Safety CI > crim-ca/weaver

html-responses

1 year, 11 months ago

ca241fff

more process description metadata in HTML view

pip 24.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pip	24.0	<25.2	show Affected versions of the pip package are vulnerable to Arbitrary File Overwrite due to improper validation of symbolic link targets in the fallback tar extraction code. In src/pip/_internal/utils/unpacking.py, the _untar_without_filter routine used when the Python tarfile module lacks PEP 706 (no tarfile.data_filter) extracted symlink members with tar._extract_member without verifying that link destinations resolve under the extraction root, a check later added via the is_symlink_target_in_tar helper.
pip	24.0	<26.0	show Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.
pip	24.0	<25.0	show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation.

Package

Installed

Affected

Info

pip

24.0

<25.2

show

Affected versions of the pip package are vulnerable to Arbitrary File Overwrite due to improper validation of symbolic link targets in the fallback tar extraction code. In src/pip/_internal/utils/unpacking.py, the _untar_without_filter routine used when the Python tarfile module lacks PEP 706 (no tarfile.data_filter) extracted symlink members with tar._extract_member without verifying that link destinations resolve under the extraction root, a check later added via the is_symlink_target_in_tar helper.

pip

24.0

<26.0

show

Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.

pip

24.0

<25.0

show

Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation.

summary-links

1 year, 11 months ago

0111a536

Merge branch 'summary-links' of github-crim:crim-ca/weaver into summary-links

No dependencies with known security vulnerabilities.

summary-links

1 year, 11 months ago

7e043404

Merge branch 'master' into summary-links

No dependencies with known security vulnerabilities.

summary-links

1 year, 11 months ago

7825e88d

add links to process summary listing (fix https://github.com/crim-ca/weaver/issues/622)

No dependencies with known security vulnerabilities.

master

1 year, 11 months ago

30d18899

Merge pull request #621 from crim-ca/gunicorn

No dependencies with known security vulnerabilities.

html-responses

1 year, 11 months ago

8536e1ed

add html alternate link to process description (relates to https://github.com/crim-ca/weaver/issues/

pip 24.0 has known security vulnerabilities.

Package	Installed	Affected	Info
pip	24.0	<25.2	show Affected versions of the pip package are vulnerable to Arbitrary File Overwrite due to improper validation of symbolic link targets in the fallback tar extraction code. In src/pip/_internal/utils/unpacking.py, the _untar_without_filter routine used when the Python tarfile module lacks PEP 706 (no tarfile.data_filter) extracted symlink members with tar._extract_member without verifying that link destinations resolve under the extraction root, a check later added via the is_symlink_target_in_tar helper.
pip	24.0	<26.0	show Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.
pip	24.0	<25.0	show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation.

Package

Installed

Affected

Info

pip

24.0

<25.2

show

Affected versions of the pip package are vulnerable to Arbitrary File Overwrite due to improper validation of symbolic link targets in the fallback tar extraction code. In src/pip/_internal/utils/unpacking.py, the _untar_without_filter routine used when the Python tarfile module lacks PEP 706 (no tarfile.data_filter) extracted symlink members with tar._extract_member without verifying that link destinations resolve under the extraction root, a check later added via the is_symlink_target_in_tar helper.

pip

24.0

<26.0

show

Affected versions of the pip package are vulnerable to Path Traversal due to an incorrect directory containment check when extracting wheel archives. In src/pip/_internal/utils/unpacking.py, the is_within_directory() helper used os.path.commonprefix() (character-by-character) to compare directory and target paths, allowing crafted paths like a parent-directory substring match to be treated as safely inside the installation directory.

pip

24.0

<25.0

show

Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation.

fix-wps-missing-request-options

1 year, 11 months ago

585e7ff9

Merge branch 'master' into fix-wps-missing-request-options

No dependencies with known security vulnerabilities.

gunicorn

1 year, 11 months ago

f3e738d9

Merge branch 'master' into gunicorn

No dependencies with known security vulnerabilities.

master

1 year, 11 months ago

60442fa9

Merge pull request #619 from crim-ca/pin-remark-lint

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 11 months ago

a4656da0

ensure npm packages installed to avoid CI error

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 12 months ago

b7a6dd6b

revert

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 12 months ago

275df4c3

adjust sphinx-autoapi

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 12 months ago

900c935a

adjust npm based linters

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 12 months ago

3a7c24e4

fix invalid package references

No dependencies with known security vulnerabilities.

pin-remark-lint

1 year, 12 months ago

a896f4af

add --no-install flag to npmx run

No dependencies with known security vulnerabilities.