liuliqiang / redisbeat

Celery Redis scheduler: dynamically add/modify/delete tasks from Celery.
MIT License

Problematic dependency on jsonpickle==1.2 #35

Closed pcoccoli closed 1 year ago

pcoccoli commented 3 years ago

Output from https://github.com/pyupio/safety:

safety check --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 200 packages, using default DB                                       |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| jsonpickle                 | 1.2       | <=1.4.1                  | 39319    |
+==============================================================================+
| Jsonpickle through 1.4.1 allows remote code execution during deserialization |
| of a malicious payload through the decode() function. See CVE-2020-22083.    |
+==============================================================================+

Can redisbeat work with a newer version of jsonpickle? setup.py requires that exact version: https://github.com/liuliqiang/redisbeat/blob/c1a9a4f1ed805f23fab99f731f4306aa24767877/setup.py#L75
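
The advisory above is about jsonpickle restoring objects, and calling callables, named inside the document it decodes, so any process that runs `jsonpickle.decode` on data that someone else can write (here: schedule entries read back from Redis) gives that writer code execution. The block below is an added example, not code from redisbeat, its author, or the reporter. It is a pre-decode guard: it parses the stored entry with the standard-library `json` module (which instantiates nothing), refuses any `py/` tag other than plain-container tags, and refuses any `py/object` whose class is not on an explicit allowlist, only then handing the untouched string to `jsonpickle.decode`. The tag names are jsonpickle's own wire vocabulary as I know it; the class allowlist and the sample entries are hypothetical and constructed for illustration.

```python
import json

# jsonpickle tags for plain containers/references that restore no code. These are
# jsonpickle's tag names as assumed here; verify them against the version you run.
ALLOWED_TAGS = frozenset({"py/tuple", "py/set", "py/seq", "py/id"})

# Dotted class names a redisbeat-style schedule entry legitimately references.
# Hypothetical allowlist for illustration: derive yours from entries your own app writes.
DEFAULT_ALLOWED_CLASSES = frozenset({
    "celery.schedules.schedule",
    "celery.schedules.crontab",
    "datetime.timedelta",
})


class UnsafePayload(ValueError):
    """Raised when a document carries a tag or class we refuse to let jsonpickle restore."""


def check_jsonpickle_payload(text, allowed_classes=DEFAULT_ALLOWED_CLASSES, max_depth=32):
    """Parse `text` with the stdlib json module (which never instantiates objects) and walk
    it, failing closed on any "py/" tag outside ALLOWED_TAGS and on any "py/object" whose
    class is not allowlisted. Returns the parsed document; the caller hands the original
    string to jsonpickle.decode only after this passes."""
    doc = json.loads(text)
    _walk(doc, allowed_classes, max_depth)
    return doc


def _walk(node, allowed_classes, depth):
    if depth < 0:
        raise UnsafePayload("nesting too deep")
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "py/object":
                if not isinstance(value, str) or value not in allowed_classes:
                    raise UnsafePayload("class not allowlisted: %r" % (value,))
            elif key.startswith("py/") and key not in ALLOWED_TAGS:
                # Deny by default: covers py/reduce, py/repr, py/function, py/type,
                # py/newargs, ... and any tag a future jsonpickle release might add.
                raise UnsafePayload("forbidden tag: %s" % key)
            _walk(value, allowed_classes, depth - 1)
    elif isinstance(node, list):
        for item in node:
            _walk(item, allowed_classes, depth - 1)
    # Strings, numbers, booleans and null carry no tags.


def is_safe(text, allowed_classes=DEFAULT_ALLOWED_CLASSES):
    """Boolean form of the check; malformed JSON is treated as unsafe too."""
    try:
        check_jsonpickle_payload(text, allowed_classes)
        return True
    except ValueError:
        return False


def guarded_decode(text, decoder, allowed_classes=DEFAULT_ALLOWED_CLASSES):
    """Run the check, then hand the untouched string to `decoder` (e.g. jsonpickle.decode)."""
    check_jsonpickle_payload(text, allowed_classes)
    return decoder(text)


# Constructed sample documents (not captured from a real redisbeat instance).
SAMPLE_OK = (
    '{"name": "nightly-cleanup", "task": "app.tasks.cleanup", '
    '"schedule": {"py/object": "datetime.timedelta", "days": 1}, '
    '"args": {"py/tuple": [1, 2]}, "kwargs": {}}'
)
# A reduce-style document: jsonpickle would call the referenced callable while restoring it.
SAMPLE_REDUCE = '{"py/reduce": [{"py/function": "builtins.print"}, {"py/tuple": ["hi"]}]}'
# An object of a class nobody allowlisted.
SAMPLE_UNKNOWN_CLASS = '{"name": "x", "schedule": {"py/object": "some.other.Klass"}}'

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("reduce", SAMPLE_REDUCE), ("class", SAMPLE_UNKNOWN_CLASS)):
        print(label, "accepted" if is_safe(doc) else "rejected")
    # Real use: entry = guarded_decode(redis_value, jsonpickle.decode)
```

This guard is defence in depth, not a substitute for moving off the pinned jsonpickle version: it only filters documents before they reach the library, and the allowlist has to be extended deliberately (for example if your stored entries use `py/state` for an allowlisted class) rather than loosened to whatever happens to be in Redis. The underlying exposure is whoever can write the redisbeat keys; restricting write access to the Redis instance closes that regardless of library version.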

liuliqiang commented 3 years ago

Thanks @pcoccoli. I will fix it in these days.

liuliqiang commented 1 year ago

Fixed in the latest version: 1.2.6.