fastapi-mvc
fastapi-mvc copied to clipboard
[CVE-2021-33503] Address an security vulnerability in urllib3 prior `1.26.5`
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
Both fastapi-mvc
package and generated project from it are unaffected since they are already using the patched version:
- https://github.com/rszamszur/fastapi-mvc/blob/a948e615cb109c239fc17f228f1415079c15ef08/poetry.lock#L776-L778
- https://github.com/rszamszur/fastapi-mvc-example/blob/81380369827ad4eb2c694ea991209bee8636a7a4/poetry.lock#L914-L916
Affected:
- Poetry installed via
make install
target. By default, it installs1.1.13
which has a vulnerable version ofurllib3
: https://github.com/python-poetry/poetry/blob/68649946fe09d52ed1a5844bda6690ba6327c408/poetry.lock#L1028-L1030 - Nix expression for nix-shell will fail to evaluate
$ nix-shell shell.nix
error: Package ‘python3.9-poetry-1.1.12’ in /nix/store/1c8ib0v2mnm88bdm6rr0imyzg9449108-nixos-21.11.337905.902d91def1e/nixos/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/default.nix:18 is marked as insecure, refusing to evaluate.
Known issues:
- CVE-2021-33503
You can install it anyway by allowing this package, using the
following methods:
a) To temporarily allow all insecure packages, you can use an environment
variable for a single invocation of the nix tools:
$ export NIXPKGS_ALLOW_INSECURE=1
Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
(Flake) command, `--impure` must be passed in order to read this
environment variable.
b) for `nixos-rebuild` you can add ‘python3.9-poetry-1.1.12’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"python3.9-poetry-1.1.12"
];
}
c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘python3.9-poetry-1.1.12’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"python3.9-poetry-1.1.12"
];
}
This either will be fixed with #21 (when officially released) or they may add a patch for 1.1.x minor.