Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requests security vulnerability #479

Closed
1fish2 opened this issue Mar 23, 2019 · 0 comments · Fixed by #528
Closed

requests security vulnerability #479

1fish2 opened this issue Mar 23, 2019 · 0 comments · Fixed by #528
Assignees
@1fish2
Labels
security security vulnerabilities

Comments

@1fish2
Copy link
Contributor

1fish2 commented Mar 23, 2019

GitHub is warning about a security vulnerability in the requests package. See #478.

We should probably update from requests==2.19.1 to 2.21.0. Our code doesn't import requests directly. It's used by FireWorks, bokeh, confluent_kafka, and ipython.

/usr/local/var/pyenv/versions/wcEcoli2/lib/python2.7/site-packages $ grep 'Requires.*requests' */METADATA
FireWorks-1.8.7.dist-info/METADATA:Requires-Dist: requests (>=2.01) ; extra == 'newt'
bokeh-0.11.1.dist-info/METADATA:Requires-Dist: requests (>=1.2.3)
confluent_kafka-0.11.5.dist-info/METADATA:Requires-Dist: requests; extra == 'avro'
ipython-5.7.0.dist-info/METADATA:Requires-Dist: requests; extra == 'all'
ipython-5.7.0.dist-info/METADATA:Requires-Dist: requests; extra == 'test'

The requests package has helpful release notes.

  • In v2.20.0: Requests removes Authorization header from requests redirected from https to http on the same hostname. (CVE-2018-18074).
    Fixed exception leak where certain redirect urls would raise uncaught urllib3 exceptions.
  • In v2.20.1: Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443)
  • In v2.21.0: Something boring about Internationalized Domain Names in Applications (IDNA).
@1fish2 1fish2 added the security security vulnerabilities label Mar 23, 2019
@1fish2 1fish2 self-assigned this Apr 26, 2019
1fish2 added a commit that referenced this issue Apr 27, 2019
@1fish2
security fixes and python 2.7.16 bug-fix update
2187021 
* Fix #525: Update to python 2.7.16 which fixes a bunch of potential crashes, also updating to match the Dockerfile.
* Fix #511 update `urllib3` from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324
* Fix #527 update `Jinja2` from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906
* Fix #478 update `pyyaml` from 3.13 to 5.1, which deprecates `yaml.load()` but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to call `yaml.safe_load()` instead of `yaml.load()`, although I think we're calling `ruamel.yaml`. https://nvd.nist.gov/vuln/detail/CVE-2017-18342
* Fix #479 `requests` from 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074
* Update `ruamel.yaml` from 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated.
* Update NumPy from 1.14.5 to 1.14.6 for a thread safety bug fix. (Releases 1.15 & 1.16 are substantial changes, and 1.17 will drop support for Python 2.7.)
* Add the `typing` and `mypy` pips while we're updating pyenvs. We'll need these when we start adding static type checking.
@1fish2 1fish2 mentioned this issue Apr 27, 2019
Merged
1fish2 added a commit that referenced this issue May 1, 2019
@1fish2
Security fixes and python 2.7.16 bug-fix update (#528)
304aedc 
* Fix #525: Update to python 2.7.16 which fixes a bunch of potential crashes, also updating to match the Dockerfile.
* Fix #511 update `urllib3` from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324
* Fix #527 update `Jinja2` from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906
* Fix #478 update `pyyaml` from 3.13 to 5.1, which deprecates `yaml.load()` but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to call `yaml.safe_load()` instead of `yaml.load()`, although I think we're calling `ruamel.yaml`. https://nvd.nist.gov/vuln/detail/CVE-2017-18342
* Fix #479 `requests` from 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074
* Update `ruamel.yaml` from 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated.
* Update NumPy from 1.14.5 to 1.14.6 for a thread safety bug fix. (Releases 1.15 & 1.16 are substantial changes, and 1.17 will drop support for Python 2.7.)
* Add the `typing` and `mypy` pips while we're updating pyenvs. We'll need these when we start adding static type checking.

## Soon I'll delete and recreate the `wcEcoli2` pyenv.
## Please update the `wcEcoli2` pyenv on your local machines.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@1fish2 1fish2

Labels
security security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security fixes and python 2.7.16 bug-fix update CovertLab/wcEcoli
1 participant
@1fish2