[Snyk] unlimited allocation of resources #3396
dependency tree for current fec-cms python packages:

In order to upgrade

After consulting with the team, this package does not cause a significant external security vulnerability since only approved and authenticated Wagtail users can upload resources to our system. We plan to patch this package when we upgrade our django and wagtail versions. See issue #3105.
Issue may be related: #3422
Summary
A new security vulnerability was found by snyk. Upgrading pillow will require some wagtail and django[-related] package updates as well, i.e., there are dependency requirements beyond wagtail > pillow.
Overview
pillow is a PIL fork.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
Remediation
Upgrade pillow to version 6.2.0 or higher.
Completion Criteria
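The remediation above, turned into a check a maintainer can run over a pinned requirements file before and after the upgrade; this is an added example, not code from the issue or the fec-cms project. The sample requirements text is constructed, and the function names are assumptions of this example.

```python
"""Check whether a requirements file pins pillow at or above the fixed version."""
import re

# Minimum pillow version named in the advisory's remediation.
PILLOW_FIXED = (6, 2, 0)

# Constructed sample, not the real fec-cms pin file.
SAMPLE_REQUIREMENTS = """\
Django==1.11.20
wagtail==2.3
pillow==5.2.0  # pulled in by wagtail
requests>=2.20
"""

# name, optional [extras], operator, numeric version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|<|>)\s*([0-9][0-9.]*)"
)


def parse_version(text):
    """'6.2' -> (6, 2, 0); shorter strings are zero-padded so tuples compare."""
    parts = tuple(int(p) for p in text.strip(".").split(".") if p)
    return parts + (0,) * (3 - len(parts))


def find_pins(requirements_text):
    """Return {lowercased name: (operator, version tuple)} for every pinned line."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            pins[name.lower()] = (op, parse_version(ver))
    return pins


def pillow_pin_is_fixed(requirements_text, fixed=PILLOW_FIXED):
    """True only when the pin guarantees pillow >= fixed.

    '==', '>=' and '~=' set a floor; '<', '<=' and '>' do not, and a missing pin
    (pillow arriving transitively via wagtail) is reported as not fixed.
    """
    pin = find_pins(requirements_text).get("pillow")
    if pin is None:
        return False
    op, ver = pin
    return op in ("==", ">=", "~=") and ver >= fixed


if __name__ == "__main__":
    print("pillow pin fixed:", pillow_pin_is_fixed(SAMPLE_REQUIREMENTS))
```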