From 3b5a52287f7ecc47066b2fafab107b999c6252d2 Mon Sep 17 00:00:00 2001
From: "github.actions"
Date: Sat, 27 Jul 2024 08:04:51 +0000
Subject: [PATCH] Latest data: Sat Jul 27 08:04:51 UTC 2024
---
 audits/mentat-requirements.audit.json | 5 +++--
 requirements/datalad-requirements.txt | 10 +++++-----
 requirements/parliament-requirements.txt | 8 ++++----
 requirements/tartufo-requirements.txt | 2 +-
 4 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json
index 858ee925..5525b8d3 100644
--- a/audits/mentat-requirements.audit.json
+++ b/audits/mentat-requirements.audit.json
@@ -694,7 +694,7 @@
 ],
 "vulnerabilities": [
 {
- "modified": "2024-07-18T20:01:22Z",
+ "modified": "2024-07-26T22:12:12Z",
 "published": "2024-07-18T17:18:46Z",
 "schema_version": "1.6.0",
 "id": "GHSA-g92j-qhmh-64v2",
@@ -702,7 +702,7 @@ "CVE-2024-40647" ], "summary": "Sentry's Python SDK unintentionally exposes environment variables to subprocesses", - "details": "### Impact\n\nThe bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={}` setting.\n\n### Details\n\nIn Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls, like in this example:\n\n```\n>>> subprocess.check_output([\"env\"], env={\"TEST\":\"1\"})\nb'TEST=1\\n'\n```\n\nIf you'd want to not pass any variables, you can set an empty dict:\n\n```\n>>> subprocess.check_output([\"env\"], env={})\nb''\n```\n\nHowever, the bug in Sentry SDK <2.8.0 causes **all environment variables** to be passed to the subprocesses when `env={}` is set, unless the Sentry SDK's [Stdlib](https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib) integration is disabled. The Stdlib integration is enabled by default.\n\n### Patches\nThe issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in [sentry-sdk==2.8.0](https://github.com/getsentry/sentry-python/releases/tag/2.8.0).\n\n### Workarounds\n\nWe strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:\n\n1. In your application, replace `env={}` with the minimal dict `env={\"EMPTY_ENV\":\"1\"}` or similar.\n\nOR\n\n2. 
Disable Stdlib integration:\n```\nimport sentry_sdk\n\n# Should go before sentry_sdk.init\nsentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove(\"sentry_sdk.integrations.stdlib.StdlibIntegration\")\n\nsentry_sdk.init(...)\n```\n\n### References\n* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)\n* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)\n* Patch https://github.com/getsentry/sentry-python/pull/3251 \n", + "details": "### Impact\n\nThe bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={}` setting.\n\n### Details\n\nIn Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls, like in this example:\n\n```\n>>> subprocess.check_output([\"env\"], env={\"TEST\":\"1\"})\nb'TEST=1\\n'\n```\n\nIf you'd want to not pass any variables, you can set an empty dict:\n\n```\n>>> subprocess.check_output([\"env\"], env={})\nb''\n```\n\nHowever, the bug in Sentry SDK <2.8.0 causes **all environment variables** to be passed to the subprocesses when `env={}` is set, unless the Sentry SDK's [Stdlib](https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib) integration is disabled. The Stdlib integration is enabled by default.\n\n### Patches\nThe issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in [sentry-sdk==2.8.0](https://github.com/getsentry/sentry-python/releases/tag/2.8.0). The fix was also backported to [sentry-sdk==1.45.1](https://github.com/getsentry/sentry-python/releases/tag/1.45.1).\n\n### Workarounds\n\nWe strongly recommend upgrading to the latest SDK version. 
However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:\n\n1. In your application, replace `env={}` with the minimal dict `env={\"EMPTY_ENV\":\"1\"}` or similar.\n\nOR\n\n2. Disable Stdlib integration:\n```\nimport sentry_sdk\n\n# Should go before sentry_sdk.init\nsentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove(\"sentry_sdk.integrations.stdlib.StdlibIntegration\")\n\nsentry_sdk.init(...)\n```\n\n### References\n* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)\n* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)\n* Patch https://github.com/getsentry/sentry-python/pull/3251 \n",
 "affected": [
 {
 "package": {
@@ -919,6 +919,7 @@
 "1.44.0",
 "1.44.1",
 "1.45.0",
+ "1.45.1",
 "1.5.0",
 "1.5.1",
 "1.5.10",
diff --git a/requirements/datalad-requirements.txt b/requirements/datalad-requirements.txt
index 12afdbbf..43f6c605 100644
--- a/requirements/datalad-requirements.txt
+++ b/requirements/datalad-requirements.txt
@@ -1,14 +1,14 @@
 annexremote==1.6.5
 backports-tarfile==1.2.0
-boto3==1.34.138
-botocore==1.34.138
+boto3==1.34.149
+botocore==1.34.149
 chardet==5.2.0
 charset-normalizer==3.3.2
 distro==1.9.0
 fasteners==0.19
-humanize==4.9.0
+humanize==4.10.0
 idna==3.7
-importlib-metadata==8.0.0
+importlib-metadata==8.2.0
 iso8601==2.1.0
 jaraco-classes==3.4.0
 jaraco-context==5.3.0
@@ -24,7 +24,7 @@ packaging==24.1
 patool==2.3.0
 platformdirs==4.2.2
 python-dateutil==2.9.0.post0
-python-gitlab==4.7.0
+python-gitlab==4.8.0
 requests==2.32.3
 requests-toolbelt==1.0.0
 s3transfer==0.10.2
diff --git a/requirements/parliament-requirements.txt b/requirements/parliament-requirements.txt
index 7db58422..0820d1d1 100644
--- a/requirements/parliament-requirements.txt
+++ b/requirements/parliament-requirements.txt
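Review bot: The `+ "1.45.1",` added in the `@@ -919,6 +919,7 @@` hunk enumerates sentry-sdk 1.45.1 as an affected version of GHSA-g92j-qhmh-64v2, while the updated `details` text in the preceding hunk states that the fix was backported to sentry-sdk==1.45.1. The enclosing `affected` entry and its `ranges` start outside the hunk, so this may simply be the upstream OSV export listing every release below 2.8.0; either way, any consumer that matches on the `versions` array will keep reporting 1.45.1 as vulnerable after the backport. Since this file is regenerated by the CI job, the correction belongs in the upstream advisory data or in the audit tooling's range handling rather than in this commit, but the discrepancy is worth confirming against the GHSA record before this list is relied on for triage.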
@@ -1,11 +1,11 @@
-boto3==1.34.128
-botocore==1.34.128
+boto3==1.34.149
+botocore==1.34.149
 jmespath==1.0.1
 json-cfg==0.4.2
 kwonly-args==1.0.10
 python-dateutil==2.9.0.post0
 pyyaml==6.0.1
-s3transfer==0.10.1
-setuptools==70.0.0
+s3transfer==0.10.2
+setuptools==71.1.0
 six==1.16.0
 urllib3==2.2.2
diff --git a/requirements/tartufo-requirements.txt b/requirements/tartufo-requirements.txt
index 88046e90..41ed573c 100644
--- a/requirements/tartufo-requirements.txt
+++ b/requirements/tartufo-requirements.txt
@@ -3,4 +3,4 @@ click==8.1.7
 gitdb==4.0.11
 gitpython==3.1.43
 smmap==5.0.1
-tomlkit==0.11.8
+tomlkit==0.13.0