CVE-2019-1010017

Advisory

Python-libnmap 0.7.2 adds unittest for defusedxml to fix billionlaugh and external entities security issues. It also includes a fix for security issue on XXE (XML External Entities). See: CVE-2019-1010017.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Added

- Added pre-commit hook support to enforce code style (black, isort)
- Added unittest for defusedxml to fix billionlaugh and external entities security issues
- Added extra_requires for plugins deps and defusedxml
- Added banner_dict support + unittest (Merge edited PR from cfoulds)
- Added black, isort in tox environment
- Added more unit tests in several modules to improve code collaboration and automated tested
- Added GitHub action pipeline to run pytests, black and isort checks
- Added GitHub action pipeline to publish pypi package

Changed

- Code linted and styled with black and isort
- Changed Licence from CC-BY to Apache 2.0, considering that CC is [not appropriate for code licensing](https://creativecommons.org/faq/can-i-apply-a-creative-commons-license-to-software)
- Changelog now using [Keep-a-changelog](https://keepachangelog.com/en/1.0.0/) specs

Removed

- Removed travis build in favor of GitHub Actions pipelines

Fixed

- Fix empty nmap outputs due to subprocess race condition (Merge PR79 from Shouren)
- Add extra_requires for plugins deps and defusedxml
- Removed code duplication in sudo_run and sudo_run_background from process.py

Security

- Fix for security issue on XXE (XML External Entities) - CVE-2019-1010017

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010017
• https://github.com/savon-noir/python-libnmap/issues/87