From b256bf9b762fed2a6cc0728319155be8b76d671a Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Thu, 2 Apr 2020 14:12:33 +1100
Subject: [PATCH] Update safetydb (#104)

---
 HISTORY.md | 4 +
 build.gradle | 7 +-
 src/main/resources/safety-db/insecure.json | 1117 +++-
 .../resources/safety-db/insecure_full.json | 5776 ++++++++++++++++-
 4 files changed, 6566 insertions(+), 338 deletions(-)

diff --git a/HISTORY.md b/HISTORY.md
index a1ee38ec..5bad8c30 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,9 @@
 # Release History
 
+## 1.15.0
+
+* Updated SafetyDB to latest version (April 2020)
+
 ## 1.14.0
 
 * Reduced size of Docker image [pull#98](pull/98)
diff --git a/build.gradle b/build.gradle
index 5ac5cebf..91085e70 100644
--- a/build.gradle
+++ b/build.gradle
@@ -7,7 +7,7 @@ plugins {
 }
 
 group 'org.tonybaloney.security'
-version '1.14.0'
+version '1.15.0'
 
 repositories {
     mavenCentral()
@@ -39,10 +39,9 @@ intellij.version = project.hasProperty('intellijVersion') ? project.getProperty(
 patchPluginXml {
     changeNotes """
-

1.14.0

+

1.15.0

""" } diff --git a/src/main/resources/safety-db/insecure.json b/src/main/resources/safety-db/insecure.json index 0ff0db55..4b252bc9 100644 --- a/src/main/resources/safety-db/insecure.json +++ b/src/main/resources/safety-db/insecure.json @@ -3,18 +3,39 @@ "<0", ">0" ], + "aegea": [ + "<2.2.7" + ], + "aethos": [ + "<0.3.0.1" + ], + "agraph-python": [ + "<101.0.3" + ], + "aiida": [ + "<0.12.3" + ], "aiida-core": [ "<0.12.3" ], + "aiocoap": [ + "<0.4a1" + ], "aiocouchdb": [ "<0.6.0" ], + "aioftp": [ + "<0.15.0" + ], "aiohttp": [ "<0.16.3" ], "aiohttp-auth-autz": [ "<0.2.0" ], + "aiohttp-jinja2": [ + "<1.1.1" + ], "aioli": [ "<0.16.3" ], @@ -34,6 +55,12 @@ "ambient-api": [ "<1.5.2" ], + "ampache": [ + "<3.6-alpha5", + "<3.8.0", + "<3.8.2", + "<4.0.0" + ], "anncolvar": [ "<0.4" ], @@ -77,6 +104,19 @@ "<0", ">0" ], + "appdaemon": [ + "<3.0.4" + ], + "appdaemontestframework": [ + "<2.0.1", + "<2.3.3" + ], + "apphelpers": [ + "<0.9.2" + ], + "appwrite": [ + "<0.4.0" + ], "archmage": [ "<0.3.1" ], @@ -87,6 +127,9 @@ "astropy": [ "<3.0.1" ], + "att-iot-gateway": [ + "<0.4.0" + ], "authbwc": [ "<0.1.4", "<0.3.1" @@ -98,12 +141,25 @@ "avocado-framework": [ "<0.17.0" ], + "awkward": [ + "<0.10.1" + ], + "aws-parallelcluster": [ + "<2.4.0" + ], "awscli": [ "<1.11.83" ], + "backend.ai-manager": [ + "<19.09.0rc4" + ], "bakercm": [ "<0.4.4" ], + "basketball-reference-web-scraper": [ + "<4.2.2", + "<4.2.3" + ], "bbcode": [ "<1.0.9" ], @@ -111,12 +167,21 @@ "<0.9.4", "<1.6.4" ], + "benchexec": [ + "<2.2" + ], "bepasty": [ "<0.3.0" ], + "berglas": [ + "<0.2.0" + ], "bigchaindb-driver": [ "<0.5.2" ], + "bigdl": [ + "<0.8.0" + ], "bincrafters-envy": [ "<0.1.3" ], @@ -129,11 +194,17 @@ "bise.theme": [ "<2.4" ], + "bitbot": [ + "<1.12.0" + ], "bjoern": [ "<1.4.2" ], "bleach": [ "<2.1", + "<=3.1.0", + "<=3.1.1", + "<=3.1.3", ">=2.1,<2.1.3" ], "blinkpy": [ 
@@ -154,11 +225,14 @@ "<0.5.1" ], "bokeh": [ - "<1.0.4" + "<1.0.4", + "<1.1.0", + "<1.2.0" ], "boss-cli": [ "<1.0.0alpha.18", - "<1.0.0alpha.20" + "<1.0.0alpha.20", + "<1.0.0beta.6" ], "bottle": [ "<0.12.10", @@ -166,12 +240,20 @@ ">=0.11,<0.11.7", ">=0.12,<0.12.6" ], + "boussole": [ + "<1.5.0" + ], "brasil.gov.portal": [ "<1.5.1" ], + "bsblan": [ + "<0.27" + ], "buildbot": [ "<1.3.0", - "<2.0.0" + "<1.8.2", + "<2.0.0", + "<2.3.1" ], "bzip": [ "<0", @@ -180,8 +262,13 @@ "cairosvg": [ "<1.0.21" ], + "callisto-core": [ + "<0.27.9" + ], "candig-server": [ - "<0.9.2" + "<0.9.0", + "<0.9.2", + "<1.0.2" ], "cbapi": [ ">=1.3.3,<1.3.4" @@ -189,6 +276,9 @@ "celery": [ ">=4.0,<4.0.1" ], + "cellxgene": [ + "<0.12.0" + ], "centrifuge": [ "<0.3.8" ], @@ -205,9 +295,18 @@ "chanjo-report": [ "<2.4.0" ], + "chaosloader": [ + "<1.0.0" + ], + "charm-tools": [ + "<2.6.0" + ], "cheetah": [ "<0.9.17rc1" ], + "cheetah3": [ + "<3.2.2" + ], "cherrymusic": [ "<0.36.0" ], @@ -217,6 +316,9 @@ "cipher.googlepam": [ "<1.5.1" ], + "circup": [ + "<0.0.6" + ], "ckan": [ "<1.5.1", "<1.8.1" @@ -228,6 +330,9 @@ "clearsilver": [ "<0.10.5" ], + "client-sdk-python": [ + "<4.7.0" + ], "cloudinary": [ "<1.0.21" ], @@ -237,12 +342,19 @@ "cmsplugin-filer": [ "<1.0.0" ], + "cnx-publishing": [ + "<0.17.6" + ], "cockroachdb": [ "<0.3.2" ], "codalab": [ "<0.2.33" ], + "codecov": [ + "<2.0.16", + "<2.0.17" + ], "coinbasepro": [ "<0.1.0" ], @@ -282,11 +394,16 @@ "collins-client": [ "<2.1.0" ], + "colonyscanalyser": [ + "<0.2.0" + ], "conference-scheduler-cli": [ "<=0.10.1" ], "confidant": [ - "<1.1.14" + "<1.1.13", + "<1.1.14", + "<5.0.0" ], "confidence": [ "<0.4" @@ -294,11 +411,16 @@ "confire": [ "<=0.2.0" ], + "confluent-kafka": [ + "<1.1.0", + "<1.3.0" + ], "conn-check": [ "<1.0.18" ], "container-service-extension": [ - "<1.2.5" + "<1.2.5", + "<2.5.0b1" ], "contentful": [ "<1.11.3" 
@@ -309,6 +431,14 @@ "contestms": [ "<1.2.0" ], + "cookie-manager": [ + "<1.0.3" + ], + "cookiecutter": [ + "<0.1.0", + "<0.3.1", + "<1.1.0" + ], "cosmos-wfm": [ "<2.1.1" ], @@ -322,6 +452,12 @@ "<0.11.0", "<0.14.0" ], + "credstash": [ + "<1.16.0" + ], + "creopyson": [ + "<0.4.2" + ], "cromwell-tools": [ "<1.0.0" ], @@ -353,6 +489,9 @@ "cumin": [ "1.11.13", "<1.11.18,>=1.11.17", "<1.11.19,>=1.11.0", "<1.11.22,>1.11", "<1.11.22,>1.11.21", + "<1.11.27", "<1.2.2", "<1.2.7", "<1.3.2", @@ -410,23 +572,46 @@ "<1.8.10", "<1.8.15", "<2.0.11,>=2.0.0", - "<2.0.8,>2.0.6", "<2.1.10,>2.1", "<2.1.2,>=2.1", "<2.1.2,>=2.1.0", "<2.1.5,>=2.1.4", "<2.1.6,>=2.1.0", "<2.2.3,>2.2", + "==1.11.14", + "==1.11.20", + "==1.11.22", + "==1.11.26", + "==1.11.27", "==1.8.14", + "==2.0.7", "==2.0.9", + "==2.1.10", + "==2.1.14", + "==2.1.8", + "==2.1.9", + "==2.2.1", + "==2.2.10", + "==2.2.2", + "==2.2.3", + "==2.2.7", + "==2.2.8", + "==2.2.9", + "==3.0", + "==3.0.2", + "==3.0.3", ">=1.1,<1.1.1", ">=1.10,<1.10.3", ">=1.10,<1.10.7", ">=1.10,<1.10.8", ">=1.10,<1.10rc1", ">=1.11,<1.11.11", + ">=1.11,<1.11.28", ">=1.11,<1.11.5", - ">=1.11.0, <1.11.15", + ">=1.11.0,<1.11.15", + ">=1.11.0,<1.11.21", + ">=1.11.0,<1.11.23", + ">=1.11.0,<1.11.29", ">=1.11.8,<1.11.10", ">=1.2,<1.2.4", ">=1.2,<1.2.5", @@ -467,7 +652,19 @@ ">=1.9,<1.9rc2", ">=2.0,<2.0.2", ">=2.0,<2.0.3", - ">=2.0.0, <2.0.8" + ">=2.0,<2.2.9", + ">=2.0.0,<2.0.8", + ">=2.1,<2.1.15", + ">=2.1,<2.1.9", + ">=2.1.0,<2.1.11", + ">=2.2,<2.2.10", + ">=2.2,<2.2.2", + ">=2.2,<2.2.8", + ">=2.2.0,<2.2.11", + ">=2.2.0,<2.2.4", + ">=3.0,<3.0.1", + ">=3.0,<3.0.3", + ">=3.0.0,<3.0.4" ], "django-access-tokens": [ "<0.9.2" @@ -480,7 +677,8 @@ ], "django-allauth": [ "<0.28.0", - "<0.34.0" + "<0.34.0", + "<0.41.0" ], "django-allauth-underground": [ "<0.28.0" @@ -520,6 +718,9 @@ "<3.0.17", "<3.4.3" ], + "django-cors-headers": [ + "<3.0.0" + ], "django-countries": [ "<3.4" ], 
@@ -565,6 +766,9 @@ "django-fluent-comments": [ "<1.0.1" ], + "django-formidable": [ + "<4.0.0" + ], "django-friendship": [ "<1.2.0" ], @@ -574,6 +778,9 @@ "django-hashedfilenamestorage": [ "<2.4" ], + "django-hashid-field": [ + "<3.1.1" + ], "django-haystack": [ "<1.1" ], @@ -581,7 +788,8 @@ "<1.0.7" ], "django-howl": [ - "<1.0.4" + "<1.0.4", + "<1.0.5" ], "django-html5-appcache": [ "<0.3.0" @@ -602,6 +810,9 @@ "django-lfs": [ "<0.6.9" ], + "django-mail-auth": [ + "<0.1.3" + ], "django-make-app": [ "<0.1.3" ], @@ -627,11 +838,17 @@ "<18.9.3" ], "django-newsletter": [ - "<0.7" + "<0.7", + "<0.9", + "<0.9b1" ], "django-ninecms": [ "<0.4.5b" ], + "django-orghierarchy": [ + "<0.1.13", + "<0.1.18" + ], "django-piston": [ "<0.2.3" ], @@ -704,6 +921,9 @@ "django-tastypie": [ "<0.9.10" ], + "django-triggers": [ + "<2.0.13" + ], "django-ucamlookup": [ "<1.9" ], @@ -740,13 +960,28 @@ "<0.17.2" ], "djblets": [ - "<0.8.3" + "<0.8.3", + "==0.7.21" + ], + "djedefre": [ + "<0.7.0", + "<1.3.2", + "<1.5.1" ], "djoser": [ "<0.7.0", "<1.3.2", "<1.5.1" ], + "dlhub-gateway": [ + "<2.0.0" + ], + "dmoj": [ + "<1.4.0" + ], + "docassemble": [ + "<0.5.105" + ], "docker": [ "<3.5.1" ], @@ -771,11 +1006,19 @@ "easy-install": [ "<0.7" ], + "ec2-metadata": [ + "<2.2.0" + ], + "ecdsa": [ + "<0.13.3", + "<0.14" + ], "edrnsite.policy": [ "<1.0.5" ], "eh": [ - "<0.2.8" + "<0.2.8", + "<1.3.0" ], "electrumx": [ "<1.4.1" @@ -796,15 +1039,43 @@ "etherweaver": [ "<0.3.0" ], + "ethically": [ + "<0.0.3" + ], + "ethsnarks": [ + "<0.18.10.1" + ], + "etlstat": [ + "<0.6.1" + ], "euphorie": [ + "<11.1.2", "<6.1" ], "event-tracking": [ "<0.2.9" ], + "extensiveautomation-server": [ + "<12.1.0", + "<13.0.0", + "<14.0.0", + "<16.0.0" + ], "eyed3": [ "<0.6.18" ], + "faker": [ + "<0.1", + "<2.1.2" + ], + "fast-curator": [ + "<0.2.2" + ], + "fastapi": [ + "<0.18.0", + "<0.30.0", + "<0.37.0" + ], "featureserver": [ "<1.06" ], 
@@ -816,6 +1087,13 @@ "<5.0.1", "<5.1.2" ], + "fincity-django-allauth": [ + "<0.18.0", + "<0.28.0", + "<0.34.0", + "<0.35.0", + "<0.38.0" + ], "flashfocus": [ "<1.2.0" ], @@ -829,12 +1107,23 @@ "<1.5.3", "<=1.5.2" ], + "flask-appbuilder": [ + "<0.2.0", + "<0.7.8", + "<1.9.0", + "<1.9.2", + "<2.2.2", + "<2.2.4" + ], "flask-async": [ "<0.6.1" ], "flask-exceptions": [ "<1.2.2" ], + "flask-flatpages": [ + "<0.7.1" + ], "flask-i18n": [ "<1.1.1" ], @@ -850,6 +1139,9 @@ "flask-micropub": [ "<0.2.2" ], + "flask-monitoring": [ + "<1.10.0" + ], "flask-oauthlib": [ "<0.9.1" ], @@ -859,6 +1151,12 @@ "flask-security-fork": [ "<1.8.1" ], + "flask-sieve": [ + "<1.1.0" + ], + "flask-socketio": [ + "<4.2.0" + ], "flask-statsdclient": [ "<2.0.2" ], @@ -892,6 +1190,9 @@ "ftw.dashboard.portlets.postit": [ "<1.3.4" ], + "ftw.lawgiver": [ + "<1.16.1" + ], "ftw.mail": [ "<2.2.3" ], @@ -913,6 +1214,13 @@ "genshi": [ "<0.6.1" ], + "geokey": [ + "<1.11.2", + "<1.3.1" + ], + "geonode": [ + "<2.10.3" + ], "gevent": [ "<1.2a1" ], @@ -940,9 +1248,24 @@ "google-appengine": [ "<1.5.4" ], + "gordo-components": [ + "<0.15.1" + ], + "gphotos-sync": [ + "<2.9" + ], + "great-components": [ + "<25.0.1" + ], "guillotina": [ "<4.5.8" ], + "gvar": [ + "<9.2.1" + ], + "heedy": [ + "<0.3.0a1" + ], "henosis": [ "<0.0.11" ], @@ -951,14 +1274,16 @@ ], "homeassistant": [ "<0.37", - "<0.73.2", - "<3.0", - ">=0.56" + ">=0.56,<0.73.2", + ">=0.98,<0.98.5" ], "hpack": [ "<1.2.0", "<2.3.0" ], + "hpim-dm": [ + "<1.0" + ], "html5": [ "<0.99999999" ], @@ -969,6 +1294,9 @@ "httpauth": [ "<0.2" ], + "httpie": [ + "<1.0.3" + ], "httplib2": [ "<=0.9.2" ], 
@@ -993,28 +1321,57 @@ "<1.9.5", "<1.9.6" ], + "ib-client": [ + "<0.1.2" + ], "im": [ + "1.5.0", "<1.5.0" ], + "imageio": [ + "<2.6.0" + ], "indico": [ - "<2.0.2" + "<2.0.2", + ">=2.0.0,<2.0.3", + ">=2.1.0,<2.1.10", + ">=2.1.0,<2.1.11", + ">=2.1.0,<2.1.3", + ">=2.2.0,<2.2.3", + ">=2.2.0,<2.2.4" ], "insecure-package": [ "<0.2.0" ], + "inspetor": [ + "<2.3.1" + ], + "instana": [ + "<1.20.2", + "<1.36.1", + "<1.37.1" + ], "invenio": [ "<1.0.2", "<1.1.2" ], "invenio-admin": [ "<1.0.1", + "<1.1.1", "==1.1.0" ], + "invenio-app": [ + "<1.1.1" + ], + "invenio-records": [ + "<1.0.2" + ], "invenio-search": [ "<0.1.3" ], "ipwb": [ - "<0.2018.08.29.1434" + "<0.2018.08.29.1434", + "<0.2019.07.26.1435" ], "ipython": [ "<3.2.2" @@ -1034,6 +1391,13 @@ "isso": [ "<0.6" ], + "isso-cn": [ + "<0.6", + "<0.7" + ], + "jarbas-utils": [ + "<0.5.1" + ], "jinja": [ "<2.7.2", "<2.7.3" @@ -1042,6 +1406,11 @@ "<2.7.2", "<2.7.3" ], + "jnitrace": [ + "<1.0.6", + "<2.2.1", + "<3.0.5" + ], "jose": [ "<0.3.0" ], @@ -1051,6 +1420,22 @@ "jsonrpc-pyclient": [ "<0.7.0" ], + "jumpssh": [ + "<1.6.3" + ], + "junos-eznc": [ + "<2.2.1" + ], + "jupyter-nbrequirements": [ + "<0.6.0" + ], + "jwql": [ + "<0.16.0" + ], + "kafkacrypto": [ + "<0.9.5", + "<0.9.8" + ], "kalliope": [ "<0.5.3" ], @@ -1067,26 +1452,39 @@ "kdcproxy": [ "<0.3.2" ], + "kedro-viz": [ + "<2.1.0", + "<3.0.0" + ], "keyring": [ - "<0.9.1" + "<0.10", + "<0.9.1", + "<=0.10" ], "keystonemiddleware": [ "<1.5.4", "<1.6.0", ">=2.0,<2.3.3" ], + "khoros": [ + "<2.3.1" + ], + "khorosjx": [ + "<2.3.1" + ], "kinto": [ "<12.0.2", "<13.0.0", "<5.1.0" ], "kinto-dist": [ - "<8.2.3", - "<=6.0.2", - ">=6.0.0" + "<15.0.2", + "<17.0.0", + ">=6.0.0,<=6.0.2" ], "kiwitcms": [ - "<6.0" + "<6.0", + "<8.1" ], "knowledge-repo": [ "<0.8.0" 
@@ -1095,14 +1493,21 @@ "<1.3.2" ], "kuber": [ + "<10.0.1", "<9.0.0a1" ], "kubernetes": [ - "<7.0.1" + "<7.0.1", + ">=10.0,<10.0.1", + ">=8.0,<8.0.1", + ">=9.0,<9.0.0a1" ], "kubernetes-asyncio": [ "<8.0.3" ], + "kubetest": [ + "<0.1.0" + ], "kytos": [ "<2019.1b3" ], @@ -1112,9 +1517,18 @@ "lambda-tools": [ "<0.1.2" ], + "lambda-warmer-py": [ + "<1.2.0" + ], "lambdajson": [ "<0.1.5" ], + "lapdog": [ + "<0.18.7" + ], + "launchdarkly-server-sdk": [ + "<6.12.2" + ], "ldap3": [ "<0.9.5.4", "<2.4" @@ -1125,6 +1539,11 @@ "libtaxii": [ "<1.1.105" ], + "lifx-control-panel": [ + "<1.5.4", + "<1.6.3", + "<1.7.6" + ], "livefyre": [ "<2.0.3" ], @@ -1134,6 +1553,9 @@ "logilab-common": [ "<0.61.0" ], + "luckycharms": [ + "<0.5.2" + ], "luigi": [ "<2.1.1", "<2.7.5" @@ -1141,6 +1563,9 @@ "lxml": [ "<3.3.5" ], + "maestral": [ + "<0.4.1" + ], "mailman": [ "<2.1.14", "<2.1.14rc1", @@ -1178,9 +1603,18 @@ "matthisk-httpsig": [ "<1.0.0" ], + "mautrix-telegram": [ + "<0.6.0" + ], "maxminddb": [ "<1.1.2" ], + "mdbackup": [ + "<0.2.0" + ], + "megalib": [ + "<0.9.5alpha" + ], "mercurial": [ "<4.1.3" ], @@ -1193,6 +1627,15 @@ "mgp2pdf": [ "<0.10" ], + "mi": [ + "<0.1", + "<0.4.2", + "<1.0a3", + "<1.1a1", + "<1.3a1", + "<1.6a1", + "<1.6a2" + ], "mini-amf": [ "<0.8" ], @@ -1204,13 +1647,17 @@ ], "mistune": [ "<0.7.2", - "<0.8.1" + "<0.8.1", + "==0.7.4" ], "mitmproxy": [ "<0.17", "<4.0.3", "<4.0.4" ], + "mitogen": [ + "<0.2.8" + ], "mixminion": [ "<0.0.2" ], @@ -1225,11 +1672,23 @@ ], "moin": [ "<1.6.1", - "<1.9.10" + "<1.9.10", + "<2.2.2" ], "mollie-api-python": [ "<2.0.4" ], + "monero": [ + "<0.10.0", + "<0.12.0.0", + "<0.9.1" + ], + "monoshape": [ + "<1.2" + ], + "mopidy-jellyfin": [ + "<0.3.1" + ], "morepath": [ "<0.14" ], @@ -1249,7 +1708,8 @@ "<2.0.0beta" ], "mtprotoproxy": [ - "<1.0.0" + "<1.0.0", + "<1.0.6" ], "murano-dashboard": [ "<1.0.3", 
@@ -1265,9 +1725,25 @@ "<2.0.4", "<=8.0.13" ], + "nanopb": [ + "<0.2.8", + "<0.2.9.1", + "<0.3.1", + ">=0.2.0,<0.2.9.1", + ">=0.3.0,<0.3.1" + ], + "nba-scraper": [ + "<0.2.7" + ], + "nearbeach": [ + "<0.22.1" + ], "neo-python": [ "<0.7.8" ], + "netdumplings": [ + "<0.4.0" + ], "newrelic": [ ">=1.1.0.192,<=2.106.0.87" ], @@ -1280,9 +1756,15 @@ "ngraph-mxnet": [ "<1.0.0" ], + "nifcloud": [ + "<0.1.7" + ], "noiseprotocol": [ "<0.2.1" ], + "normcap": [ + "<0.1.1" + ], "notable": [ "<0.0.6" ], @@ -1294,6 +1776,7 @@ "<4.7.1" ], "nova": [ + "<2012.1", "<2013.2.3" ], "nsupdate": [ @@ -1311,15 +1794,31 @@ "<0.7.0" ], "oci": [ - "<2.1.3" + "<2.0.2", + "<2.1.3", + "<2.10.0" ], "oci-cli": [ "<2.4.10", - "<2.4.40" + "<2.4.40", + "<2.5.9", + "<2.6.3" + ], + "octavia": [ + "<0.9.0", + ">=0.10.0,<2.1.2", + ">=3.0.0,<3.2.0", + ">=4.0.0,<4.1.0" + ], + "oe-geoutils": [ + "<1.5.2" ], "onegov.form": [ "<0.16.1" ], + "onelogin-aws-assume-role": [ + "<1.3.0" + ], "onixcheck": [ "<0.8.0" ], @@ -1329,17 +1828,38 @@ "ooniprobe": [ "<1.0.2" ], + "openapigenerator": [ + "", + "<3.2.1", + "<3.2.2", + "<3.3.2", + "<3.3.3", + "<4.0.0", + "<4.0.0b3", + "<4.0.0beta2", + "<4.0.2", + "<4.0.3", + "<4.1.0", + "<4.1.3", + "<4.2.1", + "<4.3.0" + ], "openslides": [ "<2.1" ], "opentaxii": [ "<0.1.11" ], + "ores": [ + "<1.3.1" + ], "otpauth": [ "<1.0.1" ], "ovirt-engine-sdk-python": [ - "<3.1.0.8" + "<3.1.0.8", + "<3.4.0.7", + "==3.5.0.4" ], "ovs": [ "<1.3.0" @@ -1350,10 +1870,24 @@ "pakettikauppa": [ "<0.1.2" ], + "palladium": [ + "<1.2.2" + ], + "pandevice": [ + "<0.11.0" + ], "pando": [ "<0.39", "<0.42" ], + "paradrop": [ + "<0.10.0", + "<0.13.0", + "<0.5" + ], + "paramiko-ng": [ + "<1.7.2" + ], "passlib": [ "<1.4" ], @@ -1374,6 +1908,9 @@ "pdfextract": [ "<0.0.2" ], + "pdkit": [ + "<1.2.1" + ], "peewee": [ "<2.10.0" ], @@ -1399,7 +1936,9 @@ "<2.7.0", "<3.1.1", "<3.1.2", - "<3.3.2" + "<3.3.2", + "<6.2.2", + ">6.0,<6.2.2" ], "pillow-simd": [ "<2.3.2", 
@@ -1411,12 +1950,16 @@ "<3.1.1", "<3.1.2" ], + "pim-dm": [ + "<1.0" + ], "pinax-likes": [ "<0.3" ], "pip": [ "<1.3", "<1.4", + "<1.5", "<6.0", "<6.1.0" ], @@ -1426,6 +1969,9 @@ "pkgcore": [ "<0.4.7.12" ], + "platformio": [ + "<4.1.0" + ], "plomino": [ "<1.18", "<1.5.3" @@ -1447,8 +1993,21 @@ ">5,<=5.0.6", ">=2.1,<4.2", ">=2.5,<4.0", + ">=3.3.0,<=3.3.6", ">=4,<4.2a2", - ">=5.0,<5.1rc1" + ">=4.0,<=4.0.9", + ">=4.0,<=5.2.1", + ">=4.1.0,<=4.1.6", + ">=4.2.0,<=4.2.7", + ">=4.3,<=4.3.2", + ">=4.3,<=5.2.0", + ">=4.3,<=5.2.1", + ">=5.0,<5.1rc1", + ">=5.0,<=5.2.1", + ">=5.2.0,<=5.2.1" + ], + "plone-app-contentmenu": [ + "<1.1.7" ], "plone-app-contenttypes": [ "<1.2.15" @@ -1466,13 +2025,15 @@ "<2.3.0" ], "plone.app.content": [ - "<3.3.1" + "<3.3.1", + "<3.8.1" ], "plone.app.contentmenu": [ "<1.1.7" ], "plone.app.contenttypes": [ - "<1.2.15" + "<1.2.15", + "<2.1.6" ], "plone.app.discussion": [ "<2.4.14", @@ -1481,6 +2042,9 @@ "plone.app.event": [ "<3.0" ], + "plone.app.layout": [ + "<3.4.1" + ], "plone.app.linkintegrity": [ "<1.0.2" ], @@ -1490,12 +2054,25 @@ "plone.formwidget.contenttree": [ "<1.0a3" ], + "plone.memoize": [ + "<1.0.3" + ], "plone.mockup": [ "<2.1.3" ], "plone.openid": [ "<2.0.2" ], + "plone.recipe.varnish": [ + "<6.0.0b1" + ], + "plone.z3cform": [ + "<0.5.9" + ], + "plotly": [ + "<1.15.0", + "<1.22.0" + ], "plumi.app": [ "<4.2", "<4.2.1", @@ -1513,6 +2090,13 @@ "polemarch": [ "<1.2.1" ], + "polyaxon": [ + "<0.4.1", + "<0.4.3", + "<0.5.1", + "<0.5.5", + "<0.6.0" + ], "poorwsgi": [ "<1.0.2" ], @@ -1521,6 +2105,12 @@ "<2.8.0rc6", ">=2.6,<2.7.3" ], + "postfix-mta-sts-resolver": [ + "<0.6.1" + ], + "prefect": [ + "<0.5.1" + ], "pretaweb.healthcheck": [ "<1.0" ], @@ -1533,11 +2123,15 @@ "products-ploneformgen": [ "<1.8.1" ], + "products-zopetree": [ + "<1.3" + ], "products.cmfcontentpanels": [ "<1.4.1" ], "products.cmfcore": [ - "<2.1.0beta2" + "<2.1.0beta2", + "<2.3.0beta" ], "products.cmfplone": [ "<5.1b1" 
@@ -1548,6 +2142,9 @@ "products.cmfuid": [ "<2.1.0beta2" ], + "products.dcworkflow": [ + "<2.1.0beta2" + ], "products.ldapuserfolder": [ "<2.19", "==2.9" @@ -1561,9 +2158,18 @@ "products.poi": [ "<2.2.3" ], + "psd-tools": [ + ">=1.8.37,<=1.9.3" + ], + "psutil": [ + "<=5.6.5" + ], "ptah": [ "<0.3.3" ], + "puput": [ + "<1.0.4" + ], "pure": [ "<1.5.2" ], @@ -1574,12 +2180,18 @@ "pwman3": [ "<0.4.0" ], + "py-ci": [ + "<0.5.2" + ], "py-espeak-ng": [ "<1.49.0" ], "py-ms": [ "<1.0.1" ], + "py-rate": [ + "<0.3.0" + ], "py3web": [ "<0.21" ], @@ -1592,9 +2204,19 @@ "pyarmor": [ "<5.1.2" ], + "pybald": [ + "<0.5.6" + ], + "pybible-cli": [ + "<1.1.2" + ], "pycapnp": [ "<0.5.5" ], + "pycapnp-async": [ + "<0.5.4", + "<0.5.5" + ], "pycares": [ "<2.1.1" ], @@ -1602,6 +2224,10 @@ "<1.1.0", "<1.1.2" ], + "pycookiecheat": [ + "<0.2.0", + "<0.4.5" + ], "pycrypto": [ "<2.6", "<2.6.1", @@ -1616,6 +2242,12 @@ "pydal": [ "<15.02.27" ], + "pydotz": [ + "<1.2.0" + ], + "pyforce": [ + "<1.8.0" + ], "pyftpdlib": [ "<0.3.0", "<0.5.1", @@ -1624,6 +2256,9 @@ "pygresql": [ "<4.0" ], + "pyinaturalist": [ + "<0.7.0" + ], "pyjwt": [ "<1.0.0", "<1.5.1" @@ -1644,12 +2279,21 @@ "pymemcache": [ "<1.3.6" ], + "pymisp": [ + "<2.4.106" + ], + "pymls": [ + "<1.4.10" + ], "pymongo": [ "<2.5.2" ], "pynoorm": [ "<0.4.2" ], + "pynps": [ + "<1.2.0" + ], "pyoes": [ "<0.9.0" ], @@ -1671,7 +2315,8 @@ "<1.2.6" ], "pyplanet": [ - "<0.6.2" + "<0.6.2", + "<0.7.0" ], "pyrad": [ "<0.6" @@ -1680,6 +2325,13 @@ "<1.1.1" ], "pyramid": [ + "<0.2", + "<0.4.2", + "<1.0a3", + "<1.1a1", + "<1.3a1", + "<1.4a4", + "<1.6a1", "<1.6a2" ], "pyramid-odesk": [ @@ -1694,11 +2346,15 @@ "pyro4": [ "<4.72" ], + "pyrotools": [ + "<1.0.1" + ], "pysam": [ "<0.11.2" ], "pysaml2": [ "<4.4.0", + "<5.0.0", "<=4.4.0" ], "pysandbox": [ @@ -1710,6 +2366,9 @@ "pyshop": [ "<0.7.1" ], + "pyspf": [ + "<2.0.1" + ], "pytest-aoc": [ "<1.2a6" ], 
@@ -1761,12 +2420,20 @@ "python-cjson": [ "<1.0.5" ], + "python-clu": [ + "<0.5.1" + ], "python-dbusmock": [ "<0.15.1" ], "python-docx": [ "<0.8.6" ], + "python-engineio": [ + "<3.5.2", + "<3.9.0", + "<=3.8.2" + ], "python-fedora": [ "<=0.8.0" ], @@ -1779,6 +2446,7 @@ "python-keystoneclient": [ "<1.4.0", "<1.5.4", + ">=0.2.3,<=0.2.5", ">=2.0,<2.3.3" ], "python-libtorrent": [ @@ -1806,9 +2474,18 @@ "<2.1.9", "<2.4.0" ], + "python-secrets": [ + "<0.9.1", + "<19.10.0", + "<19.8.0", + "<19.8.3" + ], "python-smooch": [ "<1.0.4" ], + "python-socketio": [ + "<4.3.0" + ], "python-zeep": [ "<0.4.0" ], @@ -1821,6 +2498,9 @@ "<1.2.6", "<1.4.0" ], + "pytrackdat": [ + "<0.2.0" + ], "pytsite": [ "<1.2" ], @@ -1828,21 +2508,34 @@ "<0.20.0" ], "pyvcloud": [ - "<20.0.0" + "<20.0.0", + "<20.1.0" ], "pyvisa": [ "<0.9" ], "pywbem": [ - "<0.13.0" + "<0.13.0", + "<1.0.0" ], "pywebsite": [ "<0.1.14pre", "<0.1.9pre" ], + "pywren-ibm-cloud": [ + "<1.0.1", + "<1.0.19" + ], "pyxmlsecurity": [ "<0.9" ], + "pyxnat": [ + "<1.1.0.0" + ], + "pyyaml": [ + "<4", + "<5.3.1" + ], "qi-jabberhelpdesk": [ "<0.30" ], @@ -1861,14 +2554,52 @@ "quintagroup.seoptimizer": [ "<3.0.4" ], + "qurro": [ + "<0.4.0" + ], + "qutebrowser": [ + "<1.0.3", + "<1.1.2", + "<1.10.0", + "<1.3.0", + "<1.3.3", + "<1.4.0", + "<1.4.1", + "<1.5.0", + "<1.6.0", + "<1.6.1", + "<1.6.2", + "<1.7.0", + "<1.8.0", + "<1.8.1", + "<1.8.2" + ], "radicale": [ "<1.1.2" ], + "raiden": [ + "<0.10.0", + "<0.2.0", + ">=0.100,<0.100.5.dev0" + ], + "raiden-services": [ + "<0.2.0" + ], "rauth": [ "<0.7.0" ], - "rdflib": [ - "==4.2.2" + "raylib": [ + "<1.1.1", + "<1.2" + ], + "rdiff-backup": [ + "<0.5.0", + "<0.9.3", + "<1.0.2", + "<1.1.6" + ], + "readsettings": [ + "<3.3.1" ], "recurly": [ "<=2.6.2" @@ -1877,6 +2608,12 @@ "<0.2.1alpha", "<0.5.0-alpha" ], + "renku": [ + "<0.6.0" + ], + "repobee": [ + "<2.0.2" + ], "requests": [ "<2.3.0", "<2.6.0", 
@@ -1886,12 +2623,18 @@ "requests-kerberos": [ "<0.6" ], + "responsibly": [ + "<0.0.3" + ], "restauth": [ "<0.6.3" ], "restkit": [ "<=4.2.2" ], + "restrictedpython": [ + "<4.0" + ], "restview": [ "<2.8.1" ], @@ -1901,20 +2644,31 @@ "rinzler": [ "<2.0.5" ], + "river-admin": [ + "<0.5.2" + ], "robotraconteur": [ "<0.9.0" ], "rope": [ "<0.10" ], + "rotten-tomatoes-cli": [ + "<0.0.2" + ], "roundup": [ - "<1.4.20" + "<1.4.20", + "==1.6" ], "rpc4django": [ "<0.2.3" ], "rply": [ - "<0.7.1" + "<0.7.1", + "<0.7.4" + ], + "rpyc": [ + "<4.1.2" ], "rs-django-jet": [ "<1.0.4" @@ -1927,23 +2681,75 @@ "rsanic": [ "<0.2.2" ], + "rss2email": [ + "<3.10" + ], "rtv": [ "<1.12.1" ], "ruffruffs": [ "<2.6.0" ], + "s4": [ + "<0.4.2" + ], "safety": [ "<1.8.4" ], + "sagemaker-containers": [ + "<2.8.2" + ], + "sanic-oauthlib": [ + "<0.9.1" + ], "satosa": [ "<0.6.1" ], "sbp": [ - "<2.4.2" + "<2.4.2", + "<2.6.5", + "<2.7.0" + ], + "scapy": [ + "==2.4.0", + ">=2.4.0,<2.4.2" + ], + "sceptre": [ + "<2.3.0" + ], + "scrapydd": [ + "<0.6.3" + ], + "scvae": [ + "<2.1.1" + ], + "sdcclient": [ + "<0.7.0" + ], + "seed-auth-api": [ + "<0.9.3" + ], + "seed-control-interface": [ + "<0.9.16" + ], + "seed-control-interface-service": [ + "<0.9.6" + ], + "seed-identity-store": [ + "<0.10.2" + ], + "seed-message-sender": [ + "<0.10.9" + ], + "seed-scheduler": [ + "<0.10.2" ], "seed-stage-based-messaging": [ - "<0.11.0" + "<0.11.0", + "<0.13.0" + ], + "seldon-core": [ + "<0.5.1" ], "sentry": [ "<0.12.2", @@ -1960,7 +2766,11 @@ "<8.8" ], "sequoia-client-sdk": [ - "<1.2.0" + "<1.2.0", + "<2.0.0" + ], + "serpscrap": [ + "<0.13.0" ], "sesame": [ "<0.3.0" @@ -1980,9 +2790,21 @@ "sftp-cloudfs": [ "<0.13.1" ], + "shaka-streamer": [ + "<0.3.0" + ], "shiftboiler": [ "<0.6.5" ], + "simple-salesforce": [ + "<1.0.0" + ], + "simplemonitor": [ + "<2.7" + ], + "simulaqron": [ + "<3.0.7" + ], "slackeventsapi": [ "<2.1.0" ], @@ -1992,6 +2814,9 @@ "snappass": [ "<1.4.1" ], + "sncli": [ + "<0.4.0" + ], "soapfish": [ "<0.6.0" ], 
@@ -2002,7 +2827,17 @@ "<0.12.6" ], "sopel": [ - "<4.4.0" + "<4.4.0", + "<6.3.0" + ], + "sparselandtools": [ + "<1.0.1" + ], + "sphinx-paragraph-extractor": [ + "<1.0.4" + ], + "spintest": [ + "<0.2.0" ], "splash": [ "<2.0.1", @@ -2014,15 +2849,27 @@ "spud": [ "<0.8" ], + "sqlathanor": [ + "<0.5.0" + ], + "ssh-audit": [ + "<2.2.0" + ], "starcluster": [ "<0.95.3" ], "stargate": [ "<0.4" ], + "staty": [ + "<1.2.3" + ], "stegano": [ "<0.8.6" ], + "stomp.py": [ + "<4.1.22" + ], "stormpath": [ "<2.0.5", "<2.5.0" @@ -2030,6 +2877,9 @@ "stormpath-sdk": [ "<2.5.0" ], + "streamlit": [ + "<0.57.0" + ], "streamsx-kafka": [ "<1.5.1" ], @@ -2046,7 +2896,14 @@ "<0.7.0" ], "superset": [ - "<0.11.0" + "<0.11.0a", + "<0.14.0a", + "<0.19.1a", + "<0.23.0a", + "<0.29.0rc8a", + "<0.32.0rc2.dev2a", + "<0.33.0rc1a", + "<0.34.0a" ], "superset-hand": [ "<0.11.0" @@ -2066,6 +2923,16 @@ "swift": [ "<2.6.0" ], + "swifter": [ + "<0.292" + ], + "syft": [ + "<0.2.3", + "<0.2.3.a1" + ], + "synse": [ + "<2.2.6" + ], "tablib": [ "<0.11.4" ], @@ -2075,6 +2942,13 @@ "<1.8.3", "<1.9.1" ], + "taskcluster": [ + "<24.1.3" + ], + "tbats": [ + "<1.0.7", + "<1.0.8" + ], "telemeta": [ "<1.4.31" ], @@ -2083,17 +2957,39 @@ ">0" ], "tendenci": [ - "<11.1.1" + "<11.1.1", + "<11.2.12", + "<11.2.8", + "<7.4.0" + ], + "teneto": [ + "<0.4.5" ], "tensorflow": [ - "<1.10.0" + "<1.10.0", + "<1.12.2", + "<2.0", + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" ], "textract": [ "<1.5.0" ], + "tf-encrypted": [ + "<0.5.1" + ], + "thamos": [ + "<0.1.0" + ], "thorn": [ "<1.1.0" ], + "thrift": [ + "<0.11.0", + "<0.9", + "<0.9.3", + "<0.9.3.1" + ], "tiddlyweb": [ "<1.2.18" ], @@ -2129,6 +3025,9 @@ "trosnoth": [ "<1.13.0" ], + "trustpilot": [ + "<6.1.0" + ], "tryton": [ "<2.4.0" ], @@ -2136,6 +3035,7 @@ "<2.4.0" ], "tuf": [ + "<0.11.1", "<1.3" ], "tweepy": [ 
@@ -2144,6 +3044,28 @@ "twilio": [ "<3.5.0" ], + "twine": [ + "<2.0.0" + ], + "twisted": [ + "<17.1.0", + "<19.2.0", + "<19.2.1", + "<19.7.0", + "<20.3.0" + ], + "twitchirc": [ + "<1.3" + ], + "twodolib": [ + "<0.5.1" + ], + "udata": [ + "<1.6.16" + ], + "ugoira": [ + "<0.5.0" + ], "unicef-locations": [ "<1.4.2" ], @@ -2163,25 +3085,56 @@ ], "urllib3": [ "<1.23", + "<1.24.2", + "<=1.24.1", "==1.17", - "==1.18" + "==1.18", + ">=1.25.2,<=1.25.7" ], "verifone": [ "<0.1.8" ], "vermin": [ + "<0.10.1", "<0.4.11", "<0.4.8", - "<0.4.9" + "<0.4.9", + "<0.5.0" + ], + "vips-hash": [ + "<0.2.0" ], "virtualenv": [ "<1.5" ], + "virustotal-python": [ + "<0.0.3", + "<0.0.8" + ], "vnccollab.theme": [ "<1.5.2" ], + "vorta": [ + "<0.6.21" + ], + "wagtail-2fa": [ + "<1.1.0", + "<1.4.1" + ], "waitress": [ - "<1.0.0" + "<0.9.0", + "<1.0.0", + "<1.2.0b1", + "<1.4.0", + "<1.4.1", + "<1.4.2", + "<1.4.3" + ], + "wandb": [ + "<0.8.0" + ], + "wasmer": [ + "<0.2.1" ], "watchmaker": [ "<0.14.0" @@ -2196,14 +3149,25 @@ "<4.7.0" ], "webargs": [ - "<5.1.3" + "<5.1.3", + ">=5.0,<=5.5.2", + ">=6.0.0b1,<=6.0.0b4" + ], + "webp": [ + "<0.1.2" ], "websockets": [ "<5.0,>=4.0.0" ], "werkzeug": [ "<0.11.11", - "<0.8" + "<0.12", + "<0.15.0", + "<0.3.1", + "<0.6.1", + "<0.8", + "<0.8.3", + ">=0.15.0,<0.15.5" ], "whitenoise": [ "<4.1.3" @@ -2211,12 +3175,26 @@ "will": [ "<0.5.4" ], + "wirepas-backend-client": [ + "<1.2.0rc2" + ], + "wordops": [ + "<1.16.0", + "<3.9.6", + "<3.9.7", + "<3.9.9", + "<3.9.9.1" + ], "wpull": [ "<0.1006.1" ], "xdg": [ + "<0.26", "<=0.25" ], + "xmlschema-acue": [ + "<0.9.27" + ], "xtea3": [ "<1.0.0" ], @@ -2224,7 +3202,8 @@ "<3.2.0" ], "yahoo-earnings-calendar": [ - "<0.4.0" + "<0.4.0", + "<0.5.2" ], "yasha": [ "<4.0" @@ -2263,7 +3242,13 @@ ], "zope": [ "<2.13.19", - "<3.9.0" + "<3.9.0", + ">=2.10,<2.10.11", + ">=2.11,<2.11.6", + ">=2.12,<2.12.3", + ">=2.8,<2.8.12", + ">=2.9,<2.9.12", + ">=3.1.1,<=3.4.1" ], "zope.html": [ "<1.2" 
@@ -2284,6 +3269,22 @@ "zopeskel": [ "<2.11" ], + "zsl": [ + "<0.22.0" + ], + "zulip": [ + "<1.5.2", + "<1.6.0", + "<1.7.0", + "<1.7.1", + "<1.7.2", + "<1.8.0", + "<2.0.5", + "<2.0.7", + "<2.0.8", + "<2.1.0", + "<2.1.2" + ], "zwiki": [ "<0.37", "<0.59" diff --git a/src/main/resources/safety-db/insecure_full.json b/src/main/resources/safety-db/insecure_full.json index a5bb63fe..7fb97445 100644 --- a/src/main/resources/safety-db/insecure_full.json +++ b/src/main/resources/safety-db/insecure_full.json @@ -11,6 +11,50 @@ "v": ">0,<0" } ], + "aegea": [ + { + "advisory": "Aegea 2.2.7 avoids CVE-2018-1000805.", + "cve": "CVE-2018-1000805", + "id": "pyup.io-37611", + "specs": [ + "<2.2.7" + ], + "v": "<2.2.7" + } + ], + "aethos": [ + { + "advisory": "Aethos 0.3.0.1 hotfixed NLTK package in setup.py and the vulnerable version.", + "cve": null, + "id": "pyup.io-37721", + "specs": [ + "<0.3.0.1" + ], + "v": "<0.3.0.1" + } + ], + "agraph-python": [ + { + "advisory": "Agraph-python before 101.0.3 updates numpy to 1.16.0 and urllib3 to 1.24.2 for security reasons.", + "cve": null, + "id": "pyup.io-37085", + "specs": [ + "<101.0.3" + ], + "v": "<101.0.3" + } + ], + "aiida": [ + { + "advisory": "Aiida 0.12.3 fixes a security vulnerability by upgrading `paramiko` to `2.4.2`.", + "cve": null, + "id": "pyup.io-37054", + "specs": [ + "<0.12.3" + ], + "v": "<0.12.3" + } + ], "aiida-core": [ { "advisory": "aiida-core 0.12.3 fixes security vulnerability by upgrading `paramiko` to `2.4.2`", @@ -22,6 +66,17 @@ "v": "<0.12.3" } ], + "aiocoap": [ + { + "advisory": "The proxy in aiocoap 0.4a1 only creates log files when explicitly requested (18ddf8c). Also, support for secured protocols has been added.", + "cve": null, + "id": "pyup.io-37469", + "specs": [ + "<0.4a1" + ], + "v": "<0.4a1" + } + ], "aiocouchdb": [ { "advisory": "aiocouchdb 0.6.0 now correctly set members for database security.", 
@@ -33,6 +88,17 @@ "v": "<0.6.0" } ], + "aioftp": [ + { + "advisory": "The server of aioftp 0.15.0 uses explicit mapping of available commands for security reasons.", + "cve": null, + "id": "pyup.io-38045", + "specs": [ + "<0.15.0" + ], + "v": "<0.15.0" + } + ], "aiohttp": [ { "advisory": "aiohttp 0.16.3 fixes a StaticRoute vulnerability to directory traversal attacks.", @@ -55,6 +121,17 @@ "v": "<0.2.0" } ], + "aiohttp-jinja2": [ + { + "advisory": "Aiohttp-jinja2 1.1.1 bumps minimal supported ``jinja2`` version to 2.10.1 to avoid a security vulnerability problem.", + "cve": null, + "id": "pyup.io-37095", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], "aioli": [ { "advisory": "aioli 0.16.3 fixes StaticRoute vulnerability to directory traversal attacks.", @@ -130,6 +207,44 @@ "v": "<1.5.2" } ], + "ampache": [ + { + "advisory": "ampache 3.6alpha1 fixes persistent XSS vulnerabilities in user self-editing and in AJAX object editing", + "cve": null, + "id": "pyup.io-37866", + "specs": [ + "<3.6-alpha5" + ], + "v": "<3.6-alpha5" + }, + { + "advisory": "ampache 3.8 fixes an XSS vulnerability - see CVE-2014-8620", + "cve": "CVE-2014-8620", + "id": "pyup.io-37865", + "specs": [ + "<3.8.0" + ], + "v": "<3.8.0" + }, + { + "advisory": "ampache 3.8.2 fixes a potential security vulnerability on smartplaylist search rule and catalog management actions", + "cve": null, + "id": "pyup.io-37864", + "specs": [ + "<3.8.2" + ], + "v": "<3.8.2" + }, + { + "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0", + "cve": "CVE-2019-12385, CVE-2019-12386", + "id": "pyup.io-37863", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" + } + ], "anncolvar": [ { "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.", 
@@ -365,6 +480,59 @@ "v": ">0,<0" } ], + "appdaemon": [ + { + "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.", + "cve": null, + "id": "pyup.io-37096", + "specs": [ + "<3.0.4" + ], + "v": "<3.0.4" + } + ], + "appdaemontestframework": [ + { + "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities", + "cve": null, + "id": "pyup.io-37908", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + }, + { + "advisory": "appdaemontestframework 2.3.3 update dependencies to fix security vulnerability", + "cve": null, + "id": "pyup.io-37907", + "specs": [ + "<2.3.3" + ], + "v": "<2.3.3" + } + ], + "apphelpers": [ + { + "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.", + "cve": null, + "id": "pyup.io-37151", + "specs": [ + "<0.9.2" + ], + "v": "<0.9.2" + } + ], + "appwrite": [ + { + "advisory": "Appwrite 0.4.0:\r\n* Includes a PHP-FPM security patch fix (https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest) - Upgraded PHP version to 7.3.12 [Major]\r\n* Removes executable permission from avatars files [Minor]\r\n* Updates SDK Generator Twig dependency with security issue: https://www.exploit-db.com/exploits/44102 [Minor]", + "cve": null, + "id": "pyup.io-37717", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], "archmage": [ { "advisory": "Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.", 
@@ -407,6 +575,17 @@ "v": "<3.0.1" } ], + "att-iot-gateway": [ + { + "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.", + "cve": null, + "id": "pyup.io-34257", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], "authbwc": [ { "advisory": "authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. The user would have had to be sharing the same http session for this access to have been gained.", @@ -458,6 +637,28 @@ "v": "<0.17.0" } ], + "awkward": [ + { + "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.", + "cve": null, + "id": "pyup.io-37154", + "specs": [ + "<0.10.1" + ], + "v": "<0.10.1" + } + ], + "aws-parallelcluster": [ + { + "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. Credentials can now be set up following the canonical procedure used for the aws cli.", + "cve": null, + "id": "pyup.io-37211", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], "awscli": [ { "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.", 
@@ -469,6 +670,17 @@ "v": "<1.11.83" } ], + "backend.ai-manager": [ + { + "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases.", + "cve": null, + "id": "pyup.io-37531", + "specs": [ + "<19.09.0rc4" + ], + "v": "<19.09.0rc4" + } + ], "bakercm": [ { "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16", @@ -480,9 +692,29 @@ "v": "<0.4.4" } ], + "basketball-reference-web-scraper": [ + { + "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.", + "cve": null, + "id": "pyup.io-37123", + "specs": [ + "<4.2.2" + ], + "v": "<4.2.2" + }, + { + "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability. This also fulfills the requirement to update the `requests` version.", + "cve": null, + "id": "pyup.io-37195", + "specs": [ + "<4.2.3" + ], + "v": "<4.2.3" + } + ], "bbcode": [ { - "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS.", + "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS", "cve": null, "id": "pyup.io-25634", "specs": [ 
@@ -511,6 +743,17 @@ "v": "<1.6.4" } ], + "benchexec": [ + { + "advisory": "Benchexec 2.2 fixes two security issues:\r\n- Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\n- The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report (https://github.com/sosy-lab/benchexec/issues/new).", + "cve": null, + "id": "pyup.io-37510", + "specs": [ + "<2.2" + ], + "v": "<2.2" + } + ], "bepasty": [ { "advisory": "bepasty 0.3.0 contains two security fixes: \r\n- When showing potentially dangerous text/* types, force the\r\n content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata", @@ -522,6 +765,17 @@ "v": "<0.3.0" } ], + "berglas": [ + { + "advisory": "Berglas 0.2.0 no longer trusts the environment variables.", + "cve": null, + "id": "pyup.io-37340", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], "bigchaindb-driver": [ { "advisory": "bigchaindb-driver before 0.5.2 used an unsecure version of `cryptoconditions` - CVE-2018-10903", 
@@ -533,6 +787,17 @@ "v": "<0.5.2" } ], + "bigdl": [ + { + "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11", + "cve": null, + "id": "pyup.io-37576", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], "bincrafters-envy": [ { "advisory": "bincrafters-envy 0.1.3 updates the request module", @@ -577,6 +842,17 @@ "v": "<2.4" } ], + "bitbot": [ + { + "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.", + "cve": null, + "id": "pyup.io-37551", + "specs": [ + "<1.12.0" + ], + "v": "<1.12.0" + } + ], "bjoern": [ { "advisory": "bjoern before 1.4.2 uses a insecure Django release which is vulnerable to CVE-2015-0219, see https://www.djangoproject.com/weblog/2015/jan/13/security/.", 
@@ -598,6 +874,33 @@ ], "v": "<2.1" }, + { + "advisory": "The ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior in Bleach versions v2.1.4, v3.0.2, and v3.1.0 (and probably earlier versions too). \r\n\r\nCalls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.\r\n\r\nSee: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315", + "cve": null, + "id": "pyup.io-37910", + "specs": [ + "<=3.1.0" + ], + "v": "<=3.1.0" + }, + { + "advisory": "The ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags in Bleach versions <= 3.1.1 did not match browser behavior and could result in a mutation XSS.\r\n\r\nCalls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\r\n\r\nThis security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.", + "cve": null, + "id": "pyup.io-38076", + "specs": [ + "<=3.1.1" + ], + "v": "<=3.1.1" + }, + { + "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.", + "cve": null, + "id": "pyup.io-38107", + "specs": [ + "<=3.1.3" + ], + "v": "<=3.1.3" + }, { "advisory": "bleach 2.1.3 fixes a security issue. 
Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible to construct a URI value with a scheme that was not allowed that would slide through unsanitized.", "cve": "CVE-2018-7753", @@ -690,6 +993,24 @@ "<1.0.4" ], "v": "<1.0.4" + }, + { + "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.", + "cve": null, + "id": "pyup.io-37031", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Bokeh 1.2.0 fixes a security vulnerabilities reported by npm audit.", + "cve": null, + "id": "pyup.io-37170", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" } ], "boss-cli": [ @@ -710,6 +1031,15 @@ "<1.0.0alpha.20" ], "v": "<1.0.0alpha.20" + }, + { + "advisory": "Boss-cli 1.0.0beta.6 uses yaml.FullLoader for loading yaml config and upgrades the dependency pyyaml (CVE-2017-18342).", + "cve": "CVE-2017-18342", + "id": "pyup.io-37129", + "specs": [ + "<1.0.0beta.6" + ], + "v": "<1.0.0beta.6" } ], "bottle": [ @@ -734,6 +1064,17 @@ "v": ">=0.10,<0.10.12,>=0.11,<0.11.7,>=0.12,<0.12.6" } ], + "boussole": [ + { + "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. Boussole now uses the full loader mode so it does not trigger a warning anymore.", + "cve": null, + "id": "pyup.io-37147", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + } + ], "brasil.gov.portal": [ { "advisory": "brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.", 
@@ -745,9 +1086,20 @@ "v": "<1.5.1" } ], + "bsblan": [ + { + "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.", + "cve": null, + "id": "pyup.io-37697", + "specs": [ + "<0.27" + ], + "v": "<0.27" + } + ], "buildbot": [ { - "advisory": "buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.", + "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.", "cve": null, "id": "pyup.io-36320", "specs": [ @@ -755,6 +1107,15 @@ ], "v": "<1.3.0" }, + { + "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: .", + "cve": null, + "id": "pyup.io-37161", + "specs": [ + "<1.8.2" + ], + "v": "<1.8.2" + }, { "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)", "cve": null, @@ -765,13 +1126,13 @@ "v": "<2.0.0" }, { - "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters", + "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: .", "cve": null, - "id": "pyup.io-36880", + "id": "pyup.io-37160", "specs": [ - "<2.0.0" + "<2.3.1" ], - "v": "<2.0.0" + "v": "<2.3.1" } ], "bzip": [ 
@@ -797,7 +1158,27 @@ "v": "<1.0.21" } ], + "callisto-core": [ + { + "advisory": "Callisto-core 0.27.9 includes some not further specified security updates.", + "cve": null, + "id": "pyup.io-37355", + "specs": [ + "<0.27.9" + ], + "v": "<0.27.9" + } + ], "candig-server": [ + { + "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.", + "cve": null, + "id": "pyup.io-37219", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + }, { "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.", "cve": null, @@ -806,6 +1187,15 @@ "<0.9.2" ], "v": "<0.9.2" + }, + { + "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.", + "cve": null, + "id": "pyup.io-37467", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" } ], "cbapi": [ @@ -830,13 +1220,24 @@ "v": ">=4.0,<4.0.1" } ], - "centrifuge": [ + "cellxgene": [ { - "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.", + "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.", "cve": null, - "id": "pyup.io-25647", + "id": "pyup.io-37801", "specs": [ - "<0.3.8" + "<0.12.0" + ], + "v": "<0.12.0" + } + ], + "centrifuge": [ + { + "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.", + "cve": null, + "id": "pyup.io-25647", + "specs": [ + "<0.3.8" ], "v": "<0.3.8" } 
@@ -894,6 +1295,28 @@ "v": "<2.4.0" } ], + "chaosloader": [ + { + "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.", + "cve": null, + "id": "pyup.io-37048", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + } + ], + "charm-tools": [ + { + "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).", + "cve": null, + "id": "pyup.io-37201", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + } + ], "cheetah": [ { "advisory": "cheetah 0.9.17rc1 removeS the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.", @@ -905,6 +1328,17 @@ "v": "<0.9.17rc1" } ], + "cheetah3": [ + { + "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.", + "cve": null, + "id": "pyup.io-37134", + "specs": [ + "<3.2.2" + ], + "v": "<3.2.2" + } + ], "cherrymusic": [ { "advisory": "Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"", @@ -938,6 +1372,17 @@ "v": "<1.5.1" } ], + "circup": [ + { + "advisory": "circup 0.0.6 includes an unspecified security fix", + "cve": null, + "id": "pyup.io-37936", + "specs": [ + "<0.0.6" + ], + "v": "<0.0.6" + } + ], "ckan": [ { "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", @@ -989,6 +1434,17 @@ "v": "<0.10.5" } ], + "client-sdk-python": [ + { + "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", + "cve": null, + "id": "pyup.io-37584", + "specs": [ + "<4.7.0" + ], + "v": "<4.7.0" + } + ], "cloudinary": [ { "advisory": "cloudinary before 1.0.21 is vulnerable to an XSS attack on cloudinary_cors.html.", 
@@ -1022,6 +1478,17 @@ "v": "<1.0.0" } ], + "cnx-publishing": [ + { + "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.", + "cve": null, + "id": "pyup.io-38128", + "specs": [ + "<0.17.6" + ], + "v": "<0.17.6" + } + ], "cockroachdb": [ { "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.", @@ -1044,6 +1511,26 @@ "v": "<0.2.33" } ], + "codecov": [ + { + "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.", + "cve": null, + "id": "pyup.io-37934", + "specs": [ + "<2.0.16" + ], + "v": "<2.0.16" + }, + { + "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.", + "cve": null, + "id": "pyup.io-38075", + "specs": [ + "<2.0.17" + ], + "v": "<2.0.17" + } + ], "coinbasepro": [ { "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.", @@ -1187,6 +1674,17 @@ "v": "<2.1.0" } ], + "colonyscanalyser": [ + { + "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.", + "cve": null, + "id": "pyup.io-37635", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], "conference-scheduler-cli": [ { "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", 
@@ -1199,6 +1697,15 @@ } ], "confidant": [ + { + "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.", + "cve": null, + "id": "pyup.io-26670", + "specs": [ + "<1.1.13" + ], + "v": "<1.1.13" + }, { "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.", "cve": null, @@ -1207,6 +1714,15 @@ "<1.1.14" ], "v": "<1.1.14" + }, + { + "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.", + "cve": null, + "id": "pyup.io-37471", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" } ], "confidence": [ 
@@ -1231,6 +1747,26 @@ "v": "<=0.2.0" } ], + "confluent-kafka": [ + { + "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", + "cve": null, + "id": "pyup.io-37508", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "Confluent-kafka 1.3.0 upgrades builtin lz4 to 1.9.2. See https://github.com/edenhill/librdkafka/issues/2598 and CVE-2019-17543.", + "cve": "CVE-2019-17543", + "id": "pyup.io-38072", + "specs": [ + "<1.3.0" + ], + "v": "<1.3.0" + } + ], "conn-check": [ { "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", @@ -1251,6 +1787,15 @@ "<1.2.5" ], "v": "<1.2.5" + }, + { + "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", + "cve": null, + "id": "pyup.io-37529", + "specs": [ + "<2.5.0b1" + ], + "v": "<2.5.0b1" } ], "contentful": [ 
@@ -1286,6 +1831,46 @@ "v": "<1.2.0" } ], + "cookie-manager": [ + { + "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.", + "cve": null, + "id": "pyup.io-38106", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" + } + ], + "cookiecutter": [ + { + "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6", + "cve": null, + "id": "pyup.io-34683", + "specs": [ + "<0.1.0" + ], + "v": "<0.1.0" + }, + { + "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).", + "cve": null, + "id": "pyup.io-27445", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + }, + { + "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", + "cve": null, + "id": "pyup.io-37672", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], "cosmos-wfm": [ { "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", @@ -1339,6 +1924,28 @@ "v": "<0.14.0" } ], + "credstash": [ + { + "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions", + "cve": null, + "id": "pyup.io-37852", + "specs": [ + "<1.16.0" + ], + "v": "<1.16.0" + } + ], + "creopyson": [ + { + "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", + "cve": null, + "id": "pyup.io-37964", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], "cromwell-tools": [ { "advisory": "cromwell-tools 1.0.0 updates requests to avoid security issues.", 
@@ -1482,6 +2089,17 @@ "v": "=2.20.0 because of a security vulnerability in <=2.19.X.", + "cve": null, + "id": "pyup.io-37204", + "specs": [ + "<2018.10.30.0" + ], + "v": "<2018.10.30.0" + } + ], "ddtrace": [ { "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", 
@@ -1537,6 +2166,73 @@ "v": "<0.9.51" } ], + "debops": [ + { + "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", + "cve": null, + "id": "pyup.io-36371", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + }, + { + "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .", + "cve": null, + "id": "pyup.io-37159", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "The :command:`lxc-prepare-ssh` script in debops 1.1.0 will no longer install SSH keys from the LXC host ``root`` account on the LXC container ``root`` account. 
This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.", + "cve": null, + "id": "pyup.io-37404", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + }, + { + "advisory": "In debops 1.2.0:\r\n- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry`` Ansible modules is deprecated due to their insecure nature.\r\n- The CVE-2019-11043 vulnerability has been mitigated in the :command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation is based on the `suggested workaround`__ from the PHP Bug Tracker.\r\n- A security patch for the CVE-2019-11043 vulnerability has been applied in the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is based on the `fix suggested by upstream`.", + "cve": "CVE-2019-11043", + "id": "pyup.io-37733", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + }, + { + "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. 
The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", + "cve": null, + "id": "pyup.io-26403", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "decaptcha": [ + { + "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", + "cve": null, + "id": "pyup.io-37892", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", + "cve": null, + "id": "pyup.io-37891", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], "definitions": [ { "advisory": "There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.", @@ -1599,6 +2295,28 @@ "v": "<1.3.1" } ], + "deltachat": [ + { + "advisory": "deltachat 1.0.0beta.2 has several security fixes", + "cve": null, + "id": "pyup.io-37922", + "specs": [ + "<1.0.0beta.2" + ], + "v": "<1.0.0beta.2" + } + ], + "deluge": [ + { + "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", + "cve": null, + "id": "pyup.io-37155", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], "destringcare": [ { "advisory": "destringcare 0.0.4 change: Removed `pycrypto` due to security issue", @@ -1610,6 +2328,17 @@ "v": "<0.0.4" } ], + "directory-components": [ + { + "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.", + "cve": null, + "id": "pyup.io-37298", + "specs": [ + "<25.0.1" + ], + "v": "<25.0.1" + } + ], "discogs-client": [ { "advisory": "discogs-client 2.2.2 updates dependencies to resolve security vulnerabilities", 
@@ -1701,15 +2430,6 @@ ], "v": "<1.1.4,>=1.2,<1.2.5" }, - { - "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash.", - "cve": null, - "id": "pyup.io-36359", - "specs": [ - "<1.11.15,>1.11.13" - ], - "v": "<1.11.15,>1.11.13" - }, { "advisory": "django 1.11.18 fixes a security issue in 1.11.17 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", "cve": null, @@ -1748,6 +2468,17 @@ ], "v": "<1.11.22,>1.11.21" }, + { + "advisory": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37771", + "specs": [ + "<1.11.27", + ">=2.0,<2.2.9", + ">=3.0,<3.0.1" + ], + "v": "<1.11.27,>=2.0,<2.2.9,>=3.0,<3.0.1" + }, { "advisory": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "cve": "CVE-2010-3082", 
@@ -1899,15 +2630,6 @@ ], "v": "<2.0.11,>=2.0.0" }, - { - "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash", - "cve": null, - "id": "pyup.io-36358", - "specs": [ - "<2.0.8,>2.0.6" - ], - "v": "<2.0.8,>2.0.6" - }, { "advisory": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", "cve": "CVE-2018-16984", 
@@ -1945,18 +2667,207 @@ "v": "<2.1.6,>=2.1.0" }, { - "advisory": "django 2.0.10 fixes a security issue - CVE-2019-3498 - where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", - "cve": "CVE-2019-3498", - "id": "pyup.io-36770", + "advisory": "django 1.11.15 fixes a phishing security issue in 1.11.14 if the :class:`~django.middleware.common.CommonMiddleware` and the :setting:`APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash.", + "cve": null, + "id": "pyup.io-36359", "specs": [ - "==2.0.9" + "==1.11.14" ], - "v": "==2.0.9" + "v": "==1.11.14" }, { - "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. 
This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", + "advisory": "Django 1.11.21 fixes a security issue in 1.11.20: CVE-2019-12308 (AdminURLFieldWidget XSS).", "cve": null, - "id": "pyup.io-25722", + "id": "pyup.io-37186", + "specs": [ + "==1.11.20" + ], + "v": "==1.11.20" + }, + { + "advisory": "Django 1.11.23 fixes the following security issues in 1.11.22: CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, and CVE-2019-14235.", + "cve": "CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235", + "id": "pyup.io-37326", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.27 fixes CVE-2019-19844 in 1.11.26: potential account hijack via password reset form.", + "cve": null, + "id": "pyup.io-37663", + "specs": [ + "==1.11.26" + ], + "v": "==1.11.26" + }, + { + "advisory": "Django 1.11.28 fixes a security issue in 1.11.27. Potential SQL injection via ``StringAgg(delimiter)``. 
See: CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37817", + "specs": [ + "==1.11.27" + ], + "v": "==1.11.27" + }, + { + "advisory": "django 2.0.8 fixes a security issue and several bugs in 2.0.7 if the :class:`~django.middleware.common.CommonMiddleware` and the\r\n:setting:`APPEND_SLASH` setting are both enabled, and if the project has a\r\nURL pattern that accepts any path ending in a slash", + "cve": null, + "id": "pyup.io-36358", + "specs": [ + "==2.0.7" + ], + "v": "==2.0.7" + }, + { + "advisory": "django 2.0.10 fixes a security issue - CVE-2019-3498 - where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36770", + "specs": [ + "==2.0.9" + ], + "v": "==2.0.9" + }, + { + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235", + "id": "pyup.io-37325", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37657", + "specs": [ + "==2.1.14" + ], + "v": "==2.1.14" + }, + { + "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 
(AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).", + "cve": "CVE-2019-12308, CVE-2019-11358", + "id": "pyup.io-37185", + "specs": [ + "==2.1.8" + ], + "v": "==2.1.8" + }, + { + "advisory": "Django 2.1.10 fixes a security issue in 2.1.9. CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle", + "cve": "CVE-2020-9402", + "id": "pyup.io-37258", + "specs": [ + "==2.1.9" + ], + "v": "==2.1.9" + }, + { + "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).", + "cve": "CVE-2019-12308, CVE-2019-11358", + "id": "pyup.io-37184", + "specs": [ + "==2.2.1" + ], + "v": "==2.2.1" + }, + { + "advisory": "Django 2.2.11 fixes a security issue in 2.2.10. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. See CVE-2020-9402.", + "cve": "CVE-2020-9402", + "id": "pyup.io-37969", + "specs": [ + "==2.2.10" + ], + "v": "==2.2.10" + }, + { + "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.", + "cve": "CVE-2019-12781", + "id": "pyup.io-37324", + "specs": [ + "==2.2.2" + ], + "v": "==2.2.2" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235", + "id": "pyup.io-37323", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.8 fixes CVE-2019-19118 in 2.2.7: Privilege escalation 
in the Django admin.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37656", + "specs": [ + "==2.2.7" + ], + "v": "==2.2.7" + }, + { + "advisory": "Django 2.2.9 fixes CVE-2019-19844 in 2.2.8: potential account hijack via password reset form.", + "cve": null, + "id": "pyup.io-37662", + "specs": [ + "==2.2.8" + ], + "v": "==2.2.8" + }, + { + "advisory": "Django 2.2.10 fixes a security issue in 2.2.9. Potential SQL injection via ``StringAgg(delimiter)``. See CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37816", + "specs": [ + "==2.2.9" + ], + "v": "==2.2.9" + }, + { + "advisory": "Django 3.0.1 fixes CVE-2019-19844 in 3.0: potential account hijack via password reset form.", + "cve": "CVE-2019-19844", + "id": "pyup.io-37661", + "specs": [ + "==3.0" + ], + "v": "==3.0" + }, + { + "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via ``StringAgg(delimiter)``. See: CVE-2020-7471.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37815", + "specs": [ + "==3.0.2" + ], + "v": "==3.0.2" + }, + { + "advisory": "Django 3.0.4 fixes a security issue in 3.0.3: potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle.", + "cve": "CVE-2020-9402", + "id": "pyup.io-27043", + "specs": [ + "==3.0.3" + ], + "v": "==3.0.3" + }, + { + "advisory": "Django 3.0.4 fixes a security issue in 3.0.3. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. See CVE-2020-9402.", + "cve": null, + "id": "pyup.io-37968", + "specs": [ + "==3.0.3" + ], + "v": "==3.0.3" + }, + { + "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. 
In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", + "cve": null, + "id": "pyup.io-25722", "specs": [ ">=1.10,<1.10.3" ], @@ -1980,6 +2891,17 @@ ], "v": ">=1.10,<1.10.8" }, + { + "advisory": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", + "cve": "CVE-2020-7471", + "id": "pyup.io-37970", + "specs": [ + ">=1.11,<1.11.28", + ">=2.2,<2.2.10", + ">=3.0,<3.0.3" + ], + "v": ">=1.11,<1.11.28,>=2.2,<2.2.10,>=3.0,<3.0.3" + }, { "advisory": "Django 1.11.5 fixes a security issue and several bugs in 1.11.4.\r\n\r\nCVE-2017-12794: Possible XSS in traceback section of technical 500 debug page\r\n=============================================================================\r\n\r\nIn older versions, HTML autoescaping was disabled in a portion of the template\r\nfor the technical 500 debug page. Given the right circumstances, this allowed\r\na cross-site scripting attack. This vulnerability shouldn't affect most\r\nproduction sites since you shouldn't run with ``DEBUG = True`` (which makes\r\nthis page accessible) in your production settings.", "cve": null, 
@@ -1994,10 +2916,76 @@ "cve": "CVE-2018-14574", "id": "pyup.io-36368", "specs": [ - ">=1.11.0, <1.11.15", - ">=2.0.0, <2.0.8" + ">=1.11.0,<1.11.15", + ">=2.0.0,<2.0.8" + ], + "v": ">=1.11.0,<1.11.15,>=2.0.0,<2.0.8" + }, + { + "advisory": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", + "cve": "CVE-2019-12308", + "id": "pyup.io-37191", + "specs": [ + ">=1.11.0,<1.11.21", + ">=2.1,<2.1.9", + ">=2.2,<2.2.2" + ], + "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", + "cve": "CVE-2019-14234", + "id": "pyup.io-37357", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", + "cve": "CVE-2019-14235", + "id": "pyup.io-37331", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", + "cve": "CVE-2019-14233", + "id": "pyup.io-37330", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", + "cve": "CVE-2019-14232", + "id": "pyup.io-37329", + "specs": [ + ">=1.11.0,<1.11.23", + ">=2.1.0,<2.1.11", + ">=2.2.0,<2.2.4" + ], + "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" + }, + { + "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. 
See CVE-2020-9402.", + "cve": "CVE-2020-9402", + "id": "pyup.io-38010", + "specs": [ + ">=1.11.0,<1.11.29", + ">=2.2.0,<2.2.11", + ">=3.0.0,<3.0.4" ], - "v": ">=1.11.0, <1.11.15,>=2.0.0, <2.0.8" + "v": ">=1.11.0,<1.11.29,>=2.2.0,<2.2.11,>=3.0.0,<3.0.4" }, { "advisory": "CVE-2018-6188: Information leakage in ``AuthenticationForm``\r\n============================================================\r\n\r\nA regression in Django 1.11.8 made\r\n:class:`~django.contrib.auth.forms.AuthenticationForm` run its\r\n``confirm_login_allowed()`` method even if an incorrect password is entered.\r\nThis can leak information about a user, depending on what messages\r\n``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't\r\noverridden, an attacker enter an arbitrary username and see if that user has\r\nbeen set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,\r\nmore sensitive details could be leaked.\r\n\r\nThis issue is fixed with the caveat that ``AuthenticationForm`` can no longer\r\nraise the \"This account is inactive.\" error if the authentication backend\r\nrejects inactive users (the default authentication backend, ``ModelBackend``,\r\nhas done that since Django 1.10). This issue will be revisited for Django 2.1\r\nas a fix to address the caveat will likely be too invasive for inclusion in\r\nolder versions.", 
@@ -2267,6 +3255,16 @@ ">=2.0,<2.0.2" ], "v": ">=2.0,<2.0.2" + }, + { + "advisory": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) See: CVE-2019-19118.", + "cve": "CVE-2019-19118", + "id": "pyup.io-37766", + "specs": [ + ">=2.1,<2.1.15", + ">=2.2,<2.2.8" + ], + "v": ">=2.1,<2.1.15,>=2.2,<2.2.8" } ], "django-access-tokens": [ @@ -2320,6 +3318,15 @@ "<0.34.0" ], "v": "<0.34.0" + }, + { + "advisory": "Django-allauth 0.41.0 conforms to the general Django 3.0.1, 2.2.9, and 1.11.27 security release - see CVE-2019-19844 and https://www.djangoproject.com/weblog/2019/dec/18/security-releases/", + "cve": null, + "id": "pyup.io-37664", + "specs": [ + "<0.41.0" + ], + "v": "<0.41.0" } ], "django-allauth-underground": [ 
@@ -2505,6 +3512,17 @@ "v": "<3.4.3" } ], + "django-cors-headers": [ + { + "advisory": "In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 ) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']", + "cve": null, + "id": "pyup.io-37132", + "specs": [ + "<3.0.0" + ], + "v": "<3.0.0" + } + ], "django-countries": [ { "advisory": "django-countries 3.4 fixes a XSS escaping issue in CountrySelectWidget.", @@ -2514,6 +3532,15 @@ "<3.4" ], "v": "<3.4" + }, + { + "advisory": "django-countries 3.4 fixes an XSS escaping issue in CountrySelectWidget", + "cve": null, + "id": "pyup.io-37951", + "specs": [ + "<3.4" + ], + "v": "<3.4" } ], "django-crispy-forms": [ @@ -2679,6 +3706,17 @@ "v": "<1.0.1" } ], + "django-formidable": [ + { + "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.", + "cve": null, + "id": "pyup.io-37875", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" + } + ], "django-friendship": [ { "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.", 
@@ -2712,6 +3750,17 @@ "v": "<2.4" } ], + "django-hashid-field": [ + { + "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.", + "cve": null, + "id": "pyup.io-37680", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + } + ], "django-haystack": [ { "advisory": "django-haystack 1.1 removes insecure use of ``eval`` from the Whoosh backend.", @@ -2743,6 +3792,15 @@ "<1.0.4" ], "v": "<1.0.4" + }, + { + "advisory": "Django-howl 1.0.5 updates Pipfile.lock and test environment to avoid security issues.", + "cve": null, + "id": "pyup.io-38069", + "specs": [ + "<1.0.5" + ], + "v": "<1.0.5" } ], "django-html5-appcache": [ @@ -2820,6 +3878,17 @@ "v": "<0.6.9" } ], + "django-mail-auth": [ + { + "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.", + "cve": null, + "id": "pyup.io-37171", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], "django-make-app": [ { "advisory": "An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.", @@ -2933,6 +4002,24 @@ "<0.7" ], "v": "<0.7" + }, + { + "advisory": "django-newsletter 0.9 updates several dependencies (waitress, Django) due to security issues", + "cve": null, + "id": "pyup.io-37916", + "specs": [ + "<0.9" + ], + "v": "<0.9" + }, + { + "advisory": "Django-newsletter 0.9b1 updates several dependencies due to security issues.", + "cve": null, + "id": "pyup.io-37677", + "specs": [ + "<0.9b1" + ], + "v": "<0.9b1" } ], "django-ninecms": [ 
@@ -2946,6 +4033,26 @@ "v": "<0.4.5b" } ], + "django-orghierarchy": [ + { + "advisory": "Django-orghierarchy 0.1.13 updates Django for security reasons.", + "cve": null, + "id": "pyup.io-37039", + "specs": [ + "<0.1.13" + ], + "v": "<0.1.13" + }, + { + "advisory": "Django-orghierarchy 0.1.18 includes a not further specified security update.", + "cve": null, + "id": "pyup.io-37038", + "specs": [ + "<0.1.18" + ], + "v": "<0.1.18" + } + ], "django-piston": [ { "advisory": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", @@ -3044,6 +4151,15 @@ } ], "django-rest-registration": [ + { + "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: .", + "cve": null, + "id": "pyup.io-37385", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + }, { "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", "cve": "CVE-2019-13177", 
@@ -3198,7 +4314,7 @@ ], "django-storages": [ { - "advisory": "django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure\r\n default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket\r\n permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL =\r\n None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.", + "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.", "cve": null, "id": "pyup.io-36434", "specs": [ @@ -3218,6 +4334,17 @@ "v": "<0.9.10" } ], + "django-triggers": [ + { + "advisory": "Django-triggers 2.0.13 updates some dependencies to their latest secure versions.", + "cve": null, + "id": "pyup.io-37072", + "specs": [ + "<2.0.13" + ], + "v": "<2.0.13" + } + ], "django-ucamlookup": [ { "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros", 
@@ -3391,6 +4518,44 @@ "<0.8.3" ], "v": "<0.8.3" + }, + { + "advisory": "An eval() vulnerability exists in Python Software Foundation Djblets 0.7.21 and Beanbag Review Board before 1.7.15 when parsing JSON requests. See: CVE-2013-4409.", + "cve": "CVE-2013-4409", + "id": "pyup.io-37636", + "specs": [ + "==0.7.21" + ], + "v": "==0.7.21" + } + ], + "djedefre": [ + { + "advisory": "djedefre 0.7.0 fixes a security bug in \"djoser.views.UserView\"", + "cve": null, + "id": "pyup.io-37913", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + }, + { + "advisory": "djedefre 1.3.2 fixes vulnerability of user endpoints.", + "cve": null, + "id": "pyup.io-37912", + "specs": [ + "<1.3.2" + ], + "v": "<1.3.2" + }, + { + "advisory": "djedefre 1.5.1 fixes a vulnerability of UserViewSet that allows to create new accounts on wrong endpoint", + "cve": null, + "id": "pyup.io-37911", + "specs": [ + "<1.5.1" + ], + "v": "<1.5.1" } ], "djoser": [ 
@@ -3422,31 +4587,64 @@ "v": "<1.5.1" } ], - "docker": [ + "dlhub-gateway": [ { - "advisory": "docker 3.5.1 bumps version of `pyOpenSSL` in `requirements.txt` and `setup.py` to prevent\r\n installation of a vulnerable version.", + "advisory": "Dlhub-gateway 2.0.0 fixes security requirements in the swagger spec.", "cve": null, - "id": "pyup.io-36783", + "id": "pyup.io-37339", "specs": [ - "<3.5.1" + "<2.0.0" ], - "v": "<3.5.1" + "v": "<2.0.0" } ], - "docker-registry": [ + "dmoj": [ { - "advisory": "docker-registry 0.8.1 has security fixes (path traversing prevention and token validation).", + "advisory": "Dmoj 1.4.0 includes a number of enhancements and security fixes.", "cve": null, - "id": "pyup.io-25805", + "id": "pyup.io-37474", "specs": [ - "<0.8.1" + "<1.4.0" ], - "v": "<0.8.1" + "v": "<1.4.0" } ], - "donfig": [ + "docassemble": [ { - "advisory": "An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.", + "advisory": "Docassemble 0.5.105 upgrades 'bleach' due to security vulnerability", + "cve": null, + "id": "pyup.io-37941", + "specs": [ + "<0.5.105" + ], + "v": "<0.5.105" + } + ], + "docker": [ + { + "advisory": "docker 3.5.1 bumps version of `pyOpenSSL` in `requirements.txt` and `setup.py` to prevent\r\n installation of a vulnerable version.", + "cve": null, + "id": "pyup.io-36783", + "specs": [ + "<3.5.1" + ], + "v": "<3.5.1" + } + ], + "docker-registry": [ + { + "advisory": "docker-registry 0.8.1 has security fixes (path traversing prevention and token validation).", + "cve": null, + "id": "pyup.io-25805", + "specs": [ + "<0.8.1" + ], + "v": "<0.8.1" + } + ], + "donfig": [ + { + "advisory": "An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. 
It can execute arbitrary Python commands, resulting in command execution.", "cve": "CVE-2019-7537", "id": "pyup.io-36976", "specs": [ 
@@ -3519,6 +4717,46 @@ "v": "<0.7" } ], + "ec2-metadata": [ + { + "advisory": "Ec2-metadata 2.2.0 moves to use Instance Metadata Service version 2 due to its increased security - see: https://github.com/adamchainz/ec2-metadata/issues/150", + "cve": null, + "id": "pyup.io-38053", + "specs": [ + "<2.2.0" + ], + "v": "<2.2.0" + } + ], + "ecdsa": [ + { + "advisory": "A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. See: CVE-2019-14859.", + "cve": "CVE-2019-14859", + "id": "pyup.io-37763", + "specs": [ + "<0.13.3" + ], + "v": "<0.13.3" + }, + { + "advisory": "An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service. See CVE-2019-14853.", + "cve": "CVE-2019-14853", + "id": "pyup.io-37762", + "specs": [ + "<0.13.3" + ], + "v": "<0.13.3" + }, + { + "advisory": "In ecdsa 0.14, deterministic signatures verify that the signature won't leak private key through very unlikely selection of `k` value (the nonce). Nonce bit size hiding was added (hardening against Minerva attack). Please note that it DOES NOT make library secure against side channel attacks (timing attacks).", + "cve": null, + "id": "pyup.io-37637", + "specs": [ + "<0.14" + ], + "v": "<0.14" + } + ], "edrnsite.policy": [ { "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.", 
@@ -3539,6 +4777,15 @@ "<0.2.8" ], "v": "<0.2.8" + }, + { + "advisory": "Eh 1.3.0 fixes a pyyaml security issue.", + "cve": null, + "id": "pyup.io-37500", + "specs": [ + "<1.3.0" + ], + "v": "<1.3.0" } ], "electrumx": [ @@ -3625,7 +4872,49 @@ "v": "<0.3.0" } ], + "ethically": [ + { + "advisory": "Ethically 0.0.3 fixes security issues with dependencies.", + "cve": null, + "id": "pyup.io-37042", + "specs": [ + "<0.0.3" + ], + "v": "<0.0.3" + } + ], + "ethsnarks": [ + { + "advisory": "Ethsnarks 0.18.10.1 fixes security bugs in MiMC-p/p and Miximus.", + "cve": null, + "id": "pyup.io-37387", + "specs": [ + "<0.18.10.1" + ], + "v": "<0.18.10.1" + } + ], + "etlstat": [ + { + "advisory": "etlstat 0.6.1 updates SQLAlchemy in requirements.txt to fix moderate security issues", + "cve": null, + "id": "pyup.io-37878", + "specs": [ + "<0.6.1" + ], + "v": "<0.6.1" + } + ], "euphorie": [ + { + "advisory": "Euphorie 11.1.2 tightens the security on several client views.", + "cve": null, + "id": "pyup.io-37459", + "specs": [ + "<11.1.2" + ], + "v": "<11.1.2" + }, { "advisory": "euphorie 6.1 fixes a security issue: modify client to always check if a survey session belongs to the current user.", "cve": null, 
@@ -3647,6 +4936,44 @@ "v": "<0.2.9" } ], + "extensiveautomation-server": [ + { + "advisory": "Extensiveautomation-server 12.1.0 reactivates SSLv3 cipher to support Linux client in python 2.6, fixes a security issue on folder creation in repository (no more full rights), and fixes a security issue on web services (bad handle of the level access).", + "cve": null, + "id": "pyup.io-37348", + "specs": [ + "<12.1.0" + ], + "v": "<12.1.0" + }, + { + "advisory": "Extensiveautomation-server 13.0.0 includes various security improvements:\r\n- No longer uses truncate tables.\r\n- No longer creates folders with 777 mode.\r\n- Includes a new script to secure the server after a from-scratch installation.\r\n- Dumps mysql user in settings file, with updates on all services.", + "cve": null, + "id": "pyup.io-37347", + "specs": [ + "<13.0.0" + ], + "v": "<13.0.0" + }, + { + "advisory": "Extensiveautomation-server 14.0.0 includes various security updates:\r\n- It has a minor improvement to secure the product (php and apache).\r\n- It encrypts test environment data.\r\n- It no longer run server as root.\r\n- It no longer uses the root account for database access.", + "cve": null, + "id": "pyup.io-37346", + "specs": [ + "<14.0.0" + ], + "v": "<14.0.0" + }, + { + "advisory": "Extensiveautomation-server 16.0.0 fixes a security issue on rest API: it fixes the error on the get variables listing.", + "cve": null, + "id": "pyup.io-37345", + "specs": [ + "<16.0.0" + ], + "v": "<16.0.0" + } + ], "eyed3": [ { "advisory": "tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.", 
@@ -3658,6 +4985,66 @@ "v": "<0.6.18" } ], + "faker": [ + { + "advisory": "Faker 0.1 includes the message: \"`bundler-audit` has identified that i18 has fix a security vulnerability, that has been fixed in the 0.8 version.\"", + "cve": null, + "id": "pyup.io-37386", + "specs": [ + "<0.1" + ], + "v": "<0.1" + }, + { + "advisory": "Faker 2.1.2: `bundler-audit` has identified that i18 has a security vulnerability, that has been fixed in the 0.8 version.", + "cve": null, + "id": "pyup.io-37658", + "specs": [ + "<2.1.2" + ], + "v": "<2.1.2" + } + ], + "fast-curator": [ + { + "advisory": "Fast-curator 0.2.2 switches to pyyaml `safe_load` for better security.", + "cve": null, + "id": "pyup.io-37514", + "specs": [ + "<0.2.2" + ], + "v": "<0.2.2" + } + ], + "fastapi": [ + { + "advisory": "Fastapi 0.18.0 updates dependencies for security reasons.", + "cve": null, + "id": "pyup.io-37084", + "specs": [ + "<0.18.0" + ], + "v": "<0.18.0" + }, + { + "advisory": "Fastapi 0.30.0 avoids/fixes a potential security issue: as the returned object is passed directly to Pydantic, if the returned object was a subclass of the `response_model` (e.g. you return a `UserInDB` that inherits from `User` but contains extra fields, like `hashed_password`, and `User` is used in the `response_model`), it would still pass the validation (because `UserInDB` is a subclass of `User`) and the object would be returned as-is, including the `hashed_password`. To fix this, the declared `response_model` is cloned, if it is a Pydantic model class (or contains Pydantic model classes in it, e.g. in a `List[Item]`), the Pydantic model class(es) will be a different one (the \"cloned\" one). So, an object that is a subclass won't simply pass the validation and returned as-is, because it is no longer a sub-class of the cloned `response_model`. Instead, a new Pydantic model object will be created with the contents of the returned object. 
So, it will be a new object (made with the data from the returned one), and will be filtered by the cloned `response_model`, containing only the declared fields as normally.", + "cve": null, + "id": "pyup.io-37231", + "specs": [ + "<0.30.0" + ], + "v": "<0.30.0" + }, + { + "advisory": "Fastapi 0.37.0 fixes a security issue: when returning a sub-class of a response model and using `skip_defaults` it could leak information. See: https://github.com/tiangolo/fastapi/pull/485", + "cve": null, + "id": "pyup.io-37428", + "specs": [ + "<0.37.0" + ], + "v": "<0.37.0" + } + ], "featureserver": [ { "advisory": "featureserver before 1.06 allowed JSON callbacks.", 
@@ -3727,6 +5114,53 @@ "v": "<5.1.2" } ], + "fincity-django-allauth": [ + { + "advisory": "In fincity-django-allauth 0.18.0, the Persona provider now requires the ``AUDIENCE`` parameter to be explicitly configured, as required by the Persona specification for security reasons. Also, the inline Javascript is removed from the ``fbconnect.html`` template, which allows for a more strict ``Content-Security-Policy``. If you were using the builtin ``fbconnect.html`` this change should go by unnoticed.", + "cve": null, + "id": "pyup.io-37466", + "specs": [ + "<0.18.0" + ], + "v": "<0.18.0" + }, + { + "advisory": "Version prior to fincity-django-allauth 0.28.0 contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.", + "cve": null, + "id": "pyup.io-37464", + "specs": [ + "<0.28.0" + ], + "v": "<0.28.0" + }, + { + "advisory": "Before fincity-django-allauth 0.34.0, the \"Set Password\" view did not properly check whether or not the user already had a usable password set. 
This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", + "cve": null, + "id": "pyup.io-37463", + "specs": [ + "<0.34.0" + ], + "v": "<0.34.0" + }, + { + "advisory": "As an extra security measure on top of what the standard Django password reset token generator is already facilitating, allauth in fincity-django-allauth 0.35.0 adds the user email address to the hash such that whenever the user's email address changes the token is invalidated.", + "cve": null, + "id": "pyup.io-37462", + "specs": [ + "<0.35.0" + ], + "v": "<0.35.0" + }, + { + "advisory": "Before fincity-django-allauth 0.38.0, the ``{% user_display user %}`` tag did not escape properly. Depending on the username validation rules, this could lead to XSS issues.", + "cve": null, + "id": "pyup.io-37465", + "specs": [ + "<0.38.0" + ], + "v": "<0.38.0" + } + ], "flashfocus": [ { "advisory": "flashfocus 1.2.0 updates pyaml version in requirements due to security vulnerability", 
@@ -3796,6 +5230,80 @@ "v": "<=1.5.2" } ], + "flask-appbuilder": [ + { + "advisory": "Flask-appbuilder 0.2.0 includes reset password corrections.", + "cve": null, + "id": "pyup.io-37060", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + }, + { + "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.", + "cve": null, + "id": "pyup.io-37064", + "specs": [ + "<0.7.8" + ], + "v": "<0.7.8" + }, + { + "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n", + "cve": null, + "id": "pyup.io-37905", + "specs": [ + "<0.7.8" + ], + "v": "<0.7.8" + }, + { + "advisory": "flask-appbuilder 1.9.0 prevents masquerade attacks through oauth providers", + "cve": null, + "id": "pyup.io-37828", + "specs": [ + "<1.9.0" + ], + "v": "<1.9.0" + }, + { + "advisory": "Flask-appbuilder 1.9.0 prevent masquerade attacks through OAuth providers and fixes crash on OAuth errors, which was a security concern.", + "cve": null, + "id": "pyup.io-37061", + "specs": [ + "<1.9.0" + ], + "v": "<1.9.0" + }, + { + "advisory": "flask-appbuilder 1.9.2 fixes possible SQL injection vulnerability", + "cve": null, + "id": "pyup.io-37297", + "specs": [ + "<1.9.2" + ], + "v": "<1.9.2" + }, + { + "advisory": "Flask-appbuilder 2.2.2 make userstatschartview optional (a security issue) (#1239).", + "cve": null, + "id": "pyup.io-37059", + "specs": [ + "<2.2.2" + ], + "v": "<2.2.2" + }, + { + "advisory": "Flask-appbuilder 2.2.4 toggles pvm, perm and vm mvc views config options (a security issue) (#1259).", + "cve": null, + "id": "pyup.io-37130", + "specs": [ + "<2.2.4" + ], + "v": "<2.2.4" + } + ], "flask-async": [ { "advisory": "flask-async 0.6.1 fixes a security problem that allowed clients to download arbitrary files if the host server was a windows based operating system and the client uses backslashes to escape the directory the files where exposed from.", 
@@ -3818,6 +5326,17 @@ "v": "<1.2.2" } ], + "flask-flatpages": [ + { + "advisory": "Flask-flatpages 0.7.1 updates its dependencies to resolve some severe security alerts.", + "cve": null, + "id": "pyup.io-37077", + "specs": [ + "<0.7.1" + ], + "v": "<0.7.1" + } + ], "flask-i18n": [ { "advisory": "flask-i18n 1.1.1 update is for security vulnerabilities", @@ -3873,6 +5392,17 @@ "v": "<0.2.2" } ], + "flask-monitoring": [ + { + "advisory": "flask-monitoring 1.10.0 adds security for automatic endpoint-data retrieval", + "cve": null, + "id": "pyup.io-37847", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + } + ], "flask-oauthlib": [ { "advisory": "flask-oauthlib before 0.9.1 improves on security. (Without further details).", @@ -3906,15 +5436,37 @@ "v": "<1.8.1" } ], - "flask-statsdclient": [ + "flask-sieve": [ { - "advisory": "flask-statsdclient 2.0.2 is for security vulnerabilities", + "advisory": "Flask-sieve 1.1.0 updates Pillow (PIL-fork) to fix security vulnerabilities.", "cve": null, - "id": "pyup.io-36813", + "id": "pyup.io-37632", "specs": [ - "<2.0.2" + "<1.1.0" ], - "v": "<2.0.2" + "v": "<1.1.0" + } + ], + "flask-socketio": [ + { + "advisory": "Flask-socketio 4.2.0 addresses potential websocket cross-origin attacks. See: .", + "cve": null, + "id": "pyup.io-37309", + "specs": [ + "<4.2.0" + ], + "v": "<4.2.0" + } + ], + "flask-statsdclient": [ + { + "advisory": "flask-statsdclient 2.0.2 is for security vulnerabilities", + "cve": null, + "id": "pyup.io-36813", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" } ], "flex": [ @@ -4027,6 +5579,17 @@ "v": "<1.3.4" } ], + "ftw.lawgiver": [ + { + "advisory": "Ftw.lawgiver 1.16.1 fixes the workflow security.", + "cve": null, + "id": "pyup.io-37470", + "specs": [ + "<1.16.1" + ], + "v": "<1.16.1" + } + ], "ftw.mail": [ { "advisory": "ftw.mail 2.2.3 makes mail view XSS-save using the safe-html transform for the mail-body display.", 
@@ -4104,6 +5667,37 @@ "v": "<0.6.1" } ], + "geokey": [ + { + "advisory": "Geokey 1.11.2 upgrades the REST framework (+GIS) dependencies in order to resolve reported vulnerability issue.", + "cve": null, + "id": "pyup.io-37207", + "specs": [ + "<1.11.2" + ], + "v": "<1.11.2" + }, + { + "advisory": "Geokey 1.3.1 includes a not further specified security update.", + "cve": null, + "id": "pyup.io-35080", + "specs": [ + "<1.3.1" + ], + "v": "<1.3.1" + } + ], + "geonode": [ + { + "advisory": "geonode 2.10.30\r\n\r\n== Bumps ==\r\ndjango from 1.11.21 to 1.11.22\r\ntwisted from 18.9.0 to 19.2.1\r\nurllib3 to 1.24.2\r\n\r\n== Also ==\r\nRemoves not useful and potentially blocking calls from signals and login/out calls\r\nGeneral security and encoding updates\r\nSecurity vulnerabilities on deps (PyYAML)\r\nEnforce GeoNode REST service API security", + "cve": null, + "id": "pyup.io-37877", + "specs": [ + "<2.10.3" + ], + "v": "<2.10.3" + } + ], "gevent": [ { "advisory": "gevent 1.2a1 includes a security related fix. Errors logged by :class:`~gevent.pywsgi.WSGIHandler` no longer print the entire WSGI environment by default. This avoids possible information disclosure vulnerabilities. Applications can also opt-in to a higher security level for the WSGI environment if they choose and their frameworks support it. Originally reported in :pr:`779` by sean-peters-au and changed in :pr:`781`.", 
@@ -4256,6 +5850,39 @@ "v": "<1.5.4" } ], + "gordo-components": [ + { + "advisory": "Gordo-components 0.15.1 updates the dependency urllib3 >= 1.24.2 to address urllib3 security alert - see https://nvd.nist.gov/vuln/detail/CVE-2019-11324", + "cve": "CVE-2019-11324", + "id": "pyup.io-37545", + "specs": [ + "<0.15.1" + ], + "v": "<0.15.1" + } + ], + "gphotos-sync": [ + { + "advisory": "gphotos-sync 2.9 update dependencies for security patches", + "cve": null, + "id": "pyup.io-37829", + "specs": [ + "<2.9" + ], + "v": "<2.9" + } + ], + "great-components": [ + { + "advisory": "great-components 25.0.1 updates lodash vulnerability", + "cve": null, + "id": "pyup.io-37925", + "specs": [ + "<25.0.1" + ], + "v": "<25.0.1" + } + ], "guillotina": [ { "advisory": "guillotina 4.5.8 fixes memory leak in security policy lookups", @@ -4267,6 +5894,28 @@ "v": "<4.5.8" } ], + "gvar": [ + { + "advisory": "Gvar 9.2.1 fixes bugs in gvar.load and gvar.dump caused by recent security upgrades to pyYAML.", + "cve": null, + "id": "pyup.io-37809", + "specs": [ + "<9.2.1" + ], + "v": "<9.2.1" + } + ], + "heedy": [ + { + "advisory": "Heedy 0.3.0a1 reports it its changelog: There might [...] be security issues. Use at your own risk.", + "cve": null, + "id": "pyup.io-37687", + "specs": [ + "<0.3.0a1" + ], + "v": "<0.3.0a1" + } + ], "henosis": [ { "advisory": "henosis before 0.0.11 included a vulnerability that was opened by using `yaml.load` as opposed to `yaml.safe_load` ([issue 22](https://github.com/vc1492a/henosis/issues/22)).", 
@@ -4304,19 +5953,18 @@ "cve": null, "id": "pyup.io-36326", "specs": [ - "<0.73.2", - ">=0.56" + ">=0.56,<0.73.2" ], - "v": "<0.73.2,>=0.56" + "v": ">=0.56,<0.73.2" }, { - "advisory": "homeassistant 3.0 docker: Fix cve-2019-5736", + "advisory": "The markdown renderer in homeassistant 0.98 is vulnerable to an XSS attack if exposed to specially crafted markdown. This was fixed in 0.98.5. See: .", "cve": null, - "id": "pyup.io-36934", + "id": "pyup.io-37453", "specs": [ - "<3.0" + ">=0.98,<0.98.5" ], - "v": "<3.0" + "v": ">=0.98,<0.98.5" } ], "hpack": [ @@ -4339,6 +5987,17 @@ "v": "<2.3.0" } ], + "hpim-dm": [ + { + "advisory": "hpim-dm 1.0 includes dissertation work and security implementation", + "cve": null, + "id": "pyup.io-37836", + "specs": [ + "<1.0" + ], + "v": "<1.0" + } + ], "html5": [ { "advisory": "html5 before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, \"always\" (the old True value), \"legacy\" (the new option, and the new default), and \"spec\" (the old False value, and the old default).", @@ -4391,6 +6050,17 @@ "v": "<0.2" } ], + "httpie": [ + { + "advisory": "Httpie 1.0.3 fixes CVE-2019-10751. The way the output filename is generated for ``--download`` requests without ``--output`` resulting in a redirect has been changed to only consider the initial URL as the base for the generated filename, and not the final one. See: .", + "cve": "CVE-2019-10751", + "id": "pyup.io-37405", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" + } + ], "httplib2": [ { "advisory": "httplib2 before and including 0.9.2 on \"SSL certificate hostname mismatch\" it is checked only once: https://github.com/httplib2/httplib2/issues/5", 
@@ -4495,7 +6165,27 @@ "v": "<1.9.6" } ], + "ib-client": [ + { + "advisory": "Ib-client 0.1.2 updates packages (especially Jinja2 which had a vulnerability in version 2.10).", + "cve": null, + "id": "pyup.io-37047", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "im": [ + { + "advisory": "Im 1.5.0 removes the use of non-secure Pickle data.", + "cve": null, + "id": "pyup.io-37434", + "specs": [ + "1.5.0" + ], + "v": "1.5.0" + }, { "advisory": "im before 1.5.0 removes use of insecure Pickle data.", "cve": null, @@ -4506,6 +6196,17 @@ "v": "<1.5.0" } ], + "imageio": [ + { + "advisory": "imageio 2.6.0 fixes a security vulnerability for Windows users that have dcmtk installed, and where an attacker can set the filename", + "cve": null, + "id": "pyup.io-37902", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + } + ], "indico": [ { "advisory": "indico before 2.0.2 uses a insecure transitive dependency (bleach).", 
@@ -4515,6 +6216,52 @@ "<2.0.2" ], "v": "<2.0.2" + }, + { + "advisory": "Indico 2.0.3 no longer shows contribution information (metadata including title, speakers and a partial description) in the contribution list unless the user has access to a contribution.", + "cve": null, + "id": "pyup.io-37568", + "specs": [ + ">=2.0.0,<2.0.3" + ], + "v": ">=2.0.0,<2.0.3" + }, + { + "advisory": "Indico 2.1.11 fixes more places where LaTeX input was not correctly sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.", + "cve": null, + "id": "pyup.io-37570", + "specs": [ + ">=2.1.0,<2.1.11" + ], + "v": ">=2.1.0,<2.1.11" + }, + { + "advisory": "Indico 2.1.3\r\n- Only returns timetable entries for the current session when updating a session through the timetable (issue 3474)\r\n- Prevents session managers/coordinators from modifying certain timetable entries or scheduling contributions not assigned to their session\r\n- Restricts access to timetable entry details to users who are authorized to see them", + "cve": null, + "id": "pyup.io-34153", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Indico 2.2.3 and 2.1.10\r\n- Strip ``@``, ``+``, ``-`` and ``=`` from the beginning of strings when exporting CSV files to avoid security issues when opening the CSV file in Excel.\r\n- Use 027 instead of 000 umask when temporarily changing it to get the current umask.\r\n- Fix LaTeX sanitization to prevent malicious users from running unsafe LaTeX commands through specially crafted abstracts or contribution descriptions, which could lead to the disclosure of local file contents.", + "cve": null, + "id": "pyup.io-37567", + "specs": [ + ">=2.2.0,<2.2.3", + ">=2.1.0,<2.1.10" + ], + "v": ">=2.2.0,<2.2.3,>=2.1.0,<2.1.10" + }, + { + "advisory": "Indico 2.2.4 fixes more places where LaTeX input was not correctly 
sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.", + "cve": null, + "id": "pyup.io-37569", + "specs": [ + ">=2.2.0,<2.2.4" + ], + "v": ">=2.2.0,<2.2.4" } ], "insecure-package": [ @@ -4528,6 +6275,46 @@ "v": "<0.2.0" } ], + "inspetor": [ + { + "advisory": "Inspetor 2.3.1 updates `sprockets` in `Gemfile.lock` to fix security warnings.", + "cve": null, + "id": "pyup.io-37343", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" + } + ], + "instana": [ + { + "advisory": "Instana 1.20.2 upgrades the `event-loop-lag` because of security vulnerabilities in its dependency tree.", + "cve": null, + "id": "pyup.io-34809", + "specs": [ + "<1.20.2" + ], + "v": "<1.20.2" + }, + { + "advisory": "Instana 1.36.1 upgrades the `event-loop-lag` to address a security vulnerability. See: .", + "cve": null, + "id": "pyup.io-37188", + "specs": [ + "<1.36.1" + ], + "v": "<1.36.1" + }, + { + "advisory": "Instana 1.37.1 switches to `@risingstack/v8-profiler` due to security issues in the transitive dependencies of `v8-profiler`.", + "cve": null, + "id": "pyup.io-37187", + "specs": [ + "<1.37.1" + ], + "v": "<1.37.1" + } + ], "invenio": [ { "advisory": "invenio 1.0.2 includes fixes for several undisclosed XSS vulnerabilities.", 
@@ -4558,6 +6345,37 @@ "==1.1.0" ], "v": "<1.0.1,==1.1.0" + }, + { + "advisory": "invenio-admin 1.1.1 bumps Flask-Admin to v1.5.3 due to Cross-Site Scripting vulnerability in previous versions", + "cve": null, + "id": "pyup.io-38011", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], + "invenio-app": [ + { + "advisory": "Invenio-app 1.1.1 fixes a security issue where APP_ALLOWED_HOSTS was not always being checked, and thus could allow host header injection attacks.", + "cve": null, + "id": "pyup.io-37311", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], + "invenio-records": [ + { + "advisory": "Invenio-records 1.0.2 fixes a XSS vulnerability in the admin interface.", + "cve": null, + "id": "pyup.io-37322", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" } ], "invenio-search": [ @@ -4580,6 +6398,15 @@ "<0.2018.08.29.1434" ], "v": "<0.2018.08.29.1434" + }, + { + "advisory": "Ipwb 0.2019.07.26.1435 updates Flask for replay to the latest version to address a security vulnerability in an older versions.", + "cve": null, + "id": "pyup.io-37304", + "specs": [ + "<0.2019.07.26.1435" + ], + "v": "<0.2019.07.26.1435" } ], "ipython": [ 
@@ -4657,6 +6484,37 @@ "v": "<0.6" } ], + "isso-cn": [ + { + "advisory": "Isso-cn 0.6 fixes a cross-site request forgery vulnerability for comment creation, voting, editing and deletion.", + "cve": null, + "id": "pyup.io-37714", + "specs": [ + "<0.6" + ], + "v": "<0.6" + }, + { + "advisory": "Isso-cn 0.7 fixes a malicious HTML injection (due to wrong API usage). All unknown/unsafe HTML tags are now removed from the output (`html5lib` 0.99(9) or later) or properly escaped (older `html5lib` versions).", + "cve": null, + "id": "pyup.io-37713", + "specs": [ + "<0.7" + ], + "v": "<0.7" + } + ], + "jarbas-utils": [ + { + "advisory": "jarbas-utils 0.5.1 casts encryption key to bytes", + "cve": null, + "id": "pyup.io-37883", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + } + ], "jinja": [ { "advisory": "jinja 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.", @@ -4697,6 +6555,35 @@ "v": "<2.7.3" } ], + "jnitrace": [ + { + "advisory": "Jnitrace 1.0.6 bumps version of minimilist to fix vulnerability CVE-2020-7598.", + "cve": "CVE-2020-7598", + "id": "pyup.io-38061", + "specs": [ + "<1.0.6" + ], + "v": "<1.0.6" + }, + { + "advisory": "Jnitrace 2.2.1 upgrades eslint-package to patch security vulnerability.", + "cve": null, + "id": "pyup.io-37427", + "specs": [ + "<2.2.1" + ], + "v": "<2.2.1" + }, + { + "advisory": "Jnitrace 3.0.5 bumps version of acorn to 7.1.1 to fix vulnerability CVE-2020-7598.", + "cve": "CVE-2020-7598", + "id": "pyup.io-38060", + "specs": [ + "<3.0.5" + ], + "v": "<3.0.5" + } + ], "jose": [ { "advisory": "jose 0.3.0 fixed critical JWT vulnerability.", 
@@ -4730,49 +6617,113 @@ "v": "<0.7.0" } ], - "kalliope": [ + "jumpssh": [ { - "advisory": "kalliope 0.5.3 update request lib to fix security vulnerabilities.", + "advisory": "Jumpssh 1.6.3 removes pytest-runner from setup_requires as this is deprecated for security reasons, see https://github.com/pytest-dev/pytest-runner", "cve": null, - "id": "pyup.io-36808", + "id": "pyup.io-38051", "specs": [ - "<0.5.3" + "<1.6.3" ], - "v": "<0.5.3" + "v": "<1.6.3" } ], - "katal": [ + "junos-eznc": [ { - "advisory": "katal before 0.0.6 uses eval() internally.", - "cve": null, - "id": "pyup.io-34247", + "advisory": "Junos-eznc 2.2.1 fixes PyYAML as per CVE-2017-18342.", + "cve": "CVE-2017-18342", + "id": "pyup.io-37081", "specs": [ - "<0.0.6" + "<2.2.1" ], - "v": "<0.0.6" + "v": "<2.2.1" } ], - "katka-core": [ + "jupyter-nbrequirements": [ { - "advisory": "katka-core 0.11.0 decreases the amount of gaping security holes", + "advisory": "Jupyter-nbrequirements 0.6.0 bumps bleach from 3.1.0 to 3.1.1 because it provides better security.", "cve": null, - "id": "pyup.io-36914", + "id": "pyup.io-38077", "specs": [ - "<0.11.0" + "<0.6.0" ], - "v": "<0.11.0" + "v": "<0.6.0" } ], - "kaze-python": [ + "jwql": [ { - "advisory": "kaze-python 0.6.5 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", + "advisory": "Jwql 0.16.0 updates ``django`` to fix security issues.", "cve": null, - "id": "pyup.io-36494", + "id": "pyup.io-37148", "specs": [ - "<0.6.5" + "<0.16.0" ], - "v": "<0.6.5" - }, + "v": "<0.16.0" + } + ], + "kafkacrypto": [ + { + "advisory": "Kafkacrypto 0.9.5 includes one low severity security fix identified during the crypto review.", + "cve": null, + "id": "pyup.io-37515", + "specs": [ + "<0.9.5" + ], + "v": "<0.9.5" + }, + { + "advisory": "Kafkacrypto 0.9.8 includes:\r\n- Implementation of allowlist and denylists. 
This removes the need for separate code pathways for root of trusts, enabling them to be treated as entries in allowlist.\r\n- Implementation of automatic processing of messages to adjust allowlists, denylists, and chains. This enables very short chain lifetimes, a security benefit. It also enables a private key to self-sign that it should be revoked.\r\n- Implementation of a pathlength constraint for further tightening of chains. Minimum usable value is typically 1, unless the end of the chain will not sign any further messages.\r\n- Fix kafka wrapper poll implementation to make the timeout optional.", + "cve": null, + "id": "pyup.io-37560", + "specs": [ + "<0.9.8" + ], + "v": "<0.9.8" + } + ], + "kalliope": [ + { + "advisory": "kalliope 0.5.3 update request lib to fix security vulnerabilities.", + "cve": null, + "id": "pyup.io-36808", + "specs": [ + "<0.5.3" + ], + "v": "<0.5.3" + } + ], + "katal": [ + { + "advisory": "katal before 0.0.6 uses eval() internally.", + "cve": null, + "id": "pyup.io-34247", + "specs": [ + "<0.0.6" + ], + "v": "<0.0.6" + } + ], + "katka-core": [ + { + "advisory": "katka-core 0.11.0 decreases the amount of gaping security holes", + "cve": null, + "id": "pyup.io-36914", + "specs": [ + "<0.11.0" + ], + "v": "<0.11.0" + } + ], + "kaze-python": [ + { + "advisory": "kaze-python 0.6.5 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", + "cve": null, + "id": "pyup.io-36494", + "specs": [ + "<0.6.5" + ], + "v": "<0.6.5" + }, { "advisory": "kaze-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", "cve": null, 
@@ -4794,7 +6745,36 @@ "v": "<0.3.2" } ], + "kedro-viz": [ + { + "advisory": "Kedro-viz 2.1.0 fixes an infosec vulnerability in LoDash (16).", + "cve": null, + "id": "pyup.io-37353", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" + }, + { + "advisory": "Kedro-viz 3.0.0 includes a Snyk fix for one, unspecified vulnerability.", + "cve": null, + "id": "pyup.io-37615", + "specs": [ + "<3.0.0" + ], + "v": "<3.0.0" + } + ], "keyring": [ + { + "advisory": "Python keyring lib before 0.10 created keyring files with world-readable permissions. See: CVE-2012-5577.", + "cve": "CVE-2012-5577", + "id": "pyup.io-37610", + "specs": [ + "<0.10" + ], + "v": "<0.10" + }, { "advisory": "Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.", "cve": "CVE-2012-4571", @@ -4803,6 +6783,15 @@ "<0.9.1" ], "v": "<0.9.1" + }, + { + "advisory": "Python keyring has insecure permissions on new databases allowing world-readable files to be created. See: CVE-2012-5578.", + "cve": "CVE-2012-5578", + "id": "pyup.io-37743", + "specs": [ + "<=0.10" + ], + "v": "<=0.10" } ], "keystonemiddleware": [ @@ -4826,6 +6815,28 @@ "v": "<1.6.0" } ], + "khoros": [ + { + "advisory": "Khoros 2.3.1 updates requirements.txt to use Bleach to version 3.1.1 to mitigate a security alert for a mutation XSS vulnerability. See: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", + "cve": null, + "id": "pyup.io-37961", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" + } + ], + "khorosjx": [ + { + "advisory": "khorosjx 2.3.1 upgrades the bleach package to version 3.1.1 to mitigate an XSS security issue", + "cve": null, + "id": "pyup.io-37935", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" + } + ], "kinto": [ { "advisory": "kinto 12.0.2\r\n **security**: Fix a pagination bug in the PostgreSQL backend that could leak records between collections", 
@@ -4857,34 +6868,51 @@ ], "kinto-dist": [ { - "advisory": "Since Kinto 8.2.0 the `account` plugin had a security flaw where the password wasn't verified during the session duration. It now validates the account user password even when the session is cached (Kinto/kinto1583).", + "advisory": "Signer parameters in kinto-dist before 15.0.2 were displayed in capabilities. This was a security concern.", + "cve": null, + "id": "pyup.io-37169", + "specs": [ + "<15.0.2" + ], + "v": "<15.0.2" + }, + { + "advisory": "Kinto-dist 17.0.0 fixes a pagination bug in the PostgreSQL backend that could leak records between collections.", "cve": null, "id": "pyup.io-36153", "specs": [ - "<8.2.3" + "<17.0.0" ], - "v": "<8.2.3" + "v": "<17.0.0" }, { - "advisory": "kinto-dist between 6.0.0 and 6.0.2 included Kinto 8.2.0 where the `account` plugin had a security flaw where the password wasn't verified during the session duration.", + "advisory": "Kinto-dist between 6.0.0 and 6.0.2 included Kinto 8.2.0 where the `account` plugin had a security flaw where the password wasn't verified during the session duration.", "cve": null, "id": "pyup.io-36291", "specs": [ - ">=6.0.0", - "<=6.0.2" + ">=6.0.0,<=6.0.2" ], "v": ">=6.0.0,<=6.0.2" } ], "kiwitcms": [ { - "advisory": "kiwitcms 6.0 includes a medium severity security update that includes new versions\r\nof Django and Patternfly.", + "advisory": "Kiwitcms 6.0 updates to Django 2.1.2 (due to a high severity security issue) and to Patternfly 3.54.8.", "cve": null, "id": "pyup.io-36649", "specs": [ "<6.0" ], "v": "<6.0" + }, + { + "advisory": "Kiwi TCMS 8.1 prevents an XSS attack via tags by having the JSON-RPC handler escape all HTML strings. Additionally, it updates Django from 3.0.3 to 3.0.4, which fixes security issue CVE-2020-9402.", + "cve": "CVE-2020-9402", + "id": "pyup.io-37503", + "specs": [ + "<8.1" + ], + "v": "<8.1" } ], "knowledge-repo": [ 
@@ -4910,6 +6938,15 @@ } ], "kuber": [ + { + "advisory": "Kuber 10.0.1 bumps the urllib3 version to pick up security fix for CVE-2019-11324.", + "cve": "CVE-2019-11324", + "id": "pyup.io-38099", + "specs": [ + "<10.0.1" + ], + "v": "<10.0.1" + }, { "advisory": "kuber 9.0.0a1 bumps urllib3 version to pick up security fix for CVE-2018-20060.", "cve": null, @@ -4929,6 +6966,33 @@ "<7.0.1" ], "v": "<7.0.1" + }, + { + "advisory": "Kubernetes 10.0.1 Bumps urllib3 version to pick up security fix for CVE-2019-11324 - see: https://github.com/kubernetes-client/python/pull/897", + "cve": null, + "id": "pyup.io-38036", + "specs": [ + ">=10.0,<10.0.1" + ], + "v": ">=10.0,<10.0.1" + }, + { + "advisory": "Kubernetes 8.0.1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707", + "cve": "CVE-2018-20060", + "id": "pyup.io-36761", + "specs": [ + ">=8.0,<8.0.1" + ], + "v": ">=8.0,<8.0.1" + }, + { + "advisory": "Kubernetes 9.0.0a1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707", + "cve": "CVE-2018-20060", + "id": "pyup.io-36760", + "specs": [ + ">=9.0,<9.0.0a1" + ], + "v": ">=9.0,<9.0.0a1" } ], "kubernetes-asyncio": [ @@ -4942,6 +7006,17 @@ "v": "<8.0.3" } ], + "kubetest": [ + { + "advisory": "Kubetest 0.1.0 updates the pyyaml version for security reasons. See: CVE-2017-18342.", + "cve": "CVE-2017-18342", + "id": "pyup.io-37070", + "specs": [ + "<0.1.0" + ], + "v": "<0.1.0" + } + ], "kytos": [ { "advisory": "kytos 2019.1b3 change: Changed some dependencies versions in order to fix security bugs", 
@@ -4975,6 +7050,17 @@ "v": "<0.1.2" } ], + "lambda-warmer-py": [ + { + "advisory": "Lambda-warmer-py 1.2.0 upgrades the lodash dependency for security issues [131577c].", + "cve": null, + "id": "pyup.io-37371", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], "lambdajson": [ { "advisory": "lambdajson 0.1.5 includes a security fix. Using ast.literal_eval as eval.", @@ -4986,6 +7072,28 @@ "v": "<0.1.5" } ], + "lapdog": [ + { + "advisory": "Lapdog 0.18.7 improves API security by switching to custom Lapdog OAuth tokens. Currently this is only supported by Broad accounts. Non-broad accounts will continue to use standard Google application-default credentials when authenticating through the Lapdog API.", + "cve": null, + "id": "pyup.io-37597", + "specs": [ + "<0.18.7" + ], + "v": "<0.18.7" + } + ], + "launchdarkly-server-sdk": [ + { + "advisory": "Setting `verify_ssl` to `False` in the client configuration of launchdarkly-server-sdk before 6.12.2 did not have the expected effect of completely turning off SSL/TLS verification, because it still left _certificate_ verification in effect, so it would allow a totally insecure connection but reject a secure connection whose certificate had an unknown CA. This has been changed so that it will turn off certificate verification as well. This is not a recommended practice and a future version of the SDK will add a way to specify a custom certificate authority instead (to support, for instance, using the Relay Proxy with a self-signed certificate).", + "cve": null, + "id": "pyup.io-38082", + "specs": [ + "<6.12.2" + ], + "v": "<6.12.2" + } + ], "ldap3": [ { "advisory": "ldap3 before 0.9.5.4 has several security issues in lazy connections.", 
@@ -5028,6 +7136,35 @@ "v": "<1.1.105" } ], + "lifx-control-panel": [ + { + "advisory": "Lifx-control-panel 1.5.4 fixes a pretty major security exploit. It adds safe-scopes to all `eval()` calls.", + "cve": null, + "id": "pyup.io-37424", + "specs": [ + "<1.5.4" + ], + "v": "<1.5.4" + }, + { + "advisory": "Lifx-control-panel 1.6.3 removes all `eval()` statements for security.", + "cve": null, + "id": "pyup.io-37423", + "specs": [ + "<1.6.3" + ], + "v": "<1.6.3" + }, + { + "advisory": "lifx-control-panel 1.7.6:\r\n* Pyinstaller 3.6 fixes several security vulnerabilities \r\n* Updated other key repositories, increasing security and speed", + "cve": null, + "id": "pyup.io-37853", + "specs": [ + "<1.7.6" + ], + "v": "<1.7.6" + } + ], "livefyre": [ { "advisory": "livefyre before 2.0.3 uses a release of a transitive dependency with known security vulnerabilities (PyJWT).", @@ -5070,6 +7207,17 @@ "v": "<0.61.0" } ], + "luckycharms": [ + { + "advisory": "Luckycharms 0.5.2 upgrades some dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37144", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], "luigi": [ { "advisory": "luigi 2.1.1 fixes a security issue where malicious users can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", 
@@ -5101,6 +7249,17 @@
 "v": "<3.3.5"
 }
 ],
+ "maestral": [
+ {
+ "advisory": "Communication between the sync daemon and frontend (GUI or CLI) in maestral 0.4.1 is faster and more secure than in previous versions. Additionally, it uses Unix domain sockets instead of TCP/IP sockets for communication with daemon. This means that communication is lighter, faster and more secure (other users on the same PC can no longer connect to your sync daemon).",
+ "cve": null,
+ "id": "pyup.io-37523",
+ "specs": [
+ "<0.4.1"
+ ],
+ "v": "<0.4.1"
+ }
+ ],
 "mailman": [
 {
 "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.",
@@ -5180,6 +7339,15 @@
 ],
 "v": "<1.0.1.14"
 },
+ {
+ "advisory": "Python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. See CVE-2009-3724.",
+ "cve": "CVE-2009-3724",
+ "id": "pyup.io-37735",
+ "specs": [
+ "<1.0.1.14"
+ ],
+ "v": "<1.0.1.14"
+ },
 {
 "advisory": "markdown2 before 1.0.1.15 is vulnerable to a XSS attack via JavaScript injection in a carefully crafted image reference (usage of double-quotes in the URL).",
 "cve": null, 
@@ -5250,6 +7418,17 @@
 "v": "<1.0.0"
 }
 ],
+ "mautrix-telegram": [
+ {
+ "advisory": "Mautrix-telegram 0.6.0 fixes a vulnerability in event handling.",
+ "cve": null,
+ "id": "pyup.io-37432",
+ "specs": [
+ "<0.6.0"
+ ],
+ "v": "<0.6.0"
+ }
+ ],
 "maxminddb": [
 {
 "advisory": "maxminddb 1.1.2 includes a number of important security fixes. Among these fixes is improved validation of the database metadata. Unfortunately, MaxMind GeoIP2 and GeoLite2 databases created earlier than January 28, 2014 had an invalid data type for the `record_size` in the metadata. Previously these databases worked on little endian machines with libmaxminddb but did not work on big endian machines. Due to increased safety checks when reading the file, these databases will no longer work on any platform. If you are using one of these databases, we recommend that you upgrade to the latest GeoLite2 or GeoIP2 database",
@@ -5261,6 +7440,28 @@
 "v": "<1.1.2"
 }
 ],
+ "mdbackup": [
+ {
+ "advisory": "Mdbackup 0.2.0 comes with some bug fixes that made the utility more secure. It introduces the ``Vault secret backend``, where important data (like passwords) can be stored, and the ``File secret backend`` (a fallback secret backend) where secrets are read from the file system directly.",
+ "cve": null,
+ "id": "pyup.io-37725",
+ "specs": [
+ "<0.2.0"
+ ],
+ "v": "<0.2.0"
+ }
+ ],
+ "megalib": [
+ {
+ "advisory": "Megalib 0.9.5alpha updates requirements.txt to fix a vulnerability.",
+ "cve": null,
+ "id": "pyup.io-37099",
+ "specs": [
+ "<0.9.5alpha"
+ ],
+ "v": "<0.9.5alpha"
+ }
+ ],
 "mercurial": [
 {
 "advisory": "In Mercurial before 4.1.3, \"hg serve --stdio\" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.", 
@@ -5305,57 +7506,131 @@
 "v": "<0.10"
 }
 ],
- "mini-amf": [
+ "mi": [
 {
- "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.",
+ "advisory": "Mi 0.1 removes ``pyramid.session.signed_serialize``, and ``pyramid.session.signed_deserialize``. These methods were only used by the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` and were coupled to the vulnerable pickle serialization format which could lead to remove code execution if the secret key is compromised. See: .",
 "cve": null,
- "id": "pyup.io-33048",
+ "id": "pyup.io-38079",
 "specs": [
- "<0.8"
+ "<0.1"
 ],
- "v": "<0.8"
- }
- ],
- "misago": [
+ "v": "<0.1"
+ },
 {
- "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.",
+ "advisory": "mi 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.",
 "cve": null,
- "id": "pyup.io-36607",
+ "id": "pyup.io-37993",
 "specs": [
- "<0.19.4"
+ "<0.4.2"
 ],
- "v": "<0.19.4"
- }
- ],
- "mishmash": [
+ "v": "<0.4.2"
+ },
 {
- "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.",
+ "advisory": "In mi before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. It now uses a randomly generated string.",
 "cve": null,
- "id": "pyup.io-36795",
+ "id": "pyup.io-37982",
 "specs": [
- "<0.3b12"
+ "<1.0a3"
 ],
- "v": "<0.3b12"
- }
- ],
- "mistune": [
+ "v": "<1.0a3"
+ },
 {
- "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. 
It is possible to bypass the renderer's link security check.",
+ "advisory": "The default Mako renderer in mi version 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See https://github.com/Pylons/pyramid/issues/193.",
 "cve": null,
- "id": "pyup.io-25890",
+ "id": "pyup.io-37979",
 "specs": [
- "<0.7.2"
+ "<1.1a1"
 ],
- "v": "<0.7.2"
+ "v": "<1.1a1"
 },
 {
- "advisory": "mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.",
- "cve": "CVE-2017-16876",
- "id": "pyup.io-36332",
+ "advisory": "The AuthTktAuthenticationPolicy before mi 1.3a1 did not use a timing-attack-aware string comparator. See https://github.com/Pylons/pyramid/pull/320 for more info.",
+ "cve": null,
+ "id": "pyup.io-37974",
 "specs": [
- "<0.8.1"
+ "<1.3a1"
+ ],
+ "v": "<1.3a1"
+ },
+ {
+ "advisory": "Mi 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Additionally, it avoids timing attacks against CSRF tokens. See: .",
+ "cve": null,
+ "id": "pyup.io-38003",
+ "specs": [
+ "<1.6a1"
+ ],
+ "v": "<1.6a1"
+ },
+ {
+ "advisory": "mi 1.6a2 further fixes the JSONP renderer by prefixing the returned content with a comment. This should mitigate attacks from Flash (See CVE-2014-4671). 
See https://github.com/Pylons/pyramid/pull/1649",
+ "cve": "CVE-2014-4671",
+ "id": "pyup.io-38002",
+ "specs": [
+ "<1.6a2"
+ ],
+ "v": "<1.6a2"
+ }
+ ],
+ "mini-amf": [
+ {
+ "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.",
+ "cve": null,
+ "id": "pyup.io-33048",
+ "specs": [
+ "<0.8"
+ ],
+ "v": "<0.8"
+ }
+ ],
+ "misago": [
+ {
+ "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.",
+ "cve": null,
+ "id": "pyup.io-36607",
+ "specs": [
+ "<0.19.4"
+ ],
+ "v": "<0.19.4"
+ }
+ ],
+ "mishmash": [
+ {
+ "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.",
+ "cve": null,
+ "id": "pyup.io-36795",
+ "specs": [
+ "<0.3b12"
+ ],
+ "v": "<0.3b12"
+ }
+ ],
+ "mistune": [
+ {
+ "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. It is possible to bypass the renderer's link security check.",
+ "cve": null,
+ "id": "pyup.io-25890",
+ "specs": [
+ "<0.7.2"
+ ],
+ "v": "<0.7.2"
+ },
+ {
+ "advisory": "mistune before 0.8.1 has a cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py which allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.",
+ "cve": "CVE-2017-16876",
+ "id": "pyup.io-36332",
+ "specs": [
+ "<0.8.1"
 ],
 "v": "<0.8.1"
+ },
+ {
+ "advisory": "Mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.",
+ "cve": null,
+ "id": "pyup.io-35030",
+ "specs": [
+ "==0.7.4"
+ ],
+ "v": "==0.7.4"
 }
 ],
 "mitmproxy": [ 
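Review bot: The seven advisories added under the new `"mi"` key (pyup.io-38079 through pyup.io-38002 in this hunk) all describe Pyramid rather than a package called mi: they cite `pyramid.session.signed_serialize`, `AuthTktAuthenticationPolicy` and github.com/Pylons/pyramid issue and pull links. That looks like a mis-keyed upstream record; as it stands the plugin would warn on an unrelated package named `mi` and the Pyramid advisories would not reach Pyramid users. Two of the entries also end in dangling references (`See: .`), which suggests the text was truncated on import. Since this file is synced from upstream safety-db, the fix belongs there, but it is worth reporting or filtering here rather than shipping as-is.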
@@ -5387,6 +7662,17 @@
 "v": "<4.0.4"
 }
 ],
+ "mitogen": [
+ {
+ "advisory": "Before mitogen version 0.2.8, unidirectional routing, where contexts may optionally only communicate with parents and never siblings (so that air-gapped networks cannot be unintentionally bridged) was not inherited when a child was initiated directly from another child. This did not effect Ansible, since the controller initiates any new child used for routing, only forked tasks are initiated by children [gh:commit:`5924af15`].",
+ "cve": null,
+ "id": "pyup.io-37381",
+ "specs": [
+ "<0.2.8"
+ ],
+ "v": "<0.2.8"
+ }
+ ],
 "mixminion": [
 {
 "advisory": "mixminion before 0.0.2 is vulnerable to certain trivial DoS attacks. In particular, it's possible to send zlib bombs or flood a server with open connections.",
@@ -5458,6 +7744,15 @@
 "<1.9.10"
 ],
 "v": "<1.9.10"
+ },
+ {
+ "advisory": "Moin 2.2.2 removes two cross-site scripting vulnerabilities reported by \"office\".",
+ "cve": null,
+ "id": "pyup.io-36475",
+ "specs": [
+ "<2.2.2"
+ ],
+ "v": "<2.2.2"
 }
 ],
 "mollie-api-python": [ 
@@ -5471,6 +7766,57 @@
 "v": "<2.0.4"
 }
 ],
+ "monero": [
+ {
+ "advisory": "Monero 0.10.0 includes a temporary patch (via a predefined user-agent) for the Cross-Site Request Forgery attack against monero-wallet-cli's RPC API.",
+ "cve": null,
+ "id": "pyup.io-37447",
+ "specs": [
+ "<0.10.0"
+ ],
+ "v": "<0.10.0"
+ },
+ {
+ "advisory": "Monero 0.12.0.0 includes tweaked PoW to block DoS attacks from ASICs, as well as a way to securely erase keys from memory, for most cases, when no longer in use.",
+ "cve": null,
+ "id": "pyup.io-37446",
+ "specs": [
+ "<0.12.0.0"
+ ],
+ "v": "<0.12.0.0"
+ },
+ {
+ "advisory": "Monero 0.9.1 includes a bug fix for the block 913193 attack, plus checkpoints.",
+ "cve": null,
+ "id": "pyup.io-37448",
+ "specs": [
+ "<0.9.1"
+ ],
+ "v": "<0.9.1"
+ }
+ ],
+ "monoshape": [
+ {
+ "advisory": "Monoshape 1.2 updates Pillow version for security.",
+ "cve": null,
+ "id": "pyup.io-37605",
+ "specs": [
+ "<1.2"
+ ],
+ "v": "<1.2"
+ }
+ ],
+ "mopidy-jellyfin": [
+ {
+ "advisory": "Mopidy-jellyfin 0.3.1 addresses a security vulnerability in one of its dependencies.",
+ "cve": null,
+ "id": "pyup.io-37281",
+ "specs": [
+ "<0.3.1"
+ ],
+ "v": "<0.3.1"
+ }
+ ],
 "morepath": [
 {
 "advisory": "morepath before 0.14 has no host header validation to protect against header poisoning attacks.",
@@ -5546,6 +7892,15 @@
 "<1.0.0"
 ],
 "v": "<1.0.0"
+ },
+ {
+ "advisory": "Mtprotoproxy 1.0.6 adds more protections from replay attacks.",
+ "cve": null,
+ "id": "pyup.io-37407",
+ "specs": [
+ "<1.0.6"
+ ],
+ "v": "<1.0.6"
 }
 ],
 "murano-dashboard": [ 
@@ -5602,6 +7957,67 @@
 "v": "<=8.0.13"
 }
 ],
+ "nanopb": [
+ {
+ "advisory": "Nanopb 0.2.8 fixes a security issue with PB_ENABLE_MALLOC.",
+ "cve": null,
+ "id": "pyup.io-37705",
+ "specs": [
+ "<0.2.8"
+ ],
+ "v": "<0.2.8"
+ },
+ {
+ "advisory": "Nanopb 0.2.9.1 fixes a security issue due to size_t overflows.",
+ "cve": null,
+ "id": "pyup.io-37808",
+ "specs": [
+ "<0.2.9.1"
+ ],
+ "v": "<0.2.9.1"
+ },
+ {
+ "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.",
+ "cve": null,
+ "id": "pyup.io-37704",
+ "specs": [
+ "<0.3.1"
+ ],
+ "v": "<0.3.1"
+ },
+ {
+ "advisory": "Nanopb 0.2.9.1 and 0.3.1 fix a security issue due to size_t overflows (issue 132).",
+ "cve": null,
+ "id": "pyup.io-37706",
+ "specs": [
+ ">=0.3.0,<0.3.1",
+ ">=0.2.0,<0.2.9.1"
+ ],
+ "v": ">=0.3.0,<0.3.1,>=0.2.0,<0.2.9.1"
+ }
+ ],
+ "nba-scraper": [
+ {
+ "advisory": "Nba-scraper 0.2.7 removes a security flaw where it wasn't verifying SSL certificates during testing.",
+ "cve": null,
+ "id": "pyup.io-37142",
+ "specs": [
+ "<0.2.7"
+ ],
+ "v": "<0.2.7"
+ }
+ ],
+ "nearbeach": [
+ {
+ "advisory": "Nearbeach 0.22.1 fixes several security issues in relation to Bandit, identified by Nearbeach as BUG491, BUG492, BUG493, BUG494, BUG495, BUG496, BUG497, and BUG498.",
+ "cve": null,
+ "id": "pyup.io-37602",
+ "specs": [
+ "<0.22.1"
+ ],
+ "v": "<0.22.1"
+ }
+ ],
 "neo-python": [
 {
 "advisory": "neo-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", 
@@ -5613,6 +8029,17 @@
 "v": "<0.7.8"
 }
 ],
+ "netdumplings": [
+ {
+ "advisory": "Netdumplings 0.4.0 updates the websockets dependency to v7 to fix security warnings.",
+ "cve": null,
+ "id": "pyup.io-37208",
+ "specs": [
+ "<0.4.0"
+ ],
+ "v": "<0.4.0"
+ }
+ ],
 "newrelic": [
 {
 "advisory": "New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.",
@@ -5657,6 +8084,17 @@
 "v": "<1.0.0"
 }
 ],
+ "nifcloud": [
+ {
+ "advisory": "Nifcloud 0.1.7 updates dependencies to fix a vulnerability.",
+ "cve": null,
+ "id": "pyup.io-37098",
+ "specs": [
+ "<0.1.7"
+ ],
+ "v": "<0.1.7"
+ }
+ ],
 "noiseprotocol": [
 {
 "advisory": "noiseprotocol before 0.2.1 used an insecure transitive dependency (Cryptography<=2.1.3).",
@@ -5668,6 +8106,17 @@
 "v": "<0.2.1"
 }
 ],
+ "normcap": [
+ {
+ "advisory": "Normcap 0.1.1 updates PyInstaller to avoid potential vulnerability.",
+ "cve": null,
+ "id": "pyup.io-37722",
+ "specs": [
+ "<0.1.1"
+ ],
+ "v": "<0.1.1"
+ }
+ ],
 "notable": [
 {
 "advisory": "notable 0.0.6 fixes a security regression in the new BoltDB backend.", 
@@ -5711,6 +8160,24 @@
 }
 ],
 "nova": [
+ {
+ "advisory": "OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. See CVE-2011-4076.",
+ "cve": "CVE-2011-4076",
+ "id": "pyup.io-37736",
+ "specs": [
+ "<2012.1"
+ ],
+ "v": "<2012.1"
+ },
+ {
+ "advisory": "Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem. See: CVE-2011-3147.",
+ "cve": "CVE-2011-3147",
+ "id": "pyup.io-37087",
+ "specs": [
+ "<2012.1"
+ ],
+ "v": "<2012.1"
+ },
 {
 "advisory": "The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.2 and 1:2014.1-0 before 1:2014.1-0ubuntu1.2 and Openstack Cinder (python-cinder) package 1:2013.2.3-0 before 1:2013.2.3-0ubuntu1.1 and 1:2014.1-0 before 1:2014.1-0ubuntu1.1 for Ubuntu 13.10 and 14.04 LTS does not properly set the sudo configuration, which makes it easier for attackers to gain privileges by leveraging another vulnerability.",
 "cve": "CVE-2013-1068",
@@ -5793,6 +8260,15 @@
 }
 ],
 "oci": [
+ {
+ "advisory": "oci 2.0.2 opened up the dependency pinning on cryptography due to CVE-2018-10903 - OCI does not call the affected method in cryptography, but upgrading is recommended",
+ "cve": "CVE-2018-10903",
+ "id": "pyup.io-37415",
+ "specs": [
+ "<2.0.2"
+ ],
+ "v": "<2.0.2"
+ },
 {
 "advisory": "In oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability `CVE-2018-1000808`",
 "cve": null, 
@@ -5801,6 +8277,24 @@
 "<2.1.3"
 ],
 "v": "<2.1.3"
+ },
+ {
+ "advisory": "oci 2.1.3 pyOpenSSL pinning was changed to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808",
+ "cve": "CVE-2018-1000808",
+ "id": "pyup.io-37831",
+ "specs": [
+ "<2.1.3"
+ ],
+ "v": "<2.1.3"
+ },
+ {
+ "advisory": "oci 2.10.0 changes pyOpenSSL pinning to pyOpenSSL>=17.5.0 and cryptography pinning to cryptography>=2.1.4 to address vulnerability CVE-2018-1000808",
+ "cve": "CVE-2018-1000808",
+ "id": "pyup.io-37830",
+ "specs": [
+ "<2.10.0"
+ ],
+ "v": "<2.10.0"
 }
 ],
 "oci-cli": [ 
@@ -5814,13 +8308,64 @@
 "v": "<2.4.10"
 },
 {
- "advisory": "oci-cli 2.4.40 - pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.",
- "cve": null,
+ "advisory": "In oci-cli 2.4.40, pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.",
+ "cve": "CVE-2018-1000808",
 "id": "pyup.io-36804",
 "specs": [
 "<2.4.40"
 ],
 "v": "<2.4.40"
+ },
+ {
+ "advisory": "Oci-cli 2.5.9 upgrades Jinja2 to version 2.10.1 to address a vulnerability identified on GitHub as CVE-2019-10906. Jinga isn't used in Oci-cli's run-time system but as part of its documentation build process.",
+ "cve": "CVE-2019-10906",
+ "id": "pyup.io-37139",
+ "specs": [
+ "<2.5.9"
+ ],
+ "v": "<2.5.9"
+ },
+ {
+ "advisory": "Oci-cli 2.6.3 fixes CVE-2017-18342. In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.",
+ "cve": "CVE-2017-18342",
+ "id": "pyup.io-37417",
+ "specs": [
+ "<2.6.3"
+ ],
+ "v": "<2.6.3"
+ }
+ ],
+ "octavia": [
+ {
+ "advisory": "An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. 
This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.",
+ "cve": "CVE-2019-3895",
+ "id": "pyup.io-37192",
+ "specs": [
+ "<0.9.0"
+ ],
+ "v": "<0.9.0"
+ },
+ {
+ "advisory": "Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.",
+ "cve": "CVE-2019-17134",
+ "id": "pyup.io-37547",
+ "specs": [
+ ">=0.10.0,<2.1.2",
+ ">=3.0.0,<3.2.0",
+ ">=4.0.0,<4.1.0"
+ ],
+ "v": ">=0.10.0,<2.1.2,>=3.0.0,<3.2.0,>=4.0.0,<4.1.0"
+ }
+ ],
+ "oe-geoutils": [
+ {
+ "advisory": "Oe-geoutils 1.5.2 solves security vulnerabilities from external packages 101.",
+ "cve": null,
+ "id": "pyup.io-37666",
+ "specs": [
+ "<1.5.2"
+ ],
+ "v": "<1.5.2"
 }
 ],
 "onegov.form": [
@@ -5834,6 +8379,17 @@
 "v": "<0.16.1"
 }
 ],
+ "onelogin-aws-assume-role": [
+ {
+ "advisory": "For security reasons, onelogin-aws-assume-role 1.3.0 removes the ability to provide the IP using a command line parameter and is instead able to provide the IP address at the onelogin.sdk.json file.",
+ "cve": null,
+ "id": "pyup.io-37158",
+ "specs": [
+ "<1.3.0"
+ ],
+ "v": "<1.3.0"
+ }
+ ],
 "onixcheck": [
 {
 "advisory": "onixcheck 0.8.0 adds secured XML-Parsing via defusedxml.", 
@@ -5867,9 +8423,138 @@
 "v": "<1.0.2"
 }
 ],
- "openslides": [
+ "openapigenerator": [
 {
- "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.",
+ "advisory": "Openapigenerator 3.2.2 updates vulnerable dependencies (JavaScript, #784).",
+ "cve": null,
+ "id": "pyup.io-37622",
+ "specs": [
+ "",
+ "<3.2.2"
+ ],
+ "v": ",<3.2.2"
+ },
+ {
+ "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).",
+ "cve": null,
+ "id": "pyup.io-37796",
+ "specs": [
+ "<3.2.1"
+ ],
+ "v": "<3.2.1"
+ },
+ {
+ "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).",
+ "cve": null,
+ "id": "pyup.io-37631",
+ "specs": [
+ "<3.2.1"
+ ],
+ "v": "<3.2.1"
+ },
+ {
+ "advisory": "Openapigenerator 3.3.2 fixes the Jackson databind security issue (Java, #1259).",
+ "cve": null,
+ "id": "pyup.io-37629",
+ "specs": [
+ "<3.3.2"
+ ],
+ "v": "<3.3.2"
+ },
+ {
+ "advisory": "Openapigenerator 3.3.3 fixes jackson-databind (Java) security issue #1259.",
+ "cve": null,
+ "id": "pyup.io-37797",
+ "specs": [
+ "<3.3.3"
+ ],
+ "v": "<3.3.3"
+ },
+ {
+ "advisory": "Openapigenerator 4.0.0 upgrades GRADLE to 2.14.1 to fix a vulnerability (Android, Java, Scala, #2416).",
+ "cve": null,
+ "id": "pyup.io-37627",
+ "specs": [
+ "<4.0.0"
+ ],
+ "v": "<4.0.0"
+ },
+ {
+ "advisory": "Apenapigenerator v4.0.0-beta3 upgrades GRADLE to 2.14.1 to fix a vulnerability (Java, Scala, #2416).",
+ "cve": null,
+ "id": "pyup.io-37630",
+ "specs": [
+ "<4.0.0b3"
+ ],
+ "v": "<4.0.0b3"
+ },
+ {
+ "advisory": "Openapigenerator 4.0.0beta2 fixes a security issue with dependencies (Java, #1820).",
+ "cve": null,
+ "id": "pyup.io-37628",
+ "specs": [
+ "<4.0.0beta2"
+ ],
+ "v": "<4.0.0beta2"
+ },
+ {
+ "advisory": "Openapigenerator 4.0.2 bumps up the babel-cli version to fix security alert (Javascript/NodeJS, #3121).",
+ "cve": null,
+ "id": "pyup.io-37626",
+ "specs": [
+ "<4.0.2"
+ ],
+ "v": "<4.0.2"
+ },
+ {
+ "advisory": 
"Openapigenerator 4.0.3 update JS flow dependencies to fix security issues (JavaScript, #3296).",
+ "cve": null,
+ "id": "pyup.io-37625",
+ "specs": [
+ "<4.0.3"
+ ],
+ "v": "<4.0.3"
+ },
+ {
+ "advisory": "Openapigenerator 4.1.0 updates to address recent lodash Object prototype vulnerability (general, #3348).",
+ "cve": null,
+ "id": "pyup.io-37624",
+ "specs": [
+ "<4.1.0"
+ ],
+ "v": "<4.1.0"
+ },
+ {
+ "advisory": "Openapigenerator 4.1.3 fixes the jackson-databind security issue (general, #3945).",
+ "cve": null,
+ "id": "pyup.io-37623",
+ "specs": [
+ "<4.1.3"
+ ],
+ "v": "<4.1.3"
+ },
+ {
+ "advisory": "Openapigenerator 4.2.1 fixes the Jackson databind security issue (Java, #4370).",
+ "cve": null,
+ "id": "pyup.io-37798",
+ "specs": [
+ "<4.2.1"
+ ],
+ "v": "<4.2.1"
+ },
+ {
+ "advisory": "Openapigenerator 4.3.0 fixes CVE-2020-8130 [Ruby - #5483].",
+ "cve": "CVE-2020-8130",
+ "id": "pyup.io-38120",
+ "specs": [
+ "<4.3.0"
+ ],
+ "v": "<4.3.0"
+ }
+ ],
+ "openslides": [
+ {
+ "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.",
 "cve": null,
 "id": "pyup.io-34681",
 "specs": [
@@ -5889,6 +8574,17 @@
 "v": "<0.1.11"
 }
 ],
+ "ores": [
+ {
+ "advisory": "Ores 1.3.1 addresses yaml security issue by bumping dependency version",
+ "cve": null,
+ "id": "pyup.io-37949",
+ "specs": [
+ "<1.3.1"
+ ],
+ "v": "<1.3.1"
+ }
+ ],
 "otpauth": [
 {
 "advisory": "otpauth before 1.0.1 is vulnerable to timing attacks.", 
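Review bot: The first `openapigenerator` entry in this hunk (pyup.io-37622) carries an empty string in `specs` (`"", "<3.2.2"`) and the joined form `"v": ",<3.2.2"`; an empty clause is not a valid PEP 440 specifier, so whatever parses `specs` on the plugin side will either reject the entry or, if it treats an empty clause as unconstrained, flag every openapigenerator version. Worth checking how the plugin's spec matching handles that case (that code is outside this diff) and, if it is not tolerant, dropping the empty element locally or reporting it upstream. The same hunk also carries two byte-identical 3.2.1 entries under different ids (pyup.io-37796 and pyup.io-37631), which would produce duplicate warnings unless results are de-duplicated by version range.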
@@ -5909,6 +8605,16 @@
 "<3.1.0.8"
 ],
 "v": "<3.1.0.8"
+ },
+ {
+ "advisory": "ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.",
+ "cve": "CVE-2014-0161",
+ "id": "pyup.io-37754",
+ "specs": [
+ "<3.4.0.7",
+ "==3.5.0.4"
+ ],
+ "v": "<3.4.0.7,==3.5.0.4"
 }
 ],
 "ovs": [
@@ -5944,6 +8650,28 @@
 "v": "<0.1.2"
 }
 ],
+ "palladium": [
+ {
+ "advisory": "Palladium 1.2.2 updates requirements, fixing potential security vulnerabilities in dependencies.",
+ "cve": null,
+ "id": "pyup.io-37378",
+ "specs": [
+ "<1.2.2"
+ ],
+ "v": "<1.2.2"
+ }
+ ],
+ "pandevice": [
+ {
+ "advisory": "Pandevice 0.11.0 adds `uuid` params for security and NAT rules.",
+ "cve": null,
+ "id": "pyup.io-37198",
+ "specs": [
+ "<0.11.0"
+ ],
+ "v": "<0.11.0"
+ }
+ ],
 "pando": [
 {
 "advisory": "pando before 0.39 is vulnerable to security bugs related to CRLF injection.", 
@@ -5964,6 +8692,46 @@
 "v": "<0.42"
 }
 ],
+ "paradrop": [
+ {
+ "advisory": "Paradrop 0.10.0 supports more WiFi encryption settings, including properly supporting CCMP for better security.",
+ "cve": null,
+ "id": "pyup.io-37491",
+ "specs": [
+ "<0.10.0"
+ ],
+ "v": "<0.10.0"
+ },
+ {
+ "advisory": "Paradrop 0.13.0 updates dependency versions to address vulnerabilities in old versions of pyOpenSSL, requests, and urllib3.",
+ "cve": null,
+ "id": "pyup.io-37490",
+ "specs": [
+ "<0.13.0"
+ ],
+ "v": "<0.13.0"
+ },
+ {
+ "advisory": "Paradrop 0.5 secures the router settings page with a login system.",
+ "cve": null,
+ "id": "pyup.io-37492",
+ "specs": [
+ "<0.5"
+ ],
+ "v": "<0.5"
+ }
+ ],
+ "paramiko-ng": [
+ {
+ "advisory": "Paramiko-ng 1.7.2 fixes the PRNG to be more secure on windows and in cases where fork() is called.",
+ "cve": null,
+ "id": "pyup.io-37114",
+ "specs": [
+ "<1.7.2"
+ ],
+ "v": "<1.7.2"
+ }
+ ],
 "passlib": [
 {
 "advisory": "passlib before 1.4 not disabled unix_fallback's \"wildcard password\" support unless explicitly enabled by user.",
@@ -6057,6 +8825,17 @@
 "v": "<0.0.2"
 }
 ],
+ "pdkit": [
+ {
+ "advisory": "Pdkit 1.2.1 includes an unspecified security fix for included libraries.",
+ "cve": null,
+ "id": "pyup.io-37793",
+ "specs": [
+ "<1.2.1"
+ ],
+ "v": "<1.2.1"
+ }
+ ],
 "peewee": [
 {
 "advisory": "The main change in this release is the removal of the `AESEncryptedField`,\r\nwhich was included as part of the `playhouse.fields` extension. It was brought\r\nto my attention that there was some serious potential for security\r\nvulnerabilities. Rather than give users a false sense of security, I've decided\r\nthe best course of action is to remove the field.", 
@@ -6238,6 +9017,51 @@
 "<3.3.2"
 ],
 "v": "<3.3.2"
+ },
+ {
+ "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.",
+ "cve": "CVE-2020-5313",
+ "id": "pyup.io-37782",
+ "specs": [
+ "<6.2.2"
+ ],
+ "v": "<6.2.2"
+ },
+ {
+ "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. See:CVE-2020-5312.",
+ "cve": "CVE-2020-5312",
+ "id": "pyup.io-37781",
+ "specs": [
+ "<6.2.2"
+ ],
+ "v": "<6.2.2"
+ },
+ {
+ "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. See: CVE-2020-5311.",
+ "cve": "CVE-2020-5311",
+ "id": "pyup.io-37780",
+ "specs": [
+ "<6.2.2"
+ ],
+ "v": "<6.2.2"
+ },
+ {
+ "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
+ "cve": "CVE-2020-5310",
+ "id": "pyup.io-37779",
+ "specs": [
+ "<6.2.2"
+ ],
+ "v": "<6.2.2"
+ },
+ {
+ "advisory": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.",
+ "cve": "CVE-2019-19911",
+ "id": "pyup.io-37772",
+ "specs": [
+ ">6.0,<6.2.2"
+ ],
+ "v": ">6.0,<6.2.2"
 }
 ],
 "pillow-simd": [ 
@@ -6314,6 +9138,17 @@
 "v": "<3.1.2"
 }
 ],
+ "pim-dm": [
+ {
+ "advisory": "pim-dm 1.0 includes dissertation work and an unspecified security implementation",
+ "cve": null,
+ "id": "pyup.io-37857",
+ "specs": [
+ "<1.0"
+ ],
+ "v": "<1.0"
+ }
+ ],
 "pinax-likes": [
 {
 "advisory": "pinax-likes before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).",
@@ -6353,6 +9188,15 @@
 ],
 "v": "<1.4"
 },
+ {
+ "advisory": "The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.",
+ "cve": "CVE-2013-5123",
+ "id": "pyup.io-37752",
+ "specs": [
+ "<1.5"
+ ],
+ "v": "<1.5"
+ },
 {
 "advisory": "pip before 6.0 is not using a randomized and secure default build directory when possible. (CVE-2014-8991).",
 "cve": null,
@@ -6394,6 +9238,17 @@
 "v": "<0.4.7.12"
 }
 ],
+ "platformio": [
+ {
+ "advisory": "platformio 4.1.0 fixes a security issue when extracting items from TAR archive - see https://github.com/platformio/platformio-core/issues/2995",
+ "cve": null,
+ "id": "pyup.io-37869",
+ "specs": [
+ "<4.1.0"
+ ],
+ "v": "<4.1.0"
+ }
+ ],
 "plomino": [
 {
 "advisory": "plomino before 1.18 has a major vulnerability in open_url (now, targeted sources must be declared safe from an local package).", 
@@ -6544,6 +9399,19 @@
 ],
 "v": ">=2.5,<4.0"
 },
+ {
+ "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used in Plone 3.3.x through 3.3.6, 4.0.x through 4.0.9, 4.1.x through 4.1.6, 4.2.x through 4.2.7, and 4.3 through 4.3.2, allow remote attackers to inject arbitrary web script or HTML via unspecified input in the (1) browser_id_manager or (2) OFS.Image method. See: CVE-2013-7062.",
+ "cve": "CVE-2013-7062",
+ "id": "pyup.io-37753",
+ "specs": [
+ ">=3.3.0,<=3.3.6",
+ ">=4.0,<=4.0.9",
+ ">=4.1.0,<=4.1.6",
+ ">=4.2.0,<=4.2.7",
+ ">=4.3,<=4.3.2"
+ ],
+ "v": ">=3.3.0,<=3.3.6,>=4.0,<=4.0.9,>=4.1.0,<=4.1.6,>=4.2.0,<=4.2.7,>=4.3,<=4.3.2"
+ },
 {
 "advisory": "The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.",
 "cve": "CVE-2011-4030", 
@@ -6552,6 +9420,71 @@
 ">=4,<4.2a2"
 ],
 "v": ">=4,<4.2a2"
+ },
+ {
+ "advisory": "SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) See: CVE-2020-7939.",
+ "cve": "CVE-2020-7939",
+ "id": "pyup.io-37787",
+ "specs": [
+ ">=4.0,<=5.2.1"
+ ],
+ "v": ">=4.0,<=5.2.1"
+ },
+ {
+ "advisory": "An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site. See: CVE-2020-7936.",
+ "cve": "CVE-2020-7936",
+ "id": "pyup.io-37784",
+ "specs": [
+ ">=4.0,<=5.2.1"
+ ],
+ "v": ">=4.0,<=5.2.1"
+ },
+ {
+ "advisory": "Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. See: CVE-2020-7940.",
+ "cve": "CVE-2020-7940",
+ "id": "pyup.io-37788",
+ "specs": [
+ ">=4.3,<=5.2.0"
+ ],
+ "v": ">=4.3,<=5.2.0"
+ },
+ {
+ "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.",
+ "cve": "CVE-2020-7941",
+ "id": "pyup.io-36898",
+ "specs": [
+ ">=4.3,<=5.2.1"
+ ],
+ "v": ">=4.3,<=5.2.1"
+ },
+ {
+ "advisory": "An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. See: CVE-2020-7937.",
+ "cve": "CVE-2020-7937",
+ "id": "pyup.io-37785",
+ "specs": [
+ ">=5.0,<=5.2.1"
+ ],
+ "v": ">=5.0,<=5.2.1"
+ },
+ {
+ "advisory": "plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. 
See: CVE-2020-7938.",
+ "cve": "CVE-2020-7938",
+ "id": "pyup.io-37786",
+ "specs": [
+ ">=5.2.0,<=5.2.1"
+ ],
+ "v": ">=5.2.0,<=5.2.1"
+ }
+ ],
+ "plone-app-contentmenu": [
+ {
+ "advisory": "Plone-app-contentmenu 1.1.7 escapes the title of the defaultpage in the DisplayMenu. This fixes a potential\r\n xss attack and http://dev.plone.org/plone/ticket/8377.",
+ "cve": null,
+ "id": "pyup.io-36047",
+ "specs": [
+ "<1.1.7"
+ ],
+ "v": "<1.1.7"
 }
 ],
 "plone-app-contenttypes": [
@@ -6618,6 +9551,15 @@
 "<3.3.1"
 ],
 "v": "<3.3.1"
+ },
+ {
+ "advisory": "Plone.app.content 3.8.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher",
+ "cve": null,
+ "id": "pyup.io-38030",
+ "specs": [
+ "<3.8.1"
+ ],
+ "v": "<3.8.1"
 }
 ],
 "plone.app.contentmenu": [
@@ -6640,6 +9582,15 @@
 "<1.2.15"
 ],
 "v": "<1.2.15"
+ },
+ {
+ "advisory": "plone.app.contenttypes 2.1.6 integrates PloneHotFix20200121: add more permission checks - see https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content",
+ "cve": "CVE-2020-7941",
+ "id": "pyup.io-37887",
+ "specs": [
+ "<2.1.6"
+ ],
+ "v": "<2.1.6"
 }
 ],
 "plone.app.discussion": [
@@ -6673,6 +9624,17 @@
 "v": "<3.0"
 }
 ],
+ "plone.app.layout": [
+ {
+ "advisory": "Plone.app.layout 3.4.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher",
+ "cve": null,
+ "id": "pyup.io-38031",
+ "specs": [
+ "<3.4.1"
+ ],
+ "v": "<3.4.1"
+ }
+ ],
 "plone.app.linkintegrity": [
 {
 "advisory": "plone.app.linkintegrity 1.0.2 fixed security issue due to using pickles (see CVE-2007-5741).", 
@@ -6706,6 +9668,17 @@ "v": "<1.0a3" } ], + "plone.memoize": [ + { + "advisory": "Plone.memoize 1.0.3 no longeruses hash when making cache keys. This is to avoid cache collisions, and to avoid a potential security problem where an attacker could manually craft collisions. Also, the use of hash() is no longer recommending in tests.", + "cve": null, + "id": "pyup.io-37107", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" + } + ], "plone.mockup": [ { "advisory": "plone.mockup before 2.1.3 is vulnerable to a XSS attack in structure and relateditem pattern.", @@ -6728,13 +9701,55 @@ "v": "<2.0.2" } ], - "plumi.app": [ + "plone.recipe.varnish": [ { - "advisory": "plumi.app 4.2 includes a security hotfix related to LinguaPlone & plone.app.discussion.", + "advisory": "Plone.recipe.varnish 6.0.0b1 updates to Varnish 6.0.6 LTS security release.", "cve": null, - "id": "pyup.io-26011", + "id": "pyup.io-37942", "specs": [ - "<4.2" + "<6.0.0b1" + ], + "v": "<6.0.0b1" + } + ], + "plone.z3cform": [ + { + "advisory": "Plone.z3cform 0.5.9 fixes a security problem with the ++widget++ namespace [optilude].", + "cve": null, + "id": "pyup.io-37035", + "specs": [ + "<0.5.9" + ], + "v": "<0.5.9" + } + ], + "plotly": [ + { + "advisory": "Plotly 1.15.0 improves a potential XSS input in `text` fields.", + "cve": null, + "id": "pyup.io-37053", + "specs": [ + "<1.15.0" + ], + "v": "<1.15.0" + }, + { + "advisory": "Plotly 1.22.0 fixes an XSS vulnerability in a trace name on hover.", + "cve": null, + "id": "pyup.io-37052", + "specs": [ + "<1.22.0" + ], + "v": "<1.22.0" + } + ], + "plumi.app": [ + { + "advisory": "plumi.app 4.2 includes a security hotfix related to LinguaPlone & plone.app.discussion.", + "cve": null, + "id": "pyup.io-26011", + "specs": [ + "<4.2" ], "v": "<4.2" }, 
@@ -6801,6 +9816,53 @@ "v": "<1.2.1" } ], + "polyaxon": [ + { + "advisory": "Polyaxon 0.4.1 updates dependencies exposing security vulnerabilities.", + "cve": null, + "id": "pyup.io-38029", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + }, + { + "advisory": "Polyaxon 0.4.3 update some packages that have some security and deprecation problems.", + "cve": null, + "id": "pyup.io-38028", + "specs": [ + "<0.4.3" + ], + "v": "<0.4.3" + }, + { + "advisory": "Polyaxon 0.5.1 updates lodash: vulnerability issue.", + "cve": null, + "id": "pyup.io-38025", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + }, + { + "advisory": "Polyaxon 0.5.5 updates dependencies with security release.", + "cve": null, + "id": "pyup.io-38023", + "specs": [ + "<0.5.5" + ], + "v": "<0.5.5" + }, + { + "advisory": "Polyaxon 0.6.0 fixes some unspecified security issues.", + "cve": null, + "id": "pyup.io-38022", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" + } + ], "poorwsgi": [ { "advisory": "poorwsgi 1.0.2 includes several security related enhancements related to secret key generation.", @@ -6841,6 +9903,28 @@ "v": ">=2.6,<2.7.3" } ], + "postfix-mta-sts-resolver": [ + { + "advisory": "Postfix-mta-sts-resolver 0.6.1 hardens the container security.", + "cve": null, + "id": "pyup.io-37461", + "specs": [ + "<0.6.1" + ], + "v": "<0.6.1" + } + ], + "prefect": [ + { + "advisory": "Prefect 0.5.1 bumps `distributed` to 1.26.1 for enhanced security features - [878].", + "cve": null, + "id": "pyup.io-37020", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + } + ], "pretaweb.healthcheck": [ { "advisory": "pretaweb.healthcheck before 1.0 is vulnerable to DoS attacks.", 
@@ -6885,6 +9969,17 @@ "v": "<1.8.1" } ], + "products-zopetree": [ + { + "advisory": "Products-zopetree 1.3 fixes a security hole in the tree state decompressing mechanism. Previous versions were vulnerable to a denial of service attack using large tree states.", + "cve": null, + "id": "pyup.io-37726", + "specs": [ + "<1.3" + ], + "v": "<1.3" + } + ], "products.cmfcontentpanels": [ { "advisory": "products.cmfcontentpanels before 1.4.1 has two not disclosed security issues.", @@ -6898,13 +9993,22 @@ ], "products.cmfcore": [ { - "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request.", + "advisory": "Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request. See: CVE-2007-0240.", "cve": "CVE-2007-0240", "id": "pyup.io-35820", "specs": [ "<2.1.0beta2" ], "v": "<2.1.0beta2" + }, + { + "advisory": "Products.cmfcore 2.3.0beta tightens the security for anonymous test user.", + "cve": null, + "id": "pyup.io-35818", + "specs": [ + "<2.3.0beta" + ], + "v": "<2.3.0beta" } ], "products.cmfplone": [ @@ -6940,6 +10044,17 @@ "v": "<2.1.0beta2" } ], + "products.dcworkflow": [ + { + "advisory": "Products.dcworkflow 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.", + "cve": "CVE-2007-0240", + "id": "pyup.io-38035", + "specs": [ + "<2.1.0beta2" + ], + "v": "<2.1.0beta2" + } + ], "products.ldapuserfolder": [ { "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", 
@@ -6993,6 +10108,28 @@ "v": "<2.2.3" } ], + "psd-tools": [ + { + "advisory": "Psd-tools 1.9.4 fixes a security issue related to compression in 1.8.37 - 1.9.3.", + "cve": null, + "id": "pyup.io-37654", + "specs": [ + ">=1.8.37,<=1.9.3" + ], + "v": ">=1.8.37,<=1.9.3" + } + ], + "psutil": [ + { + "advisory": "psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. See CVE-2019-18874.", + "cve": "CVE-2019-18874", + "id": "pyup.io-37765", + "specs": [ + "<=5.6.5" + ], + "v": "<=5.6.5" + } + ], "ptah": [ { "advisory": "ptah before 0.3.3 is vulnerable to a undisclosed attack.", @@ -7004,6 +10141,17 @@ "v": "<0.3.3" } ], + "puput": [ + { + "advisory": "Puput 1.0.4 update the Django version to greater than 2.1.6 to fix security issues.", + "cve": null, + "id": "pyup.io-37153", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], "pure": [ { "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. secure against bad git branch names)", @@ -7038,6 +10186,17 @@ "v": "<0.4.0" } ], + "py-ci": [ + { + "advisory": "Py-ci 0.5.2 upgrades versions of requests and jinja2 due to security alerts. See: .", + "cve": null, + "id": "pyup.io-37333", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], "py-espeak-ng": [ { "advisory": "py-espeak-ng 1.49.0 fixes many logic and security issues reported by clang scan-build, Coverity and msvc /analyze.", @@ -7060,6 +10219,17 @@ "v": "<1.0.1" } ], + "py-rate": [ + { + "advisory": "The luigi functionality before py-rate 0.3.0 was reported as vulnerable.", + "cve": null, + "id": "pyup.io-37312", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], "py3web": [ { "advisory": "py3web before 0.21 isn't checking for bad characters in headers.", 
@@ -7104,6 +10274,28 @@ "v": "<5.1.2" } ], + "pybald": [ + { + "advisory": "Pybald 0.5.6 updates SQLAlchemy dependency to 1.3.3 to mitigate a security issue with SQLAlchemy verstions <= 1.3.0.", + "cve": null, + "id": "pyup.io-37104", + "specs": [ + "<0.5.6" + ], + "v": "<0.5.6" + } + ], + "pybible-cli": [ + { + "advisory": "Version 1.1.2: Bible pickle files have been replaced by JSON files for better performance and security.", + "cve": null, + "id": "pyup.io-38043", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], "pycapnp": [ { "advisory": "pycapnp before 0.5.5 bundled an insecure library (libcapnp).", @@ -7115,6 +10307,26 @@ "v": "<0.5.5" } ], + "pycapnp-async": [ + { + "advisory": "Pycapnp-async 0.5.4 updates the bundled C++ libcapnp to v0.5.1.1 security release.", + "cve": null, + "id": "pyup.io-37586", + "specs": [ + "<0.5.4" + ], + "v": "<0.5.4" + }, + { + "advisory": "Pycapnp-async 0.5.5 updates the bundled C++ libcapnp to v0.5.1.2 security release.", + "cve": null, + "id": "pyup.io-37585", + "specs": [ + "<0.5.5" + ], + "v": "<0.5.5" + } + ], "pycares": [ { "advisory": "pycares before 2.1.1 is vulnerable to CVE-2016-5180.", @@ -7146,6 +10358,26 @@ "v": "<1.1.2" } ], + "pycookiecheat": [ + { + "advisory": "Pycookiecheat 0.2.0 makes SQL query more secure by avoiding string formatting.", + "cve": null, + "id": "pyup.io-26729", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + }, + { + "advisory": "Pycookiecheat 0.4.5 went back to using cryptography due to CVE-2013-7459.", + "cve": "CVE-2013-7459", + "id": "pyup.io-37543", + "specs": [ + "<0.4.5" + ], + "v": "<0.4.5" + } + ], "pycrypto": [ { "advisory": "In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.", 
@@ -7217,6 +10449,28 @@ "v": "<15.02.27" } ], + "pydotz": [ + { + "advisory": "pydotz 1.2.0 no longer has paths hard-coded due to security and privacy issues", + "cve": null, + "id": "pyup.io-37972", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], + "pyforce": [ + { + "advisory": "Pyforce 1.8.0 fixes the external entities vulnerability #35.", + "cve": null, + "id": "pyup.io-38058", + "specs": [ + "<1.8.0" + ], + "v": "<1.8.0" + } + ], "pyftpdlib": [ { "advisory": "pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping user's home directory.", @@ -7257,6 +10511,17 @@ "v": "<4.0" } ], + "pyinaturalist": [ + { + "advisory": "Pyinaturalist 0.7.0 includes minor dependencies updates for security reasons.", + "cve": null, + "id": "pyup.io-37127", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], "pyjwt": [ { "advisory": "pyjwt before 1.0.0 allows to bypass signature verification by setting the alg header to None.", @@ -7357,6 +10622,28 @@ "v": "<1.3.6" } ], + "pymisp": [ + { + "advisory": "Pymisp 2.4.106 fixes CVE-2019-11324 (urllib3).", + "cve": "CVE-2019-11324", + "id": "pyup.io-37292", + "specs": [ + "<2.4.106" + ], + "v": "<2.4.106" + } + ], + "pymls": [ + { + "advisory": "Pymls 1.4.10 fixes the Github-reported security issues in requirements.txt and bumps PyYAML version in setup for security reasons (CVE-2017-18342).", + "cve": "CVE-2017-18342", + "id": "pyup.io-37193", + "specs": [ + "<1.4.10" + ], + "v": "<1.4.10" + } + ], "pymongo": [ { "advisory": "bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2.5.2, as used in MongoDB, allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to decoding of an \"invalid DBRef.\"", 
@@ -7379,6 +10666,17 @@ "v": "<0.4.2" } ], + "pynps": [ + { + "advisory": "Pynps 1.2.0 removes support for search after updating database for security reasons.", + "cve": null, + "id": "pyup.io-37724", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], "pyoes": [ { "advisory": "pyoes 0.9.0 change: Libs updaten - security alert", @@ -7481,6 +10779,15 @@ "<0.6.2" ], "v": "<0.6.2" + }, + { + "advisory": "Pyplanet 0.7.0 updates some libraries to fix some security issues (none of which were critical).", + "cve": null, + "id": "pyup.io-37476", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" } ], "pyrad": [ 
@@ -7507,40 +10814,103 @@ ], "pyramid": [ { - "advisory": "pyramid before 1.6a2 isn't sanitising JSONP callbacks correctly, see CVE-2014-4671.", + "advisory": "Pyramid 0.2 adds ACL-based security.", "cve": null, - "id": "pyup.io-32204", + "id": "pyup.io-32177", "specs": [ - "<1.6a2" + "<0.2" ], - "v": "<1.6a2" - } - ], - "pyramid-odesk": [ + "v": "<0.2" + }, { - "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.", + "advisory": "Pyramid 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.", "cve": null, - "id": "pyup.io-26051", + "id": "pyup.io-32184", "specs": [ - "<1.1.2" + "<0.4.2" ], - "v": "<1.1.2" - } - ], - "pyramid-weblayer": [ + "v": "<0.4.2" + }, { - "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.", + "advisory": "In pyramid before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. It now uses a randomly generated string.", "cve": null, - "id": "pyup.io-26052", + "id": "pyup.io-32685", "specs": [ - "<0.12" + "<1.0a3" ], - "v": "<0.12" - } - ], - "pyro": [ + "v": "<1.0a3" + }, { - "advisory": "pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.", + "advisory": "The default Mako renderer in pyramid 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. 
To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See .", + "cve": null, + "id": "pyup.io-32194", + "specs": [ + "<1.1a1" + ], + "v": "<1.1a1" + }, + { + "advisory": "The AuthTktAuthenticationPolicy in pyramid before 1.3a1 did not use a timing-attack-aware string comparator. See https://github.com/Pylons/pyramid/pull/320 for more info.", + "cve": null, + "id": "pyup.io-32688", + "specs": [ + "<1.3a1" + ], + "v": "<1.3a1" + }, + { + "advisory": "In pyramid 1.4a4 the ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible for improved security over the default md5 hashing.", + "cve": null, + "id": "pyup.io-32201", + "specs": [ + "<1.4a4" + ], + "v": "<1.4a4" + }, + { + "advisory": "Pyramid 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Also, it avoids timing attacks against CSRF tokens. 
See: .", + "cve": null, + "id": "pyup.io-32203", + "specs": [ + "<1.6a1" + ], + "v": "<1.6a1" + }, + { + "advisory": "pyramid before 1.6a2 isn't sanitising JSONP callbacks correctly, see CVE-2014-4671.", + "cve": null, + "id": "pyup.io-32204", + "specs": [ + "<1.6a2" + ], + "v": "<1.6a2" + } + ], + "pyramid-odesk": [ + { + "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.", + "cve": null, + "id": "pyup.io-26051", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "pyramid-weblayer": [ + { + "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.", + "cve": null, + "id": "pyup.io-26052", + "specs": [ + "<0.12" + ], + "v": "<0.12" + } + ], + "pyro": [ + { + "advisory": "pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.", "cve": "CVE-2011-2765", "id": "pyup.io-36385", "specs": [ @@ -7560,6 +10930,17 @@ "v": "<4.72" } ], + "pyrotools": [ + { + "advisory": "Pyrotools before 1.0.1 updates requirements.txt to make sure urllib3 is a safe version. See CVE-2019-11324.", + "cve": "CVE-2019-11324", + "id": "pyup.io-37086", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], "pysam": [ { "advisory": "pysam 0.11.2 wraps htslib/samtools/bcfools versions 1.4.1 in response to a security fix in these libraries", 
@@ -7590,6 +10971,15 @@ ], "v": "<4.4.0" }, + { + "advisory": "PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. See: CVE-2020-5390.", + "cve": "CVE-2020-5390", + "id": "pyup.io-37783", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" + }, { "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.", "cve": "CVE-2017-1000433", @@ -7658,6 +11048,17 @@ "v": "<0.7.1" } ], + "pyspf": [ + { + "advisory": "Pyspf 2.0.1 prevents cache poisoning attacks and malformed RR attacks.", + "cve": null, + "id": "pyup.io-37431", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + } + ], "pytest-aoc": [ { "advisory": "pytest-aoc 1.2a6 removes security misfeature: no cookies inside setup.cfg.", 
@@ -7902,6 +11303,17 @@ "v": "<1.0.5" } ], + "python-clu": [ + { + "advisory": "Python-clu 0.5.1 removes an insecure Django requirement.", + "cve": null, + "id": "pyup.io-37800", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" + } + ], "python-dbusmock": [ { "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.", @@ -7911,6 +11323,15 @@ "<0.15.1" ], "v": "<0.15.1" + }, + { + "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. See CVE-2015-1326.", + "cve": "CVE-2015-1326", + "id": "pyup.io-37088", + "specs": [ + "<0.15.1" + ], + "v": "<0.15.1" } ], "python-docx": [ 
@@ -7924,6 +11345,35 @@ "v": "<0.8.6" } ], + "python-engineio": [ + { + "advisory": "Python-engineio 3.5.2 removes a security alert in the requirements.", + "cve": null, + "id": "pyup.io-37168", + "specs": [ + "<3.5.2" + ], + "v": "<3.5.2" + }, + { + "advisory": "Python-engineio 3.9.0 addresses potential websocket cross-origin attacks. See: .", + "cve": null, + "id": "pyup.io-37307", + "specs": [ + "<3.9.0" + ], + "v": "<3.9.0" + }, + { + "advisory": "An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted. See: .", + "cve": "CVE-2019-13611", + "id": "pyup.io-37288", + "specs": [ + "<=3.8.2" + ], + "v": "<=3.8.2" + } + ], "python-fedora": [ { "advisory": "python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection", @@ -7976,6 +11426,24 @@ ">=2.0,<2.3.3" ], "v": "<1.5.4,>=2.0,<2.3.3" + }, + { + "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass. See: CVE-2013-2166.", + "cve": "CVE-2013-2166", + "id": "pyup.io-37748", + "specs": [ + ">=0.2.3,<=0.2.5" + ], + "v": ">=0.2.3,<=0.2.5" + }, + { + "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass. See CVE-2013-2167.", + "cve": "CVE-2013-2167", + "id": "pyup.io-37749", + "specs": [ + ">=0.2.3,<=0.2.5" + ], + "v": ">=0.2.3,<=0.2.5" } ], "python-libtorrent": [ 
@@ -8083,6 +11551,44 @@ "v": "<2.4.0" } ], + "python-secrets": [ + { + "advisory": "Python-secrets 0.9.1 adds ``six`` for securing ``input`` call.", + "cve": null, + "id": "pyup.io-37582", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + }, + { + "advisory": "Python-secrets before 19.10.0 adds control of umask for better file perm security.", + "cve": null, + "id": "pyup.io-37583", + "specs": [ + "<19.10.0" + ], + "v": "<19.10.0" + }, + { + "advisory": "Python-secrets before 19.8.0 adds insecure permissions checking", + "cve": null, + "id": "pyup.io-37401", + "specs": [ + "<19.8.0" + ], + "v": "<19.8.0" + }, + { + "advisory": "Python-secrets 19.8.3 ensures more secure permissions.", + "cve": null, + "id": "pyup.io-37421", + "specs": [ + "<19.8.3" + ], + "v": "<19.8.3" + } + ], "python-smooch": [ { "advisory": "python-smooch 1.0.4 bumps requests gem due to [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2018-18074).", @@ -8094,6 +11600,17 @@ "v": "<1.0.4" } ], + "python-socketio": [ + { + "advisory": "Python-socketio 4.3.0 addresses potential websocket cross-origin attacks. See: .", + "cve": null, + "id": "pyup.io-37308", + "specs": [ + "<4.3.0" + ], + "v": "<4.3.0" + } + ], "python-zeep": [ { "advisory": "python-zeep 0.4.0 adds defusedxml module for XML security issues.", @@ -8154,6 +11671,17 @@ "v": "<1.4.0" } ], + "pytrackdat": [ + { + "advisory": "Pytrackdat 0.2.0 validates the security of the administrator passwords.", + "cve": null, + "id": "pyup.io-37141", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], "pytsite": [ { "advisory": "pytsite before 1.2 has a critical web login security issue.", @@ -8185,6 +11713,15 @@ "<20.0.0" ], "v": "<20.0.0" + }, + { + "advisory": "Pyvcloud 20.1.0 includes a fix for a pyyaml vulnerability found in requirements.txt", + "cve": null, + "id": "pyup.io-37518", + "specs": [ + "<20.1.0" + ], + "v": "<20.1.0" } ], "pyvisa": [ 
@@ -8207,6 +11744,15 @@ "<0.13.0" ], "v": "<0.13.0" + }, + { + "advisory": "Pywbem 1.0.0 increases versions of the following packages to address security vulnerabilities:\r\n* requests from 2.19.1 to 2.20.1\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", + "cve": null, + "id": "pyup.io-37517", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" } ], "pywebsite": [ @@ -8229,6 +11775,26 @@ "v": "<0.1.9pre" } ], + "pywren-ibm-cloud": [ + { + "advisory": "Pywren-ibm-cloud 1.0.1 fixes the flask security issues. See CVE-2018-1000656.", + "cve": "CVE-2018-1000656", + "id": "pyup.io-37480", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + }, + { + "advisory": "Pywren-ibm-cloud 1.0.19 fixes the CVE-2019-12855 security alert.", + "cve": "CVE-2019-12855", + "id": "pyup.io-37479", + "specs": [ + "<1.0.19" + ], + "v": "<1.0.19" + } + ], "pyxmlsecurity": [ { "advisory": "pyxmlsecurity 0.9 protects against wrapping attacks.", 
@@ -8240,6 +11806,37 @@ "v": "<0.9" } ], + "pyxnat": [ + { + "advisory": "Pyxnat 1.1.0.0 fixes a vulnerability by upgrading the `requests` package.", + "cve": null, + "id": "pyup.io-37196", + "specs": [ + "<1.1.0.0" + ], + "v": "<1.1.0.0" + } + ], + "pyyaml": [ + { + "advisory": "Pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.", + "cve": "CVE-2017-18342", + "id": "pyup.io-36333", + "specs": [ + "<4" + ], + "v": "<4" + }, + { + "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. See: CVE-2020-1747.", + "cve": "CVE-2020-1747", + "id": "pyup.io-38100", + "specs": [ + "<5.3.1" + ], + "v": "<5.3.1" + } + ], "qi-jabberhelpdesk": [ { "advisory": "qi-jabberhelpdesk 0.30 includes unspecified security fixes, some vulnerable xml-rpc calls fixed. [ggozad]", 
@@ -8306,92 +11903,352 @@ "v": "<3.0.4" } ], - "radicale": [ + "qurro": [ { - "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.", + "advisory": "The text boxes in qurro 0.4.0 describing the currently-selected numerator / denominator features are now \"read-only\" (you can't edit them while using Qurro). This should remove any vulnerability to accidental edits of these text boxes.", "cve": null, - "id": "pyup.io-33323", + "id": "pyup.io-37374", "specs": [ - "<1.1.2" + "<0.4.0" ], - "v": "<1.1.2" + "v": "<0.4.0" } ], - "rauth": [ + "qutebrowser": [ { - "advisory": "rauth before 0.7.0 isn't using a secure random number generator.", + "advisory": "Qutebrowser 1.0.3 ships with PyQt 5.9.1 and Qt 5.9.2 which includes security fixes from Chromium up to version 61.0.3163.79.", "cve": null, - "id": "pyup.io-26099", - "specs": [ - "<0.7.0" - ], - "v": "<0.7.0" - } - ], - "rdflib": [ - { - "advisory": "The CLI tools in RDFLib 4.2.2 can load Python modules from the current working directory, allowing code injection, because \"python -m\" looks in this directory, as demonstrated by rdf2dot.", - "cve": "CVE-2019-7653", - "id": "pyup.io-36882", + "id": "pyup.io-35044", "specs": [ - "==4.2.2" + "<1.0.3" ], - "v": "==4.2.2" - } - ], - "recurly": [ + "v": "<1.0.3" + }, { - "advisory": "The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource.get\" method that could result in compromise of API keys or other critical resources.", - "cve": "CVE-2017-0906", - "id": "pyup.io-35697", + "advisory": "Qutebrowser 1.1.2 ships with Qt 5.10.1 which includes security fixes from Chromium up to version 64.0.3282.140.", + "cve": null, + "id": "pyup.io-35786", "specs": [ - "<=2.6.2" + "<1.1.2" ], - "v": "<=2.6.2" - } - ], - "remme": [ + "v": "<1.1.2" + }, { - "advisory": "remme 0.2.1alpha reviewed and fixed security issues 
on token operations.", + "advisory": "Qutebrowser 1.10.0 ships with Qt/QtWebEngine 5.14.1 in the macOS and Windows releases, which are based on Chromium 77.0.3865.129 with security fixes up to Chromium 79.0.3945.117.", "cve": null, - "id": "pyup.io-36973", + "id": "pyup.io-37811", "specs": [ - "<0.2.1alpha" + "<1.10.0" ], - "v": "<0.2.1alpha" + "v": "<1.10.0" }, { - "advisory": "remme 0.5.0alpha upgrades py-cryptography to mitigate CVE-2018-10903.", + "advisory": "In qutebrowser 1.3.0, support for JavaScript Shared Web Workers has been disabled on Qt versions older than 5.11 because of security issues in Chromium. You can get the same effect in earlier versions via `:set qt.args ['disable-shared-workers']`. An equivalent workaround is also contained in Qt 5.9.5 and 5.10.1.", "cve": null, - "id": "pyup.io-36971", + "id": "pyup.io-36929", "specs": [ - "<0.5.0-alpha" + "<1.3.0" ], - "v": "<0.5.0-alpha" - } - ], - "requests": [ + "v": "<1.3.0" + }, { - "advisory": "requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect.\r\n Fix CVE-2014-1829 and CVE-2014-1830 respectively", - "cve": null, - "id": "pyup.io-26101", + "advisory": "In qutebrowser 1.3.3, an XSS vulnerability on the `qute://history` page allowed websites to inject HTML into the page via a crafted title tag. This could allow them to steal your browsing history. If you're currently unable to upgrade, avoid using `:history`. See CVE-2018-1000559.", + "cve": "CVE-2018-1000559", + "id": "pyup.io-37812", "specs": [ - "<2.3.0" + "<1.3.3" ], - "v": "<2.3.0" + "v": "<1.3.3" }, { - "advisory": "requests 2.6.0 fixes handling of cookies on redirect. 
Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", + "advisory": "Qutebrowser 1.4.0 ships with Qt 5.11.1 in the macOS and Windows releases, which are based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87. The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.", "cve": null, - "id": "pyup.io-26102", + "id": "pyup.io-36294", "specs": [ - "<2.6.0" + "<1.4.0" ], - "v": "<2.6.0" + "v": "<1.4.0" }, { - "advisory": "The Requests package before 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", - "cve": "CVE-2018-18074", + "advisory": "Qutebrowser 1.4.1 fixes the CSRF issue on the qute://settings page, leading to possible arbitrary code execution. See https://github.com/qutebrowser/qutebrowser/issues/4060 and CVE-2018-10895.", + "cve": "CVE-2018-10895", + "id": "pyup.io-36970", + "specs": [ + "<1.4.1" + ], + "v": "<1.4.1" + }, + { + "advisory": "Qutebrowser 1.5.0 ships with Python 3.7, PyQt 5.11.3 and Qt 5.11.2. 
QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and various other fixes.", + "cve": null, + "id": "pyup.io-36521", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + }, + { + "advisory": "Qutebrowser 1.6.0 ships with Qt 5.12.1 which is based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94.", + "cve": null, + "id": "pyup.io-36199", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" + }, + { + "advisory": "Qutebrowser 1.6.1 ships with Qt 5.12.2 in the macOS and Windows releases, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild).", + "cve": null, + "id": "pyup.io-36280", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + }, + { + "advisory": "Qutebrowser 1.6.2 ships with Qt 5.12.3 in the macOS and Windows releases, which includes security fixes up to Chromium 73.0.3683.75.", + "cve": null, + "id": "pyup.io-37120", + "specs": [ + "<1.6.2" + ], + "v": "<1.6.2" + }, + { + "advisory": "Qutebrowser 1.7.0 ships with Qt 5.12.4 in the macOS and Windows releases, which includes security fixes up to Chromium 74.0.3729.157.", + "cve": null, + "id": "pyup.io-37507", + "specs": [ + "<1.7.0" + ], + "v": "<1.7.0" + }, + { + "advisory": "Qutebrowser 1.8.0 ships with Qt 5.13.0 and QtWebEngine 5.13.1 in the macOS releases (based on Chromium 73.0.3683.105), and Qt/QtWebEngine 5.12.5 in the Windows release (based on Chromium 69.0.3497.128), which both include security fixes up to Chromium 76.0.3809.87.", + "cve": null, + "id": "pyup.io-37506", + "specs": [ + "<1.8.0" + ], + "v": "<1.8.0" + }, + { + "advisory": "Qutebrowser 1.8.1 ships with Qt/QtWebEngine 5.12.5 in the macOS and Windows releases, which are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87.", + "cve": null, + "id": "pyup.io-37511", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + }, + { + "advisory": "Qutebrowser 1.8.2 ships with Qt 5.12.6 in the macOS and Windows releases, which includes security 
fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78.", + "cve": null, + "id": "pyup.io-36433", + "specs": [ + "<1.8.2" + ], + "v": "<1.8.2" + } + ], + "radicale": [ + { + "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.", + "cve": null, + "id": "pyup.io-33323", + "specs": [ + "<1.1.2" + ], + "v": "<1.1.2" + } + ], + "raiden": [ + { + "advisory": "Raiden 0.10.0 fixes a security issue where an attacker could eavesdrop Matrix communications between two nodes in private rooms.", + "cve": null, + "id": "pyup.io-37316", + "specs": [ + "<0.10.0" + ], + "v": "<0.10.0" + }, + { + "advisory": "The Monitoring Service database in raiden before 0.2.0 (before 0.100.5.dev0) is vulnerable to timing based Monitoring Request injection. See .", + "cve": null, + "id": "pyup.io-37364", + "specs": [ + "<0.2.0", + ">=0.100,<0.100.5.dev0" + ], + "v": "<0.2.0,>=0.100,<0.100.5.dev0" + } + ], + "raiden-services": [ + { + "advisory": "In raiden-services before 0.2.0 , the Monitoring Service database was vulnerable to timing-based Monitoring Request injection. 
See: .", + "cve": null, + "id": "pyup.io-37317", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "rauth": [ + { + "advisory": "rauth before 0.7.0 isn't using a secure random number generator.", + "cve": null, + "id": "pyup.io-26099", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], + "raylib": [ + { + "advisory": "Raylib 1.1.1 adds a security check if a file doesn't exist - [textures]", + "cve": null, + "id": "pyup.io-37166", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + }, + { + "advisory": "Raylib 1.2 adds a security check in case deployed vertex excess buffer size - [rlgl]", + "cve": null, + "id": "pyup.io-37165", + "specs": [ + "<1.2" + ], + "v": "<1.2" + } + ], + "rdiff-backup": [ + { + "advisory": "Version 0.5.0 increased rdiff-backup's security by using popen2.Popen3 and os.spawnvp instead of os.popen and os.system.", + "cve": null, + "id": "pyup.io-38068", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + }, + { + "advisory": "Rdiff-backup 0.9.3 adds some security features to the protocol, so rdiff-backup will now only allow commands from remote connections. 
The extra security will be enabled automatically on the client (it knows what to expect), but\r\nthe extra switches --restrict, --restrict-update-only, and --restrict-read-only have been added for use with --server.", + "cve": null, + "id": "pyup.io-38067", + "specs": [ + "<0.9.3" + ], + "v": "<0.9.3" + }, + { + "advisory": "Rdiff-backup 1.0.2 includes a fix for a spurious security violation from --create-full-path and a fix for bug 14545 which was introduced in version 1.0.1: Quoting caused a spurious security violation.", + "cve": null, + "id": "pyup.io-38064", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + }, + { + "advisory": "Rdiff-backup 1.1.6 fixes a security violation when restoring from a remote repository.", + "cve": null, + "id": "pyup.io-38063", + "specs": [ + "<1.1.6" + ], + "v": "<1.1.6" + } + ], + "readsettings": [ + { + "advisory": "Readsettings 3.3.1 replaces `yaml.load` with the more secure, `yaml.safe_load`.", + "cve": null, + "id": "pyup.io-37027", + "specs": [ + "<3.3.1" + ], + "v": "<3.3.1" + } + ], + "recurly": [ + { + "advisory": "The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource.get\" method that could result in compromise of API keys or other critical resources.", + "cve": "CVE-2017-0906", + "id": "pyup.io-35697", + "specs": [ + "<=2.6.2" + ], + "v": "<=2.6.2" + } + ], + "remme": [ + { + "advisory": "remme 0.2.1alpha reviewed and fixed security issues on token operations.", + "cve": null, + "id": "pyup.io-36973", + "specs": [ + "<0.2.1alpha" + ], + "v": "<0.2.1alpha" + }, + { + "advisory": "remme 0.5.0alpha upgrades py-cryptography to mitigate CVE-2018-10903.", + "cve": null, + "id": "pyup.io-36971", + "specs": [ + "<0.5.0-alpha" + ], + "v": "<0.5.0-alpha" + } + ], + "renku": [ + { + "advisory": "Renku 0.6.0 updates the werkzeug package due to security concerns - see 
https://github.com/SwissDataScienceCenter/renku-python/issues/633", + "cve": null, + "id": "pyup.io-37548", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" + } + ], + "repobee": [ + { + "advisory": "Repobee 2.0.2 filters out secure token from `show-config` command output [92aa5cf08cc08d2647a9f22bb6ff120cd5a88360].", + "cve": null, + "id": "pyup.io-37383", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + } + ], + "requests": [ + { + "advisory": "requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect.\r\n Fix CVE-2014-1829 and CVE-2014-1830 respectively", + "cve": null, + "id": "pyup.io-26101", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + }, + { + "advisory": "requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", + "cve": null, + "id": "pyup.io-26102", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + }, + { + "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", + "cve": "CVE-2018-18074", "id": "pyup.io-36546", "specs": [ "<=2.19.1" @@ -8419,6 +12276,17 @@ "v": "<0.6" } ], + "responsibly": [ + { + "advisory": "Responsibly 0.0.3 fixes security issues with its dependencies.", + "cve": null, + "id": "pyup.io-37335", + "specs": [ + "<0.0.3" + ], + "v": "<0.0.3" + } + ], "restauth": [ { "advisory": "restauth before 0.6.3 did not verify passwords for services when using SECURE_CACHE = True.", 
@@ -8441,6 +12309,17 @@ "v": "<=4.2.2" } ], + "restrictedpython": [ + { + "advisory": "Restrictedpython 4.0 ships with a default implementation for ``_getattr_`` which prevents from using the ``format()`` method on str/unicode as it is not safe. See .\r\n\r\n **Caution:** If you do not already have secured the access to this ``format()`` method in your ``_getattr_`` implementation use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.", + "cve": null, + "id": "pyup.io-37433", + "specs": [ + "<4.0" + ], + "v": "<4.0" + } + ], "restview": [ { "advisory": "restview before 2.8.1 isn't properly checking the host header in HTTP requests, leading to possible DNS rebinding attacks. More info: https://github.com/mgedmin/restview/issues/51", @@ -8474,6 +12353,17 @@ "v": "<2.0.5" } ], + "river-admin": [ + { + "advisory": "River-admin 0.5.2 fixes a vulnerability issue with `serialize-javascript` dependency.", + "cve": null, + "id": "pyup.io-37698", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], "robotraconteur": [ { "advisory": "robotraconteur 0.9.0 changes: The `LocalTransport` file handle locations have been moved for increased security", @@ -8496,6 +12386,17 @@ "v": "<0.10" } ], + "rotten-tomatoes-cli": [ + { + "advisory": "Rotten-tomatoes-cli 0.0.2 updates the `pyyaml`, `urllib3`, and `requests` dependencies to avoid security vulnerabilities.", + "cve": null, + "id": "pyup.io-37315", + "specs": [ + "<0.0.2" + ], + "v": "<0.0.2" + } + ], "roundup": [ { "advisory": "Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link.", 
@@ -8514,6 +12415,24 @@ "<1.4.20" ], "v": "<1.4.20" + }, + { + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. See: CVE-2012-6133.", + "cve": "CVE-2012-6133", + "id": "pyup.io-37744", + "specs": [ + "<1.4.20" + ], + "v": "<1.4.20" + }, + { + "advisory": "Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. See: CVE-2019-10904.", + "cve": "CVE-2019-10904", + "id": "pyup.io-37025", + "specs": [ + "==1.6" + ], + "v": "==1.6" } ], "rpc4django": [ @@ -8536,6 +12455,26 @@ "<0.7.1" ], "v": "<0.7.1" + }, + { + "advisory": "python-rply before 0.7.4 insecurely creates temporary files. See: CVE-2014-1938.", + "cve": "CVE-2014-1938", + "id": "pyup.io-37755", + "specs": [ + "<0.7.4" + ], + "v": "<0.7.4" + } + ], + "rpyc": [ + { + "advisory": "Rpyc 4.1.2 includes a fix for CVE-2019-16328 which was caused by a missing protocol security check.", + "cve": "CVE-2019-16328", + "id": "pyup.io-37525", + "specs": [ + "<4.1.2" + ], + "v": "<4.1.2" } ], "rs-django-jet": [ @@ -8589,6 +12528,17 @@ "v": "<0.2.2" } ], + "rss2email": [ + { + "advisory": "Rss2email 3.10 fixes SMTP security issues.", + "cve": null, + "id": "pyup.io-37430", + "specs": [ + "<3.10" + ], + "v": "<3.10" + } + ], "rtv": [ { "advisory": "rtv before 1.12.1 has a security vulnerability where malicious URLs could inject python code.", @@ -8611,6 +12561,17 @@ "v": "<2.6.0" } ], + "s4": [ + { + "advisory": "S4 0.4.2 upgrades boto3 to minimum requirement to fix a vulnerability in a urllib3 dependency.", + "cve": null, + "id": "pyup.io-37119", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], "safety": [ { "advisory": "safety before 1.8.4 included the cryptography version <2.3, which had a security vulnerability.", 
@@ -8622,6 +12583,28 @@ "v": "<1.8.4" } ], + "sagemaker-containers": [ + { + "advisory": "Sagemaker-containers 2.8.2 updates a dependency for security reasons.", + "cve": null, + "id": "pyup.io-38087", + "specs": [ + "<2.8.2" + ], + "v": "<2.8.2" + } + ], + "sanic-oauthlib": [ + { + "advisory": "Sanic-oauthlib 0.9.1 improves security in a not further specified way.", + "cve": null, + "id": "pyup.io-37397", + "specs": [ + "<0.9.1" + ], + "v": "<0.9.1" + } + ], "satosa": [ { "advisory": "satosa before 0.6.1 uses an insecure transitive dependency (pycrypto).", 
@@ -8642,6 +12625,163 @@ "<2.4.2" ], "v": "<2.4.2" + }, + { + "advisory": "Sbp v2.6.5 pins minor rev versions, security fix for requests - see: https://github.com/swift-nav/libsbp/pull/709", + "cve": null, + "id": "pyup.io-36662", + "specs": [ + "<2.6.5" + ], + "v": "<2.6.5" + }, + { + "advisory": "sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708)", + "cve": null, + "id": "pyup.io-37937", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + }, + { + "advisory": "Sbp 2.7.0 updates requests to resolve security issue - see https://github.com/swift-nav/libsbp/pull/708", + "cve": null, + "id": "pyup.io-37642", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + } + ], + "scapy": [ + { + "advisory": "Scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or in a pcap. both work. See: CVE-2019-1010142.", + "cve": "CVE-2019-1010142", + "id": "pyup.io-37285", + "specs": [ + "==2.4.0" + ], + "v": "==2.4.0" + }, + { + "advisory": "Scapy 2.4.2 addresses a Malicious Radius Attribute DoS vulnerability. 
See: .", + "cve": null, + "id": "pyup.io-37341", + "specs": [ + ">=2.4.0,<2.4.2" + ], + "v": ">=2.4.0,<2.4.2" + } + ], + "sceptre": [ + { + "advisory": "sceptre 2.3.0 fixes Jinja autoescape vulnerability", + "cve": null, + "id": "pyup.io-37821", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + } + ], + "scrapydd": [ + { + "advisory": "Scrapydd 0.6.3 enhances the security by adding protection against cross-site request forgery.", + "cve": null, + "id": "pyup.io-37457", + "specs": [ + "<0.6.3" + ], + "v": "<0.6.3" + } + ], + "scvae": [ + { + "advisory": "scvae 2.1.1 updates TensorFlow because of a security vulnerability.", + "cve": null, + "id": "pyup.io-37932", + "specs": [ + "<2.1.1" + ], + "v": "<2.1.1" + } + ], + "sdcclient": [ + { + "advisory": "Sdcclient 0.7.0 adds support for secure commands audit.", + "cve": null, + "id": "pyup.io-37050", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], + "seed-auth-api": [ + { + "advisory": "Seed-auth-api 0.9.3 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37441", + "specs": [ + "<0.9.3" + ], + "v": "<0.9.3" + } + ], + "seed-control-interface": [ + { + "advisory": "Seed-control-interface-service 0.9.16 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37440", + "specs": [ + "<0.9.16" + ], + "v": "<0.9.16" + } + ], + "seed-control-interface-service": [ + { + "advisory": "Seed-control-interface-service 0.9.6 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37442", + "specs": [ + "<0.9.6" + ], + "v": "<0.9.6" + } + ], + "seed-identity-store": [ + { + "advisory": "Seed-identity-store 0.10.2 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37437", + "specs": [ + "<0.10.2" + ], + "v": "<0.10.2" + } + ], + "seed-message-sender": [ + { + "advisory": "Seed-message-sender 0.10.9 includes upgrades of dependencies with security 
vulnerabilities.", + "cve": null, + "id": "pyup.io-37436", + "specs": [ + "<0.10.9" + ], + "v": "<0.10.9" + } + ], + "seed-scheduler": [ + { + "advisory": "Seed-scheduler 0.10.2 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37439", + "specs": [ + "<0.10.2" + ], + "v": "<0.10.2" } ], "seed-stage-based-messaging": [ @@ -8653,6 +12793,26 @@ "<0.11.0" ], "v": "<0.11.0" + }, + { + "advisory": "Seed-stage-based-messaging 0.13.0 includes upgrades of dependencies with security vulnerabilities.", + "cve": null, + "id": "pyup.io-37438", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + } + ], + "seldon-core": [ + { + "advisory": "seldon-core 0.5.1 bumps pillow from 6.0.0 to 6.2.0, see: https://github.com/SeldonIO/seldon-core/pull/1062", + "cve": null, + "id": "pyup.io-37893", + "specs": [ + "<0.5.1" + ], + "v": "<0.5.1" } ], "sentry": [ @@ -8767,13 +12927,33 @@ ], "sequoia-client-sdk": [ { - "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:", + "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:", + "cve": null, + "id": "pyup.io-36949", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + }, + { + "advisory": "Sequoia-client-sdk 2.0.0 upgrades `urllib3` and `requests` to solve security issues.", + "cve": null, + "id": "pyup.io-37199", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + } + ], + "serpscrap": [ + { + "advisory": "Serpscrap 0.13.0 updates the dependency on chromedriver to >= 76.0.3809.68 and sqlalchemy>=1.3.7 to solve security issues and other minor update changes.", "cve": null, - "id": "pyup.io-36949", + "id": "pyup.io-37406", "specs": [ - "<1.2.0" + "<0.13.0" ], - "v": "<1.2.0" + "v": "<0.13.0" } ], "sesame": [ 
@@ -8850,6 +13030,17 @@ "v": "<0.13.1" } ], + "shaka-streamer": [ + { + "advisory": "Shaka-streamer 0.3.0 fixes the PyYAML deprecation warning and YAML loading vulnerability - see: https://github.com/google/shaka-streamer/issues/35", + "cve": null, + "id": "pyup.io-37578", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], "shiftboiler": [ { "advisory": "shiftboiler before 0.6.5 included a minor security issue: If google login did not return an id, user can takeover another user's account.", @@ -8861,6 +13052,39 @@ "v": "<0.6.5" } ], + "simple-salesforce": [ + { + "advisory": "Simple-salesforce 1.0.0 makes the minimum version of requests v2.22.0, which allow removal of requests. This is reported as a security-related update.", + "cve": null, + "id": "pyup.io-38083", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + } + ], + "simplemonitor": [ + { + "advisory": "simplemonitor 2.7 changes the remote monitor protocol and uses the JSON format for remote monitor protocol (more secure than pickle)", + "cve": null, + "id": "pyup.io-37886", + "specs": [ + "<2.7" + ], + "v": "<2.7" + } + ], + "simulaqron": [ + { + "advisory": "Simulaqron 3.0.7 bumps to twisted 19.7 due to security vulnerabilities with earlier versions.", + "cve": null, + "id": "pyup.io-37571", + "specs": [ + "<3.0.7" + ], + "v": "<3.0.7" + } + ], "slackeventsapi": [ { "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)", 
@@ -8894,6 +13118,17 @@ "v": "<1.4.1" } ], + "sncli": [ + { + "advisory": "Sncli 0.4.0 contains a security fix for an arbitrary code execution bug. Copying text from notes to the clipboard was being performed by building a shell command to execute. This resulted in the line being copied substituted directly into the shell command. A carefully crafted line could run any arbitrary shell command, and some lines could crash the\r\nprocess causing the line to fail to copy. This fixes the issue by not using a shell to interpret the command, and\r\npassing the text to be copied directly to stdin.", + "cve": null, + "id": "pyup.io-37302", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], "soapfish": [ { "advisory": "soapfish before 0.6.0 has a potential security issue - pattern restrictions were not applied correctly.", 
@@ -8929,13 +13164,55 @@ ], "sopel": [ { - "advisory": "sopel before 4.4.0 has a security issue involving improperly named channel logs.", + "advisory": "A security issue involving an improperly named channel logs was fixed in Sopel 4.4.0.", "cve": null, "id": "pyup.io-26139", "specs": [ "<4.4.0" ], "v": "<4.4.0" + }, + { + "advisory": "Sopel 6.3.0 uses the `requests` package for stability and security.", + "cve": null, + "id": "pyup.io-27413", + "specs": [ + "<6.3.0" + ], + "v": "<6.3.0" + } + ], + "sparselandtools": [ + { + "advisory": "sparselandtools 1.0.1 requires newer versions of third party packages for security reasons in some cases", + "cve": null, + "id": "pyup.io-37929", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], + "sphinx-paragraph-extractor": [ + { + "advisory": "Sphinx-paragraph-extractor 1.0.4 updates dependencies for security reasons.", + "cve": null, + "id": "pyup.io-37082", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "spintest": [ + { + "advisory": "spintest 0.2.0 renders the UUID Token invisible in the log to avoid security violation, when spintest is used during the CI/CD tools", + "cve": null, + "id": "pyup.io-37859", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" } ], "splash": [ 
@@ -8980,6 +13257,28 @@ "v": "<0.8" } ], + "sqlathanor": [ + { + "advisory": "Sqlathanor 0.5.0 updates the ``requirements.txt`` (which does not actually indicate utilization dependencies, and instead indicates development dependencies) to upgrade a number of libraries that had recently had security vulnerabilities discovered.", + "cve": null, + "id": "pyup.io-37403", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], + "ssh-audit": [ + { + "advisory": "Ssh-audit 2.2.0 re-classifies the very common `ssh-rsa` host key type as weak, due to practical SHA-1 attacks - see https://eprint.iacr.org/2020/014.pdf", + "cve": null, + "id": "pyup.io-38046", + "specs": [ + "<2.2.0" + ], + "v": "<2.2.0" + } + ], "starcluster": [ { "advisory": "starcluster before 0.95.3 opens up the VPC to the internet by default which is a security risk and it requires a special VPC configuration (internet gateway attached to the VPC and a route to the gateway with dest CIDR block 0.0.0.0/0 associated with the VPC subnet). Configuring this automatically (which does not happen currently) would be a security risk and without this configuration StarCluster cannot connect to the VPC nodes even though they've been assigned a public IP.", @@ -9002,6 +13301,17 @@ "v": "<0.4" } ], + "staty": [ + { + "advisory": "Staty 1.2.3 updates requirements to fix security issues.", + "cve": null, + "id": "pyup.io-37049", + "specs": [ + "<1.2.3" + ], + "v": "<1.2.3" + } + ], "stegano": [ { "advisory": "stegano 0.8.6 fixes a potential security issue related to CVE-2018-18074.", @@ -9013,6 +13323,17 @@ "v": "<0.8.6" } ], + "stomp.py": [ + { + "advisory": "Stomp.py 4.1.22 reduces verbosity in logging to not include headers unless debug level is turned on. This was a potential security issue as per: .", + "cve": null, + "id": "pyup.io-37046", + "specs": [ + "<4.1.22" + ], + "v": "<4.1.22" + } + ], "stormpath": [ { "advisory": "stormpath before 2.0.5 is using an insecure transitive dependency (pyjwt).", 
@@ -9044,6 +13365,17 @@ "v": "<2.5.0" } ], + "streamlit": [ + { + "advisory": "The `server.address` config option in streamlit 0.57.0 binds the server to that address for added security.", + "cve": null, + "id": "pyup.io-38121", + "specs": [ + "<0.57.0" + ], + "v": "<0.57.0" + } + ], "streamsx-kafka": [ { "advisory": "streamsx-kafka 1.5.1 - resolves security vulnerabilities in third-party libs", 
@@ -9101,13 +13433,76 @@ ], "superset": [ { - "advisory": "superset before 0.11.0 is vulnerable to a XSS attack on FAB list views.", + "advisory": "Superset 0.11.0a allows for requesting access when denied on a dashboard view (#1192). It also allows to set static headers as configuration (#1126) and prevents XSS on FAB list views (#1125).", "cve": null, "id": "pyup.io-26147", "specs": [ - "<0.11.0" + "<0.11.0a" ], - "v": "<0.11.0" + "v": "<0.11.0a" + }, + { + "advisory": "Superset 0.14.0a improves jinja2 security by using SandboxedEnvironment (#1632) and improves the security scheme (#1587).", + "cve": null, + "id": "pyup.io-37486", + "specs": [ + "<0.14.0a" + ], + "v": "<0.14.0a" + }, + { + "advisory": "Superset 0.19.1a prevents XSS markup viz (#3211).", + "cve": null, + "id": "pyup.io-37487", + "specs": [ + "<0.19.1a" + ], + "v": "<0.19.1a" + }, + { + "advisory": "Superset 0.23.0a bumps dependencies with security issues (#4427). It also fixes 4 security vulnerabilities (#4390) and adds all derived FAB UserModelView views to admin only (#4180).", + "cve": null, + "id": "pyup.io-36204", + "specs": [ + "<0.23.0a" + ], + "v": "<0.23.0a" + }, + { + "advisory": "Superset 0.29.0rc8a secures unsecured views and prevent regressions (#6553).", + "cve": null, + "id": "pyup.io-37488", + "specs": [ + "<0.29.0rc8a" + ], + "v": "<0.29.0rc8a" + }, + { + "advisory": "Superset 0.32.0rc2.dev2a includes new, deprecate merge_perm. 
Also, the FAB method is fixed (#7355).", + "cve": null, + "id": "pyup.io-26584", + "specs": [ + "<0.32.0rc2.dev2a" + ], + "v": "<0.32.0rc2.dev2a" + }, + { + "advisory": "Superset 0.33.0rc1a adds Flask-Talisman (#7443).", + "cve": null, + "id": "pyup.io-37485", + "specs": [ + "<0.33.0rc1a" + ], + "v": "<0.33.0rc1a" + }, + { + "advisory": "Superset 0.34.0a adds docstrings and type hints (#7952), and bumps python libs, addressing insecure releases (#7550).", + "cve": null, + "id": "pyup.io-26602", + "specs": [ + "<0.34.0a" + ], + "v": "<0.34.0a" } ], "superset-hand": [ @@ -9168,6 +13563,48 @@ "v": "<2.6.0" } ], + "swifter": [ + { + "advisory": "Swifter 0.292 fixes a known security vulnerability in parso <= 0.4.0 by requiring parso > 0.4.0", + "cve": null, + "id": "pyup.io-37369", + "specs": [ + "<0.292" + ], + "v": "<0.292" + } + ], + "syft": [ + { + "advisory": "Syft 0.2.3:\r\n* Fixes a potential security issue with unsafe YAML loading\r\n* Removes an insecure eval in native tensor interpreter", + "cve": null, + "id": "pyup.io-37958", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + }, + { + "advisory": "syft 0.2.3.a1 removes an insecure eval in native tensor interpreter", + "cve": null, + "id": "pyup.io-37930", + "specs": [ + "<0.2.3.a1" + ], + "v": "<0.2.3.a1" + } + ], + "synse": [ + { + "advisory": "Synse 2.2.6 updates pyyaml version for CVE-2017-18342. See: .", + "cve": "CVE-2017-18342", + "id": "pyup.io-37393", + "specs": [ + "<2.2.6" + ], + "v": "<2.2.6" + } + ], "tablib": [ { "advisory": "An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.", 
@@ -9217,6 +13654,37 @@ "v": "<1.9.1" } ], + "taskcluster": [ + { + "advisory": "Taskcluster 24.1.3 fixes a possible XSS vulnerability with the lazylog viewer - see: http://bugzil.la/1605933", + "cve": null, + "id": "pyup.io-37675", + "specs": [ + "<24.1.3" + ], + "v": "<24.1.3" + } + ], + "tbats": [ + { + "advisory": "Tbats 1.0.7 upgrades its dependencies due to an vulnerability in Jinja2. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", + "cve": null, + "id": "pyup.io-37051", + "specs": [ + "<1.0.7" + ], + "v": "<1.0.7" + }, + { + "advisory": "Tbats 1.0.8 upgrades its dependencies due to an vulnerability in urllib3. See CVE-2019-11324.", + "cve": "CVE-2019-11324", + "id": "pyup.io-37336", + "specs": [ + "<1.0.8" + ], + "v": "<1.0.8" + } + ], "telemeta": [ { "advisory": "telemeta before 1.4.31 has a undisclosed security vulnerability in TELEMETA_EXPORT_CACHE_DIR.", 
@@ -9249,28 +13717,136 @@ "<11.1.1" ], "v": "<11.1.1" + }, + { + "advisory": "Tendenci 11.2.12 strips null bytes to avoid null byte injection attacks.", + "cve": null, + "id": "pyup.io-37350", + "specs": [ + "<11.2.12" + ], + "v": "<11.2.12" + }, + { + "advisory": "Tendenci 11.2.8 upgrades bootstrap from 3.3.1 to 3.4.1. There are XSS vulnerabilities in version lower than 3.4.1.", + "cve": null, + "id": "pyup.io-37150", + "specs": [ + "<11.2.8" + ], + "v": "<11.2.8" + }, + { + "advisory": "Tendenci 7.4.0 disables GZipMiddleware to prevent BREACH attacks and prevents fraudulent simultaneous reuse of PayPal transactions.", + "cve": null, + "id": "pyup.io-35055", + "specs": [ + "<7.4.0" + ], + "v": "<7.4.0" + } + ], + "teneto": [ + { + "advisory": "In teneto 0.4.5, save_tenetobids_snapshot to export current teneto settings. save_to_pickle (and corresponding load function) have been removed as they are not secure.", + "cve": null, + "id": "pyup.io-37550", + "specs": [ + "<0.4.5" + ], + "v": "<0.4.5" + } + ], + "tensorflow": [ + { + "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", + "cve": null, + "id": "pyup.io-36375", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + }, + { + "advisory": "Tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", + "cve": null, + "id": "pyup.io-37167", + "specs": [ + "<1.12.2" + ], + "v": "<1.12.2" + }, + { + "advisory": "Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.", + "cve": null, + "id": "pyup.io-37524", + "specs": [ + "<2.0" + ], + "v": "<2.0" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 update `sqlite3` to `3.30.01` to handle CVE-2019-19646, CVE-2019-19645 and CVE-2019-16168.", + "cve": null, + "id": "pyup.io-38038", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": 
">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.", + "cve": "CVE-2020-5215", + "id": "pyup.io-37776", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482 and CVE-2019-5481.", + "cve": "CVE-2019-5482, CVE-2019-5481", + "id": "pyup.io-38039", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + } + ], + "textract": [ + { + "advisory": "textract before 1.5.0 doesn't properly uses subprocess.call.", + "cve": null, + "id": "pyup.io-26157", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" } ], - "tensorflow": [ + "tf-encrypted": [ { - "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", + "advisory": "Tf-encrypted before 0.5.1 did not include a secure version of `tf.negative`.", "cve": null, - "id": "pyup.io-36375", + "id": "pyup.io-37058", "specs": [ - "<1.10.0" + "<0.5.1" ], - "v": "<1.10.0" + "v": "<0.5.1" } ], - "textract": [ + "thamos": [ { 
- "advisory": "textract before 1.5.0 doesn't properly uses subprocess.call.", + "advisory": "Thamos 0.1.0 uses yaml.safe_load for security reasons.", "cve": null, - "id": "pyup.io-26157", + "id": "pyup.io-37295", "specs": [ - "<1.5.0" + "<0.1.0" ], - "v": "<1.5.0" + "v": "<0.1.0" } ], "thorn": [ @@ -9284,6 +13860,44 @@ "v": "<1.1.0" } ], + "thrift": [ + { + "advisory": "Thrift 0.11.0 improves SSL security by adding cross client checks to make sure SSLv3 protocol cannot be negotiated - see: https://issues.apache.org/jira/browse/THRIFT-4084", + "cve": null, + "id": "pyup.io-37644", + "specs": [ + "<0.11.0" + ], + "v": "<0.11.0" + }, + { + "advisory": "Thrift 0.9 fixes a denial of Service attack in TBinaryProtocol.readString - see: https://issues.apache.org/jira/browse/THRIFT-2272", + "cve": null, + "id": "pyup.io-37646", + "specs": [ + "<0.9" + ], + "v": "<0.9" + }, + { + "advisory": "Thrift 0.9.3 fixes:\r\n- C++ TSSLSocket shutdown delay/vulnerability - see: https://issues.apache.org/jira/browse/THRIFT-3061\r\n- Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation - see: https://issues.apache.org/jira/browse/THRIFT-3164", + "cve": null, + "id": "pyup.io-37645", + "specs": [ + "<0.9.3" + ], + "v": "<0.9.3" + }, + { + "advisory": "Thrift 0.9.3.1 fixes CVE-2018-1320 in 0.9.3 - see: https://issues.apache.org/jira/browse/THRIFT-4506", + "cve": "CVE-2018-1320", + "id": "pyup.io-37643", + "specs": [ + "<0.9.3.1" + ], + "v": "<0.9.3.1" + } + ], "tiddlyweb": [ { "advisory": "tiddlyweb before 1.2.18 allowed empty passwords to authenticate.", 
@@ -9415,6 +14029,17 @@ "v": "<1.13.0" } ], + "trustpilot": [ + { + "advisory": "Trustpilot 6.1.0 includes security upgrades of the requests and urllib dependencies.", + "cve": null, + "id": "pyup.io-38105", + "specs": [ + "<6.1.0" + ], + "v": "<6.1.0" + } + ], "tryton": [ { "advisory": "model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.", @@ -9439,7 +14064,16 @@ ], "tuf": [ { - "advisory": "tuf before 1.3 has a security issues with pip's use of temp build directories.", + "advisory": "Tuf 0.11.1 prevents a persistent freeze attack - see: https://github.com/theupdateframework/tuf/pull/737", + "cve": null, + "id": "pyup.io-36279", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + }, + { + "advisory": "Tuf 1.3 fixes security issues with pip's use of temp build directories.", "cve": null, "id": "pyup.io-26167", "specs": [ 
@@ -9470,6 +14104,108 @@
 "v": "<3.5.0"
 }
 ],
+ "twine": [
+ {
+ "advisory": "Twine 2.0.0 bumps requests to 2.20 (or later) to avoid reported security vulnerabilities in earlier releases (bug 491).",
+ "cve": null,
+ "id": "pyup.io-37504",
+ "specs": [
+ "<2.0.0"
+ ],
+ "v": "<2.0.0"
+ }
+ ],
+ "twisted": [
+ {
+ "advisory": "In twisted Core 17.1.0, twisted.internet.ssl.CertificateOptions has the new constructor argument 'raiseMinimumTo', allowing you to increase the minimum TLS version to this version or Twisted's default, whichever is higher. The additional new constructor arguments 'lowerMaximumSecurityTo' and 'insecurelyLowerMinimumTo' allow finer grained control over negotiated versions that don't honour Twisted's defaults, for working around broken peers, at the cost of reducing the security of the TLS it will negotiate. (#6800)",
+ "cve": null,
+ "id": "pyup.io-34914",
+ "specs": [
+ "<17.1.0"
+ ],
+ "v": "<17.1.0"
+ },
+ {
+ "advisory": "Before twisted 19.2.0, the twisted.web.client.Request and twisted.web.client.HTTPClient were both vulnerable to header injection attacks. They now replace linear whitespace ('\\r', '\\n', and '\\r\\n') with a single space. (#9421)",
+ "cve": null,
+ "id": "pyup.io-37040",
+ "specs": [
+ "<19.2.0"
+ ],
+ "v": "<19.2.0"
+ },
+ {
+ "advisory": "In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.",
+ "cve": "CVE-2019-12387",
+ "id": "pyup.io-37209",
+ "specs": [
+ "<19.2.1"
+ ],
+ "v": "<19.2.1"
+ },
+ {
+ "advisory": "In twisted 19.7.0, twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer properly verifies the server's certificate against platform CAs and the stream's domain, mitigating CVE-2019-12855. 
(#9561)",
+ "cve": "CVE-2019-12855",
+ "id": "pyup.io-37554",
+ "specs": [
+ "<19.7.0"
+ ],
+ "v": "<19.7.0"
+ },
+ {
+ "advisory": "In twisted before 20.3.0, twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header and now fail with a 400; requests whose Transfer-Encoding header had a value other than \"chunked\" and \"identity\" were allowed and now fail with a 400. (9770)",
+ "cve": "CVE-2020-10108,CVE-2020-10109",
+ "id": "pyup.io-38085",
+ "specs": [
+ "<20.3.0"
+ ],
+ "v": "<20.3.0"
+ }
+ ],
+ "twitchirc": [
+ {
+ "advisory": "twitchirc before 1.3 does not include a secure option to [`Connection`](twitchirc/twitchirc/connection.py)",
+ "cve": null,
+ "id": "pyup.io-37820",
+ "specs": [
+ "<1.3"
+ ],
+ "v": "<1.3"
+ }
+ ],
+ "twodolib": [
+ {
+ "advisory": "Twodolib 0.5.1 updated its requirements for security reasons.",
+ "cve": null,
+ "id": "pyup.io-37306",
+ "specs": [
+ "<0.5.1"
+ ],
+ "v": "<0.5.1"
+ }
+ ],
+ "udata": [
+ {
+ "advisory": "Udata 1.6.16 prevents Google ranking spam attacks on reuse pages (`rel=nofollow` on reuse link) - see: https://github.com/opendatateam/udata/pull/2320",
+ "cve": null,
+ "id": "pyup.io-37589",
+ "specs": [
+ "<1.6.16"
+ ],
+ "v": "<1.6.16"
+ }
+ ],
+ "ugoira": [
+ {
+ "advisory": "Ugoira 0.5.0 uses secure protocol (HTTPS) instead of naive (HTTP).",
+ "cve": null,
+ "id": "pyup.io-37200",
+ "specs": [
+ "<0.5.0"
+ ],
+ "v": "<0.5.0"
+ }
+ ],
 "unicef-locations": [
 {
 "advisory": "unicef-locations 1.4.2 updates requirements, django security alert, and moved to psycopg2-binary",
@@ -9533,92 +14269,275 @@
 "cve": "CVE-2018-20060",
 "id": "pyup.io-36541",
 "specs": [
- "<1.23"
+ "<1.23"
+ ],
+ "v": "<1.23"
+ },
+ {
+ "advisory": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. See: CVE-2019-11324.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-37071",
+ "specs": [
+ "<1.24.2"
+ ],
+ "v": "<1.24.2"
+ },
+ {
+ "advisory": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. See: CVE-2019-11236.",
+ "cve": "CVE-2019-11236",
+ "id": "pyup.io-37055",
+ "specs": [
+ "<=1.24.1"
+ ],
+ "v": "<=1.24.1"
+ },
+ {
+ "advisory": "Users who are using urllib3 version 1.17 or 1.18 along with PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This release fixes a vulnerability whereby urllib3 in the above configuration would silently fail to validate TLS certificates due to erroneously setting invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous flags do not cause a problem in OpenSSL versions before 1.1.0, which interprets the presence of any flag as requesting certificate validation.",
+ "cve": null,
+ "id": "pyup.io-26170",
+ "specs": [
+ "==1.17",
+ "==1.18"
+ ],
+ "v": "==1.17,==1.18"
+ },
+ {
+ "advisory": "The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). 
The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). See: CVE-2020-7212.",
+ "cve": "CVE-2020-7212",
+ "id": "pyup.io-27519",
+ "specs": [
+ ">=1.25.2,<=1.25.7"
+ ],
+ "v": ">=1.25.2,<=1.25.7"
+ }
+ ],
+ "verifone": [
+ {
+ "advisory": "verifone 0.1.8 updates Pipfiles and requirement files. There was security issue in PyYAML module.",
+ "cve": null,
+ "id": "pyup.io-36774",
+ "specs": [
+ "<0.1.8"
+ ],
+ "v": "<0.1.8"
+ }
+ ],
+ "vermin": [
+ {
+ "advisory": "Vermin 0.10.1 fixes the security advisory by upgrading bleach from 3.1.0 to 3.1.1.",
+ "cve": null,
+ "id": "pyup.io-38033",
+ "specs": [
+ "<0.10.1"
+ ],
+ "v": "<0.10.1"
+ },
+ {
+ "advisory": "vermin 0.4.11 Due to a security vulnerability in PyYAML <=3.13, it has been updated to 4.2b1.",
+ "cve": null,
+ "id": "pyup.io-36942",
+ "specs": [
+ "<0.4.11"
+ ],
+ "v": "<0.4.11"
+ },
+ {
+ "advisory": "vermin 0.4.8 updates `requests` to 2.20.0 to avoid security vulnerability in <=2.19.1",
+ "cve": null,
+ "id": "pyup.io-36603",
+ "specs": [
+ "<0.4.8"
+ ],
+ "v": "<0.4.8"
+ },
+ {
+ "advisory": "vermin 0.4.9 updates a security vulnerability in `urllib3` <1.23. It has been updated to 1.24.1. `requests` has been updates to 2.20.0 in v0.4.8.",
+ "cve": null,
+ "id": "pyup.io-36725",
+ "specs": [
+ "<0.4.9"
+ ],
+ "v": "<0.4.9"
+ },
+ {
+ "advisory": "Vermin 0.5.0 upgrades urllib3 to version 1.24.2 due to a security vulnerability. 
See CVE-2019-11324.",
+ "cve": "CVE-2019-11324",
+ "id": "pyup.io-37094",
+ "specs": [
+ "<0.5.0"
+ ],
+ "v": "<0.5.0"
+ }
+ ],
+ "vips-hash": [
+ {
+ "advisory": "Vips-hash 0.2.0 sets `pycryptodomex` version to `>=3.6.6,<4` to fix a vulnerability.",
+ "cve": null,
+ "id": "pyup.io-37354",
+ "specs": [
+ "<0.2.0"
+ ],
+ "v": "<0.2.0"
+ }
+ ],
+ "virtualenv": [
+ {
+ "advisory": "virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.",
+ "cve": "CVE-2011-4617",
+ "id": "pyup.io-26172",
+ "specs": [
+ "<1.5"
+ ],
+ "v": "<1.5"
+ }
+ ],
+ "virustotal-python": [
+ {
+ "advisory": "Virustotal-python 0.0.3 updates urllib3 to 1.24.2 for security reasons. See CVE-2019-11236.",
+ "cve": "CVE-2019-11236",
+ "id": "pyup.io-37078",
+ "specs": [
+ "<0.0.3"
+ ],
+ "v": "<0.0.3"
+ },
+ {
+ "advisory": "Virustotal-python 0.0.8 bumps dependencies to address security issues",
+ "cve": null,
+ "id": "pyup.io-37960",
+ "specs": [
+ "<0.0.8"
+ ],
+ "v": "<0.0.8"
+ }
+ ],
+ "vnccollab.theme": [
+ {
+ "advisory": "vnccollab.theme before 1.5.2 has an undisclosed vulnerability in VNC Zimlet.",
+ "cve": null,
+ "id": "pyup.io-26173",
+ "specs": [
+ "<1.5.2"
+ ],
+ "v": "<1.5.2"
+ }
+ ],
+ "vorta": [
+ {
+ "advisory": "Vorta 0.6.21 includes a not further specified, small security improvement.",
+ "cve": null,
+ "id": "pyup.io-37332",
+ "specs": [
+ "<0.6.21"
+ ],
+ "v": "<0.6.21"
+ }
+ ],
+ "wagtail-2fa": [
+ {
+ "advisory": "Wagtail-2fa 1.1.0 requires the user to enter their password when creating a new token. 
This is done based on feedback of a security test by an external company.",
+ "cve": null,
+ "id": "pyup.io-37614",
+ "specs": [
+ "<1.1.0"
+ ],
+ "v": "<1.1.0"
+ },
+ {
+ "advisory": "wagtail-2fa 1.4.1 resolve a possible vulnerability where users could delete other users' 2FA devices",
+ "cve": null,
+ "id": "pyup.io-37860",
+ "specs": [
+ "<1.4.1"
+ ],
+ "v": "<1.4.1"
+ }
+ ],
+ "waitress": [
+ {
+ "advisory": "Waitress 0.9.0 adds in checking for line feed/carriage return HTTP Response Splitting in the status line, as well as\r\n the key of a header. See https://github.com/Pylons/waitress/pull/124 and https://github.com/Pylons/waitress/issues/122.",
+ "cve": null,
+ "id": "pyup.io-36764",
+ "specs": [
+ "<0.9.0"
 ],
- "v": "<1.23"
+ "v": "<0.9.0"
 },
 {
- "advisory": "Users who are using urllib3 version 1.17 or 1.18 along with PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This release fixes a vulnerability whereby urllib3 in the above configuration would silently fail to validate TLS certificates due to erroneously setting invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous flags do not cause a problem in OpenSSL versions before 1.1.0, which interprets the presence of any flag as requesting certificate validation.",
+ "advisory": "Waitress before 1.0.0 drops HTTP headers that contain an underscore in the key when received from a client. This is to stop any possible underscore/dash conflation that may lead to security issues. See: https://github.com/Pylons/waitress/pull/80 and https://www.djangoproject.com/weblog/2015/jan/13/security/",
 "cve": null,
- "id": "pyup.io-26170",
+ "id": "pyup.io-26174",
 "specs": [
- "==1.17",
- "==1.18"
+ "<1.0.0"
 ],
- "v": "==1.17,==1.18"
- }
- ],
- "verifone": [
+ "v": "<1.0.0"
+ },
 {
- "advisory": "verifone 0.1.8 updates Pipfiles and requirement files. 
There was security issue in PyYAML module.",
+ "advisory": "waitress 1.2.0b1 provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions",
 "cve": null,
- "id": "pyup.io-36774",
+ "id": "pyup.io-26390",
 "specs": [
- "<0.1.8"
+ "<1.2.0b1"
 ],
- "v": "<0.1.8"
- }
- ],
- "vermin": [
+ "v": "<1.2.0b1"
+ },
 {
- "advisory": "vermin 0.4.11 Due to a security vulnerability in PyYAML <=3.13, it has been updated to 4.2b1.",
- "cve": null,
- "id": "pyup.io-36942",
+ "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\nCVE-ID: CVE-2019-16785\r\nCVE-ID: CVE-2019-16786",
+ "cve": "CVE-2019-16785, CVE-2019-16786",
+ "id": "pyup.io-37822",
 "specs": [
- "<0.4.11"
+ "<1.4.0"
 ],
- "v": "<0.4.11"
+ "v": "<1.4.0"
 },
 {
- "advisory": "vermin 0.4.8 updates `requests` to 2.20.0 to avoid security vulnerability in <=2.19.1",
- "cve": null,
- "id": "pyup.io-36603",
+ "advisory": "1.4.1 introduces a function which strips whitespace from header values to prevent accidentally treatment of non-printable characters as whitespace, leading to a potential HTTP request smuggling/splitting security issue - see https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 and CVE-2019-16789",
+ "cve": "CVE-2019-16789",
+ "id": "pyup.io-37674",
 "specs": [
- "<0.4.8"
+ "<1.4.1"
 ],
- "v": "<0.4.8"
+ "v": "<1.4.1"
 },
 {
- "advisory": 
"vermin 0.4.9 updates a security vulnerability in `urllib3` <1.23. It has been updated to 1.24.1. `requests` has been updates to 2.20.0 in v0.4.8.",
- "cve": null,
- "id": "pyup.io-36725",
+ "advisory": "Waitress 1.4.2 improves a function (introduced in 1.4.1) that strips whitespace from header values to prevent accidentally treatment of non-printable characters as whitespace, leading to a potential HTTP request smuggling/splitting security issue - see https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 and CVE-ID: CVE-2019-16789",
+ "cve": "CVE-2019-16789",
+ "id": "pyup.io-37673",
 "specs": [
- "<0.4.9"
+ "<1.4.2"
 ],
- "v": "<0.4.9"
- }
- ],
- "virtualenv": [
+ "v": "<1.4.2"
+ },
 {
- "advisory": "virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.",
- "cve": "CVE-2011-4617",
- "id": "pyup.io-26172",
+ "advisory": "waitress 1.4.3 fixes a regular expression function (introduced in 1.4.2 to make sure that it matches RFC7230) that led to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100% - see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc",
+ "cve": null,
+ "id": "pyup.io-37667",
 "specs": [
- "<1.5"
+ "<1.4.3"
 ],
- "v": "<1.5"
+ "v": "<1.4.3"
 }
 ],
- "vnccollab.theme": [
+ "wandb": [
 {
- "advisory": "vnccollab.theme before 1.5.2 has an undisclosed vulnerability in VNC Zimlet.",
+ "advisory": "Socket in wandb 0.8.0 only binds to localhost for improved security and prevents firewall warnings in OSX.",
 "cve": null,
- "id": "pyup.io-26173",
+ "id": "pyup.io-37149",
 "specs": [
- "<1.5.2"
+ "<0.8.0"
 ],
- "v": "<1.5.2"
+ "v": "<0.8.0"
 }
 ],
- "waitress": [
+ "wasmer": [
 {
- "advisory": "waitress before 1.0.0 doesn't drop HTTP headers containing an underscore, possibly leading to security issues.",
+ "advisory": "Wasmer 0.2.1 updates the hashing algorithm for caching to be crypto-secure.",
 "cve": null,
- "id": "pyup.io-26174",
+ "id": "pyup.io-37044",
 "specs": [
- "<1.0.0"
+ "<0.2.1"
 ],
- "v": "<1.0.0"
+ "v": "<0.2.1"
 }
 ],
 "watchmaker": [
@@ -9641,6 +14560,15 @@
 "<0.39"
 ],
 "v": "<0.39"
+ },
+ {
+ "advisory": "Web-py 0.39 fixes a security issue with the form module (tx Orange Tsai) and a security issue with the db module (tx Adri\u00e1n Brav and Orange Tsai).",
+ "cve": null,
+ "id": "pyup.io-35894",
+ "specs": [
+ "<0.39"
+ ],
+ "v": "<0.39"
 }
 ],
 "web.py": [
@@ -9674,6 +14602,35 @@
 "<5.1.3"
 ],
 "v": "<5.1.3"
+ },
+ {
+ "advisory": "Flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. See: CVE-2020-7965.",
+ "cve": "CVE-2020-7965",
+ "id": "pyup.io-37685",
+ "specs": [
+ ">=5.0,<=5.5.2"
+ ],
+ "v": ">=5.0,<=5.5.2"
+ },
+ {
+ "advisory": "Flaskparser.py in Webargs 6.0.0b1 through 6.0.0b4 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. See: CVE-2020-7965.",
+ "cve": "CVE-2020-7965",
+ "id": "pyup.io-37684",
+ "specs": [
+ ">=6.0.0b1,<=6.0.0b4"
+ ],
+ "v": ">=6.0.0b1,<=6.0.0b4"
+ }
+ ],
+ "webp": [
+ {
+ "advisory": "Webp 1.0.1 adds further security related hardening in libwebp & libwebpmux.",
+ "cve": null,
+ "id": "pyup.io-36726",
+ "specs": [
+ "<0.1.2"
+ ],
+ "v": "<0.1.2"
 }
 ],
 "websockets": [
@@ -9697,6 +14654,42 @@
 ],
 "v": "<0.11.11"
 },
+ {
+ "advisory": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
+ "cve": null,
+ "id": "pyup.io-26435",
+ "specs": [
+ "<0.12"
+ ],
+ "v": "<0.12"
+ },
+ {
+ "advisory": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
+ "cve": null,
+ "id": "pyup.io-36967",
+ "specs": [
+ "<0.15.0"
+ ],
+ "v": "<0.15.0"
+ },
+ {
+ "advisory": "Werkzeug 0.3.1 fixes a security problem with `werkzeug.contrib.SecureCookie`.",
+ "cve": null,
+ "id": "pyup.io-26428",
+ "specs": [
+ "<0.3.1"
+ ],
+ "v": "<0.3.1"
+ },
+ {
+ "advisory": "Werkzeug 0.6.1 adds secure password hashing and checking functions.",
+ "cve": null,
+ "id": "pyup.io-26437",
+ "specs": [
+ "<0.6.1"
+ ],
+ "v": "<0.6.1"
+ },
 {
 "advisory": "werkzeug before 0.8 allowed newlines in the header datastructure, allowing header injection attacks.",
 "cve": null,
@@ -9705,6 +14698,24 @@
 "<0.8"
 ],
 "v": "<0.8"
+ },
+ {
+ "advisory": "Werkzeug 0.8.3 fixes an XSS problem with redirect targets coming from untrusted sources.",
+ "cve": null,
+ "id": "pyup.io-26427",
+ "specs": [
+ "<0.8.3"
+ ],
+ "v": "<0.8.3"
+ },
+ {
+ "advisory": ":class:`~exceptions.BadRequestKeyError` in werkzeug 0.15.5 adds the ``KeyError`` message to the description if ``e.show_exception`` is set to ``True``. This is a more secure default than the original 0.15.0 behavior and makes it easier to control without losing information.",
+ "cve": null,
+ "id": "pyup.io-37276",
+ "specs": [
+ ">=0.15.0,<0.15.5"
+ ],
+ "v": ">=0.15.0,<0.15.5"
 }
 ],
 "whitenoise": [
@@ -9729,6 +14740,64 @@
 "v": "<0.5.4"
 }
 ],
+ "wirepas-backend-client": [
+ {
+ "advisory": "Wirepas-backend-client 1.2.0rc2 hides credentials when printing to stdout - see https://github.com/wirepas/backend-client/issues/48",
+ "cve": null,
+ "id": "pyup.io-37522",
+ "specs": [
+ "<1.2.0rc2"
+ ],
+ "v": "<1.2.0rc2"
+ }
+ ],
+ "wordops": [
+ {
+ "advisory": "The hsts flag in wordops before 1.16.0 on site was not secure with letsencrypt.",
+ "cve": null,
+ "id": "pyup.io-37541",
+ "specs": [
+ "<1.16.0"
+ ],
+ "v": "<1.16.0"
+ },
+ {
+ "advisory": "Wordops 3.9.6 adds fail2ban with custom jails to secure WordPress & SSH.",
+ "cve": null,
+ "id": "pyup.io-37540",
+ "specs": [
+ "<3.9.6"
+ ],
+ "v": "<3.9.6"
+ },
+ {
+ "advisory": "Wordops 3.9.7 secures the proftpd stack with TLS.",
+ "cve": null,
+ "id": "pyup.io-37539",
+ "specs": [
+ "<3.9.7"
+ ],
+ "v": "<3.9.7"
+ },
+ {
+ "advisory": "Wordops 3.9.9 adds `wo secure --ssh` to harden ssh security.",
+ "cve": null,
+ "id": "pyup.io-37534",
+ "specs": [
+ "<3.9.9"
+ ],
+ "v": "<3.9.9"
+ },
+ {
+ "advisory": "Wordops 3.9.9.1 improves the sshd_config template according to Mozilla Infosec guidelines.",
+ "cve": null,
+ "id": "pyup.io-37533",
+ "specs": [
+ "<3.9.9.1"
+ ],
+ "v": "<3.9.9.1"
+ }
+ ],
 "wpull": [
 {
 "advisory": "wpull before 0.1006.1 is leaking HTTP header fields when transitioning from HTTP to HTTPS.",
@@ -9741,6 +14810,15 @@
 }
 ],
 "xdg": [
+ {
+ "advisory": "A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call. See: CVE-2019-12761.",
+ "cve": "CVE-2019-12761",
+ "id": "pyup.io-37203",
+ "specs": [
+ "<0.26"
+ ],
+ "v": "<0.26"
+ },
 {
 "advisory": "Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.",
 "cve": "CVE-2014-1624",
@@ -9751,6 +14829,17 @@
 "v": "<=0.25"
 }
 ],
+ "xmlschema-acue": [
+ {
+ "advisory": "Xmlschema-acue 0.9.27:\r\n- Adds support for preventing XML attacks with the use of the *defusedxml* package (added *defuse* argument to schemas)\r\n- Fixes the group circularity (issue 58)\r\n- Fixes the billion laughs attacks using XSD groups expansion",
+ "cve": null,
+ "id": "pyup.io-37716",
+ "specs": [
+ "<0.9.27"
+ ],
+ "v": "<0.9.27"
+ }
+ ],
 "xtea3": [
 {
 "advisory": "xtea3 1.0.0 change: Removal of CBCMAC (security reasons)",
@@ -9782,6 +14871,15 @@
 "<0.4.0"
 ],
 "v": "<0.4.0"
+ },
+ {
+ "advisory": "Yahoo-earnings-calendar 0.5.2 upgrades urllib3 to 1.24.2 for security reasons.",
+ "cve": null,
+ "id": "pyup.io-37079",
+ "specs": [
+ "<0.5.2"
+ ],
+ "v": "<0.5.2"
 }
 ],
 "yasha": [
@@ -9958,6 +15056,20 @@
 "<3.9.0"
 ],
 "v": "<3.9.0"
+ },
+ {
+ "advisory": "CVE-2011-4924: Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104.",
+ "cve": "CVE-2011-4924",
+ "id": "pyup.io-37737",
+ "specs": [
+ ">=2.8,<2.8.12",
+ ">=2.9,<2.9.12",
+ ">=2.10,<2.10.11",
+ ">=2.11,<2.11.6",
+ ">=2.12,<2.12.3",
+ ">=3.1.1,<=3.4.1"
+ ],
+ "v": ">=2.8,<2.8.12,>=2.9,<2.9.12,>=2.10,<2.10.11,>=2.11,<2.11.6,>=2.12,<2.12.3,>=3.1.1,<=3.4.1"
 }
 ],
 "zope.html": [
@@ -10052,6 +15164,118 @@
 "v": "<2.11"
 }
 ],
+ "zsl": [
+ {
+ "advisory": "zsl 0.22.0 upgrade to newest Flask and removes vulnerable dependencies",
+ "cve": null,
+ "id": "pyup.io-37856",
+ "specs": [
+ "<0.22.0"
+ ],
+ "v": "<0.22.0"
+ }
+ ],
+ "zulip": [
+ {
+ "advisory": "Zulip 1.5.2:\r\n- CVE-2017-0896: Restricting inviting new users to admins was broken.\r\n- CVE-2015-8861: Insecure old version of handlebars templating engine.",
+ "cve": "CVE-2017-0896,CVE-2015-8861",
+ "id": "pyup.io-35007",
+ "specs": [
+ "<1.5.2"
+ ],
+ "v": "<1.5.2"
+ },
+ {
+ "advisory": "Zulip 1.6.0 adds security hardening before serving uploaded files. It also refactors various endpoints to use a single code path for security hardening.",
+ "cve": null,
+ "id": "pyup.io-35006",
+ "specs": [
+ "<1.6.0"
+ ],
+ "v": "<1.6.0"
+ },
+ {
+ "advisory": "Zulip 1.7.0 adds a new \"incoming webhook\" bot type, limited to only sending messages into Zulip, for better security.",
+ "cve": null,
+ "id": "pyup.io-35078",
+ "specs": [
+ "<1.7.0"
+ ],
+ "v": "<1.7.0"
+ },
+ {
+ "advisory": "Zulip 1.7.1 is a security release, with a handful of cherry-picked changes since 1.7.0. It includes fixes for the upgrade process. Also, on a server with multiple realms, a vulnerability in the invitation system allowed an authorized user of one realm to create an account on any other realm. See CVE-2017-0910.",
+ "cve": "CVE-2017-0910",
+ "id": "pyup.io-35077",
+ "specs": [
+ "<1.7.1"
+ ],
+ "v": "<1.7.1"
+ },
+ {
+ "advisory": "Zulip 1.7.2 is a security release, with a handful of cherry-picked changes since 1.7.1.\r\n- CVE-2018-9986: Fix XSS issues with frontend markdown processor.\r\n- CVE-2018-9987: Fix XSS issue with muting notifications.\r\n- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\r\n- CVE-2018-9999: Fix XSS issue with user uploads. 
The fix for this adds a Content-Security-Policy for the `LOCAL_UPLOADS_DIR` storage backend for user-uploaded files.",
+ "cve": "CVE-2018-9986,CVE-2018-9987,CVE-2018-9990,CVE-2018-9999",
+ "id": "pyup.io-36168",
+ "specs": [
+ "<1.7.2"
+ ],
+ "v": "<1.7.2"
+ },
+ {
+ "advisory": "Zulip 1.8.0 includes several important security fixes since 1.7.0, which were released already in 1.7.1 and 1.7.2.\r\n- The security model for private streams has changed. Now organization administrators can remove users, edit descriptions, and rename private streams they are not subscribed to. See Zulip's security model documentation for details.\r\n- On Xenial, the local uploads backend now does the same security checks that the S3 backend did before serving files to users. Ubuntu Trusty's version of nginx is too old to support this and so the legacy model is the default; we recommend upgrading.",
+ "cve": null,
+ "id": "pyup.io-36187",
+ "specs": [
+ "<1.8.0"
+ ],
+ "v": "<1.8.0"
+ },
+ {
+ "advisory": "Zulip 2.0.5 fixes DoS vulnerability in Markdown LINK_RE (CVE-2019-16215). It also fixes MIME type validation (CVE-2019-16216).",
+ "cve": "CVE-2019-16215,CVE-2019-16216",
+ "id": "pyup.io-38117",
+ "specs": [
+ "<2.0.5"
+ ],
+ "v": "<2.0.5"
+ },
+ {
+ "advisory": "Zulip 2.0.7 inlcudes a fix for insecure account creation via social authentication - see CVE-2019-18933. 
It also adds backend enforcement of zxcvbn password strength checks.",
+ "cve": "CVE-2019-18933",
+ "id": "pyup.io-38116",
+ "specs": [
+ "<2.0.7"
+ ],
+ "v": "<2.0.7"
+ },
+ {
+ "advisory": "Zulip 2.0.8 includes a fix for CVE-2019-19775: Close open redirect in thumbnail view.",
+ "cve": "CVE-2019-19775",
+ "id": "pyup.io-36735",
+ "specs": [
+ "<2.0.8"
+ ],
+ "v": "<2.0.8"
+ },
+ {
+ "advisory": "Zulip 2.1.0 improves default nginx TLS settings for stronger security.",
+ "cve": null,
+ "id": "pyup.io-38115",
+ "specs": [
+ "<2.1.0"
+ ],
+ "v": "<2.1.0"
+ },
+ {
+ "advisory": "Zulip 2.1.2 includes a corrected fix for CVE-2019-19775 (the original fix was affected by an unfixed security bug in Python's urllib, CVE-2015-2104). It also adds authentication for redis and memcached even in configurations where these are running on localhost, for add hardening against attacks from malicious processes running on the Zulip server.",
+ "cve": "CVE-2019-19775,CVE-2015-2104",
+ "id": "pyup.io-38114",
+ "specs": [
+ "<2.1.2"
+ ],
+ "v": "<2.1.2"
+ }
+ ],
 "zwiki": [
 {
 "advisory": "zwiki before <0.37 has a cross-site scripting vulnerability in standard error messages.",