On Thu, 8 Nov 2018 at 07:32, Neil Williams neil.williams@linaro.org wrote:
To avoid CVE-2018-18074, LAVA has bumped the dependency on python3-requests to 2.20.0
https://git.lavasoftware.org/lava/lava/commit/0eb0d3ed7fa122b08c7ada7d27cfab...
If you are running LAVA on Stretch, you should take advantage of the security fix by installing python3-requests from stretch-backports.
If you are tracking the daily packages for a staging instance, those packages now depend on 2.20.0. Installing those packages on Stretch will require installing python3-requests from stretch-backports. This may cause automatic upgrades to be unable to upgrade the LAVA packages.
$ sudo apt -t stretch-backports install python3-requests
If you are running on Buster, the new version is already available in Buster and will be upgraded automatically.
Note that lava-server and lava-dispatcher both use python3-requests, so this upgrade needs to happen on all masters and all workers running Stretch.
If you have other software using python3-requests, it is recommended to upgrade all of those machines as well.
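An added example, not part of the message above and not LAVA's own tooling: a small Python check to run on each master and worker to confirm that the python3-requests the interpreter actually imports is at or above 2.20.0, the first release without CVE-2018-18074. It assumes python3-requests 2.20.0 as the fix threshold (as stated above) and that the Debian epoch and revision can be ignored for the comparison, since the fix is a property of the upstream version. The version strings used as samples are constructed.

```python
"""Check the installed python3-requests against the CVE-2018-18074 fix (2.20.0).

Added example, not LAVA's own tooling: run it on each master and worker to
confirm the stretch-backports (or Buster) package is the one the interpreter
loads. Sample version strings in comments and tests are constructed.
"""
import re
import subprocess
import sys

FIXED_VERSION = "2.20.0"  # first python3-requests release without CVE-2018-18074


def parse_version(version: str):
    """Return a comparable key for a version string.

    Accepts both what ``requests.__version__`` reports ("2.20.0") and Debian
    package versions ("2.20.0-1~bpo9+1", "1:2.12.4-1"). The Debian epoch and
    revision are deliberately ignored (assumption: the fix is a property of the
    upstream version, so only the dotted numbers decide). Anything trailing the
    numbers, e.g. "~rc1", marks a pre-release, which sorts below the final one.
    """
    upstream = version.split(":", 1)[-1]        # drop "1:" epoch if present
    upstream = upstream.split("-", 1)[0]        # drop "-1~bpo9+1" revision
    match = re.match(r"(\d+(?:\.\d+)*)", upstream)
    if not match:
        raise ValueError("unparseable version: %r" % version)
    numbers = [int(p) for p in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))         # so "2.20" compares as "2.20.0"
    is_final = 0 if upstream[match.end():] else 1
    return (tuple(numbers), is_final)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when ``installed`` is at or above the release carrying the fix."""
    return parse_version(installed) >= parse_version(fixed)


def installed_version():
    """Version imported by this interpreter, falling back to dpkg's record.

    Importing is the authoritative check: a pip-installed copy or a stale
    virtualenv can shadow the Debian package, so the package version alone
    does not prove the running service is fixed.
    """
    try:
        import requests
        return requests.__version__
    except ImportError:
        pass
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "python3-requests"],
            capture_output=True, text=True, check=True,
        )
        return out.stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


def main() -> int:
    version = installed_version()
    if version is None:
        print("python3-requests: not installed")
        return 2
    if is_fixed(version):
        print("python3-requests %s: OK (>= %s)" % (version, FIXED_VERSION))
        return 0
    print("python3-requests %s: affected by CVE-2018-18074, need >= %s"
          % (version, FIXED_VERSION))
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit on a Stretch host means the stretch-backports package has not been installed yet, or that a different copy of requests is shadowing it; check both the dpkg version and the path that `python3 -c 'import requests; print(requests.__file__)'` reports before assuming the apt upgrade took effect.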