
fix: update certifi version to address CVE-2023-37920 #6509

Merged: 1 commit, Nov 27, 2023

Conversation

antoinecaputo (Contributor)

Summary

Fix image vulnerability from Docker and AWS Inspector scan

Does this close any open issues?

Closes #6508

Screenshots

(two screenshots, not captured in this extract)

Other Information

As discussed in the psf/requests repo in "update certifi version to address critical CVE" (#6494), the maintainers have decided not to update certifi:

This change isn't required. Requests already support the latest version of cryptography and users are free to upgrade as needed.

I have overridden the poetry certifi version dependency to 2023.07.22, as mentioned in "fix subdependency versions, while keeping subdeps separated from direct dependencies" (#2546).

It only concerns the backend/python/pydevlake/pyproject.toml file since other pyproject files include it as a dependency.

[tool.poetry.dependencies]
python = "~3.9"
pydevlake = { path = "../../pydevlake", develop = true }

Lock files have been updated with poetry lock --no-update to keep the same dependency versions in:

  • backend/python/pydevlake
  • backend/python/plugins/azuredevops
  • backend/python/test/fakeplugin

image vulnerability from docker and aws inspector scan

closes apache#6508
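A check a reviewer would want alongside a transitive-dependency pin like this one, added here as an example and not part of the PR or the DevLake code base: a script that reads poetry.lock files, finds the locked certifi version and flags anything older than 2023.07.22, the release that fixes CVE-2023-37920. One detail it handles that a grep for "2023.07.22" would miss: Poetry writes PEP 440-normalized versions into the lock file, so the fixed release appears there as "2023.7.22", and the comparison has to be numeric rather than textual. The lock-file fragments are constructed samples standing in for the three lock files listed above, and the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# CVE-2023-37920 is fixed in certifi 2023.07.22, the release that removed the
# e-Tugra root certificates. Poetry writes PEP 440-normalized versions into
# poetry.lock, so that release shows up there as "2023.7.22"; a plain string
# comparison against "2023.07.22" would therefore give the wrong answer.
FIXED_CERTIFI = "2023.07.22"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string into a tuple of ints for comparison.

    Leading zeros carry no meaning under PEP 440, so "2023.07.22" and
    "2023.7.22" compare equal. certifi only ships plain date releases, so
    pre-/post-release suffixes are rejected rather than guessed at.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in parts)


# Each locked package starts with a [[package]] header followed by top-level
# name = "..." / version = "..." keys. Entries inside files = [ ... ] are
# indented, so anchoring the key at column 0 keeps them from matching.
_PACKAGE_HEADER = re.compile(r"^\[\[package\]\][ \t]*$", re.MULTILINE)
_TOP_LEVEL_KEY = re.compile(r'^(name|version)[ \t]*=[ \t]*"([^"]*)"[ \t]*$', re.MULTILINE)


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Return {package_name: locked_version} for one poetry.lock file.

    Line-based on purpose: it needs no TOML library, so it runs on the
    Python 3.9 the project targets.
    """
    versions: Dict[str, str] = {}
    # Text before the first [[package]] header is not a package.
    for section in _PACKAGE_HEADER.split(lock_text)[1:]:
        fields = dict(_TOP_LEVEL_KEY.findall(section))
        if "name" in fields and "version" in fields:
            versions[fields["name"].lower()] = fields["version"]
    return versions


def audit_lock(lock_text: str, package: str = "certifi",
               fixed: str = FIXED_CERTIFI) -> Tuple[str, Optional[str]]:
    """Classify one lock file as "ok", "vulnerable" or "absent" for `package`."""
    locked = locked_versions(lock_text).get(package.lower())
    if locked is None:
        return "absent", None
    if parse_version(locked) >= parse_version(fixed):
        return "ok", locked
    return "vulnerable", locked


def audit_all(locks: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run audit_lock over {path: lock_text} and keep one result per path."""
    return {path: audit_lock(text) for path, text in locks.items()}


# Constructed lock-file fragments standing in for the three lock files the PR
# regenerates; they are not copied from the repository. The azuredevops one
# is deliberately left on an older certifi and the fakeplugin one has none.
_CERTIFI_PACKAGE = '''\
[[package]]
name = "certifi"
version = "@VERSION@"
description = "Python package for providing Mozilla's CA Bundle."
optional = false
python-versions = ">=3.6"
files = [
    {file = "certifi-@VERSION@-py3-none-any.whl", hash = "sha256:constructed"},
]

'''
_REQUESTS_PACKAGE = '''\
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."
optional = false
python-versions = ">=3.7"
files = []

[package.dependencies]
certifi = ">=2017.4.17"

[metadata]
lock-version = "2.0"
python-versions = "~3.9"
content-hash = "constructed"
'''
SAMPLE_LOCKS = {
    "backend/python/pydevlake/poetry.lock":
        _CERTIFI_PACKAGE.replace("@VERSION@", "2023.7.22") + _REQUESTS_PACKAGE,
    "backend/python/plugins/azuredevops/poetry.lock":
        _CERTIFI_PACKAGE.replace("@VERSION@", "2023.5.7") + _REQUESTS_PACKAGE,
    "backend/python/test/fakeplugin/poetry.lock": _REQUESTS_PACKAGE,
}

if __name__ == "__main__":
    for path, (status, version) in audit_all(SAMPLE_LOCKS).items():
        print(f"{status:<10} {version or '-':<10} {path}")
```

Pointing this at the real tree is a matter of building the {path: text} dict from open() calls on each poetry.lock; the embedded fragments exist only so the block runs offline. An "absent" result is not automatically fine: it means the lock file does not pull in certifi at all, which for a plugin that depends on pydevlake would itself be worth a second look.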
klesh (Contributor) commented Nov 24, 2023

LGTM
@keon94 @CamilleTeruel What do you think?

CamilleTeruel (Contributor)

> LGTM @keon94 @CamilleTeruel What do you think?

LGTM too

@klesh klesh merged commit 0f990b1 into apache:main Nov 27, 2023
10 checks passed
klesh pushed a commit that referenced this pull request Nov 27, 2023
image vulnerability from docker and aws inspector scan

closes #6508
@klesh klesh added the cherrypick-completed label Nov 27, 2023
klesh added a commit that referenced this pull request Nov 27, 2023
image vulnerability from docker and aws inspector scan

closes #6508

Co-authored-by: antoinecaputo <44469196+antoinecaputo@users.noreply.github.com>
@antoinecaputo antoinecaputo deleted the fix#6508 branch November 27, 2023 08:13
Labels: cherrypick-completed, needs-cherrypick-v0.20

Linked issue: [Bug][pydevlake] Certifi CVE-2023-37920

3 participants