- Fixed ``web.FileResponse`` doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub:
  :issue:`8012`.

- Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub:
  :issue:`8014`.

- Added runtime type check for ``ClientSession`` ``timeout`` parameter.

  Related issues and pull requests on GitHub:
  :issue:`8021`.

- Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:`pajod`.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:`9110#section-5.6.2` and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  :issue:`8074`.
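The following is an added example, not aiohttp's parser, showing the three checks the entry above describes in a minimal HTTP/1.1 request-head validator: a header field name must be an RFC 9110 token (so the empty name produced by a line starting with ``:``, and names containing ``?`` or ``/``, are rejected), and the version in the request line must be exactly ``HTTP/`` DIGIT ``.`` DIGIT. The request-line grammar is taken from RFC 9112, which the entry does not cite; the function names and the sample request heads are constructed for this example.

```python
import re
from typing import Optional

# tchar from RFC 9110 section 5.6.2; a field name is a token, i.e. one or more tchar.
# Delimiters such as ':', '?', '/', '(' and whitespace are deliberately absent.
_TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
TOKEN_RE = re.compile(rf"[{_TCHAR}]+")

# request-line = method SP request-target SP HTTP-version (RFC 9112 section 3),
# where HTTP-version is "HTTP/" DIGIT "." DIGIT. Anything but a single dot between
# the two digits fails this pattern. fullmatch() is used below so a trailing
# newline cannot sneak past a '$' anchor.
REQUEST_LINE_RE = re.compile(rf"([{_TCHAR}]+) (\S+) HTTP/(\d)\.(\d)")


class BadRequest(ValueError):
    """Any request head that a server should answer with 400 Bad Request."""


def parse_request_line(line: str) -> tuple[str, str, tuple[int, int]]:
    m = REQUEST_LINE_RE.fullmatch(line)
    if m is None:
        raise BadRequest(f"malformed request line: {line!r}")
    method, target, major, minor = m.groups()
    return method, target, (int(major), int(minor))


def parse_header_line(line: str) -> tuple[str, str]:
    name, sep, value = line.partition(":")
    if not sep:
        raise BadRequest(f"header line without ':': {line!r}")
    if TOKEN_RE.fullmatch(name) is None:
        # Rejects an empty name (the line started with ':') as well as names
        # containing '?' or '/', which are not tchar.
        raise BadRequest(f"invalid header field name: {name!r}")
    return name.lower(), value.strip(" \t")


def parse_request_head(raw: bytes) -> dict:
    """Parse the request line and headers up to the blank line, or raise BadRequest."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadRequest("non-ASCII byte in request head") from exc
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise BadRequest("request head not terminated by an empty line")
    lines = head.split("\r\n")
    method, target, version = parse_request_line(lines[0])
    headers: dict = {}
    for line in lines[1:]:
        name, value = parse_header_line(line)
        headers[name] = value
    return {"method": method, "target": target, "version": version, "headers": headers}


def reject_reason(raw: bytes) -> Optional[str]:
    """None if the head is acceptable, otherwise the reason it must be rejected."""
    try:
        parse_request_head(raw)
    except BadRequest as exc:
        return str(exc)
    return None


# Constructed sample request heads (not taken from the aiohttp report).
SAMPLES = {
    "well_formed": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "colon_first": b"GET / HTTP/1.1\r\n:leading: x\r\n\r\n",
    "comma_version": b"GET / HTTP/1,1\r\nHost: example.com\r\n\r\n",
    "question_in_name": b"GET / HTTP/1.1\r\nX-Fo?o: x\r\n\r\n",
    "slash_in_name": b"GET / HTTP/1.1\r\nX/Foo: x\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18s} -> {reject_reason(raw) or 'accepted'}")
```

Two things this toy validator leaves out that a production parser needs: a cap on the size of the head before it is buffered, and an explicit rule for obs-fold continuation lines (a line beginning with SP or HTAB); here such a line is rejected only as a side effect, because its leading whitespace is not a token character.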
* The internal locale-data loading functions now validate the name of the locale file to be loaded and only
allow files within Babel's data directory. Thank you to Chris Lyne of Tenable, Inc. for discovering the issue!
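As an added example (not Babel's code), one way to enforce the locale-file constraint described above: an identifier allow-list, the Windows reserved-device-name check that the Babel commit list on this page mentions, and a realpath containment check as defence in depth. The identifier pattern, the ``.dat`` extension and the helper names are assumptions for this example; the data directory and its files are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Assumption for this example: a locale identifier is letters, digits and
# underscores only (e.g. "en_US", "zh_Hant_TW"); separators, dots and NULs never appear.
LOCALE_ID_RE = re.compile(r"[A-Za-z0-9_]+")

# Reserved device names on Windows; "NUL" or "CON" passed to open() would
# address the device, not a file in the data directory.
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


class UnsafeLocaleName(ValueError):
    """A locale identifier that must not be turned into a filesystem path."""


def locale_data_path(data_dir: str, name: str) -> str:
    """Path of the data file for ``name`` inside ``data_dir``, or raise UnsafeLocaleName."""
    if LOCALE_ID_RE.fullmatch(name) is None:
        raise UnsafeLocaleName(f"invalid locale identifier {name!r}")
    if name.upper() in _WINDOWS_RESERVED:
        raise UnsafeLocaleName(f"reserved device name {name!r}")
    base = os.path.realpath(data_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".dat"))
    # Defence in depth: even after the allow-list, confirm the resolved path is inside base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeLocaleName(f"{name!r} resolves outside the data directory")
    return candidate


def load_locale_data(data_dir: str, name: str) -> bytes:
    with open(locale_data_path(data_dir, name), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise the check against a constructed data directory; returns name -> outcome."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "locale-data")
        os.mkdir(data_dir)
        with open(os.path.join(data_dir, "en_US.dat"), "wb") as fh:
            fh.write(b"constructed locale data")
        # A file one level up that a traversal such as "../secret" would otherwise reach.
        with open(os.path.join(tmp, "secret.dat"), "wb") as fh:
            fh.write(b"must never be readable through a locale name")
        for name in ("en_US", "../secret", "..", "NUL", "en_US\x00", "fr_FR"):
            try:
                outcomes[name] = load_locale_data(data_dir, name)
            except UnsafeLocaleName as exc:
                outcomes[name] = f"rejected: {exc}"
            except FileNotFoundError:
                outcomes[name] = "not found"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:12} -> {outcome!r}")
```

The allow-list does the real work; the ``commonpath`` check only matters if the pattern is later loosened, which is exactly when such checks tend to be forgotten.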
* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` and :rfc:`3370`.
.. _v42-0-3:

42.0.3 - 2024-02-15
~~~~~~~~~~~~~~~~~~~

* Fixed an initialization issue that caused key loading failures for some
  users.

.. _v42-0-2:

42.0.2 - 2024-01-30
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:

42.0.1 - 2024-01-24
~~~~~~~~~~~~~~~~~~~

* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
* Resolved compatibility issue with loading certain RSA public keys in
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.
* ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDoS attack. You can also simply upgrade python-multipart.
* ✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #5490 by @papb.
* 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #10212 by @aanchlia.
* 📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #10243 by @hungtsetse.
* 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #9440 by @softwarebloat.
* 📝 Add location info to tutorial/bigger-applications.md. PR #10552 by @nilslindemann.
* ✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #10826 by @ahmedabdou14.

Translations

* 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @pablocm83.
* 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @SnowSuno.
This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.
4.43.0

- [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
- [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
- [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
- [t1Lib] Fixed several Type 1 issues (#3238, #3240).
- [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
- [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
- [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0 (released 2023-08-02)

- [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
- [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
- Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

4.41.1 (released 2023-07-21)

- [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
- [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
- [statisticsPen] Report font glyph-average weight/width and font-wide slant.
- [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
- [varLib.merger] Support sparse CursivePos masters (#3209).

4.41.0

- [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#3201).
- [name] Added method to removeUnusedNameRecords in the user range (#3185).
- [varLib.instancer] Fixed issue with L4 instancing (moving default) (#3179).
- [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#3202).
- [designspaceLib] Mark as optional in docs (as it is in the code).
- [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#3184).
- [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#3183).
- Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#3164).

4.40.0

- Published native binary wheels to PyPI for all the Python minor versions, platforms and architectures currently supported that would benefit from this. They include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring them to be compiled from source. The pure-python wheel and source distribution will continue to be published as always (pip automatically chooses them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to explicitly request that pip install from the pure-python source.
- [designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#3123).
- [feaLib] Support variable ligature caret position (#3130).
- [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#3146, #3147, #3155, #3156).
- [TTGlyphPointPen] Don't error with empty contours, simply ignore them (#3145).
- [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#3129).
- [instancer-solver] Fixed bug when moving default instance with sparse masters (#3139, #3140).
- [feaLib] Simplify variable scalars that don't vary (#3132).
- [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#3100).
- [varStore] Improve optimize algorithm and better document the algorithm (#3124, #3127).
- Added quantization option (#3126).
- Added CI workflow config file for building native binary wheels (#3121).
- [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#3113, #3119).
This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.
Follow our blog, Twitter, or GitHub to see future announcements.
This represents a significant amount of work, and there are quite a few changes. Be sure to carefully read the changelog, and use tools such as pip-compile and Dependabot to pin your dependencies and control your updates.
3.0.0rc2
Fixes an issue with the deprecated Markup subclass, #1401.
Bumps the pip group with 24 updates in the / directory (package, from, to; the package name is absent from the excerpt for the last fourteen rows):

- aiohttp: 3.8.4 to 3.9.2
- babel: 2.9.0 to 2.9.1
- certifi: 2020.12.5 to 2023.7.22
- cryptography: 41.0.4 to 42.0.4
- django: 3.1.5 to 3.2.25
- fastapi: 0.100.0 to 0.109.1
- flask: 2.2.2 to 2.2.5
- fonttools: 4.38.0 to 4.43.0
- future: 0.18.2 to 0.18.3
- jinja2: 2.11.2 to 3.1.3
- 0.0.0 to 1.3.0
- 2.12.0 to 3.4.0
- 10.0.1 to 10.3.0
- 3.5+498e6ee058 to 5.13.1
- 2.0 to 2.0.2
- 0.0.5 to 0.0.7
- 4.3.4 to 4.4.4
- 2.25.1 to 2.31.0
- 0.4.1 to 0.4.4
- 0.30.0 to 0.36.2
- 6.3.2 to 6.3.3
- 22.4.0 to 23.10.0
- 1.26.2 to 1.26.18
- 2.2.2 to 2.3.8
Updates aiohttp from 3.8.4 to 3.9.2

Release notes

Sourced from aiohttp's releases.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

... (truncated)

Commits

- 24a6d64 Release v3.9.2 (#8082)
- 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
- 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
- d33bc21 Improve validation in HTTP parser (#8074) (#8078)
- 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
- 3ec4fa1 [PR #8069/69bbe874 backport][3.9] 📝 Only show changelog draft for non-release...
- 419d715 [PR #8066/cba34699 backport][3.9] 💅📝 Restructure the changelog for clarity (#...
- a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
- 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver ...
- 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...

Updates babel from 2.9.0 to 2.9.1

Release notes

Sourced from babel's releases.

Changelog

Sourced from babel's changelog.

Commits

- a99fa24 Use 2.9.0's setup.py for 2.9.1
- 60b33e0 Become 2.9.1
- 412015e Merge pull request #782 from python-babel/locale-basename
- 5caf717 Disallow special filenames on Windows
- 3a700b5 Run locale identifiers through os.path.basename()
- 5afe2b2 Merge pull request #754 from python-babel/github-ci
- 58de834 Replace Travis + Appveyor with GitHub Actions (WIP)
- d1bbc08 import_cldr: use logging; add -q option
- 156b7fb Quiesce CLDR download progress bar if requested (or not a TTY)
- 613dc17 Make the import warnings about unsupported number systems less verbose

Updates certifi from 2020.12.5 to 2023.7.22

Commits

- 8fb96ed 2023.07.22
- afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
- 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
- 44df761 Hash pin Actions and enable dependabot (#228)
- 8b3d7ba 2023.05.07
- 53da240 ci: Add Python 3.12-dev to the testing (#224)
- c2fc3b1 Create a Security Policy (#222)
- c211ef4 Set up permissions to github workflows (#218)
- 2087de5 Don't let deprecation warning fail CI (#219)
- e0b9fc5 remove paragraphs about 1024-bit roots from README

Updates cryptography from 41.0.4 to 42.0.4

Changelog

Sourced from cryptography's changelog.

... (truncated)

Commits

- fe18470 Bump for 42.0.4 release (#10445)
- aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
- 7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
- df314bb backport actions m1 switch to 42.0.x (#10415)
- c49a7a5 changelog and version bump for 42.0.3 (#10396)
- 396bcf6 fix provider loading take two (#10390) (#10395)
- 0e0e46f backport: initialize openssl's legacy provider in rust (#10323) (#10333)
- 2202123 changelog and version bump 42.0.2 (#10268)
- f7032bd bump openssl in CI (#10298) (#10299)
- 002e886 Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)

Updates django from 3.1.5 to 3.2.25

Commits

- c98eca3 [3.2.x] Bumped version for 3.2.25 release.
- 072963e [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
- 2ad2676 [3.2.x] Added release date for 3.2.25.
- fc41af6 [3.2.x] Fixed #35172 -- Fixed intcomma for string floats.
- b9170b4 [3.2.x] Added CVE-2024-24680 to security archive.
- e5350a9 [3.2.x] Post release version bump.
- f5c8808 [3.2.x] Bumped version for 3.2.24 release.
- c1171ff [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template ...
- 9dc3456 [3.2.x] Added stub release notes 3.2.24.
- 90eae45 [3.2.x] Fixed documented alias of smart_text().

Updates fastapi from 0.100.0 to 0.109.1

Release notes

Sourced from fastapi's releases.

... (truncated)

Commits

- 7633d15 🔖 Release version 0.109.1
- a4de147 📝 Update release notes
- 9d34ad0 Merge pull request from GHSA-qf9m-vfgh-m389
- ebf9723 📝 Update release notes
- 8590d0c 👥 Update FastAPI People (#11074)
- 063d7ff 📝 Update release notes
- 3c81e62 🌐 Add Spanish translation for docs/es/docs/external-links.md (#10933)
- 6c4a143 📝 Update release notes
- d254e2f 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs...
- 6f6e786 📝 Update release notes

Updates flask from 2.2.2 to 2.2.5

Release notes

Sourced from flask's releases.

Changelog

Sourced from flask's changelog.

Commits

- 47af817 release version 2.2.5
- afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
- 8646edc set Vary: Cookie header consistently for session
- a6367da Merge pull request #5108 from pallets/werkzeug-compat
- 3fbfbad werkzeug 2.3.3 compatibility
- 726d3f4 start version 2.2.5
- ddc7acc Merge pull request #5081 from pallets/release-2.2.4
- 74e0329 release version 2.2.4
- 2d46068 update dev env
- 64bc458 update dev dependencies

Updates fonttools from 4.38.0 to 4.43.0

Release notes

Sourced from fonttools's releases.

... (truncated)

Changelog

Sourced from fonttools's changelog.

... (truncated)

Commits

- 145460e Release 4.43.0
- 64f3fd8 Update changelog [skip ci]
- 7aea49e Merge pull request #3283 from hugovk/main
- 4470c44 Bump requirements.txt to support Python 3.12
- 0c87cba Bump scipy for Python 3.12 support
- eda6fa5 Add support for Python 3.12
- 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
- 6012643 [iup] Work around cython bug
- b14268a [iup] Remove copy/pasta
- 0a3360e [varLib.avar] New module to compile avar from .designspace file

Updates future from 0.18.2 to 0.18.3

Release notes

Sourced from future's releases.

... (truncated)

Changelog

Sourced from future's changelog.

... (truncated)

Commits

- af1db97 Merge pull request #613 from PythonCharmers/lwan/0.18.3-release
- 079ee9b Prepare for 0.18.3 release
- 02f7a81 Merge pull request #610 from wshanks/wshanks-patch-1
- c91d70b Backport fix for bpo-38804
- 80523f3 Merge pull request #569 from jmadler/master
- 5e5af71 Merge pull request #582 from r3m0t/patch-6
- 17e4bbd Merge pull request #596 from abjonnes/fix-print-trailing-comma
- 1b427ba Merge branch 'xZise-official-count' into master
- c8eb497 Merge branch 'official-count' of https://github.com/xZise/python-future into ...
- dffc579 Fix bug in fix_print.py fixer

Updates jinja2 from 2.11.2 to 3.1.3

Release notes

Sourced from jinja2's releases.