Release notes
*Sourced from [openpgp's releases](https://github.com/openpgpjs/openpgpjs/releases).*
> ## v4.3.0 - Security Release
> This release fixes more security issues. Please upgrade to the latest version as soon as possible.
>
> ## Security fixes
>
> - Validate ECC public keys, to prevent an attack extracting private keys
> - Remove non-AES CFB quick check, to prevent side-channel timing attacks
> - Reject messages encrypted with a symmetric algorithm not in preferred algorithms
> - Check signature public key algorithm against issuer key algorithm
> - Always look at the same literal data packet in getText() and verify()
> - Return generic error on PKESK checksum mismatch when decrypting
>
> ## Other changes
>
> - Fix undefined behavior when reading 3DES-encrypted packet
> - Consider non-expired signatures from expired keys to still be valid
> - Check that signing key was not expired at signature creation time
> - Check that message signatures are not expired when verifying them
> - Fix revocation example in README, use `revocationCertificate` instead of `revocationSignature`
> - Fix CMAC of the empty string
> - Add config values to preferred algorithms
> - Fall back to RFC4880bis-mandated symmetric algorithms (AES128 and EAX) instead of config value
>
> ## Example of behavior changes for preferred algorithms
>
> As an example, previously, if you set `openpgp.config.encryption_cipher = openpgp.enums.symmetric.twofish`, OpenPGP.js would:
> 1. When generating a key, not add Twofish to the preferred algorithms
> 2. When encrypting to that generated key, not use Twofish (since it wasn't in the preferred algorithms)
> 3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to Twofish
>
> Then, if you were to decrypt that last message using GPG, it would warn that the message was encrypted with an algorithm that's not in the preferred algorithms. This could happen even with the default config value of AES256, since RFC4880 mandates falling back to 3DES, not AES256. (RFC4880bis mandates falling back to AES128.)
>
> Since this version, if you set `openpgp.config.encryption_cipher = openpgp.enums.symmetric.twofish`, OpenPGP.js will instead:
>
> 1. When generating a key, add Twofish to the preferred algorithms
> 2. When encrypting to that generated key, use Twofish (since it is in the preferred algorithms)
> 3. When encrypting to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms, fall back to AES128 (since that's the algorithm mandated by RFC4880bis)
>
> ## Example of backwards-incompatible behavior
>
> In some edge cases, some of the above changes are not backwards-compatible. For example, if you use OpenPGP.js < 4.3.0 and:
>
> 1. Set `openpgp.config.encryption_cipher` to any value other than `openpgp.enums.symmetric.aes256`, `openpgp.enums.symmetric.aes128` or `openpgp.enums.symmetric.tripledes`, and
> 2. Encrypt messages to a key with non-supported preferred algorithms, or multiple keys with no overlapping preferred algorithms
>
> And then try to decrypt those messages using OpenPGP.js >= 4.3.0, you will get an error. (Similarly, GPG gives a warning in this situation, but still decrypts the messages as well.)
>
> ## v4.2.1
> When verifying signatures, compute data to verify based on expected signature type rather than the type of the signature to be verified. ([#799](https://github-redirect.dependabot.com/openpgpjs/openpgpjs/issues/799))
>
> ... (truncated)
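The preferred-algorithm handling the notes describe, as an added model in JavaScript (not OpenPGP.js's own code): the `legacy` flag, the base preference list, the `SUPPORTED` set and the key objects are constructed for illustration, and the decrypt-side acceptance rule is inferred from the notes' statement that only aes256, aes128 and tripledes are accepted beyond the key's own preferences.

```javascript
// Added model (not OpenPGP.js code) of the cipher selection in the v4.3.0 notes.
// legacy = true models OpenPGP.js < 4.3.0, legacy = false models >= 4.3.0.
// Algorithm ids follow openpgp.enums.symmetric (RFC 4880 section 9.2).
const symmetric = { tripledes: 2, aes128: 7, aes256: 9, twofish: 10, camellia256: 13 };

// Ciphers this model implements; camellia256 is left out so a key preferring it
// plays the role of a "key with non-supported preferred algorithms".
const SUPPORTED = new Set([symmetric.tripledes, symmetric.aes128, symmetric.aes256, symmetric.twofish]);

// Preference list written into a newly generated key (the base list is constructed).
function newKeyPreferences(config, legacy) {
  const base = [symmetric.aes256, symmetric.aes128, symmetric.tripledes];
  if (legacy || base.includes(config.encryption_cipher)) return base;
  return [config.encryption_cipher, ...base]; // 4.3.0 adds the config value
}

// Choose the cipher for a message to `keys`, each { preferredSymmetric: number[] }.
function selectCipher(keys, config, legacy) {
  // Algorithms every recipient lists and this model supports, in the first
  // recipient's order of preference.
  let common = keys[0].preferredSymmetric.filter(a => SUPPORTED.has(a));
  for (const key of keys.slice(1)) {
    common = common.filter(a => key.preferredSymmetric.includes(a));
  }
  if (common.length > 0) return common[0];
  // No usable overlap: < 4.3.0 used the config value, >= 4.3.0 uses AES128.
  return legacy ? config.encryption_cipher : symmetric.aes128;
}

// Decrypt-side check introduced in 4.3.0, as the notes describe it: the three
// algorithms they single out are always accepted, plus whatever the key prefers.
function isAcceptedOnDecrypt(cipher, key) {
  const alwaysOk = [symmetric.aes256, symmetric.aes128, symmetric.tripledes];
  return alwaysOk.includes(cipher) || key.preferredSymmetric.includes(cipher);
}

// The backwards-incompatible scenario from the notes, with a constructed key.
function incompatibilityDemo() {
  const config = { encryption_cipher: symmetric.twofish };
  const oddKey = { preferredSymmetric: [symmetric.camellia256] };
  const oldCipher = selectCipher([oddKey], config, true);  // what 4.2.x encrypted with
  const newCipher = selectCipher([oddKey], config, false); // what 4.3.0 encrypts with
  return { oldCipher, newCipher,
           oldMessageAcceptedBy430: isAcceptedOnDecrypt(oldCipher, oddKey),
           newMessageAcceptedBy430: isAcceptedOnDecrypt(newCipher, oddKey) };
}
```

Running `incompatibilityDemo()` shows the old fallback (Twofish) being rejected by the 4.3.0 decrypt check while the new fallback (AES128) is accepted, which is exactly the error the notes warn about.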
Commits
- [`d24bdd5`](https://github.com/openpgpjs/openpgpjs/commit/d24bdd5fa21b501b2fd3defacab5af24c63dd322) Release new version
- [`f0f9a5c`](https://github.com/openpgpjs/openpgpjs/commit/f0f9a5c2a4f561abd88240166f6351072af8df09) Fix key generation tests on Node
- [`b1b1994`](https://github.com/openpgpjs/openpgpjs/commit/b1b19946d83da39969fdc22340e32b1d58a3f047) Merge pull request [#816](https://github-redirect.dependabot.com/openpgpjs/openpgpjs/issues/816) from twiss/security-fixes
- [`804e911`](https://github.com/openpgpjs/openpgpjs/commit/804e91140a83cdc1e2d8477b690a756162fd8102) Add config values to preferred algorithms
- [`926047f`](https://github.com/openpgpjs/openpgpjs/commit/926047f0b3e55467f059f90afa85282dde5db812) Default to RFC4880bis-mandated symmetric algos
- [`0660831`](https://github.com/openpgpjs/openpgpjs/commit/06608318d4215ff9320de9630df1848853b803fe) Fix CMAC of the empty string
- [`9b83f6f`](https://github.com/openpgpjs/openpgpjs/commit/9b83f6fcb2a89d15494e742631b01714a26c231d) Return generic error on PKESK checksum mismatch when decrypting
- [`e727097`](https://github.com/openpgpjs/openpgpjs/commit/e727097bb068e348fceba31a59cd1d660b403600) Always look at the same literal data packet in getText() and verify()
- [`8720adc`](https://github.com/openpgpjs/openpgpjs/commit/8720adcf65ee6ec653757329208b2e89d00707f0) Check signature public key algorithm against issuer key algorithm
- [`3b9676f`](https://github.com/openpgpjs/openpgpjs/commit/3b9676f2e9a4984d7607a8552d884dd2365478b2) Reject messages encrypted with a symmetric algo not in preferred algos
- Additional commits viewable in [compare view](https://github.com/openpgpjs/openpgpjs/compare/v2.6.2...v4.3.0)
Maintainer changes
This version was pushed to npm by [sunnyrajan](https://www.npmjs.com/~sunnyrajan), a new releaser for openpgp since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/NEEOInc/neeo-sdk/network/alerts).
Bumps openpgp from 2.6.2 to 4.3.0.