Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency langchain to v0.1.0 [security] #1297

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency langchain to v0.1.0 [security] #1297

wants to merge 1 commit into from

Conversation

plural-renovate[bot]
Copy link
Contributor

@plural-renovate plural-renovate bot commented Feb 26, 2024
edited
Loading

This PR contains the following updates:

Package Update Change
langchain minor ==0.0.329 -> ==0.1.0

GitHub Vulnerability Alerts

CVE-2024-0243

With the following crawler configuration:

from bs4 import BeautifulSoup as Soup

url = "https://example.com"
loader = RecursiveUrlLoader(
    url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text 
)
docs = loader.load()

An attacker in control of the contents of https://example.com could place a malicious HTML file in there with links like "https://example.completely.different/my_file.html" and the crawler would proceed to download that file as well even though prevent_outside=True.

https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51

Resolved in https://github.com/langchain-ai/langchain/pull/15559

CVE-2024-28088

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.

CVE-2024-3571

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

Release Notes

langchain-ai/langchain (langchain)

v0.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: langchain-ai/langchain@v0.0.354...v0.1.0

v0.0.354

Compare Source

What's Changed

New Contributors

Full Changelog: langchain-ai/langchain@v0.0.353...v0.0.354

v0.0.353

Compare Source

What's Changed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@plural-renovate plural-renovate bot added the dependencies Pull requests that update a dependency file label Feb 26, 2024
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch 2 times, most recently from db2ebdf to 6d68f02 Compare March 6, 2024 18:09
@plural-renovate plural-renovate bot changed the title chore(deps): update dependency langchain to v0.1.0 [security] chore(deps): update dependency langchain to v0.1.11 [security] Mar 6, 2024
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 6d68f02 to e4c3704 Compare March 7, 2024 17:14
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from e4c3704 to fff8944 Compare March 15, 2024 02:59
@plural-renovate plural-renovate bot changed the title chore(deps): update dependency langchain to v0.1.11 [security] chore(deps): update dependency langchain to v0.1.0 [security] Mar 15, 2024
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch 2 times, most recently from 7e144b8 to 44fd267 Compare May 7, 2024 21:43
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 44fd267 to 7ca2bb4 Compare May 10, 2024 23:05
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from 7ca2bb4 to 8b91e96 Compare June 5, 2024 16:51
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch 4 times, most recently from 215d1c9 to c3c1439 Compare June 24, 2024 22:11
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch 2 times, most recently from cf07268 to b843ed9 Compare July 3, 2024 16:01
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-langchain-vulnerability branch from b843ed9 to f9dd351 Compare July 4, 2024 00:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants