GitHub Dependabot has issued the following alert: "build(deps): bump idna from 3.4 to 3.7 in /drivers/gpu/drm/ci/xfails. A specially crafted argument to the function could consume significant resources. This may lead to a denial-of-service. The function has been refined to reject such strings without the associated resource consumption in version 3.7. Severity: 6.9 / 10 (Moderate) Attack vector: Local Attack complexity: Low Attack Requirements: None Privileges required: None User interaction: None Confidentiality: None Integrity: None Availability: High CVE ID: CVE-2024-3651" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Link: https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb Signed-off-by: WangYuli <wangyuli@xxxxxxxxxxxxx> --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index f69b58356a37..8b2b1fa16614 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -4,7 +4,7 @@ termcolor==2.3.0 # ci-collate dependencies certifi==2023.7.22 charset-normalizer==3.2.0 -idna==3.4 +idna==3.7 pip==23.3 python-gitlab==3.15.0 requests==2.32.0 -- 2.45.2
