Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: cve-2024-22910 #1097

Closed
wants to merge 1 commit into from
Closed

security: cve-2024-22910 #1097

wants to merge 1 commit into from

Conversation

misogihagi
Copy link

@lukehinds
Copy link
Member

@ericwb / @sigmavirus24 worth us getting a release out to turn off the noisey cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is use (we do in fact warn against it).

@sigmavirus24
Copy link
Member

@ericwb / @sigmavirus24 worth us getting a release out to turn off the noisey cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is use (we do in fact warn against it).

It really doesn't feel worth it. Greater equal means reinstalling will get you the new version unless you otherwise have it constrained. And if you have it constrained you have the power to shut up those scanners that suck so very much

@lukehinds
Copy link
Member

@ericwb / @sigmavirus24 worth us getting a release out to turn off the noisey cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is use (we do in fact warn against it).

It really doesn't feel worth it. Greater equal means reinstalling will get you the new version unless you otherwise have it constrained. And if you have it constrained you have the power to shut up those scanners that suck so very much

I am inclined to agree. Let's roll it up in the next release.

I will close, but thanks for raising @misogihagi

@lukehinds lukehinds closed this Jan 19, 2024
@lukehinds lukehinds reopened this Jan 19, 2024
@lukehinds
Copy link
Member

Reopen (it was a PR, not an issue)

@ericwb
Copy link
Member

ericwb commented Jan 19, 2024

We also don't support or test running Bandit on Windows, so this CVE doesn't apply.

@sigmavirus24
Copy link
Member

Fixing this by making gitpython an extra

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericwb ericwb Awaiting requested review from ericwb ericwb is a code owner

@lukehinds lukehinds Awaiting requested review from lukehinds lukehinds is a code owner

@sigmavirus24 sigmavirus24 Awaiting requested review from sigmavirus24 sigmavirus24 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@misogihagi @lukehinds @sigmavirus24 @ericwb