CVE-2022-3602

Advisory

Xknx 2.0.0 updates its dependency 'cryptography' to v38.0.3 to include security fixes.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Interface changes

- Removed `own_address` from `XKNX` class. `ConnectionConfig` `individual_address` can be used to set a source address for routing instead.
If set for a secure tunnelling connection, a tunnel with this IA will be read from the knxkeys file.
- Disable TelegramQueue rate limiting by default.
- Separate discovery multicast group from routing group. Add `multicast_group` and `multicast_port` `ConnectionConfig` parameters.

Connection and Discovery

- Use manually configured IP secure tunnel password over loading it from keyring.
- GatewayScanFilter now also matches secure enabled gateways by default. The `secure` argument as been replaced by `secure_tunnelling` and `secure_routing` arguments. When multiple methods are `True` a gateway is matched if one of them is supported. Non-secure methods don't match if secure is required for that gateway.
- Self description queries more information from Core v2 devices via SearchRequestExtended.

Features

- Add support for python 3.11
- Add methods to Keyring to get interfaces by individual address (host or tunnel).

Internal

- Remove `InterfaceWithUserIdNotFound` and `InvalidSignature` errors in favor of `InvalidSecureConfiguration`.
- Keyring: rename `load_key_ring` to `load_keyring` and make it a coroutine.

Management

- Fix APCI service parsing for 10bit control fileds.
- Set reasonable default count values for APCI classes.
- Set xknx.current_address for routing connections so management frames received over Routing are handled properly.
- Fix wrong length of AuthorizeRequest.
- Raise sane error messages in Management.

Bugfixes

- No mutable default arguments. Fixes unexpected behaviour like GatewayScanner not finding all interfaces.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602