* [PATCH] sphinx: Bump urllib3 version
@ 2023-10-05 16:27 Tom Rini
  2023-10-06  1:41 ` Simon Glass
  0 siblings, 1 reply; 6+ messages in thread
From: Tom Rini @ 2023-10-05 16:27 UTC (permalink / raw)
  To: u-boot; +Cc: Heinrich Schuchardt

While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to
CVE-2023-43804, so bump our version up.

Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <trini@konsulko.com>
---
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 doc/sphinx/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/sphinx/requirements.txt b/doc/sphinx/requirements.txt
index 6ccbe527ee79..23a296d3fca9 100644
--- a/doc/sphinx/requirements.txt
+++ b/doc/sphinx/requirements.txt
@@ -23,4 +23,4 @@ sphinxcontrib-htmlhelp==2.0.0
 sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==1.0.3
 sphinxcontrib-serializinghtml==1.1.5
-urllib3==1.26.9
+urllib3==1.26.17
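Review bot: the new pin urllib3==1.26.17 is exactly the first release the commit message names as fixed for CVE-2023-43804, so the hunk matches its stated intent; what is missing is a sentence in the commit message saying why the bump stays on the 1.26 branch when the reply in this thread reports that 2.0.6 also carries the fix and builds the documentation cleanly, because an exact == pin on a maintenance branch means every later urllib3 advisory against 1.26.x will need its own bump to this same line.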
-- 
2.34.1



* Re: [PATCH] sphinx: Bump urllib3 version
  2023-10-05 16:27 [PATCH] sphinx: Bump urllib3 version Tom Rini
@ 2023-10-06  1:41 ` Simon Glass
  2023-10-06 19:50   ` Heinrich Schuchardt
  0 siblings, 1 reply; 6+ messages in thread
From: Simon Glass @ 2023-10-06  1:41 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Heinrich Schuchardt

On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
>
> While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to
> CVE-2023-43804, so bump our version up.
>
> Reported-by: GitHub dependabot
> Signed-off-by: Tom Rini <trini@konsulko.com>
> ---
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>  doc/sphinx/requirements.txt | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg@chromium.org>


* Re: [PATCH] sphinx: Bump urllib3 version
  2023-10-06  1:41 ` Simon Glass
@ 2023-10-06 19:50   ` Heinrich Schuchardt
  2023-10-06 20:52     ` Tom Rini
  0 siblings, 1 reply; 6+ messages in thread
From: Heinrich Schuchardt @ 2023-10-06 19:50 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Simon Glass

On 10/6/23 03:41, Simon Glass wrote:
> On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
>>
>> While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to
>> CVE-2023-43804, so bump our version up.

The same bug is also fixed in 2.0.6. Why should we stick with the old
series? I could not see any issues building the documentation locally
and on Github with 2.0.6.

Best regards

Heinrich

>>
>> Reported-by: GitHub dependabot
>> Signed-off-by: Tom Rini <trini@konsulko.com>
>> ---
>> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
>> ---
>>   doc/sphinx/requirements.txt | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> Reviewed-by: Simon Glass <sjg@chromium.org>



* Re: [PATCH] sphinx: Bump urllib3 version
  2023-10-06 19:50   ` Heinrich Schuchardt
@ 2023-10-06 20:52     ` Tom Rini
  0 siblings, 0 replies; 6+ messages in thread
From: Tom Rini @ 2023-10-06 20:52 UTC (permalink / raw)
  To: Heinrich Schuchardt; +Cc: u-boot, Simon Glass


On Fri, Oct 06, 2023 at 09:50:20PM +0200, Heinrich Schuchardt wrote:
> On 10/6/23 03:41, Simon Glass wrote:
> > On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
> > > 
> > > While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to
> > > CVE-2023-43804, so bump our version up.
> 
> The same bug is also fixed in 2.0.6. Why should we stick with the old
> series? I could not see any issues building the documentation locally
> and on Github with 2.0.6.

There's probably a number of packages we could bump for similar reasons,
if you'd like to unfreeze, build, check the output and refreeze.  I'm
just posting something to get Dependabot to be silenced since I get this
whenever I push a branch.

-- 
Tom

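The "unfreeze, build, check the output and refreeze" loop above and the question of whether to stay on the 1.26 series both come down to one check: is the exact pin at or above the first fixed release of its own series? As an added example (not U-Boot's code), the script below parses the `==` pins of a requirements.txt, reports each advisory the urllib3 pin fails, and computes the smallest pin in the same series that clears them all; the 1.26.18 value for CVE-2023-45803 is taken from the upstream urllib3 advisory and is an assumption not stated in this thread.

```python
import re

# Fixed versions per release series. From the thread: CVE-2023-43804 is fixed in
# 1.26.17 (first patch) and 2.0.6 (Heinrich's reply); CVE-2023-45803 in 2.0.7
# (second patch). 1.26.18 is from the upstream urllib3 advisory, not the thread.
ADVISORIES = {
    "CVE-2023-43804": {(1, 26): (1, 26, 17), (2, 0): (2, 0, 6)},
    "CVE-2023-45803": {(1, 26): (1, 26, 18), (2, 0): (2, 0, 7)},
}

# Constructed excerpt mirroring the context lines of the first hunk.
REQUIREMENTS_AT_FIRST_PATCH = """\
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.5
urllib3==1.26.9
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_pins(requirements):
    """Map lower-cased package name -> version tuple for every '==' pin."""
    pins = {}
    for line in requirements.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins

def check_urllib3(pins, advisories=ADVISORIES):
    """(cve, pinned, fixed) per unmet advisory; fixed is None if the series has no fix."""
    pinned = pins.get("urllib3")
    if pinned is None:
        return []
    series, findings = pinned[:2], []
    for cve, fixed_by_series in advisories.items():
        fixed = fixed_by_series.get(series)
        if fixed is None or pinned < fixed:
            findings.append((cve, pinned, fixed))
    return findings

def minimum_safe_version(pins, advisories=ADVISORIES):
    """Smallest same-series pin that clears every finding; None if a series change is due."""
    fixed = [f for _, _, f in check_urllib3(pins, advisories)]
    if any(f is None for f in fixed):
        return None
    return max(fixed, default=pins.get("urllib3"))
```

Run against the excerpt, the 1.26.9 pin fails both advisories and the minimum same-series pin is 1.26.18, which is why the first bump to 1.26.17 was followed by a second one.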

* Re: [PATCH] sphinx: Bump urllib3 version
  2023-10-18 12:33 Tom Rini
@ 2023-10-18 12:43 ` Heinrich Schuchardt
  0 siblings, 0 replies; 6+ messages in thread
From: Heinrich Schuchardt @ 2023-10-18 12:43 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot

On 10/18/23 14:33, Tom Rini wrote:
> While unlikely to be a direct issue for us, urllib3 before 2.0.7 is
> vulnerable to CVE-2023-45803, so bump our version up.
> 
> Reported-by: GitHub dependabot
> Signed-off-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

> ---
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>   doc/sphinx/requirements.txt | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/doc/sphinx/requirements.txt b/doc/sphinx/requirements.txt
> index 6d45a3fefffe..39ececb96c2b 100644
> --- a/doc/sphinx/requirements.txt
> +++ b/doc/sphinx/requirements.txt
> @@ -23,4 +23,4 @@ sphinxcontrib-htmlhelp==2.0.0
>   sphinxcontrib-jsmath==1.0.1
>   sphinxcontrib-qthelp==1.0.3
>   sphinxcontrib-serializinghtml==1.1.5
> -urllib3==2.0.6
> +urllib3==2.0.7



* [PATCH] sphinx: Bump urllib3 version
@ 2023-10-18 12:33 Tom Rini
  2023-10-18 12:43 ` Heinrich Schuchardt
  0 siblings, 1 reply; 6+ messages in thread
From: Tom Rini @ 2023-10-18 12:33 UTC (permalink / raw)
  To: u-boot; +Cc: Heinrich Schuchardt

While unlikely to be a direct issue for us, urllib3 before 2.0.7 is
vulnerable to CVE-2023-45803, so bump our version up.

Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <trini@konsulko.com>
---
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 doc/sphinx/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/sphinx/requirements.txt b/doc/sphinx/requirements.txt
index 6d45a3fefffe..39ececb96c2b 100644
--- a/doc/sphinx/requirements.txt
+++ b/doc/sphinx/requirements.txt
@@ -23,4 +23,4 @@ sphinxcontrib-htmlhelp==2.0.0
 sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==1.0.3
 sphinxcontrib-serializinghtml==1.1.5
-urllib3==2.0.6
+urllib3==2.0.7
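Review bot: the index line 6d45a3fefffe..39ececb96c2b shows this patch applies to a file already pinned at 2.0.6, not to the 1.26.17 pin of the earlier posting, so the move to the 2.0 series happened in a separate change that the commit message does not mention; a short reference to it would make clear which advisory each bump addresses, while the bump itself to 2.0.7 matches the version the message names as fixed for CVE-2023-45803.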
-- 
2.34.1


