Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
shared Makefile.common.
|
|
Significant changes since 1.2.0:
* A new -v option instructs scrypt to print the key derivation parameters
it has selected.
* A new --version option prints the version number of the scrypt utility.
* A new -P option make scrypt read the passphrase from standard input; this
is designed for scripts which pipe a passphrase in from elsewhere.
* A new -f option makes 'scrypt dec' ignore the amount of memory or CPU time
it thinks decrypting a file will take, and proceed anyway; this may be useful
in cases where scrypt's estimation is wrong.
* The '-M maxmem' option now accepts "humanized" inputs, e.g., "-M 1GB".
There are also a variety of less visible changes: Performance improvements
in the SHA256 routines, minor bug and compiler warning fixes, the addition
of a test suite, and some minor code reorganization.
|
|
Bump PKGREVISION.
|
|
|
|
Requests is an HTTP library, written in Python, for human beings. This
library adds optional Kerberos/GSSAPI authentication support and supports
mutual authentication.
|
|
Allow `authGSSClientInit` principal kwarg to be None.
|
|
|
|
|
|
depends on ruby18.
|
|
|
|
## [1.2.0][] (2017-04-14)
* [#95](https://github.com/mattbrictson/airbrussh/pull/95): colorize LogMessage label on WARN level and above - [@klyonrad](https://github.com/klyonrad)
* [#106](https://github.com/mattbrictson/airbrussh/pull/106): Remove the `log_file` parameter from the `CommandFormatter#exit_message` method; it was unused - [@mattbrictson](https://github.com/mattbrictson)
|
|
## [1.13.1][] (2017-03-31)
### Breaking changes
* None
### Bug fixes
* [#397](https://github.com/capistrano/sshkt/pull/397): Fix NoMethodError assign_defaults with net-ssh older than 4.0.0 - [@shirosaki](https://github.com/shirosaki)
## [1.13.0][] (2017-03-24)
### Breaking changes
* None
### New features
* [#372](https://github.com/capistrano/sshkit/pull/372): Use cp_r in local backend with recursive option - [@okuramasafumi](https://github.com/okuramasafumi)
### Bug fixes
* [#390](https://github.com/capistrano/sshkit/pull/390): Properly wrap Ruby StandardError w/ add'l context - [@mattbrictson](https://github.com/mattbrictson)
* [#392](https://github.com/capistrano/sshkit/pull/392): Fix open two connections with changed cache key - [@shirosaki](https://github.com/shirosaki)
|
|
|
|
|
|
|
|
Inhibit its use on Darwin to fix the build.
|
|
|
|
|
|
2.048 2017/04/16
- fixed small memory leaks during destruction of socket and context, RT#120643
|
|
|
|
Based on PR 52165 by Jonathan Schleifer.
Noteworthy changes in version 2.1.20 (2017-04-03)
-------------------------------------------------
* gpg: New properties 'expired', 'revoked', and 'disbaled' for the
import and export filters.
* gpg: New command --quick-set-primary-uid.
* gpg: New compliance field for the --with-colon key listing.
* gpg: Changed the key parser to generalize the processing of local
meta data packets.
* gpg: Fixed assertion failure in the TOFU trust model.
* gpg: Fixed exporting of zero length user ID packets.
* scd: Improved support for multiple readers.
* scd: Fixed timeout handling for key generation.
* agent: New option --enable-extended-key-format.
* dirmngr: Do not add a keyserver to a new dirmngr.conf. Dirmngr
uses a default keyserver.
* dimngr: Do not treat TLS warning alerts as severe error when
building with GNUTLS.
* dirmngr: Actually take /etc/hosts in account.
* wks: Fixed client problems on Windows. Published keys are now set
to world-readable.
* tests: Fixed creation of temporary directories.
* A socket directory for a non standard GNUGHOME is now created on
the fly under /run/user. Thus "gpgconf --create-socketdir" is now
optional. The use of "gpgconf --remove-socketdir" to clean up
obsolete socket directories is however recommended to avoid
cluttering /run/user with useless directories.
* Fixed build problems on some platforms.
Noteworthy changes in version 2.1.19 (2017-03-01)
-------------------------------------------------
* gpg: Print a warning if Tor mode is requested but the Tor daemon
is not running.
* gpg: New status code DECRYPTION_KEY to print the actual private
key used for decryption.
* gpgv: New options --log-file and --debug.
* gpg-agent: Revamp the prompts to ask for card PINs.
* scd: Support for multiple card readers.
* scd: Removed option --debug-disable-ticker. Ticker is used
only when it is required to watch removal of device/card.
* scd: Improved detection of card inserting and removal.
* dirmngr: New option --disable-ipv4.
* dirmngr: New option --no-use-tor to explicitly disable the use of
Tor.
* dirmngr: The option --allow-version-check is now required even if
the option --use-tor is also used.
* dirmngr: Handle a missing nsswitch.conf gracefully.
* dirmngr: Avoid PTR lookups for keyserver pools. The are only done
for the debug command "keyserver --hosttable".
* dirmngr: Rework the internal certificate cache to support classes
of certificates. Load system provided certificates on startup.
Add options --tls, --no-crl, and --systrust to the "VALIDATE"
command.
* dirmngr: Add support for the ntbtls library.
* wks: Create mails with a "WKS-Phase" header. Fix detection of
Draft-2 mode.
* The Windows installer is now build with limited TLS support.
* Many other bug fixes and new regression tests.
See-also: gnupg-announce/2017q1/000402.html
|
|
|
|
|
|
Some of the more important changes:
- Fix incorrect truncation in Bcrypt. Passwords in length between 56 and
72 characters were truncated at 56 characters. Found and reported by
Solar Designer. (CVE-2017-7252) (GH #938)
- Fix a bug in X509 DN string comparisons that could result in out of
bound reads. This could result in information leakage, denial of
service, or potentially incorrect certificate validation results.
Found independently by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)
- Correct minimum work factor for Bcrypt password hashes. All other
implementations require the work factor be at least 4. Previously
Botan simply required it be greater than zero. (GH #938)
- Converge on a single side channel silent EC blinded multiply
algorithm. Uses Montgomery ladder with order/2 bits scalar blinding
and point randomization now by default. (GH #893)
- Add ability to search for certificates using the SHA-256 of the
distinguished name. (GH #900)
- Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
identically to an 8-byte IV of all zeros.
- Previously Botan forbid any use of times past 2037 to avoid Y2038
issues. Now this restriction is only in place on systems which have a
32-bit time_t. (GH #933 fixing #917)
- Fix a longstanding bug in modular exponentiation which caused most
exponentiations modulo an even number to have an incorrect result;
such moduli occur only rarely in cryptographic contexts. (GH #754)
- Fix a bug in BigInt multiply operation, introduced in 1.11.30, which
could cause incorrect results. Found by OSS-Fuzz fuzzing the ressol
function, where the bug manifested as an incorrect modular
exponentiation. OSS-Fuzz bug #287
- Fix a bug that meant the “ietf/modp/6144” and “ietf/modp/8192”
discrete log groups used an incorrect value for the generator,
specifically the value (p-1)/2 was used instead of the correct value
of 2.
- DL_Group strong generation previously set the generator to 2. However
sometimes 2 generates the entire group mod p, rather than the subgroup
mod q. This is invalid by X9.42 standard, and exposes incautious
applications to small subgroup attacks. Now DL_Group uses the smallest
g which is a quadratic residue. (GH #818)
- The default TLS policy now requires 2048 or larger DH groups by
default.
- The default Path_Validation_Restrictions constructor has changed to
require at least 110 bit signature strength. This means 1024 bit RSA
certificates and also SHA-1 certificates are rejected by default. Both
settings were already the default for certificate validation in TLS
handshake, but this changes it for applications also.
- Fix integer overflow during BER decoding, found by Falko Strenzke.
This bug is not thought to be directly exploitable but upgrading ASAP
is advised. (CVE-2016-9132)
- Add post-quantum signature scheme XMSS. Provides either 128 or 256 bit
(post-quantum) security, with small public and private keys, fast
verification, and reasonably small signatures (2500 bytes for 128-bit
security). Signature generation is very slow, on the order of seconds.
And very importantly the signature scheme is stateful: each leaf index
must only be used once, or all security is lost. In the appropriate
system where signatures are rarely generated (such as code signing)
XMSS makes an excellent choice. (GH #717 #736)
- Add support for client-side OCSP stapling to TLS. (GH #738)
- Previously both public and private keys performed automatic self
testing after generation or loading. However this often caused
unexpected application performance problems, and so has been removed.
Instead applications must call check_key explicitly. (GH #704)
- Fix TLS session resumption bugs which caused resumption failures if an
application used a single session cache for both TLS and DTLS. (GH
#688)
- The default TLS policy now disables static RSA ciphersuites, all DSA
ciphersuites, and the AES CCM-8 ciphersuites. Disabling static RSA by
default protects servers from oracle attacks, as well as enforcing a
forward secure ciphersuite. Some applications may be forced to
re-enable RSA for interop reasons. DSA and CCM-8 are rarely used, and
likely should not be negotiated outside of special circumstances.
- The default TLS policy now prefers ChaCha20Poly1305 cipher over any
AES mode.
- The default TLS policy now orders ECC curve preferences in order by
performance, with x25519 first, then P-256, then P-521, then the rest.
|
|
Fix a bug in X509 DN string comparisons that could result in out of
bound reads. This could result in information leakage, denial of
service, or potentially incorrect certificate validation results.
(CVE-2017-2801)
Avoid throwing during a destructor since this is undefined in
C++11 and rarely a good idea. (GH #930)
Fix a bug causing modular exponentiations done modulo even numbers
to almost always be incorrect, unless the values were small. This
bug is not known to affect any cryptographic operation in Botan. (GH
#754)
Avoid use of C++11 std::to_string in some code added in 1.10.14
(GH #747 #834)
Fix integer overflow during BER decoding, found by Falko Strenzke.
This bug is not thought to be directly exploitable but upgrading ASAP
is advised. (CVE-2016-9132)
Fix two cases where (in error situations) an exception would be thrown
from a destructor, causing a call to std::terminate.
When RC4 is disabled in the build, also prevent it from being included
in the OpenSSL provider. (GH #638)
|
|
|
|
|
|
- Wheel distribution format now supported
- Fix to misspelled rfc2459.id_at_sutname variable
- Fix to misspelled rfc2459.NameConstraints component tag ID
- Fix to misspelled rfc2459.GeneralSubtree component default status
|
|
|
|
|
|
-----------------------------------
- Improved SEQUENCE/SET/CHOICE decoding performance by maintaining a single shared
NamedType object for all instances of SEQUENCE/SET object.
- Improved INTEGER encoding/decoding by switching to Python's built-in
integer serialization functions.
- Improved BitString performance by rebasing it onto Python int type and leveraging
fast Integer serialization functions.
- BitString type usability improved in many ways: for example bitshifting and
numeric operation on BitString is now possible.
- Minor ObjectIdentifier type performance optimization.
- ASN.1 character types refactored to keep unicode contents internally
(rather than serialized octet stream) and duck-type it directly.
- ASN.1 OctetString initialized from a Python object performs bytes()
on it when running on Python 3 (used to do str() which is probably
less logical).
- Missing support for NoValue.__sizeof__ added.
- Added checks to make sure SEQUENCE/SET components being assigned
match the prototypes.
- Setter methods for constructed types consistently accept matchTags
and matchConstraints flags to control the strictness of inner
components compatibility verification. Previously, these checks
were tied to verifyConstraints flag, now they are all independent.
- General documentation improvements here and there.
- Fix to __reversed__() magic to make it returning an iterator.
- Test suite simplified and unified.
- The __all__ variable added to most of the Python modules.
- The "test" directory renamed into "tests" not to collide with
the "test" module.
|
|
Unknown
|
|
--------------------------------------
2.09 2016.10.26
- Fix creation of keys in ecdsa, ed25519 key classes
- Update eg/pssh-keygen to create ecdsa, ed25519 keys
- Handle hostkeys-00@openssh.com global requests
- Add support for 'CheckHostIP' and 'UpdateHostKeys' config options
- Refactor handling of '+' syntax in options
- Key fingerprints now output sha256-base64 by default.
(md5 can be specified with FingerprintHash config option)
- Add id_ed25519, id_ecdsa to default identity files
- Documentation updates in Perl.pm to reflect new functionality in 2.XX
2.08 2016.10.14
- Use sha512 instead of md5 in Net::SSH::Perl::Cipher->new_from_key_str()
to provide ChachaPoly with enough key material
Tests in t/05-cipher.t should now pass on all platforms [ CPAN bug #114077 ]
- Add AES128_CBC to cipher tests
- Info on using features not enabled by default added to README
2.07 2016.10.13
- Fix blowfish compilation on SunOS [CPAN bug #116323]
- Fix bug in Packet [CPAN bug #118335]
- Add support for '+' syntax in MACs option
- Remove hmac-sha1 from default MACs. It can re-enabled
by passing the option: 'MACs +hmac-sha1'
2.06 2016.10.04
- Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups
from OpenSSH 7.3 (draft-ietf-curdle-ssh-kex-sha2-03)
- Kex defaults now updated to draft-ietf-curdle-ssh-kex-sha2-03
recommendations (diffie-hellman-group-exchange-sha1 removed)
It can re-enabled by passing the option:
'KexAlgorithms +diffie-hellman-group-exchange-sha1'
2.05 2016.10.03
- Add support for '+' syntax in Ciphers, KexAlgorithms, HostKeyAlgorithms
options as in OpenSSH
2.04 2016.05.11
- Add ECDSA key support
- Improve extract_public() in Key.pm inspired by
https://github.com/renormalist/Net-SSH-Perl/pull/12
but implement comment with backwards compat with RSA/DSA datafellows
- Fix XS from being loaded more than once (warnings from Net::SFTP)
2.03 2016.05.06
- Fixes so that "make test" passes
2.02 2016.05.04
- Use CryptX to further reduce module depedencies
This eliminates the need for:
Math::Pari
Crypt::DH
Crypt::RSA
Crypt::DSA
Crypt::DES
Crypt::Blowfish
MIME::Base64
- Add support for rsa-sha2-512,rsa-sha2-256 signing with RSA keys
- Implement HashKnownHosts, KexAlgorithms, MACs config directives
- Add XS code for Chacha20, BSD Blowfish, Ed25519 routines
- Properly handle and create known_hosts entries when port is specified
- Remove obsolete ciphers, MACs, Kex from default list to duplicate
upcoming OpenSSH behavior
- Bug fixes
2.01 2016.02.19
- Use CryptX to reduce module depedencies
This eliminates the need for:
BSD::arc4random
Digest::MD5
Digest::SHA
Digest::HMAC_MD5
Crypt::OpenSSL::AES
2.00 2015.12.07
- Add Chacha20-Poly1305 cipher support for best security
(Requires Crypt::OpenSSH::ChachaPoly, see README)
- Add AES Cipher support in CTR mode (CBC mode supported in Ed25519
keys only)
- Add Group Exchange (RFC4523) Diffie-Hellman Key Exchange
- Add Curve25519 (curve25519-sha256@libssh.org) Key Exchange support
(Requires Crypt::Curve25519)
- Add hmac-sha2-256,hmac-sha2-512 MAC support
- Add hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Encrypt-then-MAC (ETM) MAC support
- Use BSD::arc4random for encrypted packet padding
- Add support for Ed25519 ssh/host keys (Requires Crypt::Ed25519)
Encrypted Ed25519 key support requires Crypt::OpenBSD::Blowfish
(See README for info)
- Default ciphers order is now chacha,aes,3des,blowfish,arcfour
- Default KEX order is now Curve25519, DHGEXSHA256, DHGEXSHA1, DH14, DH1
- Default MAC order is now hmac-sha2-512-etm@openssh.com,
hmac-sha2-256-etm@openssh.com, sha2-512, sha2-256, sha1, md5
- SSH Keys can now be in DOS format (no need to remove CR/LF)
- SOCKS proxy support via sub class Net::SSH:Perl::Proxy
- Now does not abort due to OpenSSH 6.8+ server
SSH2_MSG_GLOBAL_REQUEST messages for host key rotation
(pkgsrc changes)
- Adjust DEPENDS base upon above note (p5-CryptX related)
|
|
|
|
Cryptography in CryptX is based on https://github.com/libtom/libtomcrypt
|
|
0.13.0 - 2017-04-06
Added
- --debug-challenges pauses Certbot after setting up challenges for
debugging.
- The Nginx parser can handle all valid directives in configuration
files.
- Nginx ciphersuites changed to Mozilla Intermediate.
- certbot-auto --no-bootstrap won't install OS dependencies.
Fixed
- --register-unsafely-without-email respects --quiet.
- Hyphenated renewalparams are now saved in renewal config files.
- --dry-run no longer persists keys and csrs.
- No longer hangs when trying to start Nginx in Arch Linux.
- Apache rewrite rules no longer double-encode characters.
0.12.0 - 2017-03-02
Added
- Allow non-camelcase Apache VirtualHost names
- Allow more log messages to be silenced
Fixed
- Fix a regression around using --cert-name when getting new
certificates
|
|
---------------------------------------------
0.19 2017/01/13
- fix building against openssl 1.1.0 without compat modes (eroen)
|
|
------------------------------------------------
0.08 2017/02/08
- Makefile.PL MSWin32 fix
0.07 2016/10/25
- Makefile.PL supports OPENSSL_PREFIX or OPENSSL_LIB+OPENSSL_INCLUDE env variables
- Makefile.PL tries to find libcrypto via pkg-config
|
|
----------------------------------
2015-11-19 author <author@debian>
* README: Release 1.4.14
* PCSC.xs: Update copyright date
* PCSC.xs: _StringifyError(): cast Error in a (DWORD)
On Mac OS X El Capitan (at least) the value is extended to 64 bits and
is then wrong.
We get 0xFFFFFFFF80100068 instead of 0x80100068 and all the error codes
are all converted to the default error: "Unknown (reader specific ?) error..."
|
|
---------------------------------------
0.74 Feb 10, 2017
- Update list of options accepted by method "sftp" (bug report
by Mirror).
|
|
---------------------------------------
**** 1.03 August 26, 2016
Fix: rt.cpan.org #108908
Tests break when Net::DNS gets shadowed by existing pre-1.01 version.
|
|
---------------------------------------------
changes from 0.07 to 0.08
=========================
* updated Makefile.PL to reflect changes in default @INC handling v5.25+.
* fleshed README with documentation
* added README.md for GitHub
* updated to 'Nil' license
|
|
---------------------------------------------
0.26 2015-12-08 Mike McCauley
- pass CFLAGS and CPPFLAGS explicitly in the subdirectory to get all
hardening flags, Patch from Florian Schlichting.
|
|
2.0.2 (2017-03-19)
------------------
* Dropped support for Python 2.6, 3.2 & 3.3.
* (FIX) `OpenIDConnector` will no longer raise an AttributeError when calling `openid_authorization_validator()` twice.
|
|
1.81
Patch from Alexander Bluhm to enable RSA_get_key_parameters with
LibreSSL. Again.
Fixed memory leak in X509_get_subjectAltNames. Reported and patched by Jim Westfall.
Added . to lib path in Makefile.PL to accommodate people who are using a perl with -Ddefault_inc_excludes_dot.
Fixed build failure if engine support not present. Patch from Paul Green.
Improvements to get_my_thread_id to work around possibility of ERRSV not being defined eg on OpenWRT.
|
|
|
|
but old SITE (before updates) only has wrong checksum one and NetBSD mirror
holds proper DISTFILE anyway.
|
|
|
|
|