Check Packages for Installed Malicious Packages
Build: #72 failed
Job: Check For Known Vulnerabilities Macos 12 Py 3.10 failed
Job result summary
- Completed
- Duration
- 3 minutes
- Agent
- hybrid.cv.nrao.edu (2)
- Total tests
- 71
- Number of retries
- 1
Tests
- 71 tests in total
- 4 tests failed
- 4 failures are new
- < 1 second taken in total.
Status | Test | Duration | |
---|---|---|---|
Collapse |
pip
v_22_3_1
|
< 1 sec | |
When installing a package from a Mercurial VCS URL (ie pip install hg+...) with pip prior to v23.3 the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (ie --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who arent installing from Mercurial. When installing a package from a Mercurial VCS URL (ie pip install hg+...) with pip prior to v23.3 the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (ie --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who arent installing from Mercurial. |
|||
Collapse |
protobuf
v_3_20_1
|
< 1 sec | |
Summary A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message which could lead to a denial of service (DoS) on services using the libraries. Reporter: ClusterFuzz(https://google.github.io/clusterfuzz/) Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below. Summary A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message which could lead to a denial of service (DoS) on services using the libraries. Reporter: ClusterFuzz(https://google.github.io/clusterfuzz/) Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below. |
|||
Collapse |
setuptools
v_65_5_0
|
< 1 sec | |
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in packageindex.py. Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in packageindex.py. |
|||
Collapse |
urllib3
v_1_26_6
|
< 1 sec | |
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesnt treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP that is the responsibility of the user. However it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesnt disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. urllib3 is a user-friendly HTTP client library for Python. urllib3 doesnt treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP that is the responsibility of the user. However it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesnt disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. |
Error summary
The build generated some errors. See the full build log for more details.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 6554k 100 6554k 0 0 49.9M 0 --:--:-- --:--:-- --:--:-- 51.6M
[46065] Failed to execute script 'atlutil' due to unhandled exception!
Traceback (most recent call last):
File "atlutil.py", line 200, in <module>
File "atlutil.py", line 165, in has_fix_version
KeyError: 'fields'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 201 100 201 0 0 2766 0 --:--:-- --:--:-- --:--:-- 2913
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 511 100 511 0 0 7430 0 --:--:-- --:--:-- --:--:-- 7861
[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip
[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip
Found 6 known vulnerabilities in 4 packages
Cloning into 'casa-build-utils'...
Switched to a new branch 'CAS-14256'
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 6554k 100 6554k 0 0 49.9M 0 --:--:-- --:--:-- --:--:-- 51.6M
[46065] Failed to execute script 'atlutil' due to unhandled exception!
Traceback (most recent call last):
File "atlutil.py", line 200, in <module>
File "atlutil.py", line 165, in has_fix_version
KeyError: 'fields'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 201 100 201 0 0 2766 0 --:--:-- --:--:-- --:--:-- 2913
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 511 100 511 0 0 7430 0 --:--:-- --:--:-- --:--:-- 7861
[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip
[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip
Found 6 known vulnerabilities in 4 packages
Cloning into 'casa-build-utils'...
Switched to a new branch 'CAS-14256'