)
|
|
|
|
|
|
|
|
Update ruby-sshkit package to 1.20.0.
## [1.20.0][] (2019-08-03)
* [#468](https://github.com/capistrano/sshkit/pull/468): Make `upload!` take a `:verbosity` option like `exec` does - [@grosser](https://github.com/grosser)
## [1.19.1][] (2019-07-02)
* [#465](https://github.com/capistrano/sshkit/pull/456): Fix a regression in 1.19.0 that prevented `~` from being used in Capistrano paths, e.g. `:deploy_to`, etc. - [@grosser](https://github.com/grosser)
## [1.19.0][] (2019-06-30)
* [#455](https://github.com/capistrano/sshkit/pull/455): Ensure UUID of commands are stable in logging - [@lazyatom](https://github.com/lazyatom)
* [#453](https://github.com/capistrano/sshkit/pull/453): `as` and `within` now properly escape their user/group/path arguments, and the command nested within an `as` block is now properly escaped before passing to `sh -c`. In the unlikely case that you were manually escaping commands passed to SSHKit as a workaround, you will no longer need to do this. See [#458](https://github.com/capistrano/sshkit/issues/458) for examples of what has been fixed. - [@grosser](https://github.com/grosser)
* [#460](https://github.com/capistrano/sshkit/pull/460): Handle IPv6 addresses without port - [@will-in-wi](https://github.com/will-in-wi)
## [1.18.2][] (2019-02-03)
* [#448](https://github.com/capistrano/sshkit/pull/448): Fix misbehaving connection eviction loop when disabling connection pooling - [Sebastian Cohnen](https://github.com/tisba)
## [1.18.1][] (2019-01-26)
* [#447](https://github.com/capistrano/sshkit/pull/447): Fix broken thread safety by widening critical section - [Takumasa Ochi](https://github.com/aeroastro)
|
|
Update ruby-ruby-openid package to version 2.9.2.
## 2.9.2
* Perform all checks before verifying endpoints.
[#126](https://github.com/openid/ruby-openid/pull/126)
## 2.9.1
* Updated CHANGELOG.md
## 2.9.0
* Remove deprecated `autorequire` from gemspec.
[#123](https://github.com/openid/ruby-openid/pull/123)
* Rescue from `Yadis::XRI::XRIHTTPError` on discovery.
[#106](https://github.com/openid/ruby-openid/pull/106)
* Avoid SSRF for claimed_id request.
[#121](https://github.com/openid/ruby-openid/pull/121)
* Updated documentation.
[#115](https://github.com/openid/ruby-openid/pull/115), [#116](https://github.com/openid/ruby-openid/pull/116), [#117](https://github.com/openid/ruby-openid/pull/117), [#118](https://github.com/openid/ruby-openid/pull/118)
* Reduce warnings output in test runs.
[#119](https://github.com/openid/ruby-openid/pull/119)
* Drop deprecated option from gemspec.
[#120](https://github.com/openid/ruby-openid/pull/120)
* Remove circular require.
[#113](https://github.com/openid/ruby-openid/pull/113)
* Updated Travis CI config with Ruby 2.6
[#114](https://github.com/openid/ruby-openid/pull/114)
* Simplify Bundler require; remove need for extra `:require`.
[#112](https://github.com/openid/ruby-openid/pull/112)
## 2.8.0
* Fix `admin/mkassoc` script.
See https://github.com/openid/ruby-openid/pull/103
* Allow specifying timeout for `OpenID::StandardFetcher` in environment variables.
See https://github.com/openid/ruby-openid/pull/109
* Fixed some documentation.
See https://github.com/openid/ruby-openid/pull/111
* Fixed example server.
See https://github.com/openid/ruby-openid/pull/91
* Fixed tests.
See https://github.com/openid/ruby-openid/pull/86
* Misc. changes to the CI setup.
See
- https://github.com/openid/ruby-openid/pull/110
- https://github.com/openid/ruby-openid/pull/108
- https://github.com/openid/ruby-openid/pull/107
|
|
Revision 0.4.8:
- Added ability of combining `SingleValueConstraint` and
`PermittedAlphabetConstraint` objects into one for proper modeling
`FROM ... EXCEPT ...` ASN.1 clause.
|
|
19.1.0:
Backward-incompatible changes:
- Removed deprecated ContextType, ConnectionType, PKeyType, X509NameType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, and NetscapeSPKIType aliases.
Use the classes without the Type suffix instead.
- The minimum cryptography version is now 2.8 due to issues on macOS with a transitive dependency.
Deprecations:
- Deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated.
ALPN should be used instead.
Changes:
- Support bytearray in SSL.Connection.send() by using cffi's from_buffer.
- The OpenSSL.SSL.Context.set_alpn_select_callback can return a new NO_OVERLAPPING_PROTOCOLS sentinel value
to allow a TLS handshake to complete without an application protocol.
|
|
|
|
0.40.1:
Changed
Added back support for Python 3.4 to Certbot components and certbot-auto due to a bug when requiring Python 2.7 or 3.5+ on RHEL 6 based systems.
More details about these changes can be found on our GitHub repo.
0.40.0:
Changed
We deprecated support for Python 3.4 in Certbot and its ACME library. Support for Python 3.4 will be removed in the next major release of Certbot. certbot-auto users on RHEL 6 based systems will be asked to enable Software Collections (SCL) repository so Python 3.6 can be installed. certbot-auto can enable the SCL repo for you on CentOS 6 while users on other RHEL 6 based systems will be asked to do this manually.
--server may now be combined with --dry-run. Certbot will, as before, use the staging server instead of the live server when --dry-run is used.
--dry-run now requests fresh authorizations every time, fixing the issue where it was prone to falsely reporting success.
Updated certbot-dns-google to depend on newer versions of google-api-python-client and oauth2client.
The OS detection logic again uses distro library for Linux OSes
certbot.plugins.common.TLSSNI01 has been deprecated and will be removed in a future release.
CLI flags --tls-sni-01-port and --tls-sni-01-address have been removed.
The values tls-sni and tls-sni-01 for the --preferred-challenges flag are no longer accepted.
Removed the flags: --agree-dev-preview, --dialog, and --apache-init-script
acme.standalone.BaseRequestHandlerWithLogging and acme.standalone.simple_tls_sni_01_server have been deprecated and will be removed in a future release of the library.
certbot-dns-rfc2136 now use TCP to query SOA records.
Fixed
More details about these changes can be found on our GitHub repo.
|
|
1.7.1:
Bug Fixes
* change 'internal_failure' condition to also use `error' field
|
|
19.2.0:
Backward-incompatible changes:
- Python 3.4 is not supported anymore.
It has been unsupported by the Python core team for a while now and its PyPI downloads are negligible.
It's very unlikely that ``argon2-cffi`` will break under 3.4 anytime soon, but we don't test it and don't ship binary wheels for it anymore.
Changes:
- The dependency on ``enum34`` is now protected using a PEP 508 marker.
This fixes problems when the sdist is handled by a different interpreter version than the one running it.
|
|
Trustme 0.5.3:
Features
Added :attr:`CA.from_pem` to import an existing certificate authority; this allows migrating to trustme step-by-step.
|
|
v1.7.0
Implementation Changes
Add retry loop for fetching authentication token if any 'Internal Failure' occurs (#368)
Use cls parameter instead of class (#341)
New Features
Add support for impersonated_credentials.Sign, IDToken (#348)
Add downscoping to OAuth2 credentials (#309)
Dependencies
Update dependency cachetools to v3 (#357)
Update dependency rsa to v4 (#358)
Set an upper bound on dependencies version (#352)
Require a minimum version of setuptools (#322)
Documentation
Add busunkim96 as maintainer (#373)
Update user-guide.rst (#337)
Fix typo in jwt docs (#332)
Clarify which SA has Token Creator role (#330)
Internal / Testing Changes
Change 'name' to distribution name (#379)
Fix system tests, move to Kokoro (#372)
Blacken (#375)
Rename nox.py -> noxfile.py (#369)
Add initial renovate config (#356)
Use new pytest api to keep building with pytest 5 (#353)
|
|
1.1.0:
Support passing file-like objects (those implementing .read(n)) as the content parameter for Resources. See mohawk.Sender for details.
|
|
version 0.9.2 (released 2019-11-07)
* Fixed libssh-config.cmake
* Fixed issues with rsa algorithm negotiation (T191)
* Fixed detection of OpenSSL ed25519 support (T197)
|
|
3.9.3:
* Align stack of functions using SSE2 intrinsics to avoid crashes,
when compiled with gcc on 32-bit x86 platforms.
3.9.2:
New features
* Add Python 3.8 wheels for Mac.
Resolved issues
* Avoid allocating arrays of ``__m128i`` on the stack, to cope with buggy compilers.
* Remove blanket ``-O3`` optimization for gcc and clang, to cope with buggy compilers.
* Fix typing stubs for signatures.
* Deal with gcc installations that don't have ``x86intrin.h``.
|
|
5.62.0
KWallet
fix starting kwalletmanager, the desktop file name has a '5' in it
5.63.0
KWallet
HiDPI support
|
|
3.9.1:
New features
* Add Python 3.8 wheels for Linux and Windows.
Resolved issues
* Minor speed-up when importing RSA.
|
|
0.4.1
Implementation Changes
Don't auto-generate code_verifier by default.
Internal / Testing Changes
Add renovate.json
|
|
1.3.0:
- Instagram compliance fix
- Added ``force_querystring`` argument to fetch_token() method on OAuth2Session
|
|
|
|
version 0.9.1 (released 2019-10-25)
* Added support for Ed25519 via OpenSSL
* Added support for X25519 via OpenSSL
* Added support for localuser in Match keyword
* Fixed Match keyword to be case sensitive
* Fixed compilation with LibreSSL
* Fixed error report of channel open (T75)
* Fixed sftp documentation (T137)
* Fixed known_hosts parsing (T156)
* Fixed build issue with MinGW (T157)
* Fixed build with gcc 9 (T164)
* Fixed deprecation issues (T165)
* Fixed known_hosts directory creation (T166)
|
|
|
|
OpenDNSSEC version 2 is not a drop-in replacement for OpenDNSSEC version 1.
See lib/opendnssec/README.md for migration instructions if you were
previously using version 1.
Upstream changes since OpenDNSSEC version 1.4.x:
OpenDNSSEC 2.1.5 - 2019-11-05
* SUPPORT-245: Resolve memory leak in signer introduced in 2.1.4.
* SUPPORT-244: Don't require Host and Port to be specified in conf.xml
when migrating with a MySQL-based enforcer database backend.
* Allow for MySQL database to pre-exist when performing a migration,
and be a bit more verbose during migration.
* New -f argument to ods-enforcer key list to show the full list of key states,
similar to combinining -d and -v.
* Fix AllowExtraction tag in configuration file definition (thanks to raixie1A).
* SUPPORT-242: Skip over EDNS cookie option (thanks to Håvard Eidne and
Ulrich-Lorenz Schlueter).
* SUPPORT-240: Prevent exit of enforcer daemon upon interrupted interaction
with CLI commands.
* Correct some error messages (thanks to Jonas Berlin).
OpenDNSSEC 2.1.4 - 2019-05-16
* SUPPORT-229: Missing signatures for key new while signatures for old key
still present under certain kasp policies, leading to bogus zones.
Root cause for bug existed but made prominent since 2.1.3 release.
* OPENDNSSEC-942: time leap command for signer for debugging purposes
only, not to be used on actual deployments.
* OPENDNSSEC-943: support build on MacOS with missing pthread barriers
* SUPPORT-229: fixed for too early retivement of signatures upon double
rrsig key roll signing strategy.
* Strip build directory from doxygen docs
* remove bashisms from ods-kasp2html.in
* upgrade developer build scripts to softhsm-2.5.0 update some platform
dependent files (only for developers).
* The ods-signer and ods-signerd man page should be in section 8 not 22
Note that this might mean that package managers should remove the older
man pages from the old location.
OpenDNSSEC 2.1.3 - 2017-08-10
* OPENDNSSEC-508: Tag <RolloverNotification> was not functioning correctly
* OPENDNSSEC-901: Enforcer would ignore <ManualKeyGeneration/> tag in conf.xml
* OPENDNSSEC-906: Tag <AllowExtraction> tag included from late 1.4 development
* OPENDNSSEC-894: repair configuration script to allow excluding the build of
the enforcer.
* OPENDNSSEC-890: Mismatching TTLs in record sets would cause bogus signatures.
* OPENDNSSEC-886: Improper time calculation on 32 bits machine causes purge
time to be skipped.
* OPENDNSSEC-904 / SUPPORT-216 autoconfigure fails to properly identify
functions in ssl library on certain distributions
causing tsig unknown algorithm hmac-sha256
* OPENDNSSEC-908: Warn when TTL exceeds KASP's MaxZoneTTL instead of capping.
OpenDNSSEC 2.1.1 - 2017-04-28
* OPENDNSSEC-882: Signerd exit code always non-zero.
* OPENDNSSEC-889: MySQL migration script didn't work for all database and
MySQL versions.
* OPENDNSSEC-887: Segfault on extraneous <Interval> tag.
* OPENDNSSEC-880: Command line parsing for import key command failed.
* OPENDNSSEC-890: Bogus signatures upon wrong zone input when TTLs for
same rrset are mismatching.
OpenDNSSEC 2.1.0 - 2017-02-22
* If listening port for signer is not set in conf file, the default value
"15354" is used.
* Enforce and signconf tasks are now scheduled individually per zone. Resign
per policy.
* OPENDNSSEC-450: Implement support for ECDSA P-256, P-384, GOST.
Notice: SoftHSMv1 only supports RSA. SoftHSMv2 can be compiled with
support for these.
* zone delete removes tasks associated with zone from queue.
* Show help for ods-enforcer-db-setup
* OPENDNSSEC-778: Double NSEC3PARAM record after resalt.
* In the kasp file, KSK/ZSK section, the algorithm length MUST be set now.
* signer clear <zone> would assert when signconf wasn't read yet.
* The <Interval> tag had been deprecated, and is now no longer allowed to
be specified in the conf.xml for the Enforcer.
* OPENDNSSEC-864: ods-signer didn't print help. Also --version and --socket
options where not processed.
* OPENDNSSEC-869: ds-seen command did not give error on badly formatted keytag.
* OPENDNSSEC-681: After fork() allow child process to pass error messages to
parent so they can be printed to the console in case of failed start.
* OPENDNSSEC-849: Crash on free of part of IXFR structure.
* OPENDNSSEC-759: Reduce HSM access during ods-signerd start. Daemon should
start quicker and earlier available for user input.
* OPENDNSSEC-479: Transferring zones and sending notifies through
a bound socket , using the same interface as listener.
* Key cache is now shared between threads.
* OPENDNSSEC-858: Don't print "completed in x seconds" to stderr for enforcer
commands.
* Various memory leaks
* OPENDNSSEC-601: signer and enforcer working dir would not properly
fallback to default when not specified.
* OPENDNSSEC-503: Speed up initial signing and algorithm rollover.
* A bash autocompletion script is included in contrib for ods-enforcer and
ods-signer.
* SUPPORT-208: Strip comment from key export.
* OPENDNSSEC-552: On key export don't print SHA1 DS by default.
(introduced --sha1 option to key export.) Usage of sha1 is deprecated and
will be removed from future versions of OpenDNSSEC.
OpenDNSSEC 2.0.1 - 2016-07-21
* Fixed crash and linking issue in ods-migrate.
* Fixed case where 2.0.0 could not read backup files from 1.4.10.
* Fixed bug in migration script where key state wasn't transformed properly.
OpenDNSSEC 2.0.0-1
* include db creation scripts in dist tarball needed for migration from 1.4.
OpenDNSSEC 2.0.0 - 2016-07-07
* OpenDNSSEC-99: Skip "are you sure" messages. Add --force and -f flag to
ods-enforcer-db-setup and hsmutil purge
* OPENDNSSEC-808: Crash on query with empty query section (thanks
Havard Eidnes)
* OpenDNSSEC-771: Signer. Do not log warning on deleting a missing
NSEC3PARAM RR.
* OPENDNSSEC-801: Set AA flag on outgoing AXFR.
* SUPPORT-191: Regression, Must accept notify without SOA (thanks
Christos Trochalakis)
OpenDNSSEC 2.0b1 - 2016-04-14
First public release of OpenDNSSEC. Initial pre-releases have been
made to a smaller audience, this pre-release is explicitly made available
to all. At this moment, there are no known functional bugs. There are
naturally issues, especially to make working with OpenDNSSEC easier, however
none should prevent you to use OpenDNSSEC in production for the average
case, even though this is a pre-release. Which is because of the still
limited documentation, and is not being run in production yet.
* The enforcer can no longer be run on a single policy at a time
anymore. An enforce run will always process all zones.
* The key generate method is at this time not available.
* The key export method will not allow you to export keys for all zones
at once (--all flag) or for a particular type of key (--keystate).
It will not export ZSK keys.
* The zonelist.xml in etc/opendnssec is no longer updated automatically,
and by default works as if the --no-xml flag was specified. Use
--xml to the zone add command to update the zonelist.xml. If updating
the zonelist fails, the zone will still be added and not updated in
the xml with future zone adds.
* Plugins directory renamed to contrib.
* Default signer working directory renamed from tmp to signer.
* Configure option --with-database-backend renamed --with-enforcer-database
* Zones on a manual rollover policy will not get a key assigned to them
immediately.
OpenDNSSEC 2.0.0a5
Project transfer to NLnetLabs, performing code drop as-is for evaluation
purposes only.
OpenDNSSEC 2.0.0a4 (EnforcerNG branch)
* SUPPORT-72: Improve logging when failed to increment serial in case
of key rollover and serial value "keep" [OPENDNSSEC-461].
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public
key directly if SkipPublicKey is used [OPENDNSSEC-573].
* OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts the
enforcer to run once and only process the specified policy and associated
zones.
* OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml.
Default value remains PT0S.
* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen'
command so the user can choose not to notify the enforcer.
* OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command
could warn if a specified zone file or adapter file does not exits.
* OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input>
and <output> values for DNS adapters.
* OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import' to
check if there is a matching key in the repository before import.
* OPENDNSSEC-281: Enforcer NG: Commandhandler sometimes unresponsive.
* OPENDNSSEC-276, Enforcer NG: HSM initialized after fork().
* OPENDNSSEC-330: Signer Engine: NSEC3PARAM TTL is default TTL again, to
prevent bad caching effects on resolvers.
* OPENDNSSEC-428: Add option for 'ods-ksmutil key generate' to take
number of zones as a parameter
* OPENDNSSEC-515: Signer Engine: Don't replace tabs in RR with whitespace.
Bugfixes:
* OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature
cleanup.
* OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly.
* OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back
to AXFR.
* OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use
inbound serial.
OpenDNSSEC 2.0.0a3 (EnforcerNG branch) - 2012-06-18
Bugfixes:
* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write
error [OPENDNSSEC-427].
* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection
error during signing [OPENDNSSEC-444].
* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg
fault when run directly on command line (i.e. not via interactive mode)
* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create
too many keys if there are keys already available and the KSK and ZSK use
same algorithm and length
* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead
of memory. Makes response non-blocking.
* OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes
to stdout not stderr
* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create
too many keys for <SharedKeys/> policies when KSK and ZSK use same
algorithm and length
* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling
* Signer Engine: Improved Inbound XFR checking.
* Signer Engine: Fix double free corruption in case of adding zone with
DNS Outbound Adapters and NotifyCommand enabled.
* Enforcer: Limit number of pregenerated keys when using <SharedKeys>.
* Enforcer: MySQL database backend implemented.
* Enforcer: New directive <MaxZoneTTL> to make safe assumptions about
zonefile.
* Enforcer: New zone add command, allow specifying adapters.
* Enforcer: New zone del command, use --force for still signed zones.
* Enforcer: Pre-generate keys on the HSM.
* Enforcer: SQLite database backend implemented.
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
Minimum change.
Bugfixes:
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
|
|
Go implementation of the 64-bit xxHash algorithm (XXH64).
This implementation provides a fast pure-Go implementation
and an even faster assembly implementation for amd64.
|
|
|
|
SoftHSM2 is not a drop-in replacement for SoftHSM version 1, so this
is added as a separate package. See softhsm2-migrate(1) for
migration instructions.
Upstream changes since SoftHSM version 1.x:
SoftHSM 2.5.0 - 2018-09-24
* Issue #323: Support for EDDSA with vendor defined mechanisms.
(Patch from Francis Dupont)
* Issue #362: CMake Build System Support for SoftHSM.
(Patch from Constantine Grantcharov)
* Issue #368: Support migrating 32-bit SoftHSMv1 DB on 64-bit system (LP64).
* Issue #385: Default is not to build EDDSA since it has not been released in
OpenSSL.
* Issue #387: Windows: Add VS2017 detection to Configure.py.
(Patch from Jaroslav Imrich)
* Issue #412: Replace PKCS11 headers with a version from p11-kit.
(Patch from Alexander Bokovoy)
Bugfixes:
* Issue #366: Support cross-compilation.
(Patch from Michael Weiser)
* Issue #377: Duplicate symbol error with custom p11test.
* Issue #386: Use RDRAND in OpenSSL if that engine is available.
* Issue #388: Update DBTests.cpp to fix x86 test failure.
(Patch from tcely)
* Issue #393: Not setting CKA_PUBLIC_KEY_INFO correctly.
(Patch from pkalapat)
* Issue #401: Wrong key and keyserver mentioned in installation documentation.
(Patch from Berry A.W. van Halderen)
* Issue #408: Remove mutex callbacks after C_Finalize().
(Patch from Alexander Bokovoy)
SoftHSM 2.4.0 - 2018-02-27
* Issue #135: Support PKCS#8 for GOST.
* Issue #140: Support for CKA_ALLOWED_MECHANISMS.
(Patch from Brad Hess)
* Issue #141: Support CKA_ALWAYS_AUTHENTICATE for private key objects.
* Issue #220: Support for CKM_DES3_CMAC and CKM_AES_CMAC.
* Issue #226: Configuration option for Windows build to enable build with
static CRT (/MT).
* Issue #325: Support for CKM_AES_GCM.
* Issue #334: Document that initialized tokens will be reassigned to another
slot (based on the token serial number).
* Issue #335: Support for CKM_RSA_PKCS_PSS.
(Patch from Nikos Mavrogiannopoulos)
* Issue #341: Import AES keys with softhsm2-util.
(Patch from Pavel Cherezov)
* Issue #348: Document that OSX needs pkg-config to detect cppunit.
* Issue #349: softhsm2-util will check the configuration and report any
issues before loading the PKCS#11 library.
Bugfixes:
* Issue #345: Private objects are presented to security officer in search
results.
* Issue #358: Race condition when multiple applications are creating and
reading object files.
SoftHSM 2.3.0 - 2017-07-03
* Issue #130: Upgraded to PKCS#11 v2.40.
* Minor changes to some return values.
* Added CKA_DESTROYABLE to all objects. Used by C_DestroyObject().
* Added CKA_PUBLIC_KEY_INFO to certificates, private, and public key
objects. Will be accepted from application, but SoftHSM will
currently not calculate it.
* Issue #142: Support for CKM_AES_CTR.
* Issue #155: Add unit tests for SessionManager.
* Issue #189: C_DigestKey returns CKR_KEY_INDIGESTIBLE when key
attribute CKA_EXTRACTABLE = false. Whitelist SHA algorithms to allow
C_DigestKey in this case.
* Issue #225: Show slot id after initialization.
* Issue #247: Run AppVeyor (Windows CI) for each PR and merge.
* Issue #257: Set CKA_DECRYPT/CKA_ENCRYPT flags on key import to true.
(Patch from Martin Domke)
* Issue #261: Add support for libeaycompat lib for FIPS on Windows.
(Patch from Matt Hauck)
* Issue #262: Support importing ECDSA P-521 in softhsm-util.
* Issue #276: Support for Botan 2.0.
* Issue #279: Editorial changes from Mountain Lion to Sierra.
(Patch from Mike Neumann)
* Issue #283: More detailed error messages when initializing SoftHSM.
* Issue #285: Support for LibreSSL.
(Patch from Alon Bar-Lev)
* Issue #286: Update .gitignore.
(Patch from Alon Bar-Lev)
* Issue #291: Change to enable builds and reports on new Jenkinks
environment.
* Issue #293: Detect cppunit in autoconf.
(Patch from Alon Bar-Lev)
* Issue #309: CKO_CERTIFICATE and CKO_PUBLIC_KEY now defaults to
CKA_PRIVATE=false.
* Issue #314: Update README with information about logging.
* Issue #330: Adjust log levels for failing to enumerate object store.
(Patch from Nikos Mavrogiannopoulos)
Bugfixes:
* Issue #216: Better handling of CRYPTO_set_locking_callback() for OpenSSL.
* Issue #265: Fix deriving shared secret with ECC.
* Issue #280: HMAC with sizes less than L bytes is strongly discouraged.
Set a lower bound equal to L bytes in ulMinKeySize and check it when
initializing the operation.
* Issue #281: Fix test of p11 shared library.
(Patch from Lars Silvén)
* Issue #289: Minor fix of 'EVP_CipherFinal_ex'.
(Patch from Viktor Tarasov)
* Issue #297: Fix build with cppunit.
(Patch from Ludovic Rousseau)
* Issue #302: Export PKCS#11 symbols from the library.
(Patch from Ludovic Rousseau)
* Issue #305: Zero pad key to fit the block in CKM_AES_KEY_WRAP.
* Issue #313: Detecting CppUnit when using Macports.
(Patch from mouse07410)
SoftHSM 2.2.0 - 2016-12-05
* Issue #143: Delete a token using softhsm2-util.
* Issue #185: Change access mode bits for /var/lib/softhsm/tokens/
to 1777. All users can now create tokens, but only access their own.
(Patch from Rick van Rein)
* Issue #186: Reinitializing a token will now keep the token, but all
token objects are deleted, the user PIN is removed and the token
label is updated.
* Issue #190: Support for OpenSSL 1.1.0.
* Issue #198: Calling C_GetSlotList with NULL_PTR will make sure that
there is always a slot with an uninitialized token available.
* Issue #199: The token serial number will be used when setting the slot
number. The serial number is set after the token has been initialized.
(Patch from Lars Silvén)
* Issue #203: Update the command utils to use the token label or serial
to find the token and its slot number.
* Issue #209: Possibility to test other PKCS#11 implementations with the
CppUnit test.
(Patch from Lars Silvén)
* Issue #223: Mark public key as non private by default.
(Patch from Nikos Mavrogiannopoulos)
* Issue #230: Install p11-kit module, to disable use --disable-p11-kit.
(Patch from David Woodhouse)
* Issue #237: Add windows continuous integration build.
(Patch from Peter Polacko)
Bugfixes:
* Issue #201: Missing new source file and test configuration in the
Windows build project.
* Issue #205: ECDSA P-521 support for OpenSSL and better test coverage.
* Issue #207: Fix segmentation faults in loadLibrary function.
(Patch from Jaroslav Imrich)
* Issue #215: Update the Homebrew install notes for OSX.
* Issue #218: Fix build warnings.
* Issue #235: Add the libtool install command for OSX.
(Patch from Mark Wylde)
* Issue #236: Use GetEnvironmentVariable instead of getenv on Windows.
(Patch from Jaroslav Imrich)
* Issue #239: Crash on module unload with OpenSSL.
(Patch from David Woodhouse)
* Issue #241: Added EXTRALIBS to Windows utils project.
(Patch from Peter Polacko)
* Issue #250: C++11 not detected.
* Issue #255: API changes in Botan 1.11.27.
* Issue #260: Fix include guard to check WITH_FIPS.
(Patch from Matt Hauck)
* Issue #268: p11test fails on 32-bit systems.
* Issue #270: Build warning about "converting a string constant".
* Issue #272: Fix C++11 check to look for unique_ptr.
(Patch from Matt Hauck)
SoftHSM 2.1.0 - 2016-03-14
* Issue #136: Improved guide and build scripts for Windows.
(Thanks to Jaroslav Imrich)
* Issue #144: The password prompt in softhsm2-util can now be
interrupted (ctrl-c).
* Issue #166: Add slots.removable config option.
(Patch from Sumit Bose)
* Issue #180: Windows configure script improvements.
(Patch from Arnaud Grandville)
Bugfixes:
* Issue #128: Prioritize the return values in C_GetAttributeValue.
(Patch from Nicholas Wilson)
* Issue #129: Fix errors reported by Visual Studio 2015.
(Patch from Jaroslav Imrich)
* Issue #132: Handle the CKA_CHECK_VALUE correctly for certificates
and symmetric key objects.
* Issue #154: Fix the Windows build and destruction order of objects.
(Patch from Arnaud Grandville)
* Issue #162: Not possible to create certificate objects containing
CKA_CERTIFICATE_CATEGORY, CKA_NAME_HASH_ALGORITHM, or
CKA_JAVA_MIDP_SECURITY_DOMAIN.
* Issue #163: Do not attempt decryption of empty byte strings.
(Patch from Michal Kepien)
* Issue #165: Minor changes after a PVS-Studio code analysis, and
C_EncryptUpdate crash if no ciphered data is produced.
(Patch from Arnaud Grandville)
* Issue #169: One-byte buffer overflow in call to EVP_DecryptUpdate.
* Issue #171: Problem while closing library that is initialized but
improperly finalized.
* Issue #173: Adjust return values for the template parsing.
* Issue #174: C_DeriveKey() error with leading zero bytes.
* Issue #177: CKA_NEVER_EXTRACTABLE set to CK_FALSE on objects
created with C_CreateObject.
* Issue #182: Resolve compiler warning.
(Patch from Josh Datko)
* Issue #184: Stop discarding the global OpenSSL libcrypto state.
(Patch from Michal Trojnara)
* SOFTHSM-123: Fix library cleanup on BSD.
SoftHSM 2.0.0 - 2015-07-17
* SOFTHSM-121: Test cases for C_DecryptUpdate/C_DecryptFinal.
* Support C_DecryptUpdate/C_DecryptFinal for symmetric algorithms.
(Patch from Thomas Calderon)
Bugfixes:
* SOFTHSM-120: Segfault after renaming variables.
SoftHSM 2.0.0b3 - 2015-04-17
* SOFTHSM-113: Support for Botan 1.11.15
* SOFTHSM-119: softhsm2-util: Support ECDSA key import
(Patch from Magnus Ahltorp)
* SUPPORT-139: Support deriving generic secrets, DES, DES2, DES3, and AES.
Using DH, ECDH or symmetric encryption.
Bugfixes:
* SOFTHSM-108: A marked as trusted certificate cannot be imported.
* SOFTHSM-109: Unused parameter and variable warnings.
* SOFTHSM-110: subdir-objects warnings from autoreconf.
* SOFTHSM-111: Include FIPS-NOTES.md in dist.
* SOFTHSM-112: CKM_AES_KEY_WRAP* conflict in pkcs11.h.
* SOFTHSM-114: Fix memory leak in a test script.
* SOFTHSM-115: Fix static analysis warnings.
* SUPPORT-154: A marked as non-modifiable object cannot be generated.
* SUPPORT-155: auto_ptr is deprecated in C++11, use unique_ptr.
* SUPPORT-157: Derived secrets were truncated after encryption and
could thus not be decrypted.
* Mutex should call MutexFactory wrapper functions.
(Patch from Jerry Lundstrom)
* Return detailed error message to loadLibrary().
(Patch from Petr Spacek)
SoftHSM 2.0.0b2 - 2014-12-28
* SOFTHSM-50: OpenSSL FIPS support.
* SOFTHSM-64: Updated build script for Windows.
* SOFTHSM-100: Use --free with softhsm2-util to initialize the first
free token.
* SOFTHSM-103: Allow runtime configuration of log level.
* SOFTHSM-107: Support for CKM_<symcipher>_CBC_PAD.
* Add support for CKM_RSA_PKCS_OAEP key un/wrapping.
(Patch from Petr Spacek)
* Use OpenSSL EVP interface for AES key wrapping.
(Patch from Petr Spacek)
* Allow reading configuration file from user's home directory.
(Patch from Nikos Mavrogiannopoulos)
Bugfixes:
* SOFTHSM-102: C_DeriveKey() uses OBJECT_OP_GENERATE.
* Coverity found a number of issues.
SoftHSM 2.0.0b1 - 2014-09-10
* SOFTHSM-84: Check that all mandatory attributes are given during
the creation process.
* SOFTHSM-92: Enable -fvisibility=hidden on per default
* SUPPORT-137: Implement C_EncryptUpdate and C_EncryptFinal
(Patch from Martin Paljak)
* Add support for CKM_RSA_PKCS key un/wrapping
(Patch from Petr Spacek)
Bugfixes:
* SOFTHSM-66: Attribute handling when using multiple threads
* SOFTHSM-93: Invalid C++ object recycling.
* SOFTHSM-95: umask affecting the calling application.
* SOFTHSM-97: Check if Botan has already been initialized.
* SOFTHSM-98: Handle mandatory attributes for DSA, DH, and ECDSA
correctly.
* SOFTHSM-99: Binary encoding of GOST values.
* SUPPORT-136: softhsm2-keyconv creates files with sensitive material
in insecure way.
SoftHSM 2.0.0a2 - 2014-03-25
* SOFTHSM-68: Display a better configure message when there is a
version of Botan with a broken ECC/GOST/OID implementation.
* SOFTHSM-70: Improved handling of the database backend.
* SOFTHSM-71: Supporting Botan 1.11.
* SOFTHSM-76: Do not generate RSA keys smaller than 1024 bit when
using the Botan crypto backend.
* SOFTHSM-83: Support CKA_VALUE_BITS for CKK_DH private key object.
* SOFTHSM-85: Rename libsofthsm.so to libsofthsm2.so and prefix the
command line utilties with softhsm2-.
* SOFTHSM-89: Use constants and not strings for signaling algorithms.
* SUPPORT-129: Possible to use an empty template in C_GenerateKey.
The class and key type are inherited from the generation mechanism.
Some mechanisms do however require a length attribute. [SOFTHSM-88]
* SUPPORT-131: Support RSA-PSS using SHA1, SHA224, SHA256, SHA384,
or SHA512. [SOFTHSM-87]
Bugfixes:
* SOFTHSM-39: Fix 64 bit build on sparc sun4v.
* SOFTHSM-69: GOST did not work when you disabled ECC.
* SOFTHSM-78: Correct the attribute checks for a number of objects.
* SOFTHSM-80: Prevent segfault in OpenSSL GOST HMAC code.
* SOFTHSM-91: Fix a warning from static code analysis.
* Fixed a number of memory leaks.
SoftHSM 2.0.0a1 - 2014-02-10
This is the first alpha release of SoftHSMv2. It focuses on a higher
level of security by encrypting sensitive information and using
unswappable memory. There is also a more generalized crypto backend,
where you can use Botan or OpenSSL.
|
|
|
|
Update to ruby-net-scp to 2.0.0.
o pkgsr change:
* Add "USE_LANGUAGES= # none".
=== 2.0.0
* NetSSH 5.* support
|