diff --git a/data/insecure_full.json b/data/insecure_full.json
index 6a4b271f..57342080 100644
--- a/data/insecure_full.json
+++ b/data/insecure_full.json
@@ -1,7 +1,7 @@
 {
 "$meta": {
 "advisory": "PyUp.io metadata",
- "timestamp": 1614578401
+ "timestamp": 1617256802
 },
 "abracadabra": [
 {
@@ -143,6 +143,15 @@
 "<0.16.3"
 ],
 "v": "<0.16.3"
+ },
+ {
+ "advisory": "Aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. See CVE-2021-21330.",
+ "cve": "CVE-2021-21330",
+ "id": "pyup.io-39659",
+ "specs": [
+ "<3.7.4"
+ ],
+ "v": "<3.7.4"
 }
 ],
 "aiohttp-auth-autz": [
@@ -310,6 +319,17 @@
 "v": "<0.4.4"
 }
 ],
+ "ajsonrpc": [
+ {
+ "advisory": "Ajsonrpc 1.1.0 ensures server security by having the response manager return a generic ServerError without error details in case of an application exception.",
+ "cve": null,
+ "id": "pyup.io-39665",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
 "aldryn-django": [
 {
 "advisory": "aldryn-django 1.8.10.1 uses an insecure Django release, 1.8.9.",
@@ -437,7 +457,7 @@
 },
 {
 "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection",
- "cve": null,
+ "cve": "CVE-2019-12385",
 "id": "pyup.io-37863",
 "specs": [
 "<4.0.0"
@@ -446,7 +466,7 @@
 },
 {
 "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0",
- "cve": null,
+ "cve": "CVE-2019-12386",
 "id": "pyup.io-39602",
 "specs": [
 "<4.0.0"
@@ -2085,9 +2105,9 @@
 "cve": "CVE-2020-35681",
 "id": "pyup.io-39368",
 "specs": [
- "<3.0.3"
+ ">=3.0.0,<3.0.3"
 ],
- "v": "<3.0.3"
+ "v": ">=3.0.0,<3.0.3"
 }
 ],
 "chaosloader": [
@@ -2243,6 +2263,35 @@
 "<1.0beta9"
 ],
 "v": "<1.0beta9"
+ },
+ {
+ "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).",
+ "cve": "CVE-2021-21330",
+ "id": "pyup.io-39672",
+ "specs": [
+ "<1.0rc5"
+ ],
+ "v": "<1.0rc5"
+ },
+ {
+ "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.",
+ "cve": null,
+ "id": "pyup.io-39703",
+ "specs": [
+ "<1.0rc6"
+ ],
+ "v": "<1.0rc6"
+ }
+ ],
+ "chiavdf": [
+ {
+ "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.",
+ "cve": null,
+ "id": "pyup.io-39691",
+ "specs": [
+ "<1.0"
+ ],
+ "v": "<1.0"
 }
 ],
 "cinder": [
@@ -2372,6 +2421,15 @@
 }
 ],
 "cliquery": [
+ {
+ "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.",
+ "cve": null,
+ "id": "pyup.io-40090",
+ "specs": [
+ "<1.10.0"
+ ],
+ "v": "<1.10.0"
+ },
 {
 "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2. This is a security patch.",
 "cve": null,
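Review bot: The range of pyup.io-39368 is narrowed from `<3.0.3` to `>=3.0.0,<3.0.3`, so every release below 3.0.0 stops matching this CVE-2020-35681 record. The package name and advisory text are outside the hunk, so the diff alone does not show that the flaw was introduced in 3.0.0; if the advisory text does not state the introducing version, add a sentence such as `Affects 3.0.0 up to but not including 3.0.3.` so the new lower bound can be audited, the way the Django and markdown2 range records elsewhere in this diff spell out their ranges in prose.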
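Review bot: Record pyup.io-39672 attaches CVE-2021-21330 to chia-blockchain, but that CVE belongs to the aiohttp dependency it bumps (the aiohttp record pyup.io-39659 added earlier in this diff carries the same CVE), so a consumer keyed on CVE now sees the same CVE reported against two packages. The diff is not consistent about this rule: pyup.io-39256 (jake, CVE-2020-27783 in lxml) and pyup.io-38537/pyup.io-38541 (kiwitcms, Django CVEs) in later hunks also receive the dependency's CVE, while pyup.io-40058 (jinja2 2.11.3, the fix for CVE-2020-28493 per pyup.io-39525 in this same diff), pyup.io-40043 (Pillow 8.1.1) and the lxml bumps pyup.io-40090/pyup.io-40099 keep `"cve": null`. Pick one convention for dependency-bump records and apply it throughout; if the `cve` field is meant to be the CVE of the listed package itself, revert these to `"cve": null` and leave the CVE reference in the advisory text.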
@@ -2508,6 +2566,17 @@
 "v": "<2.0.17"
 }
 ],
+ "codeforcesapipy": [
+ {
+ "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.",
+ "cve": null,
+ "id": "pyup.io-40099",
+ "specs": [
+ "<2.0.8"
+ ],
+ "v": "<2.0.8"
+ }
+ ],
 "coinbasepro": [
 {
 "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.",
@@ -2530,6 +2599,17 @@
 "v": "<8.0.0"
 }
 ],
+ "coinstac": [
+ {
+ "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.",
+ "cve": null,
+ "id": "pyup.io-40091",
+ "specs": [
+ "<5.2.1"
+ ],
+ "v": "<5.2.1"
+ }
+ ],
 "colander": [
 {
 "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.",
@@ -2682,6 +2762,15 @@
 "<1.22.0"
 ],
 "v": "<1.22.0"
+ },
+ {
+ "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.",
+ "cve": null,
+ "id": "pyup.io-39709",
+ "specs": [
+ "<1.23.0"
+ ],
+ "v": "<1.23.0"
 }
 ],
 "conference-scheduler-cli": [
@@ -3073,6 +3162,17 @@
 "v": "<1.2"
 }
 ],
+ "crypto-candlesticks": [
+ {
+ "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.",
+ "cve": null,
+ "id": "pyup.io-39697",
+ "specs": [
+ "<0.1.5"
+ ],
+ "v": "<0.1.5"
+ }
+ ],
 "cryptography": [
 {
 "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.",
@@ -3524,6 +3624,15 @@
 }
 ],
 "deltachat": [
+ {
+ "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.",
+ "cve": null,
+ "id": "pyup.io-40086",
+ "specs": [
+ "<1.0.0b17"
+ ],
+ "v": "<1.0.0b17"
+ },
 {
 "advisory": "deltachat 1.0.0beta.2 has several security fixes",
 "cve": null,
@@ -3532,6 +3641,15 @@
 "<1.0.0beta.2"
 ],
 "v": "<1.0.0beta.2"
+ },
+ {
+ "advisory": "Deltachat 1.51.0 improves and harden secure join feature.",
+ "cve": null,
+ "id": "pyup.io-40084",
+ "specs": [
+ "<1.51.0"
+ ],
+ "v": "<1.51.0"
 }
 ],
 "deluge": [
@@ -3585,6 +3703,17 @@
 "v": "<0.14.0"
 }
 ],
+ "digitalmarketplace-utils": [
+ {
+ "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.",
+ "cve": null,
+ "id": "pyup.io-39653",
+ "specs": [
+ "<22.0.0"
+ ],
+ "v": "<22.0.0"
+ }
+ ],
 "directory-client-core": [
 {
 "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.",
@@ -4003,7 +4132,7 @@
 },
 {
 "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.",
- "cve": null,
+ "cve": "CVE-2019-14232",
 "id": "pyup.io-37326",
 "specs": [
 "==1.11.22"
@@ -4048,7 +4177,7 @@
 },
 {
 "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``",
- "cve": null,
+ "cve": "CVE-2019-14232",
 "id": "pyup.io-37325",
 "specs": [
 "==2.1.10"
@@ -4102,7 +4231,7 @@
 },
 {
 "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).",
- "cve": null,
+ "cve": "CVE-2019-12308",
 "id": "pyup.io-37185",
 "specs": [
 "==2.1.8"
@@ -4129,7 +4258,7 @@
 },
 {
 "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).",
- "cve": null,
+ "cve": "CVE-2019-12308",
 "id": "pyup.io-37184",
 "specs": [
 "==2.2.1"
@@ -4147,7 +4276,7 @@
 },
 {
 "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).",
- "cve": null,
+ "cve": "CVE-2021-3281",
 "id": "pyup.io-39523",
 "specs": [
 "==2.2.17"
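Review bot: Records pyup.io-37326 and pyup.io-37325 now carry CVE-2019-14232, and pyup.io-37185/pyup.io-37184 carry CVE-2019-12308, but their `specs` stay at a single pinned version (`"==1.11.22"`, `"==2.1.10"`, `"==2.1.8"`, `"==2.2.1"`), so each record matches only the one release immediately before the fix; the same holds for pyup.io-39523 (`"==2.2.17"`) at the end of this line and for the `"==2.2.3"` records in the next hunks. That is fine while these are release-note records, but once a CVE is attached a consumer is likely to read the record as that CVE's affected range. If no range-style record (like pyup.io-39526 with `">=2.2,<2.2.18"` further down) exists for these CVEs, either widen the specs to the affected series or add such a record; if one does exist, consider leaving the release-note records at `"cve": null` to avoid reporting the same CVE twice.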
@@ -4174,7 +4303,7 @@
 },
 {
 "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``",
- "cve": null,
+ "cve": "CVE-2019-14233",
 "id": "pyup.io-39593",
 "specs": [
 "==2.2.3"
@@ -4183,7 +4312,7 @@
 },
 {
 "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``",
- "cve": null,
+ "cve": "CVE-2019-14234",
 "id": "pyup.io-39592",
 "specs": [
 "==2.2.3"
@@ -4192,7 +4321,7 @@
 },
 {
 "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``",
- "cve": null,
+ "cve": "CVE-2019-14235",
 "id": "pyup.io-39591",
 "specs": [
 "==2.2.3"
@@ -4201,7 +4330,7 @@
 },
 {
 "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``",
- "cve": null,
+ "cve": "CVE-2019-14232",
 "id": "pyup.io-37323",
 "specs": [
 "==2.2.3"
@@ -4246,7 +4375,7 @@
 },
 {
 "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).",
- "cve": null,
+ "cve": "CVE-2021-3281",
 "id": "pyup.io-39522",
 "specs": [
 "==3.0.11"
@@ -4291,7 +4420,7 @@
 },
 {
 "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).",
- "cve": null,
+ "cve": "CVE-2021-3281",
 "id": "pyup.io-39521",
 "specs": [
 "==3.1.5"
@@ -4722,7 +4851,7 @@
 },
 {
 "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. See CVE-2021-3281.",
- "cve": null,
+ "cve": "CVE-2021-3281",
 "id": "pyup.io-39526",
 "specs": [
 ">=2.2,<2.2.18",
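Review bot: After this change CVE-2021-3281 is carried by four django records with overlapping ranges: pyup.io-39523 (`"==2.2.17"`), pyup.io-39522 (`"==3.0.11"`), pyup.io-39521 (`"==3.1.5"`) and pyup.io-39526 (`">=2.2,<2.2.18"`, with further spec entries cut off at the hunk end), so an install of exactly 2.2.17 is reported twice for the same CVE. If the database deliberately keeps one record per release note, document that several records may share a CVE so consumers dedupe on (package, cve); otherwise drop the CVE from the pinned records. The same duplication is produced in the mindspore hunk at the end of this chunk, where splitting one record per CVE yields pyup.io-39752 and pyup.io-39757 both with CVE-2020-15358 for `"<0.5.0beta"` because the source text lists that CVE twice, and the 0.6.0beta set appears to be emitted twice over (for example pyup.io-40063 and pyup.io-39786 both carry CVE-2020-13435 with identical advisory text and specs).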
@@ -6795,6 +6924,17 @@
 "v": "<2.704"
 }
 ],
+ "encapsia-api": [
+ {
+ "advisory": "Encapsia-api 0.2.9 updates dependencies for security reasons.",
+ "cve": null,
+ "id": "pyup.io-39689",
+ "specs": [
+ "<0.2.9"
+ ],
+ "v": "<0.2.9"
+ }
+ ],
 "engineio-client": [
 {
 "advisory": "engineio-client 3.1.2 - Bumps ws to version 1.1.2 (vulnerability fix) (539)",
@@ -7436,6 +7576,17 @@
 "v": "<=1.5.2"
 }
 ],
+ "flask-api-tools": [
+ {
+ "advisory": "Flask-api-tools 1.6.2 fixes a security vulnerability discovered and patched in a dependency. See also .",
+ "cve": null,
+ "id": "pyup.io-40044",
+ "specs": [
+ "<1.6.2"
+ ],
+ "v": "<1.6.2"
+ }
+ ],
 "flask-appbuilder": [
 {
 "advisory": "Flask-appbuilder 0.2.0 includes reset password corrections.",
@@ -8071,6 +8222,15 @@
 "<0.1.1b2"
 ],
 "v": "<0.1.1b2"
+ },
+ {
+ "advisory": "Gino-quart bumps jinja2 from version 2.11.2 to 2.11.3 to improve its security.",
+ "cve": null,
+ "id": "pyup.io-40058",
+ "specs": [
+ "<0.1.1b4"
+ ],
+ "v": "<0.1.1b4"
 }
 ],
 "giosgapps-bindings": [
@@ -8236,6 +8396,17 @@
 "v": "<1.5.4"
 }
 ],
+ "google-images-search": [
+ {
+ "advisory": "Google-images-search 1.3.8 updates Pillow to version 8.1.1 to address a vulnerability.",
+ "cve": null,
+ "id": "pyup.io-40043",
+ "specs": [
+ "<1.3.8"
+ ],
+ "v": "<1.3.8"
+ }
+ ],
 "gordo-components": [
 {
 "advisory": "Gordo-components 0.15.1 updates the dependency urllib3 >= 1.24.2 to address urllib3 security alert - see https://nvd.nist.gov/vuln/detail/CVE-2019-11324",
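Review bot: The advisory text of pyup.io-40044 ends with `See also .`, so the reference to the dependency fix was stripped and the sentence dangles, leaving nothing to check the claim against. The same truncated `See also .` appears in pyup.io-40042 and pyup.io-40102 (jupyterlab and khoros, in later hunks) and in pyup.io-40028 (lemur), while pyup.io-40093 in the same diff keeps its URL inline and the gordo-components context line above keeps an NVD link. Either restore the dropped reference in each of these records or delete the dangling sentence so the entries are consistent.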
@@ -8333,6 +8504,35 @@
 "v": "<6.0.0b3"
 }
 ],
+ "gunicorn": [
+ {
+ "advisory": "Gunicorn 19.10.0 includes a security fix to prevent HTTP desync attack.",
+ "cve": null,
+ "id": "pyup.io-40105",
+ "specs": [
+ "<19.10.0"
+ ],
+ "v": "<19.10.0"
+ },
+ {
+ "advisory": "Gunicorn 19.4.0 includes a security fix to raise 'InvalidRequestLine' exception when the line contains malicious data.",
+ "cve": null,
+ "id": "pyup.io-40103",
+ "specs": [
+ "<19.4.0"
+ ],
+ "v": "<19.4.0"
+ },
+ {
+ "advisory": "Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes.",
+ "cve": null,
+ "id": "pyup.io-40104",
+ "specs": [
+ "<20.0.1"
+ ],
+ "v": "<20.0.1"
+ }
+ ],
 "gvar": [
 {
 "advisory": "Gvar 9.2.1 fixes bugs in gvar.load and gvar.dump caused by recent security upgrades to pyYAML.",
@@ -8688,6 +8888,17 @@
 "v": "<0.9.0"
 }
 ],
+ "hubitatmaker": [
+ {
+ "advisory": "Hubitatmaker 0.5.4 updates dependencies to fix some low-severity vulnerabilities.",
+ "cve": null,
+ "id": "pyup.io-40101",
+ "specs": [
+ "<0.5.4"
+ ],
+ "v": "<0.5.4"
+ }
+ ],
 "hug": [
 {
 "advisory": "hug 2.3.0 fixes a vulnerability in the static file router that allows files in parent directory to be accessed.",
@@ -9023,6 +9234,17 @@
 "v": "<1.1.1"
 }
 ],
+ "invenio-app-ils": [
+ {
+ "advisory": "Invenio-app-ils 1.0.0a28 adds cookies configuration for improved security.",
+ "cve": null,
+ "id": "pyup.io-40030",
+ "specs": [
+ "<1.0.0a28"
+ ],
+ "v": "<1.0.0a28"
+ }
+ ],
 "invenio-records": [
 {
 "advisory": "Invenio-records 1.0.2 fixes a XSS vulnerability in the admin interface.",
@@ -9045,6 +9267,17 @@
 "v": "<0.1.3"
 }
 ],
+ "iotedgehubdev": [
+ {
+ "advisory": "Lotedgehubdev 0.14.5 upgrades underlying dependencies to address vulnerability issues.",
+ "cve": null,
+ "id": "pyup.io-40098",
+ "specs": [
+ "<0.14.5"
+ ],
+ "v": "<0.14.5"
+ }
+ ],
 "ipsilon": [
 {
 "advisory": "The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response. See: CVE-2015-5216.",
@@ -9198,7 +9431,7 @@
 "jake": [
 {
 "advisory": "Jake 0.2.59 resolves vulnerability CVE-2020-27783 in lxml.",
- "cve": null,
+ "cve": "CVE-2020-27783",
 "id": "pyup.io-39256",
 "specs": [
 "<0.2.59"
@@ -9312,7 +9545,7 @@
 },
 {
 "advisory": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. See CVE-2020-28493.",
- "cve": null,
+ "cve": "CVE-2020-28493",
 "id": "pyup.io-39525",
 "specs": [
 ">=0.0.0,<2.11.3"
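Review bot: The advisory text of pyup.io-40098 starts with `Lotedgehubdev 0.14.5`, but the record sits under the key `"iotedgehubdev"`, so the leading letter looks like an I/L transcription slip that will keep the entry from matching a text search for the package name. Change the line to `"advisory": "Iotedgehubdev 0.14.5 upgrades underlying dependencies to address vulnerability issues.",`.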
@@ -9477,6 +9710,28 @@
 "v": "<0.15"
 }
 ],
+ "jupyterlab": [
+ {
+ "advisory": "Jupyterlab 3.0.8 updates the 'marked' dependency to address a vulnerability. See also .",
+ "cve": null,
+ "id": "pyup.io-40042",
+ "specs": [
+ "<3.0.8"
+ ],
+ "v": "<3.0.8"
+ }
+ ],
+ "jupytext": [
+ {
+ "advisory": "Jupytext 1.10.3 updates 'marked', an indirect dependency of the 'jupyterlab-jupytext' extension, to fix a moderate vulnerability (https://github.com/mwouts/jupytext/issues/750).",
+ "cve": null,
+ "id": "pyup.io-40093",
+ "specs": [
+ "<1.10.3"
+ ],
+ "v": "<1.10.3"
+ }
+ ],
 "jw.util": [
 {
 "advisory": "An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. See: CVE-2020-13388.",
@@ -9786,6 +10041,15 @@
 "<2.2.0"
 ],
 "v": "<2.2.0"
+ },
+ {
+ "advisory": "Khoros 3.5.0 added the '.github/workflows/bandit.yml' GitHub Action workflow configuration file to leverage the 'Python security check using Bandit' action to perform security audits with each push event. It also changed the default value for the 'shell' parameter to be 'False' in the :py:func:khoros.utils.core_utils.run_cmd function to improve overall security of the library. See also .",
+ "cve": null,
+ "id": "pyup.io-40102",
+ "specs": [
+ "<3.5.0"
+ ],
+ "v": "<3.5.0"
 }
 ],
 "khorosjx": [
@@ -9961,7 +10225,7 @@
 },
 {
 "advisory": "Kiwitcms 6.10 updates Django from 2.2.1 to 2.2.2 (see CVE-2019-12308). Additionally, it adds missing permission checks for menus in Test run page UI template. Permission check are also added for TestExecution status and comment menu. See . Lastly, it re-enables static analysis with `bandit` and `Coverity Scan` in Travis CI.",
- "cve": null,
+ "cve": "CVE-2019-12308",
 "id": "pyup.io-38537",
 "specs": [
 "<6.10"
@@ -9997,7 +10261,7 @@
 },
 {
 "advisory": "Kiwi TCMS 6.4 updates Django from 2.1.4 to 2.1.5, which deals with CVE-2019-3498.",
- "cve": null,
+ "cve": "CVE-2019-3498",
 "id": "pyup.io-38541",
 "specs": [
 "<6.4"
@@ -10203,17 +10467,6 @@
 "v": "<0.1.2"
 }
 ],
- "lambda-warmer-py": [
- {
- "advisory": "Lambda-warmer-py 1.2.0 upgrades the lodash dependency for security issues [131577c].",
- "cve": null,
- "id": "pyup.io-37371",
- "specs": [
- "<1.2.0"
- ],
- "v": "<1.2.0"
- }
- ],
 "lambdajson": [
 {
 "advisory": "lambdajson 0.1.5 includes a security fix. Using ast.literal_eval as eval.",
@@ -10320,6 +10573,15 @@
 "<0.1.5"
 ],
 "v": "<0.1.5"
+ },
+ {
+ "advisory": "Lemur 0.9.0 fixes three critical vulnerabilities where an authenticated user could retrieve/access unauthorized information. See also .",
+ "cve": null,
+ "id": "pyup.io-40028",
+ "specs": [
+ "<0.9.0"
+ ],
+ "v": "<0.9.0"
 }
 ],
 "libhxl": [
@@ -10524,6 +10786,15 @@
 "<4.6.2"
 ],
 "v": "<4.6.2"
+ },
+ {
+ "advisory": "The HTML cleaner in lxml 4.6.3 no longer includes the HTML5 'formaction' attribute to avoid it from allowing JavaScript to pass through. See also CVE-2021-28957.",
+ "cve": "CVE-2021-28957",
+ "id": "pyup.io-40072",
+ "specs": [
+ "<4.6.3"
+ ],
+ "v": "<4.6.3"
 }
 ],
 "mackup": [
@@ -10706,6 +10977,15 @@
 "<=2.3.8"
 ],
 "v": "<=2.3.8"
+ },
+ {
+ "advisory": "markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. See CVE-2021-26813.",
+ "cve": "CVE-2021-26813",
+ "id": "pyup.io-39670",
+ "specs": [
+ ">=1.0.1.18,<2.4.0"
+ ],
+ "v": ">=1.0.1.18,<2.4.0"
 }
 ],
 "marshmallow": [
@@ -11001,9206 +11281,12100 @@ "mindspore": [ { "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", - "cve": null, - "id": "pyup.io-39398", + "cve": "CVE-2020-15358", + "id": "pyup.io-39752", "specs": [ "<0.5.0beta" ], "v": "<0.5.0beta" }, { - "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", - "cve": null, - "id": "pyup.io-39397", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39753", "specs": [ - "<0.6.0beta" + "<0.5.0beta" ], - "v": "<0.6.0beta" + "v": "<0.5.0beta" }, { - "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", - "cve": null, - "id": "pyup.io-39396", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39754", "specs": [ - "<0.7.0beta" + "<0.5.0beta" ], - "v": "<0.7.0beta" + "v": "<0.5.0beta" }, { - "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", - "cve": null, - "id": "pyup.io-39395", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13632", + "id": "pyup.io-39755", "specs": [ - "<1.0.0" + "<0.5.0beta" ], - "v": "<1.0.0" - } - ], - "mini-amf": [ + "v": "<0.5.0beta" + }, { - "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.", - "cve": null, - "id": "pyup.io-33048", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39756", "specs": [ - "<0.8" + "<0.5.0beta" ], - "v": "<0.8" - } - ], - "miniwdl": [ - { - "advisory": "Miniwdl 0.6.0 manipulates ownership/permissions to improve security and user experience:\r\n* as run completes, chown everything in run directory to invoking user and primary group\r\n* run task commands with membership in 
invoking user's primary group, ensuring access to working directory even if they've dropped privileges (a good docker security practice)\r\n* `--as-me` to force all task commands to run as invoking user (more secure, but blocks commands that assume root e.g. apt-get)\r\n* Revert to always running command in bash (as required by WDL spec) rather than container $SHELL", - "cve": null, - "id": "pyup.io-37814", - "specs": [ - "<0.6.0" - ], - "v": "<0.6.0" - } - ], - "misago": [ + "v": "<0.5.0beta" + }, { - "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.", - "cve": null, - "id": "pyup.io-36607", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39757", "specs": [ - "<0.19.4" + "<0.5.0beta" ], - "v": "<0.19.4" - } - ], - "mishmash": [ + "v": "<0.5.0beta" + }, { - "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.", - "cve": null, - "id": "pyup.io-36795", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39758", "specs": [ - "<0.3b12" + "<0.5.0beta" ], - "v": "<0.3b12" - } - ], - "misp-maltego": [ + "v": "<0.5.0beta" + }, { - "advisory": "Misp-maltego 1.4.5 resolves an information disclosure vulnerability when using MISP-maltego as remote transform server. The transform server would cache the MISP credentials of the first user connected, and provide access to that MISP instance for any later user. 
See: CVE-2020-12889.", - "cve": "CVE-2020-12889", - "id": "pyup.io-38487", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39759", "specs": [ - "<1.4.5" + "<0.5.0beta" ], - "v": "<1.4.5" - } - ], - "mistral": [ + "v": "<0.5.0beta" + }, { - "advisory": "An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit this flaw to access sensitive user information. See: CVE-2019-3866 and .", - "cve": "CVE-2019-3866", - "id": "pyup.io-37774", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39760", "specs": [ - "<7.1.0", - ">=8.0,<8.1.0", - ">=9.0,<9.0.1" + "<0.5.0beta" ], - "v": "<7.1.0,>=8.0,<8.1.0,>=9.0,<9.0.1" + "v": "<0.5.0beta" }, { - "advisory": "A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service. 
See: CVE-2018-16848.", - "cve": "CVE-2018-16848", - "id": "pyup.io-38424", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39761", "specs": [ - "<=7.0.3" + "<0.5.0beta" ], - "v": "<=7.0.3" - } - ], - "mistune": [ + "v": "<0.5.0beta" + }, { - "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. It is possible to bypass the renderer's link security check.", - "cve": null, - "id": "pyup.io-25890", + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39398", "specs": [ - "<0.7.2" + "<0.5.0beta" ], - "v": "<0.7.2" + "v": "<0.5.0beta" }, { - "advisory": "mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.", - "cve": "CVE-2017-16876", - "id": "pyup.io-36332", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-40061", "specs": [ - "<0.8.1" + "<0.6.0beta" ], - "v": "<0.8.1" + "v": "<0.6.0beta" }, { - "advisory": "Mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.", - "cve": null, - "id": "pyup.io-35030", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-40062", "specs": [ - "==0.7.4" + "<0.6.0beta" ], - "v": "==0.7.4" - } - ], - "mitiq": [ + "v": "<0.6.0beta" + }, { - "advisory": "Mitiq 0.4.0 updates notebook version in requirements to resolve a vulnerability. No details were provided.", - "cve": null, - "id": "pyup.io-39241", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13435", + "id": "pyup.io-40063", "specs": [ - "<0.4.0" + "<0.6.0beta" ], - "v": "<0.4.0" - } - ], - "mitmproxy": [ + "v": "<0.6.0beta" + }, { - "advisory": "mitmproxy before 0.17 has a XSS vulnerability in HTTP errors.", - "cve": null, - "id": "pyup.io-25891", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13434", + "id": "pyup.io-40064", "specs": [ - "<0.17" + "<0.6.0beta" ], - "v": "<0.17" + "v": "<0.6.0beta" }, { - "advisory": "mitmproxy before 4.0.3 does not protect mitmweb against DNS rebinding.", - "cve": "CVE-2018-14505", - "id": "pyup.io-36353", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13632", + "id": "pyup.io-40065", "specs": [ - "<4.0.3" + "<0.6.0beta" ], - "v": "<4.0.3" + "v": "<0.6.0beta" }, { - "advisory": "mitmproxy before 4.0.4 does not protect mitmweb against DNS rebinding.", - "cve": "CVE-2018-14505", - "id": "pyup.io-36352", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13631", + "id": "pyup.io-40066", "specs": [ - "<4.0.4" + "<0.6.0beta" ], - "v": "<4.0.4" + "v": "<0.6.0beta" }, { - "advisory": "Mitmproxy 5.0 fixes command injection vulnerabilities when exporting flows as curl/httpie commands. It also does not echo unsanitized user input in HTTP error responses.", - "cve": null, - "id": "pyup.io-38179", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-40067", "specs": [ - "<5.0" + "<0.6.0beta" ], - "v": "<5.0" - } - ], - "mitogen": [ + "v": "<0.6.0beta" + }, { - "advisory": "Before mitogen version 0.2.8, unidirectional routing, where contexts may optionally only communicate with parents and never siblings (so that air-gapped networks cannot be unintentionally bridged) was not inherited when a child was initiated directly from another child. This did not effect Ansible, since the controller initiates any new child used for routing, only forked tasks are initiated by children [gh:commit:`5924af15`].", - "cve": null, - "id": "pyup.io-37381", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13630", + "id": "pyup.io-40068", "specs": [ - "<0.2.8" + "<0.6.0beta" ], - "v": "<0.2.8" - } - ], - "mixminion": [ + "v": "<0.6.0beta" + }, { - "advisory": "mixminion before 0.0.2 is vulnerable to certain trivial DoS attacks. In particular, it's possible to send zlib bombs or flood a server with open connections.", - "cve": null, - "id": "pyup.io-25892", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-9327", + "id": "pyup.io-40069", "specs": [ - "<0.0.2" + "<0.6.0beta" ], - "v": "<0.0.2" - } - ], - "mkdocs-material": [ + "v": "<0.6.0beta" + }, { - "advisory": "mkdocs-material before 1.0.0 uses _blank targets on links which make it vulnerable to Cross Site Scripting attacks.", - "cve": null, - "id": "pyup.io-32121", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11655", + "id": "pyup.io-40070", "specs": [ - "<1.0.0" + "<0.6.0beta" ], - "v": "<1.0.0" - } - ], - "mkdocs-table-reader-plugin": [ + "v": "<0.6.0beta" + }, { - "advisory": "Mkdocs-table-reader-plugin 0.2 drops the use of eval() in favor of ast.literal_eval() for security reasons.", - "cve": null, - "id": "pyup.io-38272", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13871", + "id": "pyup.io-40071", "specs": [ - "<0.2" + "<0.6.0beta" ], - "v": "<0.2" - } - ], - "mlalchemy": [ + "v": "<0.6.0beta" + }, { - "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", - "cve": "CVE-2017-16615", - "id": "pyup.io-35718", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39397", "specs": [ - "<0.2.2" + "<0.6.0beta" ], - "v": "<0.2.2" - } - ], - "mockintosh": [ + "v": "<0.6.0beta" + }, { - "advisory": "Mockintosh 0.4 adds the ability to refer to external files (containing request and response bodies) and makes it secure by disallowing files outside the mock config hierarchy.", - "cve": null, - "id": "pyup.io-39463", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-39784", "specs": [ - "<0.4" + "<0.6.0beta" ], - "v": "<0.4" - } - ], - "mockup": [ + "v": "<0.6.0beta" + }, { - "advisory": "mockup before 2.1.3 has XSS vulnerability issues in structure and relateditem patterns.", - "cve": null, - "id": "pyup.io-25893", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39785", "specs": [ - "<2.1.3" + "<0.6.0beta" ], - "v": "<2.1.3" - } - ], - "moin": [ + "v": "<0.6.0beta" + }, { - "advisory": "The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.", - "cve": "CVE-2008-6549", - "id": "pyup.io-25894", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39786", "specs": [ - "<1.6.1" + "<0.6.0beta" ], - "v": "<1.6.1" + "v": "<0.6.0beta" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-9119.", - "cve": "CVE-2016-9119", - "id": "pyup.io-39587", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39787", "specs": [ - "<1.9.10" + "<0.6.0beta" ], - "v": "<1.9.10" + "v": "<0.6.0beta" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-7146.", - "cve": "CVE-2016-7146", - "id": "pyup.io-39588", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13632", + "id": "pyup.io-39788", "specs": [ - "<1.9.10" + "<0.6.0beta" ], - "v": "<1.9.10" + "v": "<0.6.0beta" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", - "cve": null, - "id": "pyup.io-36478", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39789", "specs": [ - "<1.9.10" + "<0.6.0beta" ], - "v": "<1.9.10" + "v": "<0.6.0beta" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", - "cve": "CVE-2017-5934", - "id": "pyup.io-36447", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39790", "specs": [ - "<1.9.10" + "<0.6.0beta" ], - "v": "<1.9.10" + "v": "<0.6.0beta" }, { - "advisory": "Moin 2.2.2 removes two cross-site scripting vulnerabilities reported by \"office\".", - "cve": null, - "id": "pyup.io-36475", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39791", "specs": [ - "<2.2.2" + "<0.6.0beta" ], - "v": "<2.2.2" - } - ], - "mollie-api-python": [ + "v": "<0.6.0beta" + }, { - "advisory": "mollie-api-python 2.0.4 updates requests to 2.20.0 because of a moderate severity vulnerability in versions prior to 2.20.0", - "cve": null, - "id": "pyup.io-36650", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39792", "specs": [ - "<2.0.4" + "<0.6.0beta" ], - "v": "<2.0.4" - } - ], - "monoshape": [ + "v": "<0.6.0beta" + }, { - "advisory": "Monoshape 1.2 updates Pillow version for security.", - "cve": null, - "id": "pyup.io-37605", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39793", "specs": [ - "<1.2" + "<0.6.0beta" ], - "v": "<1.2" - } - ], - "mopidy-jellyfin": [ + "v": "<0.6.0beta" + }, { - "advisory": "Mopidy-jellyfin 0.3.1 addresses a security vulnerability in one of its dependencies.", - "cve": null, - "id": "pyup.io-37281", + "advisory": "Mindspore 0.6.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39794", "specs": [ - "<0.3.1" + "<0.6.0beta" ], - "v": "<0.3.1" - } - ], - "morepath": [ + "v": "<0.6.0beta" + }, { - "advisory": "morepath before 0.14 has no host header validation to protect against header poisoning attacks.", - "cve": null, - "id": "pyup.io-25895", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39396", "specs": [ - "<0.14" + "<0.7.0beta" ], - "v": "<0.14" - } - ], - "mortimer": [ + "v": "<0.7.0beta" + }, { - "advisory": "Mortimer 0.4.5 further increases the data protection and data security through an improved handling of access to the alfred database from inside experiments.", - "cve": null, - "id": "pyup.io-38277", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-39773", "specs": [ - "<0.4.5" + "<0.7.0beta" ], - "v": "<0.4.5" - } - ], - "mosql": [ + "v": "<0.7.0beta" + }, { - "advisory": "mosql 0.10 includes several security related changes.", - "cve": null, - "id": "pyup.io-25896", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39774", "specs": [ - "<0.10" + "<0.7.0beta" ], - "v": "<0.10" - } - ], - "mpymodcore": [ + "v": "<0.7.0beta" + }, { - "advisory": "Mpymodcore 0.0.12 hardens the WindUp security (user module), and secures router with a redirect/bad request response.", - "cve": null, - "id": "pyup.io-38431", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39775", "specs": [ - "<0.0.12" + "<0.7.0beta" ], - "v": "<0.0.12" + "v": "<0.7.0beta" }, { - "advisory": "Mpymodcore 0.0.9 includes hardening of WindUp security and it also secures router with a redirect/bad request response.", - "cve": null, - "id": "pyup.io-38218", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39776", "specs": [ - "<0.0.9" + "<0.7.0beta" ], - "v": "<0.0.9" + "v": "<0.7.0beta" }, { - "advisory": "The changelog of mpymodcore 0.0.14 mentions some backlogged tasks, among which: \"WindUp security hardening, user module, secure router with redirect/bad request response\"", - "cve": null, - "id": "pyup.io-38795", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13632", + "id": "pyup.io-39777", "specs": [ - "<=0.0.14" + "<0.7.0beta" ], - "v": "<=0.0.14" + "v": "<0.7.0beta" }, { - "advisory": "Mpymodcore version 0.0.15 and below (and possibly later version, too) are in need of WindUp security hardening. This is listed in the backlog.", - "cve": null, - "id": "pyup.io-38872", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39778", "specs": [ - "<=0.0.15" + "<0.7.0beta" ], - "v": "<=0.0.15" + "v": "<0.7.0beta" }, { - "advisory": "Mpymodcore 0.0.17 mentions in its changelog that WindUp security hardening is a backlogged task.", - "cve": null, - "id": "pyup.io-38980", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39779", "specs": [ - "<=0.0.17" + "<0.7.0beta" ], - "v": "<=0.0.17" + "v": "<0.7.0beta" }, { - "advisory": "Mpymodcore 0.0.18 includes a note in its list of backlogged tasks to harden the security of WindUp, securing the router with a redirect/bad request response.", - "cve": null, - "id": "pyup.io-39161", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39780", "specs": [ - "<=0.0.18" + "<0.7.0beta" ], - "v": "<=0.0.18" + "v": "<0.7.0beta" }, { - "advisory": "Mpymodcore 0.0.19 was released with the acknowledgement that WindUp requires security hardening.", - "cve": null, - "id": "pyup.io-39273", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39781", "specs": [ - "<=0.0.19" + "<0.7.0beta" ], - "v": "<=0.0.19" - } - ], - "mr.migrator": [ + "v": "<0.7.0beta" + }, { - "advisory": "mr.migrator 1.2 fixes a form problem with security hotfix.", - "cve": null, - "id": "pyup.io-25897", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39782", "specs": [ - "<1.2" + "<0.7.0beta" ], - "v": "<1.2" - } - ], - "msgpack": [ + "v": "<0.7.0beta" + }, { - "advisory": "msgpack 0.6.0 contains some backward incompatible changes for security reason (DoS).", - "cve": null, - "id": "pyup.io-36700", + "advisory": "Mindspore 0.7.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39783", "specs": [ - "<0.6.0" + "<0.7.0beta" ], - "v": "<0.6.0" - } - ], - "mss": [ + "v": "<0.7.0beta" + }, { - "advisory": "mss before 2.0.18 has a undisclosed security issue.", - "cve": null, - "id": "pyup.io-25898", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-39762", "specs": [ - "<2.0.18" + "<1.0.0" ], - "v": "<2.0.18" - } - ], - "mtga": [ + "v": "<1.0.0" + }, { - "advisory": "mtga 2.0.0beta includes API security improvements & fixes.", - "cve": null, - "id": "pyup.io-36317", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39763", "specs": [ - "<2.0.0beta" + "<1.0.0" ], - "v": "<2.0.0beta" - } - ], - "mtprotoproxy": [ + "v": "<1.0.0" + }, { - "advisory": "mtprotoproxy before 1.0.0 has the potential to allow for passive detection given known string lengths.\r\nV1.0.0 now adds random paddings to prevent this.", - "cve": null, - "id": "pyup.io-36301", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39764", "specs": [ "<1.0.0" ], "v": "<1.0.0" }, { - "advisory": "Mtprotoproxy 1.0.6 adds more protections from replay attacks.", - "cve": null, - "id": "pyup.io-37407", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39765", "specs": [ - "<1.0.6" + "<1.0.0" ], - "v": "<1.0.6" - } - ], - "muffnn": [ + "v": "<1.0.0" + }, { - "advisory": "Muffnn 2.3.1 increases the minimum version of tensorflow to v1.15.2 to fix a security vulnerability.", - "cve": null, - "id": "pyup.io-38154", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13632", + "id": "pyup.io-39766", "specs": [ - "<2.3.1" + "<1.0.0" ], - "v": "<2.3.1" + "v": "<1.0.0" }, { - "advisory": "Muffnn 2.3.2 increases the minimum version of 'tensorflow' to version 1.15.4 to fix the security vulnerability reported in .", - "cve": null, - "id": "pyup.io-39222", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39767", "specs": [ - "<2.3.2" + "<1.0.0" ], - "v": "<2.3.2" - } - ], - "murano-dashboard": [ + "v": "<1.0.0" + }, { - "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.", - "cve": "CVE-2016-4972", - "id": "pyup.io-25899", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39768", "specs": [ - ">=2.0,<2.0.1", - "<1.0.3" + "<1.0.0" ], - "v": ">=2.0,<2.0.1,<1.0.3" - } - ], - "music21": [ + "v": "<1.0.0" + }, { - "advisory": "Music21 6.1.0 is no longer packaged with external modules; these will be installed when installing music21 via pip (otherwise run `pip install -r requirements.txt`). Speed and security improvements come with this.", - "cve": null, - "id": "pyup.io-38746", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39769", "specs": [ - "<6.1.0" + "<1.0.0" ], - "v": "<6.1.0" - } - ], - "mxnet": [ + "v": "<1.0.0" + }, { - "advisory": "In mxnet before 1.0.0, mxnet listens on all available interfaces when running training in distributed mode.", - "cve": null, - "id": "pyup.io-35115", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39770", "specs": [ "<1.0.0" ], "v": "<1.0.0" - } - ], - "mysql-connector": [ + }, { - "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.", - "cve": "CVE-2016-5598", - "id": "pyup.io-25900", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39771", "specs": [ - "<2.1.3" + "<1.0.0" ], - "v": "<2.1.3" - } - ], - "mysql-connector-python": [ + "v": "<1.0.0" + }, { - "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.", - "cve": "CVE-2016-5598", - "id": "pyup.io-25901", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39772", "specs": [ - "<2.0.4" + "<1.0.0" ], - "v": "<2.0.4" + "v": "<1.0.0" }, { - "advisory": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data.", - "cve": "CVE-2019-2435", - "id": "pyup.io-36816", + "advisory": "Mindspore 1.0.0 updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358. 
It also updated libjpeg-turbo to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39395", "specs": [ - "<=8.0.13" + "<1.0.0" ], - "v": "<=8.0.13" + "v": "<1.0.0" } ], - "nanopb": [ + "mini-amf": [ { - "advisory": "Nanopb 0.2.8 fixes a security issue with PB_ENABLE_MALLOC.", + "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.", "cve": null, - "id": "pyup.io-37705", + "id": "pyup.io-33048", "specs": [ - "<0.2.8" + "<0.8" ], - "v": "<0.2.8" - }, + "v": "<0.8" + } + ], + "miniwdl": [ { - "advisory": "Nanopb 0.2.9.1 fixes a security issue due to size_t overflows.", + "advisory": "Miniwdl 0.6.0 manipulates ownership/permissions to improve security and user experience:\r\n* as run completes, chown everything in run directory to invoking user and primary group\r\n* run task commands with membership in invoking user's primary group, ensuring access to working directory even if they've dropped privileges (a good docker security practice)\r\n* `--as-me` to force all task commands to run as invoking user (more secure, but blocks commands that assume root e.g. 
apt-get)\r\n* Revert to always running command in bash (as required by WDL spec) rather than container $SHELL", "cve": null, - "id": "pyup.io-37808", + "id": "pyup.io-37814", "specs": [ - "<0.2.9.1" + "<0.6.0" ], - "v": "<0.2.9.1" - }, + "v": "<0.6.0" + } + ], + "misago": [ { - "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.", + "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.", "cve": null, - "id": "pyup.io-37704", + "id": "pyup.io-36607", "specs": [ - "<0.3.1" + "<0.19.4" ], - "v": "<0.3.1" - }, + "v": "<0.19.4" + } + ], + "mishmash": [ { - "advisory": "Nanopb 0.2.9.1 and 0.3.1 fix a security issue due to size_t overflows (issue 132).", + "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.", "cve": null, - "id": "pyup.io-37706", + "id": "pyup.io-36795", "specs": [ - ">=0.3.0,<0.3.1", - ">=0.2.0,<0.2.9.1" + "<0.3b12" ], - "v": ">=0.3.0,<0.3.1,>=0.2.0,<0.2.9.1" + "v": "<0.3b12" } ], - "natcap.invest": [ + "misp-maltego": [ { - "advisory": "Natcap.invest 3.8.1 bumps the psutil dependency requirement to psutil>=5.6.6 to address a double-free vulnerability documented in CVE-2019-18874.", - "cve": "CVE-2019-18874", - "id": "pyup.io-38271", + "advisory": "Misp-maltego 1.4.5 resolves an information disclosure vulnerability when using MISP-maltego as remote transform server. The transform server would cache the MISP credentials of the first user connected, and provide access to that MISP instance for any later user. 
See: CVE-2020-12889.", + "cve": "CVE-2020-12889", + "id": "pyup.io-38487", "specs": [ - "<3.8.1" + "<1.4.5" ], - "v": "<3.8.1" + "v": "<1.4.5" } ], - "nba-scraper": [ + "mistral": [ { - "advisory": "Nba-scraper 0.2.7 removes a security flaw where it wasn't verifying SSL certificates during testing.", - "cve": null, - "id": "pyup.io-37142", + "advisory": "An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit this flaw to access sensitive user information. See: CVE-2019-3866 and .", + "cve": "CVE-2019-3866", + "id": "pyup.io-37774", "specs": [ - "<0.2.7" + "<7.1.0", + ">=8.0,<8.1.0", + ">=9.0,<9.0.1" ], - "v": "<0.2.7" + "v": "<7.1.0,>=8.0,<8.1.0,>=9.0,<9.0.1" + }, + { + "advisory": "A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service. See: CVE-2018-16848.", + "cve": "CVE-2018-16848", + "id": "pyup.io-38424", + "specs": [ + "<=7.0.3" + ], + "v": "<=7.0.3" } ], - "nearbeach": [ + "mistune": [ { - "advisory": "Nearbeach 0.22.1 fixes several security issues in relation to Bandit, identified by Nearbeach as BUG491, BUG492, BUG493, BUG494, BUG495, BUG496, BUG497, and BUG498.", + "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. 
It is possible to bypass the renderer's link security check.", "cve": null, - "id": "pyup.io-37602", + "id": "pyup.io-25890", "specs": [ - "<0.22.1" + "<0.7.2" ], - "v": "<0.22.1" - } - ], - "neo-python": [ + "v": "<0.7.2" + }, { - "advisory": "neo-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", + "advisory": "mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.", + "cve": "CVE-2017-16876", + "id": "pyup.io-36332", + "specs": [ + "<0.8.1" + ], + "v": "<0.8.1" + }, + { + "advisory": "Mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.", "cve": null, - "id": "pyup.io-36441", + "id": "pyup.io-35030", "specs": [ - "<0.7.8" + "==0.7.4" ], - "v": "<0.7.8" + "v": "==0.7.4" } ], - "netdumplings": [ + "mitiq": [ { - "advisory": "Netdumplings 0.4.0 updates the websockets dependency to v7 to fix security warnings.", + "advisory": "Mitiq 0.4.0 updates notebook version in requirements to resolve a vulnerability. No details were provided.", "cve": null, - "id": "pyup.io-37208", + "id": "pyup.io-39241", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], - "netfoundry": [ + "mitmproxy": [ { - "advisory": "Netfoundry 4.19.0 fixes a rake vulnerability in the `.gemspec` file.", + "advisory": "mitmproxy before 0.17 has a XSS vulnerability in HTTP errors.", "cve": null, - "id": "pyup.io-39082", + "id": "pyup.io-25891", "specs": [ - "<4.19.0" + "<0.17" ], - "v": "<4.19.0" - } - ], - "netius": [ + "v": "<0.17" + }, { - "advisory": "netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. 
HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks. See: CVE-2020-7655.", - "cve": "CVE-2020-7655", - "id": "pyup.io-38316", + "advisory": "mitmproxy before 4.0.3 does not protect mitmweb against DNS rebinding.", + "cve": "CVE-2018-14505", + "id": "pyup.io-36353", "specs": [ - "<1.17.58" + "<4.0.3" ], - "v": "<1.17.58" - } - ], - "netviel": [ + "v": "<4.0.3" + }, { - "advisory": "Netviel 0.2 fixes security vulnerabilities. No details were provided.", + "advisory": "mitmproxy before 4.0.4 does not protect mitmweb against DNS rebinding.", + "cve": "CVE-2018-14505", + "id": "pyup.io-36352", + "specs": [ + "<4.0.4" + ], + "v": "<4.0.4" + }, + { + "advisory": "Mitmproxy 5.0 fixes command injection vulnerabilities when exporting flows as curl/httpie commands. It also does not echo unsanitized user input in HTTP error responses.", "cve": null, - "id": "pyup.io-38366", + "id": "pyup.io-38179", "specs": [ - "<0.2" + "<5.0" ], - "v": "<0.2" + "v": "<5.0" } ], - "neutron": [ + "mitogen": [ { - "advisory": "An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected. See: CVE-2019-10876.", - "cve": "CVE-2019-10876", - "id": "pyup.io-37022", + "advisory": "Before mitogen version 0.2.8, unidirectional routing, where contexts may optionally only communicate with parents and never siblings (so that air-gapped networks cannot be unintentionally bridged) was not inherited when a child was initiated directly from another child. 
This did not effect Ansible, since the controller initiates any new child used for routing, only forked tasks are initiated by children [gh:commit:`5924af15`].", + "cve": null, + "id": "pyup.io-37381", "specs": [ - ">=11.0,<11.0.7", - ">=12.0,<12.0.6", - ">=13.0,<13.0.3" + "<0.2.8" ], - "v": ">=11.0,<11.0.7,>=12.0,<12.0.6,>=13.0,<13.0.3" + "v": "<0.2.8" } ], - "newrelic": [ + "mixminion": [ { - "advisory": "New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.", + "advisory": "mixminion before 0.0.2 is vulnerable to certain trivial DoS attacks. In particular, it's possible to send zlib bombs or flood a server with open connections.", "cve": null, - "id": "pyup.io-35805", + "id": "pyup.io-25892", "specs": [ - ">=1.1.0.192,<=2.106.0.87" + "<0.0.2" ], - "v": ">=1.1.0.192,<=2.106.0.87" + "v": "<0.0.2" } ], - "newsletter": [ + "mkdocs-material": [ { - "advisory": "newsletter 0.1.17pre in newsletterapp is now more secure by default. 
Does not setup default users for admin section.", + "advisory": "mkdocs-material before 1.0.0 uses _blank targets on links which make it vulnerable to Cross Site Scripting attacks.", "cve": null, - "id": "pyup.io-25902", + "id": "pyup.io-32121", "specs": [ - "<0.1.17pre" + "<1.0.0" ], - "v": "<0.1.17pre" - } - ], - "nfw": [ + "v": "<1.0.0" + }, { - "advisory": "nfw before 0.0.7 is vulnerable to SQL-injection attacks.", + "advisory": "Mkdocs-material 7.0.6 improves the security of the Docker image.", "cve": null, - "id": "pyup.io-32994", + "id": "pyup.io-39706", "specs": [ - "<0.0.7" + "<7.0.6" ], - "v": "<0.0.7" - } - ], - "ngraph-mxnet": [ - { - "advisory": "ngraph-mxnet 1.0.0 fixed a security bug that is causing MXNet to listen on all available interfaces when running training in distributed mode.", - "cve": null, - "id": "pyup.io-36701", - "specs": [ - "<1.0.0" - ], - "v": "<1.0.0" + "v": "<7.0.6" } ], - "nifcloud": [ + "mkdocs-table-reader-plugin": [ { - "advisory": "Nifcloud 0.1.7 updates dependencies to fix a vulnerability.", + "advisory": "Mkdocs-table-reader-plugin 0.2 drops the use of eval() in favor of ast.literal_eval() for security reasons.", "cve": null, - "id": "pyup.io-37098", + "id": "pyup.io-38272", "specs": [ - "<0.1.7" + "<0.2" ], - "v": "<0.1.7" + "v": "<0.2" } ], - "noiseprotocol": [ + "mlalchemy": [ { - "advisory": "noiseprotocol before 0.2.1 used an insecure transitive dependency (Cryptography<=2.1.3).", - "cve": null, - "id": "pyup.io-35043", + "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", + "cve": "CVE-2017-16615", + "id": "pyup.io-35718", "specs": [ - "<0.2.1" + "<0.2.2" ], - "v": "<0.2.1" + "v": "<0.2.2" } ], - "normcap": [ - { - "advisory": "Normcap 0.1.1 updates PyInstaller to avoid potential vulnerability.", - "cve": null, - "id": "pyup.io-37722", - "specs": [ - "<0.1.1" - ], - "v": "<0.1.1" - }, + "mlf-core": [ { - "advisory": "Normcap 0.1.2 updates the Bleach Package to avoid a potential vulnerability.", + "advisory": "Mlf-core 1.10.0 includes a fix for insecure MD5 (from Bandit report).", "cve": null, - "id": "pyup.io-38132", + "id": "pyup.io-39705", "specs": [ - "<0.1.2" + "<1.10.0" ], - "v": "<0.1.2" + "v": "<1.10.0" } ], - "notable": [ + "mockintosh": [ { - "advisory": "notable 0.0.6 fixes a security regression in the new BoltDB backend.", + "advisory": "Mockintosh 0.4 adds the ability to refer to external files (containing request and response bodies) and makes it secure by disallowing files outside the mock config hierarchy.", "cve": null, - "id": "pyup.io-34447", - "specs": [ - "<0.0.6" - ], - "v": "<0.0.6" - } - ], - "notebook": [ - { - "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.", - "cve": "CVE-2015-7337", - "id": "pyup.io-25903", - "specs": [ - "<4.0.5" - ], - "v": "<4.0.5" - }, - { - "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. 
NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.", - "cve": "CVE-2015-6938", - "id": "pyup.io-25904", + "id": "pyup.io-39463", "specs": [ - ">=4.0,<4.0.5" + "<0.4" ], - "v": ">=4.0,<4.0.5" + "v": "<0.4" } ], - "notifications-python-client": [ + "mockup": [ { - "advisory": "notifications-python-client before 4.7.1 is vulnerable to a not further described security issue in PyJWT.", + "advisory": "mockup before 2.1.3 has XSS vulnerability issues in structure and relateditem patterns.", "cve": null, - "id": "pyup.io-35116", + "id": "pyup.io-25893", "specs": [ - "<4.7.1" + "<2.1.3" ], - "v": "<4.7.1" + "v": "<2.1.3" } ], - "nova": [ + "moin": [ { - "advisory": "An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py. See: CVE-2015-9543.", - "cve": "CVE-2015-9543", - "id": "pyup.io-37903", + "advisory": "The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.", + "cve": "CVE-2008-6549", + "id": "pyup.io-25894", "specs": [ - "<18.2.4", - ">=20.0.0.0rc1,<20.1.0", - ">=19.0.0.0rc1,<19.1.0" + "<1.6.1" ], - "v": "<18.2.4,>=20.0.0.0rc1,<20.1.0,>=19.0.0.0rc1,<19.1.0" + "v": "<1.6.1" }, { - "advisory": "An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. 
By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected. See: CVE-2020-17376.", - "cve": "CVE-2020-17376", - "id": "pyup.io-38722", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-9119.", + "cve": "CVE-2016-9119", + "id": "pyup.io-39587", "specs": [ - "<19.3.1", - ">=20.0.0.0rc1,<20.3.1", - "==21.0.0" + "<1.9.10" ], - "v": "<19.3.1,>=20.0.0.0rc1,<20.3.1,==21.0.0" + "v": "<1.9.10" }, { - "advisory": "OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. See CVE-2011-4076.", - "cve": "CVE-2011-4076", - "id": "pyup.io-37736", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-7146.", + "cve": "CVE-2016-7146", + "id": "pyup.io-39588", "specs": [ - "<2012.1" + "<1.9.10" ], - "v": "<2012.1" + "v": "<1.9.10" }, { - "advisory": "Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem. 
See: CVE-2011-3147.", - "cve": "CVE-2011-3147", - "id": "pyup.io-37087", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", + "cve": null, + "id": "pyup.io-36478", "specs": [ - "<2012.1" + "<1.9.10" ], - "v": "<2012.1" + "v": "<1.9.10" }, { - "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.", - "cve": "CVE-2013-1068", - "id": "pyup.io-25905", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", + "cve": "CVE-2017-5934", + "id": "pyup.io-36447", "specs": [ - "<2013.2.3" + "<1.9.10" ], - "v": "<2013.2.3" + "v": "<1.9.10" }, { - "advisory": "OpenStack nova base images permissions are world readable. No fixes or affected versions are known. 
See: CVE-2013-0326.", - "cve": "CVE-2013-0326", - "id": "pyup.io-37745", + "advisory": "Moin 2.2.2 removes two cross-site scripting vulnerabilities reported by \"office\".", + "cve": null, + "id": "pyup.io-36475", "specs": [ - ">0" + "<2.2.2" ], - "v": ">0" + "v": "<2.2.2" } ], - "nrel-rex": [ + "mollie-api-python": [ { - "advisory": "Nrel-rex 0.2.16 adds a simple eval equation checker for malicious statements.", + "advisory": "mollie-api-python 2.0.4 updates requests to 2.20.0 because of a moderate severity vulnerability in versions prior to 2.20.0", "cve": null, - "id": "pyup.io-38909", + "id": "pyup.io-36650", "specs": [ - "<0.2.16" + "<2.0.4" ], - "v": "<0.2.16" + "v": "<2.0.4" } ], - "nsupdate": [ - { - "advisory": "nsupdate before 0.3.0 is vulnerable to a undisclosed security issue.", - "cve": null, - "id": "pyup.io-25906", - "specs": [ - "<0.3.0" - ], - "v": "<0.3.0" - }, - { - "advisory": "nsupdate 0.8.0 fixes a security issue: abuse_blocked flag could be worked around by abuser.", - "cve": null, - "id": "pyup.io-25907", - "specs": [ - "<0.8.0" - ], - "v": "<0.8.0" - }, + "monoshape": [ { - "advisory": "nsupdate 0.9.1 fixes a security issue with \"related hosts\" / \"service updaters\".", + "advisory": "Monoshape 1.2 updates Pillow version for security.", "cve": null, - "id": "pyup.io-25908", + "id": "pyup.io-37605", "specs": [ - "<0.9.1" + "<1.2" ], - "v": "<0.9.1" + "v": "<1.2" } ], - "nuitka": [ + "mopidy-jellyfin": [ { - "advisory": "Nuitka 0.6.12 uses https URLs for downloading dependency walker, for it to be more secure.", + "advisory": "Mopidy-jellyfin 0.3.1 addresses a security vulnerability in one of its dependencies.", "cve": null, - "id": "pyup.io-39648", + "id": "pyup.io-37281", "specs": [ - "<0.6.12" + "<0.3.1" ], - "v": "<0.6.12" + "v": "<0.3.1" } ], - "nukikata": [ + "morepath": [ { - "advisory": "Nukikata 1.4.0 raises an error if Cookiecutter tries to render a template that contains an undefined variable. 
Makes generation more robust and secure.", + "advisory": "morepath before 0.14 has no host header validation to protect against header poisoning attacks.", "cve": null, - "id": "pyup.io-38418", + "id": "pyup.io-25895", "specs": [ - "<1.4.0" + "<0.14" ], - "v": "<1.4.0" + "v": "<0.14" } ], - "numba": [ + "mortimer": [ { - "advisory": "Numba 0.49.0 includes an attempt at fixing frame injection in the dispatcher tracing path.", + "advisory": "Mortimer 0.4.5 further increases the data protection and data security through an improved handling of access to the alfred database from inside experiments.", "cve": null, - "id": "pyup.io-38983", + "id": "pyup.io-38277", "specs": [ - "<0.49.0" + "<0.4.5" ], - "v": "<0.49.0" + "v": "<0.4.5" } ], - "numpy": [ + "mosql": [ { - "advisory": "An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.", - "cve": "CVE-2019-6446", - "id": "pyup.io-36810", + "advisory": "mosql 0.10 includes several security related changes.", + "cve": null, + "id": "pyup.io-25896", "specs": [ - "<=1.16.0" + "<0.10" ], - "v": "<=1.16.0" + "v": "<0.10" } ], - "nvidia-tensorflow": [ + "mpxj": [ { - "advisory": "Nvidia-tensorflow 1.10.0 builds & links in secure gRPC components (switch from the insecure grpc dependency to secure grpc dependency)", + "advisory": "Mpxj 5.0.0 fixes a XXE security vulnerability. 
See also .", "cve": null, - "id": "pyup.io-38457", + "id": "pyup.io-39675", "specs": [ - "<1.10.0" + "<5.0.0" ], - "v": "<1.10.0" + "v": "<5.0.0" }, { - "advisory": "Nvidia-tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", - "cve": null, - "id": "pyup.io-38456", + "advisory": "Mpxj 8.1.4 addresses the CVE-2020-25020 XXE vulnerability.", + "cve": "CVE-2020-25020", + "id": "pyup.io-39674", "specs": [ - "<1.12.2" + "<8.1.4" ], - "v": "<1.12.2" + "v": "<8.1.4" }, { - "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "advisory": "Mpxj 8.3.5 addresses the CVE-2020-35460 zip slip vulnerability.", "cve": null, - "id": "pyup.io-38797", + "id": "pyup.io-39673", "specs": [ - "<1.15.3" + "<8.3.5" ], - "v": "<1.15.3" - }, - { - "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-16168.", - "cve": "CVE-2019-16168", - "id": "pyup.io-39582", + "v": "<8.3.5" + } + ], + "mpymodcore": [ + { + "advisory": "Mpymodcore 0.0.12 hardens the WindUp security (user module), and secures router with a redirect/bad request response.", + "cve": null, + "id": "pyup.io-38431", "specs": [ - ">=1.0.0,<1.15.2" + "<0.0.12" ], - "v": ">=1.0.0,<1.15.2" + "v": "<0.0.12" }, { - "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-19645.", - "cve": "CVE-2019-19645", - "id": "pyup.io-39583", + "advisory": "Mpymodcore 0.0.9 includes hardening of WindUp security and it also secures router with a redirect/bad request response.", + "cve": null, + "id": "pyup.io-38218", "specs": [ - ">=1.0.0,<1.15.2" + "<0.0.9" ], - "v": 
">=1.0.0,<1.15.2" + "v": "<0.0.9" }, { - "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-19646.", - "cve": "CVE-2019-19646", - "id": "pyup.io-39584", + "advisory": "The changelog of mpymodcore 0.0.14 mentions some backlogged tasks, among which: \"WindUp security hardening, user module, secure router with redirect/bad request response\"", + "cve": null, + "id": "pyup.io-38795", "specs": [ - ">=1.0.0,<1.15.2" + "<=0.0.14" ], - "v": ">=1.0.0,<1.15.2" + "v": "<=0.0.14" }, { - "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", - "cve": "CVE-2019-5481", - "id": "pyup.io-39585", + "advisory": "Mpymodcore version 0.0.15 and below (and possibly later version, too) are in need of WindUp security hardening. This is listed in the backlog.", + "cve": null, + "id": "pyup.io-38872", "specs": [ - ">=1.0.0,<1.15.2" + "<=0.0.15" ], - "v": ">=1.0.0,<1.15.2" + "v": "<=0.0.15" }, { - "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5482.", - "cve": "CVE-2019-5482", - "id": "pyup.io-39586", + "advisory": "Mpymodcore 0.0.17 mentions in its changelog that WindUp security hardening is a backlogged task.", + "cve": null, + "id": "pyup.io-38980", "specs": [ - ">=1.0.0,<1.15.2" + "<=0.0.17" ], - "v": ">=1.0.0,<1.15.2" + "v": "<=0.0.17" }, { - "advisory": "Nvidia-tensorflow 1.15.2\r\n* Fixes a security vulnerability where converting a Python string to a `tf.float16` value produces a segmentation fault (CVE-2020-5215)", + "advisory": "Mpymodcore 0.0.18 includes a note in its list of backlogged tasks to harden the security of WindUp, securing the router with a redirect/bad request response.", "cve": null, - "id": "pyup.io-38455", + "id": "pyup.io-39161", "specs": [ - ">=1.0.0,<1.15.2" + "<=0.0.18" ], - "v": ">=1.0.0,<1.15.2" - } - ], - "oauth-pyzure": [ + "v": "<=0.0.18" + }, { - "advisory": "Oauth-pyzure 0.1.4 is based on OSS vulnerability reports.", + "advisory": "Mpymodcore 
0.0.19 was released with the acknowledgement that WindUp requires security hardening.", "cve": null, - "id": "pyup.io-39077", + "id": "pyup.io-39273", "specs": [ - "<0.1.4" + "<=0.0.19" ], - "v": "<0.1.4" + "v": "<=0.0.19" } ], - "oauth2": [ + "mqtt-io": [ { - "advisory": "The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.", - "cve": "CVE-2013-4346", - "id": "pyup.io-35462", + "advisory": "Mqtt-io 0.5.2 updates PyYAML to a version that doesn't suffer from CVE-2020-1747 vulnerability.", + "cve": "CVE-2020-1747", + "id": "pyup.io-40018", "specs": [ - "<1.9" + "<0.5.2" ], - "v": "<1.9" - }, + "v": "<0.5.2" + } + ], + "mr.migrator": [ { - "advisory": "The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.", - "cve": "CVE-2013-4347", - "id": "pyup.io-35463", + "advisory": "mr.migrator 1.2 fixes a form problem with security hotfix.", + "cve": null, + "id": "pyup.io-25897", "specs": [ - "<1.9" + "<1.2" ], - "v": "<1.9" + "v": "<1.2" } ], - "oauthlib": [ + "msgpack": [ { - "advisory": "oauthlib before 0.7.0 is not stripping client provided passwords from OAuth2 logs.", + "advisory": "msgpack 0.6.0 contains some backward incompatible changes for security reason (DoS).", "cve": null, - "id": "pyup.io-25909", + "id": "pyup.io-36700", "specs": [ - "<0.7.0" + "<0.6.0" ], - "v": "<0.7.0" + "v": "<0.6.0" } ], - "obasparql": [ + "mss": [ { - "advisory": "Obasparql 2.0.1 bumps werkzeug to >= 0.15.3 to address CVE-2019-14806.", - "cve": "CVE-2019-14806", - "id": "pyup.io-38322", + "advisory": "mss before 2.0.18 has a undisclosed security issue.", + "cve": null, + "id": "pyup.io-25898", "specs": [ - "<2.0.1" + "<2.0.18" ], - "v": "<2.0.1" + "v": "<2.0.18" } ], - "obsplus": [ + "mtga": [ { - 
"advisory": "Obsplus 0.0.6 switched from MD5 hashing to SHA256 as the latter is more secure and the computational differences were negligible.", + "advisory": "mtga 2.0.0beta includes API security improvements & fixes.", "cve": null, - "id": "pyup.io-38088", + "id": "pyup.io-36317", "specs": [ - "<0.0.6" + "<2.0.0beta" ], - "v": "<0.0.6" + "v": "<2.0.0beta" } ], - "oci": [ + "mtprotoproxy": [ { - "advisory": "oci 2.0.2 opened up the dependency pinning on cryptography due to CVE-2018-10903 - OCI does not call the affected method in cryptography, but upgrading is recommended", - "cve": "CVE-2018-10903", - "id": "pyup.io-37415", + "advisory": "mtprotoproxy before 1.0.0 has the potential to allow for passive detection given known string lengths.\r\nV1.0.0 now adds random paddings to prevent this.", + "cve": null, + "id": "pyup.io-36301", "specs": [ - "<2.0.2" + "<1.0.0" ], - "v": "<2.0.2" + "v": "<1.0.0" }, { - "advisory": "oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808", - "cve": "CVE-2018-1000808", - "id": "pyup.io-37831", + "advisory": "Mtprotoproxy 1.0.6 adds more protections from replay attacks.", + "cve": null, + "id": "pyup.io-37407", "specs": [ - "<2.1.3" + "<1.0.6" ], - "v": "<2.1.3" - }, + "v": "<1.0.6" + } + ], + "muffnn": [ { - "advisory": "In oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-36786", + "advisory": "Muffnn 2.3.1 increases the minimum version of tensorflow to v1.15.2 to fix a security vulnerability.", + "cve": null, + "id": "pyup.io-38154", "specs": [ - "<2.1.3" + "<2.3.1" ], - "v": "<2.1.3" + "v": "<2.3.1" }, { - "advisory": "oci 2.10.0 changes pyOpenSSL pinning to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808", - "cve": 
"CVE-2018-1000808", - "id": "pyup.io-37830", + "advisory": "Muffnn 2.3.2 increases the minimum version of 'tensorflow' to version 1.15.4 to fix the security vulnerability reported in .", + "cve": null, + "id": "pyup.io-39222", "specs": [ - "<2.10.0" + "<2.3.2" ], - "v": "<2.10.0" - }, + "v": "<2.3.2" + } + ], + "murano-dashboard": [ { - "advisory": "Oci 2.24.1 pins cryptography to version 3.2.1 to address a vulnerability. See: .", + "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.", + "cve": "CVE-2016-4972", + "id": "pyup.io-25899", + "specs": [ + ">=2.0,<2.0.1", + "<1.0.3" + ], + "v": ">=2.0,<2.0.1,<1.0.3" + } + ], + "music21": [ + { + "advisory": "Music21 6.1.0 is no longer packaged with external modules; these will be installed when installing music21 via pip (otherwise run `pip install -r requirements.txt`). Speed and security improvements come with this.", "cve": null, - "id": "pyup.io-39212", + "id": "pyup.io-38746", "specs": [ - "<2.24.1" + "<6.1.0" ], - "v": "<2.24.1" + "v": "<6.1.0" } ], - "oci-cli": [ + "mxnet": [ { - "advisory": "Versions of oci-cli prior to 2.4.10 are affected by a security vulnerability. Versions 2.4.11 and later will automatically detect vulnerable installations, and if issues are detected, a warning will be displayed to the user. 
These issues can be remediated automatically by running the ``oci setup repair-file-permissions`` command.", + "advisory": "In mxnet before 1.0.0, mxnet listens on all available interfaces when running training in distributed mode.", "cve": null, - "id": "pyup.io-36148", + "id": "pyup.io-35115", "specs": [ - "<2.4.10" + "<1.0.0" ], - "v": "<2.4.10" - }, + "v": "<1.0.0" + } + ], + "mysql-connector": [ { - "advisory": "In oci-cli 2.4.40, pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-36804", + "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.", + "cve": "CVE-2016-5598", + "id": "pyup.io-25900", "specs": [ - "<2.4.40" + "<2.1.3" ], - "v": "<2.4.40" - }, + "v": "<2.1.3" + } + ], + "mysql-connector-python": [ { - "advisory": "Oci-cli 2.5.9 upgrades Jinja2 to version 2.10.1 to address a vulnerability identified on GitHub as CVE-2019-10906. Jinga isn't used in Oci-cli's run-time system but as part of its documentation build process.", - "cve": "CVE-2019-10906", - "id": "pyup.io-37139", + "advisory": "Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Connector/Python.", + "cve": "CVE-2016-5598", + "id": "pyup.io-25901", "specs": [ - "<2.5.9" + "<2.0.4" ], - "v": "<2.5.9" + "v": "<2.0.4" }, { - "advisory": "Oci-cli 2.6.3 fixes CVE-2017-18342. In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. 
In other words, yaml.safe_load is not used.", - "cve": "CVE-2017-18342", - "id": "pyup.io-37417", + "advisory": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data.", + "cve": "CVE-2019-2435", + "id": "pyup.io-36816", "specs": [ - "<2.6.3" + "<=8.0.13" ], - "v": "<2.6.3" + "v": "<=8.0.13" } ], - "octavia": [ + "naas": [ { - "advisory": "An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. 
This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.", - "cve": "CVE-2019-3895", - "id": "pyup.io-37192", + "advisory": "Naas 1.5.22 includes a security issue fix.", + "cve": null, + "id": "pyup.io-40076", "specs": [ - "<0.9.0" + "<1.5.22" ], - "v": "<0.9.0" - }, - { - "advisory": "Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.", - "cve": "CVE-2019-17134", - "id": "pyup.io-37547", - "specs": [ - ">=0.10.0,<2.1.2", - ">=3.0.0,<3.2.0", - ">=4.0.0,<4.1.0" - ], - "v": ">=0.10.0,<2.1.2,>=3.0.0,<3.2.0,>=4.0.0,<4.1.0" + "v": "<1.5.22" } ], - "oe-geoutils": [ + "nanopb": [ { - "advisory": "Oe-geoutils 1.5.2 solves security vulnerabilities from external packages 101.", + "advisory": "Nanopb 0.2.8 fixes a security issue with PB_ENABLE_MALLOC.", "cve": null, - "id": "pyup.io-37666", + "id": "pyup.io-37705", "specs": [ - "<1.5.2" + "<0.2.8" ], - "v": "<1.5.2" - } - ], - "oic": [ + "v": "<0.2.8" + }, { - "advisory": "In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. \r\n\r\nThe issues are: \r\n1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. \r\n2) JWA `none` algorithm was allowed in all flows. \r\n3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator. \r\n4) iat claim was not checked for sanity (i.e. it could be in the future). 
\r\n\r\nSee CVE-2020-26244.", - "cve": "CVE-2020-26244", - "id": "pyup.io-39221", + "advisory": "Nanopb 0.2.9.1 fixes a security issue due to size_t overflows.", + "cve": null, + "id": "pyup.io-37808", "specs": [ - "<1.2.1" + "<0.2.9.1" ], - "v": "<1.2.1" - } - ], - "onefuzz": [ + "v": "<0.2.9.1" + }, { - "advisory": "Onefuzz 2.5.0 updates multiple third-party Rust libraries. Addresses potential security issue [RUSTSEC-2021-0023].", + "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.", "cve": null, - "id": "pyup.io-39624", + "id": "pyup.io-37704", "specs": [ - "<2.5.0" + "<0.3.1" ], - "v": "<2.5.0" - } - ], - "onegov.form": [ + "v": "<0.3.1" + }, { - "advisory": "onegov.form before 0.16.1 is not escaping HTML labels in the dynamic formbuilder.", + "advisory": "Nanopb 0.2.9.1 and 0.3.1 fix a security issue due to size_t overflows (issue 132).", "cve": null, - "id": "pyup.io-25911", + "id": "pyup.io-37706", "specs": [ - "<0.16.1" + ">=0.3.0,<0.3.1", + ">=0.2.0,<0.2.9.1" ], - "v": "<0.16.1" + "v": ">=0.3.0,<0.3.1,>=0.2.0,<0.2.9.1" } ], - "onelogin-aws-assume-role": [ + "natcap.invest": [ { - "advisory": "For security reasons, onelogin-aws-assume-role 1.3.0 removes the ability to provide the IP using a command line parameter and is instead able to provide the IP address at the onelogin.sdk.json file.", - "cve": null, - "id": "pyup.io-37158", + "advisory": "Natcap.invest 3.8.1 bumps the psutil dependency requirement to psutil>=5.6.6 to address a double-free vulnerability documented in CVE-2019-18874.", + "cve": "CVE-2019-18874", + "id": "pyup.io-38271", "specs": [ - "<1.3.0" + "<3.8.1" ], - "v": "<1.3.0" + "v": "<3.8.1" } ], - "onixcheck": [ + "nba-scraper": [ { - "advisory": "onixcheck 0.8.0 adds secured XML-Parsing via defusedxml.", + "advisory": "Nba-scraper 0.2.7 removes a security flaw where it wasn't verifying SSL certificates during testing.", "cve": null, - "id": "pyup.io-25912", + "id": "pyup.io-37142", "specs": [ - "<0.8.0" + 
"<0.2.7" ], - "v": "<0.8.0" + "v": "<0.2.7" } ], - "online-judge-tools": [ + "nearbeach": [ { - "advisory": "Online-judge-tools 0.1.53 fixes a Regular Expression Injection issue and a Glob Injection issue.", + "advisory": "Nearbeach 0.22.1 fixes several security issues in relation to Bandit, identified by Nearbeach as BUG491, BUG492, BUG493, BUG494, BUG495, BUG496, BUG497, and BUG498.", "cve": null, - "id": "pyup.io-38902", + "id": "pyup.io-37602", "specs": [ - "<0.1.53" + "<0.22.1" ], - "v": "<0.1.53" + "v": "<0.22.1" } ], - "oodt": [ + "neo-python": [ { - "advisory": "oodt before 0.4 is vulnerable to XSS attacks via malformed query strings.", + "advisory": "neo-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", "cve": null, - "id": "pyup.io-25913", + "id": "pyup.io-36441", "specs": [ - "<0.4" + "<0.7.8" ], - "v": "<0.4" + "v": "<0.7.8" } ], - "ooniprobe": [ + "netdumplings": [ { - "advisory": "ooniprobe before 1.0.2 is vulnerable to several undisclosed security issues.", + "advisory": "Netdumplings 0.4.0 updates the websockets dependency to v7 to fix security warnings.", "cve": null, - "id": "pyup.io-25914", + "id": "pyup.io-37208", "specs": [ - "<1.0.2" + "<0.4.0" ], - "v": "<1.0.2" + "v": "<0.4.0" } ], - "openapi-core": [ + "netfoundry": [ { - "advisory": "Openapi-core 0.13.0 includes a fix for CVE-2019-19844. 
It also introduces security validation with an API Key and support for HTTP security types.", - "cve": "CVE-2019-19844", - "id": "pyup.io-37894", + "advisory": "Netfoundry 4.19.0 fixes a rake vulnerability in the `.gemspec` file.", + "cve": null, + "id": "pyup.io-39082", "specs": [ - "<0.13.0" + "<4.19.0" ], - "v": "<0.13.0" + "v": "<4.19.0" } ], - "openapi-python-client": [ + "netius": [ { - "advisory": "In openapi-python-client 0.5.3, all values that get placed into python files (everything from enum names, to endpoint descriptions, to default values) are validated and/or sanitized to address arbitrary code execution vulnerabilities (CVE-2020-15142). Also, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", - "cve": "CVE-2020-15142", - "id": "pyup.io-39581", + "advisory": "netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks. See: CVE-2020-7655.", + "cve": "CVE-2020-7655", + "id": "pyup.io-38316", "specs": [ - "<0.5.3" + "<1.17.58" ], - "v": "<0.5.3" - }, + "v": "<1.17.58" + } + ], + "netviel": [ { - "advisory": "Openapi-python-client 0.5.3 sanitizes all values that become file/directory names to address path traversal vulnerabilities (CVE-2020-15141). Additionally, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", + "advisory": "Netviel 0.2 fixes security vulnerabilities. No details were provided.", "cve": null, - "id": "pyup.io-38685", + "id": "pyup.io-38366", "specs": [ - "<0.5.3" + "<0.2" ], - "v": "<0.5.3" - }, + "v": "<0.2" + } + ], + "neutron": [ { - "advisory": "In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. 
If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. See: CVE-2020-15141.", - "cve": "CVE-2020-15141", - "id": "pyup.io-38690", + "advisory": "An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected. See: CVE-2019-10876.", + "cve": "CVE-2019-10876", + "id": "pyup.io-37022", "specs": [ - "<0.5.3" + ">=11.0,<11.0.7", + ">=12.0,<12.0.6", + ">=13.0,<13.0.3" ], - "v": "<0.5.3" - }, + "v": ">=11.0,<11.0.7,>=12.0,<12.0.6,>=13.0,<13.0.3" + } + ], + "newrelic": [ { - "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. See: CVE-2020-15142.", - "cve": "CVE-2020-15142", - "id": "pyup.io-38691", + "advisory": "New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. 
With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.", + "cve": null, + "id": "pyup.io-35805", "specs": [ - "<0.5.3" + ">=1.1.0.192,<=2.106.0.87" ], - "v": "<0.5.3" + "v": ">=1.1.0.192,<=2.106.0.87" } ], - "openapigenerator": [ + "newsletter": [ { - "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", + "advisory": "newsletter 0.1.17pre in newsletterapp is now more secure by default. Does not setup default users for admin section.", "cve": null, - "id": "pyup.io-37796", + "id": "pyup.io-25902", "specs": [ - "<3.2.1" + "<0.1.17pre" ], - "v": "<3.2.1" - }, + "v": "<0.1.17pre" + } + ], + "nfw": [ { - "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", + "advisory": "nfw before 0.0.7 is vulnerable to SQL-injection attacks.", "cve": null, - "id": "pyup.io-37631", + "id": "pyup.io-32994", "specs": [ - "<3.2.1" + "<0.0.7" ], - "v": "<3.2.1" - }, + "v": "<0.0.7" + } + ], + "ngraph-mxnet": [ { - "advisory": "Openapigenerator 3.2.2 updates vulnerable dependencies (JavaScript, #784).", + "advisory": "ngraph-mxnet 1.0.0 fixed a security bug that is causing MXNet to listen on all available interfaces when running training in distributed mode.", "cve": null, - "id": "pyup.io-37622", + "id": "pyup.io-36701", "specs": [ - "<3.2.2" + "<1.0.0" ], - "v": "<3.2.2" - }, + "v": "<1.0.0" + } + ], + "nifcloud": [ { - "advisory": "Openapigenerator 3.3.2 fixes the Jackson databind security issue (Java, #1259).", + "advisory": "Nifcloud 0.1.7 updates dependencies to fix a vulnerability.", "cve": null, - "id": "pyup.io-37629", + "id": "pyup.io-37098", "specs": [ - "<3.3.2" + "<0.1.7" ], - "v": "<3.3.2" - }, + "v": "<0.1.7" + } + ], + "noiseprotocol": [ { - "advisory": "Openapigenerator 3.3.3 fixes jackson-databind (Java) security issue #1259.", + "advisory": "noiseprotocol before 0.2.1 used an insecure transitive dependency 
(Cryptography<=2.1.3).", "cve": null, - "id": "pyup.io-37797", + "id": "pyup.io-35043", "specs": [ - "<3.3.3" + "<0.2.1" ], - "v": "<3.3.3" - }, + "v": "<0.2.1" + } + ], + "normcap": [ { - "advisory": "Openapigenerator 4.0.0 upgrades GRADLE to 2.14.1 to fix a vulnerability (Android, Java, Scala, #2416).", + "advisory": "Normcap 0.1.1 updates PyInstaller to avoid potential vulnerability.", "cve": null, - "id": "pyup.io-37627", + "id": "pyup.io-37722", "specs": [ - "<4.0.0" + "<0.1.1" ], - "v": "<4.0.0" + "v": "<0.1.1" }, { - "advisory": "Apenapigenerator v4.0.0-beta3 upgrades GRADLE to 2.14.1 to fix a vulnerability (Java, Scala, #2416).", + "advisory": "Normcap 0.1.2 updates the Bleach Package to avoid a potential vulnerability.", "cve": null, - "id": "pyup.io-37630", + "id": "pyup.io-38132", "specs": [ - "<4.0.0b3" + "<0.1.2" ], - "v": "<4.0.0b3" - }, - { - "advisory": "Openapigenerator 4.0.0beta2 fixes a security issue with dependencies (Java, #1820).", + "v": "<0.1.2" + } + ], + "notable": [ + { + "advisory": "notable 0.0.6 fixes a security regression in the new BoltDB backend.", "cve": null, - "id": "pyup.io-37628", + "id": "pyup.io-34447", "specs": [ - "<4.0.0beta2" + "<0.0.6" ], - "v": "<4.0.0beta2" - }, + "v": "<0.0.6" + } + ], + "notebook": [ { - "advisory": "Openapigenerator 4.0.2 bumps up the babel-cli version to fix security alert (Javascript/NodeJS, #3121).", - "cve": null, - "id": "pyup.io-37626", + "advisory": "The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.", + "cve": "CVE-2015-7337", + "id": "pyup.io-25903", "specs": [ - "<4.0.2" + "<4.0.5" ], - "v": "<4.0.2" + "v": "<4.0.5" }, { - "advisory": "Openapigenerator 4.0.3 update JS flow dependencies to fix security issues (JavaScript, #3296).", - "cve": null, - "id": "pyup.io-37625", + "advisory": "Cross-site scripting (XSS) 
vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.", + "cve": "CVE-2015-6938", + "id": "pyup.io-25904", "specs": [ - "<4.0.3" + ">=4.0,<4.0.5" ], - "v": "<4.0.3" - }, + "v": ">=4.0,<4.0.5" + } + ], + "notifications-python-client": [ { - "advisory": "Openapigenerator 4.1.0 updates to address recent lodash Object prototype vulnerability (general, #3348).", + "advisory": "notifications-python-client before 4.7.1 is vulnerable to a not further described security issue in PyJWT.", "cve": null, - "id": "pyup.io-37624", + "id": "pyup.io-35116", "specs": [ - "<4.1.0" + "<4.7.1" ], - "v": "<4.1.0" - }, + "v": "<4.7.1" + } + ], + "nova": [ { - "advisory": "Openapigenerator 4.1.3 fixes the jackson-databind security issue (general, #3945).", - "cve": null, - "id": "pyup.io-37623", + "advisory": "An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py. See: CVE-2015-9543.", + "cve": "CVE-2015-9543", + "id": "pyup.io-37903", "specs": [ - "<4.1.3" + "<18.2.4", + ">=20.0.0.0rc1,<20.1.0", + ">=19.0.0.0rc1,<19.1.0" ], - "v": "<4.1.3" + "v": "<18.2.4,>=20.0.0.0rc1,<20.1.0,>=19.0.0.0rc1,<19.1.0" }, { - "advisory": "Openapigenerator 4.2.1 fixes the Jackson databind security issue (Java, #4370).", - "cve": null, - "id": "pyup.io-37798", + "advisory": "An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. 
By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected. See: CVE-2020-17376.", + "cve": "CVE-2020-17376", + "id": "pyup.io-38722", "specs": [ - "<4.2.1" + "<19.3.1", + ">=20.0.0.0rc1,<20.3.1", + "==21.0.0" ], - "v": "<4.2.1" + "v": "<19.3.1,>=20.0.0.0rc1,<20.3.1,==21.0.0" }, { - "advisory": "Openapigenerator 4.3.0 fixes CVE-2020-8130 [Ruby - #5483].", - "cve": "CVE-2020-8130", - "id": "pyup.io-38120", + "advisory": "OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. See CVE-2011-4076.", + "cve": "CVE-2011-4076", + "id": "pyup.io-37736", "specs": [ - "<4.3.0" + "<2012.1" ], - "v": "<4.3.0" - } - ], - "openslides": [ + "v": "<2012.1" + }, { - "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.", - "cve": null, - "id": "pyup.io-34681", + "advisory": "Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem. See: CVE-2011-3147.", + "cve": "CVE-2011-3147", + "id": "pyup.io-37087", "specs": [ - "<2.1" + "<2012.1" ], - "v": "<2.1" - } - ], - "openstack-keystone": [ + "v": "<2012.1" + }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. 
The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. See: CVE-2020-12692.", - "cve": "CVE-2020-12692", - "id": "pyup.io-38260", + "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.", + "cve": "CVE-2013-1068", + "id": "pyup.io-25905", "specs": [ - "<15.0.1", - "==16.0.0" + "<2013.2.3" ], - "v": "<15.0.1,==16.0.0" + "v": "<2013.2.3" }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12689.", - "cve": "CVE-2020-12689", - "id": "pyup.io-38257", + "advisory": "OpenStack nova base images permissions are world readable. No fixes or affected versions are known. See: CVE-2013-0326.", + "cve": "CVE-2013-0326", + "id": "pyup.io-37745", "specs": [ - "<15.0.1", - "==16.0.0" + ">0" ], - "v": "<15.0.1,==16.0.0" - }, + "v": ">0" + } + ], + "nox-poetry": [ { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. 
Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12691.", - "cve": "CVE-2020-12691", - "id": "pyup.io-38259", + "advisory": "Nox-poetry 0.8.2 updates vulnerable sub-dependencies.", + "cve": null, + "id": "pyup.io-39702", "specs": [ - "<15.0.1", - "==16.0.0" + "<0.8.2" ], - "v": "<15.0.1,==16.0.0" - }, + "v": "<0.8.2" + } + ], + "nrel-rex": [ { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", - "cve": "CVE-2020-12690", - "id": "pyup.io-38258", + "advisory": "Nrel-rex 0.2.16 adds a simple eval equation checker for malicious statements.", + "cve": null, + "id": "pyup.io-38909", "specs": [ - "<15.0.1", - "==16.0.0" + "<0.2.16" ], - "v": "<15.0.1,==16.0.0" - }, + "v": "<0.2.16" + } + ], + "nsupdate": [ { - "advisory": "OpenStack Keystone 15.0.0 and 16.0.0 are affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. 
(There will be a slight performance impact for the list credentials API once this issue is fixed.) See: CVE-2019-19687.", - "cve": "CVE-2019-19687", - "id": "pyup.io-38588", + "advisory": "nsupdate before 0.3.0 is vulnerable to a undisclosed security issue.", + "cve": null, + "id": "pyup.io-25906", "specs": [ - "==15.0.0", - "==16.0.0" + "<0.3.0" ], - "v": "==15.0.0,==16.0.0" + "v": "<0.3.0" }, { - "advisory": "HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. See: CVE-2013-2255.", - "cve": "CVE-2013-2255", - "id": "pyup.io-37620", + "advisory": "nsupdate 0.8.0 fixes a security issue: abuse_blocked flag could be worked around by abuser.", + "cve": null, + "id": "pyup.io-25907", "specs": [ - "==2013" + "<0.8.0" ], - "v": "==2013" + "v": "<0.8.0" }, { - "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. 
See also: CVE-2012-1572 and .", - "cve": "CVE-2012-1572", - "id": "pyup.io-37740", + "advisory": "nsupdate 0.9.1 fixes a security issue with \"related hosts\" / \"service updaters\".", + "cve": null, + "id": "pyup.io-25908", "specs": [ - ">0" + "<0.9.1" ], - "v": ">0" + "v": "<0.9.1" } ], - "opentaxii": [ + "nuitka": [ { - "advisory": "opentaxii 0.1.11 requires recent version of `lxml` for security reasons.", + "advisory": "Nuitka 0.6.12 uses https URLs for downloading dependency walker, for it to be more secure.", "cve": null, - "id": "pyup.io-36897", + "id": "pyup.io-39648", "specs": [ - "<0.1.11" + "<0.6.12" ], - "v": "<0.1.11" + "v": "<0.6.12" } ], - "optimade": [ + "nukikata": [ { - "advisory": "Optimade 0.7.0 includes a fix that addresses a Django vulnerability. See: .", + "advisory": "Nukikata 1.4.0 raises an error if Cookiecutter tries to render a template that contains an undefined variable. Makes generation more robust and secure.", "cve": null, - "id": "pyup.io-38453", + "id": "pyup.io-38418", "specs": [ - "<0.7.0" + "<1.4.0" ], - "v": "<0.7.0" + "v": "<1.4.0" } ], - "orange3-bioinformatics": [ + "numba": [ { - "advisory": "Orange3-bioinformatics 4.2.0 adds the Orange.widgets.credentials.CredentialManager to securely store user password.", + "advisory": "Numba 0.49.0 includes an attempt at fixing frame injection in the dispatcher tracing path.", "cve": null, - "id": "pyup.io-38958", + "id": "pyup.io-38983", "specs": [ - "<4.2.0" + "<0.49.0" ], - "v": "<4.2.0" + "v": "<0.49.0" } ], - "ores": [ + "numpy": [ { - "advisory": "Ores 1.3.1 addresses yaml security issue by bumping dependency version. It also uses JSON as celery serializer for increased security.", - "cve": null, - "id": "pyup.io-37949", + "advisory": "An issue was discovered in NumPy 1.16.0 and earlier. 
It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.", + "cve": "CVE-2019-6446", + "id": "pyup.io-36810", "specs": [ - "<1.3.1" + "<=1.16.0" ], - "v": "<1.3.1" + "v": "<=1.16.0" } ], - "osc": [ + "nvidia-tensorflow": [ { - "advisory": "Osc 0.123 is the first release that performs SSL certificate checks to prevent man-in-the-middle-attacks. Python-m2crypto is needed to make this work. Certificate checks can be turned off per server via 'sslcertck = 0' in .oscrc.", + "advisory": "Nvidia-tensorflow 1.10.0 builds & links in secure gRPC components (switch from the insecure grpc dependency to secure grpc dependency)", "cve": null, - "id": "pyup.io-37874", + "id": "pyup.io-38457", "specs": [ - "<0.123" + "<1.10.0" ], - "v": "<0.123" + "v": "<1.10.0" }, { - "advisory": "Osc 0.134 includes a security fix for the buildlog function. Terminal control characters are limited now.", + "advisory": "Nvidia-tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", "cve": null, - "id": "pyup.io-37873", + "id": "pyup.io-38456", "specs": [ - "<0.134" + "<1.12.2" ], - "v": "<0.134" + "v": "<1.12.2" }, { - "advisory": "Osc 0.151 fixes shell command injection via crafted _service files. 
See: CVE-2015-0778.", - "cve": "CVE-2015-0778", - "id": "pyup.io-38486", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-19880", + "id": "pyup.io-39710", "specs": [ - "<0.151" + "<1.15.3" ], - "v": "<0.151" + "v": "<1.15.3" }, { - "advisory": "Osc 0.165.3 fixes broken TLS certificate handling. See: CVE-2019-3685.", - "cve": "CVE-2019-3685", - "id": "pyup.io-38485", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-19645", + "id": "pyup.io-39711", "specs": [ - "<0.165.3" + "<1.15.3" ], - "v": "<0.165.3" - } - ], - "otpauth": [ + "v": "<1.15.3" + }, { - "advisory": "otpauth before 1.0.1 is vulnerable to timing attacks.", - "cve": null, - "id": "pyup.io-25915", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-19244", + "id": "pyup.io-39712", "specs": [ - "<1.0.1" + "<1.15.3" ], - "v": "<1.0.1" - } - ], - "ovirt-engine-sdk-python": [ + "v": "<1.15.3" + }, { - "advisory": "The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 does 
not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack.", - "cve": "CVE-2012-3533", - "id": "pyup.io-25916", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-15601", + "id": "pyup.io-39713", "specs": [ - "<3.1.0.8" + "<1.15.3" ], - "v": "<3.1.0.8" + "v": "<1.15.3" }, { - "advisory": "ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.", - "cve": "CVE-2014-0161", - "id": "pyup.io-37754", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-13960", + "id": "pyup.io-39714", "specs": [ - "<3.4.0.7", - "==3.5.0.4" + "<1.15.3" ], - "v": "<3.4.0.7,==3.5.0.4" - } - ], - "ovs": [ + "v": "<1.15.3" + }, { - "advisory": "ovs 1.3.0 includes a fix that flow setups are now processed in a round-robin manner across ports to prevent any single client from monopolizing the CPU and conducting a denial of service attack.", - "cve": null, - "id": "pyup.io-25917", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle 
CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-10099", + "id": "pyup.io-39715", "specs": [ - "<1.3.0" + "<1.15.3" ], - "v": "<1.3.0" - } - ], - "owlmixin": [ + "v": "<1.15.3" + }, { - "advisory": "An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A \"Load YAML\" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.", - "cve": "CVE-2017-16618", - "id": "pyup.io-35720", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-20330", + "id": "pyup.io-39716", "specs": [ - "<2.0.0a12" + "<1.15.3" ], - "v": "<2.0.0a12" - } - ], - "pakettikauppa": [ + "v": "<1.15.3" + }, { - "advisory": "pakettikauppa 0.1.2 fixes Pip files and requirement files for fixing security issue in pyyaml module", - "cve": null, - "id": "pyup.io-36779", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": 
"CVE-2018-19664", + "id": "pyup.io-39717", "specs": [ - "<0.1.2" + "<1.15.3" ], - "v": "<0.1.2" - } - ], - "palladium": [ + "v": "<1.15.3" + }, { - "advisory": "Palladium 1.2.2 updates requirements, fixing potential security vulnerabilities in dependencies.", - "cve": null, - "id": "pyup.io-37378", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-17190", + "id": "pyup.io-39718", "specs": [ - "<1.2.2" + "<1.15.3" ], - "v": "<1.2.2" + "v": "<1.15.3" }, { - "advisory": "Palladium 1.2.3 updates its requirements in order to use newer versions of dependencies. This fixes some potential security vulnerabilities.", - "cve": null, - "id": "pyup.io-38263", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-11770", + "id": "pyup.io-38797", "specs": [ - "<1.2.3" + "<1.15.3" ], - "v": "<1.2.3" - } - ], - "pandas-zmq": [ + "v": "<1.15.3" + }, { - "advisory": "Pandas-zmq 0.0.2 adds a signature to improve security.", - "cve": null, - "id": "pyup.io-38627", + "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-16168.", + "cve": "CVE-2019-16168", + "id": "pyup.io-39582", "specs": [ - "<0.0.2" + ">=1.0.0,<1.15.2" ], - "v": "<0.0.2" - } - ], - "pandevice": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "Pandevice 0.11.0 adds `uuid` params for security and NAT 
rules.", - "cve": null, - "id": "pyup.io-37198", + "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39583", "specs": [ - "<0.11.0" + ">=1.0.0,<1.15.2" ], - "v": "<0.11.0" - } - ], - "pando": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "pando before 0.39 is vulnerable to security bugs related to CRLF injection.", - "cve": null, - "id": "pyup.io-25918", + "advisory": "Nvidia-tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-19646.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39584", "specs": [ - "<0.39" + ">=1.0.0,<1.15.2" ], - "v": "<0.39" + "v": ">=1.0.0,<1.15.2" }, { - "advisory": "pando before 0.42 is vulnerable to URL redirection attacks.", - "cve": null, - "id": "pyup.io-25919", + "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39585", "specs": [ - "<0.42" + ">=1.0.0,<1.15.2" ], - "v": "<0.42" - } - ], - "pangres": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "Pangres 2.1 was released with the claim that it became completely SQL injection safe. 
Everything is escaped or parameterized including schema, table and column names.", - "cve": null, - "id": "pyup.io-39284", + "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39586", "specs": [ - "<2.1" + ">=1.0.0,<1.15.2" ], - "v": "<2.1" - } - ], - "panoptes-utils": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "Panoptes-utils 0.2.21 bumps PyYaml to its latest version to suppress a security warning.", - "cve": null, - "id": "pyup.io-38493", + "advisory": "Nvidia-tensorflow 1.15.2\r\n* Fixes a security vulnerability where converting a Python string to a `tf.float16` value produces a segmentation fault (CVE-2020-5215)", + "cve": "CVE-2020-5215", + "id": "pyup.io-38455", "specs": [ - "<0.2.21" + ">=1.0.0,<1.15.2" ], - "v": "<0.2.21" + "v": ">=1.0.0,<1.15.2" } ], - "paradrop": [ + "oauth-pyzure": [ { - "advisory": "Paradrop 0.10.0 supports more WiFi encryption settings, including properly supporting CCMP for better security.", + "advisory": "Oauth-pyzure 0.1.4 is based on OSS vulnerability reports.", "cve": null, - "id": "pyup.io-37491", + "id": "pyup.io-39077", "specs": [ - "<0.10.0" + "<0.1.4" ], - "v": "<0.10.0" - }, + "v": "<0.1.4" + } + ], + "oauth2": [ { - "advisory": "Paradrop 0.13.0 updates dependency versions to address vulnerabilities in old versions of pyOpenSSL, requests, and urllib3.", - "cve": null, - "id": "pyup.io-37490", + "advisory": "The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.", + "cve": "CVE-2013-4346", + "id": "pyup.io-35462", "specs": [ - "<0.13.0" + "<1.9" ], - "v": "<0.13.0" + "v": "<1.9" }, { - "advisory": "Paradrop 0.5 secures the router settings page with a login system.", - "cve": null, - "id": "pyup.io-37492", + "advisory": "The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak 
random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.", + "cve": "CVE-2013-4347", + "id": "pyup.io-35463", "specs": [ - "<0.5" + "<1.9" ], - "v": "<0.5" + "v": "<1.9" } ], - "paramiko-ng": [ + "oauthlib": [ { - "advisory": "Paramiko-ng 1.7.2 fixes the PRNG to be more secure on windows and in cases where fork() is called.", + "advisory": "oauthlib before 0.7.0 is not stripping client provided passwords from OAuth2 logs.", "cve": null, - "id": "pyup.io-37114", + "id": "pyup.io-25909", "specs": [ - "<1.7.2" + "<0.7.0" ], - "v": "<1.7.2" + "v": "<0.7.0" } ], - "passlib": [ + "obasparql": [ { - "advisory": "passlib before 1.4 not disabled unix_fallback's \"wildcard password\" support unless explicitly enabled by user.", - "cve": null, - "id": "pyup.io-25921", + "advisory": "Obasparql 2.0.1 bumps werkzeug to >= 0.15.3 to address CVE-2019-14806.", + "cve": "CVE-2019-14806", + "id": "pyup.io-38322", "specs": [ - "<1.4" + "<2.0.1" ], - "v": "<1.4" + "v": "<2.0.1" } ], - "password-safe-box": [ + "obsplus": [ { - "advisory": "Password-safe-box 0.2 adds Fast Convert (which provides slightly better security than a normal hash).", + "advisory": "Obsplus 0.0.6 switched from MD5 hashing to SHA256 as the latter is more secure and the computational differences were negligible.", "cve": null, - "id": "pyup.io-38703", + "id": "pyup.io-38088", "specs": [ - "<0.2" + "<0.0.6" ], - "v": "<0.2" + "v": "<0.0.6" } ], - "paste": [ + "oci": [ { - "advisory": "paste before 0.9.5 has a security vulnerability in ``paste.urlparser``'s StaticURLParser and PkgResourcesParser where, with some servers, you could escape the document root.", - "cve": null, - "id": "pyup.io-25922", + "advisory": "oci 2.0.2 opened up the dependency pinning on cryptography due to CVE-2018-10903 - OCI does not call the affected method in cryptography, but upgrading is recommended", + "cve": "CVE-2018-10903", + "id": "pyup.io-37415", "specs": [ - "<0.9.5" + 
"<2.0.2" ], - "v": "<0.9.5" + "v": "<2.0.2" }, { - "advisory": "paste 1.1 includes a security fix for ``paste.urlparser.StaticURLParser``. The problem allowed escaping the root (and reading files) when used with ``paste.httpserver`` (this does not effect other servers, and does not apply when proxying requests from Apache to ``paste.httpserver``).", - "cve": null, - "id": "pyup.io-25923", + "advisory": "oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808", + "cve": "CVE-2018-1000808", + "id": "pyup.io-37831", "specs": [ - "<1.1" + "<2.1.3" ], - "v": "<1.1" + "v": "<2.1.3" }, { - "advisory": "paste before 1.7.4 is vulnerable to a XSS attack in paste.urlparser.StaticURLParser.", - "cve": null, - "id": "pyup.io-25924", + "advisory": "In oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808.", + "cve": "CVE-2018-1000808", + "id": "pyup.io-36786", "specs": [ - "<1.7.4" + "<2.1.3" ], - "v": "<1.7.4" + "v": "<2.1.3" }, { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.", - "cve": "CVE-2010-2477", - "id": "pyup.io-35340", + "advisory": "oci 2.10.0 changes pyOpenSSL pinning to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808", + "cve": "CVE-2018-1000808", + "id": "pyup.io-37830", "specs": [ - "<1.7.4" + "<2.10.0" ], - "v": "<1.7.4" - } - ], - "pastescript": [ + "v": "<2.10.0" + }, { - "advisory": "Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, 
which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.", - "cve": "CVE-2012-0878", - "id": "pyup.io-25925", + "advisory": "Oci 2.24.1 pins cryptography to version 3.2.1 to address a vulnerability. See: .", + "cve": null, + "id": "pyup.io-39212", "specs": [ - "<1.7.5" + "<2.24.1" ], - "v": "<1.7.5" + "v": "<2.24.1" } ], - "pathfinder": [ + "oci-cli": [ { - "advisory": "Pathfinder 0.5.4 includes a fix that addresses a security alert regarding the version of jinja2.", + "advisory": "Versions of oci-cli prior to 2.4.10 are affected by a security vulnerability. Versions 2.4.11 and later will automatically detect vulnerable installations, and if issues are detected, a warning will be displayed to the user. These issues can be remediated automatically by running the ``oci setup repair-file-permissions`` command.", "cve": null, - "id": "pyup.io-38220", + "id": "pyup.io-36148", "specs": [ - "<0.5.4" + "<2.4.10" ], - "v": "<0.5.4" - } - ], - "pconf": [ + "v": "<2.4.10" + }, { - "advisory": "pconf before 1.3.3 is vulnerable to arbitrary code execution related to [CVE-2017-18342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342) because of YAML's `load`. \r\nThis upgrades to use YAML `safe_load` instead of `load`.", - "cve": "CVE-2017-18342", - "id": "pyup.io-36293", + "advisory": "In oci-cli 2.4.40, pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.", + "cve": "CVE-2018-1000808", + "id": "pyup.io-36804", "specs": [ - "<1.3.3" + "<2.4.40" ], - "v": "<1.3.3" - } - ], - "pcp": [ + "v": "<2.4.40" + }, { - "advisory": "pcp before 2.1.911 has a not further described vulnerability in pcp.spec.in.", - "cve": null, - "id": "pyup.io-25926", + "advisory": "Oci-cli 2.5.9 upgrades Jinja2 to version 2.10.1 to address a vulnerability identified on GitHub as CVE-2019-10906. 
Jinga isn't used in Oci-cli's run-time system but as part of its documentation build process.", + "cve": "CVE-2019-10906", + "id": "pyup.io-37139", "specs": [ - "<2.1.911" + "<2.5.9" ], - "v": "<2.1.911" - } - ], - "pdfextract": [ + "v": "<2.5.9" + }, { - "advisory": "pdfextract before 0.0.2 is using `eval` on filenames, leading to execution of arbitrary Python code.", - "cve": null, - "id": "pyup.io-25927", + "advisory": "Oci-cli 2.6.3 fixes CVE-2017-18342. In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.", + "cve": "CVE-2017-18342", + "id": "pyup.io-37417", "specs": [ - "<0.0.2" + "<2.6.3" ], - "v": "<0.0.2" + "v": "<2.6.3" } ], - "pdfreader": [ + "octavia": [ { - "advisory": "Pdfreader 0.1.6 updates its dependency on pillow to version >= 7.1.0 to address security issues. No details were provided.", - "cve": null, - "id": "pyup.io-39314", + "advisory": "An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. 
This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.", + "cve": "CVE-2019-3895", + "id": "pyup.io-37192", "specs": [ - "<0.1.6" + "<0.9.0" ], - "v": "<0.1.6" + "v": "<0.9.0" }, { - "advisory": "Pdfreader 0.1.6.dev1 bumps Pillow to version >= 7.1.0 to address security issues.", - "cve": null, - "id": "pyup.io-39118", + "advisory": "Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.", + "cve": "CVE-2019-17134", + "id": "pyup.io-37547", "specs": [ - "<0.1.6.dev1" + ">=0.10.0,<2.1.2", + ">=3.0.0,<3.2.0", + ">=4.0.0,<4.1.0" ], - "v": "<0.1.6.dev1" + "v": ">=0.10.0,<2.1.2,>=3.0.0,<3.2.0,>=4.0.0,<4.1.0" } ], - "pdkit": [ + "oe-geoutils": [ { - "advisory": "Pdkit 1.2.1 includes an unspecified security fix for included libraries.", + "advisory": "Oe-geoutils 1.5.2 solves security vulnerabilities from external packages 101.", "cve": null, - "id": "pyup.io-37793", + "id": "pyup.io-37666", "specs": [ - "<1.2.1" + "<1.5.2" ], - "v": "<1.2.1" + "v": "<1.5.2" } ], - "peewee": [ + "oic": [ { - "advisory": "The main change in this release is the removal of the `AESEncryptedField`,\r\nwhich was included as part of the `playhouse.fields` extension. It was brought\r\nto my attention that there was some serious potential for security\r\nvulnerabilities. 
Rather than give users a false sense of security, I've decided\r\nthe best course of action is to remove the field.", - "cve": null, - "id": "pyup.io-34337", + "advisory": "In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. \r\n\r\nThe issues are: \r\n1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. \r\n2) JWA `none` algorithm was allowed in all flows. \r\n3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator. \r\n4) iat claim was not checked for sanity (i.e. it could be in the future). \r\n\r\nSee CVE-2020-26244.", + "cve": "CVE-2020-26244", + "id": "pyup.io-39221", "specs": [ - "<2.10.0" + "<1.2.1" ], - "v": "<2.10.0" + "v": "<1.2.1" } ], - "peppercorn": [ + "omero-web": [ { - "advisory": "peppercorn before 0.5 is vulnerable to DoS attacks due to the use of an iterative parser rather than a recursive parser.", - "cve": null, - "id": "pyup.io-25928", + "advisory": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0. 
See CVE-2021-21376.", + "cve": "CVE-2021-21376", + "id": "pyup.io-40088", "specs": [ - "<0.5" + "<5.9.0" ], - "v": "<0.5" - } - ], - "persephone": [ + "v": "<5.9.0" + }, { - "advisory": "Persephone 0.4.0 updates the nltk dependency to resolve a possible security issue.", - "cve": null, - "id": "pyup.io-38231", + "advisory": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting. See CVE-2021-21377.", + "cve": "CVE-2021-21377", + "id": "pyup.io-40089", "specs": [ - "<0.4.0" + "<5.9.0" ], - "v": "<0.4.0" + "v": "<5.9.0" } ], - "pex": [ + "onefuzz": [ { - "advisory": "pex before 0.5.6 follows links which may lead to security issues: https://rbcommons.com/s/twitter/r/293/.", + "advisory": "Onefuzz 2.5.0 updates multiple third-party Rust libraries. Addresses potential security issue [RUSTSEC-2021-0023].", "cve": null, - "id": "pyup.io-25929", + "id": "pyup.io-39624", "specs": [ - "<0.5.6" + "<2.5.0" ], - "v": "<0.5.6" + "v": "<2.5.0" }, { - "advisory": "Pex 0.8.0 includes a fix to refactor http handling to allow for alternate http implementations. This adds support for 'requests' , improving both performance and security. For more information, read the commit notes at and .", - "cve": null, - "id": "pyup.io-27426", + "advisory": "Onefuzz 2.7.0 updates multiple Python dependencies to addresses the potential security issue CVE-2020-28493. 
See also.", + "cve": "CVE-2020-28493", + "id": "pyup.io-39676", "specs": [ - "<0.8.0" + "<2.7.0" ], - "v": "<0.8.0" + "v": "<2.7.0" } ], - "phileo": [ + "onegov.form": [ { - "advisory": "phileo before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", + "advisory": "onegov.form before 0.16.1 is not escaping HTML labels in the dynamic formbuilder.", "cve": null, - "id": "pyup.io-25930", + "id": "pyup.io-25911", "specs": [ - "<0.3" + "<0.16.1" ], - "v": "<0.3" + "v": "<0.16.1" } ], - "phoenix-letter": [ + "onelogin-aws-assume-role": [ { - "advisory": "Phoenix-letter 0.2.0 adds the flag '--aws-keys' to securely ask for the AWS credentials to avoid keeping sensitive information accessible in plain text. Without this flag, it falls back to the Boto3 default credential search.", + "advisory": "For security reasons, onelogin-aws-assume-role 1.3.0 removes the ability to provide the IP using a command line parameter and is instead able to provide the IP address at the onelogin.sdk.json file.", "cve": null, - "id": "pyup.io-39438", + "id": "pyup.io-37158", "specs": [ - "<0.2.0" + "<1.3.0" ], - "v": "<0.2.0" + "v": "<1.3.0" } ], - "phonenumbers": [ + "onixcheck": [ { - "advisory": "Phonenumbers 8.3.1 contains a security improvement of the getNationalSignificantNumber function to make it more robust against malicious input.", + "advisory": "onixcheck 0.8.0 adds secured XML-Parsing via defusedxml.", "cve": null, - "id": "pyup.io-39441", + "id": "pyup.io-25912", "specs": [ - "<8.3.1" + "<0.8.0" ], - "v": "<8.3.1" + "v": "<0.8.0" } ], - "pi-mqtt-gpio": [ + "online-judge-tools": [ { - "advisory": "Pi-mqtt-gpio 0.5.2 updates the PyYAML to a version that doesn't suffer from CVE-2020-1747 vulnerability.", - "cve": "CVE-2020-1747", - "id": "pyup.io-39464", + "advisory": "Online-judge-tools 0.1.53 fixes 
a Regular Expression Injection issue and a Glob Injection issue.", + "cve": null, + "id": "pyup.io-38902", "specs": [ - "<0.5.2" + "<0.1.53" ], - "v": "<0.5.2" + "v": "<0.1.53" } ], - "piccolo": [ + "oodt": [ { - "advisory": "Piccolo 0.2 uses 'QueryString' internally to represent queries (instead of raw strings) to harden against SQL injection.", + "advisory": "oodt before 0.4 is vulnerable to XSS attacks via malformed query strings.", "cve": null, - "id": "pyup.io-38919", + "id": "pyup.io-25913", "specs": [ - "<0.2" + "<0.4" ], - "v": "<0.2" - }, + "v": "<0.4" + } + ], + "ooniprobe": [ { - "advisory": "Piccolo 0.9.1 bumps node requirements because of a security warning.", + "advisory": "ooniprobe before 1.0.2 is vulnerable to several undisclosed security issues.", "cve": null, - "id": "pyup.io-38768", + "id": "pyup.io-25914", "specs": [ - "<0.9.1" + "<1.0.2" ], - "v": "<0.9.1" + "v": "<1.0.2" } ], - "piccolo-admin": [ + "openapi-core": [ { - "advisory": "Piccolo-admin 0.9.1 upgrades the node requirements because of a security warning.", - "cve": null, - "id": "pyup.io-38643", + "advisory": "Openapi-core 0.13.0 includes a fix for CVE-2019-19844. It also introduces security validation with an API Key and support for HTTP security types.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37894", "specs": [ - "<0.9.1" + "<0.13.0" ], - "v": "<0.9.1" + "v": "<0.13.0" } ], - "pigar": [ + "openapi-python-client": [ { - "advisory": "pigar 0.9.1 sixes some potential security vulnerabilities", - "cve": null, - "id": "pyup.io-36904", + "advisory": "In openapi-python-client 0.5.3, all values that get placed into python files (everything from enum names, to endpoint descriptions, to default values) are validated and/or sanitized to address arbitrary code execution vulnerabilities (CVE-2020-15142). 
Also, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", + "cve": "CVE-2020-15142", + "id": "pyup.io-39581", "specs": [ - "<0.9.1" + "<0.5.3" ], - "v": "<0.9.1" - } - ], - "pillow": [ + "v": "<0.5.3" + }, { - "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1933).", - "cve": "CVE-2014-1933", - "id": "pyup.io-39580", + "advisory": "Openapi-python-client 0.5.3 sanitizes all values that become file/directory names to address path traversal vulnerabilities (CVE-2020-15141). Additionally, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", + "cve": "CVE-2020-15141", + "id": "pyup.io-38685", "specs": [ - "<2.3.1" + "<0.5.3" ], - "v": "<2.3.1" + "v": "<0.5.3" }, { - "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1932).", - "cve": null, - "id": "pyup.io-25931", + "advisory": "In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. See: CVE-2020-15141.", + "cve": "CVE-2020-15141", + "id": "pyup.io-38690", "specs": [ - "<2.3.1" + "<0.5.3" ], - "v": "<2.3.1" + "v": "<0.5.3" }, { - "advisory": "pillow before 2.3.2 is vulnerable to a DOS in the IcnsImagePlugin.", - "cve": null, - "id": "pyup.io-25932", + "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. 
See: CVE-2020-15142.", + "cve": "CVE-2020-15142", + "id": "pyup.io-38691", "specs": [ - "<2.3.2" + "<0.5.3" ], - "v": "<2.3.2" - }, + "v": "<0.5.3" + } + ], + "openapigenerator": [ { - "advisory": "Pillow 2.5.0 includes a fix that prevents shell injection.", + "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", "cve": null, - "id": "pyup.io-38907", + "id": "pyup.io-37796", "specs": [ - "<2.5.0" + "<3.2.1" ], - "v": "<2.5.0" + "v": "<3.2.1" }, { - "advisory": "pillow before 2.5.2 is vulnerable to a DoS in the IcnsImagePlugin.", + "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", "cve": null, - "id": "pyup.io-25933", + "id": "pyup.io-37631", "specs": [ - "<2.5.2" + "<3.2.1" ], - "v": "<2.5.2" + "v": "<3.2.1" }, { - "advisory": "pillow before 2.5.3 is vulnerable to a DoS in the Jpeg2KImagePlugin.", + "advisory": "Openapigenerator 3.2.2 updates vulnerable dependencies (JavaScript, #784).", "cve": null, - "id": "pyup.io-25934", + "id": "pyup.io-37622", "specs": [ - "<2.5.3" + "<3.2.2" ], - "v": "<2.5.3" + "v": "<3.2.2" }, { - "advisory": "pillow before 2.6.0rc1 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3598", - "id": "pyup.io-25935", + "advisory": "Openapigenerator 3.3.2 fixes the Jackson databind security issue (Java, #1259).", + "cve": null, + "id": "pyup.io-37629", "specs": [ - "<2.6.0rc1" + "<3.3.2" ], - "v": "<2.6.0rc1" + "v": "<3.3.2" }, { - "advisory": "pillow before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", - "cve": "CVE-2014-9601", - "id": "pyup.io-25936", + "advisory": "Openapigenerator 3.3.3 fixes jackson-databind (Java) security issue #1259.", + "cve": null, + "id": "pyup.io-37797", "specs": [ - "<2.6.2" + "<3.3.3" ], - "v": "<2.6.2" + "v": "<3.3.3" }, { - "advisory": "pillow before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", - "cve": 
"CVE-2014-9601", - "id": "pyup.io-25937", + "advisory": "Openapigenerator 4.0.0 upgrades GRADLE to 2.14.1 to fix a vulnerability (Android, Java, Scala, #2416).", + "cve": null, + "id": "pyup.io-37627", "specs": [ - "<2.7.0" + "<4.0.0" ], - "v": "<2.7.0" + "v": "<4.0.0" }, { - "advisory": "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.", - "cve": "CVE-2016-0740", - "id": "pyup.io-33134", + "advisory": "Apenapigenerator v4.0.0-beta3 upgrades GRADLE to 2.14.1 to fix a vulnerability (Java, Scala, #2416).", + "cve": null, + "id": "pyup.io-37630", "specs": [ - "<3.1.1" + "<4.0.0b3" ], - "v": "<3.1.1" + "v": "<4.0.0b3" }, { - "advisory": "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", - "cve": "CVE-2016-0775", - "id": "pyup.io-33135", + "advisory": "Openapigenerator 4.0.0beta2 fixes a security issue with dependencies (Java, #1820).", + "cve": null, + "id": "pyup.io-37628", "specs": [ - "<3.1.1" + "<4.0.0beta2" ], - "v": "<3.1.1" + "v": "<4.0.0beta2" }, { - "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.", - "cve": "CVE-2016-2533", - "id": "pyup.io-33136", + "advisory": "Openapigenerator 4.0.2 bumps up the babel-cli version to fix security alert (Javascript/NodeJS, #3121).", + "cve": null, + "id": "pyup.io-37626", "specs": [ - "<3.1.1" + "<4.0.2" ], - "v": "<3.1.1" + "v": "<4.0.2" }, { - "advisory": "Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer 
overflow.", - "cve": "CVE-2016-4009", - "id": "pyup.io-33137", + "advisory": "Openapigenerator 4.0.3 update JS flow dependencies to fix security issues (JavaScript, #3296).", + "cve": null, + "id": "pyup.io-37625", "specs": [ - "<3.1.1" + "<4.0.3" ], - "v": "<3.1.1" + "v": "<4.0.3" }, { - "advisory": "pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.", - "cve": "CVE-2016-3076", - "id": "pyup.io-25943", + "advisory": "Openapigenerator 4.1.0 updates to address recent lodash Object prototype vulnerability (general, #3348).", + "cve": null, + "id": "pyup.io-37624", "specs": [ - "<3.1.2" + "<4.1.0" ], - "v": "<3.1.2" + "v": "<4.1.0" }, { - "advisory": "Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the \"crafted image file\" approach, related to an \"Insecure Sign Extension\" issue affecting the ImagingNew in Storage.c component.", - "cve": "CVE-2016-9190", - "id": "pyup.io-33138", + "advisory": "Openapigenerator 4.1.3 fixes the jackson-databind security issue (general, #3945).", + "cve": null, + "id": "pyup.io-37623", "specs": [ - "<3.3.2" + "<4.1.3" ], - "v": "<3.3.2" + "v": "<4.1.3" }, { - "advisory": "Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the \"crafted image file\" approach, related to an \"Integer Overflow\" issue affecting the Image.core.map_buffer in map.c component.", - "cve": "CVE-2016-9189", - "id": "pyup.io-33139", + "advisory": "Openapigenerator 4.2.1 fixes the Jackson databind security issue (Java, #4370).", + "cve": null, + "id": "pyup.io-37798", "specs": [ - "<3.3.2" + "<4.2.1" ], - "v": "<3.3.2" + "v": "<4.2.1" }, { - "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. 
See: CVE-2020-5311.", - "cve": "CVE-2020-5311", - "id": "pyup.io-37780", + "advisory": "Openapigenerator 4.3.0 fixes CVE-2020-8130 [Ruby - #5483].", + "cve": "CVE-2020-8130", + "id": "pyup.io-38120", "specs": [ - "<6.2.2" + "<4.3.0" ], - "v": "<6.2.2" - }, + "v": "<4.3.0" + } + ], + "openslides": [ { - "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.", - "cve": "CVE-2020-5310", - "id": "pyup.io-37779", + "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.", + "cve": null, + "id": "pyup.io-34681", "specs": [ - "<6.2.2" + "<2.1" ], - "v": "<6.2.2" - }, + "v": "<2.1" + } + ], + "openstack-keystone": [ { - "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.", - "cve": "CVE-2020-5313", - "id": "pyup.io-37782", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. See: CVE-2020-12692.", + "cve": "CVE-2020-12692", + "id": "pyup.io-38260", "specs": [ - "<6.2.2" + "<15.0.1", + "==16.0.0" ], - "v": "<6.2.2" + "v": "<15.0.1,==16.0.0" }, { - "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. See:CVE-2020-5312.", - "cve": "CVE-2020-5312", - "id": "pyup.io-37781", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. 
See: CVE-2020-12689.", + "cve": "CVE-2020-12689", + "id": "pyup.io-38257", "specs": [ - "<6.2.2" + "<15.0.1", + "==16.0.0" ], - "v": "<6.2.2" + "v": "<15.0.1,==16.0.0" }, { - "advisory": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.", - "cve": "CVE-2020-10378", - "id": "pyup.io-38449", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12691.", + "cve": "CVE-2020-12691", + "id": "pyup.io-38259", "specs": [ - "<6.2.3", - ">=7.0.0,<7.0.1" + "<15.0.1", + "==16.0.0" ], - "v": "<6.2.3,>=7.0.0,<7.0.1" + "v": "<15.0.1,==16.0.0" }, { - "advisory": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.", - "cve": "CVE-2020-10379", - "id": "pyup.io-38450", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. 
See: CVE-2020-12690.", + "cve": "CVE-2020-12690", + "id": "pyup.io-38258", "specs": [ - "<6.2.3", - ">=7.0.0,<7.0.1" + "<15.0.1", + "==16.0.0" ], - "v": "<6.2.3,>=7.0.0,<7.0.1" + "v": "<15.0.1,==16.0.0" }, { - "advisory": "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. See: CVE-2020-10994.", - "cve": "CVE-2020-10994", - "id": "pyup.io-38451", + "advisory": "OpenStack Keystone 15.0.0 and 16.0.0 are affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) See: CVE-2019-19687.", + "cve": "CVE-2019-19687", + "id": "pyup.io-38588", "specs": [ - "<7.0.0" + "==15.0.0", + "==16.0.0" ], - "v": "<7.0.0" + "v": "==15.0.0,==16.0.0" }, { - "advisory": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.", - "cve": "CVE-2020-11538", - "id": "pyup.io-38452", + "advisory": "HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. See: CVE-2013-2255.", + "cve": "CVE-2013-2255", + "id": "pyup.io-37620", "specs": [ - "<=7.0.0" + "==2013" ], - "v": "<=7.0.0" + "v": "==2013" }, { - "advisory": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. 
On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.", - "cve": "CVE-2019-19911", - "id": "pyup.io-37772", + "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. See also: CVE-2012-1572 and .", + "cve": "CVE-2012-1572", + "id": "pyup.io-37740", "specs": [ - ">6.0,<6.2.2" + ">0" ], - "v": ">6.0,<6.2.2" + "v": ">0" } ], - "pillow-simd": [ + "opentaxii": [ { - "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3589", - "id": "pyup.io-39579", + "advisory": "opentaxii 0.1.11 requires recent version of `lxml` for security reasons.", + "cve": null, + "id": "pyup.io-36897", "specs": [ - "<2.3.2" + "<0.1.11" ], - "v": "<2.3.2" - }, + "v": "<0.1.11" + } + ], + "openvino": [ { - "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin.", + "advisory": "Openvino 2020.3.1 includes security and functionality bug fixes, and minor capability changes.", "cve": null, - "id": "pyup.io-25947", + "id": "pyup.io-40082", "specs": [ - "<2.3.2" + "<2020.3.1" ], - "v": "<2.3.2" + "v": "<2020.3.1" }, { - "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3598.", + "advisory": "Openvino 2021.2 includes new OpenVINO Security Add-on, which controls access to model(s) through secure packaging and execution. 
Based on KVM Virtual machines and Docker containers and compatible with the OpenVINO Model Server, this new add-on enables packaging for flexible deployment and controlled model access.", "cve": null, - "id": "pyup.io-25948", + "id": "pyup.io-40081", "specs": [ - "<2.5.2" + "<2021.2" ], - "v": "<2.5.2" - }, + "v": "<2021.2" + } + ], + "optimade": [ { - "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3589", - "id": "pyup.io-39578", + "advisory": "Optimade 0.7.0 includes a fix that addresses a Django vulnerability. See: .", + "cve": null, + "id": "pyup.io-38453", "specs": [ - "<2.5.2" + "<0.7.0" ], - "v": "<2.5.2" - }, + "v": "<0.7.0" + } + ], + "orange3-bioinformatics": [ { - "advisory": "Pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598.", + "advisory": "Orange3-bioinformatics 4.2.0 adds the Orange.widgets.credentials.CredentialManager to securely store user password.", "cve": null, - "id": "pyup.io-25949", + "id": "pyup.io-38958", "specs": [ - "<2.5.3" + "<4.2.0" ], - "v": "<2.5.3" - }, + "v": "<4.2.0" + } + ], + "ores": [ { - "advisory": "pillow-simd before 2.5.3 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3589", - "id": "pyup.io-39577", + "advisory": "Ores 1.3.1 addresses yaml security issue by bumping dependency version. It also uses JSON as celery serializer for increased security.", + "cve": null, + "id": "pyup.io-37949", "specs": [ - "<2.5.3" + "<1.3.1" ], - "v": "<2.5.3" - }, + "v": "<1.3.1" + } + ], + "osc": [ { - "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3589", - "id": "pyup.io-39576", + "advisory": "Osc 0.123 is the first release that performs SSL certificate checks to prevent man-in-the-middle-attacks. Python-m2crypto is needed to make this work. 
Certificate checks can be turned off per server via 'sslcertck = 0' in .oscrc.", + "cve": null, + "id": "pyup.io-37874", "specs": [ - "<2.6.0rc1" + "<0.123" ], - "v": "<2.6.0rc1" + "v": "<0.123" }, { - "advisory": "Pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3598.", + "advisory": "Osc 0.134 includes a security fix for the buildlog function. Terminal control characters are limited now.", "cve": null, - "id": "pyup.io-25950", + "id": "pyup.io-37873", "specs": [ - "<2.6.0rc1" + "<0.134" ], - "v": "<2.6.0rc1" + "v": "<0.134" }, { - "advisory": "pillow-simd before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", - "cve": "CVE-2014-9601", - "id": "pyup.io-25951", + "advisory": "Osc 0.151 fixes shell command injection via crafted _service files. See: CVE-2015-0778.", + "cve": "CVE-2015-0778", + "id": "pyup.io-38486", "specs": [ - "<2.6.2" + "<0.151" ], - "v": "<2.6.2" + "v": "<0.151" }, { - "advisory": "pillow-simd before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", - "cve": "CVE-2014-9601", - "id": "pyup.io-25952", + "advisory": "Osc 0.165.3 fixes broken TLS certificate handling. 
See: CVE-2019-3685.", + "cve": "CVE-2019-3685", + "id": "pyup.io-38485", "specs": [ - "<2.7.0" + "<0.165.3" ], - "v": "<2.7.0" - }, + "v": "<0.165.3" + } + ], + "otpauth": [ { - "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.", + "advisory": "otpauth before 1.0.1 is vulnerable to timing attacks.", "cve": null, - "id": "pyup.io-25953", + "id": "pyup.io-25915", "specs": [ - "<3.1.1" + "<1.0.1" ], - "v": "<3.1.1" + "v": "<1.0.1" + } + ], + "ovirt-engine-sdk-python": [ + { + "advisory": "The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 does not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack.", + "cve": "CVE-2012-3533", + "id": "pyup.io-25916", + "specs": [ + "<3.1.0.8" + ], + "v": "<3.1.0.8" }, { - "advisory": "pillow-simd before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.", - "cve": "CVE-2016-3076", - "id": "pyup.io-25954", + "advisory": "ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. 
This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.", + "cve": "CVE-2014-0161", + "id": "pyup.io-37754", "specs": [ - "<3.1.2" + "<3.4.0.7", + "==3.5.0.4" ], - "v": "<3.1.2" + "v": "<3.4.0.7,==3.5.0.4" } ], - "pim-dm": [ + "ovs": [ { - "advisory": "pim-dm 1.0 includes dissertation work and an unspecified security implementation", + "advisory": "ovs 1.3.0 includes a fix that flow setups are now processed in a round-robin manner across ports to prevent any single client from monopolizing the CPU and conducting a denial of service attack.", "cve": null, - "id": "pyup.io-37857", + "id": "pyup.io-25917", "specs": [ - "<1.0" + "<1.3.0" ], - "v": "<1.0" + "v": "<1.3.0" } ], - "pinax-likes": [ + "owlmixin": [ { - "advisory": "pinax-likes before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", - "cve": null, - "id": "pyup.io-25955", + "advisory": "An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A \"Load YAML\" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. 
An attacker can insert Python into loaded YAML to trigger this vulnerability.", + "cve": "CVE-2017-16618", + "id": "pyup.io-35720", "specs": [ - "<0.3" + "<2.0.0a12" ], - "v": "<0.3" + "v": "<2.0.0a12" } ], - "pip": [ + "pakettikauppa": [ { - "advisory": "pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.", - "cve": "CVE-2013-1629", - "id": "pyup.io-33140", + "advisory": "pakettikauppa 0.1.2 fixes Pip files and requirement files for fixing security issue in pyyaml module", + "cve": null, + "id": "pyup.io-36779", "specs": [ - "<1.3" + "<0.1.2" ], - "v": "<1.3" - }, + "v": "<0.1.2" + } + ], + "palladium": [ { - "advisory": "pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.", - "cve": "CVE-2013-1888", - "id": "pyup.io-33141", + "advisory": "Palladium 1.2.2 updates requirements, fixing potential security vulnerabilities in dependencies.", + "cve": null, + "id": "pyup.io-37378", "specs": [ - "<1.3" + "<1.2.2" ], - "v": "<1.3" + "v": "<1.2.2" }, { - "advisory": "pip 1.4 includes a security patch to pip's ssl support related to certificate DNS wildcard matching.", + "advisory": "Palladium 1.2.3 updates its requirements in order to use newer versions of dependencies. This fixes some potential security vulnerabilities.", "cve": null, - "id": "pyup.io-25959", + "id": "pyup.io-38263", "specs": [ - "<1.4" + "<1.2.3" ], - "v": "<1.4" - }, + "v": "<1.2.3" + } + ], + "pandas-zmq": [ { - "advisory": "The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. 
See CVE-2013-5123.", - "cve": "CVE-2013-5123", - "id": "pyup.io-37752", + "advisory": "Pandas-zmq 0.0.2 adds a signature to improve security.", + "cve": null, + "id": "pyup.io-38627", "specs": [ - "<1.5" + "<0.0.2" ], - "v": "<1.5" - }, + "v": "<0.0.2" + } + ], + "pandevice": [ { - "advisory": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.", - "cve": "CVE-2019-20916", - "id": "pyup.io-38765", + "advisory": "Pandevice 0.11.0 adds `uuid` params for security and NAT rules.", + "cve": null, + "id": "pyup.io-37198", "specs": [ - "<19.2" + "<0.11.0" ], - "v": "<19.2" - }, + "v": "<0.11.0" + } + ], + "pando": [ { - "advisory": "pip before 6.0 is not using a randomized and secure default build directory when possible. (CVE-2014-8991).", - "cve": "CVE-2014-8991", - "id": "pyup.io-25960", + "advisory": "pando before 0.39 is vulnerable to security bugs related to CRLF injection.", + "cve": null, + "id": "pyup.io-25918", "specs": [ - "<6.0" + "<0.39" ], - "v": "<6.0" + "v": "<0.39" }, { - "advisory": "pip before 6.1.0 bundles a request release with a known security vulnerability. See CVE-2015-2296.", - "cve": "CVE-2014-8991", - "id": "pyup.io-25961", + "advisory": "pando before 0.42 is vulnerable to URL redirection attacks.", + "cve": null, + "id": "pyup.io-25919", "specs": [ - "<6.1.0" + "<0.42" ], - "v": "<6.1.0" + "v": "<0.42" } ], - "pipenv": [ + "pangres": [ { - "advisory": "Pipenv 2020.5.28 includes the --key command to include a personal PyUp API token when running `pipenv check`. This version also updates several dependencies to their latest versions for security and bug fixes.", + "advisory": "Pangres 2.1 was released with the claim that it became completely SQL injection safe. 
Everything is escaped or parameterized including schema, table and column names.", "cve": null, - "id": "pyup.io-38334", + "id": "pyup.io-39284", "specs": [ - "<2020.5.28" + "<2.1" ], - "v": "<2020.5.28" + "v": "<2.1" } ], - "pirate-get": [ + "panoptes-utils": [ { - "advisory": "pirate-get before 0.2.8 is not properly validating torrent file names.\r\n\r\n- https://github.com/vikstrous/pirate-get/issues/73", + "advisory": "Panoptes-utils 0.2.21 bumps PyYaml to its latest version to suppress a security warning.", "cve": null, - "id": "pyup.io-34168", + "id": "pyup.io-38493", "specs": [ - "<0.2.8" + "<0.2.21" ], - "v": "<0.2.8" + "v": "<0.2.21" } ], - "pkgcore": [ + "paradrop": [ { - "advisory": "pkgcore 0.4.7.12 includes a security fix; force cwd to something controlled for ebuild env. This blocks an attack detailed in glsa 200810-02; namely that an ebuild invoking python -c (which looks in cwd for modules to load) allows for an attacker to slip something in.", + "advisory": "Paradrop 0.10.0 supports more WiFi encryption settings, including properly supporting CCMP for better security.", "cve": null, - "id": "pyup.io-25962", + "id": "pyup.io-37491", "specs": [ - "<0.4.7.12" + "<0.10.0" ], - "v": "<0.4.7.12" - } - ], - "platformio": [ + "v": "<0.10.0" + }, { - "advisory": "platformio 4.1.0 fixes a security issue when extracting items from TAR archive - see https://github.com/platformio/platformio-core/issues/2995", + "advisory": "Paradrop 0.13.0 updates dependency versions to address vulnerabilities in old versions of pyOpenSSL, requests, and urllib3.", "cve": null, - "id": "pyup.io-37869", + "id": "pyup.io-37490", "specs": [ - "<4.1.0" + "<0.13.0" ], - "v": "<4.1.0" + "v": "<0.13.0" + }, + { + "advisory": "Paradrop 0.5 secures the router settings page with a login system.", + "cve": null, + "id": "pyup.io-37492", + "specs": [ + "<0.5" + ], + "v": "<0.5" } ], - "plomino": [ + "paramiko-ng": [ { - "advisory": "plomino before 1.18 has a major vulnerability in open_url 
(now, targeted sources must be declared safe from an local package).", + "advisory": "Paramiko-ng 1.7.2 fixes the PRNG to be more secure on windows and in cases where fork() is called.", "cve": null, - "id": "pyup.io-25963", + "id": "pyup.io-37114", "specs": [ - "<1.18" + "<1.7.2" ], - "v": "<1.18" - }, + "v": "<1.7.2" + } + ], + "passlib": [ { - "advisory": "plomino 1.5.3 includes a security fix: when a group has PlominoAuthors rights, members of this group are just authors on their own documents.", + "advisory": "passlib before 1.4 not disabled unix_fallback's \"wildcard password\" support unless explicitly enabled by user.", "cve": null, - "id": "pyup.io-25964", + "id": "pyup.io-25921", "specs": [ - "<1.5.3" + "<1.4" ], - "v": "<1.5.3" + "v": "<1.4" } ], - "plone": [ + "password-safe-box": [ { - "advisory": "Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.", - "cve": "CVE-2011-1340", - "id": "pyup.io-25966", + "advisory": "Password-safe-box 0.2 adds Fast Convert (which provides slightly better security than a normal hash).", + "cve": null, + "id": "pyup.io-38703", "specs": [ - "<2.5.3" + "<0.2" ], - "v": "<2.5.3" - }, + "v": "<0.2" + } + ], + "paste": [ { - "advisory": "Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.", - "cve": "CVE-2010-2422", - "id": "pyup.io-25967", + "advisory": "paste before 0.9.5 has a security vulnerability in ``paste.urlparser``'s StaticURLParser and PkgResourcesParser where, with some servers, you could escape the document root.", + "cve": null, + "id": "pyup.io-25922", "specs": [ - "<3.3.4" + "<0.9.5" ], - "v": "<3.3.4" + "v": "<0.9.5" }, { - "advisory": "kupu_spellcheck.py in Kupu in Plone before 4.0 
allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.", - "cve": "CVE-2012-5496", - "id": "pyup.io-33143", + "advisory": "paste 1.1 includes a security fix for ``paste.urlparser.StaticURLParser``. The problem allowed escaping the root (and reading files) when used with ``paste.httpserver`` (this does not effect other servers, and does not apply when proxying requests from Apache to ``paste.httpserver``).", + "cve": null, + "id": "pyup.io-25923", "specs": [ - "<4.0" + "<1.1" ], - "v": "<4.0" + "v": "<1.1" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.", - "cve": "CVE-2011-1948", - "id": "pyup.io-25972", + "advisory": "paste before 1.7.4 is vulnerable to a XSS attack in paste.urlparser.StaticURLParser.", + "cve": null, + "id": "pyup.io-25924", "specs": [ - "<4.1" + "<1.7.4" ], - "v": "<4.1" + "v": "<1.7.4" }, { - "advisory": "Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.", - "cve": "CVE-2011-4462", - "id": "pyup.io-25973", + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.", + "cve": "CVE-2010-2477", + "id": "pyup.io-35340", "specs": [ - "<4.1.3" + "<1.7.4" ], - "v": "<4.1.3" - }, + "v": "<1.7.4" + } + ], + "pastescript": [ { - "advisory": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in 
the wild in June 2011.", - "cve": "CVE-2011-1950", - "id": "pyup.io-25974", + "advisory": "Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.", + "cve": "CVE-2012-0878", + "id": "pyup.io-25925", "specs": [ - "<4.2" + "<1.7.5" ], - "v": "<4.2" - }, + "v": "<1.7.5" + } + ], + "pathfinder": [ { - "advisory": "ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.", - "cve": "CVE-2012-5503", - "id": "pyup.io-25999", + "advisory": "Pathfinder 0.5.4 includes a fix that addresses a security alert regarding the version of jinja2.", + "cve": null, + "id": "pyup.io-38220", "specs": [ - "<4.2.3", - "<4.3b1" + "<0.5.4" ], - "v": "<4.2.3,<4.3b1" - }, + "v": "<0.5.4" + } + ], + "pconf": [ { - "advisory": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.", - "cve": "CVE-2012-5486", - "id": "pyup.io-25996", + "advisory": "pconf before 1.3.3 is vulnerable to arbitrary code execution related to [CVE-2017-18342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342) because of YAML's `load`. \r\nThis upgrades to use YAML `safe_load` instead of `load`.", + "cve": "CVE-2017-18342", + "id": "pyup.io-36293", "specs": [ - "<4.3" + "<1.3.3" ], - "v": "<4.3" - }, + "v": "<1.3.3" + } + ], + "pcp": [ { - "advisory": "The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. 
See CVE-2020-35190.", - "cve": "CVE-2020-35190", - "id": "pyup.io-39305", + "advisory": "pcp before 2.1.911 has a not further described vulnerability in pcp.spec.in.", + "cve": null, + "id": "pyup.io-25926", "specs": [ - "<4.3.18" + "<2.1.911" ], - "v": "<4.3.18" - }, + "v": "<2.1.911" + } + ], + "pdfextract": [ { - "advisory": "Plone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", + "advisory": "pdfextract before 0.0.2 is using `eval` on filenames, leading to execution of arbitrary Python code.", "cve": null, - "id": "pyup.io-38990", + "id": "pyup.io-25927", "specs": [ - "<5.2.2" + "<0.0.2" ], - "v": "<5.2.2" - }, + "v": "<0.0.2" + } + ], + "pdfreader": [ { - "advisory": "Plone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", + "advisory": "Pdfreader 0.1.6 updates its dependency on pillow to version >= 7.1.0 to address security issues. No details were provided.", "cve": null, - "id": "pyup.io-38991", + "id": "pyup.io-39314", "specs": [ - "<5.2.2rc1" + "<0.1.6" ], - "v": "<5.2.2rc1" + "v": "<0.1.6" }, { - "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. See CVE-2020-28734.", - "cve": "CVE-2020-28734", - "id": "pyup.io-39376", + "advisory": "Pdfreader 0.1.6.dev1 bumps Pillow to version >= 7.1.0 to address security issues.", + "cve": null, + "id": "pyup.io-39118", "specs": [ - "<5.2.3" + "<0.1.6.dev1" ], - "v": "<5.2.3" - }, + "v": "<0.1.6.dev1" + } + ], + "pdkit": [ { - "advisory": "Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). 
See CVE-2020-28735.", - "cve": "CVE-2020-28735", - "id": "pyup.io-39377", + "advisory": "Pdkit 1.2.1 includes an unspecified security fix for included libraries.", + "cve": null, + "id": "pyup.io-37793", "specs": [ - "<5.2.3" + "<1.2.1" ], - "v": "<5.2.3" - }, + "v": "<1.2.1" + } + ], + "peewee": [ { - "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). See CVE-2020-28736.", - "cve": "CVE-2020-28736", - "id": "pyup.io-39378", + "advisory": "The main change in this release is the removal of the `AESEncryptedField`,\r\nwhich was included as part of the `playhouse.fields` extension. It was brought\r\nto my attention that there was some serious potential for security\r\nvulnerabilities. Rather than give users a false sense of security, I've decided\r\nthe best course of action is to remove the field.", + "cve": null, + "id": "pyup.io-34337", "specs": [ - "<5.2.3" + "<2.10.0" ], - "v": "<5.2.3" + "v": "<2.10.0" + } + ], + "peppercorn": [ + { + "advisory": "peppercorn before 0.5 is vulnerable to DoS attacks due to the use of an iterative parser rather than a recursive parser.", + "cve": null, + "id": "pyup.io-25928", + "specs": [ + "<0.5" + ], + "v": "<0.5" + } + ], + "persephone": [ + { + "advisory": "Persephone 0.4.0 updates the nltk dependency to resolve a possible security issue.", + "cve": null, + "id": "pyup.io-38231", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], + "pex": [ + { + "advisory": "pex before 0.5.6 follows links which may lead to security issues: https://rbcommons.com/s/twitter/r/293/.", + "cve": null, + "id": "pyup.io-25929", + "specs": [ + "<0.5.6" + ], + "v": "<0.5.6" }, { - "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via 
unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.", - "cve": "CVE-2011-2528", - "id": "pyup.io-25965", + "advisory": "Pex 0.8.0 includes a fix to refactor http handling to allow for alternate http implementations. This adds support for 'requests' , improving both performance and security. For more information, read the commit notes at and .", + "cve": null, + "id": "pyup.io-27426", "specs": [ - "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + "<0.8.0" ], - "v": "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + "v": "<0.8.0" + } + ], + "phileo": [ + { + "advisory": "phileo before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", + "cve": null, + "id": "pyup.io-25930", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "phoenix-letter": [ + { + "advisory": "Phoenix-letter 0.2.0 adds the flag '--aws-keys' to securely ask for the AWS credentials to avoid keeping sensitive information accessible in plain text. 
Without this flag, it falls back to the Boto3 default credential search.", + "cve": null, + "id": "pyup.io-39438", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "phonenumbers": [ + { + "advisory": "Phonenumbers 8.3.1 contains a security improvement of the getNationalSignificantNumber function to make it more robust against malicious input.", + "cve": null, + "id": "pyup.io-39441", + "specs": [ + "<8.3.1" + ], + "v": "<8.3.1" + } + ], + "pi-mqtt-gpio": [ + { + "advisory": "Pi-mqtt-gpio 0.5.2 updates the PyYAML to a version that doesn't suffer from CVE-2020-1747 vulnerability.", + "cve": "CVE-2020-1747", + "id": "pyup.io-39464", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], + "piccolo": [ + { + "advisory": "Piccolo 0.2 uses 'QueryString' internally to represent queries (instead of raw strings) to harden against SQL injection.", + "cve": null, + "id": "pyup.io-38919", + "specs": [ + "<0.2" + ], + "v": "<0.2" }, { - "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", - "cve": "CVE-2011-3587", - "id": "pyup.io-33144", + "advisory": "Piccolo 0.9.1 bumps node requirements because of a security warning.", + "cve": null, + "id": "pyup.io-38768", "specs": [ - ">4,<4.2a2" + "<0.9.1" ], - "v": ">4,<4.2a2" + "v": "<0.9.1" + } + ], + "piccolo-admin": [ + { + "advisory": "Piccolo-admin 0.9.1 upgrades the node requirements because of a security warning.", + "cve": null, + "id": "pyup.io-38643", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + } + ], + "pigar": [ + { + "advisory": "pigar 0.9.1 sixes some potential security vulnerabilities", + "cve": null, + "id": "pyup.io-36904", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + } + ], + "pillow": [ + { + "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1933).", + "cve": 
"CVE-2014-1933", + "id": "pyup.io-39580", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" }, { - "advisory": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.", - "cve": "CVE-2017-5524", - "id": "pyup.io-35733", + "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1932).", + "cve": "CVE-2014-1932", + "id": "pyup.io-25931", "specs": [ - ">4,<=4.3.11", - ">5,<=5.0.6" + "<2.3.1" ], - "v": ">4,<=4.3.11,>5,<=5.0.6" + "v": "<2.3.1" }, { - "advisory": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. 
(The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)", - "cve": "CVE-2017-1000484", - "id": "pyup.io-35704", + "advisory": "pillow before 2.3.2 is vulnerable to a DOS in the IcnsImagePlugin.", + "cve": null, + "id": "pyup.io-25932", "specs": [ - ">4,<=4.3.15", - ">=5.0,<5.1rc1" + "<2.3.2" ], - "v": ">4,<=4.3.15,>=5.0,<5.1rc1" + "v": "<2.3.2" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.", - "cve": "CVE-2011-1949", - "id": "pyup.io-25997", + "advisory": "Pillow 2.5.0 includes a fix that prevents shell injection.", + "cve": null, + "id": "pyup.io-38907", "specs": [ - ">=2.1,<4.2" + "<2.5.0" ], - "v": ">=2.1,<4.2" + "v": "<2.5.0" }, { - "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.", - "cve": "CVE-2011-0720", - "id": "pyup.io-33142", + "advisory": "pillow before 2.5.2 is vulnerable to a DoS in the IcnsImagePlugin.", + "cve": null, + "id": "pyup.io-25933", "specs": [ - ">=2.5,<4.0" + "<2.5.2" ], - "v": ">=2.5,<4.0" + "v": "<2.5.2" }, { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. 
See: CVE-2013-7062.", - "cve": "CVE-2013-7062", - "id": "pyup.io-37753", + "advisory": "pillow before 2.5.3 is vulnerable to a DoS in the Jpeg2KImagePlugin.", + "cve": null, + "id": "pyup.io-25934", "specs": [ - ">=3.3.0,<=3.3.6", - ">=4.0,<=4.0.9", - ">=4.1.0,<=4.1.6", - ">=4.2.0,<=4.2.7", - ">=4.3,<=4.3.2" + "<2.5.3" ], - "v": ">=3.3.0,<=3.3.6,>=4.0,<=4.0.9,>=4.1.0,<=4.1.6,>=4.2.0,<=4.2.7,>=4.3,<=4.3.2" + "v": "<2.5.3" }, { - "advisory": "The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.", - "cve": "CVE-2011-4030", - "id": "pyup.io-33145", + "advisory": "pillow before 2.6.0rc1 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3598", + "id": "pyup.io-25935", "specs": [ - ">=4,<4.2a2" + "<2.6.0rc1" ], - "v": ">=4,<4.2a2" + "v": "<2.6.0rc1" }, { - "advisory": "SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) See: CVE-2020-7939.", - "cve": "CVE-2020-7939", - "id": "pyup.io-37787", + "advisory": "pillow before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", + "cve": "CVE-2014-9601", + "id": "pyup.io-25936", "specs": [ - ">=4.0,<=5.2.1" + "<2.6.2" ], - "v": ">=4.0,<=5.2.1" + "v": "<2.6.2" }, { - "advisory": "An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. 
See: CVE-2020-7936.", - "cve": "CVE-2020-7936", - "id": "pyup.io-37784", + "advisory": "pillow before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", + "cve": "CVE-2014-9601", + "id": "pyup.io-25937", "specs": [ - ">=4.0,<=5.2.1" + "<2.7.0" ], - "v": ">=4.0,<=5.2.1" + "v": "<2.7.0" }, { - "advisory": "Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. See: CVE-2020-7940.", - "cve": "CVE-2020-7940", - "id": "pyup.io-37788", + "advisory": "Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.", + "cve": "CVE-2016-0740", + "id": "pyup.io-33134", "specs": [ - ">=4.3,<=5.2.0" + "<3.1.1" ], - "v": ">=4.3,<=5.2.0" + "v": "<3.1.1" }, { - "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.", - "cve": "CVE-2020-7941", - "id": "pyup.io-36898", + "advisory": "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", + "cve": "CVE-2016-0775", + "id": "pyup.io-33135", "specs": [ - ">=4.3,<=5.2.1" + "<3.1.1" ], - "v": ">=4.3,<=5.2.1" + "v": "<3.1.1" + }, + { + "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.", + "cve": "CVE-2016-2533", + "id": "pyup.io-33136", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + }, + { + "advisory": "Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which 
triggers a heap-based buffer overflow.", + "cve": "CVE-2016-4009", + "id": "pyup.io-33137", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + }, + { + "advisory": "pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.", + "cve": "CVE-2016-3076", + "id": "pyup.io-25943", + "specs": [ + "<3.1.2" + ], + "v": "<3.1.2" + }, + { + "advisory": "Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the \"crafted image file\" approach, related to an \"Insecure Sign Extension\" issue affecting the ImagingNew in Storage.c component.", + "cve": "CVE-2016-9190", + "id": "pyup.io-33138", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + }, + { + "advisory": "Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the \"crafted image file\" approach, related to an \"Integer Overflow\" issue affecting the Image.core.map_buffer in map.c component.", + "cve": "CVE-2016-9189", + "id": "pyup.io-33139", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + }, + { + "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. See: CVE-2020-5311.", + "cve": "CVE-2020-5311", + "id": "pyup.io-37780", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.", + "cve": "CVE-2020-5310", + "id": "pyup.io-37779", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.", + "cve": "CVE-2020-5313", + "id": "pyup.io-37782", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. 
See:CVE-2020-5312.", + "cve": "CVE-2020-5312", + "id": "pyup.io-37781", + "specs": [ + "<6.2.2" + ], + "v": "<6.2.2" + }, + { + "advisory": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.", + "cve": "CVE-2020-10378", + "id": "pyup.io-38449", + "specs": [ + "<6.2.3", + ">=7.0.0,<7.0.1" + ], + "v": "<6.2.3,>=7.0.0,<7.0.1" + }, + { + "advisory": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.", + "cve": "CVE-2020-10379", + "id": "pyup.io-38450", + "specs": [ + "<6.2.3", + ">=7.0.0,<7.0.1" + ], + "v": "<6.2.3,>=7.0.0,<7.0.1" + }, + { + "advisory": "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. See: CVE-2020-10994.", + "cve": "CVE-2020-10994", + "id": "pyup.io-38451", + "specs": [ + "<7.0.0" + ], + "v": "<7.0.0" + }, + { + "advisory": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.", + "cve": "CVE-2020-11538", + "id": "pyup.io-38452", + "specs": [ + "<=7.0.0" + ], + "v": "<=7.0.0" + }, + { + "advisory": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. 
See: CVE-2019-19911.", + "cve": "CVE-2019-19911", + "id": "pyup.io-37772", + "specs": [ + ">6.0,<6.2.2" + ], + "v": ">6.0,<6.2.2" + } + ], + "pillow-simd": [ + { + "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39579", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" + }, + { + "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin.", + "cve": "CVE-2014-3598", + "id": "pyup.io-25947", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" + }, + { + "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", + "id": "pyup.io-25948", + "specs": [ + "<2.5.2" + ], + "v": "<2.5.2" + }, + { + "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39578", + "specs": [ + "<2.5.2" + ], + "v": "<2.5.2" + }, + { + "advisory": "Pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", + "id": "pyup.io-25949", + "specs": [ + "<2.5.3" + ], + "v": "<2.5.3" + }, + { + "advisory": "pillow-simd before 2.5.3 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39577", + "specs": [ + "<2.5.3" + ], + "v": "<2.5.3" + }, + { + "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39576", + "specs": [ + "<2.6.0rc1" + ], + "v": "<2.6.0rc1" + }, + { + "advisory": "Pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", + "id": "pyup.io-25950", + "specs": [ + "<2.6.0rc1" + ], + "v": "<2.6.0rc1" + }, + { + "advisory": "pillow-simd before 2.6.2 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", + "cve": "CVE-2014-9601", + "id": "pyup.io-25951", + "specs": [ + "<2.6.2" + ], + "v": "<2.6.2" + }, + { + "advisory": "pillow-simd 
before 2.7.0 is vulnerable to a PNG decompression DoS (CVE-2014-9601).", + "cve": "CVE-2014-9601", + "id": "pyup.io-25952", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + }, + { + "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.", + "cve": null, + "id": "pyup.io-25953", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + }, + { + "advisory": "pillow-simd before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.", + "cve": "CVE-2016-3076", + "id": "pyup.io-25954", + "specs": [ + "<3.1.2" + ], + "v": "<3.1.2" + } + ], + "pim-dm": [ + { + "advisory": "pim-dm 1.0 includes dissertation work and an unspecified security implementation", + "cve": null, + "id": "pyup.io-37857", + "specs": [ + "<1.0" + ], + "v": "<1.0" + } + ], + "pinax-likes": [ + { + "advisory": "pinax-likes before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. 
liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", + "cve": null, + "id": "pyup.io-25955", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "pip": [ + { + "advisory": "pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a \"pip install\" operation.", + "cve": "CVE-2013-1629", + "id": "pyup.io-33140", + "specs": [ + "<1.3" + ], + "v": "<1.3" + }, + { + "advisory": "pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.", + "cve": "CVE-2013-1888", + "id": "pyup.io-33141", + "specs": [ + "<1.3" + ], + "v": "<1.3" + }, + { + "advisory": "pip 1.4 includes a security patch to pip's ssl support related to certificate DNS wildcard matching.", + "cve": null, + "id": "pyup.io-25959", + "specs": [ + "<1.4" + ], + "v": "<1.4" + }, + { + "advisory": "The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.", + "cve": "CVE-2013-5123", + "id": "pyup.io-37752", + "specs": [ + "<1.5" + ], + "v": "<1.5" + }, + { + "advisory": "The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.", + "cve": "CVE-2019-20916", + "id": "pyup.io-38765", + "specs": [ + "<19.2" + ], + "v": "<19.2" + }, + { + "advisory": "pip before 6.0 is not using a randomized and secure default build directory when possible. 
(CVE-2014-8991).", + "cve": "CVE-2014-8991", + "id": "pyup.io-25960", + "specs": [ + "<6.0" + ], + "v": "<6.0" + }, + { + "advisory": "pip before 6.1.0 bundles a request release with a known security vulnerability. See CVE-2015-2296.", + "cve": "CVE-2014-8991", + "id": "pyup.io-25961", + "specs": [ + "<6.1.0" + ], + "v": "<6.1.0" + } + ], + "pipenv": [ + { + "advisory": "Pipenv 2020.5.28 includes the --key command to include a personal PyUp API token when running `pipenv check`. This version also updates several dependencies to their latest versions for security and bug fixes.", + "cve": null, + "id": "pyup.io-38334", + "specs": [ + "<2020.5.28" + ], + "v": "<2020.5.28" + } + ], + "pirate-get": [ + { + "advisory": "pirate-get before 0.2.8 is not properly validating torrent file names.\r\n\r\n- https://github.com/vikstrous/pirate-get/issues/73", + "cve": null, + "id": "pyup.io-34168", + "specs": [ + "<0.2.8" + ], + "v": "<0.2.8" + } + ], + "pkgcore": [ + { + "advisory": "pkgcore 0.4.7.12 includes a security fix; force cwd to something controlled for ebuild env. 
This blocks an attack detailed in glsa 200810-02; namely that an ebuild invoking python -c (which looks in cwd for modules to load) allows for an attacker to slip something in.", + "cve": null, + "id": "pyup.io-25962", + "specs": [ + "<0.4.7.12" + ], + "v": "<0.4.7.12" + } + ], + "platformio": [ + { + "advisory": "platformio 4.1.0 fixes a security issue when extracting items from TAR archive - see https://github.com/platformio/platformio-core/issues/2995", + "cve": null, + "id": "pyup.io-37869", + "specs": [ + "<4.1.0" + ], + "v": "<4.1.0" + } + ], + "plomino": [ + { + "advisory": "plomino before 1.18 has a major vulnerability in open_url (now, targeted sources must be declared safe from an local package).", + "cve": null, + "id": "pyup.io-25963", + "specs": [ + "<1.18" + ], + "v": "<1.18" + }, + { + "advisory": "plomino 1.5.3 includes a security fix: when a group has PlominoAuthors rights, members of this group are just authors on their own documents.", + "cve": null, + "id": "pyup.io-25964", + "specs": [ + "<1.5.3" + ], + "v": "<1.5.3" + } + ], + "plone": [ + { + "advisory": "Cross-site scripting (XSS) vulnerability in skins/plone_templates/default_error_message.pt in Plone before 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the type_name parameter to Members/ipa/createObject.", + "cve": "CVE-2011-1340", + "id": "pyup.io-25966", + "specs": [ + "<2.5.3" + ], + "v": "<2.5.3" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.", + "cve": "CVE-2010-2422", + "id": "pyup.io-25967", + "specs": [ + "<3.3.4" + ], + "v": "<3.3.4" + }, + { + "advisory": "kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.", + "cve": "CVE-2012-5496", + "id": "pyup.io-33143", + "specs": [ + "<4.0" + ], + 
"v": "<4.0" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.", + "cve": "CVE-2011-1948", + "id": "pyup.io-25972", + "specs": [ + "<4.1" + ], + "v": "<4.1" + }, + { + "advisory": "Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.", + "cve": "CVE-2011-4462", + "id": "pyup.io-25973", + "specs": [ + "<4.1.3" + ], + "v": "<4.1.3" + }, + { + "advisory": "plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.", + "cve": "CVE-2011-1950", + "id": "pyup.io-25974", + "specs": [ + "<4.2" + ], + "v": "<4.2" + }, + { + "advisory": "ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.", + "cve": "CVE-2012-5503", + "id": "pyup.io-25999", + "specs": [ + "<4.2.3", + "<4.3b1" + ], + "v": "<4.2.3,<4.3b1" + }, + { + "advisory": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.", + "cve": "CVE-2012-5486", + "id": "pyup.io-25996", + "specs": [ + "<4.3" + ], + "v": "<4.3" + }, + { + "advisory": "The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. 
See CVE-2020-35190.", + "cve": "CVE-2020-35190", + "id": "pyup.io-39305", + "specs": [ + "<4.3.18" + ], + "v": "<4.3.18" + }, + { + "advisory": "Plone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", + "cve": null, + "id": "pyup.io-38990", + "specs": [ + "<5.2.2" + ], + "v": "<5.2.2" + }, + { + "advisory": "Plone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", + "cve": null, + "id": "pyup.io-38991", + "specs": [ + "<5.2.2rc1" + ], + "v": "<5.2.2rc1" + }, + { + "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. See CVE-2020-28734.", + "cve": "CVE-2020-28734", + "id": "pyup.io-39376", + "specs": [ + "<5.2.3" + ], + "v": "<5.2.3" + }, + { + "advisory": "Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). See CVE-2020-28735.", + "cve": "CVE-2020-28735", + "id": "pyup.io-39377", + "specs": [ + "<5.2.3" + ], + "v": "<5.2.3" + }, + { + "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). 
See CVE-2020-28736.", + "cve": "CVE-2020-28736", + "id": "pyup.io-39378", + "specs": [ + "<5.2.3" + ], + "v": "<5.2.3" + }, + { + "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.", + "cve": "CVE-2011-2528", + "id": "pyup.io-25965", + "specs": [ + "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + ], + "v": "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + }, + { + "advisory": "A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the \"form.widgets.site_title\" parameter. See CVE-2021-29002.", + "cve": "CVE-2021-29002", + "id": "pyup.io-40094", + "specs": [ + "==5.2.3" + ], + "v": "==5.2.3" + }, + { + "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", + "cve": "CVE-2011-3587", + "id": "pyup.io-33144", + "specs": [ + ">4,<4.2a2" + ], + "v": ">4,<4.2a2" + }, + { + "advisory": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.", + "cve": "CVE-2017-5524", + "id": "pyup.io-35733", + "specs": [ + ">4,<=4.3.11", + ">5,<=5.0.6" + ], + "v": ">4,<=4.3.11,>5,<=5.0.6" + }, + { + "advisory": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. 
But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)", + "cve": "CVE-2017-1000484", + "id": "pyup.io-35704", + "specs": [ + ">4,<=4.3.15", + ">=5.0,<5.1rc1" + ], + "v": ">4,<=4.3.15,>=5.0,<5.1rc1" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.", + "cve": "CVE-2011-1949", + "id": "pyup.io-25997", + "specs": [ + ">=2.1,<4.2" + ], + "v": ">=2.1,<4.2" + }, + { + "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.", + "cve": "CVE-2011-0720", + "id": "pyup.io-33142", + "specs": [ + ">=2.5,<4.0" + ], + "v": ">=2.5,<4.0" + }, + { + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. 
See: CVE-2013-7062.", + "cve": "CVE-2013-7062", + "id": "pyup.io-37753", + "specs": [ + ">=3.3.0,<=3.3.6", + ">=4.0,<=4.0.9", + ">=4.1.0,<=4.1.6", + ">=4.2.0,<=4.2.7", + ">=4.3,<=4.3.2" + ], + "v": ">=3.3.0,<=3.3.6,>=4.0,<=4.0.9,>=4.1.0,<=4.1.6,>=4.2.0,<=4.2.7,>=4.3,<=4.3.2" + }, + { + "advisory": "The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.", + "cve": "CVE-2011-4030", + "id": "pyup.io-33145", + "specs": [ + ">=4,<4.2a2" + ], + "v": ">=4,<4.2a2" + }, + { + "advisory": "SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) See: CVE-2020-7939.", + "cve": "CVE-2020-7939", + "id": "pyup.io-37787", + "specs": [ + ">=4.0,<=5.2.1" + ], + "v": ">=4.0,<=5.2.1" + }, + { + "advisory": "An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. See: CVE-2020-7936.", + "cve": "CVE-2020-7936", + "id": "pyup.io-37784", + "specs": [ + ">=4.0,<=5.2.1" + ], + "v": ">=4.0,<=5.2.1" + }, + { + "advisory": "Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. 
See: CVE-2020-7940.", + "cve": "CVE-2020-7940", + "id": "pyup.io-37788", + "specs": [ + ">=4.3,<=5.2.0" + ], + "v": ">=4.3,<=5.2.0" + }, + { + "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.", + "cve": "CVE-2020-7941", + "id": "pyup.io-36898", + "specs": [ + ">=4.3,<=5.2.1" + ], + "v": ">=4.3,<=5.2.1" + }, + { + "advisory": "An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. See: CVE-2020-7937.", + "cve": "CVE-2020-7937", + "id": "pyup.io-37785", + "specs": [ + ">=5.0,<=5.2.1" + ], + "v": ">=5.0,<=5.2.1" + }, + { + "advisory": "plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. See: CVE-2020-7938.", + "cve": "CVE-2020-7938", + "id": "pyup.io-37786", + "specs": [ + ">=5.2.0,<=5.2.1" + ], + "v": ">=5.2.0,<=5.2.1" + } + ], + "plone-app-contentmenu": [ + { + "advisory": "Plone-app-contentmenu 1.1.7 escapes the title of the defaultpage in the DisplayMenu. 
This fixes a potential\r\n xss attack and http://dev.plone.org/plone/ticket/8377.", + "cve": null, + "id": "pyup.io-36047", + "specs": [ + "<1.1.7" + ], + "v": "<1.1.7" + } + ], + "plone-app-contenttypes": [ + { + "advisory": "plone-app-contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", + "cve": null, + "id": "pyup.io-35870", + "specs": [ + "<1.2.15" + ], + "v": "<1.2.15" + } + ], + "plone-app-discussion": [ + { + "advisory": "plone-app-discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", + "cve": null, + "id": "pyup.io-35864", + "specs": [ + "<2.4.14" + ], + "v": "<2.4.14" + } + ], + "plone-app-event": [ + { + "advisory": "plone-app-event 3.0 fixes a possible cross site scripting (XSS) attack in location field.", + "cve": null, + "id": "pyup.io-35923", + "specs": [ + "<3.0" + ], + "v": "<3.0" + } + ], + "plone-app-users": [ + { + "advisory": "Plone-app-users before 1.0.5 does not check for permission when editing other users' profiles. This fixes http://dev.plone.org/plone/ticket/11842 and http://plone.org/products/plone/security/advisories/CVE-2011-1950.", + "cve": "CVE-2011-1950", + "id": "pyup.io-36096", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" + } + ], + "plone-dexterity": [ + { + "advisory": "In plone-dexterity before 2.3.0 Attribute access to schema fields can be protected. 
This\r\n worked for direct schemas, but was not implemented for permissions coming\r\n from behaviors.", + "cve": null, + "id": "pyup.io-35873", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + } + ], + "plone.app.content": [ + { + "advisory": "plone.app.content 3.3.1 includes security hotfix 20160830 for folder factories redirection.", + "cve": null, + "id": "pyup.io-26000", + "specs": [ + "<3.3.1" + ], + "v": "<3.3.1" + }, + { + "advisory": "Plone.app.content 3.8.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", + "cve": null, + "id": "pyup.io-38030", + "specs": [ + "<3.8.1" + ], + "v": "<3.8.1" + } + ], + "plone.app.contentmenu": [ + { + "advisory": "plone.app.contentmenu 1.1.7 fixes a potential xss attack and http://dev.plone.org/plone/ticket/8377.", + "cve": null, + "id": "pyup.io-26001", + "specs": [ + "<1.1.7" + ], + "v": "<1.1.7" + } + ], + "plone.app.contenttypes": [ + { + "advisory": "plone.app.contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", + "cve": null, + "id": "pyup.io-26002", + "specs": [ + "<1.2.15" + ], + "v": "<1.2.15" + }, + { + "advisory": "plone.app.contenttypes 2.1.6 integrates PloneHotFix20200121: add more permission checks - see https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content", + "cve": "CVE-2020-7941", + "id": "pyup.io-37887", + "specs": [ + "<2.1.6" + ], + "v": "<2.1.6" + } + ], + "plone.app.dexterity": [ + { + "advisory": "The modeleditor in plone.app.dexterity 2.6.8 no longer resolves entities, and it removes processing instructions. 
This increases the security.", + "cve": null, + "id": "pyup.io-39143", + "specs": [ + "<2.6.8" + ], + "v": "<2.6.8" + } + ], + "plone.app.discussion": [ + { + "advisory": "plone.app.discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", + "cve": null, + "id": "pyup.io-26003", + "specs": [ + "<2.4.14" + ], + "v": "<2.4.14" + }, + { + "advisory": "plone.app.discussion 2.4.18 includes security hotfix 20160830 for redirects.", + "cve": null, + "id": "pyup.io-26004", + "specs": [ + "<2.4.18" + ], + "v": "<2.4.18" + } + ], + "plone.app.event": [ + { + "advisory": "plone.app.event 3.0 fixes a possible cross site scripting (XSS) attack in location field", + "cve": null, + "id": "pyup.io-26005", + "specs": [ + "<3.0" + ], + "v": "<3.0" + }, + { + "advisory": "Plone.app.event 3.2.10 gives a validation error in the ical importer when a 'file://' URL is used (this could be a line of attack for a hacker).", + "cve": null, + "id": "pyup.io-39140", + "specs": [ + "<3.2.10" + ], + "v": "<3.2.10" + } + ], + "plone.app.layout": [ + { + "advisory": "Plone.app.layout 3.4.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", + "cve": null, + "id": "pyup.io-38031", + "specs": [ + "<3.4.1" + ], + "v": "<3.4.1" + } + ], + "plone.app.linkintegrity": [ + { + "advisory": "plone.app.linkintegrity 1.0.2 fixed security issue due to using pickles (see CVE-2007-5741).", + "cve": "CVE-2014-8991", + "id": "pyup.io-26006", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + } + ], + "plone.app.theming": [ + { + "advisory": "Plone.app.theming 4.1.6 fails when trying file protocol access in diazo rules. It also no longer resolves entities, and removes processing instructions. 
This are security enhancements.", + "cve": null, + "id": "pyup.io-39142", + "specs": [ + "<4.1.6" + ], + "v": "<4.1.6" + } + ], + "plone.dexterity": [ + { + "advisory": "plone.dexterity 2.3.0 fixes a security issue. Attribute access to schema fields can be protected. This worked for direct schemas, but was not implemented for permissions coming from behaviors.", + "cve": null, + "id": "pyup.io-26007", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + } + ], + "plone.formwidget.contenttree": [ + { + "advisory": "plone.formwidget.contenttree 1.0a3 fixes an issues with the security validator to work properly on add views and other views using namespace traversal.", + "cve": null, + "id": "pyup.io-26008", + "specs": [ + "<1.0a3" + ], + "v": "<1.0a3" + } + ], + "plone.memoize": [ + { + "advisory": "Plone.memoize 1.0.3 no longeruses hash when making cache keys. This is to avoid cache collisions, and to avoid a potential security problem where an attacker could manually craft collisions. Also, the use of hash() is no longer recommending in tests.", + "cve": null, + "id": "pyup.io-37107", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" + } + ], + "plone.mockup": [ + { + "advisory": "plone.mockup before 2.1.3 is vulnerable to a XSS attack in structure and relateditem pattern.", + "cve": null, + "id": "pyup.io-26009", + "specs": [ + "<2.1.3" + ], + "v": "<2.1.3" + } + ], + "plone.openid": [ + { + "advisory": "plone.openid before 2.0.2 is not using the system number generator, even if it is available.", + "cve": null, + "id": "pyup.io-26010", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + } + ], + "plone.recipe.varnish": [ + { + "advisory": "Plone.recipe.varnish 6.0.0b1 updates to Varnish 6.0.6 LTS security release.", + "cve": null, + "id": "pyup.io-37942", + "specs": [ + "<6.0.0b1" + ], + "v": "<6.0.0b1" + } + ], + "plone.session": [ + { + "advisory": "Plone.session 3.6.2 hardens the default timeout of session. 
This solves Plone security internal issue 126 (severity low, non-critical). Also, the session timeout is now the same as in mod_auth_tkt: 2h. This follows the recommendation of the German BSI (federal office for security in the information technology) - see . For existing sites this can be adjusted at . The Plone Security Team follows the BSI and recommends administrators to change the setting in their existing Plone sites.", + "cve": null, + "id": "pyup.io-38207", + "specs": [ + "<3.6.2" + ], + "v": "<3.6.2" + } + ], + "plone.supermodel": [ + { + "advisory": "Plone.supermodel 1.6.3 no longer resolves entities in the xml parser. It also removes processing instructions. These are both security enhancements.", + "cve": null, + "id": "pyup.io-39141", + "specs": [ + "<1.6.3" + ], + "v": "<1.6.3" + } + ], + "plone.z3cform": [ + { + "advisory": "Plone.z3cform 0.5.9 fixes a security problem with the ++widget++ namespace [optilude].", + "cve": null, + "id": "pyup.io-37035", + "specs": [ + "<0.5.9" + ], + "v": "<0.5.9" + } + ], + "plotly": [ + { + "advisory": "Plotly 1.15.0 improves a potential XSS input in `text` fields.", + "cve": null, + "id": "pyup.io-37053", + "specs": [ + "<1.15.0" + ], + "v": "<1.15.0" + }, + { + "advisory": "Plotly 1.22.0 fixes an XSS vulnerability in a trace name on hover.", + "cve": null, + "id": "pyup.io-37052", + "specs": [ + "<1.22.0" + ], + "v": "<1.22.0" + }, + { + "advisory": "Plotly 1.5.1 updates insecure dev dependencies `ecstatic` and `uglify-js`.", + "cve": null, + "id": "pyup.io-38545", + "specs": [ + "<1.5.1" + ], + "v": "<1.5.1" + }, + { + "advisory": "Plotly 1.54.4 bumps `ecstatic`, `gl-selet-static`, `gl-plot2d` & `gl-plot3d` and drops `cwise` to simplify build process & address security warnings [4929, 4930, 4934].", + "cve": null, + "id": "pyup.io-38454", + "specs": [ + "<1.54.4" + ], + "v": "<1.54.4" + } + ], + "plugwise": [ + { + "advisory": "Plugwise 0.8.2 improves the security by switching from lxml to defusedxml.", + "cve": 
null, + "id": "pyup.io-39026", + "specs": [ + "<0.8.2" + ], + "v": "<0.8.2" + } + ], + "plumi.app": [ + { + "advisory": "plumi.app 4.2 includes a security hotfix related to LinguaPlone & plone.app.discussion.", + "cve": null, + "id": "pyup.io-26011", + "specs": [ + "<4.2" + ], + "v": "<4.2" + }, + { + "advisory": "plumi.app before 4.2.1 uses a insecure transitive dependency (plone<4.0.7).", + "cve": null, + "id": "pyup.io-26012", + "specs": [ + "<4.2.1" + ], + "v": "<4.2.1" + }, + { + "advisory": "plumi.app 4.2.2 patches a serious security vulnerability/", + "cve": null, + "id": "pyup.io-26013", + "specs": [ + "<4.2.2" + ], + "v": "<4.2.2" + } + ], + "plusminus": [ + { + "advisory": "Plusminus 0.3.0 has been hardened against some possible attacks, using deep expression nesting or formula references.", + "cve": null, + "id": "pyup.io-38323", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "pmr2.oauth": [ + { + "advisory": "pmr2.oauth before 0.4.2 is vulnerable to CSRF attacks.", + "cve": null, + "id": "pyup.io-26014", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], + "podder-task-base": [ + { + "advisory": "podder-task-base 0.4.0 changes: Update version of SQLAlchemy, Jinja for security reason", + "cve": null, + "id": "pyup.io-37260", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], + "pokedex.py": [ + { + "advisory": "pokedex.py 1.1.2 updates `requests` package to `>=2.20.0,<3.0.0` to fix information exposure vulnerability", + "cve": null, + "id": "pyup.io-36593", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "polemarch": [ + { + "advisory": "polemarch 1.2.1 change: Update `bootstrap` and `moment.js` for security reasons.", + "cve": null, + "id": "pyup.io-37229", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + } + ], + "polyaxon": [ + { + "advisory": "Polyaxon 0.4.1 updates dependencies exposing security vulnerabilities.", + "cve": null, + "id": "pyup.io-38029", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + }, + { + "advisory": 
"Polyaxon 0.4.3 update some packages that have some security and deprecation problems.", + "cve": null, + "id": "pyup.io-38028", + "specs": [ + "<0.4.3" + ], + "v": "<0.4.3" + }, + { + "advisory": "Polyaxon 0.5.1 updates lodash: vulnerability issue.", + "cve": null, + "id": "pyup.io-38025", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + }, + { + "advisory": "Polyaxon 0.5.5 updates dependencies with security release.", + "cve": null, + "id": "pyup.io-38023", + "specs": [ + "<0.5.5" + ], + "v": "<0.5.5" + }, + { + "advisory": "Polyaxon 0.6.0 fixes some unspecified security issues.", + "cve": null, + "id": "pyup.io-38022", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" + } + ], + "poorwsgi": [ + { + "advisory": "poorwsgi 1.0.2 includes several security related enhancements related to secret key generation.", + "cve": null, + "id": "pyup.io-26015", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + } + ], + "pootle": [ + { + "advisory": "pootle before 2.8.0rc5 is vulnerable to several undisclosed security vulnerabilites.", + "cve": null, + "id": "pyup.io-34211", + "specs": [ + "<2.8.0rc5" + ], + "v": "<2.8.0rc5" + }, + { + "advisory": "pootle before 2.8.0rc6 has multiple, undisclosed, security vulnerabilites that were found during an audit.", + "cve": null, + "id": "pyup.io-34790", + "specs": [ + "<2.8.0rc6" + ], + "v": "<2.8.0rc6" + }, + { + "advisory": "pootle before 2.7.3 is vulnerable to XSS attacks, so everybody with Pootle 2.7.x needs to upgrade.", + "cve": null, + "id": "pyup.io-34201", + "specs": [ + ">=2.6,<2.7.3" + ], + "v": ">=2.6,<2.7.3" + } + ], + "postfix-mta-sts-resolver": [ + { + "advisory": "Postfix-mta-sts-resolver 0.6.1 hardens the container security.", + "cve": null, + "id": "pyup.io-37461", + "specs": [ + "<0.6.1" + ], + "v": "<0.6.1" + } + ], + "prefect": [ + { + "advisory": "Prefect 0.12.6 removes password from Postgres tasks' initialization methods for security.", + "cve": null, + "id": "pyup.io-38663", + "specs": [ + "<0.12.6" + ], + "v": "<0.12.6" + 
}, + { + "advisory": "Prefect 0.5.1 bumps `distributed` to 1.26.1 for enhanced security features - [878].", + "cve": null, + "id": "pyup.io-37020", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + } + ], + "pretaweb.healthcheck": [ + { + "advisory": "pretaweb.healthcheck before 1.0 is vulnerable to DoS attacks.", + "cve": null, + "id": "pyup.io-26016", + "specs": [ + "<1.0" + ], + "v": "<1.0" + } + ], + "priority": [ + { + "advisory": "priority before 1.2.0 is vulnerable to a denial of service attack whereby a remote peer can cause a user to insert an unbounded number of streams into the priority tree, eventually consuming all available memory.", + "cve": null, + "id": "pyup.io-26017", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], + "prisma-cloud-pipeline": [ + { + "advisory": "Prisma-cloud-pipeline 0.1.3 updates pyyaml because it has a vulnerability.", + "cve": null, + "id": "pyup.io-39686", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], + "privacyidea": [ + { + "advisory": "Privacyidea 3.4.1 uses a secure way to compare strings to avoid theoretical side channel attacks.", + "cve": null, + "id": "pyup.io-39341", + "specs": [ + "<3.4.1" + ], + "v": "<3.4.1" + } + ], + "products-cmfcore": [ + { + "advisory": "Products-cmfcore 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.", + "cve": "CVE-2007-0240", + "id": "pyup.io-36125", + "specs": [ + "<2.1.0beta2" + ], + "v": "<2.1.0beta2" + } + ], + "products-ploneformgen": [ + { + "advisory": "products-ploneformgen before 1.8.1 has a XSS vulnerability that could be exploited by users with the ability\r\n to create forms.", + "cve": null, + "id": "pyup.io-35878", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + } + ], + "products-zopetree": [ + { + "advisory": "Products-zopetree 1.3 fixes a security hole in the tree state decompressing mechanism. 
Previous versions were vulnerable to a denial of service attack using large tree states.", + "cve": null, + "id": "pyup.io-37726", + "specs": [ + "<1.3" + ], + "v": "<1.3" + } + ], + "products.cmfcontentpanels": [ + { + "advisory": "products.cmfcontentpanels before 1.4.1 has two not disclosed security issues.", + "cve": null, + "id": "pyup.io-26020", + "specs": [ + "<1.4.1" + ], + "v": "<1.4.1" + } + ], + "products.cmfcore": [ + { + "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. See: CVE-2007-0240.", + "cve": "CVE-2007-0240", + "id": "pyup.io-35820", + "specs": [ + "<2.1.0beta2" + ], + "v": "<2.1.0beta2" + }, + { + "advisory": "Products.cmfcore 2.3.0beta tightens the security for anonymous test user.", + "cve": null, + "id": "pyup.io-35818", + "specs": [ + "<2.3.0beta" + ], + "v": "<2.3.0beta" + } + ], + "products.cmfplone": [ + { + "advisory": "In Products.CMFPlone before 5.1b1, it's possible to access private content via str.format in through-the-web templates and scripts.", + "cve": null, + "id": "pyup.io-32997", + "specs": [ + "<5.1b1" + ], + "v": "<5.1b1" + }, + { + "advisory": "Products.cmfplone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", + "cve": null, + "id": "pyup.io-38701", + "specs": [ + "<5.2.2" + ], + "v": "<5.2.2" + }, + { + "advisory": "Products.cmfplone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", + "cve": null, + "id": "pyup.io-39021", + "specs": [ + "<5.2.2rc1" + ], + "v": "<5.2.2rc1" + } + ], + "products.cmfquickinstallertool": [ + { + "advisory": "products.cmfquickinstallertool before 3.0.14 is vulnerable to several cross site scripting (XSS) attacks.", + "cve": null, + "id": "pyup.io-26021", + "specs": [ + "<3.0.14" + ], + "v": "<3.0.14" + } + ], + "products.cmfuid": [ + { + "advisory": "Products.cmfuid before 2.1.0beta2 has 
a vulnerability because it includes the Zope dependency version <2.10.2, which has an injection vulnerability. See: CVE-2007-0240.", + "cve": "CVE-2007-0240", + "id": "pyup.io-36300", + "specs": [ + "<2.1.0beta2" + ], + "v": "<2.1.0beta2" + } + ], + "products.dcworkflow": [ + { + "advisory": "Products.dcworkflow 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.", + "cve": "CVE-2007-0240", + "id": "pyup.io-38035", + "specs": [ + "<2.1.0beta2" + ], + "v": "<2.1.0beta2" + } + ], + "products.genericsetup": [ + { + "advisory": "Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `\"Products.GenericSetup>=2.1.1\"`. 
See CVE-2021-21360.", + "cve": "CVE-2021-21360", + "id": "pyup.io-39685", + "specs": [ + "<2.1.1" + ], + "v": "<2.1.1" + } + ], + "products.ldapuserfolder": [ + { + "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", + "cve": null, + "id": "pyup.io-33148", + "specs": [ + "<2.19" + ], + "v": "<2.19" + }, + { + "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", + "cve": "CVE-2010-2944", + "id": "pyup.io-26023", + "specs": [ + "==2.9" + ], + "v": "==2.9" + } + ], + "products.ploneformgen": [ + { + "advisory": "products.ploneformgen before 1.8.1 is vulnerable to a XSS attack that could be exploited by users with the ability to create forms.", + "cve": null, + "id": "pyup.io-26024", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + } + ], + "products.plonepas": [ + { + "advisory": "The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.", + "cve": "CVE-2009-0662", + "id": "pyup.io-33149", + "specs": [ + ">3.2.2,<3.9" + ], + "v": ">3.2.2,<3.9" + } + ], + "products.pluggableauthservice": [ + { + "advisory": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. 
Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\". See CVE-2021-21337.", + "cve": "CVE-2021-21337", + "id": "pyup.io-39682", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + }, + { + "advisory": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install \"Products.PluggableAuthService>=2.6.0\"`. See CVE-2021-21336.", + "cve": "CVE-2021-21336", + "id": "pyup.io-39681", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + }, + { + "advisory": "Products.PluggableAuthService 2.6.2 improves the security on several login string transformation methods.", + "cve": null, + "id": "pyup.io-39695", + "specs": [ + "<2.6.2" + ], + "v": "<2.6.2" + } + ], + "products.poi": [ + { + "advisory": "products.poi before 2.2.3 allows anonymous users to see issues inside private folders.", + "cve": null, + "id": "pyup.io-26027", + "specs": [ + "<2.2.3" + ], + "v": "<2.2.3" + } + ], + "projen": [ + { + "advisory": "Projen 0.3.10 inlcudes a fix for a security issue with standard-version 8.0.0.", + "cve": null, + "id": "pyup.io-39417", + "specs": [ + "<0.3.10" + ], + "v": "<0.3.10" + }, + { + "advisory": "Projen 0.7.0 addresses a security issue with standard-version 8.0.0.", + "cve": null, + "id": "pyup.io-39416", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + }, + { + "advisory": "Projen 0.8.0 addresses a security issue with standard-version 8.0.0.", + 
"cve": null, + "id": "pyup.io-39415", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + }, + { + "advisory": "Projen 0.9.0 addresses a security issue with standard-version 8.0.0.", + "cve": null, + "id": "pyup.io-39414", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "psd-tools": [ + { + "advisory": "Psd-tools 1.8.31 updates `pillow` dependency to >= 6.2.0 for security reasons.", + "cve": null, + "id": "pyup.io-38525", + "specs": [ + "<1.8.31" + ], + "v": "<1.8.31" + }, + { + "advisory": "Psd-tools 1.9.4 fixes a security issue related to compression in 1.8.37 - 1.9.3.", + "cve": null, + "id": "pyup.io-37654", + "specs": [ + ">=1.8.37,<=1.9.3" + ], + "v": ">=1.8.37,<=1.9.3" + } + ], + "psutil": [ + { + "advisory": "psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. See CVE-2019-18874.", + "cve": "CVE-2019-18874", + "id": "pyup.io-37765", + "specs": [ + "<=5.6.5" + ], + "v": "<=5.6.5" + } + ], + "ptah": [ + { + "advisory": "ptah before 0.3.3 is vulnerable to a undisclosed attack.", + "cve": null, + "id": "pyup.io-26028", + "specs": [ + "<0.3.3" + ], + "v": "<0.3.3" + } + ], + "puccini": [ + { + "advisory": "Puccini 0.3 improves file output security.", + "cve": null, + "id": "pyup.io-40026", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "pulumi-kubernetes": [ + { + "advisory": "Pulumi-kubernetes 2.6.0 upgrades its version of pyyaml to fix a security vulnerability. See: CVE-2019-20477.", + "cve": "CVE-2019-20477", + "id": "pyup.io-38772", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + } + ], + "puput": [ + { + "advisory": "Puput 1.0.4 update the Django version to greater than 2.1.6 to fix security issues.", + "cve": null, + "id": "pyup.io-37153", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "pupyl": [ + { + "advisory": "Pupyl 0.10.4 includes a security update regarding its dependencies. 
No details are provided.", + "cve": null, + "id": "pyup.io-39208", + "specs": [ + "<0.10.4" + ], + "v": "<0.10.4" + }, + { + "advisory": "Pupyl 0.10.5 updated its dependencies version for security reasons.", + "cve": null, + "id": "pyup.io-39392", + "specs": [ + "<0.10.5" + ], + "v": "<0.10.5" + }, + { + "advisory": "Pupyl before 0.10.6 includes Tensorflow 2.3.1 which has security issues (see issue 73) and should therefore be upgraded to 2.4.0. However, the last version of Tensorflow has issues on its compilation (see Tensorflow issue 45744), and hence must be downgraded to ensure that the library still works.", + "cve": null, + "id": "pyup.io-39400", + "specs": [ + "<0.10.6" + ], + "v": "<0.10.6" + } + ], + "pure": [ + { + "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. secure against bad git branch names)", + "cve": null, + "id": "pyup.io-36940", + "specs": [ + "<1.5.2" + ], + "v": "<1.5.2" + } + ], + "pushradar": [ + { + "advisory": "Pushradar 3.0.0alpha.2 includes a patch to make the channel authentication more secure.", + "cve": null, + "id": "pyup.io-39630", + "specs": [ + "<3.0.0alpha.2", + "<3.0.0a2" + ], + "v": "<3.0.0alpha.2,<3.0.0a2" + } + ], + "pwd": [ + { + "advisory": "pwd is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", + "cve": null, + "id": "pyup.io-34983", + "specs": [ + ">0", + "<0" + ], + "v": ">0,<0" + } + ], + "pwman3": [ + { + "advisory": "pwman3 before 0.4.0 uses cPickle.loads and cPickle.dumps.", + "cve": null, + "id": "pyup.io-26029", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], + "pwntools": [ + { + "advisory": "The shellcraft generator in pwntools before 4.3.1 is vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. 
See CVE-2020-28468.", + "cve": "CVE-2020-28468", + "id": "pyup.io-39426", + "specs": [ + "<4.3.1" + ], + "v": "<4.3.1" + }, + { + "advisory": "Pwntools 4.3.1 fixes a shellcraft SSTI vulnerability.", + "cve": null, + "id": "pyup.io-39204", + "specs": [ + "<4.3.1" + ], + "v": "<4.3.1" + } + ], + "py": [ + { + "advisory": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. See CVE-2020-29651.", + "cve": "CVE-2020-29651", + "id": "pyup.io-39253", + "specs": [ + "<=1.9.0" + ], + "v": "<=1.9.0" + } + ], + "py-bcrypt": [ + { + "advisory": "The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. See: CVE-2013-1895.", + "cve": "CVE-2013-1895", + "id": "pyup.io-37747", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "py-ci": [ + { + "advisory": "Py-ci 0.5.2 upgrades versions of requests and jinja2 due to security alerts. See: .", + "cve": null, + "id": "pyup.io-37333", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], + "py-crypto-hd-wallet": [ + { + "advisory": "Py-crypto-hd-wallet 0.2.0 removes the possibility to load a wallet from file. This did not make a lot of sense because saving a wallet to file in JSON format is only meant for a quick and temporary storing of keys, not as a definitive and secure way to store it. For storing a wallet for future loading, it'd make more sense to just store the mnemonic, seed or extended key (depending how the wallet was generated) instead of the complete key chain by adding some security (e.g. crypting the file). 
This can be done by the user directly, in the way he prefers, with the APIs that are present now.", + "cve": null, + "id": "pyup.io-38175", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "py-espeak-ng": [ + { + "advisory": "py-espeak-ng 1.49.0 fixes many logic and security issues reported by clang scan-build, Coverity and msvc /analyze.", + "cve": null, + "id": "pyup.io-36322", + "specs": [ + "<1.49.0" + ], + "v": "<1.49.0" + } + ], + "py-gfm": [ + { + "advisory": "Py-gfm version 0.28.3.gfm.12 includes various security and bug fixes.", + "cve": null, + "id": "pyup.io-38621", + "specs": [ + "<0.28.3.gfm.12" + ], + "v": "<0.28.3.gfm.12" + } + ], + "py-hiverunner": [ + { + "advisory": "Py-hiverunner 5.0.0 updates the default supported Hive version to 2.3.4 because version 2.3.3 has a vulnerability. See: CVE-2018-1314.", + "cve": "CVE-2018-1314", + "id": "pyup.io-38559", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" + } + ], + "py-mon": [ + { + "advisory": "Py-mon 1.18.7 upgrades pstree to remove a vulnerability. See: .", + "cve": null, + "id": "pyup.io-39345", + "specs": [ + "<1.18.7" + ], + "v": "<1.18.7" + } + ], + "py-ms": [ + { + "advisory": "py-ms 1.0.1 replaces Jaeger with Lightstep - improved security.", + "cve": null, + "id": "pyup.io-36875", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], + "py-nightscout": [ + { + "advisory": "Py-nightscout 0.10.2 updates Node to 8.9.1, with security fixes.", + "cve": null, + "id": "pyup.io-38662", + "specs": [ + "<0.10.2" + ], + "v": "<0.10.2" + }, + { + "advisory": "Py-nightscout 0.10.3 includes many upgrades to dependencies, including several security fixes.", + "cve": null, + "id": "pyup.io-38661", + "specs": [ + "<0.10.3" + ], + "v": "<0.10.3" + }, + { + "advisory": "Py-nightscout 0.11.0 includes various security updates:\r\n- Unsecure access via http is not allowed anymore by default. 
\r\n- The 'mqtt' module was removed because it had a security issue and was not used.\r\n- The 'sgvdata' module was removed because it had a security issue.\r\n- Various updates to dependencies with known security issues.\r\n- Nightscout is now only allowed to start with a secure Node JS. \r\n- General improved security and new environment variables such as INSECURE_USE_HTTP and SECURE_HSTS_HEADER.\r\n - HTTP Strict Transport Security (HSTS) headers are now enabled by default, settings SECURE_HSTS_HEADER and SECURE_HSTS_HEADER_*.", + "cve": null, + "id": "pyup.io-38660", + "specs": [ + "<0.11.0" + ], + "v": "<0.11.0" + }, + { + "advisory": "Py-nightscout 0.11.1 sticks to 'event-stream' version 3.3.4, because with 4.0.1 GitHub will issue a security warning.", + "cve": null, + "id": "pyup.io-38659", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + }, + { + "advisory": "Py-nightscout 0.12.0 includes many dependency updates for security reasons.", + "cve": null, + "id": "pyup.io-38658", + "specs": [ + "<0.12.0" + ], + "v": "<0.12.0" + }, + { + "advisory": "Py-nightscout 13.0.0 introduces the new APIv3, which generally provides a secured and HTTP REST compliant interface for Nightscout's data exchange.", + "cve": null, + "id": "pyup.io-38657", + "specs": [ + "<13.0.0" + ], + "v": "<13.0.0" + } + ], + "py-rate": [ + { + "advisory": "The luigi functionality before py-rate 0.3.0 was reported as vulnerable.", + "cve": null, + "id": "pyup.io-37312", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "py3web": [ + { + "advisory": "py3web before 0.21 isn't checking for bad characters in headers.", + "cve": null, + "id": "pyup.io-32919", + "specs": [ + "<0.21" + ], + "v": "<0.21" + } + ], + "pyamf": [ + { + "advisory": "pyamf 0.8 fixes a security issue and now wrappes all xml parsing in ``defusedxml`` to protect against any XML entity attacks. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. 
Thanks to Nicolas Gr\u00e9goire (Agarri_FR) for the report.", + "cve": null, + "id": "pyup.io-34622", + "specs": [ + "<0.8" + ], + "v": "<0.8" + } + ], + "pyanyapi": [ + { + "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.", + "cve": "CVE-2017-16616", + "id": "pyup.io-35719", + "specs": [ + "<0.6.1" + ], + "v": "<0.6.1" + } + ], + "pyarmor": [ + { + "advisory": "pyarmor 5.1.2 Improves the security of PyArmor self", + "cve": null, + "id": "pyup.io-36853", + "specs": [ + "<5.1.2" + ], + "v": "<5.1.2" + } + ], + "pybald": [ + { + "advisory": "Pybald 0.5.6 updates SQLAlchemy dependency to 1.3.3 to mitigate a security issue with SQLAlchemy verstions <= 1.3.0.", + "cve": null, + "id": "pyup.io-37104", + "specs": [ + "<0.5.6" + ], + "v": "<0.5.6" + } + ], + "pybeerxml": [ + { + "advisory": "Pybeerxml 1.0.8 bumps some dependency versions for security fixes.", + "cve": null, + "id": "pyup.io-38251", + "specs": [ + "<1.0.8" + ], + "v": "<1.0.8" + } + ], + "pybible-cli": [ + { + "advisory": "Version 1.1.2: Bible pickle files have been replaced by JSON files for better performance and security.", + "cve": null, + "id": "pyup.io-38043", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "pyca": [ + { + "advisory": "Pyca 3.3 includes a configurable, random delay for ingests to avoid accidental DDoS attacks.", + "cve": null, + "id": "pyup.io-39215", + "specs": [ + "<3.3" + ], + "v": "<3.3" + } + ], + "pycapnp": [ + { + "advisory": "pycapnp before 0.5.5 bundled an insecure library (libcapnp).", + "cve": null, + "id": "pyup.io-26030", + "specs": [ + "<0.5.5" + ], + "v": "<0.5.5" + } + ], + "pycapnp-async": [ + { + "advisory": "Pycapnp-async 0.5.4 updates the 
bundled C++ libcapnp to v0.5.1.1 security release.", + "cve": null, + "id": "pyup.io-37586", + "specs": [ + "<0.5.4" + ], + "v": "<0.5.4" + }, + { + "advisory": "Pycapnp-async 0.5.5 updates the bundled C++ libcapnp to v0.5.1.2 security release.", + "cve": null, + "id": "pyup.io-37585", + "specs": [ + "<0.5.5" + ], + "v": "<0.5.5" + } + ], + "pycares": [ + { + "advisory": "pycares before 2.1.1 is vulnerable to CVE-2016-5180.", + "cve": "CVE-2016-5180", + "id": "pyup.io-26031", + "specs": [ + "<2.1.1" + ], + "v": "<2.1.1" + } + ], + "pycln": [ + { + "advisory": "Pycln 0.0.1alpha.3 mentions: \"C wrapped modules import star expanding related vulnerability by hadialqattan\"", + "cve": null, + "id": "pyup.io-38857", + "specs": [ + "<0.0.1alpha.3" + ], + "v": "<0.0.1alpha.3" + } + ], + "pyconll": [ + { + "advisory": "pyconll 1.1.0 updates ``requests`` dependency due to security flaw", + "cve": null, + "id": "pyup.io-36647", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "pyconll before 1.1.2 the ``requests`` version used in ``requirements.txt`` was insecure.", + "cve": null, + "id": "pyup.io-36763", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "pycookiecheat": [ + { + "advisory": "Pycookiecheat 0.2.0 makes SQL query more secure by avoiding string formatting.", + "cve": null, + "id": "pyup.io-26729", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + }, + { + "advisory": "Pycookiecheat 0.4.5 went back to using cryptography due to CVE-2013-7459.", + "cve": "CVE-2013-7459", + "id": "pyup.io-37543", + "specs": [ + "<0.4.5" + ], + "v": "<0.4.5" + } + ], + "pycrtsh": [ + { + "advisory": "Pycrtsh 0.3.4 upgrades the 'lxml' dependency from 4.5.1 to 4.6.2 following a security bug.", + "cve": null, + "id": "pyup.io-40087", + "specs": [ + "<0.3.4" + ], + "v": "<0.3.4" + } + ], + "pycryptex": [ + { + "advisory": "Pycryptex 0.5.0 adds new config keys (***secure-deletion*** and ***secure-deletion-passes***) to set securely deletion of clear files in 
encryption operations.", + "cve": null, + "id": "pyup.io-39109", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], + "pycrypto": [ + { + "advisory": "In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.", + "cve": null, + "id": "pyup.io-26032", + "specs": [ + "<2.6" + ], + "v": "<2.6" + }, + { + "advisory": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.", + "cve": "CVE-2013-1445", + "id": "pyup.io-33150", + "specs": [ + "<2.6.1" + ], + "v": "<2.6.1" + }, + { + "advisory": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.", + "cve": "CVE-2018-6594", + "id": "pyup.io-35765", + "specs": [ + "<2.6.1" + ], + "v": "<2.6.1" + }, + { + "advisory": "Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.", + "cve": "CVE-2013-7459", + "id": "pyup.io-35015", + "specs": [ + "<=2.6.1" + ], + "v": "<=2.6.1" + } + ], + "pycryptodome": [ + { + "advisory": "pycryptodome before 3.6.6 has a vulnerability on AESNI ECB with payloads smaller than 16 bytes.", + "cve": null, + "id": "pyup.io-36384", + "specs": [ + "<3.6.6" + ], + "v": "<3.6.6" + } + ], + "pycsw": [ + { + "advisory": "A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. 
Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.", + "cve": "CVE-2016-8640", + "id": "pyup.io-36365", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + } + ], + "pydal": [ + { + "advisory": "pydal before 15.02.27 has a security flaw which could lead to db password storing in cache.", + "cve": null, + "id": "pyup.io-33022", + "specs": [ + "<15.02.27" + ], + "v": "<15.02.27" + } + ], + "pydotz": [ + { + "advisory": "pydotz 1.2.0 no longer has paths hard-coded due to security and privacy issues", + "cve": null, + "id": "pyup.io-37972", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], + "pyfda": [ + { + "advisory": "Pyfda 0.3.0 fixes an error when trying to load `*.npz` files: `numpy.load()` requires `allow_pickle = True` since version 1.16.3 for security reasons.", + "cve": null, + "id": "pyup.io-38164", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "pyforce": [ + { + "advisory": "Pyforce 1.8.0 fixes the external entities vulnerability #35.", + "cve": null, + "id": "pyup.io-38058", + "specs": [ + "<1.8.0" + ], + "v": "<1.8.0" + } + ], + "pyfrost": [ + { + "advisory": "Pyfrost 0.2.1 updates dependencies with security alerts.", + "cve": null, + "id": "pyup.io-38192", + "specs": [ + "<0.2.1" + ], + "v": "<0.2.1" + } + ], + "pyftpdlib": [ + { + "advisory": "pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping user's home directory.", + "cve": null, + "id": "pyup.io-26036", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, + { + "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.", + "cve": "CVE-2009-5010", + "id": "pyup.io-26037", 
+ "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + }, + { + "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.", + "cve": "CVE-2010-3494", + "id": "pyup.io-26038", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], + "pygopherd": [ + { + "advisory": "Pygopherd 0.9.0 includes several security enhancements. No details were included.", + "cve": null, + "id": "pyup.io-39437", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "pygresql": [ + { + "advisory": "The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.", + "cve": "CVE-2009-2940", + "id": "pyup.io-26039", + "specs": [ + "<4.0" + ], + "v": "<4.0" + } + ], + "pyinaturalist": [ + { + "advisory": "Pyinaturalist 0.7 includes minor dependency updates for security reasons.", + "cve": null, + "id": "pyup.io-39616", + "specs": [ + "<0.7" + ], + "v": "<0.7" + }, + { + "advisory": "Pyinaturalist 0.7.0 includes minor dependencies updates for security reasons.", + "cve": null, + "id": "pyup.io-37127", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], + "pyinstaller": [ + { + "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.", + "cve": null, + "id": "pyup.io-39153", + "specs": [ + "<3.5" + ], + "v": "<3.5" + } + ], + "pyjwt": [ + { + "advisory": "pyjwt before 1.0.0 allows to bypass signature verification by setting the alg header to None.", + "cve": null, + "id": "pyup.io-26040", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "Pyjwt 1.0.0 includes a fix 
for security vulnerability where 'alg=None' header could bypass signature verification (https://github.com/jpadilla/pyjwt/pull/109) and adding support for a whitelist of allowed 'alg' values 'jwt.decode(algorithms=[])' (https://github.com/jpadilla/pyjwt/pull/110).", + "cve": null, + "id": "pyup.io-39458", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.", + "cve": null, + "id": "pyup.io-35014", + "specs": [ + "<1.5.1" + ], + "v": "<1.5.1" + } + ], + "pykarotz": [ + { + "advisory": "Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking. See: .", + "cve": "CVE-2013-4867", + "id": "pyup.io-37751", + "specs": [ + "==12.07.19.00" + ], + "v": "==12.07.19.00" + } + ], + "pykechain": [ + { + "advisory": "Pykechain 2.5.4 updates security advisory to install requests package later than 2.20.0 (CVE-2018-18074).", + "cve": "CVE-2018-18074", + "id": "pyup.io-36937", + "specs": [ + "<2.5.4" + ], + "v": "<2.5.4" + } + ], + "pylabnet": [ + { + "advisory": "Servers in pylabnet before version 0.3.0 were not secure by default.", + "cve": null, + "id": "pyup.io-38667", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "pyldap": [ + { + "advisory": "pyldap before 2.0.0pre05 is using an insecure transitive dependency (ldapurl).", + "cve": null, + "id": "pyup.io-26041", + "specs": [ + "<2.0.0pre05" + ], + "v": "<2.0.0pre05" + } + ], + "pylint": [ + { + "advisory": "Pylint 2.5.0 no longer allows ``python -m pylint ...`` to import user code. 
Previously, it added the current working directory as the first element of ``sys.path``. This opened up a potential security hole where ``pylint`` would import user level code as long as that code resided in modules having the same name as stdlib or pylint's own modules.", + "cve": null, + "id": "pyup.io-38224", + "specs": [ + "<2.5.0" + ], + "v": "<2.5.0" + }, + { + "advisory": "Pylint 2.7.0 includes a fix for vulnerable regular expressions in 'pyreverse'.", + "cve": null, + "id": "pyup.io-39621", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + } + ], + "pylivetrader": [ + { + "advisory": "Pylivetrader 0.2.0 changes the yaml config loading to use the safe loading. This is a security fix.", + "cve": null, + "id": "pyup.io-38294", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "pylons": [ + { + "advisory": "pylons before 0.9.6.1 allows to access private controller methods to be accessed from the outside.", + "cve": null, + "id": "pyup.io-26042", + "specs": [ + "<0.9.6.1" + ], + "v": "<0.9.6.1" + }, + { + "advisory": "pylons before 0.9.7 is vulnerable to a XSS attack on the default error page.", + "cve": null, + "id": "pyup.io-26043", + "specs": [ + "<0.9.7" + ], + "v": "<0.9.7" + }, + { + "advisory": "pylons before 1.0.1RC1 is vulnerable to timing attacks on secure cookies.", + "cve": null, + "id": "pyup.io-26044", + "specs": [ + "<1.0.1RC1" + ], + "v": "<1.0.1RC1" + }, + { + "advisory": "pylons before 1.0.1rc1 is vulnerable to cookie timing attacks.", + "cve": null, + "id": "pyup.io-26045", + "specs": [ + "<1.0.1rc1" + ], + "v": "<1.0.1rc1" + }, + { + "advisory": "pylons before 1.0.2 includes \"Post Traceback\" which is a possible XSS vector.", + "cve": null, + "id": "pyup.io-26046", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + } + ], + "pymemcache": [ + { + "advisory": "pymemcache before 1.3.6 isn't sanitizing key inputs.", + "cve": null, + "id": "pyup.io-26047", + "specs": [ + "<1.3.6" + ], + "v": "<1.3.6" + } + ], + "pyminiracer": [ + { + "advisory": 
"A heap overflow in Sqreen PyMiniRacer (aka Python Mini Racer) before 0.3.0 allows remote attackers to potentially exploit heap corruption. See: CVE-2020-25489.", + "cve": "CVE-2020-25489", + "id": "pyup.io-38794", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "pymisp": [ + { + "advisory": "Pymisp 2.4.106 fixes CVE-2019-11324 (urllib3).", + "cve": "CVE-2019-11324", + "id": "pyup.io-37292", + "specs": [ + "<2.4.106" + ], + "v": "<2.4.106" + }, + { + "advisory": "Pymisp v2.4.67 includes a security fix: do not try to load any valid path as a MISP Event.\r\n\r\nThe MISP Event loader was trying to open any string passed as parameter if is an existing file path. Anything that isn't a valid MISP event would raise an exception, but I can see it used for malicious purposes.\r\n\r\n`load_file` will do the same, but the user can decide if it is safe to use.", + "cve": null, + "id": "pyup.io-38507", + "specs": [ + "<2.4.67" + ], + "v": "<2.4.67" + } + ], + "pymls": [ + { + "advisory": "Pymls 1.4.10 fixes the Github-reported security issues in requirements.txt and bumps PyYAML version in setup for security reasons (CVE-2017-18342).", + "cve": "CVE-2017-18342", + "id": "pyup.io-37193", + "specs": [ + "<1.4.10" + ], + "v": "<1.4.10" + } + ], + "pymongo": [ + { + "advisory": "bson/_cbsonmodule.c in the mongo-python-driver (aka. 
pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\"", + "cve": "CVE-2013-2132", + "id": "pyup.io-35429", + "specs": [ + "<2.5.2" + ], + "v": "<2.5.2" + } + ], + "pynoorm": [ + { + "advisory": "pynoorm 0.4.2 updates PyYaml to 4.2b4 to fix security vulnerability", + "cve": null, + "id": "pyup.io-36789", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], + "pynps": [ + { + "advisory": "Pynps 1.2.0 removes support for search after updating database for security reasons.", + "cve": null, + "id": "pyup.io-37724", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], + "pyoes": [ + { + "advisory": "pyoes 0.9.0 change: Libs updaten - security alert", + "cve": null, + "id": "pyup.io-37254", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "pyomo": [ + { + "advisory": "Pyomo 5.7.2 fixes a security risk in GitHub Actions workflow (issue 1654).", + "cve": null, + "id": "pyup.io-39315", + "specs": [ + "<5.7.2" + ], + "v": "<5.7.2" + } + ], + "pyopenssl": [ + { + "advisory": "The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.", + "cve": "CVE-2013-4314", + "id": "pyup.io-35460", + "specs": [ + "<0.13.1" + ], + "v": "<0.13.1" + }, + { + "advisory": "Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. 
This vulnerability appears to have been fixed in 17.5.0.", + "cve": "CVE-2018-1000807", + "id": "pyup.io-36533", + "specs": [ + "<17.5.0" + ], + "v": "<17.5.0" + }, + { + "advisory": "Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.", + "cve": "CVE-2018-1000808", + "id": "pyup.io-36534", + "specs": [ + "<17.5.0" + ], + "v": "<17.5.0" + } + ], + "pyorient": [ + { + "advisory": "pyorient before 1.4.9 has an SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the WHERE clause in a query and cause it to return unexpected results", + "cve": null, + "id": "pyup.io-34150", + "specs": [ + "<1.4.9" + ], + "v": "<1.4.9" + } + ], + "pyowm": [ + { + "advisory": "pyowm 2.10 upgrades version for dependencies `requests` and `urllib3` as known security issues were raised for them.", + "cve": null, + "id": "pyup.io-36750", + "specs": [ + "<2.10" + ], + "v": "<2.10" + } + ], + "pypicloud": [ + { + "advisory": "pypicloud before 0.2.2 is vulnerable to a undisclosed attack.", + "cve": null, + "id": "pyup.io-26048", + "specs": [ + "<0.2.2" + ], + "v": "<0.2.2" + } + ], + "pypiserver": [ + { + "advisory": "pypiserver before 1.1.7 is vulnerable to XSS attacks.", + "cve": null, + "id": "pyup.io-26049", + "specs": [ + "<1.1.7" + ], + "v": "<1.1.7" + }, + { + "advisory": "pypiserver 1.2.6 mitigates potential CRLF injection attacks from malicious URLs", + "cve": null, + "id": "pyup.io-36843", + "specs": [ + "<1.2.6" + ], + "v": "<1.2.6" + } + ], + "pyplanet": [ + { + "advisory": "pyplanet 0.6.2 - security: Upgraded library to solve security issues (requests library).", + "cve": null, + "id": "pyup.io-36666", + "specs": [ + "<0.6.2" + ], + "v": "<0.6.2" + }, + { + "advisory": "Pyplanet 0.7.0 updates some libraries to fix some 
security issues (none of which were critical).", + "cve": null, + "id": "pyup.io-37476", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], + "pypostalcode": [ + { + "advisory": "Pypostalcode 0.3.5 fixes an SQL injection vulnerability (passing user input FSA codes could delete your FSA code database).", + "cve": null, + "id": "pyup.io-40033", + "specs": [ + "<0.3.5" + ], + "v": "<0.3.5" + } + ], + "pyqlib": [ + { + "advisory": "This affects all versions of package pyqlib. The workflow function in cli part of pyqlib was using an unsafe YAML load function. See CVE-2021-23338.", + "cve": "CVE-2021-23338", + "id": "pyup.io-40060", + "specs": [ + ">=0.0.0" + ], + "v": ">=0.0.0" + } + ], + "pyrad": [ + { + "advisory": "pyrad before 0.6 isn't handling timeouts in client module correctly, leading to a potential denial of service.", + "cve": null, + "id": "pyup.io-26050", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], + "pyradiomics": [ + { + "advisory": "pyradiomics before 1.1.1 used `eval`which is not secure.", + "cve": null, + "id": "pyup.io-36302", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], + "pyramid": [ + { + "advisory": "Pyramid 0.2 adds ACL-based security.", + "cve": null, + "id": "pyup.io-32177", + "specs": [ + "<0.2" + ], + "v": "<0.2" + }, + { + "advisory": "Pyramid 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.", + "cve": null, + "id": "pyup.io-32184", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + }, + { + "advisory": "In pyramid before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. 
It now uses a randomly generated string.", + "cve": null, + "id": "pyup.io-32685", + "specs": [ + "<1.0a3" + ], + "v": "<1.0a3" + }, + { + "advisory": "The default Mako renderer in pyramid 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See .", + "cve": null, + "id": "pyup.io-32194", + "specs": [ + "<1.1a1" + ], + "v": "<1.1a1" + }, + { + "advisory": "The AuthTktAuthenticationPolicy in pyramid before 1.3a1 did not use a timing-attack-aware string comparator. See https://github.com/Pylons/pyramid/pull/320 for more info.", + "cve": null, + "id": "pyup.io-32688", + "specs": [ + "<1.3a1" + ], + "v": "<1.3a1" + }, + { + "advisory": "In pyramid 1.4a4 the ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible for improved security over the default md5 hashing.", + "cve": null, + "id": "pyup.io-32201", + "specs": [ + "<1.4a4" + ], + "v": "<1.4a4" + }, + { + "advisory": "Pyramid 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Also, it avoids timing attacks against CSRF tokens. 
See: .",
+ "cve": null,
+ "id": "pyup.io-32203",
+ "specs": [
+ "<1.6a1"
+ ],
+ "v": "<1.6a1"
+ },
+ {
+ "advisory": "pyramid before 1.6a2 isn't sanitising JSONP callbacks correctly, see CVE-2014-4671.",
+ "cve": "CVE-2014-4671",
+ "id": "pyup.io-32204",
+ "specs": [
+ "<1.6a2"
+ ],
+ "v": "<1.6a2"
+ }
+ ],
+ "pyramid-odesk": [
+ {
+ "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.",
+ "cve": null,
+ "id": "pyup.io-26051",
+ "specs": [
+ "<1.1.2"
+ ],
+ "v": "<1.1.2"
+ }
+ ],
+ "pyramid-weblayer": [
+ {
+ "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.",
+ "cve": null,
+ "id": "pyup.io-26052",
+ "specs": [
+ "<0.12"
+ ],
+ "v": "<0.12"
+ }
+ ],
+ "pyro": [
+ {
+ "advisory": "pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.",
+ "cve": "CVE-2011-2765",
+ "id": "pyup.io-36385",
+ "specs": [
+ "<3.15"
+ ],
+ "v": "<3.15"
+ }
+ ],
+ "pyro4": [
+ {
+ "advisory": "pyro4 before 4.72 is not secure because the HMAC encryption key used with the -k command line option is plainly visible.\r\nUpgrade to 4.72 to show warnings when attempting this. In future use Pyro's 2-way SSL feature or alternatively set the HMAC key in the (new) environment variable PYRO_HMAC_KEY",
+ "cve": null,
+ "id": "pyup.io-36298",
+ "specs": [
+ "<4.72"
+ ],
+ "v": "<4.72"
+ }
+ ],
+ "pyrocko": [
+ {
+ "advisory": "Pyrocko 1.1.1 fixes a handler injection vulnerability.",
+ "cve": null,
+ "id": "pyup.io-38937",
+ "specs": [
+ "<1.1.1"
+ ],
+ "v": "<1.1.1"
+ }
+ ],
+ "pyrotools": [
+ {
+ "advisory": "Pyrotools before 1.0.1 updates requirements.txt to make sure urllib3 is a safe version. 
See CVE-2019-11324.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-37086",
+ "specs": [
+ "<1.0.1"
+ ],
+ "v": "<1.0.1"
+ }
+ ],
+ "pysam": [
+ {
+ "advisory": "pysam 0.11.2 wraps htslib/samtools/bcfools versions 1.4.1 in response to a security fix in these libraries",
+ "cve": null,
+ "id": "pyup.io-34332",
+ "specs": [
+ "<0.11.2"
+ ],
+ "v": "<0.11.2"
+ }
+ ],
+ "pysaml2": [
+ {
+ "advisory": "PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.",
+ "cve": "CVE-2016-10127",
+ "id": "pyup.io-35659",
+ "specs": [
+ "<4.4.0"
+ ],
+ "v": "<4.4.0"
+ },
+ {
+ "advisory": "XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.",
+ "cve": "CVE-2016-10149",
+ "id": "pyup.io-35660",
+ "specs": [
+ "<4.4.0"
+ ],
+ "v": "<4.4.0"
+ },
+ {
+ "advisory": "PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. See: CVE-2020-5390.",
+ "cve": "CVE-2020-5390",
+ "id": "pyup.io-37783",
+ "specs": [
+ "<5.0.0"
+ ],
+ "v": "<5.0.0"
+ },
+ {
+ "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. 
The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0. See CVE-2021-21239.",
+ "cve": "CVE-2021-21239",
+ "id": "pyup.io-39498",
+ "specs": [
+ "<6.5.0"
+ ],
+ "v": "<6.5.0"
+ },
+ {
+ "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0. See CVE-2021-21238.",
+ "cve": "CVE-2021-21238",
+ "id": "pyup.io-39497",
+ "specs": [
+ "<6.5.0"
+ ],
+ "v": "<6.5.0"
+ },
+ {
+ "advisory": "Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.",
+ "cve": "CVE-2017-1000246",
+ "id": "pyup.io-35699",
+ "specs": [
+ "<=4.4.0"
+ ],
+ "v": "<=4.4.0"
+ },
+ {
+ "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. 
This allows attackers to log in as any user without knowing their password.",
+ "cve": "CVE-2017-1000433",
+ "id": "pyup.io-35700",
+ "specs": [
+ "<=4.4.0"
+ ],
+ "v": "<=4.4.0"
+ }
+ ],
+ "pysandbox": [
+ {
+ "advisory": "pysandbox before 1.0.2 allows access to several dict methods.",
+ "cve": null,
+ "id": "pyup.io-26053",
+ "specs": [
+ "<1.0.2"
+ ],
+ "v": "<1.0.2"
+ },
+ {
+ "advisory": "pysandbox before 1.0.3 allows access to dict.__init__().",
+ "cve": null,
+ "id": "pyup.io-26054",
+ "specs": [
+ "<1.0.3"
+ ],
+ "v": "<1.0.3"
+ },
+ {
+ "advisory": "pysandbox before 1.5 has several security vulnerabilities.",
+ "cve": null,
+ "id": "pyup.io-26055",
+ "specs": [
+ "<1.5"
+ ],
+ "v": "<1.5"
+ },
+ {
+ "advisory": "pysandbox before 1.6 isn't setting __builtins__ to readonly when execute() is used.",
+ "cve": null,
+ "id": "pyup.io-26056",
+ "specs": [
+ "<1.6"
+ ],
+ "v": "<1.6"
+ }
+ ],
+ "pysbd": [
+ {
+ "advisory": "Pysbd 0.3.0rc includes an upgrade of bleach to address a security vulnerability.",
+ "cve": null,
+ "id": "pyup.io-38404",
+ "specs": [
+ "<0.3.0rc"
+ ],
+ "v": "<0.3.0rc"
+ }
+ ],
+ "pyshop": [
+ {
+ "advisory": "pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.",
+ "cve": "CVE-2013-1630",
+ "id": "pyup.io-26057",
+ "specs": [
+ "<0.7.1"
+ ],
+ "v": "<0.7.1"
+ }
+ ],
+ "pyspark": [
+ {
+ "advisory": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. 
See: CVE-2019-10099.",
+ "cve": "CVE-2019-10099",
+ "id": "pyup.io-37352",
+ "specs": [
+ "<2.3.3"
+ ],
+ "v": "<2.3.3"
+ }
+ ],
+ "pyspf": [
+ {
+ "advisory": "Pyspf 2.0.1 prevents cache poisoning attacks and malformed RR attacks.",
+ "cve": null,
+ "id": "pyup.io-37431",
+ "specs": [
+ "<2.0.1"
+ ],
+ "v": "<2.0.1"
+ }
+ ],
+ "pytask-latex": [
+ {
+ "advisory": "Pytask-latex 0.0.7 ensures that 'outputdirectory' is relative to the latex document to address security problems.",
+ "cve": null,
+ "id": "pyup.io-39658",
+ "specs": [
+ "<0.0.7"
+ ],
+ "v": "<0.0.7"
+ }
+ ],
+ "pytest-aoc": [
+ {
+ "advisory": "pytest-aoc 1.2a6 removes security misfeature: no cookies inside setup.cfg.",
+ "cve": null,
+ "id": "pyup.io-37267",
+ "specs": [
+ "<1.2a6"
+ ],
+ "v": "<1.2a6"
+ }
+ ],
+ "pytest-devpi-server": [
+ {
+ "advisory": "pytest-devpi-server before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26059",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-git": [
+ {
+ "advisory": "pytest-git before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26060",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-profiling": [
+ {
+ "advisory": "pytest-profiling before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26061",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-qt-app": [
+ {
+ "advisory": "pytest-qt-app before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26062",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-server-fixtures": [
+ {
+ "advisory": "pytest-server-fixtures before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26063",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-shutil": [
+ {
+ "advisory": "pytest-shutil before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26064",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "pytest-verbose-parametrize": [
+ {
+ "advisory": "pytest-verbose-parametrize before 1.1.0 uses a subshell in workspace.run.",
+ "cve": null,
+ "id": "pyup.io-26065",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ }
+ ],
+ "python": [
+ {
+ "advisory": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.",
+ "cve": "CVE-2008-1721",
+ "id": "pyup.io-33152",
+ "specs": [
+ "<2.5.2"
+ ],
+ "v": "<2.5.2"
+ },
+ {
+ "advisory": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.",
+ "cve": "CVE-2008-1887",
+ "id": "pyup.io-33153",
+ "specs": [
+ "<2.5.2"
+ ],
+ "v": "<2.5.2"
+ },
+ {
+ "advisory": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. 
NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
+ "cve": "CVE-2008-1679",
+ "id": "pyup.io-33151",
+ "specs": [
+ "<2.5.3"
+ ],
+ "v": "<2.5.3"
+ },
+ {
+ "advisory": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
+ "cve": "CVE-2016-0772",
+ "id": "pyup.io-33154",
+ "specs": [
+ "<2.7.12",
+ ">=3.0,<3.4.5",
+ ">=3.5,<3.5.2"
+ ],
+ "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
+ },
+ {
+ "advisory": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
+ "cve": "CVE-2016-5636",
+ "id": "pyup.io-33155",
+ "specs": [
+ "<2.7.12",
+ ">=3.0,<3.4.5",
+ ">=3.5,<3.5.2"
+ ],
+ "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
+ },
+ {
+ "advisory": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. 
See CVE-2021-23336.",
+ "cve": "CVE-2021-23336",
+ "id": "pyup.io-39619",
+ "specs": [
+ ">=0.0.0,<3.6.13",
+ ">=3.7.0,<3.7.10",
+ ">=3.8.0,<3.8.8",
+ ">=3.9.0,<3.9.2"
+ ],
+ "v": ">=0.0.0,<3.6.13,>=3.7.0,<3.7.10,>=3.8.0,<3.8.8,>=3.9.0,<3.9.2"
+ },
+ {
+ "advisory": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.",
+ "cve": "CVE-2011-4940",
+ "id": "pyup.io-26069",
+ "specs": [
+ ">=2.6,<2.6.7",
+ "<2.5.6c1",
+ ">=2.7,<2.7.2"
+ ],
+ "v": ">=2.6,<2.6.7,<2.5.6c1,>=2.7,<2.7.2"
+ },
+ {
+ "advisory": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.",
+ "cve": "CVE-2011-4944",
+ "id": "pyup.io-26074",
+ "specs": [
+ ">=2.6,<3.3"
+ ],
+ "v": ">=2.6,<3.3"
+ },
+ {
+ "advisory": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
+ "cve": "CVE-2012-1150",
+ "id": "pyup.io-26071",
+ "specs": [
+ ">=2.7,<2.7.3",
+ ">=3.0,<3.1.5",
+ ">=3.2,<3.2.3",
+ "<2.6.8"
+ ],
+ "v": ">=2.7,<2.7.3,>=3.0,<3.1.5,>=3.2,<3.2.3,<2.6.8"
+ },
+ {
+ "advisory": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of 
data than specified by the Content-Length header.", + "cve": "CVE-2012-0845", + "id": "pyup.io-26070", + "specs": [ + ">=2.7,<2.7.3", + ">=3.2,<3.2.3", + ">=3.1,<3.1.5", + "<2.6.8" + ], + "v": ">=2.7,<2.7.3,>=3.2,<3.2.3,>=3.1,<3.1.5,<2.6.8" }, { - "advisory": "An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. See: CVE-2020-7937.", - "cve": "CVE-2020-7937", - "id": "pyup.io-37785", + "advisory": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. See CVE-2021-3177.", + "cve": "CVE-2021-3177", + "id": "pyup.io-39465", "specs": [ - ">=5.0,<=5.2.1" + ">=3.0.0,<=3.9.1" ], - "v": ">=5.0,<=5.2.1" + "v": ">=3.0.0,<=3.9.1" }, { - "advisory": "plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. See: CVE-2020-7938.", - "cve": "CVE-2020-7938", - "id": "pyup.io-37786", + "advisory": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.", + "cve": "CVE-2012-2135", + "id": "pyup.io-26076", "specs": [ - ">=5.2.0,<=5.2.1" + ">=3.1,<3.4" ], - "v": ">=5.2.0,<=5.2.1" - } - ], - "plone-app-contentmenu": [ + "v": ">=3.1,<3.4" + }, { - "advisory": "Plone-app-contentmenu 1.1.7 escapes the title of the defaultpage in the DisplayMenu. 
This fixes a potential\r\n xss attack and http://dev.plone.org/plone/ticket/8377.", - "cve": null, - "id": "pyup.io-36047", + "advisory": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", + "cve": "CVE-2011-1521", + "id": "pyup.io-26075", "specs": [ - "<1.1.7" + ">=3.2,<3.2.1", + ">=2.7,<2.7.2" ], - "v": "<1.1.7" + "v": ">=3.2,<3.2.1,>=2.7,<2.7.2" } ], - "plone-app-contenttypes": [ + "python-augeas": [ { - "advisory": "plone-app-contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", + "advisory": "python-augeas before 1.0.0 is vulnerable to cross-mountpoint and symlink attacks.", "cve": null, - "id": "pyup.io-35870", + "id": "pyup.io-26077", "specs": [ - "<1.2.15" + "<1.0.0" ], - "v": "<1.2.15" + "v": "<1.0.0" } ], - "plone-app-discussion": [ + "python-bugzilla": [ { - "advisory": "plone-app-discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", - "cve": null, - "id": "pyup.io-35864", + "advisory": "python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.", + "cve": "CVE-2013-2191", + "id": "pyup.io-35432", "specs": [ - "<2.4.14" + "<0.9.0" ], - "v": "<2.4.14" + "v": "<0.9.0" } ], - "plone-app-event": [ + "python-cjson": [ { - "advisory": "plone-app-event 3.0 fixes a possible cross site scripting (XSS) attack in location field.", - "cve": null, - "id": "pyup.io-35923", + "advisory": "Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving 
Firefox and the end tag of a SCRIPT element.", + "cve": "CVE-2009-4924", + "id": "pyup.io-33160", "specs": [ - "<3.0" + "<1.0.5" ], - "v": "<3.0" - } - ], - "plone-app-users": [ + "v": "<1.0.5" + }, { - "advisory": "Plone-app-users before 1.0.5 does not check for permission when editing other users' profiles. This fixes http://dev.plone.org/plone/ticket/11842 and http://plone.org/products/plone/security/advisories/CVE-2011-1950.", - "cve": "CVE-2011-1950", - "id": "pyup.io-36096", + "advisory": "Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function.", + "cve": "CVE-2010-1666", + "id": "pyup.io-33161", "specs": [ "<1.0.5" ], "v": "<1.0.5" } ], - "plone-dexterity": [ + "python-clu": [ { - "advisory": "In plone-dexterity before 2.3.0 Attribute access to schema fields can be protected. This\r\n worked for direct schemas, but was not implemented for permissions coming\r\n from behaviors.", + "advisory": "Python-clu 0.5.1 removes an insecure Django requirement.", "cve": null, - "id": "pyup.io-35873", + "id": "pyup.io-37800", "specs": [ - "<2.3.0" + "<0.5.1" ], - "v": "<2.3.0" + "v": "<0.5.1" } ], - "plone.app.content": [ + "python-dbusmock": [ { - "advisory": "plone.app.content 3.3.1 includes security hotfix 20160830 for folder factories redirection.", + "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. 
Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.", "cve": null, - "id": "pyup.io-26000", + "id": "pyup.io-26080", "specs": [ - "<3.3.1" + "<0.15.1" ], - "v": "<3.3.1" + "v": "<0.15.1" }, { - "advisory": "Plone.app.content 3.8.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", - "cve": null, - "id": "pyup.io-38030", + "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. See CVE-2015-1326.", + "cve": "CVE-2015-1326", + "id": "pyup.io-37088", "specs": [ - "<3.8.1" + "<0.15.1" ], - "v": "<3.8.1" + "v": "<0.15.1" } ], - "plone.app.contentmenu": [ + "python-docx": [ { - "advisory": "plone.app.contentmenu 1.1.7 fixes a potential xss attack and http://dev.plone.org/plone/ticket/8377.", - "cve": null, - "id": "pyup.io-26001", + "advisory": "python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.", + "cve": "CVE-2016-5851", + "id": "pyup.io-26081", "specs": [ - "<1.1.7" + "<0.8.6" ], - "v": "<1.1.7" + "v": "<0.8.6" } ], - "plone.app.contenttypes": [ + "python-engineio": [ { - "advisory": "plone.app.contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", + "advisory": "Python-engineio 3.5.2 removes a security alert in the requirements.", "cve": null, - "id": "pyup.io-26002", + "id": "pyup.io-37168", "specs": [ - "<1.2.15" + "<3.5.2" ], - "v": "<1.2.15" + "v": "<3.5.2" }, { - "advisory": "plone.app.contenttypes 2.1.6 integrates PloneHotFix20200121: add more permission checks - see https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content", - 
"cve": "CVE-2020-7941", - "id": "pyup.io-37887", + "advisory": "Python-engineio 3.9.0 addresses potential websocket cross-origin attacks. See: .", + "cve": null, + "id": "pyup.io-37307", "specs": [ - "<2.1.6" + "<3.9.0" ], - "v": "<2.1.6" - } - ], - "plone.app.dexterity": [ + "v": "<3.9.0" + }, { - "advisory": "The modeleditor in plone.app.dexterity 2.6.8 no longer resolves entities, and it removes processing instructions. This increases the security.", - "cve": null, - "id": "pyup.io-39143", + "advisory": "An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. See: .", + "cve": "CVE-2019-13611", + "id": "pyup.io-37288", "specs": [ - "<2.6.8" + "<=3.8.2" ], - "v": "<2.6.8" + "v": "<=3.8.2" } ], - "plone.app.discussion": [ + "python-fedora": [ { - "advisory": "plone.app.discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", - "cve": null, - "id": "pyup.io-26003", + "advisory": "python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection", + "cve": "CVE-2017-1002150", + "id": "pyup.io-35705", "specs": [ - "<2.4.14" + "<=0.8.0" ], - "v": "<2.4.14" - }, + "v": "<=0.8.0" + } + ], + "python-gnupg": [ { - "advisory": "plone.app.discussion 2.4.18 includes security hotfix 20160830 for redirects.", - "cve": null, - "id": "pyup.io-26004", + "advisory": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. 
To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted.", + "cve": "CVE-2019-6690", + "id": "pyup.io-36964", "specs": [ - "<2.4.18" + "==0.4.3" ], - "v": "<2.4.18" + "v": "==0.4.3" } ], - "plone.app.event": [ + "python-jose": [ { - "advisory": "plone.app.event 3.0 fixes a possible cross site scripting (XSS) attack in location field", - "cve": null, - "id": "pyup.io-26005", + "advisory": "python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.", + "cve": "CVE-2016-7036", + "id": "pyup.io-35682", "specs": [ - "<3.0" + "<1.3.2" ], - "v": "<3.0" - }, + "v": "<1.3.2" + } + ], + "python-jss": [ { - "advisory": "Plone.app.event 3.2.10 gives a validation error in the ical importer when a 'file://' URL is used (this could be a line of attack for a hacker).", + "advisory": "Python-jss 2.1.0 updates the `urllib3` dependency to mitigate a vulnerability.", "cve": null, - "id": "pyup.io-39140", + "id": "pyup.io-38564", "specs": [ - "<3.2.10" + "<2.1.0" ], - "v": "<3.2.10" + "v": "<2.1.0" } ], - "plone.app.layout": [ + "python-keystoneclient": [ { - "advisory": "Plone.app.layout 3.4.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", - "cve": null, - "id": "pyup.io-38031", + "advisory": "The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.", + "cve": "CVE-2015-1852", + "id": "pyup.io-26082", "specs": [ - "<3.4.1" + "<1.4.0" ], - "v": "<3.4.1" - } - ], - "plone.app.linkintegrity": [ + "v": "<1.4.0" + 
}, { - "advisory": "plone.app.linkintegrity 1.0.2 fixed security issue due to using pickles (see CVE-2007-5741).", - "cve": "CVE-2014-8991", - "id": "pyup.io-26006", + "advisory": "The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.", + "cve": "CVE-2015-7546", + "id": "pyup.io-26083", "specs": [ - "<1.0.2" + "<1.5.4", + ">=2.0,<2.3.3" ], - "v": "<1.0.2" - } - ], - "plone.app.theming": [ + "v": "<1.5.4,>=2.0,<2.3.3" + }, { - "advisory": "Plone.app.theming 4.1.6 fails when trying file protocol access in diazo rules. It also no longer resolves entities, and removes processing instructions. This are security enhancements.", - "cve": null, - "id": "pyup.io-39142", + "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass. See: CVE-2013-2166.", + "cve": "CVE-2013-2166", + "id": "pyup.io-37748", "specs": [ - "<4.1.6" + ">=0.2.3,<=0.2.5" ], - "v": "<4.1.6" + "v": ">=0.2.3,<=0.2.5" + }, + { + "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass. See CVE-2013-2167.", + "cve": "CVE-2013-2167", + "id": "pyup.io-37749", + "specs": [ + ">=0.2.3,<=0.2.5" + ], + "v": ">=0.2.3,<=0.2.5" } ], - "plone.dexterity": [ + "python-libnmap": [ { - "advisory": "plone.dexterity 2.3.0 fixes a security issue. Attribute access to schema fields can be protected. This worked for direct schemas, but was not implemented for permissions coming from behaviors.", - "cve": null, - "id": "pyup.io-26007", + "advisory": "libnmap < v0.6.3 is affected by: XML Injection. 
The impact is: Denial of service (DoS) by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. See: CVE-2019-1010017.", + "cve": "CVE-2019-1010017", + "id": "pyup.io-37283", "specs": [ - "<2.3.0" + "<0.6.3" ], - "v": "<2.3.0" + "v": "<0.6.3" + }, + { + "advisory": "Python-libnmap 0.7.2 adds unittest for defusedxml to fix billionlaugh and external entities security issues. It also includes a fix for security issue on XXE (XML External Entities). See: CVE-2019-1010017.", + "cve": "CVE-2019-1010017", + "id": "pyup.io-39304", + "specs": [ + "<0.7.2" + ], + "v": "<0.7.2" } ], - "plone.formwidget.contenttree": [ + "python-libtorrent": [ { - "advisory": "plone.formwidget.contenttree 1.0a3 fixes an issues with the security validator to work properly on add views and other views using namespace traversal.", + "advisory": "python-libtorrent before 1.0.6 has several undisclosed vulnerabilities related to uTP.", "cve": null, - "id": "pyup.io-26008", + "id": "pyup.io-26084", "specs": [ - "<1.0a3" + "<1.0.6" ], - "v": "<1.0a3" + "v": "<1.0.6" } ], - "plone.memoize": [ + "python-muranoclient": [ { - "advisory": "Plone.memoize 1.0.3 no longeruses hash when making cache keys. This is to avoid cache collisions, and to avoid a potential security problem where an attacker could manually craft collisions. 
Also, the use of hash() is no longer recommending in tests.", - "cve": null, - "id": "pyup.io-37107", + "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.", + "cve": "CVE-2016-4972", + "id": "pyup.io-26085", "specs": [ - "<1.0.3" + "<0.7.3", + ">=0.8,<0.8.5" ], - "v": "<1.0.3" + "v": "<0.7.3,>=0.8,<0.8.5" } ], - "plone.mockup": [ + "python-nomad": [ { - "advisory": "plone.mockup before 2.1.3 is vulnerable to a XSS attack in structure and relateditem pattern.", + "advisory": "Python-nomad 1.0.1 updates `Requests` to 2.20.0. Earlier versions of `Requests` sent an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", "cve": null, - "id": "pyup.io-26009", + "id": "pyup.io-36602", "specs": [ - "<2.1.3" + "<1.0.1" ], - "v": "<2.1.3" + "v": "<1.0.1" } ], - "plone.openid": [ + "python-openflow": [ { - "advisory": "plone.openid before 2.0.2 is not using the system number generator, even if it is available.", + "advisory": "python-openflow 2016.1.a1 fixes a undisclosed security vulnerability.", "cve": null, - "id": "pyup.io-26010", + "id": "pyup.io-33282", "specs": [ - "<2.0.2" + "<2016.1.a1" ], - "v": "<2.0.2" - } - ], - "plone.recipe.varnish": [ + "v": "<2016.1.a1" + }, { - "advisory": "Plone.recipe.varnish 6.0.0b1 updates to Varnish 6.0.6 LTS security release.", + "advisory": "python-openflow 2019.1b3 change: Updated dependencies versions in order to fix security bugs.", "cve": null, - "id": "pyup.io-37942", + "id": 
"pyup.io-37224", "specs": [ - "<6.0.0b1" + "<2019.1b3" ], - "v": "<6.0.0b1" + "v": "<2019.1b3" } ], - "plone.session": [ + "python-otr": [ { - "advisory": "Plone.session 3.6.2 hardens the default timeout of session. This solves Plone security internal issue 126 (severity low, non-critical). Also, the session timeout is now the same as in mod_auth_tkt: 2h. This follows the recommendation of the German BSI (federal office for security in the information technology) - see . For existing sites this can be adjusted at . The Plone Security Team follows the BSI and recommends administrators to change the setting in their existing Plone sites.", + "advisory": "python-otr before 1.1.0 is vulnerable to man-in-the-middle attacks as it allows to restart the protocol.", "cve": null, - "id": "pyup.io-38207", + "id": "pyup.io-26086", "specs": [ - "<3.6.2" + "<1.1.0" ], - "v": "<3.6.2" + "v": "<1.1.0" } ], - "plone.supermodel": [ + "python-picnic": [ { - "advisory": "Plone.supermodel 1.6.3 no longer resolves entities in the xml parser. It also removes processing instructions. 
These are both security enhancements.", + "advisory": "Python-picnic 1.2 prevents a seed-guessing attack by adding a per-signature salt to random tapes generation.", "cve": null, - "id": "pyup.io-39141", + "id": "pyup.io-38681", "specs": [ - "<1.6.3" + "<1.2" ], - "v": "<1.6.3" + "v": "<1.2" } ], - "plone.z3cform": [ + "python-pptx": [ { - "advisory": "Plone.z3cform 0.5.9 fixes a security problem with the ++widget++ namespace [optilude].", + "advisory": "python-pptx before 0.6.12 used a vulnerable version of Pillow.", "cve": null, - "id": "pyup.io-37035", + "id": "pyup.io-36382", "specs": [ - "<0.5.9" + "<0.6.12" ], - "v": "<0.5.9" + "v": "<0.6.12" } ], - "plotly": [ + "python-saml": [ { - "advisory": "Plotly 1.15.0 improves a potential XSS input in `text` fields.", + "advisory": "python-saml before 2.1.6 is vulnerable to Signature Wrapping attacks.", "cve": null, - "id": "pyup.io-37053", + "id": "pyup.io-26087", "specs": [ - "<1.15.0" + "<2.1.6" ], - "v": "<1.15.0" + "v": "<2.1.6" }, { - "advisory": "Plotly 1.22.0 fixes an XSS vulnerability in a trace name on hover.", + "advisory": "python-saml before 2.1.9 is vulnerable to Signature Wrapping attacks.", "cve": null, - "id": "pyup.io-37052", + "id": "pyup.io-26088", "specs": [ - "<1.22.0" + "<2.1.9" ], - "v": "<1.22.0" + "v": "<2.1.9" }, { - "advisory": "Plotly 1.5.1 updates insecure dev dependencies `ecstatic` and `uglify-js`.", - "cve": null, - "id": "pyup.io-38545", + "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.", + "cve": "CVE-2017-11427", + "id": "pyup.io-35779", "specs": [ - "<1.5.1" + "<2.4.0" ], - "v": "<1.5.1" + "v": "<2.4.0" }, { - "advisory": "Plotly 1.54.4 bumps `ecstatic`, `gl-selet-static`, `gl-plot2d` & `gl-plot3d` and drops 
`cwise` to simplify build process & address security warnings [4929, 4930, 4934].", + "advisory": "Python-saml 2.5.0 includes security improvements to prevent XPath injection.", "cve": null, - "id": "pyup.io-38454", + "id": "pyup.io-39452", "specs": [ - "<1.54.4" + "<2.5.0" ], - "v": "<1.54.4" + "v": "<2.5.0" } ], - "plugwise": [ + "python-secrets": [ { - "advisory": "Plugwise 0.8.2 improves the security by switching from lxml to defusedxml.", + "advisory": "Python-secrets 0.9.1 adds ``six`` for securing ``input`` call.", "cve": null, - "id": "pyup.io-39026", + "id": "pyup.io-37582", "specs": [ - "<0.8.2" + "<0.9.1" ], - "v": "<0.8.2" - } - ], - "plumi.app": [ + "v": "<0.9.1" + }, { - "advisory": "plumi.app 4.2 includes a security hotfix related to LinguaPlone & plone.app.discussion.", + "advisory": "Python-secrets before 19.10.0 adds control of umask for better file perm security.", "cve": null, - "id": "pyup.io-26011", + "id": "pyup.io-37583", "specs": [ - "<4.2" + "<19.10.0" ], - "v": "<4.2" + "v": "<19.10.0" }, { - "advisory": "plumi.app before 4.2.1 uses a insecure transitive dependency (plone<4.0.7).", + "advisory": "Python-secrets before 19.8.0 adds insecure permissions checking", "cve": null, - "id": "pyup.io-26012", + "id": "pyup.io-37401", "specs": [ - "<4.2.1" + "<19.8.0" ], - "v": "<4.2.1" + "v": "<19.8.0" }, { - "advisory": "plumi.app 4.2.2 patches a serious security vulnerability/", + "advisory": "Python-secrets 19.8.3 ensures more secure permissions.", "cve": null, - "id": "pyup.io-26013", + "id": "pyup.io-37421", "specs": [ - "<4.2.2" + "<19.8.3" ], - "v": "<4.2.2" + "v": "<19.8.3" } ], - "plusminus": [ + "python-smooch": [ { - "advisory": "Plusminus 0.3.0 has been hardened against some possible attacks, using deep expression nesting or formula references.", - "cve": null, - "id": "pyup.io-38323", + "advisory": "Python-smooch 1.0.4 bumps requests gem due to CVE-2018-18074.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36604", "specs": [ - "<0.3.0" + 
"<1.0.4" ], - "v": "<0.3.0" + "v": "<1.0.4" } ], - "pmr2.oauth": [ + "python-socketio": [ { - "advisory": "pmr2.oauth before 0.4.2 is vulnerable to CSRF attacks.", + "advisory": "Python-socketio 4.3.0 addresses potential websocket cross-origin attacks. See: .", "cve": null, - "id": "pyup.io-26014", + "id": "pyup.io-37308", "specs": [ - "<0.4.2" + "<4.3.0" ], - "v": "<0.4.2" + "v": "<4.3.0" } ], - "podder-task-base": [ + "python-zeep": [ { - "advisory": "podder-task-base 0.4.0 changes: Update version of SQLAlchemy, Jinja for security reason", + "advisory": "python-zeep 0.4.0 adds defusedxml module for XML security issues.", "cve": null, - "id": "pyup.io-37260", + "id": "pyup.io-36504", "specs": [ "<0.4.0" ], "v": "<0.4.0" } ], - "pokedex.py": [ - { - "advisory": "pokedex.py 1.1.2 updates `requests` package to `>=2.20.0,<3.0.0` to fix information exposure vulnerability", - "cve": null, - "id": "pyup.io-36593", - "specs": [ - "<1.1.2" - ], - "v": "<1.1.2" - } - ], - "polemarch": [ + "python3-ldap": [ { - "advisory": "polemarch 1.2.1 change: Update `bootstrap` and `moment.js` for security reasons.", + "advisory": "python3-ldap before 0.9.5.4 has a security issue in lazy connections.", "cve": null, - "id": "pyup.io-37229", + "id": "pyup.io-26089", "specs": [ - "<1.2.1" + "<0.9.5.4" ], - "v": "<1.2.1" + "v": "<0.9.5.4" } ], - "polyaxon": [ + "python3-saml": [ { - "advisory": "Polyaxon 0.4.1 updates dependencies exposing security vulnerabilities.", + "advisory": "python3-saml before 1.1.4 is vulnerable to signature wrapping attacks.", "cve": null, - "id": "pyup.io-38029", + "id": "pyup.io-26090", "specs": [ - "<0.4.1" + "<1.1.4" ], - "v": "<0.4.1" + "v": "<1.1.4" }, { - "advisory": "Polyaxon 0.4.3 update some packages that have some security and deprecation problems.", + "advisory": "python3-saml 1.2.0 introduces several undisclosed security improvements.", "cve": null, - "id": "pyup.io-38028", + "id": "pyup.io-26091", "specs": [ - "<0.4.3" + "<1.2.0" ], - "v": "<0.4.3" + 
"v": "<1.2.0" }, { - "advisory": "Polyaxon 0.5.1 updates lodash: vulnerability issue.", - "cve": null, - "id": "pyup.io-38025", + "advisory": "P{ython3-saml 1.2.6 now uses defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672)", + "cve": "CVE-2017-9672", + "id": "pyup.io-34782", "specs": [ - "<0.5.1" + "<1.2.6" ], - "v": "<0.5.1" + "v": "<1.2.6" }, { - "advisory": "Polyaxon 0.5.5 updates dependencies with security release.", - "cve": null, - "id": "pyup.io-38023", + "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.", + "cve": "CVE-2017-11427", + "id": "pyup.io-35780", "specs": [ - "<0.5.5" + "<1.4.0" ], - "v": "<0.5.5" + "v": "<1.4.0" }, { - "advisory": "Polyaxon 0.6.0 fixes some unspecified security issues.", + "advisory": "Python3-saml 1.5.0 contains security improvements to prevent XPath injection. 
It also disables DTD on the fromstring defusedxml method.", "cve": null, - "id": "pyup.io-38022", + "id": "pyup.io-39454", "specs": [ - "<0.6.0" + "<1.5.0" ], - "v": "<0.6.0" + "v": "<1.5.0" } ], - "poorwsgi": [ + "pytorch-lightning": [ { - "advisory": "poorwsgi 1.0.2 includes several security related enhancements related to secret key generation.", + "advisory": "Pytorch-lightning 0.9.0 fixes a shell injection vulnerability in a subprocess call.", "cve": null, - "id": "pyup.io-26015", + "id": "pyup.io-38707", "specs": [ - "<1.0.2" + "<0.9.0" ], - "v": "<1.0.2" + "v": "<0.9.0" } ], - "pootle": [ + "pytrackdat": [ { - "advisory": "pootle before 2.8.0rc5 is vulnerable to several undisclosed security vulnerabilites.", + "advisory": "Pytrackdat 0.2.0 validates the security of the administrator passwords.", "cve": null, - "id": "pyup.io-34211", + "id": "pyup.io-37141", "specs": [ - "<2.8.0rc5" + "<0.2.0" ], - "v": "<2.8.0rc5" - }, + "v": "<0.2.0" + } + ], + "pytsite": [ { - "advisory": "pootle before 2.8.0rc6 has multiple, undisclosed, security vulnerabilites that were found during an audit.", + "advisory": "pytsite before 1.2 has a critical web login security issue.", "cve": null, - "id": "pyup.io-34790", + "id": "pyup.io-34825", "specs": [ - "<2.8.0rc6" + "<1.2" ], - "v": "<2.8.0rc6" - }, + "v": "<1.2" + } + ], + "pyu4v": [ { - "advisory": "pootle before 2.7.3 is vulnerable to XSS attacks, so everybody with Pootle 2.7.x needs to upgrade.", + "advisory": "Pyu4v 9.1.2.0 introduced the option to create a secure snapshot by means of `create_storage_group_snapshot`.", "cve": null, - "id": "pyup.io-34201", + "id": "pyup.io-37914", "specs": [ - ">=2.6,<2.7.3" + "<9.1.2.0" ], - "v": ">=2.6,<2.7.3" + "v": "<9.1.2.0" } ], - "postfix-mta-sts-resolver": [ + "pyupdater": [ { - "advisory": "Postfix-mta-sts-resolver 0.6.1 hardens the container security.", + "advisory": "pyupdater before 0.20.0 is vulnerable to session fixation attacks and potentially cookie stealing.", "cve": null, 
- "id": "pyup.io-37461", + "id": "pyup.io-26092", "specs": [ - "<0.6.1" + "<0.20.0" ], - "v": "<0.6.1" + "v": "<0.20.0" } ], - "prefect": [ + "pyvcloud": [ { - "advisory": "Prefect 0.12.6 removes password from Postgres tasks' initialization methods for security.", - "cve": null, - "id": "pyup.io-38663", + "advisory": "Pyvcloud 20.0.0 fixes CVE-2017-18342: Replace yaml.load() with yaml.safe_load()", + "cve": "CVE-2017-18342", + "id": "pyup.io-36809", "specs": [ - "<0.12.6" + "<20.0.0" ], - "v": "<0.12.6" + "v": "<20.0.0" }, { - "advisory": "Prefect 0.5.1 bumps `distributed` to 1.26.1 for enhanced security features - [878].", + "advisory": "Pyvcloud 20.1.0 includes a fix for a pyyaml vulnerability found in requirements.txt", "cve": null, - "id": "pyup.io-37020", + "id": "pyup.io-37518", "specs": [ - "<0.5.1" + "<20.1.0" ], - "v": "<0.5.1" + "v": "<20.1.0" } ], - "pretaweb.healthcheck": [ + "pyvisa": [ { - "advisory": "pretaweb.healthcheck before 1.0 is vulnerable to DoS attacks.", + "advisory": "pyvisa before 0.9 has a undisclosed security vulnerability in visa.py.", "cve": null, - "id": "pyup.io-26016", + "id": "pyup.io-26093", "specs": [ - "<1.0" + "<0.9" ], - "v": "<1.0" + "v": "<0.9" } ], - "priority": [ + "pywbem": [ { - "advisory": "priority before 1.2.0 is vulnerable to a denial of service attack whereby a remote peer can cause a user to insert an unbounded number of streams into the priority tree, eventually consuming all available memory.", + "advisory": "pywbem 0.13.0 increases the minimum required versions dependent Python\r\n packages in order to fix security issues with these packages.", "cve": null, - "id": "pyup.io-26017", + "id": "pyup.io-36927", "specs": [ - "<1.2.0" + "<0.13.0" ], - "v": "<1.2.0" - } - ], - "privacyidea": [ + "v": "<0.13.0" + }, { - "advisory": "Privacyidea 3.4.1 uses a secure way to compare strings to avoid theoretical side channel attacks.", + "advisory": "Pywbem 0.14.3 updates the following packages to address security 
vulnerabilities:\r\n\r\n* requests from 2.19.1 to 2.20.1 (when on Python 2.7 or higher)\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", "cve": null, - "id": "pyup.io-39341", + "id": "pyup.io-38577", "specs": [ - "<3.4.1" + "<0.14.3" ], - "v": "<3.4.1" - } - ], - "products-cmfcore": [ + "v": "<0.14.3" + }, { - "advisory": "Products-cmfcore 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.", - "cve": "CVE-2007-0240", - "id": "pyup.io-36125", + "advisory": "Pywbem 0.17.0 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", + "cve": null, + "id": "pyup.io-38576", "specs": [ - "<2.1.0beta2" + "<0.17.0" ], - "v": "<2.1.0beta2" - } - ], - "products-ploneformgen": [ + "v": "<0.17.0" + }, { - "advisory": "products-ploneformgen before 1.8.1 has a XSS vulnerability that could be exploited by users with the ability\r\n to create forms.", + "advisory": "Pywbem 1.0.0 increases versions of the following packages to address security vulnerabilities:\r\n* requests from 2.19.1 to 2.20.1\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", "cve": null, - "id": "pyup.io-35878", + "id": "pyup.io-37517", "specs": [ - "<1.8.1" + "<1.0.0" ], - "v": "<1.8.1" - } - ], - "products-zopetree": [ + "v": "<1.0.0" + }, { - "advisory": "Products-zopetree 1.3 fixes a security hole in the tree state decompressing mechanism. Previous versions were vulnerable to a denial of service attack using large tree states.", + "advisory": "To address security vulnerabilities, pywbem 1.0.0b1 increases the versions of requests (from 2.19.1 to 2.20.1), urllib3 (from 1.22 to 1.23), and bleach (from 2.1.0 to 2.1.4). 
These packages are only used for development of pywbem.\r\n\r\nAlso, pywbem 1.0.0b1 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", "cve": null, - "id": "pyup.io-37726", + "id": "pyup.io-38444", "specs": [ - "<1.3" + "<1.0.0b1" ], - "v": "<1.3" - } - ], - "products.cmfcontentpanels": [ + "v": "<1.0.0b1" + }, { - "advisory": "products.cmfcontentpanels before 1.4.1 has two not disclosed security issues.", + "advisory": "Pywbem 1.2.0.dev1 increases the minimum version of 'PyYAML' to 5.2 on Python 3.4 and to 5.3.1 on Python 2.7 and >=3.5 to address security issues (- the relevant functions of PyYAML are not used by pywbem, though.) \r\n\r\nAdditionally, pywbem 1.2.0.dev1 increases the minimum version of 'urllib3' to 1.24.2 on Python 3.4 and to 1.25.9 on Python 2.7 and >=3.5 to address security issues. To support these versions of urllib3, the minimum version of\r\n'requests' was increased to 2.20.1 on Python 3.4 and to 2.22.0 on Python 2.7 and >=3.5.\r\n\r\nLastly, pywbem 1.2.0.dev1 increases the minimum versions of several other packages that are needed only for test or development of pywbem to address security issues. 
In particular: requests-toolbelt to 0.8.0; lxml to 4.6.2 (except for Python 3.4); pylint to 2.5.2 and astroid to 2.4.0 on Python >=3.5; typed-ast to 1.3.2 on Python 3.4; twine to 3.0.0 on Python >=3.6; pkginfo to 1.4.2; bleach to 3.1.2 on Python 3.4 and to 3.1.4 on Python 2.7 and Python >=3.5.", "cve": null, - "id": "pyup.io-26020", + "id": "pyup.io-39383", "specs": [ - "<1.4.1" + "<1.2.0.dev1" ], - "v": "<1.4.1" + "v": "<1.2.0.dev1" } ], - "products.cmfcore": [ - { - "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. See: CVE-2007-0240.", - "cve": "CVE-2007-0240", - "id": "pyup.io-35820", - "specs": [ - "<2.1.0beta2" - ], - "v": "<2.1.0beta2" - }, + "pywbemtools": [ { - "advisory": "Products.cmfcore 2.3.0beta tightens the security for anonymous test user.", + "advisory": "Pywbemtools 0.6.0 increases the minimum versions of some packages used for development to address security issues: twine, bleach, urllib3.", "cve": null, - "id": "pyup.io-35818", + "id": "pyup.io-38169", "specs": [ - "<2.3.0beta" + "<0.6.0" ], - "v": "<2.3.0beta" + "v": "<0.6.0" } ], - "products.cmfplone": [ + "pywebsite": [ { - "advisory": "In Products.CMFPlone before 5.1b1, it's possible to access private content via str.format in through-the-web templates and scripts.", + "advisory": "pywebsite 0.1.14pre's signed_url method is now (more) immune to VS timing attacks.", "cve": null, - "id": "pyup.io-32997", + "id": "pyup.io-26094", "specs": [ - "<5.1b1" + "<0.1.14pre" ], - "v": "<5.1b1" + "v": "<0.1.14pre" }, { - "advisory": "Products.cmfplone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", + "advisory": "pywebsite before 0.1.9pre is vulnerable to length extension attacks, and value equivalence attacks.", "cve": null, - "id": "pyup.io-38701", + "id": "pyup.io-26095", "specs": [ - "<5.2.2" + "<0.1.9pre" ], - "v": "<5.2.2" - 
}, + "v": "<0.1.9pre" + } + ], + "pywikibot": [ { - "advisory": "Products.cmfplone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", + "advisory": "Pywikibot 3.0.20181203 require requests version 2.20.0 or later for security reasons.", "cve": null, - "id": "pyup.io-39021", + "id": "pyup.io-38151", "specs": [ - "<5.2.2rc1" + "<3.0.20181203" ], - "v": "<5.2.2rc1" + "v": "<3.0.20181203" } ], - "products.cmfquickinstallertool": [ + "pywren-ibm-cloud": [ { - "advisory": "products.cmfquickinstallertool before 3.0.14 is vulnerable to several cross site scripting (XSS) attacks.", - "cve": null, - "id": "pyup.io-26021", + "advisory": "Pywren-ibm-cloud 1.0.1 fixes the flask security issues. See CVE-2018-1000656.", + "cve": "CVE-2018-1000656", + "id": "pyup.io-37480", "specs": [ - "<3.0.14" + "<1.0.1" ], - "v": "<3.0.14" + "v": "<1.0.1" + }, + { + "advisory": "Pywren-ibm-cloud 1.0.19 fixes the CVE-2019-12855 security alert.", + "cve": "CVE-2019-12855", + "id": "pyup.io-37479", + "specs": [ + "<1.0.19" + ], + "v": "<1.0.19" } ], - "products.cmfuid": [ + "pyxmlsecurity": [ { - "advisory": "Products.cmfuid before 2.1.0beta2 has a vulnerability because it includes the Zope dependency version <2.10.2, which has an injection vulnerability. See: CVE-2007-0240.", - "cve": "CVE-2007-0240", - "id": "pyup.io-36300", + "advisory": "pyxmlsecurity 0.9 protects against wrapping attacks.", + "cve": null, + "id": "pyup.io-26096", "specs": [ - "<2.1.0beta2" + "<0.9" ], - "v": "<2.1.0beta2" + "v": "<0.9" } ], - "products.dcworkflow": [ + "pyxnat": [ { - "advisory": "Products.dcworkflow 2.1.0beta2 adds POST-only protections to security critical methods. 
See: CVE-2007-0240.", - "cve": "CVE-2007-0240", - "id": "pyup.io-38035", + "advisory": "Pyxnat 1.1.0.0 fixes a vulnerability by upgrading the `requests` package.", + "cve": null, + "id": "pyup.io-37196", "specs": [ - "<2.1.0beta2" + "<1.1.0.0" ], - "v": "<2.1.0beta2" + "v": "<1.1.0.0" } ], - "products.ldapuserfolder": [ + "pyyaml": [ { - "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", - "cve": null, - "id": "pyup.io-33148", + "advisory": "Pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.", + "cve": "CVE-2017-18342", + "id": "pyup.io-36333", "specs": [ - "<2.19" + "<4" ], - "v": "<2.19" + "v": "<4" }, { - "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", - "cve": "CVE-2010-2944", - "id": "pyup.io-26023", + "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. 
See: CVE-2020-1747.", + "cve": "CVE-2020-1747", + "id": "pyup.io-38100", "specs": [ - "==2.9" + "<5.3.1" ], - "v": "==2.9" - } - ], - "products.ploneformgen": [ + "v": "<5.3.1" + }, { - "advisory": "products.ploneformgen before 1.8.1 is vulnerable to a XSS attack that could be exploited by users with the ability to create forms.", - "cve": null, - "id": "pyup.io-26024", + "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.", + "cve": "CVE-2020-14343", + "id": "pyup.io-39611", "specs": [ - "<1.8.1" + "<5.4" ], - "v": "<1.8.1" - } - ], - "products.plonepas": [ + "v": "<5.4" + }, { - "advisory": "The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.", - "cve": "CVE-2009-0662", - "id": "pyup.io-33149", + "advisory": "CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. 
NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.", + "cve": "CVE-2019-20477", + "id": "pyup.io-38639", "specs": [ - ">3.2.2,<3.9" + ">=5.1,<=5.1.2" ], - "v": ">3.2.2,<3.9" + "v": ">=5.1,<=5.1.2" } ], - "products.poi": [ + "qi-jabberhelpdesk": [ { - "advisory": "products.poi before 2.2.3 allows anonymous users to see issues inside private folders.", + "advisory": "qi-jabberhelpdesk 0.30 includes unspecified security fixes, some vulnerable xml-rpc calls fixed. [ggozad]", "cve": null, - "id": "pyup.io-26027", + "id": "pyup.io-36052", "specs": [ - "<2.2.3" + "<0.30" ], - "v": "<2.2.3" + "v": "<0.30" } ], - "projen": [ - { - "advisory": "Projen 0.3.10 inlcudes a fix for a security issue with standard-version 8.0.0.", - "cve": null, - "id": "pyup.io-39417", - "specs": [ - "<0.3.10" - ], - "v": "<0.3.10" - }, + "qi.jabberhelpdesk": [ { - "advisory": "Projen 0.7.0 addresses a security issue with standard-version 8.0.0.", + "advisory": "qi.jabberhelpdesk before 0.30 has several undisclosed vulnerabilities in xml-rpc calls.", "cve": null, - "id": "pyup.io-39416", + "id": "pyup.io-26097", "specs": [ - "<0.7.0" + "<0.30" ], - "v": "<0.7.0" - }, + "v": "<0.30" + } + ], + "qlib": [ { - "advisory": "Projen 0.8.0 addresses a security issue with standard-version 8.0.0.", - "cve": null, - "id": "pyup.io-39415", + "advisory": "This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function. 
See CVE-2021-23338.", + "cve": "CVE-2021-23338", + "id": "pyup.io-39620", "specs": [ - "<0.8.0" + ">=0.0.0" ], - "v": "<0.8.0" - }, + "v": ">=0.0.0" + } + ], + "quandl-fund-xlsx": [ { - "advisory": "Projen 0.9.0 addresses a security issue with standard-version 8.0.0.", + "advisory": "quandl-fund-xlsx 0.2.1 - Minor security fix, requests version now >=2.20.0", "cve": null, - "id": "pyup.io-39414", + "id": "pyup.io-36655", "specs": [ - "<0.9.0" + "<0.2.1" ], - "v": "<0.9.0" + "v": "<0.2.1" } ], - "psd-tools": [ + "quart": [ { - "advisory": "Psd-tools 1.8.31 updates `pillow` dependency to >= 6.2.0 for security reasons.", + "advisory": "Quart 0.4.0 allows the request to be limited to prevent DOS attacks.", "cve": null, - "id": "pyup.io-38525", + "id": "pyup.io-39235", "specs": [ - "<1.8.31" + "<0.4.0" ], - "v": "<1.8.31" + "v": "<0.4.0" }, { - "advisory": "Psd-tools 1.9.4 fixes a security issue related to compression in 1.8.37 - 1.9.3.", + "advisory": "Quart 0.5.0 refactors to mitigate DOS attacks.", "cve": null, - "id": "pyup.io-37654", + "id": "pyup.io-39234", "specs": [ - ">=1.8.37,<=1.9.3" + "<0.5.0" ], - "v": ">=1.8.37,<=1.9.3" + "v": "<0.5.0" } ], - "psutil": [ + "quilt": [ { - "advisory": "psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. 
See CVE-2019-18874.", - "cve": "CVE-2019-18874", - "id": "pyup.io-37765", + "advisory": "quilt 2.9.14 updates urllib3 version for security patch", + "cve": null, + "id": "pyup.io-36749", "specs": [ - "<=5.6.5" + "<2.9.14" ], - "v": "<=5.6.5" + "v": "<2.9.14" } ], - "ptah": [ + "quintagroup-seoptimizer": [ { - "advisory": "ptah before 0.3.3 is vulnerable to a undisclosed attack.", + "advisory": "quintagroup-seoptimizer 3.0.4 fixes a security issue for SEO Property action and view\r\n http://plone.org/products/plone-seo/issues/24", "cve": null, - "id": "pyup.io-26028", + "id": "pyup.io-36006", "specs": [ - "<0.3.3" + "<3.0.4" ], - "v": "<0.3.3" + "v": "<3.0.4" } ], - "pulumi-kubernetes": [ + "quintagroup.seoptimizer": [ { - "advisory": "Pulumi-kubernetes 2.6.0 upgrades its version of pyyaml to fix a security vulnerability. See: CVE-2019-20477.", - "cve": "CVE-2019-20477", - "id": "pyup.io-38772", + "advisory": "quintagroup.seoptimizer before 3.0.4 has a security issue for SEO Property action and view.", + "cve": null, + "id": "pyup.io-26098", "specs": [ - "<2.6.0" + "<3.0.4" ], - "v": "<2.6.0" + "v": "<3.0.4" } ], - "puput": [ + "qurro": [ { - "advisory": "Puput 1.0.4 update the Django version to greater than 2.1.6 to fix security issues.", + "advisory": "The text boxes in qurro 0.4.0 describing the currently-selected numerator / denominator features are now \"read-only\" (you can't edit them while using Qurro). This should remove any vulnerability to accidental edits of these text boxes.", "cve": null, - "id": "pyup.io-37153", + "id": "pyup.io-37374", "specs": [ - "<1.0.4" + "<0.4.0" ], - "v": "<1.0.4" + "v": "<0.4.0" } ], - "pupyl": [ + "qutebrowser": [ { - "advisory": "Pupyl 0.10.4 includes a security update regarding its dependencies. 
No details are provided.", + "advisory": "Qutebrowser 1.0.3 ships with PyQt 5.9.1 and Qt 5.9.2 which includes security fixes from Chromium up to version 61.0.3163.79.", "cve": null, - "id": "pyup.io-39208", + "id": "pyup.io-35044", "specs": [ - "<0.10.4" + "<1.0.3" ], - "v": "<0.10.4" + "v": "<1.0.3" }, { - "advisory": "Pupyl 0.10.5 updated its dependencies version for security reasons.", + "advisory": "Qutebrowser 1.1.2 ships with Qt 5.10.1 which includes security fixes from Chromium up to version 64.0.3282.140.", "cve": null, - "id": "pyup.io-39392", + "id": "pyup.io-35786", "specs": [ - "<0.10.5" + "<1.1.2" ], - "v": "<0.10.5" + "v": "<1.1.2" }, { - "advisory": "Pupyl before 0.10.6 includes Tensorflow 2.3.1 which has security issues (see issue 73) and should therefore be upgraded to 2.4.0. However, the last version of Tensorflow has issues on its compilation (see Tensorflow issue 45744), and hence must be downgraded to ensure that the library still works.", - "cve": null, - "id": "pyup.io-39400", + "advisory": "Qutebrowser 1.11.1 includes a fix for CVE-2020-11054: After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security. This is now fixed.", + "cve": "CVE-2020-11054", + "id": "pyup.io-38266", "specs": [ - "<0.10.6" + "<1.11.1" ], - "v": "<0.10.6" - } - ], - "pure": [ + "v": "<1.11.1" + }, { - "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. 
secure against bad git branch names)", - "cve": null, - "id": "pyup.io-36940", + "advisory": "The Windows and macOS releases of Qutebrowser 1.14.1 ship Qt 5.15.2, which is based on Chromium 83.0.4103.122 with security fixes up to 86.0.4240.183. This includes CVE-2020-15999 in the bundled freetype library, which is known to be exploited in the wild.", + "cve": "CVE-2020-15999", + "id": "pyup.io-39227", "specs": [ - "<1.5.2" + "<1.14.1" ], - "v": "<1.5.2" - } - ], - "pushradar": [ + "v": "<1.14.1" + }, { - "advisory": "Pushradar 3.0.0alpha.2 includes a patch to make the channel authentication more secure.", + "advisory": "In qutebrowser 1.3.0, support for JavaScript Shared Web Workers has been disabled on Qt versions older than 5.11 because of security issues in Chromium. You can get the same effect in earlier versions via `:set qt.args ['disable-shared-workers']`. An equivalent workaround is also contained in Qt 5.9.5 and 5.10.1.", "cve": null, - "id": "pyup.io-39630", + "id": "pyup.io-36929", "specs": [ - "<3.0.0alpha.2", - "<3.0.0a2" + "<1.3.0" ], - "v": "<3.0.0alpha.2,<3.0.0a2" - } - ], - "pwd": [ + "v": "<1.3.0" + }, { - "advisory": "pwd is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, - "id": "pyup.io-34983", + "advisory": "In qutebrowser 1.3.3, an XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. If you're currently unable to upgrade, avoid using `:history`. See CVE-2018-1000559.", + "cve": "CVE-2018-1000559", + "id": "pyup.io-37812", "specs": [ - ">0", - "<0" + "<1.3.3" ], - "v": ">0,<0" - } - ], - "pwman3": [ + "v": "<1.3.3" + }, { - "advisory": "pwman3 before 0.4.0 uses cPickle.loads and cPickle.dumps.", + "advisory": "Qutebrowser 1.4.0 ships with Qt 5.11.1 in the macOS and Windows releases, which are based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87. 
The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.", "cve": null, - "id": "pyup.io-26029", + "id": "pyup.io-36294", "specs": [ - "<0.4.0" + "<1.4.0" ], - "v": "<0.4.0" - } - ], - "pwntools": [ + "v": "<1.4.0" + }, { - "advisory": "The shellcraft generator in pwntools before 4.3.1 is vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. See CVE-2020-28468.", - "cve": "CVE-2020-28468", - "id": "pyup.io-39426", + "advisory": "Qutebrowser 1.4.1 fixes the CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See https://github.com/qutebrowser/qutebrowser/issues/4060 and CVE-2018-10895.", + "cve": "CVE-2018-10895", + "id": "pyup.io-36970", "specs": [ - "<4.3.1" + "<1.4.1" ], - "v": "<4.3.1" + "v": "<1.4.1" }, { - "advisory": "Pwntools 4.3.1 fixes a shellcraft SSTI vulnerability.", + "advisory": "Qutebrowser 1.5.0 ships with Python 3.7, PyQt 5.11.3 and Qt 5.11.2. QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and various other fixes.", "cve": null, - "id": "pyup.io-39204", + "id": "pyup.io-36521", "specs": [ - "<4.3.1" + "<1.5.0" ], - "v": "<4.3.1" - } - ], - "py": [ + "v": "<1.5.0" + }, { - "advisory": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. 
See CVE-2020-29651.", - "cve": "CVE-2020-29651", - "id": "pyup.io-39253", + "advisory": "Qutebrowser 1.6.0 ships with Qt 5.12.1 which is based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94.", + "cve": null, + "id": "pyup.io-36199", "specs": [ - "<=1.9.0" + "<1.6.0" ], - "v": "<=1.9.0" - } - ], - "py-bcrypt": [ + "v": "<1.6.0" + }, { - "advisory": "The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. See: CVE-2013-1895.", - "cve": "CVE-2013-1895", - "id": "pyup.io-37747", + "advisory": "Qutebrowser 1.6.1 ships with Qt 5.12.2 in the macOS and Windows releases, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild).", + "cve": "CVE-2019-5786", + "id": "pyup.io-36280", "specs": [ - "<0.3" + "<1.6.1" ], - "v": "<0.3" - } - ], - "py-ci": [ + "v": "<1.6.1" + }, { - "advisory": "Py-ci 0.5.2 upgrades versions of requests and jinja2 due to security alerts. See: .", + "advisory": "Qutebrowser 1.6.2 ships with Qt 5.12.3 in the macOS and Windows releases, which includes security fixes up to Chromium 73.0.3683.75.", "cve": null, - "id": "pyup.io-37333", + "id": "pyup.io-37120", "specs": [ - "<0.5.2" + "<1.6.2" ], - "v": "<0.5.2" - } - ], - "py-crypto-hd-wallet": [ + "v": "<1.6.2" + }, { - "advisory": "Py-crypto-hd-wallet 0.2.0 removes the possibility to load a wallet from file. This did not make a lot of sense because saving a wallet to file in JSON format is only meant for a quick and temporary storing of keys, not as a definitive and secure way to store it. For storing a wallet for future loading, it'd make more sense to just store the mnemonic, seed or extended key (depending how the wallet was generated) instead of the complete key chain by adding some security (e.g. crypting the file). 
This can be done by the user directly, in the way he prefers, with the APIs that are present now.", + "advisory": "Qutebrowser 1.7.0 ships with Qt 5.12.4 in the macOS and Windows releases, which includes security fixes up to Chromium 74.0.3729.157.", "cve": null, - "id": "pyup.io-38175", + "id": "pyup.io-37507", "specs": [ - "<0.2.0" + "<1.7.0" ], - "v": "<0.2.0" - } - ], - "py-espeak-ng": [ + "v": "<1.7.0" + }, { - "advisory": "py-espeak-ng 1.49.0 fixes many logic and security issues reported by clang scan-build, Coverity and msvc /analyze.", + "advisory": "Qutebrowser 1.8.0 ships with Qt 5.13.0 and QtWebEngine 5.13.1 in the macOS releases (based on Chromium 73.0.3683.105), and Qt/QtWebEngine 5.12.5 in the Windows release (based on Chromium 69.0.3497.128), which both include security fixes up to Chromium 76.0.3809.87.", "cve": null, - "id": "pyup.io-36322", + "id": "pyup.io-37506", "specs": [ - "<1.49.0" + "<1.8.0" ], - "v": "<1.49.0" - } - ], - "py-gfm": [ + "v": "<1.8.0" + }, { - "advisory": "Py-gfm version 0.28.3.gfm.12 includes various security and bug fixes.", + "advisory": "Qutebrowser 1.8.1 ships with Qt/QtWebEngine 5.12.5 in the macOS and Windows releases, which are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87.", "cve": null, - "id": "pyup.io-38621", + "id": "pyup.io-37511", "specs": [ - "<0.28.3.gfm.12" + "<1.8.1" ], - "v": "<0.28.3.gfm.12" - } - ], - "py-hiverunner": [ + "v": "<1.8.1" + }, { - "advisory": "Py-hiverunner 5.0.0 updates the default supported Hive version to 2.3.4 because version 2.3.3 has a vulnerability. 
See: CVE-2018-1314.", - "cve": "CVE-2018-1314", - "id": "pyup.io-38559", + "advisory": "Qutebrowser 1.8.2 ships with Qt 5.12.6 in the macOS and Windows releases, which includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78.", + "cve": "CVE-2019-13720", + "id": "pyup.io-36433", "specs": [ - "<5.0.0" + "<1.8.2" ], - "v": "<5.0.0" + "v": "<1.8.2" } ], - "py-mon": [ + "radicale": [ { - "advisory": "Py-mon 1.18.7 upgrades pstree to remove a vulnerability. See: .", + "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.", "cve": null, - "id": "pyup.io-39345", + "id": "pyup.io-33323", "specs": [ - "<1.18.7" + "<1.1.2" ], - "v": "<1.18.7" + "v": "<1.1.2" } ], - "py-ms": [ + "raiden": [ { - "advisory": "py-ms 1.0.1 replaces Jaeger with Lightstep - improved security.", + "advisory": "Raiden 0.10.0 fixes a security issue where an attacker could eavesdrop Matrix communications between two nodes in private rooms.", "cve": null, - "id": "pyup.io-36875", + "id": "pyup.io-37316", "specs": [ - "<1.0.1" + "<0.10.0" ], - "v": "<1.0.1" - } - ], - "py-nightscout": [ + "v": "<0.10.0" + }, { - "advisory": "Py-nightscout 0.10.2 updates Node to 8.9.1, with security fixes.", + "advisory": "The Monitoring Service database in raiden before 0.2.0 (before 0.100.5.dev0) is vulnerable to timing based Monitoring Request injection. 
See .", "cve": null, - "id": "pyup.io-38662", + "id": "pyup.io-37364", "specs": [ - "<0.10.2" + "<0.2.0", + ">=0.100,<0.100.5.dev0" ], - "v": "<0.10.2" + "v": "<0.2.0,>=0.100,<0.100.5.dev0" }, { - "advisory": "Py-nightscout 0.10.3 includes many upgrades to dependencies, including several security fixes.", + "advisory": "Raiden 0.4.1 prevents DOS attacks and race conditions that caused client crashes.", "cve": null, - "id": "pyup.io-38661", + "id": "pyup.io-38520", "specs": [ - "<0.10.3" + "<0.4.1" ], - "v": "<0.10.3" - }, + "v": "<0.4.1" + } + ], + "raiden-services": [ { - "advisory": "Py-nightscout 0.11.0 includes various security updates:\r\n- Unsecure access via http is not allowed anymore by default. \r\n- The 'mqtt' module was removed because it had a security issue and was not used.\r\n- The 'sgvdata' module was removed because it had a security issue.\r\n- Various updates to dependencies with known security issues.\r\n- Nightscout is now only allowed to start with a secure Node JS. \r\n- General improved security and new environment variables such as INSECURE_USE_HTTP and SECURE_HSTS_HEADER.\r\n - HTTP Strict Transport Security (HSTS) headers are now enabled by default, settings SECURE_HSTS_HEADER and SECURE_HSTS_HEADER_*.", + "advisory": "In raiden-services before 0.2.0 , the Monitoring Service database was vulnerable to timing-based Monitoring Request injection. 
See: .", "cve": null, - "id": "pyup.io-38660", + "id": "pyup.io-37317", "specs": [ - "<0.11.0" + "<0.2.0" ], - "v": "<0.11.0" - }, + "v": "<0.2.0" + } + ], + "ramlwrap": [ { - "advisory": "Py-nightscout 0.11.1 sticks to 'event-stream' version 3.3.4, because with 4.0.1 GitHub will issue a security warning.", + "advisory": "Ramlwrap 2.2.2 updates PyYAML to a more secure version.", "cve": null, - "id": "pyup.io-38659", + "id": "pyup.io-38298", "specs": [ - "<0.11.1" + "<2.2.2" ], - "v": "<0.11.1" - }, + "v": "<2.2.2" + } + ], + "rasa": [ { - "advisory": "Py-nightscout 0.12.0 includes many dependency updates for security reasons.", - "cve": null, - "id": "pyup.io-38658", + "advisory": "Rasa 1.10.0 updates the pyyaml dependency to 5.3.1 to fix CVE-2020-1747.", + "cve": "CVE-2020-1747", + "id": "pyup.io-38230", "specs": [ - "<0.12.0" + "<1.10.0" ], - "v": "<0.12.0" + "v": "<1.10.0" }, { - "advisory": "Py-nightscout 13.0.0 introduces the new APIv3, which generally provides a secured and HTTP REST compliant interface for Nightscout's data exchange.", + "advisory": "The slack connector in rasa 2.1.0 changes the configuration for 'slack_signing_secret' to make the connector more secure (issue 7204). 
The configuration value needs to be added to your 'credentials.yml' if you are using the slack connector.", "cve": null, - "id": "pyup.io-38657", + "id": "pyup.io-39308", "specs": [ - "<13.0.0" + "<2.1.0" ], - "v": "<13.0.0" + "v": "<2.1.0" } ], - "py-rate": [ + "rasa-sdk": [ { - "advisory": "The luigi functionality before py-rate 0.3.0 was reported as vulnerable.", - "cve": null, - "id": "pyup.io-37312", + "advisory": "Rasa 1.10.0 updates the pyyaml dependency to 5.3.1 to fix CVE-2020-1747.", + "cve": "CVE-2020-1747", + "id": "pyup.io-38229", "specs": [ - "<0.3.0" + "<1.10.0" ], - "v": "<0.3.0" + "v": "<1.10.0" } ], - "py3web": [ + "rauth": [ { - "advisory": "py3web before 0.21 isn't checking for bad characters in headers.", + "advisory": "rauth before 0.7.0 isn't using a secure random number generator.", "cve": null, - "id": "pyup.io-32919", + "id": "pyup.io-26099", "specs": [ - "<0.21" + "<0.7.0" ], - "v": "<0.21" + "v": "<0.7.0" } ], - "pyamf": [ + "raylib": [ { - "advisory": "pyamf 0.8 fixes a security issue and now wrappes all xml parsing in ``defusedxml`` to protect against any XML entity attacks. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. Thanks to Nicolas Gr\u00e9goire (Agarri_FR) for the report.", + "advisory": "Raylib 1.1.1 adds a security check if a file doesn't exist - [textures]", "cve": null, - "id": "pyup.io-34622", + "id": "pyup.io-37166", "specs": [ - "<0.8" + "<1.1.1" ], - "v": "<0.8" + "v": "<1.1.1" + }, + { + "advisory": "Raylib 1.2 adds a security check in case deployed vertex excess buffer size - [rlgl]", + "cve": null, + "id": "pyup.io-37165", + "specs": [ + "<1.2" + ], + "v": "<1.2" } ], - "pyanyapi": [ + "rchitect": [ { - "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. 
A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.", - "cve": "CVE-2017-16616", - "id": "pyup.io-35719", + "advisory": "Rchitect 0.3.28 includes a new environment variable to stop reticulate code injection.", + "cve": null, + "id": "pyup.io-38971", "specs": [ - "<0.6.1" + "<0.3.28" ], - "v": "<0.6.1" + "v": "<0.3.28" } ], - "pyarmor": [ + "rdiff-backup": [ { - "advisory": "pyarmor 5.1.2 Improves the security of PyArmor self", + "advisory": "Version 0.5.0 increased rdiff-backup's security by using popen2.Popen3 and os.spawnvp instead of os.popen and os.system.", "cve": null, - "id": "pyup.io-36853", + "id": "pyup.io-38068", "specs": [ - "<5.1.2" + "<0.5.0" ], - "v": "<5.1.2" - } - ], - "pybald": [ + "v": "<0.5.0" + }, { - "advisory": "Pybald 0.5.6 updates SQLAlchemy dependency to 1.3.3 to mitigate a security issue with SQLAlchemy verstions <= 1.3.0.", + "advisory": "Rdiff-backup 0.9.3 adds some security features to the protocol, so rdiff-backup will now only allow commands from remote connections. 
The extra security will be enabled automatically on the client (it knows what to expect), but\r\nthe extra switches --restrict, --restrict-update-only, and --restrict-read-only have been added for use with --server.", "cve": null, - "id": "pyup.io-37104", + "id": "pyup.io-38067", "specs": [ - "<0.5.6" + "<0.9.3" ], - "v": "<0.5.6" - } - ], - "pybeerxml": [ + "v": "<0.9.3" + }, { - "advisory": "Pybeerxml 1.0.8 bumps some dependency versions for security fixes.", + "advisory": "Rdiff-backup 1.0.2 includes a fix for a spurious security violation from --create-full-path and a fix for bug 14545 which was introduced in version 1.0.1: Quoting caused a spurious security violation.", "cve": null, - "id": "pyup.io-38251", + "id": "pyup.io-38064", "specs": [ - "<1.0.8" + "<1.0.2" ], - "v": "<1.0.8" - } - ], - "pybible-cli": [ + "v": "<1.0.2" + }, { - "advisory": "Version 1.1.2: Bible pickle files have been replaced by JSON files for better performance and security.", + "advisory": "Rdiff-backup 1.1.6 fixes a security violation when restoring from a remote repository.", "cve": null, - "id": "pyup.io-38043", + "id": "pyup.io-38063", "specs": [ - "<1.1.2" + "<1.1.6" ], - "v": "<1.1.2" + "v": "<1.1.6" } ], - "pyca": [ + "readsettings": [ { - "advisory": "Pyca 3.3 includes a configurable, random delay for ingests to avoid accidental DDoS attacks.", + "advisory": "Readsettings 3.3.1 replaces `yaml.load` with the more secure, `yaml.safe_load`.", "cve": null, - "id": "pyup.io-39215", + "id": "pyup.io-37027", "specs": [ - "<3.3" + "<3.3.1" ], - "v": "<3.3" + "v": "<3.3.1" } ], - "pycapnp": [ + "recurly": [ { - "advisory": "pycapnp before 0.5.5 bundled an insecure library (libcapnp).", - "cve": null, - "id": "pyup.io-26030", + "advisory": "The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource.get\" method that could result in compromise of API keys or other critical 
resources.", + "cve": "CVE-2017-0906", + "id": "pyup.io-35697", "specs": [ - "<0.5.5" + "<=2.6.2" ], - "v": "<0.5.5" + "v": "<=2.6.2" } ], - "pycapnp-async": [ + "remme": [ { - "advisory": "Pycapnp-async 0.5.4 updates the bundled C++ libcapnp to v0.5.1.1 security release.", + "advisory": "remme 0.2.1alpha reviewed and fixed security issues on token operations.", "cve": null, - "id": "pyup.io-37586", + "id": "pyup.io-36973", "specs": [ - "<0.5.4" + "<0.2.1alpha" ], - "v": "<0.5.4" + "v": "<0.2.1alpha" }, { - "advisory": "Pycapnp-async 0.5.5 updates the bundled C++ libcapnp to v0.5.1.2 security release.", - "cve": null, - "id": "pyup.io-37585", + "advisory": "Remme 0.5.0alpha upgrades py-cryptography to mitigate CVE-2018-10903.", + "cve": "CVE-2018-10903", + "id": "pyup.io-36971", "specs": [ - "<0.5.5" + "<0.5.0-alpha" ], - "v": "<0.5.5" + "v": "<0.5.0-alpha" } ], - "pycares": [ + "rendertron": [ { - "advisory": "pycares before 2.1.1 is vulnerable to CVE-2016-5180.", - "cve": "CVE-2016-5180", - "id": "pyup.io-26031", + "advisory": "Rendertron 3.0.0 fixes a security issue with AppEngine deployments.", + "cve": null, + "id": "pyup.io-38571", "specs": [ - "<2.1.1" + "<3.0.0" ], - "v": "<2.1.1" + "v": "<3.0.0" } ], - "pycln": [ + "renku": [ { - "advisory": "Pycln 0.0.1alpha.3 mentions: \"C wrapped modules import star expanding related vulnerability by hadialqattan\"", + "advisory": "Renku version 0.4.0 fixes CVE-2017-18342.", + "cve": "CVE-2017-18342", + "id": "pyup.io-38552", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + }, + { + "advisory": "Renku 0.6.0 updates the werkzeug package due to security concerns - see https://github.com/SwissDataScienceCenter/renku-python/issues/633", "cve": null, - "id": "pyup.io-38857", + "id": "pyup.io-37548", "specs": [ - "<0.0.1alpha.3" + "<0.6.0" ], - "v": "<0.0.1alpha.3" + "v": "<0.6.0" } ], - "pyconll": [ + "repobee": [ { - "advisory": "pyconll 1.1.0 updates ``requests`` dependency due to security flaw", + "advisory": "Repobee 0.4.0 
adds a strict security policy to prevent malicious code from executing.", "cve": null, - "id": "pyup.io-36647", + "id": "pyup.io-38523", "specs": [ - "<1.1.0" + "<0.4.0" ], - "v": "<1.1.0" + "v": "<0.4.0" }, { - "advisory": "pyconll before 1.1.2 the ``requests`` version used in ``requirements.txt`` was insecure.", + "advisory": "Repobee 1.3.2 uses git pull instead of git clone. This is a security update.", "cve": null, - "id": "pyup.io-36763", + "id": "pyup.io-38522", "specs": [ - "<1.1.2" + "<1.3.2" ], - "v": "<1.1.2" + "v": "<1.3.2" + }, + { + "advisory": "Repobee 2.0.2 includes a fix that filters out secure token from `show-config` command output [92aa5cf08cc08d2647a9f22bb6ff120cd5a88360].", + "cve": null, + "id": "pyup.io-37383", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" } ], - "pycookiecheat": [ + "reportlab": [ { - "advisory": "Pycookiecheat 0.2.0 makes SQL query more secure by avoiding string formatting.", - "cve": null, - "id": "pyup.io-26729", + "advisory": "ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with ' odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF. See CVE-2020-28463.", + "cve": "CVE-2020-28463", + "id": "pyup.io-39642", "specs": [ - "<0.4.5" + ">=0.0" ], - "v": "<0.4.5" + "v": ">=0.0" } ], - "pycryptex": [ + "requests": [ { - "advisory": "Pycryptex 0.5.0 adds new config keys (***secure-deletion*** and ***secure-deletion-passes***) to set securely deletion of clear files in encryption operations.", - "cve": null, - "id": "pyup.io-39109", + "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. 
This fixes CVE-2014-1830.", + "cve": "CVE-2014-1830", + "id": "pyup.io-39575", "specs": [ - "<0.5.0" + "<2.3.0" ], - "v": "<0.5.0" - } - ], - "pycrypto": [ + "v": "<2.3.0" + }, { - "advisory": "In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.", - "cve": null, - "id": "pyup.io-26032", + "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. See: CVE-2014-1829.", + "cve": "CVE-2014-1829", + "id": "pyup.io-26101", "specs": [ - "<2.6" + "<2.3.0" ], - "v": "<2.6" + "v": "<2.3.0" }, { - "advisory": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.", - "cve": "CVE-2013-1445", - "id": "pyup.io-33150", + "advisory": "requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", + "cve": null, + "id": "pyup.io-26102", "specs": [ - "<2.6.1" + "<2.6.0" ], - "v": "<2.6.1" + "v": "<2.6.0" }, { - "advisory": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.", - "cve": "CVE-2018-6594", - "id": "pyup.io-35765", + "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36546", "specs": [ - "<2.6.1" + "<=2.19.1" ], - "v": "<2.6.1" + "v": "<=2.19.1" }, { - "advisory": "Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.", - "cve": "CVE-2013-7459", - "id": "pyup.io-35015", + "advisory": "The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.", + "cve": "CVE-2015-2296", + "id": "pyup.io-26103", "specs": [ - "<=2.6.1" + ">=2.1,<=2.5.3" ], - "v": "<=2.6.1" + "v": ">=2.1,<=2.5.3" } ], - "pycryptodome": [ + "requests-kerberos": [ { - "advisory": "pycryptodome before 3.6.6 has a vulnerability on AESNI ECB with payloads smaller than 16 bytes.", + "advisory": "requests-kerberos before 0.6 isn't handling mutual authentication correctly.", "cve": null, - "id": "pyup.io-36384", + "id": "pyup.io-26104", "specs": [ - "<3.6.6" + "<0.6" ], - "v": "<3.6.6" + "v": "<0.6" + }, + { + "advisory": "Python-requests-Kerberos through 0.5 does not handle mutual authentication. 
See: CVE-2014-8650 and .", + "cve": "CVE-2014-8650", + "id": "pyup.io-37758", + "specs": [ + "<=0.5" + ], + "v": "<=0.5" } ], - "pycsw": [ + "resilient": [ { - "advisory": "A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.", - "cve": "CVE-2016-8640", - "id": "pyup.io-36365", + "advisory": "IBM Resilient OnPrem 38.2 could allow a privileged user to inject malicious commands through Python3 scripting. IBM X-Force ID: 185503. See CVE-2020-4636.", + "cve": "CVE-2020-4636", + "id": "pyup.io-38888", "specs": [ - "<2.0.2" + "==38.2" ], - "v": "<2.0.2" + "v": "==38.2" } ], - "pydal": [ + "responsibly": [ { - "advisory": "pydal before 15.02.27 has a security flaw which could lead to db password storing in cache.", + "advisory": "Responsibly 0.0.3 fixes security issues with its dependencies.", "cve": null, - "id": "pyup.io-33022", + "id": "pyup.io-37335", "specs": [ - "<15.02.27" + "<0.0.3" ], - "v": "<15.02.27" + "v": "<0.0.3" } ], - "pydotz": [ + "restauth": [ { - "advisory": "pydotz 1.2.0 no longer has paths hard-coded due to security and privacy issues", + "advisory": "restauth before 0.6.3 did not verify passwords for services when using SECURE_CACHE = True.", "cve": null, - "id": "pyup.io-37972", + "id": "pyup.io-26105", "specs": [ - "<1.2.0" + "<0.6.3" ], - "v": "<1.2.0" + "v": "<0.6.3" } ], - "pyfda": [ + "restkit": [ { - "advisory": "Pyfda 0.3.0 fixes an error when trying to load `*.npz` files: `numpy.load()` requires `allow_pickle = True` since version 1.16.3 for security reasons.", - "cve": null, - "id": "pyup.io-38164", + "advisory": "Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the 
default CERT_NONE value for the cert_reqs argument.", + "cve": "CVE-2015-2674", + "id": "pyup.io-35609", "specs": [ - "<0.3.0" + "<=4.2.2" ], - "v": "<0.3.0" + "v": "<=4.2.2" } ], - "pyforce": [ + "restrictedpython": [ { - "advisory": "Pyforce 1.8.0 fixes the external entities vulnerability #35.", + "advisory": "Restrictedpython 4.0 ships with a default implementation for ``_getattr_`` which prevents from using the ``format()`` method on str/unicode as it is not safe. See .\r\n\r\n **Caution:** If you do not already have secured the access to this ``format()`` method in your ``_getattr_`` implementation use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.", "cve": null, - "id": "pyup.io-38058", + "id": "pyup.io-37433", "specs": [ - "<1.8.0" + "<4.0" ], - "v": "<1.8.0" + "v": "<4.0" } ], - "pyfrost": [ + "restview": [ { - "advisory": "Pyfrost 0.2.1 updates dependencies with security alerts.", + "advisory": "restview before 2.8.1 isn't properly checking the host header in HTTP requests, leading to possible DNS rebinding attacks. 
More info: https://github.com/mgedmin/restview/issues/51", "cve": null, - "id": "pyup.io-38192", + "id": "pyup.io-35166", "specs": [ - "<0.2.1" + "<2.8.1" ], - "v": "<0.2.1" + "v": "<2.8.1" } ], - "pyftpdlib": [ + "ricloud": [ { - "advisory": "pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping user's home directory.", + "advisory": "ricloud 2.3.8 updates requests in requirements due to vulnerability discovery.", "cve": null, - "id": "pyup.io-26036", + "id": "pyup.io-36723", "specs": [ - "<0.3.0" + "<2.3.8" ], - "v": "<0.3.0" - }, + "v": "<2.3.8" + } + ], + "rinzler": [ { - "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.", - "cve": "CVE-2009-5010", - "id": "pyup.io-26037", + "advisory": "rinzler 2.0.5 includes a PyYAML vulnerability correction", + "cve": null, + "id": "pyup.io-36895", "specs": [ - "<0.5.1" + "<2.0.5" ], - "v": "<0.5.1" - }, + "v": "<2.0.5" + } + ], + "river-admin": [ { - "advisory": "Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.", - "cve": "CVE-2010-3494", - "id": "pyup.io-26038", + "advisory": "River-admin 0.5.2 fixes a vulnerability issue with `serialize-javascript` dependency.", + "cve": null, + "id": "pyup.io-37698", "specs": [ "<0.5.2" ], "v": "<0.5.2" } ], - "pygopherd": [ + "rmapy": [ { - "advisory": "Pygopherd 0.9.0 includes several security enhancements. 
No details were included.", + "advisory": "Rmapy 0.2.4 bumps jinja2 from version 2.10.1 to 2.11.3 to improve its security.", "cve": null, - "id": "pyup.io-39437", + "id": "pyup.io-40057", "specs": [ - "<0.9.0" + "<0.2.4" ], - "v": "<0.9.0" + "v": "<0.2.4" } ], - "pygresql": [ + "robotraconteur": [ { - "advisory": "The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.", - "cve": "CVE-2009-2940", - "id": "pyup.io-26039", + "advisory": "robotraconteur 0.9.0 changes: The `LocalTransport` file handle locations have been moved for increased security", + "cve": null, + "id": "pyup.io-37221", "specs": [ - "<4.0" + "<0.9.0" ], - "v": "<4.0" + "v": "<0.9.0" } ], - "pyinaturalist": [ + "rope": [ { - "advisory": "Pyinaturalist 0.7 includes minor dependency updates for security reasons.", - "cve": null, - "id": "pyup.io-39616", + "advisory": "base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.", + "cve": "CVE-2014-3539", + "id": "pyup.io-36155", "specs": [ - "<0.7" + "<0.10" ], - "v": "<0.7" - }, + "v": "<0.10" + } + ], + "rosdep": [ { - "advisory": "Pyinaturalist 0.7.0 includes minor dependencies updates for security reasons.", + "advisory": "Rosdep 0.15.2 migrates to yaml.safe_load to avoid yaml.load vulnerabilities.", "cve": null, - "id": "pyup.io-37127", + "id": "pyup.io-39115", "specs": [ - "<0.7.0" + "<0.15.2" ], - "v": "<0.7.0" + "v": "<0.15.2" } ], - "pyinstaller": [ + "rotten-tomatoes-cli": [ { - "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.", + "advisory": "Rotten-tomatoes-cli 0.0.2 updates the `pyyaml`, `urllib3`, and `requests` dependencies to avoid security vulnerabilities.", "cve": null, - "id": "pyup.io-39153", + "id": "pyup.io-37315", "specs": [ - 
"<3.5" + "<0.0.2" ], - "v": "<3.5" + "v": "<0.0.2" } ], - "pyjwt": [ + "roundup": [ { - "advisory": "pyjwt before 1.0.0 allows to bypass signature verification by setting the alg header to None.", - "cve": null, - "id": "pyup.io-26040", + "advisory": "Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.", + "cve": "CVE-2012-6130", + "id": "pyup.io-33162", "specs": [ - "<1.0.0" + "<1.4.20" ], - "v": "<1.0.0" + "v": "<1.4.20" }, { - "advisory": "Pyjwt 1.0.0 includes a fix for security vulnerability where 'alg=None' header could bypass signature verification (https://github.com/jpadilla/pyjwt/pull/109) and adding support for a whitelist of allowed 'alg' values 'jwt.decode(algorithms=[])' (https://github.com/jpadilla/pyjwt/pull/110).", - "cve": null, - "id": "pyup.io-39458", + "advisory": "Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.", + "cve": "CVE-2012-6131", + "id": "pyup.io-33163", "specs": [ - "<1.0.0" + "<1.4.20" ], - "v": "<1.0.0" + "v": "<1.4.20" }, { - "advisory": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. 
This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.", - "cve": null, - "id": "pyup.io-35014", + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.", + "cve": "CVE-2012-6133", + "id": "pyup.io-37744", "specs": [ - "<1.5.1" + "<1.4.20" ], - "v": "<1.5.1" - } - ], - "pykarotz": [ + "v": "<1.4.20" + }, { - "advisory": "Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module hijacking. See: .", - "cve": "CVE-2013-4867", - "id": "pyup.io-37751", + "advisory": "Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. See: CVE-2019-10904.", + "cve": "CVE-2019-10904", + "id": "pyup.io-37025", "specs": [ - "==12.07.19.00" + "==1.6" ], - "v": "==12.07.19.00" + "v": "==1.6" } ], - "pykechain": [ + "rpc4django": [ { - "advisory": "Pykechain 2.5.4 updates security advisory to install requests package later than 2.20.0 (CVE-2018-18074).", - "cve": "CVE-2018-18074", - "id": "pyup.io-36937", + "advisory": "rpc4django before 0.2.3 is vulnerable to billion laughs denial of service attack.", + "cve": null, + "id": "pyup.io-26108", "specs": [ - "<2.5.4" + "<0.2.3" ], - "v": "<2.5.4" + "v": "<0.2.3" } ], - "pylabnet": [ + "rply": [ { - "advisory": "Servers in pylabnet before version 0.3.0 were not secure by default.", - "cve": null, - "id": "pyup.io-38667", + "advisory": "The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.", + "cve": "CVE-2014-1604", + "id": "pyup.io-35520", "specs": [ - "<0.3.0" + "<0.7.1" ], - "v": "<0.3.0" - } - ], - "pyldap": [ + "v": "<0.7.1" + 
}, { - "advisory": "pyldap before 2.0.0pre05 is using an insecure transitive dependency (ldapurl).", - "cve": null, - "id": "pyup.io-26041", + "advisory": "python-rply before 0.7.4 insecurely creates temporary files. See: CVE-2014-1938.", + "cve": "CVE-2014-1938", + "id": "pyup.io-37755", "specs": [ - "<2.0.0pre05" + "<0.7.4" ], - "v": "<2.0.0pre05" + "v": "<0.7.4" } ], - "pylint": [ - { - "advisory": "Pylint 2.5.0 no longer allows ``python -m pylint ...`` to import user code. Previously, it added the current working directory as the first element of ``sys.path``. This opened up a potential security hole where ``pylint`` would import user level code as long as that code resided in modules having the same name as stdlib or pylint's own modules.", - "cve": null, - "id": "pyup.io-38224", - "specs": [ - "<2.5.0" - ], - "v": "<2.5.0" - }, + "rpyc": [ { - "advisory": "Pylint 2.7.0 includes a fix for vulnerable regular expressions in 'pyreverse'.", - "cve": null, - "id": "pyup.io-39621", + "advisory": "Rpyc 4.1.2 includes a fix for CVE-2019-16328 which was caused by a missing protocol security check.", + "cve": "CVE-2019-16328", + "id": "pyup.io-37525", "specs": [ - "<2.7.0" + "<4.1.2" ], - "v": "<2.7.0" + "v": "<4.1.2" } ], - "pylivetrader": [ + "rs-django-jet": [ { - "advisory": "Pylivetrader 0.2.0 changes the yaml config loading to use the safe loading. 
This is a security fix.", + "advisory": "rs-django-jet 1.0.4 fixes security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", "cve": null, - "id": "pyup.io-38294", + "id": "pyup.io-36903", "specs": [ - "<0.2.0" + "<1.0.4" ], - "v": "<0.2.0" + "v": "<1.0.4" } ], - "pylons": [ + "rsa": [ { - "advisory": "pylons before 0.9.6.1 allows to access private controller methods to be accessed from the outside.", + "advisory": "rsa 2.0 includes several undisclosed security improvements.", "cve": null, - "id": "pyup.io-26042", + "id": "pyup.io-26109", "specs": [ - "<0.9.6.1" + "<2.0" ], - "v": "<0.9.6.1" + "v": "<2.0" }, { - "advisory": "pylons before 0.9.7 is vulnerable to a XSS attack on the default error page.", - "cve": null, - "id": "pyup.io-26043", + "advisory": "The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.", + "cve": "CVE-2016-1494", + "id": "pyup.io-33164", "specs": [ - "<0.9.7" + "<3.3" ], - "v": "<0.9.7" + "v": "<3.3" }, { - "advisory": "pylons before 1.0.1RC1 is vulnerable to timing attacks on secure cookies.", + "advisory": "rsa before 3.4 has a undisclosed side-channel vulnerability.", "cve": null, - "id": "pyup.io-26044", + "id": "pyup.io-26112", "specs": [ - "<1.0.1RC1" + "<3.4" ], - "v": "<1.0.1RC1" + "v": "<3.4" }, { - "advisory": "pylons before 1.0.1rc1 is vulnerable to cookie timing attacks.", - "cve": null, - "id": "pyup.io-26045", + "advisory": "Rsa 4.3 includes two security fixes:\r\n- Choose blinding factor relatively prime to N.\r\n- Reject cyphertexts (when decrypting) and signatures (when verifying) that have been modified by prepending zero bytes. 
This resolves CVE-2020-13757.", + "cve": "CVE-2020-13757", + "id": "pyup.io-38414", "specs": [ - "<1.0.1rc1" + "<4.3" ], - "v": "<1.0.1rc1" + "v": "<4.3" }, { - "advisory": "pylons before 1.0.2 includes \"Post Traceback\" which is a possible XSS vector.", - "cve": null, - "id": "pyup.io-26046", + "advisory": "Python-RSA 4.0 ignores leading '\\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). See CVE-2020-13757.", + "cve": "CVE-2020-13757", + "id": "pyup.io-38369", "specs": [ - "<1.0.2" + "==4.0" ], - "v": "<1.0.2" + "v": "==4.0" } ], - "pymemcache": [ + "rsanic": [ { - "advisory": "pymemcache before 1.3.6 isn't sanitizing key inputs.", + "advisory": "rsanic before 0.2.2 is vulnerable to XSS attacks.", "cve": null, - "id": "pyup.io-26047", + "id": "pyup.io-33007", "specs": [ - "<1.3.6" + "<0.2.2" ], - "v": "<1.3.6" + "v": "<0.2.2" } ], - "pyminiracer": [ + "rsconnect-jupyter": [ { - "advisory": "A heap overflow in Sqreen PyMiniRacer (aka Python Mini Racer) before 0.3.0 allows remote attackers to potentially exploit heap corruption. 
See: CVE-2020-25489.",
- "cve": "CVE-2020-25489",
- "id": "pyup.io-38794",
+ "advisory": "In addition to disabling TLS checking entirely, users in rsconnect-jupyter 1.3.0 have the option of uploading their own self-signed certificate bundle as a more secure TLS alternative.",
+ "cve": null,
+ "id": "pyup.io-38119",
 "specs": [
- "<0.3.0"
+ "<1.3.0"
 ],
- "v": "<0.3.0"
+ "v": "<1.3.0"
 }
 ],
- "pymisp": [
- {
- "advisory": "Pymisp 2.4.106 fixes CVE-2019-11324 (urllib3).",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-37292",
- "specs": [
- "<2.4.106"
- ],
- "v": "<2.4.106"
- },
+ "rss2email": [
 {
- "advisory": "Pymisp v2.4.67 includes a security fix: do not try to load any valid path as a MISP Event.\r\n\r\nThe MISP Event loader was trying to open any string passed as parameter if is an existing file path. Anything that isn't a valid MISP event would raise an exception, but I can see it used for malicious purposes.\r\n\r\n`load_file` will do the same, but the user can decide if it is safe to use.",
+ "advisory": "Rss2email 3.10 fixes SMTP security issues.",
 "cve": null,
- "id": "pyup.io-38507",
+ "id": "pyup.io-37430",
 "specs": [
- "<2.4.67"
+ "<3.10"
 ],
- "v": "<2.4.67"
+ "v": "<3.10"
 }
 ],
- "pymls": [
+ "rtslib-fb": [
 {
- "advisory": "Pymls 1.4.10 fixes the Github-reported security issues in requirements.txt and bumps PyYAML version in setup for security reasons (CVE-2017-18342).",
- "cve": "CVE-2017-18342",
- "id": "pyup.io-37193",
+ "advisory": "Rtslib-fb 2.1.73 includes a fix for CVE-2020-14019.",
+ "cve": "CVE-2020-14019",
+ "id": "pyup.io-38468",
 "specs": [
- "<1.4.10"
+ "<2.1.73"
 ],
- "v": "<1.4.10"
+ "v": "<2.1.73"
 }
 ],
- "pymongo": [
+ "rtv": [
 {
- "advisory": "bson/_cbsonmodule.c in the mongo-python-driver (aka. 
pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\"",
- "cve": "CVE-2013-2132",
- "id": "pyup.io-35429",
+ "advisory": "rtv before 1.12.1 has a security vulnerability where malicious URLs could inject python code.",
+ "cve": null,
+ "id": "pyup.io-26113",
 "specs": [
- "<2.5.2"
+ "<1.12.1"
 ],
- "v": "<2.5.2"
+ "v": "<1.12.1"
 }
 ],
- "pynoorm": [
+ "ruffruffs": [
 {
- "advisory": "pynoorm 0.4.2 updates PyYaml to 4.2b4 to fix security vulnerability",
+ "advisory": "ruffruffs 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.",
 "cve": null,
- "id": "pyup.io-36789",
+ "id": "pyup.io-26116",
 "specs": [
- "<0.4.2"
+ "<2.6.0"
 ],
- "v": "<0.4.2"
+ "v": "<2.6.0"
 }
 ],
- "pynps": [
+ "runway": [
 {
- "advisory": "Pynps 1.2.0 removes support for search after updating database for security reasons.",
+ "advisory": "Runway 1.16.0 has enhanced security via nonce signing (Static Site AuthEdge).",
 "cve": null,
- "id": "pyup.io-37724",
+ "id": "pyup.io-39085",
 "specs": [
- "<1.2.0"
+ "<1.16.0"
 ],
- "v": "<1.2.0"
+ "v": "<1.16.0"
 }
 ],
- "pyoes": [
+ "s4": [
 {
- "advisory": "pyoes 0.9.0 change: Libs updaten - security alert",
+ "advisory": "S4 0.4.2 upgrades boto3 to minimum requirement to fix a vulnerability in a urllib3 dependency.",
 "cve": null,
- "id": "pyup.io-37254",
+ "id": "pyup.io-37119",
 "specs": [
- "<0.9.0"
+ "<0.4.2"
 ],
- "v": "<0.9.0"
+ "v": "<0.4.2"
 }
 ],
- "pyomo": [
+ "safety": [
 {
- "advisory": "Pyomo 5.7.2 fixes a security risk in GitHub Actions workflow (issue 1654).",
+ "advisory": "safety before 1.8.4 included the cryptography version <2.3, which had a security vulnerability.",
 "cve": null,
- "id": "pyup.io-39315",
+ "id": "pyup.io-36367",
 "specs": [
- 
"<5.7.2" + "<1.8.4" ], - "v": "<5.7.2" + "v": "<1.8.4" } ], - "pyopenssl": [ - { - "advisory": "The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.", - "cve": "CVE-2013-4314", - "id": "pyup.io-35460", - "specs": [ - "<0.13.1" - ], - "v": "<0.13.1" - }, - { - "advisory": "Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.", - "cve": "CVE-2018-1000807", - "id": "pyup.io-36533", - "specs": [ - "<17.5.0" - ], - "v": "<17.5.0" - }, + "sagemaker-containers": [ { - "advisory": "Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-36534", + "advisory": "Sagemaker-containers 2.8.2 updates a dependency for security reasons.", + "cve": null, + "id": "pyup.io-38087", "specs": [ - "<17.5.0" + "<2.8.2" ], - "v": "<17.5.0" + "v": "<2.8.2" } ], - "pyorient": [ + "sagemaker-pytorch-inference": [ { - "advisory": "pyorient before 1.4.9 has an SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the WHERE clause in a query and cause it to return unexpected results", + "advisory": "Sagemaker-pytorch-inference 1.4.1 updates various package versions to fix 
vulnerabilities.",
 "cve": null,
- "id": "pyup.io-34150",
+ "id": "pyup.io-40029",
 "specs": [
- "<1.4.9"
+ "<1.4.1"
 ],
- "v": "<1.4.9"
+ "v": "<1.4.1"
 }
 ],
- "pyowm": [
+ "salt": [
 {
- "advisory": "pyowm 2.10 upgrades version for dependencies `requests` and `urllib3` as known security issues were raised for them.",
- "cve": null,
- "id": "pyup.io-36750",
+ "advisory": "Salt 3000.4 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).",
+ "cve": "CVE-2020-17490",
+ "id": "pyup.io-39574",
 "specs": [
- "<2.10"
+ "<3000.4"
 ],
- "v": "<2.10"
- }
- ],
- "pypicloud": [
+ "v": "<3000.4"
+ },
 {
- "advisory": "pypicloud before 0.2.2 is vulnerable to a undisclosed attack.",
- "cve": null,
- "id": "pyup.io-26048",
+ "advisory": "Salt 3000.4 prevents shell injections in netapi SSH client (CVE-2020-16846).",
+ "cve": "CVE-2020-16846",
+ "id": "pyup.io-39159",
 "specs": [
- "<0.2.2"
+ "<3000.4"
 ],
- "v": "<0.2.2"
- }
- ],
- "pypiserver": [
+ "v": "<3000.4"
+ },
 {
- "advisory": "pypiserver before 1.1.7 is vulnerable to XSS attacks.",
- "cve": null,
- "id": "pyup.io-26049",
+ "advisory": "Salt 3001.1 updates PyYAML for security reasons. 
Additionally, psutil was updated due to CVE-2019-18874.",
+ "cve": "CVE-2019-18874",
+ "id": "pyup.io-38668",
 "specs": [
- "<1.1.7"
+ "<3001.1"
 ],
- "v": "<1.1.7"
+ "v": "<3001.1"
 },
 {
- "advisory": "pypiserver 1.2.6 mitigates potential CRLF injection attacks from malicious URLs",
- "cve": null,
- "id": "pyup.io-36843",
+ "advisory": "Salt 3001.2 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).",
+ "cve": "CVE-2020-17490",
+ "id": "pyup.io-39573",
 "specs": [
- "<1.2.6"
+ ">=3001,<3001.2"
 ],
- "v": "<1.2.6"
- }
- ],
- "pyplanet": [
+ "v": ">=3001,<3001.2"
+ },
 {
- "advisory": "pyplanet 0.6.2 - security: Upgraded library to solve security issues (requests library).",
- "cve": null,
- "id": "pyup.io-36666",
+ "advisory": "Salt 3001.2 prevents shell injections in netapi SSH client (CVE-2020-16846).",
+ "cve": "CVE-2020-16846",
+ "id": "pyup.io-39158",
 "specs": [
- "<0.6.2"
+ ">=3001,<3001.2"
 ],
- "v": "<0.6.2"
+ "v": ">=3001,<3001.2"
+ },
+ {
+ "advisory": "Salt 3002.1 properly validates eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. 
Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh (CVE-2020-25592).",
+ "cve": "CVE-2020-25592",
+ "id": "pyup.io-39571",
+ "specs": [
+ ">=3002,<3002.1"
+ ],
+ "v": ">=3002,<3002.1"
 },
 {
- "advisory": "Pyplanet 0.7.0 updates some libraries to fix some security issues (none of which were critical).",
- "cve": null,
- "id": "pyup.io-37476",
+ "advisory": "Salt 3002.1 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).",
+ "cve": "CVE-2020-17490",
+ "id": "pyup.io-39572",
 "specs": [
- "<0.7.0"
+ ">=3002,<3002.1"
 ],
- "v": "<0.7.0"
- }
- ],
- "pyrad": [
+ "v": ">=3002,<3002.1"
+ },
 {
- "advisory": "pyrad before 0.6 isn't handling timeouts in client module correctly, leading to a potential denial of service.",
- "cve": null,
- "id": "pyup.io-26050",
+ "advisory": "Salt 3002.1 prevents shell injections in netapi SSH client (CVE-2020-16846).",
+ "cve": "CVE-2020-16846",
+ "id": "pyup.io-39157",
 "specs": [
- "<0.6"
+ ">=3002,<3002.1"
 ],
- "v": "<0.6"
+ "v": ">=3002,<3002.1"
 }
 ],
- "pyradiomics": [
+ "salted": [
 {
- "advisory": "pyradiomics before 1.1.1 used `eval`which is not secure.",
+ "advisory": "Salted 0.5.4 requires lxml version >= 4.6.2 as it fixes a vulnerability and works with Python 3.9.",
 "cve": null,
- "id": "pyup.io-36302",
+ "id": "pyup.io-39320",
 "specs": [
- "<1.1.1"
+ "<0.5.4"
 ],
- "v": "<1.1.1"
+ "v": "<0.5.4"
 }
 ],
- "pyramid": [
+ "sanic-oauthlib": [
 {
- "advisory": "Pyramid 0.2 adds ACL-based security.",
+ "advisory": "Sanic-oauthlib 0.5.0 mentions \"**Security bug** for access token via `#92`\". No other information was provided.",
 "cve": null,
- "id": "pyup.io-32177",
+ "id": "pyup.io-38524",
 "specs": [
- "<0.2"
+ "<0.5.0"
 ],
- "v": "<0.2"
+ "v": "<0.5.0"
 },
 {
- "advisory": "Pyramid 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. 
The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.",
+ "advisory": "Sanic-oauthlib 0.9.1 improves security in a not further specified way.",
 "cve": null,
- "id": "pyup.io-32184",
+ "id": "pyup.io-37397",
 "specs": [
- "<0.4.2"
+ "<0.9.1"
 ],
- "v": "<0.4.2"
- },
+ "v": "<0.9.1"
+ }
+ ],
+ "satosa": [
 {
- "advisory": "In pyramid before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. It now uses a randomly generated string.",
+ "advisory": "satosa before 0.6.1 uses an insecure transitive dependency (pycrypto).",
 "cve": null,
- "id": "pyup.io-32685",
+ "id": "pyup.io-34714",
 "specs": [
- "<1.0a3"
+ "<0.6.1"
 ],
- "v": "<1.0a3"
- },
+ "v": "<0.6.1"
+ }
+ ],
+ "sbp": [
 {
- "advisory": "The default Mako renderer in pyramid 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See .",
+ "advisory": "sbp 2.4.2 updates mocha away from a security vulnerability in growl [\\575](https://github.com/swift-nav/libsbp/pull/575)",
 "cve": null,
- "id": "pyup.io-32194",
+ "id": "pyup.io-36695",
 "specs": [
- "<1.1a1"
+ "<2.4.2"
 ],
- "v": "<1.1a1"
+ "v": "<2.4.2"
 },
 {
- "advisory": "The AuthTktAuthenticationPolicy in pyramid before 1.3a1 did not use a timing-attack-aware string comparator. 
See https://github.com/Pylons/pyramid/pull/320 for more info.",
+ "advisory": "Sbp v2.6.5 pins minor rev versions, security fix for requests - see: https://github.com/swift-nav/libsbp/pull/709",
 "cve": null,
- "id": "pyup.io-32688",
+ "id": "pyup.io-36662",
 "specs": [
- "<1.3a1"
+ "<2.6.5"
 ],
- "v": "<1.3a1"
+ "v": "<2.6.5"
 },
 {
- "advisory": "In pyramid 1.4a4 the ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible for improved security over the default md5 hashing.",
+ "advisory": "sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708)",
 "cve": null,
- "id": "pyup.io-32201",
+ "id": "pyup.io-37937",
 "specs": [
- "<1.4a4"
+ "<2.7.0"
 ],
- "v": "<1.4a4"
+ "v": "<2.7.0"
 },
 {
- "advisory": "Pyramid 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Also, it avoids timing attacks against CSRF tokens. See: .",
+ "advisory": "Sbp 2.7.0 updates requests to resolve security issue - see https://github.com/swift-nav/libsbp/pull/708",
 "cve": null,
- "id": "pyup.io-32203",
+ "id": "pyup.io-37642",
 "specs": [
- "<1.6a1"
+ "<2.7.0"
 ],
- "v": "<1.6a1"
+ "v": "<2.7.0"
 },
 {
- "advisory": "pyramid before 1.6a2 isn't sanitising JSONP callbacks correctly, see CVE-2014-4671.",
- "cve": "CVE-2014-4671",
- "id": "pyup.io-32204",
+ "advisory": "Sbp 3.1.1 fixes a JavaScript security warning. 
See: .",
+ "cve": null,
+ "id": "pyup.io-38393",
 "specs": [
- "<1.6a2"
+ "<2.8.0"
 ],
- "v": "<1.6a2"
+ "v": "<2.8.0"
 }
 ],
- "pyramid-odesk": [
+ "scalyr-agent-2": [
 {
- "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.",
- "cve": null,
- "id": "pyup.io-26051",
+ "advisory": "The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName. See: CVE-2020-24715.",
+ "cve": "CVE-2020-24715",
+ "id": "pyup.io-38724",
 "specs": [
- "<1.1.2"
+ "<2.1.10"
 ],
- "v": "<1.1.2"
- }
- ],
- "pyramid-weblayer": [
+ "v": "<2.1.10"
+ },
 {
- "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.",
+ "advisory": "Scalyr-agent-2 version 2.1.10 fixes two bugs which opened up the possibility for MITM attack if an attacker was able to spoof or control the DNS. Additionally, this version explicitly requests TLS v1.2, which makes the agent more robust against potential downgrade attacks when connecting to the Scalyr API. This is only true when running the agent under Python >= 2.7.9.",
 "cve": null,
- "id": "pyup.io-26052",
+ "id": "pyup.io-38807",
 "specs": [
- "<0.12"
+ "<2.1.10"
 ],
- "v": "<0.12"
+ "v": "<2.1.10"
 }
 ],
- "pyro": [
+ "scapy": [
 {
- "advisory": "pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.",
- "cve": "CVE-2011-2765",
- "id": "pyup.io-36385",
+ "advisory": "Scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or in a pcap. both work. 
See: CVE-2019-1010142.",
+ "cve": "CVE-2019-1010142",
+ "id": "pyup.io-37285",
 "specs": [
- "<3.15"
+ "==2.4.0"
 ],
- "v": "<3.15"
- }
- ],
- "pyro4": [
+ "v": "==2.4.0"
+ },
 {
- "advisory": "pyro4 before 4.72 is not secure because the HMAC encryption key used with the -k command line option is plainly visible.\r\nUpgrade to 4.72 to show warnings when attempting this. In future use Pyro's 2-way SSL feature or alternatively set the HMAC key in the (new) environment variable PYRO_HMAC_KEY",
+ "advisory": "Scapy 2.4.2 addresses a Malicious Radius Attribute DoS vulnerability. See: .",
 "cve": null,
- "id": "pyup.io-36298",
+ "id": "pyup.io-37341",
 "specs": [
- "<4.72"
+ ">=2.4.0,<2.4.2"
 ],
- "v": "<4.72"
+ "v": ">=2.4.0,<2.4.2"
 }
 ],
- "pyrocko": [
+ "sceptre": [
 {
- "advisory": "Pyrocko 1.1.1 fixes a handler injection vulnerability.",
+ "advisory": "sceptre 2.3.0 fixes Jinja autoescape vulnerability",
 "cve": null,
- "id": "pyup.io-38937",
+ "id": "pyup.io-37821",
 "specs": [
- "<1.1.1"
+ "<2.3.0"
 ],
- "v": "<1.1.1"
+ "v": "<2.3.0"
 }
 ],
- "pyrotools": [
+ "scons": [
 {
- "advisory": "Pyrotools before 1.0.1 updates requirements.txt to make sure urllib3 is a safe version. See CVE-2019-11324.",
- "cve": "CVE-2019-11324",
- "id": "pyup.io-37086",
+ "advisory": "Scons 4.0.0 converts the remaining uses of an insecure/deprecated mktemp method.",
+ "cve": null,
+ "id": "pyup.io-38489",
 "specs": [
- "<1.0.1"
+ "<4.0.0"
 ],
- "v": "<1.0.1"
+ "v": "<4.0.0"
 }
 ],
- "pysam": [
+ "scrape": [
 {
- "advisory": "pysam 0.11.2 wraps htslib/samtools/bcfools versions 1.4.1 in response to a security fix in these libraries",
+ "advisory": "Scrape 0.10.2 updates the 'lxml' dependency from 4.3.0 to 4.6.2. 
This is a security patch.",
 "cve": null,
- "id": "pyup.io-34332",
+ "id": "pyup.io-39424",
 "specs": [
- "<0.11.2"
+ "<0.10.2"
 ],
- "v": "<0.11.2"
+ "v": "<0.10.2"
 }
 ],
- "pysaml2": [
- {
- "advisory": "PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.",
- "cve": "CVE-2016-10127",
- "id": "pyup.io-35659",
- "specs": [
- "<4.4.0"
- ],
- "v": "<4.4.0"
- },
- {
- "advisory": "XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.",
- "cve": "CVE-2016-10149",
- "id": "pyup.io-35660",
- "specs": [
- "<4.4.0"
- ],
- "v": "<4.4.0"
- },
- {
- "advisory": "PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. See: CVE-2020-5390.",
- "cve": "CVE-2020-5390",
- "id": "pyup.io-37783",
- "specs": [
- "<5.0.0"
- ],
- "v": "<5.0.0"
- },
- {
- "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. 
This is fixed in PySAML2 6.5.0. See CVE-2021-21239.",
- "cve": "CVE-2021-21239",
- "id": "pyup.io-39498",
- "specs": [
- "<6.5.0"
- ],
- "v": "<6.5.0"
- },
- {
- "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0. See CVE-2021-21238.",
- "cve": "CVE-2021-21238",
- "id": "pyup.io-39497",
- "specs": [
- "<6.5.0"
- ],
- "v": "<6.5.0"
- },
+ "scrapydd": [
 {
- "advisory": "Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.",
- "cve": "CVE-2017-1000246",
- "id": "pyup.io-35699",
+ "advisory": "Scrapydd 0.6.3 enhances the security by adding protection against cross-site request forgery.",
+ "cve": null,
+ "id": "pyup.io-37457",
 "specs": [
- "<=4.4.0"
+ "<0.6.3"
 ],
- "v": "<=4.4.0"
- },
+ "v": "<0.6.3"
+ }
+ ],
+ "scvae": [
 {
- "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. 
This allows attackers to log in as any user without knowing their password.",
- "cve": "CVE-2017-1000433",
- "id": "pyup.io-35700",
+ "advisory": "scvae 2.1.1 updates TensorFlow because of a security vulnerability.",
+ "cve": null,
+ "id": "pyup.io-37932",
 "specs": [
- "<=4.4.0"
+ "<2.1.1"
 ],
- "v": "<=4.4.0"
+ "v": "<2.1.1"
 }
 ],
- "pysandbox": [
+ "sdcclient": [
 {
- "advisory": "pysandbox before 1.0.2 allows access to several dict methods.",
+ "advisory": "Sdcclient 0.7.0 adds support for secure commands audit.",
 "cve": null,
- "id": "pyup.io-26053",
+ "id": "pyup.io-37050",
 "specs": [
- "<1.0.2"
+ "<0.7.0"
 ],
- "v": "<1.0.2"
- },
+ "v": "<0.7.0"
+ }
+ ],
+ "seed-auth-api": [
 {
- "advisory": "pysandbox before 1.0.3 allows access to dict.__init__().",
+ "advisory": "Seed-auth-api 0.9.3 includes upgrades of dependencies with security vulnerabilities.",
 "cve": null,
- "id": "pyup.io-26054",
+ "id": "pyup.io-37441",
 "specs": [
- "<1.0.3"
+ "<0.9.3"
 ],
- "v": "<1.0.3"
- },
+ "v": "<0.9.3"
+ }
+ ],
+ "seed-control-interface": [
 {
- "advisory": "pysandbox before 1.5 has several security vulnerabilities.",
+ "advisory": "Seed-control-interface-service 0.9.16 includes upgrades of dependencies with security vulnerabilities.",
 "cve": null,
- "id": "pyup.io-26055",
+ "id": "pyup.io-37440",
 "specs": [
- "<1.5"
+ "<0.9.16"
 ],
- "v": "<1.5"
- },
+ "v": "<0.9.16"
+ }
+ ],
+ "seed-control-interface-service": [
 {
- "advisory": "pysandbox before 1.6 isn't setting __builtins__ to readonly when execute() is used.",
+ "advisory": "Seed-control-interface-service 0.9.6 includes upgrades of dependencies with security vulnerabilities.",
 "cve": null,
- "id": "pyup.io-26056",
+ "id": "pyup.io-37442",
 "specs": [
- "<1.6"
+ "<0.9.6"
 ],
- "v": "<1.6"
+ "v": "<0.9.6"
 }
 ],
- "pysbd": [
+ "seed-identity-store": [
 {
- "advisory": "Pysbd 0.3.0rc includes an upgrade of bleach to address a security vulnerability.",
+ "advisory": "Seed-identity-store 0.10.2 includes upgrades of dependencies with 
security vulnerabilities.",
 "cve": null,
- "id": "pyup.io-38404",
+ "id": "pyup.io-37437",
 "specs": [
- "<0.3.0rc"
+ "<0.10.2"
 ],
- "v": "<0.3.0rc"
+ "v": "<0.10.2"
 }
 ],
- "pyshop": [
+ "seed-message-sender": [
 {
- "advisory": "pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a download operation.",
- "cve": "CVE-2013-1630",
- "id": "pyup.io-26057",
+ "advisory": "Seed-message-sender 0.10.9 includes upgrades of dependencies with security vulnerabilities.",
+ "cve": null,
+ "id": "pyup.io-37436",
 "specs": [
- "<0.7.1"
+ "<0.10.9"
 ],
- "v": "<0.7.1"
+ "v": "<0.10.9"
 }
 ],
- "pyspark": [
+ "seed-scheduler": [
 {
- "advisory": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. 
See: CVE-2019-10099.",
- "cve": "CVE-2019-10099",
- "id": "pyup.io-37352",
+ "advisory": "Seed-scheduler 0.10.2 includes upgrades of dependencies with security vulnerabilities.",
+ "cve": null,
+ "id": "pyup.io-37439",
 "specs": [
- "<2.3.3"
+ "<0.10.2"
 ],
- "v": "<2.3.3"
+ "v": "<0.10.2"
 }
 ],
- "pyspf": [
+ "seed-stage-based-messaging": [
 {
- "advisory": "Pyspf 2.0.1 prevents cache poisoning attacks and malformed RR attacks.",
+ "advisory": "seed-stage-based-messaging 0.11.0 upgrades requests to fix security vulnerability",
 "cve": null,
- "id": "pyup.io-37431",
+ "id": "pyup.io-36653",
 "specs": [
- "<2.0.1"
+ "<0.11.0"
 ],
- "v": "<2.0.1"
- }
- ],
- "pytest-aoc": [
+ "v": "<0.11.0"
+ },
 {
- "advisory": "pytest-aoc 1.2a6 removes security misfeature: no cookies inside setup.cfg.",
+ "advisory": "Seed-stage-based-messaging 0.13.0 includes upgrades of dependencies with security vulnerabilities.",
 "cve": null,
- "id": "pyup.io-37267",
+ "id": "pyup.io-37438",
 "specs": [
- "<1.2a6"
+ "<0.13.0"
 ],
- "v": "<1.2a6"
+ "v": "<0.13.0"
 }
 ],
- "pytest-devpi-server": [
+ "seldon-core": [
 {
- "advisory": "pytest-devpi-server before 1.1.0 uses a subshell in workspace.run.",
+ "advisory": "Seldon-core 0.2.4 includes a fix for Github security vulnerabilities in dependencies (issue 259) and a fix for vulnerability warnings with updates to engine and apife pom (issue 263).",
 "cve": null,
- "id": "pyup.io-26059",
+ "id": "pyup.io-39360",
 "specs": [
- "<1.1.0"
+ "<0.2.4"
 ],
- "v": "<1.1.0"
- }
- ],
- "pytest-git": [
+ "v": "<0.2.4"
+ },
 {
- "advisory": "pytest-git before 1.1.0 uses a subshell in workspace.run.",
+ "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). 
It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12023 (pull 547).",
+ "cve": "CVE-2018-12023",
+ "id": "pyup.io-39547",
+ "specs": [
+ "<0.3.0"
+ ],
+ "v": "<0.3.0"
+ },
+ {
+ "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12022.",
+ "cve": "CVE-2018-12022",
+ "id": "pyup.io-39359",
+ "specs": [
+ "<0.3.0"
+ ],
+ "v": "<0.3.0"
+ },
+ {
+ "advisory": "Seldon-core 0.4.0 includes a fix for CVE-2018-1000654 in openjdk:8u201-jre-alpine3.",
+ "cve": "CVE-2018-1000654",
+ "id": "pyup.io-39358",
+ "specs": [
+ "<0.4.0"
+ ],
+ "v": "<0.4.0"
+ },
+ {
+ "advisory": "Seldon-core 0.4.2 closes issue 981 which addresses a Java dependencies that is not secure, and also closes issue 893 about a patch to prevent XSS.",
 "cve": null,
- "id": "pyup.io-26060",
+ "id": "pyup.io-39357",
 "specs": [
- "<1.1.0"
+ "<0.4.2"
 ],
- "v": "<1.1.0"
- }
- ],
- "pytest-profiling": [
+ "v": "<0.4.2"
+ },
 {
- "advisory": "pytest-profiling before 1.1.0 uses a subshell in workspace.run.",
+ "advisory": "seldon-core 0.5.1 bumps pillow from 6.0.0 to 6.2.0, see: https://github.com/SeldonIO/seldon-core/pull/1062",
 "cve": null,
- "id": "pyup.io-26061",
+ "id": "pyup.io-37893",
 "specs": [
- "<1.1.0"
+ "<0.5.1"
 ],
- "v": "<1.1.0"
- }
- ],
- "pytest-qt-app": [
+ "v": "<0.5.1"
+ },
 {
- "advisory": "pytest-qt-app before 1.1.0 uses a subshell in workspace.run.",
+ "advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-18224.",
+ "cve": "CVE-2019-18224",
+ "id": "pyup.io-39546",
+ "specs": [
+ "<1.0.0"
+ ],
+ "v": "<1.0.0"
+ },
+ {
+ "advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-5482.",
+ "cve": "CVE-2019-5482",
+ "id": "pyup.io-39361",
+ "specs": [
+ "<1.0.0"
+ ],
+ "v": "<1.0.0"
+ },
+ {
+ "advisory": 
"Seldon-core 1.0.2 includes a fix for CVE-2019-18224.", + "cve": "CVE-2019-18224", + "id": "pyup.io-39356", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + }, + { + "advisory": "Seldon-core 1.2.0 adds XSS patches to executor. It also closes potential security vulnerability issues with Default Engine Java Opts (issue 1597) and Java JMX Server (issue 1595).", "cve": null, - "id": "pyup.io-26062", + "id": "pyup.io-39328", "specs": [ - "<1.1.0" + "<1.2.0" ], - "v": "<1.1.0" + "v": "<1.2.0" } ], - "pytest-server-fixtures": [ + "selenium-wire": [ { - "advisory": "pytest-server-fixtures before 1.1.0 uses a subshell in workspace.run.", + "advisory": "Selenium-wire 1.2.1 uses SHA256 digest when creating site certificates to fix Chrome HSTS security errors.", "cve": null, - "id": "pyup.io-26063", + "id": "pyup.io-38396", "specs": [ - "<1.1.0" + "<1.2.1" ], - "v": "<1.1.0" + "v": "<1.2.1" } ], - "pytest-shutil": [ + "sentry": [ { - "advisory": "pytest-shutil before 1.1.0 uses a subshell in workspace.run.", + "advisory": "sentry before 0.12.2 has a security flaw where exponential numbers in specially crafted params could cause a CPU attack.", "cve": null, - "id": "pyup.io-26064", + "id": "pyup.io-33030", "specs": [ - "<1.1.0" + "<0.12.2" ], - "v": "<1.1.0" - } - ], - "pytest-verbose-parametrize": [ + "v": "<0.12.2" + }, { - "advisory": "pytest-verbose-parametrize before 1.1.0 uses a subshell in workspace.run.", + "advisory": "Sentry 5.7.0 updates https-proxy-agent to 3.0.0 for security reasons (issue 2262).", "cve": null, - "id": "pyup.io-26065", + "id": "pyup.io-39296", "specs": [ - "<1.1.0" + "<5.7.0" ], - "v": "<1.1.0" - } - ], - "python": [ + "v": "<5.7.0" + }, { - "advisory": "Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.", - "cve": "CVE-2008-1721", - "id": "pyup.io-33152", + "advisory": 
"sentry before 6.1.1 is vulnerable to a remote code execution exploit.", + "cve": null, + "id": "pyup.io-26117", + "specs": [ + "<6.1.1" + ], + "v": "<6.1.1" + }, + { + "advisory": "sentry before 7.4.0 has a XSS vulnerability with tag values not being escaped (on the group details page).", + "cve": null, + "id": "pyup.io-26118", "specs": [ - "<2.5.2" + "<7.4.0" ], - "v": "<2.5.2" + "v": "<7.4.0" }, { - "advisory": "Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow.", - "cve": "CVE-2008-1887", - "id": "pyup.io-33153", + "advisory": "sentry before 7.5.5 is vulnerable to a XSS attack in tags and the stream filter box.", + "cve": null, + "id": "pyup.io-26119", "specs": [ - "<2.5.2" + "<7.5.5" ], - "v": "<2.5.2" + "v": "<7.5.5" }, { - "advisory": "Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. 
NOTE: this issue is due to an incomplete fix for CVE-2007-4965.",
- "cve": "CVE-2008-1679",
- "id": "pyup.io-33151",
+ "advisory": "sentry before 7.6.1 is vulnerable to a XSS attack in tags and the stream filter box.",
+ "cve": null,
+ "id": "pyup.io-26120",
 "specs": [
- "<2.5.3"
+ "<7.6.1"
 ],
- "v": "<2.5.3"
+ "v": "<7.6.1"
 },
 {
- "advisory": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
- "cve": "CVE-2016-0772",
- "id": "pyup.io-33154",
+ "advisory": "sentry before 8.1.4 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.",
+ "cve": null,
+ "id": "pyup.io-26121",
 "specs": [
- "<2.7.12",
- ">=3.0,<3.4.5",
- ">=3.5,<3.5.2"
+ "<8.1.4"
 ],
- "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
+ "v": "<8.1.4"
 },
 {
- "advisory": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.",
- "cve": "CVE-2016-5636",
- "id": "pyup.io-33155",
+ "advisory": "sentry before 8.1.5 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.",
+ "cve": null,
+ "id": "pyup.io-26122",
 "specs": [
- "<2.7.12",
- ">=3.0,<3.4.5",
- ">=3.5,<3.5.2"
+ "<8.1.5"
 ],
- "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2"
+ "v": "<8.1.5"
 },
 {
- "advisory": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl 
and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. See CVE-2021-23336.", - "cve": "CVE-2021-23336", - "id": "pyup.io-39619", + "advisory": "sentry before 8.2.2 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.", + "cve": null, + "id": "pyup.io-26123", "specs": [ - ">=0.0.0,<3.6.13", - ">=3.7.0,<3.7.10", - ">=3.8.0,<3.8.8", - ">=3.9.0,<3.9.2" + "<8.2.2" ], - "v": ">=0.0.0,<3.6.13,>=3.7.0,<3.7.10,>=3.8.0,<3.8.8,>=3.9.0,<3.9.2" + "v": "<8.2.2" }, { - "advisory": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", - "cve": "CVE-2011-4940", - "id": "pyup.io-26069", + "advisory": "sentry before 8.2.4 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.", + "cve": null, + "id": "pyup.io-26124", "specs": [ - ">=2.6,<2.6.7", - "<2.5.6c1", - ">=2.7,<2.7.2" + "<8.2.4" ], - "v": ">=2.6,<2.6.7,<2.5.6c1,>=2.7,<2.7.2" + "v": "<8.2.4" }, { - "advisory": "Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.", - "cve": 
"CVE-2011-4944", - "id": "pyup.io-26074", + "advisory": "sentry before 8.2.5 is vulnerable to an attack which allows API keys more permission than granted within the organization.", + "cve": null, + "id": "pyup.io-26125", "specs": [ - ">=2.6,<3.3" + "<8.2.5" ], - "v": ">=2.6,<3.3" + "v": "<8.2.5" }, { - "advisory": "Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.", - "cve": "CVE-2012-1150", - "id": "pyup.io-26071", + "advisory": "sentry before 8.3.3 is vulnerable to an attack which allows API keys more permission than granted within the organization.", + "cve": null, + "id": "pyup.io-26126", "specs": [ - ">=2.7,<2.7.3", - ">=3.0,<3.1.5", - ">=3.2,<3.2.3", - "<2.6.8" + "<8.3.3" ], - "v": ">=2.7,<2.7.3,>=3.0,<3.1.5,>=3.2,<3.2.3,<2.6.8" + "v": "<8.3.3" }, { - "advisory": "SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.", - "cve": "CVE-2012-0845", - "id": "pyup.io-26070", + "advisory": "sentry 8.8 includes various security fixes related to CSRF and XSS.", + "cve": null, + "id": "pyup.io-26127", "specs": [ - ">=2.7,<2.7.3", - ">=3.2,<3.2.3", - ">=3.1,<3.1.5", - "<2.6.8" + "<8.8" ], - "v": ">=2.7,<2.7.3,>=3.2,<3.2.3,>=3.1,<3.1.5,<2.6.8" - }, + "v": "<8.8" + } + ], + "sequoia-client-sdk": [ { - "advisory": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as 
demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. See CVE-2021-3177.", - "cve": "CVE-2021-3177", - "id": "pyup.io-39465", + "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:", + "cve": null, + "id": "pyup.io-36949", "specs": [ - ">=3.0.0,<=3.9.1" + "<1.2.0" ], - "v": ">=3.0.0,<=3.9.1" + "v": "<1.2.0" }, { - "advisory": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.", - "cve": "CVE-2012-2135", - "id": "pyup.io-26076", + "advisory": "Sequoia-client-sdk 2.0.0 upgrades `urllib3` and `requests` to solve security issues.", + "cve": null, + "id": "pyup.io-37199", "specs": [ - ">=3.1,<3.4" + "<2.0.0" ], - "v": ">=3.1,<3.4" - }, + "v": "<2.0.0" + } + ], + "serpscrap": [ { - "advisory": "The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.", - "cve": "CVE-2011-1521", - "id": "pyup.io-26075", + "advisory": "Serpscrap 0.13.0 updates the dependency on chromedriver to >= 76.0.3809.68 and sqlalchemy>=1.3.7 to solve security issues and other minor update changes.", + "cve": null, + "id": "pyup.io-37406", "specs": [ - ">=3.2,<3.2.1", - ">=2.7,<2.7.2" + "<0.13.0" ], - "v": ">=3.2,<3.2.1,>=2.7,<2.7.2" + "v": "<0.13.0" } ], - "python-augeas": [ + "sesame": [ { - "advisory": "python-augeas before 1.0.0 is vulnerable to cross-mountpoint and symlink attacks.", + "advisory": "sesame 0.3.0 is using a secure 
extraction/decryption using tempfile.", "cve": null, - "id": "pyup.io-26077", + "id": "pyup.io-26128", "specs": [ - "<1.0.0" + "<0.3.0" ], - "v": "<1.0.0" + "v": "<0.3.0" } ], - "python-bugzilla": [ + "setup-tools": [ { - "advisory": "python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.", - "cve": "CVE-2013-2191", - "id": "pyup.io-35432", + "advisory": "setup-tools is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", + "cve": null, + "id": "pyup.io-34984", "specs": [ - "<0.9.0" + ">0", + "<0" ], - "v": "<0.9.0" + "v": ">0,<0" } ], - "python-cjson": [ + "setuptools": [ { - "advisory": "Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving Firefox and the end tag of a SCRIPT element.", - "cve": "CVE-2009-4924", - "id": "pyup.io-33160", + "advisory": "setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.", + "cve": null, + "id": "pyup.io-26129", "specs": [ - "<1.0.5" + "<0.9.5" ], - "v": "<1.0.5" + "v": "<0.9.5" }, { - "advisory": "Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function.", - "cve": "CVE-2010-1666", - "id": "pyup.io-33161", + "advisory": "setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997.", + "cve": null, + "id": "pyup.io-26132", "specs": [ - "<1.0.5" + "<1.3" ], - "v": "<1.0.5" - } - ], - "python-clu": [ + "v": "<1.3" + }, { - "advisory": "Python-clu 0.5.1 removes an insecure Django requirement.", + "advisory": "setuptools 3.0 avoids the potential security 
vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4.", "cve": null, - "id": "pyup.io-37800", + "id": "pyup.io-26133", "specs": [ - "<0.5.1" + "<3.0" ], - "v": "<0.5.1" + "v": "<3.0" } ], - "python-dbusmock": [ + "sevabot": [ { - "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.", + "advisory": "sevabot before 1.1 allows arbitrary commands to be executed.", "cve": null, - "id": "pyup.io-26080", - "specs": [ - "<0.15.1" - ], - "v": "<0.15.1" - }, - { - "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. 
See CVE-2015-1326.", - "cve": "CVE-2015-1326", - "id": "pyup.io-37088", + "id": "pyup.io-26134", "specs": [ - "<0.15.1" + "<1.1" ], - "v": "<0.15.1" + "v": "<1.1" } ], - "python-docx": [ + "sftp-cloudfs": [ { - "advisory": "python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.", - "cve": "CVE-2016-5851", - "id": "pyup.io-26081", + "advisory": "sftp-cloudfs before 0.13.1 is using an insecure transitive dependency (ftp-cloudfs<=0.26.1).", + "cve": null, + "id": "pyup.io-26135", "specs": [ - "<0.8.6" + "<0.13.1" ], - "v": "<0.8.6" + "v": "<0.13.1" } ], - "python-engineio": [ + "shaka-streamer": [ { - "advisory": "Python-engineio 3.5.2 removes a security alert in the requirements.", + "advisory": "Shaka-streamer 0.3.0 fixes the PyYAML deprecation warning and YAML loading vulnerability - see: https://github.com/google/shaka-streamer/issues/35", "cve": null, - "id": "pyup.io-37168", + "id": "pyup.io-37578", "specs": [ - "<3.5.2" + "<0.3.0" ], - "v": "<3.5.2" - }, + "v": "<0.3.0" + } + ], + "shiftboiler": [ { - "advisory": "Python-engineio 3.9.0 addresses potential websocket cross-origin attacks. See: .", + "advisory": "shiftboiler before 0.6.5 included a minor security issue: If google login did not return an id, user can takeover another user's account.", "cve": null, - "id": "pyup.io-37307", + "id": "pyup.io-36542", "specs": [ - "<3.9.0" + "<0.6.5" ], - "v": "<3.9.0" + "v": "<0.6.5" }, { - "advisory": "An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. See: .", - "cve": "CVE-2019-13611", - "id": "pyup.io-37288", + "advisory": "Shiftboiler 0.9.3 contains improvements around application security. 
For instance session cookies and FlaskLogin's remember me cookies are now set to be secure and http-only by default in production environments. Additionally, flask applications are now CSRF-protected out of the box so you don't have to remember to enable this feature.", + "cve": null, + "id": "pyup.io-38472", "specs": [ - "<=3.8.2" + "<0.9.3" ], - "v": "<=3.8.2" + "v": "<0.9.3" } ], - "python-fedora": [ + "simplemonitor": [ { - "advisory": "python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection", - "cve": "CVE-2017-1002150", - "id": "pyup.io-35705", + "advisory": "simplemonitor 2.7 changes the remote monitor protocol and uses the JSON format for remote monitor protocol (more secure than pickle)", + "cve": null, + "id": "pyup.io-37886", "specs": [ - "<=0.8.0" + "<2.7" ], - "v": "<=0.8.0" + "v": "<2.7" } ], - "python-gnupg": [ + "simulaqron": [ { - "advisory": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. 
To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted.", - "cve": "CVE-2019-6690", - "id": "pyup.io-36964", + "advisory": "Simulaqron 3.0.7 bumps to twisted 19.7 due to security vulnerabilities with earlier versions.", + "cve": null, + "id": "pyup.io-37571", "specs": [ - "==0.4.3" + "<3.0.7" ], - "v": "==0.4.3" + "v": "<3.0.7" } ], - "python-jose": [ + "skill-sdk": [ { - "advisory": "python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.", - "cve": "CVE-2016-7036", - "id": "pyup.io-35682", + "advisory": "Skill-sdk 0.10.5 makes its underlying dependency 'Tornado' optional due to a security issue.", + "cve": null, + "id": "pyup.io-39692", "specs": [ - "<1.3.2" + "<0.10.5" ], - "v": "<1.3.2" + "v": "<0.10.5" } ], - "python-jss": [ + "slackeventsapi": [ { - "advisory": "Python-jss 2.1.0 updates the `urllib3` dependency to mitigate a vulnerability.", + "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)", "cve": null, - "id": "pyup.io-38564", + "id": "pyup.io-36729", "specs": [ "<2.1.0" ], "v": "<2.1.0" } ], - "python-keystoneclient": [ - { - "advisory": "The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.", - "cve": "CVE-2015-1852", - "id": "pyup.io-26082", - "specs": [ - "<1.4.0" - ], - "v": "<1.4.0" - }, - { - "advisory": "The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not 
properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.", - "cve": "CVE-2015-7546", - "id": "pyup.io-26083", - "specs": [ - "<1.5.4", - ">=2.0,<2.3.3" - ], - "v": "<1.5.4,>=2.0,<2.3.3" - }, + "sleap": [ { - "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass. See: CVE-2013-2166.", - "cve": "CVE-2013-2166", - "id": "pyup.io-37748", + "advisory": "Sleap 1.0.10a4 updates TensorFlow 2.1.2 for security reasons.", + "cve": null, + "id": "pyup.io-39680", "specs": [ - ">=0.2.3,<=0.2.5" + "<1.0.10a4" ], - "v": ">=0.2.3,<=0.2.5" + "v": "<1.0.10a4" }, { - "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass. See CVE-2013-2167.", - "cve": "CVE-2013-2167", - "id": "pyup.io-37749", + "advisory": "Sleap 1.0.10a updates TensorFlow 2.1.2 for security reasons.", + "cve": null, + "id": "pyup.io-39679", "specs": [ - ">=0.2.3,<=0.2.5" + "<1.0.10a5" ], - "v": ">=0.2.3,<=0.2.5" + "v": "<1.0.10a5" } ], - "python-libnmap": [ - { - "advisory": "libnmap < v0.6.3 is affected by: XML Injection. The impact is: Denial of service (DoS) by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. See: CVE-2019-1010017.", - "cve": "CVE-2019-1010017", - "id": "pyup.io-37283", - "specs": [ - "<0.6.3" - ], - "v": "<0.6.3" - }, + "smeagol": [ { - "advisory": "Python-libnmap 0.7.2 adds unittest for defusedxml to fix billionlaugh and external entities security issues. It also includes a fix for security issue on XXE (XML External Entities). 
See: CVE-2019-1010017.", - "cve": "CVE-2019-1010017", - "id": "pyup.io-39304", + "advisory": "smeagol 0.1.0 has several known bugs and security issues that need to be addressed before it can be used in production.", + "cve": null, + "id": "pyup.io-34818", "specs": [ - "<0.7.2" + "<0.1.0" ], - "v": "<0.7.2" + "v": "<0.1.0" } ], - "python-libtorrent": [ + "smqtk": [ { - "advisory": "python-libtorrent before 1.0.6 has several undisclosed vulnerabilities related to uTP.", + "advisory": "Smqtk 0.11.0 includes a number of security and stability fixes for algorithms and the IQR demo web application.", "cve": null, - "id": "pyup.io-26084", + "id": "pyup.io-38777", "specs": [ - "<1.0.6" + "<0.11.0" ], - "v": "<1.0.6" + "v": "<0.11.0" } ], - "python-muranoclient": [ + "smtpdfix": [ { - "advisory": "OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.", - "cve": "CVE-2016-4972", - "id": "pyup.io-26085", + "advisory": "Smtpdfix 0.2.9 requires a 'cryptography' dependency version 3.4.4 in response to security reports.", + "cve": null, + "id": "pyup.io-39708", "specs": [ - "<0.7.3", - ">=0.8,<0.8.5" + "<0.2.9" ], - "v": "<0.7.3,>=0.8,<0.8.5" + "v": "<0.2.9" } ], - "python-nomad": [ + "snakemake": [ { - "advisory": "Python-nomad 1.0.1 updates `Requests` to 2.20.0. 
Earlier versions of `Requests` sent an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", + "advisory": "Snakemake 5.28.0 parses values more securely when using --config.", "cve": null, - "id": "pyup.io-36602", + "id": "pyup.io-39106", "specs": [ - "<1.0.1" + "<5.28.0" ], - "v": "<1.0.1" + "v": "<5.28.0" } ], - "python-openflow": [ + "snappass": [ { - "advisory": "python-openflow 2016.1.a1 fixes a undisclosed security vulnerability.", - "cve": null, - "id": "pyup.io-33282", + "advisory": "Snappass 1.4.1 upgrades cryptography to 2.3.1. See: CVE-2018-10903.", + "cve": "CVE-2018-10903", + "id": "pyup.io-36605", "specs": [ - "<2016.1.a1" + "<1.4.1" ], - "v": "<2016.1.a1" - }, + "v": "<1.4.1" + } + ], + "sncli": [ { - "advisory": "python-openflow 2019.1b3 change: Updated dependencies versions in order to fix security bugs.", + "advisory": "Sncli 0.4.0 contains a security fix for an arbitrary code execution bug. Copying text from notes to the clipboard was being performed by building a shell command to execute. This resulted in the line being copied substituted directly into the shell command. A carefully crafted line could run any arbitrary shell command, and some lines could crash the\r\nprocess causing the line to fail to copy. 
This fixes the issue by not using a shell to interpret the command, and\r\npassing the text to be copied directly to stdin.", "cve": null, - "id": "pyup.io-37224", + "id": "pyup.io-37302", "specs": [ - "<2019.1b3" + "<0.4.0" ], - "v": "<2019.1b3" + "v": "<0.4.0" } ], - "python-otr": [ + "soapfish": [ { - "advisory": "python-otr before 1.1.0 is vulnerable to man-in-the-middle attacks as it allows to restart the protocol.", + "advisory": "soapfish before 0.6.0 has a potential security issue - pattern restrictions were not applied correctly.", "cve": null, - "id": "pyup.io-26086", + "id": "pyup.io-26136", "specs": [ - "<1.1.0" + "<0.6.0" ], - "v": "<1.1.0" + "v": "<0.6.0" } ], - "python-picnic": [ + "soappy": [ { - "advisory": "Python-picnic 1.2 prevents a seed-guessing attack by adding a per-signature salt to random tapes generation.", + "advisory": "soappy before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", "cve": null, - "id": "pyup.io-38681", + "id": "pyup.io-26137", "specs": [ - "<1.2" + "<0.12.6" ], - "v": "<1.2" + "v": "<0.12.6" } ], - "python-pptx": [ + "soappy-py3": [ { - "advisory": "python-pptx before 0.6.12 used a vulnerable version of Pillow.", + "advisory": "soappy-py3 before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", "cve": null, - "id": "pyup.io-36382", + "id": "pyup.io-26138", "specs": [ - "<0.6.12" + "<0.12.6" ], - "v": "<0.6.12" + "v": "<0.12.6" } ], - "python-saml": [ + "sockjs-tornado": [ { - "advisory": "python-saml before 2.1.6 is vulnerable to Signature Wrapping attacks.", + "advisory": "Sockjs-tornado 1.0.7 includes a fix for a XSS vulnerability. No details are given. 
Possibly it's related to the XSS vulnerability that was addressed in 1.0.6, which jeopardized the HTMLFILE transport.", "cve": null, - "id": "pyup.io-26087", + "id": "pyup.io-38215", "specs": [ - "<2.1.6" + "<1.0.7" ], - "v": "<2.1.6" - }, + "v": "<1.0.7" + } + ], + "sopel": [ { - "advisory": "python-saml before 2.1.9 is vulnerable to Signature Wrapping attacks.", + "advisory": "'web.get' and 'web.post' in sopel 4.1.0 can be told to limit how much they read from a URL, to prevent malicious use.", "cve": null, - "id": "pyup.io-26088", + "id": "pyup.io-39121", "specs": [ - "<2.1.9" + "<4.1.0" ], - "v": "<2.1.9" + "v": "<4.1.0" }, { - "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.", - "cve": "CVE-2017-11427", - "id": "pyup.io-35779", + "advisory": "A security issue involving an improperly named channel logs was fixed in Sopel 4.4.0.", + "cve": null, + "id": "pyup.io-26139", "specs": [ - "<2.4.0" + "<4.4.0" ], - "v": "<2.4.0" + "v": "<4.4.0" }, { - "advisory": "Python-saml 2.5.0 includes security improvements to prevent XPath injection.", + "advisory": "Sopel 6.3.0 uses the `requests` package for stability and security.", "cve": null, - "id": "pyup.io-39452", + "id": "pyup.io-27413", "specs": [ - "<2.5.0" + "<6.3.0" ], - "v": "<2.5.0" + "v": "<6.3.0" } ], - "python-secrets": [ - { - "advisory": "Python-secrets 0.9.1 adds ``six`` for securing ``input`` call.", - "cve": null, - "id": "pyup.io-37582", - "specs": [ - "<0.9.1" - ], - "v": "<0.9.1" - }, + "spacepy-x": [ { - "advisory": "Python-secrets before 19.10.0 adds control of umask for better file perm security.", + "advisory": "HTTPS has been re-enabled in spacepy-x 1.0.1 for secure API goodness.", "cve": null, - "id": "pyup.io-37583", + "id": 
"pyup.io-37388", "specs": [ - "<19.10.0" + "<1.0.1" ], - "v": "<19.10.0" - }, + "v": "<1.0.1" + } + ], + "sparselandtools": [ { - "advisory": "Python-secrets before 19.8.0 adds insecure permissions checking", + "advisory": "sparselandtools 1.0.1 requires newer versions of third party packages for security reasons in some cases", "cve": null, - "id": "pyup.io-37401", + "id": "pyup.io-37929", "specs": [ - "<19.8.0" + "<1.0.1" ], - "v": "<19.8.0" - }, + "v": "<1.0.1" + } + ], + "sphinx": [ { - "advisory": "Python-secrets 19.8.3 ensures more secure permissions.", + "advisory": "Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.", "cve": null, - "id": "pyup.io-37421", + "id": "pyup.io-38330", "specs": [ - "<19.8.3" + "<3.0.4" ], - "v": "<19.8.3" + "v": "<3.0.4" } ], - "python-smooch": [ + "sphinx-paragraph-extractor": [ { - "advisory": "Python-smooch 1.0.4 bumps requests gem due to CVE-2018-18074.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36604", + "advisory": "Sphinx-paragraph-extractor 1.0.4 updates dependencies for security reasons.", + "cve": null, + "id": "pyup.io-37082", "specs": [ "<1.0.4" ], "v": "<1.0.4" } ], - "python-socketio": [ + "sphinx-wagtail-theme": [ { - "advisory": "Python-socketio 4.3.0 addresses potential websocket cross-origin attacks. 
See: .", + "advisory": "Sphinx-wagtail-theme 4.3.0 updates yarn.lock for security reasons.", "cve": null, - "id": "pyup.io-37308", + "id": "pyup.io-40027", "specs": [ "<4.3.0" ], "v": "<4.3.0" } ], - "python-zeep": [ + "spintest": [ { - "advisory": "python-zeep 0.4.0 adds defusedxml module for XML security issues.", + "advisory": "spintest 0.2.0 renders the UUID Token invisible in the log to avoid security violation, when spintest is used during the CI/CD tools", "cve": null, - "id": "pyup.io-36504", + "id": "pyup.io-37859", "specs": [ - "<0.4.0" + "<0.2.0" ], - "v": "<0.4.0" + "v": "<0.2.0" } ], - "python3-ldap": [ + "splash": [ { - "advisory": "python3-ldap before 0.9.5.4 has a security issue in lazy connections.", + "advisory": "splash before 2.0.1 is vulnerable to a XSS attack in HTTP UI.", "cve": null, - "id": "pyup.io-26089", + "id": "pyup.io-26140", "specs": [ - "<0.9.5.4" + "<2.0.1" ], - "v": "<0.9.5.4" + "v": "<2.0.1" + }, + { + "advisory": "In splash before 2.3.2 xvfb binds to ports in the range 6000-6200 on all available interfaces.", + "cve": null, + "id": "pyup.io-33045", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" } ], - "python3-saml": [ + "splunk-sdk": [ { - "advisory": "python3-saml before 1.1.4 is vulnerable to signature wrapping attacks.", - "cve": null, - "id": "pyup.io-26090", + "advisory": "Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.", + "cve": "CVE-2019-5729", + "id": "pyup.io-36969", "specs": [ - "<1.1.4" + "<1.6.6" ], - "v": "<1.1.4" - }, + "v": "<1.6.6" + } + ], + "spud": [ { - "advisory": "python3-saml 1.2.0 introduces several undisclosed security improvements.", + "advisory": "spud before 0.8 doesn't check permissions. 
Anybody could edit photos.", "cve": null, - "id": "pyup.io-26091", + "id": "pyup.io-26141", "specs": [ - "<1.2.0" + "<0.8" ], - "v": "<1.2.0" - }, + "v": "<0.8" + } + ], + "spyder-terminal": [ { - "advisory": "P{ython3-saml 1.2.6 now uses defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672)", - "cve": "CVE-2017-9672", - "id": "pyup.io-34782", + "advisory": "Spyder-terminal 0.3.1 resolves several vulnerabilities. See: .", + "cve": null, + "id": "pyup.io-39132", "specs": [ - "<1.2.6" + "<0.3.1" ], - "v": "<1.2.6" - }, + "v": "<0.3.1" + } + ], + "sqlalchemy": [ { - "advisory": "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.", - "cve": "CVE-2017-11427", - "id": "pyup.io-35780", + "advisory": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. See: CVE-2019-7164.", + "cve": "CVE-2019-7164", + "id": "pyup.io-38497", "specs": [ - "<1.4.0" + "<=1.2.17", + ">=1.3.0b1,<=1.3.0b2" ], - "v": "<1.4.0" + "v": "<=1.2.17,>=1.3.0b1,<=1.3.0b2" }, { - "advisory": "Python3-saml 1.5.0 contains security improvements to prevent XPath injection. It also disables DTD on the fromstring defusedxml method.", - "cve": null, - "id": "pyup.io-39454", + "advisory": "SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled. 
See: CVE-2019-7548.", + "cve": "CVE-2019-7548", + "id": "pyup.io-38496", "specs": [ - "<1.5.0" + "==1.2.17" ], - "v": "<1.5.0" + "v": "==1.2.17" } ], - "pytorch-lightning": [ + "sqlalchemy-cockroachdb": [ { - "advisory": "Pytorch-lightning 0.9.0 fixes a shell injection vulnerability in a subprocess call.", + "advisory": "Sqlalchemy-cockroachdb 0.3.2 updates urllib3 to remove a security vulnerability.", "cve": null, - "id": "pyup.io-38707", + "id": "pyup.io-38405", "specs": [ - "<0.9.0" + "<0.3.2" ], - "v": "<0.9.0" + "v": "<0.3.2" } ], - "pytrackdat": [ + "sqlathanor": [ { - "advisory": "Pytrackdat 0.2.0 validates the security of the administrator passwords.", + "advisory": "Sqlathanor 0.5.0 updates the ``requirements.txt`` (which does not actually indicate utilization dependencies, and instead indicates development dependencies) to upgrade a number of libraries that had recently had security vulnerabilities discovered.", "cve": null, - "id": "pyup.io-37141", + "id": "pyup.io-37403", "specs": [ - "<0.2.0" + "<0.5.0" ], - "v": "<0.2.0" + "v": "<0.5.0" } ], - "pytsite": [ + "sqlfluff": [ { - "advisory": "pytsite before 1.2 has a critical web login security issue.", + "advisory": "Sqlfluff 0.3.2 moves to `SandboxedEnvironment` rather than `Environment` for jinja templating for security.", "cve": null, - "id": "pyup.io-34825", + "id": "pyup.io-38270", "specs": [ - "<1.2" + "<0.3.2" ], - "v": "<1.2" + "v": "<0.3.2" } ], - "pyu4v": [ + "ssh-audit": [ { - "advisory": "Pyu4v 9.1.2.0 introduced the option to create a secure snapshot by means of `create_storage_group_snapshot`.", + "advisory": "Ssh-audit 2.2.0 re-classifies the very common `ssh-rsa` host key type as weak, due to practical SHA-1 attacks - see https://eprint.iacr.org/2020/014.pdf", "cve": null, - "id": "pyup.io-37914", + "id": "pyup.io-38046", "specs": [ - "<9.1.2.0" + "<2.2.0" ], - "v": "<9.1.2.0" + "v": "<2.2.0" } ], - "pyupdater": [ + "ssh-decorate": [ { - "advisory": "pyupdater before 0.20.0 is vulnerable 
to session fixation attacks and potentially cookie stealing.", + "advisory": "Ssh-decorate version 0.28 through 0.31 is known to contain a backdoor that steals SSH credentials.", "cve": null, - "id": "pyup.io-26092", + "id": "pyup.io-38498", "specs": [ - "<0.20.0" + ">=0.28,<=0.31" ], - "v": "<0.20.0" + "v": ">=0.28,<=0.31" } ], - "pyvcloud": [ + "ssh-mitm": [ { - "advisory": "Pyvcloud 20.0.0 fixes CVE-2017-18342: Replace yaml.load() with yaml.safe_load()", - "cve": "CVE-2017-18342", - "id": "pyup.io-36809", + "advisory": "ssh-mitm before 0.3.11", + "cve": null, + "id": "pyup.io-39436", "specs": [ - "<20.0.0" + "<0.3.11" ], - "v": "<20.0.0" + "v": "<0.3.11" }, { - "advisory": "Pyvcloud 20.1.0 includes a fix for a pyyaml vulnerability found in requirements.txt", - "cve": null, - "id": "pyup.io-37518", + "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6110 .", + "cve": "CVE-2019-6110", + "id": "pyup.io-39455", "specs": [ - "<20.1.0" + "<0.3.12" ], - "v": "<20.1.0" + "v": "<0.3.12" + }, + { + "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6111.", + "cve": "CVE-2019-6111", + "id": "pyup.io-39456", + "specs": [ + "<0.3.12" + ], + "v": "<0.3.12" + }, + { + "advisory": "Ssh-mitm 0.3.19 added support for CVE-2020-14145 (OpenSSH Client information leak).", + "cve": "CVE-2020-14145", + "id": "pyup.io-39504", + "specs": [ + "<0.3.19" + ], + "v": "<0.3.19" } ], - "pyvisa": [ + "sslyze": [ { - "advisory": "pyvisa before 0.9 has a undisclosed security vulnerability in visa.py.", + "advisory": "Sslyze 3.0.2 improves the check for HTTP security headers by adding support for HTTP redirections.", "cve": null, - "id": "pyup.io-26093", + "id": "pyup.io-38197", "specs": [ - "<0.9" + "<3.0.2" ], - "v": "<0.9" + "v": "<3.0.2" } ], - "pywbem": [ + "st2client": [ { - "advisory": "pywbem 0.13.0 increases the minimum required versions dependent Python\r\n packages in order to fix security issues with these packages.", - "cve": null, - "id": "pyup.io-36927", + 
"advisory": "StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name). See CVE-2021-28667.", + "cve": "CVE-2021-28667", + "id": "pyup.io-40034", "specs": [ - "<0.13.0" + "<3.4.1" ], - "v": "<0.13.0" - }, + "v": "<3.4.1" + } + ], + "starcluster": [ { - "advisory": "Pywbem 0.14.3 updates the following packages to address security vulnerabilities:\r\n\r\n* requests from 2.19.1 to 2.20.1 (when on Python 2.7 or higher)\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", + "advisory": "starcluster before 0.95.3 opens up the VPC to the internet by default which is a security risk and it requires a special VPC configuration (internet gateway attached to the VPC and a route to the gateway with dest CIDR block 0.0.0.0/0 associated with the VPC subnet). Configuring this automatically (which does not happen currently) would be a security risk and without this configuration StarCluster cannot connect to the VPC nodes even though they've been assigned a public IP.", "cve": null, - "id": "pyup.io-38577", + "id": "pyup.io-26142", "specs": [ - "<0.14.3" + "<0.95.3" ], - "v": "<0.14.3" - }, + "v": "<0.95.3" + } + ], + "stargate": [ { - "advisory": "Pywbem 0.17.0 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. 
On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", + "advisory": "stargate before 0.4 has several undisclosed security vulnerabilities.", "cve": null, - "id": "pyup.io-38576", + "id": "pyup.io-26143", "specs": [ - "<0.17.0" + "<0.4" ], - "v": "<0.17.0" - }, + "v": "<0.4" + } + ], + "staty": [ { - "advisory": "Pywbem 1.0.0 increases versions of the following packages to address security vulnerabilities:\r\n* requests from 2.19.1 to 2.20.1\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", + "advisory": "Staty 1.2.3 updates requirements to fix security issues.", "cve": null, - "id": "pyup.io-37517", + "id": "pyup.io-37049", "specs": [ - "<1.0.0" + "<1.2.3" ], - "v": "<1.0.0" - }, + "v": "<1.2.3" + } + ], + "stegano": [ { - "advisory": "To address security vulnerabilities, pywbem 1.0.0b1 increases the versions of requests (from 2.19.1 to 2.20.1), urllib3 (from 1.22 to 1.23), and bleach (from 2.1.0 to 2.1.4). These packages are only used for development of pywbem.\r\n\r\nAlso, pywbem 1.0.0b1 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", - "cve": null, - "id": "pyup.io-38444", + "advisory": "Stegano 0.8.6 fixes a potential security issue related to CVE-2018-18074.", + "cve": "CVE-2018-18074", + "id": "pyup.io-36625", "specs": [ - "<1.0.0b1" + "<0.8.6" ], - "v": "<1.0.0b1" - }, + "v": "<0.8.6" + } + ], + "stomp.py": [ { - "advisory": "Pywbem 1.2.0.dev1 increases the minimum version of 'PyYAML' to 5.2 on Python 3.4 and to 5.3.1 on Python 2.7 and >=3.5 to address security issues (- the relevant functions of PyYAML are not used by pywbem, though.) 
\r\n\r\nAdditionally, pywbem 1.2.0.dev1 increases the minimum version of 'urllib3' to 1.24.2 on Python 3.4 and to 1.25.9 on Python 2.7 and >=3.5 to address security issues. To support these versions of urllib3, the minimum version of\r\n'requests' was increased to 2.20.1 on Python 3.4 and to 2.22.0 on Python 2.7 and >=3.5.\r\n\r\nLastly, pywbem 1.2.0.dev1 increases the minimum versions of several other packages that are needed only for test or development of pywbem to address security issues. In particular: requests-toolbelt to 0.8.0; lxml to 4.6.2 (except for Python 3.4); pylint to 2.5.2 and astroid to 2.4.0 on Python >=3.5; typed-ast to 1.3.2 on Python 3.4; twine to 3.0.0 on Python >=3.6; pkginfo to 1.4.2; bleach to 3.1.2 on Python 3.4 and to 3.1.4 on Python 2.7 and Python >=3.5.", + "advisory": "Stomp.py 4.1.22 reduces verbosity in logging to not include headers unless debug level is turned on. This was a potential security issue as per: .", "cve": null, - "id": "pyup.io-39383", + "id": "pyup.io-37046", "specs": [ - "<1.2.0.dev1" + "<4.1.22" ], - "v": "<1.2.0.dev1" + "v": "<4.1.22" } ], - "pywbemtools": [ + "stork": [ { - "advisory": "Pywbemtools 0.6.0 increases the minimum versions of some packages used for development to address security issues: twine, bleach, urllib3.", + "advisory": "Stork 3.0.1 includes re-compiled dependencies to fix a security issue in a pinned dependency.", "cve": null, - "id": "pyup.io-38169", + "id": "pyup.io-38611", "specs": [ - "<0.6.0" + "<3.0.1" ], - "v": "<0.6.0" + "v": "<3.0.1" } ], - "pywebsite": [ + "stormpath": [ { - "advisory": "pywebsite 0.1.14pre's signed_url method is now (more) immune to VS timing attacks.", + "advisory": "stormpath before 2.0.5 is using an insecure transitive dependency (pyjwt).", "cve": null, - "id": "pyup.io-26094", + "id": "pyup.io-26144", "specs": [ - "<0.1.14pre" + "<2.0.5" ], - "v": "<0.1.14pre" + "v": "<2.0.5" }, { - "advisory": "pywebsite before 0.1.9pre is vulnerable to length extension attacks, 
and value equivalence attacks.", + "advisory": "stormpath before 2.5.0 doesn't validate JWT correctly.", "cve": null, - "id": "pyup.io-26095", + "id": "pyup.io-26145", "specs": [ - "<0.1.9pre" + "<2.5.0" ], - "v": "<0.1.9pre" + "v": "<2.5.0" } ], - "pywikibot": [ + "stormpath-sdk": [ { - "advisory": "Pywikibot 3.0.20181203 require requests version 2.20.0 or later for security reasons.", + "advisory": "stormpath-sdk before 2.5.0 doesn't validate JWT correctly.", "cve": null, - "id": "pyup.io-38151", + "id": "pyup.io-26146", "specs": [ - "<3.0.20181203" + "<2.5.0" ], - "v": "<3.0.20181203" + "v": "<2.5.0" } ], - "pywren-ibm-cloud": [ - { - "advisory": "Pywren-ibm-cloud 1.0.1 fixes the flask security issues. See CVE-2018-1000656.", - "cve": "CVE-2018-1000656", - "id": "pyup.io-37480", - "specs": [ - "<1.0.1" - ], - "v": "<1.0.1" - }, + "streamlit": [ { - "advisory": "Pywren-ibm-cloud 1.0.19 fixes the CVE-2019-12855 security alert.", - "cve": "CVE-2019-12855", - "id": "pyup.io-37479", + "advisory": "The `server.address` config option in streamlit 0.57.0 binds the server to that address for added security.", + "cve": null, + "id": "pyup.io-38121", "specs": [ - "<1.0.19" + "<0.57.0" ], - "v": "<1.0.19" + "v": "<0.57.0" } ], - "pyxmlsecurity": [ + "streamsx-kafka": [ { - "advisory": "pyxmlsecurity 0.9 protects against wrapping attacks.", + "advisory": "streamsx-kafka 1.5.1 - resolves security vulnerabilities in third-party libs", "cve": null, - "id": "pyup.io-26096", + "id": "pyup.io-36807", "specs": [ - "<0.9" + "<1.5.1" ], - "v": "<0.9" + "v": "<1.5.1" } ], - "pyxnat": [ + "streamsx-objectstorage": [ { - "advisory": "Pyxnat 1.1.0.0 fixes a vulnerability by upgrading the `requests` package.", + "advisory": "streamsx-objectstorage 1.7.2 resolves security vulnerabilities in third-party libs #135", "cve": null, - "id": "pyup.io-37196", + "id": "pyup.io-36618", "specs": [ - "<1.1.0.0" + "<1.7.0" ], - "v": "<1.1.0.0" + "v": "<1.7.0" } ], - "pyyaml": [ + "streamsx.messagehub": 
[ { - "advisory": "Pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.", - "cve": "CVE-2017-18342", - "id": "pyup.io-36333", + "advisory": "streamsx.messagehub 1.5.1 resolves security vulnerabilities in third-party libs", + "cve": null, + "id": "pyup.io-36727", "specs": [ - "<4" + "<1.5.1" ], - "v": "<4" - }, + "v": "<1.5.1" + } + ], + "substra": [ { - "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. See: CVE-2020-1747.", - "cve": "CVE-2020-1747", - "id": "pyup.io-38100", + "advisory": "Substra 0.0.19 fixes a vulnerability in lodash.", + "cve": null, + "id": "pyup.io-38835", "specs": [ - "<5.3.1" + "<0.0.19" ], - "v": "<5.3.1" - }, + "v": "<0.0.19" + } + ], + "suds": [ { - "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. 
See CVE-2020-14343.", - "cve": "CVE-2020-14343", - "id": "pyup.io-39611", + "advisory": "cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.", + "cve": "CVE-2013-2217", + "id": "pyup.io-35433", "specs": [ - "<5.4" + "<=0.4" ], - "v": "<5.4" - }, + "v": "<=0.4" + } + ], + "suds-community": [ { - "advisory": "CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.", - "cve": "CVE-2019-20477", - "id": "pyup.io-38639", + "advisory": "suds-community 0.7.0 fixes `FileCache` default cache location related security issue.", + "cve": "CVE-2013-2217", + "id": "pyup.io-36562", "specs": [ - ">=5.1,<=5.1.2" + "<0.7.0" ], - "v": ">=5.1,<=5.1.2" + "v": "<0.7.0" } ], - "qi-jabberhelpdesk": [ + "superdesk-planning": [ { - "advisory": "qi-jabberhelpdesk 0.30 includes unspecified security fixes, some vulnerable xml-rpc calls fixed. [ggozad]", + "advisory": "Superdesk-planning 2.0.2 includes a security patch which requires authentication for all API endpoints.", "cve": null, - "id": "pyup.io-36052", + "id": "pyup.io-39688", "specs": [ - "<0.30" + "<2.0.2" ], - "v": "<0.30" + "v": "<2.0.2" } ], - "qi.jabberhelpdesk": [ + "superset": [ { - "advisory": "qi.jabberhelpdesk before 0.30 has several undisclosed vulnerabilities in xml-rpc calls.", + "advisory": "Superset 0.11.0a allows for requesting access when denied on a dashboard view (#1192). 
It also allows to set static headers as configuration (#1126) and prevents XSS on FAB list views (#1125).", "cve": null, - "id": "pyup.io-26097", + "id": "pyup.io-26147", "specs": [ - "<0.30" + "<0.11.0a" ], - "v": "<0.30" - } - ], - "qlib": [ + "v": "<0.11.0a" + }, { - "advisory": "This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function. See CVE-2021-23338.", - "cve": "CVE-2021-23338", - "id": "pyup.io-39620", + "advisory": "Superset 0.14.0a improves jinja2 security by using SandboxedEnvironment (#1632) and improves the security scheme (#1587).", + "cve": null, + "id": "pyup.io-37486", "specs": [ - ">=0.0.0" + "<0.14.0a" ], - "v": ">=0.0.0" - } - ], - "quandl-fund-xlsx": [ + "v": "<0.14.0a" + }, { - "advisory": "quandl-fund-xlsx 0.2.1 - Minor security fix, requests version now >=2.20.0", + "advisory": "Superset 0.19.1a prevents XSS markup viz (#3211).", "cve": null, - "id": "pyup.io-36655", + "id": "pyup.io-37487", "specs": [ - "<0.2.1" + "<0.19.1a" ], - "v": "<0.2.1" - } - ], - "quart": [ + "v": "<0.19.1a" + }, { - "advisory": "Quart 0.4.0 allows the request to be limited to prevent DOS attacks.", + "advisory": "Superset 0.23.0a bumps dependencies with security issues (#4427). 
It also fixes 4 security vulnerabilities (#4390) and adds all derived FAB UserModelView views to admin only (#4180).", "cve": null, - "id": "pyup.io-39235", + "id": "pyup.io-36204", "specs": [ - "<0.4.0" + "<0.23.0a" ], - "v": "<0.4.0" + "v": "<0.23.0a" }, { - "advisory": "Quart 0.5.0 refactors to mitigate DOS attacks.", + "advisory": "Superset 0.29.0rc8a secures unsecured views and prevent regressions (#6553).", "cve": null, - "id": "pyup.io-39234", + "id": "pyup.io-37488", "specs": [ - "<0.5.0" + "<0.29.0rc8a" ], - "v": "<0.5.0" - } - ], - "quilt": [ + "v": "<0.29.0rc8a" + }, { - "advisory": "quilt 2.9.14 updates urllib3 version for security patch", + "advisory": "Superset 0.32.0rc2.dev2a includes new, deprecate merge_perm. Also, the FAB method is fixed (#7355).", "cve": null, - "id": "pyup.io-36749", + "id": "pyup.io-26584", "specs": [ - "<2.9.14" + "<0.32.0rc2.dev2a" ], - "v": "<2.9.14" - } - ], - "quintagroup-seoptimizer": [ + "v": "<0.32.0rc2.dev2a" + }, { - "advisory": "quintagroup-seoptimizer 3.0.4 fixes a security issue for SEO Property action and view\r\n http://plone.org/products/plone-seo/issues/24", + "advisory": "Superset 0.33.0rc1a adds Flask-Talisman (#7443).", "cve": null, - "id": "pyup.io-36006", + "id": "pyup.io-37485", "specs": [ - "<3.0.4" - ], - "v": "<3.0.4" - } - ], - "quintagroup.seoptimizer": [ + "<0.33.0rc1a" + ], + "v": "<0.33.0rc1a" + }, { - "advisory": "quintagroup.seoptimizer before 3.0.4 has a security issue for SEO Property action and view.", + "advisory": "Superset 0.34.0a adds docstrings and type hints (#7952), and bumps python libs, addressing insecure releases (#7550).", "cve": null, - "id": "pyup.io-26098", + "id": "pyup.io-26602", "specs": [ - "<3.0.4" + "<0.34.0a" ], - "v": "<3.0.4" + "v": "<0.34.0a" } ], - "qurro": [ + "superset-hand": [ { - "advisory": "The text boxes in qurro 0.4.0 describing the currently-selected numerator / denominator features are now \"read-only\" (you can't edit them while using Qurro). 
This should remove any vulnerability to accidental edits of these text boxes.", + "advisory": "superset-hand before 0.11.0 is vulnerable to a XSS attack on FAB list views.", "cve": null, - "id": "pyup.io-37374", + "id": "pyup.io-26148", "specs": [ - "<0.4.0" + "<0.11.0" ], - "v": "<0.4.0" + "v": "<0.11.0" } ], - "qutebrowser": [ + "superset-tddv": [ { - "advisory": "Qutebrowser 1.0.3 ships with PyQt 5.9.1 and Qt 5.9.2 which includes security fixes from Chromium up to version 61.0.3163.79.", + "advisory": "superset-tddv before 0.11.0 is vulnerable to a XSS attack on FAB list views.", "cve": null, - "id": "pyup.io-35044", + "id": "pyup.io-26149", "specs": [ - "<1.0.3" + "<0.11.0" ], - "v": "<1.0.3" - }, + "v": "<0.11.0" + } + ], + "supervisor": [ { - "advisory": "Qutebrowser 1.1.2 ships with Qt 5.10.1 which includes security fixes from Chromium up to version 64.0.3282.140.", + "advisory": "In supervisor before 3.3.3 (fix backported to 3.2.4, 3.1.4 and 3.0.1) a vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root. See https://github.com/Supervisor/supervisor/issues/964 for details.", "cve": null, - "id": "pyup.io-35786", + "id": "pyup.io-34840", "specs": [ - "<1.1.2" + ">=3.3,<3.3.3", + ">=3.2,<3.2.4", + ">=3.1,<3.1.4", + "<3.0.1" ], - "v": "<1.1.2" - }, + "v": ">=3.3,<3.3.3,>=3.2,<3.2.4,>=3.1,<3.1.4,<3.0.1" + } + ], + "svglib": [ { - "advisory": "Qutebrowser 1.11.1 includes a fix for CVE-2020-11054: After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). 
While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security. This is now fixed.", - "cve": "CVE-2020-11054", - "id": "pyup.io-38266", + "advisory": "The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. See: CVE-2020-10799.", + "cve": "CVE-2020-10799", + "id": "pyup.io-38089", "specs": [ - "<1.11.1" + "<=0.9.3" ], - "v": "<1.11.1" - }, + "v": "<=0.9.3" + } + ], + "swauth": [ { - "advisory": "The Windows and macOS releases of Qutebrowser 1.14.1 ship Qt 5.15.2, which is based on Chromium 83.0.4103.122 with security fixes up to 86.0.4240.183. This includes CVE-2020-15999 in the bundled freetype library, which is known to be exploited in the wild.", + "advisory": "swauth before 1.1.0 has multiple undisclosed security vulnerabilities.", "cve": null, - "id": "pyup.io-39227", + "id": "pyup.io-26150", "specs": [ - "<1.14.1" + "<1.1.0" ], - "v": "<1.14.1" - }, + "v": "<1.1.0" + } + ], + "swift": [ { - "advisory": "In qutebrowser 1.3.0, support for JavaScript Shared Web Workers has been disabled on Qt versions older than 5.11 because of security issues in Chromium. You can get the same effect in earlier versions via `:set qt.args ['disable-shared-workers']`. An equivalent workaround is also contained in Qt 5.9.5 and 5.10.1.", - "cve": null, - "id": "pyup.io-36929", + "advisory": "swift before 2.6.0 is vulnerable to an attack where an unfinished read of a large object would leak a socket file descriptor and a small amount of memory. (CVE-2016-0738)", + "cve": "CVE-2016-0738", + "id": "pyup.io-26151", "specs": [ - "<1.3.0" + "<2.6.0" ], - "v": "<1.3.0" + "v": "<2.6.0" }, { - "advisory": "In qutebrowser 1.3.3, an XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. 
If you're currently unable to upgrade, avoid using `:history`. See CVE-2018-1000559.", - "cve": "CVE-2018-1000559", - "id": "pyup.io-37812", + "advisory": "OpenStack Swift as of 2013-12-15 mishandles PYTHON_EGG_CACHE. See: CVE-2013-7109.\r\n\r\nConcerns about this vulnerability were minor, and the affected versions are not clear. See: .", + "cve": "CVE-2013-7109", + "id": "pyup.io-37917", "specs": [ - "<1.3.3" + ">=1.0.2,<2.15.2" ], - "v": "<1.3.3" - }, + "v": ">=1.0.2,<2.15.2" + } + ], + "swifter": [ { - "advisory": "Qutebrowser 1.4.0 ships with Qt 5.11.1 in the macOS and Windows releases, which are based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87. The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.", + "advisory": "Swifter 0.292 fixes a known security vulnerability in parso <= 0.4.0 by requiring parso > 0.4.0", "cve": null, - "id": "pyup.io-36294", + "id": "pyup.io-37369", "specs": [ - "<1.4.0" + "<0.292" ], - "v": "<1.4.0" - }, + "v": "<0.292" + } + ], + "syft": [ { - "advisory": "Qutebrowser 1.4.1 fixes the CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See https://github.com/qutebrowser/qutebrowser/issues/4060 and CVE-2018-10895.", - "cve": "CVE-2018-10895", - "id": "pyup.io-36970", + "advisory": "Syft 0.2.3:\r\n* Fixes a potential security issue with unsafe YAML loading\r\n* Removes an insecure eval in native tensor interpreter", + "cve": null, + "id": "pyup.io-37958", "specs": [ - "<1.4.1" + "<0.2.3" ], - "v": "<1.4.1" + "v": "<0.2.3" }, { - "advisory": "Qutebrowser 1.5.0 ships with Python 3.7, PyQt 5.11.3 and Qt 5.11.2. 
QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and various other fixes.", + "advisory": "syft 0.2.3.a1 removes an insecure eval in native tensor interpreter", "cve": null, - "id": "pyup.io-36521", + "id": "pyup.io-37930", "specs": [ - "<1.5.0" + "<0.2.3.a1" ], - "v": "<1.5.0" - }, + "v": "<0.2.3.a1" + } + ], + "synapse": [ { - "advisory": "Qutebrowser 1.6.0 ships with Qt 5.12.1 which is based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94.", - "cve": null, - "id": "pyup.io-36199", + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation. See CVE-2021-21274.", + "cve": "CVE-2021-21274", + "id": "pyup.io-39662", "specs": [ - "<1.6.0" + "<1.25.0" ], - "v": "<1.6.0" + "v": "<1.25.0" }, { - "advisory": "Qutebrowser 1.6.1 ships with Qt 5.12.2 in the macOS and Windows releases, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild).", - "cve": "CVE-2019-5786", - "id": "pyup.io-36280", + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. 
In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary. See CVE-2021-21273.", + "cve": "CVE-2021-21273", + "id": "pyup.io-39661", "specs": [ - "<1.6.1" + "<1.25.0" ], - "v": "<1.6.1" + "v": "<1.25.0" }, { - "advisory": "Qutebrowser 1.6.2 ships with Qt 5.12.3 in the macOS and Windows releases, which includes security fixes up to Chromium 73.0.3683.75.", - "cve": null, - "id": "pyup.io-37120", + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0. 
See CVE-2021-21333.", + "cve": "CVE-2021-21333", + "id": "pyup.io-40107", "specs": [ - "<1.6.2" + "<1.27.0" ], - "v": "<1.6.2" + "v": "<1.27.0" }, { - "advisory": "Qutebrowser 1.7.0 ships with Qt 5.12.4 in the macOS and Windows releases, which includes security fixes up to Chromium 74.0.3729.157.", - "cve": null, - "id": "pyup.io-37507", + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0. See CVE-2021-21332.", + "cve": "CVE-2021-21332", + "id": "pyup.io-40106", "specs": [ - "<1.7.0" + "<1.27.0" ], - "v": "<1.7.0" - }, + "v": "<1.27.0" + } + ], + "synse": [ { - "advisory": "Qutebrowser 1.8.0 ships with Qt 5.13.0 and QtWebEngine 5.13.1 in the macOS releases (based on Chromium 73.0.3683.105), and Qt/QtWebEngine 5.12.5 in the Windows release (based on Chromium 69.0.3497.128), which both include security fixes up to Chromium 76.0.3809.87.", + "advisory": "Synse 2.1.2 updates dependencies to fix a security vulnerability. See: .", "cve": null, - "id": "pyup.io-37506", + "id": "pyup.io-38512", "specs": [ - "<1.8.0" + "<2.1.2" ], - "v": "<1.8.0" + "v": "<2.1.2" }, { - "advisory": "Qutebrowser 1.8.1 ships with Qt/QtWebEngine 5.12.5 in the macOS and Windows releases, which are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87.", - "cve": null, - "id": "pyup.io-37511", + "advisory": "Synse v2.2.4 updates requests dep for CVE-2018-18074. 
See: .", + "cve": "CVE-2018-18074", + "id": "pyup.io-38511", "specs": [ - "<1.8.1" + "<2.2.4" ], - "v": "<1.8.1" + "v": "<2.2.4" }, { - "advisory": "Qutebrowser 1.8.2 ships with Qt 5.12.6 in the macOS and Windows releases, which includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78.", - "cve": "CVE-2019-13720", - "id": "pyup.io-36433", + "advisory": "Synse 2.2.6 updates pyyaml version for CVE-2017-18342. See: .", + "cve": "CVE-2017-18342", + "id": "pyup.io-37393", "specs": [ - "<1.8.2" + "<2.2.6" ], - "v": "<1.8.2" + "v": "<2.2.6" } ], - "radicale": [ + "tablib": [ { - "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.", - "cve": null, - "id": "pyup.io-33323", + "advisory": "An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.", + "cve": "CVE-2017-2810", + "id": "pyup.io-35731", "specs": [ - "<1.1.2" + "<0.11.4" ], - "v": "<1.1.2" + "v": "<0.11.4" } ], - "raiden": [ + "tahoe-lafs": [ { - "advisory": "Raiden 0.10.0 fixes a security issue where an attacker could eavesdrop Matrix communications between two nodes in private rooms.", + "advisory": "tahoe-lafs before 1.2.0 doesn't make the immutable-file \"ciphertext hash tree\" mandatory.", "cve": null, - "id": "pyup.io-37316", + "id": "pyup.io-26152", "specs": [ - "<0.10.0" + "<1.2.0" ], - "v": "<0.10.0" + "v": "<1.2.0" }, { - "advisory": "The Monitoring Service database in raiden before 0.2.0 (before 0.100.5.dev0) is vulnerable to timing based Monitoring Request injection. 
See .", + "advisory": "tahoe-lafs before 1.4.1 is vulnerable to timing attacks due to our use of strcmp against the write-enabler.", "cve": null, - "id": "pyup.io-37364", + "id": "pyup.io-26153", "specs": [ - "<0.2.0", - ">=0.100,<0.100.5.dev0" + "<1.4.1" ], - "v": "<0.2.0,>=0.100,<0.100.5.dev0" + "v": "<1.4.1" }, { - "advisory": "Raiden 0.4.1 prevents DOS attacks and race conditions that caused client crashes.", - "cve": null, - "id": "pyup.io-38520", - "specs": [ - "<0.4.1" - ], - "v": "<0.4.1" - } - ], - "raiden-services": [ - { - "advisory": "In raiden-services before 0.2.0 , the Monitoring Service database was vulnerable to timing-based Monitoring Request injection. See: .", + "advisory": "tahoe-lafs before 1.8.3 has a flaw that would allow a person who knows a storage index of a file to delete shares of that file.", "cve": null, - "id": "pyup.io-37317", + "id": "pyup.io-26154", "specs": [ - "<0.2.0" + "<1.8.3" ], - "v": "<0.2.0" - } - ], - "ramlwrap": [ + "v": "<1.8.3" + }, { - "advisory": "Ramlwrap 2.2.2 updates PyYAML to a more secure version.", + "advisory": "tahoe-lafs before 1.9.1 has a flaw that would allow servers to cause undetected corruption when\r\n retrieving the contents of mutable files (both SDMF and MDMF).", "cve": null, - "id": "pyup.io-38298", - "specs": [ - "<2.2.2" - ], - "v": "<2.2.2" - } - ], - "rasa": [ - { - "advisory": "Rasa 1.10.0 updates the pyyaml dependency to 5.3.1 to fix CVE-2020-1747.", - "cve": "CVE-2020-1747", - "id": "pyup.io-38230", + "id": "pyup.io-26155", "specs": [ - "<1.10.0" + "<1.9.1" ], - "v": "<1.10.0" - }, + "v": "<1.9.1" + } + ], + "tapestry": [ { - "advisory": "The slack connector in rasa 2.1.0 changes the configuration for 'slack_signing_secret' to make the connector more secure (issue 7204). 
The configuration value needs to be added to your 'credentials.yml' if you are using the slack connector.", + "advisory": "Tapestry 1.1.0 closed the security issue which could result in recovery from unauthenticated blocks without warning the user.", "cve": null, - "id": "pyup.io-39308", + "id": "pyup.io-39374", "specs": [ - "<2.1.0" + "<1.1.0" ], - "v": "<2.1.0" + "v": "<1.1.0" } ], - "rasa-sdk": [ + "tapipy": [ { - "advisory": "Rasa 1.10.0 updates the pyyaml dependency to 5.3.1 to fix CVE-2020-1747.", - "cve": "CVE-2020-1747", - "id": "pyup.io-38229", + "advisory": "Tapipy 0.3.10 removes the 'cyptography' package dependency as it had security flaws and was not used.", + "cve": null, + "id": "pyup.io-40092", "specs": [ - "<1.10.0" + "<0.3.10" ], - "v": "<1.10.0" + "v": "<0.3.10" } ], - "rauth": [ + "taskcluster": [ { - "advisory": "rauth before 0.7.0 isn't using a secure random number generator.", + "advisory": "Taskcluster 24.1.3 fixes a possible XSS vulnerability with the lazylog viewer - see: http://bugzil.la/1605933", "cve": null, - "id": "pyup.io-26099", + "id": "pyup.io-37675", "specs": [ - "<0.7.0" + "<24.1.3" ], - "v": "<0.7.0" + "v": "<24.1.3" } ], - "raylib": [ + "tbats": [ { - "advisory": "Raylib 1.1.1 adds a security check if a file doesn't exist - [textures]", + "advisory": "Tbats 1.0.7 upgrades its dependencies due to an vulnerability in Jinja2. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", "cve": null, - "id": "pyup.io-37166", + "id": "pyup.io-37051", "specs": [ - "<1.1.1" + "<1.0.7" ], - "v": "<1.1.1" + "v": "<1.0.7" }, { - "advisory": "Raylib 1.2 adds a security check in case deployed vertex excess buffer size - [rlgl]", - "cve": null, - "id": "pyup.io-37165", + "advisory": "Tbats 1.0.8 upgrades its dependencies due to an vulnerability in urllib3. 
See CVE-2019-11324.", + "cve": "CVE-2019-11324", + "id": "pyup.io-37336", "specs": [ - "<1.2" + "<1.0.8" ], - "v": "<1.2" + "v": "<1.0.8" } ], - "rchitect": [ + "td-ameritrade-python-api": [ { - "advisory": "Rchitect 0.3.28 includes a new environment variable to stop reticulate code injection.", + "advisory": "Td-ameritrade-python-api 0.3.2 no longer auto-generates 'credentials.json' in the utility folder out of a concern for security. Instead, the user must specify where they would like to cache their refresh token.", "cve": null, - "id": "pyup.io-38971", + "id": "pyup.io-39230", "specs": [ - "<0.3.28" + "<0.3.2" ], - "v": "<0.3.28" + "v": "<0.3.2" } ], - "rdiff-backup": [ + "telegram-stats-bot": [ { - "advisory": "Version 0.5.0 increased rdiff-backup's security by using popen2.Popen3 and os.spawnvp instead of os.popen and os.system.", + "advisory": "Telegram-stats-bot 0.3.1 bumps crypography requirement to address a security vulnerability.", "cve": null, - "id": "pyup.io-38068", + "id": "pyup.io-39382", "specs": [ - "<0.5.0" + "<0.3.1" ], - "v": "<0.5.0" - }, + "v": "<0.3.1" + } + ], + "telemeta": [ { - "advisory": "Rdiff-backup 0.9.3 adds some security features to the protocol, so rdiff-backup will now only allow commands from remote connections. 
The extra security will be enabled automatically on the client (it knows what to expect), but\r\nthe extra switches --restrict, --restrict-update-only, and --restrict-read-only have been added for use with --server.", + "advisory": "telemeta before 1.4.31 has a undisclosed security vulnerability in TELEMETA_EXPORT_CACHE_DIR.", "cve": null, - "id": "pyup.io-38067", + "id": "pyup.io-26156", "specs": [ - "<0.9.3" + "<1.4.31" ], - "v": "<0.9.3" - }, + "v": "<1.4.31" + } + ], + "teleserver": [ { - "advisory": "Rdiff-backup 1.0.2 includes a fix for a spurious security violation from --create-full-path and a fix for bug 14545 which was introduced in version 1.0.1: Quoting caused a spurious security violation.", + "advisory": "Teleserver 2.2.0 increases the security by implementing better user verification. Now there are three ways of accessing teleserver: with GUI credentials, with service principal generated from system tab or with temporary token created via /login route of API.", "cve": null, - "id": "pyup.io-38064", + "id": "pyup.io-38021", "specs": [ - "<1.0.2" + "<2.2.0" ], - "v": "<1.0.2" - }, + "v": "<2.2.0" + } + ], + "telnet": [ { - "advisory": "Rdiff-backup 1.1.6 fixes a security violation when restoring from a remote repository.", + "advisory": "telnet is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", "cve": null, - "id": "pyup.io-38063", + "id": "pyup.io-34985", "specs": [ - "<1.1.6" + ">0", + "<0" ], - "v": "<1.1.6" + "v": ">0,<0" } ], - "readsettings": [ + "tendenci": [ { - "advisory": "Readsettings 3.3.1 replaces `yaml.load` with the more secure, `yaml.safe_load`.", + "advisory": "Tendenci 11.0.1 patches a security hole in payments that could potentially expose user data.", "cve": null, - "id": "pyup.io-37027", + "id": "pyup.io-38510", "specs": [ - "<3.3.1" + "<11.0.1" ], - "v": "<3.3.1" - } - ], - "recurly": [ + "v": "<11.0.1" + }, { - "advisory": "The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 
2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource.get\" method that could result in compromise of API keys or other critical resources.", - "cve": "CVE-2017-0906", - "id": "pyup.io-35697", + "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.", + "cve": null, + "id": "pyup.io-38940", "specs": [ - "<=2.6.2" + "<11.0.4" ], - "v": "<=2.6.2" - } - ], - "remme": [ + "v": "<11.0.4" + }, { - "advisory": "remme 0.2.1alpha reviewed and fixed security issues on token operations.", + "advisory": "tendenci 11.1.1 updates Django version to 1.11.20 to patch a security issue in django 1.11.18", "cve": null, - "id": "pyup.io-36973", + "id": "pyup.io-36888", "specs": [ - "<0.2.1alpha" + "<11.1.1" ], - "v": "<0.2.1alpha" + "v": "<11.1.1" }, { - "advisory": "Remme 0.5.0alpha upgrades py-cryptography to mitigate CVE-2018-10903.", - "cve": "CVE-2018-10903", - "id": "pyup.io-36971", + "advisory": "Tendenci 11.2.12 strips null bytes to avoid null byte injection attacks.", + "cve": null, + "id": "pyup.io-37350", "specs": [ - "<0.5.0-alpha" + "<11.2.12" ], - "v": "<0.5.0-alpha" - } - ], - "rendertron": [ + "v": "<11.2.12" + }, { - "advisory": "Rendertron 3.0.0 fixes a security issue with AppEngine deployments.", + "advisory": "Tendenci 11.2.8 upgrades bootstrap from 3.3.1 to 3.4.1. 
There are XSS vulnerabilities in version lower than 3.4.1.", "cve": null, - "id": "pyup.io-38571", + "id": "pyup.io-37150", "specs": [ - "<3.0.0" + "<11.2.8" ], - "v": "<3.0.0" - } - ], - "renku": [ + "v": "<11.2.8" + }, { - "advisory": "Renku version 0.4.0 fixes CVE-2017-18342.", - "cve": "CVE-2017-18342", - "id": "pyup.io-38552", + "advisory": "Tendenci 11.4.7 prevents unauthorized use of renewal URLs.", + "cve": null, + "id": "pyup.io-38509", "specs": [ - "<0.4.0" + "<11.4.7" ], - "v": "<0.4.0" + "v": "<11.4.7" }, { - "advisory": "Renku 0.6.0 updates the werkzeug package due to security concerns - see https://github.com/SwissDataScienceCenter/renku-python/issues/633", + "advisory": "Tendenci 11.4.9 handles the case in event registrations when management forms are tampered maliciously.", "cve": null, - "id": "pyup.io-37548", + "id": "pyup.io-38939", "specs": [ - "<0.6.0" + "<11.4.9" ], - "v": "<0.6.0" - } - ], - "repobee": [ + "v": "<11.4.9" + }, { - "advisory": "Repobee 0.4.0 adds a strict security policy to prevent malicious code from executing.", + "advisory": "Tendenci 12.0.5 removes .doc and .xls from the allowed file upload extensions for security reasons. Besides the general threats, determining the mime type for the .doc and .xls files (generated by old MS Word and MS Excel) requires feeding the entire file content due to their format not complying with the standard.", "cve": null, - "id": "pyup.io-38523", + "id": "pyup.io-38274", "specs": [ - "<0.4.0" + "<12.0.5" ], - "v": "<0.4.0" + "v": "<12.0.5" }, { - "advisory": "Repobee 1.3.2 uses git pull instead of git clone. 
This is a security update.", + "advisory": "Tendenci 12.2 updates Django version to 2.2.16, which fixes two security issues and two data loss bugs in version 2.2.15.", "cve": null, - "id": "pyup.io-38522", + "id": "pyup.io-38767", "specs": [ - "<1.3.2" + "<12.2" ], - "v": "<1.3.2" + "v": "<12.2" }, { - "advisory": "Repobee 2.0.2 includes a fix that filters out secure token from `show-config` command output [92aa5cf08cc08d2647a9f22bb6ff120cd5a88360].", + "advisory": "Tendenci 12.3.1 fixes a potential HTML Injection and XSS vulnerability in a few areas of the admin backend.", "cve": null, - "id": "pyup.io-37383", + "id": "pyup.io-38970", "specs": [ - "<2.0.2" + "<12.3.1" ], - "v": "<2.0.2" - } - ], - "reportlab": [ + "v": "<12.3.1" + }, { - "advisory": "ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with ' odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF. See CVE-2020-28463.", + "advisory": "Tendenci 7.4.0 disables GZipMiddleware to prevent BREACH attacks and prevents fraudulent simultaneous reuse of PayPal transactions.", "cve": null, - "id": "pyup.io-39642", + "id": "pyup.io-35055", "specs": [ - ">=0.0" + "<7.4.0" ], - "v": ">=0.0" + "v": "<7.4.0" } ], - "requests": [ + "teneto": [ { - "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. This fixes CVE-2014-1830.", - "cve": "CVE-2014-1830", - "id": "pyup.io-39575", + "advisory": "In teneto 0.4.5, save_tenetobids_snapshot to export current teneto settings. 
save_to_pickle (and corresponding load function) have been removed as they are not secure.", + "cve": null, + "id": "pyup.io-37550", "specs": [ - "<2.3.0" + "<0.4.5" ], - "v": "<2.3.0" - }, + "v": "<0.4.5" + } + ], + "tensorflow": [ { - "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. See: CVE-2014-1829.", + "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", "cve": null, - "id": "pyup.io-26101", + "id": "pyup.io-36375", "specs": [ - "<2.3.0" + "<1.10.0" ], - "v": "<2.3.0" + "v": "<1.10.0" }, { - "advisory": "requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", + "advisory": "Tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", "cve": null, - "id": "pyup.io-26102", + "id": "pyup.io-37167", "specs": [ - "<2.6.0" + "<1.12.2" ], - "v": "<2.6.0" + "v": "<1.12.2" }, { - "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36546", + "advisory": "The original changelog reads: \"Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.\" However, it was later confirmed that the fix was already included in 1.15 and later. 
See: .", + "cve": null, + "id": "pyup.io-37524", "specs": [ - "<=2.19.1" + "<1.15.0" ], - "v": "<=2.19.1" + "v": "<1.15.0" }, { - "advisory": "The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.", - "cve": "CVE-2015-2296", - "id": "pyup.io-26103", - "specs": [ - ">=2.1,<=2.5.3" - ], - "v": ">=2.1,<=2.5.3" - } - ], - "requests-kerberos": [ - { - "advisory": "requests-kerberos before 0.6 isn't handling mutual authentication correctly.", - "cve": null, - "id": "pyup.io-26104", + "advisory": "Tensorflow 1.15.3 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-11770", + "id": "pyup.io-39841", "specs": [ - "<0.6" + "<1.15.3" ], - "v": "<0.6" + "v": "<1.15.3" }, { - "advisory": "Python-requests-Kerberos through 0.5 does not handle mutual authentication. See: CVE-2014-8650 and .", - "cve": "CVE-2014-8650", - "id": "pyup.io-37758", + "advisory": "Tensorflow 1.15.3 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-17190", + "id": "pyup.io-39842", "specs": [ - "<=0.5" + "<1.15.3" ], - "v": "<=0.5" - } - ], - "resilient": [ + "v": "<1.15.3" + }, { - "advisory": "IBM Resilient OnPrem 38.2 could allow a privileged user to inject malicious commands through Python3 scripting. IBM X-Force ID: 185503. 
See CVE-2020-4636.", - "cve": "CVE-2020-4636", - "id": "pyup.io-38888", + "advisory": "Tensorflow 1.15.3 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39843", "specs": [ - "==38.2" + "<1.15.3" ], - "v": "==38.2" - } - ], - "responsibly": [ + "v": "<1.15.3" + }, { - "advisory": "Responsibly 0.0.3 fixes security issues with its dependencies.", - "cve": null, - "id": "pyup.io-37335", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2019-13960", + "id": "pyup.io-39844", "specs": [ - "<0.0.3" + "<1.15.3" ], - "v": "<0.0.3" - } - ], - "restauth": [ + "v": "<1.15.3" + }, { - "advisory": "restauth before 0.6.3 did not verify passwords for services when using SECURE_CACHE = True.", - "cve": null, - "id": "pyup.io-26105", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-20330", + "id": "pyup.io-39845", "specs": [ - "<0.6.3" + "<1.15.3" ], - "v": "<0.6.3" - } - ], - "restkit": [ + "v": "<1.15.3" + }, { - "advisory": "Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.", - "cve": "CVE-2015-2674", - "id": "pyup.io-35609", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-19664", + "id": "pyup.io-39846", "specs": [ - "<=4.2.2" + "<1.15.3" ], - "v": "<=4.2.2" - } - ], - "restrictedpython": [ + "v": "<1.15.3" + }, { - "advisory": "Restrictedpython 4.0 ships with a default implementation for ``_getattr_`` which prevents from using the ``format()`` method on str/unicode as it is not safe. 
See .\r\n\r\n **Caution:** If you do not already have secured the access to this ``format()`` method in your ``_getattr_`` implementation use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.", - "cve": null, - "id": "pyup.io-37433", + "advisory": "Tensorflow 1.15.3 updates `curl` to `7.69.1` to handle CVE-2019-15601.", + "cve": "CVE-2019-15601", + "id": "pyup.io-39847", "specs": [ - "<4.0" + "<1.15.3" ], - "v": "<4.0" - } - ], - "restview": [ + "v": "<1.15.3" + }, { - "advisory": "restview before 2.8.1 isn't properly checking the host header in HTTP requests, leading to possible DNS rebinding attacks. More info: https://github.com/mgedmin/restview/issues/51", - "cve": null, - "id": "pyup.io-35166", + "advisory": "Tensorflow 1.15.3 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39848", "specs": [ - "<2.8.1" + "<1.15.3" ], - "v": "<2.8.1" - } - ], - "ricloud": [ + "v": "<1.15.3" + }, { - "advisory": "ricloud 2.3.8 updates requests in requirements due to vulnerability discovery.", - "cve": null, - "id": "pyup.io-36723", + "advisory": "Tensorflow 1.15.3 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19244", + "id": "pyup.io-39849", "specs": [ - "<2.3.8" + "<1.15.3" ], - "v": "<2.3.8" - } - ], - "rinzler": [ + "v": "<1.15.3" + }, { - "advisory": "rinzler 2.0.5 includes a PyYAML vulnerability correction", - "cve": null, - "id": "pyup.io-36895", + "advisory": "Tensorflow 1.15.3 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19880", + "id": "pyup.io-38462", "specs": [ - "<2.0.5" + "<1.15.3" ], - "v": "<2.0.5" - } - ], - "river-admin": [ + "v": "<1.15.3" + }, { - "advisory": "River-admin 0.5.2 fixes a vulnerability issue with `serialize-javascript` dependency.", - "cve": null, - "id": "pyup.io-37698", + 
"advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39743", "specs": [ - "<0.5.2" + "<1.15.5" ], - "v": "<0.5.2" - } - ], - "robotraconteur": [ + "v": "<1.15.5" + }, { - "advisory": "robotraconteur 0.9.0 changes: The `LocalTransport` file handle locations have been moved for increased security", - "cve": null, - "id": "pyup.io-37221", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39745", "specs": [ - "<0.9.0" + "<1.15.5" ], - "v": "<0.9.0" - } - ], - "rope": [ + "v": "<1.15.5" + }, { - "advisory": "base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.", - "cve": "CVE-2014-3539", - "id": "pyup.io-36155", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39746", "specs": [ - "<0.10" + "<1.15.5" ], - "v": "<0.10" - } - ], - "rosdep": [ + "v": "<1.15.5" + }, { - "advisory": "Rosdep 0.15.2 migrates to yaml.safe_load to avoid yaml.load vulnerabilities.", - "cve": null, - "id": "pyup.io-39115", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). 
Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39747", "specs": [ - "<0.15.2" + "<1.15.5" ], - "v": "<0.15.2" - } - ], - "rotten-tomatoes-cli": [ + "v": "<1.15.5" + }, { - "advisory": "Rotten-tomatoes-cli 0.0.2 updates the `pyyaml`, `urllib3`, and `requests` dependencies to avoid security vulnerabilities.", - "cve": null, - "id": "pyup.io-37315", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39748", "specs": [ - "<0.0.2" + "<1.15.5" ], - "v": "<0.0.2" - } - ], - "roundup": [ + "v": "<1.15.5" + }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.", - "cve": "CVE-2012-6130", - "id": "pyup.io-33162", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). 
Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-15250", + "id": "pyup.io-39749", "specs": [ - "<1.4.20" + "<1.15.5" ], - "v": "<1.4.20" + "v": "<1.15.5" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1.", - "cve": "CVE-2012-6131", - "id": "pyup.io-33163", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39750", "specs": [ - "<1.4.20" + "<1.15.5" ], - "v": "<1.4.20" + "v": "<1.15.5" }, { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.", - "cve": "CVE-2012-6133", - "id": "pyup.io-37744", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39751", "specs": [ - "<1.4.20" + "<1.15.5" ], - "v": "<1.4.20" + "v": "<1.15.5" }, { - "advisory": "Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. See: CVE-2019-10904.", - "cve": "CVE-2019-10904", - "id": "pyup.io-37025", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). 
Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39410", "specs": [ - "==1.6" + "<1.15.5" ], - "v": "==1.6" - } - ], - "rpc4django": [ + "v": "<1.15.5" + }, { - "advisory": "rpc4django before 0.2.3 is vulnerable to billion laughs denial of service attack.", - "cve": null, - "id": "pyup.io-26108", + "advisory": "In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. 
See CVE-2020-26268.", + "cve": "CVE-2020-26268", + "id": "pyup.io-39265", "specs": [ - "<0.2.3" + "<1.15.5", + ">=2.0.0a0,<2.0.4", + ">=2.1.0rc0,<2.1.3", + ">=2.2.0rc0,<2.2.2", + ">=2.3.0rc0,<2.3.2", + ">=2.4.0rc0,<2.4.0", + ">=2.4.0rc0,<=2.4.0rc4" ], - "v": "<0.2.3" - } - ], - "rply": [ + "v": "<1.15.5,>=2.0.0a0,<2.0.4,>=2.1.0rc0,<2.1.3,>=2.2.0rc0,<2.2.2,>=2.3.0rc0,<2.3.2,>=2.4.0rc0,<2.4.0,>=2.4.0rc0,<=2.4.0rc4" + }, { - "advisory": "The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.", - "cve": "CVE-2014-1604", - "id": "pyup.io-35520", + "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-16168.", + "cve": "CVE-2019-16168", + "id": "pyup.io-39568", "specs": [ - "<0.7.1" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<0.7.1" + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" }, { - "advisory": "python-rply before 0.7.4 insecurely creates temporary files. 
See: CVE-2014-1938.", - "cve": "CVE-2014-1938", - "id": "pyup.io-37755", + "advisory": "Tensorflow 1.15.2 `sqlite3` to `3.30.01` to handle CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39569", "specs": [ - "<0.7.4" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<0.7.4" - } - ], - "rpyc": [ + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, { - "advisory": "Rpyc 4.1.2 includes a fix for CVE-2019-16328 which was caused by a missing protocol security check.", - "cve": "CVE-2019-16328", - "id": "pyup.io-37525", + "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39570", "specs": [ - "<4.1.2" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<4.1.2" - } - ], - "rs-django-jet": [ + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, { - "advisory": "rs-django-jet 1.0.4 fixes security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", - "cve": null, - "id": "pyup.io-36903", + "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-38039", "specs": [ - "<1.0.4" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<1.0.4" - } - ], - "rsa": [ + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, { - "advisory": "rsa 2.0 includes several undisclosed security improvements.", - "cve": null, - "id": "pyup.io-26109", + "advisory": "Tensorflow 1.15.2 and 2.0.1 update `sqlite3` to `3.30.01` to handle CVE-2019-19646.", + "cve": "CVE-2019-19646", + "id": "pyup.io-38038", "specs": [ - "<2.0" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<2.0" + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" }, { - "advisory": "The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.", - "cve": "CVE-2016-1494", - "id": "pyup.io-33164", + "advisory": "In TensorFlow before 
1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.", + "cve": "CVE-2020-5215", + "id": "pyup.io-37776", "specs": [ - "<3.3" + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], - "v": "<3.3" + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" }, { - "advisory": "rsa before 3.4 has a undisclosed side-channel vulnerability.", - "cve": null, - "id": "pyup.io-26112", + "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-16168.", + "cve": "CVE-2019-16168", + "id": "pyup.io-39541", "specs": [ - "<3.4" + ">=1.0.0,<1.15.2" ], - "v": "<3.4" + "v": ">=1.0.0,<1.15.2" }, { - "advisory": "Rsa 4.3 includes two security fixes:\r\n- Choose blinding factor relatively prime to N.\r\n- Reject cyphertexts (when decrypting) and signatures (when verifying) that have been modified by prepending zero bytes. 
This resolves CVE-2020-13757.", - "cve": "CVE-2020-13757", - "id": "pyup.io-38414", + "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-16164.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39542", "specs": [ - "<4.3" + ">=1.0.0,<1.15.2" ], - "v": "<4.3" + "v": ">=1.0.0,<1.15.2" }, { - "advisory": "Python-RSA 4.0 ignores leading '\\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). See CVE-2020-13757.", - "cve": "CVE-2020-13757", - "id": "pyup.io-38369", + "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39543", "specs": [ - "==4.0" + ">=1.0.0,<1.15.2" ], - "v": "==4.0" - } - ], - "rsanic": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "rsanic before 0.2.2 is vulnerable to XSS attacks.", - "cve": null, - "id": "pyup.io-33007", + "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to address CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39544", "specs": [ - "<0.2.2" + ">=1.0.0,<1.15.2" ], - "v": "<0.2.2" - } - ], - "rsconnect-jupyter": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "In addition to disabling TLS checking entirely, users in rsconnect-jupyter 1.3.0 have the option of uploading their own self-signed certificate bundle as a more secure TLS alternative.", - "cve": null, - "id": "pyup.io-38119", + "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to address CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39545", "specs": [ - "<1.3.0" + ">=1.0.0,<1.15.2" ], - "v": "<1.3.0" - } - ], - "rss2email": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "Rss2email 3.10 fixes SMTP security issues.", - "cve": null, - "id": "pyup.io-37430", + "advisory": "Tensorflow 1.15.2 
fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", + "cve": "CVE-2020-5215", + "id": "pyup.io-38549", "specs": [ - "<3.10" + ">=1.0.0,<1.15.2" ], - "v": "<3.10" - } - ], - "rtslib-fb": [ + "v": ">=1.0.0,<1.15.2" + }, { - "advisory": "Rtslib-fb 2.1.73 includes a fix for CVE-2020-14019.", - "cve": "CVE-2020-14019", - "id": "pyup.io-38468", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-15358", + "id": "pyup.io-39973", "specs": [ - "<2.1.73" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.1.73" - } - ], - "rtv": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "rtv before 1.12.1 has a security vulnerability where malicious URLs could inject python code.", - "cve": null, - "id": "pyup.io-26113", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13871", + "id": "pyup.io-39974", "specs": [ - "<1.12.1" + ">=1.15.0rc0,<1.15.4" ], - "v": "<1.12.1" - } - ], - "ruffruffs": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "ruffruffs 2.6.0 fixes handling of cookies on redirect. 
Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", - "cve": null, - "id": "pyup.io-26116", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13631", + "id": "pyup.io-39975", "specs": [ - "<2.6.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.6.0" - } - ], - "runway": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "Runway 1.16.0 has enhanced security via nonce signing (Static Site AuthEdge).", - "cve": null, - "id": "pyup.io-39085", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39976", "specs": [ - "<1.16.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<1.16.0" - } - ], - "s4": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "S4 0.4.2 upgrades boto3 to minimum requirement to fix a vulnerability in a urllib3 dependency.", - "cve": null, - "id": "pyup.io-37119", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13435", + "id": "pyup.io-39977", "specs": [ - "<0.4.2" + ">=1.15.0rc0,<1.15.4" ], - "v": "<0.4.2" - } - ], - "safety": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "safety before 1.8.4 included the cryptography version <2.3, which had a security vulnerability.", - "cve": null, - "id": "pyup.io-36367", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, 
CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13434", + "id": "pyup.io-39978", "specs": [ - "<1.8.4" + ">=1.15.0rc0,<1.15.4" ], - "v": "<1.8.4" - } - ], - "sagemaker-containers": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "Sagemaker-containers 2.8.2 updates a dependency for security reasons.", - "cve": null, - "id": "pyup.io-38087", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11656", + "id": "pyup.io-39979", "specs": [ - "<2.8.2" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.8.2" - } - ], - "salt": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "Salt 3000.4 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", - "cve": "CVE-2020-17490", - "id": "pyup.io-39574", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11655", + "id": "pyup.io-39980", "specs": [ - "<3000.4" + ">=1.15.0rc0,<1.15.4" ], - "v": "<3000.4" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3000.4 prevents shell injections in netapi SSH client (CVE-2020-16846).", - "cve": null, - "id": "pyup.io-39159", + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-9327", + "id": "pyup.io-39981", "specs": [ - "<3000.4" + ">=1.15.0rc0,<1.15.4" ], - "v": "<3000.4" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3001.1 updates PyYAML for security reasons. 
Additionally, psutil was updated due to CVE-2019-18874.", - "cve": "CVE-2019-18874", - "id": "pyup.io-38668", + "advisory": "Tensorflow 1.15.4 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39982", "specs": [ - "<3001.1" + ">=1.15.0rc0,<1.15.4" ], - "v": "<3001.1" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3001.2 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", - "cve": "CVE-2020-17490", - "id": "pyup.io-39573", + "advisory": "Tensorflow 1.15.4 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39983", "specs": [ - ">=3001,<3001.2" + ">=1.15.0rc0,<1.15.4" ], - "v": ">=3001,<3001.2" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3001.2 prevents shell injections in netapi SSH client (CVE-2020-16846).", - "cve": null, - "id": "pyup.io-39158", + "advisory": "Tensorflow 1.15.4 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39984", "specs": [ - ">=3001,<3001.2" + ">=1.15.0rc0,<1.15.4" ], - "v": ">=3001,<3001.2" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3002.1 properly validates eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. 
Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh (CVE-2020-25592).", - "cve": "CVE-2020-25592", - "id": "pyup.io-39571", + "advisory": "Tensorflow 1.15.4 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39985", "specs": [ - ">=3002,<3002.1" + ">=1.15.0rc0,<1.15.4" ], - "v": ">=3002,<3002.1" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3002.1 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", - "cve": "CVE-2020-17490", - "id": "pyup.io-39572", + "advisory": "Tensorflow 1.15.4 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39986", "specs": [ - ">=3002,<3002.1" + ">=1.15.0rc0,<1.15.4" ], - "v": ">=3002,<3002.1" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Salt 3002.1 prevents shell injections in netapi SSH client (CVE-2020-16846).", - "cve": null, - "id": "pyup.io-39157", + "advisory": "Tensorflow 1.15.4 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39987", "specs": [ - ">=3002,<3002.1" + ">=1.15.0rc0,<1.15.4" ], - "v": ">=3002,<3002.1" - } - ], - "salted": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "Salted 0.5.4 requires lxml version >= 4.6.2 as it fixes a vulnerability and works with Python 3.9.", - "cve": null, - "id": "pyup.io-39320", + "advisory": "Tensorflow 1.15.4 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39988", "specs": [ - "<0.5.4" + ">=1.15.0rc0,<1.15.4" ], - "v": "<0.5.4" - } - ], - "sanic-oauthlib": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "Sanic-oauthlib 0.5.0 mentions \"**Security bug** for access token via `#92`\". 
No other information was provided.", - "cve": null, - "id": "pyup.io-38524", + "advisory": "Tensorflow 1.15.4 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39989", "specs": [ - "<0.5.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<0.5.0" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Sanic-oauthlib 0.9.1 improves security in a not further specified way.", - "cve": null, - "id": "pyup.io-37397", + "advisory": "Tensorflow 1.15.4 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39990", "specs": [ - "<0.9.1" + ">=1.15.0rc0,<1.15.4" ], - "v": "<0.9.1" - } - ], - "satosa": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "satosa before 0.6.1 uses an insecure transitive dependency (pycrypto).", - "cve": null, - "id": "pyup.io-34714", + "advisory": "Tensorflow 1.15.4 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39991", "specs": [ - "<0.6.1" + ">=1.15.0rc0,<1.15.4" ], - "v": "<0.6.1" - } - ], - "sbp": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "sbp 2.4.2 updates mocha away from a security vulnerability in growl [\\575](https://github.com/swift-nav/libsbp/pull/575)", - "cve": null, - "id": "pyup.io-36695", + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39992", "specs": [ - "<2.4.2" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.4.2" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Sbp v2.6.5 pins minor rev versions, security fix for requests - see: https://github.com/swift-nav/libsbp/pull/709", - "cve": null, - "id": "pyup.io-36662", + "advisory": "Tensorflow 1.15.4 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": 
"pyup.io-39993", "specs": [ - "<2.6.5" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.6.5" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708)", - "cve": null, - "id": "pyup.io-37937", + "advisory": "Tensorflow 1.15.4 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39994", "specs": [ - "<2.7.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.7.0" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Sbp 2.7.0 updates requests to resolve security issue - see https://github.com/swift-nav/libsbp/pull/708", - "cve": null, - "id": "pyup.io-37642", + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39995", "specs": [ - "<2.7.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.7.0" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Sbp 3.1.1 fixes a JavaScript security warning. See: .", - "cve": null, - "id": "pyup.io-38393", + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39996", "specs": [ - "<2.8.0" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.8.0" - } - ], - "scalyr-agent-2": [ + "v": ">=1.15.0rc0,<1.15.4" + }, { - "advisory": "The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName. 
See: CVE-2020-24715.", - "cve": "CVE-2020-24715", - "id": "pyup.io-38724", + "advisory": "Tensorflow 1.15.4 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38818", "specs": [ - "<2.1.10" + ">=1.15.0rc0,<1.15.4" ], - "v": "<2.1.10" + "v": ">=1.15.0rc0,<1.15.4" }, { - "advisory": "Scalyr-agent-2 version 2.1.10 fixes two bugs which opened up the possibility for MITM attack if an attacker was able to spoof or control the DNS. Additionally, this version explicitly requests TLS v1.2, which makes the agent more robust against potential downgrade attacks when connecting to the Scalyr API. This is only true when running the agent under Python >= 2.7.9.", - "cve": null, - "id": "pyup.io-38807", + "advisory": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. See: CVE-2020-15207.", + "cve": "CVE-2020-15207", + "id": "pyup.io-38824", "specs": [ - "<2.1.10" + ">=1.15.0rc0,<1.15.4", + ">=2.0.0a0,<2.0.3", + ">=2.1.0rc0,<2.1.2", + ">=2.2.0rc0,<2.2.1", + ">=2.3.0rc0,<2.3.1" ], - "v": "<2.1.10" - } - ], - "scapy": [ + "v": ">=1.15.0rc0,<1.15.4,>=2.0.0a0,<2.0.3,>=2.1.0rc0,<2.1.2,>=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + }, { - "advisory": "Scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). 
The attack vector is: over the network or in a pcap. both work. See: CVE-2019-1010142.", - "cve": "CVE-2019-1010142", - "id": "pyup.io-37285", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39409", "specs": [ - "==2.4.0" + ">=2.0.0,<2.0.4" ], - "v": "==2.4.0" + "v": ">=2.0.0,<2.0.4" }, { - "advisory": "Scapy 2.4.2 addresses a Malicious Radius Attribute DoS vulnerability. See: .", - "cve": null, - "id": "pyup.io-37341", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39735", "specs": [ - ">=2.4.0,<2.4.2" + ">=2.0.0,<2.0.4" ], - "v": ">=2.4.0,<2.4.2" - } - ], - "sceptre": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "sceptre 2.3.0 fixes Jinja autoescape vulnerability", - "cve": null, - "id": "pyup.io-37821", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39736", "specs": [ - "<2.3.0" + ">=2.0.0,<2.0.4" ], - "v": "<2.3.0" - } - ], - "scons": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Scons 4.0.0 converts the remaining uses of an insecure/deprecated mktemp method.", - "cve": null, - "id": "pyup.io-38489", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). 
Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39737", "specs": [ - "<4.0.0" + ">=2.0.0,<2.0.4" ], - "v": "<4.0.0" - } - ], - "scrape": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Scrape 0.10.2 updates the 'lxml' dependency from 4.3.0 to 4.6.2. This is a security patch.", - "cve": null, - "id": "pyup.io-39424", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39738", "specs": [ - "<0.10.2" + ">=2.0.0,<2.0.4" ], - "v": "<0.10.2" - } - ], - "scrapydd": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Scrapydd 0.6.3 enhances the security by adding protection against cross-site request forgery.", - "cve": null, - "id": "pyup.io-37457", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). 
Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39739", "specs": [ - "<0.6.3" + ">=2.0.0,<2.0.4" ], - "v": "<0.6.3" - } - ], - "scvae": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "scvae 2.1.1 updates TensorFlow because of a security vulnerability.", - "cve": null, - "id": "pyup.io-37932", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-15250", + "id": "pyup.io-39740", "specs": [ - "<2.1.1" + ">=2.0.0,<2.0.4" ], - "v": "<2.1.1" - } - ], - "sdcclient": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Sdcclient 0.7.0 adds support for secure commands audit.", - "cve": null, - "id": "pyup.io-37050", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39741", "specs": [ - "<0.7.0" + ">=2.0.0,<2.0.4" ], - "v": "<0.7.0" - } - ], - "seed-auth-api": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Seed-auth-api 0.9.3 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37441", + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). 
Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39742", "specs": [ - "<0.9.3" + ">=2.0.0,<2.0.4" ], - "v": "<0.9.3" - } - ], - "seed-control-interface": [ + "v": ">=2.0.0,<2.0.4" + }, { - "advisory": "Seed-control-interface-service 0.9.16 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37440", + "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-16168.", + "cve": "CVE-2019-16168", + "id": "pyup.io-39536", "specs": [ - "<0.9.16" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.9.16" - } - ], - "seed-control-interface-service": [ + "v": ">=2.0.0a0,<2.0.1" + }, { - "advisory": "Seed-control-interface-service 0.9.6 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37442", + "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-19646.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39537", "specs": [ - "<0.9.6" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.9.6" - } - ], - "seed-identity-store": [ + "v": ">=2.0.0a0,<2.0.1" + }, { - "advisory": "Seed-identity-store 0.10.2 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37437", + "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39538", "specs": [ - "<0.10.2" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.10.2" - } - ], - "seed-message-sender": [ + "v": ">=2.0.0a0,<2.0.1" + }, { - "advisory": "Seed-message-sender 0.10.9 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37436", + "advisory": 
"Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39539", "specs": [ - "<0.10.9" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.10.9" - } - ], - "seed-scheduler": [ + "v": ">=2.0.0a0,<2.0.1" + }, { - "advisory": "Seed-scheduler 0.10.2 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37439", + "advisory": "Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39540", "specs": [ - "<0.10.2" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.10.2" - } - ], - "seed-stage-based-messaging": [ + "v": ">=2.0.0a0,<2.0.1" + }, { - "advisory": "seed-stage-based-messaging 0.11.0 upgrades requests to fix security vulnerability", - "cve": null, - "id": "pyup.io-36653", + "advisory": "Tensorflow 2.0.1 fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", + "cve": "CVE-2020-5215", + "id": "pyup.io-38550", "specs": [ - "<0.11.0" + ">=2.0.0a0,<2.0.1" ], - "v": "<0.11.0" + "v": ">=2.0.0a0,<2.0.1" }, { - "advisory": "Seed-stage-based-messaging 0.13.0 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, - "id": "pyup.io-37438", + "advisory": "Tensorflow 2.0.2 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-10099", + "id": "pyup.io-39824", "specs": [ - "<0.13.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.13.0" - } - ], - "seldon-core": [ + "v": ">=2.0.0a0,<2.0.2" + }, { - "advisory": "Seldon-core 0.2.4 includes a fix for Github security vulnerabilities in dependencies (issue 259) and a fix for vulnerability warnings with updates to engine and apife pom (issue 263).", - "cve": null, - "id": "pyup.io-39360", + "advisory": "Tensorflow 2.0.2 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-17190", + "id": 
"pyup.io-39825", "specs": [ - "<0.2.4" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.2.4" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12023 (pull 547).", - "cve": "CVE-2018-12023", - "id": "pyup.io-39547", + "advisory": "Tensorflow 2.0.2 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-11770", + "id": "pyup.io-39826", "specs": [ - "<0.3.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.3.0" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12022.", - "cve": null, - "id": "pyup.io-39359", + "advisory": "Tensorflow 2.0.2 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645", + "cve": "CVE-2019-19880", + "id": "pyup.io-38461", "specs": [ - "<0.3.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.3.0" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 0.4.0 includes a fix for CVE-2018-1000654 in openjdk:8u201-jre-alpine3.", - "cve": "CVE-2018-1000654", - "id": "pyup.io-39358", + "advisory": "Tensorflow 2.0.2 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645", + "cve": "CVE-2019-19244", + "id": "pyup.io-39818", "specs": [ - "<0.4.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.4.0" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 0.4.2 closes issue 981 which addresses a Java dependencies that is not secure, and also closes issue 893 about a patch to prevent XSS.", - "cve": null, - "id": "pyup.io-39357", + "advisory": "Tensorflow 2.0.2 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, 
CVE-2019-19244 and CVE-2019-19645", + "cve": "CVE-2019-19645", + "id": "pyup.io-39819", "specs": [ - "<0.4.2" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.4.2" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "seldon-core 0.5.1 bumps pillow from 6.0.0 to 6.2.0, see: https://github.com/SeldonIO/seldon-core/pull/1062", - "cve": null, - "id": "pyup.io-37893", + "advisory": "Tensorflow 2.0.2 updates `curl` to `7.69.1` to handle CVE-2019-15601", + "cve": "CVE-2019-15601", + "id": "pyup.io-39820", "specs": [ - "<0.5.1" + ">=2.0.0a0,<2.0.2" ], - "v": "<0.5.1" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-18224.", - "cve": "CVE-2019-18224", - "id": "pyup.io-39546", + "advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2018-19664", + "id": "pyup.io-39821", "specs": [ - "<1.0.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<1.0.0" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-5482.", - "cve": null, - "id": "pyup.io-39361", + "advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2018-20330", + "id": "pyup.io-39822", "specs": [ - "<1.0.0" + ">=2.0.0a0,<2.0.2" ], - "v": "<1.0.0" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 1.0.2 includes a fix for CVE-2019-18224.", - "cve": "CVE-2019-18224", - "id": "pyup.io-39356", + "advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2019-13960", + "id": "pyup.io-39823", "specs": [ - "<1.0.2" + ">=2.0.0a0,<2.0.2" ], - "v": "<1.0.2" + "v": ">=2.0.0a0,<2.0.2" }, { - "advisory": "Seldon-core 1.2.0 adds XSS patches to executor. 
It also closes potential security vulnerability issues with Default Engine Java Opts (issue 1597) and Java JMX Server (issue 1595).", - "cve": null, - "id": "pyup.io-39328", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-15358", + "id": "pyup.io-39949", "specs": [ - "<1.2.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<1.2.0" - } - ], - "selenium-wire": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "Selenium-wire 1.2.1 uses SHA256 digest when creating site certificates to fix Chrome HSTS security errors.", - "cve": null, - "id": "pyup.io-38396", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13871", + "id": "pyup.io-39950", "specs": [ - "<1.2.1" + ">=2.0.0a0,<2.0.3" ], - "v": "<1.2.1" - } - ], - "sentry": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "sentry before 0.12.2 has a security flaw where exponential numbers in specially crafted params could cause a CPU attack.", - "cve": null, - "id": "pyup.io-33030", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13631", + "id": "pyup.io-39951", "specs": [ - "<0.12.2" + ">=2.0.0a0,<2.0.3" ], - "v": "<0.12.2" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "Sentry 5.7.0 updates https-proxy-agent to 3.0.0 for security reasons (issue 2262).", - "cve": null, - "id": "pyup.io-39296", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, 
CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39952", "specs": [ - "<5.7.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<5.7.0" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 6.1.1 is vulnerable to a remote code execution exploit.", - "cve": null, - "id": "pyup.io-26117", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13435", + "id": "pyup.io-39953", "specs": [ - "<6.1.1" + ">=2.0.0a0,<2.0.3" ], - "v": "<6.1.1" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 7.4.0 has a XSS vulnerability with tag values not being escaped (on the group details page).", - "cve": null, - "id": "pyup.io-26118", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13434", + "id": "pyup.io-39954", "specs": [ - "<7.4.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<7.4.0" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 7.5.5 is vulnerable to a XSS attack in tags and the stream filter box.", - "cve": null, - "id": "pyup.io-26119", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11656", + "id": "pyup.io-39955", "specs": [ - "<7.5.5" + ">=2.0.0a0,<2.0.3" ], - "v": "<7.5.5" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 7.6.1 is vulnerable to a XSS attack in tags and the stream filter box.", - "cve": null, - "id": "pyup.io-26120", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, 
CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11655", + "id": "pyup.io-39956", "specs": [ - "<7.6.1" + ">=2.0.0a0,<2.0.3" ], - "v": "<7.6.1" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.1.4 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.", - "cve": null, - "id": "pyup.io-26121", + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-9327", + "id": "pyup.io-39957", "specs": [ - "<8.1.4" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.1.4" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.1.5 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.", - "cve": null, - "id": "pyup.io-26122", + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39958", "specs": [ - "<8.1.5" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.1.5" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.2.2 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.", - "cve": null, - "id": "pyup.io-26123", + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39959", "specs": [ - "<8.2.2" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.2.2" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.2.4 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.", - "cve": 
null, - "id": "pyup.io-26124", + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39960", "specs": [ - "<8.2.4" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.2.4" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.2.5 is vulnerable to an attack which allows API keys more permission than granted within the organization.", - "cve": null, - "id": "pyup.io-26125", + "advisory": "Tensorflow 2.0.3 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39961", "specs": [ - "<8.2.5" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.2.5" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry before 8.3.3 is vulnerable to an attack which allows API keys more permission than granted within the organization.", - "cve": null, - "id": "pyup.io-26126", + "advisory": "Tensorflow 2.0.3 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39962", "specs": [ - "<8.3.3" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.3.3" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "sentry 8.8 includes various security fixes related to CSRF and XSS.", - "cve": null, - "id": "pyup.io-26127", + "advisory": "Tensorflow 2.0.3 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39963", "specs": [ - "<8.8" + ">=2.0.0a0,<2.0.3" ], - "v": "<8.8" - } - ], - "sequoia-client-sdk": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:", - "cve": null, - "id": "pyup.io-36949", + "advisory": "Tensorflow 2.0.3 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39964", "specs": [ - "<1.2.0" + 
">=2.0.0a0,<2.0.3" ], - "v": "<1.2.0" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "Sequoia-client-sdk 2.0.0 upgrades `urllib3` and `requests` to solve security issues.", - "cve": null, - "id": "pyup.io-37199", + "advisory": "Tensorflow 2.0.3 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39965", "specs": [ - "<2.0.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<2.0.0" - } - ], - "serpscrap": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "Serpscrap 0.13.0 updates the dependency on chromedriver to >= 76.0.3809.68 and sqlalchemy>=1.3.7 to solve security issues and other minor update changes.", - "cve": null, - "id": "pyup.io-37406", + "advisory": "Tensorflow 2.0.3 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39966", "specs": [ - "<0.13.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<0.13.0" - } - ], - "sesame": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "sesame 0.3.0 is using a secure extraction/decryption using tempfile.", - "cve": null, - "id": "pyup.io-26128", + "advisory": "Tensorflow 2.0.3 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39967", "specs": [ - "<0.3.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<0.3.0" - } - ], - "setup-tools": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "setup-tools is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, - "id": "pyup.io-34984", + "advisory": "Tensorflow 2.0.3 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39968", "specs": [ - ">0", - "<0" + ">=2.0.0a0,<2.0.3" ], - "v": ">0,<0" - } - ], - "setuptools": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.", - "cve": null, - 
"id": "pyup.io-26129", + "advisory": "Tensorflow 2.0.3 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39969", "specs": [ - "<0.9.5" + ">=2.0.0a0,<2.0.3" ], - "v": "<0.9.5" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997.", - "cve": null, - "id": "pyup.io-26132", + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39970", "specs": [ - "<1.3" + ">=2.0.0a0,<2.0.3" ], - "v": "<1.3" + "v": ">=2.0.0a0,<2.0.3" }, { - "advisory": "setuptools 3.0 avoids the potential security vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4.", - "cve": null, - "id": "pyup.io-26133", + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39971", "specs": [ - "<3.0" + ">=2.0.0a0,<2.0.3" ], - "v": "<3.0" - } - ], - "sevabot": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "sevabot before 1.1 allows arbitrary commands to be executed.", - "cve": null, - "id": "pyup.io-26134", + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39972", "specs": [ - "<1.1" + ">=2.0.0a0,<2.0.3" ], - "v": "<1.1" - } - ], - "sftp-cloudfs": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "sftp-cloudfs before 0.13.1 is using an insecure transitive dependency (ftp-cloudfs<=0.26.1).", - "cve": null, - "id": "pyup.io-26135", + "advisory": "Tensorflow 2.0.3 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` 
(CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38817", "specs": [ - "<0.13.1" + ">=2.0.0a0,<2.0.3" ], - "v": "<0.13.1" - } - ], - "shaka-streamer": [ + "v": ">=2.0.0a0,<2.0.3" + }, { - "advisory": "Shaka-streamer 0.3.0 fixes the PyYAML deprecation warning and YAML loading vulnerability - see: https://github.com/google/shaka-streamer/issues/35", - "cve": null, - "id": "pyup.io-37578", + "advisory": "Tensorflow 2.1.1 updates Apache Spark to `2.4.5` to handle (CVE-2019-10099), (CVE-2018-17190) and (CVE-2018-11770).", + "cve": "CVE-2018-11770", + "id": "pyup.io-40005", "specs": [ - "<0.3.0" + ">=2.1.0,<2.1.1" ], - "v": "<0.3.0" - } - ], - "shiftboiler": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "shiftboiler before 0.6.5 included a minor security issue: If google login did not return an id, user can takeover another user's account.", - "cve": null, - "id": "pyup.io-36542", + "advisory": "Tensorflow 2.1.1 updates Apache Spark to `2.4.5` to handle (CVE-2019-10099), (CVE-2018-17190) and (CVE-2018-11770).", + "cve": "CVE-2018-17190", + "id": "pyup.io-40006", "specs": [ - "<0.6.5" + ">=2.1.0,<2.1.1" ], - "v": "<0.6.5" + "v": ">=2.1.0,<2.1.1" }, { - "advisory": "Shiftboiler 0.9.3 contains improvements around application security. For instance session cookies and FlaskLogin's remember me cookies are now set to be secure and http-only by default in production environments. 
Additionally, flask applications are now CSRF-protected out of the box so you don't have to remember to enable this feature.", - "cve": null, - "id": "pyup.io-38472", + "advisory": "Tensorflow 2.1.1 updates Apache Spark to `2.4.5` to handle (CVE-2019-10099), (CVE-2018-17190) and (CVE-2018-11770).", + "cve": "CVE-2019-10099", + "id": "pyup.io-40007", "specs": [ - "<0.9.3" + ">=2.1.0,<2.1.1" ], - "v": "<0.9.3" - } - ], - "simplemonitor": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "simplemonitor 2.7 changes the remote monitor protocol and uses the JSON format for remote monitor protocol (more secure than pickle)", - "cve": null, - "id": "pyup.io-37886", + "advisory": "Tensorflow 2.1.1 updates `libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2019-13960", + "id": "pyup.io-40008", "specs": [ - "<2.7" + ">=2.1.0,<2.1.1" ], - "v": "<2.7" - } - ], - "simulaqron": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "Simulaqron 3.0.7 bumps to twisted 19.7 due to security vulnerabilities with earlier versions.", - "cve": null, - "id": "pyup.io-37571", + "advisory": "Tensorflow 2.1.1 updates `libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2018-20330", + "id": "pyup.io-40009", "specs": [ - "<3.0.7" + ">=2.1.0,<2.1.1" ], - "v": "<3.0.7" - } - ], - "slackeventsapi": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)", - "cve": null, - "id": "pyup.io-36729", + "advisory": "Tensorflow 2.1.1 updates `libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2018-19664", + "id": "pyup.io-40010", "specs": [ - "<2.1.0" + ">=2.1.0,<2.1.1" ], - "v": "<2.1.0" - } - ], - "smeagol": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "smeagol 0.1.0 has several known bugs and security issues that need to be addressed before it can be used in 
production.", - "cve": null, - "id": "pyup.io-34818", + "advisory": "Tensorflow 2.1.1 updates `curl` to `7.69.1` to handle (CVE-2019-15601).", + "cve": "CVE-2019-15601", + "id": "pyup.io-40011", "specs": [ - "<0.1.0" + ">=2.1.0,<2.1.1" ], - "v": "<0.1.0" - } - ], - "smqtk": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "Smqtk 0.11.0 includes a number of security and stability fixes for algorithms and the IQR demo web application.", - "cve": null, - "id": "pyup.io-38777", + "advisory": "Tensorflow 2.1.1 updates `sqlite3` to `3.31.01` to handle (CVE-2019-19880), (CVE-2019-19244) and (CVE-2019-19645).", + "cve": "CVE-2019-19645", + "id": "pyup.io-40012", "specs": [ - "<0.11.0" + ">=2.1.0,<2.1.1" ], - "v": "<0.11.0" - } - ], - "snakemake": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "Snakemake 5.28.0 parses values more securely when using --config.", - "cve": null, - "id": "pyup.io-39106", + "advisory": "Tensorflow 2.1.1 updates `sqlite3` to `3.31.01` to handle (CVE-2019-19880), (CVE-2019-19244) and (CVE-2019-19645).", + "cve": "CVE-2019-19244", + "id": "pyup.io-40013", "specs": [ - "<5.28.0" + ">=2.1.0,<2.1.1" ], - "v": "<5.28.0" - } - ], - "snappass": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "Snappass 1.4.1 upgrades cryptography to 2.3.1. See: CVE-2018-10903.", - "cve": "CVE-2018-10903", - "id": "pyup.io-36605", + "advisory": "Tensorflow 2.1.1 updates `sqlite3` to `3.31.01` to handle (CVE-2019-19880), (CVE-2019-19244) and (CVE-2019-19645).", + "cve": "CVE-2019-19880", + "id": "pyup.io-38460", "specs": [ - "<1.4.1" + ">=2.1.0,<2.1.1" ], - "v": "<1.4.1" - } - ], - "sncli": [ + "v": ">=2.1.0,<2.1.1" + }, { - "advisory": "Sncli 0.4.0 contains a security fix for an arbitrary code execution bug. Copying text from notes to the clipboard was being performed by building a shell command to execute. This resulted in the line being copied substituted directly into the shell command. 
A carefully crafted line could run any arbitrary shell command, and some lines could crash the\r\nprocess causing the line to fail to copy. This fixes the issue by not using a shell to interpret the command, and\r\npassing the text to be copied directly to stdin.", - "cve": null, - "id": "pyup.io-37302", + "advisory": "Tensorflow 2.1.3 fixes an access to unitialized memory in Eigen code (CVE-2020-26266).", + "cve": "CVE-2020-26266", + "id": "pyup.io-39408", "specs": [ - "<0.4.0" + ">=2.1.0,<2.1.3" ], - "v": "<0.4.0" - } - ], - "soapfish": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "soapfish before 0.6.0 has a potential security issue - pattern restrictions were not applied correctly.", - "cve": null, - "id": "pyup.io-26136", + "advisory": "Tensorflow 2.1.3 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39997", "specs": [ - "<0.6.0" + ">=2.1.0,<2.1.3" ], - "v": "<0.6.0" - } - ], - "soappy": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "soappy before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", - "cve": null, - "id": "pyup.io-26137", + "advisory": "Tensorflow 2.1.3 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39998", "specs": [ - "<0.12.6" + ">=2.1.0,<2.1.3" ], - "v": "<0.12.6" - } - ], - "soappy-py3": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "soappy-py3 before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", - "cve": null, - "id": "pyup.io-26138", + "advisory": "Tensorflow 2.1.3 updates 'junit' to '4.13.1' to handle [CVE-2020-15250].", + "cve": "CVE-2020-15250", + "id": "pyup.io-39999", "specs": [ 
- "<0.12.6" + ">=2.1.0,<2.1.3" ], - "v": "<0.12.6" - } - ], - "sockjs-tornado": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "Sockjs-tornado 1.0.7 includes a fix for a XSS vulnerability. No details are given. Possibly it's related to the XSS vulnerability that was addressed in 1.0.6, which jeopardized the HTMLFILE transport.", - "cve": null, - "id": "pyup.io-38215", + "advisory": "Tensorflow 2.1.3 updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-40000", "specs": [ - "<1.0.7" + ">=2.1.0,<2.1.3" ], - "v": "<1.0.7" - } - ], - "sopel": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "'web.get' and 'web.post' in sopel 4.1.0 can be told to limit how much they read from a URL, to prevent malicious use.", - "cve": null, - "id": "pyup.io-39121", + "advisory": "Tensorflow 2.1.3 fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271).", + "cve": "CVE-2020-26271", + "id": "pyup.io-40001", "specs": [ - "<4.1.0" + ">=2.1.0,<2.1.3" ], - "v": "<4.1.0" + "v": ">=2.1.0,<2.1.3" }, { - "advisory": "A security issue involving an improperly named channel logs was fixed in Sopel 4.4.0.", - "cve": null, - "id": "pyup.io-26139", + "advisory": "Tensorflow 2.1.3 fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270).", + "cve": "CVE-2020-26270", + "id": "pyup.io-40002", "specs": [ - "<4.4.0" + ">=2.1.0,<2.1.3" ], - "v": "<4.4.0" + "v": ">=2.1.0,<2.1.3" }, { - "advisory": "Sopel 6.3.0 uses the `requests` package for stability and security.", - "cve": null, - "id": "pyup.io-27413", + "advisory": "Tensorflow 2.1.3 fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268).", + "cve": "CVE-2020-26268", + "id": "pyup.io-40003", "specs": [ - "<6.3.0" + ">=2.1.0,<2.1.3" ], - "v": "<6.3.0" - } - ], - "spacepy-x": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "HTTPS has been 
re-enabled in spacepy-x 1.0.1 for secure API goodness.", - "cve": null, - "id": "pyup.io-37388", + "advisory": "Tensorflow 2.1.3 fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267).", + "cve": "CVE-2020-26267", + "id": "pyup.io-40004", "specs": [ - "<1.0.1" + ">=2.1.0,<2.1.3" ], - "v": "<1.0.1" - } - ], - "sparselandtools": [ + "v": ">=2.1.0,<2.1.3" + }, { - "advisory": "sparselandtools 1.0.1 requires newer versions of third party packages for security reasons in some cases", - "cve": null, - "id": "pyup.io-37929", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-15358", + "id": "pyup.io-39925", "specs": [ - "<1.0.1" + ">=2.1.0rc0,<2.1.2" ], - "v": "<1.0.1" - } - ], - "sphinx": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.", - "cve": null, - "id": "pyup.io-38330", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13871", + "id": "pyup.io-39926", "specs": [ - "<3.0.4" + ">=2.1.0rc0,<2.1.2" ], - "v": "<3.0.4" - } - ], - "sphinx-paragraph-extractor": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sphinx-paragraph-extractor 1.0.4 updates dependencies for security reasons.", - "cve": null, - "id": "pyup.io-37082", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13631", + "id": "pyup.io-39927", "specs": [ - "<1.0.4" + 
">=2.1.0rc0,<2.1.2" ], - "v": "<1.0.4" - } - ], - "spintest": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "spintest 0.2.0 renders the UUID Token invisible in the log to avoid security violation, when spintest is used during the CI/CD tools", - "cve": null, - "id": "pyup.io-37859", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39928", "specs": [ - "<0.2.0" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.2.0" - } - ], - "splash": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "splash before 2.0.1 is vulnerable to a XSS attack in HTTP UI.", - "cve": null, - "id": "pyup.io-26140", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13435", + "id": "pyup.io-39929", "specs": [ - "<2.0.1" + ">=2.1.0rc0,<2.1.2" ], - "v": "<2.0.1" + "v": ">=2.1.0rc0,<2.1.2" }, { - "advisory": "In splash before 2.3.2 xvfb binds to ports in the range 6000-6200 on all available interfaces.", - "cve": null, - "id": "pyup.io-33045", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13434", + "id": "pyup.io-39930", "specs": [ - "<2.3.2" + ">=2.1.0rc0,<2.1.2" ], - "v": "<2.3.2" - } - ], - "splunk-sdk": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.", - "cve": "CVE-2019-5729", - "id": "pyup.io-36969", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to 
handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11656", + "id": "pyup.io-39931", "specs": [ - "<1.6.6" + ">=2.1.0rc0,<2.1.2" ], - "v": "<1.6.6" - } - ], - "spud": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "spud before 0.8 doesn't check permissions. Anybody could edit photos.", - "cve": null, - "id": "pyup.io-26141", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-11655", + "id": "pyup.io-39932", "specs": [ - "<0.8" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.8" - } - ], - "spyder-terminal": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Spyder-terminal 0.3.1 resolves several vulnerabilities. See: .", - "cve": null, - "id": "pyup.io-39132", + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-9327", + "id": "pyup.io-39933", "specs": [ - "<0.3.1" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.1" - } - ], - "sqlalchemy": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. 
See: CVE-2019-7164.", - "cve": "CVE-2019-7164", - "id": "pyup.io-38497", + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39934", "specs": [ - "<=1.2.17", - ">=1.3.0b1,<=1.3.0b2" + ">=2.1.0rc0,<2.1.2" ], - "v": "<=1.2.17,>=1.3.0b1,<=1.3.0b2" + "v": ">=2.1.0rc0,<2.1.2" }, { - "advisory": "SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled. See: CVE-2019-7548.", - "cve": "CVE-2019-7548", - "id": "pyup.io-38496", + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39935", "specs": [ - "==1.2.17" + ">=2.1.0rc0,<2.1.2" ], - "v": "==1.2.17" - } - ], - "sqlalchemy-cockroachdb": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sqlalchemy-cockroachdb 0.3.2 updates urllib3 to remove a security vulnerability.", - "cve": null, - "id": "pyup.io-38405", + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39936", "specs": [ - "<0.3.2" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.2" - } - ], - "sqlathanor": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sqlathanor 0.5.0 updates the ``requirements.txt`` (which does not actually indicate utilization dependencies, and instead indicates development dependencies) to upgrade a number of libraries that had recently had security vulnerabilities discovered.", - "cve": null, - "id": "pyup.io-37403", + "advisory": "Tensorflow 2.1.2 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39937", "specs": [ - "<0.5.0" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.5.0" - } - ], - "sqlfluff": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sqlfluff 0.3.2 
moves to `SandboxedEnvironment` rather than `Environment` for jinja templating for security.", - "cve": null, - "id": "pyup.io-38270", + "advisory": "Tensorflow 2.1.2 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39938", "specs": [ - "<0.3.2" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.2" - } - ], - "ssh-audit": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Ssh-audit 2.2.0 re-classifies the very common `ssh-rsa` host key type as weak, due to practical SHA-1 attacks - see https://eprint.iacr.org/2020/014.pdf", - "cve": null, - "id": "pyup.io-38046", + "advisory": "Tensorflow 2.1.2 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39939", "specs": [ - "<2.2.0" + ">=2.1.0rc0,<2.1.2" ], - "v": "<2.2.0" - } - ], - "ssh-decorate": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Ssh-decorate version 0.28 through 0.31 is known to contain a backdoor that steals SSH credentials.", - "cve": null, - "id": "pyup.io-38498", + "advisory": "Tensorflow 2.1.2 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39940", "specs": [ - ">=0.28,<=0.31" + ">=2.1.0rc0,<2.1.2" ], - "v": ">=0.28,<=0.31" - } - ], - "ssh-mitm": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "ssh-mitm before 0.3.11", - "cve": null, - "id": "pyup.io-39436", + "advisory": "Tensorflow 2.1.2 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39941", "specs": [ - "<0.3.11" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.11" + "v": ">=2.1.0rc0,<2.1.2" }, { - "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6110 .", - "cve": "CVE-2019-6110", - "id": "pyup.io-39455", + "advisory": "Tensorflow 2.1.2 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + 
"cve": "CVE-2020-15203", + "id": "pyup.io-39942", "specs": [ - "<0.3.12" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.12" + "v": ">=2.1.0rc0,<2.1.2" }, { - "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6111.", - "cve": "CVE-2019-6111", - "id": "pyup.io-39456", + "advisory": "Tensorflow 2.1.2 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39943", "specs": [ - "<0.3.12" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.12" + "v": ">=2.1.0rc0,<2.1.2" }, { - "advisory": "Ssh-mitm 0.3.19 added support for CVE-2020-14145 (OpenSSH Client information leak).", - "cve": "CVE-2020-14145", - "id": "pyup.io-39504", + "advisory": "Tensorflow 2.1.2 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39944", "specs": [ - "<0.3.19" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.3.19" - } - ], - "sslyze": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Sslyze 3.0.2 improves the check for HTTP security headers by adding support for HTTP redirections.", - "cve": null, - "id": "pyup.io-38197", + "advisory": "Tensorflow 2.1.2 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39945", "specs": [ - "<3.0.2" + ">=2.1.0rc0,<2.1.2" ], - "v": "<3.0.2" - } - ], - "starcluster": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "starcluster before 0.95.3 opens up the VPC to the internet by default which is a security risk and it requires a special VPC configuration (internet gateway attached to the VPC and a route to the gateway with dest CIDR block 0.0.0.0/0 associated with the VPC subnet). 
Configuring this automatically (which does not happen currently) would be a security risk and without this configuration StarCluster cannot connect to the VPC nodes even though they've been assigned a public IP.", - "cve": null, - "id": "pyup.io-26142", + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39946", "specs": [ - "<0.95.3" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.95.3" - } - ], - "stargate": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "stargate before 0.4 has several undisclosed security vulnerabilities.", - "cve": null, - "id": "pyup.io-26143", + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39947", "specs": [ - "<0.4" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.4" - } - ], - "staty": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Staty 1.2.3 updates requirements to fix security issues.", - "cve": null, - "id": "pyup.io-37049", + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39948", "specs": [ - "<1.2.3" + ">=2.1.0rc0,<2.1.2" ], - "v": "<1.2.3" - } - ], - "stegano": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Stegano 0.8.6 fixes a potential security issue related to CVE-2018-18074.", - "cve": "CVE-2018-18074", - "id": "pyup.io-36625", + "advisory": "Tensorflow 2.1.2 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38816", "specs": [ - "<0.8.6" + ">=2.1.0rc0,<2.1.2" ], - "v": "<0.8.6" - } - ], - "stomp.py": [ + "v": ">=2.1.0rc0,<2.1.2" + }, { - "advisory": "Stomp.py 4.1.22 reduces verbosity in logging to not include headers unless debug level is turned on. 
This was a potential security issue as per: .", - "cve": null, - "id": "pyup.io-37046", + "advisory": "Tensorflow 2.2.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266).", + "cve": "CVE-2020-26266", + "id": "pyup.io-39731", "specs": [ - "<4.1.22" + ">=2.2.0,<2.2.2" ], - "v": "<4.1.22" - } - ], - "stork": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "Stork 3.0.1 includes re-compiled dependencies to fix a security issue in a pinned dependency.", - "cve": null, - "id": "pyup.io-38611", + "advisory": "Tensorflow 2.2.2 updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39407", "specs": [ - "<3.0.1" + ">=2.2.0,<2.2.2" ], - "v": "<3.0.1" - } - ], - "stormpath": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "stormpath before 2.0.5 is using an insecure transitive dependency (pyjwt).", - "cve": null, - "id": "pyup.io-26144", + "advisory": "Tensorflow 2.2.2 fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271).", + "cve": "CVE-2020-26271", + "id": "pyup.io-39727", "specs": [ - "<2.0.5" + ">=2.2.0,<2.2.2" ], - "v": "<2.0.5" + "v": ">=2.2.0,<2.2.2" }, { - "advisory": "stormpath before 2.5.0 doesn't validate JWT correctly.", - "cve": null, - "id": "pyup.io-26145", + "advisory": "Tensorflow 2.2.2 fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270).", + "cve": "CVE-2020-26270", + "id": "pyup.io-39728", "specs": [ - "<2.5.0" + ">=2.2.0,<2.2.2" ], - "v": "<2.5.0" - } - ], - "stormpath-sdk": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "stormpath-sdk before 2.5.0 doesn't validate JWT correctly.", - "cve": null, - "id": "pyup.io-26146", + "advisory": "Tensorflow 2.2.2 fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268).", + "cve": "CVE-2020-26268", + "id": 
"pyup.io-39729", "specs": [ - "<2.5.0" + ">=2.2.0,<2.2.2" ], - "v": "<2.5.0" - } - ], - "streamlit": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "The `server.address` config option in streamlit 0.57.0 binds the server to that address for added security.", - "cve": null, - "id": "pyup.io-38121", + "advisory": "Tensorflow 2.2.2 fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267).", + "cve": "CVE-2020-26267", + "id": "pyup.io-39730", "specs": [ - "<0.57.0" + ">=2.2.0,<2.2.2" ], - "v": "<0.57.0" - } - ], - "streamsx-kafka": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "streamsx-kafka 1.5.1 - resolves security vulnerabilities in third-party libs", - "cve": null, - "id": "pyup.io-36807", + "advisory": "Tensorflow 2.2.2 updates 'junit' to '4.13.1' to handle [CVE-2020-15250].", + "cve": "CVE-2020-15250", + "id": "pyup.io-39732", "specs": [ - "<1.5.1" + ">=2.2.0,<2.2.2" ], - "v": "<1.5.1" - } - ], - "streamsx-objectstorage": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "streamsx-objectstorage 1.7.2 resolves security vulnerabilities in third-party libs #135", - "cve": null, - "id": "pyup.io-36618", + "advisory": "Tensorflow 2.2.2 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39733", "specs": [ - "<1.7.0" + ">=2.2.0,<2.2.2" ], - "v": "<1.7.0" - } - ], - "streamsx.messagehub": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "streamsx.messagehub 1.5.1 resolves security vulnerabilities in third-party libs", - "cve": null, - "id": "pyup.io-36727", + "advisory": "Tensorflow 2.2.2 updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-39734", "specs": [ - "<1.5.1" + ">=2.2.0,<2.2.2" ], - "v": "<1.5.1" - } - ], - "substra": [ + "v": ">=2.2.0,<2.2.2" + }, { - "advisory": "Substra 0.0.19 fixes a vulnerability in lodash.", - "cve": null, - "id": "pyup.io-38835", 
+ "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39898", "specs": [ - "<0.0.19" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.0.19" - } - ], - "suds": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.", - "cve": "CVE-2013-2217", - "id": "pyup.io-35433", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39899", "specs": [ - "<=0.4" + ">=2.2.0rc0,<2.2.1" ], - "v": "<=0.4" - } - ], - "suds-community": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "suds-community 0.7.0 fixes `FileCache` default cache location related security issue.", - "cve": "CVE-2013-2217", - "id": "pyup.io-36562", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39900", "specs": [ - "<0.7.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.7.0" - } - ], - "superset": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "Superset 0.11.0a allows for requesting access when denied on a dashboard view (#1192). 
It also allows to set static headers as configuration (#1126) and prevents XSS on FAB list views (#1125).", - "cve": null, - "id": "pyup.io-26147", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39901", "specs": [ - "<0.11.0a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.11.0a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.14.0a improves jinja2 security by using SandboxedEnvironment (#1632) and improves the security scheme (#1587).", - "cve": null, - "id": "pyup.io-37486", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39902", "specs": [ - "<0.14.0a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.14.0a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.19.1a prevents XSS markup viz (#3211).", - "cve": null, - "id": "pyup.io-37487", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39903", "specs": [ - "<0.19.1a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.19.1a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.23.0a bumps dependencies with security issues (#4427). 
It also fixes 4 security vulnerabilities (#4390) and adds all derived FAB UserModelView views to admin only (#4180).", - "cve": null, - "id": "pyup.io-36204", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39904", "specs": [ - "<0.23.0a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.23.0a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.29.0rc8a secures unsecured views and prevent regressions (#6553).", - "cve": null, - "id": "pyup.io-37488", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-1165", + "id": "pyup.io-39905", "specs": [ - "<0.29.0rc8a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.29.0rc8a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.32.0rc2.dev2a includes new, deprecate merge_perm. 
Also, the FAB method is fixed (#7355).", - "cve": null, - "id": "pyup.io-26584", + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39906", "specs": [ - "<0.32.0rc2.dev2a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.32.0rc2.dev2a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.33.0rc1a adds Flask-Talisman (#7443).", - "cve": null, - "id": "pyup.io-37485", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39907", "specs": [ - "<0.33.0rc1a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.33.0rc1a" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Superset 0.34.0a adds docstrings and type hints (#7952), and bumps python libs, addressing insecure releases (#7550).", - "cve": null, - "id": "pyup.io-26602", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": "pyup.io-39908", "specs": [ - "<0.34.0a" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.34.0a" - } - ], - "superset-hand": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "superset-hand before 0.11.0 is vulnerable to a XSS attack on FAB list views.", - "cve": null, - "id": "pyup.io-26148", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39909", "specs": [ - "<0.11.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.11.0" - } - ], - "superset-tddv": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "superset-tddv before 0.11.0 is vulnerable to a XSS attack on FAB list views.", - "cve": null, - "id": 
"pyup.io-26149", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39910", "specs": [ - "<0.11.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.11.0" - } - ], - "supervisor": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "In supervisor before 3.3.3 (fix backported to 3.2.4, 3.1.4 and 3.0.1) a vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root. See https://github.com/Supervisor/supervisor/issues/964 for details.", - "cve": null, - "id": "pyup.io-34840", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39911", "specs": [ - ">=3.3,<3.3.3", - ">=3.2,<3.2.4", - ">=3.1,<3.1.4", - "<3.0.1" + ">=2.2.0rc0,<2.2.1" ], - "v": ">=3.3,<3.3.3,>=3.2,<3.2.4,>=3.1,<3.1.4,<3.0.1" - } - ], - "svglib": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. 
See: CVE-2020-10799.", - "cve": "CVE-2020-10799", - "id": "pyup.io-38089", + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39912", "specs": [ - "<=0.9.3" + ">=2.2.0rc0,<2.2.1" ], - "v": "<=0.9.3" - } - ], - "swauth": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "swauth before 1.1.0 has multiple undisclosed security vulnerabilities.", - "cve": null, - "id": "pyup.io-26150", + "advisory": "Tensorflow 2.2.1 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39913", "specs": [ - "<1.1.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<1.1.0" - } - ], - "swift": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "swift before 2.6.0 is vulnerable to an attack where an unfinished read of a large object would leak a socket file descriptor and a small amount of memory. (CVE-2016-0738)", - "cve": "CVE-2016-0738", - "id": "pyup.io-26151", + "advisory": "Tensorflow 2.2.1 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39914", "specs": [ - "<2.6.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<2.6.0" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "OpenStack Swift as of 2013-12-15 mishandles PYTHON_EGG_CACHE. See: CVE-2013-7109.\r\n\r\nConcerns about this vulnerability were minor, and the affected versions are not clear. 
See: .", - "cve": "CVE-2013-7109", - "id": "pyup.io-37917", + "advisory": "Tensorflow 2.2.1 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39915", "specs": [ - ">=1.0.2,<2.15.2" + ">=2.2.0rc0,<2.2.1" ], - "v": ">=1.0.2,<2.15.2" - } - ], - "swifter": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "Swifter 0.292 fixes a known security vulnerability in parso <= 0.4.0 by requiring parso > 0.4.0", - "cve": null, - "id": "pyup.io-37369", + "advisory": "Tensorflow 2.2.1 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39916", "specs": [ - "<0.292" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.292" - } - ], - "syft": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "Syft 0.2.3:\r\n* Fixes a potential security issue with unsafe YAML loading\r\n* Removes an insecure eval in native tensor interpreter", - "cve": null, - "id": "pyup.io-37958", + "advisory": "Tensorflow 2.2.1 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39917", "specs": [ - "<0.2.3" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.2.3" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "syft 0.2.3.a1 removes an insecure eval in native tensor interpreter", - "cve": null, - "id": "pyup.io-37930", + "advisory": "Tensorflow 2.2.1 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39918", "specs": [ - "<0.2.3.a1" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.2.3.a1" - } - ], - "synse": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "Synse 2.1.2 updates dependencies to fix a security vulnerability. 
See: .", - "cve": null, - "id": "pyup.io-38512", + "advisory": "Tensorflow 2.2.1 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39919", "specs": [ - "<2.1.2" + ">=2.2.0rc0,<2.2.1" ], - "v": "<2.1.2" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Synse v2.2.4 updates requests dep for CVE-2018-18074. See: .", - "cve": "CVE-2018-18074", - "id": "pyup.io-38511", + "advisory": "Tensorflow 2.2.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39920", "specs": [ - "<2.2.4" + ">=2.2.0rc0,<2.2.1" ], - "v": "<2.2.4" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "Synse 2.2.6 updates pyyaml version for CVE-2017-18342. See: .", - "cve": "CVE-2017-18342", - "id": "pyup.io-37393", + "advisory": "Tensorflow 2.2.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39921", "specs": [ - "<2.2.6" + ">=2.2.0rc0,<2.2.1" ], - "v": "<2.2.6" - } - ], - "tablib": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. 
An attacker can insert python into loaded yaml to trigger this vulnerability.", - "cve": "CVE-2017-2810", - "id": "pyup.io-35731", + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39922", "specs": [ - "<0.11.4" + ">=2.2.0rc0,<2.2.1" ], - "v": "<0.11.4" - } - ], - "tahoe-lafs": [ + "v": ">=2.2.0rc0,<2.2.1" + }, { - "advisory": "tahoe-lafs before 1.2.0 doesn't make the immutable-file \"ciphertext hash tree\" mandatory.", - "cve": null, - "id": "pyup.io-26152", + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39923", "specs": [ - "<1.2.0" + ">=2.2.0rc0,<2.2.1" ], - "v": "<1.2.0" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "tahoe-lafs before 1.4.1 is vulnerable to timing attacks due to our use of strcmp against the write-enabler.", - "cve": null, - "id": "pyup.io-26153", + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39924", "specs": [ - "<1.4.1" + ">=2.2.0rc0,<2.2.1" ], - "v": "<1.4.1" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "tahoe-lafs before 1.8.3 has a flaw that would allow a person who knows a storage index of a file to delete shares of that file.", - "cve": null, - "id": "pyup.io-26154", + "advisory": "Tensorflow 2.2.1 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38815", "specs": [ - "<1.8.3" + ">=2.2.0rc0,<2.2.1" ], - "v": "<1.8.3" + "v": ">=2.2.0rc0,<2.2.1" }, { - "advisory": "tahoe-lafs before 1.9.1 has a flaw that would allow servers to cause undetected corruption when\r\n retrieving the contents of mutable files (both SDMF and MDMF).", - "cve": null, - 
"id": "pyup.io-26155", + "advisory": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. See: CVE-2020-15193.", + "cve": "CVE-2020-15193", + "id": "pyup.io-38823", "specs": [ - "<1.9.1" + ">=2.2.0rc0,<2.2.1", + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.9.1" - } - ], - "tapestry": [ + "v": ">=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + }, { - "advisory": "Tapestry 1.1.0 closed the security issue which could result in recovery from unauthenticated blocks without warning the user.", - "cve": null, - "id": "pyup.io-39374", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39719", "specs": [ - "<1.1.0" + ">=2.3.0,<2.3.2" ], - "v": "<1.1.0" - } - ], - "taskcluster": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Taskcluster 24.1.3 fixes a possible XSS vulnerability with the lazylog viewer - see: http://bugzil.la/1605933", - "cve": null, - "id": "pyup.io-37675", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39720", "specs": [ - "<24.1.3" + ">=2.3.0,<2.3.2" ], - "v": "<24.1.3" - } - ], - "tbats": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Tbats 1.0.7 upgrades its dependencies due to an vulnerability in Jinja2. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", - "cve": null, - "id": "pyup.io-37051", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). 
Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39721", "specs": [ - "<1.0.7" + ">=2.3.0,<2.3.2" ], - "v": "<1.0.7" + "v": ">=2.3.0,<2.3.2" }, { - "advisory": "Tbats 1.0.8 upgrades its dependencies due to an vulnerability in urllib3. See CVE-2019-11324.", - "cve": "CVE-2019-11324", - "id": "pyup.io-37336", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39722", "specs": [ - "<1.0.8" + ">=2.3.0,<2.3.2" ], - "v": "<1.0.8" - } - ], - "td-ameritrade-python-api": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Td-ameritrade-python-api 0.3.2 no longer auto-generates 'credentials.json' in the utility folder out of a concern for security. 
Instead, the user must specify where they would like to cache their refresh token.", - "cve": null, - "id": "pyup.io-39230", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39723", "specs": [ - "<0.3.2" + ">=2.3.0,<2.3.2" ], - "v": "<0.3.2" - } - ], - "telegram-stats-bot": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Telegram-stats-bot 0.3.1 bumps crypography requirement to address a security vulnerability.", - "cve": null, - "id": "pyup.io-39382", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-15250", + "id": "pyup.io-39724", "specs": [ - "<0.3.1" + ">=2.3.0,<2.3.2" ], - "v": "<0.3.1" - } - ], - "telemeta": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "telemeta before 1.4.31 has a undisclosed security vulnerability in TELEMETA_EXPORT_CACHE_DIR.", - "cve": null, - "id": "pyup.io-26156", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39725", "specs": [ - "<1.4.31" + ">=2.3.0,<2.3.2" ], - "v": "<1.4.31" - } - ], - "teleserver": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Teleserver 2.2.0 increases the security by implementing better user verification. Now there are three ways of accessing teleserver: with GUI credentials, with service principal generated from system tab or with temporary token created via /login route of API.", - "cve": null, - "id": "pyup.io-38021", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). 
Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39726", "specs": [ - "<2.2.0" + ">=2.3.0,<2.3.2" ], - "v": "<2.2.0" - } - ], - "telnet": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "telnet is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, - "id": "pyup.io-34985", + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39406", "specs": [ - ">0", - "<0" + ">=2.3.0,<2.3.2" ], - "v": ">0,<0" - } - ], - "tendenci": [ + "v": ">=2.3.0,<2.3.2" + }, { - "advisory": "Tendenci 11.0.1 patches a security hole in payments that could potentially expose user data.", - "cve": null, - "id": "pyup.io-38510", + "advisory": "Tensorflow 2.3.1 updates `sqlite3` to `3.33.00` to handle (CVE-2020-15358).", + "cve": "CVE-2020-15358", + "id": "pyup.io-39873", "specs": [ - "<11.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.", - "cve": null, - "id": "pyup.io-38940", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39874", "specs": [ - "<11.0.4" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.0.4" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "tendenci 11.1.1 updates Django version to 1.11.20 to patch a security issue in django 1.11.18", - "cve": null, - "id": "pyup.io-36888", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": "pyup.io-39875", "specs": [ - "<11.1.1" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.1.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 11.2.12 strips null bytes to avoid null byte injection attacks.", - "cve": null, - "id": "pyup.io-37350", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39876", "specs": [ - "<11.2.12" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.2.12" + 
"v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 11.2.8 upgrades bootstrap from 3.3.1 to 3.4.1. There are XSS vulnerabilities in version lower than 3.4.1.", - "cve": null, - "id": "pyup.io-37150", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39877", "specs": [ - "<11.2.8" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.2.8" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 11.4.7 prevents unauthorized use of renewal URLs.", - "cve": null, - "id": "pyup.io-38509", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39878", "specs": [ - "<11.4.7" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.4.7" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 11.4.9 handles the case in event registrations when management forms are tampered maliciously.", - "cve": null, - "id": "pyup.io-38939", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39879", "specs": [ - "<11.4.9" + ">=2.3.0rc0,<2.3.1" ], - "v": "<11.4.9" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 12.0.5 removes .doc and .xls from the allowed file upload extensions for security reasons. 
Besides the general threats, determining the mime type for the .doc and .xls files (generated by old MS Word and MS Excel) requires feeding the entire file content due to their format not complying with the standard.", - "cve": null, - "id": "pyup.io-38274", + "advisory": "Tensorflow 2.3.1 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39880", "specs": [ - "<12.0.5" + ">=2.3.0rc0,<2.3.1" ], - "v": "<12.0.5" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 12.2 updates Django version to 2.2.16, which fixes two security issues and two data loss bugs in version 2.2.15.", - "cve": null, - "id": "pyup.io-38767", + "advisory": "Tensorflow 2.3.1 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39881", "specs": [ - "<12.2" + ">=2.3.0rc0,<2.3.1" ], - "v": "<12.2" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 12.3.1 fixes a potential HTML Injection and XSS vulnerability in a few areas of the admin backend.", - "cve": null, - "id": "pyup.io-38970", + "advisory": "Tensorflow 2.3.1 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39882", "specs": [ - "<12.3.1" + ">=2.3.0rc0,<2.3.1" ], - "v": "<12.3.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 12.3.2 updates exports to prevent potential CSV injection in the exported CSV files.", - "cve": null, - "id": "pyup.io-38976", + "advisory": "Tensorflow 2.3.1 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39883", "specs": [ - "<12.3.2" + ">=2.3.0rc0,<2.3.1" ], - "v": "<12.3.2" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tendenci 7.4.0 disables GZipMiddleware to prevent BREACH attacks and prevents fraudulent simultaneous reuse of PayPal transactions.", - "cve": null, - "id": 
"pyup.io-35055", + "advisory": "Tensorflow 2.3.1 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39884", "specs": [ - "<7.4.0" + ">=2.3.0rc0,<2.3.1" ], - "v": "<7.4.0" - } - ], - "teneto": [ + "v": ">=2.3.0rc0,<2.3.1" + }, { - "advisory": "In teneto 0.4.5, save_tenetobids_snapshot to export current teneto settings. save_to_pickle (and corresponding load function) have been removed as they are not secure.", - "cve": null, - "id": "pyup.io-37550", + "advisory": "Tensorflow 2.3.1 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39885", "specs": [ - "<0.4.5" + ">=2.3.0rc0,<2.3.1" ], - "v": "<0.4.5" - } - ], - "tensorflow": [ + "v": ">=2.3.0rc0,<2.3.1" + }, { - "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", - "cve": null, - "id": "pyup.io-36375", + "advisory": "Tensorflow 2.3.1 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39886", "specs": [ - "<1.10.0" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.10.0" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", - "cve": null, - "id": "pyup.io-37167", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15201", + "id": "pyup.io-39887", "specs": [ - "<1.12.2" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.12.2" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "The original changelog reads: \"Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.\" 
However, it was later confirmed that the fix was already included in 1.15 and later. See: .", - "cve": null, - "id": "pyup.io-37524", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15200", + "id": "pyup.io-39888", "specs": [ - "<1.15.0" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.15.0" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "tensorflow 1.15.3\r\n* Updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates `curl` to `7.69.1` to handle CVE-2019-15601\r\n* Updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38462", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15199", + "id": "pyup.io-39889", "specs": [ - "<1.15.3" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.15.3" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. 
Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", - "cve": null, - "id": "pyup.io-39410", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15198", + "id": "pyup.io-39890", "specs": [ - "<1.15.5" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.15.5" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. 
See CVE-2020-26268.", - "cve": "CVE-2020-26268", - "id": "pyup.io-39265", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15197", + "id": "pyup.io-39891", "specs": [ - "<1.15.5", - ">=2.0.0a0,<2.0.4", - ">=2.1.0rc0,<2.1.3", - ">=2.2.0rc0,<2.2.2", - ">=2.3.0rc0,<2.3.2", - ">=2.4.0rc0,<2.4.0", - ">=2.4.0rc0,<=2.4.0rc4" + ">=2.3.0rc0,<2.3.1" ], - "v": "<1.15.5,>=2.0.0a0,<2.0.4,>=2.1.0rc0,<2.1.3,>=2.2.0rc0,<2.2.2,>=2.3.0rc0,<2.3.2,>=2.4.0rc0,<2.4.0,>=2.4.0rc0,<=2.4.0rc4" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to handle CVE-2019-16168.", - "cve": "CVE-2019-16168", - "id": "pyup.io-39568", + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15196", + "id": "pyup.io-39892", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 `sqlite3` to `3.30.01` to handle CVE-2019-19645.", - "cve": "CVE-2019-19645", - "id": "pyup.io-39569", + "advisory": "Tensorflow 2.3.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39893", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", - "cve": "CVE-2019-5481", - "id": "pyup.io-39570", + "advisory": "Tensorflow 2.3.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, 
CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39894", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482.", - "cve": null, - "id": "pyup.io-38039", + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39895", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 update `sqlite3` to `3.30.01` to handle CVE-2019-19646.", - "cve": null, - "id": "pyup.io-38038", + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39896", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. 
TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.", - "cve": "CVE-2020-5215", - "id": "pyup.io-37776", + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39897", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-16168.", - "cve": "CVE-2019-16168", - "id": "pyup.io-39541", + "advisory": "Tensorflow 2.3.1 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38814", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.3.0rc0,<2.3.1" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.3.0rc0,<2.3.1" }, { - "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-16164.", - "cve": "CVE-2019-19646", - "id": "pyup.io-39542", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39850", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 1.15.2 updates `sqlite3` to `3.30.01` to address CVE-2019-19645.", - "cve": "CVE-2019-19645", - "id": "pyup.io-39543", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": "pyup.io-39851", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to address 
CVE-2019-5481.", - "cve": "CVE-2019-5481", - "id": "pyup.io-39544", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39852", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to address CVE-2019-5482.", - "cve": "CVE-2019-5482", - "id": "pyup.io-39545", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39853", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 1.15.2 fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", - "cve": null, - "id": "pyup.io-38549", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39854", "specs": [ - ">=1.0.0,<1.15.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.0.0,<1.15.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 1.15.4:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential 
ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38818", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39855", "specs": [ - ">=1.15.0rc0,<1.15.4" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.15.0rc0,<1.15.4" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. 
See: CVE-2020-15207.", - "cve": "CVE-2020-15207", - "id": "pyup.io-38824", + "advisory": "Tensorflow 2.4.0 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39856", "specs": [ - ">=1.15.0rc0,<1.15.4", - ">=2.0.0a0,<2.0.3", - ">=2.1.0rc0,<2.1.2", - ">=2.2.0rc0,<2.2.1", - ">=2.3.0rc0,<2.3.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=1.15.0rc0,<1.15.4,>=2.0.0a0,<2.0.3,>=2.1.0rc0,<2.1.2,>=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", - "cve": null, - "id": "pyup.io-39409", + "advisory": "Tensorflow 2.4.0 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39857", "specs": [ - ">=2.0.0,<2.0.4" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0,<2.0.4" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-16168.", - "cve": "CVE-2019-16168", - "id": "pyup.io-39536", + "advisory": "Tensorflow 2.4.0 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39858", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-19646.", - "cve": "CVE-2019-19646", - "id": "pyup.io-39537", + "advisory": "Tensorflow 2.4.0 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39859", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 updates `sqlite3` to `3.30.01` to address CVE-2019-19645.", - "cve": "CVE-2019-19645", - "id": "pyup.io-39538", + "advisory": "Tensorflow 2.4.0 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39860", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5481.", - "cve": "CVE-2019-5481", - "id": "pyup.io-39539", + "advisory": "Tensorflow 2.4.0 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": 
"pyup.io-39861", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5482.", - "cve": "CVE-2019-5482", - "id": "pyup.io-39540", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15201", + "id": "pyup.io-39862", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.1 fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", - "cve": null, - "id": "pyup.io-38550", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15200", + "id": "pyup.io-39863", "specs": [ - ">=2.0.0a0,<2.0.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "tensorflow 2.0.2\r\n* Updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates `curl` to `7.69.1` to handle CVE-2019-15601\r\n* Updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38461", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15199", + "id": "pyup.io-39864", 
"specs": [ - ">=2.0.0a0,<2.0.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.0.3:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38817", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15198", + "id": "pyup.io-39865", "specs": [ - ">=2.0.0a0,<2.0.3" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.0.0a0,<2.0.3" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.1.3 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). 
Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", - "cve": null, - "id": "pyup.io-39408", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15197", + "id": "pyup.io-39866", "specs": [ - ">=2.1.0,<2.1.3" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.1.0,<2.1.3" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.1.2\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite 
(CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38816", + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15196", + "id": "pyup.io-39867", "specs": [ - ">=2.1.0rc0,<2.1.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.1.0rc0,<2.1.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.2.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", - "cve": null, - "id": "pyup.io-39407", + "advisory": "Tensorflow 2.4.0 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39868", "specs": [ - ">=2.2.0,<2.2.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.2.0,<2.2.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.2.1:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)\r\n* Updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", - "cve": null, - "id": "pyup.io-38815", + "advisory": "Tensorflow 2.4.0 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": 
"pyup.io-39869", "specs": [ - ">=2.2.0rc0,<2.2.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.2.0rc0,<2.2.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. See: CVE-2020-15193.", + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", "cve": "CVE-2020-15193", - "id": "pyup.io-38823", + "id": "pyup.io-39870", "specs": [ - ">=2.2.0rc0,<2.2.1", - ">=2.3.0rc0,<2.3.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", - "cve": null, - "id": "pyup.io-39406", + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39871", "specs": [ - ">=2.3.0,<2.3.2" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.3.0,<2.3.2" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.3.1:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201) \r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38814", + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in 
conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39872", "specs": [ - ">=2.3.0rc0,<2.3.1" + ">=2.4.0rc0,<2.4.0" ], - "v": ">=2.3.0rc0,<2.3.1" + "v": ">=2.4.0rc0,<2.4.0" }, { - "advisory": "Tensorflow 2.4.0:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201) \r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)", - "cve": null, + "advisory": "Tensorflow 2.4.0 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", "id": "pyup.io-38813", "specs": [ ">=2.4.0rc0,<2.4.0" 
@@ -20229,7 +23403,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.12.3 updates 'png_archive' dependency to 1.6.37 to not be affected by CVE-2019-7317.",
- "cve": null,
+ "cve": "CVE-2019-7317",
 "id": "pyup.io-39318",
 "specs": [
 "<1.12.3"
@@ -20283,7 +23457,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates sqlite3 to 3.30.01 to handle CVE-2019-19645.",
- "cve": null,
+ "cve": "CVE-2019-19645",
 "id": "pyup.io-39559",
 "specs": [
 "<1.15.2"
@@ -20292,7 +23466,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates sqlite3 to 3.30.01 to handle CVE-2019-16168.",
- "cve": null,
+ "cve": "CVE-2019-16168",
 "id": "pyup.io-39558",
 "specs": [
 "<1.15.2"
@@ -20301,7 +23475,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates curl to 7.66.0 to handle CVE-2019-5481.",
- "cve": null,
+ "cve": "CVE-2019-5481",
 "id": "pyup.io-39561",
 "specs": [
 "<1.15.2"
@@ -20310,7 +23484,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates sqlite3 to 3.30.01 to handle CVE-2019-19646.",
- "cve": null,
+ "cve": "CVE-2019-19646",
 "id": "pyup.io-39560",
 "specs": [
 "<1.15.2"
@@ -20319,7 +23493,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates curl to 7.66.0 to handle CVE-2019-5482.",
- "cve": null,
+ "cve": "CVE-2019-5482",
 "id": "pyup.io-39562",
 "specs": [
 "<1.15.2"
@@ -20328,7 +23502,7 @@
 },
 {
 "advisory": "Tensorflow-directml 1.15.2:\r\n* Fixes a security vulnerability where converting a Python string to a tf.float16 value produces a segmentation fault. See CVE-2020-5215.",
- "cve": null,
+ "cve": "CVE-2020-5215",
 "id": "pyup.io-38779",
 "specs": [
 "<1.15.2"
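Review bot: CVE-2019-19645 now appears twice for tensorflow-directml with overlapping ranges: the second hunk here fills it in on `pyup.io-39559` (`"v": "<1.15.2"`, sqlite3 3.30.01), and the @@ -20336 hunk below adds a separate record `pyup.io-39828` for the same CVE with `"v": "<1.15.3"` (sqlite3 3.31.01). If 1.15.2 already carried the fix, the 1.15.3 record is a false positive for 1.15.2 installs and a second hit for anything older; if it did not, the `<1.15.2` range here understates exposure. The two records should be reconciled against the upstream release notes before both carry a `cve` value, since consumers that group by `cve` may double-count or, worse, treat 1.15.2 as still affected.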
@@ -20336,13 +23510,94 @@ "v": "<1.15.2" }, { - "advisory": "Tensorflow-directml 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, + "advisory": "Tensorflow-directml 1.15.3 updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19880", "id": "pyup.io-38778", "specs": [ "<1.15.3" ], "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19244", + "id": "pyup.io-39827", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39828", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates curl to 7.69.1 to handle CVE-2019-15601.", + "cve": "CVE-2019-15601", + "id": "pyup.io-39829", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2019-13960", + "id": "pyup.io-39830", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-20330", + "id": "pyup.io-39831", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": 
"CVE-2018-19664", + "id": "pyup.io-39832", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-11770", + "id": "pyup.io-39833", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-17190", + "id": "pyup.io-39834", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39835", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" } ], "tensorpy": [ @@ -20376,6 +23631,17 @@ "v": "<1.2.15" } ], + "tern": [ + { + "advisory": "Tern before version 2.5.0 includes the vulnerable dependency urllib3. See also CVE-2021-28363 and .", + "cve": null, + "id": "pyup.io-40055", + "specs": [ + "<2.5.0" + ], + "v": "<2.5.0" + } + ], "textract": [ { "advisory": "textract before 1.5.0 doesn't properly uses subprocess.call.", @@ -20520,6 +23786,17 @@ "v": "<2.0.0" } ], + "tksvg": [ + { + "advisory": "Tksvg 0.6 applies security patches 184 and 185.", + "cve": null, + "id": "pyup.io-39839", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], "tlslite": [ { "advisory": "The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).", @@ -20866,7 +24143,7 @@ }, { "advisory": "In twisted before 20.3.0, twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108) and now fail with a 400.", - "cve": null, + "cve": "CVE-2020-10108", "id": "pyup.io-38085", "specs": [ "<20.3.0" 
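Review bot: The new tern record `pyup.io-40055` leaves `"cve": null` even though its advisory text names CVE-2021-28363, and that text ends in a dangling conjunction: `See also CVE-2021-28363 and .`. The same CVE is filled in on the urllib3 record `pyup.io-40014` elsewhere in this commit, so this entry should match: `"cve": "CVE-2021-28363"` and the sentence trimmed to `See also CVE-2021-28363.` (or the second reference restored if one was intended). As written, any consumer that filters or groups by the `cve` field will not find the tern entry when looking for that CVE.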
@@ -21101,6 +24378,15 @@
 ">=1.25.2,<=1.25.7"
 ],
 "v": ">=1.25.2,<=1.25.7"
+ },
+ {
+ "advisory": "The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. See CVE-2021-28363.",
+ "cve": "CVE-2021-28363",
+ "id": "pyup.io-40014",
+ "specs": [
+ ">=1.26.0,<1.26.4"
+ ],
+ "v": ">=1.26.0,<1.26.4"
 }
 ],
 "uvicorn": [
@@ -21356,6 +24642,15 @@ ], "v": ">=2.8,<2.8.1" }, + { + "advisory": "Wagtail 2.9.3 includes a fix for CVE-2020-15118 to prevent HTML injection through the form field help text.", + "cve": "CVE-2020-15118", + "id": "pyup.io-38921", + "specs": [ + ">=2.9.0,<2.9.3" + ], + "v": ">=2.9.0,<2.9.3" + }, { "advisory": "In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). In these versions, help text will be escaped to prevent the inclusion of HTML tags. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True in their configuration settings. Site owners who are unable to upgrade to the new versions can secure their form page templates by rendering forms field-by-field as per Django's documentation, but omitting the |safe filter when outputting the help text. See: CVE-2020-15118.", "cve": "CVE-2020-15118", 
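Review bot: The new wagtail record `pyup.io-38921` scopes CVE-2020-15118 to `>=2.9.0,<2.9.3`, but the existing record for the same CVE directly below states the issue affects Wagtail before versions 2.7.4 and 2.9.3, which means the 2.8.x series is affected and has no patched release of its own. Whether 2.8.x is covered depends on the `specs` of that existing record, which lie outside this hunk; if it covers only `<2.7.4`, an install on 2.8.x would match neither record. If it already spans `<2.9.3`, this addition is instead a duplicate hit for 2.9.0–2.9.2. Either way the two records for one CVE should be reconciled into non-overlapping ranges rather than added side by side.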
@@ -21417,7 +24712,7 @@
 },
 {
 "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\nCVE-ID: CVE-2019-16786",
- "cve": null,
+ "cve": "CVE-2019-16786",
 "id": "pyup.io-39556",
 "specs": [
 "<1.4.0"
@@ -21426,7 +24721,7 @@
 },
 {
 "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\n\r\nSee: CVE-2019-16785",
- "cve": null,
+ "cve": "CVE-2019-16785",
 "id": "pyup.io-37822",
 "specs": [
 "<1.4.0"
@@ -21591,6 +24886,15 @@
 ],
 "v": "<1.3.3"
 },
+ {
+ "advisory": "Web3 1.3.4 includes fixes for 4 vulnerabilities.",
+ "cve": null,
+ "id": "pyup.io-39656",
+ "specs": [
+ "<1.3.4"
+ ],
+ "v": "<1.3.4"
+ },
 {
 "advisory": "web3 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.",
 "cve": null,
@@ -22160,7 +25464,7 @@
 },
 {
 "advisory": "Zope 3.9.0 fixes CVE-2009-2701.",
- "cve": null,
+ "cve": "CVE-2009-2701",
 "id": "pyup.io-36590",
 "specs": [
 "<3.9.0"
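Review bot: The new web3 record `pyup.io-39656` in the third hunk on this line says only `Web3 1.3.4 includes fixes for 4 vulnerabilities.` with `"cve": null`, so a consumer cannot tell what was fixed, in which component, or whether `<1.3.4` is the right range. The other records touched in this commit name at least the CVE or the affected dependency; this one should name the advisories or CVEs it refers to, or state explicitly that upstream published none, so the entry can be triaged rather than treated as an opaque "upgrade" hit.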
@@ -22288,7 +25592,7 @@
 "zulip": [
 {
 "advisory": "Zulip 1.5.2:\r\n- CVE-2015-8861: Insecure old version of handlebars templating engine.",
- "cve": null,
+ "cve": "CVE-2015-8861",
 "id": "pyup.io-39553",
 "specs": [
 "<1.5.2"
@@ -22297,7 +25601,7 @@
 },
 {
 "advisory": "Zulip 1.5.2:\r\n- CVE-2017-0896: Restricting inviting new users to admins was broken.",
- "cve": null,
+ "cve": "CVE-2017-0896",
 "id": "pyup.io-35007",
 "specs": [
 "<1.5.2"
@@ -22333,7 +25637,7 @@
 },
 {
 "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.",
- "cve": null,
+ "cve": "CVE-2018-9990",
 "id": "pyup.io-39551",
 "specs": [
 "<1.7.2"
@@ -22342,7 +25646,7 @@
 },
 {
 "advisory": "Zulip 1.7.2 is a security release, with a handful of cherry-picked changes since 1.7.1.\r\n- CVE-2018-9986: Fix XSS issues with frontend markdown processor.",
- "cve": null,
+ "cve": "CVE-2018-9986",
 "id": "pyup.io-36168",
 "specs": [
 "<1.7.2"
@@ -22351,7 +25655,7 @@
 },
 {
 "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9987: Fix XSS issue with muting notifications.",
- "cve": null,
+ "cve": "CVE-2018-9987",
 "id": "pyup.io-39552",
 "specs": [
 "<1.7.2"
@@ -22360,7 +25664,7 @@
 },
 {
 "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9999: Fix XSS issue with user uploads. The fix for this adds a Content-Security-Policy for the `LOCAL_UPLOADS_DIR` storage backend for user-uploaded files.",
- "cve": null,
+ "cve": "CVE-2018-9999",
 "id": "pyup.io-39550",
 "specs": [
 "<1.7.2"
@@ -22387,7 +25691,7 @@
 },
 {
 "advisory": "Zulip 2.0.5 fixes DoS vulnerability in Markdown LINK_RE (CVE-2019-16215).",
- "cve": null,
+ "cve": "CVE-2019-16215",
 "id": "pyup.io-38117",
 "specs": [
 "<2.0.5"
@@ -22432,7 +25736,7 @@
 },
 {
 "advisory": "Zulip Server 2.1.3 includes a fix for:\r\n- CVE-2020-10935: Fix XSS vulnerability in local link rewriting.",
- "cve": null,
+ "cve": "CVE-2020-10935",
 "id": "pyup.io-39548",
 "specs": [
 "<2.1.3"
@@ -22441,7 +25745,7 @@
 },
 {
 "advisory": "Zulip Server 2.1.3 includes a fix for:\r\n- CVE-2020-9444: Prevent reverse tabnapping attacks.",
- "cve": null,
+ "cve": "CVE-2020-9444",
 "id": "pyup.io-38200",
 "specs": [
 "<2.1.3"