Bump four vendored python dependencies with security advisories
Categories
(Firefox Build System :: General, task)
Tracking
(firefox-esr78 wontfix, firefox87 wontfix, firefox88 wontfix, firefox89 wontfix, firefox90 fixed)
People
(Reporter: mhentges, Assigned: mhentges)
References
Details
(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main90-])
Attachments
(1 file)
safety by pyup.io
REPORT: checked 43 packages, using free DB (updated once a month)

package  | installed | affected         | ID
---------+-----------+------------------+------
jinja2   | 2.11.2    | >=0.0.0,<2.11.3  | 39525
  This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. See CVE-2020-28493.
py       | 1.5.4     | <=1.9.0          | 39253
  A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. See CVE-2020-29651.
pyyaml   | 5.3.1     | <5.4             | 39611
  A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.
requests | 2.9.1     | <=2.19.1         | 36546
  The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
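As an added example (not the safety tool's code or output, and not part of the patch in this bug), here is the comparison the report table encodes, written against the standard library so it can be re-run on any list of vendored packages: the installed version is compared numerically against the affected specifier, and a proposed bump target can be checked the same way to confirm it actually leaves the range. The transcribed rows, the helper names and the integer-tuple version model are this example's own assumptions.

```python
"""Re-check the report's rows: is each installed version inside the affected range?

Added example for this page; not the safety tool's code and not part of the
patch.  Standard library only.  Versions are compared as tuples of integers,
which covers every release named in the report; pre-release suffixes such as
"2.0rc1" are rejected rather than silently mis-ordered.
"""
import re

# The four rows of the report table, transcribed: (package, installed, affected).
REPORT_ROWS = [
    ("jinja2", "2.11.2", ">=0.0.0,<2.11.3"),
    ("py", "1.5.4", "<=1.9.0"),
    ("pyyaml", "5.3.1", "<5.4"),
    ("requests", "2.9.1", "<=2.19.1"),
]

# One clause of a specifier: an operator followed by a dotted numeric version.
_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'2.11.3' -> (2, 11, 3); anything non-numeric raises ValueError."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(p) for p in parts)


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so that 5.4 compares as 5.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version, specifier):
    """True when `version` satisfies every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError("unsupported clause: %r" % clause)
        op, bound = m.group(1), parse_version(m.group(2))
        lhs, rhs = _padded(v, bound)
        holds = {
            ">=": lhs >= rhs,
            "<=": lhs <= rhs,
            "==": lhs == rhs,
            ">": lhs > rhs,
            "<": lhs < rhs,
        }[op]
        if not holds:
            return False
    return True


def affected_packages(rows=REPORT_ROWS):
    """Names of packages whose installed version lies inside the affected range."""
    return [name for name, installed, spec in rows if version_matches(installed, spec)]


def still_affected_after(rows, candidates):
    """Given {package: proposed version}, return the packages a bump would NOT clear."""
    return [
        name
        for name, _installed, spec in rows
        if name in candidates and version_matches(candidates[name], spec)
    ]


if __name__ == "__main__":
    print("affected now:", affected_packages())
    # A constructed bump plan; every target is the first release past the range.
    plan = {"jinja2": "2.11.3", "py": "1.9.1", "pyyaml": "5.4", "requests": "2.19.2"}
    print("still affected after bump:", still_affected_after(REPORT_ROWS, plan))
```

The boundary cases are the ones worth checking by hand: `<5.4` excludes 5.4 itself but includes 5.3.1, while `<=2.19.1` still includes the last vulnerable release, so a bump target must be strictly beyond it.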
Comment 1•3 years ago
Did you know that our version of requests was from 2015? Phwoar!

This bumps jinja2, py, pyyaml, requests and urllib3.

There's significant risk for regressions due to breaking changes, though due to the dynamic nature of Python, they're tricky to track down.

The potential breaking changes I'm expecting to potentially affect us are:

- requests@2.11.0: No longer accepts non-strings as header values.
- requests@2.16.0: requests.packages namespace was removed due to packages no longer being vendored. The namespace has been incrementally restored over future releases, but it's unclear to what degree.
- requests@2.24.0: Redirect resolution now only happens when allow_redirects is True.
- urllib3 was bumped from 1.13.1 to 1.26, unsure what repercussions that will have.
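The requests advisory in the report (Authorization sent to an http URI after a same-hostname https-to-http redirect) and the redirect-handling change noted above both come down to one question: which headers may follow a redirect? Below is an added example, not requests' own code and not part of this bug's patch, of the origin check that closes the leak, written against the standard library. It drops Authorization when the host changes, when https downgrades to http, or when the port changes, and permits only an http-to-https upgrade on the default ports. The function names, the default-port table and the sample header set are this example's own assumptions.

```python
"""Strip credentials on a cross-origin or https->http redirect.

Added example, not requests' own code and not part of the bug: the rule that
prevents the Authorization-header leak described in the report.  Standard
library only; every name here is the example's own.
"""
from urllib.parse import urlsplit

# Assumed default ports; anything outside this table is refused outright.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, lowercased host, effective port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, (parts.hostname or "").lower(), port


def should_strip_auth(old_url, new_url):
    """True when an Authorization header must not accompany the redirected request.

    Credentials are dropped if the host changes, if https downgrades to http,
    or if the port changes.  An http->https upgrade on the default ports is
    allowed because it only tightens transport security.
    """
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True
    if (old_scheme, old_port) == ("http", 80) and (new_scheme, new_port) == ("https", 443):
        return False
    return old_scheme != new_scheme or old_port != new_port


def headers_for_redirect(headers, old_url, new_url):
    """Return a copy of `headers` for the redirected request, minus credentials if required."""
    if not should_strip_auth(old_url, new_url):
        return dict(headers)
    # Header names are case-insensitive, so match on the lowercased key.
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    # Constructed sample: the exact sequence the advisory describes.
    request_headers = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}
    print(headers_for_redirect(request_headers, "https://example.test/a", "http://example.test/b"))
```

The https-to-http case is the one the advisory names, but the same check also covers the more obvious cross-host redirect; a client that only compares hostnames, as the vulnerable versions did, lets the downgrade through.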
Comment 2•3 years ago
this is more a risk for "people building Firefox" than for Firefox users, right? Not sure how to rate that to represent the right set of risks.
Comment 3•3 years ago
That's correct, yes, the vulnerabilities reported here would not affect Firefox users.
Comment 4•3 years ago
Backed out for gecko decision task bustage:
https://hg.mozilla.org/integration/autoland/rev/6607000204c56c89613f1637f7df93b53689907c
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&selectedTaskRun=Gtdq8lj5R8moqwGzb09iPA.0&searchStr=gecko%2Cdecision%2Ctask%2Copt%2Cgecko%2Cdecision%2Ctask%2Cd&revision=0de04343f5c5f260ff969d92ceb1049d012f2e6e
Failure log: https://treeherder.mozilla.org/logviewer?job_id=336512638&repo=autoland
[task 2021-04-14T15:46:49.303Z] + ./mach --log-no-times taskgraph decision --pushlog-id=141046 --pushdate=1618415068 --project=autoland --owner=mhentges@mozilla.com --level=3 --tasks-for=hg-push --base-repository=https://hg.mozilla.org/mozilla-unified --head-repository=https://hg.mozilla.org/integration/autoland --head-ref=0de04343f5c5f260ff969d92ceb1049d012f2e6e --head-rev=0de04343f5c5f260ff969d92ceb1049d012f2e6e
[task 2021-04-14T15:46:49.969Z] Error running mach:
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] ['--log-no-times', 'taskgraph', 'decision', '--pushlog-id=141046', '--pushdate=1618415068', '--project=autoland', '--owner=mhentges@mozilla.com', '--level=3', '--tasks-for=hg-push', '--base-repository=https://hg.mozilla.org/mozilla-unified', '--head-repository=https://hg.mozilla.org/integration/autoland', '--head-ref=0de04343f5c5f260ff969d92ceb1049d012f2e6e', '--head-rev=0de04343f5c5f260ff969d92ceb1049d012f2e6e']
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] The error occurred in code that was called by the mach command. This is either
[task 2021-04-14T15:46:49.969Z] a bug in the called code itself or in the way that mach is calling it.
[task 2021-04-14T15:46:49.969Z] You can invoke |./mach busted| to check if this issue is already on file. If it
[task 2021-04-14T15:46:49.969Z] isn't, please use |./mach busted file taskgraph| to report it. If |./mach busted| is
[task 2021-04-14T15:46:49.969Z] misbehaving, you can also inspect the dependencies of bug 1543241.
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] If filing a bug, please include the full output of mach, including this error
[task 2021-04-14T15:46:49.969Z] message.
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] The details of the failure are as follows:
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] ModuleNotFoundError: No module named 'chardet'
[task 2021-04-14T15:46:49.969Z]
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/mach_commands.py", line 349, in taskgraph_decision
[task 2021-04-14T15:46:49.969Z] import taskgraph.decision
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/decision.py", line 21, in <module>
[task 2021-04-14T15:46:49.969Z] from .actions import render_actions_json
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/__init__.py", line 9, in <module>
[task 2021-04-14T15:46:49.969Z] from .registry import (
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/registry.py", line 16, in <module>
[task 2021-04-14T15:46:49.969Z] from taskgraph import create
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/create.py", line 15, in <module>
[task 2021-04-14T15:46:49.969Z] from taskgraph.util.parameterization import resolve_timestamps
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/util/parameterization.py", line 12, in <module>
[task 2021-04-14T15:46:49.969Z] from taskgraph.util.taskcluster import get_artifact_url
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/util/taskcluster.py", line 12, in <module>
[task 2021-04-14T15:46:49.969Z] import requests
[task 2021-04-14T15:46:49.969Z] File "/builds/worker/checkouts/gecko/third_party/python/requests/requests/__init__.py", line 44, in <module>
[task 2021-04-14T15:46:49.969Z] import chardet
Comment 5•3 years ago
Bump python dependencies r=firefox-build-system-reviewers,glandium
https://hg.mozilla.org/integration/autoland/rev/b413fce77522a68cde868d5843890572ab4eb3cf
https://hg.mozilla.org/mozilla-central/rev/b413fce77522
Comment 6•3 years ago
Backed out because several people ran into bug 1706456.
https://hg.mozilla.org/mozilla-central/rev/6531d095b2a75de865a5ef57def7781187633b87
Comment 8•3 years ago
Bump python dependencies r=firefox-build-system-reviewers,glandium
https://hg.mozilla.org/integration/autoland/rev/85ea0bb3c7cdd6a9dc1cbecd0fe0068ad666c5c7
https://hg.mozilla.org/mozilla-central/rev/85ea0bb3c7cd