jwt-pq 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c0c45ba386fb98df768124e32529f0e0d80f574ddf0a0132e57e87a3ce94ea7a
4
- data.tar.gz: c6071071b4814e40c707179d575447b7d730a1a2a789ba1cee5bdf71929abb47
3
+ metadata.gz: 3e22fd166db5a77e02477a645fe843107a8615e89f5e33d914754495e28ac112
4
+ data.tar.gz: 8f1a3acd924b82fb720ecff5882ece4c9842fca6a0aab9cf3710d6b3783ad93b
5
5
  SHA512:
6
- metadata.gz: 96c10bfd04d93b946f634257b95427a64e39cf23d8a10f330b1b4bdc3d29e212d0a575ddb7486df7ab47d88bd8af73d21ac4ec2620507db9c5289e2bc5a2588b
7
- data.tar.gz: 88bc0b05ade5ab27f3dfa8b56d7f8bf3d8bb566145468e452c7a570db5db0e57ddabcc9ad452d86a48206633368675b83cf7a28d832f54a157cc80e75559464a
6
+ metadata.gz: 6b9711b89b4edf08e92e379ed6b821107abc0c89468ac8df9c54e97db862948a88f561ce4163deae149d813bcd2259cfdfba45b241985899ba9f2547d1dfce4c
7
+ data.tar.gz: 7dee45f2a9cd096881aaf2f6c8f29fa700b3b6f99419af409c817693d5cb5aaaec85f624fe752e03d9bc5cc5915f266d310961a21805d183d0123232a3ee98b5
data/CHANGELOG.md CHANGED
@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [0.6.1] - 2026-07-13
11
+
12
+ ### Security
13
+
14
+ - Bundled liboqs updated from 0.15.0 to [0.16.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.16.0), which patches five upstream security issues, including [CVE-2026-44518](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-wf7v-fhxj-73m2) and [GHSA-2wxh-55qf-c7wg](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-2wxh-55qf-c7wg) (moderate, out-of-bounds reads in XMSS/XMSS^MT signature verification). None of the patched code paths (XMSS/XMSS^MT, CROSS, FrodoKEM) are compiled into jwt-pq's ML-DSA-only build, so jwt-pq itself was not exposed; the bump keeps the bundled library on a supported upstream release (#57)
15
+
16
+ ### Dependencies
17
+
18
+ - Bump `codecov/codecov-action` from 6.0.1 to 7.0.0 (#49)
19
+ - Bump `actions/checkout` from 6.0.3 to 7.0.0 (#52)
20
+
10
21
  ## [0.6.0] - 2026-04-22
11
22
 
12
23
  ### Added
@@ -151,7 +162,8 @@ Throughput on Ruby 3.4.6, macOS x86_64, liboqs 0.15.0 (benchmark-ips, 2s warmup
151
162
  - Optional dependency on jwt-eddsa / ed25519
152
163
  - Error classes: `LiboqsError`, `KeyError`, `SignatureError`, `MissingDependencyError`
153
164
 
154
- [Unreleased]: https://github.com/marcelopazzo/jwt-pq/compare/v0.6.0...HEAD
165
+ [Unreleased]: https://github.com/marcelopazzo/jwt-pq/compare/v0.6.1...HEAD
166
+ [0.6.1]: https://github.com/marcelopazzo/jwt-pq/compare/v0.6.0...v0.6.1
155
167
  [0.6.0]: https://github.com/marcelopazzo/jwt-pq/compare/v0.5.1...v0.6.0
156
168
  [0.5.1]: https://github.com/marcelopazzo/jwt-pq/compare/v0.5.0...v0.5.1
157
169
  [0.5.0]: https://github.com/marcelopazzo/jwt-pq/compare/v0.4.0...v0.5.0
data/SECURITY.md CHANGED
@@ -38,7 +38,7 @@ Out of scope (report upstream):
38
38
 
39
39
  ## Upstream liboqs advisories
40
40
 
41
- jwt-pq bundles a pinned version of liboqs (see `LIBOQS_VERSION` in `ext/jwt/pq/extconf.rb`, currently **0.15.0**, integrity-checked against a SHA-256 of the source tarball).
41
+ jwt-pq bundles a pinned version of liboqs (see `LIBOQS_VERSION` in `ext/jwt/pq/extconf.rb`, currently **0.16.0**, integrity-checked against a SHA-256 of the source tarball).
42
42
 
43
43
  When [liboqs](https://github.com/open-quantum-safe/liboqs/security/advisories) publishes a security advisory affecting an algorithm we ship:
44
44
 
@@ -10,8 +10,8 @@ require "zlib"
10
10
  require "etc"
11
11
  require "tmpdir"
12
12
 
13
- LIBOQS_VERSION = "0.15.0"
14
- LIBOQS_SHA256 = "3983f7cd1247f37fb76a040e6fd684894d44a84cecdcfbdb90559b3216684b5c"
13
+ LIBOQS_VERSION = "0.16.0"
14
+ LIBOQS_SHA256 = "162d5b510518ee5f285f82fa1f16402a885176e818bf1b1a4c3c91c9a2f01eae"
15
15
  LIBOQS_URL = "https://github.com/open-quantum-safe/liboqs/archive/refs/tags/#{LIBOQS_VERSION}.tar.gz"
16
16
 
17
17
  PACKAGE_ROOT_DIR = File.expand_path("../../..", __dir__)
@@ -3,6 +3,6 @@
3
3
  module JWT
4
4
  module PQ
5
5
  # Current gem version.
6
- VERSION = "0.6.0"
6
+ VERSION = "0.6.1"
7
7
  end
8
8
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jwt-pq
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.6.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Marcelo Almeida