Commit 67abe59

Fix CVE

```
safety by pyup.io

package | installed | affected                 | ID
--------+-----------+--------------------------+------
urllib3 | 1.25.9    | <1.26.5                  | 43975
  Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in
  urllib3 before 1.26.5. When provided with a URL containing many @ characters
  in the authority component, the authority regular expression exhibits
  catastrophic backtracking, causing a denial of service if a URL were passed
  as a parameter or redirected to via an HTTP redirect.
  GHSA-q2q7-5pp4-w6pg

numpy   | 1.21.5    | <1.22.0                  | 44716
  Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the
  array_from_pyobj function of fortranobject.c, which allows attackers to
  conduct a Denial of Service attacks by carefully constructing an array with
  negative values.
  numpy/numpy#19000

numpy   | 1.21.5    | <1.22.0                  | 44717
  Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string
  comparison in the numpy.core component in NumPy before 1.22.0 allows
  attackers to trigger slightly incorrect copying by constructing specific
  string objects. NOTE: the vendor states that this reported code behavior is
  "completely harmless."
  numpy/numpy#18993

numpy   | 1.21.5    | >0                       | 44715
  All versions of Numpy are affected by CVE-2021-41495: A null Pointer
  Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew
  function due to missing return-value validation, which allows attackers to
  conduct DoS attacks by repetitively creating sort arrays.
  numpy/numpy#19038

pillow  | 8.3.2     | <9.0.0                   | 44487
  Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow
  before 9.0.0 allows evaluation of arbitrary expressions, such as ones that
  use the Python exec method.
  https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval

pillow  | 8.3.2     | <9.0.0                   | 44485
  Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in
  Pillow before 9.0.0 improperly initializes ImagePath.Path.
  https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

pillow  | 8.3.2     | <9.0.0                   | 44524
  Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to
  avoid Denial of Service attacks.
  python-pillow/Pillow#5921

pillow  | 8.3.2     | <9.0.0                   | 44525
  Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.
  python-pillow/Pillow#5912
  https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363

pillow  | 8.3.2     | <9.0.0                   | 44486
  Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in
  Pillow before 9.0.0 has a buffer over-read during initialization of
  ImagePath.Path.
  https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

pipenv  | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492
  Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version
  2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of
  requirements files allows an attacker to insert a specially crafted string
  inside a comment anywhere within a requirements.txt file, which will cause
  victims who use pipenv to install the requirements file to download
  dependencies from a package index server controlled by the attacker. By
  embedding malicious code in packages served from their malicious index
  server, the attacker can trigger arbitrary remote code execution (RCE) on
  the victims' systems. If an attacker is able to hide a malicious '--index-url'
  option in a requirements file that a victim installs with pipenv, the
  attacker can embed arbitrary malicious code in packages served from their
  malicious index server that will be executed on the victim's host during
  installation (remote code execution/RCE). When pip installs from a source
  distribution, any code in the setup.py is executed by the install process.
  GHSA-qc9x-gjcv-465w
```
1 parent 21551e6 commit 67abe59

File tree

6 files changed

+82
-101
lines changed


Pipfile

Lines changed: 2 additions & 2 deletions
@@ -156,13 +156,13 @@ markupsafe = "==1.1.1"
156156
munch = "==2.5.0"
157157
netifaces = "==0.10.9"
158158
networkx = "==1.7"
159-
numpy = "==1.21.5"
159+
numpy = "==1.22.2"
160160
objgraph = "==3.5.0"
161161
paste = "==3.5.0"
162162
pastedeploy = "==2.1.1"
163163
pbr = "==5.5.1"
164164
peppercorn = "==0.6"
165-
pillow = "==8.3.2"
165+
pillow = "==9.0.1"
166166
pipfile = "==0.0.2"
167167
plaster = "==1.0"
168168
plaster-pastedeploy = "==0.7"
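Review bot: the numpy pin moving to 1.22.2 closes 44716 and 44717 (affected <1.22.0) and pillow 9.0.1 closes all five pillow findings (affected <9.0.0), but 44715 (CVE-2021-41495, affected >0, i.e. every released numpy) is neither addressed by this bump nor recorded in either pip-cve-ignore file touched by this commit, so a safety run against this Pipfile will still fail on it; add it to the ignore list with a stated reason, or say in the commit message why it is left open. Pipfile.lock is regenerated alongside this hunk but not rendered here, so the accompanying hash changes cannot be checked from this view.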

Pipfile.lock

Lines changed: 61 additions & 90 deletions
Some generated files are not rendered by default.

doc/Pipfile

Lines changed: 2 additions & 2 deletions
@@ -21,7 +21,7 @@ markupsafe = "==1.1.1"
2121
packaging = "==20.1"
2222
pyparsing = "==2.4.6"
2323
pytz = "==2019.3"
24-
requests = "==2.22.0"
24+
requests = "==2.27.1"
2525
six = "==1.14.0"
2626
snowballstemmer = "==2.0.0"
2727
sphinxcontrib-applehelp = "==1.0.1"
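Review bot: requests 2.22.0 -> 2.27.1 does not correspond to any finding in the safety report quoted in the commit message; if the bump is needed because the old requests pin does not admit the urllib3 1.26.x line pulled in by the next hunk, state that in the message, otherwise a later reader cannot tell whether it is an intentional part of the CVE fix or an unrelated upgrade.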
@@ -30,4 +30,4 @@ sphinxcontrib-htmlhelp = "==1.0.2"
3030
sphinxcontrib-jsmath = "==1.0.1"
3131
sphinxcontrib-qthelp = "==1.0.2"
3232
sphinxcontrib-serializinghtml = "==1.1.3"
33-
urllib3 = "==1.25.9"
33+
urllib3 = "==1.26.8"
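Review bot: this closes 43975 (affected <1.26.5). The title "Fix CVE" undersells the change; list the IDs the commit resolves (43975, 44716, 44717, 44485, 44486, 44487, 44524, 44525) and the one it suppresses (44492) so the lockfile bump can be audited later without re-reading the whole report.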

doc/Pipfile.lock

Lines changed: 15 additions & 7 deletions
Some generated files are not rendered by default.

doc/pip-cve-ignore

Lines changed: 1 addition & 0 deletions
@@ -1 +1,2 @@
11
42194
2+
44492
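Review bot: 44492 is CVE-2022-21668, the pipenv requirements-file RCE from the report, and suppressing it rather than moving pipenv from 2021.5.29 to 2022.1.8 needs a recorded reason; this file carries bare IDs only, so put the justification (and a re-check date) in the commit message or a sibling comment, otherwise the suppression outlives the decision behind it.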

docker/qgisserver/pip-cve-ignore

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
44492
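Review bot: this is the same bare 44492 suppression as doc/pip-cve-ignore, now duplicated into the qgisserver image; two copies drift independently, so either point both builds at one ignore list or record in each why the ID is accepted and where the other copy lives.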
