On 2019-02-15 01:27:49 -0600 (-0600), Matthew Thode wrote:
> Recently it was reported to us that requests had a recent release that addressed a CVE (CVE-2018-18074). Requests has no stable branches so the only way to update openstack stable branches is to update to 2.20.1 in this case. [...]
In the past we've assumed that folks consuming stable branches are doing so on distributions which are backporting security fixes for our dependencies anyway, so treating requirements for stable branches as a snapshot in time (even if that snapshot includes versions of dependencies with known vulnerabilities) is acceptable. If we need to start worrying about vulnerable dependencies on stable branches now, this implies quite a bit of extra work. I don't personally see any special need to make an exception for the requests library in this case. Will, e.g., CentOS or Ubuntu be replacing their LTS python-requests packages with 2.20.1 rather than just backporting a fix to the package versions they currently have?

--
Jeremy Stanley