2.7.1 RC2

CHANGELOG.md

@@ -20,6 +20,62 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 ### Fixed
 - Import in `licensing_manager.py`.
 - Type of global `logger` and `connect` variable.
+### Security
+- Set higher minimum version `2.31.0` for `requests`, as vulnerabilities were found in earlier versions:
+  - CVE-2023-32681, Score: 6.1 (Medium)
+    - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+      redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+      `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+      the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+      over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+      into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+      unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+      versions 2.3.0 through 2.30.0.
+    - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
+- Set higher minimum version `2.5.1` for `unicorn-binance-rest-api` are affected by vulnerabilities in used dependencies! 
+  - Dependency `certifi`:
+    - CVE-2023-37920, Score: 9.8 (High)
+      - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while 
+        verifying the identity of TLS hosts. Certifi 1.0.1 through 2023.5.7 recognizes "e-Tugra" root certificates. 
+        e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their 
+        systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-37920/
+  - Dependency `cryptography`:
+    - CVE-2023-38325, Score: 7.5 (High)
+      - The cryptography package versions prior to 41.0.2 for Python mishandles SSH certificates that have critical 
+        options.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-38325/
+    - CVE-2023-49083, Score: 7.5 (High)
+      - Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling 
+        `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and 
+        segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application 
+        attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system 
+        availability and stability. This issue affects versions 3.1 through 41.0.5.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-49083/
+    - CVE-2023-50782, Score: 7.5 (High)
+      - A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote 
+        attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of 
+        confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-50782/
+    - CVE-2024-26130, Score: 7.5 (High)
+      - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting 
+        in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a 
+        certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` 
+        set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, 
+        crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` 
+        is properly raised.
+      - https://devhub.checkmarx.com/cve-details/CVE-2024-26130/
+  - Dependency  `requests`:
+    - CVE-2023-32681, Score: 6.1 (Medium)
+      - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+        redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+        `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+        the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+        over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+        into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+        unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+        versions 2.3.0 through 2.30.0.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
 
 ## 2.7.0
 ### Added

dev/sphinx/source/changelog.md

@@ -20,6 +20,62 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 ### Fixed
 - Import in `licensing_manager.py`.
 - Type of global `logger` and `connect` variable.
+### Security
+- Set higher minimum version `2.31.0` for `requests`, as vulnerabilities were found in earlier versions:
+  - CVE-2023-32681, Score: 6.1 (Medium)
+    - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+      redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+      `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+      the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+      over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+      into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+      unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+      versions 2.3.0 through 2.30.0.
+    - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
+- Set higher minimum version `2.5.1` for `unicorn-binance-rest-api` are affected by vulnerabilities in used dependencies! 
+  - Dependency `certifi`:
+    - CVE-2023-37920, Score: 9.8 (High)
+      - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while 
+        verifying the identity of TLS hosts. Certifi 1.0.1 through 2023.5.7 recognizes "e-Tugra" root certificates. 
+        e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their 
+        systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-37920/
+  - Dependency `cryptography`:
+    - CVE-2023-38325, Score: 7.5 (High)
+      - The cryptography package versions prior to 41.0.2 for Python mishandles SSH certificates that have critical 
+        options.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-38325/
+    - CVE-2023-49083, Score: 7.5 (High)
+      - Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling 
+        `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and 
+        segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application 
+        attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system 
+        availability and stability. This issue affects versions 3.1 through 41.0.5.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-49083/
+    - CVE-2023-50782, Score: 7.5 (High)
+      - A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote 
+        attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of 
+        confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-50782/
+    - CVE-2024-26130, Score: 7.5 (High)
+      - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting 
+        in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a 
+        certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` 
+        set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, 
+        crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` 
+        is properly raised.
+      - https://devhub.checkmarx.com/cve-details/CVE-2024-26130/
+  - Dependency  `requests`:
+    - CVE-2023-32681, Score: 6.1 (Medium)
+      - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+        redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+        `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+        the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+        over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+        into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+        unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+        versions 2.3.0 through 2.30.0.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
 
 ## 2.7.0
 ### Added

docs/_modules/index.html

@@ -254,7 +254,7 @@ <h3>Navigation</h3>
     <a href="https://docs.lucit.tech">Index of all LUCIT Software Documentation</a><br />
     &copy; <a href="/license.html">Copyright</a> 2023-2023, LUCIT Systems and Development. All Rights Reserved..
     See <a href="/license.html">License</a> for more information.<br />
-    Last updated on May 14 2024 at 21:10 (CET).
+    Last updated on May 14 2024 at 21:34 (CET).
     <a href="https://github.com/LUCIT-Systems-and-Development/unicorn-binance-websocket-api/issues/new/choose">Found a bug</a>?
     <br />
     Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 7.2.6.

docs/_modules/unicorn_binance_websocket_api/manager.html

@@ -208,7 +208,7 @@ <h1>Source code for unicorn_binance_websocket_api.manager</h1><div class="highli
 
 
 <span class="n">__app_name__</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">&quot;unicorn-binance-websocket-api&quot;</span>
-<span class="n">__version__</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">&quot;2.7.1&quot;</span>
+<span class="n">__version__</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">&quot;2.7.1.dev&quot;</span>
 <span class="n">__logger__</span><span class="p">:</span> <span class="n">logging</span><span class="o">.</span><span class="n">getLogger</span> <span class="o">=</span> <span class="n">logging</span><span class="o">.</span><span class="n">getLogger</span><span class="p">(</span><span class="s2">&quot;unicorn_binance_websocket_api&quot;</span><span class="p">)</span>
 
 <span class="n">logger</span> <span class="o">=</span> <span class="n">__logger__</span>
@@ -5428,7 +5428,7 @@ <h3>Navigation</h3>
     <a href="https://docs.lucit.tech">Index of all LUCIT Software Documentation</a><br />
     &copy; <a href="/license.html">Copyright</a> 2023-2023, LUCIT Systems and Development. All Rights Reserved..
     See <a href="/license.html">License</a> for more information.<br />
-    Last updated on May 14 2024 at 21:10 (CET).
+    Last updated on May 14 2024 at 21:34 (CET).
     <a href="https://github.com/LUCIT-Systems-and-Development/unicorn-binance-websocket-api/issues/new/choose">Found a bug</a>?
     <br />
     Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 7.2.6.

docs/_sources/changelog.md.txt

@@ -20,6 +20,62 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 ### Fixed
 - Import in `licensing_manager.py`.
 - Type of global `logger` and `connect` variable.
+### Security
+- Set higher minimum version `2.31.0` for `requests`, as vulnerabilities were found in earlier versions:
+  - CVE-2023-32681, Score: 6.1 (Medium)
+    - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+      redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+      `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+      the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+      over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+      into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+      unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+      versions 2.3.0 through 2.30.0.
+    - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
+- Set higher minimum version `2.5.1` for `unicorn-binance-rest-api` are affected by vulnerabilities in used dependencies! 
+  - Dependency `certifi`:
+    - CVE-2023-37920, Score: 9.8 (High)
+      - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while 
+        verifying the identity of TLS hosts. Certifi 1.0.1 through 2023.5.7 recognizes "e-Tugra" root certificates. 
+        e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their 
+        systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-37920/
+  - Dependency `cryptography`:
+    - CVE-2023-38325, Score: 7.5 (High)
+      - The cryptography package versions prior to 41.0.2 for Python mishandles SSH certificates that have critical 
+        options.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-38325/
+    - CVE-2023-49083, Score: 7.5 (High)
+      - Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling 
+        `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and 
+        segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application 
+        attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system 
+        availability and stability. This issue affects versions 3.1 through 41.0.5.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-49083/
+    - CVE-2023-50782, Score: 7.5 (High)
+      - A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote 
+        attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of 
+        confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-50782/
+    - CVE-2024-26130, Score: 7.5 (High)
+      - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting 
+        in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a 
+        certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` 
+        set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, 
+        crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` 
+        is properly raised.
+      - https://devhub.checkmarx.com/cve-details/CVE-2024-26130/
+  - Dependency  `requests`:
+    - CVE-2023-32681, Score: 6.1 (Medium)
+      - Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when 
+        redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the 
+        `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify 
+        the header in the request itself and remove it prior to forwarding to the destination server. However when sent 
+        over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility 
+        into the tunneled request. This results in Requests forwarding proxy credentials to the destination server 
+        unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects 
+        versions 2.3.0 through 2.30.0.
+      - https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
 
 ## 2.7.0
 ### Added