
There seems to be a security vulnerability related to an outdated python package #101

Open
kurtwheeler opened this issue Aug 7, 2018 · 2 comments

Comments

@kurtwheeler
Member

@cgreene received the following notice:

Project Cognoma organization
Warning!
cognoma / core-service

Known security vulnerabilities detected
Dependency: pycrypto, version <=2.6.1
Vulnerabilities: CVE-2018-6594, moderate severity
Defined in requirements.txt

It seems like this could be as simple as updating pycrypto and redeploying.

@kurtwheeler
Member Author

Looks like the fix is to replace pycrypto with pycryptodome: pycrypto/pycrypto#253 (comment)

@kurtwheeler
Member Author

It looks like it might only be listed as a dependency and not actually used:

kurt@kurtputer:~/Development/cognoma/core-service$ ggrep pycrypto
requirements.txt:32:pycrypto==2.6.1
kurt@kurtputer:~/Development/cognoma/core-service$ ggrep Crypto
requirements.txt:6:cryptography==1.5.2
requirements.txt:32:pycrypto==2.6.1

However, it's hard to tell if it's actually being used by another dependency...
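An added example for checking that last point (not code from the cognoma/core-service repository): it walks the metadata pip records for installed distributions and reports every one that requires pycrypto, directly or through another package, so a grep hit on the unrelated `cryptography` package is not mistaken for a real pycrypto user. The sample dependency graph below is constructed for illustration; `installed_graph()` builds the same structure from the current virtualenv.

```python
"""List installed distributions that depend on a package, transitively."""
import re
from importlib import metadata  # Python 3.8+, reads pip's installed METADATA files

# A Requires-Dist value looks like "PyCrypto (>=2.1) ; extra == 'ssh'";
# only the leading distribution name matters for reverse-dependency lookup.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'PyCrypto', 'pycrypto' and 'py_crypto' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req):
    """Return the normalised distribution name named by a requirement string."""
    match = _NAME_RE.match(req)
    return normalize(match.group(1)) if match else None


def reverse_dependencies(graph, target):
    """graph: {distribution: [requirement strings]}.
    Returns {distribution: chain} for every distribution that needs `target`,
    where chain is the list of names leading from it down to `target`."""
    target = normalize(target)
    requires = {
        normalize(dist): {n for n in map(requirement_name, reqs) if n}
        for dist, reqs in graph.items()
    }
    chain = {target: [target]}
    frontier = [target]
    while frontier:  # breadth-first walk up the reversed edges
        current = frontier.pop(0)
        for dist, names in requires.items():
            if current in names and dist not in chain:
                chain[dist] = [dist] + chain[current]
                frontier.append(dist)
    del chain[target]
    return chain


def installed_graph():
    """Build the graph from whatever is installed in the running interpreter."""
    return {d.metadata["Name"]: list(d.requires or []) for d in metadata.distributions()}


# Constructed sample: 'cryptography' matches a grep for "Crypto" but is unrelated.
SAMPLE_GRAPH = {
    "core-service": ["django (==1.10)", "pycrypto==2.6.1"],
    "ssh-helper": ["PyCrypto (>=2.1)"],        # hypothetical indirect user
    "deploy-tool": ["ssh-helper", "requests"],  # depends on pycrypto only via ssh-helper
    "requests": ["urllib3"],
    "cryptography": [],
}

if __name__ == "__main__":
    for dist, chain in reverse_dependencies(installed_graph(), "pycrypto").items():
        print(dist, "->", " -> ".join(chain))
```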
