
Commit ab74db7

Fix security dependency
safety, by pyup.io

REPORT
checked 1 packages, using free DB (updated once a month)

| package | installed | affected | ID |
| pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 |

Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious '--index-url' option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process.
GHSA-qc9x-gjcv-465w

REPORT
checked 63 packages, using free DB (updated once a month)

| package | installed | affected | ID |
| pillow | 8.3.2 | <9.0.0 | 44487 |

Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval

| pillow | 8.3.2 | <9.0.0 | 44485 |

Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

| pillow | 8.3.2 | <9.0.0 | 44524 |

Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks.
python-pillow/Pillow#5921

| pillow | 8.3.2 | <9.0.0 | 44525 |

Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS.
python-pillow/Pillow#5912
https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363

| pillow | 8.3.2 | <9.0.0 | 44486 |

Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

| urllib3 | 1.25.11 | <1.26.5 | 43975 |

Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
GHSA-q2q7-5pp4-w6pg
1 parent 101e18a commit ab74db7
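The pipenv advisory quoted in the commit message turns on one detail: an index option such as `--index-url` that is hidden inside a comment of a requirements file, where a correct parser should never act on it. The following checker is an added example, not code from pipenv, pip or this repository; it walks a requirements file line by line, splits each line at the comment marker the way pip does (a `#` at the start of the line or preceded by whitespace), and reports every index-related option it finds, flagging those that sit in comment text. The option list, the `scan_requirements` and `hidden_index_options` names and the sample file are all constructed for this example.

```python
"""Report package-index options in a requirements file, flagging any hidden in comments.

Added example (hypothetical helper, not part of pipenv or this repository).
A well-formed requirements.txt never needs an index option inside a comment,
so any such occurrence is worth a reviewer's attention before installing.
"""
import re

# Options that change where packages are fetched from (pip's own option names).
# Longer names come first so the alternation does not match "-i" inside "--index-url".
INDEX_OPTIONS = (
    "--extra-index-url",
    "--index-url",
    "--trusted-host",
    "--find-links",
    "-i",
    "-f",
)

# pip treats '#' as a comment start only at the beginning of a line or after whitespace,
# so '#egg=' fragments inside URLs are not comments.
_COMMENT_START = re.compile(r"(^|\s)#")

# An option followed by "=value" or " value"; the lookbehind keeps "-i" from matching
# in the middle of a longer option name.
_OPTION_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(o) for o in INDEX_OPTIONS) + r")(?:\s*=|\s+)(\S+)"
)


def scan_requirements(text):
    """Return [(line_no, option, value, in_comment)] for every index option found."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = _COMMENT_START.search(raw)
        if m:
            active, comment = raw[: m.start()], raw[m.end():]
        else:
            active, comment = raw, ""
        for part, in_comment in ((active, False), (comment, True)):
            for opt in _OPTION_RE.finditer(part):
                findings.append((line_no, opt.group(1), opt.group(2), in_comment))
    return findings


def hidden_index_options(text):
    """Only the findings that sit inside comment text, i.e. the pattern the advisory describes."""
    return [f for f in scan_requirements(text) if f[3]]


# Constructed sample requirements file; the hosts are placeholders, not real indexes.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file (not from the repository)
--extra-index-url https://internal.example.test/simple
requests==2.25.1
pillow==9.0.0  # bumped to 9.0.0 per the safety report
# note: --index-url=https://pkg.example.test/simple
urllib3==1.26.5 # -i https://mirror.example.test/simple
"""


if __name__ == "__main__":
    for line_no, option, value, in_comment in scan_requirements(SAMPLE_REQUIREMENTS):
        where = "HIDDEN IN COMMENT" if in_comment else "visible"
        print(f"line {line_no}: {option} {value} ({where})")
```

Run stand-alone it lists the visible `--extra-index-url` on line 2 and the two options hidden in comments on lines 5 and 6; in a CI step, a non-empty result from `hidden_index_options` is a reasonable reason to fail the build until someone has looked at the file.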

4 files changed: +109 -72 lines changed


Pipfile

Lines changed: 34 additions & 1 deletion
@@ -24,6 +24,7 @@ transaction = "==3.0.0" # c2cwsgiutils
2424
ujson = "==4.0.1" # c2cwsgiutils
2525
cornice = "==5.0.3" # c2cwsgiutils
2626
"zope.sqlalchemy" = "==1.3" # c2cwsgiutils
27+
setuptools = "==59.7.0"
2728
# Pin
2829
"azure-core" = "==1.13.0"
2930
"azure-storage-blob" = "==12.8.0"
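Review bot: the added `setuptools = "==59.7.0"` line is the only pin in this commit that no finding in the safety report quoted in the commit message (pipenv, pillow, urllib3) asks for, and it sits inside the block where every other entry carries a `# c2cwsgiutils` comment explaining why it is pinned. Give it a trailing comment stating the reason, or move it under the `# Pin` heading that follows, so a later reader can tell whether it is a security bump or a build constraint.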
@@ -45,7 +46,7 @@ cornice = "==5.0.3" # c2cwsgiutils
4546
"msrest" = "==0.6.21"
4647
"oauthlib" = "==3.1.0"
4748
"pastedeploy" = "==2.1.1"
48-
pillow = "==8.3.2"
49+
pillow = "==9.0.0"
4950
"plaster" = "==1.0"
5051
"plaster-pastedeploy" = "==0.7"
5152
"pycparser" = "==2.20"
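Review bot: `pillow = "==9.0.0"` is exactly the version the report names for the five pillow findings (affected `<9.0.0`, IDs 44487, 44485, 44524, 44525, 44486), but the other two findings in the commit message, urllib3 1.25.11 (affected `<1.26.5`, ID 43975) and pipenv 2020.8.13 (affected `>=2018.10.9,<=2021.11.23`, ID 44492), are not touched by any hunk in this file. Confirm they are bumped in one of the other three changed files or in Pipfile.lock; otherwise the title `Fix security dependency` claims more than this diff delivers.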
@@ -70,3 +71,35 @@ pytest = "==6.1.1"
7071
mypy = "==0.790"
7172
prospector = "==1.3.1"
7273
flake8 = "==3.8.4"
74+
# Lock dependencies
75+
astroid = "==2.4.1"
76+
attrs = "==21.1.0"
77+
dodgy = "==0.2.1"
78+
flake8-polyfill = "==1.0.2"
79+
iniconfig = "==1.1.1"
80+
isort = "==4.3.21"
81+
lazy-object-proxy = "==1.4.3"
82+
mccabe = "==0.6.1"
83+
mypy-extensions = "==0.4.3"
84+
packaging = "==20.9"
85+
pep8-naming = "==0.10.0"
86+
pluggy = "==0.13.1"
87+
py = "==1.10.0"
88+
pycodestyle = "==2.6.0"
89+
pydocstyle = "==6.0.0"
90+
pyflakes = "==2.2.0"
91+
pylint = "==2.5.3"
92+
pylint-celery = "==0.3"
93+
pylint-django = "==2.1.0"
94+
pylint-flask = "==0.6"
95+
pylint-plugin-utils = "==0.6"
96+
pyparsing = "==2.4.7"
97+
pyyaml = "==5.4.1"
98+
requirements-detector = "==0.7"
99+
setoptconf = "==0.2.0"
100+
six = "==1.15.0"
101+
snowballstemmer = "==2.1.0"
102+
toml = "==0.10.2"
103+
typed-ast = "==1.4.3"
104+
typing-extensions = "==3.10.0.0"
105+
wrapt = "==1.12.1"
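Review bot: the new `# Lock dependencies` block pins 30 transitive packages (astroid, pylint, isort, pyyaml, typed-ast, ...) to exact versions in the Pipfile, which duplicates what Pipfile.lock already records and means every future security bump of one of these packages needs a hand edit here rather than a `pipenv lock`. If the pins are needed, for example to keep `prospector = "==1.3.1"` resolvable, say so in the comment; none of these packages appear in the safety report in the commit message, so they also need their own scan before this list is relied on.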

0 commit comments
