Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump pywin32 from 228 to 301 in /python/lib/dcoscli #533

Open
wants to merge 1 commit into
base: 2.2-patch.x
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link
Contributor

Bumps pywin32 from 228 to 301.

Release notes

Sourced from pywin32's releases.

Release 301

The changes

If you use pip: pip install pywin32 --upgrade

A number of things don't work via pip, so you may choose to install binaries - but you must choose both the correct Python version and "bittedness".

Even if you have a 64bit computer, if you installed a 32bit version of Python you must install the 32bit version of pywin32.

There is one binary per-version, per-bittedness. To determine what version of Python you have, start Python and look at the first line of the banner. Compare these 2:

Python 2.7.2+ ... [MSC v.1500 32 bit (Intel)] on win32
Python 2.7.2+ ... [MSC v.1500 64 bit (AMD64)] on win32
                              ^^^^^^^^^^^^^^

If the installation process informs you that Python is not found in the registry, it almost certainly means you have downloaded the wrong version - either for the wrong version of Python, or the wrong "bittedness".

Release 300

This is the first release to support only Python 3.5 and up - Python 2 is no longer supported. To celebrate, the build numbers have jumped to 300! There were significant changes in this release - you are encouraged to read CHANGES.txt carefully.

To download pywin32 binaries you must choose both the correct Python version and "bittedness".

Note that there is one download package for each supported version of Python - please check what version of Python you have installed and download the corresponding package.

Some packages have a 32bit and a 64bit version available - you must download the one which corresponds to the Python you have installed. Even if you have a 64bit computer, if you installed a 32bit version of Python you must install the 32bit version of pywin32.

To determine what version of Python you have, just start Python and look at the first line of the banner. A 32bit build will look something like

Python 3.8.1+ ... [MSC v.1913 32 bit (Intel)] on win32

While a 64bit build will look something like:

Python 3.8.1+ ... [MSC v.1913 64 bit (AMD64)] on win32

If the installation process informs you that Python is not found in the registry, it almost certainly means you have downloaded the wrong version - either for the wrong version of Python, or the wrong "bittedness".

Changelog

Sourced from pywin32's changelog.

A changelog for recent builds as pasted into the sourceforge page.

Generally created by hand after running: hg log -rb2xx: > log.out However contributors are encouraged to add their own entries for their work.

Note that build 228 was the last version supporting Python 2.

Since build 300:

  • Fix some confusion on how dynamic COM object properties work. The old code was confused, so there's a chance there will be some subtle regression here - please open a bug if you find anything, but this should fix #1427.

  • COM objects are now registered with the full path to pythoncomXX.dll, fixes #1704.

  • Creating a win32crypt.CRYPT_ATTRIBUTE object now correctly sets cbData.

  • Add wrap and unwrap operations defined in the GSSAPI to the sspi module and enhance the examples given in this module. (#1692, Emmanuel Coirier)

  • Fix a bug in win32profile.GetEnvironmentStrings() relating to environment variables with an equals sign (@​maxim-krikun in #1661)

  • Fixed a bug where certain COM dates would fail to be converted to a Python datetime object with ValueError: microsecond must be in 0..999999. Shoutout to @​hujiaxing for reporting and helping reproduce the issue (#1655)

  • Added win32com.shell.SHGetKnownFolderPath() and related constants.

  • CoClass objects should work better with special methods like len etc. (#1699)

  • Shifted work in win32.lib.pywin32_bootstrap to Python's import system from manual path manipulations (@​wkschwartz in #1651)

  • Fixed a bug where win32print.DeviceCapabilities would return strings containing the null character followed by junk characters. (#1654, #1660, Lincoln Puzey)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot requested a review from pierrebeitz as a code owner May 31, 2021 11:20
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 31, 2021
@mesosphere-ci
Copy link
Collaborator

Can one of the admins verify this patch?

2 similar comments
@mesosphere-ci
Copy link
Collaborator

Can one of the admins verify this patch?

@mesosphere-ci
Copy link
Collaborator

Can one of the admins verify this patch?

@dependabot-preview
Copy link
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Integer overflow in pywin32

An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than 65535 bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process.

Affected versions: ["< 301"]

@dependabot-preview dependabot-preview bot changed the title Bump pywin32 from 228 to 301 in /python/lib/dcoscli [Security] Bump pywin32 from 228 to 301 in /python/lib/dcoscli Aug 9, 2021
@dependabot-preview dependabot-preview bot added the security Pull requests that address a security vulnerability label Aug 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant