| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AE44DC1999A1FDF9+20240918130725.448656-2-wangyuli@uniontech.com> Date: Wed, 18 Sep 2024 21:06:40 +0800 From: WangYuli <wangyuli@...ontech.com> To: helen.koike@...labora.com, maarten.lankhorst@...ux.intel.com, mripard@...nel.org, tzimmermann@...e.de, airlied@...il.com, simona@...ll.ch, wangyuli@...ontech.com, david.heidelberg@...labora.com Cc: dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org, guanwentao@...ontech.com, zhanjun@...ontech.com Subject: [PATCH 1/4] drm/ci: Upgrade urllib3 requirement to 2.2.2 GitHub Dependabot has issued the following alert: "build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /drivers/gpu/drm/ci/xfails. When using urllib3's proxy support with, the header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. Severity: 4.4 / 10 (Moderate) Attack vector: Network Attack complexity: High Privileges required: High User interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None CVE ID: CVE-2024-37891" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Signed-off-by: WangYuli <wangyuli@...ontech.com> --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index 5e6d48d98e4e..2fae1299e07b 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -13,5 +13,5 @@ ruamel.yaml==0.17.32 ruamel.yaml.clib==0.2.7 setuptools==70.0.0 tenacity==8.2.3 -urllib3==2.0.7 +urllib3==2.2.2 wheel==0.41.1 -- 2.45.2
Powered by blists - more mailing lists