Bump pyo3 from 0.13.2 to 0.17.3 in /src/rust #91

dependabot · 2022-11-02T09:44:26Z

Bumps pyo3 from 0.13.2 to 0.17.3.

Release notes

PyO3 0.17.3

This release confirms support for Python 3.11 in PyO3.

(Previous versions of PyO3 0.17 had been tested against release candidates of Python 3.11 and no Python 3.11 fixes have been added since 0.17.0, so all PyO3 0.17 versions should in practice be fine to use with Python 3.11.)

In addition, some other small additions and fixes have been added on top of PyO3 0.17.2.

Thank you to the following users for the improvements:

@adamreichold @ctb @datapythonista @davidhewitt @messense @saethlin

PyO3 0.17.2

This release contains non-breaking improvements and bugfixes over PyO3 0.17.1.

A new chrono feature has been added to support converting from types in chrono to types in the Python datetime module. The num-bigint feature has been expanded to add support to PyPy.

There has also been fixes for a couple of regressions observed in PyO3 0.17.

Thank you to the following users for the improvements:

@adamreichold @AdilZouitine @davidhewitt @messense @mrob95 @Oppen @prehner @Psykopear @ryanrussell @smheidrich @SquidDev

PyO3 0.17.1

This release contains some minor bug fixes for PyO3 0.17.0. In particular the new PyDictItems, PyDictKeys and PyDictValues types are actually accessible!

Thanks to @davidhewitt, @messense and @PrettyWood for the fixes.

PyO3 0.17.0

This release contains a focus on quality improvements over the PyO3 0.16 releases.

There have been new API types added such as PyDictKeys, PyDictValues, PyDictItems, PyCode, PyFrame, and PySuper. The PyMapping and PySequence types have changed so they are more directly compatible with the corresponding Python Mapping and Sequence base classes in the collections.abc module (this is a breaking change).

A new #[pyclass(frozen)] option has been added to opt-out of runtime borrow checking by removing the ability to access &mut self for objects owned by Python.

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.17.3] - 2022-11-01

Packaging

Support Python 3.11. (Previous versions of PyO3 0.17 have been tested against Python 3.11 release candidates and are expected to be compatible, this is the first version tested against Python 3.11.0.) #2708

Added

Implemented ExactSizeIterator for PyListIterator, PyDictIterator, PySetIterator and PyFrozenSetIterator. #2676

Fixed

Fix regression of impl FromPyObject for [T; N] no longer accepting types passing PySequence_Check, e.g. NumPy arrays, since version 0.17.0. This the same fix that was applied impl FromPyObject for Vec<T> in version 0.17.1 extended to fixed-size arrays. #2675

Fix UB in FunctionDescription::extract_arguments_fastcall due to creating slices from a null pointer. #2687

[0.17.2] - 2022-10-04

Packaging

Added optional chrono feature to convert chrono types into types in the datetime module. #2612

Added

Add support for num-bigint feature on PyPy. #2626

Fixed

Correctly implement __richcmp__ for enums, fixing __ne__ returning always returning True. #2622

Fix compile error since 0.17.0 with Option<&SomePyClass> argument with a default. #2630

Fix regression of impl FromPyObject for Vec<T> no longer accepting types passing PySequence_Check, e.g. NumPy arrays, since 0.17.0. #2631

[0.17.1] - 2022-08-28

Fixed

Fix visibility of PyDictItems, PyDictKeys, and PyDictValues types added in PyO3 0.17.0.

Fix compile failure when using #[pyo3(from_py_with = "...")] attribute on an argument of type Option<T>. #2592

Fix clippy redundant-closure lint on **kwargs arguments for #[pyfunction] and #[pymethods]. #2595

[0.17.0] - 2022-08-23

Packaging

Update inventory dependency to 0.3 (the multiple-pymethods feature now requires Rust 1.62 for correctness). #2492

Added

Add timezone_utc. #1588

Implement ToPyObject for [T; N]. #2313

... (truncated)

Commits

a3edbf4 release: 0.17.3
062470a Fix module name in getting started
5bbd21c Disable PyModule::filename on PyPy
522ac1c Run Rust tests using Valgrind and cargo-careful (#2706)
47540b8 packaging: support Python 3.11
64f52c6 add internal release notes
8088af3 Avoid calling slice::from_raw_parts with a null pointer
b6f17aa Update getting_started.md
7647b70 Point new users at specific source file for Rust code.
e48525f Add more implementations of ExactSizeIterator when iterating built-in Python ...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.13.2 to 0.17.3. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](PyO3/pyo3@v0.13.2...v0.17.3) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

guardrails · 2022-11-02T09:49:46Z

⚠️ We detected 56 security issues in this pull request:

Mode: paranoid | Total findings: 56 | Considered vulnerability: 56

Insecure Use of Dangerous Function (4)

Docs

Details

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 532 in 4ffdd63

strcpy((char *)p, name);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 334 in 4ffdd63

char dest[1];

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 210 in 4ffdd63

n = (int)read(fd, buffer, (size_t)size);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 522 in 4ffdd63

len = strlen(name);

More info on how to fix Insecure Use of Dangerous Function in C/C++.

Insecure Access Control (1)

Docs

Details

💡

Title: Use of dangerous functions, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 106 in 4ffdd63

int fd = open(path, open_flags);

More info on how to fix Insecure Access Control in C/C++.

Vulnerable Libraries (1)

Severity	Details
N/A	pkg:cargo/[email protected]@0.4.19 (t) - no patch available

More info on how to fix Vulnerable Libraries in Rust.

Hard-Coded Secrets (50)

Docs

Details

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt

Line 4 in 4ffdd63

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DSA/FIPS_186-2/KeyPair.rsp

Line 21 in 4ffdd63

X = AC5862F9B6CD0B2E68B8784199A9883A94C10079

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt

Line 21 in 4ffdd63

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡