[PATCH] sphinx: Bump urllib3 version

While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to CVE-2023-43804, so bump our version up.
Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <trini@konsulko.com>
---
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 doc/sphinx/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/sphinx/requirements.txt b/doc/sphinx/requirements.txt index 6ccbe527ee79..23a296d3fca9 100644 --- a/doc/sphinx/requirements.txt +++ b/doc/sphinx/requirements.txt @@ -23,4 +23,4 @@ sphinxcontrib-htmlhelp==2.0.0 sphinxcontrib-jsmath==1.0.1 sphinxcontrib-qthelp==1.0.3 sphinxcontrib-serializinghtml==1.1.5 -urllib3==1.26.9 +urllib3==1.26.17
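Review bot: the bump to 1.26.17 is the minimal fix for the CVE-2023-43804 named in the commit message, but the context lines show this file is an exact-version freeze (sphinxcontrib-htmlhelp==2.0.0 through sphinxcontrib-serializinghtml==1.1.5 are pinned the same way), so the remaining pins should be checked against the same advisory source in the same pass rather than one package at a time as dependabot happens to flag them. It would also help to say in the commit message whether staying on the 1.26 series instead of moving to the fixed 2.0 series (2.0.6, as raised in the thread) is deliberate, so the next person touching this pin knows the choice was made.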

On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
> While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to CVE-2023-43804, so bump our version up.
>
> Reported-by: GitHub dependabot
> Signed-off-by: Tom Rini <trini@konsulko.com>
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
>
>  doc/sphinx/requirements.txt | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg@chromium.org>

On 10/6/23 03:41, Simon Glass wrote:
> On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
> > While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to CVE-2023-43804, so bump our version up.

The same bug is also fixed in 2.0.6. Why should we stick with the old series? I could not see any issues building the documentation locally and on GitHub with 2.0.6.

Best regards

Heinrich

> > Reported-by: GitHub dependabot
> > Signed-off-by: Tom Rini <trini@konsulko.com>
> > Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> >
> >  doc/sphinx/requirements.txt | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Reviewed-by: Simon Glass <sjg@chromium.org>

On Fri, Oct 06, 2023 at 09:50:20PM +0200, Heinrich Schuchardt wrote:
> On 10/6/23 03:41, Simon Glass wrote:
> > On Thu, 5 Oct 2023 at 10:27, Tom Rini <trini@konsulko.com> wrote:
> > > While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to CVE-2023-43804, so bump our version up.
>
> The same bug is also fixed in 2.0.6. Why should we stick with the old series? I could not see any issues building the documentation locally and on GitHub with 2.0.6.

There's probably a number of packages we could bump for similar reasons, if you'd like to unfreeze, build, check the output and refreeze. I'm just posting something to get Dependabot to be silenced, since I get this whenever I push a branch.
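The "unfreeze, build, check the output and refreeze" loop above is the right way to maintain a pinned file like doc/sphinx/requirements.txt; the step that is easy to skip is the check that tells you which pins are actually behind a fix before you refreeze. The script below is an added example written for this thread, not U-Boot project code: it parses an exact-version freeze, normalises package names, and compares each pin against vulnerable ranges built from the two fix points stated in the discussion (below 1.26.17, and 2.0.0 up to but not including 2.0.6, for CVE-2023-43804). The advisory table and the sample requirements text are constructed for the example; a real run would load ranges from an advisory feed rather than a literal, and the tiny version parser only accepts plain numeric release versions.

```python
"""Audit an exact-version pip freeze against known vulnerable ranges.

Added example for this thread, not U-Boot project code. The advisory table is
constructed from the two facts stated in the discussion: urllib3 before
1.26.17 is affected by CVE-2023-43804, and the 2.0 series is fixed in 2.0.6.
Only plain numeric release versions (e.g. 1.26.17) are handled.
"""
import re

# Constructed sample freeze, modelled on the context lines of the patch.
SAMPLE_REQUIREMENTS = """\
# frozen with pip freeze
sphinxcontrib-htmlhelp==2.0.0
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.5
urllib3==1.26.9
"""

# package -> list of (advisory id, vulnerable ranges). A range is
# (lower_inclusive or None, upper_exclusive); the upper bound is the fixed
# release on that series. Assumption: ranges built from the fix points above.
ADVISORIES = {
    "urllib3": [
        ("CVE-2023-43804", [(None, "1.26.17"), ("2.0.0", "2.0.6")]),
    ],
}


def normalize_name(name):
    """PEP 503 style normalisation so Foo_Bar, foo.bar and foo-bar match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Split a dotted numeric version into a tuple of ints. Anything else
    (pre-releases, local versions) is rejected rather than mis-compared."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))


def cmp_versions(a, b):
    """Three-way compare with trailing zeros padded, so 2.0 == 2.0.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_pins(text):
    """Return {normalised name: version} from 'name==version' lines.
    Comments and blank lines are skipped; any non-exact specifier raises,
    because a freeze that is not fully pinned is not reproducible."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)", line)
        if m is None:
            raise ValueError(f"line {lineno}: not an exact pin: {raw!r}")
        pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def in_range(version, lower, upper):
    """True when lower <= version < upper (lower may be None)."""
    v = parse_version(version)
    if lower is not None and cmp_versions(v, parse_version(lower)) < 0:
        return False
    return cmp_versions(v, parse_version(upper)) < 0


def fix_version_for(version, ranges):
    """Upper bound of the first range containing version, i.e. the nearest
    fixed release on the pinned series, or None when not affected."""
    for lower, upper in ranges:
        if in_range(version, lower, upper):
            return upper
    return None


def audit(text, advisories=ADVISORIES):
    """Return (package, pinned, advisory, fixed_in) for every affected pin."""
    findings = []
    for name, pinned in parse_pins(text).items():
        for advisory, ranges in advisories.get(name, []):
            fixed = fix_version_for(pinned, ranges)
            if fixed is not None:
                findings.append((name, pinned, advisory, fixed))
    return findings


if __name__ == "__main__":
    for name, pinned, advisory, fixed in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned}: {advisory}, bump to >= {fixed}")
```

For the sample freeze this reports urllib3==1.26.9 as affected with 1.26.17 as the fix, i.e. the nearest fixed release on the series that is already pinned, which is the minimal change the patch makes. Whether to move to the 2.0 series instead is a separate decision the check does not make for you; it only tells you which pins are behind a fix so the rebuild-and-refreeze step is spent on the right packages.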