* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
Fixed an initialization issue that caused key loading failures for some
users.
.. _v42-0-2:
42.0.2 - 2024-01-30
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:
42.0.1 - 2024-01-24
Fixed an issue with incorrect keyword-argument naming with EllipticCurvePrivateKey
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign.
Resolved compatibility issue with loading certain RSA public keys in
:func:~cryptography.hazmat.primitives.serialization.load_pem_public_key.
This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
dnspython 2.5.0
See the What's New page for a summary of this release.
Thanks to all the contributors, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
2.5.0
Dnspython now uses hatchling for builds.
Asynchronous destinationless sockets now work on Windows.
Cython is no longer supported due to various typing issues.
Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses.
Previously it was possible for non-canonical IPv6 forms to be stored
in a AAAA address, which would work correctly but possibly cause
problmes if the address were used as a key in a dictionary.
The number of messages in a section can be retrieved with
section_count().
Truncation preferences for messages can be specified.
The length of a message can be automatically prepended when
rendering.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/miigotu/certbot-dns-godaddy/network/alerts).
Bumps the pip group with 3 updates in the / directory: cryptography, dnspython and idna.
Updates
cryptography
from 41.0.7 to 42.0.4Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
fe18470
Bump for 42.0.4 release (#10445)aaa2dd0
Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)7a4d012
Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...df314bb
backport actions m1 switch to 42.0.x (#10415)c49a7a5
changelog and version bump for 42.0.3 (#10396)396bcf6
fix provider loading take two (#10390) (#10395)0e0e46f
backport: initialize openssl's legacy provider in rust (#10323) (#10333)2202123
changelog and version bump 42.0.2 (#10268)f7032bd
bump openssl in CI (#10298) (#10299)002e886
Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)Updates
dnspython
from 2.4.2 to 2.6.1Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
... (truncated)
Commits
0a742b9
update CI0ea5ad0
The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d398
2.6.1 version prepcecb853
Further improve CVE fix coverage to 100% for sync and async.7952e31
test IgnoreErrorse093299
For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f78
2.6.0 versioningca63d95
Require cryptography >=41 instead of 42.902cbf3
Create CODE_OF_CONDUCT.mded9795f
github contributing and pull request templateUpdates
idna
from 3.6 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1
Release v3.7c1b3154
Merge pull request #172 from kjd/optimize-contextj0394ec7
Merge branch 'master' into optimize-contextjcd58a23
Merge pull request #152 from elliotwutingfeng/dev5beb28b
More efficient resolution of joiner contexts1b12148
Update ossf/scorecard-action to v2.3.1d516b87
Update Github actions/checkout to v4c095c75
Merge branch 'master' into dev60a0a4c
Fix typo in GitHub Actions workflow key5918a0e
Merge branch 'master' into devDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show