* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.
Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (GHSA-g4mx-q9vg-27p4)
1.26.17
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (GHSA-v845-jxx5-vc9f)
1.26.16
Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954)
Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. ([#3139](https://github.com/urllib3/urllib3/issues/3139) <https://github.com/urllib3/urllib3/pull/3139>_)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many distinct origins
would cause connection pools to be closed while requests are in progress ([#2954](https://github.com/urllib3/urllib3/issues/2954) <https://github.com/urllib3/urllib3/pull/2954>_)
1.26.15 (2023-03-10)
Fix socket timeout value when HTTPConnection is reused ([#2645](https://github.com/urllib3/urllib3/issues/2645) <https://github.com/urllib3/urllib3/issues/2645>__)
Remove "!" character from the unreserved characters in IPv6 Zone ID parsing
([#2899](https://github.com/urllib3/urllib3/issues/2899) <https://github.com/urllib3/urllib3/issues/2899>__)
Fix IDNA handling of '\x80' byte ([#2901](https://github.com/urllib3/urllib3/issues/2901) <https://github.com/urllib3/urllib3/issues/2901>__)
1.26.14 (2023-01-11)
Fixed parsing of port 0 (zero) returning None, instead of 0. ([#2850](https://github.com/urllib3/urllib3/issues/2850) <https://github.com/urllib3/urllib3/issues/2850>__)
Removed deprecated getheaders() calls in contrib module. Fixed the type hint of PoolKey.key_retries by adding bool to the union. ([#2865](https://github.com/urllib3/urllib3/issues/2865) <https://github.com/urllib3/urllib3/issues/2865>__)
1.26.13 (2022-11-23)
Deprecated the HTTPResponse.getheaders() and HTTPResponse.getheader() methods.
Fixed an issue where parsing a URL with leading zeroes in the port would be rejected
even when the port number after removing the zeroes was valid.
Fixed a deprecation warning when using cryptography v39.0.0.
Removed the <4 in the Requires-Python packaging metadata field.
This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 2.3.x branch is now the supported fix branch, the 2.2.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
Fix slow multipart parsing for large parts potentially enabling DoS
attacks.
Version 2.3.7
Released 2023-08-14
Use flit_core instead of setuptools as build backend.
Fix parsing of multipart bodies. :issue:2734
Adjust index of last newline in data start. :issue:2761
Parsing ints from header values strips spacing first. :issue:2734
Fix empty file streaming when testing. :issue:2740
Clearer error message when URL rule does not start with slash. :pr:2750
Acceptq value can be a float without a decimal part. :issue:2751
Version 2.3.6
Released 2023-06-08
FileStorage.content_length does not fail if the form data did not provide a
value. :issue:2726
Version 2.3.5
Released 2023-06-07
Python 3.12 compatibility. :issue:2704
Fix handling of invalid base64 values in Authorization.from_header. :issue:2717
The debugger escapes the exception message in the page title. :pr:2719
When binding routing.Map, a long IDNA server_name with a port does not fail
encoding. :issue:2700
iri_to_uri shows a deprecation warning instead of an error when passing bytes.
:issue:2708
When parsing numbers in HTTP request headers such as Content-Length, only ASCII
digits are accepted rather than any format that Python's int and float
accept. :issue:2716
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
Bumps the pip group with 10 updates in the /apps/bank/contacts/src directory:
2022.9.24
2023.7.22
38.0.2
42.0.4
2.2.2
2.2.5
1.49.1
1.53.2
3.4
3.7
3.1.2
3.1.3
3.15.0
3.19.1
2.28.1
2.31.0
1.26.12
1.26.18
2.2.2
2.3.8
Bumps the pip group with 9 updates in the /apps/bank/frontend/src directory:
2022.9.24
2023.7.22
38.0.2
42.0.4
2.2.2
2.2.5
1.49.1
1.53.2
3.4
3.7
3.1.2
3.1.3
2.28.1
2.31.0
1.26.12
1.26.18
2.2.2
2.3.8
Bumps the pip group with 8 updates in the /apps/bank/loadgenerator/src directory:
2022.9.24
2023.7.22
2.2.2
2.2.5
3.4
3.7
3.1.2
3.1.3
2.28.1
2.31.0
1.26.12
1.26.18
2.2.2
2.3.8
22.8.0
23.9.0
Bumps the pip group with 10 updates in the /apps/bank/user/src directory:
2022.9.24
2023.7.22
38.0.2
42.0.4
2.2.2
2.2.5
1.49.1
1.53.2
3.4
3.7
3.1.2
3.1.3
3.15.0
3.19.1
2.28.1
2.31.0
1.26.12
1.26.18
2.2.2
2.3.8
Bumps the pip group with 6 updates in the /apps/shop/email/src directory:
2022.9.24
2023.7.22
1.49.1
1.53.2
3.4
3.7
3.1.2
3.1.3
2.28.1
2.31.0
1.26.12
1.26.18
Bumps the pip group with 8 updates in the /apps/shop/loadgenerator/src directory:
2022.9.24
2023.7.22
2.2.2
2.2.5
3.4
3.7
3.1.2
3.1.3
2.28.1
2.31.0
1.26.12
1.26.18
2.2.2
2.3.8
21.12.0
23.9.0
Bumps the pip group with 5 updates in the /apps/shop/recommendation/src directory:
2022.9.24
2023.7.22
1.49.1
1.53.2
3.4
3.7
2.28.1
2.31.0
1.26.12
1.26.18
Updates
certifi
from 2022.9.24 to 2023.7.22Commits
8fb96ed
2023.07.22afe7722
Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739
Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761
Hash pin Actions and enable dependabot (#228)8b3d7ba
2023.05.0753da240
ci: Add Python 3.12-dev to the testing (#224)c2fc3b1
Create a Security Policy (#222)c211ef4
Set up permissions to github workflows (#218)2087de5
Don't let deprecation warning fail CI (#219)e0b9fc5
remove paragraphs about 1024-bit roots from READMEUpdates
cryptography
from 38.0.2 to 42.0.4Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
fe18470
Bump for 42.0.4 release (#10445)aaa2dd0
Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)7a4d012
Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...df314bb
backport actions m1 switch to 42.0.x (#10415)c49a7a5
changelog and version bump for 42.0.3 (#10396)396bcf6
fix provider loading take two (#10390) (#10395)0e0e46f
backport: initialize openssl's legacy provider in rust (#10323) (#10333)2202123
changelog and version bump 42.0.2 (#10268)f7032bd
bump openssl in CI (#10298) (#10299)002e886
Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)Updates
flask
from 2.2.2 to 2.2.5Release notes
Sourced from flask's releases.
Changelog
Sourced from flask's changelog.
Commits
47af817
release version 2.2.5afd63b1
Merge pull request #5109 from pallets/backport-vary-cookie8646edc
setVary: Cookie
header consistently for sessiona6367da
Merge pull request #5108 from pallets/werkzeug-compat3fbfbad
werkzeug 2.3.3 compatibility726d3f4
start version 2.2.5ddc7acc
Merge pull request #5081 from pallets/release-2.2.474e0329
release version 2.2.42d46068
update dev env64bc458
update dev dependenciesUpdates
grpcio
from 1.49.1 to 1.53.2Release notes
Sourced from grpcio's releases.
... (truncated)
Commits
afb307f
[v1.53.x][Interop] Backport Python image update (#33864)7a9373b
[Backport] [dependency] Restrict cython to less than 3.X (#33770)fdb64a6
[v1.53][Build] Update Phusion baseimage (#33767) (#33836)cdf4186
[PSM Interop] Legacy tests: fix xDS test client build (v1.53.x backport) (#33...ce5b93a
[PSM Interop] Legacy test builds always pull the driver from master (v1.53.x ...b24b6ea
[release] Bump release version to 1.53.2 (#33709)1e86ca5
[backport][iomgr][EventEngine] Improve server handling of file descriptor exh...aff3066
[PSM interop] Don't fail url_map target if sub-target already failed (v1.53.x...539d75c
[PSM interop] Don't fail target if sub-target already failed (#33222) (v1.53....3e79c88
[Release] Bump version to 1.53.1 (on v1.53.x branch) (#33047)Updates
idna
from 3.4 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1
Release v3.7c1b3154
Merge pull request #172 from kjd/optimize-contextj0394ec7
Merge branch 'master' into optimize-contextjcd58a23
Merge pull request #152 from elliotwutingfeng/dev5beb28b
More efficient resolution of joiner contexts1b12148
Update ossf/scorecard-action to v2.3.1d516b87
Update Github actions/checkout to v4c095c75
Merge branch 'master' into dev60a0a4c
Fix typo in GitHub Actions workflow key5918a0e
Merge branch 'master' into devUpdates
jinja2
from 3.1.2 to 3.1.3Release notes
Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
Commits
d9de4bb
release version 3.1.350124e1
skip test pypi9ea7222
use trusted publishingda703f7
use trusted publishingbce1746
use trusted publishing7277d80
update pre-commit hooks5c8a105
Make nested-trans-block exceptions nicer (#1918)19a55db
Make nested-trans-block exceptions nicer7167953
Merge pull request from GHSA-h5c8-rqwp-cp957dd3680
xmlattr filter disallows keys with spacesUpdates
pycryptodome
from 3.15.0 to 3.19.1Release notes
Sourced from pycryptodome's releases.
... (truncated)
Changelog
Sourced from pycryptodome's changelog.
... (truncated)
Commits
ef270ab
Update wheels action3278edd
Update changelog and version10e8216
Update PSS verify signature code example.4ec4b85
Bump version0deea1b
Use constant-time (faster) padding decoding also for OAEP519e7ae
Avoid changing signature of RSA._decrypt() method if possible1aa9dca
Update changelog and bump versionafb5e27
Fix side-channel leakage in RSA decryptionee91c67
Update CMAC.py43a466d
Fix small "passes" typo.Updates
requests
from 2.28.1 to 2.31.0Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
147c851
v2.31.074ea7cf
Merge pull request from GHSA-j8r2-6x86-q33q3022253
test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)b639e66
test on py3.12 (#6448)d3d5044
Fixed a small typo (#6452)2ad18e0
v2.30.0f2629e9
Remove strict parameter (#6434)87d63de
v2.29.051716c4
enable the warnings plugin (#6416)a7da1ab
try on ubuntu 22.04 (#6418)Updates
urllib3
from 1.26.12 to 1.26.18Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
9c2c230
Release 1.26.18 (#3159)b594c5c
Merge pull request from GHSA-g4mx-q9vg-27p4944f0eb
[1.26] Use vendored six in urllib3.contrib.securetransportc9016bf
Release 1.26.170122035
Backport GHSA-v845-jxx5-vc9f (#3139)e63989f
Fix installingbrotli
extra on Python 2.72e7a24d
[1.26] Configure OS for RTD to fix building docs57181d6
[1.26] Improve error message when calling urllib3.request() (#3058)3c01480
[1.26] Run coverage even with failed jobsd94029b
Release 1.26.16Updates
werkzeug
from 2.2.2 to 2.3.8Release notes
Sourced from werkzeug's releases.
... (truncated)
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
dc90943
Release version 2.3.8f230020
Fix: slow multipart parsing for huge files with few CR/LF characters26f3e95
reformat lines828bab4
Start version 2.3.83c2ba3d
Release version 2.3.7ac9974c
Fix qvalue parsing (#2753)88f4ed6
qvalue parsing accepts float without decimaldd1f137
Fix: Improve Error Message (#2750)fdc295a
clearer url rule slash errora0f4bf4
fix: improve error messageUpdates
certifi
from 2022.9.24 to 2023.7.22Commits
8fb96ed
2023.07.22afe7722
Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739
Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761
Hash pin Actions and enable dependabot (#228)8b3d7ba
2023.05.0753da240
ci: Add Python 3.12-dev to the testing (#224)c2fc3b1
Create a Security Policy (#222)c211ef4
Set up permissions to github workflows (#218)2087de5
Don't let deprecation warning fail CI (#219)e0b9fc5
remove paragraphs about 1024-bit roots from READMEUpdates
cryptography
from 38.0.2 to 42.0.4Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
fe18470
Bump for 42.0.4 release (#10445)aaa2dd0
Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)7a4d012
Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...df314bb
backport actions m1 switch to 42.0.x (#10415)c49a7a5
changelog and version bump for 42.0.3 (#10396)396bcf6
fix provider loading take two (#10390) (Superseded by #48.