Security fixes and python 2.7.16 bug-fix update #528
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Fix #525: Update to python 2.7.16 which fixes a bunch of potential crashes, also updating to match the Dockerfile. * Fix #511 update `urllib3` from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324 * Fix #527 update `Jinja2` from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906 * Fix #478 update `pyyaml` from 3.13 to 5.1, which deprecates `yaml.load()` but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to call `yaml.safe_load()` instead of `yaml.load()`, although I think we're calling `ruamel.yaml`. https://nvd.nist.gov/vuln/detail/CVE-2017-18342 * Fix #479 `requests` from 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074 * Update `ruamel.yaml` from 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated. * Update NumPy from 1.14.5 to 1.14.6 for a thread safety bug fix. (Releases 1.15 & 1.16 are substantial changes, and 1.17 will drop support for Python 2.7.) * Add the `typing` and `mypy` pips while we're updating pyenvs. We'll need these when we start adding static type checking.
... to test the new 2.7.16-based pyenv on Sherlock. When we merge in this PR, I'll delete and recreate the `wcEcoli2` pyenv. (Or we _could_ switch all our working dirs to `wcEcoli3` and keep `wcEcoli2` around just in case.) In any case we should update the pyenv on our local machines. [This is another thing that gets simpler with Docker.]
|
Looks good! So are we going to be using |
prismofeverything
approved these changes
Apr 29, 2019
|
My current preference is to rebuild Preferences for when the pyenv will be out of commission for 30-60 minutes? I'll update the paper release repo so GitHub will stop the scary warning there. |
|
I think it would be good to rebuild |
|
Sure, if it runs the same as before. The only issue would be is if we ever
want to run things in the old `wcEcoli2` environment. I don't know why we
would ever want to do that but computers have made me paranoid about
throwing anything away. Is it easy keep a copy around somewhere?
`wcEcoliLegacy1` or something.
…On Tue, Apr 30, 2019 at 9:09 AM Travis Horst ***@***.***> wrote:
I think it would be good to rebuild wcEcoli2 instead of updating
everywhere. I don't have any plans for using sherlock but probably the best
time to do it would be an evening after checking that no one has any jobs
submitted.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#528 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAACG5ZPEGS7XCXURJAYP6TPTBVLDANCNFSM4HI3NJDA>
.
|
|
Thanks for reminding me to check for running jobs. I'll do that tonight. There's no reliable way to rename or copy pyenv virtual environments but anyone can rebuild from a previous |
... now that the PR build ran.
The new pyenv wcEcoli2 is up on Sherlock.Please rebuild the pyenv on your local machines.See https://github.com/CovertLab/wcEcoli/blob/master/docs/create-pyenv.md |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
urllib3from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324Jinja2from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906pyyamlfrom 3.13 to 5.1, which deprecatesyaml.load()but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to callyaml.safe_load()instead ofyaml.load(), although I think we're callingruamel.yaml. https://nvd.nist.gov/vuln/detail/CVE-2017-18342requestssecurity vulnerability #479requestsfrom 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074ruamel.yamlfrom 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated.typingpip while we're updating pyenvs. We'll need it to start adding static type checking.