chore(deps): update dependency astropy to v5.3.3 [security] #533
This PR contains the following updates:

astropy: 5.2.2 -> 5.3.3
GitHub Vulnerability Alerts

CVE-2023-41334

Summary

RCE due to improper input validation in TransformGraph().to_dot_graph function

Details

Due to improper input validation a malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen.
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
Although an error will be raised, the command or script will be executed successfully.

PoC

Impact

code execution on the user's machine
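The advisory above describes a caller-controlled string being used as argv[0] of subprocess.Popen, so any program name or script path is accepted. The block below is an added example, not astropy's code and not the fix that shipped in 5.3.3; it places the weak pattern next to an allowlisted version so the difference is visible. The set of Graphviz layout engine names (dot, neato, fdp, sfdp, circo, twopi) is this example's own assumption about what a valid savelayout should be, and the argv shape ("-Tplain -o OUT", DOT text on stdin) is likewise assumed rather than taken from astropy.

```python
"""Added example: allowlist a caller-supplied program name before it reaches
subprocess.  This is NOT astropy's code; it models the pattern the advisory
describes (savelayout used as argv[0]) and one way to harden it."""
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Assumption of this example: Graphviz layout engines are the only programs a
# 'savelayout' argument should ever name.  Exact-match, no paths, no options.
GRAPHVIZ_LAYOUTS = frozenset({"dot", "neato", "fdp", "sfdp", "circo", "twopi"})


def build_layout_argv_unchecked(savelayout: str, out_path: str) -> List[str]:
    """Weak pattern (kept for contrast, never executed here): whatever the
    caller passes becomes argv[0], so any executable on PATH or any path to a
    script would be run by subprocess."""
    return [savelayout, "-Tplain", "-o", out_path]


def validate_layout(savelayout: object) -> str:
    """Accept only a string that is exactly one allowed engine name.
    Paths, options, trailing whitespace and non-str values all fail closed."""
    if not isinstance(savelayout, str) or savelayout not in GRAPHVIZ_LAYOUTS:
        raise ValueError(
            f"savelayout must be one of {sorted(GRAPHVIZ_LAYOUTS)}, "
            f"got {savelayout!r}"
        )
    return savelayout


def build_layout_argv(savelayout: object, out_path: str) -> List[str]:
    """Hardened pattern: validate first, then build a list argv (no shell).
    Graphviz reads the DOT source from stdin when no input file is given."""
    program = validate_layout(savelayout)
    return [program, "-Tplain", "-o", out_path]


def classify_layout_values(values: Iterable[object]) -> Dict[str, List[object]]:
    """Show which candidate values the allowlist accepts or rejects; useful
    as a quick self-check of the validation rule."""
    result: Dict[str, List[object]] = {"accepted": [], "rejected": []}
    for value in values:
        try:
            validate_layout(value)
            result["accepted"].append(value)
        except ValueError:
            result["rejected"].append(value)
    return result


def render_layout(savelayout: object, dot_source: str, out_path: str) -> Optional[str]:
    """Run the validated engine on in-memory DOT text.  Returns None when the
    engine is not installed instead of failing; argv is a list and shell=False,
    so no shell ever parses any of the arguments."""
    argv = build_layout_argv(savelayout, out_path)
    if shutil.which(argv[0]) is None:
        return None
    subprocess.run(argv, input=dot_source.encode(), check=True, shell=False)
    return out_path


if __name__ == "__main__":
    # Constructed sample values: two real engine names and two that a plain
    # argv[0] pass-through would have executed.
    candidates = ["dot", "neato", "not-a-layout-engine", "/usr/local/bin/anything"]
    print(classify_layout_values(candidates))
    # Constructed DOT graph; render only if Graphviz happens to be installed.
    print(render_layout("dot", "digraph g { a -> b; }", "layout.txt"))
```

The unchecked builder is included only to make the contrast concrete; the point of the hardened version is that validation happens before the argv list exists at all, and that the error is raised instead of the program being started first and the error reported afterwards.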
Release Notes

astropy/astropy (astropy)

v5.3.3
======

Compare Source

Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

- ``TransformGraph.to_dot_graph()`` now throws an exception for invalid ``savelayout``.

astropy.cosmology
^^^^^^^^^^^^^^^^^

- ``w0wzCDM`` functions in ``inv_efunc`` has been corrected to 3, from -3. [#15224]

astropy.modeling
^^^^^^^^^^^^^^^^

- ``filter_non_finite`` keyword argument in a fitter call. Now when ``filter_non_finite`` is True, non-finite weights will also be filtered to prevent crashes in ``LevMarLSQFitter``. [#15215]

astropy.units
^^^^^^^^^^^^^

- ``astropy.units.Quantity``'s implementation of ``numpy.nanmedian()``, where for Numpy >= 1.25 an exception was raised for some array shapes and axis combinations. [#15228]

Other Changes and Additions
v5.3.2
======

Compare Source

Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

- ``-OO`` flag. [#15037]

astropy.nddata
^^^^^^^^^^^^^^

- ``NDData`` without masks or units. [#15082]

astropy.units
^^^^^^^^^^^^^

- ``np.power()`` for instances of ``Quantity`` to allow any array as the second operand if all its elements have the same value. [#15101]
v5.3.1
======

Compare Source

Bug Fixes

astropy.cosmology
^^^^^^^^^^^^^^^^^

- ``w0wzCDM.de_density_scale`` has been corrected to 3, from -3. [#14991]

astropy.io.fits
^^^^^^^^^^^^^^^

- Fix crash when a PrimaryHDU has a GROUPS keyword with a non-boolean value (i.e. not a random-groups HDU). [#14998]
- Fixed a bug that caused ``Cutout2D`` to not work correctly with ``CompImageHDU.section``. [#14999]
- Fixed a bug that caused compressed images with TFORM missing the optional '1' prefix to not be readable. [#15001]

astropy.modeling
^^^^^^^^^^^^^^^^

astropy.nddata
^^^^^^^^^^^^^^

- ``NDData.mask``, plus a fix for arithmetic between masked and unmasked ``NDData`` objects. [#14995]

astropy.table
^^^^^^^^^^^^^

- order of rows within groups to not match the original table order when an indexed table was grouped. [#14907]

astropy.units
^^^^^^^^^^^^^
v5.3
====

Compare Source

Bug Fixes

astropy.io.misc
^^^^^^^^^^^^^^^

- ``astropy.io.misc.yaml`` so ``dump()`` with a numpy object array or ``load()`` with YAML representing a Numpy object array both raise ``TypeError``. This prevents problems like a segmentation fault. [#15373]

astropy.io.votable
^^^^^^^^^^^^^^^^^^

- ``convert_to_writable_filelike`` where ``GzipFile`` was not closed properly. [#15359]

astropy.units
^^^^^^^^^^^^^

- In VOUnit, the spaces around the slash were removed in the formatting of fractions, and fractional powers now also use the "**" operator. [#15282]
- We now ensure that the unit ``u.cgs.cm`` is just an alias of ``u.si.cm``, instead of a redefinition. This ensures that ``u.Unit("cm") / u.cm`` will reliably cancel to dimensionless (instead of some "cm / cm"). [#15368]

astropy.utils
^^^^^^^^^^^^^

- ``Masked``, ``np.ptp`` and the ``.ptp()`` method now properly account for the mask, ensuring the result is identical to subtracting the maximum and minimum (with the same arguments). [#15380]

Other Changes and Additions

- Compatibility with Python 3.12. [#14784]
- Replaced the URL of ``IETF_LEAP_SECOND_URL`` because the original is now defunct and IETF now defers to IANA for such look-up. [#15421]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.