CVE-2022-40898: Vulnerability due to transitive dependency #257

Closed
syn-4ck opened this issue Jan 15, 2023 · 1 comment
Comments

@syn-4ck

syn-4ck commented Jan 15, 2023

A high severity vulnerability is detected by Snyk in ciscoconfparse package due to pyroma@4.1 › wheel@0.30.0.

image

Could you review the dependency and bump the version (I think that the latest is still vulnerable) or try to pin the wheel package in version 0.38.0? Thanks in advance.

Regards.

@mpenning
Owner

mpenning commented Jan 20, 2023

This technically is not a ciscoconfparse vulnerability. The wheel package is not unique to ciscoconfparse.

I don't think this CVE matters much for ciscoconfparse, but the latest git HEAD commit hash (79ef365dad5aa3ac047a3b71d7aa68ec1a60221a) has upgraded package dependencies... we need wheel > 0.38.0 to fix CVE-2022-40898.

Version 1.7.2 will include the modified requirements.txt to manually upgrade the wheel package version.
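As an added example (not code from this issue or from ciscoconfparse), the check below reads a requirements.txt and reports whether wheel is pinned strictly above 0.38.0, the threshold mpenning names for CVE-2022-40898, and whether the wheel actually installed in the environment meets it; the sample requirements content is constructed for illustration.

```python
"""Check a requirements.txt and the installed environment for the wheel
version boundary discussed in this issue (wheel > 0.38.0).
Added example, not ciscoconfparse code; the sample file content is constructed."""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Optional, Tuple

# Boundary quoted in the thread: wheel must be strictly newer than 0.38.0.
WHEEL_FIX_BOUNDARY = (0, 38, 0)

# Constructed sample requirements.txt content (not the project's real file).
SAMPLE_REQUIREMENTS = """\
# constructed sample, mirrors the pyroma -> wheel chain from the Snyk report
loguru==0.6.0
pyroma==4.1        # pulls in wheel transitively
wheel==0.30.0
"""

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|>|~=)\s*([0-9][0-9.]*)")
_NUMERIC_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")

def parse_version(text: str) -> tuple:
    """Turn '0.38.1' (or '0.38.1.dev0') into (0, 38, 1); release segment only."""
    m = _NUMERIC_RE.match(text.strip())
    return tuple(int(part) for part in m.group(0).split(".")) if m else ()

def pinned_version(requirements: str, package: str) -> Optional[Tuple[str, tuple]]:
    """Return (operator, version) for the first pin of `package`, or None if it is absent."""
    for line in requirements.splitlines():
        m = _REQ_RE.match(line)
        if m and m.group(1).lower() == package.lower():
            return m.group(2), parse_version(m.group(3))
    return None

def wheel_pin_is_fixed(requirements: str) -> bool:
    """True only if the pin guarantees wheel > 0.38.0. An absent pin counts as unfixed,
    because resolution of the transitive dependency may then select an older release."""
    pin = pinned_version(requirements, "wheel")
    if pin is None:
        return False
    op, ver = pin
    # 'wheel>0.38.0' already excludes the boundary; other operators need a newer version.
    return ver >= WHEEL_FIX_BOUNDARY if op == ">" else ver > WHEEL_FIX_BOUNDARY

def installed_wheel_is_fixed() -> Optional[bool]:
    """Check the wheel release installed in this interpreter; None if wheel is not installed."""
    try:
        return parse_version(version("wheel")) > WHEEL_FIX_BOUNDARY
    except PackageNotFoundError:
        return None

if __name__ == "__main__":
    print("sample requirements fixed:", wheel_pin_is_fixed(SAMPLE_REQUIREMENTS))
    print("after bump:", wheel_pin_is_fixed(SAMPLE_REQUIREMENTS.replace("wheel==0.30.0", "wheel>=0.38.1")))
    print("installed wheel fixed:", installed_wheel_is_fixed())
```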

@mpenning mpenning changed the title Vulnerability due to transitive dependency CVE-2022-40898: Vulnerability due to transitive dependency Jan 25, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 11, 2023