Skip to content

Commit

Permalink
Fix security dependency
Browse files Browse the repository at this point in the history
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 1 packages, using free DB (updated once a month)                     |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pipenv                     | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492    |
  +==============================================================================+
  | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version     |
  | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of       |
  | requirements files allows an attacker to insert a specially crafted string   |
  | inside a comment anywhere within a requirements.txt file, which will cause   |
  | victims who use pipenv to install the requirements file to download          |
  | dependencies from a package index server controlled by the attacker. By      |
  | embedding malicious code in packages served from their malicious index       |
  | server, the attacker can trigger arbitrary remote code execution (RCE) on    |
  | the victims' systems. If an attacker is able to hide a malicious '--index-   |
  | url' option in a requirements file that a victim installs with pipenv, the   |
  | attacker can embed arbitrary malicious code in packages served from their    |
  | malicious index server that will be executed on the victim's host during     |
  | installation (remote code execution/RCE). When pip installs from a source    |
  | distribution, any code in the setup.py is executed by the install process.   |
  | GHSA-qc9x-gjcv-465w       |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 63 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pillow                     | 8.3.2     | <9.0.0                   | 44487    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow |
  | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that   |
  | use the Python exec method.                                                  |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-    |
  | builtins-available-to-imagemath-eval                                         |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44485    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in    |
  | Pillow before 9.0.0 improperly initializes ImagePath.Path.                   |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44524    |
  +==============================================================================+
  | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to |
  | avoid Denial of Service attacks.                                             |
  | python-pillow/Pillow#5921                            |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44525    |
  +==============================================================================+
  | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.    |
  | python-pillow/Pillow#5912                            |
  | https://github.com/python-                                                   |
  | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363                |
  +==============================================================================+
  | pillow                     | 8.3.2     | <9.0.0                   | 44486    |
  +==============================================================================+
  | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in    |
  | Pillow before 9.0.0 has a buffer over-read during initialization of          |
  | ImagePath.Path.                                                              |
  | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-       |
  | imagepath-path-array-handling                                                |
  +==============================================================================+
  | urllib3                    | 1.25.11   | <1.26.5                  | 43975    |
  +==============================================================================+
  | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in |
  | urllib3 before 1.26.5. When provided with a URL containing many @ characters |
  | in the authority component, the authority regular expression exhibits        |
  | catastrophic backtracking, causing a denial of service if a URL were passed  |
  | as a parameter or redirected to via an HTTP redirect.                        |
  | GHSA-q2q7-5pp4-w6pg                            |
  +==============================================================================+
  • Loading branch information
sbrunner committed Feb 2, 2022
1 parent e2fea3b commit f25400d
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 83 deletions.
15 changes: 8 additions & 7 deletions Pipfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,19 +17,20 @@ gunicorn = "==20.0.4" # c2cwsgiutils
objgraph = "==3.5.0" # c2cwsgiutils
psycopg2 = "==2.8.6" # c2cwsgiutils
pyramid-tm = "==2.4" # c2cwsgiutils
sentry-sdk = "==1.0.0" # c2cwsgiutils
sentry-sdk = "==1.5.4" # c2cwsgiutils
sqlalchemy = "==1.3.23" # c2cwsgiutils
transaction = "==3.0.1" # c2cwsgiutils
ujson = "==4.0.2" # c2cwsgiutils
cornice = "==5.1.0" # c2cwsgiutils
"zope.sqlalchemy" = "==1.3" # c2cwsgiutils
jsonschema = "==3.2.0"
setuptools = "==45.2.0"
# Lock dependencies
attrs = "==20.3.0"
azure-core = "==1.13.0"
azure-storage-blob = "==12.8.0"
boto3 = "==1.17.52"
botocore = "==1.20.52"
boto3 = "==1.20.46"
botocore = "==1.23.46"
bottle = "==0.12.19"
cee-syslog-handler = "==0.6.0"
certifi = "==2020.12.5"
Expand All @@ -46,20 +47,20 @@ markupsafe = "==1.1.1"
msrest = "==0.6.21"
oauthlib = "==3.1.0"
pastedeploy = "==2.1.1"
pillow = "==8.3.2"
pillow = "==9.0.0"
plaster = "==1.0"
plaster-pastedeploy = "==0.7"
pycparser = "==2.20"
pyproj = "==3.0.1"
pyramid = "==1.10.8"
pyrsistent = "==0.17.3"
redis = "==3.5.3"
requests = "==2.25.1"
requests = "==2.27.1"
requests-oauthlib = "==1.3.0"
s3transfer = "==0.3.7"
s3transfer = "==0.5.0"
six = "==1.15.0"
translationstring = "==1.4"
urllib3 = "==1.26.4"
urllib3 = "==1.26.8"
venusian = "==3.0.0"
webob = "==1.8.7"
"zope.deprecation" = "==4.4.0"
Expand Down
145 changes: 70 additions & 75 deletions Pipfile.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
pipenv==2020.11.15
pipenv==2022.1.8

0 comments on commit f25400d

Please sign in to comment.