
Update Jinja to 2.10.1 #4343

Closed
emkll opened this issue Apr 12, 2019 · 4 comments · Fixed by #4865

Comments


emkll commented Apr 12, 2019

Description

The version of Jinja used is vulnerable to CVE-2019-10906, see Pallets' advisory for more details.

Since neither SecureDrop nor Flask uses Jinja's SandboxedEnvironment, this vulnerability should not be exploitable on SecureDrop instances. It is however used in the development environment by Sphinx and mypy (but they don't use the format_map method that could be used to escape the sandbox).

Regardless, we should still update the dependency to ensure future functionality is secure and to reduce alert noise.
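As an added example (not code from this issue, SecureDrop or Pallets), a small requirements-file audit in the spirit of the dependency update discussed here: it flags `Jinja2==` pins below 2.10.1, reports range specifiers (whose installed version the file alone cannot tell) as unpinned, and handles hash-pinned entries that span backslash-continued lines. The sample requirements text is constructed.

```python
import re

FIXED_JINJA2 = (2, 10, 1)  # first Jinja2 release containing the CVE-2019-10906 fix

# Constructed sample pin list, not SecureDrop's real requirements file.
SAMPLE_REQUIREMENTS = """\
# dev requirements (constructed sample)
Flask==1.0.2
jinja2==2.10 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
MarkupSafe>=1.0
Sphinx==1.8.5
"""

_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|<|>)?\s*([0-9][0-9.]*)?")

def normalize(name):  # PEP 503 name normalisation: 'Jinja2' and 'jinja2' compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):  # '2.10' -> (2, 10, 0) so that it sorts below 2.10.1
    parts = [int(p) for p in text.strip().split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def iter_logical_lines(text):
    """Yield (first line number, joined text); hash pins use backslash continuations."""
    start, buf = None, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = start or lineno
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        start, buf = None, ""
    if buf:  # file ended on a continuation line
        yield start, buf

def audit_jinja_pins(requirements):
    """Return (line, version, status) per Jinja2 spec: '==' pins are 'vulnerable' or 'fixed', others 'unpinned'."""
    findings = []
    for lineno, line in iter_logical_lines(requirements):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _SPEC_RE.match(line) if line else None
        if not m or normalize(m.group(1)) != "jinja2":
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            status = "vulnerable" if parse_version(ver) < FIXED_JINJA2 else "fixed"
        else:
            status = "unpinned"  # range spec: installed version unknown from the file
        findings.append((lineno, ver or "", status))
    return findings
```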


redshiftzero commented Apr 15, 2019

upstream issue: ansible/molecule#1976

@redshiftzero

the 2.20.2 release of molecule can be used now

@redshiftzero

scratch that, that release is not from the main branch, it's from stable/2.20, which does not have the fix (ref: https://github.com/ansible/molecule/tree/stable/2.20)

@redshiftzero

we can now update to molecule 2.22 to resolve this: https://github.com/ansible/molecule/blob/2.22/setup.cfg#L84
