
[#52] Fix CVE-2023-40217. #53

Merged
merged 10 commits into from
Oct 13, 2023

Conversation

dumol
Contributor

@dumol dumol commented Oct 6, 2023

Scope

Fixes #52

Changes

Updates the Python version used to 3.11.6 to fix CVE-2023-40217.

Drive-by changes:

  • Updates OpenSSL to 3.1.3 for Python's ssl to fix CVE-2023-4807 (where built from sources).
  • Updates cryptography to version 41.0.4 with OpenSSL 3.1.3 to fix CVE-2023-4807.
  • Updates SQLite to version 3.43.1 fixing CVE-2023-36191 and CVE-2021-31239.
  • Updates other Python modules to their latest versions: setuptools to 68.2.2, cffi to 1.16.0, setproctitle to 1.3.3, charset_normalizer to 3.3.0.

Testing

Review changes.

Check the automated tests.
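A runtime check for the version floors this PR establishes, as an added example that is not SFTPPlus/pythia project code. The floors and the CVE each one closes are taken from the PR description above; the function names, the order of findings and the way the live versions are read are this example's own assumptions. It also handles the caveat implied by "cryptography 41.0.4 with OpenSSL 3.1.3": a cryptography wheel bundles its own OpenSSL, so the version reported by Python's ssl module says nothing about the OpenSSL that cryptography uses, and both are checked separately.

```python
"""Runtime version-floor check for the pins in this PR.

Added example, not SFTPPlus/pythia project code. The version floors and the
CVE they fix are taken from the PR description; the function names, the
ordering of findings and the way live versions are read are this example's
own assumptions.
"""
import re
import sqlite3
import ssl
import sys

# component -> (minimum version, CVEs the PR says that version fixes)
FLOORS = {
    "python": ((3, 11, 6), ["CVE-2023-40217"]),
    "openssl": ((3, 1, 3), ["CVE-2023-4807"]),
    "cryptography": ((41, 0, 4), ["CVE-2023-4807"]),
    # cryptography wheels bundle their own OpenSSL; checked separately below
    "cryptography_openssl": ((3, 1, 3), ["CVE-2023-4807"]),
    "sqlite": ((3, 43, 1), ["CVE-2023-36191", "CVE-2021-31239"]),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first dotted numeric version in `text` as a 3-tuple of ints,
    padding a missing patch level with 0, e.g. 'OpenSSL 3.1.3 19 Sep 2023'
    -> (3, 1, 3). Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def check_floors(observed, floors=FLOORS):
    """Compare observed versions against the floors.

    `observed` maps component -> version tuple, or None when unknown.
    Returns a list of (component, observed, minimum, cves) findings in
    FLOORS order; an empty list means every component meets its floor.
    Unknown components are reported rather than silently treated as patched.
    """
    findings = []
    for name, (minimum, cves) in floors.items():
        version = observed.get(name)
        if version is None or tuple(version) < minimum:
            findings.append((name, version, minimum, cves))
    return findings


def observed_versions():
    """Read live versions from this interpreter.

    ssl.OPENSSL_VERSION describes the OpenSSL linked into Python's ssl module
    only. A cryptography wheel carries its own OpenSSL, so that one is read
    from cryptography's backend (assumed to expose openssl_version_text();
    both cryptography entries stay None when it is not installed).
    """
    observed = {
        "python": tuple(sys.version_info[:3]),
        "openssl": parse_version(ssl.OPENSSL_VERSION),
        "cryptography": None,
        "cryptography_openssl": None,
        "sqlite": tuple(sqlite3.sqlite_version_info),
    }
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
        observed["cryptography"] = parse_version(cryptography.__version__)
        observed["cryptography_openssl"] = parse_version(backend.openssl_version_text())
    except (ImportError, AttributeError):
        pass
    return observed


if __name__ == "__main__":
    # Print one line per component that is below its floor (or unknown).
    for name, version, minimum, cves in check_floors(observed_versions()):
        have = ".".join(map(str, version)) if version else "unknown"
        need = ".".join(map(str, minimum))
        print(f"{name}: have {have}, need >= {need} ({', '.join(cves)})")
```

Running the script on a build that still ships the old pins prints one line per component that is below its floor; a clean run prints nothing. Because a missing component is reported rather than skipped, an environment without cryptography installed is flagged as unknown instead of passing by default.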

@dumol dumol added the security label Oct 6, 2023
@dumol dumol self-assigned this Oct 6, 2023
Member

@adiroiban adiroiban left a comment


I know this is not yet ready for review.

So far, it looks good.
Many thanks.
Only minor comments.

@@ -94,3 +95,74 @@ jobs:
with:
sudo: false
limit-access-to-actor: true

linux-arm64:
runs-on: laja
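Review bot: `runs-on: laja` is a custom runner label, so this job only runs on a self-hosted machine, and nothing in the visible hunk records which host provides that label or that it must be a Linux host, even though the `linux-arm64` job name implies Linux; add a short comment beside it, e.g. `runs-on: laja  # self-hosted Linux arm64 host`, so the platform requirement is documented next to the label.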
Member


I think it is best to start a Linux container on macOS, run the action runner inside the container, and then have this job run.

Contributor Author


True, the support for launching containers from GitHub's runner is exclusive to Linux.

For later reference, on macOS it errors out with: Error: Container operations are only supported on Linux runners

@dumol
Contributor Author

dumol commented Oct 13, 2023

The 3.11.6.b5ae34b testing packages are already used in SFTPPlus 4.33.0.

To avoid their automatic removal, they've been copied manually to production at https://bin.chevah.com:20443/production/3.11.6.b5ae34b/ without being released through GitHub releases.

@dumol dumol merged commit 5f60fbc into master Oct 13, 2023
5 checks passed
@dumol dumol deleted the 52-CVE-2023-40217-fix branch October 13, 2023 11:22
@dumol dumol restored the 52-CVE-2023-40217-fix branch October 13, 2023 11:22
@dumol dumol deleted the 52-CVE-2023-40217-fix branch September 27, 2024 13:39
Development

Successfully merging this pull request may close these issues.

Fix CVE-2023-40217.
3 participants