FiniteMonkeys / kerbal-maps

A Google Maps-like UI for Kerbal Space Program (KSP) celestial bodies.
Apache License 2.0

[Security] Bump pow from 1.0.0 to 1.0.19 #219

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps pow from 1.0.0 to 1.0.19.

Release notes

Sourced from pow's releases.

v1.0.19

Warning: This release will now sign and verify all tokens, causing previous tokens to no longer work. Any sessions and persistent sessions will be invalidated.

Enhancements

  • [Pow.Plug.Session] Now sets a global lock when renewing the session #414
  • [PowPersistentSession.Plug.Cookie] Now sets a global lock when authenticating the user #414
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.sign_confirmation_token/2 to sign the email_confirmation_token to prevent timing attacks #417
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.load_user_by_token/2 to verify the signed email_confirmation_token to prevent timing attacks #446
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.confirm_email/2 with map as second argument #446
  • [PowInvitation.Plug] Added PowInvitation.Plug.sign_invitation_token/2 to sign the invitation_token #417
  • [PowInvitation.Plug] Added PowInvitation.Plug.load_invited_user_by_token/2 to verify the signed invitation_token to prevent timing attacks #417
  • [PowResetPassword.Plug] Changed PowResetPassword.Plug.create_reset_token/2 to sign the :token #417
  • [PowResetPassword.Plug] Added PowResetPassword.Plug.load_user_by_token/2 to verify the signed token to prevent timing attacks #417
  • [PowResetPassword.Plug] Changed PowResetPassword.Plug.update_user_password/2 so it decodes the signed token #417
  • [PowPersistentSession.Plug.Cookie] Now uses signed tokens to prevent timing attacks #417
  • [Pow.Plug.Session] Now uses signed session IDs to prevent timing attacks #417
  • [Pow.Plug] Added Pow.Plug.sign_token/4 to sign tokens #417
  • [Pow.Plug] Added Pow.Plug.verify_token/4 to decode and verify signed tokens #417
  • [Pow.Plug.MessageVerifier] Added Pow.Plug.MessageVerifier module to sign and verify messages #417
  • [PowEmailConfirmation.Ecto.Context] Added PowEmailConfirmation.Ecto.Context.confirm_email/3 #446
  • [PowEmailConfirmation.Ecto.Schema] Added confirm_email_changeset/2 and pow_confirm_email_changeset/2 to the macro #446
  • [PowEmailConfirmation.Ecto.Schema] Added PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2 #446
  • [PowInvitation.Ecto.Schema] Added accept_invitation_changeset/2 and pow_accept_invitation_changeset/2 to the macro #446
  • [PowResetPassword.Ecto.Schema] Added reset_password_changeset/2 and pow_reset_password_changeset/2 to the macro #446
  • [Pow.Ecto.Schema] Now emits a warning instead of raising an error with missing fields/associations #455

Deprecations

  • [PowEmailConfirmation.Plug] PowEmailConfirmation.Plug.confirm_email/2 with token param as second argument has been deprecated in favor of PowEmailConfirmation.Plug.load_user_by_token/2, and PowEmailConfirmation.Plug.confirm_email/2 with map as second argument #446
  • [PowInvitation.Plug] PowInvitation.Plug.invited_user_from_token/2 has been deprecated in favor of PowInvitation.Plug.load_invited_user_by_token/2 #417
  • [PowInvitation.Plug] PowInvitation.Plug.assign_invited_user/2 has been deprecated #417
  • [PowResetPassword.Plug] PowResetPassword.Plug.user_from_token/2 has been deprecated in favor of PowResetPassword.Plug.load_user_by_token/2 #417
  • [PowResetPassword.Plug] PowResetPassword.Plug.assign_reset_password_user/2 has been deprecated #417
  • [PowEmailConfirmation.Ecto.Context] PowEmailConfirmation.Ecto.Context.confirm_email/2 deprecated in favor of PowEmailConfirmation.Ecto.Context.confirm_email/3 #446
  • [PowEmailConfirmation.Ecto.Schema] PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/1 deprecated in favor of PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2 #446

Documentation

v1.0.18

Bug fixes

  • [Pow.Phoenix.Routes] Fixed bug where callback route methods are not using the overridden method #418
  • [PowPersistentSession.Plug.Cookie] PowPersistentSession.Plug.Cookie.delete/2 now correctly pulls token during :before_send callback #420
  • [Pow.Plug.Session] Pow.Plug.Session.delete/2 now correctly pulls session id during :before_send callback so PowEmailConfirmation will remove set session #420

v1.0.17

Enhancements

... (truncated)
Changelog

Sourced from pow's changelog.

v1.0.19 (2020-03-13)

Warning: This release will now sign and verify all tokens, causing previous tokens to no longer work. Any sessions and persistent sessions will be invalidated.

Enhancements

  • [Pow.Plug.Session] Now sets a global lock when renewing the session
  • [PowPersistentSession.Plug.Cookie] Now sets a global lock when authenticating the user
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.sign_confirmation_token/2 to sign the email_confirmation_token to prevent timing attacks
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.load_user_by_token/2 to verify the signed email_confirmation_token to prevent timing attacks
  • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.confirm_email/2 with map as second argument
  • [PowInvitation.Plug] Added PowInvitation.Plug.sign_invitation_token/2 to sign the invitation_token
  • [PowInvitation.Plug] Added PowInvitation.Plug.load_invited_user_by_token/2 to verify the signed invitation_token to prevent timing attacks
  • [PowResetPassword.Plug] Changed PowResetPassword.Plug.create_reset_token/2 to sign the :token
  • [PowResetPassword.Plug] Added PowResetPassword.Plug.load_user_by_token/2 to verify the signed token to prevent timing attacks
  • [PowResetPassword.Plug] Changed PowResetPassword.Plug.update_user_password/2 so it decodes the signed token
  • [PowPersistentSession.Plug.Cookie] Now uses signed tokens to prevent timing attacks
  • [Pow.Plug.Session] Now uses signed session IDs to prevent timing attacks
  • [Pow.Plug] Added Pow.Plug.sign_token/4 to sign tokens
  • [Pow.Plug] Added Pow.Plug.verify_token/4 to decode and verify signed tokens
  • [Pow.Plug.MessageVerifier] Added Pow.Plug.MessageVerifier module to sign and verify messages
  • [PowEmailConfirmation.Ecto.Context] Added PowEmailConfirmation.Ecto.Context.confirm_email/3
  • [PowEmailConfirmation.Ecto.Schema] Added confirm_email_changeset/2 and pow_confirm_email_changeset/2 to the macro
  • [PowEmailConfirmation.Ecto.Schema] Added PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2
  • [PowInvitation.Ecto.Schema] Added accept_invitation_changeset/2 and pow_accept_invitation_changeset/2 to the macro
  • [PowResetPassword.Ecto.Schema] Added reset_password_changeset/2 and pow_reset_password_changeset/2 to the macro
  • [Pow.Ecto.Schema] Now emits a warning instead of raising an error with missing fields/associations

Deprecations

  • [PowEmailConfirmation.Plug] PowEmailConfirmation.Plug.confirm_email/2 with token param as second argument has been deprecated in favor of PowEmailConfirmation.Plug.load_user_by_token/2, and PowEmailConfirmation.Plug.confirm_email/2 with map as second argument
  • [PowInvitation.Plug] PowInvitation.Plug.invited_user_from_token/2 has been deprecated in favor of PowInvitation.Plug.load_invited_user_by_token/2
  • [PowInvitation.Plug] PowInvitation.Plug.assign_invited_user/2 has been deprecated
  • [PowResetPassword.Plug] PowResetPassword.Plug.user_from_token/2 has been deprecated in favor of PowResetPassword.Plug.load_user_by_token/2
  • [PowResetPassword.Plug] PowResetPassword.Plug.assign_reset_password_user/2 has been deprecated
  • [PowEmailConfirmation.Ecto.Context] PowEmailConfirmation.Ecto.Context.confirm_email/2 deprecated in favor of PowEmailConfirmation.Ecto.Context.confirm_email/3
  • [PowEmailConfirmation.Ecto.Schema] PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/1 deprecated in favor of PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2

Documentation

v1.0.18 (2020-02-14)

Bug fixes

  • [Pow.Phoenix.Routes] Fixed bug where callback route methods are not using the overridden method
  • [PowPersistentSession.Plug.Cookie] PowPersistentSession.Plug.Cookie.delete/2 now correctly pulls token during :before_send callback
  • [Pow.Plug.Session] Pow.Plug.Session.delete/2 now correctly pulls session id during :before_send callback so PowEmailConfirmation will remove set session
... (truncated)
Commits
  • 76475d7 Roll version
  • 9740b87 Merge pull request #455 from danschultzer/warn-instead-raise-fields
  • 86a0ace Now emits warning instead of raising during compilation
  • 76594bd Merge pull request #454 from danschultzer/update-api-guide
  • 44866f3 Update API guide to ensure that renewal token gets deleted
  • 8e5a20f Merge branch 'nduitz-fix-store-backwards-compatibility'
  • 4e02997 Ensure that error is raised if store can't be loaded
  • e9fa49f ensure code is loaded before checking for function
  • a3bf5ce Update docs
  • 35311b8 Merge pull request #450 from danschultzer/update-api-guide
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard (https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
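The v1.0.19 notes above repeatedly say that reset, invitation, confirmation and session tokens are now signed "to prevent timing attacks". The point is that a raw random token looked up directly in a store can be compared byte by byte by that store, and a comparison that stops at the first mismatch leaks how much of a candidate was right. With a signed token the server first checks a MAC over the token in constant time and only a token that already carries a valid signature reaches the store, so an attacker without the application secret never gets a chosen value to the lookup. The following is an added Python model of that mechanism written for this page; it is not Pow's code (Pow's `Pow.Plug.sign_token/4`, `verify_token/4` and `Pow.Plug.MessageVerifier` are Elixir), and the secret, the PBKDF2 per-salt key derivation, the `payload.signature` layout, and the `RESET_TOKENS` store contents are all constructed assumptions of the example.

```python
import base64
import hashlib
import hmac

# Constructed application secret; a Phoenix app would use its :secret_key_base.
SECRET_KEY_BASE = b"constructed-secret-key-base-for-this-example-only"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(salt: str) -> bytes:
    # Per-purpose key: the salt ("reset_password", "session", ...) binds a signature
    # to one use, so a signed reset token is not accepted where a session id is expected.
    # PBKDF2-HMAC-SHA256 is this example's assumption, not a statement about Plug.Crypto.
    return hashlib.pbkdf2_hmac("sha256", SECRET_KEY_BASE, salt.encode(), 1000, 32)


def sign_token(salt: str, token: str) -> str:
    """Return "payload.signature", the form a signed token takes in a cookie or URL."""
    payload = _b64encode(token.encode())
    mac = hmac.new(_derive_key(salt), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64encode(mac)}"


def verify_token(salt: str, signed: str):
    """Return the original token if the signature is valid for this salt, else None.

    The MAC comparison is constant-time and nothing here consults the token store,
    so a forged or mutated token is rejected before any store lookup happens.
    """
    payload, sep, sig = signed.partition(".")
    if not sep or not payload or not sig:
        return None
    try:
        presented = _b64decode(sig)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(_derive_key(salt), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        return _b64decode(payload).decode()
    except ValueError:
        return None


# Constructed server-side store: raw token -> user id, as a persistent store would hold.
RESET_TOKENS = {"abc123": "user-42"}


def load_user_by_token(salt: str, signed: str, store: dict):
    """Verify first, look up second: the store only ever sees tokens with a valid MAC."""
    token = verify_token(salt, signed)
    if token is None:
        return None
    return store.get(token)


if __name__ == "__main__":
    signed = sign_token("reset_password", "abc123")
    print("signed token:", signed)
    print("valid signed token ->", load_user_by_token("reset_password", signed, RESET_TOKENS))
    print("raw unsigned token  ->", load_user_by_token("reset_password", "abc123", RESET_TOKENS))
    print("wrong salt          ->", verify_token("session", signed))
```

The consequence the release warning spells out follows directly from this design: once the server only accepts signed values, every token issued before the upgrade fails `verify_token` and all existing sessions and persistent sessions are invalidated, so the bump should be rolled out with that user-visible effect in mind.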
dependabot-preview[bot] commented 4 years ago

We've just been alerted that this update fixes a security vulnerability:

Sourced from The Elixir Advisory Database.

Session fixation

Impact

The use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. The cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.

Workarounds

Call Plug.Conn.configure_session(conn, renew: true) periodically and after ... (truncated)

Patched versions: [">= 1.0.16"]
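The advisory above names the mechanism but the reason a persistent store matters is easy to miss: with Redis or a database behind Plug.Session, the session id handed to an unauthenticated browser is the key under which the post-login state is later stored, so whoever knew that id before login can read the authenticated session afterwards unless the id is renewed. The following added Python simulation (not Pow's or Plug's code) models a server-side store and a login handler with and without the `configure_session(conn, renew: true)` behaviour the workaround describes; `ServerSideSessionStore`, `App`, `simulate` and the user id `user-42` are constructed for the example.

```python
import secrets


class ServerSideSessionStore:
    """Constructed stand-in for a Redis or database session store: session id -> data."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def put(self, sid, data):
        self._sessions[sid] = data

    def delete(self, sid):
        self._sessions.pop(sid, None)


class App:
    """Minimal model of a request pipeline using Plug.Session with a persistent store."""

    def __init__(self, store, renew_on_login: bool):
        self.store = store
        self.renew_on_login = renew_on_login

    def request(self, cookie_sid=None) -> str:
        # Session plug: reuse the id from the cookie if the store knows it, else create one.
        if cookie_sid is not None and self.store.get(cookie_sid) is not None:
            return cookie_sid
        return self.store.create()

    def login(self, cookie_sid, user_id) -> str:
        """Authenticate and return the session id the response sets as the session cookie."""
        sid = self.request(cookie_sid)
        data = dict(self.store.get(sid), current_user_id=user_id)
        if self.renew_on_login:
            # Model of configure_session(conn, renew: true): fresh id, state moved, old id dropped.
            new_sid = self.store.create()
            self.store.put(new_sid, data)
            self.store.delete(sid)
            return new_sid
        self.store.put(sid, data)      # vulnerable path: pre-login id now holds the user
        return sid

    def current_user(self, cookie_sid):
        data = self.store.get(cookie_sid)
        return data.get("current_user_id") if data else None


def simulate(renew_on_login: bool) -> dict:
    """Check whether an id issued before login still resolves to the logged-in user after it."""
    store = ServerSideSessionStore()
    app = App(store, renew_on_login)
    pre_login_sid = app.request()                        # id issued to an unauthenticated browser
    post_login_sid = app.login(pre_login_sid, "user-42")  # that browser then logs in
    return {
        "id_changed": post_login_sid != pre_login_sid,
        "pre_login_id_authenticated": app.current_user(pre_login_sid) == "user-42",
        "post_login_id_authenticated": app.current_user(post_login_sid) == "user-42",
    }


if __name__ == "__main__":
    for renew in (False, True):
        print(f"renew_on_login={renew}: {simulate(renew)}")
```

Without renewal the pre-login id keeps resolving to the authenticated session; with renewal it is deleted and only the freshly issued id does. This also explains the advisory's remark about the cookie store: there the session state itself travels in the signed cookie, so no server-side record is keyed by an id that existed before login, and the post-login cookie is a new value the pre-login party never held. For deployments that cannot take the version bump immediately, calling `Plug.Conn.configure_session(conn, renew: true)` at authentication is the minimal form of the stated workaround.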