chore(deps): update dependency cryptography to v39.0.1 [security] by renovate-bot · Pull Request #446 · googleapis/python-iot

renovate-bot · 2023-02-08T05:10:02Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cryptography (changelog)	`==39.0.0` -> `==39.0.1`

GitHub Vulnerability Alerts

CVE-2023-23931

Previously, Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers:

>>> outbuf = b"\x00" * 32
>>> c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor()
>>> c.update_into(b"\x00" * 16, outbuf)
16
>>> outbuf
b'\xdc\x95\xc0x\xa2@&#8203;\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.

This now correctly raises an exception.

This issue has been present since update_into was originally introduced in cryptography 1.8.

Release Notes

pyca/cryptography

`v39.0.1`

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

chore(deps): update dependency cryptography to v39.0.1 [security]

bdef71b

renovate-bot requested a review from a team as a code owner February 8, 2023 05:10

renovate-bot requested review from a team and leahecole February 8, 2023 05:10

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Feb 8, 2023

product-auto-label bot added size: xs Pull request size is extra small. api: cloudiot Issues related to the googleapis/python-iot API. labels Feb 8, 2023

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 8, 2023

blunderbuss-gcf bot assigned joeklemm Feb 8, 2023

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 8, 2023

Merge branch 'main' into renovate/pypi-cryptography-vulnerability

1dbceec

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Feb 8, 2023

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Feb 8, 2023

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 8, 2023

parthea approved these changes Feb 8, 2023

View reviewed changes

parthea merged commit 3ce7a17 into googleapis:main Feb 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency cryptography to v39.0.1 [security]#446

chore(deps): update dependency cryptography to v39.0.1 [security]#446
parthea merged 2 commits intogoogleapis:mainfrom
renovate-bot:renovate/pypi-cryptography-vulnerability

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

GitHub Vulnerability Alerts

CVE-2023-23931

Release Notes

v39.0.1

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

`v39.0.1`