Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
The fix[1] is already included in the recipe version (5.0.9),
the CVE can be marked as patched.
[1]: 7c618b0bba
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The related CVEs are tracked with configobj_peroject:configobj CPE in the
database, and the default python:configobj CPE doesn't match relevant entries.
Set CVE_PRODUCT accordingly.
See CVE db query:
sqlite> select * from products where product like '%configobj%';
CVE-2023-26112|configobj_project|configobj|-|||
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Drop extra '2014' in LICENSE file.
Changelog:
===========
- Address CVE-2023-26112 ReDoS
- Drop Python 2 support and compatibility code
- Extra 2014
- setup.py: fix license tag
- Update minimum python to 3.7 everywhere, and add 3.12
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
