Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-jwcrypto for openSUSE:Factory
checked in at 2024-03-20 21:09:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-jwcrypto (Old)
and /work/SRC/openSUSE:Factory/.python-jwcrypto.new.1905 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-jwcrypto"
Wed Mar 20 21:09:48 2024 rev:16 rq:1159234 version:1.5.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-jwcrypto/python-jwcrypto.changes
2024-01-05 22:59:11.213391570 +0100
+++
/work/SRC/openSUSE:Factory/.python-jwcrypto.new.1905/python-jwcrypto.changes
2024-03-20 21:10:03.996516073 +0100
@@ -1,0 +2,12 @@
+Tue Mar 19 07:14:44 UTC 2024 - Dirk Müller <[email protected]>
+
+- update to 1.5.6:
+ * Address potential DoS with high compression ratio
+- update to 1.5.4:
+ * One more release bump to address issues with
+ typing_extensions minimum required version
+- update to 1.5.3:
+ * Drop python 3.6 and 3.7 and add 3.11 support
+ * replace deprecated package with typing_extensions
+
+-------------------------------------------------------------------
Old:
----
jwcrypto-1.5.1.tar.gz
New:
----
jwcrypto-1.5.6.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-jwcrypto.spec ++++++
--- /var/tmp/diff_new_pack.59QUUO/_old 2024-03-20 21:10:04.604538416 +0100
+++ /var/tmp/diff_new_pack.59QUUO/_new 2024-03-20 21:10:04.608538562 +0100
@@ -16,23 +16,25 @@
#
+%{?sle15_python_module_pythons}
Name: python-jwcrypto
-Version: 1.5.1
+Version: 1.5.6
Release: 0
Summary: Python module package implementing JOSE Web standards
License: LGPL-3.0-only
URL: https://github.com/latchset/jwcrypto
Source:
https://files.pythonhosted.org/packages/source/j/jwcrypto/jwcrypto-%{version}.tar.gz
-BuildRequires: %{python_module Deprecated}
+BuildRequires: %{python_module base >= 3.8}
BuildRequires: %{python_module cryptography >= 3.4}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module typing-extensions >= 4.5.0}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
-Requires: python-Deprecated
Requires: python-cryptography >= 3.4
+Requires: python-typing-extensions >= 4.5.0
BuildArch: noarch
%python_subpackages
++++++ jwcrypto-1.5.1.tar.gz -> jwcrypto-1.5.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/PKG-INFO new/jwcrypto-1.5.6/PKG-INFO
--- old/jwcrypto-1.5.1/PKG-INFO 2023-12-26 20:51:00.196697500 +0100
+++ new/jwcrypto-1.5.6/PKG-INFO 2024-03-06 20:58:26.596289400 +0100
@@ -1,20 +1,19 @@
Metadata-Version: 2.1
Name: jwcrypto
-Version: 1.5.1
+Version: 1.5.6
Summary: Implementation of JOSE Web standards
Home-page: https://github.com/latchset/jwcrypto
Maintainer: JWCrypto Project Contributors
Maintainer-email: [email protected]
License: LGPLv3+
-Classifier: Programming Language :: Python :: 3.6
-Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: >= 3.6
+Requires-Python: >= 3.8
Description-Content-Type: text/markdown
License-File: LICENSE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto/VERSION
new/jwcrypto-1.5.6/jwcrypto/VERSION
--- old/jwcrypto-1.5.1/jwcrypto/VERSION 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto/VERSION 2024-03-06 20:46:25.000000000 +0100
@@ -1 +1 @@
-1.5.1
+1.5.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto/jwe.py
new/jwcrypto-1.5.6/jwcrypto/jwe.py
--- old/jwcrypto-1.5.1/jwcrypto/jwe.py 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto/jwe.py 2024-03-06 20:46:25.000000000 +0100
@@ -10,6 +10,9 @@
from jwcrypto.jwa import JWA
from jwcrypto.jwk import JWKSet
+# Limit the amount of data we are willing to decompress by default.
+default_max_compressed_size = 256 * 1024
+
# RFC 7516 - 4.1
# name: (description, supported?)
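Review bot: The comment on `default_max_compressed_size` says it limits "the amount of data we are willing to decompress", which reads like a cap on the decompressed output. The check added in the later hunk of this file compares it with `len(data)` before `zlib.decompress`, so it actually caps the compressed input, in bytes. I would reword it to `# Maximum size in bytes of the compressed payload accepted when the header carries "zip": "DEF".` The name is a module-level global that the new test reassigns at run time, so the comment should also say that changing it affects every JWE object in the process.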
@@ -422,6 +425,10 @@
compress = jh.get('zip', None)
if compress == 'DEF':
+ if len(data) > default_max_compressed_size:
+ raise InvalidJWEData(
+ 'Compressed data exceeds maximum allowed'
+ 'size' + f' ({default_max_compressed_size})')
self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
elif compress is None:
self.plaintext = data
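Review bot: The new guard bounds only the compressed input, so `zlib.decompress(data, -zlib.MAX_WBITS)` can still allocate far more than the limit suggests. Deflate can expand by roughly three orders of magnitude, so a payload just under 256 KiB may inflate to hundreds of megabytes. Bounding the output with a decompress object and a maximum output length would close that gap; the limit name in the fence below is a placeholder that this patch does not define. Separately, the adjacent literals `'Compressed data exceeds maximum allowed'` and `'size'` join without a space, so the message reads "allowedsize (262144)". The enclosing method starts and ends outside this hunk.

```python
if compress == 'DEF':
    if len(data) > default_max_compressed_size:
        raise InvalidJWEData(
            'Compressed data exceeds maximum allowed '
            f'size ({default_max_compressed_size})')
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    # max_plaintext_size is a placeholder for a new output limit
    self.plaintext = inflater.decompress(data, max_plaintext_size)
    # eof stays False when the output cap was hit or the stream is truncated
    if inflater.unconsumed_tail or not inflater.eof:
        raise InvalidJWEData(
            'Decompressed data exceeds maximum allowed size '
            'or stream is incomplete')
# … unchanged: elif compress is None branch …
```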
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto/jwk.py
new/jwcrypto-1.5.6/jwcrypto/jwk.py
--- old/jwcrypto-1.5.1/jwcrypto/jwk.py 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto/jwk.py 2024-03-06 20:46:25.000000000 +0100
@@ -11,7 +11,7 @@
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric import rsa
-from deprecated import deprecated
+from typing_extensions import deprecated
from jwcrypto.common import JWException
from jwcrypto.common import base64url_decode, base64url_encode
@@ -764,13 +764,13 @@
return self.get('kty') == 'oct'
@property
- @deprecated
+ @deprecated('')
def key_type(self):
"""The Key type"""
return self.get('kty')
@property
- @deprecated
+ @deprecated('')
def key_id(self):
"""The Key ID.
Provided by the kid parameter if present, otherwise returns None.
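Review bot: `@deprecated('')` passes an empty message, so the runtime `DeprecationWarning` and any type-checker diagnostic give callers no hint about what to use instead. This applies to `key_type` and `key_id` here, to `key_curve` and `get_curve` in the next jwk.py hunk, and to `JWTMissingKeyID` in jwt.py. `typing_extensions.deprecated` takes the message as its required argument, so this is the place to name the replacement. Since the body of `key_type` just returns `self.get('kty')`, something like `@deprecated("Use get('kty') instead")` looks right, but the maintainers should confirm the intended replacement for each member. The class these properties belong to starts outside the hunk.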
@@ -778,14 +778,14 @@
return self.get('kid')
@property
- @deprecated
+ @deprecated('')
def key_curve(self):
"""The Curve Name."""
if self.get('kty') not in ['EC', 'OKP']:
raise InvalidJWKType('Not an EC or OKP key')
return self.get('crv')
- @deprecated
+ @deprecated('')
def get_curve(self, arg):
"""Gets the Elliptic Curve associated with the key.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto/jwt.py
new/jwcrypto-1.5.6/jwcrypto/jwt.py
--- old/jwcrypto-1.5.1/jwcrypto/jwt.py 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto/jwt.py 2024-03-06 20:46:25.000000000 +0100
@@ -4,7 +4,7 @@
import time
import uuid
-from deprecated import deprecated
+from typing_extensions import deprecated
from jwcrypto.common import JWException, JWKeyNotFound
from jwcrypto.common import json_decode, json_encode
@@ -123,7 +123,7 @@
super(JWTInvalidClaimFormat, self).__init__(msg)
-@deprecated
+@deprecated('')
class JWTMissingKeyID(JWException):
"""JSON Web Token is missing key id.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto/tests.py
new/jwcrypto-1.5.6/jwcrypto/tests.py
--- old/jwcrypto-1.5.1/jwcrypto/tests.py 2023-12-26 20:50:49.000000000
+0100
+++ new/jwcrypto-1.5.6/jwcrypto/tests.py 2024-03-06 20:46:25.000000000
+0100
@@ -2111,6 +2111,32 @@
jwa.default_max_pbkdf2_iterations += 2
p2cenc.add_recipient(key)
+ def test_jwe_decompression_max(self):
+ key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
+ payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
+ + "u" * 400000000 + '"}'
+ protected_header = {
+ "alg": "A128KW",
+ "enc": "A128GCM",
+ "typ": "JWE",
+ "zip": "DEF",
+ }
+ enc = jwe.JWE(payload.encode('utf-8'),
+ recipient=key,
+ protected=protected_header).serialize(compact=True)
+ with self.assertRaises(jwe.InvalidJWEData):
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+
+ defmax = jwe.default_max_compressed_size
+ jwe.default_max_compressed_size = 1000000000
+ # ensure we can eraise the limit and decrypt
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+ jwe.default_max_compressed_size = defmax
+
class JWATests(unittest.TestCase):
def test_jwa_create(self):
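Review bot: `test_jwe_decompression_max` restores `jwe.default_max_compressed_size` only on its last line. If the second `check.decrypt(key)` raises, the raised limit of 1000000000 leaks into every later test in the process. Registering the restore up front avoids that: `self.addCleanup(setattr, jwe, 'default_max_compressed_size', defmax)`. The payload is built from two runs of 400000000 characters, so the test holds several hundred megabytes in memory before encryption starts; a payload sized just past the limit would exercise the same branch at far lower cost. The second half asserts nothing about `check.payload`, and the comment has a typo ("eraise").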
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto.egg-info/PKG-INFO
new/jwcrypto-1.5.6/jwcrypto.egg-info/PKG-INFO
--- old/jwcrypto-1.5.1/jwcrypto.egg-info/PKG-INFO 2023-12-26
20:51:00.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto.egg-info/PKG-INFO 2024-03-06
20:58:26.000000000 +0100
@@ -1,20 +1,19 @@
Metadata-Version: 2.1
Name: jwcrypto
-Version: 1.5.1
+Version: 1.5.6
Summary: Implementation of JOSE Web standards
Home-page: https://github.com/latchset/jwcrypto
Maintainer: JWCrypto Project Contributors
Maintainer-email: [email protected]
License: LGPLv3+
-Classifier: Programming Language :: Python :: 3.6
-Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: >= 3.6
+Requires-Python: >= 3.8
Description-Content-Type: text/markdown
License-File: LICENSE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/jwcrypto.egg-info/requires.txt
new/jwcrypto-1.5.6/jwcrypto.egg-info/requires.txt
--- old/jwcrypto-1.5.1/jwcrypto.egg-info/requires.txt 2023-12-26
20:51:00.000000000 +0100
+++ new/jwcrypto-1.5.6/jwcrypto.egg-info/requires.txt 2024-03-06
20:58:26.000000000 +0100
@@ -1,2 +1,2 @@
cryptography>=3.4
-deprecated
+typing_extensions>=4.5.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/setup.py new/jwcrypto-1.5.6/setup.py
--- old/jwcrypto-1.5.1/setup.py 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/setup.py 2024-03-06 20:46:25.000000000 +0100
@@ -26,11 +26,10 @@
long_description=long_description,
long_description_content_type='text/markdown',
classifiers = [
- 'Programming Language :: Python :: 3.6',
- 'Programming Language :: Python :: 3.7',
'Programming Language :: Python :: 3.8',
'Programming Language :: Python :: 3.9',
'Programming Language :: Python :: 3.10',
+ 'Programming Language :: Python :: 3.11',
'Intended Audience :: Developers',
'Topic :: Security',
'Topic :: Software Development :: Libraries :: Python Modules'
@@ -38,7 +37,7 @@
data_files = [('share/doc/jwcrypto', ['LICENSE', 'README.md'])],
install_requires = [
'cryptography >= 3.4',
- 'deprecated',
+ 'typing_extensions >= 4.5.0',
],
- python_requires = '>= 3.6',
+ python_requires = '>= 3.8',
)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/jwcrypto-1.5.1/tox.ini new/jwcrypto-1.5.6/tox.ini
--- old/jwcrypto-1.5.1/tox.ini 2023-12-26 20:50:49.000000000 +0100
+++ new/jwcrypto-1.5.6/tox.ini 2024-03-06 20:46:25.000000000 +0100
@@ -1,5 +1,5 @@
[tox]
-envlist = lint,py36,py37,py38,py39,py310,pep8,doc,sphinx,doctest
+envlist = lint,py38,py39,py310,py311,pep8,doc,sphinx,doctest
skip_missing_interpreters = true
[testenv]
@@ -16,7 +16,7 @@
{envpython} -m coverage report -m
[testenv:lint]
-basepython = python3.10
+basepython = python3.11
deps =
pylint
#sitepackages = True
@@ -24,7 +24,7 @@
{envpython} -m pylint -d c,r,i,W0613 -r n -f colorized --notes=
--disable=star-args ./jwcrypto
[testenv:pep8]
-basepython = python3.10
+basepython = python3.11
deps =
flake8
flake8-import-order
@@ -37,13 +37,13 @@
doc8
docutils
markdown
-basepython = python3.10
+basepython = python3.11
commands =
doc8 --allow-long-titles README.md
markdown_py README.md -f {toxworkdir}/README.md.html
[testenv:sphinx]
-basepython = python3.10
+basepython = python3.11
changedir = docs/source
deps =
sphinx
@@ -51,7 +51,7 @@
sphinx-build -n -v -W -b html -d {envtmpdir}/doctrees . {envtmpdir}/html
[testenv:doctest]
-basepython = python3.10
+basepython = python3.11
changedir = docs/source
deps =
sphinx
@@ -59,7 +59,7 @@
sphinx-build -v -W -b doctest -d {envtmpdir}/doctrees . {envtmpdir}/doctest
[testenv:codespell]
-basepython = python3.10
+basepython = python3.11
deps =
codespell
commands =