Commit
Update dependent packages to clear safety errors (#126)
* Prevent updater threads from crashing when access is denied by SCP, as described in #123
* Fix flake8 complaints re whitespace & comments.
* Remove errant ] somehow added to vars in f strings in two log messages.
* Updating urllib3, pylint, pyyaml (and astroid due to dependency) to resolve vulnerabilities reported by safety.:

[safety ASCII-art logo, by pyup.io]

+==============================================================================+
| REPORT                                                                       |
| checked 64 packages, using default DB                                        |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| pylint                     | 2.4.2     | <2.5.0                   | 38224    |
+==============================================================================+
| Pylint 2.5.0 no longer allows ``python -m pylint ...`` to import user code.  |
| Previously, it added the current working directory as the first element of   |
| ``sys.path``. This opened up a potential security hole where ``pylint``      |
| would import user level code as long as that code resided in modules having  |
| the same name as stdlib or pylint's own modules.                             |
+==============================================================================+
| pyyaml                     | 5.1.2     | <5.3.1                   | 38100    |
+==============================================================================+
| A vulnerability was discovered in the PyYAML library in versions before      |
| 5.3.1, where it is susceptible to arbitrary code execution when it processes |
| untrusted YAML files through the full_load method or with the FullLoader     |
| loader. Applications that use the library to process untrusted input may be  |
| vulnerable to this flaw. An attacker could use this flaw to execute          |
| arbitrary code on the system by abusing the python/object/new constructor.   |
| See: CVE-2020-1747.                                                          |
+==============================================================================+
| pyyaml                     | 5.1.2     | >=5.1,<=5.1.2            | 38639    |
+==============================================================================+
| CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on    |
| the load and load_all functions because of a class deserialization issue,    |
| e.g., Popen is a class in the subprocess module. NOTE: this issue exists     |
| because of an incomplete fix for CVE-2017-18342.                             |
+==============================================================================+
| urllib3                    | 1.25.6    | <1.25.9                  | 38834    |
+==============================================================================+
| urllib3 before 1.25.9 allows CRLF injection if the attacker controls the     |
| HTTP request method, as demonstrated by inserting CR and LF control          |
| characters in the first argument of putrequest(). See: CVE-2020-26137.       |
| (NOTE: this is similar to CVE-2020-26116.)                                   |
+==============================================================================+
| urllib3                    | 1.25.6    | >=1.25.2,<=1.25.7        | 27519    |
+==============================================================================+
| The _encode_invalid_chars function in util/url.py in the urllib3 library     |
| 1.25.2 through 1.25.7 for Python allows a denial of service (CPU             |
| consumption) because of an inefficient algorithm. The percent_encodings      |
| array contains all matches of percent encodings. It is not deduplicated. For |
| a URL of length N, the size of percent_encodings may be up to O(N). The next |
| step (normalize existing percent-encoded bytes) also takes up to O(N) for    |
| each step, so the total time is O(N^2). If percent_encodings were            |
| deduplicated, the time to compute _encode_invalid_chars would be O(kN),      |
| where k is at most 484 ((10+6*2)^2). See: CVE-2020-7212.                     |
+==============================================================================+