Skip to content

Remove upper bound on urllib in the local_requirements.txt for CVE-2023-43804 #4168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jmahlik opened this issue Oct 5, 2023 · 2 comments · Fixed by #4219
Closed

Remove upper bound on urllib in the local_requirements.txt for CVE-2023-43804 #4168

jmahlik opened this issue Oct 5, 2023 · 2 comments · Fixed by #4219
Labels
type: bug

Comments

@jmahlik
Copy link
Contributor

jmahlik commented Oct 5, 2023

Describe the bug
It's not possible to install higher versions of urllib3 to upgrade past the vulnerable version. Recommend removing the upper bound entirely since urllib3 2.0+ is out.

Unless removing entirely causes test failures. Then it could be upper bounded to <2.0.0. I'd be willing to work on updating dependencies to support urllib3 2.0+ if needed.

https://www.cve.org/CVERecord?id=CVE-2023-43804

sagemaker-python-sdk/requirements/extras/local_requirements.txt

Line 1 in f631e41

urllib3>=1.26.8,<1.26.15

To reproduce

python -m pip install urllib3>=1.26.17 sagemaker[local]==2.188.0
...

ERROR: Cannot install sagemaker-templates==19.1.1 and sagemaker[local]==2.188.0 because these package versions have conflicting dependencies.

The conflict is caused by:
    sagemaker-templates 19.1.1 depends on urllib3>=1.26.17
    sagemaker[local] 2.188.0 depends on urllib3<1.26.15 and >=1.26.8; extra == "local"

Expected behavior
Installable.

Screenshots or logs

System information
A description of your system. Please provide:

  • SageMaker Python SDK version: main
  • Framework name (eg. PyTorch) or algorithm (eg. KMeans): n/a
  • Framework version: n/a
  • Python version: 3.11
  • CPU or GPU: cpu
  • Custom Docker image (Y/N): N

Additional context
Add any other context about the problem here.
@jmahlik
Copy link
Contributor Author

jmahlik commented Oct 18, 2023

There is now also https://www.cve.org/CVERecord?id=CVE-2023-45803. Submitting PR.

@jmahlik
Copy link
Contributor Author

jmahlik commented Oct 18, 2023

Docker python 6.1 now supports urllib 2+ so safe to go with the upper bound of 3.

jmahlik added a commit to StateFarmIns/sagemaker-python-sdk that referenced this issue Oct 19, 2023
@jmahlik
fix: relax upper bound on urllib in local mode requirements for CVE-2…
bfc4d39 
…023-43804 and CVE-2023-45803

Docker python 6.1 now supports urllib 2+

https://github.com/docker/docker-py/releases/tag/6.1.0

Closes aws#4168
jmahlik added a commit to StateFarmIns/sagemaker-python-sdk that referenced this issue Oct 19, 2023
@jmahlik
fix: relax upper bound on urllib in local mode requirements
c4da90e 
Allows users to upgrade addressing CVE-2023-43804 and CVE-2023-45803

Docker python 6.1 now supports urllib 2+ https://github.com/docker/docker-py/releases/tag/6.1.0

closes aws#4168
@jmahlik jmahlik mentioned this issue Oct 19, 2023
Merged
8 tasks
jmahlik added a commit to StateFarmIns/sagemaker-python-sdk that referenced this issue Oct 23, 2023
@jmahlik
fix: relax upper bound on urllib in local mode requirements
a967af9 
Allows users to upgrade addressing CVE-2023-43804 and CVE-2023-45803

Docker python 6.1 now supports urllib 2+ https://github.com/docker/docker-py/releases/tag/6.1.0

closes aws#4168
@jmahlik jmahlik mentioned this issue Jan 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: relax upper bound on urllib in local mode requirements StateFarmIns/sagemaker-python-sdk
1 participant
@jmahlik