View Issue Details

IDProjectCategoryView StatusLast Update
0001508bareos-coreGeneralpublic2023-01-12 16:05
ReporterRuth Ivimey-Cook Assigned To 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version22.0.0 
Summary0001508: Github reporting severe CVE on pipfile.lock
DescriptionFor many weeks now, Github Security alert digest has been reminding me that there is a security fail in pipfile.lock in my clone of the bareos repo:

Known security vulnerabilities detected
Dependency GitPython Version <= 3.1.29 Upgrade to ~> 3.1.30
Defined in Pipfile.lock
Vulnerabilities
CVE-2022-24439 High severity

The stanza in pipfile reads:

        "gitpython": {
            "hashes": [
                "sha256:3283ae2fba31c913d857e12e5ba5f9a7772bbc064ae2bb09efafa71b0dd4939b",
                "sha256:be27633e7509e58391f10207cd32b2a6cf5b908f92d9cd30da2e514e1137af61"
            ],
            "index": "pypi",
            "version": "==3.1.14"
        },


I would suggest this is updated to 3.1.30 or later (even if at present this specific CVE can't be accessed because that might change!)
TagsNo tags attached.
bareos-master: impact
bareos-master: action
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action

Activities

stephand

stephand

2023-01-11 09:31

developer   ~0004854

Thanks for pointing this out. As of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439 the clone command is affected by this vulnerability, but that is not used by any of the scripts in https://github.com/bareos/bareos/tree/master/devtools/pip-tools, so it is probably irrelevant. Nevertheless this will be updated in the future.
bruno-at-bareos

bruno-at-bareos

2023-01-12 16:05

developer   ~0004855

Will be fixed once PR935 will be in https://github.com/bareos/bareos/pull/935

Issue History

Date Modified Username Field Change
2023-01-10 18:59 Ruth Ivimey-Cook New Issue
2023-01-11 09:31 stephand Note Added: 0004854
2023-01-12 16:05 bruno-at-bareos Note Added: 0004855