-
-
Notifications
You must be signed in to change notification settings - Fork 767
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade v2 dependencies to address recent security vulnerabilities like CVE-2024-34069 in werkzeug #1969
Comments
Kudos to @mfmarche who opened this PR https://github.com/spec-first/connexion/pull/1967/files |
People asked the Werkzeug maintainers for a fix to the 2024 CVE in their v2 release, and they declined. They explained that the vulnerability can be completely avoided by explicitly disabling the debugger. That may be a viable workaround. Please see discussion here: pallets/werkzeug#2915 |
If you would please consider upgrading the V2 branch to Werkzeug version 2.3.8, even that would be a help, because it would address CVE-2023-46136 at minimal cost & disruption. |
Please see #1757
|
Thanks @RobbeSneyders for the warning about Werkzeug. Gotta start somewhere tho, I started by checking out branch "v2" and running tox, with absolutely no version updates at all. The result was not promising. For example:
And also:
Tox is configured to test against python 3.7, 3.8, 3.9; those are a bit out of date at this point. It would help if you can provide guidance. Is that the right branch? Are there some undocumented yet 100% required setup steps? Please comment. |
The first step would indeed be to get the tests green without any additional changes. The last v2 release was almost 2 years ago though, so I would not be surprised if the tests are broken due to dependencies. The test setup also changed quite a bit between v2 and v3, so I'm not very familiar anymore with how it was set up for v2. I just submitted a pipeline to check the v2 tests here and the first issue it runs into is the I would be happy to approve workflow runs on your PR so you can test them with github actions so you don't have to worry about your local setup. |
Here's the latest vulnerability identified in Werkzeug: CVE-2024-49767 |
Sorry I realized very late that this is basically a dupe of #1958 |
I installed python 3.9 and made the following minor changes. This lets the test suite I didn't yet attempt to change the version of
I don't see any way to pin to an old version of setuptools. Maybe that's the wrong thing to do anyhow?
|
I am trying to understand what |
For what it's worth, I dug thru the git history in branch v2 and found commit f55cb1c that still has file
|
tl;dr - it appears to me that changes in the package |
I recommend running the v2 test suite with the old version of setuptools and other test dependencies and fixing any failing tests. If the tests are green again, you can update the test setup. I would not try to do both at once. |
Ok I will keep trying to run the v2 test suite with the old setuptools. With the patches shown a couple comments above, tox runs
I found that sorting the tags in the /input/ to the function yields consistent sorted order in the message with both
|
The main goal was upgrading werkzeug for CVE-2024-34069. After switching to python 3.12, it proved more difficult with changes to setuptools, etc. I decided to pull the pyproject from the main, and utilize that, alone with updated dependencies. Small changes were needed in various api changes, notably: - flask change of request_ctx - swagger_ui_bundle version change, default_template_dir change - aiohttp middleware api slightly changed - flask json change, using flask.json.provider I believe these changes will have minimal impact to users, but the changes are likely breaking for some, specifically, the move to latest flask. fixes spec-first#1969 Signed-off-by: Mike Marchetti <[email protected]>
@chrisinmtown see my MR: #1992 . I haven't tested on py311, but I don't anticipate it being a problem. |
Please patch version 2 security issues for us long-time loyal users! I really do want to upgrade to Connexion v3 but that path is long & windy. Current security vulnerabilities are critical.
Description
Connexion 2.x with Flask is flagged for vulnerabilities in the
werkzeug
library version < 3.0.6:The version that addresses al problems is 3.0.6, but that is a disruptive change. A version that addresses the 2023 CVS is 2.3.8.
Expected behaviour
Security scans of Connexion/Flask dependencies yield no CVE numbers
Actual behaviour
Security scans of Connexion/Flask dependencies yield the issues listed above
Steps to reproduce
Let the Github security check run on a requirements.txt file
Additional info:
Just for the record, here are the dependencies from the Connexion V2 branch, which is what we're running from PyPI as 2.14.2:
The text was updated successfully, but these errors were encountered: