Nicolas Chaillan
We really need a fix on this. Lots of customers are freaking out when they see a High CVE finding... Any ETA?
> Before getting too alarmed, we may want to wait for a sober analysis of this vulnerability, bearing in mind that it has been known for several years, without any...
> ```diff > ```diff > (testing_data) > + taggedtest_reloaded = brill_tagger_reloaded.tag_sents(testing_data) > if taggedtest == taggedtest_reloaded: > print("Reloaded tagger tried on test set, results identical") > else: > ``` >...
> > Now that it has a public NIST CVE, people will exploit it. This isn't something you "wait" on. This is something you address right away... > > @nicolaschaillan,...
> I inspected a typical pickle in each series, looking at their type() and eventual __dict__. > > The _tagsets_ and _averaged_perceptron_tagger_ packages contain only simple data structures, and can...
> > The solution is simple. Whitelist which pickles can be loaded. Give control to the tenant to decide which ones are fine or not. Maybe by name or something....
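One way to implement the allowlisting suggested above, as an added example that is not code from NLTK or from anyone in this thread: a restricted unpickler that resolves only a fixed set of container globals, so a pickle holding plain tag/weight structures loads while one that references any other class is refused before it is resolved. The allowlist, the sample model and the disallowed sample are constructed assumptions for the example.

```python
import collections
import io
import pickle

# Allowlist (an assumption for this example) of the only globals a tagset or
# averaged-perceptron pickle should need: plain containers, nothing callable.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; refuse anything else before it is used."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_none(data: bytes):
    """Return the object if the pickle only uses allowlisted globals, else None."""
    try:
        return restricted_loads(data)
    except pickle.UnpicklingError:
        return None


# Constructed sample with the shape of data a tagger pickle carries.
SIMPLE_MODEL = {
    "classes": {"NN", "VB", "DT"},
    "weights": {("the", "DT"): 1.5, ("run", "VB"): 0.8},
    "tagdict": [("the", "DT")],
}
SIMPLE_MODEL_BYTES = pickle.dumps(SIMPLE_MODEL)
# Constructed sample of a pickle referencing a class outside the allowlist.
NOT_ALLOWED = pickle.dumps(collections.Counter("aab"))

if __name__ == "__main__":
    print(loads_or_none(SIMPLE_MODEL_BYTES) == SIMPLE_MODEL)  # True
    print(loads_or_none(NOT_ALLOWED))  # None
```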
https://github.com/advisories/GHSA-cgvx-9447-vcch
@corydolphin any update on this please? This is quite urgent or we will need to move to another lib, unfortunately.
It didn't; can we get this patched please? This is a real security risk.