Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
+==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | REPORT | | checked 63 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | urllib3 | 1.25.11 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+
- Loading branch information
