
safety-db's People

Contributors

barseghyanartur, jayfk, jghoman, jwomers, lesleycla, lnielsen, ncoghlan, pyup-vuln-bot, rafaelpivato, skytreader, sobolevn, yeisonvargasf


safety-db's Issues

Windows compat?

Thanks for posting this tool, looks very promising!

I just tried this on Windows and I got an error:

  safety\formatter.py", line 27, in get_terminal_size
    rows, columns = subprocess.check_output(['stty', 'size']).split()
WindowsError: [Error 2] The system cannot find the file specified

I guess the stty command is not available on Windows. There is an API to get this information. Would you be willing to accept a patch to fix this?

Thanks!

Update PyPI package

I have a use case where using your PyPI package would be oodles better than downloading insecure.json from GitHub. In your documentation, the expected installation method is through pip install, but:

  1. per #2273 that use case is broken
  2. the latest version is more than a year old

Updating the PyPI package would fix those two issues.

Should you so choose, you can then automate the PyPI package update on a monthly basis for one of your Travis runs.

Published wheels don't actually include the DB

The package on PyPI published for this repository doesn't seem to actually work.

(aaa) ~/tmp/aaa:$ pip install --no-cache-dir safety-db
Collecting safety-db
  Downloading https://files.pythonhosted.org/packages/99/f4/2ceadae6059942cbae3d66a789f70dbf871cc9230eacc79ab00d4902bb88/safety_db-2017.4.19-py2.py3-none-any.whl
Installing collected packages: safety-db
Successfully installed safety-db-2017.4.19

(aaa) ~/tmp/aaa:$ python
Python 2.7.14 (default, Feb  6 2018, 20:04:00)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import safety_db
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jasonsimeone/tmp/aaa/lib/python2.7/site-packages/safety_db.py", line 13, in <module>
    with open("data/insecure.json") as __f:
IOError: [Errno 2] No such file or directory: 'data/insecure.json'
>>>

(aaa) ~/tmp/aaa:$ find . -name insecure.json

Looking in the wheel, the data files aren't there:

$ unzip -l safety_db-2017.4.19-py2.py3-none-any.whl
Archive:  safety_db-2017.4.19-py2.py3-none-any.whl
  Length      Date    Time    Name
---------  ---------- -----   ----
      576  04-19-2017 10:11   safety_db.py
     2324  04-19-2017 10:32   safety_db-2017.4.19.dist-info/DESCRIPTION.rst
    19341  04-19-2017 10:32   safety_db-2017.4.19.dist-info/LICENSE.txt
      905  04-19-2017 10:32   safety_db-2017.4.19.dist-info/metadata.json
       10  04-19-2017 10:32   safety_db-2017.4.19.dist-info/top_level.txt
      110  04-19-2017 10:32   safety_db-2017.4.19.dist-info/WHEEL
     3017  04-19-2017 10:32   safety_db-2017.4.19.dist-info/METADATA
      699  04-19-2017 10:32   safety_db-2017.4.19.dist-info/RECORD
---------                     -------
    26982                     8 files

Safety wants impossible version for python-nomad

Hi – 
Y'all have a record of a vuln in the python-nomad library:

safety-db/data/insecure_full.json, lines 11472 to 11482 at cada380:

    "python-nomad": [
        {
            "advisory": "python-nomad before 2.20.0 made it easier for remote attackers to discover credentials by sniffing the network.",
            "cve": null,
            "id": "pyup.io-36602",
            "specs": [
                "<2.20.0"
            ],
            "v": "<2.20.0"
        }
    ],

Problem is, there is no 2.20.0 version of python-nomad; the most recent release is 1.2.1.

It looks like y'all might have picked up the changelog of the 1.0.1 release, which was updating the requests library to 2.20.0 (!) for the exact issue described in your advisory, and somehow transposed that onto python-nomad?

Install and usage steps do not seem to work

I am just trying this out, and not sure if I am missing anything. But it seems like the steps do not work for a new python environment at least. I am not sure yet if the issue is with packaging the data directory in the package or not, but it seems that way.

python3 -m venv .env
source .env/bin/activate
pip install safety-db
python -c "import safety_db"

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/vagrant/virtualenvs/api/lib/python3.6/site-packages/safety_db.py", line 13, in <module>
    with open("data/insecure.json") as __f:
IOError: [Errno 2] No such file or directory: 'data/insecure.json'

Edit: The traceback output was using a different environment and has been fixed, but the issue persists either way.

safety check misses vulnerability for anncolvar < 0.4

Here is the vulnerability in safety-db/data/insecure_full.json:

"anncolvar": [
        {
            "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.",
            "cve": null,
            "id": "pyup.io-36803",
            "specs": [
                "<0.4"
            ],
            "v": "<0.4"
        }
    ],
    "annotator": [
        {
            "advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
            "cve": null,
            "id": "pyup.io-25615",
            "specs": [
                "<0.11.2"
            ],
            "v": "<0.11.2"
        }
    ],

Here is my requirements.txt:

anncolvar==-0.3
annotator==0.10.1

Here are the results of running safety check -r requirements.txt --json

[
    [
        "annotator",
        "<0.11.2",
        "0.10.1",
        "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
        "25615"
    ]
]

Note that annotator is mentioned but anncolvar is not.

html5lib dual numbering

I assume whilst trying to mitigate some of the issues of the unique version numbering used by html5lib they have started giving each version two version numbers for each release.

https://pypi.python.org/pypi/html5lib

0.9999999 (seven 9s) is the same software as 1.0b8.

% echo "html5lib==0.9999999" | safety check --stdin
stty: stdin isn't a terminal
safety report
---
-> html5lib, installed 0.9999999, affected <0.99999999, id 25846

We should see the same vulnerability for 1.0b8

% echo "html5lib==1.0b8" | safety check --stdin
stty: stdin isn't a terminal
safety report
---
No known security vulnerabilities found.
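The two reports above (the missed anncolvar pin and the html5lib 0.9999999 / 1.0b8 split) come down to how a requirement line is parsed and how its version is compared against the advisory spec. The following is an added example, not code from safety-db or the safety CLI: a minimal checker over a constructed insecure_full.json-shaped dictionary (entries copied from the issues on this page) that reports requirement lines it cannot evaluate instead of silently skipping them, and that makes the html5lib gap visible by comparing both version strings against the same "<0.99999999" spec. The version and specifier parsers are a deliberately small subset of PEP 440 (release segments plus an optional a/b/rc pre-release, and the six comparison operators), assumed here in place of the packaging library; treating "vulnerable if any entry in specs matches" is likewise an assumption about the DB format, not a documented contract.

```python
"""Added example: a tiny safety-style checker that never skips a line silently."""
import json
import re

# Constructed sample in the shape of safety-db's insecure_full.json; advisory
# texts are abbreviated and the urllib3 entry is rebuilt from the CLI output
# quoted in the issue below, so do not treat this dict as real DB content.
INSECURE_FULL = json.loads("""
{
  "anncolvar": [{"advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.",
                 "cve": null, "id": "pyup.io-36803", "specs": ["<0.4"], "v": "<0.4"}],
  "annotator": [{"advisory": "annotator 0.11.2 fixes an authorization bug ...",
                 "cve": null, "id": "pyup.io-25615", "specs": ["<0.11.2"], "v": "<0.11.2"}],
  "html5lib":  [{"advisory": "html5lib before 0.99999999 ...",
                 "cve": null, "id": "pyup.io-25846", "specs": ["<0.99999999"], "v": "<0.99999999"}],
  "urllib3":   [{"advisory": "_encode_invalid_chars in util/url.py ... O(N^2)",
                 "cve": "CVE-2020-7212", "id": "pyup.io-27519",
                 "specs": [">=1.25.2,<=1.25.7"], "v": ">=1.25.2,<=1.25.7"}]
}
""")

# Subset of PEP 440: "1.2.3", "0.9999999", "1.0b8", "2.0rc1". Anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(text):
    """Return a sortable tuple for a version string, or None if it is not supported."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    release = tuple(int(part) for part in m.group(1).split("."))
    # Drop trailing zeros so that 1.0 and 1.0.0 compare equal.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    # A pre-release of X sorts below the final X; (1, 0, 0) marks "final".
    pre = (0, _PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (1, 0, 0)
    return (release, pre)


_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(.+)$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def matches(version, spec_set):
    """True if a parsed version satisfies every clause of e.g. '>=1.25.2,<=1.25.7'."""
    for clause in spec_set.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        bound = parse_version(m.group(2))
        if bound is None:
            raise ValueError("unparseable version in specifier: %r" % clause)
        if not _OPS[m.group(1)](version, bound):
            return False
    return True


_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)\s*$")


def check_requirements(lines, db):
    """Return (findings, rejected).

    findings: (package, installed, affected spec, id, cve) for each matching advisory.
    rejected: (line, reason) for lines that could not be evaluated, so that an
    invalid pin such as 'anncolvar==-0.3' is surfaced instead of silently skipped.
    """
    findings, rejected = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            rejected.append((raw, "not an exact 'name==version' pin"))
            continue
        name, version_text = m.group(1).lower().replace("_", "-"), m.group(2)
        version = parse_version(version_text)
        if version is None:
            rejected.append((raw, "invalid version %r" % version_text))
            continue
        for adv in db.get(name, []):
            # Assumption: an advisory applies if any of its spec sets matches.
            if any(matches(version, spec) for spec in adv["specs"]):
                findings.append((name, version_text, adv["v"], adv["id"], adv["cve"]))
    return findings, rejected


if __name__ == "__main__":
    sample = ["anncolvar==-0.3", "annotator==0.10.1", "html5lib==0.9999999",
              "html5lib==1.0b8", "urllib3==1.25.6"]  # constructed requirements.txt
    found, bad = check_requirements(sample, INSECURE_FULL)
    for f in found:
        print("VULNERABLE %s %s affected %s id %s cve %s" % f)
    for line, why in bad:
        print("REJECTED   %r: %s" % (line, why))
```

Run against the constructed requirements, annotator 0.10.1, html5lib 0.9999999 and urllib3 1.25.6 are reported with their advisory id and CVE (where the entry has one), html5lib 1.0b8 is not reported because 1.0b8 sorts above 0.99999999 under PEP 440 ordering, and the anncolvar line is listed as rejected rather than vanishing from the output. A DB that wants to cover both html5lib numbering schemes needs a spec that names both, e.g. an additional pre-release clause; the matcher alone cannot bridge them.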

December update? Or, is safety-db dying?

I couldn't find the December update of this repository, while README says it updates monthly. Do you have a plan to execute the December update? I've found that after the August update, there's no meaningful update for JSON files. Does this mean there's no security vuln since September?

Also, according to his LinkedIn profile, Jwomers, who was the CEO of pyup, has left the company.

Is safety-db active project?

What to do when CVE not listed, and ID from safety is not in the manifest?

Hello,

We recently started seeing:

Checking installed package safety…
27519: urllib3 >=1.25.2,<=1.25.7 resolved (1.25.6 installed)!
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

ID=27519

But that is not in
https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json

It was difficult therefore to find the true CVE, but some searching around eventually landed me to:
https://cve.circl.lu/cve/CVE-2020-7212

What would safety recommend in these situations?

  1. how is there an ID listed that isn't in the manifest?
  2. couldn't we also print the CVE in the output by default to make things easier?

https://pyupio.github.io/safety-db/ doesn't seem to work

The loader keeps spinning; in the Chrome inspector I can see that it tries to load the JSON but fails to do so because:

<Error>
  <Code>NoSuchBucket</Code>
  <Message>The specified bucket does not exist</Message>
  <BucketName>safety-db-mirror-2</BucketName>
  <RequestId>3C009E7734F8C4F1</RequestId>
  <HostId>21xPzzACLs4JZm+I7wEG+tSso/t3h5ygnuhJQjoTMSXGEzxZvDH+f/7UdDny8ZDJI3tGKTgITjU=</HostId>
</Error>

Post database submissions here?

Are submissions to this database from the public allowed to be made, and if so, is this GH issues page the place to do it?

I noticed an important security bulletin was released by New Relic for their Python agent only a couple of weeks ago and I'd like to make that available in your vuln database.

Pillow <2.5 is not affected by CVE-2016-3076

Thanks for reporting @int-ua

For example Pillow==2.4.0 is not affected by CVE-2016-3076 but it's still shown as vulnerable.
What I Did

$ safety check --full-report
pillow │ 2.4.0 │ <3.1.2 │ 25943
pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.

False positive for CVE-2018-10903 : cryptography == 2.3

I run safety via pipenv check:

36351: cryptography >=1.9.0 resolved (2.3 installed)!
python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

As you can see I got version cryptography 2.3 installed, but the check still fails.

ID changed for a vuln?

Hello,

We had previously used the ID of 33151 which was included in 4736e94, and appears to have been removed in e604513, but in 1b083bd has been changed to ID 35015.

This is for CVE-2013-7459.

We will update our use of the ID, but are curious to know how to expect the IDs to be stable over time, or if this was an unintentional change?

ldap3

  • 1.4.0 2016.07.18
    • Multiple Mock strategies now share entries when using the same Server object
    • Added AsyncStreamStrategy
    • Added Connection.extend.standard.persistent_search() (Thanks martinrm77)
    • Added escaping of character > 0x7F in filter validation (thanks cfelder)
    • Added better descriptions of Exception in abstraction layer (thanks cfelder)
    • Added queue in Persistent Search
    • Added callback in Persistent Search
    • MockStrategy now honors raise_exception parameter (thanks Simon)
  • 1.3.3 2016.07.03
    • Changed parameter name from 'check' to 'fix' in connection.extend.novell.add_members_to_groups() and connection.extend.novell.remove_members_from_groups()
    • Added connection.extend.novell.check_groups_memberships() that check if members are in groups and fixes the user-group relation if incorrect
    • Updated docs link to ldap3.readthedocs.io
    • Fixed error in utils.conv.check_escape (thanks Anjuta)
    • Fixed typo in server.py when IP_V4_PREFERRED is used (thanks eva8668)
    • Host name certificate matching exception and logging is much more informative (thanks eddie-dunn)
    • Fixed typo in docs for use_ssl (thanks Brooks Kindle)
    • Tested against Python 2.6., Python 2.7.12, Python 3.5.2 and PyPy 5.3.1
  • 1.3.2 2016.07.01
    • unreleased on pypi
  • 1.3.1 2016.05.11
    • Added support for mocking the ldap3 library
    • Added support for MockSync strategy (thanks Roxana)
    • Added checked_attributes=True parameter to connection.response_to_json()
    • Added checked_attributes=True parameter to entry.entry_to_json()
    • MockSyncBase strategy supports bind(), unbind(), delete(), compare(), modify(), modify_dn(), abandon(), add()
    • MockSyncBase strategy accepts directory entries in json file
    • Fixed schema representation (thanks Conrado)
    • Allow connection.abandon(0), useful to "ping" the server
    • Added connection.abandon() test suite
    • Reusable strategy checks bind credential at bind() time, only on one worker connection
    • Reusable strategy ignores abandon() operation because of multiple connection workers
    • Reusable strategy honours return_empty_attributes connection parameter
    • Added lazy information to connection representation
    • Added support for hash (LM:NTLM) Windows NTLM authentication (thanks Dirk)
    • Fixed representation of empty attributes in connection.entries
    • Comparison of entry attributes value is easier
    • Added new extended operation connection.extend.novell.start_transaction()
    • Added new extended operation connection.extend.novell.end_transaction()
    • Added new extended operation connection.extend.novell.add_members_to_groups(members, groups, check, transaction)
    • Added new extended operation connection.extend.novell.remove_members_from_groups(members, groups, check, transaction)
    • Added new exception LDAPTransactionError
    • Added logic to handle Novell Transaction Error Unsolicited Notice
    • Ignore checking of ssl context when cadata, cafile and capath are not provided (thanks DelboyJan)
  • 1.2.2 2016.03.23
    • repr encoding set to 'ascii' when sys.stdout.encoding is None (thanks Jeff)
  • 1.2.1 2016.03.19
    • try to use the requested ssl protocol in SSLContext for Python>=3.4 (thanks Patrick)
    • added return_empty_attributes to Connection object to return an empty list when the attribute requested is missing in the retrieved object
  • 1.1.2 2016.03.10
    • Added rebind() method to Connection object to rebind with a different user (thanks Lorenzo)
    • Added Tests for rebind operation
    • Start_tls honored in referrals
    • Default ldaps port honored in referrals
    • Additional connection parameters honored in referrals and in the restartable strategy
    • Server connection timeout is honored while connecting, connection receive timeout while receiving
    • Extended operations followed on referrals (thanks Pavel)
    • Added receive_timeout parameter in Connection object to set socket in non-blocking mode with a specified timeout (thanks Antho)
    • Fixed abstract entry getattr() throwing KeyError instead of AttributeError (thanks Kilroy)
    • Fixed start_tls() Reusable strategy
  • 1.0.4 2016.01.25
    • Controls can be added to extended operation in the extend package (thanks Hinel)
  • 1.0.3 2015.12.1
    • Fixed set_config_parameter (thanks Sigmunau)
    • Disabled unauthenticated authentication, see RFC 4513 section 5.1.2 (thanks Petros)
    • Fixed falsey value in abstract Entry object contains() (thanks Vampouille)
  • 1.0.2 2015.12.07
    • Allowed_referral_hosts in Server objects defaults to [('*', True)] to accept any referral server with authentication
    • Referral uri is now properly percent-undecoded (thanks TWAC)
    • Referral Server object now use the same configuration of the original Server object
    • Fixed contains() in Entry object (thanks Vampouille)
  • 1.0.1 2015.12.06
    • Removed the compat package
    • Refactored docs for extend operations
  • 1.0.0 2015.12.06
    • Private RC for production
    • Status moved to 5 - Production/Stable
  • 0.9.9.4 2015.12.02
    • Added items() to CaseInsensitiveDict class (thanks Jan-Hendrik)
    • Added set_config_parameter() in ldap3 namespace to modify the values of the configurable parameters of ldap3
    • Added microsoft.extend.modify_password() extended operation to change AD password
    • Fixed find_active_random_server() in pooling (thanks Sargul)
    • Fixed referral decoding in fast ber decoder (thanks TWAC)
  • 0.9.9.3 2015.11.15
    • Added LDAPI (LDAP over IPC) support for unix socket communication
    • Added mandatory_in and optional_in in server schema for attribute types. Now you can see in which classes attributes are used
    • Added last_transmitted_time and last_received_time to Usage object to track time of the last sent and received operation
    • Exception SessionTerminatedByServer renamed to SessionTerminatedByServerError and added to ldap3 namespace
    • Added get_config_parameter() in ldap3 namespace to read the current value of ldap3 configurable parameters
    • Added SASL mechanism name as constants in the ldap3 namespace
    • Added escape_filter_chars in utils.conv (thanks Peter)
    • Reverted ALL_ATTRIBUTES behaviour in search to 0.9.9.1 (thanks Petros)
  • 0.9.9.2 2015.10.19
    • Fixed hasattr() behaviour for Entry object in Python 3
    • Allows empty sasl_credentials in SASL bind
    • Added POOLING_LOOP_TIMEOUT constant to specify how many seconds the server pooling strategy has to wait before retrying if it did not find an active server (defaults to 10)
    • Pooling strategy now allows to specify the number of cycles to try when finding a server (with active=N)
    • Pooling strategy now allows to specify how many seconds a server must be considered offline before retrying to check for availability (with exhaust=N)
    • Connection.entries defaults to empty list
    • ALL_ATTRIBUTES doesn't send any attribute in the attribute list (was sending '*') while searching
    • Added DirSync extended function for Microsoft Active Directory
    • Added LDAP_SERVER_DIRSYNC_OID control for Microsoft Active Directory
    • Added LDAP_SERVER_EXTENDED_DN_OID control for Microsoft Active Directory
    • Added LDAP_SERVER_SHOW_DELETED_OID control for Microsoft Active Directory
    • Fixed AD tests for single valued attributes
    • Added ACL attribute in the ATTRIBUTES_EXCLUDED_FROM_CHECK list
  • 0.9.9.1 2015.09.21
    • Allows empty member values in groups while adding - this should not be as per RFC 4511 4.1.7, but some servers expect it (thanks John)
    • Faster case insensitive dict while getting and setting key (thanks Pierre)
    • Updated setuptools to 18.3.2
    • Updated wheel to 0.26
    • Tested against Python 2.6 - Python 2.7 - Python 3.3 - Python 3.4 - Python 3.5 - pypy - pypy3
  • 0.9.9 2015.09.09
    • Fixed boolean value for True value in ASN.1 encoding for certain ldap servers. (thanks Will)
    • Fixed follow auto referrals. (thanks Will)
    • Now protocol defined integer values can be used for scope and derefAliases arguments when searching. (thanks Will)
    • Added description field in the AttrDef object. (thanks Hogne)
    • Added a custom ber decoder. Decoding of received packets is now 10x faster.
    • Added new boolean argument fast_decoder in connection object. Defaults to True.
    • Highest date correctly managed by the format_ad_timestamp() formatter. (thanks Will)
    • Fix for latest gssapi kerberos authentication module (thanks Alex)
    • Added freeIPA OID descriptors
    • Removed unneeded OidInfo class
  • 0.9.8.8 2015.08.14
    • Coerce objectClass to a list in Add operation. (thanks Yutaka)
    • ObjectClass attribute values maintain their order in the Add operation. (thanks Yutaka)
    • Fixed search filter composition when the value part of the assertion contains = character. (thanks Eero)
    • Fixed modify_password extended operation when no hash method is specified. (thanks midnightlynx)
    • Added credentials to kerberos authentication. (thanks Alex)
    • Target name can be specified in sasl_credentials for Kerberos authentication. (thanks Alex)
    • Target name can be read from DNS in sasl_credential for Kerberos authentication. (thanks Alex)
    • Fixed connection.entries error when referrals are in the search response. (thanks Will)
  • 0.9.8.7 2015.07.19
    • Backported ssl.match_hostname from Python 3.4.3 standard library to be used in Python < 2.7.10
    • Use backports.ssl_match_hostname if present instead of static backported functions for matching server names in ssl certificate (thanks Michal)
    • Attributes values are properly printed when not strings in abstract.attribute (thanks hogneh)
    • Checking unicode repr() in python2
    • Added hashing capability to Modify Password extended operation (thanks Gawain)
  • 0.9.8.6 2015.06.30
    • Modify operation now accepts multiple changes for the same attribute (Thanks Lorenzo)
    • Fixed entries property in connection when objects from multiple object classes are returned
    • Hide sensitive data in logging. use the utils.log.set_library_hide_sensitive_data(False) to show sensitive data
      and utils.log.get_library_hide_sensitive_data() to get the current value
    • Limited number of characters in a single log line. use the utils.log.set_library_log_max_line_length(length) to set
      and utils.log.get_library_log_max_line_length(length) to get the current value
    • Added CHANGES.txt with full changelog, latest changes only in README.txt
  • 0.9.8.5.post2 2015.06.24
    • Updated pyasn1 to 0.1.8
    • Fixed error in not filter with pyasn1 0.1.8
  • 0.9.8.5 2015.06.23
    • Updated docs with ldap operations pages
    • Fixed a bug where an Exception was raised on OpenBSD for missing IPV4_MAPPED flag
    • Fixed missing add operation usage metrics
    • Abstract Attribute doesn't permit "falsy" values or None as default (thanks Lucas)
  • 0.9.8.4 2015.05.19
    • Added EXTENDED log detail level with prettyPrint description of ldap messages
    • Fixed logging of IPv6 address description
    • Fixed checking of open address when dns returns more than one ip for the same host
    • Fixed selection of proper address when failing back from IPv6 to IPv4 and vice-versa
    • When sending controls controlValue is now optional (as stated in RFC 4511), specify None to not send it
    • Moved badges to shields.io
  • 0.9.8.3 2015.05.11
    • Added support for logging
    • Added LDAPInvalidTlsSpecificationError exception
    • Added support for kerberos sasl - needs the gssapi package (thanks sigmaris and pefoley2)
    • Added support for using generator objects in ldap operations (thanks Matt)
    • Fixed bug in collect_usage (thanks Philippe)
    • Changed default server mode from IP_SYSTEM_DEFAULT to IP_V6_PREFERRED
  • 0.9.8.2 2015.04.08
    • SaslCred returned as raw bytes (thanks Peter)
    • Search_paged now properly works in abstract.reader (thanks wazboy)
  • 0.9.8.1 2015.04.04
    • Added NTLMv2 authentication method
    • extend.standard.who_am_i() now tries to decode the authzid as unicode
    • Tests for AD (Active Directory) now use tls_before_bind when opening a connection
    • 0.9.8 not working for pypi problems
  • 0.9.7.12 2015.03.18
    • Fixed missing optional authzid in digestMD5 sasl mechanism (thanks Damiano)
    • Changed unneeded classmethods to staticmethods
  • 0.9.7.11 2015.03.12
    • Fixed address_info resolution on systems without the IPV4MAPPED flag (thanks Andryi)
  • 0.9.7.10 2015.02.28
    • Fixed bug in PagedSearch when server has a hard limit on the number of entries returned (thanks Reimar)
    • 0.9.7.9 not working for pypi problems
    • 0.9.7.8 not working for pypi problems
    • 0.9.7.7 not working for pypi problems
    • 0.9.7.6 not working for pypi problems
  • 0.9.7.5 2015.02.20
    • Fixed exception raised when opening a connection to a server. If there is only one candidate address and there is an error it returns the specific Exception, not a generic LDAPException error
    • Address_info filters out any impossible address to reach
    • Address_info include an IPV4MAPPED address for IPV6 host that try to reach an IPV4 only server
    • Added SyncMock strategy (needs the sldap3 package)
    • Fixed bug when using the approximation operation in ldap search operations (thanks Laurent)
    • Removed response from exception raised with raise_exceptions=True to avoid very long exceptions message
  • 0.9.7.4 2015.02.02
    • Added connection.entries property for storing response from search operations as and abstract.Entry collection.
  • 0.9.7.3 2015.01.25
    • Modify operation type can also be passed as integer
  • 0.9.7.2 2015.01.16
    • Fixed a bug when resolving IP address with getaddrinfo(). On OSX it returned a UDP connection (thanks Hiroshi).
  • 0.9.7.1 2015.01.05
    • Moved to Github
    • Moved to Travis-CI for continuous integration
    • Moved to ReadTheDocs for documentation
    • Moved testing servers in the cloud, to allow testing from Travis-CI
    • Project renamed from python3-ldap to ldap3 to avoid name clashing with the existing python-ldap library
    • Constant values in ldap3 are now strings. This is helpful in testing and debugging
    • Test suite fully refactored to be used in cloud lab and local development lab
    • Test suite includes options for testing against eDirectory, Active Directory and OpenLDAP
  • 0.9.7 2014.12.17
    • Fixed bug for auto_range used in paged search
    • Added dual IP stack mode parameter in Server object, values are: IP_SYSTEM_DEFAULT, IP_V4_ONLY, IP_V4_PREFERRED, IP_V6_ONLY, IP_V6_PREFERRED
    • Added read_server_info parameter to bind() and start_tls() to avoid multiple schema and info read operations with auto_bind
    • Redesigned Reusable (pooled) strategy
    • Added LDAPResponseTimeoutError exception raised when get_response() doesn't receive any response in the allowed timeout period
    • Added shortened authentication parameters in ldap3 namespace: ANONYMOUS, SIMPLE, SASL
    • Added shortened scope parameters in ldap3 namespace: BASE, LEVEL, SUBTREE
    • Added shortened get_info parameters in ldap3 namespace: NONE, DSA, SCHEMA, ALL
    • Added shortened alias dereferencing parameters in ldap3 namespace: DEREF_NONE, DEREF_SEARCH, DEREF_BASE, DEREF_ALWAYS
    • Added shortened connection strategy parameters in ldap3 namespace: SYNC, ASYNC, LDIF, RESTARTABLE, REUSABLE
    • Added shortened pooling strategy parameters in ldap3 namespace: FIRST, ROUND_ROBIN, RANDOM
    • Added reentrant lock to avoid race conditions in the Connection object
    • When runs in Python 2.7.9 uses SSLContext
    • Tested against Python 2.7.9, PyPy 2.4.0 and PyPy3 2.4.0
    • setuptools updated to 8.2.1
  • 0.9.6.2 2014.11.17
    • Changed SESSION_TERMINATED_BY_SERVER from 0 to -2
    • Removed unneeded FORMAT_xxx variables in ldap3 namespace
    • Fixed bug in auto_range when search operation returns search continuations
    • Added infrastructure for Mock DSA (not functional yet)
  • 0.9.6.1 2014.11.11
    • Added boolean parameter "auto_range" to catch the "range" ldap tag in searches. When true all needed search operation are made to fully obtain the whole range of result values
    • Fixed bug in sdist
    • Added offline schema for Fedora 389 Directory Server 1.3.3
    • Fixed bug while reading DSA info
  • 0.9.6 2014.11.01
    • New feature 'offline schema' to let the client have knowledge of schema and DSA info even if not returned by the server
    • Offline schema for Novell eDirectory 8.8.8
    • Offline schema for Microsoft Active Directory 2012 R2
    • Offline schema for slapd 2.4 (Openldap)
    • Added server.info.to_json() and server.info.to_file to JSON serialize schema and info from Server object
    • Added Server.from_json() and Server.from_file() to create a Server object from a JSON definition
    • Added response_to_json() and response_to_file() to Connection object to serialize search response entries in JSON as a string or as a file
    • New exception hierarchy LDAPConfigurationError includes library configuration exceptions
    • New exception LDAPInvalidConfigurationDefinitionError
    • Dsa info and schema are not read twice when binding (thanks phobie)
    • LDAPStartTLSError exception is merged with exception raised from ssl packaged
    • Digest-MD5 SASL authentication accepts directives with list attributes (thanks John)
    • Fixed caseInsensitiveDictionary for keys() and values() methods
    • Fixed matching of certificate name in ssl with Python2
    • Attributes names and formatters are checked even if schema is not read by the server
    • Fixed fractional time when parsing generalized time
    • Specific decoder for Active Directory ObjectGuid and ObjectSid
    • Added additional checking for unicode in Python 2
    • Tested against Python 3.4.2, 2.7.8, 2.6.6
    • Updated setuptools to 7.0
  • 0.9.5.4 2014.09.22
    • Fixed security issue in lazy connections (thanks Moritz)
    • Added ldap3.utils.dn with parse_dn(dn) to verify dn compliance with RFC4514
    • Added safe_dn(dn) to properly escape dn (if possible)
    • Added ldap3.utils.uri with parse_uri(uri) to verify uri compliance with RFC4516
    • Check for trailing slashes in hostname (thanks Dylan)
    • Timeout for socket connect operation. Server.connect_timeout = seconds_to_wait_for_establishing_connection (thanks Florian)
    • Closing socket error doesn't raise exception anymore
    • ServerPool can be implicitly defined with a list of server names (even when defining a connection)
  • 0.9.5.3 2014.08.24
    • elements returned in schema and dsa info are in a case insensitive dictionary (can be changed in ldap3.CASE_INSENSITIVE_SCHEMA_NAMES = True|False)
    • attributes name returned in searches are now case insensitive (can be changed in ldap3.CASE_INSENSITIVE_ATTRIBUTE_NAMES = True|False)
    • change parameter name from separe_rdn to separate_rdn in ldap3.utils.conv.to_dn()
    • sync dev from Bitbucket to GitHub
    • schema attributes are explicitly read (useful for Active directory and 389 Directory Server)
    • new extended operation: list_replicas (Novell)
    • new extended operation: get_replica_info (Novell)
    • new extended operation: partition_entry_count (Novell)
    • renamed convert_to_ldif() to _convert_to_ldif()
  • 0.9.5.2 2014.08.05
    • fixed LDAPOperationResult.str (thanks David)
    • added to_dn() in utils.conv to convert a dn string to a list of components (strings or tuples)
    • added version in ldap3
    • don't raise exception if the schema cannot be read in unauthenticated state
    • server.address_info is now a property
  • 0.9.5.1 2014.08.02
    • getaddrinfo called only once
    • real_server machinery removed - messageId is now global and monotonic for the whole library
    • attributes are returned formatted if schema is read and check_names = True, removed checked_attributes
    • bind result is populated again when successful (was removed in 0.9.2.1)
    • exception is now raised if you receive multiple extended response to a single extended request. This is not allowed by RFC 4511
  • 0.9.5 2014.07.22
    • added support for IPv6 (thanks Robert)
    • auto_bind can be used even for establishing tls, possible values (defined in ldap3) are: AUTO_BIND_NONE, AUTO_BIND_NO_TLS, AUTO_BIND_TLS_AFTER_BIND, AUTO_BIND_TLS_BEFORE_BIND
    • refactored extend package to use classes
    • new extended operation: get_universal_password (Novell)
    • new extended operation: set_universal_password (Novell)
    • added parsing of hostname in scheme://hostname:hostport format. This has the precedence on the parameters (thanks Sorin)
    • added extra checks when the schema is read (with the get_info parameter) but nothing is returned by the server
    • updated setuptools to version 5.4.1
    • when check_name is True and schema is read attributes are checked and formatted in "checked_attributes" as specified by RFCs and schema
    • added formatter for generalizedTime syntax as specified in rfc 4517 (asn.1)
    • custom formatter can be added in Server definition
  • 0.9.4.2 2014.07.03
    • Moved to Bitbucket + Mercurial
    • Fixed import in core.tls package
    • Removed unneeded imports
  • 0.9.4.1 2014.07.02
    • included missing extend package (thanks to debnet)
  • 0.9.4 2014.07.02
    • when running in python 3.4 or newer now Tls class uses SSLContext object with default secure setting
    • added parameters ca_certs_path, ca_certs_data, local_private_key_password to Tls object creation, valid when using SSLContext
    • in python 3.4 or newer the system CA certificates configuration can be used (just leave ca_cert_file, ca_certs_path and ca_certs_data set to None)
    • removed TLSv1 as default for Tls connection
    • upgraded backported ssl function from python 3.4.1 when using with python 2
    • when creating a connection server can now be a string, the name of the server to connect in cleartext on default port 389
    • fixed bug in ldap3.util.conv.escape_bytes()
    • attributes parameter in search can be a tuple
    • check_names parameter in connection now defaults to True (so if schema info is available attribute and class name will be checked when performing LDAP operations)
    • remove the connection.close() method - you must use connection.unbind()
    • new exception LDAPExtensionError for signaling when the requestValue of extended operation is of unknown ASN1 type
    • exiting connection manager doesn't raise exception if unbind is not successful (needed in long operations)
    • new extended operation: modify_password (RFC3062)
    • new extended operation: who_am_i (RFC4532)
    • new extended operation: get_bind_dn (Novell)
    • updated setuptools to version 5.3
  • 0.9.3.5 2014.06.22
    • Exception history in restartable strategy is printed when reached the maximum number of retries
    • Fixed conditions on terminated_by_server unsolicited message
    • Added python2.6 egg installation package
  • 0.9.3.4 2014.06.16
    • Exception can now be imported from ldap3 package
    • Escape_bytes return '' for empty string instead of None (thanks Brian)
    • Added exception history to restartable connection (except than for infinite retries)
    • Fixed start_tls retrying in restartable connection (thanks Brian)
    • New exception LDAPMaximumRetriesError for signaling when the SyncRestartable Strategy has reached the maximum number of retries while performing an operation
    • Inverted deleteoldrdn value in LDIF output (thanks Joseph)
  • 0.9.3.3 2014.06.01
    • Fixed a bug in LDIFProducer when using context manager for connection
    • LDIF header in stream is added only when there are actual data in the stream
    • Now LDIF stream can be added to an existing file - version header will not be written if stream is not empty
  • 0.9.3.2 2014.05.30
    • Fixed a bug while reading schema
    • Add an implicit open() when trying binding on a closed connection
  • 0.9.3.1 2014.05.28
    • Added stream capability to LDIFProducer strategy
    • Customizable line separator for ldif output
    • Customizable sorting order in ldif output
    • object_class parameter is now optional in connection.add()
    • Fixed objectClass attribute case sensitive dependency in add operation
    • Added stream capability to response_to_ldif() while searching
  • 0.9.3 2014.05.20
    • Now the key in server.schema.attribute_type is the attribute name (was the oid)
    • Now the key in server.schema.object_classes is the class name (was the oid)
    • Added check_names to Connection definition to have the names of attributes and object class checked against the schema
    • Updated setuptools to 3.6
    • Added wheel installation format
    • Added raise_exceptions mode for connection
    • Exception hierarchy reworked
    • Added locking to Server object (for multithreading)
  • 0.9.2.2 2014.04.30
    • fixed a bug from 0.9.1 that broke start_tls() (thanks Mark)
  • 0.9.2.1 2014.04.28
    • fixed a bug in 0.9.2 that allowed only string attributes in add, modify and compare operations (thank Mladen)
  • 0.9.2 2014.04.26
    • changed return value in get_response from response to (response, result) - helpful for multi threaded connections
    • added ReusableStrategy for pooling connections
    • refined docstrings (thanks Will)
    • result and response attributes don't overlap anymore. Operation result is only in result attribute.
    • fixed search for binary values (thanks Marcin)
    • added convenience function to convert bytes to LDAP binary value string format for search filter
  • 0.9.1 2014.03.30
    • added laziness flag to test suite
    • changed ServerPool signature to accept active and exhaust parameters
    • removed unneeded start_listen parameter
    • added 'lazy' parameter to open, to bind and to unbind a connection only when an effective operation is performed
    • fixed start_tls in SyncWaitRestartable strategy
    • fixed certificate name checking while opening an ssl connection
    • fixed syntax error during installation
    • socket operations now raises proper exception, not generic LDAPException (thanks Joseph)
    • tested against Python 3.4, 3.3, 2.7, 2.6
    • updated setuptools to 3.3
  • 0.9.0 2014.03.20
    • PEP8 compliance
    • added ldap3.compat package with older (non PEP8 compliant) signatures
    • renamed ldap3.abstraction to ldap3.abstract
    • moved connection.py, server.py and tls.py files to ldap3.core
    • fixed SyncWaitRestartableStrategy (thanks Christoph)
  • 0.8.3 2014.03.08
    • added SyncWaitRestartable strategy
    • removed useless forceBind parameter
    • usage statistics updated with restartable success/failure counters and open/closed/wrapped socket counters
  • 0.8.2 2014.03.04
    • Added refresh() method to Entry object to read again the attributes from the Reader in the abstraction layer
    • Fixed Python 2.6 issues
    • Fixed test suite for Python 2.6
  • 0.8.1 2014.02.12
    • Changed exceptions returned by the library to LDAPException, a subclass of Exception.
    • Fixed documentation typos
  • 0.8.0 - 2014.02.08
    • Added abstraction layer (for searching)
    • Added context manager to Connection class
    • Added readOnly parameter to Connection class
    • Fixed a bug in search with 'less than' parameter
    • Remove validation of available SSL protocols because different Python interpreters can use different ssl packages
  • 0.7.3 - 2014.01.05
    • Added SASL DIGEST-MD5 support
    • Moved to intrapackage (relative) imports
  • 0.7.2 - 2013.12.30
    • Fixed a bug when parentheses are used in search filter as ASCII escaped sequences
  • 0.7.1 - 2013.12.21
    • Completed support for LDIF as per RFC2849
    • Added new LDIF_PRODUCER strategy to generate LDIF-CHANGE stream
    • Fixed a bug in the autoReferral feature when controls were used in operation
  • 0.7.0 - 2013.12.12
    • Added support for LDIF as per RFC2849
    • Added LDIF-CONTENT compliant search responses
    • Added exception when using autoBind if connection is not successful
  • 0.6.7 - 2013.12.03
    • Fixed exception when DSA is not willing to return rootDSE and schema info
  • 0.6.6 - 2013.11.13
    • Added parameters to test suite
  • 0.6.5 - 2013.11.05
    • Modified rawAttributes decoding, now null (empty) values are returned
  • 0.6.4 - 2013.10.16
    • Added simple paged search as per RFC2696
    • Controls return values are decoded and stored in result attribute of connection
  • 0.6.3 - 2013.10.07
    • Added Extensible Filter syntax to search filter
    • Fixed exception while closing connection in AsyncThreaded strategy
  • 0.6.2 - 2013.10.01
    • Fix for referrals in searchRefResult
    • Disabled schema reading on Active Directory
  • 0.6.1 - 2013.09.22
    • Experimental support for Python 2 - no unicode
    • Added backport of ssl.match_name for Python 2
    • Minor fixes for using the client in Python 2
    • Fix for getting schema info with AsyncThreaded strategy
  • 0.6.0 - 2013.09.16
    • Moved to beta!
    • Added support site hosted on www.assembla.com
    • Added public svn repository on www.assembla.com
    • Added getInfo to server object, parameter can be: GET_NO_INFO, GET_DSA_INFO, GET_SCHEMA_INFO, GET_ALL_INFO
    • Added method to read the schema from the server. Schema is decoded and returned in different dictionaries of the server.schema object
    • Updated connection usage info (elapsed time is now computed when connection is closed)
    • Updated OID dictionary with extensions and controls from Active Directory specifications.
  • 0.5.3 - 2013.09.03
    • Added getOperationalAttributes boolean to Search operation to fetch the operational attributes during search
    • Added increment operation to modify operation as per RFC4525
    • Added dictionary of OID descriptions (for DSE and schema decoding)
    • Added method to get Info from DSE (returned in server.info object)
    • Modified exceptions for sending controls in LDAP request
    • Added connection usage (in connection.usage if collectUsage=True in connection definition)
    • Fixed StartTls in asynchronous client strategy
  • 0.5.2 - 2013.08.27
    • Added SASLprep profile for validating password
    • Fixed RFC4511 asn1 definitions
  • 0.5.1 - 2013.08.17
    • Refactored package structure
    • Project description reformatted with reStructuredText
    • Added Windows graphical installation
  • 0.5.0 - 2013.08.15
    • Added reference to LGPL v3 license
    • Added Tls object to hold ssl/tls configuration
    • Added StartTLS feature
    • Added SASL feature
    • Added SASL EXTERNAL mechanism
    • Fixed Unbind
    • connection.close is now an alias for connection.unbind
  • 0.4.4 - 2013.08.01
    • Added 'Controls' to all LDAP Requests
    • Added Extended Request feature
    • Added Intermediate Response feature
    • Added namespace 'ldap3'
  • 0.4.3 - 2013.07.31
    • Test suite refactored
    • Fixed single object search response error
    • Changed attributes returned in search from tuple to dict
    • Added 'raw_attributes' key in search response to hold undecoded (binary) attribute values read from ldap
    • Added repr for Server and Connection objects to re-create the object instance
  • 0.4.2 - 2013.07.29
    • Added autoReferral feature as per RFC4511 (4.1.10)
    • Added allowedReferralHosts to conform to Security considerations of RFC4516
  • 0.4.1 - 2013.07.20
    • Add validation to Abandon operation
    • Added connection.request to hold a dictionary of infos about last request
    • Added info about outstanding operation in connection.strategy._oustanding
    • Implemented RFC4515 for search filter coding and decoding
    • Added a parser to build filter string from LdapMessage
  • 0.4.0 - 2013.07.15
    • Refactoring of the connection and strategy classes
    • Added the ldap3.strategy namespace to contain client connection strategies
    • Added ssl authentication
    • Moved authentication parameters from Server object to Connection object
    • Added ssl parameters to Server Object
  • 0.3.0 - 2013.07.14
    • Fixed AsyncThreaded strategy with _outstanding and _responses attributes to hold the pending requests and the not-yet-read responses
    • Added Extended Operation
    • Added "Unsolicited Notification" discover logic
    • Added managing of "Notice of Disconnection" from server to properly close connection
  • 0.2.0 - 2013.07.13
    • Update setup with setuptools 0.7
    • Docstrings added to class
    • Removed ez_setup dependency
    • Removed distribute dependency
  • 0.1.0 - 2013.07.12
    • Initial upload on pypi
    • PyASN1 RFC4511 module completed and tested
    • Synchronous client working properly
    • Asynchronous client working but not fully tested
    • Basic authentication working

Safety is flagging the Python `commonmark` package for a JS vulnerability

  • safety version: 1.8.5, 1.8.7
  • Python version: 3.7, 3.8
  • Operating System: Linux, OSX

Description

Pyup Safety (https://pyup.io/safety/) is flagging the following security vulnerabilities in the Python commonmark package (which blocks builds for those like us who use Safety as a build gate). However, it's not clear that this is actually a problem with the Python commonmark package rather than the Javascript package by the same name. The version numbers mentioned for the vulnerabilities (e.g., 0.29.0) don't correspond to the Python package's versions, and cached-path-relative isn't a Python package at all.

safety report
checked  packages, using pyup.io's DB
---
-> commonmark, installed 0.9.1, affected <0.29.0, id 37115
Commonmark 0.29.0 requires cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
--
-> commonmark, installed 0.9.1, affected <0.25.1, id 34313
Commonmark 0.25.1 fixes a dingus vulnerability.  Use an iframe and innerHTML to prevent `<script>` tags from executing. Dingus:  let preview show when query has `text=`.  Previously, these URLs opened the HTML pane first, but now that we have XSS protection (the iframe), it should be okay to open the preview pane first. * Dingus: don't print sourcepos attributes in HTML/AST view.
--

What I Did

safety check  (with the usual requirements files enumerated)

Whitelist pyOpenSSL 0.13.1 for IDs 36533/36534.

  • safety version: 1.8.4
  • Python version: 2.7.15
  • Operating System: Solaris 10u11, HP-UX 11.31.

Description

pyOpenSSL vulnerabilities with IDs 36533/36534, corresponding to CVE-2018-1000807 and CVE-2018-1000807, fixed upstream in pyca/pyopenssl#723 do not seem to be applicable to pyOpenSSL version 0.13.1.

Although quite old, pyOpenSSL version 0.13.1 doesn't require the cffi-based OpenSSL bindings provided by the cryptography module, so it's still relevant on platforms such as Solaris 10 or HP-UX, which are not supported by cryptography.

What I Did

For example, on a SPARC machine running Solaris 10u11, we have the following packages installed:

Package      Version Latest Type 
------------ ------- ------ -----
pip          9.0.3   18.1   wheel
pycparser    2.14    2.19   sdist
pycryptodome 3.6.6   3.7.0  sdist
pyOpenSSL    0.13.1  18.0.0 wheel
setuptools   39.0.1  40.6.2 wheel
wheel        0.26.0  0.32.2 wheel

But lately safety will complain for pyOpenSSL:

safety report
checked 22 packages, using default DB
---
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36533
Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
--
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36534
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.
--

Please check for these vulnerabilities only for older pyOpenSSL versions. Not sure where they were introduced, but 0.13.1 doesn't seem to be affected.

Thank you!

Version specification

Hello,

I'm having difficulties with version strings parsing. Let's have this example from insecure_full.json

"django": [
        {
            "cve": "CVE-2016-9014",
            "v": "<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
        }
]

The version string wants to probably match versions <1.8.16 or >=1.9 and <1.9.11 or >=1.10 and <1.10.3. The problem is that it uses comma for both and / or.

When looking at PEP 440 specification it says that comma is equivalent to logical and so that string should be parsed as <1.8.16 and >=1.9 and <1.9.11 and >=1.10 and <1.10.3, which matches no version.

For example npm semver uses space for logical and and || for logical or, but PEP 440 doesn't specify (if I see correctly) any operator for logical or so I'm thinking how to make this work.

The only way I can think of at the moment is using a list like:

"v": ["<1.8.16", ">=1.9,<1.9.11", ">=1.10,<1.10.3"]

What do you think?
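To make the ambiguity concrete, here is an added example (not code from the issue, safety or safety-db) that implements a minimal matcher for dotted numeric versions with PEP 440 comma-as-AND semantics. It shows that the flat "v" string from the issue matches no version at all, that the proposed list form matches exactly the intended ranges, and, as an edge case worth validating DB entries against, that an empty specifier matches every version. The `FLAT_SPEC`, `LIST_SPEC` and sample versions are constructed from the django example above.

```python
"""Minimal matcher for safety-db style version specifiers (added example).

Only dotted numeric versions (no pre-release or local segments) and the
operators <, <=, >, >=, ==, != are supported; enough to show the semantics.
"""
import re

_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """Turn '1.10.3' into (1, 10, 3); trailing zeros are dropped so 1.9 == 1.9.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version, clause):
    """True if `version` satisfies one clause such as '>=1.9'."""
    m = _CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError("unsupported clause: %r" % clause)
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    return {
        "<": v < bound, "<=": v <= bound,
        ">": v > bound, ">=": v >= bound,
        "==": v == bound, "!=": v != bound,
    }[op]


def matches_spec(version, spec):
    """PEP 440 semantics: every comma-separated clause must hold (logical AND).

    Edge case: an empty spec has no clauses, so `all()` is vacuously true and
    the spec matches EVERY version. A DB entry whose affected field is empty
    therefore flags any installed version; check for this before publishing.
    """
    clauses = [c for c in spec.split(",") if c.strip()]
    return all(satisfies(version, c) for c in clauses)


def matches_any(version, specs):
    """List form proposed in the issue: affected if the version falls in ANY
    range (logical OR across list items, logical AND within each item)."""
    return any(matches_spec(version, s) for s in specs)


# Constructed from the django entry quoted in the issue.
FLAT_SPEC = "<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
LIST_SPEC = ["<1.8.16", ">=1.9,<1.9.11", ">=1.10,<1.10.3"]


def compare_forms(versions):
    """Return {version: (flat_result, list_result)} for the given versions."""
    return {v: (matches_spec(v, FLAT_SPEC), matches_any(v, LIST_SPEC))
            for v in versions}


if __name__ == "__main__":
    sample = ["1.8.0", "1.8.16", "1.9.5", "1.9.11", "1.10.1", "1.10.3"]
    for v, (flat, lst) in compare_forms(sample).items():
        print("%-8s flat=%-5s list=%s" % (v, flat, lst))
```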

Pipenv check failure: Connection to pyup.io timed out

Description

Starting from 4/6/2020 morning, the pipenv check is failing because connection to safety db timed out. Please see steps below to reproduce issue.

Details

  1. Create a new folder (e.g., sample)
  2. Change to the new folder.
  3. Run pipenv shell and pipenv check. The following error will be raised, saying that the connection to pyup.io timed out.
pipenv check
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
An error occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 141, in _new_conn
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/connection.py", line 83, in create_connection
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/connection.py", line 73, in create_connection
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 601, in urlopen
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 346, in _make_request
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 850, in _validate_conn
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 284, in connect
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 146, in _new_conn
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/adapters.py", line 440, in send
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 639, in urlopen
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/retry.py", line 388, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /api/v1/safety/insecure.json (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/__main__.py", line 12, in <module>
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 722, in __call__
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 697, in main
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 1066, in invoke
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 895, in invoke
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 535, in invoke
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/cli.py", line 63, in check
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 126, in check
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 108, in fetch_database
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 79, in fetch_database_url
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/api.py", line 72, in get
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/api.py", line 58, in request
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/sessions.py", line 508, in request
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/sessions.py", line 618, in send
  File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/adapters.py", line 496, in send
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /api/v1/safety/insecure.json (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)'))

Monthly updates

The Safety DB free version claims to be updated monthly. The last update was 2019-11-01, almost three months ago.

From the README:

The data is made available by pyup.io and synced with this repository once per month.

I fully understand this is an open source project but could you please either go to a monthly cadence or set the expectations with an accurate description?

Invalid python-gnupg version reported in pipenv security check

Issue description

Starting from today (3/17), the pipenv check is reporting following vulnerability based on security check info in the db. But the reported python-gnupg version is invalid and also both pip lib & gpg executable are up-to-date.

Could someone please check the DB being used by pipenv for this python-gnupg lib? It was working fine as of yesterday and there was no change in our app code or pipenv setup. Please see more pipenv details in the original issue reported in pipenv repo here (pypa/pipenv#4156).

# install latest python-gnupg package (version 0.4.5)
# https://pypi.org/project/python-gnupg/
$ pipenv install python-gnupg

# pipenv check was working fine as of 3/16/2020 and started reporting the following error on 3/17/2020
$ pipenv check
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
37367: python-gnupg <2.2.12 resolved (0.4.5 installed)!
Python-gnupg 2.2.12 - [dirmngr] Avoid possible CSRF attacks via http redirects.  A HTTP query will not anymore follow a 3xx redirect unless the Location header gives the same host.  If the host is different only the host and port is taken from the Location header and the original path and query parts are kept.

The required 2.2.12 version is invalid for the python package and looks like reference to actual gpg executable version, which is already satisfied on the machine.

$ gpg --version
gpg (GnuPG) 2.2.19

Add a setup.py

As a user, I might want to have that database locally, is it possible to add a setup.py for that?

Safety DB appears to be flagging Django 3.0.4 incorrectly

Safety is failing on Django 3.0.4 after detecting 3.0.4 for an issue supposedly resolved in 3.0.4, per Safety's own output.

╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ django                     │ 3.0.4     │                          │ 38010    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows   │
│ SQL Injection if untrusted data is used as a tolerance parameter in GIS      │
│ functions and aggregates on Oracle. By passing a suitably crafted tolerance  │
│ to GIS functions and aggregates on Oracle, it was possible to break escaping │
│ and inject malicious SQL. See: CVE-2020-9402.                                │
╘══════════════════════════════════════════════════════════════════════════════╛

Wrong package - Monero

  • safety, version 1.8.5
  • Python 3.7.5
  • operating system: Ubuntu 18.04

Description

Starting today, safety check suddenly reports

╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ monero                     │ 0.7.1     │ <0.10.0                  │ 37447    │
│ monero                     │ 0.7.1     │ <0.12.0.0                │ 37446    │
│ monero                     │ 0.7.1     │ <0.9.1                   │ 37448    │
╘══════════════════════════════════════════════════════════════════════════════╛

however, it mistakes this package for something else -- the package I use has no newer version than 0.7.1.

Reporting wrong package

Hi, I'm not sure if this is the correct place to report this. Pyup is reporting we have a vulnerable package (commonmark) https://pyup.io/repos/github/readthedocs/readthedocs.org/commits/?page=1#e23183aa128e563b367d84f8010b4f67d6b0835e

But we are using the latest version of commonmark. I dug a little and it turns out the bot is reporting the version from the npm package, not from the one in pypi

https://github.com/commonmark/commonmark.js/blob/98c25ab583dd6dcc4d350c7779a0fe0f09e0a221/changelog.txt#L216-L217

TensorFlow 1.15.2 is incorrectly marked as insecure

We use TensorFlow 1.15.2, and get the following report:

$ safety check -r requirements.master.txt  --full-report
╒══════════════════════════════════════════════════════════════════════════════╕
...
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ tensorflow                 │ 1.15.2    │ <2.0                     │ 37524    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Tensorflow 2.0 fixes a potential security vulnerability where decoding       │
│ variant tensors from proto could result in heap out of bounds memory access. │
╘══════════════════════════════════════════════════════════════════════════════╛

However, the fix has been backported to TensorFlow 1.15.0+: tensorflow/tensorflow#37701. Can you please update the affected versions to <1.15.0?

Thanks!

django==2.2.11 wrongly reported as affected by CVE-2020-9402

Output:

╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              \______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 305 packages, using pyup.io's DB                                     │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ django                     │ 2.2.11    │                          │ 38010    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows   │
│ SQL Injection if untrusted data is used as a tolerance parameter in GIS      │
│ functions and aggregates on Oracle. By passing a suitably crafted tolerance  │
│ to GIS functions and aggregates on Oracle, it was possible to break escaping │
│ and inject malicious SQL. See: CVE-2020-9402.                                │
╘══════════════════════════════════════════════════════════════════════════════╛

Why it's wrong: https://nvd.nist.gov/vuln/detail/CVE-2020-9402
