lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BF18622263EEE575+20241017034004.113456-2-wangyuli@uniontech.com>
Date: Thu, 17 Oct 2024 11:39:49 +0800
From: WangYuli <wangyuli@...ontech.com>
To: helen.koike@...labora.com,
	maarten.lankhorst@...ux.intel.com,
	mripard@...nel.org,
	tzimmermann@...e.de,
	airlied@...il.com,
	simona@...ll.ch,
	wangyuli@...ontech.com,
	david.heidelberg@...labora.com
Cc: dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	guanwentao@...ontech.com,
	zhanjun@...ontech.com
Subject: [RESEND. PATCH 2/5] drm/ci: Upgrade urllib3 requirement to 2.2.2

GitHub Dependabot has issued the following alert:

"build(deps): bump urllib3 from 2.0.7 to 2.2.2 in
 /drivers/gpu/drm/ci/xfails.

 When using urllib3's proxy support with, the header is only sent
 to the configured proxy, as expected.

 However, when sending HTTP requests without using urllib3's proxy
 support, it's possible to accidentally configure the header even
 though it won't have any effect as the request is not using a
 forwarding proxy or a tunneling proxy. In those cases, urllib3
 doesn't treat the HTTP header as one carrying authentication
 material and thus doesn't strip the header on cross-origin redirects.

 Because this is a highly unlikely scenario, we believe the severity
 of this vulnerability is low for almost all users. Out of an
 abundance of caution urllib3 will automatically strip the header
 during cross-origin redirects to avoid the small chance that users
 are doing this on accident.

 Users should use urllib3's proxy support or disable automatic
 redirects to achieve safe processing of the header, but we still
 decided to strip the header by default in order to further protect
 users who aren't using the correct approach.

 Severity: 4.4 / 10 (Moderate)
 Attack vector:        Network
 Attack complexity:       High
 Privileges required:     High
 User interaction:        None
 Scope:              Unchanged
 Confidentiality:         High
 Integrity:               None
 Availability:            None
 CVE ID:        CVE-2024-37891"

To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our python dependencies once again to appease
GitHub Dependabot.

Link: https://github.com/dependabot
Signed-off-by: WangYuli <wangyuli@...ontech.com>
---
 drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
index 5e6d48d98e4e..2fae1299e07b 100644
--- a/drivers/gpu/drm/ci/xfails/requirements.txt
+++ b/drivers/gpu/drm/ci/xfails/requirements.txt
@@ -13,5 +13,5 @@ ruamel.yaml==0.17.32
 ruamel.yaml.clib==0.2.7
 setuptools==70.0.0
 tenacity==8.2.3
-urllib3==2.0.7
+urllib3==2.2.2
 wheel==0.41.1
-- 
2.45.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ