Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency rsa to v4.7 #20

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mend-for-github-com[bot]
Copy link

@mend-for-github-com mend-for-github-com bot commented Jul 6, 2022

This PR contains the following updates:

Package Update Change
rsa (source) minor ==4.0 -> ==4.7

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score CVE
High High 7.5 CVE-2020-13757
High High 7.5 CVE-2020-25658

Release Notes

sybrenstuvel/python-rsa (rsa)

v4.7

  • Fix picking/unpickling issue introduced in 4.7
    (#​173)

v4.6

Version 4.4 and 4.6 are almost a re-tagged release of version 4.2. It requires
Python 3.5+. To avoid older Python installations from trying to upgrade to RSA
4.4, this is now made explicit in the python_requires argument in setup.py.
There was a mistake releasing 4.4 as "3.5+ only", which made it necessary to
retag 4.4 as 4.6 as well.

No functional changes compared to version 4.2.

v4.5

Version 4.3 and 4.5 are almost a re-tagged release of version 4.0. It is the
last to support Python 2.7. This is now made explicit in the python_requires
argument in setup.py. Python 3.4 is not supported by this release. There was a
mistake releasing 4.4 as "3.5+ only", which made it necessary to retag 4.3 as
4.5 as well.

Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.

  • Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
  • Reject cyphertexts (when decrypting) and signatures (when verifying) that have
    been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks
    Carnil for pointing this out.

v4.4

Version 4.4 and 4.6 are almost a re-tagged release of version 4.2. It requires
Python 3.5+. To avoid older Python installations from trying to upgrade to RSA
4.4, this is now made explicit in the python_requires argument in setup.py.
There was a mistake releasing 4.4 as "3.5+ only", which made it necessary to
retag 4.4 as 4.6 as well.

No functional changes compared to version 4.2.

v4.3

Version 4.3 and 4.5 are almost a re-tagged release of version 4.0. It is the
last to support Python 2.7. This is now made explicit in the python_requires
argument in setup.py. Python 3.4 is not supported by this release. There was a
mistake releasing 4.4 as "3.5+ only", which made it necessary to retag 4.3 as
4.5 as well.

Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.

  • Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
  • Reject cyphertexts (when decrypting) and signatures (when verifying) that have
    been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks
    Carnil for pointing this out.

v4.2

  • Rolled back the switch to Poetry, and reverted back to using Pipenv + setup.py
    for dependency management. There apparently is an issue no-binary installs of
    packages build with Poetry. This fixes
    #​148
  • Limited SHA3 support to those Python versions (3.6+) that support it natively.
    The third-party library that adds support for this to Python 3.5 is a binary
    package, and thus breaks the pure-Python nature of Python-RSA.
    This should fix #​147.

v4.1

  • Drop support for Python 3.6 (#​209)
    and declare support for 3.11 (#​208).
  • Upgrade pytest dependency to fix a security issue.
  • Upgrade pytest-cov as well, for good measure.
  • Upgrade MyPy (#​211).

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security fix Security fix generated by Mend
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants