
fix: update certifi version to address CVE-2023-37920 #6509

Merged: klesh merged 1 commit into apache:main from antoinecaputo:fix#6508 on Nov 27, 2023

Conversation

@antoinecaputo
Contributor

Summary

Fix image vulnerability from docker and aws inspector scan

Does this close any open issues?

Closes #6508

Screenshots

[two screenshots of the scan results, not reproduced]

Other Information

As discussed on the psf/requests repo (update certifi version to address critical CVE #6494), the maintainers decided not to update certifi:

> This change isn't required. Requests already support the latest version of cryptography and users are free to upgrade as needed.

I have overridden the poetry certifi version dependency to 2023.07.22, as mentioned in fix subdependency versions, while keeping subdeps separated from direct dependencies. #2546

It only concerns the backend/python/pydevlake/pyproject.toml file, since the other pyproject files include it as a dependency:

[tool.poetry.dependencies]
python = "~3.9"
pydevlake = { path = "../../pydevlake", develop = true }

Lock files have been updated with poetry lock --no-update to keep the same dependency versions in:

  • backend/python/pydevlake
  • backend/python/plugins/azuredevops
  • backend/python/test/fakeplugin

image vulnerability from docker and aws inspector scan

closes apache#6508
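A check for the procedure the PR describes (override certifi in pydevlake's pyproject.toml, then run poetry lock --no-update in each of the three directories), added here as an example and not code from the PR or from the DevLake repository. It parses each poetry.lock, extracts the locked certifi version and compares it numerically against 2023.07.22. The numeric comparison matters: PEP 440 normalises 2023.07.22 to 2023.7.22, which is the string Poetry writes into the lock file, so grepping the lock for the literal "2023.07.22" reports a correctly patched lock as unpatched. Assumptions: the Poetry 1.x lock layout (one [[package]] table per dependency with name and version keys); the two lock fragments below are constructed for the example, not taken from DevLake.

```python
"""Verify that every poetry.lock pins certifi at or above the CVE-2023-37920 fix.

Added example for this PR thread, not code from apache/incubator-devlake.
Assumes the Poetry 1.x lock layout: one [[package]] table per dependency
with ``name = "..."`` and ``version = "..."`` keys.
"""
import re
import sys
from pathlib import Path

# Version named in the PR. PEP 440 normalises it to 2023.7.22, which is the
# string Poetry actually writes, so a plain grep for "2023.07.22" would miss
# a correctly patched lock file; compare numerically instead.
FIXED_CERTIFI = "2023.07.22"

NAME_RE = re.compile(r'^name = "([^"]+)"', re.M)
VERSION_RE = re.compile(r'^version = "([^"]+)"', re.M)


def parse_version(text: str) -> tuple:
    """Dotted release string to an int tuple: "2023.07.22" -> (2023, 7, 22).

    Pre-release suffixes (rc1, .dev0) are not modelled; certifi's releases are
    plain calendar versions, so this is sufficient for the check at hand.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def locked_versions(lock_text: str) -> dict:
    """Map of locked package name (lower-cased) -> version string."""
    versions = {}
    for block in lock_text.split("[[package]]")[1:]:
        name = NAME_RE.search(block)
        version = VERSION_RE.search(block)
        if name and version:
            versions[name.group(1).lower()] = version.group(1)
    return versions


def certifi_is_patched(lock_text: str, minimum: str = FIXED_CERTIFI):
    """True/False for the locked certifi; None when certifi is not locked at all."""
    version = locked_versions(lock_text).get("certifi")
    if version is None:
        return None
    return parse_version(version) >= parse_version(minimum)


def check_lock_files(paths) -> dict:
    """path -> (locked certifi version or None, patched?) for each lock file."""
    report = {}
    for path in paths:
        text = Path(path).read_text(encoding="utf-8")
        report[str(path)] = (locked_versions(text).get("certifi"), certifi_is_patched(text))
    return report


# Constructed lock fragments (not real DevLake files): the state before the
# override, and the state after `poetry lock --no-update` with the certifi
# override in place. Only certifi differs, which is what --no-update is for.
LOCK_BEFORE = """\
[[package]]
name = "certifi"
version = "2023.5.7"
description = "Python package for providing Mozilla's CA Bundle."
optional = false
python-versions = ">=3.6"
files = []

[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."
optional = false
python-versions = ">=3.7"
files = []
"""
LOCK_AFTER = LOCK_BEFORE.replace('version = "2023.5.7"', 'version = "2023.7.22"')


if __name__ == "__main__":
    # Walk a checkout (e.g. the three directories named in the PR) and fail
    # the build if any lock file still carries a vulnerable certifi.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    report = check_lock_files(sorted(root.rglob("poetry.lock")))
    for path, (version, ok) in report.items():
        print(f"{'OK ' if ok else 'BAD'} {path}: certifi {version}")
    sys.exit(0 if all(ok is not False for _, ok in report.values()) else 1)
```

Run it from the backend/python directory after the lock files are regenerated; a lock file that does not list certifi at all reports None and is not treated as a failure, since there is nothing in it to patch. The override itself is, as the PR states, a direct certifi entry in pydevlake's [tool.poetry.dependencies]; this script only confirms that the override reached every lock file that the other pyproject files produce by depending on pydevlake.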
@klesh
Contributor

klesh commented Nov 24, 2023

LGTM
@keon94 @CamilleTeruel What do you think?

@CamilleTeruel
Contributor

> LGTM @keon94 @CamilleTeruel What do you think?

LGTM too

@klesh klesh merged commit 0f990b1 into apache:main Nov 27, 2023
klesh pushed a commit that referenced this pull request Nov 27, 2023
image vulnerability from docker and aws inspector scan

closes #6508
@klesh klesh added the cherrypick-completed label Nov 27, 2023
klesh pushed a commit that referenced this pull request Nov 27, 2023
image vulnerability from docker and aws inspector scan

closes #6508

Co-authored-by: antoinecaputo <44469196+antoinecaputo@users.noreply.github.com>
@antoinecaputo antoinecaputo deleted the fix#6508 branch November 27, 2023 08:13

Labels

cherrypick-completed, needs-cherrypick-v0.20

Development

Successfully merging this pull request may close these issues: [Bug][pydevlake] Certifi CVE-2023-37920

3 participants