Python Vulnerabilities #557

Open
MikeNikolayev opened this issue Jul 22, 2024 Discussed in #555 · 1 comment

@MikeNikolayev

Discussed in #555

Originally posted by MikeNikolayev July 21, 2024
I installed the latest tag (built 6 months ago) and found a list of vulnerabilities.
All of them are already fixed in the requirements file. Do you mind building a new tag with the fixes?
The list:

  1. Library: idna (METADATA)

    • Vulnerability: CVE-2024-3651
    • Severity: MEDIUM
    • Status: fixed
    • Installed Version: 3.6
    • Fixed Version: 3.7
    • Title: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
    • More info: CVE-2024-3651
  2. Library: requests (METADATA)

    • Vulnerability: CVE-2024-35195
    • Severity: MEDIUM
    • Installed Version: 2.31.0
    • Fixed Version: 2.32.0
    • Title: requests: subsequent requests to the same host ignore cert verification
    • More info: CVE-2024-35195
  3. Library: sqlparse (METADATA)

    • Vulnerability: CVE-2024-4340
    • Severity: HIGH
    • Installed Version: 0.4.4
    • Fixed Version: 0.5.0
    • Title: sqlparse: parsing heavily nested list leads to denial of service
    • More info: CVE-2024-4340
  4. Library: urllib3 (METADATA)

    • Vulnerability: CVE-2024-37891
    • Severity: MEDIUM
    • Installed Version: 1.26.18
    • Fixed Version: 1.26.19, 2.2.2
    • Title: urllib3: proxy-authorization request header is not stripped during cross-origin redirects
    • More info: CVE-2024-37891
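The advisory list above, as an added example that is not part of the issue or of the project's code: a small check that compares installed versions against the scanner's fixed versions, including the urllib3 case where one fix is listed per release line (1.26.19 for 1.x, 2.2.2 for 2.x). The package names, CVE identifiers and versions are copied from the scanner output; the installed-version map is constructed from the same list, and the branch-matching rule and all function names are my own assumptions.

```python
"""Version check for the advisories listed in the issue.

Added example; not code from the issue or from this project. The advisory
table is copied from the scanner output above, the installed-version map
is constructed from the same list, and the branch-matching rule is an
assumption stated in is_vulnerable().
"""
from importlib import metadata

# (package, CVE, fixed versions) exactly as the scanner reported them.
ADVISORIES = [
    ("idna", "CVE-2024-3651", ["3.7"]),
    ("requests", "CVE-2024-35195", ["2.32.0"]),
    ("sqlparse", "CVE-2024-4340", ["0.5.0"]),
    ("urllib3", "CVE-2024-37891", ["1.26.19", "2.2.2"]),
]

# Constructed input: the "Installed Version" fields from the issue.
ISSUE_INSTALLED = {
    "idna": "3.6",
    "requests": "2.31.0",
    "sqlparse": "0.4.4",
    "urllib3": "1.26.18",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted release such as '1.26.18' into a comparable int tuple.

    Assumption: only plain releases (no rc/dev/post suffixes) are compared;
    anything else raises ValueError rather than being silently mis-ordered.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str, fixed_versions: list) -> bool:
    """Return True if `installed` is below the fix for its own release line.

    Scanners list one fixed version per maintained branch (urllib3 has
    1.26.19 for 1.x and 2.2.2 for 2.x). Comparing only against the lowest or
    highest fix would misjudge 2.2.1 or 1.26.19, so the fix on the same major
    line is used. Assumption: a major line with no listed fix is vulnerable
    only if it is older than every fix (e.g. a 0.x urllib3).
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    same_line = [f for f in fixes if f[0] == inst[0]]
    if same_line:
        return inst < same_line[0]
    return inst < fixes[0]


def check_versions(installed: dict, advisories: list) -> list:
    """Match an installed-version map against the advisories.

    Returns (package, cve, installed_version, fixed_versions) for every hit;
    packages missing from `installed` are skipped.
    """
    findings = []
    for package, cve, fixed in advisories:
        version = installed.get(package)
        if version is not None and is_vulnerable(version, fixed):
            findings.append((package, cve, version, fixed))
    return findings


def installed_from_environment(advisories: list) -> dict:
    """Read the versions of the advisory packages in the running interpreter."""
    versions = {}
    for package, _cve, _fixed in advisories:
        try:
            versions[package] = metadata.version(package)
        except metadata.PackageNotFoundError:
            pass  # not installed here, nothing to compare
    return versions


if __name__ == "__main__":
    # First the versions from the issue, then whatever this interpreter has.
    for label, installed in (
        ("issue", ISSUE_INSTALLED),
        ("this environment", installed_from_environment(ADVISORIES)),
    ):
        hits = check_versions(installed, ADVISORIES)
        print(f"{label}: {len(hits)} vulnerable package(s)")
        for package, cve, version, fixed in hits:
            print(f"  {package} {version} -> {cve}, fixed in {', '.join(fixed)}")
```

Run it inside the image built from the tag and all four packages from the issue are reported; the same script run against an environment rebuilt from the updated requirements file should report none. The same-major rule is the one thing to keep an eye on: if a scanner ever lists fixes for two minor lines of the same major, extend the match to major.minor.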
@toluaina (Owner)

All done, and thanks for pointing this out. A new version has been published.
