Page MenuHomePhabricator

'cryptography' dependency reported as vulnerable
Closed, ResolvedPublic

Description

Report of vulnerable dependency:

Description: https://nvd.nist.gov/vuln/detail/CVE-2018-10903

Should be updated in requirements.txt to use a working and safe one.

Making the task private for now as caution. If it does not need to be, please feel free to make it public again.

Thanks.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 4 2018, 8:32 AM

GitHub is spamming e-mails with this issue.

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

GitHub is spamming e-mails with this issue.

Yes, I got that from GitHub (me and the whole lot of owners of the @wikimedia GitHub organisation I guess). Apparently there's a button to ignore this issue, but I prefered to ask here what to do. If the pywikibot and the security people is happy with ignoring this issue, I or another owner of gihub.com/wikimedia could set it to ignore. I am no expert, so I think it's best to ask first.

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

Is that a viable option?

Dvorapa added a subscriber: Dalba.Sep 4 2018, 2:54 PM
Dvorapa added a comment.EditedSep 4 2018, 3:00 PM

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

Is that a viable option?

In my opinion yes, this should be definitely ok. See also T199959 (@Dalba seems to be ok with that too).

Dalba closed this task as Resolved.EditedSep 8 2018, 10:18 AM
Dalba claimed this task.

cryptography<2.3 is now removed from Python<=2.7.6 dependencies, which means that some users of those python versions may experience difficulties connecting to internet, but thats a requests package issue really and it's better than having an insecure dependency installed by pywikibot.

Users of older Python versions might now receive deprecation messages like the following, or in some cases might be unable to connect to https websites with some SSL-related errors.

InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.

SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.

Thanks @Dalba.

@Aklapper Can you make this task visible, now that it is resolved?

Thanks.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 8 2018, 2:14 PM
Bawolff added a subscriber: Bawolff.

Thanks @Dalba.

@Aklapper Can you make this task visible, now that it is resolved?

Thanks.

Should be visible now

Xqt changed the status of subtask T203471: Drop support for Python 2.7.6 and lower from Open to Stalled.Oct 26 2018, 3:00 AM
Xqt changed the status of subtask T203471: Drop support for Python 2.7.6 and lower from Stalled to Open.Feb 13 2019, 3:29 PM