urllib3 vulnerability #3181

Closed
jbmoorhouse opened this issue Oct 4, 2023 · 4 comments


jbmoorhouse commented Oct 4, 2023

Problem

urllib3 vulnerability. Trivy complains about the following version, 1.26.11, due to GHSA-v845-jxx5-vc9f. Note the link below currently yields a 404 😒.

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| urllib3 | CVE-2023-43804 | MEDIUM | 1.26.11 | 2.0.6, 1.26.17 | Cookie HTTP header isn't stripped on cross-origin redirects https://avd.aquasec.com/nvd/cve-2023-43804 |

Anything Else?

It looks like this is being addressed in #3180. Is this close to being in a mergeable state?
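The advisory quoted above is about a client carrying the `Cookie` header onto a different origin when following a redirect. The model below is an added example, not code from urllib3 or docker-py: it resolves a `Location` header against the request URL, compares origins (scheme, host, port with defaults filled in; this comparison rule is an assumption, not a reproduction of urllib3's own check), and drops sensitive headers when the origin changes. `PRE_FIX` stands in for the unfixed behaviour the advisory title describes (only `Authorization` is dropped, `Cookie` is forwarded) and is an assumption; `POST_FIX` drops both. The redirect chain and headers are constructed sample data.

```python
"""Model of how an HTTP client should treat Cookie/Authorization when a
redirect crosses origins (the behaviour CVE-2023-43804 is about).
Added example; not urllib3's or docker-py's code."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: PRE_FIX models the unfixed behaviour described in the advisory
# (Cookie is carried to the new origin); POST_FIX is the hardened policy.
PRE_FIX = frozenset({"authorization"})
POST_FIX = frozenset({"authorization", "cookie"})

# Constructed sample request headers and redirect chain (not real traffic):
# one same-origin hop, then a hop to a different host.
SAMPLE_HEADERS = {
    "Cookie": "session=abc123",
    "Authorization": "Bearer t0k3n",
    "Accept": "*/*",
}
SAMPLE_RESPONSES = {
    "https://app.example.com/login": (302, "/dashboard"),
    "https://app.example.com/dashboard": (302, "https://cdn.example.net/asset"),
    # any URL not listed answers 200 with no Location
}


def origin(url):
    """(scheme, host, port) with case folded and default ports filled in,
    so https://App.Example.com:443/x and https://app.example.com/y match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, location, headers, strip=POST_FIX):
    """Resolve Location against the current URL and return (target, headers
    that may be sent there). Sensitive headers survive only same-origin hops."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items() if k.lower() not in strip}


def follow_redirects(start_url, headers, responses, strip=POST_FIX, max_redirects=5):
    """Walk a table {url: (status, location)} and record, per hop, the
    headers the client would send. Returns a list of (url, headers)."""
    url, sent = start_url, dict(headers)
    hops = [(url, sent)]
    for _ in range(max_redirects):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        url, sent = headers_for_redirect(url, location, sent, strip)
        hops.append((url, sent))
    return hops


if __name__ == "__main__":
    for policy_name, policy in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        print(policy_name)
        for url, sent in follow_redirects("https://app.example.com/login",
                                          SAMPLE_HEADERS, SAMPLE_RESPONSES, policy):
            print("  ", url, sorted(sent))
```

Under the pre-fix policy the third hop, on `cdn.example.net`, still receives the session cookie; under the post-fix policy it receives only `Accept`. Note that a scheme downgrade (`https` to `http` on the same host) also counts as a different origin here, so cookies are dropped on that hop as well.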


mattelen commented Oct 4, 2023

Ah, I'm also getting hit with this. A speedy result would be much appreciated.

@HubertBos

Hi

Any plans to resolve this issue shortly?

akx (Contributor) commented Nov 21, 2023

Installing this library does not require exactly that version of urllib3:

docker-py/setup.py, lines 12 to 17 in 78439eb:

```python
requirements = [
    'packaging >= 14.0',
    'requests >= 2.26.0',
    'urllib3 >= 1.26.0',
    'websocket-client >= 0.32.0',
]
```

There is nothing the maintainers of this library need to do so that downstream projects and applications can use a newer version; requirements.txt is only used for tests.

milas (Contributor) commented Nov 21, 2023

Yes, as mentioned above, you should be able to use newer, compatible versions of urllib3; the setup.py defines a minimum version.

Regardless, the version in requirements.txt (which is used for tests/development) has been bumped thanks to dependabot in #3183, so hopefully that will eliminate any noise from security scanners.
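The two replies above make a point that scanner output hides: the `install_requires` minimum (`urllib3 >= 1.26.0`) is what consumers inherit, while the exact pin in requirements.txt only affects the test environment. The script below is an added example, not part of docker-py; it takes the fixed versions from the scanner table quoted in this issue, decides whether an installed version is affected by comparing it against the fixed release on its own release line (the fallback for release lines the advisory does not list is an assumption, stated in a comment), and checks which of the fixed versions a consumer can install under the declared specifier. The `INSTALL_REQUIRES` list is copied from the setup.py excerpt above; `TEST_PIN` is a constructed requirements.txt-style pin for contrast. Only the comparison operators used in such pins are supported; this is a minimal parser, not a replacement for the `packaging` library.

```python
"""Check an installed urllib3 against the advisory's fixed versions and
against a project's declared specifier. Added example; not docker-py's code."""
import re

# Fixed versions exactly as listed in the scanner output quoted in this issue.
FIXED_VERSIONS = ("2.0.6", "1.26.17")

# Copied from the setup.py excerpt above.
INSTALL_REQUIRES = [
    "packaging >= 14.0",
    "requests >= 2.26.0",
    "urllib3 >= 1.26.0",
    "websocket-client >= 0.32.0",
]
# Constructed requirements.txt-style exact pin, for contrast.
TEST_PIN = "urllib3 == 1.26.11"

SPEC_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*")
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'1.26' -> (1, 26, 0): pad to three numeric components so that
    '1.26' and '1.26.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_spec(spec):
    """'urllib3 >= 1.26.0' -> ('urllib3', '>=', (1, 26, 0))."""
    m = SPEC_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    name, op, bound = m.groups()
    return name.lower(), op, parse_version(bound)


def satisfies(version, spec):
    """True if `version` is allowed by the single specifier `spec`."""
    _, op, bound = parse_spec(spec)
    return OPS[op](parse_version(version), bound)


def is_vulnerable(installed, fixed=FIXED_VERSIONS):
    """Compare against the fixed release on the same major.minor line, so
    1.26.17 counts as fixed even though it is older than 2.0.6."""
    v = parse_version(installed)
    fixed_sorted = sorted(parse_version(f) for f in fixed)
    same_line = [f for f in fixed_sorted if f[:2] == v[:2]]
    if same_line:
        return v < same_line[0]
    # Assumption for release lines the advisory does not list: anything older
    # than the oldest fixed release is treated as affected, anything newer as fixed.
    return v < fixed_sorted[0]


def installable_fixes(requirements, package, fixed=FIXED_VERSIONS):
    """Fixed versions a consumer can install without violating every
    specifier `requirements` declares for `package`."""
    specs = [s for s in requirements if parse_spec(s)[0] == package.lower()]
    return [f for f in fixed if all(satisfies(f, s) for s in specs)]


if __name__ == "__main__":
    for v in ("1.26.11", "1.26.17", "2.0.5", "2.0.6"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("install_requires allows:", installable_fixes(INSTALL_REQUIRES, "urllib3"))
    print("test pin allows:", installable_fixes([TEST_PIN], "urllib3"))
```

Run this way, the declared minimum admits both fixed releases, so a consumer resolves the finding by upgrading urllib3 in its own environment; the exact test pin admits neither, which is why it trips the scanner until it is bumped, as the dependabot update mentioned above does.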

@milas milas closed this as completed Nov 21, 2023
@milas milas added the dependencies Pull requests that update a dependency file label Nov 21, 2023
@milas milas self-assigned this Nov 21, 2023