Safety CI > michardy/account-hijacking-prevention

pyup-update-cryptography-2.8-to-42.0.6

3 hours ago

d7b5ad2d

Update cryptography from 2.8 to 42.0.6

tornado 6.0.3 and pymongo 3.10.1 have known security vulnerabilities.

Package

Installed

Affected

Info

tornado

6.0.3

<6.3.3

show

Summary: Tornado's interpretation of symbols `-`, `+`, and `_` within chunk lengths and 'Content-Length' values contradicts the HTTP RFCs stipulations, potentially creating an avenue for request smuggling. This issue is generally found when Tornado operates behind specific proxies that understand these non-standard characters diversely, mostly observed in earlier versions of 'haproxy'; however, the latest version remains unaffected.

Details: Tornado utilizes the 'int' constructor to decipher the 'Content-Length' headers and chunk lengths in the locations mentioned below:

`tornado/http1connection.py:445`
Python3 code: self._expected_content_remaining = int(headers["Content-Length"])

`tornado/http1connection.py:621`
Python3 code: content_length = int(headers["Content-Length"])

`tornado/http1connection.py:671`
Python3 code: chunk_len = int(chunk_len_str.strip(), 16)

Notably, though the equation `int("0_0")` equates to `int("+0")`, `int("-0")`, and `int("0")`, using the 'int' constructor as a strategy for validating and parsing strings containing ASCII digits only is proven inadequate.

tornado

6.0.3

<6.3.2

show

Tornado 6.3.2 includes a fix for CVE-2023-28370: Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

pymongo

3.10.1

<4.6.3

show

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte. See CVE-2024-21506.

pyup-update-coverage-5.0.3-to-7.5.1

3 hours ago

8ec9f8f5

Update coverage from 5.0.3 to 7.5.1

tornado 6.0.3, pymongo 3.10.1 and cryptography 2.8 have known security vulnerabilities.

Package	Installed	Affected	Info
tornado	6.0.3	<6.3.3	show Summary: Tornado's interpretation of symbols `-`, `+`, and `_` within chunk lengths and 'Content-Length' values contradicts the HTTP RFCs stipulations, potentially creating an avenue for request smuggling. This issue is generally found when Tornado operates behind specific proxies that understand these non-standard characters diversely, mostly observed in earlier versions of 'haproxy'; however, the latest version remains unaffected. Details: Tornado utilizes the 'int' constructor to decipher the 'Content-Length' headers and chunk lengths in the locations mentioned below: `tornado/http1connection.py:445` Python3 code: self._expected_content_remaining = int(headers["Content-Length"]) `tornado/http1connection.py:621` Python3 code: content_length = int(headers["Content-Length"]) `tornado/http1connection.py:671` Python3 code: chunk_len = int(chunk_len_str.strip(), 16) Notably, though the equation `int("0_0")` equates to `int("+0")`, `int("-0")`, and `int("0")`, using the 'int' constructor as a strategy for validating and parsing strings containing ASCII digits only is proven inadequate.
tornado	6.0.3	<6.3.2	show Tornado 6.3.2 includes a fix for CVE-2023-28370: Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
pymongo	3.10.1	<4.6.3	show Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte. See CVE-2024-21506.
cryptography	2.8	<42.0.5	show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f
cryptography	2.8	>=1.8,<39.0.1	show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<41.0.0	show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<3.3	show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<42.0.0	show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters.
cryptography	2.8	<41.0.5	show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix.
cryptography	2.8	<41.0.4	show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512
cryptography	2.8	<41.0.2	show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
cryptography	2.8	<=3.2	show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
cryptography	2.8	<3.3.2	show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
cryptography	2.8	<42.0.0	show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782.
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229

pyup-update-bcrypt-3.1.7-to-4.1.3

16 hours ago

e8c74b82

Update bcrypt from 3.1.7 to 4.1.3

tornado 6.0.3, pymongo 3.10.1 and cryptography 2.8 have known security vulnerabilities.

Package	Installed	Affected	Info
tornado	6.0.3	<6.3.3	show Summary: Tornado's interpretation of symbols `-`, `+`, and `_` within chunk lengths and 'Content-Length' values contradicts the HTTP RFCs stipulations, potentially creating an avenue for request smuggling. This issue is generally found when Tornado operates behind specific proxies that understand these non-standard characters diversely, mostly observed in earlier versions of 'haproxy'; however, the latest version remains unaffected. Details: Tornado utilizes the 'int' constructor to decipher the 'Content-Length' headers and chunk lengths in the locations mentioned below: `tornado/http1connection.py:445` Python3 code: self._expected_content_remaining = int(headers["Content-Length"]) `tornado/http1connection.py:621` Python3 code: content_length = int(headers["Content-Length"]) `tornado/http1connection.py:671` Python3 code: chunk_len = int(chunk_len_str.strip(), 16) Notably, though the equation `int("0_0")` equates to `int("+0")`, `int("-0")`, and `int("0")`, using the 'int' constructor as a strategy for validating and parsing strings containing ASCII digits only is proven inadequate.
tornado	6.0.3	<6.3.2	show Tornado 6.3.2 includes a fix for CVE-2023-28370: Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
pymongo	3.10.1	<4.6.3	show Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte. See CVE-2024-21506.
cryptography	2.8	<42.0.5	show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f
cryptography	2.8	>=1.8,<39.0.1	show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<41.0.0	show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<3.3	show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<42.0.0	show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters.
cryptography	2.8	<41.0.5	show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix.
cryptography	2.8	<41.0.4	show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512
cryptography	2.8	<41.0.2	show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
cryptography	2.8	<=3.2	show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
cryptography	2.8	<3.3.2	show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
cryptography	2.8	<42.0.0	show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782.
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	>=0.8,<41.0.3	show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229
cryptography	2.8	<39.0.1	show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229

pyup-update-pymongo-3.10.1-to-4.7.1

4 days, 4 hours ago

a0480a67

Update pymongo from 3.10.1 to 4.7.1