| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Pkgsrc changes:
* Fix == in shell script test.
* Add some patches to make this build on NetBSD.
Upstream changes:
## 1.2.3 (September 12, 2019)
FEATURES:
* Oracle Cloud (OCI) Integration: Vault now support using Oracle
Cloud for storage, auto unseal, and authentication.
IMPROVEMENTS:
* auth/jwt: Groups claim matching now treats a string response
as a single element list [JWT-63]
* auth/kubernetes: enable better support for projected tokens
API by allowing user to specify issuer [GH-65]
* auth/pcf: The PCF auth plugin was renamed to the CF auth plugin,
maintaining full backwards compatibility [GH-7346]
* replication: Premium packages now come with unlimited performance
standby nodes
BUG FIXES:
* agent: Allow batch tokens and other non-renewable tokens to be
used for agent operations [GH-7441]
* auth/jwt: Fix an error where newer (v1.2) token_* configuration
parameters were not being applied to tokens generated using
the OIDC login flow [JWT-67]
* seal/transit: Allow using Vault Agent for transit seal operations
[GH-7441]
* storage/couchdb: Fix a file descriptor leak [GH-7345]
* ui: Fix a bug where the status menu would disappear when trying
to revoke a token [GH-7337]
* ui: Fix a regression that prevented input of custom items in
search-select [GH-7338]
* ui: Fix an issue with the namespace picker being unable to
render nested namespaces named with numbers and sorting of
namespaces in the picker [GH-7333]
## 1.2.2 (August 15, 2019)
CHANGES:
* auth/pcf: The signature format has been updated to use the
standard Base64 encoding instead of the URL-safe variant.
Signatures created using the previous format will continue to
be accepted [PCF-27]
* core: The http response code returned when an identity token
key is not found has been changed from 400 to 404
IMPROVEMENTS:
* identity: Remove 512 entity limit for groups [GH-7317]
BUG FIXES:
* auth/approle: Fix an error where an empty token_type string
was not being correctly handled as TokenTypeDefault [GH-7273]
* auth/radius: Fix panic when logging in [GH-7286]
* ui: the string-list widget will now honor multiline input [GH-7254]
* ui: various visual bugs in the KV interface were addressed [GH-7307]
* ui: fixed incorrect URL to access help in LDAP auth [GH-7299]
1.2.1 (August 6th, 2019)
BUG FIXES:
* agent: Fix a panic on creds pulling in some error conditions
in aws and alicloud auth methods [GH-7238]
* auth/approle: Fix error reading role-id on a role created
pre-1.2 [GH-7231]
* auth/token: Fix sudo check in non-root namespaces on create
[GH-7224]
* core: Fix health checks with perfstandbyok=true returning the
wrong status code [GH-7240]
* ui: The web CLI will now parse input as a shell string, with
special characters escaped [GH-7206]
* ui: The UI will now redirect to a page after authentication
[GH-7088]
* ui (Enterprise): The list of namespaces is now cleared when
logging out [GH-7186]
## 1.2.0 (July 30th, 2019)
CHANGES:
* Token store roles use new, common token fields for the values
that overlap with other auth backends. period, explicit_max_ttl,
and bound_cidrs will continue to work, with priority being
given to the token_ prefixed versions of those parameters. They
will also be returned when doing a read on the role if they
were used to provide values initially; however, in Vault 1.4
if period or explicit_max_ttl is zero they will no longer be
returned. (explicit_max_ttl was already not returned if empty.)
* Due to underlying changes in Go version 1.12 and Go > 1.11.5,
Vault is now stricter about what characters it will accept in
path names. Whereas before it would filter out unprintable
characters (and this could be turned off), control characters
and other invalid characters are now rejected within Go's HTTP
library before the request is passed to Vault, and this cannot
be disabled. To continue using these (e.g. for already-written
paths), they must be properly percent-encoded (e.g. \r becomes
%0D, \x00 becomes %00, and so on).
* The user-configured regions on the AWSKMS seal stanza will now
be preferred over regions set in the enclosing environment.
This is a breaking change.
* All values in audit logs now are omitted if they are empty.
This helps reduce the size of audit log entries by not reproducing
keys in each entry that commonly don't contain any value, which
can help in cases where audit log entries are above the maximum
UDP packet size and others.
* Both PeriodicFunc and WALRollback functions will be called if
both are provided. Previously WALRollback would only be called
if PeriodicFunc was not set. See GH-6717 for details.
* Vault now uses Go's official dependency management system, Go
Modules, to manage dependencies. As a result to both reduce
transitive dependencies for API library users and plugin authors,
and to work around various conflicts, we have moved various
helpers around, mostly under an sdk/ submodule. A couple of
functions have also moved from plugin helper code to the api/
submodule. If you are a plugin author, take a look at some of
our official plugins and the paths they are importing for
guidance.
* AppRole uses new, common token fields for values that overlap
with other auth backends. period and policies will continue to
work, with priority being given to the token_ prefixed versions
of those parameters. They will also be returned when doing a
read on the role if they were used to provide values initially.
* In AppRole, "default" is no longer automatically added to the
policies parameter. This was a no-op since it would always be
added anyways by Vault's core; however, this can now be explicitly
disabled with the new token_no_default_policy field.
* In AppRole, bound_cidr_list is no longer returned when reading
a role
* rollback: Rollback will no longer display log messages when it
runs; it will only display messages on error.
* Database plugins will now default to 4 max_open_connections
rather than 2.
FEATURES:
* Integrated Storage: Vault 1.2 includes a tech preview of a new
way to manage storage directly within a Vault cluster. This
new integrated storage solution is based on the Raft protocol
which is also used to back HashiCorp Consul and HashiCorp Nomad.
* Combined DB credential rotation: Alternative mode for the
Combined DB Secret Engine to automatically rotate existing
database account credentials and set Vault as the source of
truth for credentials.
* Identity Tokens: Vault's Identity system can now generate
OIDC-compliant ID tokens. These customizable tokens allow
encapsulating a signed, verifiable snapshot of identity
information and metadata. They can be use by other applications-even
those without Vault authorization-as a way of establishing
identity based on a Vault entity.
* Pivotal Cloud Foundry plugin: New auth method using Pivotal
Cloud Foundry certificates for Vault authentication.
* ElasticSearch database plugin: New ElasticSearch database plugin
issues unique, short-lived ElasticSearch credentials.
* New UI Features: An HTTP Request Volume Page and new UI for
editing LDAP Users and Groups have been added.
* HA support for Postgres: PostgreSQL versions >= 9.5 may now
but used as and HA storage backend.
* KMIP secrets engine (Enterprise): Allows Vault to operate as
a KMIP Server, seamlessly brokering cryptographic operations
for traditional infrastructure.
* Common Token Fields: Auth methods now use common fields for
controlling token behavior, making it easier to understand
configuration across methods.
* Vault API explorer: The Vault UI now includes an embedded API
explorer where you can browse the endpoints avaliable to you
and make requests. To try it out, open the Web CLI and type
api.
IMPROVEMENTS:
* agent: Allow EC2 nonce to be passed in [GH-6953]
* agent: Add optional namespace parameter, which sets the default
namespace for the auto-auth functionality [GH-6988]
* agent: Add cert auto-auth method [GH-6652]
* api: Add support for passing data to delete operations via
DeleteWithData [GH-7139]
* audit/file: Dramatically speed up file operations by changing
locking/marshaling order [GH-7024]
* auth/jwt: A JWKS endpoint may now be configured for signature
verification [JWT-43]
* auth/jwt: A new verbose_oidc_logging role parameter has been
added to help troubleshoot OIDC configuration [JWT-57]
* auth/jwt: bound_claims will now match received claims that are
lists if any element of the list is one of the expected values
[JWT-50]
* auth/jwt: Leeways for nbf and exp are now configurable, as is
clock skew leeway [JWT-53]
* auth/kubernetes: Allow service names/namespaces to be configured
as globs [KUBEAUTH-58]
* auth/token: Allow the support of the identity system for the
token backend via token roles [GH-6267]
* auth/token: Add a large set of token configuration options to
token store roles [GH-6662]
* cli: path-help now allows -format=json to be specified, which
will output OpenAPI [GH-7006]
* cli: Add support for passing parameters to vault delete operations
[GH-7139]
* cli: Add a log-format CLI flag that can specify either "standard"
or "json" for the log format for the vault servercommand.
[GH-6840]
* cli: Add -dev-no-store-token to allow dev servers to not store
the generated token at the tokenhelper location [GH-7104]
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Namespaces can now be created and deleted from
performance replication secondaries
* plugins: Change the default for max_open_connections for DB
plugins to 4 [GH-7093]
* replication: Client TLS authentication is now supported when
enabling or updating a replication secondary
* secrets/database: Cassandra operations will now cancel on client
timeout [GH-6954]
* secrets/kv: Add optional delete_version_after parameter, which
takes a duration and can be set on the mount and/or the metadata
for a specific key [GH-7005]
* storage/postgres: LIST now performs better on large datasets
[GH-6546]
* storage/s3: A new path parameter allows selecting the path
within a bucket for Vault data [GH-7157]
* ui: KV v1 and v2 will now gracefully degrade allowing a write
without read workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars
[GH-6626], the restyling of the Confirm Action component
[GH-6741], and using a new set of glyphs for our Icon component
[GH-6736]
* ui: Lazy loading parts of the application so that the total
initial payload is smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a
common prefix if there is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS
payload smaller [GH-6768]
BUG FIXES:
* audit: Log requests and responses due to invalid wrapping token
provided [GH-6541]
* audit: Fix bug preventing request counter queries from working
with auditing enabled [GH-6767
* auth/aws: AWS Roles are now upgraded and saved to the latest
version just after the AWS credential plugin is mounted.
[GH-7025]
* auth/aws: Fix a case where a panic could stem from a malformed
assumed-role ARN when parsing this value [GH-6917]
* auth/aws: Fix an error complaining about a read-only view that
could occur during updating of a role when on a performance
replication secondary [GH-6926]
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled
checking of client_id for OIDC logins [JWT-54]
* auth/jwt: Fix a panic during OIDC CLI logins that could occur
if the Vault server response is empty [JWT-55]
* auth/jwt: Fix issue where OIDC logins might intermittently fail
when using performance standbys [JWT-61]
* identity: Fix a case where modifying aliases of an entity could
end up moving the entity into the wrong namespace
* namespaces: Fix a behavior (currently only known to be benign)
where we wouldn't delete policies through the official functions
before wiping the namespaces on deletion
* secrets/database: Escape username/password before using in
connection URL [GH-7089]
* secrets/pki: Forward revocation requests to active node when
on a performance standby [GH-7173]
* ui: Fix timestamp on some transit keys [GH-6827]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request
Metrics page
## 1.1.4/1.1.5 (July 25th/30th, 2019)
NOTE:
Although 1.1.4 was tagged, we realized very soon after the tag was
publicly pushed that an intended fix was accidentally left out. As
a result, 1.1.4 was not officially announced and 1.1.5 should be
used as the release after 1.1.3.
IMPROVEMENTS:
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Improve namespace deletion performance [GH-6939]
* namespaces: Namespaces can now be created and deleted from
performance replication secondaries
BUG FIXES:
* api: Add backwards compat support for API env vars [GH-7135]
* auth/aws: Fix a case where a panic could stem from a malformed
assumed-role ARN when parsing this value [GH-6917]
* auth/ldap: Add use_pre111_group_cn_behavior flag to allow
recovering from a regression caused by a bug fix starting in
1.1.1 [GH-7208]
* auth/aws: Use a role cache to avoid separate locking paths
[GH-6926]
* core: Fix a deadlock if a panic happens during request handling
[GH-6920]
* core: Fix an issue that may cause key upgrades to not be cleaned
up properly [GH-6949]
* core: Don't shutdown if key upgrades fail due to canceled
context [GH-7070]
* core: Fix panic caused by handling requests while vault is
inactive
* identity: Fix reading entity and groups that have spaces in
their names [GH-7055]
* identity: Ensure entity alias operations properly verify
namespace [GH-6886]
* mfa: Fix a nil pointer panic that could occur if invalid Duo
credentials were supplied
* replication: Forward step-down on perf standbys to match HA
behavior
* replication: Fix various read only storage errors on performance
standbys
* replication: Stop forwarding before stopping replication to
eliminate some possible bad states
* secrets/database: Allow cassandra queries to be cancled [GH-6954]
* storage/consul: Fix a regression causing vault to not connect
to consul over unix sockets [GH-6859]
* ui: Fix saving of TTL and string array fields generated by Open
API [GH-7094]
## 1.1.3 (June 5th, 2019)
IMPROVEMENTS:
* agent: Now supports proxying request query parameters [GH-6772]
* core: Mount table output now includes a UUID indicating the
storage path [GH-6633]
* core: HTTP server timeout values are now configurable [GH-6666]
* replication: Improve performance of the reindex operation on
secondary clusters when mount filters are in use
* replication: Replication status API now returns the state and
progress of a reindex
BUG FIXES:
* api: Return the Entity ID in the secret output [GH-6819]
* auth/jwt: Consider bound claims when considering if there is at least one
bound constraint [JWT-49]
* auth/okta: Fix handling of group names containing slashes [GH-6665]
* cli: Add deprecated stored-shares flag back to the init command [GH-6677]
* cli: Fix a panic when the KV command would return no data [GH-6675]
* cli: Fix issue causing CLI list operations to not return proper format when
there is an empty response [GH-6776]
* core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
* core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
endpoints [GH-6654]
* core: Fix issue where some OpenAPI parameters were incorrectly listed as
being sent as a header [GH-6679]
* core: Fix issue that would allow duplicate mount names to be used [GH-6771]
* namespaces: Fix behavior when using `root` instead of `root/` as the
namespace header value
* pki: fix a panic when a client submits a null value [GH-5679]
* replication: Properly update mount entry cache on a secondary to apply all
new values after a tune
* replication: Properly close connection on bootstrap error
* replication: Fix an issue causing startup problems if a namespace policy
wasn't replicated properly
* replication: Fix longer than necessary WAL replay during an initial reindex
* replication: Fix error during mount filter invalidation on DR
secondary clusters
* secrets/ad: Make time buffer configurable [AD-35]
* secrets/gcp: Check for nil config when getting credentials [SGCP-35]
* secrets/gcp: Fix error checking in some cases where the returned value could
be 403 instead of 404 [SGCP-37]
* secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
* storage/consul: recognize `https://` address even if schema not specified
[GH-6602]
* storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
could cause constant switching of the active node [GH-6637]
* storage/dynamodb: Eliminate a high-CPU condition that could occur if an
error was received from the DynamoDB API [GH-6640]
* storage/gcs: Correctly use configured chunk size values [GH-6655]
* storage/mssql: Use the correct database when pre-created schemas exist
[GH-6356]
* ui: Fix issue with select arrows on drop down menus [GH-6627]
* ui: Fix an issue where sensitive input values weren't being saved to the
server [GH-6586]
* ui: Fix web cli parsing when using quoted values [GH-6755]
* ui: Fix a namespace workflow mapping identities from external namespaces by
allowing arbitrary input in search-select component [GH-6728]
* core: Fix issue that would allow duplicate mount names to be used [GH-6771]
* namespaces: Fix behavior when using `root` instead of `root/` as the
namespace header value
* pki: fix a panic when a client submits a null value [GH-5679]
* replication: Properly update mount entry cache on a secondary to apply all
new values after a tune
* replication: Properly close connection on bootstrap error
* replication: Fix an issue causing startup problems if a namespace policy
wasn't replicated properly
* replication: Fix longer than necessary WAL replay during an initial reindex
* replication: Fix error during mount filter invalidation on DR
secondary clusters
* secrets/ad: Make time buffer configurable [AD-35]
* secrets/gcp: Check for nil config when getting credentials [SGCP-35]
* secrets/gcp: Fix error checking in some cases where the returned value could
be 403 instead of 404 [SGCP-37]
* secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
* storage/consul: recognize `https://` address even if schema not specified
[GH-6602]
* storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
could cause constant switching of the active node [GH-6637]
* storage/dynamodb: Eliminate a high-CPU condition that could occur if an
error was received from the DynamoDB API [GH-6640]
* storage/gcs: Correctly use configured chunk size values [GH-6655]
* storage/mssql: Use the correct database when pre-created schemas exist
[GH-6356]
* ui: Fix issue with select arrows on drop down menus [GH-6627]
* ui: Fix an issue where sensitive input values weren't being saved to the
server [GH-6586]
* ui: Fix web cli parsing when using quoted values [GH-6755]
* ui: Fix a namespace workflow mapping identities from external namespaces by
allowing arbitrary input in search-select component [GH-6728]
## 1.1.2 (April 18th, 2019)
This is a bug fix release containing the two items below. It is otherwise
unchanged from 1.1.1.
BUG FIXES:
* auth/okta: Fix a potential dropped error [GH-6592]
* secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
mounted on unseal if it had previously been mounted but not written to
[KV-31]
## 1.1.1 (April 11th, 2019)
SECURITY:
* Given: (a) performance replication is enabled; (b) performance standbys are
in use on the performance replication secondary cluster; and (c) mount
filters are in use, if a mount that was previously available to a secondary
is updated to be filtered out, although the data would be removed from the
secondary cluster, the in-memory cache of the data would not be purged on
the performance standby nodes. As a result, the previously-available data
could still be read from memory if it was ever read from disk, and if this
included mount configuration data this could result in token or lease
BUG FIXES:
* agent: Allow auto-auth to be used with caching without having to define any
sinks [GH-6468]
* agent: Disallow some nonsensical config file combinations [GH-6471]
* auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
* auth/jwt: The CLI helper for OIDC logins will now open the
browser to the correct URL when running on Windows [JWT-37]
* auth/jwt: Fix OIDC login issue where configured TLS certs weren't
being used [JWT-40]
* auth/jwt: Fix an issue where the `oidc_scopes` parameter was
not being included in the response to a role read request [JWT-35]
* core: Fix seal migration case when migrating to Shamir and a seal block
wasn't explicitly specified [GH-6455]
* core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
* core: Fix incorrect representation of required properties in OpenAPI output
[GH-6490]
* core: Fix deadlock that could happen when using the UI [GH-6560]
* identity: Fix updating groups removing existing members [GH-6527]
* identity: Properly invalidate group alias in performance secondary [GH-6564]
* identity: Use namespace context when loading entities and groups to ensure
merging of duplicate entries works properly [GH-6563]
* replication: Fix performance standby election failure [GH-6561]
* replication: Fix mount filter invalidation on performance standby nodes
* replication: Fix license reloading on performance standby nodes
* replication: Fix handling of control groups on performance standby nodes
* replication: Fix some forwarding scenarios with request bodies using
performance standby nodes [GH-6538]
* secret/gcp: Fix roleset binding when using JSON [GCP-27]
* secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
* storage/dynamodb: Fix a race condition possible in HA configurations
that could leave the cluster without a leader [GH-6512]
* ui: Fix an issue where in production builds OpenAPI model
generation was failing, causing any form using it to render
labels with missing fields [GH-6474]
* ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
* ui: Secrets will always show in the nav regardless of access to
cubbyhole [GH-6477]
* ui: fix SSH OTP generation [GH-6540]
* ui: add polyfill to load UI in IE11 [GH-6567]
* ui: Fix issue where some elements would fail to work properly if using ACLs
with segment-wildcard paths (`/+/` segments) [GH-6525]
## 1.1.0 (March 18th, 2019)
CHANGES:
* auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
groups claim is not at the top level, it can now be specified as a
[JSONPointer](https://tools.ietf.org/html/rfc6901).
* auth/jwt: Roles now have a "role type" parameter with a default type of
"oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
specified.
* cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
help/warning output in previous versions of Vault for updated commands.
* core: Vault no longer automatically mounts a K/V backend at the "secret/"
path when initializing Vault
* core: Vault's cluster port will now be open at all times on HA standby nodes
* plugins: Vault no longer supports running netRPC plugins. These were
deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
defaults to gRPC. Older plugins may need to be recompiled against the latest
Vault dependencies.
FEATURES:
* **Vault Agent Caching**: Vault Agent can now be configured to act as a
caching proxy to Vault. Clients can send requests to Vault Agent and the
request will be proxied to the Vault server and cached locally in Agent.
Currently Agent will cache generated leases and tokens and keep them
renewed. The proxy can also use the Auto Auth feature so clients do not need
to authenticate to Vault, but rather can make requests to Agent and have
Agent fully manage token lifecycle.
* **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
roles. These allow authentication via an OIDC-compliant provider via the
user's browser. The login may be initiated from the Vault UI or through
the `vault login` command.
* **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
wild card matching for a single directory in the path definition.
* **Transit Auto Unseal**: Vault can now be configured to use the Transit
Secret Engine in another Vault cluster as an auto unseal provider.
IMPROVEMENTS:
* auth/jwt: A default role can be set. It will be used during
JWT/OIDC logins if a role is not specified.
* auth/jwt: Arbitrary claims data can now be copied into token &
alias metadata.
* auth/jwt: An arbitrary set of bound claims can now be configured for a role.
* auth/jwt: The name "oidc" has been added as an alias for the
jwt backend. Either name may be specified in the `auth enable` command.
* command/server: A warning will be printed when 'tls_cipher_suites'
includes a blacklisted cipher suite or all cipher suites are blacklisted
by the HTTP/2 specification [GH-6300]
* core/metrics: Prometheus pull support using a new sys/metrics
endpoint. [GH-5308]
* core: On non-windows platforms a SIGUSR2 will make the server log a dump of
all running goroutines' stack traces for debugging purposes [GH-6240]
* replication: The initial replication indexing process on newly
initialized or upgraded clusters now runs asynchronously
* sentinel: Add token namespace id and path, available in rules as
token.namespace.id and token.namespace.path
* ui: The UI is now leveraging OpenAPI definitions to pull in
fields for various forms. This means, it will not be necessary to add
fields on the go and JS sides in the future. [GH-6209]
BUG FIXES:
* auth/jwt: Apply `bound_claims` validation across all login paths
* auth/jwt: Update `bound_audiences` validation during non-OIDC
logins to accept any matched audience, as documented and handled
in OIDC logins [JWT-30]
* auth/token: Fix issue where empty values for token role update call were
ignored [GH-6314]
* core: The `operator migrate` command will no longer hang on empty key names
[GH-6371]
* identity: Fix a panic at login when external group has a nil alias [GH-6230]
* namespaces: Clear out identity store items upon namespace deletion
* replication/perfstandby: Fixed a bug causing performance standbys to wait
longer than necessary after forwarding a write to the active node
* replication/mountfilter: Fix a deadlock that could occur when mount filters
were updated [GH-6426]
* secret/kv: Fix issue where a v1âv2 upgrade could run on a performance
standby when using a local mount
* secret/ssh: Fix for a bug where attempting to delete the last ssh role
in the zeroaddress configuration could fail [GH-6390]
* secret/totp: Uppercase provided keys so they don't fail base32 validation
[GH-6400]
* secret/transit: Multiple HMAC, Sign or Verify operations can now be
performed with one API call using the new `batch_input` parameter [GH-5875]
* sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
return a error response if a filtered mount path is requested. [GH-6412]
* ui: Fix for a bug where you couldn't access the data tab after clicking on
wrap details on the unwrap page [GH-6404]
* ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
* ui: Fix encoding issues with kv interfaces [GH-6294]
## 1.0.3.1 (March 14th, 2019) (Enterprise Only)
SECURITY:
* A regression was fixed in replication mount filter code introduced in Vault
1.0 that caused the underlying filtered data to be replicated to
secondaries. This data was not accessible to users via Vault's API but via a
combination of privileged configuration file changes/Vault commands it could
be read. Upgrading to this version or 1.1 will fix this issue and cause the
replicated data to be deleted from filtered secondaries. More information
was sent to customer contacts on file.
## 1.0.3 (February 12th, 2019)
CHANGES:
* New AWS authentication plugin mounts will default to using the generated
role ID as the Identity alias name. This applies to both EC2 and IAM auth.
Existing mounts that explicitly set this value will not be affected but
mounts that specified no preference will switch over on upgrade.
* The default policy now allows a token to look up its associated identity
entity either by name or by id [GH-6105]
* The Vault UI's navigation and onboarding wizard now only displays items that
are permitted in a users' policy [GH-5980, GH-6094]
* An issue was fixed that caused recovery keys to not work on
secondary clusters when using a different unseal mechanism/key
than the primary. This would be hit if the cluster was rekeyed
or initialized after 1.0. We recommend rekeying the recovery
keys on the primary cluster if you meet the above requirements.
FEATURES:
* **cURL Command Output**: CLI commands can now use the `-output-curl-string`
flag to print out an equivalent cURL command.
* **Response Headers From Plugins**: Plugins can now send back headers that
will be included in the response to a client. The set of allowed headers can
be managed by the operator.
IMPROVEMENTS:
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
role ID [GH-6133]
* auth/jwt: The supported set of signing algorithms is now configurable [JWT
plugin GH-16]
* core: When starting from an uninitialized state, HA nodes will now attempt
to auto-unseal using a configured auto-unseal mechanism after the active
node initializes Vault [GH-6039]
* secret/database: Add socket keepalive option for Cassandra [GH-6201]
* secret/ssh: Add signed key constraints, allowing enforcement of key types
and minimum key sizes [GH-6030]
* secret/transit: ECDSA signatures can now be marshaled in JWS-compatible
fashion [GH-6077]
* storage/etcd: Support SRV service names [GH-6087]
* storage/aws: Support specifying a KMS key ID for server-side encryption
[GH-5996]
BUG FIXES:
* core: Fix a rare case where a standby whose connection is entirely torn down
to the active node, then reconnects to the same active node, may not
successfully resume operation [GH-6167]
* cors: Don't duplicate headers when they're written [GH-6207]
* identity: Persist merged entities only on the primary [GH-6075]
* replication: Fix a potential race when a token is created and then used with
a performance standby very quickly, before an associated entity has been
replicated. If the entity is not found in this scenario, the request will
forward to the active node.
* replication: Fix issue where recovery keys would not work on secondary
clusters if using a different unseal mechanism than the primary.
* replication: Fix a "failed to register lease" error when using performance
standbys
* storage/postgresql: The `Get` method will now return an Entry object with
the `Key` member correctly populated with the full path that was requested
instead of just the last path element [GH-6044]
## 1.0.2 (January 15th, 2019)
SECURITY:
* When creating a child token from a parent with `bound_cidrs`, the list of
CIDRs would not be propagated to the child token, allowing the child token
to be used from any address.
CHANGES:
* secret/aws: Role now returns `credential_type` instead of `credential_types`
to match role input. If a legacy role that can supply more than one
credential type, they will be concatenated with a `,`.
* physical/dynamodb, autoseal/aws: Instead of Vault performing environment
variable handling, and overriding static (config file) values if found, we
use the default AWS SDK env handling behavior, which also looks for
deprecated values. If you were previously providing both config values and
environment values, please ensure the config values are unset if you want to
use environment values.
* Namespaces (Enterprise): Providing "root" as the header value for
`X-Vault-Namespace` will perform the request on the root namespace. This is
equivalent to providing an empty value. Creating a namespace called "root" in
the root namespace is disallowed.
FEATURES:
* **InfluxDB Database Plugin**: Use Vault to dynamically create
and manage InfluxDB users
IMPROVEMENTS:
* auth/aws: AWS EC2 authentication can optionally create entity aliases by
image ID [GH-5846]
* autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
[GH-5999]
* physical/foundationdb: TLS support added. [GH-5800]
BUG FIXES:
* api: Fix a couple of places where we were using the `LIST` HTTP verb
(necessary to get the right method into the wrapping lookup function) and
not then modifying it to a `GET`; although this is officially the verb Vault
uses for listing and it's fully legal to use custom verbs, since many WAFs
and API gateways choke on anything outside of RFC-standardized verbs we fall
back to `GET` [GH-6026]
* autoseal/aws: Fix reading session tokens when AWS access key/secret key are
also provided [GH-5965]
* command/operator/rekey: Fix help output showing `-delete-backup` when it
should show `-backup-delete` [GH-5981]
* core: Fix bound_cidrs not being propagated to child tokens
* replication: Correctly forward identity entity creation that originates from
performance standby nodes (Enterprise)
* secret/aws: Make input `credential_type` match the output type (string, not
array) [GH-5972]
* secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
* secret/pki: Fix reading certificates on windows with the file
storage backend [GH-6013]
* ui (enterprise): properly display perf-standby count on the
license page [GH-5971]
* ui: fix disappearing nested secrets and go to the nearest parent
when deleting a secret - [GH-5976]
* ui: fix error where deleting an item via the context menu would fail if the
item name contained dots [GH-6018]
* ui: allow saving of kv secret after an errored save attempt [GH-6022]
* ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]
## 1.0.1 (December 14th, 2018)
SECURITY:
* Update version of Go to 1.11.3 to fix Go bug
https://github.com/golang/go/issues/29233 which corresponds to
CVE-2018-16875
* Database user revocation: If a client has configured custom revocation
statements for a role with a value of `""`, that statement would be executed
verbatim, resulting in a lack of actual revocation but success for the
operation. Vault will now strip empty statements from any provided; as a
result if an empty statement is provided, it will behave as if no statement
is provided, falling back to the default revocation statement.
CHANGES:
* secret/database: On role read, empty statements will be returned as empty
slices instead of potentially being returned as JSON null values. This makes
it more in line with other parts of Vault and makes it easier for statically
typed languages to interpret the values.
IMPROVEMENTS:
* cli: Strip iTerm extra characters from password manager input [GH-5837]
* command/server: Setting default kv engine to v1 in -dev mode can now be
specified via -dev-kv-v1 [GH-5919]
* core: Add operationId field to OpenAPI output [GH-5876]
* ui: Added ability to search for Group and Policy IDs when creating Groups
and Entities instead of typing them in manually
BUG FIXES:
* auth/azure: Cache azure authorizer [15]
* auth/gcp: Remove explicit project for service account in GCE authorizer [58]
* cli: Show correct stored keys/threshold for autoseals [GH-5910]
* cli: Fix backwards compatibility fallback when listing plugins [GH-5913]
* core: Fix upgrades when the seal config had been created on early versions
of vault [GH-5956]
* namespaces: Correctly reload the proper mount when tuning or reloading the
mount [GH-5937]
* secret/azure: Cache azure authorizer [19]
* secret/database: Strip empty statements on user input [GH-5955]
* secret/gcpkms: Add path for retrieving the public key [5]
* secret/pki: Fix panic that could occur during tidy operation when malformed
data was found [GH-5931]
* secret/pki: Strip empty line in ca_chain output [GH-5779]
* ui: Fixed a bug where the web CLI was not usable via the `fullscreen`
command - [GH-5909]
* ui: Fix a bug where you couldn't write a jwt auth method config [GH-5936]
## 0.11.6 (December 14th, 2018)
This release contains the three security fixes from 1.0.0 and 1.0.1 and the
following bug fixes from 1.0.0/1.0.1:
* namespaces: Correctly reload the proper mount when tuning or reloading the
mount [GH-5937]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
It is otherwise identical to 0.11.5.
## 1.0.0 (December 3rd, 2018)
SECURITY:
* When debugging a customer incident we discovered that in the case of
malformed data from an autoseal mechanism, Vault's master key could be
logged in Vault's server log. For this to happen, the data would need to be
modified by the autoseal mechanism after being submitted to it by Vault but
prior to encryption, or after decryption, prior to it being returned to
Vault. To put it another way, it requires the data that Vault submits for
encryption to not match the data returned after decryption. It is not
sufficient for the autoseal mechanism to return an error, and it cannot be
triggered by an outside attacker changing the on-disk ciphertext as all
autoseal mechanisms use authenticated encryption. We do not believe that
this is generally a cause for concern; since it involves the autoseal
mechanism returning bad data to Vault but with no error, in a working Vault
configuration this code path should never be hit, and if hitting this issue
Vault will not be unsealing properly anyways so it will be obvious what is
happening and an immediate rekey of the master key can be performed after
service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3
score of 5.2 has been assigned.
CHANGES:
* Tokens are now prefixed by a designation to indicate what type of token they
are. Service tokens start with `s.` and batch tokens start with `b.`.
Existing tokens will still work (they are all of service type and will be
considered as such). Prefixing allows us to be more efficient when consuming
a token, which keeps the critical path of requests faster.
* Paths within `auth/token` that allow specifying a token or accessor in the
URL have been removed. These have been deprecated since March 2016 and
undocumented, but were retained for backwards compatibility. They shouldn't
be used due to the possibility of those paths being logged, so at this point
they are simply being removed.
* Vault will no longer accept updates when the storage key has invalid UTF-8
character encoding [GH-5819]
* Mount/Auth tuning the `options` map on backends will now upsert any provided
values, and keep any of the existing values in place if not provided. The
options map itself cannot be unset once it's set, but the keypairs within the
map can be unset if an empty value is provided, with the exception of the
`version` keypair which is handled differently for KVv2 purposes.
* Agent no longer automatically reauthenticates when new credentials are
detected. It's not strictly necessary and in some cases was causing
reauthentication much more often than intended.
* HSM Regenerate Key Support Removed: Vault no longer supports destroying and
regenerating encryption keys on an HSM; it only supports creating them.
Although this has never been a source of a customer incident, it is simply a
code path that is too trivial to activate, especially by mistyping
`regenerate_key` instead of `generate_key`.
* Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
seal type in the barrier config storage entry will be upgraded from
"hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals.
If performing seal migration, the barrier config should first be upgraded
prior to starting migration.
* Go API client uses pooled HTTP client: The Go API client now uses a
connection-pooling HTTP client by default. For CLI operations this makes no
difference but it should provide significant performance benefits for those
writing custom clients using the Go API library. As before, this can be
changed to any custom HTTP client by the caller.
* Builtin Secret Engines and Auth Methods are integrated deeper into the
plugin system. The plugin catalog can now override builtin plugins with
custom versions of the same name. Additionally the plugin system now
requires a plugin `type` field when configuring plugins, this can be "auth",
"database", or "secret".
FEATURES:
* **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
from Enterprise to Open Source. We've created a migrator to allow migrating
between Shamir seals and auto unseal methods.
* **Batch Tokens**: Batch tokens trade off some features of service tokens for no
storage overhead, and in most cases can be used across performance
replication clusters.
* **Replication Speed Improvements**: We've worked hard to speed up a lot of
operations when using Vault Enterprise Replication.
* **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
pattern to keys stored within GCP Cloud KMS.
* **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
credentials when having Agent automatically authenticate to Vault
* **OpenAPI Support**: Descriptions of mounted backends can be served directly
from Vault
* **Kubernetes Projected Service Account Tokens**: Projected Service Account
Tokens are now supported in Kubernetes auth
* **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
the wrap token or secret JSON in the UI
IMPROVEMENTS:
* agent: Support for configuring the location of the kubernetes service account
[GH-5725]
* auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
* secret/totp: Allow @ character to be part of key name [GH-5652]
* secret/consul: Add support for new policy based tokens added in Consul 1.4
[GH-5586]
* ui: Improve the token auto-renew warning, and automatically begin renewal
when a user becomes active again [GH-5662]
* ui: The unbundled UI page now has some styling [GH-5665]
* ui: Improved banner and popup design [GH-5672]
* ui: Added token type to auth method mount config [GH-5723]
* ui: Display additonal wrap info when unwrapping. [GH-5664]
* ui: Empty states have updated styling and link to relevant actions and
documentation [GH-5758]
* ui: Allow editing of KV V2 data when a token doesn't have capabilities to
read secret metadata [GH-5879]
BUG FIXES:
* agent: Fix auth when multiple redirects [GH-5814]
* cli: Restore the `-policy-override` flag [GH-5826]
* core: Fix rekey progress reset which did not happen under certain
circumstances. [GH-5743]
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
* identity: Update group memberships when entity is deleted [GH-5786]
* replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
* replication/perfstandby: Fix redirect on approle update [GH-5820]
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
having distinct scopes
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* storage/gcs: Send md5 of values to GCS to avoid potential corruption
[GH-5804]
* secrets/kv: Fix issue where storage version would get incorrectly downgraded
[GH-5809]
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
for all other operations for backwards compatibility
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
* ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
* ui: Fix dr secondary operation token generation via the ui [GH-5818]
* ui: Fix the PKI context menu so that items load [GH-5824]
* ui: Update DR Secondary Token generation command [GH-5857]
* ui: Fix pagination bug where controls would be rendered once for each
item when viewing policies [GH-5866]
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
the revoke button in the UI [GH-5647]
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
## 0.11.5 (November 13th, 2018)
BUG FIXES:
* agent: Fix issue when specifying two file sinks [GH-5610]
* auth/userpass: Fix minor timing issue that could leak the presence of a
username [GH-5614]
* autounseal/alicloud: Fix issue interacting with the API (Enterprise)
* autounseal/azure: Fix key version tracking (Enterprise)
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer
between entities [GH-5733]
* namespaces: Fix tuning of auth mounts in a namespace
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
when trying to use tool/hash [GH-5714]
## 0.11.4 (October 23rd, 2018)
CHANGES:
* core: HA lock file is no longer copied during `operator migrate` [GH-5503].
We've categorized this as a change, but generally this can be considered
just a bug fix, and no action is needed.
FEATURES:
* **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
remove older unused key versions
* **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
individual secret versions in the UI
* **Azure Existing Service Principal Support**: Credentials can
now be generated against an existing service principal
IMPROVEMENTS:
* core: Add last WAL in leader/health output for easier debugging [GH-5523]
* identity: Identity names will now be handled case insensitively by default.
This includes names of entities, aliases and groups [GH-5404]
* secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS
credentials [GH-5500]
* secret/database: Allow Cassandra user to be non-superuser so long as it has
role creation permissions [GH-5402]
* secret/radius: Allow setting the NAS Identifier value in the generated
packet [GH-5465]
* secret/ssh: Allow usage of JSON arrays when setting zero addresses [GH-5528]
* secret/transit: Allow trimming unused keys [GH-5388]
* ui: Support KVv2 [GH-5547], [GH-5563]
* ui: Allow viewing and updating Vault license via the UI
* ui: Onboarding will now display your progress through the chosen tutorials
* ui: Dynamic secret backends obfuscate sensitive data by default and
visibility is toggleable
BUG FIXES:
* agent: Fix potential hang during agent shutdown [GH-5026]
* auth/ldap: Fix listing of users/groups that contain slashes [GH-5537]
* core: Fix memory leak during some expiration calls [GH-5505]
* core: Fix generate-root operations requiring empty `otp` to be provided
instead of an empty body [GH-5495]
* identity: Remove lookup check during alias removal from entity [GH-5524]
* secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [GH-5549]
* secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of
generated certificates to be set to the Unix epoch if the role value was not
set, instead of using the default of 30 seconds [GH-5481]
* storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables
[GH-5529]
## 0.11.3 (October 8th, 2018)
SECURITY:
* Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused
lease IDs containing periods (`.`) to not be revoked properly. Upon startup
when revocation is tried again these should now revoke successfully.
IMPROVEMENTS:
* auth/ldap: Listing of users and groups return absolute paths [GH-5537]
* secret/pki: OID SANs can now specify `*` to allow any value [GH-5459]
BUG FIXES:
* auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
* cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
* secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
* secret/pki: Fix CA generation not allowing OID SANs [GH-5459]
|
|
The new patches fix compatibility with OpenSSL 1.1.0, and attempt to fix
the build on FreeBSD, NetBSD, and OpenBSD. It does not link on NetBSD
(like the previous version, 0.70) but it does on macOS.
There was no changelog upstream.
|
|
|
|
|
|
heimdal includes a copy of the relevant functions itself.
Add a comment that the dependency should be re-enabled when updating
this package.
Bump PKGREVISION.
|
|
2.8:
* Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
OpenSSL 1.1.1d.
* Added support for Python 3.8.
* Added class methods
:meth:`Poly1305.generate_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.generate_tag>`
and
:meth:`Poly1305.verify_tag
<cryptography.hazmat.primitives.poly1305.Poly1305.verify_tag>`
for Poly1305 sign and verify operations.
* Deprecated support for OpenSSL 1.0.1. Support will be removed in
``cryptography`` 2.9.
* We now ship ``manylinux2010`` wheels in addition to our ``manylinux1``
wheels.
* Added support for ``ed25519`` and ``ed448`` keys in the
:class:`~cryptography.x509.CertificateBuilder`,
:class:`~cryptography.x509.CertificateSigningRequestBuilder`,
:class:`~cryptography.x509.CertificateRevocationListBuilder` and
:class:`~cryptography.x509.ocsp.OCSPResponseBuilder`.
* ``cryptography`` no longer depends on ``asn1crypto``.
* :class:`~cryptography.x509.FreshestCRL` is now allowed as a
:class:`~cryptography.x509.CertificateRevocationList` extension.
|
|
|
|
Thanks nros for the heads up.
|
|
1.2.0
- Added `asn1crypto.load_order()`, which returns a `list` of unicode strings
of the names of the fully-qualified module names for all of submodules of
the package. The module names are listed in their dependency load order.
This is primarily intended for the sake of implementing hot reloading.
1.1.0
- Added User ID (`0.9.2342.19200300.100.1.1`) to `x509.NameType()`
- Added various EC named curves to `keys.NamedCurve()`
|
|
Thanks taca for the heads up.
|
|
Significant items from https://github.com/slicer69/doas/releases:
doas 6.2p2
* Introducing macOS support
Due to the dedicated work by Gordon Bergling, the doas
command now builds and runs on macOS. This release
contains no functionality changes, just the ability to
build and run on macOS.
|
|
Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set.
The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878.
Sudo will now filter out last login messages on HP-UX unless it a shell is being run via sudo -s or sudo -i. Otherwise, when trusted mode is enabled, these messages will be displayed for each command.
On AIX, when the user's password has expired and PAM is not in use, sudo will now allow the user to change their password. Bug #883.
Sudo has a new -B command line option that will ring the terminal bell when prompting for a password.
Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment.
The env_editor sudoers flag is now on by default. This makes source builds more consistent with the packages generated by sudo's mkpkg script.
Sudo no longer ships with pre-formatted copies of the manual pages. These were included for systems like IRIX that don't ship with an nroff utility. There are now multiple Open Source nroff replacements so this should no longer be an issue.
Fixed a bad interaction with configure's --prefix and --disable-shared options. Bug #886.
More verbose error message when a password is required and no terminal is present. Bug #828.
Command tags, such as NOPASSWD, are honored when a user tries to run a command that is allowed by sudoers but which does not actually exist on the file system. Bug #888.
Asturian translation for sudoers from translationproject.org.
I/O log timing files now store signal suspend and resume information in the form of a signal name instead of a number.
Fixed a bug introduced in 1.8.24 that prevented sudo from honoring the value of ipa_hostname from sssd.conf, if specified, when matching the host name.
Fixed a bug introduced in 1.8.21 that prevented the core dump resource limit set in the pam_limits module from taking effect. Bug #894.
Fixed parsing of double-quoted Defaults group and netgroup bindings.
The user ID is now used when matching sudoUser attributes in LDAP. Previously, the user name, group name and group IDs were used when matching but not the user ID.
Sudo now writes PAM messages to the user's terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe. Bug #895.
Sudoedit now honors the umask and umask_override settings in sudoers. Previously, the user's umask was used as-is.
Fixed a bug where the terminal's file context was not restored when using SELinux RBAC. Bug #898.
Fixed a security issue where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. This vulnerability has been assigned CVE-2019-14287
|
|
|
|
|
|
|
|
1.0.1
Fix an absolute import in keys to a relative import
1.0.0
Backwards Compatibility Breaks
cms.KeyEncryptionAlgorithmId().native now returns the value "rsaes_pkcs1v15" for OID 1.2.840.113549.1.1.1 instead of "rsa"
Removed functionality to calculate public key values from private key values. Alternatives have been added to oscrypto.
keys.PrivateKeyInfo().unwrap() is now oscrypto.asymmetric.PrivateKey().unwrap()
keys.PrivateKeyInfo().public_key is now oscrypto.asymmetric.PrivateKey().public_key.unwrap()
keys.PrivateKeyInfo().public_key_info is now oscrypto.asymmetric.PrivateKey().public_key.asn1
keys.PrivateKeyInfo().fingerprint is now oscrypto.asymmetric.PrivateKey().fingerprint
keys.PublicKeyInfo().unwrap() is now oscrypto.asymmetric.PublicKey().unwrap()
keys.PublicKeyInfo().fingerprint is now oscrypto.asymmetric.PublicKey().fingerprint
Enhancements
Significantly improved parsing of core.UTCTime() and core.GeneralizedTime() values that include timezones and fractional seconds
util.timezone has a more complete implementation
core.Choice() may now be constructed by a 2-element tuple or a 1-key dict
Added x509.Certificate().not_valid_before and x509.Certificate().not_valid_after
Added core.BitString().unused_bits
Added keys.NamedCurve.register() for non-mainstream curve OIDs
No longer try to load optional performance dependency, libcrypto, on Mac or Linux
ocsp.CertStatus().native will now return meaningful unicode string values when the status choice is "good" or "unknown". Previously both returned None due to the way the structure was designed.
Add support for explicit RSA SSA PSS (1.2.840.113549.1.1.10) to keys.PublicKeyInfo() and keys.PrivateKeyInfo()
Added structures for nested SHA-256 Windows PE signatures to cms.CMSAttribute()
Added RC4 (1.2.840.113549.3.4) to algos.EncryptionAlgorithmId()
Added secp256k1 (1.3.132.0.10) to keys.NamedCurve()
Added SHA-3 and SHAKE OIDs to algos.DigestAlgorithmId() and algos.HmacAlgorithmId()
Added RSA ES OAEP (1.2.840.113549.1.1.7) to cms.KeyEncryptionAlgorithmId()
Add IKE Intermediate (1.3.6.1.5.5.8.2.2) to x509.KeyPurposeId()
x509.EmailAddress() and x509.DNSName() now handle invalidly-encoded values using tags for core.PrintableString() and core.UTF8String()
Add parameter structue from RFC 5084 for AES-CCM to algos.EncryptionAlgorithm()
Improved robustness of parsing broken core.Sequence() and core.SequenceOf() values
Bug Fixes
Fixed encoding of tag values over 30
core.IntegerBitString() and core.IntegerOctetString() now restrict values to non-negative integers since negative values are not implemented
When copying or dumping a BER-encoded indefinite-length value, automatically force re-encoding to DER. To ensure all nested values are always DER-encoded, .dump(True) must be called.
Fix UnboundLocalError when calling x509.IPAddress().native on an encoded value that has a length of zero
Fixed passing class_ via unicode string name to core.Asn1Value()
Fixed a bug where EC private keys with leading null bytes would be encoded in keys.ECPrivateKey() more narrowly than RFC 5915 requires
Fixed some edge-case bugs in util.int_to_bytes()
x509.URI() now only normalizes values when comparing
Fixed BER-decoding of indefinite length core.BitString()
Fixed DER-encoding of empty core.BitString()
Fixed a missing return value for core.Choice().parse()
Fixed core.Choice().contents working when the chosen alternative is a core.Choice() also
Fixed parsing and encoding of nested core.Choice() objects
Fixed a bug causing core.ObjectIdentifier().native to sometimes not map the OID
|
|
|
|
* The On-Access Scanning feature has been migrated out of clamd and
into a brand new utility named clamonacc, which is disabled in this
package as it is for Linux only.
* The freshclam database update utility has undergone a significant
update. This includes:
+ Added support for HTTPS.
+ Support for database mirrors hosted on ports other than 80.
+ Removal of the mirror management feature (mirrors.dat).
+ An all new libfreshclam library API.
* Added support for extracting ESTsoft .egg archives. This feature is
new code developed from scratch using ESTsoft's Egg-archive
specification and without referencing the UnEgg library provided by
ESTsoft. This was necessary because the UnEgg library's license
includes restrictions limiting the commercial use of the UnEgg library.
Full release notes available at:
https://github.com/Cisco-Talos/clamav-devel/blob/rel/0.102/NEWS.md
|
|
Changelog:
Letsencrypt CA recent changed the CDN provider, which resulted
in hanging issues.
Any downstream package should update.
This is important.
|
|
Revision 0.2.7:
- Added maps for use with openType to RFC 3565
- Added RFC2985 providing PKCS#9 Attributes
- Added RFC3770 providing Certificate Extensions and Attributes for
Authentication in PPP and Wireless LAN Networks
- Added RFC5914 providing Trust Anchor Format
- Added RFC6010 providing CMS Content Constraints (CCC) Extension
- Added RFC6031 providing CMS Symmetric Key Package Content Type
- Added RFC6032 providing CMS Encrypted Key Package Content Type
- Added RFC7030 providing Enrollment over Secure Transport (EST)
- Added RFC7292 providing PKCS #12, which is the Personal Information
Exchange Syntax v1.1
- Added RFC8018 providing PKCS #5, which is the Password-Based
Cryptography Specification, Version 2.1
- Automatically update the maps for use with openType for RFC3709,
RFC6402, RFC7191, and RFC8226 when the module is imported
- Added RFC6211 providing CMS Algorithm Identifier Protection Attribute
- Added RFC8449 providing Certificate Extension for Hash Of Root Key
- Updated RFC2459 and RFC5280 for TODO in the certificate extension map
- Added RFC7906 providing NSA's CMS Key Management Attributes
- Added RFC7894 providing EST Alternative Challenge Password Attributes
- Updated the handling of maps for use with openType so that just doing
an import of the modules is enough in most situations; updates to
RFC 2634, RFC 3274, RFC 3779, RFC 4073, RFC 4108, RFC 5035, RFC 5083,
RFC 5084, RFC 5480, RFC 5940, RFC 5958, RFC 6019, and RFC 8520
- Updated the handling of attribute maps for use with openType in
RFC 5958 to use the rfc5652.cmsAttributesMap
- Added RFC5990 providing RSA-KEM Key Transport Algorithm in the CMS
- Fixed malformed `rfc4210.RevRepContent` data structure layout
- Added RFC5934 providing Trust Anchor Management Protocol (TAMP)
- Added RFC6210 providing Experiment for Hash Functions with Parameters
- Added RFC5751 providing S/MIME Version 3.2 Message Specification
- Added RFC8494 providing Multicast Email (MULE) over ACP 142
- Added RFC8398 providing Internationalized Email Addresses in
X.509 Certificates
- Added RFC8419 providing Edwards-Curve Digital Signature Algorithm
(EdDSA) Signatures in the CMS
- Added RFC8479 providing Storing Validation Parameters in PKCS#8
- Added RFC8360 providing Resource Public Key Infrastructure (RPKI)
Validation Reconsidered
- Added RFC8358 providing Digital Signatures on Internet-Draft Documents
- Added RFC8209 providing BGPsec Router PKI Profile
- Added RFC8017 providing PKCS #1 Version 2.2
- Added RFC7914 providing scrypt Password-Based Key Derivation Function
- Added RFC7773 providing Authentication Context Certificate Extension
|
|
|
|
pkgsrc changes:
---------------
* Apply upstream patches that will be removed in next release
(https://github.com/gpg/libgpg-error/commit/7865041)
* Bump revision
|
|
Use PKG_SYSCONFDIR when moving files to EGDIR.
Fixes install when PKG_SYSCONFDIR is set to something else than
${PREFIX}/etc
|
|
* Version 3.6.10 (released 2019-09-29)
** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
Deterministic signing can be enabled by setting
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
functions (#94).
** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
functions that will perform in-place encryption/decryption on data buffers (#718).
** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function()
(#823).
** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
issue with large record handling due to random padding (#811).
** libgnutls: the server now selects the highest TLS protocol version,
if TLS 1.3 is enabled and the client advertises an older protocol version first (#837).
** libgnutls: fix non-PIC assembly on i386 (#818).
** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
and MAC generation based on GOST 28147-89 (IMIT). For description of the
modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
RFC 7836.
** certtool: when outputting an encrypted private key do not insert the textual description
of it. This fixes a regression since 3.6.5 (#840).
** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added
GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added
|
|
pointed out by mrg and gcc8:
+ don't read an automatic array element we haven't already written
|
|
0.39.0:
Added
Support for Python 3.8 was added to Certbot and all of its components.
Support for CentOS 8 was added to certbot-auto.
Changed
Don't send OCSP requests for expired certificates
Return to using platform.linux_distribution instead of distro.linux_distribution in OS fingerprinting for Python < 3.8
Updated the Nginx plugin's TLS configuration to keep support for some versions of IE11.
Fixed
Fixed OS detection in the Apache plugin on RHEL 6.
|
|
pkgsrc changes
--------------
* s/wip/devel/ for py-distro dependency (wip was for test only but
committed by inattention)
|
|
|
|
= mbed TLS 2.16.3 branch released 2019-09-06
Security
* Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the other
side of the key exchange had a similar bug.
* The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the same
blinding value was generated. This reduced the effectiveness of the
countermeasure and leaked information about the private key through side
channels. Reported by Jack Lloyd.
* When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written
as an ASN.1 INTEGER, which caused the size of the key to leak
about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer.
API Changes
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
purpose of blinding.
Bugfix
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix undefined memset(NULL) call in test_suite_nist_kw.
* Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
* Fix memory leak in in mpi_miller_rabin(). Contributed by
Jens Wiklander <jens.wiklander@linaro.org> in #2363
* Improve code clarity in x509_crt module, removing false-positive
uninitialized variable warnings on some recent toolchains (GCC8, etc).
Discovered and fixed by Andy Gross (Linaro), #2392.
* Zero length buffer check for undefined behavior in
mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
* Fix bug in endianness conversion in bignum module. This lead to
functionally incorrect code on bigendian systems which don't have
__BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.
Changes
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
= mbed TLS 2.16.2 branch released 2019-06-11
Security
* Make mbedtls_ecdh_get_params return an error if the second key
belongs to a different group from the first. Before, if an application
passed keys that belonged to different group, the first key's data was
interpreted according to the second group, which could lead to either
an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key.
Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted.
This certificate is used in the demo server programs, which lead the
client programs to fail at the peer's certificate verification
due to an unacceptable hash signature. The certificate has been
updated to one that is SHA-256 signed. Fix contributed by
Illya Gerasymchuk.
* Fix private key DER output in the key_app_writer example. File contents
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
Christian Walther in #2239.
* Fix potential memory leak in X.509 self test. Found and fixed by
Junhwan Park, #2106.
* Reduce stack usage of hkdf tests. Fixes #2195.
* Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
used with negative inputs. Found by Guido Vranken in #2404. Credit to
OSS-Fuzz.
* Fix bugs in the AEAD test suite which would be exposed by ciphers which
either used both encrypt and decrypt key schedules, or which perform padding.
GCM and CCM were not affected. Fixed by Jack Lloyd.
* Fix incorrect default port number in ssl_mail_client example's usage.
Found and fixed by irwir. #2337
* Add missing parentheses around parameters in the definition of the
public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
in case operators binding less strongly than subtraction were used
for the parameter.
* Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
sni entry parameter. Reported by inestlerode in #560.
* Add DER-encoded test CRTs to library/certs.c, allowing
the example programs ssl_server2 and ssl_client2 to be run
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
* Fix missing bounds checks in X.509 parsing functions that could
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
* Fix multiple X.509 functions previously returning ASN.1 low-level error
codes to always wrap these codes into X.509 high level error codes before
returning. Fixes #2431.
Changes
* Return from various debugging routines immediately if the
provided SSL context is unset.
* Remove dead code from bignum.c in the default configuration.
Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
* Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
Contributed by Peter Kolbus (Garmin).
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
improve clarity. Fixes #2258.
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
= mbed TLS 2.16.1 branch released 2019-03-19
Features
* Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
from the default list (enabled by default). See
https://sweet32.info/SWEET32_CCS16.pdf.
Bugfix
* Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
* Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
Raised as a comment in #1996.
* Reduce the stack consumption of mbedtls_mpi_fill_random() which could
previously lead to a stack overflow on constrained targets.
* Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
in the header files, which missed the precompilation check. #971
* Fix clobber list in MIPS assembly for large integer multiplication.
Previously, this could lead to functionally incorrect assembly being
produced by some optimizing compilers, showing up as failures in
e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
by Aurelien Jarno and submitted by Jeffrey Martin.
* Fix signed-to-unsigned integer conversion warning
in X.509 module. Fixes #2212.
* Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
Fixes #2190.
* Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
* Remove the mbedtls namespacing from the header file, to fix a "file not found"
build error. Fixed by Haijun Gu #2319.
* Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
* Fix false failure in all.sh when backup files exist in include/mbedtls
(e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
* Ensure that unused bits are zero when writing ASN.1 bitstrings when using
mbedtls_asn1_write_bitstring().
* Fix issue when writing the named bitstrings in KeyUsage and NsCertType
extensions in CSRs and CRTs that caused these bitstrings to not be encoded
correctly as trailing zeroes were not accounted for as unused bits in the
leading content octet. Fixes #1610.
Changes
* Include configuration file in all header files that use configuration,
instead of relying on other header files that they include.
Inserted as an enhancement for #1371
* Add support for alternative CSR headers, as used by Microsoft and defined
in RFC 7468. Found by Michael Ernst. Fixes #767.
* Fix configuration queries in ssl-opt.h. #2030
* Ensure that ssl-opt.h can be run in OS X. #2029
* Reduce the complexity of the timing tests. They were assuming more than the
underlying OS actually guarantees.
* Re-enable certain interoperability tests in ssl-opt.sh which had previously
been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
* Ciphersuites based on 3DES now have the lowest priority by default when
they are enabled.
= mbed TLS 2.16.0 branch released 2018-12-21
Features
* Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
of parameters in the API. This allows detection of obvious misuses of the
API, such as passing NULL pointers. The API of existing functions hasn't
changed, but requirements on parameters have been made more explicit in
the documentation. See the corresponding API documentation for each
function to see for which parameter values it is defined. This feature is
disabled by default. See its API documentation in config.h for additional
steps you have to take when enabling it.
API Changes
* The following functions in the random generator modules have been
deprecated and replaced as shown below. The new functions change
the return type from void to int to allow returning error codes when
using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
primitive. Fixes #1798.
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
* Extend ECDH interface to enable alternative implementations.
* Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
* Additional parameter validation checks have been added for the following
modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
Where modules have had parameter validation added, existing parameter
checks may have changed. Some modules, such as Chacha20 had existing
parameter validation whereas other modules had little. This has now been
changed so that the same level of validation is present in all modules, and
that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
is off. That means that checks which were previously present by default
will no longer be.
New deprecations
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
in favor of functions that can return an error code.
Bugfix
* Fix for Clang, which was reporting a warning for the bignum.c inline
assembly for AMD64 targets creating string literals greater than those
permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
through qemu user emulation. Reported and fix suggested by randombit
in #1212. Fixes #1212.
* Fix an unsafe bounds check when restoring an SSL session from a ticket.
This could lead to a buffer overflow, but only in case ticket authentication
was broken. Reported and fix suggested by Guido Vranken in #659.
* Add explicit integer to enumeration type casts to example program
programs/pkey/gen_key which previously led to compilation failure
on some toolchains. Reported by phoenixmcallister. Fixes #2170.
* Fix double initialization of ECC hardware that made some accelerators
hang.
* Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
of check for certificate/key matching. Reported by Attila Molnar, #507.
|
|
Changelog:
Vulnerabilities fixed in this release include:
- On Windows, the listening sockets used for local port forwarding
were opened in a mode that did not prevent other processes from
also listening on the same ports and stealing some of the incoming
connections.
- In the PuTTY terminal, bracketed paste mode was broken in 0.72, in
a way that made the pasted data look like manual keyboard input. So
any application relying on the bracketing sequences to protect
against malicious clipboard contents would have been misled.
- An SSH-1 server could trigger an access to freed memory by sending
the SSH1_MSG_DISCONNECT message. Not known to be exploitable.
Other bug fixes include:
- Windows Plink no longer crashes on startup when it tries to tell
you it's reusing an existing SSH connection.
- Windows PuTTY now updates its terminal window size correctly if the
screen resolution changes while it's maximised.
- If you display the coloured error messages from gcc in the PuTTY
terminal, there is no longer a missing character if a colour change
happens exactly at the end of a line.
- If you use the 'Clear Scrollback' menu option or escape sequence
while text in the scrollback is selected, it no longer causes an
assertion failure.
|
|
|
|
|
|
pkgsrc changes:
---------------
* Add devel/py-distro as a runtime dependency. Certbot claims >=1.0.1 but
non-linux distribution are supported only from 1.2.0.
|
|
Regenerate asm files with -fPIC
PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386
Bump PKGREVISION.
|
|
ok wiz@ for PMC
|
|
Last update in 2009, homepage not reachable; only builds with php-5.6
but one of it's dependencies is per default built against a newer php,
so this can't even build.
|
|
|
|
|
|
Version 1.2.1:
* Fixup release: Remove minimum version for sqlalchemy dependency which was
set too high.
* yhsm-yubikey-ksm: Add --proxy/--proxies argument for logging proxies
requests.
Version 1.2.0:
* yhsm-validation-server: Support OATH TOTP.
* yhsm-init-oath-token: Handle keys with length != 20.
* yhsm-yubikey-ksm: Allow passing soft-HSM keys via stdin by passing "-" as
device argument.
* yhsm-yubikey-ksm: Allow passing --db-url via environment variable.
* Moved utils, yubikey-ksm and validation-server to be included when
installing using pip.
* Use entry_point scripts generated by setuptools.
* Moved man pages to man/ directory.
* Bugfix: Fix AEAD generation on Windows by writing in binary mode.
* Bugfix: Support AEADs generated on Windows using pyhsm <= 1.1.1.
* Bugfix: Avoid installing unit test package.
* Bugfix: yhsm-import-keys: Fix --aes-key argument used when importing
without a YubiHSM.
Version 1.1.1:
* Fixup release.
Version 1.1.0:
* Restructured the repository and build process.
* Use Semantic Versioning (semver.org).
* Added support for a "soft" HSM in yhsm-yubikey-ksm, yhsm-import-keys
and yhsm-generate-keys.
Version 1.0.4l:
* Documentation is now in asciidoc format.
* yhsm-yubikey-ksm: Fix bug when the same public ID occured for multiple
keyhandles.
|
|
3.1.1
Trap AttributeError in Gnome backend as in some environments
it seems that will happen.
Fix issue where a backslash in the service name would cause
errors on Registry backend on Windows.
3.1
``keyrings.alt`` no longer depends on the ``keyring.util.escape``
module.
3.0
``keyrings`` namespace should now use the pkgutil native technique
rather than relying on pkg_resources.
2.4
File based backends now reject non-string types for passwords.
|
|
19.2.0
* Add support for get_credential() with the SecretService backend
|
|
|
|
|
|
|
|
|
|
Closes PR security/54556.
|
|
Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10 .
Fixes compilation on NetBSD 8 without setting GCC_REQD.
|
|
Significant changes since 1.2.1:
* In addition to the scrypt command-line utility, a library "libscrypt-kdf"
can now be built and installed by passing the --enable-libscrypt-kdf option
to configure.
* On x86 CPUs which support them, RDRAND and SHA extensions are used to
provide supplemental entropy and speed up hash computations respectively.
* When estimating the amount of available RAM, scrypt ignores RLIMIT_DATA on
systems which have mmap.
* A new command "scrypt info encfile" prints information about an encrypted
file without decrypting it.
|
|
* Version 3.6.9 (released 2019-07-25)
** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
of digest or MAC context. Copying contexts for externally-registered digest and MAC
contexts is unupported (#787).
** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
used, are for a niche use case, but have significant side effects, such as preventing
any internal re-organization and extension of the internal cipher API. The APIs remain
functional though a compiler warning will be issued, and a future minor version update
may transform them to a no-op while keeping ABI compatibility (#789).
** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).
** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().
** libgnutls: Added support for Generalname registeredID.
** The priority configuration was enhanced to allow more elaborate
system-wide configuration of the library (#587).
The following changes were included:
- The file is read as an ini file with '#' indicating a comment.
- The section "[priorities]" or global follows the existing semantics of
the configuration file, and allows to specify system-wide priority strings
which are accessed with the '@' prefix.
- The section "[overrides]" is added with the parameters "insecure-hash",
"insecure-sig", "insecure-sig-for-cert", "disabled-curve",
"disabled-version", "min-verification-profile", "tls-disabled-cipher",
"tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
specific algorithms or options globally. Existing algorithms in the
library can be marked as disabled and insecure, but no hard-coded
insecure algorithm can be marked as secure (so that the configuration
cannot be abused to make the system vulnerable).
- Unknown sections or options are skipped with a debug message, unless
the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
set to 1.
** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
- 0x20: Enable SHA_NI instruction set
** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
|
|
Bump PKGREVISION.
|
