Security Vulneratbility CVE-2022-40899 on future 0.18.2

[donfiguerres]

Hello! We got a security vulnerability warning in our builds due to our dependency on future 0.18.2.

• pyup report: https://pyup.io/vulnerabilities/CVE-2022-40899/52510/
• MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40899
• GitHub Advisory: GHSA-v3c5-jqr6-7qm8

Desciption:
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215

The report has a link to pull request to fix a similar issue in cpython.
python/cpython#17157

[IsmaelMartinez]

seems like there is already a PR open for this #610

[Erriez]

Is there also a release plan for users to update from v0.18.2?

[ghost]

Is there also a release plan for users to update from v0.18.2?

v0.18.2 was released on Jun 13, 2020… #610 mentions that the project is more or less dead. It is supposed to help moving from Python 2 to 3. Python 2 has been dead for a long time. It might be better to just remove all references to this library from your code. Of course, this is make harder if some dependency of yours uses it.

poetry show --tree --why future can give you a list, providing you use poetry.

[Erriez]

It might be better to just remove all references to this library from your code.

@ygworldr Thanks for your suggestion. Problem solved by updating packages in my project and no need for future anymore..

[sfdye]

Backport merged in #610

[skshetry]

Does this vulnerability have an effect on Python 3?

The docs says:

The imports have no effect on Python 3.

[sfdye]

0.18.3 released!
https://pypi.org/project/future/0.18.3/