Safety vulnerability ID: 64478
The information on this page was manually curated by our Cybersecurity Intelligence Team.
DipDup 7.2.0 upgrades its PyArrow dependency to address CVE-2023-47248. The version constraint changed from the compatible-release specifier `~=12.0` to the range `>=14.0.1,<15`.
https://github.com/dipdup-io/dipdup/commit/575b4366c2467a9af1cf02675bac7ddf686cf762
Latest version: 8.1.2
Modular framework for creating selective indexers and featureful backends for dapps
Added
- api: Added HTTP API to manage a running indexer.
- config: Added `http.request_timeout` option to set the total timeout for HTTP requests.
- evm.subsquid: Added Prometheus metrics required for Subsquid Cloud deployments.
- project: Added optional `package_manager` field to replay config.
- project: Added Makefile to the default project template (only for new projects).
- tezos.tzkt: Added support for Etherlink smart rollups (`sr1…` addresses).
Fixed
- cli: Don't suppress uncaught exceptions when performance monitoring is disabled.
- codegen: Use datamodel-code-generator from the project's virtualenv.
- evm.node: Fixed an issue with realtime subscriptions which led to indexing being stuck in some cases.
- http: Use `request_timeout` instead of `connection_timeout` for total timeout.
- install: Don't install datamodel-code-generator as a CLI tool.
- install: Respect package manager if specified in pyproject.toml.
Performance
- evm.subsquid.events: Request logs in batches to speed up the last mile indexing.
Security
- deps: Updated PyArrow to 14.0.1 to fix [CVE-2023-47248](https://github.com/advisories/GHSA-5wvp-7f3h-6wmm)