[FOLIO-3728] jenkins-pipeline-libs requirements: certifi==2022.12.7, rsa==4.9, urllib3==1.25.11

| Created: | 27/Feb/23 |
| Updated: | 22/Mar/23 |
| Resolved: | 03/Mar/23 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | David Crossley |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Sprint: | DevOps Sprint 160 |
| Development Team: | FOLIO DevOps |
| RCA Group: | Related dependency upgrade |

Description
In https://github.com/folio-org/jenkins-pipeline-libs/blob/master/resources/org/folio/requirements.txt upgrade vulnerable dependencies:

- Upgrade certifi from 2019.9.11 to 2022.12.7, fixing Insufficient Verification of Data Authenticity: https://nvd.nist.gov/vuln/detail/CVE-2022-23491
- Upgrade rsa from 4.0 to 4.9, fixing Timing Attack and Access Restriction Bypass: https://nvd.nist.gov/vuln/detail/CVE-2020-25658
- Upgrade urllib3 from 1.25.6 to 1.25.11, fixing HTTP Header Injection, Denial of Service (DoS), and Regular Expression Denial of Service (ReDoS): https://nvd.nist.gov/vuln/detail/CVE-2020-26137
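The three upgrades above are pin changes in a pip `requirements.txt`. As an added example (not part of this ticket or of the jenkins-pipeline-libs repository), the script below parses exact `==` pins from requirements text and flags any that sit below the minimum fixed versions the ticket names, so the same check can run in CI before and after the bump. The `MIN_FIXED` table carries only the three packages, versions and CVE ids from the ticket; the two requirements texts are constructed samples that mirror the pre- and post-upgrade pins, and the `pyyaml>=5.1` line is invented to show that range specifiers are skipped rather than misread. Versions are compared numerically, which matters here because a plain string comparison would rank `1.25.6` above `1.25.11`.

```python
"""Flag requirements.txt pins that are below known-fixed versions.

Added example for the FOLIO-3728 ticket; not code from the project.
"""
import re

# Minimum versions that close the CVEs named in the ticket (from the ticket text).
MIN_FIXED = {
    "certifi": ("2022.12.7", "CVE-2022-23491"),
    "rsa": ("4.9", "CVE-2020-25658"),
    "urllib3": ("1.25.11", "CVE-2020-26137"),
}

# Constructed sample: the 'before' pins from the ticket plus a comment and a
# range specifier (the pyyaml line is invented) that a real file might contain.
REQUIREMENTS_BEFORE = """\
# pinned dependencies for the cleanup scripts
certifi==2019.9.11
rsa==4.0
urllib3==1.25.6
pyyaml>=5.1   # range specifier: not an exact pin, left alone by the check
"""

# Constructed sample: the pins after applying the ticket's upgrades.
REQUIREMENTS_AFTER = """\
certifi==2022.12.7
rsa==4.9
urllib3==1.25.11
"""

# Exact pin: <name>==<dotted numeric version>; anything else is ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def version_key(version):
    """Turn '1.25.11' into (1, 25, 11) so comparisons are numeric per component."""
    return tuple(int(part) for part in version.split(".") if part != "")


def parse_pins(text):
    """Return {name: version} for every exact '==' pin in the requirements text.

    Comments, blank lines and non-exact specifiers (>=, ~=, etc.) are skipped.
    Package names are lower-cased because pip treats them case-insensitively.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = _PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_outdated(text, min_fixed=MIN_FIXED):
    """Return [(name, pinned, minimum, cve)] for pins below their fixed version."""
    findings = []
    for name, pinned in parse_pins(text).items():
        if name not in min_fixed:
            continue
        minimum, cve = min_fixed[name]
        if version_key(pinned) < version_key(minimum):
            findings.append((name, pinned, minimum, cve))
    return findings


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        issues = find_outdated(text)
        print(f"{label}: {len(issues)} outdated pin(s)")
        for name, pinned, minimum, cve in issues:
            print(f"  {name}=={pinned} is below {minimum} ({cve})")
```

Run against the 'before' text the script reports all three packages; against the 'after' text it reports none. Pointing it at the real file instead of the embedded samples is a matter of reading the file contents into `find_outdated`.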
Comments

Comment by David Crossley [02/Mar/23]

I will soon do some build tests using this branch.
Comment by David Crossley [03/Mar/23]

The git history shows that these requirements were added for some scripts to clean up stuff in Kubernetes, and moved to Jenkins. The Jenkins jobs were subsequently disabled.