tanlin2013 / mbl

Many-body localization
https://tanlin2013.github.io/mbl/
MIT License

chore(deps): update dependency pymysql to v1.1.1 [security] - autoclosed #29

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| pymysql | `==1.0.2` -> `==1.1.1` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-36039

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.


Release Notes

PyMySQL/PyMySQL (pymysql)

### [`v1.1.1`](https://togithub.com/PyMySQL/PyMySQL/blob/HEAD/CHANGELOG.md#v111)

[Compare Source](https://togithub.com/PyMySQL/PyMySQL/compare/v1.1.0...v1.1.1)

Release date: 2024-05-21

> [!WARNING]
> This release fixes a vulnerability (CVE-2024-36039).
> All users are recommended to update to this version.
>
> If you can not update soon, check the input value from
> untrusted source has an expected type. Only dict input
> from untrusted source can be an attack vector.

- Prohibit dict parameter for `Cursor.execute()`. It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
- Added ssl_key_password param. [#1145](https://togithub.com/PyMySQL/PyMySQL/issues/1145)

### [`v1.1.0`](https://togithub.com/PyMySQL/PyMySQL/blob/HEAD/CHANGELOG.md#v110)

[Compare Source](https://togithub.com/PyMySQL/PyMySQL/compare/v1.0.3...v1.1.0)

Release date: 2023-06-26

- Fixed SSCursor raising OperationalError for query timeouts on wrong statement ([#1032](https://togithub.com/PyMySQL/PyMySQL/issues/1032))
- Exposed `Cursor.warning_count` to check for warnings without additional query ([#1056](https://togithub.com/PyMySQL/PyMySQL/issues/1056))
- Make Cursor iterator ([#995](https://togithub.com/PyMySQL/PyMySQL/issues/995))
- Support '\_' in key name in my.cnf ([#1114](https://togithub.com/PyMySQL/PyMySQL/issues/1114))
- `Cursor.fetchall()` returns empty list instead of tuple ([#1115](https://togithub.com/PyMySQL/PyMySQL/issues/1115)). Note that `Cursor.fetchmany()` still returns an empty tuple after reading all rows for compatibility with Django.
- Deprecate Error classes in Cursor class ([#1117](https://togithub.com/PyMySQL/PyMySQL/issues/1117))
- Add `Connection.set_character_set(charset, collation=None)`. This method is compatible with mysqlclient. ([#1119](https://togithub.com/PyMySQL/PyMySQL/issues/1119))
- Deprecate `Connection.set_charset(charset)` ([#1119](https://togithub.com/PyMySQL/PyMySQL/issues/1119))
- New connection always sends "SET NAMES charset \[COLLATE collation]" query. ([#1119](https://togithub.com/PyMySQL/PyMySQL/issues/1119)) Since the collation table varies across MySQL server versions, collation in handshake is fragile.
- Support `charset="utf8mb3"` option ([#1127](https://togithub.com/PyMySQL/PyMySQL/issues/1127))

### [`v1.0.3`](https://togithub.com/PyMySQL/PyMySQL/blob/HEAD/CHANGELOG.md#v103)

[Compare Source](https://togithub.com/PyMySQL/PyMySQL/compare/v1.0.2...v1.0.3)

Release date: 2023-03-28

- Dropped support of end of life MySQL version 5.6
- Dropped support of end of life MariaDB versions below 10.3
- Dropped support of end of life Python version 3.6
- Removed `_last_executed` because of duplication with `_executed` by [@rajat315315](https://togithub.com/rajat315315) in [https://github.com/PyMySQL/PyMySQL/pull/948](https://togithub.com/PyMySQL/PyMySQL/pull/948)
- Fix generating authentication response with long strings by [@netch80](https://togithub.com/netch80) in [https://github.com/PyMySQL/PyMySQL/pull/988](https://togithub.com/PyMySQL/PyMySQL/pull/988)
- update pymysql.constants.CR by [@Nothing4You](https://togithub.com/Nothing4You) in [https://github.com/PyMySQL/PyMySQL/pull/1029](https://togithub.com/PyMySQL/PyMySQL/pull/1029)
- Document that the ssl connection parameter can be an SSLContext by [@cakemanny](https://togithub.com/cakemanny) in [https://github.com/PyMySQL/PyMySQL/pull/1045](https://togithub.com/PyMySQL/PyMySQL/pull/1045)
- Raise ProgrammingError on -np.inf in addition to np.inf by [@cdcadman](https://togithub.com/cdcadman) in [https://github.com/PyMySQL/PyMySQL/pull/1067](https://togithub.com/PyMySQL/PyMySQL/pull/1067)
- Use Python 3.11 release instead of -dev in tests by [@Nothing4You](https://togithub.com/Nothing4You) in [https://github.com/PyMySQL/PyMySQL/pull/1076](https://togithub.com/PyMySQL/PyMySQL/pull/1076)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
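The changelog quoted in this PR gives an interim mitigation for CVE-2024-36039 for anyone who cannot upgrade immediately: check that parameters coming from an untrusted source have the expected type, since only dict input is an attack vector. The following is an added example of such a guard placed in front of `Cursor.execute()`, plus a version check against the fixed release named in the changelog. It is not code from PyMySQL or from this repository; the function names, the accepted scalar types and the constructed JSON payloads are assumptions made for the example.

```python
import json
from collections.abc import Sequence
from typing import Any

# Release in which the changelog above says dict parameters were prohibited
# (CVE-2024-36039). Any older PyMySQL is treated as affected.
FIXED_VERSION = (1, 1, 1)

# Scalar types this guard allows as positional query parameters. Anything else
# (dict, nested list, arbitrary objects) is rejected before reaching the driver.
# This allow-list is an assumption of the example, not a PyMySQL rule.
ALLOWED_SCALARS = (int, float, str, bytes, type(None))


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '1.0.2' into (1, 0, 2)."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_pymysql_vulnerable(version: str) -> bool:
    """True for any PyMySQL release older than the 1.1.1 fix."""
    return parse_version(version) < FIXED_VERSION


def validate_query_params(params: Any) -> tuple:
    """Coerce untrusted query parameters to a flat tuple of scalar values.

    A dict (mapping) is rejected outright, matching the changelog's advice;
    strings, bytes and non-sequence values are rejected too, and every element
    of a list/tuple must be a plain scalar.
    """
    if params is None:
        return ()
    if isinstance(params, dict):
        raise TypeError("dict parameters are not accepted from untrusted input")
    if isinstance(params, (str, bytes)) or not isinstance(params, Sequence):
        raise TypeError("parameters must be a list or tuple of scalar values")
    for value in params:
        if not isinstance(value, ALLOWED_SCALARS):
            raise TypeError(f"unsupported parameter type: {type(value).__name__}")
    return tuple(params)


def params_from_untrusted_json(raw_json: str) -> tuple:
    """Decode a JSON request body and validate it as query parameters.

    The returned tuple is what you would pass as the second argument of
    cursor.execute(sql, params) with positional %s placeholders.
    """
    return validate_query_params(json.loads(raw_json))


def is_safe_param_payload(raw_json: str) -> bool:
    """Predicate form of the guard: does this JSON payload pass validation?"""
    try:
        params_from_untrusted_json(raw_json)
    except (TypeError, ValueError):  # ValueError covers JSONDecodeError
        return False
    return True


if __name__ == "__main__":
    # Constructed sample payloads for demonstration, not captured traffic.
    for payload in ['[42, "alice"]', '{"id": 42}', '[[1, 2]]', 'null', 'not json']:
        verdict = "accepted" if is_safe_param_payload(payload) else "rejected"
        print(f"{payload!r} -> {verdict}")
    for version in ("1.0.2", "1.1.0", "1.1.1"):
        print(f"pymysql {version}: {'affected' if is_pymysql_vulnerable(version) else 'fixed'}")
```

The guard sits at the trust boundary (wherever the JSON body is decoded), so the driver only ever sees a tuple of scalars; that is independent of the PyMySQL version, which is why the changelog recommends it as the stop-gap while the upgrade to 1.1.1 in this PR is pending. The version check is a convenience for an inventory script and is no substitute for actually merging the bump.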