Project OCEAN is an open science collaboration focused on understanding the open source ecosystems creating datasets that enable research and forming a clear understanding of the state of open source communities.
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
dnspython 2.5.0
See the What's New page for a summary of this release.
Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
dnspython 2.4.2
This is a bug fix release, see the What's New page in the documentation for a summary.
Thanks to the people who reported the bugs and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
2.5.0
Dnspython now uses hatchling for builds.
Asynchronous destinationless sockets now work on Windows.
Cython is no longer supported due to various typing issues.
Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses.
Previously it was possible for non-canonical IPv6 forms to be stored
in a AAAA address, which would work correctly but possibly cause
problmes if the address were used as a key in a dictionary.
The number of messages in a section can be retrieved with
section_count().
Truncation preferences for messages can be specified.
The length of a message can be automatically prepended when
rendering.
Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++
Fix regression to include tests in source distribution.
3.5 (2023-11-24)
++++++++++++++++
Update to Unicode 15.1.0
String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
Fix typing error for codec encoding
"setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
Added security reporting protocol for project
Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj
3.1.3
This is a fix release for the 3.1.x feature branch.
Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.
The xmlattr filter does not allow keys with / solidus, >
greater-than sign, or = equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
as keys to this filter, or must be separately validated first.
:ghsa:h75v-3vvj-5mfj
Version 3.1.3
Released 2024-01-10
Fix compiler error when checking if required blocks in parent templates are
empty. :pr:1858
xmlattr filter does not allow keys with spaces. :ghsa:h5c8-rqwp-cp95
Make error messages stemming from invalid nesting of {% trans %} blocks
more helpful. :pr:1918
quickly jump to open tabs/recently closed files by using a new searchable modal dialog (press Ctrl+Alt+A to open the dialog, or click on the [↗] icon in the sidebar):
Full notebook windowing mode by default
Notebooks in the full windowing mode only render the visible cells, significantly improving the performance of the application. One limitation of full mode is that the search function in your browser may produce false negatives; using the JupyterLab search function is recommended. To revert to the behaviour from JupyterLab 4.1, go to Settings → Settings Editor → Notebook, scroll to "Windowing mode", and choose defer.
Improved Shortcuts Editor
Among the numerous improvements and bug fixes for the keyboard shortcuts editor:
it is now possible to remove the default shortcuts,
shortcuts are correctly sorted when using a language pack,
shortcuts with different arguments are now correctly displayed as individual entries.
Dark high contrast theme
A new theme, JupyterLab Dark High Contrast, which is intended to benefit users with the need for higher contrast, following the WCAG AAA accessibility standard for color contrast.
To select this theme, from the menu bar, choose Settings → Theme → JupyterLab Dark High Contrast. Please provide feedback and suggestions on further improvements to this theme.
Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown"
could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
Issues Resolved
...............
See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues
in this release.
Bumps the pip group with 14 updates in the /archive/mailing-list-data-pipelines directory:
2022.9.24
2023.7.22
38.0.3
42.0.4
2.2.1
2.6.1
1.50.0
1.53.2
3.4
3.7
3.1.2
3.1.4
1.23.2
2.11.2
3.5.0
3.6.7
2.12.0
3.4.0
10.0.0
14.0.1
4.3.2
4.6.3
2.28.1
2.31.0
6.2
6.3.3
1.26.12
1.26.18
Updates
certifi
from 2022.9.24 to 2023.7.22Commits
8fb96ed
2023.07.22afe7722
Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)2038739
Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)44df761
Hash pin Actions and enable dependabot (#228)8b3d7ba
2023.05.0753da240
ci: Add Python 3.12-dev to the testing (#224)c2fc3b1
Create a Security Policy (#222)c211ef4
Set up permissions to github workflows (#218)2087de5
Don't let deprecation warning fail CI (#219)e0b9fc5
remove paragraphs about 1024-bit roots from READMEUpdates
cryptography
from 38.0.3 to 42.0.4Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
fe18470
Bump for 42.0.4 release (#10445)aaa2dd0
Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)7a4d012
Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...df314bb
backport actions m1 switch to 42.0.x (#10415)c49a7a5
changelog and version bump for 42.0.3 (#10396)396bcf6
fix provider loading take two (#10390) (#10395)0e0e46f
backport: initialize openssl's legacy provider in rust (#10323) (#10333)2202123
changelog and version bump 42.0.2 (#10268)f7032bd
bump openssl in CI (#10298) (#10299)002e886
Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)Updates
dnspython
from 2.2.1 to 2.6.1Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
... (truncated)
Commits
0a742b9
update CI0ea5ad0
The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d398
2.6.1 version prepcecb853
Further improve CVE fix coverage to 100% for sync and async.7952e31
test IgnoreErrorse093299
For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f78
2.6.0 versioningca63d95
Require cryptography >=41 instead of 42.902cbf3
Create CODE_OF_CONDUCT.mded9795f
github contributing and pull request templateUpdates
grpcio
from 1.50.0 to 1.53.2Release notes
Sourced from grpcio's releases.
... (truncated)
Commits
afb307f
[v1.53.x][Interop] Backport Python image update (#33864)7a9373b
[Backport] [dependency] Restrict cython to less than 3.X (#33770)fdb64a6
[v1.53][Build] Update Phusion baseimage (#33767) (#33836)cdf4186
[PSM Interop] Legacy tests: fix xDS test client build (v1.53.x backport) (#33...ce5b93a
[PSM Interop] Legacy test builds always pull the driver from master (v1.53.x ...b24b6ea
[release] Bump release version to 1.53.2 (#33709)1e86ca5
[backport][iomgr][EventEngine] Improve server handling of file descriptor exh...aff3066
[PSM interop] Don't fail url_map target if sub-target already failed (v1.53.x...539d75c
[PSM interop] Don't fail target if sub-target already failed (#33222) (v1.53....3e79c88
[Release] Bump version to 1.53.1 (on v1.53.x branch) (#33047)Updates
idna
from 3.4 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1
Release v3.7c1b3154
Merge pull request #172 from kjd/optimize-contextj0394ec7
Merge branch 'master' into optimize-contextjcd58a23
Merge pull request #152 from elliotwutingfeng/dev5beb28b
More efficient resolution of joiner contexts1b12148
Update ossf/scorecard-action to v2.3.1d516b87
Update Github actions/checkout to v4c095c75
Merge branch 'master' into dev60a0a4c
Fix typo in GitHub Actions workflow key5918a0e
Merge branch 'master' into devUpdates
jinja2
from 3.1.2 to 3.1.4Release notes
Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
Commits
dd4a8b5
release version 3.1.40668239
Merge pull request from GHSA-h75v-3vvj-5mfjd655030
disallow invalid characters in keys to xmlattr filtera7863ba
add ghsa linksb5c98e7
start version 3.1.4da3a9f0
update project files (#1968)0ee5eb4
satisfy formatter, linter, and strict mypy20477c6
update project files (#5457)e491223
update pyyaml dev dependency36f9885
fix pr linkUpdates
jupyter-server
from 1.23.2 to 2.11.2Release notes
Sourced from jupyter-server's releases.
... (truncated)
Changelog
Sourced from jupyter-server's changelog.
... (truncated)
Commits
9bd9657
Publish 2.11.20056c3a
Merge pull request from GHSA-h56g-gq9v-vc8r88eca99
Bump to 2.12.0.dev03755794
Publish 2.11.140a95e5
avoid unhandled error on some invalid paths (#1369)ecd5b1f
Change md5 to hash and hash_algorithm, fix incompatibility (#1367)8e5d766
Bump to 2.12.0.dev0cc74bb6
Publish 2.11.0e7c0f33
Update api docs with md5 param (#1364)0983b71
Update ruff and typings (#1365)Updates
jupyterlab
from 3.5.0 to 3.6.7Release notes
Sourced from jupyterlab's releases.
... (truncated)
Changelog
Sourced from jupyterlab's changelog.
... (truncated)
Commits
f0226c6
[ci skip] New versionfccd83d
Merge pull request from GHSA-44cc-43rp-59473b6b789
Backport PR #15496: Pinactions/labeler
to v4 to fix failing CI action (#15...d68fca2
Fix docs deployment failing on 3.6 branch (#15424)887700d
Backport PR #15462: Fix URLs in debugger-extension (#15490)304f117
[3.6.x] Fix M1 install, declarenode-gyp@^9.0.0
(#15395)82bb1c8
Backport PR #14534 and PR #15237 on branch 3.6.x (Hide completer when changin...18abc5c
[ci skip] Publish 3.6.6fbefeb3
[ci skip] New versionb86cc20
Remove pre-commit job (#15154)Updates
paramiko
from 2.12.0 to 3.4.0Commits
f0881ba
Cut 3.4.03e4bdf9
Changelog/comment updates30b447b
Linting33508c9
Expand MessageOrderError use to handle more packet types96db1e2
Raise exception when sequence numbers rollover during initial kex58785d2
Changelog tweak re: other new Transport kwarg8dcb237
Test-suite-only bugfix: defer did not actually imply skip_verifyfa46de7
Reset sequence numbers on rekey75e311d
Enforce zero seqno on kexinit73f079f
Fill in CVE number for Terrapin attackUpdates
pyarrow
from 10.0.0 to 14.0.1Commits
ba53748
MINOR: [Release] Update versions for 14.0.1529f376
MINOR: [Release] Update .deb/.rpm changelogs for 14.0.1b84bbca
MINOR: [Release] Update CHANGELOG.md for 14.0.1f141709
GH-38607: [Python] Disable PyExtensionType autoload (#38608)5a37e74
GH-38431: [Python][CI] Update fs.type_name checks for s3fs tests (#38455)2dcee3f
MINOR: [Release] Update versions for 14.0.0297428c
MINOR: [Release] Update .deb/.rpm changelogs for 14.0.03e9734f
MINOR: [Release] Update CHANGELOG.md for 14.0.09f90995
GH-38332: [CI][Release] Resolve symlinks in RAT lint (#38337)bd61239
GH-35531: [Python] C Data Interface PyCapsule Protocol (#37797)Updates
pymongo
from 4.3.2 to 4.6.3Release notes
Sourced from pymongo's releases.
Changelog
Sourced from pymongo's changelog.
... (truncated)
Commits
8da192f
BUMP 4.6.356b6b6d
PYTHON-4305 Fix bson size check (#1564)449d0f3
BUMP to 4.6.3.dev0e04576d
DEVPROD-3871 Use teardown_task when there is one function/command ... _Description has been truncated_