
Update dependent packages to clear safety errors #126

Merged
merged 5 commits into from
Dec 16, 2020

Conversation

dfkunstler
Contributor

Updating urllib3, pylint, pyyaml (and astroid due to dependency) to resolve vulnerabilities reported by safety; details in commit message. Aardvark builds/tests clean in our pipeline and we've seen no new issues since deploying with updated packages on 12/10.

…esolve vulnerabilities reported by safety.:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 64 packages, using default DB                                        |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| pylint                     | 2.4.2     | <2.5.0                   | 38224    |
+==============================================================================+
| Pylint 2.5.0 no longer allows ``python -m pylint ...`` to import user code.  |
| Previously, it added the current working directory as the first element of   |
| ``sys.path``. This opened up a potential security hole where ``pylint``      |
| would import user level code as long as that code resided in modules having  |
| the same name as stdlib or pylint's own modules.                             |
+==============================================================================+
| pyyaml                     | 5.1.2     | <5.3.1                   | 38100    |
+==============================================================================+
| A vulnerability was discovered in the PyYAML library in versions before      |
| 5.3.1, where it is susceptible to arbitrary code execution when it processes |
| untrusted YAML files through the full_load method or with the FullLoader     |
| loader. Applications that use the library to process untrusted input may be  |
| vulnerable to this flaw. An attacker could use this flaw to execute          |
| arbitrary code on the system by abusing the python/object/new constructor.   |
| See: CVE-2020-1747.                                                          |
+==============================================================================+
| pyyaml                     | 5.1.2     | >=5.1,<=5.1.2            | 38639    |
+==============================================================================+
| CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on    |
| the load and load_all functions because of a class deserialization issue,    |
| e.g., Popen is a class in the subprocess module. NOTE: this issue exists     |
| because of an incomplete fix for CVE-2017-18342.                             |
+==============================================================================+
| urllib3                    | 1.25.6    | <1.25.9                  | 38834    |
+==============================================================================+
| urllib3 before 1.25.9 allows CRLF injection if the attacker controls the     |
| HTTP request method, as demonstrated by inserting CR and LF control          |
| characters in the first argument of putrequest(). See: CVE-2020-26137.       |
| (NOTE: this is similar to CVE-2020-26116.)                                   |
+==============================================================================+
| urllib3                    | 1.25.6    | >=1.25.2,<=1.25.7        | 27519    |
+==============================================================================+
| The _encode_invalid_chars function in util/url.py in the urllib3 library     |
| 1.25.2 through 1.25.7 for Python allows a denial of service (CPU             |
| consumption) because of an inefficient algorithm. The percent_encodings      |
| array contains all matches of percent encodings. It is not deduplicated. For |
| a URL of length N, the size of percent_encodings may be up to O(N). The next |
| step (normalize existing percent-encoded bytes) also takes up to O(N) for    |
| each step, so the total time is O(N^2). If percent_encodings were            |
| deduplicated, the time to compute _encode_invalid_chars would be O(kN),      |
| where k is at most 484 ((10+6*2)^2). See: CVE-2020-7212.                     |
+==============================================================================+
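The report above lists, for each advisory, an "affected" version specifier (for example `<2.5.0` or `>=5.1,<=5.1.2`) next to the installed version. The script below is an added example, not code from this PR or from Aardvark, that shows how to check a set of `name==version` pins against those ranges so a pipeline can confirm an upgrade actually clears every listed advisory. It implements its own minimal specifier matching (only the `<`, `<=`, `>`, `>=`, `==`, `!=` clauses that appear in such reports), so it needs no third-party package; the "after" pins are constructed boundary versions for illustration, not the exact versions this PR chose.

```python
"""Check pinned package versions against the affected ranges from a safety report."""
import re
from typing import Dict, List, Tuple

# Affected ranges and advisory IDs copied from the safety report in this PR.
AFFECTED: List[Tuple[str, str, str]] = [
    ("pylint", "<2.5.0", "38224"),
    ("pyyaml", "<5.3.1", "38100"),
    ("pyyaml", ">=5.1,<=5.1.2", "38639"),
    ("urllib3", "<1.25.9", "38834"),
    ("urllib3", ">=1.25.2,<=1.25.7", "27519"),
]

# One clause of a specifier: an operator followed by a dotted numeric version.
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.25.6' into (1, 25, 6) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '5.1' and '5.1.2' compare as (5,1,0) vs (5,1,2)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches(installed: str, specifier: str) -> bool:
    """True if `installed` satisfies every comma-separated clause of `specifier`."""
    inst = parse_version(installed)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, ver = m.groups()
        a, b = _pad(inst, parse_version(ver))
        ok = {"<": a < b, "<=": a <= b, ">": a > b,
              ">=": a >= b, "==": a == b, "!=": a != b}[op]
        if not ok:
            return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are ignored."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_affected(pins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, advisory id) for every pin inside an affected range."""
    hits = []
    for pkg, spec, advisory in AFFECTED:
        installed = pins.get(pkg)
        if installed is not None and matches(installed, spec):
            hits.append((pkg, installed, advisory))
    return hits


# Constructed sample pins: the versions the report flagged as installed ...
BEFORE = """pylint==2.4.2
pyyaml==5.1.2
urllib3==1.25.6
"""

# ... and a constructed set sitting exactly at the lower edge of each fixed range
# (assumption: illustrative minimums, not the versions this PR actually pinned).
AFTER = """pylint==2.5.0
pyyaml==5.3.1
urllib3==1.25.9
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        hits = find_affected(parse_requirements(text))
        print(label, hits or "clean")
```

Run it against a real `requirements.txt` by passing the file contents to `parse_requirements`; any non-empty result from `find_affected` is a pin that still sits inside a reported range and should block the merge.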
Collaborator

@patricksanders patricksanders left a comment


LGTM, thanks!

@patricksanders patricksanders merged commit 9627edf into Netflix-Skunkworks:master Dec 16, 2020