Bug Summary
AWX has a dependency on django-social-core for SAML/OIDC authentication.
Django Social Core has a dependency on python3-saml.
Python3 SAML depends on lxml and has pinned the version to 4.7.0.
Unfortunately, there is a CVE against this version of lxml CVE-2022-2309.
There was an attempt to update to get past this CVE in #13185 but because of the dependencies, there is no way to just update this library in this manner.
Django Social Core is aware of the issue but wants python3-saml to fix their issue: python-social-auth/social-core#659 (comment).
Issues and a PR have been raised on python3-saml but unfortunately, python3-saml is no longer maintained. In the issue linked about maintenance they are working on transitioning this library from onelogin to another maintainer but that is not expected to happen until at least the end of the year.
Others have forked python3-saml to try and get around the pinned version of lxml into a more current version. We should think about doing something similar until python3-saml is migrated, maintained and updated in django-social-core.
AWX version
awx: 21.9.1.dev9+gfe48dc412f.d20221129
Select the relevant components
Installation method
N/A
Modifications
no
Ansible version
N/A
Operating system
N/A
Web browser
No response
Steps to reproduce
Install AWX, look at the version of lxml.
Expected results
lxml should be an updated version without a CVE.
Actual results
The used version of lxml is affected by the CVE.
Additional information
No response
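As an added example (not code from the issue, AWX, or any of the projects named), the check below walks a constructed dependency graph that mirrors the chain described above (awx -> social-auth-core -> python3-saml -> lxml==4.7.0) and reports which package's constraint blocks upgrading lxml. The target version 4.9.1 is a placeholder, since the issue does not state which lxml release fixes the CVE.

```python
import re
from typing import Dict, List, Tuple

# Constructed dependency graph (illustrative, not read from a real environment).
# It mirrors the chain in the issue: awx -> social-auth-core -> python3-saml -> lxml==4.7.0
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "awx": ["social-auth-core>=4.3", "django>=3.2"],
    "social-auth-core": ["python3-saml>=1.2", "requests>=2.9"],
    "python3-saml": ["lxml==4.7.0", "xmlsec>=1.3"],
}
# Placeholder: the issue does not state which lxml release fixes the CVE.
WANTED_LXML = "4.9.1"
# name, optional operator, optional version (PEP 440 subset: no extras or markers)
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|!=|<=|>=|<|>|~=)?\s*([0-9][0-9.]*)?")

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def is_blocked(op: str, pinned: str, wanted: str) -> bool:
    """True when the constraint `op pinned` forbids installing `wanted`."""
    p, w = parse_version(pinned), parse_version(wanted)
    if op == "==":
        return p != w
    if op == "!=":
        return p == w
    if op in ("<", "<="):
        return w >= p if op == "<" else w > p
    if op == "~=":  # compatible release: >= pinned and same prefix minus last part
        return w < p or w[: len(p) - 1] != p[:-1]
    return False  # >= and > impose no upper bound

def blocking_pins(graph, root, target, wanted) -> List[Tuple[str, str]]:
    """Walk the graph from `root`; return (declaring package, requirement) pairs
    whose constraint on `target` forbids upgrading it to `wanted`."""
    found, seen, stack = [], set(), [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for req in graph.get(pkg, []):
            m = _REQ.match(req)
            if not m:
                continue
            name, op, ver = m.groups()
            name = name.lower()
            if name == target.lower() and op and ver and is_blocked(op, ver, wanted):
                found.append((pkg, req))
            stack.append(name)  # keep walking transitive dependencies
    return found
```

Calling `blocking_pins(DEPENDENCY_GRAPH, "awx", "lxml", WANTED_LXML)` returns the single pin declared by python3-saml, which is the transitive constraint that a plain lxml bump in AWX cannot get past.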