Pydantic: potential DOS risk with pydantic - fix pending

Created on 5 May 2020 · 3 Comments · Source: samuelcolvin/pydantic

I have been made aware of a potential DOS attack risk in pydantic.

The fix I believe is relatively trivial, I will release:

  • v1.5.2 based off the current v1.5.1 tag
  • v1.4.1 based off the current v1.4 tag

These releases will be made just after 1pm UTC on 2020/5/11, that's next Monday.

If you require a fix to any other version, please let me know on this issue.

Security bug

All 3 comments

To wait for potential upstream fixes to this issue, these releases have been delayed.

I'll comment here as soon as I know when a fix can be released for pydantic.

Is this issue still necessary?

The python security team are refusing to fix the upstream error (because it would be complex, and I think a little because they're embarrassed) but have asked packages not to mitigate the problem in libraries to avoid making it public.

The whole situation is extremely frustrating.
