Dependency vulnerability - py - CVE-2020-29651 #378

Closed
earthgecko opened this issue Dec 10, 2020 · 1 comment

@earthgecko
Owner

As per SNYK-PYTHON-PY-1049546: Regular Expression Denial of Service (ReDoS) [Medium Severity] https://snyk.io/vuln/SNYK-PYTHON-PY-1049546 in py@1.9.0

Tracking py vulnerability - pytest-dev/py#256

py is required by pytest in requirements.txt

py==1.9.0
  - pytest==5.4.3 [requires: py>=1.5.0]

Fixed in py, but no new py release with the fix yet.

@earthgecko
Owner Author

New py 1.10.0 release (pytest-dev/py@e5ff378) will resolve this issue with https://pypi.org/project/py/1.10.0/ which is now available.

earthgecko added a commit that referenced this issue Dec 12, 2020
IssueID #3694: #3874: SNYK-PYTHON-PY-1049546
Dependency vulnerability - py - CVE-2020-29651 #378

- Update py to 1.10.0 which resolves CVE-2020-29651 by implementing
  pytest-dev/py#257 which fixes
  pytest-dev/py#256

Modified:
dev-requirements.txt
requirements.txt