search

ThalesGroup / pycryptoki

Python interface to SafeNet's PKCS11 library implementation
Apache License 2.0
58 stars 22 forks source link

Bump rpyc from 4.0.2 to 6.0.0 #49

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps rpyc from 4.0.2 to 6.0.0.

Release notes

Sourced from rpyc's releases.

6.0.0: Fixed RCE from array

6.0.0

Date: 2024-02-23

  • #551 Resolves security issue that results in RCE. The fix breaks backwards compatibility for those that rely on the __array__ attribute used by numpy. This RCE is only exploitable when the server-side gets the attribute __array__ and calls it (e.g., np.array(x)). This issues effects all versions since major release 4.

5.3.1: Resolved timeout and thread binding issues

5.3.1

Date: 2023-02-21

  • #527 Resolved timeout issue that was introduced in 5.2.1
  • #525 and #524 Fixed experimental thread binding struct for platforms where unsigned long is 8-bits
    • While the fix for thread binding is not backwards compatible, it only impacts people using an experimental feature. Hence, I did a patch version bump.

5.2.3 Fixed classic and registry entrypoints

5.2.3

Date: 2022-08-03

  • #503 rpyc_classic.py and rpyc_registry.py are tracked by pyproject.toml and should resolve now. Moreover, they can now be resolved without their file suffixes as well.

5.2.1: Decorators, SSL updates, and more!

5.2.1

Date: 2022-07-30

  • #494 Added support for using decorators to expose methods (see #292)
  • #499 Allow BgServingThread serve and sleep intervals to be customized
  • #498 Avoid redefining hasattr_static on every check_attr` call
  • #489 Updated SSL context usage to avoid deprecated aspects and changes
  • #485 Add a configurable timeout on the zero deploy close method
  • #484 Fixed --mode CLI argument for rpyc_registry
  • #479 Fixed propagation of AttributeErrors raised by exposed descriptors
  • #476 Allow filtering by host on list_services
  • #493 and #502 Improved documentation and fixed typos
  • #492 Some work around race conditions but proper fix is rather involved (see #491)

5.2.0 was skipped due to PyPi not allowing file name reuse

5.0.0: Various improvements and backwards incompatible changes

Backwards Incompatible:

  • RPyC 5.0.0 cannot teleport functions to earlier versions
  • Deprecated Python 2 support to coincide with it's EOL

Improvements:

  • Server hostname default supports IPv4 and IPv6 by using the wildcard address #425
  • Added docker/docker-compose.yml for Python 3.6, 3.7, 3.8, 3.9, and 3.10 containers to improve local workflow
  • Fixed pickle failure on windows for connect_multiprocess and connect_thread #412

... (truncated)

Changelog

Sourced from rpyc's changelog.

6.0.0

Date: 2024-02-23

  • [#551](https://github.com/tomerfiliba-org/rpyc/issues/551)_ Resolves security issue that results in RCE. The fix breaks backwards compatibility for those that rely on the __array__ attribute used by numpy. This RCE is only exploitable when the server-side gets the attribute __array__ and calls it (e.g., np.array(x)). This issues effects all versions since major release 4.

.. _#551: tomerfiliba-org/rpyc#551

5.3.1

Date: 2023-02-21

  • [#527](https://github.com/tomerfiliba-org/rpyc/issues/527)_ Resolved timeout issue that was introduced in 5.2.1

  • [#525](https://github.com/tomerfiliba-org/rpyc/issues/525)_ and [#524](https://github.com/tomerfiliba-org/rpyc/issues/524)_ Fixed experimental thread binding struct for platforms where unsigned long is 8-bits

    • While the fix for thread binding is not backwards compatible, it only impacts people using an experimental feature. Hence, I did a patch version bump.

.. _#525: tomerfiliba-org/rpyc#525 .. _#524: tomerfiliba-org/rpyc#524 .. _#527: tomerfiliba-org/rpyc#527

5.3.0

Date: 2022-11-25

  • [#515](https://github.com/tomerfiliba-org/rpyc/issues/515)_ Support for Python 3.11 is available after teleportation bug fix
  • [#507](https://github.com/tomerfiliba-org/rpyc/issues/507)_ Experimental support for threading is added (default is disabled for now)
  • [#516](https://github.com/tomerfiliba-org/rpyc/issues/516)_ Resolved server-side exceptions due to the logic for checking if a name is in ModuleNamespace
  • [#511](https://github.com/tomerfiliba-org/rpyc/issues/511)_ Improved documentation on the life-cycle of a netref/proxy-object

.. _#515: tomerfiliba-org/rpyc#515 .. _#507: tomerfiliba-org/rpyc#507 .. _#516: tomerfiliba-org/rpyc#516 .. _#515: tomerfiliba-org/rpyc#515 .. _#511: tomerfiliba-org/rpyc#511

5.2.3

Date: 2022-08-03

  • [#503](https://github.com/tomerfiliba-org/rpyc/issues/503)_ rpyc_classic.py and rpyc_registry.py can now be resolved without the suffix as well.

.. _#503: tomerfiliba-org/rpyc#503

5.2.1

Date: 2022-07-30

  • [#494](https://github.com/tomerfiliba-org/rpyc/issues/494)_ Added support for using decorators to expose methods (see [#292](https://github.com/tomerfiliba-org/rpyc/issues/292)_)

... (truncated)

Commits
  • 0194cbd Updated CHANGELOG.rst for major release 6
  • bba1d35 Fixed #551 by validating the server side is configured to allow pickle
  • 19a9f03 Fixed matchs -> matches per codespell complaint
  • 63ee434 Fixed errors in test_urllib3.py
  • 1b071da Changed test host/ip settings for registry to avoid accidental ipv6 usage.
  • bd0e4d0 Stopped using logger.warn as it is deprecated, used logger.warning instead.
  • 3661e8c Add references to 3.12
  • f715399 Expanded testing to validate BaseNetref/NetrefMetaclass mro since any a f...
  • c3ff92b Added required settings build.os and build.tools that were missing from .read...
  • 3f82027 Updated classic.rst and services.rst print syntax to python 3
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ThalesGroup/pycryptoki/network/alerts).
Sebastienlejeune commented 3 months ago

Hi @astraw38 could you check this one and merge it please ?

astraw38 commented 3 months ago

I think it's missing a few other places for rpyc version - I'll push the rest of the changes here & see.