Closed YuweiChen1110 closed 1 year ago
@YuweiChen1110 I have requested the maintainer do a release via https://github.com/erocarrera/pefile/issues/364 and will monitor and update our version of pefile if they are willing to do a release. If not, I will see what else can be done.
Thanks for bringing this to my attention!
@YuweiChen1110 pefile has completed a release and dependabot will pick it up tomorrow morning. I will merge it and do a release when this happens.
Release 0.21.4 resolved this.
Correction, this will be resolved in release 0.21.6.
Thanks for such a quick response; we will try the newest version. Thanks
Contact Details
yuwei.chen@intel.com
Describe the Bug
Recently, when using the pytool for unit tests, one vulnerability was scanned by Intel IT with the warning:
"Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a crafted Set-Cookie HEADER from a malicious web server. "
It is raised by the future package used by the pefile package, which is used in pytools.
This issue has been fixed in the pefile package's 2022.6.26 commit. However, pytools still uses the pefile package's 2022.5.30 official release version.
Please help accelerate the new official version release which includes the newest pefile package.
What Python version are you using?
Python 3.9
Reproduction steps
Please help accelerate the new official version release which includes the newest pefile package.
Expected behavior
Please help accelerate the new official version release which includes the newest pefile package.
Execution Environment
No response
Pip packages
No response
Additional context
No response
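The report above traces a scanner finding through a transitive chain (pytools uses pefile, which uses future). As an added example that is not part of the original issue or of either project's code, this sketch walks declared requirements to list every chain from a top-level package to a flagged one; the `SAMPLE` metadata and all function names are constructed for illustration.

```python
import re
from importlib import metadata


def norm(name):
    # PEP 503-style normalisation so "Foo_Bar" and "foo-bar" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def req_name(requirement):
    # Project name at the start of a requirement string such as "future>=0.18".
    # Extras and environment markers are ignored, so the graph over-approximates.
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return norm(match.group(1)) if match else None


def build_graph(requirements_by_dist):
    """Map each distribution name to the set of names it declares as requirements."""
    return {norm(dist): {n for n in map(req_name, reqs or []) if n}
            for dist, reqs in requirements_by_dist.items()}


def installed_requirements():
    """Requirement strings for every distribution installed in this environment."""
    return {d.metadata.get("Name"): d.requires
            for d in metadata.distributions() if d.metadata.get("Name")}


def paths_to(graph, root, flagged, _seen=()):
    """Return every dependency chain leading from `root` to `flagged`."""
    root, flagged = norm(root), norm(flagged)
    if root == flagged:
        return [[root]]
    if root in _seen:  # dependency cycle: stop descending
        return []
    return [[root] + tail
            for dep in sorted(graph.get(root, ()))
            for tail in paths_to(graph, dep, flagged, _seen + (root,))]


# Constructed metadata mirroring the chain the issue describes; not real package data.
SAMPLE = {"pytools": ["pefile", "PyYAML>=5"], "pefile": ["future"],
          "future": None, "PyYAML": []}

if __name__ == "__main__":
    for chain in paths_to(build_graph(SAMPLE), "pytools", "future"):
        print(" -> ".join(chain))
    # To inspect the real environment instead of the sample:
    #   paths_to(build_graph(installed_requirements()), "pefile", "future")
```

An empty result for the flagged name after upgrading indicates that no installed distribution still declares it as a requirement.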