From dc619947ab789b59f00db68ea46b385aee918cea Mon Sep 17 00:00:00 2001 From: stacksharebot Date: Thu, 29 Feb 2024 20:37:46 +0000 Subject: [PATCH 1/2] Update techstack.yml
---
techstack.yml | 46 +++++++++++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 13 deletions(-)
diff --git a/techstack.yml b/techstack.yml
index f7d413b..c6e2f2c 100644
--- a/techstack.yml
+++ b/techstack.yml
@@ -2,7 +2,7 @@ repo_name: kclhi/phenoflow
 report_id: 647b5f87b1d7ebcdaa8ea8cadb6679b4
 version: 0.1
 repo_type: Public
-timestamp: '2024-02-11T18:36:21+00:00'
+timestamp: '2024-02-29T20:00:34+00:00'
 requested_by: martinchapman
 provider: github
 branch: git-backend
@@ -462,24 +462,44 @@ tools:
 last_updated_by: Martin Chapman
 last_updated_on: 2023-04-20 17:33:27.000000000 Z
 vulnerabilities:
+ - name: cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates
+ when called with a non-matching certificate and private key and an hmac_hash
+ override
+ cve_id: CVE-2024-26130
+ cve_url: https://github.com/advisories/GHSA-6vqw-3v5j-54x4
+ detected_date: Feb 22
+ severity: high
+ first_patched: 42.0.4
 - name: cryptography mishandles SSH certificates
 cve_id: CVE-2023-38325
 cve_url: https://github.com/advisories/GHSA-cf7p-gm2m-833m
 detected_date: Jul 15
 severity: high
 first_patched: 41.0.2
+ - name: Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
+ cve_id: CVE-2023-50782
+ cve_url: https://github.com/advisories/GHSA-3ww4-gg4f-jr7f
+ detected_date: Feb 6
+ severity: high
+ first_patched: 42.0.0
 - name: cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
 cve_id: CVE-2023-49083
 cve_url: https://github.com/advisories/GHSA-jfhm-5ghh-2f97
 detected_date: Nov 29
 severity: moderate
 first_patched: 41.0.6
- - name: Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
- cve_id: CVE-2023-50782
- cve_url: https://github.com/advisories/GHSA-3ww4-gg4f-jr7f
- detected_date: Feb 6
+ - name: Null pointer dereference in PKCS12 parsing
+ cve_id: CVE-2024-0727
+ cve_url: https://github.com/advisories/GHSA-9v9h-cgj8-h64p
+ detected_date: Feb 17
 severity: moderate
- first_patched: 42.0.0
+ first_patched: 42.0.2
+ - name: Vulnerable OpenSSL included in cryptography wheels
+ cve_id:
+ cve_url: https://github.com/advisories/GHSA-v8gr-m533-ghj9
+ detected_date: Sep 22
+ severity: low
+ first_patched: 41.0.4
 - name: Vulnerable OpenSSL included in cryptography wheels
 cve_id:
 cve_url: https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
@@ -492,12 +512,6 @@ tools:
 detected_date: Aug 2
 severity: low
 first_patched: 41.0.3
- - name: Vulnerable OpenSSL included in cryptography wheels
- cve_id:
- cve_url: https://github.com/advisories/GHSA-v8gr-m533-ghj9
- detected_date: Sep 22
- severity: low
- first_patched: 41.0.4
 - name: docutils
 description: Docutils -- Python Documentation Utilities
 package_url: https://pypi.org/project/docutils
@@ -760,7 +774,13 @@ tools:
 last_updated_by: Martin Chapman
 last_updated_on: 2023-04-20 17:33:27.000000000 Z
 vulnerabilities:
- - name: Starlette Content-Type Header ReDoS
+ - name: python-multipart vulnerable to Content-Type Header ReDoS
+ cve_id: CVE-2024-24762
+ cve_url: https://github.com/advisories/GHSA-2jv5-9r88-3w3p
+ detected_date: Feb 17
+ severity: high
+ first_patched: 0.36.2
+ - name: 'Duplicate Advisory: Starlette Content-Type Header ReDoS'
 cve_id:
 cve_url: https://github.com/advisories/GHSA-93gm-qmq6-w238
 detected_date: Feb 6
From f18ac2312747fa8b2778b7045ce8cf3b99769d24 Mon Sep 17 00:00:00 2001 From: stacksharebot Date: Thu, 29 Feb 2024 20:37:47 +0000 Subject: [PATCH 2/2] Update techstack.md
---
techstack.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/techstack.md b/techstack.md
index 80945f4..304264f 100644
--- a/techstack.md
+++ b/techstack.md
@@ -60,7 +60,7 @@ Full tech stack [here](/techstack.md) # Tech Stack File ![](https://img.stackshare.io/repo.svg "repo") [kclhi/phenoflow](https://github.com/kclhi/phenoflow)![](https://img.stackshare.io/public_badge.svg "public")

-|89
Tools used|02/11/24
Report generated|
+|89
Tools used|02/29/24
Report generated|
 |------|------|
@@ -314,7 +314,7 @@ Full tech stack [here](/techstack.md)
 |[cffi](https://pypi.org/project/cffi)|v1.15.1|04/20/23|Martin Chapman |MIT|N/A|
 |[chardet](https://pypi.org/project/chardet)|v5.1.0|04/20/23|Martin Chapman |LGPL-2.1|N/A|
 |[click](https://pypi.org/project/click)|v8.1.3|04/20/23|Martin Chapman |BSD-3-Clause|N/A|
-|[cryptography](https://pypi.org/project/cryptography)|v40.0.2|04/20/23|Martin Chapman |BSD-3-Clause,Apache-2.0|[CVE-2023-38325](https://github.com/advisories/GHSA-cf7p-gm2m-833m) (High)
[CVE-2023-49083](https://github.com/advisories/GHSA-jfhm-5ghh-2f97) (Moderate)
[CVE-2023-50782](https://github.com/advisories/GHSA-3ww4-gg4f-jr7f) (Moderate)
[](https://github.com/advisories/GHSA-5cpq-8wj7-hf2v) (Low)
[](https://github.com/advisories/GHSA-jm77-qphf-c4w8) (Low)
[](https://github.com/advisories/GHSA-v8gr-m533-ghj9) (Low)|
+|[cryptography](https://pypi.org/project/cryptography)|v40.0.2|04/20/23|Martin Chapman |BSD-3-Clause,Apache-2.0|[CVE-2024-26130](https://github.com/advisories/GHSA-6vqw-3v5j-54x4) (High)
[CVE-2023-38325](https://github.com/advisories/GHSA-cf7p-gm2m-833m) (High)
[CVE-2023-50782](https://github.com/advisories/GHSA-3ww4-gg4f-jr7f) (High)
[CVE-2023-49083](https://github.com/advisories/GHSA-jfhm-5ghh-2f97) (Moderate)
[CVE-2024-0727](https://github.com/advisories/GHSA-9v9h-cgj8-h64p) (Moderate)
[](https://github.com/advisories/GHSA-v8gr-m533-ghj9) (Low)
[](https://github.com/advisories/GHSA-5cpq-8wj7-hf2v) (Low)
[](https://github.com/advisories/GHSA-jm77-qphf-c4w8) (Low)|
 |[docutils](https://pypi.org/project/docutils)|v0.19|04/20/23|Martin Chapman |Unlicense,Python-2.0,BSD-2-Clause,CNRI-Python-GPL-Compatible|N/A|
 |[gitdb](https://pypi.org/project/gitdb)|v4.0.10|04/20/23|Martin Chapman |BSD-3-Clause|N/A|
 |[h11](https://pypi.org/project/h11)|v0.14.0|04/20/23|Martin Chapman |MIT|N/A|
@@ -332,7 +332,7 @@ Full tech stack [here](/techstack.md)
 |[requests-toolbelt](https://pypi.org/project/requests-toolbelt)|v0.10.1|04/20/23|Martin Chapman |Apache-2.0|N/A|
 |[ruamel.yaml](https://pypi.org/project/ruamel.yaml)|v0.16.5|04/20/23|Martin Chapman |MIT|N/A|
 |[six](https://pypi.org/project/six)|v1.16.0|04/20/23|Martin Chapman |MIT|N/A|
-|[starlette](https://pypi.org/project/starlette)|v0.26.1|04/20/23|Martin Chapman |BSD-3-Clause|[](https://github.com/advisories/GHSA-93gm-qmq6-w238) (High)
[](https://github.com/advisories/GHSA-qj8w-rv5x-2v9h) (High)
[CVE-2023-29159](https://github.com/advisories/GHSA-v5gw-mw7f-84px) (Low)|
+|[starlette](https://pypi.org/project/starlette)|v0.26.1|04/20/23|Martin Chapman |BSD-3-Clause|[CVE-2024-24762](https://github.com/advisories/GHSA-2jv5-9r88-3w3p) (High)
[](https://github.com/advisories/GHSA-93gm-qmq6-w238) (High)
[](https://github.com/advisories/GHSA-qj8w-rv5x-2v9h) (High)
[CVE-2023-29159](https://github.com/advisories/GHSA-v5gw-mw7f-84px) (Low)|
 |[tqdm](https://pypi.org/project/tqdm)|v4.65.0|04/20/23|Martin Chapman |MPL-2.0,MIT|N/A|
 |[twine](https://pypi.org/project/twine)|v4.0.2|04/20/23|Martin Chapman |Apache-2.0|N/A|
 |[urllib3](https://pypi.org/project/urllib3)|v1.26.15|04/20/23|Martin Chapman |MIT|[CVE-2023-45803](https://github.com/advisories/GHSA-g4mx-q9vg-27p4) (Moderate)
[CVE-2023-43804](https://github.com/advisories/GHSA-v845-jxx5-vc9f) (Moderate)|