pyupio / safety-db
A curated database of insecure Python packages
Home Page: https://pyup.io
License: Other
Thanks for posting this tool, looks very promising!
I just tried this on Windows and I got an error:
safety\formatter.py", line 27, in get_terminal_size
rows, columns = subprocess.check_output(['stty', 'size']).split()
WindowsError: [Error 2] Le fichier spécifié est introuvable
I guess the stty command is not available on Windows. There is an API to get this information. Would you be willing to accept a patch to fix this?
Thanks!
I have a use case where using your PyPI package would be oodles better than downloading insecure.json from GitHub. In your documentation, the expected installation method is through pip install, but:
Updating the PyPI package would fix those two issues.
Should you so choose, you can then automate the PyPI package update on a monthly basis for one of your Travis runs.
nucular!
The package on PyPI published for this repository doesn't seem to actually work.
(aaa) ~/tmp/aaa:$ pip install --no-cache-dir safety-db
Collecting safety-db
Downloading https://files.pythonhosted.org/packages/99/f4/2ceadae6059942cbae3d66a789f70dbf871cc9230eacc79ab00d4902bb88/safety_db-2017.4.19-py2.py3-none-any.whl
Installing collected packages: safety-db
Successfully installed safety-db-2017.4.19
(aaa) ~/tmp/aaa:$ python
Python 2.7.14 (default, Feb 6 2018, 20:04:00)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import safety_db
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/Users/jasonsimeone/tmp/aaa/lib/python2.7/site-packages/safety_db.py", line 13, in <module>
with open("data/insecure.json") as __f:
IOError: [Errno 2] No such file or directory: 'data/insecure.json'
>>>
(aaa) ~/tmp/aaa:$ find . -name insecure.json
Looking in the wheel, the data files aren't there:
$ unzip -l safety_db-2017.4.19-py2.py3-none-any.whl
Archive: safety_db-2017.4.19-py2.py3-none-any.whl
Length Date Time Name
--------- ---------- ----- ----
576 04-19-2017 10:11 safety_db.py
2324 04-19-2017 10:32 safety_db-2017.4.19.dist-info/DESCRIPTION.rst
19341 04-19-2017 10:32 safety_db-2017.4.19.dist-info/LICENSE.txt
905 04-19-2017 10:32 safety_db-2017.4.19.dist-info/metadata.json
10 04-19-2017 10:32 safety_db-2017.4.19.dist-info/top_level.txt
110 04-19-2017 10:32 safety_db-2017.4.19.dist-info/WHEEL
3017 04-19-2017 10:32 safety_db-2017.4.19.dist-info/METADATA
699 04-19-2017 10:32 safety_db-2017.4.19.dist-info/RECORD
--------- -------
26982 8 files
Hi –
Y'all have a record of a vuln in the python-nomad library:
safety-db/data/insecure_full.json
Lines 11472 to 11482 in cada380
Problem is, there is no 2.20.0 version of python-nomad; the most recent release is 1.2.1.
It looks like y'all might have picked up the changelog of the 1.0.1 release, which was updating the requests
library to 2.20.0 (!) for the exact issue described in your advisory, and somehow transposed that onto python-nomad?
I am just trying this out, and not sure if I am missing anything. But seems like the steps do not work for a new python environment at least. I am not sure if the issue is with packaging the data directory in the package or not yet, but seems that way.
python3 -m venv .env
source .env/bin/activate
pip install safety-db
python -c "import safety_db"
Traceback (most recent call last):
File "", line 1, in
File "/home/vagrant/virtualenvs/api/lib/python3.6/site-packages/safety_db.py", line 13, in
with open("data/insecure.json") as __f:
IOError: [Errno 2] No such file or directory: 'data/insecure.json'
Edit: The traceback output was using a different environment and has been fixed, but the issue persists either way.
Looking through the list on https://pyupio.github.io/safety-db/ it seems to be in alphabetical order but stops at ftw.mail. The raw json data has a lot more packages in it.
Here is the vulnerability in safety-db/data/insecure_full.json:
"anncolvar": [
{
"advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.",
"cve": null,
"id": "pyup.io-36803",
"specs": [
"<0.4"
],
"v": "<0.4"
}
],
"annotator": [
{
"advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
"cve": null,
"id": "pyup.io-25615",
"specs": [
"<0.11.2"
],
"v": "<0.11.2"
}
],
Here is my requirements.txt:
anncolvar==-0.3
annotator==0.10.1
Here are the results of running safety check -r requirements.txt --json
[
[
"annotator",
"<0.11.2",
"0.10.1",
"annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.",
"25615"
]
]
Note that annotator is mentioned but anncolvar is not.
As reported at #2278 it looks like the spec for that CVE is not properly set and should be <2.20.0 instead.
I assume whilst trying to mitigate some of the issues of the unique version numbering used by html5lib they have started giving each version two version numbers for each release.
https://pypi.python.org/pypi/html5lib
0.9999999 (seven 9s) is the same software as 1.0b8.
% echo "html5lib==0.9999999" | safety check --stdin
stty: stdin isn't a terminal
safety report
---
-> html5lib, installed 0.9999999, affected <0.99999999, id 25846
We should see the same vulnerability for 1.0b8
% echo "html5lib==1.0b8" | safety check --stdin
stty: stdin isn't a terminal
safety report
---
No known security vulnerabilities found.
I couldn't find the December update of this repository, while README says it updates monthly. Do you have a plan to execute the December update? I've found that after the August update, there's no meaningful update for JSON files. Does this mean there's no security vuln since September?
Also, according to the LinkedIn profile, Jwomers, who was the CEO of pyup, has left the company.
Is safety-db active project?
Hello,
We recently started seeing:
Checking installed package safety…
27519: urllib3 >=1.25.2,<=1.25.7 resolved (1.25.6 installed)!
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
ID=27519
But that is not in https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json
It was difficult therefore to find the true CVE, but some searching around eventually landed me to:
https://cve.circl.lu/cve/CVE-2020-7212
What would safety recommend in these situations?
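The CVE-2020-7212 text quoted above spells out the algorithmic problem precisely enough to re-create it. The following is an added example, not urllib3's code and not anything from safety-db: it implements the three variants the description implies (the loop over non-deduplicated matches, the deduplicated loop the advisory text suggests, and a single-pass substitution) on a constructed URL component, and counts characters scanned instead of timing anything so the comparison is deterministic. PERCENT_RE and the function names are this example's own.

```python
import re

# Matches one percent-encoded byte such as "%2f" (example's own pattern, not urllib3's).
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_quadratic(component):
    """Pattern described in the advisory: every match in percent_encodings triggers
    a whole-string replace, even after an earlier iteration already upper-cased that
    same encoding. N matches times an O(N) replace gives O(N^2)."""
    percent_encodings = PERCENT_RE.findall(component)  # up to O(N) entries, duplicates kept
    scanned = 0
    for enc in percent_encodings:
        if not enc.isupper():
            scanned += len(component)  # str.replace walks the whole string each time
            component = component.replace(enc, enc.upper())
    return component, scanned


def normalize_deduplicated(component):
    """Mitigation the advisory text suggests: deduplicate first, so the replace loop
    runs at most k times, k being the number of distinct lowercase encodings."""
    scanned = 0
    for enc in set(PERCENT_RE.findall(component)):
        if not enc.isupper():
            scanned += len(component)
            component = component.replace(enc, enc.upper())
    return component, scanned


def normalize_single_pass(component):
    """One regex substitution visits each match exactly once: O(N) overall."""
    return PERCENT_RE.sub(lambda m: m.group(0).upper(), component), len(component)


def compare(n=500):
    """Constructed input: n copies of a single lowercase encoding in one path component.
    Returns the scan cost of each variant; all three produce the same normalized output."""
    url = "/path" + "%2f" * n
    out_q, cost_q = normalize_quadratic(url)
    out_d, cost_d = normalize_deduplicated(url)
    out_s, cost_s = normalize_single_pass(url)
    assert out_q == out_d == out_s
    return cost_q, cost_d, cost_s


if __name__ == "__main__":
    quadratic, dedup, single = compare(500)
    print("quadratic:", quadratic, "dedup:", dedup, "single pass:", single)
```

The ratio between the first and second number is the input length in matches, which is what the "O(N^2) versus O(kN)" sentence in the advisory means in practice: a few kilobytes of `%2f` in a request path is enough to make the quadratic loop visibly slower, and the fix is a change in the normalization loop, not anything a caller can configure.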
As reported on #2275 this should be reviewed.
Loader keeps spinning, in the chrome inspector I can see that it tries to load the JSON but fails to do so because:
<Error>
<Code>
NoSuchBucket
</Code>
<Message>
The specified bucket does not exist
</Message>
<BucketName>
safety-db-mirror-2
</BucketName>
<RequestId>
3C009E7734F8C4F1
</RequestId>
<HostId>
21xPzzACLs4JZm+I7wEG+tSso/t3h5ygnuhJQjoTMSXGEzxZvDH+f/7UdDny8ZDJI3tGKTgITjU=
</HostId>
</Error>
Are submissions to this database from the public allowed to be made, and if so, is this GH issues page the place to do it?
I noticed an important security bulletin was released by New Relic for their Python agent only a couple of weeks ago and I'd like to make that available in your vuln database.
Could you please include in safety-db the following malicious packages, crafted for typosquatting:
acqusition
apidev-coop
bzip
crypt
django-server
pwd
setup-tools
telnet
urlib3
urllib
Thanks for reporting @int-ua
For example Pillow==2.4.0 is not affected by CVE-2016-3076 but it's still shown as vulnerable.
What I Did
$ safety check --full-report
pillow │ 2.4.0 │ <3.1.2 │ 25943
pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.
I run safety via pipenv check:
36351: cryptography >=1.9.0 resolved (2.3 installed)!
python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
As you can see I got version cryptography 2.3 installed, but the check still fails.
Hello,
We had previously used the ID of 33151
which was included in 4736e94, and appears to have been removed in e604513, but in 1b083bd has been changed to ID 35015.
This is for CVE-2013-7459.
We will update our use of the ID, but are curious to know how to expect the IDs to be stable over time, or if this was an unintentional change?
https://github.com/pyupio/safety-db/blob/master/data/insecure.json#L1010 has <2.6.1, but http://www.cvedetails.com/cve/CVE-2013-7459/ was issued for 2.6.1.
Pyup Safety (https://pyup.io/safety/) is flagging the following security vulnerabilities in the Python commonmark package (which blocks builds for those like us who use Safety as a build gate). However it's not clear that this is actually a problem with the Python commonmark package rather than the JavaScript package by the same name. The version numbers mentioned for the vulnerabilities (e.g., 0.29.0) don't correspond to the Python package's versions, and cached-path-relative isn't a Python package at all.
safety report
checked packages, using pyup.io's DB
---
-> commonmark, installed 0.9.1, affected <0.29.0, id 37115
Commonmark 0.29.0 requires cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
--
-> commonmark, installed 0.9.1, affected <0.25.1, id 34313
Commonmark 0.25.1 fixes a dingus vulnerability. Use an iframe and innerHTML to prevent `<script>` tags from executing. Dingus: let preview show when query has `text=`. Previously, these URLs opened the HTML pane first, but now that we have XSS protection (the iframe), it should be okay to open the preview pane first. * Dingus: don't print sourcepos attributes in HTML/AST view.
--
safety check (with the usual requirements files enumerated)
Hi, looks like pyjwt was patched in July, but safety-db is still only checking for <1.0.0.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11424
TLDR: There are versions of https://pypi.org/project/waitress/ which are vulnerable to CVE-2019-16785, CVE-2019-16786, CVE-2019-16787 and Safety does not detect them
pyOpenSSL vulnerabilities with IDs 36533/36534, corresponding to CVE-2018-1000807 and CVE-2018-1000807, fixed upstream in pyca/pyopenssl#723 do not seem to be applicable to pyOpenSSL version 0.13.1.
Although quite old, pyOpenSSL version 0.13.1 doesn't require the cffi-based OpenSSL bindings provided by the cryptography module, so it's still relevant on platforms such as Solaris 10 or HP-UX, which are not supported by cryptography.
For example, on a SPARC machine running Solaris 10u11, we have the following packages installed:
Package Version Latest Type
------------ ------- ------ -----
pip 9.0.3 18.1 wheel
pycparser 2.14 2.19 sdist
pycryptodome 3.6.6 3.7.0 sdist
pyOpenSSL 0.13.1 18.0.0 wheel
setuptools 39.0.1 40.6.2 wheel
wheel 0.26.0 0.32.2 wheel
But lately safety will complain for pyOpenSSL:
safety report
checked 22 packages, using default DB
---
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36533
Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
--
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36534
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.
--
Please check for these vulnerabilities only for older pyOpenSSL versions. Not sure where they were introduced, but 0.13.1 doesn't seem to be affected.
Thank you!
Hello,
I'm having difficulties with version strings parsing. Let's have this example from insecure_full.json
"django": [
{
"cve": "CVE-2016-9014",
"v": "<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"
}
]
The version string probably wants to match versions <1.8.16 or >=1.9 and <1.9.11 or >=1.10 and <1.10.3. The problem is that it uses comma for both and / or.
When looking at the PEP 440 specification it says that comma is equivalent to logical and, so that string should be parsed as <1.8.16 and >=1.9 and <1.9.11 and >=1.10 and <1.10.3, which matches no version.
For example npm semver uses space for logical and and || for logical or, but PEP 440 doesn't specify (if I see correctly) any operator for logical or, so I'm thinking how to make this work.
The only way I can think of at the moment is using a list like:
"v": ["<1.8.16", ">=1.9,<1.9.11", ">=1.10,<1.10.3"]
What do you think?
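A small evaluator for the two readings of that string, as an added example that is not safety's or safety-db's code. It assumes the "specs" list shown in the anncolvar/annotator excerpt earlier on this page is an OR over PEP 440 AND-sets (comma = and), handles only plain release versions (pre-release labels such as 1.0b8 are out of scope), and its split_v_string helper implements the grouping the report above proposes, namely that a new group begins at every lower bound; all function names are this example's own.

```python
import re

# Simplified PEP 440 handling for illustration: only release segments like "1.9.11".
_CLAUSE_RE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

_OPS = {
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def parse_version(text):
    """'1.8.0' -> (1, 8); trailing zeros are dropped so 1.8 == 1.8.0 as in PEP 440."""
    parts = [int(p) for p in text.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _parse_clause(clause):
    match = _CLAUSE_RE.match(clause)
    if match is None:
        raise ValueError("unsupported specifier clause: %r" % clause)
    return match.group(1), parse_version(match.group(2))


def matches_specifier_set(spec, version):
    """PEP 440 reading of one specifier set: every comma-separated clause must hold.

    An empty set matches every version, which is why an empty string entry in the
    database marks every release of that package as vulnerable.
    """
    if not spec.strip():
        return True
    return all(_OPS[op](version, bound) for op, bound in map(_parse_clause, spec.split(",")))


def is_affected(specs, version):
    """The 'specs' list is an OR over independent specifier sets."""
    return any(matches_specifier_set(spec, version) for spec in specs)


def split_v_string(v):
    """Recover the OR groups from a comma-joined 'v' string using the reading in the
    report above: a new group starts at every lower bound (>= or >) after the first clause."""
    groups, current = [], []
    for clause in v.split(","):
        if current and clause.lstrip().startswith(">"):
            groups.append(",".join(current))
            current = []
        current.append(clause)
    groups.append(",".join(current))
    return groups


DJANGO_V = "<1.8.16,>=1.9,<1.9.11,>=1.10,<1.10.3"  # the CVE-2016-9014 entry quoted above


def demo():
    """Django 1.9.5 is inside the second range, so it should be reported as affected."""
    installed = parse_version("1.9.5")
    literal_and = matches_specifier_set(DJANGO_V, installed)  # False: no version satisfies all clauses
    grouped = split_v_string(DJANGO_V)                        # three independent ranges
    return literal_and, grouped, is_affected(grouped, installed)


if __name__ == "__main__":
    print(demo())
```

Reading "v" literally yields a specifier set that no version satisfies, so a checker built on it would silently miss the advisory; evaluating the grouped list reports 1.8.0, 1.9.0 and 1.10.2 and clears 1.8.16, 1.9.11 and 1.10.3, which is what the advisory intends.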
TLDR: Safety does not detect https://nvd.nist.gov/vuln/detail/CVE-2019-9740
Starting from 4/6/2020 morning, the pipenv check is failing because the connection to the safety db timed out. Please see the steps below to reproduce the issue.
sample) pipenv shell and pipenv check. The following error will be raised and it says the connection to pyup.io timed out.
pipenv check
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
An error occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 141, in _new_conn
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/connection.py", line 83, in create_connection
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/connection.py", line 73, in create_connection
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 601, in urlopen
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 346, in _make_request
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 850, in _validate_conn
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 284, in connect
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connection.py", line 146, in _new_conn
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)')
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/adapters.py", line 440, in send
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/connectionpool.py", line 639, in urlopen
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/urllib3/util/retry.py", line 388, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /api/v1/safety/insecure.json (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/__main__.py", line 12, in <module>
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 722, in __call__
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 697, in main
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 1066, in invoke
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 895, in invoke
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/click/core.py", line 535, in invoke
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/cli.py", line 63, in check
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 126, in check
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 108, in fetch_database
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/safety/safety.py", line 79, in fetch_database_url
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/api.py", line 72, in get
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/api.py", line 58, in request
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/sessions.py", line 508, in request
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/sessions.py", line 618, in send
File "/usr/local/lib/python3.7/site-packages/pipenv/patched/safety.zip/requests/adapters.py", line 496, in send
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /api/v1/safety/insecure.json (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x108044ad0>, 'Connection to pyup.io timed out. (connect timeout=5)'))
The Safety DB free version claims to be updated monthly. The last update was 2019-11-01, almost three months ago.
From the README:
The data is made available by pyup.io and synced with this repository once per month.
I fully understand this is an open source project but could you please either go to a monthly cadence or set the expectations with an accurate description?
Starting from today (3/17), the pipenv check is reporting the following vulnerability based on security check info in the db. But the reported python-gnupg version is invalid and also both the pip lib & gpg executable are up-to-date.
Could someone please check the DB being used by pipenv for this python-gnupg lib? It was working fine as of yesterday and there was no change in our app code or pipenv setup. Please see more pipenv details in the original issue reported in the pipenv repo here (pypa/pipenv#4156).
# install latest python-gnupg package (version 0.4.5)
# https://pypi.org/project/python-gnupg/
$ pipenv install python-gnupg
# pipenv check was working fine as of 3/16/2020 and started reporting the following error on 3/17/2020
$ pipenv check
Checking PEP 508 requirements…
Passed!
Checking installed package safety…
37367: python-gnupg <2.2.12 resolved (0.4.5 installed)!
Python-gnupg 2.2.12 - [dirmngr] Avoid possible CSRF attacks via http redirects. A HTTP query will not anymore follow a 3xx redirect unless the Location header gives the same host. If the host is different only the host and port is taken from the Location header and the original path and query parts are kept.
The required 2.2.12 version is invalid for the python package and looks like a reference to the actual gpg executable version, which is already satisfied on the machine.
$ gpg --version
gpg (GnuPG) 2.2.19
There is no more recent version, so my project it appears is just permanently marked as "insecure" with no explanation.
As a user, I might want to have that database locally, is it possible to add a setup.py for that?
It looks like in the latest update PyCrypto 2.6.1 is not marked vulnerable:
"pycrypto": [
"<2.6",
"<2.6.1"
See discussion in #2252, CVE-2013-7459 applies to 2.6.1.
https://pyup.io/api/v1/safety/insecure_full.json is returning:
"pip": [
"<1.4",
"<6.0",
"<6.1.0",
"<1.3",
"<1.3",
"",
"<1.5"
],
The empty string value causes pip to always be reported as vulnerable
Hi,
For some reason pyup has skipped a new release I made for the package ccnmtlsettings: https://pypi.org/project/ccnmtlsettings/1.6.0/
Consider the section below. Is this the same as just saying "<2.3.1" since that essentially pre-empts all the other ones?
ansible: [ "<1.2.3", "<1.5.4", "<1.5.5", "<1.6.4", "<1.6.6", "<1.6.7", "<1.7", "<1.7.1", "<1.8.3", "<1.9.2", "<1.9.6", "<2.0.2", "<2.2.1", "<2.3.1" ],
Please update insecure_full.json.
Hi!
Not sure what's the best way to add vulnerabilities to safety-db, so I'm opening this issue to report those two CVEs in SQLAlchemy:
Let me know what's the best way to help!
Safety is failing on Django 3.0.4 after detecting 3.0.4 for an issue supposedly resolved in 3.0.4, per Safety's own output.
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package │ installed │ affected │ ID │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ django │ 3.0.4 │ │ 38010 │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows │
│ SQL Injection if untrusted data is used as a tolerance parameter in GIS │
│ functions and aggregates on Oracle. By passing a suitably crafted tolerance │
│ to GIS functions and aggregates on Oracle, it was possible to break escaping │
│ and inject malicious SQL. See: CVE-2020-9402. │
╘══════════════════════════════════════════════════════════════════════════════╛
Starting today, safety check suddenly reports
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package │ installed │ affected │ ID │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ monero │ 0.7.1 │ <0.10.0 │ 37447 │
│ monero │ 0.7.1 │ <0.12.0.0 │ 37446 │
│ monero │ 0.7.1 │ <0.9.1 │ 37448 │
╘══════════════════════════════════════════════════════════════════════════════╛
however, it mistakes this package with something else -- the package I use has no newer version than 0.7.1.
The June updates didn't make any changes to the underlying database files, which doesn't seem correct. Could someone please verify the update process is functioning as intended?
insecure.json = https://github.com/pyupio/safety-db/commits/master/data/insecure.json
insecure_full.json = https://github.com/pyupio/safety-db/commits/master/data/insecure_full.json
Hi, I'm not sure if this is the correct place to report this. Pyup is reporting we have a vulnerable package (commonmark) https://pyup.io/repos/github/readthedocs/readthedocs.org/commits/?page=1#e23183aa128e563b367d84f8010b4f67d6b0835e
But we are using the latest version of commonmark. I dug a little and it turns out the bot is reporting the version from the npm package, not from the one on PyPI.
Two patch releases were published:
https://www.djangoproject.com/weblog/2018/feb/01/security-releases/
The default insecurity of yaml.load has been assigned CVE-2017-18342. This is resolved in PyYAML >= 4
html5lib has done something whacky with their changelogs, but it's causing havoc with safety because it thinks the version number is all one version and said version doesn't exist.
https://pyup.io/changelogs/html5lib/
https://github.com/html5lib/html5lib-python/blob/master/CHANGES.rst
We use TensorFlow 1.15.2, and get the following report:
$ safety check -r requirements.master.txt --full-report
╒══════════════════════════════════════════════════════════════════════════════╕
...
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package │ installed │ affected │ ID │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ tensorflow │ 1.15.2 │ <2.0 │ 37524 │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Tensorflow 2.0 fixes a potential security vulnerability where decoding │
│ variant tensors from proto could result in heap out of bounds memory access. │
╘══════════════════════════════════════════════════════════════════════════════╛
However, the fix has been backported to TensorFlow 1.15.0+: tensorflow/tensorflow#37701. Can you please update the affected versions to <1.15.0?
Thanks!
Output:
╒══════════════════════════════════════════════════════════════════════════════╕
│ │
│ /$$$$$$ /$$ │
│ /$$__ $$ | $$ │
│ /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ │
│ /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ │
│ | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ │
│ \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ │
│ /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ │
│ |_______/ \_______/|__/ \_______/ \___/ \____ $$ │
│ /$$ | $$ │
│ | $$$$$$/ │
│ by pyup.io \______/ │
│ │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT │
│ checked 305 packages, using pyup.io's DB │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package │ installed │ affected │ ID │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ django │ 2.2.11 │ │ 38010 │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows │
│ SQL Injection if untrusted data is used as a tolerance parameter in GIS │
│ functions and aggregates on Oracle. By passing a suitably crafted tolerance │
│ to GIS functions and aggregates on Oracle, it was possible to break escaping │
│ and inject malicious SQL. See: CVE-2020-9402. │
╘══════════════════════════════════════════════════════════════════════════════╛
Why it's wrong: https://nvd.nist.gov/vuln/detail/CVE-2020-9402
based on #2262
Safety DB ID 37765 marks psutil >=5.6.5 as affected by CVE-2019-18874, according to the project fixed in 5.6.6, but the version specifier should be <=5.6.5. This means we're not able to install any of the secure versions, such as the current 5.7.0!
Workaround: safety check --ignore=37765 …
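The empty string in the pip entry reported earlier on this page and the psutil entry above that carries only a lower bound are both data-shape errors a consumer can detect before trusting the database in a build gate, instead of discovering them as blocked builds. The following is an added example, not safety-db's or safety's code: SAMPLE_DB is a constructed excerpt in the insecure.json shape (package name to list of specifier sets) built to reproduce those two reports, and the function names are this example's own.

```python
import json

# Constructed excerpt in the insecure.json shape; the pip and psutil lists mirror the
# two reports on this page, the requests entry is a well-formed placeholder.
SAMPLE_DB = json.loads("""
{
  "pip": ["<1.4", "<6.0", "<6.1.0", "<1.3", "<1.3", "", "<1.5"],
  "psutil": [">=5.6.5"],
  "requests": ["<2.20.0"]
}
""")

# Operators that cap an affected range: "<" also covers "<=", "==" pins one release,
# "~=" (compatible release) implies an upper bound.
UPPER_BOUND_OPS = ("<", "==", "~=")


def has_upper_bound(spec):
    """True if at least one comma-separated clause caps the affected range."""
    return any(clause.strip().startswith(UPPER_BOUND_OPS) for clause in spec.split(","))


def lint_db(db):
    """Return (package, spec, problem) tuples for entries that misfire in a build gate:
    an empty set matches every version, a lower-bound-only set flags every future release,
    and duplicates are harmless for matching but worth surfacing as data-quality noise."""
    findings = []
    for name, specs in sorted(db.items()):
        seen = set()
        for spec in specs:
            if not spec.strip():
                findings.append((name, spec, "empty specifier set: matches every version"))
            elif not has_upper_bound(spec):
                findings.append((name, spec, "no upper bound: every future release stays flagged"))
            if spec in seen:
                findings.append((name, spec, "duplicate specifier set"))
            seen.add(spec)
    return findings


def drop_unsafe_specs(db):
    """Copy of the database with empty and open-ended sets removed, leaving duplicates
    alone since they do not change the match result."""
    drop = {(name, spec) for name, spec, problem in lint_db(db) if not problem.startswith("duplicate")}
    return {name: [s for s in specs if (name, s) not in drop] for name, specs in db.items()}


if __name__ == "__main__":
    for package, spec, problem in lint_db(SAMPLE_DB):
        print("%s %r: %s" % (package, spec, problem))
```

Dropping the malformed sets is narrower than the `--ignore=37765` workaround mentioned above: the ignore flag silences one advisory ID for every version, whereas the filtered copy still reports any other, well-formed entry for the same package.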