Fix issues from Nov 2022 security issue changes #1229
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KSchopmeyer
force-pushed
the
ks/nov-security-issues
branch
3 times, most recently
from
90fbe29
to
da75df1
Compare
KSchopmeyer
force-pushed
the
ks/nov-security-issues
branch
2 times, most recently
from
87a8a4d
to
de3b490
Compare
KSchopmeyer
force-pushed
the
ks/nov-security-issues
branch
3 times, most recently
from
83570e8
to
ec6dab9
Compare
wheel - Set issue 51499 ignore in Makefile. Cannot set min version to
0.38.0 since that release yanked because of circular reference
issues
safety - set issue 51499 ignore in Makefile. Set in version to
1.9.0 for pythyon == '3.5' and 2.2.0 for python >= '3.6'. Safety ver 2.2.0 also requires dparse >= 0.6.2. Update to click reqired also becacuse safety
version 2.2.0 requires click >=8.0.2
py - No release to fix issue 51457. Fix is ver > 1.11.0. Marked ignore
+============================+===========+==========================+==========+
| package | installed | affected | ID
|
+============================+===========+==========================+==========+
| wheel | 0.30.0 | <0.38.0 |
51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| wheel | 0.32.0 | <0.38.0 |
51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| wheel | 0.33.5 | <0.38.0 |
51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| safety | 1.8.7 | <2.2.0 |
51358 |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security
fix. |
+==============================================================================+
| safety | 1.9.0 | <2.2.0 |
51358 |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security
fix. |
+==============================================================================+
| py | 1.10.0 | <=1.11.0 |
51457 |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS
(Regular |
| expression Denial of Service) attack via a Subversion repository with
|
| crafted info data, because the InfoSvnCommand argument is mishandled.
|
| pytest-dev/py#287
|
+==============================================================================
KSchopmeyer
force-pushed
the
ks/nov-security-issues
branch
from
ec6dab9
to
3aba88f
Compare
|
As shown by pr # 1230, which works when safety is limited to <2.2.0 it is the safety update to 2.2.0 that is causing the problems. IN particular, that safety update adds requirements for other update including click to 8.0.2 and dparse which leads to further issues. I finally tried update to pip and that is where an importlib-meta showed up but I do not know how we evaluate what the minimum level of pip should be: DISCUSSION: I propose we accept this pr, kill off #1230 and write a new PR to push the upgrade of safety to 2.2.0 for next release. That gives us time to sort out the issues that are caused by the update to safety package. I am open to alternatives. |
|
On the long pip backtracking: When using pip 22.3.1 on Python 33.9 with minimum package levels, it detects a dependency conflict: |
Signed-off-by: Andreas Maier <andreas.r.maier@gmx.de>
Signed-off-by: Andreas Maier <andreas.r.maier@gmx.de>
Signed-off-by: Andreas Maier <andreas.r.maier@gmx.de>
andy-maier
approved these changes
Nov 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit message for details of changes
NOTE: Removed review needed because there is an issue with the build for python 3.10, ubuntu, minimum (test / test (ubuntu-latest, 3.10, minimum) and the development setup step hundreds of times too long (hours in place of seconds) when I finally killed that step. In a previous test it was in the development setup step for over an hour and not completed where all other tests completed the development setup step in about 30 seconds. Issue tied to pip issuing the following message for each item:
NOTE: Same issue occurs with local test using python 3.9 in local test of develop with PACKAGE_LEVEL=minimum.
The following is the safety table output defining the current safety issues from 1 November:
+============================+===========+==========================+==========+
| package | installed | affected | ID |
+============================+===========+==========================+==========+
| wheel | 0.30.0 | <0.38.0 | 51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| wheel | 0.32.0 | <0.38.0 | 51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| wheel | 0.33.5 | <0.38.0 |
51499 |
+==============================================================================+
| Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE'
regular |
| expression.
|
+==============================================================================+
| safety | 1.8.7 | <2.2.0 | 51358 |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security
fix. |
+==============================================================================+
| safety | 1.9.0 | <2.2.0 | 51358 |
+==============================================================================+
| Safety 2.2.0 updates its dependency 'dparse' to include a security
fix. |
+==============================================================================+
| py | 1.10.0 | <=1.11.0 | 51457 |
+==============================================================================+
| Py throughout 1.11.0 allows remote attackers to conduct a ReDoS
(Regular |
| expression Denial of Service) attack via a Subversion repository with
|
| crafted info data, because the InfoSvnCommand argument is mishandled.
|
| pytest-dev/py#287
|
+==============================================================================