From f25400d046a3d654208680e83f40787d9e2d9431 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?St=C3=A9phane=20Brunner?= Date: Wed, 2 Feb 2022 08:59:01 +0100 Subject: [PATCH] Fix security dependency +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.8.13 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. 
If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w | +==============================================================================+ | REPORT | | checked 63 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. 
| | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | https://github.com/python-pillow/Pillow/pull/5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | https://github.com/python-pillow/Pillow/pull/5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | urllib3 | 1.25.11 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. 
| | https://github.com/advisories/GHSA-q2q7-5pp4-w6pg | +==============================================================================+
---
 Pipfile | 15 ++---
 Pipfile.lock | 145 +++++++++++++++++++++++------------------------
 requirements.txt | 2 +-
 3 files changed, 79 insertions(+), 83 deletions(-)
diff --git a/Pipfile b/Pipfile
index cf33c0bbd..017d64408 100644
--- a/Pipfile
+++ b/Pipfile
@@ -17,19 +17,20 @@ gunicorn = "==20.0.4" # c2cwsgiutils
 objgraph = "==3.5.0" # c2cwsgiutils
 psycopg2 = "==2.8.6" # c2cwsgiutils
 pyramid-tm = "==2.4" # c2cwsgiutils
-sentry-sdk = "==1.0.0" # c2cwsgiutils
+sentry-sdk = "==1.5.4" # c2cwsgiutils
 sqlalchemy = "==1.3.23" # c2cwsgiutils
 transaction = "==3.0.1" # c2cwsgiutils
 ujson = "==4.0.2" # c2cwsgiutils
 cornice = "==5.1.0" # c2cwsgiutils
 "zope.sqlalchemy" = "==1.3" # c2cwsgiutils
 jsonschema = "==3.2.0"
+setuptools = "==45.2.0"
 # Lock dependencies
 attrs = "==20.3.0"
 azure-core = "==1.13.0"
 azure-storage-blob = "==12.8.0"
-boto3 = "==1.17.52"
-botocore = "==1.20.52"
+boto3 = "==1.20.46"
+botocore = "==1.23.46"
 bottle = "==0.12.19"
 cee-syslog-handler = "==0.6.0"
 certifi = "==2020.12.5"
@@ -46,7 +47,7 @@ markupsafe = "==1.1.1"
 msrest = "==0.6.21"
 oauthlib = "==3.1.0"
 pastedeploy = "==2.1.1"
-pillow = "==8.3.2"
+pillow = "==9.0.0"
 plaster = "==1.0"
 plaster-pastedeploy = "==0.7"
 pycparser = "==2.20"
@@ -54,12 +55,12 @@ pyproj = "==3.0.1"
 pyramid = "==1.10.8"
 pyrsistent = "==0.17.3"
 redis = "==3.5.3"
-requests = "==2.25.1"
+requests = "==2.27.1"
 requests-oauthlib = "==1.3.0"
-s3transfer = "==0.3.7"
+s3transfer = "==0.5.0"
 six = "==1.15.0"
 translationstring = "==1.4"
-urllib3 = "==1.26.4"
+urllib3 = "==1.26.8"
 venusian = "==3.0.0"
 webob = "==1.8.7"
 "zope.deprecation" = "==4.4.0"
diff --git a/Pipfile.lock b/Pipfile.lock
index 974fb5ddf..bb21e73d3 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
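Review bot: The new `setuptools = "==45.2.0"` pin in the first Pipfile hunk is the only change here that is not a bump of an existing pin, yet it carries no rationale: none of the advisories quoted in the commit message mention setuptools, it lacks the `# c2cwsgiutils` marker every neighbouring line in that group has, and it is placed just above rather than inside the `# Lock dependencies` section. A reader of this "Fix security dependency" commit cannot tell whether this is a security-motivated pin or a reproducibility pin for the build image, and a pin on the installer toolchain is the kind of thing that silently blocks later fixes. I would add a trailing comment stating the reason, e.g. `setuptools = "==45.2.0" # explicit pin for reproducible installs; not tied to an advisory`, or move the line under `# Lock dependencies` with that comment. It is also worth confirming 45.2.0 is a deliberate choice and not simply whatever the base image happened to ship, since it appears to be a much older release than the versions the other bumps in this commit move to.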
@@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "0c6b4dc7e8d113712f1b03130aec075178a2ae149f66b9b0605cab831e49f62b" + "sha256": "98276aed90506f855325931f0a1a3f7be26de458803e7c449b21e2fb96cf2e13" }, "pipfile-spec": 6, "requires": {}, @@ -40,19 +40,19 @@ }, "boto3": { "hashes": [ - "sha256:41b1ba590e887b85520c0e97e811630b8eeb71860c9b1faa3190c3bd45856176", - "sha256:ed640c17c97af289be4693740c1cbf95a456e9c495e3973a1ed6f51a396846d2" + "sha256:a2ffce001160d7e7c72a90c3084700d50eb64ea4a3aae8afe21566971d1fd611", + "sha256:d7effba509d7298ef49316ba2da7a2ea115f2a7ff691f875f6354666663cf386" ], "index": "pypi", - "version": "==1.17.52" + "version": "==1.20.46" }, "botocore": { "hashes": [ - "sha256:cd24db07268d3b9356cb745aeb6de1e4aaa73b555843b9f8650f5b4068051013", - "sha256:dd5f5808ec48a999b9634b387ad6ab7a1a23ba1f9712a875066d234808f8aa62" + "sha256:354bce55e5adc8e2fe106acfd455ce448f9b920d7b697d06faa8cf200fd6566b", + "sha256:38dd4564839f531725b667db360ba7df2125ceb3752b0ba12759c3e918015b95" ], "index": "pypi", - "version": "==1.20.52" + "version": "==1.23.46" }, "bottle": { "hashes": [ @@ -148,6 +148,14 @@ "index": "pypi", "version": "==4.0.0" }, + "charset-normalizer": { + "hashes": [ + "sha256:2842d8f5e82a1f6aa437380934d5e1cd4fcf2003b06fed6940769c164a480a45", + "sha256:98398a9d69ee80548c762ba991a4728bfc3836768ed226b3945908d1a688371c" + ], + "markers": "python_version >= '3'", + "version": "==2.0.11" + }, "cornice": { "hashes": [ "sha256:b002c23c82229c30d4b5b62a883b80c7d3cf3f2d21baf2f6913e444bfbc2d9f2", 
@@ -340,62 +348,41 @@ }, "pillow": { "hashes": [ - "sha256:0412516dcc9de9b0a1e0ae25a280015809de8270f134cc2c1e32c4eeb397cf30", - "sha256:04835e68ef12904bc3e1fd002b33eea0779320d4346082bd5b24bec12ad9c3e9", - "sha256:06d1adaa284696785375fa80a6a8eb309be722cf4ef8949518beb34487a3df71", - "sha256:085a90a99404b859a4b6c3daa42afde17cb3ad3115e44a75f0d7b4a32f06a6c9", - "sha256:0b9911ec70731711c3b6ebcde26caea620cbdd9dcb73c67b0730c8817f24711b", - "sha256:10e00f7336780ca7d3653cf3ac26f068fa11b5a96894ea29a64d3dc4b810d630", - "sha256:11c27e74bab423eb3c9232d97553111cc0be81b74b47165f07ebfdd29d825875", - "sha256:11eb7f98165d56042545c9e6db3ce394ed8b45089a67124298f0473b29cb60b2", - "sha256:13654b521fb98abdecec105ea3fb5ba863d1548c9b58831dd5105bb3873569f1", - "sha256:15ccb81a6ffc57ea0137f9f3ac2737ffa1d11f786244d719639df17476d399a7", - "sha256:18a07a683805d32826c09acfce44a90bf474e6a66ce482b1c7fcd3757d588df3", - "sha256:19ec4cfe4b961edc249b0e04b5618666c23a83bc35842dea2bfd5dfa0157f81b", - "sha256:1c3ff00110835bdda2b1e2b07f4a2548a39744bb7de5946dc8e95517c4fb2ca6", - "sha256:27a330bf7014ee034046db43ccbb05c766aa9e70b8d6c5260bfc38d73103b0ba", - "sha256:2b11c9d310a3522b0fd3c35667914271f570576a0e387701f370eb39d45f08a4", - "sha256:2c661542c6f71dfd9dc82d9d29a8386287e82813b0375b3a02983feac69ef864", - "sha256:2cde7a4d3687f21cffdf5bb171172070bb95e02af448c4c8b2f223d783214056", - "sha256:2d5e9dc0bf1b5d9048a94c48d0813b6c96fccfa4ccf276d9c36308840f40c228", - "sha256:2f23b2d3079522fdf3c09de6517f625f7a964f916c956527bed805ac043799b8", - "sha256:35d27687f027ad25a8d0ef45dd5208ef044c588003cdcedf05afb00dbc5c2deb", - "sha256:35d409030bf3bd05fa66fb5fdedc39c521b397f61ad04309c90444e893d05f7d", - "sha256:4326ea1e2722f3dc00ed77c36d3b5354b8fb7399fb59230249ea6d59cbed90da", - "sha256:4abc247b31a98f29e5224f2d31ef15f86a71f79c7f4d2ac345a5d551d6393073", - "sha256:4d89a2e9219a526401015153c0e9dd48319ea6ab9fe3b066a20aa9aee23d9fd3", - "sha256:4e59e99fd680e2b8b11bbd463f3c9450ab799305d5f2bafb74fefba6ac058616", - 
"sha256:548794f99ff52a73a156771a0402f5e1c35285bd981046a502d7e4793e8facaa", - "sha256:56fd98c8294f57636084f4b076b75f86c57b2a63a8410c0cd172bc93695ee979", - "sha256:59697568a0455764a094585b2551fd76bfd6b959c9f92d4bdec9d0e14616303a", - "sha256:6bff50ba9891be0a004ef48828e012babaaf7da204d81ab9be37480b9020a82b", - "sha256:6cb3dd7f23b044b0737317f892d399f9e2f0b3a02b22b2c692851fb8120d82c6", - "sha256:7dbfbc0020aa1d9bc1b0b8bcf255a7d73f4ad0336f8fd2533fcc54a4ccfb9441", - "sha256:838eb85de6d9307c19c655c726f8d13b8b646f144ca6b3771fa62b711ebf7624", - "sha256:8b68f565a4175e12e68ca900af8910e8fe48aaa48fd3ca853494f384e11c8bcd", - "sha256:8f284dc1695caf71a74f24993b7c7473d77bc760be45f776a2c2f4e04c170550", - "sha256:963ebdc5365d748185fdb06daf2ac758116deecb2277ec5ae98139f93844bc09", - "sha256:a048dad5ed6ad1fad338c02c609b862dfaa921fcd065d747194a6805f91f2196", - "sha256:a1bd983c565f92779be456ece2479840ec39d386007cd4ae83382646293d681b", - "sha256:a66566f8a22561fc1a88dc87606c69b84fa9ce724f99522cf922c801ec68f5c1", - "sha256:bcb04ff12e79b28be6c9988f275e7ab69f01cc2ba319fb3114f87817bb7c74b6", - "sha256:bd24054aaf21e70a51e2a2a5ed1183560d3a69e6f9594a4bfe360a46f94eba83", - "sha256:be25cb93442c6d2f8702c599b51184bd3ccd83adebd08886b682173e09ef0c3f", - "sha256:c691b26283c3a31594683217d746f1dad59a7ae1d4cfc24626d7a064a11197d4", - "sha256:cc9d0dec711c914ed500f1d0d3822868760954dce98dfb0b7382a854aee55d19", - "sha256:ce2e5e04bb86da6187f96d7bab3f93a7877830981b37f0287dd6479e27a10341", - "sha256:ce651ca46d0202c302a535d3047c55a0131a720cf554a578fc1b8a2aff0e7d96", - "sha256:d0c8ebbfd439c37624db98f3877d9ed12c137cadd99dde2d2eae0dab0bbfc355", - "sha256:d675a876b295afa114ca8bf42d7f86b5fb1298e1b6bb9a24405a3f6c8338811c", - "sha256:dde3f3ed8d00c72631bc19cbfff8ad3b6215062a5eed402381ad365f82f0c18c", - "sha256:e5a31c07cea5edbaeb4bdba6f2b87db7d3dc0f446f379d907e51cc70ea375629", - "sha256:f514c2717012859ccb349c97862568fdc0479aad85b0270d6b5a6509dbc142e2", - "sha256:fc0db32f7223b094964e71729c0361f93db43664dd1ec86d3df217853cedda87", 
- "sha256:fd4fd83aa912d7b89b4b4a1580d30e2a4242f3936882a3f433586e5ab97ed0d5", - "sha256:feb5db446e96bfecfec078b943cc07744cc759893cef045aa8b8b6d6aaa8274e" - ], - "index": "pypi", - "version": "==8.3.2" + "sha256:03b27b197deb4ee400ed57d8d4e572d2d8d80f825b6634daf6e2c18c3c6ccfa6", + "sha256:0b281fcadbb688607ea6ece7649c5d59d4bbd574e90db6cd030e9e85bde9fecc", + "sha256:0ebd8b9137630a7bbbff8c4b31e774ff05bbb90f7911d93ea2c9371e41039b52", + "sha256:113723312215b25c22df1fdf0e2da7a3b9c357a7d24a93ebbe80bfda4f37a8d4", + "sha256:2d16b6196fb7a54aff6b5e3ecd00f7c0bab1b56eee39214b2b223a9d938c50af", + "sha256:2fd8053e1f8ff1844419842fd474fc359676b2e2a2b66b11cc59f4fa0a301315", + "sha256:31b265496e603985fad54d52d11970383e317d11e18e856971bdbb86af7242a4", + "sha256:3586e12d874ce2f1bc875a3ffba98732ebb12e18fb6d97be482bd62b56803281", + "sha256:47f5cf60bcb9fbc46011f75c9b45a8b5ad077ca352a78185bd3e7f1d294b98bb", + "sha256:490e52e99224858f154975db61c060686df8a6b3f0212a678e5d2e2ce24675c9", + "sha256:500d397ddf4bbf2ca42e198399ac13e7841956c72645513e8ddf243b31ad2128", + "sha256:52abae4c96b5da630a8b4247de5428f593465291e5b239f3f843a911a3cf0105", + "sha256:6579f9ba84a3d4f1807c4aab4be06f373017fc65fff43498885ac50a9b47a553", + "sha256:68e06f8b2248f6dc8b899c3e7ecf02c9f413aab622f4d6190df53a78b93d97a5", + "sha256:6c5439bfb35a89cac50e81c751317faea647b9a3ec11c039900cd6915831064d", + "sha256:72c3110228944019e5f27232296c5923398496b28be42535e3b2dc7297b6e8b6", + "sha256:72f649d93d4cc4d8cf79c91ebc25137c358718ad75f99e99e043325ea7d56100", + "sha256:7aaf07085c756f6cb1c692ee0d5a86c531703b6e8c9cae581b31b562c16b98ce", + "sha256:80fe92813d208ce8aa7d76da878bdc84b90809f79ccbad2a288e9bcbeac1d9bd", + "sha256:95545137fc56ce8c10de646074d242001a112a92de169986abd8c88c27566a05", + "sha256:97b6d21771da41497b81652d44191489296555b761684f82b7b544c49989110f", + "sha256:98cb63ca63cb61f594511c06218ab4394bf80388b3d66cd61d0b1f63ee0ea69f", + "sha256:9f3b4522148586d35e78313db4db0df4b759ddd7649ef70002b6c3767d0fdeb7", + 
"sha256:a09a9d4ec2b7887f7a088bbaacfd5c07160e746e3d47ec5e8050ae3b2a229e9f", + "sha256:b5050d681bcf5c9f2570b93bee5d3ec8ae4cf23158812f91ed57f7126df91762", + "sha256:bb47a548cea95b86494a26c89d153fd31122ed65255db5dcbc421a2d28eb3379", + "sha256:bc462d24500ba707e9cbdef436c16e5c8cbf29908278af053008d9f689f56dee", + "sha256:c2067b3bb0781f14059b112c9da5a91c80a600a97915b4f48b37f197895dd925", + "sha256:d154ed971a4cc04b93a6d5b47f37948d1f621f25de3e8fa0c26b2d44f24e3e8f", + "sha256:d5dcea1387331c905405b09cdbfb34611050cc52c865d71f2362f354faee1e9f", + "sha256:ee6e2963e92762923956fe5d3479b1fdc3b76c83f290aad131a2f98c3df0593e", + "sha256:fd0e5062f11cb3e730450a7d9f323f4051b532781026395c4323b8ad055523c4" + ], + "index": "pypi", + "version": "==9.0.0" }, "plaster": { "hashes": [ @@ -564,11 +551,11 @@ }, "requests": { "hashes": [ - "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", - "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" + "sha256:68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61", + "sha256:f22fa1e554c9ddfd16e6e41ac79759e17be9e492b3587efa038054674760e72d" ], "index": "pypi", - "version": "==2.25.1" + "version": "==2.27.1" }, "requests-oauthlib": { "hashes": [ 
@@ -581,19 +568,27 @@ }, "s3transfer": { "hashes": [ - "sha256:35627b86af8ff97e7ac27975fe0a98a312814b46c6333d8a6b889627bcd80994", - "sha256:efa5bd92a897b6a8d5c1383828dca3d52d0790e0756d49740563a3fb6ed03246" + "sha256:50ed823e1dc5868ad40c8dc92072f757aa0e653a192845c94a3b676f4a62da4c", + "sha256:9c1dc369814391a6bda20ebbf4b70a0f34630592c9aa520856bf384916af2803" ], "index": "pypi", - "version": "==0.3.7" + "version": "==0.5.0" }, "sentry-sdk": { "hashes": [ - "sha256:71de00c9711926816f750bc0f57ef2abbcb1bfbdf5378c601df7ec978f44857a", - "sha256:9221e985f425913204989d0e0e1cbb719e8b7fa10540f1bc509f660c06a34e66" + "sha256:4fc7960a82c95d906a0514cf4d9aacba1743eb9863a5b7c2a01c525a7d9b21e6", + "sha256:f7e54567937ebcbe938c4df1075ec891587faeb7c74184b88cf2894e47c86116" + ], + "index": "pypi", + "version": "==1.5.4" + }, + "setuptools": { + "hashes": [ + "sha256:316484eebff54cc18f322dea09ed031b7e3eb00811b19dcedb09bc09bba7d93d", + "sha256:89c6e6011ec2f6d57d43a3f9296c4ef022c2cbf49bab26b407fe67992ae3397f" ], "index": "pypi", - "version": "==1.0.0" + "version": "==45.2.0" }, "shapely": { "hashes": [ @@ -728,11 +723,11 @@ }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:000ca7f471a233c2251c6c7023ee85305721bfdf18621ebff4fd17a8653427ed", + "sha256:0e7c33d9a63e7ddfcb86780aac87befc2fbddf46c58dbb487e0855f7ceec283c" ], "index": "pypi", - "version": "==1.26.4" + "version": "==1.26.8" }, "venusian": { "hashes": [ diff --git a/requirements.txt b/requirements.txt index b15694c7e..9253020eb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -pipenv==2020.11.15 +pipenv==2022.1.8