Build: #5 failed

Job: ZZ - Check For Known Vulnerabilities ManyLinux2014 Python 3.10 failed

Job result summary

Completed
Duration
4 minutes
Agent
cbt-el7-10.cv.nrao.edu
Total tests
71

Tests

  • 71 tests in total
  • 4 tests failed
  • 4 failures are new
  • < 1 second taken in total.
New test failures 4
Status Test Duration
Collapse Failed pip v_22_3_1 History
< 1 sec
When installing a package from a Mercurial VCS URL  (ie pip install  hg+...) with pip prior to v23.3 the specified Mercurial revision could  be used to inject arbitrary configuration options to the hg clone  call (ie --config). Controlling the Mercurial configuration can modify  how and which repository is installed. This vulnerability does not  affect users who arent installing from Mercurial. 
When installing a package from a Mercurial VCS URL  (ie pip install  hg+...) with pip prior to v23.3 the specified Mercurial revision could  be used to inject arbitrary configuration options to the hg clone  call (ie --config). Controlling the Mercurial configuration can modify  how and which repository is installed. This vulnerability does not  affect users who arent installing from Mercurial. 
Collapse Failed protobuf v_3_20_1 History
< 1 sec
 Summary  A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message which could lead to a denial of service (DoS) on services using the libraries.  Reporter: ClusterFuzz(https://google.github.io/clusterfuzz/)  Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.  
 Summary  A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message which could lead to a denial of service (DoS) on services using the libraries.  Reporter: ClusterFuzz(https://google.github.io/clusterfuzz/)  Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.  
Collapse Failed setuptools v_65_5_0 History
< 1 sec
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in packageindex.py.
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in packageindex.py.
Collapse Failed urllib3 v_1_26_6 History
< 1 sec
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesnt treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP that is the responsibility of the user. However it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesnt disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesnt treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP that is the responsibility of the user. However it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesnt disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Error summary

The build generated some errors. See the full build log for more details.

Error response from daemon: No such container: wheel-container-test
Error response from daemon: No such container: wheel-container-test
fatal: could not read Username for 'https://open-bitbucket.nrao.edu': No such device or address
cat: /home/casatest/.casa/toolrc.py: No such file or directory
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: pip install --upgrade pip
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.3.1 -> 24.3.1
[notice] To update, run: pip install --upgrade pip
Found 6 known vulnerabilities in 4 packages
Switched to a new branch 'CAS-14256'