On 2015-08-04 20:37:37 +0000 (+0000), Ian Cordasco wrote:
[...]
> When I tried bumping the version for the first two, we had a discussion
> about the impact to OpenStack and it was decided that there wasn't a
> necessity to bump the version. There was no need to have a discussion
> about 3 because (as far as I'm aware) there isn't any service that uses
> cookies so that also doesn't have any effect.
>
> Being aware of these CVEs is one thing and would be nice. If we can
> determine that a CVE affects us, we most certainly should bump the minimum
> required version of that library in OpenStack. That said, part of the
> argument against increasing the lower bound on requests (at the time) was
> due to packagers not wanting to or being able to (I forget which) package
> the newer version (and no, the review was not sent to a stable/* branch).
> So if we're going to be conflicting with downstream re-distributors, then
> this might be harder than we think.
[...]
I don't think the intent of this is to blacklist potentially vulnerable
versions of dependencies; it's to help us not prevent the use of fixed
versions. Evaluating our upper-constraints.txt would in theory let us know:

1. dependencies which have been basically abandoned by their caretakers and
   have fallen into a vulnerable state, so potentially need assistance from
   our community

2. dependencies on which we have a restrictive upper bound, which prevents
   our users from consuming a release where some vulnerability has been
   fixed

Arguably also

3. lots of CVEs which aren't applicable for some reason, so we likely need a
   means to whitelist those and filter them from the report.

-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
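The three report categories described in the reply above (abandoned dependencies with no fixed release, dependencies whose pin is below the fixed release, and advisories that should be whitelisted as not applicable), as an added example that is not part of the thread and not an OpenStack tool: a small stdlib-only Python script that parses a pip-style `upper-constraints.txt` (`name===version` pins) and classifies a list of advisory records against it. The constraints text, the advisory identifiers (`EXAMPLE-2015-000x`), the package `abandonedlib` and the "first fixed version" values are all constructed for the example; the version comparison is a deliberately simple numeric-tuple compare and is an assumption, not a full PEP 440 implementation.

```python
"""Classify pinned dependencies against known advisories.

Added example, not OpenStack's own tooling. All package names, versions and
advisory identifiers below are constructed for illustration.
"""
import re

# Constructed sample of an upper-constraints.txt (pip constraints format).
CONSTRAINTS = """\
# constructed sample, not the real OpenStack file
requests===2.5.3
six===1.9.0
WebOb===1.4.1
abandonedlib===0.3.0
"""

# Constructed advisory records: (package, advisory id, first fixed version).
# A fixed version of None means upstream has not shipped a fix at all.
ADVISORIES = [
    ("requests", "EXAMPLE-2015-0001", "2.6.0"),   # fix exists above our pin
    ("abandonedlib", "EXAMPLE-2015-0002", None),  # no fixed release exists
    ("six", "EXAMPLE-2015-0003", "1.8.0"),        # already fixed at our pin
    ("WebOb", "EXAMPLE-2015-0004", "1.4.2"),      # not applicable; whitelisted
]

# Advisories reviewed and judged not to apply to our deployments.
WHITELIST = {"EXAMPLE-2015-0004"}

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)===([^\s;]+)")


def parse_constraints(text):
    """Return {normalized_name: version} for every 'name===version' pin."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = _PIN_RE.match(line)
        if match:
            # pip treats project names case-insensitively; normalize to lower.
            pins[match.group(1).lower()] = match.group(2)
    return pins


def version_key(version):
    """Simplistic dotted-numeric comparison key (assumption: no PEP 440
    pre-release or local segments in the sample data)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def classify(pins, advisories, whitelist):
    """Sort each advisory into one of the four buckets the report needs."""
    report = {"abandoned": [], "capped": [], "whitelisted": [], "clean": []}
    for package, advisory_id, fixed_in in advisories:
        pinned = pins.get(package.lower())
        if pinned is None:
            continue  # not in our constraints; nothing to report
        if advisory_id in whitelist:
            report["whitelisted"].append((package, advisory_id))
        elif fixed_in is None:
            # Category 1: vulnerable and no fixed release to move to.
            report["abandoned"].append((package, advisory_id, pinned))
        elif version_key(pinned) < version_key(fixed_in):
            # Category 2: our cap stops users consuming the fixed release.
            report["capped"].append((package, advisory_id, pinned, fixed_in))
        else:
            report["clean"].append((package, advisory_id))
    return report


def main():
    report = classify(parse_constraints(CONSTRAINTS), ADVISORIES, WHITELIST)
    for bucket, entries in report.items():
        print(f"{bucket}:")
        for entry in entries:
            print("  ", entry)


if __name__ == "__main__":
    main()
```

The whitelist is checked before the version comparison so a reviewed advisory never reappears in the "capped" or "abandoned" buckets just because a new release lands; the tradeoff is that whitelist entries need periodic re-review, since the reason an advisory did not apply (for example, no service using the affected feature) can change.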