Closed dependabot[bot] closed 4 years ago
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version
or @dependabot ignore this minor version
.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps ecdsa from 0.13 to 0.13.3.
Release notes
*Sourced from [ecdsa's releases](https://github.com/warner/python-ecdsa/releases).* > ## ecdsa 0.13.3 > Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding > Fix CVE-2019-14859 - signature malleability caused by insufficient checks of DER encoding > > Also harden key decoding from string and DER encodings. > > ## ecdsa 0.13.2 > Restore compatibility of setup.py with Python 2.6 and 2.7. > > ## ecdsa 0.13.1 > Fix the PyPI wheel - the old version included .pyc files.Changelog
*Sourced from [ecdsa's changelog](https://github.com/warner/python-ecdsa/blob/master/NEWS).* > * Release 0.14.1 (06 Nov 2019) > > Remove the obsolete `six.py` file from wheel > > * Release 0.14 (06 Nov 2019) > > Bug fixes: > Strict checking of DER requirements when parsing SEQUENCE, INTEGER, > OBJECT IDENTIFIER and BITSTRING objects. > DER parsers now consistently raise `UnexpectedDER` exception on malformed DER > encoded byte strings. > Make sure that both malformed and invalid signatures raise `BadSignatureError`. > Ensure that all `SigningKey` and `VerifyingKey` methods that should accept > bytes-like objects actually do accept them (also avoid copying input strings). > Make `SigningKey.sign_digest_deterministic` use default object hashfunc when > none was provided. > `encode_integer` now works for large integers. > Make `encode_oid` and `remove_object` correctly handle OBJECT IDENTIFIERs > with large second subidentifier and padding in encoded subidentifiers. > > New features: > Deterministic signature methods now accept `extra_entropy` parameter to further > randomise the selection of `k` (the nonce) for signature, as specified in > RFC6979. > Recovery of public key from signature is now supported. > Support for SEC1/X9.62 formatted keys, all three encodings are supported: > "uncompressed", "compressed" and "hybrid". Both string, and PEM/DER will > automatically accept them, if the size of the key matches the curve. > Benchmarking application now provides performance numbers that are easier to > compare against OpenSSL. > Support for all Brainpool curves (non-twisted). > > New API: > `CurveFp`: `__str__` is now supported. > `SigningKey.sign_deterministic`, `SigningKey.sign_digest_deterministic` and > `generate_k`: extra_entropy parameter was added > `Signature.recover_public_keys` was added > `VerifyingKey.from_public_key_recovery` and > `VerifyingKey.from_public_key_recovery_with_digest` were added > `VerifyingKey.to_string`: `encoding` parameter was added > `VerifyingKey.to_der` and `SigningKey.to_der`: `point_encoding` parameter was > added. > `encode_bitstring`: `unused` parameter was added > `remove_bitstring`: `expect_unused` parameter was added > `SECP256k1` is now part of `curves` `*` import > `Curves`: `__repr__` is now supported > `VerifyingKey`: `__repr__` is now supported > > Deprecations: > Python 2.5 is not supported any more - dead code removal. > ... (truncated)Commits
- [`7add221`](https://github.com/warner/python-ecdsa/commit/7add2213c992f51267eed8288b560f3f4108a28d) update NEWS file for 0.13.3 - [`5c4c74a`](https://github.com/warner/python-ecdsa/commit/5c4c74a454c852727ac3c0207a4010486dde1866) Merge pull request [#124](https://github-redirect.dependabot.com/warner/python-ecdsa/issues/124) from tomato42/backport-sig-decode - [`1eb2c04`](https://github.com/warner/python-ecdsa/commit/1eb2c0410b97ac5101b5db20e2924d79db3e8ec5) update README with error handling of from_string() and from_der() - [`b95be03`](https://github.com/warner/python-ecdsa/commit/b95be03d8540b3a088263cbb3a0a376a8a0efbd0) execute also new tests in Travis - [`99c907d`](https://github.com/warner/python-ecdsa/commit/99c907d7acc94da6685470328174ea7299863dfd) harden also key decoding - [`3427fa2`](https://github.com/warner/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830) ensure that the encoding is actually the minimal one for length and integer - [`563d2ee`](https://github.com/warner/python-ecdsa/commit/563d2ee2c07e10ae4f77ccde4161d6a14c681b1b) make variable names in remove_integer more aproppriate - [`14abfe0`](https://github.com/warner/python-ecdsa/commit/14abfe020d4907fd9849f269b98f5f8f1060366b) explicitly specify the distro to get py26 and py33 - [`9080d1d`](https://github.com/warner/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e) fix length decoding - [`897178c`](https://github.com/warner/python-ecdsa/commit/897178ca093282979ff19cc4035eadbc30ac0d23) give the same handling to string encoded signatures as to DER - Additional commits viewable in [compare view](https://github.com/warner/python-ecdsa/compare/python-ecdsa-0.13...python-ecdsa-0.13.3)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Crystalnix/omaha-server/network/alerts).