search

USStateDept / State-TalentMAP-API

Source Code - https://github.com/USStateDept/State-TalentMAP
Other
12 stars 11 forks source link

chore(deps): bump pysaml2 from 4.5.0 to 6.5.0 #529

Open dependabot[bot] opened 3 years ago

dependabot[bot] commented 3 years ago

Bumps pysaml2 from 4.5.0 to 6.5.0.

Release notes

Sourced from pysaml2's releases.

Version 6.5.0

6.5.0 (2021-01-20) - Security release

  • Fix processing of invalid SAML XML documents - CVE-2021-21238
  • Fix unspecified xmlsec1 key-type preference - CVE-2021-21239
  • Add more tests regarding XSW attacks
  • Add XML Schemas for SAML2 and common extensions
  • Fix the XML parser to not break on ePTID AttributeValues
  • Fix the initialization value of the return_addrs property of the StatusResponse object
  • Fix SWAMID entity-category policy regarding eduPersonTargetedID
  • data: use importlib to load package data (backwards compatibility through the importlib_resources package)
  • docs: improve the documentation for the signing_algorithm and digest_algorithm options
  • examples: fix the logging configuration of the example-IdP
  • tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
  • tests: improvements on the generation of response and assertion objects
  • tests: expand tests on python-3.9 and python-3.10-dev

Version 6.4.1

6.4.1 (2020-12-08)

  • Indicate minimum required python version during installation

Version 6.4.0

6.4.0 (2020-12-08)

  • Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
  • Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
  • Ignore duplicate RequestedAttribute entries when filtering attributes
  • tests: Avoid reuse of old test data files

Version 6.3.1

6.3.1 (2020-11-11)

  • Fix extraction of RegistrationInfo when no information is available
  • Fix http_info struct to include status-code

Version 6.3.0

6.3.0 (2020-10-30)

  • Allow to specify policy configurations based on the registration authority.
  • Add new configuration option logout_responses_signed to sign logout responses.
  • When available and appropriate return the ResponseLocation along with the Location attribute.
  • Always use base64.encodebytes; base64.encodestring has been dropped.
  • Examples: fix IdP example that was outputing debug statements on stdout that became

... (truncated)

Changelog

Sourced from pysaml2's changelog.

6.5.0 (2021-01-20) - Security release

  • Fix processing of invalid SAML XML documents - [CVE-2021-21238]
  • Fix unspecified xmlsec1 key-type preference - [CVE-2021-21239]
  • Add more tests regarding XSW attacks
  • Add XML Schemas for SAML2 and common extensions
  • Fix the XML parser to not break on ePTID AttributeValues
  • Fix the initialization value of the return_addrs property of the StatusResponse object
  • Fix SWAMID entity-category policy regarding eduPersonTargetedID
  • data: use importlib to load package data (backwards compatibility through the importlib_resources package)
  • docs: improve the documentation for the signing_algorithm and digest_algorithm options
  • examples: fix the logging configuration of the example-IdP
  • tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents
  • tests: improvements on the generation of response and assertion objects
  • tests: expand tests on python-3.9 and python-3.10-dev

6.4.1 (2020-12-08)

  • Indicate minimum required python version during installation

6.4.0 (2020-12-08)

  • Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
  • Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
  • Ignore duplicate RequestedAttribute entries when filtering attributes
  • tests: Avoid reuse of old test data files

6.3.1 (2020-11-11)

  • Fix extraction of RegistrationInfo when no information is available
  • Fix http_info struct to include status-code

6.3.0 (2020-10-30)

  • Allow to specify policy configurations based on the registration authority.
  • Add new configuration option logout_responses_signed to sign logout responses.
  • When available and appropriate return the ResponseLocation along with the Location attribute.
  • Always use base64.encodebytes; base64.encodestring has been dropped.
  • Examples: fix IdP example that was outputing debug statements on stdout that became part of its metadata.
  • CI/CD: Use Ubuntu bionic as the host to run the CI/CD process.
  • CI/CD: Pre-releases are now available on [test.pypi.org][pypi.test.pysaml2]. Each commit/merge on the master branch autotically creates a new pre-release. To install a

... (truncated)

Commits
  • 12ec4a7 Release version 6.5.0
  • 1d8fd26 Merge pull request from GHSA-f4g9-h89h-jgv9
  • 46578df Merge pull request from GHSA-5p3x-r448-pc62
  • 751dbf5 Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to only x509 ...
  • 3b70772 Fix CVE-2021-21238 - SAML XML Signature wrapping
  • b76ea40 Add xsd schemas
  • cd6030d Fix the parser to not break on ePTID AttributeValues
  • 8dcb31b Strengthen XSW tests
  • aaf6c54 Set the dates in test XML documents to be earlier than 2036 to allow 32bit sy...
  • 17f4daf Load the encryption template using package resources
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/USStateDept/State-TalentMAP-API/network/alerts).