6 Oct 2023, 10:52 p.m.
On Fri, Oct 06, 2023 at 09:50:20PM +0200, Heinrich Schuchardt wrote:
> On 10/6/23 03:41, Simon Glass wrote:
> > On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
> > > While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to CVE-2023-43804, so bump our version up.
>
> The same bug is also fixed in 2.0.6. Why should we stick with the old series? I could not see any issues building the documentation locally and on GitHub with 2.0.6.
There's probably a number of packages we could bump for similar reasons, if you'd like to unfreeze, build, check the output and refreeze. I'm just posting something to get Dependabot to be silenced since I get this whenever I push a branch.
--
Tom