Something strange happened with pre-release versions with wmagent #11188
Comments
Found similar package, that depends on
Also problematic packages:
@rakovskij-stanislav Hi Rakovskij, thank you very much for reporting this issue. I think those versions were the first ones to be uploaded to PyPI when we were commissioning this build/upload process. @goughes could you please check how we can remove a given package version from PyPI (I think we can mark them as DELETED). Once you know what changes are required, I'd suggest marking anything that is below the 2.0.x version as deleted/deprecated, whatever is needed to tell PyPI not to download that version.
@amaltaro, please check your email on cern.ch)
@rakovskij-stanislav Hi Stanislav, sorry for the delayed response, we were discussing how to address this issue.
The old (test) PyPI releases have been deleted yesterday and an up-to-date wmagent release has been built and uploaded to PyPI (version 2.0.4). Thanks!
@amaltaro, Rakovsky Stanislav (Positive Technologies)
Impact of the bug
Malicious code execution
Describe the bug
There are release candidates of wmagent (https://pypi.org/project/wmagent/1.3.3rc2/#history).
In 1.3.3rc2 and 1.3.3rc1 there is a requirements.txt file with this content:
These dependencies will be installed by setup.py:
dbs-client does not exist in PyPI yet:
The problem: the intruder can create a malicious dbs-client package on PyPI and it will be installed by our package users.
Solution: need to delete these potentially unsafe packages from PyPI.
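A defender-side check for the condition this report describes, added here as an example and not code from the issue or from the wmagent project: it parses a requirements file and flags every dependency name that no project on the index owns. The sample requirements file and the index listing are constructed; names are normalised per PEP 503 so that dbs_client and dbs-client compare as the same project.

```python
"""Audit a requirements.txt for dependency names that are not registered on the index."""
import re
from typing import Iterable

# Requirement line: project name, optional extras, optional version specifier.
# Environment markers (after ';') are stripped before matching.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~].*)?$")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalised project names, skipping comments, blank lines and pip options."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-"):         # skip -r, -e, --index-url, ...
            continue
        match = _REQ_RE.match(line.split(";", 1)[0])  # ignore environment markers
        if match:
            names.append(normalize(match.group(1)))
    return names


def unclaimed(requirements: str, registered: Iterable[str]) -> list[str]:
    """Names the file would install that no project on the index currently owns."""
    index = {normalize(n) for n in registered}
    return sorted(set(parse_requirements(requirements)) - index)


# Constructed sample of the shape the report describes: one dependency that exists
# only as an internal project and has never been published to the index.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies
requests==2.25.1
DBS_Client        # internal project, not on the index
psutil>=5.8 ; python_version >= "3.6"
-e git+https://example.invalid/local-tool.git#egg=local-tool
"""

# Constructed stand-in for the index's project list (for a real audit, query the index).
SAMPLE_INDEX = {"requests", "psutil", "setuptools"}

if __name__ == "__main__":
    for name in unclaimed(SAMPLE_REQUIREMENTS, SAMPLE_INDEX):
        print(f"WARNING: {name!r} is required but no project on the index owns that name")
```

Any name this reports is one that would have to be registered by the project itself before the release is published, or removed from the requirements file.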