[Bug 1177083] New: python-aliyun-python-sdk-core package ships a vendored python-requests package
https://bugzilla.suse.com/show_bug.cgi?id=1177083

Bug ID: 1177083
Summary: python-aliyun-python-sdk-core package ships a vendored python-requests package
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Cloud:Tools
Assignee: public-cloud-maintainers@suse.de
Reporter: adrian.glaubitz@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The python-aliyun-python-sdk-core ships a vendored version of the python-requests package which should be removed in the next version update to avoid hidden vulnerabilities in the embedded version of python-requests as well as avoid code duplicity.

-- You are receiving this mail because: You are on the CC list for the bug.
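The report above describes the supply-chain problem with an embedded copy of python-requests: distribution security updates reach the system-wide package, but never the copy buried inside another package. The script below is an added example, not code from the bug report, the aliyun SDK or SUSE. It walks a site-packages tree and reports nested copies of a few commonly vendored libraries together with the version each declares, so a packager or auditor can spot them before a release. The WATCHED list and the sample tree it builds in a temporary directory (an invented "examplesdk" package) are constructed for the demonstration and do not reflect the real SDK's layout.

```python
"""Report vendored copies of widely used Python libraries inside a package tree.

Added example for the bug report above; not code from the aliyun SDK, SUSE or
the bug reporter. The directory layout built below is constructed for the demo.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Libraries that are frequently vendored and whose embedded copies tend to miss
# the distribution's security updates (assumed watch list for this example).
WATCHED = {"requests", "urllib3", "chardet", "idna", "certifi", "six"}

# Matches a line such as:  __version__ = '2.18.4'
_VERSION_RE = re.compile(r"^__version__\s*=\s*['\"]([^'\"]+)['\"]", re.M)


def read_version(pkg_dir: Path) -> Optional[str]:
    """Best-effort version lookup: __version__.py first, then __init__.py."""
    for name in ("__version__.py", "__init__.py"):
        src = pkg_dir / name
        if src.is_file():
            match = _VERSION_RE.search(src.read_text(encoding="utf-8", errors="replace"))
            if match:
                return match.group(1)
    return None


def find_vendored(root: Path, watched=WATCHED) -> List[Dict[str, Optional[str]]]:
    """Return nested copies of watched packages under `root`.

    A hit is a directory named after a watched package that contains an
    __init__.py and is NOT a direct child of `root`: direct children are the
    regular, distribution-managed installs and are deliberately skipped.
    """
    root = root.resolve()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name in watched and "__init__.py" in filenames and d.parent != root:
            rel = d.relative_to(root)
            hits.append({
                "package": d.name,
                "path": rel.as_posix(),
                "vendored_in": rel.parts[0],   # top-level package carrying the copy
                "version": read_version(d),
            })
    hits.sort(key=lambda h: h["path"])
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: a clean top-level requests plus an SDK embedding old copies."""
    site = base / "site-packages"
    # distribution-managed install: must not be reported
    (site / "requests").mkdir(parents=True)
    (site / "requests" / "__init__.py").write_text("__version__ = '2.25.1'\n")
    # hypothetical SDK carrying its own requests and urllib3
    vend = site / "examplesdk" / "vendored"
    (vend / "requests").mkdir(parents=True)
    (vend / "requests" / "__init__.py").write_text("from .__version__ import __version__\n")
    (vend / "requests" / "__version__.py").write_text("__version__ = '2.18.4'\n")
    (vend / "urllib3").mkdir()
    (vend / "urllib3" / "__init__.py").write_text('__version__ = "1.22"\n')
    for pkg in (site / "examplesdk", vend):
        (pkg / "__init__.py").write_text("")
    return site


def scan_sample() -> List[Dict[str, Optional[str]]]:
    """Run the scanner over the constructed tree (used for the self-check)."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_vendored(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    # Usage: python vendored_scan.py [site-packages-dir]; defaults to the demo tree.
    results = find_vendored(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_sample()
    for h in results:
        print(f"{h['vendored_in']}: vendored {h['package']} {h['version'] or '?'} at {h['path']}")
```

Run without arguments it scans the constructed tree and reports the two embedded copies while ignoring the top-level requests install; pointed at a real site-packages directory it lists every nested copy of the watched libraries, and the reported version can then be compared against the distribution's patched package.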
https://bugzilla.suse.com/show_bug.cgi?id=1177083

John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Assignee|public-cloud-maintainers@su |adrian.glaubitz@suse.com
                |se.de                       |
https://bugzilla.suse.com/show_bug.cgi?id=1177083

John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status|NEW                         |IN_PROGRESS
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c1

--- Comment #1 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> ---
Package update fixing this bug has been submitted to d:l:p:aliyun now:

https://build.opensuse.org/request/show/871805

(along with 220 additional updates).
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c2

--- Comment #2 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> ---
This has been fixed in Cloud:Tools but not yet in SLE-15.
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c3

--- Comment #3 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> ---
I have prepared an update to the Alibaba SDK for Python in SLE-15-SP1:
https://build.suse.de/project/show/home:glaubitz:staging20:SUSE-SLE-15-SP1:U...
It involves updating python-cryptography and python-cryptography-vectors to version 2.9.2:
https://build.suse.de/project/show/home:glaubitz:staging21:SUSE-SLE-15-SP1:U...
I have verified (with basic tests) that the updated SDK works properly on SLE-15. I just need to adjust the changelogs.
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c4

--- Comment #4 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> ---
Packages are ready now. Just waiting for the ECO to be accepted. Then submission changelog entries will be added in an automated fashion and packages will be submitted.
https://bugzilla.suse.com/show_bug.cgi?id=1177083

Jeffrey Cheung <jcheung@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              CC|                            |jcheung@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c7

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2022:4044-1: An update that solves one vulnerability, contains four features and has three fixes is now available.

Category: security (important)
Bug References: 1101820,1149792,1176785,1177083
CVE References: CVE-2018-10903
JIRA References: ECO-3105,PM-2352,PM-2730,SLE-18312
Sources used:
openSUSE Leap Micro 5.2 (src): python-cryptography-2.9.2-150200.13.1
openSUSE Leap 15.3 (src): python-cryptography-2.9.2-150200.13.1, python-cryptography-vectors-2.9.2-150200.3.3.1
SUSE Manager Server 4.1 (src): python-cryptography-2.9.2-150200.13.1
SUSE Manager Retail Branch Server 4.1 (src): python-cryptography-2.9.2-150200.13.1
SUSE Manager Proxy 4.1 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Micro 5.2 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise Micro 5.1 (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): python-cryptography-2.9.2-150200.13.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): python-cryptography-2.9.2-150200.13.1
SUSE Enterprise Storage 7 (src): python-cryptography-2.9.2-150200.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1177083
https://bugzilla.suse.com/show_bug.cgi?id=1177083#c8

--- Comment #8 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2022:4567-1: An update that has one recommended fix and contains four features can now be installed.

Category: recommended (critical)
Bug References: 1177083
CVE References:
JIRA References: ECO-3329,PM-2475,PM-2730,SLE-18312
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2
SUSE Linux Enterprise Server 15-SP1-BCL (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src): python-cryptography-vectors-2.9.2-150000.3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2
SUSE Enterprise Storage 6 (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2
SUSE CaaS Platform 4.0 (src): python-bcrypt-3.1.4-150100.6.2.1, python-cffi-1.15.0-150000.4.11.2, python-cryptography-2.9.2-150100.7.8.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.