Upgrade python modules in testing/mozharness/requirements.txt

RESOLVED FIXED

Status

defect
RESOLVED FIXED
10 months ago
6 months ago

People

(Reporter: sfraser, Assigned: sfraser)

Tracking

unspecified

Firefox Tracking Flags

(firefox-esr60 fixed, firefox64 fixed)

Details

Attachments

(1 attachment)

suite 1
~~~~~~~
Ran 62 checks (56 tests, 6 subtests)
Expected results: 55
Unexpected results: 7
  test: 1 (1 fail)
  subtest: 6 (6 fail)

Unexpected Results
------------------
/Users/sfraser/hg.m.o/mozilla-unified/testing/mozharness/requirements.txt
  FAIL dulwich - dulwich installed:0.8.7 affected:<0.9.920150320 description:Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.
  FAIL logilab-common - logilab-common installed:0.59.0 affected:<0.61.0 description:The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.
  FAIL logilab-common - logilab-common installed:0.59.0 affected:<0.61.0 description:The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.
  FAIL pycrypto - pycrypto installed:2.6 affected:<2.6.1 description:The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
  FAIL pycrypto - pycrypto installed:2.6 affected:<2.6.1 description:lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.
  FAIL pycrypto - pycrypto installed:2.6 affected:<=2.6.1 description:Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
  FAIL /Users/sfraser/hg.m.o/mozilla-unified/testing/mozharness/requirements.txt - logilab-common dulwich pycrypto
Assignee

Updated

9 months ago
Assignee: nobody → sfraser

Comment 2

7 months ago
Pushed by sfraser@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa4ddb427b95
Security updates for python r=jlund

Comment 3

7 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/aa4ddb427b95
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.