[requirements][requests] security update for requests in stable branches
Jim Rollenhagen
jim at jimrollenhagen.com
Fri Feb 15 18:06:21 UTC 2019
On Fri, Feb 15, 2019 at 1:02 PM Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2019-02-15 01:27:49 -0600 (-0600), Matthew Thode wrote:
> > Recently it was reported to us that requests had a recent release that
> > addressed a CVE (CVE-2018-18074). Requests has no stable branches so
> > the only way to update openstack stable branches is to update to 2.20.1
> > in this case.
> [...]
>
> In the past we've assumed that folks consuming stable branches are
> doing so on distributions which are backporting security fixes for
> our dependencies anyway, so treating requirements for stable
> branches as a snapshot in time (even if that snapshot includes
> versions of dependencies with known vulnerabilities) is acceptable.
>
Interesting, I didn't realize this.
I know openstack-ansible and kolla both (optionally?) deploy from source,
so maybe it's time to start talking about it. Or should those projects
handle security fixes themselves when deploying from source?
// jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190215/0cdfa410/attachment.html>
More information about the openstack-discuss
mailing list