Chore(deps): [security] bump idna from 3.6 to 3.7
Bumps idna from 3.6 to 3.7. This update includes a security fix.
Vulnerabilities fixed
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
Impact
A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial of service.

Patches
The function has been refined to reject such strings without the associated resource consumption in version 3.7.
Workarounds
Domain names cannot exceed 253 characters in length; if this length limit is enforced prior to passing the domain to the idna.encode() function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

References
Patched versions: 3.7
Affected versions: < 3.7
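The workaround described above, as an added example that is not code from this PR or from the idna project: a length gate placed in front of idna.encode() so that an oversized string never reaches the encoder. It assumes the 253-character total limit stated in the advisory and adds a 63-character per-label limit taken from RFC 1035 (not mentioned in the advisory); the fallback to the standard-library 'idna' codec exists only so the snippet runs when the idna package is not installed, and is not a substitute for the library in production.

```python
# Added example for this PR; not code from the idna project.
# Enforces the advisory's 253-character limit before calling idna.encode().

MAX_DOMAIN_LENGTH = 253  # advisory workaround: reject longer input before encoding
MAX_LABEL_LENGTH = 63    # assumption: RFC 1035 label limit, not part of the advisory


class DomainTooLong(ValueError):
    """Raised when a domain name exceeds the configured length limits."""


def check_domain_length(domain: str) -> str:
    """Return `domain` unchanged if it is within limits, else raise DomainTooLong.

    A single trailing dot (fully-qualified form) is not counted toward the
    253-character limit, matching how the textual limit is usually stated.
    """
    counted = domain[:-1] if domain.endswith(".") else domain
    if len(counted) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain is {len(counted)} characters, limit is {MAX_DOMAIN_LENGTH}"
        )
    for label in counted.split("."):
        if len(label) > MAX_LABEL_LENGTH:
            raise DomainTooLong(
                f"label {label[:16]!r}... is {len(label)} characters, "
                f"limit is {MAX_LABEL_LENGTH}"
            )
    return domain


def _default_encoder():
    """Prefer idna.encode (the library this PR bumps to 3.7).

    If the package is not installed, fall back to the standard-library 'idna'
    codec (IDNA 2003) purely so the example still runs offline.
    """
    try:
        import idna
    except ImportError:
        return lambda name: name.encode("idna")
    return idna.encode


def safe_encode(domain: str, encoder=None) -> bytes:
    """Length-check the raw input first, then encode it.

    Because the check runs before the encoder is even selected, an arbitrarily
    large string is rejected without any IDNA processing taking place.
    """
    check_domain_length(domain)
    if encoder is None:
        encoder = _default_encoder()
    return encoder(domain)


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    print(safe_encode("bücher.example"))  # b'xn--bcher-kva.example'
    oversized = ".".join(["a" * 60] * 5)  # 304 characters: rejected before encoding
    try:
        safe_encode(oversized)
    except DomainTooLong as exc:
        print("rejected:", exc)
```

The gate belongs at the trust boundary where the domain string enters the application (request parsing, config loading), so that every later call into idna sees bounded input; upgrading to 3.7 removes the underlying cost, but the length check is cheap and remains a sensible validation step regardless of the library version in use.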
Release notes
Sourced from idna's releases.
v3.7
What's Changed
- Fix issue where specially crafted inputs to encode() could take an exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7
Changelog
Sourced from idna's changelog.
3.7 (2024-04-11)
- Fix issue where specially crafted inputs to encode() could take an exceptionally long amount of time to process. [CVE-2024-3651]
Thanks to Guido Vranken for reporting the issue.
Commits
- 1d365e1 Release v3.7
- c1b3154 Merge pull request #172 from kjd/optimize-contextj
- 0394ec7 Merge branch 'master' into optimize-contextj
- cd58a23 Merge pull request #152 from elliotwutingfeng/dev
- 5beb28b More efficient resolution of joiner contexts
- 1b12148 Update ossf/scorecard-action to v2.3.1
- d516b87 Update Github actions/checkout to v4
- c095c75 Merge branch 'master' into dev
- 60a0a4c Fix typo in GitHub Actions workflow key
- 5918a0e Merge branch 'master' into dev
- Additional commits viewable in compare view