Update dependency azure-storage-blob to v12.13.0 [SECURITY] #621
This PR contains the following updates:
azure-storage-blob: ==12.4.0 -> ==12.13.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-30187
Summary
The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode.
Severity
Moderate - The vulnerability poses insider risks/privilege escalation risks, circumventing controls for stored data.
Further Analysis
The Java Azure Blob Storage Encryption SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the container in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.
This advisory describes the plaintext revealing vulnerabilities in the Java Azure Blob Storage Encryption SDK, with a similar issue in the other blob storage SDKs being present as well.
In the current version of the Azure Blob Storage crypto SDK, the only algorithm option that allows users to encrypt files is AES-CBC, without computing a MAC on the data.
This exposes a padding oracle vulnerability: If the attacker has write access to the blob container bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) 128*length(plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.
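To make the two halves of that paragraph concrete, here is an added Go illustration; it is not code from the advisory, the azure-storage-blob SDK or this PR. It builds the shape the advisory describes (AES-CBC with PKCS#7 padding and no MAC) next to the same ciphertext under encrypt-then-MAC with HMAC-SHA256, and runs a hypothetical check, acceptedTamperings, that counts how many of the 255 single-byte modifications at one position each decryptor accepts. Keys, IV and message are constructed constants chosen so the run is deterministic. With CBC alone, every modification to block 0 is accepted (the ciphertext is malleable, which is the message forgery the advisory mentions) and exactly one modification to the byte that steers the final padding byte is accepted, so accept/reject is an observable signal. With the tag verified first, both counts are zero and the decryptor has a single failure mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo material, fixed so the run is deterministic; real code uses a per-object key and a fresh random IV.
var (
	encKey     = []byte("0123456789abcdef0123456789abcdef")             // 32 bytes: AES-256
	macKey     = []byte("fedcba9876543210fedcba9876543210")             // separate key for the HMAC
	iv         = []byte("constructed-iv16")                             // 16 bytes
	plaintext  = []byte("padding oracle demo: AES-CBC without a MAC!") // 43 bytes: 3 blocks, 5 bytes of padding
	ErrPadding = errors.New("invalid padding")                          // observable on the unauthenticated path: the oracle
	ErrAuth    = errors.New("authentication failed")                    // the only error the authenticated path returns
)

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) is a non-zero multiple of the block size
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, ErrPadding
	}
	return b[:len(b)-p], nil
}

// encryptCBC: AES-CBC with PKCS#7 padding and nothing protecting integrity, the shape the advisory describes.
func encryptCBC(pt []byte) []byte {
	block, _ := aes.NewCipher(encKey) // key length is fixed above
	p := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(p)}, p)...) // PKCS#7 padding
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// decryptUnauthenticated decrypts, then checks padding; whether it errors is observable even when the plaintext is not.
func decryptUnauthenticated(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(encKey)
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func tagOf(ct []byte) []byte { // HMAC-SHA256 over iv||ct
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// sealEtM is encrypt-then-MAC: the tag is appended to the ciphertext.
func sealEtM(pt []byte) []byte {
	ct := encryptCBC(pt)
	return append(ct, tagOf(ct)...)
}

// openEtM checks the tag in constant time first; tampered data never reaches the padding check and every failure is ErrAuth.
func openEtM(sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < 0 || !hmac.Equal(tagOf(sealed[:n]), sealed[n:]) {
		return nil, ErrAuth
	}
	if pt, err := decryptUnauthenticated(sealed[:n]); err == nil {
		return pt, nil
	}
	return nil, ErrAuth // unreachable for authentic data; still never surface padding detail
}

// tamper returns a copy of data with the byte at pos XORed by delta.
func tamper(data []byte, pos int, delta byte) []byte {
	out := append([]byte{}, data...)
	out[pos] ^= delta
	return out
}

// acceptedTamperings counts how many of the 255 single-byte changes at pos the decryptor accepts; non-zero means accept/reject leaks.
func acceptedTamperings(open func([]byte) ([]byte, error), data []byte, pos int) int {
	n := 0
	for d := 1; d < 256; d++ {
		if _, err := open(tamper(data, pos, byte(d))); err == nil {
			n++
		}
	}
	return n
}

func main() {
	ct, sealed := encryptCBC(plaintext), sealEtM(plaintext)
	padPos := len(ct) - aes.BlockSize - 1 // last byte of the penultimate block steers the final padding byte
	fmt.Println("CBC only: accepted at block 0 =", acceptedTamperings(decryptUnauthenticated, ct, 3), "at pad byte =", acceptedTamperings(decryptUnauthenticated, ct, padPos))
	fmt.Println("CBC+HMAC: accepted at block 0 =", acceptedTamperings(openEtM, sealed, 3), "at pad byte =", acceptedTamperings(openEtM, sealed, padPos))
}
```

The structural point is the order of operations: integrity is verified before anything that depends on decrypted bytes, and every failure collapses into one indistinguishable error, so an endpoint built on openEtM reveals nothing about padding. An AEAD mode such as AES-GCM provides the same property in a single primitive.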
Timeline
Date reported: March 29 2022
Date preview: June 16 2022
Date GA: July 11 2022
Date disclosed: July 17 2022
Release Notes
Azure/azure-sdk-for-python (azure-storage-blob)

12.13.0 (2022-07-07)
Bugs Fixed
- delete_blobs by supplying version_id.

12.12.0 (2022-05-09)
Features Added
- upload_blob() and download_blob() via a new optional callback, progress_hook.
Bugs Fixed
- BlobClient.from_blob_url() such that users will receive a more helpful error message if they pass an incorrect URL without a full /container/blob path.
- an Account SAS with certain service level operations.

12.11.0 (2022-03-29)
Warning: This release involves a bug fix that may change the behavior for some users. In previous versions, the tag parameter on BlobSasPermissions defaulted to True, meaning a Blob SAS URL would include the t permission by default. This was not the intended behavior. This release adjusts BlobSasPermissions so the tag permission will default to False, like all other permissions.
Bugs Fixed
- BlobSasPermissions where the tag permission had a default value of True and therefore was being added to the SAS token by default.

12.10.0 (2022-03-08)
This version and all future versions will require Python 3.6+. Python 2.7 is no longer supported.
Stable release of preview features
- permanent_delete
- set_immutability_policy
- copy_from_url()
- Previously \uFFFE and \uFFFF would fail if present in blob name.
- find_blobs_by_tags() on a container.
- Find (f) container SAS permission.
Bugs Fixed
- upload_blob() from working with an OS pipe reader stream on Linux. (#23131)

12.9.0 (2021-09-15)
Stable release of preview features

12.8.1 (2021-04-20)
Fixes
- AccountName, AccountKey etc. in conn_str case insensitive
- exists() for CPK encrypted blobs (#18041)
- ThreadPoolExecutor (#8955)

12.8.0 (2021-03-01)
Stable release of preview features
- ContainerClient.exists() method
Fixes
- delete_blob() method signature (#15891)

12.7.1 (2021-01-20)
Fixes

12.7.0 (2021-01-13)
Stable release of preview features
- upload_blob_from_url api on BlobClient.
- AzureSasCredential to allow SAS rotation in long living clients.
Fixes

12.6.0 (2020-11-10)
Stable release of preview features
- ArrowDialect as output format of query_blob
- undelete_container on BlobServiceClient.
Fixes
Notes
- azure-core from azure-core<2.0.0,>=1.6.0 to azure-core<2.0.0,>=1.9.0 to get continuation_token attr on AzureError.

12.5.0 (2020-09-10)
New features
- exists method (#13221).
Fixes
- copy_blob_from_url, upload_blob_from_url etc (#13275).
- get_blob_properties response (#13287).

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.