@hemna hemna commented Mar 27, 2025

This addresses a vulnerability in the older pymysql.

CVE-2024-36039
@hemna hemna force-pushed the bump-cinder-pymysql branch from 1eb6d53 to 04cf40b on March 27, 2025 15:55

joker-at-work commented Mar 28, 2025

What's in the changelog from 1.0.2 to 1.1.1? Are all the changes safe to use and compatible?


hemna commented Mar 28, 2025

Release date: 2024-05-21

Warning

This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you cannot update soon, check that input values from untrusted sources have the expected type. Only dict input from an untrusted source can be an attack vector.

Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
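To make the release note concrete, here is an added illustration written for this thread; it is not code from PyMySQL, Cinder, or the PR author. It re-implements a simplified version of the client-side parameter escaping that a MySQL driver of this kind performs (values are escaped, then `%`-formatted into the query string) so it runs offline without a database. `literal_old` models the pre-1.1.1 behaviour the changelog describes, where a dict parameter was escaped value-by-value and handed back as a dict rather than a quoted string, so `%s` formatting stringified it and its keys reached the SQL unescaped; `literal_new` models the 1.1.1 behaviour of refusing dicts; `safe_params` is a hypothetical helper implementing the "check the input type" workaround for installations that cannot upgrade yet. The attacker payload and query are constructed for the demo.

```python
"""Simplified model of client-side SQL parameter interpolation to show
why an untrusted dict parameter is an injection vector (CVE-2024-36039).
Added illustration for this thread; not PyMySQL's, Cinder's or the PR
author's code. Only the escaping logic needed for the demo is modelled."""


def escape_string(value: str) -> str:
    """Backslash-escape the subset of characters relevant to the demo."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def literal_old(value):
    """Pre-1.1.1 style escaping: a dict is escaped value-by-value and
    returned as a dict, so its keys are never escaped or quoted."""
    if isinstance(value, str):
        return "'" + escape_string(value) + "'"
    if isinstance(value, (int, float)):
        return str(value)
    if value is None:
        return "NULL"
    if isinstance(value, dict):
        return {k: literal_old(v) for k, v in value.items()}  # keys untouched
    raise TypeError(f"unsupported parameter type {type(value).__name__}")


def literal_new(value):
    """1.1.1 style escaping: refuse dict parameters outright."""
    if isinstance(value, dict):
        raise TypeError("dict can not be used as parameter")
    return literal_old(value)


def mogrify(query: str, args, literal):
    """Render the final SQL the way a client-side-parameter driver does:
    escape each argument, then %-format the results into the template."""
    return query % tuple(literal(a) for a in args)


def render_old(query: str, args) -> str:
    """Query as the vulnerable escaping would send it to the server."""
    return mogrify(query, args, literal_old)


def render_new(query: str, args) -> str:
    """Query as the fixed escaping would send it (raises on dict)."""
    return mogrify(query, args, literal_new)


def safe_params(args, allowed=(str, int, float, type(None))):
    """Hypothetical pre-upgrade mitigation from the release note: only let
    expected scalar types from untrusted input reach Cursor.execute()."""
    for a in args:
        if not isinstance(a, allowed):
            raise TypeError(f"unexpected parameter type {type(a).__name__}")
    return args


# Constructed demo input: the application expects a user name string, but
# the attacker sent a JSON object whose *key* carries the payload.
QUERY = "SELECT id FROM users WHERE name = %s"
ATTACK = {"x' OR 1=1 -- ": "v"}


if __name__ == "__main__":
    print("string param, old:", render_old(QUERY, ("x' OR 1=1 -- ",)))
    print("dict param, old:  ", render_old(QUERY, (ATTACK,)))
    for name, fn in (("dict param, new", render_new),
                     ("dict param, checked", lambda q, a: render_old(q, safe_params(a)))):
        try:
            fn(QUERY, (ATTACK,))
        except TypeError as exc:
            print(f"{name}: rejected ({exc})")
```

Running it shows the same payload escaped correctly when it arrives as a string (`'x\' OR 1=1 -- '`) but spliced into the statement unescaped when it arrives as a dict key, which is why the note says only dict input from an untrusted source is an attack vector, and why a type check on request data is a workable stopgap until the bump lands.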

@joker-at-work

So they prohibit it now and raise a TypeError - if this doesn't break Cinder now, how are we hit by that CVE?

With changelog I meant that we might want to look at what else changed that might break OpenStack, i.e. https://github.com/PyMySQL/PyMySQL/releases/tag/v1.0.3, https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.0 and https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1,
as you're not proposing to backport that one change to fix the CVE, but to bump pymysql, thus introducing at least 20 additional changes in the code.

@joker-at-work

Additionally, I'm wondering if this is relevant when we have SQLAlchemy in between or if they would do their own escaping/transforming anyways.
