Please upgrade urllib3 dependency to avoid a security vulnerability

Description

I installed awsebcli in a virtualenv and I have pinned my libraries into requirements.txt (via pip freeze > requirements.txt).

My requirements.txt contains these two libraries as a result:

awsebcli==3.20.1
urllib3==1.25.11

With this version of urllib3 installed, GitHub Dependabot gives a warning about a security vulnerability (https://github.com/advisories/GHSA-q2q7-5pp4-w6pg). The current dependency range for awsebcli is urllib3>=1.25.4,<1.26, which means that this dependency can’t be satisfied. (source)

In my case, this is not particularly serious because there is no workflow in which user input could be passed into urllib3, but that might not be the case for all users who use awsebcli. However, it is vexing that there is a Dependabot security vulnerability that I have to continue to ignore.

Can we update the setup.py for awsebcli to allow installing urllib3==1.26.5 or higher? That is the minimum version that no longer contains the vulnerability.

Steps to reproduce

I am using Python 3.9.5 on Windows, using Git Bash - but the same problem should be reproducible on other platforms as well.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Windows
  2. EBCLI version: 3.20.1
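A small check for the conflict described in the issue, added here as an example (not awsebcli's or urllib3's own code): it reads the pinned requirements.txt, tests the urllib3 pin against the fixed release, and tests whether the urllib3 range declared by awsebcli can admit that release at all. The version parser is deliberately minimal (plain dotted releases only, an assumption) and the versions and range are the ones stated in the issue.

```python
import operator
import re

# Constructed requirements.txt mirroring the issue's pip freeze output.
REQUIREMENTS_TXT = "awsebcli==3.20.1\nurllib3==1.25.11\n"
# urllib3 range declared by awsebcli 3.20.1, as stated in the issue.
AWSEBCLI_URLLIB3_RANGE = ">=1.25.4,<1.26"
# First urllib3 release without GHSA-q2q7-5pp4-w6pg, as stated in the issue.
URLLIB3_FIXED = "1.26.5"
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def parse_version(text):
    """'1.26.5' -> (1, 26, 5). Plain dotted releases only (assumption)."""
    return tuple(int(p) for p in text.strip().split("."))

def _padded(a, b):
    """Right-pad the shorter tuple with zeros so 1.26 compares equal to 1.26.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, spec_set):
    """True if `version` meets every comma-separated clause of `spec_set`."""
    v = parse_version(version)
    for clause in spec_set.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        left, right = _padded(v, parse_version(m.group(2)))
        if not _OPS[m.group(1)](left, right):
            return False
    return True

def pinned_versions(requirements_text):
    """Map lowercase package name -> version for 'name==version' lines."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins

def assess(requirements_text, package, declared_range, fixed_version):
    """Is the pin below the fixed release, and does the range admit that release?"""
    pinned = pinned_versions(requirements_text).get(package.lower())
    vulnerable = pinned is not None and not satisfies(pinned, ">=" + fixed_version)
    return {"pinned": pinned, "pin_vulnerable": vulnerable,
            "range_admits_fix": satisfies(fixed_version, declared_range)}
```

With the issue's values the report shows the pin as vulnerable and the declared range as unable to admit 1.26.5, which is why Dependabot's warning cannot be cleared until the range in setup.py is widened.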

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 5

Top GitHub Comments

1 reaction
plygrnd commented, Aug 31, 2021

@eytanhanig I’m with AWS Security - thanks for letting us know about this. I’ll reply to your email.

To your comment above:

AWS’ Vulnerability Policy states that “you will receive progress updates from AWS at least every five US working days”. The failure of AWS to respond to this ticket is potentially a violation of their SLA.

We don’t use GitHub to manage security issue reports. If you discover or become aware of a potential security issue within any of AWS’s open source offerings, please email aws-security@amazon.com.

0 reactions
dennisjlee commented, Sep 8, 2021
