droa
October 9, 2024, 6:56am
Would it be possible to get a version of urllib3 distributed with pulpcore that has a fix for CVE-2024-37891?
https://access.redhat.com/security/cve/CVE-2024-37891
Problem:
python3.11-urllib3-1.26.18-3.el9.noarch.rpm is being flagged as affected by CVE-2024-37891
Expected outcome:
Provide fixed version python3.11-urllib3-1.26.19
Foreman and Proxy versions:
Foreman 3.12 / Pulpcore 3.49
Foreman and Proxy plugin versions:
N/A
Distribution and version:
RHEL9
Other relevant data:
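As an added example (not code from the thread, from Foreman or from pulpcore), here is a small Python checker for the situation in the report above: it takes the NVR string that `rpm -q python3.11-urllib3` prints, pulls out the urllib3 version and says whether it predates the CVE-2024-37891 fix on its release branch. The 1.26.19 threshold is the fixed version requested in the post; the 2.x threshold of 2.2.2 is an assumption taken from the upstream advisory (the thread itself only mentions 2.2.3 shipping in nightly), so confirm it before relying on it. The sample NVR strings at the bottom are constructed for the demo.

```python
import re
from typing import Optional, Tuple

# Fixed versions for CVE-2024-37891 by urllib3 major branch. 1.26.19 is the fixed
# version requested in the thread; the 2.x threshold of 2.2.2 is an ASSUMPTION
# taken from the upstream advisory (the thread only mentions 2.2.3 in nightly),
# so confirm it against the advisory before relying on it.
FIXED_VERSIONS = {1: (1, 26, 19), 2: (2, 2, 2)}

# Matches "name-version-release[.arch][.rpm]", i.e. the default `rpm -q` output
# or a package file name. The version must start with a digit so a dash inside
# the package name ("python3.11-urllib3") is not taken as the name/version split.
NVR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d[^-]*)-(?P<release>[^-]+?)"
    r"(?:\.(?P<arch>noarch|x86_64|aarch64|ppc64le|s390x))?(?:\.rpm)?$"
)


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split an RPM NVR(A) string into (name, version, release)."""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not an RPM NVR: {nvr!r}")
    return m.group("name"), m.group("version"), m.group("release")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: the numeric components, then 1 for a final release or 0 for
    anything carrying a suffix (2.2.2rc1, 2.2.2~rc1), so a pre-release sorts
    below the final release with the same number."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, 0 if m.group(2) else 1


def is_affected(version: str) -> bool:
    """True if this urllib3 version predates the CVE-2024-37891 fix on its branch."""
    nums, final = version_key(version)
    fixed = FIXED_VERSIONS.get(nums[0])
    if fixed is None:
        # Branches not in the table (e.g. a future 3.x) are treated as fixed.
        return False
    return (nums, final) < (fixed, 1)


def nvr_status(nvr: str) -> Tuple[str, str, bool]:
    """Return (name, version, affected) for an RPM NVR string."""
    name, version, _release = parse_nvr(nvr)
    return name, version, is_affected(version)


def installed_urllib3_version() -> Optional[str]:
    """Version of the urllib3 importable by the current interpreter, or None.
    Run this with the python3.11 interpreter the python3.11-urllib3 package is
    built for, so you see what pulpcore actually loads rather than what the
    system python ships."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("urllib3")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed samples: the NVR from the report, the versions named later in
    # the thread, and a pre-release to show the suffix handling.
    samples = [
        "python3.11-urllib3-1.26.18-3.el9.noarch.rpm",
        "python3.11-urllib3-1.26.20-1.el9.noarch",
        "python3.11-urllib3-2.2.3-1.el9.noarch",
        "python3.11-urllib3-2.2.2~rc1-1.el9.noarch",
    ]
    for nvr in samples:
        name, ver, bad = nvr_status(nvr)
        print(f"{name} {ver}: {'AFFECTED' if bad else 'fixed'}")
    current = installed_urllib3_version()
    if current:
        state = "AFFECTED" if is_affected(current) else "fixed"
        print(f"importable urllib3 {current}: {state}")
```

The RPM-level and import-level checks answer different questions: the rpm database tells you what the distribution package claims, while `importlib.metadata` run under pulpcore's interpreter tells you which urllib3 its processes really import (a pip-installed copy in a venv would win over the RPM). Check both when a scanner flags the package.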
Dirk
October 9, 2024, 8:42am
Nightly already has urllib3 2.2.3, so it perhaps only needs a backport to the supported versions. If this is not compatible, there is 1.26.20 which could be built instead. @Odilhao can you have a look please?
@Odilhao Can you provide any input about what is going to happen to that urllib3 package in pulpcore 3.49, please?
Dirk
October 24, 2024, 7:10am
Just as a follow-up: version 2.2.3 was merged to GitHub on 17.10. and the packages were released later on the same day.