zatosource / zato

ESB, SOA, REST, APIs and Cloud Integrations in Python
https://zato.io
GNU Affero General Public License v3.0

Bump cryptography from 2.2.2 to 2.3 in /code #1010

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps cryptography from 2.2.2 to 2.3.

Changelog

*Sourced from [cryptography's changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst).*

> 2.3 - 2018-07-18
> ~~~~~~~~~~~~~~~~
>
> * **SECURITY ISSUE:**
>   :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
>   allowed tag truncation by default which can allow tag forgery in some cases.
>   The method now enforces the ``min_tag_length`` provided to the
>   :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
>   *CVE-2018-10903*
> * Added support for Python 3.7.
> * Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
>   authenticated timestamp of a :doc:`Fernet ` token.
> * Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
>   We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
>   ``cryptography`` release.
> * Fixed multiple issues preventing ``cryptography`` from compiling against
>   LibreSSL 2.7.x.
> * Added
>   :class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
>   for quick serial number searches in CRLs.
> * The :class:`~cryptography.x509.RelativeDistinguishedName` class now
>   preserves the order of attributes. Duplicate attributes now raise an error
>   instead of silently discarding duplicates.
> * :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap` and
>   :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
>   now raise :class:`~cryptography.hazmat.primitives.keywrap.InvalidUnwrap` if
>   the wrapped key is an invalid length, instead of ``ValueError``.
Commits

- [`0a846e2`](https://github.com/pyca/cryptography/commit/0a846e294806478770469219a26cd49dcb5502d7) bump version and changelog for 2.3 release ([#4356](https://github-redirect.dependabot.com/pyca/cryptography/issues/4356))
- [`feb1345`](https://github.com/pyca/cryptography/commit/feb134586ee6ca56e2c53b35d0ffbb79eb1b5dee) Refs [#3331](https://github-redirect.dependabot.com/pyca/cryptography/issues/3331) -- integrated wycheproof ECDH tests ([#4354](https://github-redirect.dependabot.com/pyca/cryptography/issues/4354))
- [`dfb332d`](https://github.com/pyca/cryptography/commit/dfb332da50ee9358ef9f46b2e8ffb28f1cfd8751) improve skip msg when skipping an ECDH test in test_ec ([#4355](https://github-redirect.dependabot.com/pyca/cryptography/issues/4355))
- [`4de0049`](https://github.com/pyca/cryptography/commit/4de004955b2d9d0d714fe29ae95b8eff7ee983a1) add wycheproof gcm tests ([#4349](https://github-redirect.dependabot.com/pyca/cryptography/issues/4349))
- [`c563b57`](https://github.com/pyca/cryptography/commit/c563b576b3bba4a93f8f47272759b29f182dea13) min_tag_length is an int ([#4351](https://github-redirect.dependabot.com/pyca/cryptography/issues/4351))
- [`db62ec9`](https://github.com/pyca/cryptography/commit/db62ec9967d95e666eb6898766944d9e50532b2d) also check iv length for GCM nonce in AEAD ([#4350](https://github-redirect.dependabot.com/pyca/cryptography/issues/4350))
- [`12a1cac`](https://github.com/pyca/cryptography/commit/12a1cacb6ae6de51a003dcc884e769854a1345a8) raise ValueError on zero length GCM IV ([#4348](https://github-redirect.dependabot.com/pyca/cryptography/issues/4348))
- [`7ca0e46`](https://github.com/pyca/cryptography/commit/7ca0e46d82606b8a12ff323181065a00885d39dc) add chacha20poly1305 wycheproof tests ([#4345](https://github-redirect.dependabot.com/pyca/cryptography/issues/4345))
- [`14faf3c`](https://github.com/pyca/cryptography/commit/14faf3ca00d39f12bc379518bed66f9169a891d9) add wycheproof tests for AES CMAC ([#4344](https://github-redirect.dependabot.com/pyca/cryptography/issues/4344))
- [`d4378e4`](https://github.com/pyca/cryptography/commit/d4378e42937b56f473ddade2667f919ce32208cb) disallow implicit tag truncation with finalize_with_tag ([#4342](https://github-redirect.dependabot.com/pyca/cryptography/issues/4342))
- Additional commits viewable in [compare view](https://github.com/pyca/cryptography/compare/2.2.2...2.3)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/zatosource/zato/network/alerts).
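The security item in the changelog quoted above (tag truncation in `finalize_with_tag`, CVE-2018-10903) is easier to reason about with a runnable model. What follows is an added example, not code from cryptography or from Zato. It stands in for the GCM tag with the first 16 bytes of an HMAC-SHA256 so that it runs on the Python standard library alone; it shows why a verifier that accepts whatever tag length the caller supplies can be defeated by brute force on a toy 1-byte tag, and shows the fixed behaviour of refusing any tag shorter than the `min_tag_length` fixed at construction before any comparison takes place. The names `TagVerifier`, `verify_truncating`, `forge_against_oracle` and `rejects_truncated_tag` belong to this example only, and the 4-to-16-byte bound is an assumption of the model that mirrors the tag sizes GCM standardises.

```python
import hashlib
import hmac
import os
from typing import Callable

# Constructed toy model (added example, not cryptography's code): the GCM tag is
# replaced by the first 16 bytes of an HMAC-SHA256 over aad || ciphertext, so the
# verification logic can be exercised without an AES-GCM implementation.
FULL_TAG_LEN = 16


def compute_tag(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Full 16-byte authentication tag for (aad, ciphertext) under key."""
    return hmac.new(key, aad + ciphertext, hashlib.sha256).digest()[:FULL_TAG_LEN]


def verify_truncating(key: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Weak verifier modelling the pre-2.3 default: whatever length the caller
    supplies is accepted, and only that prefix of the real tag is compared.
    A 1-byte tag therefore leaves just 256 candidates for a forger to try."""
    expected = compute_tag(key, aad, ciphertext)
    return hmac.compare_digest(expected[:len(tag)], tag)


class TagVerifier:
    """Hardened verifier mirroring the 2.3 behaviour: the minimum tag length is
    fixed when the mode object is built and enforced on every finalize call."""

    def __init__(self, min_tag_length: int = FULL_TAG_LEN) -> None:
        # Assumed bound for the model: GCM's shortest standardised tag is 4 bytes.
        if not 4 <= min_tag_length <= FULL_TAG_LEN:
            raise ValueError("min_tag_length must be between 4 and 16 bytes")
        self.min_tag_length = min_tag_length

    def finalize_with_tag(self, key: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
        # The length check runs before any comparison, so a truncated tag never
        # reaches the comparison a forger would use as an oracle.
        if len(tag) < self.min_tag_length:
            raise ValueError(
                "Authentication tag must be %d bytes or longer" % self.min_tag_length
            )
        expected = compute_tag(key, aad, ciphertext)
        return hmac.compare_digest(expected[:len(tag)], tag)


def forge_against_oracle(accepts: Callable[[bytes], bool]) -> bytes:
    """Risk demonstration: given only a yes/no oracle for a fixed message, find
    a 1-byte tag the weak verifier accepts by trying all 256 values. No key is
    needed, which is exactly why accepting short tags is dangerous."""
    for candidate in range(256):
        tag = bytes([candidate])
        if accepts(tag):
            return tag
    raise AssertionError("unreachable: one of the 256 values must match")


def rejects_truncated_tag(min_tag_length: int, tag_length: int) -> bool:
    """True if a hardened verifier with min_tag_length refuses a genuine tag
    that has been truncated to tag_length bytes."""
    key = os.urandom(32)
    aad, ciphertext = b"constructed-header", b"constructed-opaque-bytes"
    tag = compute_tag(key, aad, ciphertext)[:tag_length]
    try:
        TagVerifier(min_tag_length).finalize_with_tag(key, aad, ciphertext, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)
    aad, ciphertext = b"constructed-aad", b"constructed-ciphertext"
    real_tag = compute_tag(key, aad, ciphertext)
    forged = forge_against_oracle(lambda t: verify_truncating(key, aad, ciphertext, t))
    print("weak verifier accepted a guessed 1-byte tag:", forged == real_tag[:1])
    print("hardened verifier rejects a 1-byte tag:", rejects_truncated_tag(16, 1))
    print("hardened verifier accepts the full tag:",
          TagVerifier().finalize_with_tag(key, aad, ciphertext, real_tag))
```

In real code the equivalent of `TagVerifier` is `modes.GCM(iv, min_tag_length=...)` from cryptography 2.3 or later, as the changelog states; a receiver that reads the tag from the wire should also check the tag's length against what the protocol promises before calling `finalize_with_tag`, so a malformed message is rejected as a parse error rather than reaching the authentication step at all.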
dependabot[bot] commented 4 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.