
fix(deps): update dependency snowflake-connector-python to v3.12.3 [security] #10366


Merged
merged 2 commits into from
Oct 26, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 24, 2024

This PR contains the following updates:

Package: snowflake-connector-python (source, changelog)
Change: 3.12.2 -> 3.12.3

GitHub Vulnerability Alerts

CVE-2024-49750

Issue

Snowflake recently learned about and remediated a set of vulnerabilities in the Snowflake Connector for Python. Under specific conditions, certain users' credentials (or portions of those credentials) were logged locally by the Connector to the users' own systems. The credentials were not logged by Snowflake.

These vulnerabilities affect versions up to and including 3.12.2. Snowflake fixed the issue in version 3.12.3.

Vulnerability Details

When the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified via the “passcode” parameter) and Azure SAS tokens. Additionally, the SecretDetector logging formatter, if enabled, contained bugs which caused it to not fully redact JWT tokens and certain private key formats.

Solution

Snowflake released version 3.12.3 of the Snowflake Connector for Python, which fixes these issues. We recommend users upgrade to version 3.12.3 and review their logs for any potentially sensitive information that may have been captured.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.


Release Notes

snowflakedb/snowflake-connector-python (snowflake-connector-python)

v3.12.3: 3.12.3

Compare Source

  • v3.12.3 (October 25, 2024)
    • Improved the error message for SSL-related issues to provide clearer guidance when an SSL error occurs.
    • Improved error message for SQL execution cancellations caused by timeout.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
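The advisory above asks users to review their local logs for material the connector may have written. The following is an added example, not code from the connector, Snowflake or this PR: a small scanner for the four categories CVE-2024-49750 names (Duo passcodes passed via `passcode`, Azure SAS tokens, JWTs, PEM private keys). The log layout, the regexes and every sample value are constructed assumptions, not the connector's real output.

```python
"""Post-upgrade log review for CVE-2024-49750: look for the material the
advisory says snowflake-connector-python <= 3.12.2 could write to DEBUG logs
or fail to redact (Duo passcodes, Azure SAS tokens, JWTs, PEM private keys).
Constructed example; the log format and every value below are assumptions,
not real connector output."""
import re
from typing import Dict, List

# One pattern per category named in the advisory (heuristics, not the connector's own SecretDetector).
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # JWT: three base64url segments; a JSON header almost always encodes to a leading "eyJ"
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    # Azure SAS token: the HMAC signature travels in the 'sig=' query parameter
    "azure_sas": re.compile(r"\bsig=[A-Za-z0-9%+/=_-]{20,}"),
    # PEM private key framing, PKCS#8 or traditional RSA/EC
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"),
    # The connect(passcode=...) value echoed as a keyword argument
    "passcode": re.compile(r"\bpasscode\b\W{0,4}\d{6,8}\b", re.IGNORECASE),
}


def mask(value: str, keep: int = 6) -> str:
    """Keep a short prefix so the review report does not reproduce the secret."""
    return value[:keep] + "..." if len(value) > keep else value


def find_secrets(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (line, category) hit, with the matched text masked."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "sample": mask(m.group(0))})
    return findings


# Constructed log excerpt in a generic Python logging layout (assumed, not the connector's real format).
SAMPLE_LOG = """\
2024-10-20 10:00:01,123 DEBUG connection: connect() kwargs: user='svc_etl', passcode='123456', account='xy12345'
2024-10-20 10:00:01,456 INFO  connection: Snowflake Connector for Python Version: 3.12.2
2024-10-20 10:00:02,001 DEBUG auth: token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzdmNfZXRsIn0.c2lnbmF0dXJlLWJ5dGVz
2024-10-20 10:00:03,777 DEBUG azure: PUT https://acct.blob.core.windows.net/stage/f.csv?sv=2021-08-06&sp=rw&se=2024-10-21T00%3A00Z&sig=abcDEFghiJKLmnoPQRstuVWXyz0123456789abcd%3D
2024-10-20 10:00:04,010 DEBUG auth: private_key=-----BEGIN PRIVATE KEY-----MIIEvQIBADANBg...
2024-10-20 10:00:05,000 INFO  cursor: query done
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['kind']} ({f['sample']})")
```

Point `find_secrets` at `open(path).readlines()` for a real connector log; any hit means the credential in question should be rotated, not just the log file cleaned.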


@renovate renovate bot added dependencies Issues or PRs related to dependencies snowflake The Snowflake backend labels Oct 24, 2024
@cpcloud cpcloud added this to the 10.0 milestone Oct 26, 2024
renovate bot and others added 2 commits October 26, 2024 07:39

@cpcloud cpcloud force-pushed the renovate/pypi-snowflake-connector-python-vulnerability branch from 40eb8d0 to a002891 Compare October 26, 2024 11:41
Contributor Author

renovate bot commented Oct 26, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@cpcloud
Member

cpcloud commented Oct 26, 2024

Snowflake tests look good:

cloud in 🌐 falcon in …/ibis on  renovate/pypi-snowflake-connector-python-vulnerability is 📦 v9.5.0 via 🐍 v3.12.6 via ❄️  impure (ibis-3.12-env)
❯ pytest -m snowflake -n 8 --dist loadgroup -q
bringing up nodes...
..................s...x....................x...............x....x...............x..................x.....x....x..x..............................x..x....s.....x...... [  8%]
..............x.......x........xx..........................x.x.......x........x....................x.......x.......................................x....s............ [ 16%]
...s....................................s.................................x...................x................x........................x............x......x........ [ 24%]
.................x....................xx.x.xxx.xx.x.xxx....x....xxxxxxxxxxx.x.x...x........x..xx..x...x...x...........x............x.......x........x.x.x............ [ 32%]
......x...x........x................................x.............xx.....x..................................................s...................x..x...........x..... [ 40%]
.x.x......xxx...x.x..x...x.x.....x....xxx........x............x.....x..x.....x....x.....x.........xxx.....x.....x..x.....x......x.......xx...x................x.....x [ 49%]
.x................x.xx...x............x.......................x..x....x...............................................x....x.x..x.................................x.. [ 57%]
.......x................x...............................x..x.x.x......x..x.x......xx.xx......x..x...........................xx............x.........................x [ 65%]
..................x...........x.....x......................................x...............x...x..xx......................xx.......x.x.....x......................... [ 73%]
.....x........................x.....................................................x..................................x..................xxx......xx..x....xx.x.xx.. [ 81%]
...xx.xxxx...xxxx.x..x.x....xx...xx.xxx..x.xx.x......xx.xxxxx..x..xxx......xxxxx...xxxxx...xxxxx.x................................................................... [ 90%]
...x...............................s....................................................................s...........................................................x [ 98%]
.....................s....s.........                                                                                                                                  [100%]
1779 passed, 10 skipped, 227 xfailed in 225.80s (0:03:45)

@cpcloud cpcloud merged commit d841789 into main Oct 26, 2024
78 checks passed
@cpcloud cpcloud deleted the renovate/pypi-snowflake-connector-python-vulnerability branch October 26, 2024 11:59