| Package | Installed | Affected | Info |
|---|---|---|---|
| ujson | 4.3.0 | <5.12.1 | Affected versions of the ujson package are vulnerable to Denial of Service (DoS) due to a missing reference count decrement on an allocated Python string object during a write failure. The objToJSONFile() function in objToJSON.c allocates a serialised string via ujson_dumps_internal(), invokes the file object's write() method, and returns early when that call raises an exception without ever calling Py_DECREF on the resulting string, so the allocation is never freed. An attacker who can supply a file-like object whose write() method reliably raises exceptions (for instance, by repeatedly making requests to a web server that calls ujson.dump() and then closing connections mid-response) can drive the process into linear, unbounded memory growth, eventually exhausting available memory. |
| ujson | 4.3.0 | <=5.1.0 | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation. |
| ujson | 4.3.0 | <5.4.0 | Ujson 5.4.0 includes a fix for CVE-2022-31116: incorrect handling of invalid surrogate pair characters. https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r |
| ujson | 4.3.0 | <5.4.0 | Ujson 5.4.0 includes a fix for CVE-2022-31117: in versions prior to 5.4.0, an error occurring while reallocating a buffer for string decoding can cause the buffer to be freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. https://github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff |
| twisted | 22.1.0 | <24.7.0rc1 | Affected versions of Twisted are vulnerable to HTTP Request Smuggling. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out of order, possibly resulting in information disclosure. |
| twisted | 22.1.0 | >=0.9.4,<22.10.0rc1 | Twisted 22.10.0rc1 includes a fix for CVE-2022-39348: NameVirtualHost Host header injection. https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647 |
| twisted | 22.1.0 | <22.4.0rc1 | Twisted 22.4.0rc1 includes a fix for CVE-2022-24801: prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the 'twisted.web.http' module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. Two workarounds are available: ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuring an upstream proxy. https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq |
| twisted | 22.1.0 | <=25.5.0 | Affected versions of the Twisted package are vulnerable to Denial of Service due to unbounded resource consumption when decoding DNS names with chained compression pointers. The Name.decode method in src/twisted/names/dns.py enforces no per-message limit on pointer dereferences and resets its visited set for each Question record, while DNSServerFactory processes every record in QDCOUNT without validating it, so a Message containing thousands of questions that all reference a long shared chain of compression pointers forces the parser into millions of redundant traversals. |
| twisted | 22.1.0 | >=16.3.0,<23.10.0rc1 | Twisted 23.10.0rc1 includes a fix for CVE-2023-46137: disordered HTTP pipeline response in twisted.web. NOTE: the data included in this advisory differs from the data publicly available on nist.nvd.gov. As indicated in the project's changelog, the vulnerability was introduced in Twisted 16.3.0. https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm |
| twisted | 22.1.0 | <24.7.0rc1 | Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. |
| twisted | 22.1.0 | >21.7.0,<22.2.0 | Twisted 22.2.0 includes a fix for CVE-2022-21716: prior to 22.2.0, the Twisted SSH client and server implementation accepts an unlimited amount of data for the peer's SSH version identifier, which ends up with a buffer using all the available memory. https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx |
.. image:: https://pyup.io/repos/github/irrdnet/irrd/python-3-shield.svg
:target: https://pyup.io/repos/github/irrdnet/irrd/
:alt: Python 3
.. image:: https://pyup.io/repos/github/irrdnet/irrd/shield.svg
:target: https://pyup.io/repos/github/irrdnet/irrd/
:alt: Updates