by abieber@
CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command
line tool and an HTTP API server for signing, verifying, and bundling
TLS certificates.
"pcscd --debug" prints dark blue lines background, rendering them unreadable
on dark background. The daemon has "-T" to enforce colored output, but no
switch to disable colors on TTYs.
Disable all detection logic such that "-T" is the only way to get colors.
OK sthen
* Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
sudoers option is enabled on systems with uni-directional pipes.
* The "sudoedit_checkdir" option now treats a user-owned directory
as writable, even if it does not have the write bit set at the
time of check. Symbolic links will no longer be followed by
sudoedit in any user-owned directory. Bug #912
* Fixed sudoedit on macOS 10.15 and above where the root file system
is mounted read-only. Bug #913.
* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
at the password prompt. Bug #914.
* Fixed compilation on systems where the mmap MAP_ANON flag
is not available. Bug #915.
Lots of new support, improvements but also CVE fixes, see
https://github.com/OpenSC/OpenSC/wiki#news
Testing and version string fix from Gabriel Kihlman, thanks!
OK rsadowski
scrypt estimates the amount of available RAM, and ignores RLIMIT_DATA on
systems which have mmap. From tedu@ (http://mail.tarsnap.com/scrypt/msg00263.html):
"...this is the wrong thing to do for OpenBSD. On OpenBSD, rlimit_data
is applied to anonymous mmap (since that's now the heap) for
consistency. RLIMIT_RSS is a vestigal do nothing define."
Issue is fixed by reverting 2b478e7ce5
While here set COMPILER and COMPILER_LANGS to fix building on sparc64
and powerpc (from kmos@, and tested by kmos@ and cwen@).
OK cwen@, "patch looks good to me" tedu@
* Fixed a warning on macOS introduced in sudo 1.8.29 when sudo
attempts to set the open file limit to unlimited. Bug #904.
* Sudo now closes file descriptors before changing uids. This
prevents a non-root process from interfering with sudo's ability
to close file descriptors on systems that support the prlimit(2)
system call.
* Sudo now treats an attempt to run "sudo sudoedit" as simply
"sudoedit". If the sudoers file contains a fully-qualified path
to sudoedit, sudo will now treat it simply as "sudoedit" (with
no path). Visudo will will now treat a fully-qualified path
to sudoedit as an error. Bug #871.
* Fixed a bug introduced in sudo 1.8.28 where sudo would warn about
a missing /etc/environment file on AIX and Linux when PAM is not
enabled. Bug #907
* Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
the askpass program from running due to an unlimited stack size
resource limit. Bug #908.
* If a group provider plugin has optional arguments, the argument list
passed to the plugin is now NULL terminated as per the documentation.
* The user's time stamp file is now only updated if both authentication
and approval phases succeed. This is consistent with the behavior
of sudo prior to version 1.8.23. Bug #910
* The new allow_unknown_runas_id sudoers setting can be used to
enable or disable the use of unknown user or group IDs. Previously,
sudo would always allow unknown user or group IDs if the sudoers
entry permitted it, including via the "ALL" alias. As of sudo
1.8.30, the admin must explicitly enable support for unknown IDs.
* The new runas_check_shell sudoers setting can be used to require
that the runas user have a shell listed in the /etc/shells file.
On many systems, users such as "bin", do not have a valid shell
and this flag can be used to prevent commands from being run as
those users.
* Fixed a problem restoring the SELinux tty context during reboot
if mctransd is killed before sudo finishes. GitHub Issue #17.
* Fixed an intermittent warning on NetBSD when sudo restores the
initial stack size limit.
Significant change since 1.2.1 is that in addition to the scrypt
command-line utility, a library "libscrypt-kdf" is build and installed.
While here:
- Change HOMEPAGE/MASTER_SITES to https
- Enable tests
- Set DEBUG_PACKAGES
OK sthen@
"You wrote a cool network client or server. It encrypts connections
using TLS. Your test suite needs to make TLS connections to itself.
Uh oh. Your test suite probably doesn't have a valid TLS certificate.
Now what?
trustme is a tiny Python package that does one thing: it gives you
a fake certificate authority (CA) that you can use to generate fake
TLS certs to use in your tests. Well, technically they're real
certs, they're just signed by your CA, which nobody trusts. But you
can trust it. Trust me."
Provides a temporary CA for doing TLS tests.
Needed for (at least) the py-aiohttp tests.
Version 0.5.3
OK kn@
- Only new exports added so bump minor.
- Cleanup WANTLIB
- Fix MASTER_SITE URL
- Cleanup plugin configuration
LibreSSL patches from Gentoo developer Stefan Strogin from here:
3e69b18db7
hitch-1.5.2 (2019-11-27)
- Fix a problem introduced in the previous release that prevented us from
running as a non-privileged user (Issue: 322).
hitch-1.5.1 (2019-11-26)
- Support for TCP Fast Open. Is is disabled by default (Issue: 185)
- Various code cleanups and minor bug fixes.
Upstream reworked their privdrop code and I have neither time nor further
interest in maintaining pledge patches, so drop support for it.
- Only new exports added so bump minor.
- Cleanup WANTLIB
- Fix MASTER_SITE URL
- Cleanup plugin configuration
LibreSSL patches from Gentoo developer Stefan Strogin from here:
3e69b18db7
Tested by landry@ with qgis
things. Most notably it allows testing RSA_padding_check_PKCS1_OAEP_mgf1()
and dlg's XChaCha20-Poly1305 implementation.
ok fcambus (earlier diff) jsing
Fixes some bugs and adds support for a new hash function. Changelog can
be found at https://github.com/rhash/RHash/blob/v1.3.8/ChangeLog.
Additional changes:
- Change HOMEPAGE; the old one gave a 404
- Take MAINTAINER
OK sthen@
use three scrypt backends; one in hashlib in python itself, one is
py-scrypt, and one is an internal slow pure-python implementation.
hashlib in our Python packages doesn't include scrypt (this requires
OpenSSL 1.1+'s scrypt code and isn't supported in libressl), and slow
pure-python implementation is slow, so provide the best available one.
This is a set of Python bindings for the scrypt key derivation function.
Scrypt is useful when encrypting passwords as it is possible to specify a
*minimum* amount of time to use when encrypting and decrypting. If, for
example, a password takes 0.05 seconds to verify, a user won't notice
the slight delay when signing in, but doing a brute force search of
several billion passwords will take a considerable amount of time. This
is in contrast to more traditional hash functions such as MD5 or the SHA
family which can be implemented extremely fast on cheap hardware.
The YubiKey Manager can configure FIDO2, OTP and PIV functionality on
a YubiKey. It works with any currently supported YubiKey. You can also
use the tool to check the type and firmware of a YubiKey. In addition,
you can use the extended settings to specify other features, such as to
configure 3-second long touch.
Provides library functionality for communicating with a FIDO device
over USB as well as verifying attestation and assertion signatures.
This library aims to support the FIDO U2F and FIDO 2.0 protocols for
communicating with a USB authenticator via the Client-to-Authenticator
Protocol (CTAP 1 and 2). In addition to this low-level device access,
classes defined in the fido2.client and fido2.server modules implement
higher level operations which are useful when interfacing with an
Authenticator, or when implementing WebAuthn support for a Relying
Party.
As warned by upstream, "This project is in beta. Expect things to
change or break at any time!" - it is currently known not to work on
OpenBSD with some device types.
From Lucas Raab < tuftedocelot at fastmail dot fm >, thanks!
Feedback from Georg Steuck
Feedback and OK kmos (earlier version)
Feedback and OK sthen
- build eapol_test, it's a useful way to test RADIUS servers + EAP
- rather than using a whole new build config file, copy and patch the
upstream default, making it easier to incorporate upstream changes in new
versions, and see what we have/haven't enabled
- replace /dev/urandom with arc4random_buf
25 March 2019
- Fix a socket issue when pcscd is used inside LXC container
- pcsc-spy: always provide a total time of execution
- Fix resource leak if SCardEstablishContext() fails
- Fix realloc(3) error handling (possible memory leak)
- Remove usage of function chmod(2) to use fchmod(2) (fix race condition)
1.8.24
12 October 2018
- the project moved to https://pcsclite.apdu.fr/
- SCardGetStatusChange(): Fix a rare race condition
- SCardReleaseContext(): do not release a lock owned by another context
- SCardReconnect(): suspend card auto power off
- Allow "=" in serial driver filenames
- Add the thread id in the pcscd log lines
- pcsc-spy: correctly handle incomplete log file
- Simclist: avoid to divide by zero in list_findpos()
- Some other minor improvements
No problems with a Yubikey NEO.
The pyscard smartcard library is a framework for building smart card
aware applications in Python.
the PCSC API Python wrapper module.
- smartcard.scard, an extension module wrapping the WinSCard API (smart
card base components) also known as PC/SC
- smartcard, a higher level Python framework built on top of the raw
PC/SC API
Version 1.9.9
From Lucas Rabb
Input and tweaks from myself and sthen
OK sthen
Crypt::PKCS10 parses PKCS #10 requests and provides accessor methods to
extract the requested data. First, the request will be parsed using the
included ASN.1 definition. Common object identifiers will be translated to
their corresponding names. Additionally, accessor methods allow to extract
single data fields. Bit Strings like signatures will be printed in their
hexadecimal representation.
From henning@; ok sthen@ afresh1@
The Crypt::LE module provides the functionality necessary to use Let's
Encrypt API and generate free SSL certificates for your domains. It can
also be used to generate private RSA and ECC keys or Certificate Signing
Requests without resorting to openssl command line. Crypt::LE is shipped
with a self-sufficient client for obtaining SSL certificates, le.pl.
Both ACME v1 and ACME v2 protocols and wildcard certificate issuance are
supported.
From henning@; ok sthen@ afresh1@
* The cvtsudoers command will now reject non-LDIF input when converting
from LDIF format to sudoers or JSON formats.
* The new log_allowed and log_denied sudoers settings make it possible
to disable logging and auditing of allowed and/or denied commands.
* The umask is now handled differently on systems with PAM or login.conf.
If the umask is explicitly set in sudoers, that value is used regardless
of what PAM or login.conf may specify. However, if the umask is not
explicitly set in sudoers, PAM or login.conf may now override the default
sudoers umask. Bug #900.
* For "make install", the sudoers file is no longer checked for syntax
errors when DESTDIR is set. The default sudoers file includes the
contents of /etc/sudoers.d which may not be readable as non-root.
Bug #902.
* Sudo now sets most resource limits to their maximum value to avoid
problems caused by insufficient resources, such as an inability to
allocate memory or open files and pipes.
* Fixed a regression introduced in sudo 1.8.28 where sudo would refuse
to run if the parent process was not associated with a session.
This was due to sudo passing a session ID of -1 to the plugin.