* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` and :rfc:`3370`.
.. _v42-0-3:

42.0.3 - 2024-02-15
~~~~~~~~~~~~~~~~~~~

* Fixed an initialization issue that caused key loading failures for some
  users.
.. _v42-0-2:

42.0.2 - 2024-01-30
~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.
.. _v42-0-1:

42.0.1 - 2024-01-24
~~~~~~~~~~~~~~~~~~~

* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
* Resolved compatibility issue with loading certain RSA public keys in
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.
- `verify=True` now reuses a global `SSLContext` which should improve
  request time variance between first and subsequent requests. It should
  also minimize certificate load time on Windows systems when using a Python
  version built with OpenSSL 3.x. (#6667)
- Requests now supports optional use of character detection
  (`chardet` or `charset_normalizer`) when repackaged or vendored.
  This enables pip and other projects to minimize their vendoring
  surface area. The `Response.text()` and `apparent_encoding` APIs
  will default to utf-8 if neither library is present. (#6702)

Bugfixes

- Fixed bug in length detection where emoji length was incorrectly
  calculated in the request content-length. (#6589)
- Fixed deserialization bug in `JSONDecodeError`. (#6629)
- Fixed bug where an extra leading `/` (path separator) could lead
  urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

- Requests has officially added support for CPython 3.12 (#6503)
- Requests has officially added support for PyPy 3.9 and 3.10 (#6641)
- Requests has officially dropped support for CPython 3.7 (#6642)
- Requests has officially dropped support for PyPy 3.7 and 3.8 (#6641)

Documentation

- Various typo fixes and doc improvements.

Packaging

- Requests has started adopting some modern packaging practices.
  The source files for the project (formerly `requests`) are now located
  in `src/requests` in the Requests sdist. (#6506)
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
  using hatchling. This should not impact the average user, but extremely old
  versions of packaging utilities may have issues with the new packaging format.
This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

- Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
- Make reloader more robust when `""` is in `sys.path`. #2823
- Better TLS cert format with adhoc dev certs. #2891
- Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
- Type annotation for `Rule.endpoint` and other uses of `endpoint` is `Any`. #2836
3.0.2

This is a fix release for the 3.0.x feature branch.

- Only allow localhost, .localhost, 127.0.0.1, or the specified
  hostname when running the dev server, to make debugger requests. Additional
  hosts can be added by using the debugger middleware directly. The debugger
  UI makes requests using the full URL rather than only the path.
  :ghsa:`2g68-c3qc-8985`
- Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
- Better TLS cert format with adhoc dev certs. :pr:`2891`
- Inform Python < 3.12 how to handle itms-services URIs correctly, rather
  than using an overly-broad workaround in Werkzeug that caused some redirect
  URIs to be passed on without encoding. :issue:`2828`
- Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is
  ``Any``. :issue:`2836`
Version 3.0.2

Released 2024-04-01

- Ensure setting ``merge_slashes`` to ``False`` results in ``NotFound`` for
  repeated-slash requests against single slash routes. :issue:`2834`
- Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to match
  ``ValueError``. :issue:`2843`
- Fix ``response_wrapper`` type check in test client. :issue:`2831`
- Make the return type of ``MultiPartParser.parse`` more precise.
  :issue:`2840`
- Raise an error if converter arguments cannot be parsed. :issue:`2822`

Version 3.0.1

Released 2023-10-24

- Fix slow multipart parsing for large parts potentially enabling DoS attacks.
- Fix issue where specially crafted inputs to ``encode()`` could
  take an exceptionally long amount of time to process. [CVE-2024-3651]
  Thanks to Guido Vranken for reporting the issue.
3.6 (2023-11-25)
++++++++++++++++

- Fix regression to include tests in source distribution.

3.5 (2023-11-24)
++++++++++++++++

- Update to Unicode 15.1.0
- String codec name is now "idna2008" as overriding the system codec
  "idna" was not working.
- Fix typing error for codec encoding
- "setup.cfg" has been added for this release due to some downstream
  lack of adherence to PEP 517. Should be removed in a future release
  so please prepare accordingly.
- Removed reliance on a symlink for the "idna-data" tool to comport
  with PEP 517 and the Python Packaging User Guide for sdist archives.
- Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.
This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

- The `xmlattr` filter does not allow keys with `/` solidus, `>` greater-than sign, or `=` equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

- Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using `xmlattr` and passing user input as attribute keys.

- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
  greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
  Regardless of any validation done by Jinja, user input should never be used
  as keys to this filter, or must be separately validated first.
  :ghsa:`h75v-3vvj-5mfj`
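The changelog's advice is to validate attribute keys separately before they ever reach ``xmlattr``. The following is an added example of that pre-validation step, not Jinja's own code: it uses an assumed allowlist regex that is stricter than the filter's rule (which rejects spaces, ``/``, ``>`` and ``=``), and ``render_attrs`` only mirrors the filter's value escaping so the block runs without Jinja installed.

```python
import re
from html import escape

# Allowlist for attribute names, assumed for this example. Stricter than the
# Jinja 3.1.4 rule quoted above: only letters, digits, "_", ":", "." and "-"
# are accepted, and the first character must be a letter, "_" or ":".
_ATTR_NAME_RE = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


class UnsafeAttributeKey(ValueError):
    """Raised when a caller-supplied attribute name fails validation."""


def is_safe_attr_key(key: object) -> bool:
    """True if ``key`` is a string matching the allowlist above."""
    return isinstance(key, str) and _ATTR_NAME_RE.match(key) is not None


def validate_attr_keys(attrs: dict) -> dict:
    """Return ``attrs`` unchanged if every key is a safe attribute name.

    Doing this before the mapping reaches ``xmlattr`` is the mitigation the
    changelog recommends; the filter's own check is only a backstop.
    """
    for key in attrs:
        if not is_safe_attr_key(key):
            raise UnsafeAttributeKey(f"rejected attribute key: {key!r}")
    return attrs


def render_attrs(attrs: dict) -> str:
    """Render validated ``attrs`` as ``' k="v"'`` pairs.

    Values are HTML-escaped and ``None`` values are skipped, which is how the
    real ``xmlattr`` filter treats its values (this is not Jinja's code).
    """
    validated = validate_attr_keys(attrs)
    return "".join(
        f' {key}="{escape(str(value), quote=True)}"'
        for key, value in validated.items()
        if value is not None
    )


if __name__ == "__main__":
    # Constructed inputs: a well-formed mapping, then keys the rule rejects.
    print(render_attrs({"id": "item-1", "data-label": 'a "q" <v>', "hidden": None}))
    for bad in ("a b", "a/b", "a>b", "class=x"):
        print(bad, "->", is_safe_attr_key(bad))
```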
Version 3.1.3

Released 2024-01-10

- Fix compiler error when checking if required blocks in parent templates are
  empty. :pr:`1858`
- ``xmlattr`` filter does not allow keys with spaces. :ghsa:`h5c8-rqwp-cp95`
- Make error messages stemming from invalid nesting of ``{% trans %}`` blocks
  more helpful. :pr:`1918`
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/wizarrrr/wizarr/network/alerts).
Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.
Bumps the pip group with 7 updates in the /apps/wizarr-backend directory:

| Package | From | To |
| --- | --- | --- |
| cryptography | 41.0.4 | 42.0.4 |
| requests | 2.31.0 | 2.32.0 |
| werkzeug | 3.0.0 | 3.0.3 |
| gunicorn | 21.2.0 | 22.0.0 |
| pydantic | 1.10.12 | 1.10.13 |
| idna | 3.4 | 3.7 |
| jinja2 | 3.1.2 | 3.1.4 |
Updates `cryptography` from 41.0.4 to 42.0.4

Changelog

Sourced from cryptography's changelog.

... (truncated)
Commits

- fe18470 Bump for 42.0.4 release (#10445)
- aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
- 7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
- df314bb backport actions m1 switch to 42.0.x (#10415)
- c49a7a5 changelog and version bump for 42.0.3 (#10396)
- 396bcf6 fix provider loading take two (#10390) (#10395)
- 0e0e46f backport: initialize openssl's legacy provider in rust (#10323) (#10333)
- 2202123 changelog and version bump 42.0.2 (#10268)
- f7032bd bump openssl in CI (#10298) (#10299)
- 002e886 Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296)

Updates `requests` from 2.31.0 to 2.32.0

Release notes

Sourced from requests's releases.

... (truncated)
Changelog
Sourced from requests's changelog.
Commits
- d6ebc4a v2.32.0
- 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
- 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
- 555b870 Allow character detection dependencies to be optional in post-packaging steps
- d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
- bf24b7d Use an invalid URI that will not cause httpbin to throw 500
- 2d5f547 Pin 3.8 and 3.9 runners back to macos-13 (#6688)
- f1bb07d Merge pull request #6687 from psf/dependabot/github_actions/github/codeql-act...
- 60047ad Bump github/codeql-action from 3.24.0 to 3.25.0
- 31ebb81 Merge pull request #6682 from frenzymadness/pytest8

Updates `werkzeug` from 3.0.0 to 3.0.3

Release notes

Sourced from werkzeug's releases.
Changelog
Sourced from werkzeug's changelog.
Commits
- f9995e9 release version 3.0.3
- 3386395 Merge pull request from GHSA-2g68-c3qc-8985
- 890b6b6 only require trusted host for evalex
- 71b69df restrict debugger trusted hosts
- d2d3869 endpoint type is Any (#2895)
- 7080b55 endpoint type is Any
- 7555eff remove iri_to_uri redirect workaround (#2894)
- 97fb2f7 remove _invalid_iri_to_uri workaround
- 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
- 793be47 update adhoc tls dev cert format

Updates `gunicorn` from 21.2.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.
Commits
- f63d59e bump to 22.0
- 4ac81e0 Merge pull request #3175 from e-kwsm/typo
- 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
- 0243ec3 fix(deps): exclude eventlet 0.36.0
- 628a0bc chore: fix typos
- 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
- deae2fc CI: back off the agressive timeout
- f470382 docs: promise 3.12 compat
- 5e30bfa add changelog to project.urls (updated for PEP621)
- 481c3f9 remove setup.cfg - overridden by pyproject.toml

Updates `pydantic` from 1.10.12 to 1.10.13

Release notes

Sourced from pydantic's releases.
Changelog
Sourced from pydantic's changelog.
Commits
- 8822578 Prepare release 1.10.13 (#7674)
- 59d8f38 [Backport] Add max length check to `validate_email` (#7673)
- 69b92b5 Make the v1 mypy plugin work with both v1 and v2 (#6920)
- 87bf417 Update pip commands to install 1.10 (#6930)

Updates `idna` from 3.4 to 3.7

Release notes

Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
- 1d365e1 Release v3.7
- c1b3154 Merge pull request #172 from kjd/optimize-contextj
- 0394ec7 Merge branch 'master' into optimize-contextj
- cd58a23 Merge pull request #152 from elliotwutingfeng/dev
- 5beb28b More efficient resolution of joiner contexts
- 1b12148 Update ossf/scorecard-action to v2.3.1
- d516b87 Update Github actions/checkout to v4
- c095c75 Merge branch 'master' into dev
- 60a0a4c Fix typo in GitHub Actions workflow key
- 5918a0e Merge branch 'master' into dev

Updates `jinja2` from 3.1.2 to 3.1.4

Release notes

Sourced from jinja2's releases.
Changelog
Sourced from jinja2's changelog.
Commits
- dd4a8b5 release version 3.1.4
- 0668239 Merge pull request from GHSA-h75v-3vvj-5mfj
- d655030 disallow invalid characters in keys to xmlattr filter
- a7863ba add ghsa links
- b5c98e7 start version 3.1.4
- da3a9f0 update project files (#1968)
- 0ee5eb4 satisfy formatter, linter, and strict mypy
- 20477c6 update project files (#5457)
- e491223 update pyyaml dev dependency
- 36f9885 fix pr link