Hue Aquascan CVEs #1095
Conversation
… identified vulnerabilities - Adding Django-1.11.29
… identified vulnerabilities - Removing Django-1.11.22
…missing in mako context' (cherry picked from commit cf717de)
…_HOST contains multiple hosts (cherry picked from commit 26e5f7a)
… identified vulnerabilities - Adding cryptography-2.9 - Removing cryptography-2.1.4
… identified vulnerabilities - Adding MarkupSafe-1.1.1 - Removing MarkupSafe-0.9.3
… identified vulnerabilities - Adding PyYAML-5.3.1 - Removing PyYAML-3.12
… identified vulnerabilities - Adding requests-2.23.0 - Removing requests-2.18.4
… identified vulnerabilities - Adding urllib3-1.22 - Removing urllib3-1.25.8
… identified vulnerabilities - Adding requests-kerberos-0.12.0 - Removing requests-kerberos-0.6.1
…tion library fails to authenticate Kerberos requests to the same destination. The current Python requests Kerberos library fails generating the GSSAPI authentication token with Kerberos for the host which runs multiple kerberised
Testing Done:
- Manual testing - using multiple load generator scripts
- Tested on different cluster with Python 2.6 and Python 2.7
… identified vulnerabilities - Adding MarkupPy-1.14
… identified vulnerabilities - Adding tablib-0.14.0 - Removing tablib-0.10.0
… identified vulnerabilities - Adding odfpy-1.4.1
… identified vulnerabilities - Adding openpyxl-2.6.4 - Removing openpyxl-2.3.0-b2 - Removing openpyxl-2.5.3
… identified vulnerabilities - Adding pysaml2-4.9.0 - Removing pysaml2-4.4.0
This is also tracked by IdentityPython/pysaml2#278. This patch adds support for SAML certificates that are protected with a password. The way it does so is with a bit of trickiness, due to the fact that `xmlsec1`, the external program that pysaml2 uses to sign the XML requests, does not have great support for password-protected certificates. It either supports passing in the password on the command line (which is not safe, since someone else on the machine could see the password), or through an interactive prompt. The proper way to fix this would be to update pysaml2 to use another xmlsec library, but implementing that may take some time. In the short/medium term, this patch implements this instead by decrypting the certificate in memory and passing the decrypted certificate to xmlsec1 through a named pipe. This protects us from the decrypted certificate ever hitting the disk. Unfortunately, this solution is only portable to POSIX-compatible platforms. That is fine for Hue, but it probably means we cannot push this patch to the upstream pysaml2 repository. This patch will tide us over until the upstream project switches to a better xmlsec library.
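The named-pipe handoff that commit describes, as an added illustration that is not Hue's or pysaml2's own code: the caller is assumed to have already decrypted the key in memory, `xmlsec1` is stood in for by a small Python consumer so the block runs on any POSIX system, and the `{key}` token, `run_with_key_fifo`, `CONSUMER` and `demo` are names chosen here. The FIFO lives in a 0700 directory with 0600 permissions, a still-encrypted key is refused, and a consumer that never opens the pipe does not leave the writer thread blocked forever.

```python
import os
import subprocess
import sys
import tempfile
import threading

def run_with_key_fifo(cmd_template, key_pem, timeout=60):
    """Run cmd_template (a list; "{key}" becomes the FIFO path) while the already
    decrypted PEM key is fed to it via a named pipe, so it never hits the disk."""
    if b"ENCRYPTED" in key_pem:
        raise ValueError("key is still encrypted: decrypt it in memory first")
    tmpdir = tempfile.mkdtemp(prefix="saml-key-")   # created with mode 0700
    fifo = os.path.join(tmpdir, "key.pem")
    os.mkfifo(fifo, 0o600)                           # only our uid can open it
    errors = []

    def feed():
        try:
            with open(fifo, "wb") as pipe:           # blocks until a reader opens
                pipe.write(key_pem)
        except OSError as exc:                       # e.g. EPIPE if the reader quit
            errors.append(exc)

    writer = threading.Thread(target=feed, daemon=True)
    writer.start()
    cmd = [fifo if arg == "{key}" else arg for arg in cmd_template]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout)
    finally:
        if writer.is_alive():
            # Consumer never opened the pipe: hold a non-blocking read end open so
            # the writer can finish (a key-sized payload fits the pipe buffer).
            rfd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)
            writer.join(timeout=5)
            os.close(rfd)
        os.unlink(fifo)
        os.rmdir(tmpdir)

# Stand-in consumer for xmlsec1: report whether the path is a FIFO, then echo it.
CONSUMER = [sys.executable, "-c",
            "import os, stat, sys; p = sys.argv[1];"
            "print('FIFO=%s' % stat.S_ISFIFO(os.stat(p).st_mode));"
            "sys.stdout.write(open(p).read())", "{key}"]
# Constructed placeholder standing in for a key decrypted in memory (not a real key).
FAKE_DECRYPTED_PEM = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"

def demo():
    proc = run_with_key_fifo(CONSUMER, FAKE_DECRYPTED_PEM)
    return proc.returncode, proc.stdout
```

With a real consumer the template would be something like `["xmlsec1", "--sign", "--privkey-pem", "{key}", "request.xml"]`; the plaintext key is only ever readable through the pipe by the process that opens it.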
… identified vulnerabilities - Adding chardet-3.0.4
… identified vulnerabilities - Adding pycryptodomex-3.9.7 - Removing pycrypto-2.6.1 - Removing pycryptodomex-3.4.7
+1 Ship it!
To make sure we don't miss any backports, should we:
submit pull requests again to their components
add some basic tests
?
(It does not need to be all done now, but maybe a scope of all the tasks to do would be nice. FYI this would also help to prepare Python 3. With Python 3, as we just pip dependencies, we could fork them and point to ours if really needed.)