Skip to content

Bump the pip group across 1 directory with 10 updates#5

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-d966020962
Open

Bump the pip group across 1 directory with 10 updates#5
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-d966020962

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github May 20, 2024

Bumps the pip group with 10 updates in the / directory:

Package From To
certifi 2018.8.24 2023.7.22
flask 1.0.2 2.2.5
httplib2 0.11.3 0.19.0
idna 2.7 3.7
jinja2 2.10 3.1.4
pyjwt 1.4.2 2.4.0
requests 2.19.1 2.32.0
rsa 4.0 4.7
urllib3 1.23 1.26.18
werkzeug 0.14.1 3.0.3

Updates certifi from 2018.8.24 to 2023.7.22

Commits

Updates flask from 1.0.2 to 2.2.5

Release notes

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

2.2.4

This is a fix release for the 2.2.x release branch.

2.2.3

This is a fix release for the 2.2.x release branch.

2.2.2

This is a fix release for the 2.2.0 feature release.

2.2.1

This is a fix release for the 2.2.0 feature release.

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

2.1.3

2.1.2

This is a fix release for the 2.1.0 feature release.

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Changelog

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

  • Update for compatibility with Werkzeug 2.3.3.
  • Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

  • Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

  • Autoescape is enabled by default for .svg template files. :issue:4831
  • Fix the type of template_folder to accept pathlib.Path. :issue:4892
  • Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

  • Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
  • Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

  • Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

Commits

Updates httplib2 from 0.11.3 to 0.19.0

Changelog

Sourced from httplib2's changelog.

0.19.0

auth: parse headers using pyparsing instead of regexp httplib2/httplib2#182

auth: WSSE token needs to be string not bytes httplib2/httplib2#179

0.18.1

explicit build-backend workaround for pip build isolation bug "AttributeError: 'module' object has no attribute 'legacy'" on pip install httplib2/httplib2#169

0.18.0

IMPORTANT security vulnerability CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. Special thanks to Recar https://github.com/Ciyfly for discrete notification. https://cwe.mitre.org/data/definitions/93.html

0.17.4

Ship test suite in source dist httplib2/httplib2#168

0.17.3

IronPython2.7: relative import iri2uri fixes ImportError httplib2/httplib2#163

0.17.2

python3 + debug + IPv6 disabled: https raised "IndexError: Replacement index 1 out of range for positional args tuple" httplib2/httplib2#161

0.17.1

python3: no_proxy was not checked with https httplib2/httplib2#160

0.17.0

feature: Http().redirect_codes set, works after follow(_all)_redirects check This allows one line workaround for old gcloud library that uses 308 response without redirect semantics. httplib2/httplib2#156

0.16.0

... (truncated)

Commits
  • 81e80d0 v0.19.0 release
  • c3aed1e fix release script, interactive part
  • bd9ee25 parse auth headers using pyparsing instead of regexp
  • 33090ab initial fuzz testing integration with OSS-Fuzz
  • 595e248 auth: WSSE token needs to be string not bytes
  • 9bf300c v0.18.1 release
  • cb2940a explicit build-backend workaround pip build isolation bug 6264
  • 94f48ef check-manifest build tool
  • 828c26d Security Policy
  • 8373177 v0.18.0 release
  • Additional commits viewable in compare view

Updates idna from 2.7 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

  • Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

  • Update to Unicode 15.1.0
  • String codec name is now "idna2008" as overriding the system codec "idna" was not working.
  • Fix typing error for codec encoding
  • "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
  • Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
  • Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

  • Update to Unicode 15.0.0
  • Migrate to pyproject.toml for build information (PEP 621)
  • Correct another instance where generic exception was raised instead of IDNAError for malformed input
  • Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

3.3 (2021-10-13) ++++++++++++++++

  • Update to Unicode 14.0.0
  • Update to in-line type annotations
  • Throw IDNAError exception correctly for some malformed input
  • Advertise support for Python 3.10
  • Improve testing regime on Github

... (truncated)

Commits
  • 1d365e1 Release v3.7
  • c1b3154 Merge pull request #172 from kjd/optimize-contextj
  • 0394ec7 Merge branch 'master' into optimize-contextj
  • cd58a23 Merge pull request #152 from elliotwutingfeng/dev
  • 5beb28b More efficient resolution of joiner contexts
  • 1b12148 Update ossf/scorecard-action to v2.3.1
  • d516b87 Update Github actions/checkout to v4
  • c095c75 Merge branch 'master' into dev
  • 60a0a4c Fix typo in GitHub Actions workflow key
  • 5918a0e Merge branch 'master' into dev
  • Additional commits viewable in compare view

Updates jinja2 from 2.10 to 3.1.4

Release notes

Sourced from jinja2's releases.

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

3.1.2

This is a fix release for the 3.1.0 feature release.

3.1.1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

3.0.3

3.0.2

3.0.1

3.0.0

New major versions of all the core Pallets libraries, including Jinja 3.0, have been released! 🎉

This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.4

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:h75v-3vvj-5mfj

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

  • Add parameters to Environment.overlay to match __init__. :issue:1645
  • Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

  • The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

  • Drop support for Python 3.6. :pr:1534
  • Remove previously deprecated code. :pr:1544

... (truncated)

Commits

Updates pyjwt from 1.4.2 to 2.4.0

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

What's Changed

New Contributors

Full Changelog: jpadilla/pyjwt@2.3.0...2.4.0

2.3.0

What's Changed

... (truncated)

Changelog

Sourced from pyjwt's changelog.

v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__

Security


- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24

Changed



- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742

Fixed



- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743

Added




v2.3.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0&amp;gt;__


Fixed



- Revert &amp;quot;Remove arbitrary kwargs.&amp;quot; `[#701](https://github.com/jpadilla/pyjwt/issues/701) &amp;lt;https://github.com/jpadilla/pyjwt/pull/701&amp;gt;`__

Added



    

  • Add exception chaining [#702](https://github.com/jpadilla/pyjwt/issues/702) &amp;lt;https://github.com/jpadilla/pyjwt/pull/702&amp;gt;__
    • 



v2.2.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0&amp;gt;__


&lt;/tr&gt;&lt;/table&gt;

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>


<ul>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a> fix: failing advisory test</li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a> Update CHANGELOG.rst (<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li">https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a> Replace various string interpolations with f-strings (<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li">https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li">https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a> Don't mutate options dictionary in .decode_complete() (<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li">https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>

<li><a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a">https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li">https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li>

<li>Additional commits viewable in <a href="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/jpadilla/pyjwt/compare/1.4.2...2.4.0&quot;&gt;compare">https://github.com/jpadilla/pyjwt/compare/1.4.2...2.4.0&quot;&gt;compare view</a></li>

</ul>

</details>


<br />




Updates requests from 2.19.1 to 2.32.0



Release notes

Sourced from requests's releases.




v2.32.0


2.32.0 (2024-05-20)


🐍 PYCON US 2024 EDITION 🐍


Security



Improvements


    

  • verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
    • 

  • Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
    • 



Bugfixes


    

  • Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
    • 

  • Fixed deserialization bug in JSONDecodeError. (#6629)
    • 

  • Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
    • 



Deprecations


    

  • Requests has officially added support for CPython 3.12 (#6503)
    • 

  • Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
    • 

  • Requests has officially dropped support for CPython 3.7 (#6642)
    • 

  • Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
    • 



Documentation


    

  • Various typo fixes and doc improvements.
    • 



Packaging


    

  • Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
    • 

  • Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
    • 



New Contributors






... (truncated)





Changelog

Sourced from requests's changelog.




2.32.0 (2024-05-20)


Security



Improvements


    

  • verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
    • 

  • Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
    • 



Bugfixes


    

  • Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
    • 

  • Fixed deserialization bug in JSONDecodeError. (#6629)
    • 

  • Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
    • 



Deprecations


    

  • Requests has officially added support for CPython 3.12 (#6503)
    • 

  • Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
    • 

  • Requests has officially dropped support for CPython 3.7 (#6642)
    • 

  • Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)
    • 



Documentation


    

  • Various typo fixes and doc improvements.
    • 



Packaging


    

  • Requests has started adopting some modern packaging practices.
The source files for the projects (formerly requests) is now located
in src/requests in the Requests sdist. (#6506)
    • 

  • Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
    • 



2.31.0 (2023-05-22)


Security





... (truncated)





Commits

    

  • d6ebc4a v2.32.0
    • 

  • 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
    • 

  • 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
    • 

  • 555b870 Allow character detection dependencies to be optional in post-packaging steps
    • 

  • d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
    • 

  • bf24b7d Use an invalid URI that will not cause httpbin to throw 500
    • 

  • 2d5f547 Pin 3.8 and 3.9 runners back to macos-13 (#6688)
    • 

  • f1bb07d Merge pull request #6687 from psf/dependabot/github_actions/github/codeql-act...
    • 

  • 60047ad Bump github/codeql-action from 3.24.0 to 3.25.0
    • 

  • 31ebb81 Merge pull request #6682 from frenzymadness/pytest8
    • 

  • Additional commits viewable in compare view
    • 







Updates rsa from 4.0 to 4.7



Changelog

Sourced from rsa's changelog.




Version 4.7 - released 2021-01-10


    

  • Fix #165:
CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption
code
    • 

  • Add padding length check as described by PKCS#1 v1.5 (Fixes
#164)
    • 

  • Reuse of blinding factors to speed up blinding operations.
Fixes #162.
    • 

  • Declare & test support for Python 3.9
    • 



Version 4.4 & 4.6 - released 2020-06-12


Version 4.4 and 4.6 are almost a re-tagged release of version 4.2. It requires
Python 3.5+. To avoid older Python installations from trying to upgrade to RSA
4.4, this is now made explicit in the python_requires argument in setup.py.
There was a mistake releasing 4.4 as "3.5+ only", which made it necessary to
retag 4.4 as 4.6 as well.


No functional changes compared to version 4.2.


Version 4.3 & 4.5 - released 2020-06-12


Version 4.3 and 4.5 are almost a re-tagged release of version 4.0. It is the
last to support Python 2.7. This is now made explicit in the python_requires
argument in setup.py. Python 3.4 is not supported by this release. There was a
mistake releasing 4.4 as "3.5+ only", which made it necessary to retag 4.3 as
4.5 as well.


Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.


    

  • Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
    • 

  • Reject cyphertexts (when decrypting) and signatures (when verifying) that have
been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks
Carnil for pointing this out.
    • 



Version 4.2 - released 2020-06-10


    

  • Rolled back the switch to Poetry, and reverted back to using Pipenv + setup.py
for dependency management. There apparently is an issue no-binary installs of
packages build with Poetry. This fixes
#148
    • 

  • Limited SHA3 support to those Python versions (3.6+) that support it natively.
The third-party library that adds support for this to Python 3.5 is a binary
package, and thus breaks the pure-Python nature of Python-RSA.
This should fix #147.
    • 






... (truncated)





Commits

    

  • fa3282a Bumped version to 4.7
    • 

  • a364e82 Marked version 4.7 as released
    • 

  • 539c54a Fix #170: mistake in examples of documentation
    • 

  • b81e317 Declare support for and test Python 3.9
    • 

  • 06ec1ea Fix #162: Blinding uses slow algorithm
    • 

  • 341e5c4 Directly raise DecryptionError when crypto length is bad
    • 

  • f254895 Use bytes.find() instead of bytes.index()
    • 

  • 240b0d8 Add link to changelog
    • 

  • f878c37 Fix #164: Add padding length check as described by PKCS#1 v1.5
    • 

  • dae8ce0 Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
    • 

  • Additional commits viewable in compare view
    • 







Updates urllib3 from 1.23 to 1.26.18



Release notes

Sourced from urllib3's releases.




1.26.18


    

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
    • 



1.26.17


    

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
    • 



1.26.16


    

  • Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)
    • 



1.26.15



1.26.14


    

  • Fixed parsing of port 0 (zero) returning None, instead of 0 (#2850)
    • 

  • Removed deprecated HTTPResponse.getheaders() calls in urllib3.contrib module.
    • 



1.26.13


    

  • Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
    • 

  • Fixed an issue where parsing a URL with leading zeroes in the port would be rejected even when the port number after removing the zeroes was valid.
    • 

  • Fixed a deprecation warning when using cryptography v39.0.0.
    • 

  • Removed the <4 in the Requires-Python packaging metadata field.
    • 



1.26.12


    

  • Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module. Both will be removed in v2.x. See this GitHub issue for justification and info on how to migrate.
    • 



1.26.11


If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.


:warning: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap


    

  • Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would raise an OverflowError on Python 3.9 and earlier.
    • 



1.26.10


If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.


:warning: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap


:closed_lock_with_key: This is the first release to be signed with Sigstore! You can verify the distributables using the .sig and .crt files included on this release.


    

  • Removed support for Python 3.5
    • 

  • Fixed an issue where a ProxyError recommending configuring the proxy as HTTP instead of HTTPS could appear even when an HTTPS proxy wasn't configured.
    • 



1.26.9


If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors.





... (truncated)





Changelog

Sourced from urllib3's changelog.




1.26.18 (2023-10-17)


    

  • Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
    • 



1.26.17 (2023-10-02)


    

  • Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
    • 



1.26.16 (2023-05-23)


    

  • Fixed thread-safety issue where accessing a PoolManager with many distinct origins
would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)
    • 



1.26.15 (2023-03-10)


    

  • Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
    • 

  • Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
    • 

  • Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)
    • 



1.26.14 (2023-01-11)


    

  • Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
    • 

  • Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)
    • 



1.26.13 (2022-11-23)


    

  • Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
    • 

  • Fixed an issue where parsing a URL with leading zeroes in the port would be rejected
even when the port number after removing the zeroes was valid.
    • 

  • Fixed a deprecation warning when using cryptography v39.0.0.
    • 

  • Removed the <4 in the Requires-Python packaging metadata field.
    • 



1.26.12 (2022-08-22)


    

  • Deprecated the urllib3[secure] extra and the urllib3.contrib.pyopenssl module.
Both will be removed in v2.x. See this GitHub issue <https://github.com/urllib3/urllib3/issues/2680>_
for justification and info on how to migrate.
    • 



1.26.11 (2022-07-25)


    

  • Fixed an issue where reading more than 2 GiB in a call to HTTPResponse.read would
    • 






... (truncated)





Commits

    

  • 9c2c230 Release 1.26.18 (#3159)
    • 

  • b594c5c Merge pull request from GHSA-g4mx-q9vg-27p4
    • 

  • 944f0eb [1.26] Use vendored six in urllib3.contrib.securetransportDescription has been truncated

@dependabot
7a9a61f 
---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: flask
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: httplib2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: idna
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: jinja2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyjwt
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: rsa
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: urllib3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: werkzeug
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 20, 2024
@dependabot dependabot bot mentioned this pull request May 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants