Update dependency idna to v3 [SECURITY] #1

Merged
timatlee merged 1 commit from renovate/pypi-idna-vulnerability into main 2024-06-11 18:39:48 -06:00

This PR contains the following updates:

Package | Update | Change
idna (https://github.com/kjd/idna; changelog: https://github.com/kjd/idna/blob/master/HISTORY.rst) | major | ==2.10 -> ==3.7

Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode

CVE-2024-3651 (https://nvd.nist.gov/vuln/detail/CVE-2024-3651) / GHSA-jjg7-2v4v-x38h (https://github.com/advisories/GHSA-jjg7-2v4v-x38h)

More information

Details

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length. If this length limit is enforced before the domain is passed to the idna.encode() function, the call should no longer consume significant resources. The issue is triggered by arbitrarily large inputs that would not occur in normal usage, but which may reach the library when the higher-level application performs no preliminary input validation.

References

  • https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb

Severity

  • CVSS Score: 6.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

  • https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
  • https://github.com/kjd/idna

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-jjg7-2v4v-x38h) and the GitHub Advisory Database (https://github.com/github/advisory-database) (CC-BY 4.0).


Release Notes

kjd/idna (idna)

v3.7 (https://github.com/kjd/idna/releases/tag/v3.7)

Compare Source: https://github.com/kjd/idna/compare/v3.6...v3.7

What's Changed

  • Fix issue where specially crafted inputs to encode() could take an exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7

v3.6

Compare Source: https://github.com/kjd/idna/compare/v3.5...v3.6

v3.5

Compare Source: https://github.com/kjd/idna/compare/v3.4...v3.5

v3.4

Compare Source: https://github.com/kjd/idna/compare/v3.3...v3.4

v3.3

Compare Source: https://github.com/kjd/idna/compare/v3.2...v3.3

v3.2

Compare Source: https://github.com/kjd/idna/compare/v3.1...v3.2

v3.1

Compare Source: https://github.com/kjd/idna/compare/v3.0...v3.1

v3.0

Compare Source: https://github.com/kjd/idna/compare/v2.10...v3.0


Configuration

📅 Schedule: Branch creation - "" in timezone America/Edmonton, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
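The length guard that the advisory's Workarounds section recommends (reject anything over 253 characters before it reaches idna.encode()), written out as an added example. This is not code from the idna project or from this repository; the function and exception names are my own, the input is assumed to be a str, and the idna package is assumed to be importable only for the encode path (the guard itself uses the standard library alone). The sample inputs at the bottom are constructed.

```python
"""
Pre-validation guard in front of idna.encode(), following the advisory's
workaround. Added example, not part of the idna project or this repository.
"""

MAX_HOSTNAME_LEN = 253   # RFC 1035: 255 octets on the wire, 253 in dotted text form
MAX_LABEL_LEN = 63       # RFC 1035: each label is at most 63 octets

try:
    import idna
except ImportError:      # assumption: idna may be absent; the guard still works
    idna = None


class HostnameTooLong(ValueError):
    """Raised when a name is refused before reaching idna.encode()."""


def check_hostname_length(name: str) -> str:
    """Reject names that cannot be valid hostnames on length alone.

    The checks run on the Unicode input, before any IDNA processing.
    Punycode output is never shorter than its input (ASCII code points are
    copied through and every non-ASCII code point emits at least one digit),
    so an input that already breaks the 253/63 limits cannot encode to a
    valid name and is safe to refuse without doing the expensive work.
    """
    if not isinstance(name, str):
        raise TypeError("hostname must be str")
    # A single trailing dot marks a fully qualified name and does not count.
    bare = name[:-1] if name.endswith(".") else name
    # Cheapest check first: total length, before any splitting.
    if len(bare) > MAX_HOSTNAME_LEN:
        raise HostnameTooLong(
            f"hostname is {len(bare)} characters, limit is {MAX_HOSTNAME_LEN}"
        )
    for label in bare.split("."):
        if len(label) > MAX_LABEL_LEN:
            raise HostnameTooLong(
                f"label {label[:16]!r}... is {len(label)} characters, "
                f"limit is {MAX_LABEL_LEN}"
            )
    return name


def safe_idna_encode(name: str) -> bytes:
    """Length-check first, then hand the name to idna.encode()."""
    checked = check_hostname_length(name)
    if idna is None:
        raise RuntimeError("the idna package is not installed")
    return idna.encode(checked)


def is_acceptable(name: str) -> bool:
    """Yes/no form of the guard for callers that do not want exceptions."""
    try:
        check_hostname_length(name)
    except HostnameTooLong:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a plain name, an IDN with a trailing dot, an
    # over-long label, and an oversized blob of the kind the advisory describes.
    samples = ["example.com", "bücher.example.", "a" * 64 + ".example", "x" * 100_000]
    for candidate in samples:
        print(f"{candidate[:32]!r:40} -> {is_acceptable(candidate)}")
```

Put the guard at the trust boundary (request parsing, config loading), not next to every idna.encode() call; the point of the workaround is that the library never sees the oversized string, and a 253-character cap is a necessary condition for a valid hostname regardless of which idna version is installed.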

renovate-bot added 1 commit 2024-06-11 08:40:59 -06:00
timatlee merged commit a781f2cd80 into main 2024-06-11 18:39:48 -06:00
Reference: timatlee/cloudflare-ddns-docker-updated#1