Closed Bug 1476001 Opened 2 years ago Closed 2 years ago
Upgrade python modules in testing/mozharness/requirements
suite 1 ~~~~~~~ Ran 62 checks (56 tests, 6 subtests) Expected results: 55 Unexpected results: 7 test: 1 (1 fail) subtest: 6 (6 fail) Unexpected Results ------------------ /Users/sfraser/hg.m.o/mozilla-unified/testing/mozharness/requirements.txt FAIL dulwich - dulwich installed:0.8.7 affected:<0.9.920150320 description:Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file. FAIL logilab-common - logilab-common installed:0.59.0 affected:<0.61.0 description:The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file. FAIL logilab-common - logilab-common installed:0.59.0 affected:<0.61.0 description:The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf. FAIL pycrypto - pycrypto installed:2.6 affected:<2.6.1 description:The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process. FAIL pycrypto - pycrypto installed:2.6 affected:<2.6.1 description:lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation. FAIL pycrypto - pycrypto installed:2.6 affected:<=2.6.1 description:Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. FAIL /Users/sfraser/hg.m.o/mozilla-unified/testing/mozharness/requirements.txt - logilab-common dulwich pycrypto
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/aa4ddb427b95 Security updates for python r=jlund
You need to log in before you can comment on or make changes to this bug.