Skip to content

Update dependency PyMySQL to v1 [SECURITY] #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency PyMySQL to v1 [SECURITY] #75

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
PyMySQL (changelog) ==0.10.0 -> ==1.1.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-36039

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

Release Notes

PyMySQL/PyMySQL (PyMySQL)

v1.1.1

Compare Source

Release date: 2024-05-21

[!WARNING]
This release fixes a vulnerability (CVE-2024-36039).
All users are recommended to update to this version.

If you can not update soon, check the input value from
untrusted source has an expected type. Only dict input
from untrusted source can be an attack vector.

  • Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL
    and might cause SQL injection. (CVE-2024-36039)
  • Added ssl_key_password param. #​1145

v1.1.0

Compare Source

Release date: 2023-06-26

  • Fixed SSCursor raising OperationalError for query timeouts on wrong statement (#​1032)
  • Exposed Cursor.warning_count to check for warnings without additional query (#​1056)
  • Make Cursor iterator (#​995)
  • Support '_' in key name in my.cnf (#​1114)
  • Cursor.fetchall() returns empty list instead of tuple (#​1115). Note that Cursor.fetchmany() still return empty tuple after reading all rows for compatibility with Django.
  • Deprecate Error classes in Cursor class (#​1117)
  • Add Connection.set_character_set(charset, collation=None). This method is compatible with mysqlclient. (#​1119)
  • Deprecate Connection.set_charset(charset) (#​1119)
  • New connection always send "SET NAMES charset [COLLATE collation]" query. (#​1119)
    Since collation table is vary on MySQL server versions, collation in handshake is fragile.
  • Support charset="utf8mb3" option (#​1127)

v1.0.3

Compare Source

Release date: 2023-03-28

  • Dropped support of end of life MySQL version 5.6
  • Dropped support of end of life MariaDB versions below 10.3
  • Dropped support of end of life Python version 3.6
  • Removed _last_executed because of duplication with _executed by @​rajat315315 in #​948
  • Fix generating authentication response with long strings by @​netch80 in #​988
  • update pymysql.constants.CR by @​Nothing4You in #​1029
  • Document that the ssl connection parameter can be an SSLContext by @​cakemanny in #​1045
  • Raise ProgrammingError on -np.inf in addition to np.inf by @​cdcadman in #​1067
  • Use Python 3.11 release instead of -dev in tests by @​Nothing4You in #​1076

v1.0.2

Compare Source

Release date: 2021-01-09

  • Fix user, password, host, database are still positional arguments.
    All arguments of connect() are now keyword-only. (#​941)

v1.0.1

Compare Source

Release date: 2021-01-08

  • Stop emitting DeprecationWarning for use of db and passwd.
    Note that they are still deprecated. (#​939)
  • Add python_requires=">=3.6" to setup.py. (#​936)

v1.0.0

Compare Source

Release date: 2021-01-07

Backward incompatible changes:

  • Python 2.7 and 3.5 are not supported.
  • connect() uses keyword-only arguments. User must use keyword argument.
  • connect() kwargs db and passwd are now deprecated; Use database and password instead.
  • old_password authentication method (used by MySQL older than 4.1) is not supported.
  • MySQL 5.5 and MariaDB 5.5 are not officially supported, although it may still works.
  • Removed escape_dict, escape_sequence, and escape_string from pymysql
    module. They are still in pymysql.converters.

Other changes:

  • Connection supports context manager API. __exit__ closes the connection. (#​886)
  • Add MySQL Connector/Python compatible TLS options (#​903)
  • Major code cleanup; PyMySQL now uses black and flake8.

v0.10.1

Compare Source

Release date: 2020-09-10

  • Fix missing import of ProgrammingError. (#​878)
  • Fix auth switch request handling. (#​890)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants