1.0.13
- Add nif version of tls module
1.0.12
- depends on p1_utils-1.0.9
- Add support for PAM_RHOST
Use PREFIX rather than LOCALBASE. What matters is where this package's
prefix is, not anything else.
Substitute all paths the same way, assigning to sh variables in one
place, alphabetically, and then using them. Sort list of substituted
variables alphabetically also, so it's easier to review the code.
No functional change for any reasonable configuration.
Based on a suggestion by J. Lewis Muir on pkgsrc-users.
From the release notes for version 3.6.3:
* BUGFIX: Heap overflow (4a342f0)
* BUGFIX: Off-by-one NULL write in stack buffer (964d6c0)
* BUGFIX: Multiple issues in "dotnet" module (f40c14c, fc35e5f)
From the release notes for version 3.6.2:
* Increase RE_MAX_AST_LEVELS from 2000 to 6000.
* BUGFIX: Buffer overrun in regexp engine (issue #678)
* BUGFIX: Null pointer dereference in regexp engine (issue #682).
XXX pullup (security fixes)
Bug fixes:
- Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
scheme.
Hawk lets two parties securely communicate with each other using messages
signed by a shared key. It is based on HTTP MAC access authentication (which
was based on parts of OAuth 1.0).
The Mohawk API is a little different from that of the Node library (i.e. the
living Hawk spec). It was redesigned to be more intuitive to developers, less
prone to security problems, and more Pythonic.
Bug fixes:
* Fix packaging issue that had erroneously installed the test package.
Update upstream bug report URLs.
Backward-incompatible changes:
- Removed the deprecated OpenSSL.rand.egd() function.
Applications should prefer os.urandom() for random number generation.
- Removed the deprecated default digest argument to OpenSSL.crypto.CRL.export().
Callers must now always pass an explicit digest.
- Fixed a bug with ASN1_TIME casting in X509.set_notBefore(),
X509.set_notAfter(), Revoked.set_rev_date(), Revoked.set_nextUpdate(),
and Revoked.set_lastUpdate(). You must now pass times in the form
YYYYMMDDhhmmssZ. YYYYMMDDhhmmss+hhmm and YYYYMMDDhhmmss-hhmm
will no longer work.
Deprecations:
- Deprecated the legacy "Type" aliases: ContextType, ConnectionType, PKeyType, X509NameType, X509ExtensionType, X509ReqType, X509Type, X509StoreType, CRLType, PKCS7Type, PKCS12Type, NetscapeSPKIType.
The names without the "Type"-suffix should be used instead.
Changes:
- Added OpenSSL.crypto.X509.from_cryptography() and OpenSSL.crypto.X509.to_cryptography() for converting X.509 certificates to and from pyca/cryptography objects.
- Added OpenSSL.crypto.X509Req.from_cryptography(), OpenSSL.crypto.X509Req.to_cryptography(), OpenSSL.crypto.CRL.from_cryptography(), and OpenSSL.crypto.CRL.to_cryptography() for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
- Added OpenSSL.debug, which allows you to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using python -m OpenSSL.debug.
- Added a fallback path to Context.set_default_verify_paths() to accommodate the upcoming release of cryptography manylinux1 wheels.
While here, remove empty line from PLIST.
* Version 3.5.13 (released 2017-06-07)
** libgnutls: fixed issue with AES-GCM in-place encryption and decryption in
aarch64. Resolves gitlab issue #204.
** libgnutls: no longer parse the ResponseID field of the status response
TLS extension. The field is not used by GnuTLS, nor is it made available to
calling applications. That addresses a null pointer dereference on the server
side caused by packets containing the ResponseID field. Reported
by Hubert Kario. [GNUTLS-SA-2017-4]
** libgnutls: tolerate certificates which do not have strict DER time encoding.
It is possible using 3rd party tools to generate certificates with time fields
that do not conform to DER requirements. Since 3.4.x these certificates were rejected
and cannot be used with GnuTLS, however that caused problems with existing private
certificate infrastructures, which were relying on such certificates (see gitlab
issue #196). Tolerate reading and using these certificates.
** minitasn1: updated to libtasn1 4.11.
** certtool: allow multiple certificates to be used in --p7-sign with
the --load-certificate option. Patch by Karl Tarbe.
Address <sys/user.h> removal fallout.
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance optimization in memory leak detection.
* Bugfixes
- Fixed crashes with the OpenSSL 1.1.0 branch.
- Fixed certificate verification with "verifyPeer = yes"
and "verifyChain = no" (the default), while the peer
only returns a single certificate.
A recent rototill of mozilla-rootcerts removed the notion of /etc/ssl.
Remove that notion here so this builds again.
Add comment questioning setting PREFIX to /etc when pkgsrc openssl is
used, now that /etc/ssl is no longer used.
This generates private/public SSH keypairs using pure Ruby.
This package installs into either the builtin openssl or the pkgsrc
one, depending on which is chosen. However, that's not obviously
right (while also not obviously wrong). If there are two versions
of openssl, perhaps both should have certificates configured. Or
perhaps not -- this simply adds a comment that the issue bears
thinking about.
## [1.3.0][] (2017-06-16)
* [#109](https://github.com/mattbrictson/airbrussh/pull/109): Add configurable task prefix - [@gondalez](https://github.com/gondalez)
Argon2 & Scrypt hash support
TOTP support
PBKDF2 now has faster builtin backend, and utilizes other backends where available
Lots of API cleanups and internal refactoring
HtpasswdFile reader is now more flexible, and with improved security options.
Refreshed documentation
1.9 - 2017-05-29
~~~~~~~~~~~~~~~~
* **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no longer
returns ``True`` on success. This brings it in line with the interface's
documentation, and our intent. The correct way to use
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
has always been to check whether or not
:class:`~cryptography.exceptions.InvalidSignature` was raised.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.7 and 10.8.
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.3.
* Python 3.3 support has been deprecated, and will be removed in the next
``cryptography`` release.
* Add support for providing ``tag`` during
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via
:meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
* Fixed an issue preventing ``cryptography`` from compiling against
LibreSSL 2.5.x.
* Added
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.key_size`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.key_size`
as convenience methods for determining the bit size of a secret scalar for
the curve.
* Accessing an unrecognized extension marked critical on an X.509 object will
no longer raise an ``UnsupportedExtension`` exception; instead, an
:class:`~cryptography.x509.UnrecognizedExtension` object will be returned.
This behavior was based on a poor reading of the RFC; unknown critical
extensions only need to be rejected on certificate verification.
* The CommonCrypto backend has been removed.
* MultiBackend has been removed.
* ``Whirlpool`` and ``RIPEMD160`` have been deprecated.
(Ride earlier PKGREVISION.)
Earlier, code was added to "touch $conffile" to work around openssl
issuing a warning if openssl.conf was not present. This is
problematic because if the warning is appropriate, 1) we have no way
of knowing that an empty config file is correct and 2) we should not
silence it. If the warning is buggy, then openssl and/or the base
system should be fixed. Further, this code changes the modification
date of the config file on every run, even when there is a valid
config file.
(There was no discussion prior, three objections and no concurrences,
and no response, so reverting seems ok.)
Now, ca-certificates.crt is always in the main certs dir, because we
have been careful about builtin vs pkgsrc paths. So the directory
must exist (because it was checked earlier). Instead, check for the
ca-certificates.crt file existing. Add more questioning comments.
Based on a patch by J. Lewis Muir.
Describe issues with touching the config file and the spurious
directory check surrounding ca-certificates.crt.
This package can depend on builtin openssl or pkgsrc openssl.
However, it had paths from the base system hardcoded. Be more
thorough about using builtin vs pkgsrc paths. This is a minimal
change to use builtin/pkgsrc paths; future commits will note latent
issues uncovered in the process.
Based on a report to pkgsrc-users by J. Lewis Muir.
Noteworthy changes in version 1.7.7 (2017-06-02) [C21/A1/R7]
------------------------------------------------
* Bug fixes:
- Fix possible timing attack on EdDSA session key.
- Fix long standing bug in secure memory implementation which could
lead to a segv on free. [bug#3027]
Update security/hitch to 1.4.6.
hitch-1.4.6 (2017-06-06)
- Fix a problem that broke mock-based builds for el6/el7
hitch-1.4.5 (2017-05-31)
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per
handshake
- Fix a bug where we ended up leaking a zombie process on reload
- Fix a bug where the management process could not find its
configuration files after a reload when chroot was configured
- Output the offending line on a configuration file parsing error
- Fix build for non-C99/C11 compilers
- Fix the shared cache code to make it work also with OpenSSL 1.1.0
- Fix an unchecked loop situation that could occur when running with
shared cache enabled
- Various autotools configuration fixes
- A few minor doc fixes
Added
- Plugins for performing DNS challenges for popular providers
- IPv6 support in the standalone plugin.
- A mechanism for keeping your Apache and Nginx SSL/TLS configuration
up to date.
- --http-01-address and --tls-sni-01-address flags for controlling the
address Certbot listens on when using the standalone plugin.
- The command certbot certificates that lists certificates managed by
Certbot now performs additional validity checks to notify you if
your files have become corrupted.
Changed
- Messages custom hooks print to stdout are now displayed by Certbot
when not running in --quiet mode.
- jwk and alg fields in JWS objects have been moved into the protected
header causing Certbot to more closely follow the latest version of
the ACME spec.
Fixed
- Permissions on renewal configuration files are now properly
preserved when they are updated.
- A bug causing Certbot to display strange defaults in its help output
when using Python <= 2.7.4 has been fixed.
- Certbot now properly handles mixed case domain names found in custom
CSRs.
- A number of poorly worded prompts and error messages.
Removed
- Support for OpenSSL 1.0.0 in certbot-auto has been removed as we now
pin a newer version of cryptography which dropped support for this
version.
2.049 2017/06/12A
- fixed problem caused by typo in the context of session cache
https://github.com/noxxi/p5-io-socket-ssl/issues/60
- update PublicSuffix information from publicsuffix.org
Changes from previous version:
+ New AES and GHASH implementations for POWER8 processors (provides
AES/GCM at more than 2 gigabytes per second!).
+ Improved GHASH implementation with AES-NI opcodes (pclmulqdq).
+ New Poly1305 implementation with 64 -> 128 multiplications,
available on some 64-bit architectures.
+ New "i62" big-integer code with 64 -> 128 multiplications, available
on some 64-bit architectures (RSA is much faster).
+ Some mostly cosmetic patches to support very old systems (BearSSL
now compiles and runs on Debian 2.2 "potato" from 2000, with GCC
2.95).
## 0.7.3 (June 7th, 2017)
SECURITY:
- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2
DEPRECATIONS/CHANGES:
- Step-Down is Forwarded
FEATURES:
- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)
IMPROVEMENTS:
- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
backends
BUG FIXES:
- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
current state of the role) before requiring it match the previously
authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading
=== 2.0.0 / 26 Jan 2017
* Update net-ssh dependency to 4.0.0 which requires Ruby version >= 2.0 [delano]
=== 1.3.0 / 26 Jan 2017
* Fix for loop_wait option on initialization [mfazekas, tpitale]
* Use bundler and remove jeweler [tpitale]
* Use minitest instead of test/unit [tpitale]
* Added Travis CI config [tpitale]
=== 4.1.0
=== 4.1.0.rc1
* ProxyJump support [Ryan McGeary, #500]
* Fix agent detection on Windows [Christian Koehler, #495]
=== 4.1.0.beta1
* Fix nil error when libsodium is not there [chapmajs, #488]
* SSH certificate support for client auth [David Bartley, #485]
=== 4.0.1
=== 4.0.1.rc2
* ENV["HOME"] might be empty so filter non expandable paths [Matt Casper, #351]
=== 4.0.1.rc1
* support of rbnacl 4.0 and better error message [#479]
* support include in config files [Kimura Masayuki, #475]
* fixed issue with ruby 2.2 or older on windows [#472]
=== 4.0.0
=== 4.0.0.rc3
* parse `+` character in config files [Christoph Lupprich, #470, #314]
=== 4.0.0.rc2
* Fixed OpenSSL 2.0/Ruby 2.4.0 warnings [Miklós Fazekas, #468]
* Added ssh-ed25519 to KnownHosts:SUPPORTED_TYPE [detatka-kuzlatka-otevrete, Miklós Fazekas, #459]
* Allow nil for :passphrase; passing in a nil option is now a deprecation warning [Miklós Fazekas, #465]
=== 4.0.0.rc1
* Allow :password to be nil for capistrano v2 compatibility [Will Bryant, #357]
* In next_packet, prefer consuming the buffer before filling it again if we have enough data [Miklós Fazekas, #454]
=== 4.0.0.beta4
* Added exitstatus method to exec's return [Miklós Fazekas, #452]
* Don't raise from exec if server closes transport just after channel close [Miklós Fazekas, #450]
* Removed java_pageant, as jruby should be using the regular pageant impl [Miklós Fazekas]
* Use SSH_AUTH_SOCK if possible on windows (cygwin) [Miklós Fazekas, Martin Dürst, #365, #361]
* HTTPS proxy support [Marcus Ilgner, #432]
* Supports ruby 2.4.0.dev new exception type from OpenSSL::PKey.read
=== 4.0.0.beta3
* Fix Net::SSH::Disconnect exceptions when channels are closed cleanly [Miklos Fazekas, #421, #422]
=== 4.0.0.beta2
* Fix raiseUnlessLoaded undefined ERROR issue [Miklos Fazekas, #418]
=== 4.0.0.beta1
* Fix pageant [elconas, #235]
* Relaxed rbnacl, rbnacl-libsodium constraints and give better errors about them [Miklos Fazekas, #398]
* Fix UTF-8 encoding issues [Ethan J. Brown, #407]
=== 4.0.0.alpha4
* Experimental event loop abstraction [Miklos Fazekas]
* RbNacl dependency is optional [Miklos Fazekas]
* agent_socket_factory option [Alon Goldboim]
* client sends KEXINIT, it doesn't have to wait for server [Miklos Fazekas]
* better error message when option is nil [Kane Morgan]
* prompting can be customized [Miklos Fazekas]
=== 4.0.0.alpha3
* added max_select_wait_time [Eugene Kenny]
=== 4.0.0.alpha2
* when transport closes we're cleaning up channels [Miklos Fazekas]
=== 4.0.0.alpha1
* ed25519 key support [Miklos Fazekas]
* removed camellia [Miklos Fazekas]
=== 3.1.0
=== 3.1.0.rc1
* fix Secure#verify [Jean Boussier]
* use the smallest wait time; don't spend longer than keepalive if it's configured [Eugene Kenny]
=== 3.1.0.beta3
* forward/on_open_failed should stop listening on a closed socket, otherwise it locks #269 [Miklos Fazekas, Scott McGillivray]
* fix incorrect pattern handling in config files #310 [Miklos Fazekas]
=== 3.1.0.beta2
* trying to execute something on a not yet opened channel throws a nicer message [Miklos Fazekas]
* calling close on a not opened channel marks the channel for close [Miklos Fazekas]
* read keepalive configuration from ssh config files [Miklos Fazekas]
* send client version on handshake before waiting for server to reduce handshake time [Miklos Fazekas]
* allow custom Net::SSH::KnownHosts implementations [Jean Boussier]
* memoize known host so we only search it once per session [Jean Boussier, Miklos Fazekas]
=== 3.0.2
=== 3.0.2.rc1
* fixed rare WaitWritable error with proxy commands [Miklos Fazekas, Andre Meij]
* if Net::SSH.start user is nil and config has no entry we default to Etc.getlogin
* Bugfix: CHANNEL_CLOSE was sent before draining output buffer #280 [Christopher F. Auston]
=== 3.0.1
=== 3.0.1.rc1
* Breaking change from 2.* series: exec! without block now returns empty string instead of nil if command has no output [https://github.com/net-ssh/net-ssh/pull/273]
* Support remote_user as %r in proxy commands [Dominic Scheirlinck]
* Raise Net::SSH::ConnectionTimeout from connection timeout [Carl Hoerberg]
=== 3.0.0.rc1
* SemVer: Major version change because of dropping of ruby 1.9
https://rt.cpan.org/Public/Bug/Display.html?id=102651
Switch back to gnupg1. Bump PKGREVISION.
New features:
Allow passing prompt='consent' via the flow_from_clientsecrets
In the release notes:
* BUGFIX: Stack overflow caused by uncontrolled recursiveness (CVE-2017-9304)
* BUGFIX: pe.overlay.size was undefined if the PE didn't have an overlay. Now it's set to 0 in those cases.
* BUGFIX: Fix initialization issue that could cause a crash if rules compiled with a 32bit yarac are used with a 64bit yara.