pyup-update-pytest-3.2.5-to-4.6.2
4 years, 11 months ago
Update pytest from 3.2.5 to 4.6.2
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-pytest-3.2.5-to-4.6.1
4 years, 11 months ago
Update pytest from 3.2.5 to 4.6.1
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-sphinx-1.6.5-to-2.1.0
4 years, 11 months ago
Update sphinx from 1.6.5 to 2.1.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-pytest-3.2.5-to-4.6.0
4 years, 11 months ago
Update pytest from 3.2.5 to 4.6.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-cryptography-2.1.3-to-2.7
4 years, 11 months ago
Update cryptography from 2.1.3 to 2.7
requests 2.18.4 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-pytest-runner-3.0-to-5.1
4 years, 11 months ago
Update pytest-runner from 3.0 to 5.1
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-tox-2.9.1-to-3.12.1
4 years, 11 months ago
Update tox from 2.9.1 to 3.12.1
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-pytest-runner-3.0-to-5.0
4 years, 11 months ago
Update pytest-runner from 3.0 to 5.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-tox-2.9.1-to-3.12.0
4 years, 11 months ago
Update tox from 2.9.1 to 3.12.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-requests-2.18.4-to-2.22.0
4 years, 11 months ago
Update requests from 2.18.4 to 2.22.0
cryptography 2.1.3 has known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
pyup-update-tox-2.9.1-to-3.11.1
4 years, 11 months ago
Update tox from 2.9.1 to 3.11.1
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-tox-2.9.1-to-3.11.0
4 years, 11 months ago
Update tox from 2.9.1 to 3.11.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-tox-2.9.1-to-3.10.0
4 years, 11 months ago
Update tox from 2.9.1 to 3.10.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-pytest-3.2.5-to-4.5.0
4 years, 11 months ago
Update pytest from 3.2.5 to 4.5.0
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
pyup-update-wheel-0.30.0-to-0.33.4
4 years, 11 months ago
Update wheel from 0.30.0 to 0.33.4
cryptography 2.1.3 and requests 2.18.4 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| cryptography | 2.1.3 | <42.0.0 |
show Cryptography starting from version 42.0.0 updates its CI configurations to use newer versions of BoringSSL or OpenSSL as a countermeasure to CVE-2023-5678. This vulnerability, affecting the package, could cause Denial of Service through specific DH key generation and verification functions when given overly long parameters. |
| cryptography | 2.1.3 | <41.0.2 |
show The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. |
| cryptography | 2.1.3 | <3.3.2 |
show Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. |
| cryptography | 2.1.3 | <=3.2 |
show Cryptography 3.2 and prior are vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| cryptography | 2.1.3 | <42.0.5 |
show Cryptography version 42.0.5 introduces a limit on the number of name constraint checks during X.509 path validation to prevent denial of service attacks. https://github.com/pyca/cryptography/commit/4be53bf20cc90cbac01f5f94c5d1aecc5289ba1f |
| cryptography | 2.1.3 | <42.0.0 |
show A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. See CVE-2023-50782. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=1.8,<39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r |
| cryptography | 2.1.3 | <41.0.4 |
show Cryptography 41.0.4 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3, that includes a security fix. https://github.com/pyca/cryptography/commit/fc11bce6930e591ce26a2317b31b9ce2b3e25512 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <3.3 |
show Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing. https://github.com/pyca/cryptography/pull/5592 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl. https://github.com/pyca/cryptography/issues/7940 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.5 |
show Cryptography 41.0.5 updates Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4, that includes a security fix. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/b22271cf3c3dd8dc8978f8f4b00b5c7060b6538d https://www.openssl.org/news/secadv/20230731.txt |
| cryptography | 2.1.3 | >=1.9.0,<2.3 |
show A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. See: CVE-2018-10903. |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for CVE-2023-2975: AES-SIV implementation ignores empty associated data entries. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230714.txt |
| cryptography | 2.1.3 | >=0.8,<41.0.3 |
show Cryptography 41.0.3 updates its bundled OpenSSL version to include a fix for a Denial of Service vulnerability. https://github.com/pyca/cryptography/commit/bfa4d95f0f356f2d535efd5c775e0fb3efe90ef2 https://www.openssl.org/news/secadv/20230719.txt |
| cryptography | 2.1.3 | <39.0.1 |
show Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes. https://github.com/pyca/cryptography/issues/8229 |
| cryptography | 2.1.3 | <41.0.0 |
show Cryptography 41.0.0 updates its dependency 'OpenSSL' to v3.1.1 to include a security fix. https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22 |
| requests | 2.18.4 | <=2.19.1 |
show Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| requests | 2.18.4 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Python 3 badge
URL
https://pyup.io/repos/github/mwisner/python-kong-management/python-3-shield.svg
Markdown
[](https://pyup.io/repos/github/mwisner/python-kong-management/)
Restructured Text
.. image:: https://pyup.io/repos/github/mwisner/python-kong-management/python-3-shield.svg
:target: https://pyup.io/repos/github/mwisner/python-kong-management/
:alt: Python 3
HTML
<a href="https://pyup.io/repos/github/mwisner/python-kong-management/"><img src="https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg" alt="Python 3" /></a>
Textile
!https://pyup.io/repos/github/mwisner/python-kong-management/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/mwisner/python-kong-management/
RDoc
{<img src="https://pyup.io/repos/github/mwisner/python-kong-management/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/mwisner/python-kong-management/]
pyup.io badge
URL
https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg
Markdown
[](https://pyup.io/repos/github/mwisner/python-kong-management/)
Restructured Text
.. image:: https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg
:target: https://pyup.io/repos/github/mwisner/python-kong-management/
:alt: Updates
HTML
<a href="https://pyup.io/repos/github/mwisner/python-kong-management/"><img src="https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg" alt="Updates" /></a>
Textile
!https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg(Updates)!:https://pyup.io/repos/github/mwisner/python-kong-management/
RDoc
{<img src="https://pyup.io/repos/github/mwisner/python-kong-management/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/mwisner/python-kong-management/]