ContinuumIO / anaconda-issues

Anaconda issue tracking

Anaconda vulnerabilities #10131

Open Tagar opened 6 years ago

Tagar commented 6 years ago

safety output for Anaconda 4.4:

```
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 191 packages, using pyup.io's DB                                     │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ rope                       │ 0.9.4     │ <0.10                    │ 36155    │
│ pycrypto                   │ 2.6.1     │ <=2.6.1                  │ 35015    │
│ mistune                    │ 0.7.4     │ <0.8.1                   │ 36332    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 25846    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35693    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35694    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 25846    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35693    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35694    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 25846    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35693    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35694    │
│ flask                      │ 0.12.2    │ <0.12.3                  │ 36388    │
│ bleach                     │ 1.5.0     │ <2.1                     │ 34965    │
│ astropy                    │ 1.3.2     │ <3.0.1                   │ 35810    │
╘══════════════════════════════════════════════════════════════════════════════╛
```

Does Anaconda track all Python package vulnerabilities that are part of the Anaconda distro?

Is it part of Anaconda Enterprise perhaps?

Thanks.

msarahan commented 6 years ago

This is a feature that we're looking to add to Anaconda Enterprise soon. We have some prototype stuff that matches CVEs with our packages, allowing us to examine not just Python packages.

Note: we definitely do not patch old releases, so any vulnerabilities in Anaconda 4.4 will still be there. The component packages can be updated, but we do not patch and reissue old versions.
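Added example, not from the issue thread or from the safety or Anaconda projects: it parses the safety table posted above, drops the repeated rows, and re-checks each installed version against its affected range, the same kind of version-range matching msarahan describes. It assumes the box-drawing layout shown in the report and plain dotted-numeric versions (not full PEP 440).

```python
import operator
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    package: str
    installed: str
    affected: str
    vuln_id: str

# Constructed excerpt of the issue's table; the repeated html5lib rows are kept as printed.
SAMPLE_REPORT = """\
│ package                    │ installed │ affected                 │ ID       │
│ rope                       │ 0.9.4     │ <0.10                    │ 36155    │
│ pycrypto                   │ 2.6.1     │ <=2.6.1                  │ 35015    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 25846    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 35693    │
│ html5lib                   │ 0.999     │ <0.99999999              │ 25846    │
│ astropy                    │ 1.3.2     │ <3.0.1                   │ 35810    │
"""

def parse_report(text: str) -> List[Finding]:
    """Extract data rows from the box-drawing table, dropping duplicate (package, ID) pairs."""
    seen, findings = set(), []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) != 4 or cells[0] == "package":
            continue  # borders, the column header and the REPORT banner do not have 4 data cells
        f = Finding(*cells)
        if (f.package, f.vuln_id) not in seen:
            seen.add((f.package, f.vuln_id))
            findings.append(f)
    return findings

def _vtuple(v: str):  # assumption: plain dotted-numeric versions only, not full PEP 440
    return tuple(int(p) for p in v.split("."))
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq, ">": operator.gt, ">=": operator.ge}
def is_affected(installed: str, spec: str) -> bool:
    """True when `installed` satisfies every comma-separated clause of the affected range."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, ver = m.groups()
        if not _OPS[op](_vtuple(installed), _vtuple(ver)):
            return False
    return True

def confirmed_findings(text: str) -> List[Finding]:
    return [f for f in parse_report(text) if is_affected(f.installed, f.affected)]
```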

Tagar commented 6 years ago

Thanks a lot for the quick response, @msarahan. That's great that you'll be checking not only Python vulnerabilities and comparing against CVE vulnerabilities.