Upgrade urllib3 due to CVE-2023-43804 #9306

Merged
merged 1 commit into from
Oct 12, 2023

Conversation

geekosaur (Collaborator)

As reported by dependabot. Closes #9305.

@geekosaur (Collaborator, Author) commented Oct 3, 2023

The failures are due to #9303 and #9307.

@ulysses4ever (Collaborator) left a review comment

Thank you!

doc/requirements.txt (review thread, outdated, resolved)
@geekosaur geekosaur self-assigned this Oct 3, 2023
@ulysses4ever (Collaborator)

@mergify rebase

@mergify (Contributor) mergify bot commented Oct 10, 2023

rebase

✅ Branch has been successfully rebased

@ulysses4ever ulysses4ever added the merge me Tell Mergify Bot to merge label Oct 10, 2023
@mergify mergify bot added the merge delay passed Applied (usually by Mergify) when PR approved and received no updates for 2 days label Oct 12, 2023
@mergify mergify bot merged commit 9f37325 into master Oct 12, 2023
45 checks passed
@mergify mergify bot deleted the cve-2023-43804 branch October 12, 2023 17:16
@geekosaur (Collaborator, Author)

Did this need to be backported or something? GitHub is still complaining about the CVE regression.

@ulysses4ever (Collaborator)

@geekosaur that's my thought too. I don't know for sure though. I hit this issue for the second time in my life (i.e. Dependabot keeps complaining about a security issue that was fixed on the default branch), and I'm very eager to find out how to fix it. Most mysterious is that we don't know which branches Dependabot looks at. There are 159 branches on this repo currently...

@ulysses4ever (Collaborator)

This SO thread (albeit from 5 years ago) claims the opposite though: that only the default branch is inspected.

@geekosaur (Collaborator, Author)

Apparently we got the update wrong? It wants to do the update on master, and says we're using 2.0.6 still.

@geekosaur (Collaborator, Author)

Yeah, wrong version apparently.

@ulysses4ever (Collaborator)

Re-reading #9305, we did everything right. It's just a new vulnerability that hits the newer version of urllib3, which was suggested by the bot previously.
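The check the last few comments do by hand (is the `urllib3` pin in doc/requirements.txt at or above the release that fixes CVE-2023-43804?), as an added example that is not part of this repository, of Dependabot, or of this PR. It assumes only what the linked issue states, that urllib3 below 2.0.6 is affected; any other release line is reported as "unknown" rather than guessed, and the requirements text at the bottom (including its placeholder hash) is constructed for the demonstration.

```python
"""Check whether a Python requirements file pins a package at a release
that is still below the version an advisory says is fixed.

Added example for the discussion above; not the repository's own code and
not how Dependabot works internally. The only fixed version it knows is the
one named in the linked issue (urllib3 < 2.0.6 is affected)."""

import re

# Fixed releases per release line (major, minor), keyed by normalised package
# name. Only the urllib3 2.0 line is filled in because that is what the page
# states; a pin on any other line is reported as "unknown", not guessed.
FIXED_RELEASES = {
    "urllib3": {(2, 0): (2, 0, 6)},
}

# Matches an exact pin such as "urllib3==2.0.5" at the start of a line.
# Continuation lines ("    --hash=sha256:...") and ">=" ranges do not match.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize_name(name):
    """PEP 503 style normalisation: case-insensitive, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Turn '2.0.6' into (2, 0, 6). Only plain dotted releases are handled."""
    return tuple(int(part) for part in text.strip().rstrip(".").split("."))


def pinned_versions(requirements_text):
    """Map normalised package name -> version tuple for every '==' pin.

    Comments, blank lines, option lines and unpinned requirements are
    skipped: only an exact pin tells us what the docs build will install."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = _REQ_LINE.match(line)
        if not m:
            continue
        pins[normalize_name(m.group(1))] = parse_version(m.group(2))
    return pins


def assess(package, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one pinned version.

    A pin is compared only against the fixed release of its own
    (major, minor) line, so a 1.26.x pin is 'unknown' here rather than
    being judged against the 2.0 line."""
    lines = FIXED_RELEASES.get(normalize_name(package))
    if not lines:
        return "unknown"
    fixed = lines.get(tuple(version[:2]))
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def check_requirements(requirements_text):
    """Assess every exact pin found in the requirements text."""
    return {
        name: assess(name, version)
        for name, version in pinned_versions(requirements_text).items()
    }


# Constructed sample in the style of a Sphinx doc/requirements.txt; the
# hash value is a placeholder, not a real digest.
SAMPLE_BEFORE = """\
# docs build deps
sphinx==7.2.6
urllib3==2.0.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("urllib3==2.0.5", "urllib3==2.0.6")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_requirements(text))
```

Run it against the real doc/requirements.txt on each branch you care about (`git show <branch>:doc/requirements.txt`) to see whether a branch other than the default still carries the old pin; the script deliberately reports `unknown` for anything it has no fixed version for, so a new advisory against a newer release, which is what the thread concludes happened here, shows up as a table entry to add rather than a silent pass.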

Labels: merge me; merge delay passed

Linked issue (closed by merging this pull request): Github / dependabot warning about CVE-2023-43804 in urllib3 < 2.0.6