Skip to content

Releases: amadejpapez/ApplSec

15.3

26 Dec 19:50
Compare
Choose a tag to compare

Added

  • Support for new security content page design (48a90fb) - Apple appears to have started a new page design on some older and newer releases

Previous:

Screenshot 2023-12-26 at 8 48 24 PM

New:

Screenshot 2023-12-26 at 8 49 26 PM

15.2

26 Dec 18:23
Compare
Choose a tag to compare

Added

  • Support for Rapid Security Response (RSR) updates
    • remove line break from RSR updates, example "Rapid Security Response\nmacOS Ventura 13.4.1 (a)" (f640f29)
    • RSR have a different security notes title (4071317)

Changed

  • New logo and screenshots. (6cb233f, e408226, 7c34da9) - I received an email from Apple and my Mastodon account got temporarily suspended, because I used their Apple Security logo and used "Apple" in my name (Apple Security Updates), which they considered copyright infringement and impersonation. After changes it got unsuspended. :)
  • beta updates should also contain RC updates (b3d5d4d)

Fixed

  • "(Details available soon.)" was not getting correctly removed as Apple sometimes used the dot or not, sometimes a different capitalization,... (4362aa9)
  • Apple sometimes spells RC out for some releases (766ce08)

Code

  • use dependabot grouping feature, to group all pip updates into one PR (4f39b43)

15.1

26 Jun 19:15
Compare
Choose a tag to compare

Changed

  • in zero-day posts, each CVE will now have releases sorted alphabetically

Fixed

  • upgrade security content links from http to https
  • remove   character from release names

Code

  • more and improved tests

15.0

13 Jun 13:45
Compare
Choose a tag to compare

Added

  • Bot now follows Apple Developer - Releases page. This allows for quicker posts about updates, before security contents is published. Posts about new updates should now be posted sooner, contain build numbers and beta software!
  • New Security Content and Entry Changes posts now contain, below each release name, a link to their security content. This should make it easier to access the said security content. For now only enabled for Mastodon, as it makes the post too long and then splits it into many tweets with each having around 2 or 3 releases.

Changed

  • New Releases or New Security Content post will now be made first, followed by others. Previously, everything was before (zero-days,...) and then New Security Content was the last post.
  • If a set of releases share multiple zero-days, they will be grouped together. Meaning CVE information separated by coma and then listed releases. This avoids same set of releases being repeated by different CVEs.
  • "NEW UPDATES RELEASED" posts now contain releases from RSS with build numbers. Previous "NEW UPDATES RELEASED" with "x bugs fixed" have been moved to "NEW SECURITY CONTENT".

Fixed

  • Twitter posts are now up to 280 characters, as previously it was set at max 250

Code

  • more and improved testing
  • various other moving around, renames and more

14.0

12 Apr 19:26
Compare
Choose a tag to compare

Added

  • catch releases with non-today release date, Apple sometimes adds security content for a release a day or more later
  • automatically add hashtags to Mastodon posts

Changed

  • run bot more often at the time when Apple usually releases updates, so it should catch them quicker
  • sort releases both by number of bugs and then by name

Fixed

  • do not skip over Additional Recognition section and catch entry changes there, this is a regression and a new test has been added
  • strip "(details available soon)" from release names

Code

  • run bot as a GitHub Action cron job, previously it was on PythonAnywhere
  • add test-requirements.txt for test dependencies
  • use emojis directly, remove emoji package dependency
  • store API keys inside of environmental variables, instead of a JSON file
  • various other moving around, renames and more

13.0

26 Dec 14:55
Compare
Choose a tag to compare

Added

  • bot is now also available on Mastodon

Changed

  • new releases are now sorted by the number of bugs, so release with the most bug fixes is now at the top
  • update wording "zero-day may have been actively exploited" to align with Apple's wording
  • re-format zero-day tweet to make more clear which zero-days are new, old and what zero-days are in each release
  • update multiple tweet wordings
  • also sort releases by number of bugs/changes in Security Content Available and Entry Changes

Fixed

  • if all iOS bugs were fixed in top four modules except 1, it would say "and 1 other vulnerabilities fixed"

Code

  • use lxml package for more html parsing, rely less on regex
  • make a Release class
  • do not request all data of the last 20 releases at every run
  • a lot of other code changes and moving around
  • better testing
  • use type hints
  • add CHANGELOG.md
  • add Dependabot

12.0

11 Feb 22:46
Compare
Choose a tag to compare

ADDED

  • if there is only one new release, tweet with its release notes link instead of the main page link
  • a few small tweet rewording changes, mostly on a zero-day tweet
  • 64ea6d6 remove tweeting of Apple Web Server fixes. It stopped working in September 2021 when Apple reformatted the website. Text from every entry saying on which domain the issue was reported got removed. Because no entries were added in two months, I think these tweets are no longer useful.
  • d9ba4bb On January 19th 2022 Apple updated 25 release notes, all the way back to two years ago, causing the bot to not catch all of them. Checking for release note entry changes is now done once per day, on midnight. It is checking for added/updated entries on the previous day and on a lot more release notes than before.

FIXED

  • Apple sometimes re-releases versions with the same release name but with a different build number (mostly Safari), causing two releases to have the same title. Bot now recognizes this because otherwise it messed with checking.
  • if Apple updated a release note entry twice, the bot did not catch the second change
  • 21fe1df Because the bot is running hourly and checking for changes with the current date, it did not catch changes made between 11pm and 12am. On midnight it now does checking with the previous date.

CODE

  • 3999e18 move to Twitter API v2
  • a lot of code refactoring, regex updates and style changes in this release
  • add pytest testing and add GitHub Action check for it on each commit push!

11.0

07 Nov 19:15
Compare
Choose a tag to compare

ADDED

  • Bot is now running every hour! This enables it to catch more changes and quicker.
  • cad1bfd Before if security content is not available yet, the bot would tweet that in the New Releases. Now when release notes become available a new tweet will be made.
  • 1c8b581 tweetZeroDay() now tweets which part of the OS had the zero-day

CHANGED

  • 1c8b581 if all of the bugs in the new release are zero-days, do not run tweetiOSParts() as all of the info is now tweetZeroDay() tweet
  • 1c8b581 rewritten tweeting function, now creating tweets checks if twet is 280 characters long and creates a thread
  • fb03b18 save all of the tweeted info into stored_data.json, as the bot is running hourly this prevents tweeting same info twice
  • 3aa7f43 lastTwentyReleases has been changed to lastFiftyReleases as the bot did not catch some of the changes Apple made

FIXED

  • 11801d4 tweetZeroDays(): may tweet one zero day twice
  • b3582bd tweetiOSParts(): do not run if there are no release notes yet and updated regex
  • 3a84ed5 getData(): releases with release notes but no bugs fixed would cause an error
  • 470ab2c tweetWebServerFixes(): only tweet if there are any fixes as Apple is not updating this page regularly
  • e4954c4 tweetYearlyReport(): run on newReleases instead of lastTwentyReleases

10.2

04 Jul 12:58
Compare
Choose a tag to compare

FIXED

  • tweetEntryChanges() only ran on new releases instead of last 20 releases

CODE

  • moved all tweeting functions to separate files, which will make it a lot easier to read, maintain and to add new features
  • improved regex

10.1

18 Jun 18:49
54e2593
Compare
Choose a tag to compare

CHANGED

  • new releases are now tweeted in the reverse order as more important updates are usually pushed first

FIXED

  • if tweetiOSParts() failed it would still try to tweet the results as that part was not indented right
  • if a month number was 12, the bot would search 2021-012 on Apple website, which would obviously fail - zero is now added only if a number is under 10
  • as zero-day CVEs are stored in zeroDay.txt, the bot now creates this file if it does not exist instead of failing
  • there was an issue with the bot picking other dates from the Apple Web Server Notifications page

CODE

  • API authentication keys are now stored in auth_secrets.py file (which is in .gitignore)
  • moved scripts to a separate file, separated tweeting function into its own file
  • ran isort on files