From 6697c0f23f17ecb3a9b885aa39d290bbe14f0e57 Mon Sep 17 00:00:00 2001
From: Scott Hussey
Date: Fri, 21 Sep 2018 11:59:12 -0500
Subject: [PATCH] Revert pyghmi to insecure version

- Pyghmi 1.0.44 uses pycrypto 2.6.1 which has an open CVE against it.
- Updating Pyghmi to 1.1.0+ to absorb the change to cryptography breaks functionality in all testing against baremetal IPMI interfaces.
- This reversion has minimal risk because the only usage of pycrypto in Drydock is via the Pyghmi library to initiate connections to server IPMI interfaces. Arbitrary user input is not used for any pycrypto arguments.
- This is a temporary solution, longterm Drydock will move away from Pyghmi - either to a different IPMI library or to no IPMI support and instead using Redfish.

Change-Id: Ie5cd021528f61a3a2c04b156bf60b94b8f42dd5c
---
 python/requirements-direct.txt | 2 +-
 python/requirements-lock.txt | 11 ++++-------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/python/requirements-direct.txt b/python/requirements-direct.txt
index 106a6372..52b97ddc 100644
--- a/python/requirements-direct.txt
+++ b/python/requirements-direct.txt
@@ -1,5 +1,5 @@
 PyYAML==3.12
-pyghmi==1.1.0
+pyghmi==1.0.44
 netaddr
 falcon
 oslo.versionedobjects==1.23.0
diff --git a/python/requirements-lock.txt b/python/requirements-lock.txt
index eeaf645b..d75a6270 100644
--- a/python/requirements-lock.txt
+++ b/python/requirements-lock.txt
@@ -1,15 +1,12 @@
 alembic==0.8.2
 amqp==2.3.2
-asn1crypto==0.24.0
 Babel==2.6.0
 Beaker==1.9.1
 cachetools==2.1.0
 certifi==2018.8.24
-cffi==1.11.5
 chardet==3.0.4
 click==6.7
 contextlib2==0.5.5
-cryptography==2.3.1
 debtcollector==1.20.0
 defusedxml==0.5.0
 dnspython==1.15.0
@@ -54,10 +51,10 @@ prettytable==0.7.2
 psycopg2==2.7.3.1
 PTable==0.9.2
 pycadf==2.8.0
-pycparser==2.18
-pyghmi==1.1.0
+pycrypto==2.6.1
+pyghmi==1.0.44
 pymongo==3.6.1
-pyparsing==2.2.0
+pyparsing==2.2.1
 python-dateutil==2.7.3
 python-editor==1.0.3
 python-keystoneclient==3.17.0
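Review bot: The new `pyghmi==1.0.44` pin in requirements-direct.txt knowingly reintroduces pycrypto 2.6.1 (the description says it has an open CVE), yet the file itself records no rationale, expiry, or tracking reference for the exception, so the next person bumping dependencies has no signal that this line is a deliberate downgrade. The "arbitrary user input is not used for any pycrypto arguments" justification also considers only Drydock's users and not the other end of the IPMI session: pyghmi most likely passes data received from the BMC (RMCP+ session setup and encrypted payloads) through pycrypto, so a hostile or compromised BMC on the management network is the untrusted input to weigh, which I cannot confirm from this patch alone. I would annotate the pin where it is enforced, e.g. `pyghmi==1.0.44  # TODO(security): pulls in unmaintained pycrypto 2.6.1 (open CVE); 1.1.0+ breaks baremetal IPMI. Remove when IPMI moves to Redfish.`, and put the same note next to `pycrypto==2.6.1` in requirements-lock.txt. Since pycrypto has no maintained release to upgrade to, the downgrade should also be registered explicitly in whatever dependency-scanning allowlist the project uses rather than accepted silently.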
@@ -68,7 +65,7 @@ repoze.lru==0.7
 requests==2.19.1
 rfc3986==1.1.0
 Routes==2.4.1
-setuptools==40.3.0
+setuptools==40.4.1
 six==1.11.0
 SQLAlchemy==1.2.8
 statsd==3.3.0