thegraphnetwork / epigraphhub_py

Epigraphhub Python package
GNU General Public License v3.0

Numpy security report #70

Closed xmnlab closed 1 year ago

xmnlab commented 2 years ago

🐛 Security report

poetry run safety check --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 208 packages, using free DB (updated once a month)                   |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| numpy                      | 1.22.1    | >0                       | 44715    |
+==============================================================================+
| All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
| Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
| function due to missing return-value validation, which allows attackers to   |
| conduct DoS attacks by repetitively creating sort arrays.                    |
| https://github.com/numpy/numpy/issues/19038                                  |
fccoelho commented 2 years ago

Wow! I hope they release a patch soon.

fccoelho commented 2 years ago

Numpy is already at version 1.22.3 which is already safe. We should pin it to >1.22.2
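
A way to check the proposed pin against the report row above, as an added example that is not part of this thread, of epigraphhub_py, or of the safety tool. It assumes only plain numeric versions (a simplified subset of PEP 440) and uses the row's values as constructed sample input:

```python
"""Check a proposed dependency pin against a Safety report row.

Added example for this issue thread; it is not part of epigraphhub_py and not
the safety tool's own code. Version handling is a simplified subset of PEP 440
(plain dotted numeric releases only) so it runs with the standard library alone.
"""
import operator
import re
from typing import Dict, List, Tuple

_OPS = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}
# One clause of a specifier, e.g. ">1.22.2" or ">0".
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.22.1' -> (1, 22, 1). Pre-releases and local versions are rejected."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _aligned(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Zero-pad the shorter tuple so '1.22' compares equal to '1.22.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(version: str, specifier: str) -> bool:
    """True when `version` matches every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        match = _CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = match.groups()
        lhs, rhs = _aligned(v, parse_version(bound))
        if not _OPS[op](lhs, rhs):
            return False
    return True


def evaluate_pin(report_row: Dict[str, str], proposed_pin: str,
                 candidates: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each candidate version: is it allowed by the pin, and does the
    report's 'affected' specifier still match it (i.e. would safety keep
    flagging it after the upgrade)?"""
    return {
        cand: {
            "allowed_by_pin": satisfies(cand, proposed_pin),
            "still_flagged": satisfies(cand, report_row["affected"]),
        }
        for cand in candidates
    }


# Constructed from the report row in this issue (package, installed, affected, ID).
NUMPY_ROW = {"package": "numpy", "installed": "1.22.1", "affected": ">0", "id": "44715"}
PROPOSED_PIN = ">1.22.2"


def main() -> None:
    results = evaluate_pin(NUMPY_ROW, PROPOSED_PIN, ["1.22.1", "1.22.2", "1.22.3"])
    for version, verdict in results.items():
        print(f"numpy {version}: allowed by pin={verdict['allowed_by_pin']}, "
              f"still matched by advisory {NUMPY_ROW['id']}={verdict['still_flagged']}")


if __name__ == "__main__":
    main()
```

Because the report's affected column reads `>0`, every numpy release satisfies it: the pin enforces the decision taken here, but the same advisory row will still match after the upgrade, so the CI check does not go green on its own. Confirm the fixed release against the linked upstream issue, then suppress that specific ID with safety's `--ignore` option rather than loosening the pin.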

xmnlab commented 2 years ago

it seems it is not working well yet with our dependencies: https://github.com/thegraphnetwork/epigraphhub_py/runs/5635640444?check_suite_focus=true

related problem: https://stackoverflow.com/questions/70839312/module-numpy-distutils-config-has-no-attribute-blas-opt-info

github-actions[bot] commented 1 year ago

Stale issue message