Bug #65555: old pinned mistune in admin/doc-requirements.txt is vulnerable to CVE-2022-34749 - devops - Ceph

Actions

Copy link

Bug #65555

open

old pinned mistune in admin/doc-requirements.txt is vulnerable to CVE-2022-34749

Added by Ken Dreyer 13 days ago. Updated 13 days ago.

Status:

New

Priority:

Normal

Assignee:

Ken Dreyer

Category:

Target version:

% Done:

Source:

Tags:

Backport:

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

56973

Crash signature (v1):

Crash signature (v2):

Description

admin/doc-requirements.txt pins to an older mistune library version. Security scanners treat this as a vulnerability (CVE-2022-34749, https://github.com/advisories/GHSA-fw3v-x4f2-v673)

https://github.com/ceph/ceph/pull/44227 is the original commit to pin it.

(Originally reported downstream at https://bugzilla.redhat.com/show_bug.cgi?id=2255447)

Do we still need mistune explicitly listed in doc-requirements.txt?

Actions

Copy link

Updated by Ken Dreyer 13 days ago

Subject changed from old pinned mistune in admin/doc-requirements.txt to old pinned mistune in admin/doc-requirements.txt is vulnerable to CVE-2022-34749

Actions

Copy link

Updated by Ken Dreyer 13 days ago

Assignee set to Ken Dreyer
Pull request ID set to 56973

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Ceph » devops

Custom queries

Bug #65555

old pinned mistune in admin/doc-requirements.txt is vulnerable to CVE-2022-34749

Updated by Ken Dreyer 13 days ago

Updated by Ken Dreyer 13 days ago