sndnv / stasis

Backup and recovery system with emphasis on security and privacy
Apache License 2.0

Bump cryptography from 2.8 to 3.2 in /client-cli #13

Closed dependabot[bot] closed 3 years ago

dependabot[bot] commented 4 years ago

Bumps cryptography from 2.8 to 3.2.

Changelog

Sourced from cryptography's changelog.

3.2 - 2020-10-25


* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
  time, to protect against Bleichenbacher vulnerabilities. Due to limitations
  imposed by our API, we cannot completely mitigate this vulnerability and a
  future release will contain a new API which is designed to be resilient to
  these for contexts where it is required. Credit to **Hubert Kario** for
  reporting the issue. *CVE-2020-25659*
* Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
  will need to upgrade.
* Added basic support for PKCS7 signing (including SMIME) via
  :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

.. _v3-1-1:

3.1.1 - 2020-09-22

* Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1h.

.. _v3-1:

3.1 - 2020-08-26


* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
  :term:`U-label` parsing in various X.509 classes. This support was originally
  deprecated in version 2.1 and moved to an extra in 2.5.
* Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
  the OpenSSL project. The next version of ``cryptography`` will drop support
  for it.
* Deprecated support for Python 3.5. This version sees very little use and will
  be removed in the next release.
* ``backend`` arguments to functions are no longer required and the
  default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
  and
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`.
* Calling ``update`` or ``update_into`` on
  :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
  longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
  also resolves the same issue in :doc:`/fernet`.

.. _v3-0:

3.0 - 2020-07-20

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/sndnv/stasis/network/alerts).

codecov-io commented 4 years ago

Codecov Report

Merging #13 into master will decrease coverage by 4.16%. The diff coverage is n/a.

```diff
@@            Coverage Diff             @@
##           master      #13      +/-   ##
==========================================
- Coverage   98.86%   94.70%   -4.17%     
==========================================
  Files         336       56     -280     
  Lines        8569     1832    -6737     
  Branches      189       64     -125     
==========================================
- Hits         8472     1735    -6737     
  Misses         80       80              
  Partials       17       17              
```

| Flag | Coverage Δ |
|---|---|
| #javascript | 84.06% <ø> (ø) |
| #python | 99.83% <ø> (ø) |
| #scala | ? |

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted files (Coverage Δ):

- ...asis/client/service/components/init/ViaStdIn.scala
- ...cala/stasis/client/api/http/routes/ApiRoutes.scala
- ...security/devices/DeviceClientSecretGenerator.scala
- ...core/persistence/backends/slick/SlickBackend.scala
- ...a/stasis/client/service/ApplicationDirectory.scala
- ...clients/DefaultServerBootstrapEndpointClient.scala
- ...tasis/client/ops/scheduling/SchedulingConfig.scala
- .../api/clients/DefaultServerCoreEndpointClient.scala
- ...rc/main/scala/stasis/core/packaging/Manifest.scala
- .../main/scala/stasis/server/api/routes/Staging.scala
- ... and 270 more

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 29dadca...77252b8.