[Debian]: CVE: CVE-2022-21797: python3-joblib: Arbitrary Code Execution
Bug #2018639 reported by Yue Tao
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Zhixiong Chi | (none)
Bug Description
CVE-2022-21797: https:/
The joblib package from version 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag of the Parallel() class, because the flag's string value is passed to an eval() statement.
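The description above pins the weakness to a string that reaches eval(). The restricted evaluator below is an added illustration written for this page; it is not joblib's code and not the Debian patch referenced here. It assumes the pre_dispatch contract the description implies (an integer, or a small arithmetic expression over the name n_jobs such as "2*n_jobs"), walks the expression with the standard ast module, and rejects every node that is not an integer literal, the name n_jobs, unary minus, or one of +, -, *, //. Function names, attribute access, calls and any other identifier never reach an interpreter, which is the property eval() lacks.

```python
import ast
import operator

# Binary operators an arithmetic pre_dispatch expression may use (assumed contract).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}

# Guard against pathological nesting that could exhaust the recursion stack.
_MAX_DEPTH = 32


def _eval_node(node, n_jobs, depth=0):
    """Evaluate one AST node; raise ValueError for anything outside the whitelist."""
    if depth > _MAX_DEPTH:
        raise ValueError("expression too deeply nested")
    # Plain integer literal (bool is a subclass of int, so exclude it explicitly).
    if isinstance(node, ast.Constant) and isinstance(node.value, int) \
            and not isinstance(node.value, bool):
        return node.value
    # The only identifier allowed is n_jobs; every other name is rejected.
    if isinstance(node, ast.Name) and node.id == "n_jobs":
        return n_jobs
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, n_jobs, depth + 1)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, n_jobs, depth + 1)
        right = _eval_node(node.right, n_jobs, depth + 1)
        return _BIN_OPS[type(node.op)](left, right)
    # Calls, attribute access, subscripts, comparisons, other names: all refused.
    raise ValueError(f"disallowed element in pre_dispatch expression: "
                     f"{type(node).__name__}")


def eval_pre_dispatch(expr, n_jobs):
    """Return the number of pre-dispatched tasks for a pre_dispatch value.

    expr may be an int or a string such as "2*n_jobs" or "n_jobs + 1".
    Strings are parsed, never executed, so arbitrary code cannot run.
    """
    if isinstance(expr, bool):
        raise TypeError("pre_dispatch must be an int or str, not bool")
    if isinstance(expr, int):
        return expr
    if not isinstance(expr, str):
        raise TypeError(f"pre_dispatch must be an int or str, got {type(expr).__name__}")
    tree = ast.parse(expr.strip(), mode="eval")   # SyntaxError for non-expressions
    return _eval_node(tree.body, n_jobs)


def is_allowed(expr, n_jobs=1):
    """True if expr would be accepted by eval_pre_dispatch, False otherwise."""
    try:
        eval_pre_dispatch(expr, n_jobs)
    except (ValueError, TypeError, SyntaxError, ZeroDivisionError, OverflowError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values and two that must be refused.
    for sample in ("2*n_jobs", "n_jobs + 1", "n_jobs.__class__", "other_name * 2"):
        verdict = "accepted" if is_allowed(sample, n_jobs=4) else "rejected"
        print(f"{sample!r}: {verdict}")
```

The usage note: ZeroDivisionError from an expression like "n_jobs // 0" is treated as rejection in is_allowed rather than as a crash, and ast.parse in mode="eval" refuses statements outright, so a caller only ever sees an integer or an exception, never a side effect.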
Score:

cve_id | status | cvss3Score
---|---|---
CVE-2022-21797 | fixed | 9.8
References:
['python3-
CVE References
Changed in starlingx:
- status: New → Triaged
- importance: Undecided → High
- tags: added: stx.9.0 stx.security

Changed in starlingx:
- assignee: nobody → Zhixiong Chi (zhixiongchi)
- status: Triaged → In Progress
Reviewed: https://review.opendev.org/c/starlingx/tools/+/882801
Committed: https://opendev.org/starlingx/tools/commit/de258cf5e5990556b9e29b178627b4c46c79a888
Submitter: "Zuul (22348)"
Branch: master
commit de258cf5e5990556b9e29b178627b4c46c79a888
Author: Zhixiong Chi <email address hidden>
Date: Mon May 8 12:42:49 2023 +0800
python3-joblib: fix CVE-2022-21797
Upgrade python3-joblib to 0.17.0-4+deb11u1
Refer to: https://security-tracker.debian.org/tracker/CVE-2022-21797
Test Plan:
Pass: downloader
Pass: build-pkgs --clean
Pass: build-image
Pass: Jenkins Installation
PASS: dpkg -l |grep python3-joblib
ii python3-joblib 0.17.0-4+deb11u1
Closes-Bug: 2018639
Signed-off-by: Zhixiong Chi <email address hidden>
Change-Id: I670f471635584451599728acef7d71973e5c390c