View Issue Details

ID: 0001508
Project: bareos-core
Category: General
View Status: public
Last Update: 2023-02-07 13:59
Reporter: Ruth Ivimey-Cook
Assigned To: bruno-at-bareos
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 22.0.0
Summary: 0001508: GitHub reporting severe CVE on pipfile.lock
Description: For many weeks now, the GitHub Security alert digest has been reminding me that there is a security fail in pipfile.lock in my clone of the bareos repo:

Known security vulnerabilities detected
Dependency GitPython Version <= 3.1.29 Upgrade to ~> 3.1.30
Defined in Pipfile.lock
Vulnerabilities
CVE-2022-24439 High severity

The stanza in pipfile reads:

        "gitpython": {
            "hashes": [
                "sha256:3283ae2fba31c913d857e12e5ba5f9a7772bbc064ae2bb09efafa71b0dd4939b",
                "sha256:be27633e7509e58391f10207cd32b2a6cf5b908f92d9cd30da2e514e1137af61"
            ],
            "index": "pypi",
            "version": "==3.1.14"
        },


I would suggest this is updated to 3.1.30 or later (even if at present this specific CVE can't be accessed because that might change!)
Tags: No tags attached.
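As an added example (not part of the report, the comments, or the Bareos project's own code), this is the kind of lock-file check behind the alert quoted above: it parses a constructed Pipfile.lock excerpt modelled on the stanza in the report, extracts the exact pin, and flags it when it falls inside the advisory's affected range (<= 3.1.29, fixed in 3.1.30). The hash value, the second package and the advisory table are constructed placeholders.

```python
import json
import re

# Constructed Pipfile.lock excerpt modelled on the stanza quoted in the report.
# The hash is a placeholder; a real lock file carries full sha256 digests.
LOCKFILE = json.dumps({
    "default": {
        "gitpython": {
            "hashes": ["sha256:<placeholder>"],
            "index": "pypi",
            "version": "==3.1.14",
        },
        "requests": {"hashes": [], "index": "pypi", "version": "==2.28.1"},
    },
    "develop": {},
})

# Advisory data as shown in the GitHub alert: affected "<= 3.1.29", upgrade to "~> 3.1.30".
ADVISORIES = {
    "gitpython": {"id": "CVE-2022-24439", "affected_max": "3.1.29", "fixed": "3.1.30"},
}

def parse_version(v):
    """Turn '3.1.14' into (3, 1, 14) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

def pinned_version(spec):
    """Extract the exact version from a Pipfile.lock pin such as '==3.1.14'."""
    m = re.fullmatch(r"==\s*([0-9]+(?:\.[0-9]+)*)", spec.strip())
    if not m:
        raise ValueError(f"not an exact pin: {spec!r}")
    return m.group(1)

def find_vulnerable_pins(lockfile_text, advisories=ADVISORIES):
    """Return {package: (pinned, advisory_id, fixed)} for pins inside an affected range."""
    lock = json.loads(lockfile_text)
    findings = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            adv = advisories.get(name.lower())
            if adv is None or "version" not in entry:
                continue
            pinned = pinned_version(entry["version"])
            if parse_version(pinned) <= parse_version(adv["affected_max"]):
                findings[name] = (pinned, adv["id"], adv["fixed"])
    return findings

if __name__ == "__main__":
    for name, (pinned, cve, fixed) in find_vulnerable_pins(LOCKFILE).items():
        print(f"{name}=={pinned} is affected by {cve}; pin >= {fixed}")
```

Changing the pin to "==3.1.30" in the constructed lock file clears the finding, which is the update the report asks for.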

Activities

stephand (developer), 2023-01-11 09:31, note ~0004854

Thanks for pointing this out. As of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439 the clone command is affected by this vulnerability, but that is not used by any of the scripts in https://github.com/bareos/bareos/tree/master/devtools/pip-tools, so it is probably irrelevant. Nevertheless this will be updated in the future.
bruno-at-bareos (manager), 2023-01-12 16:05, note ~0004855

Will be fixed once PR935 is in: https://github.com/bareos/bareos/pull/935
bruno-at-bareos (manager), 2023-02-07 13:59, note ~0004878

PR935 merged in.

Issue History

Date Modified Username Field Change
2023-01-10 18:59 Ruth Ivimey-Cook New Issue
2023-01-11 09:31 stephand Note Added: 0004854
2023-01-12 16:05 bruno-at-bareos Note Added: 0004855
2023-02-07 13:59 bruno-at-bareos Assigned To => bruno-at-bareos
2023-02-07 13:59 bruno-at-bareos Status new => closed
2023-02-07 13:59 bruno-at-bareos Resolution open => fixed
2023-02-07 13:59 bruno-at-bareos Note Added: 0004878