Fix issues from Nov 2022 security issue changes #1229
wheel - Set issue 51499 ignore in Makefile. Cannot set min version to 0.38.0 since that release was yanked because of circular reference issues.

safety - Set issue 51499 ignore in Makefile. Set in version to 1.9.0 for python == '3.5' and 2.2.0 for python >= '3.6'. Safety ver 2.2.0 also requires dparse >= 0.6.2. Update to click required also because safety version 2.2.0 requires click >=8.0.2.

py - No release to fix issue 51457. Fix is ver > 1.11.0. Marked ignore.

```
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| wheel                      | 0.30.0    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| wheel                      | 0.32.0    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| wheel                      | 0.33.5    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| safety                     | 1.8.7     | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
+==============================================================================+
| safety                     | 1.9.0     | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
+==============================================================================+
| py                         | 1.10.0    | <=1.11.0                 | 51457    |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular     |
| expression Denial of Service) attack via a Subversion repository with        |
| crafted info data, because the InfoSvnCommand argument is mishandled.        |
| pytest-dev/py#287                                                            |
+==============================================================================+
```
As shown by PR #1230, which works when safety is limited to <2.2.0, it is the safety update to 2.2.0 that is causing the problems. In particular, that safety update adds requirements for other updates including click to 8.0.2 and dparse, which leads to further issues. I finally tried updating pip and that is where an importlib-meta showed up, but I do not know how we evaluate what the minimum level of pip should be.

DISCUSSION: I propose we accept this PR, kill off #1230 and write a new PR to push the upgrade of safety to 2.2.0 for the next release. That gives us time to sort out the issues that are caused by the update to the safety package. I am open to alternatives.
See comment
On the long pip backtracking: When using pip 22.3.1 on Python 3.9 with minimum package levels, it detects a dependency conflict:
Signed-off-by: Andreas Maier <andreas.r.maier@gmx.de>
See commit message for details of changes
NOTE: Removed "review needed" because there is an issue with the build for python 3.10, ubuntu, minimum (test / test (ubuntu-latest, 3.10, minimum)): the development setup step took hundreds of times too long (hours in place of seconds) before I finally killed that step. In a previous test it was in the development setup step for over an hour and had not completed, whereas all other tests completed the development setup step in about 30 seconds. Issue tied to pip issuing the following message for each item:
NOTE: Same issue occurs with local test using python 3.9 in local test of develop with PACKAGE_LEVEL=minimum.
The following is the safety table output defining the current safety issues from 1 November:
```
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| wheel                      | 0.30.0    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| wheel                      | 0.32.0    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| wheel                      | 0.33.5    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| safety                     | 1.8.7     | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
+==============================================================================+
| safety                     | 1.9.0     | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
+==============================================================================+
| py                         | 1.10.0    | <=1.11.0                 | 51457    |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular     |
| expression Denial of Service) attack via a Subversion repository with        |
| crafted info data, because the InfoSvnCommand argument is mishandled.        |
| pytest-dev/py#287                                                            |
+==============================================================================+
```
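The safety table above is plain text, so a CI step that wants to fail only on findings that are neither fixed by a minimum-version bump nor covered by the Makefile ignore list has to parse it. The following is an added example for this thread, not code from this project or from the safety tool: it parses that table format into records, re-checks each installed version against its affected range, and reports which findings the ignore list does not explain and which ignore entries are stale. The report string is constructed from rows shown in this PR, the ignore set {51499, 51457} mirrors what the commit message says was set in the Makefile, and the function names are assumptions of this example.

```python
"""Parse the text table printed by `safety check` and re-check findings
against an ignore list. Added example, not the project's or safety's code."""
import re
from typing import List, NamedTuple, Set

# Constructed sample: rows copied from the safety output quoted in the PR.
SAMPLE_REPORT = """\
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| wheel                      | 0.30.0    | <0.38.0                  | 51499    |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular    |
| expression.                                                                  |
+==============================================================================+
| safety                     | 1.8.7     | <2.2.0                   | 51358    |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security fix.      |
+==============================================================================+
| py                         | 1.10.0    | <=1.11.0                 | 51457    |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular     |
| expression Denial of Service) attack via a Subversion repository with        |
| crafted info data, because the InfoSvnCommand argument is mishandled.        |
| pytest-dev/py#287                                                            |
+==============================================================================+
"""


class Finding(NamedTuple):
    package: str
    installed: str
    affected: str
    vuln_id: str
    description: str


# A data row has exactly four cells and a numeric ID; the header row and the
# wrapped description rows do not match this pattern.
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*\|$")
# Single-clause affected ranges as safety prints them, e.g. '<0.38.0', '<=1.11.0'.
SPEC_RE = re.compile(r"^(<=|>=|==|<|>)(\d+(?:\.\d+)*)$")


def parse_report(text: str) -> List[Finding]:
    """Turn the table into Finding records, joining wrapped description lines."""
    findings: List[Finding] = []
    current = None
    desc: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("|"):
            continue                      # '+====+' separators and blank lines
        m = ROW_RE.match(line)
        if m:
            if current is not None:
                findings.append(current._replace(description=" ".join(desc)))
            current = Finding(m.group(1), m.group(2), m.group(3), m.group(4), "")
            desc = []
        elif current is not None:
            desc.append(line.strip("| ").strip())
    if current is not None:
        findings.append(current._replace(description=" ".join(desc)))
    return findings


def _vtuple(version: str, width: int):
    """Numeric version tuple, zero-padded so '1.10' and '1.10.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(installed: str, spec: str) -> bool:
    """True if the installed version lies inside the affected range."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported affected spec: {spec!r}")
    op, bound = m.groups()
    width = max(installed.count("."), bound.count(".")) + 1
    a, b = _vtuple(installed, width), _vtuple(bound, width)
    return {"<": a < b, "<=": a <= b, "==": a == b, ">=": a >= b, ">": a > b}[op]


def unexplained_findings(text: str, ignored: Set[str]) -> List[Finding]:
    """Findings still inside their affected range and not covered by an ignore."""
    return [f for f in parse_report(text)
            if f.vuln_id not in ignored and is_affected(f.installed, f.affected)]


def stale_ignores(text: str, ignored: Set[str]) -> Set[str]:
    """Ignore IDs no longer reported, i.e. Makefile entries that could be dropped."""
    return ignored - {f.vuln_id for f in parse_report(text)}


if __name__ == "__main__":
    makefile_ignores = {"51499", "51457"}   # IDs the commit message marks as ignored
    for f in unexplained_findings(SAMPLE_REPORT, makefile_ignores):
        print(f"UNRESOLVED {f.vuln_id}: {f.package} {f.installed} affected {f.affected}")
    print("stale ignores:", stale_ignores(SAMPLE_REPORT, makefile_ignores | {"99999"}))
```

Run against the sample, the only unexplained finding is 51358 (safety 1.8.7), which is exactly the one this PR resolves by raising the safety minimum rather than by adding an ignore; the stale-ignore check is what you would run after a later release drops 51499 or 51457 from the report.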