openshift installs a version of pyyaml with an open CVE
ryanpetrello opened this issue · 1 comments
ryanpetrello commented
The currently released version of openshift depends on kubernetes==10.1.0, which in turn is pinning an old version of pyyaml with a high-severity open CVE (GHSA-rprw-h62v-c2w7):
https://github.com/kubernetes-client/python/blob/v10.1.0/requirements.txt#L5

```
$ pip install openshift && pip freeze | grep -i yaml
PyYAML==3.13
```

This recent change, which unpins the version of kubernetes, would probably fix this issue. Is there any ETA on when this will land in a new published version of openshift?

related: #289
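The problem reported above is a transitive pin: the top-level package looks fine, but a dependency's requirements specifier caps PyYAML below the release that closes the advisory. The following is an added example, not code from the openshift or kubernetes-client projects, that checks for exactly that in two places: a dependency's requirements text (including the `~=` compatible-release form, which quietly caps the major version) and `pip freeze` output. The requirements text used as input is constructed for the example and is not a copy of kubernetes-client's file; the fixed version 5.1 comes from the GHSA advisory, not from this issue, which only shows 3.13 as affected and 5.3.1 as clean.

```python
"""Flag a PyYAML that is pinned (directly or transitively) below the fixed release.

Added example for this issue; not part of the openshift or kubernetes-client projects.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# GHSA-rprw-h62v-c2w7 is closed by PyYAML 5.1 (taken from the advisory; the issue
# itself only shows 3.13 as affected and 5.3.1 as clean).
SAFE_PYYAML = (5, 1, 0)

# name, operator, version of a single requirement line (extras/markers ignored)
_SPEC = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|~=|>=|<=|<|>)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.13' -> (3, 13, 0); trailing non-numeric parts such as 'rc1' are dropped."""
    nums: list[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def normalize(name: str) -> str:
    """PyPI names compare case-insensitively and treat '_' and '-' alike."""
    return name.lower().replace("_", "-")


def upper_bound(op: str, version: str) -> Optional[tuple[int, int, int]]:
    """Exclusive upper bound implied by a specifier, or None when it has no cap.

    '~=3.12' allows 3.12 <= v < 4.0 and '~=3.12.1' allows 3.12.1 <= v < 3.13,
    so a compatible-release pin on a 3.x version can never resolve to 5.1.
    """
    major, minor, patch = parse_version(version)
    if op == "==":
        return (major, minor, patch + 1)
    if op == "~=":
        return (major + 1, 0, 0) if len(version.split(".")) <= 2 else (major, minor + 1, 0)
    if op == "<":
        return (major, minor, patch)
    if op == "<=":
        return (major, minor, patch + 1)
    return None  # '>=' and '>' leave the top open; a fixed release can still be chosen


@dataclass
class Finding:
    package: str    # the package whose requirements carry the offending specifier
    specifier: str  # e.g. '~=3.12' or '==3.13'
    reason: str


def check_requirements(requirements_by_package: dict[str, str],
                       minimum: tuple[int, int, int] = SAFE_PYYAML) -> list[Finding]:
    """Report each package whose pyyaml specifier rules out every fixed release."""
    findings: list[Finding] = []
    for package, text in requirements_by_package.items():
        for line in text.splitlines():
            m = _SPEC.match(line.split("#", 1)[0])
            if not m or normalize(m.group(1)) != "pyyaml":
                continue
            op, ver = m.group(2), m.group(3)
            cap = upper_bound(op, ver)
            if cap is not None and cap <= minimum:
                findings.append(Finding(package, f"{op}{ver}",
                                        "no allowed PyYAML version reaches the fixed release"))
    return findings


def check_freeze(freeze_output: str,
                 minimum: tuple[int, int, int] = SAFE_PYYAML) -> Optional[str]:
    """Return the installed PyYAML version from `pip freeze` output if it predates the fix."""
    for line in freeze_output.splitlines():
        m = _SPEC.match(line)
        if m and normalize(m.group(1)) == "pyyaml" and m.group(2) == "==":
            return m.group(3) if parse_version(m.group(3)) < minimum else None
    return None


# Constructed sample input (not the real kubernetes-client requirements file):
# the dependency uses a compatible-release pin, which caps PyYAML at <4.0.
SAMPLE_REQUIREMENTS = {
    "kubernetes": "certifi>=14.05.14  # MIT\npyyaml~=3.12  # caps the major version\n",
    "openshift": "kubernetes==10.1.0\nsix>=1.9.0\n",
}
# The two `pip freeze` results quoted in this issue.
SAMPLE_FREEZE_OLD = "kubernetes==10.1.0\nPyYAML==3.13\n"
SAMPLE_FREEZE_NEW = "PyYAML==5.3.1\n"

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.package}: pyyaml{f.specifier} -> {f.reason}")
    print("installed, vulnerable:", check_freeze(SAMPLE_FREEZE_OLD))  # 3.13
    print("installed, vulnerable:", check_freeze(SAMPLE_FREEZE_NEW))  # None
```

Running it against a real environment means feeding `check_requirements` the `Requires-Dist` lines of each installed distribution (available through `importlib.metadata`) and `check_freeze` the actual `pip freeze` output; the `>=` case is deliberately not reported, because an open-topped specifier lets the resolver pick a fixed release, which is what unpinning kubernetes achieves here.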
ryanpetrello commented
This is fixed in the latest version, 0.11.0:

```
$ pip install openshift && pip freeze | grep -i yaml
PyYAML==5.3.1
```
Thank you @fabianvf!