
Update Python deps to fix security vulnerabilities #736

Closed
c0c0n3 opened this issue Aug 12, 2023 · 0 comments · Fixed by #737
c0c0n3 commented Aug 12, 2023

Is your feature request related to a problem? Please describe.

Our Python deps are ancient and some of them have serious security vulnerabilities.

Describe the solution you'd like

Upgrade all deps that have security vulnerabilities. If possible, upgrade the other deps too.

Describe alternatives you've considered

N/A

Additional context

See

Also, pipenv check reports

-> Vulnerability found in certifi version 2018.10.15
   Vulnerability ID: 52365
   Affected spec: <2022.12.07
   ADVISORY: Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor"
   from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being...
   CVE-2022-23491
   For more information, please visit https://pyup.io/v/52365/742


-> Vulnerability found in click version 7.1.2
   Vulnerability ID: 47833
   Affected spec: <8.0.0
   ADVISORY: Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure
   'mktemp()'.https://github.com/pallets/click/issues/1752
   PVE-2022-47833
   For more information, please visit https://pyup.io/v/47833/742


-> Vulnerability found in flask version 1.1.4
   Vulnerability ID: 55261
   Affected spec: <2.2.5
   ADVISORY: Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response
   containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also...
   CVE-2023-30861
   For more information, please visit https://pyup.io/v/55261/742


-> Vulnerability found in pydantic version 1.9.0
   Vulnerability ID: 50916
   Affected spec: <1.10.2
   ADVISORY: Pydantic 1.10.2 prevents long strings as int inputs to fix
   CVE-2020-10735.https://github.com/pydantic/pydantic/commit/eccd85e4d012e70ffbd81f379179da900d4621c5
   CVE-2020-10735
   For more information, please visit https://pyup.io/v/50916/742


-> Vulnerability found in requests version 2.27.1
   Vulnerability ID: 58755
   Affected spec: >=2.3.0,<2.31.0
   ADVISORY: Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-
   Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use...
   CVE-2023-32681
   For more information, please visit https://pyup.io/v/58755/742


-> Vulnerability found in setuptools version 60.8.2
   Vulnerability ID: 52495
   Affected spec: <65.5.1
   ADVISORY: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via
   HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
   CVE-2022-40897
   For more information, please visit https://pyup.io/v/52495/742


-> Vulnerability found in werkzeug version 1.0.1
   Vulnerability ID: 54456
   Affected spec: >=0,<2.1.1
   ADVISORY: ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform
   HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position...
   CVE-2022-29361
   For more information, please visit https://pyup.io/v/54456/742


-> Vulnerability found in werkzeug version 1.0.1
   Vulnerability ID: 53325
   Affected spec: <2.2.3
   ADVISORY: Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data
   parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU...
   CVE-2023-25577
   For more information, please visit https://pyup.io/v/53325/742


-> Vulnerability found in werkzeug version 1.0.1
   Vulnerability ID: 53326
   Affected spec: <2.2.3
   ADVISORY: Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like
   '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this...
   CVE-2023-23934
   For more information, please visit https://pyup.io/v/53326/742
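The report above lists several findings against the same package (three for werkzeug, each with its own affected spec), so bumping a pin to "something newer" does not by itself prove the findings are cleared. As an added example, not code from this issue or the repository, the script below parses the text layout that pipenv check prints here and checks a set of proposed pins against every affected spec, reporting the findings that would remain. The sample report embedded in it is a constructed, trimmed copy of the format shown above, and the proposed pin versions are assumed values chosen to illustrate the check, not the versions the linked pull request uses.

```python
"""Parse `pipenv check` text output and verify that proposed version pins
clear every affected spec. Added example; the report text below is a
constructed, shortened copy of the layout pasted in the issue."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the same layout as the report above.
SAMPLE_REPORT = """\
-> Vulnerability found in certifi version 2018.10.15
   Vulnerability ID: 52365
   Affected spec: <2022.12.07
   ADVISORY: Certifi 2022.12.07 includes a fix for CVE-2022-23491 ...
   CVE-2022-23491
   For more information, please visit https://pyup.io/v/52365/742


-> Vulnerability found in requests version 2.27.1
   Vulnerability ID: 58755
   Affected spec: >=2.3.0,<2.31.0
   ADVISORY: Requests 2.31.0 includes a fix for CVE-2023-32681 ...
   CVE-2023-32681
   For more information, please visit https://pyup.io/v/58755/742


-> Vulnerability found in werkzeug version 1.0.1
   Vulnerability ID: 54456
   Affected spec: >=0,<2.1.1
   ADVISORY: ** DISPUTED ** Improper parsing of HTTP requests ...
   CVE-2022-29361
   For more information, please visit https://pyup.io/v/54456/742


-> Vulnerability found in werkzeug version 1.0.1
   Vulnerability ID: 53325
   Affected spec: <2.2.3
   ADVISORY: Werkzeug is a comprehensive WSGI web application library ...
   CVE-2023-25577
   For more information, please visit https://pyup.io/v/53325/742
"""


class Finding(NamedTuple):
    package: str
    installed: str
    vuln_id: str
    spec: str
    cve: str


# One regex per field of a finding block; each is anchored to a whole line so
# the free-text ADVISORY line (which also mentions CVE ids) is never matched.
FINDING_RE = re.compile(r"^-> Vulnerability found in (\S+) version (\S+)$")
ID_RE = re.compile(r"^\s*Vulnerability ID: (\S+)$")
SPEC_RE = re.compile(r"^\s*Affected spec: (\S+)$")
CVE_RE = re.compile(r"^\s*((?:CVE|PVE)-\d{4}-\d+)$")


def parse_report(text: str) -> List[Finding]:
    """Split the report into Finding records, one per '-> Vulnerability' block."""
    findings: List[Finding] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            if current:
                findings.append(Finding(**current))
            current = {"package": m.group(1).lower(), "installed": m.group(2),
                       "vuln_id": "", "spec": "", "cve": ""}
            continue
        for key, rx in (("vuln_id", ID_RE), ("spec", SPEC_RE), ("cve", CVE_RE)):
            m = rx.match(line)
            if m and current:
                current[key] = m.group(1)
    if current:
        findings.append(Finding(**current))
    return findings


def version_key(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only (enough for the releases in the report);
    # assumption: no pre-release or local suffixes are present.
    return tuple(int(part) for part in v.split("."))


OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)(.+)$")


def in_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`."""
    v = version_key(version)
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, version_key(bound)):
            return False
    return True


def still_vulnerable(findings: List[Finding], pins: Dict[str, str]) -> List[Finding]:
    """Findings whose affected spec still matches the proposed pin for that
    package (packages without a proposed pin keep their installed version)."""
    return [f for f in findings if in_spec(pins.get(f.package, f.installed), f.spec)]


if __name__ == "__main__":
    # Assumed pins for illustration: werkzeug 2.2.2 clears the <2.1.1 finding
    # but not the <2.2.3 one, which is exactly what this check should surface.
    proposed = {"certifi": "2023.7.22", "requests": "2.31.0", "werkzeug": "2.2.2"}
    for f in still_vulnerable(parse_report(SAMPLE_REPORT), proposed):
        print(f"{f.package} {proposed.get(f.package, f.installed)} still matches "
              f"{f.spec} (ID {f.vuln_id}, {f.cve})")
```

Running it prints the one werkzeug finding (ID 53325) that the assumed 2.2.2 pin leaves open, so the pin has to reach at least 2.2.3 before all three werkzeug entries are cleared. The parser targets the plain-text layout shown in this issue; other pipenv or safety versions print a different layout, and the JSON output of those tools is the more robust input if it is available.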
@c0c0n3 c0c0n3 self-assigned this Aug 12, 2023
@c0c0n3 c0c0n3 linked a pull request Aug 13, 2023 that will close this issue
@c0c0n3 c0c0n3 mentioned this issue Aug 13, 2023