
Security Vulnerability CVE-2022-40899 on future 0.18.2 #612

Closed
donfiguerres opened this issue Jan 3, 2023 · 7 comments

Comments

@donfiguerres

donfiguerres commented Jan 3, 2023

Hello! We got a security vulnerability warning in our builds due to our dependency on future 0.18.2.

Description:
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server.

https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215

The report has a link to a pull request that fixed a similar issue in CPython:
python/cpython#17157
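A defender-side check that follows from this report (an added example, not code from the python-future project or from anyone in this thread): it scans a pinned requirements list for a `future` pin older than 0.18.3, the release this thread names as carrying the backported fix, and can also report the version installed in the running interpreter. The sample requirements text is constructed, and the parser only understands `name==version` pins; both are assumptions of this snippet.

```python
"""Flag a pinned `future` dependency that predates the 0.18.3 fix for CVE-2022-40899."""
import re

# First release that the thread reports as containing the cookiejar fix.
FIXED_VERSION = (0, 18, 3)

# Assumption of this example: only exact `name==version` pins are recognised,
# with an optional trailing comment.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(text):
    """Turn '0.18.2' into (0, 18, 2); a non-numeric tail such as 'rc1' ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_future(name, version):
    """True when the pin names the `future` package at a version below the fix."""
    normalised = name.lower().replace("_", "-")
    return normalised == "future" and parse_version(version) < FIXED_VERSION


def scan_requirements(lines):
    """Return [(line_number, version), ...] for every vulnerable `future` pin."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = _PIN_RE.match(line)
        if not m:
            continue  # comments, blank lines, unpinned or range specifiers are skipped
        name, version = m.groups()
        if is_vulnerable_future(name, version):
            findings.append((number, version))
    return findings


def installed_future_version():
    """Version of `future` installed in this interpreter, or None if it is absent."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8 has no importlib.metadata
        return None
    try:
        return version("future")
    except PackageNotFoundError:
        return None


# Constructed sample: a lock-style requirements file with an inherited `future` pin.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
future==0.18.2   # transitive pin inherited from an old dependency
six==1.16.0
"""

if __name__ == "__main__":
    fixed = ".".join(map(str, FIXED_VERSION))
    for number, version in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {number}: future=={version} is below {fixed} (CVE-2022-40899)")
    installed = installed_future_version()
    if installed is not None and is_vulnerable_future("future", installed):
        print(f"installed future {installed} is also below {fixed}")
```

Any `future` pin that this reports should either be bumped to 0.18.3 or, as later comments in the thread suggest, dropped entirely once no dependency still needs it.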

@IsmaelMartinez

seems like there is already a PR open for this #610

@Erriez

Erriez commented Jan 4, 2023

Is there also a release plan for users to update from v0.18.2?

@ghost

ghost commented Jan 5, 2023

> Is there also a release plan for users to update from v0.18.2?

v0.18.2 was released on Jun 13, 2020… #610 mentions that the project is more or less dead. It is supposed to help moving from Python 2 to 3. Python 2 has been dead for a long time. It might be better to just remove all references to this library from your code. Of course, this is made harder if some dependency of yours uses it.

`poetry show --tree --why future` can give you a list, providing you use poetry.

@Erriez

Erriez commented Jan 5, 2023

> It might be better to just remove all references to this library from your code.

@ygworldr Thanks for your suggestion. Problem solved by updating packages in my project, and no need for future anymore.

@sfdye
Collaborator

sfdye commented Jan 12, 2023

Backport merged in #610

@skshetry

Does this vulnerability have an effect on Python 3?

The docs say:

> The imports have no effect on Python 3.

@sfdye
Collaborator

sfdye commented Jan 13, 2023

0.18.3 released!
https://pypi.org/project/future/0.18.3/

@sfdye sfdye closed this as completed Jan 13, 2023