From ff697eac4d79e626be57f32bcdc7a2610ce4db9a Mon Sep 17 00:00:00 2001
From: Beni Cherniavsky-Paskin
Date: Wed, 11 May 2022 13:21:03 +0300
Subject: [PATCH] Bump kubeclient >= 4.9.3 to avoid Kubeclient::Config vulnerability 4.9.3 fixed [CVE-2022-0759 in `Kubeclient::Config`](https://github.com/ManageIQ/kubeclient/issues/554), which I see you do use, at least in `create_client_from_config`. Current "~> 4.3" range already allows 4.9.x but safer to force it as minimum.
---
 fog-kubevirt.gemspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fog-kubevirt.gemspec b/fog-kubevirt.gemspec
index 18cc3b8..4cfaf8f 100644
--- a/fog-kubevirt.gemspec
+++ b/fog-kubevirt.gemspec
@@ -32,5 +32,5 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency "webmock", "~> 3.5"
 spec.add_dependency("fog-core", "~> 2.1")
- spec.add_dependency("kubeclient", "~> 4.3")
+ spec.add_dependency("kubeclient", ">= 4.9.3", "< 5.0.0")
 end
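Review bot: The new `kubeclient` floor on the changed `add_dependency` line has no comment in the gemspec explaining why it is 4.9.3, so a later tidy-up could relax it back to a range that admits the releases affected by CVE-2022-0759. I would add `# >= 4.9.3: Kubeclient::Config fix for CVE-2022-0759` directly above it. The pair `">= 4.9.3", "< 5.0.0"` is also slightly wider than the old pessimistic form: RubyGems checks a `~>` upper bound against the release part of the version, while a plain `< 5.0.0` can be satisfied by a 5.0.0 prerelease when prereleases are allowed. Writing `"~> 4.9", ">= 4.9.3"` keeps the same floor without that. The `Gem::Specification.new` block starts outside this hunk.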