CVE-2018-7753

Advisory

Pywbem 0.14.3 updates its dependency 'bleach' to v2.1.4 to include a security fix.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

------------

This version is currently in development and is shown as |version|.

This version contains all fixes up to pywbem 0.14.2.

Released: not yet

**Incompatible changes:**

* Removed Python 2.6 support.

The Python Software Foundation stopped supporting Python 2.6 with the
2.6.9 release in October 2013. Since then, many Python package projects have
continued releasing versions for Python 2.6, including pywbem. In 2017 and
2018, a number of Python package projects have actively removed support for
Python 2.6 and it has become an increasingly difficult task for pywbem to
keep supporting Python 2.6. For this reason, Python 2.6 support has been
removed from pywbem in its 1.0.0 version.

This allowed eliminating a lot of Python version dependent code,
eliminating the dependency to the unittest2 package, and lifting a number
of restrictions in test code.

**Deprecations:**

**Bug fixes:**

* Dev/Test: Pinned lxml to <4.4.0 because that version removed Python 3.4
support.

* Dev/Test: Pinned pytest to <5.0.0 for Python < 3.5 because that version
requires Python >= 3.5.

* Test: Temporary fix for pytest option `--pythonwarnings` in end2end tests
(issue 1714).

* Test: Fixed AttributeError in end2end assertion functions (Issue 1714)

* Change history: Removed incorrect statement about commenting out
server-specific functionality from the tuple parser from the change history
of pywbem 0.14.0.

* Test: Added and fixed profile definitions for end2end tests. (Issue 1714)

* Fix issue in the Jupyter notebook iterablecimoperations where the
IterQueryInstance example did not correctly processthe return from the
operation. It attempted to itereate the returned object and should have
been iterating the generator property in that object. Documentation of
that example and the example were corrected. (see issue 1741)

* Fix issue in pywbem_mock/_wbemconnection_mock.py with EnumerateInstances that
includes a property list with a property name that differs in case from the
property name in the returned instance. Works in the conn_lite=True mode but
fails in conn_lite=False mode because the test was case insensitive.

* Test: Fixed Appveyor CI setup for UNIX-like environments under Windows
(Issue 1729)

* Windows install: Upgraded version of Win32/64OpenSSL.exe that is downloaded
during installation on native Windows, from 1.1.0j to 1.1.0k. This became
necessary because the maintainer of the Win32OpenSSL project at
https://slproweb.com/products/Win32OpenSSL.html removes the previous version
from the web site whenever a new version is released, causing the pywbem
installation to fail during invocation of pywbem_os_setup.bat on Windows.
Related to that, fixed the way pywbem_os_setup.bat recognizes that the
version does not exist.
(see issue 1754)

* Add Jupyter tutorial for pywbem_mock to table of notebooks in documentation.

* Fix issue with Python 3 and WBEMconnection certificate handling. pywbem
was getting AttributeError: 'SSLContext' object has no attribute 'load_cert'
because incorrect method called. (See issue 1769)

* Fixed that the `OpenAssociatorInstances()` and `OpenReferenceInstances()`
methods of `WBEMConnections` incorrectly supported an `IncludeQualifiers`
parameter, and that the `OpenEnumerateInstances()` method of
`WBEMConnections` incorrectly supported an `IncludeQualifiers` and a
`LocalOnly` parameter, that were never supported as per DSP0200.
Specifying these parameters as `True` or `False` on these methods caused
properly implemented WBEM servers to reject the operation. These parameters
now still exist on these operations but are ignored and are not passed on to
WBEM servers.
The corresponding `Iter...()` methods now also ignore these parameters if the
pull operations are used; they are still passed on if the traditional
operations are used.
(See issue 1780)

* Added test to tests/manual/cim_operations.py specifically to test the iter and
pull operations for the IncludeQualifier and LocalOnly parameters based on
issue 1780.

* Test: Fixed errors on Python 2.6 about unnamed format replacements.

* Fixed incorrect format specifiers in exceptions raised in pywbem_mock.
(See issue 1817)

* Fixed missing suport for the ANY scope in pywbem_mock. (See issue 1820)

* Increased version of WinOpenSSL used on Windows from 1.1.0k to 1.1.0L.

* Fixed the issue that EnumerateInstances did not return instances without
properties unless DeepInheritance was set (see issue 1802).

* Fixed bad formatting on --mock-server option in wbemcli.py.

* Fixed the issue with 'dnf makecache fast' during pywbem_os_setup.sh on Fedora
(See issue 1844)

**Enhancements:**

* Changed GetCentralInstances methodology in WBEMServer.get_central_instances()
to be bypassed by default, because (1) WBEM servers do not implement it at
this point, and (2) there are WBEM servers that do not behave gracefully
when unknown CIM methods are invoked. Because WBEM servers are required to
implement one of the other methodologies, this change is not incompatible for
pywbem users.

* Improved the performance for receiving large CIM-XML responses in the
tupleparser by moving type checks for text content in XML into an error
handling path, and by replacing some isinstance() calls with type()
comparison.

* Improved the quality of the information in TypeError exceptions that are raised
due to invalid types passed in WBEMConnection operation arguments. (Issue 1736)

* Docs: Updated the trouble shooting section with an entry that explains
how a user can resolve the installation failure that is caused on Windows
when the Win32OpenSSL project at
https://slproweb.com/products/Win32OpenSSL.html removes the previous version
from their web site when a new version is released.

* Increased versions of the following packages to address security
vulnerabilities:

* requests from 2.19.1 to 2.20.1
* urllib3 from 1.22 to 1.23
* bleach from 2.1.0 to 2.1.4

These packages are only used for development of pywbem.

* Docs: Clarified how the pywbem_os_setup.sh/bat scripts can be downloaded
using a predictable URL, for automated downloads.

* Improved handling of missing WinOpenSSL on Windows by recommending manual
download of next version.

* Test: Added support for running the pywbem tests against an installed version
of pywbem, ignoring the version of pywbem that exists in the respective
directories of the repo work directory. This is useful for testing a
version of pywbem that has been installed as an OS-level package.
(See issue 1803)

* Docs: Improved the section about installing to a native Windows environment
(See issue 1804)

* Improved error messages and error handling in wbemcli and in the pywbem
mock support.

**Cleanup:**

* Test: Removed pinning of distro version on Travis to Ubuntu xenial (16.04)
for Python 3.7, because that is now the default distro version, in order to
pick up a future increase of the default distro version automatically.

**Known issues:**

* See `list of open issues`_.

.. _`list of open issues`: https://github.com/pywbem/pywbem/issues

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7753