
'cryptography' dependency reported as vulnerable
Closed, ResolvedPublic

Description

Report of vulnerable dependency:


Description: https://nvd.nist.gov/vuln/detail/CVE-2018-10903

Should be updated in requirements.txt to use a working and safe one.

Making the task private for now as caution. If it does not need to be, please feel free to make it public again.

Thanks.

Event Timeline

GitHub is spamming e-mails with this issue.

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

GitHub is spamming e-mails with this issue.

Yes, I got that from GitHub (me and the whole lot of owners of the @wikimedia GitHub organisation I guess). Apparently there's a button to ignore this issue, but I preferred to ask here what to do. If the pywikibot and the security people are happy with ignoring this issue, I or another owner of github.com/wikimedia could set it to ignore. I am no expert, so I think it's best to ask first.

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

Is that a viable option?

The only solution to this I can think of is to deprecate Python 2.7.6 and lower.

Is that a viable option?

In my opinion yes, this should be definitely ok. See also T199959 (@Dalba seems to be ok with that too).

Dalba closed this task as Resolved. Edited Sep 8 2018, 10:18 AM
Dalba claimed this task.

cryptography<2.3 is now removed from Python<=2.7.6 dependencies, which means that some users of those Python versions may experience difficulties connecting to the internet, but that's a requests package issue really and it's better than having an insecure dependency installed by pywikibot.

Users of older Python versions might now receive deprecation messages like the following, or in some cases might be unable to connect to HTTPS websites with some SSL-related errors.

InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.

SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
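As an added example (not part of this task or of pywikibot's own code), a small audit script that models the change described above: it evaluates requirements.txt lines carrying a Python-version environment marker and flags a cryptography pin that, for a given interpreter, can only install releases below 2.3, the first release the linked NVD entry lists as unaffected. The requirements lines and the python_full_version marker are an assumed reconstruction of the pin, not the project's actual file.

```python
"""Flag dependency pins that hold a package below its fixed version for a given interpreter.

Constructed example. The two requirements texts below are an assumed reconstruction of
the before/after state described in the task, not pywikibot's real requirements.txt.
"""
import re

# Assumed 'before' state: cryptography held below 2.3, but only for Python <= 2.7.6.
REQUIREMENTS_BEFORE = '''
requests>=2.9
cryptography<2.3 ; python_full_version <= "2.7.6"
'''
# 'After' state as described in the task: the conditional pin is dropped entirely.
REQUIREMENTS_AFTER = '''
requests>=2.9
'''
FIXED_VERSION = (2, 3)  # first cryptography release not affected, per the linked NVD entry


def _ver(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def marker_applies(marker, python_version):
    """Evaluate the single marker form used here: python_full_version <op> "x.y.z"."""
    if not marker.strip():
        return True
    m = re.fullmatch(r'\s*python_full_version\s*(<=|>=|==|<|>)\s*"([\d.]+)"\s*', marker)
    if not m:
        raise ValueError("unsupported marker: %r" % marker)
    lhs, op, rhs = _ver(python_version), m.group(1), _ver(m.group(2))
    return {"<=": lhs <= rhs, ">=": lhs >= rhs, "==": lhs == rhs, "<": lhs < rhs, ">": lhs > rhs}[op]


def vulnerable_pins(requirements, python_version, package="cryptography", fixed=FIXED_VERSION):
    """Return the lines pinning `package` so that, on this interpreter, only versions below `fixed` install."""
    hits = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        spec, _, marker = line.partition(";")
        m = re.fullmatch(r'([A-Za-z0-9_.-]+)\s*(.*)', spec.strip())
        if not m or m.group(1).lower() != package or not marker_applies(marker, python_version):
            continue
        for clause in m.group(2).split(","):
            c = re.fullmatch(r'\s*(<=|>=|==|<|>|~=|!=)\s*([\d.]+)\s*', clause)
            if not c:
                continue
            op, bound = c.group(1), _ver(c.group(2))
            # An upper bound at or below the fixed release means the fix can never be installed.
            if (op == "<" and bound <= fixed) or (op in ("<=", "==") and bound < fixed):
                hits.append(line)
                break
    return hits
```

On a Python 2.7.6 interpreter the 'before' file is flagged while a newer 2.7.x is not, because the marker excludes it; the 'after' file is clean for every version.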

Thanks @Dalba.

@Aklapper Can you make this task visible, now that it is resolved?

Thanks.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 8 2018, 2:14 PM
Bawolff subscribed.

Thanks @Dalba.

@Aklapper Can you make this task visible, now that it is resolved?

Thanks.

Should be visible now