Bug 2091532 - Drop golang-github-BurntSushi-toml and golang-gopkg-yaml
Summary: Drop golang-github-BurntSushi-toml and golang-gopkg-yaml
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: distribution
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: beta
: 17.0
Assignee: Miguel Garcia
QA Contact: Lon Hohberger
URL:
Whiteboard:
Depends On:
Blocks: 2091534 2091533
TreeView+ depends on / blocked
 
Reported: 2022-05-30 08:54 UTC by Miguel Garcia
Modified: 2022-09-21 12:22 UTC (History)
5 users (show)

Fixed In Version: golang-github-urfave-cli-1.20.0-7.el9ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2091533 (view as bug list)
Environment:
Last Closed: 2022-09-21 12:21:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-15431 0 None None None 2022-05-30 09:03:21 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:22:06 UTC

Description Miguel Garcia 2022-05-30 08:54:56 UTC 
golang-github-BurntSushi-toml and golang-gopkg-yaml were originally added as dependencies of golang-github-urfave-cli, which was added as a dependency of golang-github-vbatts-tar-split.

tar-split doesn't use the toml/yaml functionalities from urfave-cli, and those are very easily severable from the latter.

Patching toml/yaml out allows us to remove both packages, reducing our dependencies and our CVE attack surface.
Comment 3 Jon Schlueter 2022-06-30 20:33:50 UTC 
verified not in advisory or latest compose
Comment 8 errata-xmlrpc 2022-09-21 12:21:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543
Note You need to log in before you can comment on or make changes to this bug.