distcloud repo: security vulnerability found in requirement.txt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Triaged | Low | Al Bailey |
Bug Description
2 SQLAlchemy vulnerabilities found in distributedclou
Remediation
Upgrade SQLAlchemy to version 1.3.0 or later. For example:
SQLAlchemy>=1.3.0
CVE-2019-7164
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
CVE-2019-7548
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
1 Jinja2 vulnerability found in distributedclou
Remediation
Upgrade Jinja2 to version 2.10.1 or later. For example:
Jinja2>=2.10.1
CVE-2019-10906
high severity
Vulnerable versions: < 2.10.1
Patched version: 2.10.1
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
1 requests vulnerability found in distributedclou
Remediation
Upgrade requests to version 2.20.0 or later. For example:
requests>=2.20.0
CVE-2018-18074
moderate severity
Vulnerable versions: <= 2.19.1
Patched version: 2.20.0
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
As per Al Bailey, the requirements.txt file is out of date, and is only used during tox and not as part of the final product.
The spec files for the rpm discard the requirements.txt as part of building the rpms: https://opendev.org/starlingx/distcloud/src/branch/master/distributedcloud/centos/distributedcloud.spec#L99
The product (ISO) builds and packages with python2-requests-2.21 and python2-sqlalchemy-1.1.11 so there are no vulnerabilities.
We should get into the habit of updating those files, since it means that the version of those python modules that we are running tox against is not the same as the one we are shipping with.
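Both the remediation lines in the description and the tox-versus-shipped mismatch raised in the comment come down to comparing pinned versions against the first patched version of each advisory. The following script is an added example, not code from this bug report or from the distcloud repo: it audits two constructed pin sets, one mirroring a tox requirements.txt and one mirroring the two RPM versions named in the comment, against the CVE ranges quoted above, and lists which packages drift between the two. The requirement strings are constructed for illustration, and only the `==`, `>=` and `~=` specifiers are handled.

```python
import re

# Advisories from the bug description: (package, CVE, first patched version).
ADVISORIES = [
    ("sqlalchemy", "CVE-2019-7164", "1.3.0"),
    ("sqlalchemy", "CVE-2019-7548", "1.3.0"),
    ("jinja2", "CVE-2019-10906", "2.10.1"),
    ("requests", "CVE-2018-18074", "2.20.0"),
]

def parse_version(text):
    """'1.3.0b2' -> comparable tuple; missing parts are zero (2.21 == 2.21.0) and a
    pre-release sorts below its final release (1.3.0b2 < 1.3.0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]+\d*)?", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0, m.group(2)) if m.group(2) else (1, ""))

def parse_requirements(text):
    """Parse 'Name==1.2' / 'Name>=1.2' lines into {name.lower(): (op, version)}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*(==|>=|~=)\s*(\S+)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        pins[m.group(1).lower()] = (m.group(2), m.group(3))
    return pins

def audit(pins):
    """[(package, pin, CVE)] for each pin whose lowest installable version (the pin
    itself for ==, >= and ~=) is below the advisory's first patched version."""
    findings = []
    for pkg, cve, fixed in ADVISORIES:
        if pkg in pins and parse_version(pins[pkg][1]) < parse_version(fixed):
            findings.append((pkg, "".join(pins[pkg]), cve))
    return findings

def drift(tox_pins, shipped_pins):
    """Packages pinned differently for tox than in the shipped product."""
    return sorted(p for p in tox_pins if p in shipped_pins and tox_pins[p] != shipped_pins[p])

# Constructed samples: the tox pins sit inside the advisories' vulnerable ranges; the
# shipped versions are the two RPM versions named in the comment above.
TOX_REQUIREMENTS = "SQLAlchemy==1.2.17\nJinja2==2.10\nrequests==2.19.1\n"
SHIPPED_RPMS = "SQLAlchemy==1.1.11\nrequests==2.21\n"
```

A version comparison sees only the upstream version string; RPM builds may carry backported fixes, so confirm against the package changelog before treating a shipped version as vulnerable.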