
[CVE-2021-33503] Address a security vulnerability in urllib3 prior to `1.26.5`

Open rszamszur opened this issue 1 year ago • 0 comments

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503

Both the fastapi-mvc package and the project generated from it are unaffected, since they are already using the patched version:

  • https://github.com/rszamszur/fastapi-mvc/blob/a948e615cb109c239fc17f228f1415079c15ef08/poetry.lock#L776-L778
  • https://github.com/rszamszur/fastapi-mvc-example/blob/81380369827ad4eb2c694ea991209bee8636a7a4/poetry.lock#L914-L916

Affected:

  • Poetry installed via the make install target. By default, it installs 1.1.13, which has a vulnerable version of urllib3: https://github.com/python-poetry/poetry/blob/68649946fe09d52ed1a5844bda6690ba6327c408/poetry.lock#L1028-L1030
  • Nix expression for nix-shell will fail to evaluate
$ nix-shell shell.nix
error: Package ‘python3.9-poetry-1.1.12’ in /nix/store/1c8ib0v2mnm88bdm6rr0imyzg9449108-nixos-21.11.337905.902d91def1e/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:18 is marked as insecure, refusing to evaluate.

Known issues:
 - CVE-2021-33503

You can install it anyway by allowing this package, using the
following methods:

a) To temporarily allow all insecure packages, you can use an environment
   variable for a single invocation of the nix tools:

     $ export NIXPKGS_ALLOW_INSECURE=1
     
 Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
 (Flake) command, `--impure` must be passed in order to read this
 environment variable.
    
b) for `nixos-rebuild` you can add ‘python3.9-poetry-1.1.12’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }

c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
   ‘python3.9-poetry-1.1.12’ to `permittedInsecurePackages` in
   ~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python3.9-poetry-1.1.12"
       ];
     }

This will either be fixed with #21 (when officially released), or they may add a patch for the 1.1.x minor.

rszamszur · Jun 29 '22 20:06
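As an added illustration (not code from the issue or the fastapi-mvc project), the script below does the check the issue performs by hand on the linked lock files: it reads the `[[package]]` entries of a poetry.lock and flags a pinned urllib3 below the 1.26.5 fix level for CVE-2021-33503. The lock snippet is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed poetry.lock excerpt (not one of the lock files linked in the
# issue); urllib3 is deliberately pinned below the fixed release.
SAMPLE_LOCK = """\
[[package]]
name = "requests"
version = "2.25.1"
description = "Python HTTP for Humans."
category = "main"
optional = false

[[package]]
name = "urllib3"
version = "1.26.4"
description = "HTTP library with thread-safe connection pooling"
category = "main"
optional = false
"""

# Per CVE-2021-33503, urllib3 releases before 1.26.5 are affected.
FIXED_URLLIB3 = "1.26.5"


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.26.4' -> (1, 26, 4); tuple comparison gives numeric ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lock(text: str) -> Dict[str, str]:
    """Minimal poetry.lock reader: package name (lower-cased) -> pinned version."""
    pkgs: Dict[str, str] = {}
    name = version = None
    for line in text.splitlines():
        if line.strip() == "[[package]]":      # new entry: flush the previous one
            if name and version:
                pkgs[name.lower()] = version
            name = version = None
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]+)"\s*$', line)
        if m:
            name, version = (m.group(2), version) if m.group(1) == "name" else (name, m.group(2))
    if name and version:
        pkgs[name.lower()] = version
    return pkgs


def check_urllib3(lock_text: str) -> Tuple[Optional[str], bool]:
    """Return (pinned urllib3 version or None, True if it predates the fix)."""
    pinned = parse_lock(lock_text).get("urllib3")
    if pinned is None:
        return None, False
    return pinned, parse_version(pinned) < parse_version(FIXED_URLLIB3)
```

Point `check_urllib3` at the contents of a real lock file to get the same verdict the issue reaches for the fastapi-mvc and poetry lock files.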