- Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
function (CVE-2021-23841)
- Fixed the RSA_padding_check_SSLv23() function and the
RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
- Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate functions (CVE-2021-23840)
- Fixed SRP_Calc_client_key so that it runs in constant time
not moving to 3.4 yet because 1) we don't yet have setuptools-rust
which looks like it needs a pip update (which becomes py3 only),
and 2) we still have some py2 users of pyca:
devel/py-twisted 2+3 (2 is only used by telepathy-logger)
mail/mailpile 2-only
security/py-openssl 2+3 (2 is only used by yubiserve, py-twisted)
security/py-paramiko 2+3 (2 used by several)
security/py-service_identity 2+3 (2 is only used by py-twisted)
security/py-axolotl 2+3, 2 not used
www/py-http_ece 2+3, 2 not used
www/py-jwt 2+3, 2 not used
sites affected by dropping the geotrust root (apple store, apple news etc)
are on different CAs now and the other known ones are api endpoints not so
likely to be important in a standard browser. OK robert, landry said 'rm
all the things' earlier which I am treating as an OK ;)
some root certificates which are still used by Apple, so let's keep them
until Apple fixes their shit
This essentially reverts this commit:
091c01dfb4
ok landry@
This Ruby Gem provides FFI bindings, and a simplified interface, to the
Argon2 algorithm. Argon2 is the official winner of the Password Hashing
Competition, a several year project to identify a successor to
bcrypt/PBKDF/scrypt methods of securely storing passwords. This is an
independent project and not official from the PHC team.
OK sthen@
Stegseek is a lightning fast steghide cracker that can be used to
extract hidden data from files. It is built as a fork of the original
steghide project and, as a result, it is thousands of times faster than
other crackers and can run through the entirety of rockyou.txt* in under
2 seconds.
Stegseek can also be used to extract steghide metadata without a
password, which can be used to test whether a file contains steghide
data.
feedback kn@ and gonzalo@, lots of feedback and OK sthen@
Upstream still ships the tarball, that's it, as per CVS log:
"primary distsite and homepage have gone away".
The only TCP port I've been able to detect (after producing traffic on a
variety of them) is SSH -- and that only worked after enabling IPv4.
Siphon does not seem to support/detect IPv6 at all and its OS fingerprints
are extremely old; besides Gentoo we're the only ones still packaging it
according to https://repology.org/project/siphon/versions .
Fails with "-fno-common".
OK cwen
That's a NetBus 1.6 client... upstream's dead as in NXDOMAIN, we seem to be
the only folks still packaging it.
It has not changed in twenty years (surprise!) and basically only exists to
screw around with old old Windows boxes which... still run the server?
Fails with "-fno-common".
OK jsg
- typo in default config
- use directories setup in PLIST for suricata-update and default config
- add missing @sample
- tweak readme
- build with libmaxminddb support
- add debug packages
- reinstate patches to run as !root
I still see problems with this, after running for a few minutes I get a
'unlocking already-unlocked mutex' SIGABRT, same before/after this diff