Fix security dependency
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w                                                          |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                                                    |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                                                    |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                                                          |
  +==============================================================================+
sbrunner committed Feb 2, 2022
1 parent 101e18a commit ab74db7
Showing 4 changed files with 109 additions and 72 deletions.
35 changes: 34 additions & 1 deletion Pipfile
Expand Up @@ -24,6 +24,7 @@ transaction = "==3.0.0" # c2cwsgiutils
ujson = "==4.0.1" # c2cwsgiutils
cornice = "==5.0.3" # c2cwsgiutils
"zope.sqlalchemy" = "==1.3" # c2cwsgiutils
setuptools = "==59.7.0"
# Pin
"azure-core" = "==1.13.0"
"azure-storage-blob" = "==12.8.0"
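Review bot: the added `setuptools = "==59.7.0"` pin is not explained by the commit message, whose two safety reports list findings only for pipenv, pillow and urllib3, and it sits at the end of the `# c2cwsgiutils` block without that trailing marker, so a reader cannot tell whether it mirrors a c2cwsgiutils constraint or is a separate decision. Suggest either adding the `# c2cwsgiutils` comment or a short note with the reason for the pin, and stating in the commit message which of the four changed files addresses the pipenv and urllib3 findings, since none of the Pipfile hunks touches either package.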
Expand All @@ -45,7 +46,7 @@ cornice = "==5.0.3" # c2cwsgiutils
"msrest" = "==0.6.21"
"oauthlib" = "==3.1.0"
"pastedeploy" = "==2.1.1"
pillow = "==8.3.2"
pillow = "==9.0.0"
"plaster" = "==1.0"
"plaster-pastedeploy" = "==0.7"
"pycparser" = "==2.20"
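Review bot: `pillow = "==9.0.0"` covers all five Pillow entries in the commit message (IDs 44487, 44485, 44524, 44525 and 44486, all with affected range `<9.0.0`), so the bump is correct as far as the Pipfile goes. Consider a trailing comment such as `pillow = "==9.0.0"  # CVE-2022-22815/22816/22817` so that whoever next touches these pins knows this is a security floor, and confirm the regenerated Pipfile.lock is one of the other three changed files, since an exact pin here has no effect until the lock file follows.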
Expand All @@ -70,3 +71,35 @@ pytest = "==6.1.1"
mypy = "==0.790"
prospector = "==1.3.1"
flake8 = "==3.8.4"
# Lock dependencies
astroid = "==2.4.1"
attrs = "==21.1.0"
dodgy = "==0.2.1"
flake8-polyfill = "==1.0.2"
iniconfig = "==1.1.1"
isort = "==4.3.21"
lazy-object-proxy = "==1.4.3"
mccabe = "==0.6.1"
mypy-extensions = "==0.4.3"
packaging = "==20.9"
pep8-naming = "==0.10.0"
pluggy = "==0.13.1"
py = "==1.10.0"
pycodestyle = "==2.6.0"
pydocstyle = "==6.0.0"
pyflakes = "==2.2.0"
pylint = "==2.5.3"
pylint-celery = "==0.3"
pylint-django = "==2.1.0"
pylint-flask = "==0.6"
pylint-plugin-utils = "==0.6"
pyparsing = "==2.4.7"
pyyaml = "==5.4.1"
requirements-detector = "==0.7"
setoptconf = "==0.2.0"
six = "==1.15.0"
snowballstemmer = "==2.1.0"
toml = "==0.10.2"
typed-ast = "==1.4.3"
typing-extensions = "==3.10.0.0"
wrapt = "==1.12.1"
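Review bot: the 32 exact pins under `# Lock dependencies` are unrelated to the advisories quoted in the commit message and freeze the transitive dependencies of the dev tools pinned just above (prospector, pylint, astroid, isort, pyflakes, pycodestyle, typed-ast, wrapt and the rest) with no comment saying why. This duplicates what Pipfile.lock already records and will have to be updated in lockstep every time prospector, pylint or mypy is bumped, which is easy to miss in a commit titled "Fix security dependency". Suggest moving this block to its own commit with a one-line comment giving the motivation, or dropping it in favour of the lock file.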

0 comments on commit ab74db7
