Fix urllib3 CVEs by upgrading to >= 2.7.0#1462
Conversation
This commit fixes the following CVEs by upgrading urllib3: - CVE-2025-66418: Unbounded decompression chain leads to resource exhaustion - CVE-2025-66471: Excessive resource consumption - CVE-2026-21441: DoS via redirect response decompression - CVE-2026-44431: Sensitive headers forwarded across origins All four CVEs require urllib3 >= 2.7.0 to be fully resolved. Jira tickets: MIG-1808, MIG-1809, MIG-1810, MIG-1811, MIG-1812, MIG-1813, MIG-1814, MIG-1815, MIG-1816, MIG-1826, MIG-1827, MIG-1828, MIG-1829, MIG-1830, MIG-1831, MIG-1832, MIG-1833, MIG-1834, MIG-1835, MIG-1836, MIG-1837, MIG-1838, MIG-1839, MIG-1840, MIG-1841, MIG-1842, MIG-1843, MIG-1916
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Closing this PR as urllib3 is no longer present in the latest ART build SBOM for this component. The related Jira tickets will be marked as not affected. |
This PR fixes the following CVEs by upgrading urllib3 to version 2.7.0 or higher:
All four CVEs require urllib3 >= 2.7.0 to be fully resolved.
Jira tickets resolved: MIG-1808, MIG-1809, MIG-1810, MIG-1811, MIG-1812, MIG-1813, MIG-1814, MIG-1815, MIG-1816, MIG-1826, MIG-1827, MIG-1828, MIG-1829, MIG-1830, MIG-1831, MIG-1832, MIG-1833, MIG-1834, MIG-1835, MIG-1836, MIG-1837, MIG-1838, MIG-1839, MIG-1840, MIG-1841, MIG-1842, MIG-1843, MIG-1916
Testing: Container images should be rebuilt with Konflux to verify the fix.