[FOLIO-3728] jenkins-pipeline-libs requirements: certifi==2022.12.7, rsa==4.9, urllib3==1.25.11 Created: 27/Feb/23  Updated: 22/Mar/23  Resolved: 03/Mar/23

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps Sprint 160
Development Team: FOLIO DevOps
RCA Group: Related dependency upgrade

Description

In https://github.com/folio-org/jenkins-pipeline-libs/blob/master/resources/org/folio/requirements.txt upgrade vulnerable dependencies:

Upgrade certifi from 2019.9.11 to 2022.12.7 fixing Insufficient Verification of Data Authenticity:

https://nvd.nist.gov/vuln/detail/CVE-2022-23491

Upgrade rsa from 4.0 to 4.9 fixing Timing Attack and Access Restriction Bypass:

https://nvd.nist.gov/vuln/detail/CVE-2020-25658
https://nvd.nist.gov/vuln/detail/CVE-2020-13757

Upgrade urllib3 from 1.25.6 to 1.25.11 fixing HTTP Header Injection, Denial of Service (DoS), and Regular Expression Denial of Service (ReDoS):

https://nvd.nist.gov/vuln/detail/CVE-2020-26137
https://nvd.nist.gov/vuln/detail/CVE-2020-7212
https://nvd.nist.gov/vuln/detail/CVE-2021-33503
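As an added illustration, not part of the ticket or the jenkins-pipeline-libs repository, the check below parses exact `==` pins from a requirements.txt and flags any of the three packages pinned below the fixed versions listed above; the requirements content is a constructed sample that reproduces the pre-upgrade pins.

```python
import re

# Fixed versions and CVEs as listed in FOLIO-3728; a pin below the floor
# still carries the corresponding CVEs.
FIXED_VERSIONS = {
    "certifi": ("2022.12.7", ["CVE-2022-23491"]),
    "rsa": ("4.9", ["CVE-2020-25658", "CVE-2020-13757"]),
    "urllib3": ("1.25.11", ["CVE-2020-26137", "CVE-2020-7212", "CVE-2021-33503"]),
}

# Constructed sample reproducing the pre-upgrade pins from the ticket
# (not the repository's actual file).
SAMPLE_REQUIREMENTS = """\
certifi==2019.9.11
rsa==4.0
urllib3==1.25.6
requests>=2.20  # range specifier, not an exact pin: skipped
"""

# name==version; other specifiers (>=, ~=) are deliberately not matched.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")

def parse_version(text):
    """Turn '1.25.11' into (1, 25, 11); stop at the first non-numeric segment."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_pins(requirements_text):
    """Return {name: version} for every exact pin, ignoring comments."""
    pins = {}
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line.split("#", 1)[0])
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable_pins(requirements_text, floors=FIXED_VERSIONS):
    """List (name, pinned, required, cves) for pins below the fixed version."""
    findings = []
    for name, pinned in parse_pins(requirements_text).items():
        if name in floors:
            required, cves = floors[name]
            if parse_version(pinned) < parse_version(required):
                findings.append((name, pinned, required, cves))
    return findings
```

Running `find_vulnerable_pins(SAMPLE_REQUIREMENTS)` reports all three packages; the same call on the upgraded pins returns an empty list.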

Comments
Comment by David Crossley [ 02/Mar/23 ]

I will soon do some build tests using this branch.

Comment by David Crossley [ 03/Mar/23 ]

The git history shows that these requirements were added for some scripts to clean up stuff in Kubernetes, and moved to Jenkins. The Jenkins jobs were subsequently disabled.

Generated at Thu Feb 08 23:30:15 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.