PyPi: Pywbem

CVE-2019-19275

Transitive

Safety vulnerability ID: 42726

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 26, 2019 Updated at Apr 19, 2024

Advisory

Pywbem 1.2.0.dev1 updates the minimum requirements for its dependency 'typed-ast' to include a security fix.
Note that this package is only needed for test and development of pywbem.

Affected package

pywbem

Latest version: 1.7.2

pywbem - A WBEM client

Affected versions

Fixed versions

Vulnerability changelog

This version contains all fixes up to pywbem 1.1.x.

Released: not yet

**Incompatible changes:**

* Unsupported CIM infrastructure versions returned in CIM-XML responses from
WBEM servers are now raised as a new exception `pywbem.CIMVersionError`, and
were previously raised as `pywbem.CIMXMLParseError`.
Unsupported DTD versions and CIM-XML protocol versions returned in CIM-XML
responses from WBEM servers are now raised as new exceptions
`pywbem.DTDVersionError` and `pywbem.ProtocolVersionError`, and were
previously ignored by pywbem.
Since these new exceptions are all derived from the existing exception
`pywbem.VersionError`, this change is only incompatible if such unsupported
versions were specifically handled by users.

**Deprecations:**

**Bug fixes:**

* MOF compiler: Fixed bug where MOF compiler did not correctly install a CIM schema
in a non-default namespace because it tried to get the qualifiers from the
default namespace. (see issue 2502)

* Test: Changed dependency to 'typed-ast' to match the needs of 'astroid' and to
install it only on CPython. This allows re-enabling PyPy3 on Travis.

* Test: Pinned psutil to <=5.6.3 on PyPy2+3 to avoid an installation error.

* Test: Increased the minimum version of 'pyzmq' on Python 3.9 to 19.0.0 to
avoid an installation error.

* Test: Circumvented unicode issue with lxml.etree.fromstring()/XML() on
Python 3.9 by passing in binary strings.

* Test: Adjusted _format()/_ascii2() testcases to PyPy3 behavior with binary vs
unicode results.

* Test: Suppressed pylint warning about 'tracemalloc' methods on PyPy.

* Test: Disabled leaktest in Travis also on PyPy3 (in addition to PyPy2).

* Test: Disabled 'make resourcetest' in Travis on PyPy2 and PyPy3, suppressed
Pylint issues about using 'tracemalloc' methods, and disabled its unit tests.

* Fixed the bug that pywbem allowed reference typed CIMQualifier and
CIMQualifierDeclaration objects. DSP0004 disallows reference types on
qualifiers and qualifier declarations. This fix now causes CIM-XML responses
received from a WBEM server with reference typed qualifier values and qualifier
declarations to raise `pywbem.CIMXMLParseError` from `WBEMConnection`
operations.

* Fixed a `DeprecationWarning` issued by urllib3 about using the
`whitelist_methods` parameter of `Retry`.

* Security: Increased minimum version of 'PyYAML' to 5.2 on Python 3.4 and to
5.3.1 on Python 2.7 and >=3.5 to address security issues reported by safety.
The relevant functions of 'PyYAML' are not used by pywbem, though.

* Security: Increased minimum version of 'urllib3' to 1.24.2 on Python 3.4 and
to 1.25.9 on Python 2.7 and >=3.5 to address security issues reported by
safety. To support these versions of 'urllib3', increased minimum version of
'requests' to 2.20.1 on Python 3.4 and to 2.22.0 on Python 2.7 and >=3.5.

* Security: Increased minimum versions of several packages that are needed only
for test or development of pywbem to address security issues reported by
safety: requests-toolbelt to 0.8.0; lxml to 4.6.2 (except for Python 3.4);
pylint to 2.5.2 and astroid to 2.4.0 on Python >=3.5; typed-ast to 1.3.2 on
Python 3.4; twine to 3.0.0 on Python >=3.6; pkginfo to 1.4.2; bleach to 3.1.2
on Python 3.4 and to 3.1.4 on Python 2.7 and Python >=3.5.

* Fixed issue on GitHub Actions with macOS by no longer running "brew update"
in pywbem_os_setup.sh. (issue 2544)
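
The three "Security:" bullets above raise dependency floors that differ by Python version (Python 3.4 versus Python 2.7 and >=3.5, with a few packages floored only on >=3.5 or >=3.6). The script below is an added example, not code from pywbem or from this advisory: it encodes exactly the floors stated in the changelog and reports any installed package below its floor for a given Python version. The `SAMPLE_INSTALLED` dictionary is constructed for offline use; `installed_versions()` uses `importlib.metadata` to query a real environment. The version parser is a deliberate simplification (numeric components only, pre-release suffixes ignored) and is an assumption of this example, not a PEP 440 implementation.

```python
"""Check installed dependency versions against the security floors stated in
the pywbem changelog (added example, not pywbem's own code)."""
import sys
from importlib import metadata


# Python-version predicates; `py` is a (major, minor) tuple.
def py34(py):
    return py[:2] == (3, 4)


def py27_or_35plus(py):
    return py[0] == 2 or py[:2] >= (3, 5)


def py35plus(py):
    return py[:2] >= (3, 5)


def py36plus(py):
    return py[:2] >= (3, 6)


def any_py(py):
    return True


# Floors copied from the changelog's "Security:" bullets. Each package maps to
# a list of (predicate, minimum version); the first matching predicate wins,
# and no match means the changelog states no floor for that Python version.
SECURITY_FLOORS = {
    "PyYAML": [(py34, "5.2"), (py27_or_35plus, "5.3.1")],
    "urllib3": [(py34, "1.24.2"), (py27_or_35plus, "1.25.9")],
    "requests": [(py34, "2.20.1"), (py27_or_35plus, "2.22.0")],
    "requests-toolbelt": [(any_py, "0.8.0")],
    "lxml": [(lambda py: not py34(py), "4.6.2")],   # "except for Python 3.4"
    "pylint": [(py35plus, "2.5.2")],
    "astroid": [(py35plus, "2.4.0")],
    "typed-ast": [(py34, "1.3.2")],
    "twine": [(py36plus, "3.0.0")],
    "pkginfo": [(any_py, "1.4.2")],
    "bleach": [(py34, "3.1.2"), (py27_or_35plus, "3.1.4")],
}

# Constructed sample of an environment; not taken from any real install.
SAMPLE_INSTALLED = {
    "PyYAML": "5.1",
    "urllib3": "1.25.9",
    "requests": "2.21.0",
    "lxml": "4.6.2",
}


def parse_version(text):
    """Simplified version parser: leading digits of each dotted component,
    trailing zeros dropped so that "3.0.0" compares equal to "3.0"."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def floor_for(package, py):
    """Return the stated minimum version for `package` on Python `py`, or None."""
    for predicate, floor in SECURITY_FLOORS.get(package, []):
        if predicate(py):
            return floor
    return None


def check_floors(installed, py):
    """Return (package, installed_version, floor) for every installed package
    that is below the floor stated for Python `py`."""
    findings = []
    for package in SECURITY_FLOORS:
        floor = floor_for(package, py)
        if floor is None or package not in installed:
            continue
        if parse_version(installed[package]) < parse_version(floor):
            findings.append((package, installed[package], floor))
    return findings


def installed_versions(packages):
    """Look up the versions actually installed in the running interpreter."""
    found = {}
    for package in packages:
        try:
            found[package] = metadata.version(package)
        except metadata.PackageNotFoundError:
            pass  # not installed, so no floor applies
    return found


if __name__ == "__main__":
    py = (sys.version_info.major, sys.version_info.minor)
    for package, have, floor in check_floors(installed_versions(SECURITY_FLOORS), py):
        print(f"{package}: installed {have}, changelog floor {floor}")
```

Run against the constructed sample on Python 3.8, `check_floors()` flags PyYAML (5.1 below 5.3.1) and requests (2.21.0 below 2.22.0); on Python 3.4 it flags only PyYAML (5.1 below 5.2), because the lower 3.4 floors are met and lxml has no 3.4 floor at all. The table deliberately records the per-version split instead of a single "latest is safest" number, which is the point the changelog makes: the floor a project can enforce depends on which interpreters it still supports.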

**Enhancements:**

* Logging: Added a value 'off' for the log destination in the
``pywbem.configure_logging()`` function that disables logging.
(part of issue 86)

* Improved exception handling during the parsing of CIM-XML responses received
from a WBEM server. Exceptions that were raised as TypeError or ValueError
during the creation of CIM objects that are part of the operation result are
now raised as pywbem.CIMXMLParseError. Note that this is not an incompatible
change because users were already potentially getting pywbem.CIMXMLParseError
exceptions in other cases. (see issue 2512)

* Test: Added CIM-XML testcases in the area of instance paths. (see issue 2514)

* Docs: Clarified that `pywbem.type_from_name()` returns `CIMInstanceName` for
type name "reference", even though for use in CIM method parameters,
`CIMClassName` is also valid.

* Issued a new `pywbem.MissingKeybindingsWarning` warning if a `CIMInstanceName`
object that does not have any keybindings gets converted to CIM-XML by calling
its `tocimxml()` method, or gets converted to a WBEM URI by calling its
`to_wbem_uri()` method, or gets parsed from CIM-XML via an INSTANCENAME
element without keybindings. This is motivated by the fact that DSP0004 does
not allow instance paths without keys (section 8.2.5). (See issue 2514)

* Reduced memory consumption of CIM objects and CIM types by defining their
attributes to use Python slots. (see issue 2509)

* Reduced memory consumption of CIM objects by using lazy initialization of
dictionary-type attributes. This resulted in significant savings when the
attribute is typically unused, for example in ``CIMInstance.qualifiers``.
(see issue 2511)

* Added Python 3.9 to the supported Python versions and added tests for
it on Travis.

* Added a check for the DTDVERSION attribute value in CIM-XML responses from
WBEM servers to start with '2.'. A different version of the CIM-XML DTD
standard DSP0203 was never published, so this is not expected to be an
incompatible change.

* Unsupported versions for CIM infrastructure, DTD or protocol version returned
in CIM-XML responses from WBEM servers are now raised as new exceptions
`pywbem.CIMVersionError`, `pywbem.DTDVersionError`, and
`pywbem.ProtocolVersionError`, respectively. These new exceptions are
derived from the existing exception `pywbem.VersionError`. Previously,
unsupported CIM infrastructure versions were raised as
`pywbem.CIMXMLParseError`, and unsupported DTD or protocol versions were
ignored by pywbem.

* Removed the pinning of Pylint to 2.5.2 on Python >=3.5. Disabled the following
warnings that were newly reported by the latest version (2.6.0) of Pylint:
'signature-differs' because it does not recognize compatible signature changes;
'raise-missing-from' and 'super-with-arguments' because these issues cannot
reasonably be addressed as long as Python 2.7 is supported.

* In the makefile, added an ignore list for issues reported by safety along
with the reasons why each issue is ignored. This allowed enforcing that the
safety command reports no issues.

* Migrated from Travis and Appveyor to GitHub Actions. This required several
changes in package dependencies for development.

**Cleanup:**

* Test: Fixed all remaining ResourceWarnings during test. (issue 86)

* Test: Cleaned up DeprecationWarning for the propagation of key property values
introduced in pywbem 1.1.0. (see issue 2498)

**Known issues:**

* On Python 3.4, the urllib3 package is pinned to <1.25.8 because 1.25.9 removed
Python 3.4 support. As a consequence,
`safety issue <https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json>`_
38834 cannot be addressed on Python 3.4.

* See `list of open issues`_.

.. _`list of open issues`: https://github.com/pywbem/pywbem/issues


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL