PyPi: Conan

CVE-2022-29217

Transitive

Safety vulnerability ID: 49249

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 24, 2022. Updated at Nov 21, 2024.

Advisory

Conan 1.49.0 updates its dependency 'pyjwt' requirement to ">=2.4.0, <3.0.0" to include a security fix.

Affected package

conan

Latest version: 2.9.3

Conan C/C++ package manager

Affected versions

Fixed versions

Vulnerability changelog

- Feature: Add `install_substitutes` to system package manager tools to be able to install sets of packages that are equivalent with different names for different distros. (https://github.com/conan-io/conan/pull/11367). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2563)
- Feature: Do not automatically fix the shared libraries to add the rpath in Apple and add an external tool `tools.apple.fix_apple_shared_install_name` to do it optionally in recipes for packages that do not set the correct `LC_ID_DYLIB`. (https://github.com/conan-io/conan/pull/11365). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2562)
- Feature: Allow pyyaml 6.0 dependency. (https://github.com/conan-io/conan/pull/11363)
- Feature: Removed Python 2.7 support, as a result of an unsolvable security vulnerability in pyjwt. (https://github.com/conan-io/conan/pull/11357). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2552)
- Feature: The ``conanfile.txt`` file now accepts a ``[layout]`` that can be filled with 3 predefined layouts: ``cmake_layout``, ``vs_layout`` and ``bazel_layout``. (https://github.com/conan-io/conan/pull/11348). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2554)
- Feature: Remove the parameter ``copy_symlink_folders`` of the ``conan.tool.files.copy`` function and now, any symlink file pointing to a folder will be treated as a regular file. (https://github.com/conan-io/conan/pull/11330). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2558)
- Feature: Tools `can_run` validates whether it is possible to run an application built for a non-native architecture. (https://github.com/conan-io/conan/pull/11321). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2547)
- Feature: Add `CMAKE_SYSROOT` support for `CMakeToolchain`. (https://github.com/conan-io/conan/pull/11317). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2564)
- Feature: Add `--sysroot` support for `AutotoolsToolchain` and remove support for `cpp_info.sysroot` in `AutotoolsDeps`. (https://github.com/conan-io/conan/pull/11317). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2564)
- Feature: Add `tools.build:sysroot` conf. (https://github.com/conan-io/conan/pull/11317). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2564)
- Feature: Improved `cmake_layout` and `CMakePresets.json` feature so you can manage different configurations using the same `CMakeUserPresets.json` not only for multi-config (Debug/Release) but for any set of settings specified in a new conf `tools.cmake.cmake_layout:build_folder_vars` that accepts a list of settings to use. e.g `tools.cmake.cmake_layout:build_folder_vars=["settings.compiler", "options.shared"]` (https://github.com/conan-io/conan/pull/11308). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2561)
- Feature: Adds GCC 9.4 in the list of compilers supported in the settings file. (https://github.com/conan-io/conan/pull/11296)
- Feature: Raise an error when running CMake if CMAKE_BUILD_TYPE is not defined and the generator is not multi-config. (https://github.com/conan-io/conan/pull/11294). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2557)
- Feature: Implement a ``check_min_vs()`` checker that will work for both ``Visual Studio`` and ``msvc`` to allow migration from 1.X to 2.0 (https://github.com/conan-io/conan/pull/11292). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2555)
- Feature: More flexibility in Autotools tools to override arguments and avoid all default arguments for `make`, `autoreconf` and `configure`. (https://github.com/conan-io/conan/pull/11284). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2562)
- Feature: Add components support in XcodeDeps. (https://github.com/conan-io/conan/pull/11233). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2560)
- Feature: Define new ``tools.cmake.cmaketoolchain:toolset_arch`` to define VS toolset x64 or x86 architecture (https://github.com/conan-io/conan/pull/11147). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2556)
- Feature: Add new `xtensalx7` option for the `arch_target` and `arch` settings, allowing targeting Espressif's ESP32-S2 and ESP32-S3 microcontrollers. (https://github.com/conan-io/conan/pull/11143)
- Fix: Use `interface_library` with `shared_library` on Windows in BazelDeps. (https://github.com/conan-io/conan/pull/11355)
- Fix: BazelDeps generator cannot find a lib when it's named with the basename of the lib file. (https://github.com/conan-io/conan/pull/11343)
- Fix: Avoid empty paths in run environments PATH, LD_LIBRARY_PATH, DYLD_LIBRARY_PATH env-vars. (https://github.com/conan-io/conan/pull/11298)
- Fix: Use `DESTDIR` argument in `make install` step instead of using the `--prefix` in configure. (https://github.com/conan-io/conan/pull/11284). Docs: [:page_with_curl:](https://github.com/conan-io/docs/pull/2562)
- Fix: Add `-DCMAKE_BUILD_TYPE` to markdown generator instructions for CMake single config. (https://github.com/conan-io/conan/pull/11220)
- Fix: Fixing ``--require-override`` over conditional ``requirements()`` method. (https://github.com/conan-io/conan/pull/11209)
- Fix: Placing quote marks around echo statement in `save_sh` function. (https://github.com/conan-io/conan/pull/11123)
- Bugfix: Force ``conan_server`` to use ``pyjwt>=2.4.0`` to solve a known vulnerability. (https://github.com/conan-io/conan/pull/11350)
- Bugfix: Fix case where CMakeDeps generator may use the wrong dependency name for transitive dependencies. (https://github.com/conan-io/conan/pull/11307)
- Bugfix: Link ``cpp_info.objects`` first in ``CMakeDeps`` generator, as they can have dependencies to ``system_libs`` that need to be after them in some platforms to correctly link. (https://github.com/conan-io/conan/pull/11272)
- Bugfix: Update cmake_layout generators folder to honor os path format. (https://github.com/conan-io/conan/pull/11252)
- Bugfix: Catching `KeyError` if `USERNAME` is not set as env variable on Windows. (https://github.com/conan-io/conan/pull/11223)
- Bugfix: Add Rocky Linux to with_yum. (https://github.com/conan-io/conan/pull/11212)


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE