diff --git a/audits/abi3audit-requirements.audit.json b/audits/abi3audit-requirements.audit.json deleted file mode 100644 index 6f487abc..00000000 --- a/audits/abi3audit-requirements.audit.json +++ /dev/null @@ -1,320 +0,0 @@ -[ - { - "package": { - "name": "requests", - "version": "2.28.2", - "ecosystem": "PyPI", - "commit": "" - }, - "vulnerabilities": [ - { - "modified": "2023-09-20T19:34:14Z", - "published": "2023-05-22T20:36:32Z", - "schema_version": "1.6.0", - "id": "GHSA-j8r2-6x86-q33q", - "aliases": [ - "CVE-2023-32681" - ], - "summary": "Unintended leak of Proxy-Authorization header in requests", - "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP \u2192 HTTPS: **leak**\n2. HTTPS \u2192 HTTP: **no leak**\n3. HTTPS \u2192 HTTPS: **leak**\n4. HTTP \u2192 HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "requests", - "purl": "pkg:pypi/requests" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.3.0" - }, - { - "fixed": "2.31.0" - } - ] - } - ], - "versions": [ - "2.10.0", - "2.11.0", - "2.11.1", - "2.12.0", - "2.12.1", - "2.12.2", - "2.12.3", - "2.12.4", - "2.12.5", - "2.13.0", - "2.14.0", - "2.14.1", - "2.14.2", - "2.15.0", - "2.15.1", - "2.16.0", - "2.16.1", - "2.16.2", - "2.16.3", - "2.16.4", - "2.16.5", - "2.17.0", - "2.17.1", - "2.17.2", - "2.17.3", - "2.18.0", - "2.18.1", - "2.18.2", - "2.18.3", - "2.18.4", - "2.19.0", - "2.19.1", - "2.20.0", - "2.20.1", - "2.21.0", - "2.22.0", - "2.23.0", - "2.24.0", - "2.25.0", - "2.25.1", - "2.26.0", - "2.27.0", - "2.27.1", - "2.28.0", - "2.28.1", - "2.28.2", - "2.29.0", - "2.3.0", - "2.30.0", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", - "2.5.0", - "2.5.1", - "2.5.2", - "2.5.3", - "2.6.0", - "2.6.1", - "2.6.2", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "2.9.1", - "2.9.2" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json" - }, - "ecosystem_specific": { - "affected_functions": [ - "requests.sessions.SessionRedirectMixin.rebuild_proxies" - ] - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - }, - { - "type": "PACKAGE", - "url": "https://github.com/psf/requests" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/releases/tag/v2.31.0" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/" - }, - { - "type": "WEB", - "url": "https://security.gentoo.org/glsa/202309-08" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-05-22T20:36:32Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - }, - { - "modified": "2023-06-05T01:13:00Z", - "published": "2023-05-26T18:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-74", - "aliases": [ - "CVE-2023-32681", - "GHSA-j8r2-6x86-q33q" - ], - "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "requests", - "purl": "pkg:pypi/requests" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - } - ], - "repo": "https://github.com/psf/requests" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.3.0" - }, - { - "fixed": "2.31.0" - } - ] - } - ], - "versions": [ - "2.10.0", - "2.11.0", - "2.11.1", - "2.12.0", - "2.12.1", - "2.12.2", - "2.12.3", - "2.12.4", - "2.12.5", - "2.13.0", - "2.14.0", - "2.14.1", - "2.14.2", - "2.15.0", - "2.15.1", - "2.16.0", - "2.16.1", - "2.16.2", - "2.16.3", - "2.16.4", - "2.16.5", - "2.17.0", - "2.17.1", - "2.17.2", - "2.17.3", - "2.18.0", - "2.18.1", - "2.18.2", - "2.18.3", - "2.18.4", - "2.19.0", - "2.19.1", - "2.20.0", - "2.20.1", - "2.21.0", - "2.22.0", - "2.23.0", - "2.24.0", - "2.25.0", - "2.25.1", - "2.26.0", - "2.27.0", - "2.27.1", - "2.28.0", - "2.28.1", - "2.28.2", - "2.29.0", - "2.3.0", - "2.30.0", - "2.4.0", - "2.4.1", - "2.4.2", - "2.4.3", - "2.5.0", - "2.5.1", - "2.5.2", - "2.5.3", - "2.6.0", - "2.6.1", - "2.6.2", - "2.7.0", - "2.8.0", - "2.8.1", - "2.9.0", - "2.9.1", - "2.9.2" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml" - } - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" - }, - { - "type": "WEB", - "url": "https://github.com/psf/requests/releases/tag/v2.31.0" - }, - { - "type": "FIX", - "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" - } - ] - } - ], - "groups": [ - { - "ids": [ - "GHSA-j8r2-6x86-q33q", - "PYSEC-2023-74" - ] - } - ] - } -] \ No newline at end of file diff --git a/audits/alot-requirements.audit.json b/audits/alot-requirements.audit.json index c388498d..959c3690 100644 --- a/audits/alot-requirements.audit.json +++ b/audits/alot-requirements.audit.json @@ -122,7 +122,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-25T21:31:04Z", + "modified": "2023-10-27T21:07:15Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", @@ -130,7 +130,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", "affected": [ { "package": { @@ -264,6 +264,10 @@ "type": "WEB", "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" diff --git a/audits/bbot-requirements.audit.json b/audits/bbot-requirements.audit.json index 64a3f94b..489c790d 100644 --- a/audits/bbot-requirements.audit.json +++ b/audits/bbot-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-10T23:00:06Z", + "modified": "2023-10-28T05:36:04Z", "published": "2023-10-04T15:30:35Z", "schema_version": "1.6.0", "id": "GHSA-ww3m-ffrm-qvqv", @@ -165,11 +165,6 @@ ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-ww3m-ffrm-qvqv/GHSA-ww3m-ffrm-qvqv.json" - }, - "ecosystem_specific": { - "affected_functions": [ - "" - ] } } ], diff --git a/audits/duplicity-requirements.audit.json b/audits/duplicity-requirements.audit.json deleted file mode 100644 index c444d3aa..00000000 --- a/audits/duplicity-requirements.audit.json +++ /dev/null @@ -1,398 +0,0 @@ -[ - { - "package": { - "name": "urllib3", - "version": "1.26.17", - "ecosystem": "PyPI", - "commit": "" - }, - "vulnerabilities": [ - { - "modified": "2023-10-26T14:47:11Z", - "published": "2023-10-17T20:15:25Z", - "schema_version": "1.6.0", - "id": "GHSA-g4mx-q9vg-27p4", - "aliases": [ - "CVE-2023-45803" - ], - "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET", - "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml" - }, - { - "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-10-17T20:15:25Z", - "nvd_published_at": null, - "severity": "MODERATE" - } - }, - { - "modified": "2023-10-25T18:28:34Z", - "published": "2023-10-17T20:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-212", - "aliases": [ - "CVE-2023-45803", - "GHSA-g4mx-q9vg-27p4" - ], - "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9" - } - ], - "repo": "https://github.com/urllib3/urllib3" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - }, - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - }, - { - "type": "FIX", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "ARTICLE", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" - } - ] - } - ], - "groups": [ - { - "ids": [ - "GHSA-g4mx-q9vg-27p4", - "PYSEC-2023-212" - ] - } - ] - } -] \ No newline at end of file diff --git a/audits/magic-wormhole-requirements.audit.json b/audits/magic-wormhole-requirements.audit.json index 9e515ee1..c3c16278 100644 --- a/audits/magic-wormhole-requirements.audit.json +++ b/audits/magic-wormhole-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-25T21:31:04Z", + "modified": "2023-10-27T21:07:15Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", @@ -16,7 +16,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", "affected": [ { "package": { @@ -150,6 +150,10 @@ "type": "WEB", "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" diff --git a/audits/scrapy-requirements.audit.json b/audits/scrapy-requirements.audit.json index c61e209f..bcc62107 100644 --- a/audits/scrapy-requirements.audit.json +++ b/audits/scrapy-requirements.audit.json @@ -8,7 +8,7 @@ }, "vulnerabilities": [ { - "modified": "2023-10-25T21:31:04Z", + "modified": "2023-10-27T21:07:15Z", "published": "2023-10-25T21:15:13Z", "schema_version": "1.6.0", "id": "GHSA-xc8x-vp79-p3wm", @@ -16,7 +16,7 @@ "CVE-2023-46137" ], "summary": "twisted.web has disordered HTTP pipeline response", - "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", + "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n isLeaf = True\n def render_GET(self, request):\n return b'SECOND\\n'\n\nclass First(Resource):\n isLeaf = True\n def render_GET(self, request):\n def send_response():\n request.write(b'FIRST DELAYED\\n')\n request.finish()\n reactor.callLater(0.5, send_response)\n return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.", "affected": [ { "package": { @@ -150,6 +150,10 @@ "type": "WEB", "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137" + }, { "type": "PACKAGE", "url": "https://github.com/twisted/twisted" diff --git a/requirements/abi3audit-requirements.txt b/requirements/abi3audit-requirements.txt index 767bd3c9..e15a54c0 100644 --- a/requirements/abi3audit-requirements.txt +++ b/requirements/abi3audit-requirements.txt @@ -1,16 +1,16 @@ abi3info==2023.10.22 -appdirs==1.4.4 attrs==23.1.0 cattrs==23.1.2 charset-normalizer==3.3.1 idna==3.4 kaitaistruct==0.10 -markdown-it-py==2.2.0 +markdown-it-py==3.0.0 mdurl==0.1.2 pefile==2023.2.7 +platformdirs==3.11.0 pyelftools==0.30 -requests==2.28.2 -requests-cache==0.9.8 -rich==13.3.5 +requests==2.31.0 +requests-cache==1.1.0 +rich==13.6.0 url-normalize==1.4.3 -urllib3==1.26.18 +urllib3==2.0.7 diff --git a/requirements/awscli-requirements.txt b/requirements/awscli-requirements.txt index 1a694b91..cd5e1c11 100644 --- a/requirements/awscli-requirements.txt +++ b/requirements/awscli-requirements.txt @@ -1,4 +1,4 @@ -awscrt==0.16.16 +awscrt==0.19.6 colorama==0.4.6 cryptography==40.0.1 distro==1.8.0 diff --git a/requirements/borgmatic-requirements.txt b/requirements/borgmatic-requirements.txt index 7154b8c1..cc4765b8 100644 --- a/requirements/borgmatic-requirements.txt +++ b/requirements/borgmatic-requirements.txt @@ -1,5 +1,5 @@ attrs==23.1.0 -charset-normalizer==3.3.0 +charset-normalizer==3.3.1 colorama==0.4.6 idna==3.4 jsonschema==4.19.1 @@ -7,6 +7,6 @@ jsonschema-specifications==2023.7.1 referencing==0.30.2 requests==2.31.0 rpds-py==0.10.6 -ruamel-yaml==0.17.35 +ruamel-yaml==0.17.40 ruamel-yaml-clib==0.2.8 urllib3==2.0.7 diff --git a/requirements/conda-lock-requirements.txt b/requirements/conda-lock-requirements.txt index 4f823a1e..582173b9 100644 --- a/requirements/conda-lock-requirements.txt +++ b/requirements/conda-lock-requirements.txt @@ -2,7 +2,7 @@ annotated-types==0.6.0 appdirs==1.4.4 cachecontrol==0.13.1 cachy==0.3.0 -charset-normalizer==3.3.0 +charset-normalizer==3.3.1 click==8.1.7 click-default-group==1.2.4 clikit==0.6.2 @@ -21,7 +21,7 @@ pydantic==2.4.2 pydantic-core==2.10.1 pylev==1.4.0 requests==2.31.0 -ruamel-yaml==0.17.40 +ruamel-yaml==0.18.2 ruamel-yaml-clib==0.2.8 smmap==5.0.1 tomlkit==0.12.1 diff --git a/requirements/duplicity-requirements.txt b/requirements/duplicity-requirements.txt index fffdd502..bec24fa5 100644 --- a/requirements/duplicity-requirements.txt +++ b/requirements/duplicity-requirements.txt @@ -1,16 +1,16 @@ args==0.1.0 +atom==0.10.3 attrs==23.1.0 -azure-core==1.29.4 -azure-storage-blob==12.18.2 +azure-core==1.29.5 +azure-storage-blob==12.18.3 b2sdk==1.24.1 bcrypt==4.0.1 -boto==2.49.0 -boto3==1.28.62 -botocore==1.31.62 -boxsdk==3.9.1 -cachetools==5.3.1 +boto3==1.28.73 +botocore==1.31.73 +boxsdk==3.9.2 +cachetools==5.3.2 chardet==5.2.0 -charset-normalizer==3.3.0 +charset-normalizer==3.3.1 clint==0.5.1 debtcollector==2.5.0 dropbox==11.36.2 @@ -18,11 +18,11 @@ ecdsa==0.18.0 fasteners==0.19 gdata-python3==3.0.1 google-api-core==2.12.0 -google-api-python-client==2.102.0 -google-auth==2.23.2 +google-api-python-client==2.105.0 +google-auth==2.23.3 google-auth-httplib2==0.1.1 google-auth-oauthlib==1.1.0 -googleapis-common-protos==1.60.0 +googleapis-common-protos==1.61.0 httplib2==0.22.0 humanize==4.8.0 idna==3.4 @@ -51,14 +51,14 @@ paramiko==3.3.1 pbr==5.11.1 pexpect==4.8.0 ply==3.11 -psutil==5.9.5 +psutil==5.9.6 ptyprocess==0.7.0 pyasn1==0.5.0 pyasn1-modules==0.3.0 -PyDrive2==1.17.0 -PyJWT==2.8.0 -PyNaCl==1.5.0 -pyOpenSSL==23.2.0 +pydrive2==1.17.0 +pyjwt==2.8.0 +pynacl==1.5.0 +pyopenssl==23.3.0 pyparsing==3.1.1 python-dateutil==2.8.2 python-keystoneclient==5.2.0 @@ -75,6 +75,6 @@ tlslite-ng==0.7.6 tqdm==4.66.1 tzdata==2023.3 uritemplate==4.1.1 -urllib3==1.26.17 +urllib3==2.0.7 wrapt==1.15.0 zipp==3.17.0 diff --git a/requirements/enex2notion-requirements.txt b/requirements/enex2notion-requirements.txt index 99829dca..97dfd35c 100644 --- a/requirements/enex2notion-requirements.txt +++ b/requirements/enex2notion-requirements.txt @@ -1,7 +1,7 @@ beautifulsoup4==4.12.2 bs4==0.0.1 cached-property==1.5.2 -charset-normalizer==3.3.0 +charset-normalizer==3.3.1 commonmark==0.9.1 dictdiffer==0.9.0 idna==3.4 diff --git a/requirements/moto-requirements.txt b/requirements/moto-requirements.txt index 8878a163..53be3719 100644 --- a/requirements/moto-requirements.txt +++ b/requirements/moto-requirements.txt @@ -16,7 +16,7 @@ multipart==0.2.4 openapi-schema-validator==0.6.2 openapi-spec-validator==0.7.1 pathable==0.4.3 -py-partiql-parser==0.4.0 +py-partiql-parser==0.4.1 pyasn1==0.5.0 python-jose==3.3.0 requests==2.31.0 diff --git a/requirements/pgcli-requirements.txt b/requirements/pgcli-requirements.txt index ad59470a..9051e3c0 100644 --- a/requirements/pgcli-requirements.txt +++ b/requirements/pgcli-requirements.txt @@ -1,12 +1,13 @@ cli-helpers==2.3.0 -click==8.1.3 +click==8.1.7 configobj==5.0.8 -pendulum==2.1.2 +pendulum==3.0.0b1 pgspecial==2.1.0 -prompt-toolkit==3.0.38 -psycopg==3.1.8 +prompt-toolkit==3.0.39 +psycopg==3.1.12 python-dateutil==2.8.2 -pytzdata==2020.1 -setproctitle==1.3.2 +setproctitle==1.3.3 sqlparse==0.4.4 -wcwidth==0.2.6 +time-machine==2.13.0 +tzdata==2023.3 +wcwidth==0.2.8 diff --git a/requirements/sqlfluff-requirements.txt b/requirements/sqlfluff-requirements.txt index 2e4c058a..ca511f49 100644 --- a/requirements/sqlfluff-requirements.txt +++ b/requirements/sqlfluff-requirements.txt @@ -8,7 +8,7 @@ jinja2==3.1.2 markupsafe==2.1.3 pathspec==0.11.2 pluggy==1.3.0 -pytest==7.4.2 +pytest==7.4.3 regex==2023.10.3 -tblib==2.0.0 +tblib==3.0.0 tqdm==4.66.1 diff --git a/requirements/vit-requirements.txt b/requirements/vit-requirements.txt index ae8a038c..4eaccae0 100644 --- a/requirements/vit-requirements.txt +++ b/requirements/vit-requirements.txt @@ -1,2 +1,2 @@ tasklib==2.5.1 -urwid==2.1.2 +urwid==2.2.2 diff --git a/requirements/vunnel-requirements.txt b/requirements/vunnel-requirements.txt index d9c6edd9..ca8664d7 100644 --- a/requirements/vunnel-requirements.txt +++ b/requirements/vunnel-requirements.txt @@ -14,10 +14,10 @@ iniconfig==2.0.0 jinja2==3.1.2 markupsafe==2.1.3 mergedeep==1.3.4 -orjson==3.9.9 +orjson==3.9.10 packaging==23.2 pluggy==1.3.0 -pytest==7.4.2 +pytest==7.4.3 pytest-snapshot==0.9.0 python-dateutil==2.8.2 requests==2.31.0