config repo: security vulnerability found in requirement.txt
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Fix Released | Low | Unassigned | |
Bug Description
GitHub reports a security vulnerability found in requirement.txt of config repo.
1 django vulnerability found in …/sysinv/
Remediation
Upgrade django to version 2.2.10 or later. For example:
django>=2.2.10
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-7471
moderate severity
Vulnerable versions: >= 2.0.0, < 2.2.10
Patched version: 2.2.10
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.
tags: added: stx.security
tags: added: stx.8.0
Changed in starlingx:
status: Triaged → Fix Released
From Al Bailey:
StarlingX ships with python2-django-1.11.20
This vulnerability warning is for Django 1.11 before 1.11.28 allows SQL Injection
So this issue applies to us.
However, we are currently locked based on the "stein" upper constraints which is 1.11.20
https://github.com/openstack/requirements/blob/stable/stein/upper-constraints.txt#L419
Train locks to 1.11.24, but that would also have this CVE violation
https://github.com/openstack/requirements/blob/stable/train/upper-constraints.txt#L507
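The check Al does by hand for the stein and train pins, applied to the advisory's affected ranges, as an added Python example that is not code from the bug report or from StarlingX; the constraints excerpt is constructed, and the pin pattern (`==` or `===`) follows the upper-constraints.txt format.

```python
import re

# Affected ranges for CVE-2020-7471 as stated in the advisory: [low, high) in (major, minor, patch).
AFFECTED_RANGES = [
    ((1, 11, 0), (1, 11, 28)),
    ((2, 0, 0), (2, 2, 10)),
    ((3, 0, 0), (3, 0, 3)),
]

# Constructed excerpt in OpenStack upper-constraints.txt format (not the real stein file).
STEIN_CONSTRAINTS_SAMPLE = "Django===1.11.20\ndjangorestframework===3.9.1\n"


def parse_version(text):
    """Turn '1.11.20' into (1, 11, 20); a missing patch level is treated as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def pinned_django_version(constraints_text):
    """Return the exact Django pin ('==' or '===') from constraints text, or None.
    A lower bound such as the remediation's django>=2.2.10 is not a pin and is ignored."""
    for line in constraints_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^django\s*={2,3}\s*([0-9][0-9.]*)", line, re.IGNORECASE)
        if m:
            return parse_version(m.group(1))
    return None


def is_vulnerable(version):
    """True when the version falls inside one of the CVE-2020-7471 affected ranges."""
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def check_constraints(constraints_text):
    """Return (pinned_version, vulnerable) for the Django pin found in the text."""
    version = pinned_django_version(constraints_text)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_constraints(STEIN_CONSTRAINTS_SAMPLE)
    print("Django", ".".join(map(str, version)), "vulnerable:", vulnerable)
```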