Commit graph

9 commits

Author SHA1 Message Date
Samuel Dion-Girardeau
f377aa3ed2 Add support for Python 3.8 (#115)
* Remove Travis Python 3.7 hack

No longer necessary: 3.7 is supported out-of-the-box

* Add support for Python 3.8

And explicitly document in setup.py

* "Upgrade base Docker image to Python 3.8"a

* Add entry about py38 support in WIP changelog

* Explicitly declare python versions in setup.py

* Bump Werkzeug to 0.15.6

This is the latest 0.15 version. 0.16 might be incompatible

The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5):

> Fix a TypeError due to changes to ast.Module in Python 3.8.
2019-11-25 08:58:29 -08:00
dependabot[bot]
b3e1068c01
Bump werkzeug from 0.14.1 to 0.15.3
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.14.1 to 0.15.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/master/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/0.14.1...0.15.3)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-21 16:50:22 +00:00
Jon Parise
2aa7272a59
Upgrade to Jinja2 2.10.1 (#101)
This patch release fixes a security issue (CVE-2019-10906) involving
str.format_map.
2019-04-12 13:26:46 -07:00
Jon Parise
30db653f14 Upgrade to cryptography 2.3.1
This addresses CVE-2018-10903:

    A flaw was found in python-cryptography versions between >=1.9.0 and
    <2.3. The finalize_with_tag API did not enforce a minimum tag
    length. If a user did not validate the input length prior to passing
    it to finalize_with_tag an attacker could craft an invalid payload
    with a shortened tag (e.g. 1 byte) such that they would have a 1 in
    256 chance of passing the MAC check. GCM tag forgeries can cause key
    leakage.

... although snappass isn't affected because we doesn't use the
vulnerable `finalize_with_tag` API.
2018-10-31 09:39:18 -07:00
Samuel Dion-Girardeau
5981884cd2 Update all Python requirements to latest stable
All PyPI packages now have the latest version available.
2018-07-12 21:23:25 -04:00
Nicholas Charriere
75b6a6919f Make mock a requirement, not dev-requirement 2018-05-07 08:23:30 -07:00
Samuel Dion-Girardeau
dc6054f09c Encrypt passwords stored in Redis
Using symmetric encryption in the `cryptography`'s `Fernet` class,
we can ensure that no one can snoop the passwords simply by having access
to the Redis store.

An encryption key is sent to the secret receiver, along with the 32 character
Redis key that identifies the secret, which is needed to decrypt the password.
2017-05-11 21:28:22 -04:00
Samuel Dion-Girardeau
a8401434cb Bump flask to 0.11.1
One of the main advantages is the easy debug mode,
with autoreload capabilities.

Several other fixes & features:
http://flask.pocoo.org/docs/0.11/changelog/#version-0-11
2016-08-22 20:32:22 -04:00
Dave Dash
eefe2bdc76 Prepare snappass for distribution. 2013-10-05 23:10:50 -07:00