
lxml has a vulnerability but we cannot update because python3-saml relies on <4.7.1 #319

Closed
brugnara opened this issue Aug 10, 2022 · 5 comments · Fixed by #323

@brugnara

Hi all.

As I mentioned in the subject of the issue, what I wanted to achieve is to update lxml to the first safe version, which is 4.9.1, but Poetry slams the door telling me I cannot do it, and with valid reasons:

 SolverProblemError

  Because python3-saml (1.14.0) depends on lxml (<4.7.1)
   and no versions of python3-saml match >1.14.0,<1.15.0, python3-saml (>=1.14.0,<1.15.0) requires lxml (<4.7.1).
  So, because atoka-revenge depends on both lxml (^4.9.1) and python3-saml (~1.14.0), version solving failed.

Security output.

| lxml    | CVE-2022-2309    |          | 4.7.0             | 4.9.1         | lxml: NULL Pointer                    |
|         |                  |          |                   |               | Dereference in lxml                   |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-2309  |

Am I missing something, or does somebody have a suggestion on this, pretty please?

Thank you for considering my request.
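The solver error above is a plain range conflict: python3-saml 1.14.0 pins lxml to `<4.7.1`, while every lxml release fixed for CVE-2022-2309 is `>=4.9.1`, so no release satisfies both. The script below, an added example that is not code from python3-saml or from the issue author, reproduces that reasoning offline. It assumes Poetry's meaning of the caret and tilde operators (`^4.9.1` means `>=4.9.1,<5.0.0`; `~1.14.0` means `>=1.14.0,<1.15.0`, as the solver output itself expands it), purely numeric versions, and a constructed list of lxml releases that is not the full release history. It also flags whether a pinned lxml version falls below the fix version quoted in the scanner output.

```python
import operator

# First lxml release without CVE-2022-2309, as stated in the scanner output above.
FIXED_IN = "4.9.1"

# Constructed sample of lxml releases (assumption: not the complete history),
# just enough to show why the solver cannot find a common version.
LXML_RELEASES = ["4.6.5", "4.7.0", "4.7.1", "4.8.0", "4.9.0", "4.9.1"]

OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "==": operator.eq, "!=": operator.ne,
}


def parse_version(text):
    """'4.7' -> (4, 7, 0): numeric components padded to three places."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def expand(spec):
    """Turn a Poetry-style constraint into (operator, bound) clauses.

    Caret and tilde follow Poetry's rules (assumption documented in the lead-in);
    anything else is a comma-separated list of ordinary comparison clauses.
    """
    spec = spec.strip()
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        # caret: allowed up to the next release of the leftmost non-zero component
        if low[0]:
            high = (low[0] + 1, 0, 0)
        elif low[1]:
            high = (0, low[1] + 1, 0)
        else:
            high = (0, 0, low[2] + 1)
        return [(">=", low), ("<", high)]
    if spec.startswith("~"):
        low = parse_version(spec[1:])
        # tilde: ~1.14.0 allows 1.14.x, ~1 allows 1.x.y
        if "." in spec[1:]:
            high = (low[0], low[1] + 1, 0)
        else:
            high = (low[0] + 1, 0, 0)
        return [(">=", low), ("<", high)]
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "!=", "<", ">"):
            if clause.startswith(op):
                clauses.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses


def satisfies(version, spec):
    """True when the version is allowed by every clause of the constraint."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in expand(spec))


def common_releases(specs, releases=LXML_RELEASES):
    """Releases allowed by all constraints at once; empty means the solver must fail."""
    return [r for r in releases if all(satisfies(r, s) for s in specs)]


def is_vulnerable(version, fixed_in=FIXED_IN):
    """CVE-2022-2309 affects every lxml release older than the fix version."""
    return parse_version(version) < parse_version(fixed_in)


def explain(specs, releases=LXML_RELEASES):
    """One-line verdict in the spirit of the Poetry solver message."""
    ok = common_releases(specs, releases)
    if ok:
        return f"lxml {ok[-1]} satisfies {specs}"
    return f"no lxml release satisfies all of {specs}"


if __name__ == "__main__":
    # python3-saml's pin versus the project's own lxml requirement
    print(explain(["<4.7.1", "^4.9.1"]))
    # what python3-saml alone would allow, and whether that is still vulnerable
    allowed = common_releases(["<4.7.1"])
    print(explain(["<4.7.1"]), "-> vulnerable:", is_vulnerable(allowed[-1]))
```

Run as a script it prints the conflict verdict first, then shows that the newest lxml python3-saml 1.14.0 would accept (4.7.0 in this sample) is still in the vulnerable range; the same functions can be pointed at a real lockfile's pins to confirm that a dependency bump actually clears the affected range rather than merely moving within it.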

jpaniagualaconich added a commit to jpaniagualaconich/python3-saml that referenced this issue Aug 17, 2022
jpaniagualaconich added a commit to jpaniagualaconich/python3-saml that referenced this issue Aug 19, 2022
@koleror

koleror commented Sep 2, 2022

Hi! Any news on this topic?
Any chance the PR could be merged?

@mapapuche

Hello, same problem :/

@thechad12

Hi - can you please merge this PR? We are facing this issue too.

@aquatix

aquatix commented Oct 7, 2022

We would also really appreciate it if this PR can be merged/issue can be fixed. Running a vulnerable lxml in production does not sit well :)

@MatthijsvW

Yes please, same here!
