While doing a security audit on packages being built with Ceph-4, I came across the package 'python-repoze-lru', which has not been updated since Sep 4, 2011 (version 0.4) in downstream. The latest release upstream is 0.7 from Sep 7, 2017.

Project Homepage:
http://pypi.python.org/pypi/repoze.lru
https://github.com/repoze/repoze.lru

Checking the dependencies, python3-repoze-lru is required by:
ceph-mgr-dashboard-2:14.2.4-60.el8cp.noarch
python3-routes-0:2.4.1-2.el8ost.noarch

Considering the security implications, we might want to remove this package in future if nothing is actually using it, or use the updated one.
Is the package being used by anyone?
The exact dependency chain is: ceph-dashboard -> python3-cherrypy -> python3-routes -> python3-repoze-lru.

I couldn't find any CVEs for the repoze-lru package, and checked the commit history between 0.4..0.7: ~6 commits out of 85 are bugfixes (the remaining are Python 2-3 compatibility-related, docs, tests/coverage, new functionality and clean-ups). None of those bugfixes seem security related.

@Timothy, nevertheless, could you please take care of looking into how to upgrade python3-repoze-lru to a newer version? Thanks!
Any news?
(In reply to Ernesto Puerta from comment #2)
> The exact dependency chain is: ceph-dashboard -> python3-cherrypy ->
> python3-routes -> python3-repoze-lru.
>
> I couldn't find any CVEs for repoze-lru package, and checked the commit
> history between 0.4..0.7, and ~6 commits out of 85 are bugfixes (the
> remaining are Python 2-3 compatibility-related, docs, tests/coverage, new
> functionality and clean-ups). None of those bugfixes seem security related.
>
> @Timothy, nevertheless, could you please take care of looking how to upgrade
> python3-repoze-lru to a newer version? Thanks!

Sure @Ernesto. Thank you!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 4.2 Security and Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0081