
[Release] Cut a new release to address CVE-2025-29787 #824


Closed
AlecRosenbaum opened this issue Apr 10, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@AlecRosenbaum

The version of the Rust SDK in the most recent release includes a version of the zip crate affected by CVE-2025-29787.

While I don't suspect from an application-usage perspective that the Temporal core SDK is extracting untrusted zip files, automated vulnerability scanning tools still pick up on the vulnerable version and prompt us to respond in some form.

Current master of this repository already has the core SDK bumped to a version that is not vulnerable; there just hasn't been a release uploaded to PyPI since it was patched. The zip patch was included with #802, I think just as a side-effect of the other work done in that change.

@AlecRosenbaum AlecRosenbaum added the bug Something isn't working label Apr 10, 2025
@cretz
Member

cretz commented Apr 10, 2025

We plan on making our next release soon, though no exact date.

@dandavison
Contributor

This was released in https://github.com/temporalio/sdk-python/releases/tag/1.11.0
