PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

security: cve-2024-22910 #1097

Closed misogihagi closed 10 months ago

misogihagi commented 10 months ago

https://github.com/advisories/GHSA-2mqj-m65w-jghx

lukehinds commented 10 months ago

@ericwb / @sigmavirus24 worth us getting a release out to turn off the noisy cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is used (we do in fact warn against it).
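The condition lukehinds points at (a subprocess-style call with `shell=True`) is exactly what a static check can flag before it ships. The following is an added illustration, not part of this thread and not bandit's own code: bandit's real check is the B602 plugin (`subprocess_popen_with_shell_equals_true`) and handles more cases, while this stand-in uses only the standard-library `ast` module. The `SAMPLE` source and the function names `find_shell_true`, `risky` and `safe` are constructed for the example.

```python
"""Simplified detector for subprocess calls that pass shell=True.

Added illustration, not bandit's code: bandit's real check is the B602
plugin and covers more cases; this shows the idea with the ast module.
"""
import ast

# Call targets that hand a command line to a shell when shell=True is set.
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _callee_name(node: ast.Call) -> str:
    """Return the attribute or bare name being called, e.g. 'Popen'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_shell_true(source: str) -> list[tuple[int, str]]:
    """Return (line, callee) for every subprocess-style call with shell=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in SUBPROCESS_FUNCS:
            continue
        for kw in node.keywords:
            # Only a literal True is flagged; a variable would need data-flow
            # analysis, which is out of scope for this illustration.
            if (kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append((node.lineno, name))
    return findings


# Constructed sample input: one risky call, one safe call using an argv list.
SAMPLE = '''
import subprocess

def risky(path):
    # shell=True: metacharacters in `path` are interpreted by the shell
    return subprocess.run("git -C " + path + " status", shell=True)

def safe(path):
    # argv list: `path` reaches git as one literal argument, no shell involved
    return subprocess.run(["git", "-C", path, "status"], check=True)
'''

if __name__ == "__main__":
    for line, callee in find_shell_true(SAMPLE):
        print(f"line {line}: {callee}(..., shell=True)")
```

The safe variant in the sample is the pattern the warning steers you toward: pass the program and its arguments as a list so that nothing in the arguments is ever parsed by a shell. Running the module on `SAMPLE` reports only the `risky` call.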

sigmavirus24 commented 10 months ago

> @ericwb / @sigmavirus24 worth us getting a release out to turn off the noisy cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is used (we do in fact warn against it).

It really doesn't feel worth it. Greater equal means reinstalling will get you the new version unless you otherwise have it constrained. And if you have it constrained you have the power to shut up those scanners that suck so very much

lukehinds commented 10 months ago

> @ericwb / @sigmavirus24 worth us getting a release out to turn off the noisy cve scanners, but I don't believe we are impacted. The exploit seems to only work when USE_SHELL or Shell=True is used (we do in fact warn against it).
>
> It really doesn't feel worth it. Greater equal means reinstalling will get you the new version unless you otherwise have it constrained. And if you have it constrained you have the power to shut up those scanners that suck so very much

I am inclined to agree. Let's roll it up in the next release.

I will close, but thanks for raising @misogihagi

lukehinds commented 10 months ago

Reopen (it was a PR, not an issue)

ericwb commented 10 months ago

We also don't support or test running Bandit on Windows, so this CVE doesn't apply.

sigmavirus24 commented 10 months ago

Fixing this by making gitpython an extra