Message-ID: <B855B90C2EECA04E+20241017034004.113456-4-wangyuli@uniontech.com>
Date: Thu, 17 Oct 2024 11:39:51 +0800
From: WangYuli <wangyuli@...ontech.com>
To: helen.koike@...labora.com,
maarten.lankhorst@...ux.intel.com,
mripard@...nel.org,
tzimmermann@...e.de,
airlied@...il.com,
simona@...ll.ch,
wangyuli@...ontech.com,
david.heidelberg@...labora.com
Cc: dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
guanwentao@...ontech.com,
zhanjun@...ontech.com
Subject: [RESEND. PATCH 4/5] drm/ci: Upgrade idna requirement to 3.7
GitHub Dependabot has issued the following alert:
"build(deps): bump idna from 3.4 to 3.7 in /drivers/gpu/drm/ci/xfails.
A specially crafted argument to the function could consume
significant resources. This may lead to a denial-of-service.
The function has been refined to reject such strings without the
associated resource consumption in version 3.7.
Severity: 6.9 / 10 (Moderate)
Attack vector: Local
Attack complexity: Low
Attack Requirements: None
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None
Availability: High
CVE ID: CVE-2024-3651"
To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our Python dependencies once again to appease
GitHub Dependabot.
Link: https://github.com/dependabot
Link: https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
Signed-off-by: WangYuli <wangyuli@...ontech.com>
---
drivers/gpu/drm/ci/xfails/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
index f69b58356a37..8b2b1fa16614 100644
--- a/drivers/gpu/drm/ci/xfails/requirements.txt
+++ b/drivers/gpu/drm/ci/xfails/requirements.txt
@@ -4,7 +4,7 @@ termcolor==2.3.0
# ci-collate dependencies
certifi==2023.7.22
charset-normalizer==3.2.0
-idna==3.4
+idna==3.7
pip==23.3
python-gitlab==3.15.0
requests==2.32.0
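Review bot: the `-idna==3.4` / `+idna==3.7` bump sits next to a pinned `requests==2.32.0` in the same file, and requests depends on idna, so please confirm the new pin still satisfies requests' idna version constraint (e.g. by re-running `pip install -r drivers/gpu/drm/ci/xfails/requirements.txt` in the CI image) rather than relying on Dependabot's resolution alone. Note also that this hunk addresses only CVE-2024-3651; the neighbouring pins (`certifi==2023.7.22`, `pip==23.3`, `charset-normalizer==3.2.0`) are left unchanged, which is fine for a single-purpose patch but worth stating in the commit message so the "upgrade our Python dependencies" wording is not read as a broader refresh.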
--
2.45.2