openshift/openshift-restclient-python

openshift installs a version of pyyaml with an open CVE

ryanpetrello opened this issue · 1 comment

The currently released version of openshift depends on kubernetes==10.1.0 which in turn is pinning an old version of pyyaml with a high-severity open CVE:

https://github.com/kubernetes-client/python/blob/v10.1.0/requirements.txt#L5
GHSA-rprw-h62v-c2w7

$ pip install openshift && pip freeze | grep -i yaml
PyYAML==3.13

This recent change, which unpins the version of kubernetes, would probably fix this issue. Is there any ETA on when this will land in a new published version of openshift?

4498aac

related: #289

This is fixed in the latest version, 0.11.0:

$ pip install openshift && pip freeze | grep -i yaml
PyYAML==5.3.1

Thank you @fabianvf!
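The `pip freeze | grep -i yaml` check quoted in the issue and in the closing comment, generalised into a small script that flags an installed PyYAML pinned below the advisory's patched release. This is an added example, not code from the issue or from the openshift-restclient-python project; the 5.1 patched floor for GHSA-rprw-h62v-c2w7 is an assumption to verify against the current advisory, and the sample freeze lines are constructed from the versions quoted above.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Assumption: the advisory's first patched release is 5.1 (check the current GHSA entry).
ADVISORIES: Dict[str, Tuple[str, Tuple[int, ...]]] = {
    "pyyaml": ("GHSA-rprw-h62v-c2w7", (5, 1)),
}

# Constructed samples built from the two `pip freeze` outputs quoted in the issue.
FREEZE_BEFORE_FIX = "kubernetes==10.1.0\nPyYAML==3.13\n"
FREEZE_AFTER_FIX = "openshift==0.11.0\nPyYAML==5.3.1\n"


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.3.1' -> (5, 3, 1); a pre-release such as '5.1rc1' truncates to (5,), below 5.1."""
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break  # conservative: treat pre-release/local tags as older than the release
        parts.append(int(component))
    return tuple(parts)


def parse_freeze(text: str) -> Dict[str, str]:
    """Map PEP 503-normalised name -> pinned version from `name==version` lines."""
    pinned: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", line)
        if m:  # normalise so 'PyYAML' and 'pyyaml' compare equal
            pinned[re.sub(r"[-_.]+", "-", m.group(1)).lower()] = m.group(2)
    return pinned


def find_affected(freeze_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory) for every pin below the patched floor."""
    hits = []
    for pkg, version in parse_freeze(freeze_text).items():
        if pkg in ADVISORIES and parse_version(version) < ADVISORIES[pkg][1]:
            hits.append((pkg, version, ADVISORIES[pkg][0]))
    return hits


if __name__ == "__main__":
    # Scan the current interpreter's environment, as the issue's one-liner did.
    freeze = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                            capture_output=True, text=True, check=True).stdout
    for pkg, version, advisory in find_affected(freeze):
        print(f"{pkg}=={version} is affected by {advisory}")
```

Running it inside an environment that still resolves kubernetes==10.1.0 reports the 3.13 pin; after upgrading to openshift 0.11.0 the scan comes back empty.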