search

miracum / ahd2fhir

A REST service for mapping text analysis results from Averbis Health Discovery to FHIR resources.
Apache License 2.0
8 stars 0 forks source link

chore(deps): bump dnspython from 2.6.0 to 2.6.1 in /tests/e2e #167

Closed dependabot[bot] closed 7 months ago

dependabot[bot] commented 7 months ago

Bumps dnspython from 2.6.0 to 2.6.1.

Release notes

Sourced from dnspython's releases.

dnspython 2.6.1

See What's New for details.

This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Changelog

Sourced from dnspython's changelog.

2.6.1

  • The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from failing over to TCP and causing the query to timeout #1053.
Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/miracum/ahd2fhir/network/alerts).
github-actions[bot] commented 7 months ago

Target ghcr.io/miracum/ahd2fhir:pr-167 (debian 12.5)

Show detailed table of vulnerabilities
Package ID Severity Installed Version Fixed Version
libc6 CVE-2010-4756 LOW 2.36-9+deb12u4
libc6 CVE-2018-20796 LOW 2.36-9+deb12u4
libc6 CVE-2019-1010022 LOW 2.36-9+deb12u4
libc6 CVE-2019-1010023 LOW 2.36-9+deb12u4
libc6 CVE-2019-1010024 LOW 2.36-9+deb12u4
libc6 CVE-2019-1010025 LOW 2.36-9+deb12u4
libc6 CVE-2019-9192 LOW 2.36-9+deb12u4
libexpat1 CVE-2023-52425 HIGH 2.5.0-1
libexpat1 CVE-2023-52426 LOW 2.5.0-1
libexpat1 CVE-2024-28757 LOW 2.5.0-1
libgcc-s1 CVE-2023-4039 MEDIUM 12.2.0-14
libgcc-s1 CVE-2022-27943 LOW 12.2.0-14
libgomp1 CVE-2023-4039 MEDIUM 12.2.0-14
libgomp1 CVE-2022-27943 LOW 12.2.0-14
libgssapi-krb5-2 CVE-2024-26458 HIGH 1.20.1-2+deb12u1
libgssapi-krb5-2 CVE-2024-26461 HIGH 1.20.1-2+deb12u1
libgssapi-krb5-2 CVE-2024-26462 HIGH 1.20.1-2+deb12u1
libgssapi-krb5-2 CVE-2018-5709 LOW 1.20.1-2+deb12u1
libk5crypto3 CVE-2024-26458 HIGH 1.20.1-2+deb12u1
libk5crypto3 CVE-2024-26461 HIGH 1.20.1-2+deb12u1
libk5crypto3 CVE-2024-26462 HIGH 1.20.1-2+deb12u1
libk5crypto3 CVE-2018-5709 LOW 1.20.1-2+deb12u1
libkrb5-3 CVE-2024-26458 HIGH 1.20.1-2+deb12u1
libkrb5-3 CVE-2024-26461 HIGH 1.20.1-2+deb12u1
libkrb5-3 CVE-2024-26462 HIGH 1.20.1-2+deb12u1
libkrb5-3 CVE-2018-5709 LOW 1.20.1-2+deb12u1
libkrb5support0 CVE-2024-26458 HIGH 1.20.1-2+deb12u1
libkrb5support0 CVE-2024-26461 HIGH 1.20.1-2+deb12u1
libkrb5support0 CVE-2024-26462 HIGH 1.20.1-2+deb12u1
libkrb5support0 CVE-2018-5709 LOW 1.20.1-2+deb12u1
libncursesw6 CVE-2023-50495 MEDIUM 6.4-4
libncursesw6 CVE-2023-45918 LOW 6.4-4
libpython3.11-minimal CVE-2023-24329 HIGH 3.11.2-6
libpython3.11-minimal CVE-2023-41105 HIGH 3.11.2-6
libpython3.11-minimal CVE-2023-6597 HIGH 3.11.2-6
libpython3.11-minimal CVE-2023-27043 MEDIUM 3.11.2-6
libpython3.11-minimal CVE-2023-40217 MEDIUM 3.11.2-6
libpython3.11-minimal CVE-2024-0450 MEDIUM 3.11.2-6
libpython3.11-stdlib CVE-2023-24329 HIGH 3.11.2-6
libpython3.11-stdlib CVE-2023-41105 HIGH 3.11.2-6
libpython3.11-stdlib CVE-2023-6597 HIGH 3.11.2-6
libpython3.11-stdlib CVE-2023-27043 MEDIUM 3.11.2-6
libpython3.11-stdlib CVE-2023-40217 MEDIUM 3.11.2-6
libpython3.11-stdlib CVE-2024-0450 MEDIUM 3.11.2-6
libsqlite3-0 CVE-2023-7104 HIGH 3.40.1-2
libsqlite3-0 CVE-2024-0232 MEDIUM 3.40.1-2
libsqlite3-0 CVE-2021-45346 LOW 3.40.1-2
libssl3 CVE-2023-5678 MEDIUM 3.0.11-1~deb12u2
libssl3 CVE-2023-6129 MEDIUM 3.0.11-1~deb12u2
libssl3 CVE-2023-6237 MEDIUM 3.0.11-1~deb12u2
libssl3 CVE-2024-0727 MEDIUM 3.0.11-1~deb12u2
libssl3 CVE-2007-6755 LOW 3.0.11-1~deb12u2
libssl3 CVE-2010-0928 LOW 3.0.11-1~deb12u2
libssl3 CVE-2024-2511 LOW 3.0.11-1~deb12u2
libstdc++6 CVE-2023-4039 MEDIUM 12.2.0-14
libstdc++6 CVE-2022-27943 LOW 12.2.0-14
libtinfo6 CVE-2023-50495 MEDIUM 6.4-4
libtinfo6 CVE-2023-45918 LOW 6.4-4
libuuid1 CVE-2024-28085 HIGH 2.38.1-5+b1 2.38.1-5+deb12u1
libuuid1 CVE-2022-0563 LOW 2.38.1-5+b1
python3.11-minimal CVE-2023-24329 HIGH 3.11.2-6
python3.11-minimal CVE-2023-41105 HIGH 3.11.2-6
python3.11-minimal CVE-2023-6597 HIGH 3.11.2-6
python3.11-minimal CVE-2023-27043 MEDIUM 3.11.2-6
python3.11-minimal CVE-2023-40217 MEDIUM 3.11.2-6
python3.11-minimal CVE-2024-0450 MEDIUM 3.11.2-6
zlib1g CVE-2023-45853 CRITICAL 1:1.2.13.dfsg-1

No Misconfigurations found

Target Python

Show detailed table of vulnerabilities
Package ID Severity Installed Version Fixed Version
pip CVE-2023-5752 MEDIUM 23.2.1 23.3

No Misconfigurations found

github-actions[bot] commented 7 months ago

🦙 MegaLinter status: ✅ SUCCESS

Descriptor Linter Files Fixed Errors Elapsed time
✅ ACTION actionlint 5 0 0.05s
✅ BASH bash-exec 2 0 0.04s
✅ BASH shellcheck 2 0 0.03s
✅ BASH shfmt 2 0 0.0s
✅ DOCKERFILE hadolint 2 0 0.21s
✅ JSON eslint-plugin-jsonc 17 0 2.68s
✅ JSON jsonlint 17 0 0.43s
✅ JSON npm-package-json-lint yes no 0.71s
✅ JSON prettier 17 0 2.15s
✅ MARKDOWN markdownlint 3 0 0.72s
✅ PYTHON bandit 31 0 1.95s
✅ PYTHON black 31 0 2.61s
✅ PYTHON flake8 31 0 1.24s
✅ PYTHON isort 31 0 0.42s
✅ PYTHON mypy 31 0 12.14s
✅ PYTHON pyright 31 0 11.55s
✅ PYTHON ruff 31 0 0.04s
✅ REPOSITORY checkov yes no 15.16s
✅ REPOSITORY gitleaks yes no 0.13s
✅ REPOSITORY git_diff yes no 0.02s
✅ REPOSITORY grype yes no 13.91s
✅ REPOSITORY kics yes no 37.28s
✅ REPOSITORY secretlint yes no 1.2s
✅ REPOSITORY syft yes no 0.61s
✅ REPOSITORY trivy yes no 9.22s
✅ REPOSITORY trivy-sbom yes no 6.69s
✅ REPOSITORY trufflehog yes no 12.65s
✅ YAML prettier 15 0 1.15s
✅ YAML yamllint 15 0 0.62s

See detailed report in MegaLinter reports

You could have same capabilities but better runtime performances if you request a new MegaLinter flavor.

_MegaLinter is graciously provided by OX Security_

dependabot[bot] commented 7 months ago

Looks like dnspython is up-to-date now, so this is no longer needed.