
patch: update requests dep for CVE-2018-18074 #225

Merged (2 commits) on Oct 30, 2018

Conversation

edaniszewski (Contributor):

This PR updates the version of requests to 2.20.0 to patch the CVE-2018-18074 vulnerability found in requests<=2.19.1.

Bumps the version to 2.2.4 for patch release.

@marcoceppi (Contributor) left a comment:

lgtm

@@ -24,7 +24,7 @@ pyasn1==0.4.3 # via pyasn1-modules, rsa
python-dateutil==2.7.3 # via kubernetes
pyyaml==3.12
requests-oauthlib==1.0.0 # via kubernetes
requests==2.19.1 # via kubernetes, requests-oauthlib
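Review bot: the "# via kubernetes, requests-oauthlib" annotation on the requests==2.19.1 line is the only record that this pin is transitive, and the discussion below notes that pip-compile drops the annotation once requests is declared directly in setup.py; so the new floor (requests>=2.20.0, per the PR description) should be placed in setup.py with a comment naming CVE-2018-18074, then requirements.txt regenerated rather than edited by hand, otherwise the reason for the direct pin is lost on the next pip-compile run and the line silently reverts to whatever kubernetes and requests-oauthlib resolve to.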
Contributor (review comment on the hunk):

nit: the # via ... is still valid. Neither kubernetes nor requests-oauthlib pins an explicit version of the library.

edaniszewski (Contributor Author):

yeah, the requirements.txt is autogenerated via pip-compile, so if it sees the dep defined in setup.py, it assumes it's a project dependency and doesn't add on the # via ... comment. I could add it back in, but it would just get removed whenever requirements.txt is regenerated.

I'll make a note of this directly in setup.py.
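As an added example (not code from this PR or from the project), the script below audits a pip-compile lockfile for pins below a fixed version and uses the "# via" convention discussed above to say where the fix belongs: a pin without "# via" is a direct dependency declared in setup.py, a pin with it is transitive. The sample lockfile text is constructed from the hunk in this PR, the floor for requests comes from the PR description (CVE-2018-18074, fixed in 2.20.0), and the numeric version comparison is a deliberate simplification that ignores PEP 440 pre-release suffixes.

```python
"""Audit a pip-compile generated requirements.txt for vulnerable pins.

Added example, not the project's code. Assumes the lockfile layout seen in
the PR's hunk: one ``name==version`` per line, optionally followed by
``# via pkg1, pkg2`` naming the packages that pulled the dependency in.
pip-compile omits that comment for dependencies declared directly in setup.py.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, modelled on the hunk in this PR (pre-change state).
SAMPLE_REQUIREMENTS = """\
pyasn1==0.4.3             # via pyasn1-modules, rsa
python-dateutil==2.7.3    # via kubernetes
pyyaml==3.12
requests-oauthlib==1.0.0  # via kubernetes
requests==2.19.1          # via kubernetes, requests-oauthlib
"""

# Floors from the PR description: CVE-2018-18074 affects requests<=2.19.1.
FIXED_VERSIONS: Dict[str, str] = {"requests": "2.20.0"}

# name==version, then an optional "# via a, b" trailer.
PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s#]+)"
    r"\s*(?:#\s*via\s+(?P<via>.+?))?\s*$"
)


class Pin(NamedTuple):
    name: str
    version: str
    via: Tuple[str, ...]  # empty tuple => direct dependency (from setup.py)


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading numeric components only (2.19.1 -> (2, 19, 1)).

    Assumption: release versions only; pre-release tags such as rc1 are
    truncated, which is enough for lockfiles pinned to final releases.
    """
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so 2.20 == 2.20.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def parse_requirements(text: str) -> List[Pin]:
    """Return the exact pins in a lockfile; unpinned lines are skipped."""
    pins = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            continue  # editable installs, URLs etc. are out of scope here
        raw_via = m.group("via") or ""
        via = tuple(x.strip() for x in raw_via.split(",") if x.strip())
        pins.append(Pin(m.group("name").lower(), m.group("version"), via))
    return pins


def audit(text: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> List[str]:
    """One finding per pin below its fixed version, with where to fix it."""
    findings = []
    for pin in parse_requirements(text):
        floor = fixed.get(pin.name)
        if floor is None or not version_lt(pin.version, floor):
            continue
        if pin.via:
            where = ("transitive via %s; add an explicit floor in setup.py "
                     "or bump %s") % (", ".join(pin.via), ", ".join(pin.via))
        else:
            where = "direct dependency; raise the floor in setup.py and re-run pip-compile"
        findings.append("%s==%s is below fixed %s (%s)"
                        % (pin.name, pin.version, floor, where))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run it against a real lockfile by passing its contents to audit(); a transitive finding is the signal that the floor must be declared in setup.py (as this PR ends up doing), since editing the generated file alone is undone by the next pip-compile run.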

@edaniszewski edaniszewski merged commit ee417d0 into master Oct 30, 2018
@edaniszewski edaniszewski deleted the dependency-vulnerability branch October 30, 2018 13:43
@marcoceppi (Contributor):

We shouldn't need to change anything except run freeze again. That would lock requests at 2.20.0 and rebuild docker images
