Vulnerability: CVE-2015-20107, Python #1406
Comments
|
This issue is still open in Python https://bugs.python.org/issue24778 We aren't using the mailcap module. There is currently some work toward removing this module in 3.13, but it does look like there is a fix in one of the latest versions of 3.10 and there is a backport for the next security release of 3.9. https://security-tracker.debian.org/tracker/CVE-2015-20107 MyLA is still running Python 3.8 and that should also get this release, but we may want to look to ugprading. I think we'll have to revisit this in the next release? |
|
The fix is in Python 3.10.6-1. Will update docker image to Python 3.10 and verify the OpenShift vulnerability report. |
|
@lsloan, we discussed this in the meeting. This is how I would approach it.
If many dependencies don't support 3.10, or there is a problem when trying it, we'll have to wait on a patch to 3.8 or 3.9, and we can inform stakeholders that is our plan. |
|
I think if you switch the base image to And then login to the container and run pip check it should tell you if everything is good. You'll also need to update the Openshift Docker file. 3.10-slim is available there too. It hopefully should be noticeable if something isn't right. |
|
Building with So, installing the newer Python and running |
|
Looks like I'll need to update And |
Cleaned up trailing spaces on a few lines.
Resolves vulnerability CVE-2015-20107.
Upgrade `pandas` and related modules to work with Python 3.10.
Derive PostgreSQL connect string for data warehouse DB from Django connections, then create a single engine for all queries that will use that DB.
* #1406 - spelling correction & clean-up Cleaned up trailing spaces on a few lines. * #1406 - upgrade to Python 3.10 Resolves vulnerability CVE-2015-20107. * #1406 - upgrade `pandas` for Python 3.10 Upgrade `pandas` and related modules to work with Python 3.10. * #1406 - fix all warehouse connections Derive PostgreSQL connect string for data warehouse DB from Django connections, then create a single engine for all queries that will use that DB. * Create utility function for creating mysql and postgres engines; apply to views' * Remove other database conn prep * Reuse create_sqlalchemy_engine in data_validation * Remove unused variable * Make a couple minor modifications to db_util * Make one read_sql call one line * Remove unused import * Update numpy, pangres; change mypy version * Remove type parameter, use Django ENGINE * Reverting change to validate_udw_vs_udp since it already created an engine Co-authored-by: Sam Sciolla <ssciolla@umich.edu> Co-authored-by: Code Hugger (Matthew Jones) <jonespm@umich.edu>
|
I will QA this |
|
Test passes
|
…u#1426) * tl-its-umich-edu#1406 - spelling correction & clean-up Cleaned up trailing spaces on a few lines. * tl-its-umich-edu#1406 - upgrade to Python 3.10 Resolves vulnerability CVE-2015-20107. * tl-its-umich-edu#1406 - upgrade `pandas` for Python 3.10 Upgrade `pandas` and related modules to work with Python 3.10. * tl-its-umich-edu#1406 - fix all warehouse connections Derive PostgreSQL connect string for data warehouse DB from Django connections, then create a single engine for all queries that will use that DB. * Create utility function for creating mysql and postgres engines; apply to views' * Remove other database conn prep * Reuse create_sqlalchemy_engine in data_validation * Remove unused variable * Make a couple minor modifications to db_util * Make one read_sql call one line * Remove unused import * Update numpy, pangres; change mypy version * Remove type parameter, use Django ENGINE * Reverting change to validate_udw_vs_udp since it already created an engine Co-authored-by: Sam Sciolla <ssciolla@umich.edu> Co-authored-by: Code Hugger (Matthew Jones) <jonespm@umich.edu>
From vulnerabilities spreadsheet, based on Unizin analysis:
The text was updated successfully, but these errors were encountered: