snappass/CHANGELOG.rst

Version 1.5.0
-------------
* Added support for "2 week" secret lifetimes.
* The ``NO_SSL`` environment variable is now propertly parsed.
* The ``URL_PREFIX`` environment variable can be used to add a prefix to URLs,
  which is useful when running behind a reverse proxy like nginx.
* Prevent prefetching bots from destroying secrets.
* Replaced mockredis with fakeredis in the unit test environment.
* Added support for Python 3.8.

Version 1.4.2
-------------
 * Various minor README and documentation improvements
 * Upgrade to Jinja 2.10.1
 * Fix autocomplete bug where hitting "back" would allow to autocomplete the password

Version 1.4.1
-------------
 * Switch to local (non-CDN) Font Awesome assets
 * Upgraded cryptography to 2.3.1 (for CVE-2018-10903, although snappass is
   unaffected because it doesn't use the vulnerable ``finalize_with_tag`` API)

Version 1.4.0
-------------
*You will lose stored passwords during the upgrade to this version*
 * Added a prefix in redis in front of the storage keys, making the redis safer to share with other applications
 * Small test and syntax improvements

Version 1.3.0
-------------
* Quote urls to fix bug with ending in '='
* Mock redis
* Drop support for python 2.6 and python 3.3

Version 1.2.0
-------------
* Added Fernet cryptography to the stored keys, prevent access to full text passwords if someone has access to Redis
Prepare the 1.5.0 release (#127) 2020-09-15 18:22:49 +02:00			`Version 1.5.0`
			`-------------`
			`* Added support for "2 week" secret lifetimes.`
			* The ``NO_SSL`` environment variable is now propertly parsed.
Move to version 1.5.0 (in development) Also start the changelog for this next release. 2019-08-09 23:40:07 +02:00			* The ``URL_PREFIX`` environment variable can be used to add a prefix to URLs,
			`which is useful when running behind a reverse proxy like nginx.`
Prepare the 1.5.0 release (#127) 2020-09-15 18:22:49 +02:00			`* Prevent prefetching bots from destroying secrets.`
Move to version 1.5.0 (in development) Also start the changelog for this next release. 2019-08-09 23:40:07 +02:00			`* Replaced mockredis with fakeredis in the unit test environment.`
Add support for Python 3.8 (#115) * Remove Travis Python 3.7 hack No longer necessary: 3.7 is supported out-of-the-box * Add support for Python 3.8 And explicitly document in setup.py * "Upgrade base Docker image to Python 3.8"a * Add entry about py38 support in WIP changelog * Explicitly declare python versions in setup.py * Bump Werkzeug to 0.15.6 This is the latest 0.15 version. 0.16 might be incompatible The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5): > Fix a TypeError due to changes to ast.Module in Python 3.8. 2019-11-25 17:58:29 +01:00			`* Added support for Python 3.8.`
Move to version 1.5.0 (in development) Also start the changelog for this next release. 2019-08-09 23:40:07 +02:00
Bump version: 1.4.1 → 1.4.2 2019-06-02 21:37:08 +02:00			`Version 1.4.2`
			`-------------`
			`* Various minor README and documentation improvements`
			`* Upgrade to Jinja 2.10.1`
			`* Fix autocomplete bug where hitting "back" would allow to autocomplete the password`

Upgrade to cryptography 2.3.1 This addresses CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. ... although snappass isn't affected because we doesn't use the vulnerable `finalize_with_tag` API. 2018-10-31 17:35:44 +01:00			`Version 1.4.1`
			`-------------`
Prepare the 1.4.1 release - Update the changelog - Include our Code of Conduct and Adopters documents 2018-10-31 23:49:25 +01:00			`* Switch to local (non-CDN) Font Awesome assets`
Upgrade to cryptography 2.3.1 This addresses CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. ... although snappass isn't affected because we doesn't use the vulnerable `finalize_with_tag` API. 2018-10-31 17:35:44 +01:00			`* Upgraded cryptography to 2.3.1 (for CVE-2018-10903, although snappass is`
			unaffected because it doesn't use the vulnerable ``finalize_with_tag`` API)

Add changelog for 1.4.0 2018-07-03 17:30:22 +02:00			`Version 1.4.0`
			`-------------`
			`You will lose stored passwords during the upgrade to this version`
			`* Added a prefix in redis in front of the storage keys, making the redis safer to share with other applications`
			`* Small test and syntax improvements`

Bump version to 1.3.0 2018-05-07 18:23:51 +02:00			`Version 1.3.0`
			`-------------`
			`* Quote urls to fix bug with ending in '='`
			`* Mock redis`
			`* Drop support for python 2.6 and python 3.3`

Add CHANGELOG file, fixes #67 2017-05-16 19:34:37 +02:00			`Version 1.2.0`
			`-------------`
			`* Added Fernet cryptography to the stored keys, prevent access to full text passwords if someone has access to Redis`