[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BF18622263EEE575+20241017034004.113456-2-wangyuli@uniontech.com>
Date: Thu, 17 Oct 2024 11:39:49 +0800
From: WangYuli <wangyuli@...ontech.com>
To: helen.koike@...labora.com,
maarten.lankhorst@...ux.intel.com,
mripard@...nel.org,
tzimmermann@...e.de,
airlied@...il.com,
simona@...ll.ch,
wangyuli@...ontech.com,
david.heidelberg@...labora.com
Cc: dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
guanwentao@...ontech.com,
zhanjun@...ontech.com
Subject: [RESEND. PATCH 2/5] drm/ci: Upgrade urllib3 requirement to 2.2.2
GitHub Dependabot has issued the following alert:
"build(deps): bump urllib3 from 2.0.7 to 2.2.2 in
/drivers/gpu/drm/ci/xfails.
When using urllib3's proxy support with, the header is only sent
to the configured proxy, as expected.
However, when sending HTTP requests without using urllib3's proxy
support, it's possible to accidentally configure the header even
though it won't have any effect as the request is not using a
forwarding proxy or a tunneling proxy. In those cases, urllib3
doesn't treat the HTTP header as one carrying authentication
material and thus doesn't strip the header on cross-origin redirects.
Because this is a highly unlikely scenario, we believe the severity
of this vulnerability is low for almost all users. Out of an
abundance of caution urllib3 will automatically strip the header
during cross-origin redirects to avoid the small chance that users
are doing this on accident.
Users should use urllib3's proxy support or disable automatic
redirects to achieve safe processing of the header, but we still
decided to strip the header by default in order to further protect
users who aren't using the correct approach.
Severity: 4.4 / 10 (Moderate)
Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVE ID: CVE-2024-37891"
To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our python dependencies once again to appease
GitHub Dependabot.
Link: https://github.com/dependabot
Signed-off-by: WangYuli <wangyuli@...ontech.com>
---
drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
index 5e6d48d98e4e..2fae1299e07b 100644
--- a/drivers/gpu/drm/ci/xfails/requirements.txt
+++ b/drivers/gpu/drm/ci/xfails/requirements.txt
@@ -13,5 +13,5 @@ ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
setuptools==70.0.0
tenacity==8.2.3
-urllib3==2.0.7
+urllib3==2.2.2
wheel==0.41.1
--
2.45.2
Powered by blists - more mailing lists