Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ Bug ] ansible-core CVEs #179

Open
gwright99 opened this issue Feb 11, 2025 · 0 comments
Open

[ Bug ] ansible-core CVEs #179

gwright99 opened this issue Feb 11, 2025 · 0 comments

Comments

@gwright99
Copy link
Collaborator

gwright99 commented Feb 11, 2025
edited
Loading

Background

While fixing other detected CVEs, two ansible-core CVEs remained after the latest scan.

Image

Investigation

As per @schaluva:

  • Standard pip install ansible-core pulls in a stable (impacted) version.
  • Running pip install git+https://github.com/ansible/[email protected] retrieves the RC but throws a Python dependency error: ERROR: Package 'ansible-core' requires a different Python: 3.9.20 not in '>=3.11'

Decision

Current as of Feb 11, 2025: Will not fix.

Reasoning:

  • Both vulnerabilities are not yet categorized.
  • One of the vulnerabilities does not have a mitigation strategy.
  • Upgrading Python means breaking from the native installation available via our chosen AMI (potentially impacting Python-dependent components of the solution).
  • Disruption risk not worth the remediation reward, for now.

We will revisit this issue a few months from now to see if a better solution is available by then.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gwright99