distcloud repo: security vulnerability found in requirement.txt

Bug #1862384 reported by Bin Qian
Affects: StarlingX
Status: Triaged
Importance: Low
Assigned to: Al Bailey
Milestone: none

Bug Description

2 SQLAlchemy vulnerabilities found in distributedcloud/requirements.txt
Remediation
Upgrade SQLAlchemy to version 1.3.0 or later. For example:

SQLAlchemy>=1.3.0

CVE-2019-7164
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

CVE-2019-7548
moderate severity
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

1 Jinja2 vulnerability found in distributedcloud/requirements.txt
Remediation
Upgrade Jinja2 to version 2.10.1 or later. For example:

Jinja2>=2.10.1

CVE-2019-10906
high severity
Vulnerable versions: < 2.10.1
Patched version: 2.10.1
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

1 requests vulnerability found in distributedcloud/requirements.txt
Remediation
Upgrade requests to version 2.20.0 or later. For example:

requests>=2.20.0

CVE-2018-18074
moderate severity
Vulnerable versions: <= 2.19.1
Patched version: 2.20.0
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Tags: stx.security
Ghada Khalil (gkhalil) wrote :

As per Al Bailey, the requirements.txt file is out of date, and is only used during tox and not as part of the final product.

The spec files for the rpm discard the requirements.txt as part of building the rpms
https://opendev.org/starlingx/distcloud/src/branch/master/distributedcloud/centos/distributedcloud.spec#L99

The product (ISO) builds and packages with python2-requests-2.21 and python2-sqlalchemy-1.1.11, so there are no vulnerabilities.

We should get into the habit of updating those files, since it means that the version of those python modules that we are running tox against is not the same as what we are shipping with.
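The gap the comment points at (tox exercising one version of a module while the ISO ships another) is easy to check mechanically. The script below is an added example, not StarlingX or distcloud code: it parses `requirements.txt`-style pins and RPM name-version strings, evaluates both against the advisory ranges quoted in the report, and flags pins whose floor still admits a vulnerable release, shipped versions that fall inside an advisory range, and tox floors that differ from the shipped RPM. The pins, the RPM list and the advisory table are constructed from this page; the version parser is a deliberately minimal stand-in for `packaging.version` so the script runs with the standard library alone. A range hit on an RPM is a prompt to read the package changelog for backported fixes, not a confirmed vulnerability.

```python
import re
from typing import Dict, List, Optional, Tuple

# Advisory ranges exactly as quoted in the bug report (normalised package name, CVE, range).
ADVISORIES = [
    ("sqlalchemy", "CVE-2019-7164", "<1.3.0"),
    ("sqlalchemy", "CVE-2019-7548", "<1.3.0"),
    ("jinja2", "CVE-2019-10906", "<2.10.1"),
    ("requests", "CVE-2018-18074", "<=2.19.1"),
]

# Constructed tox pins using the remediation floors from the report; NOT the real requirements.txt.
TOX_REQUIREMENTS = """\
SQLAlchemy>=1.3.0
Jinja2>=2.10.1
requests>=2.20.0
"""

# RPM name-version strings the comment says the ISO ships; Jinja2 is not mentioned there.
SHIPPED_RPMS = ["python2-requests-2.21", "python2-sqlalchemy-1.1.11"]

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, Tuple[str, int]]:
    """Minimal PEP 440-style sort key: release tuple with trailing zeros dropped
    (so 2.21 == 2.21.0), then 1 for a final release or 0 for a pre-release
    (so 1.3.0b2 < 1.3.0), then the pre-release tag itself."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group(2):
        return (tuple(release), 0, (m.group(2), int(m.group(3))))
    return (tuple(release), 1, ("", 0))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` lies inside one specifier such as '<1.3.0' or '>=2.20.0'."""
    m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", specifier)
    if not m:
        raise ValueError(f"unsupported specifier: {specifier!r}")
    return _OPS[m.group(1)](parse_version(version), parse_version(m.group(2)))


def parse_requirement(line: str) -> Tuple[str, List[str]]:
    """'SQLAlchemy>=1.3.0,<2  # note' -> ('sqlalchemy', ['>=1.3.0', '<2'])."""
    body = line.split("#", 1)[0].strip()
    m = re.fullmatch(r"([A-Za-z0-9_.-]+)(.*)", body)
    if not m:
        raise ValueError(f"unsupported requirement: {line!r}")
    specs = [s.strip() for s in m.group(2).split(",") if s.strip()]
    return m.group(1).lower().replace("_", "-"), specs


def parse_rpm(nvr: str) -> Tuple[str, str]:
    """'python2-sqlalchemy-1.1.11' -> ('sqlalchemy', '1.1.11'); last '-' splits name/version."""
    name, _, version = nvr.rpartition("-")
    return re.sub(r"^python[23]?-", "", name.lower()), version


def pin_floor(specs: List[str]) -> Optional[str]:
    """Lowest version a pin admits: the highest of its '>=' / '==' bounds, or None if unbounded."""
    floors = [re.sub(r"^(>=|==)", "", s) for s in specs if s.startswith((">=", "=="))]
    return max(floors, key=parse_version) if floors else None


def audit(requirements_text: str, shipped_rpms: List[str], advisories=ADVISORIES) -> Dict[str, dict]:
    """Compare each tox pin with the shipped RPM and with the advisory ranges."""
    shipped = dict(parse_rpm(r) for r in shipped_rpms)
    report: Dict[str, dict] = {}
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, specs = parse_requirement(line)
        floor = pin_floor(specs)
        ship_ver = shipped.get(name)
        cves = [(cve, rng) for pkg, cve, rng in advisories if pkg == name]
        report[name] = {
            "tox_floor": floor,
            "shipped": ship_ver,
            # An unbounded pin, or a floor inside an advisory range, still lets pip pick a bad release.
            "pin_admits_vulnerable": floor is None or any(satisfies(floor, r) for _, r in cves),
            # Shipped RPM version inside an advisory range: check the package changelog for backports.
            "shipped_cves": [c for c, r in cves if ship_ver is not None and satisfies(ship_ver, r)],
            "shipped_unknown": ship_ver is None,
            # The comment's point: tox tests a different version from the one the ISO ships.
            "tox_floor_matches_shipped": (ship_ver is not None and floor is not None
                                          and parse_version(ship_ver) == parse_version(floor)),
        }
    return report


if __name__ == "__main__":
    for pkg, row in audit(TOX_REQUIREMENTS, SHIPPED_RPMS).items():
        print(pkg, row)
```

Run against the page's data the report shows requests pinned at a floor of 2.20.0 but shipped as 2.21 (outside every advisory range, yet not the version tox runs), Jinja2 with no shipped version recorded in the comment, and SQLAlchemy with a 1.3.0 floor that admits no advisory-listed release. Feeding it the real `requirements.txt` and the package list from the ISO build is a one-line change to the two constructed inputs.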

Ghada Khalil (gkhalil) wrote :

Low priority - would be nice to fix, but not gating since this is not a real vulnerability. See notes above.

tags: added: stx.security
Changed in starlingx:
importance: Undecided → Low
status: New → Triaged
assignee: nobody → Al Bailey (albailey1974)