GSA / data.gov

Main repository for the data.gov service
https://data.gov

Update Werkzeug #4217

Open nickumia-reisys opened 1 year ago

nickumia-reisys commented 1 year ago

_Please keep any sensitive details in Google Drive._

Date of report: 02/15/2023 Severity: High Due date: 03/15/2023

Due date is based on severity and described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.

Brief description

From our automated snyk scans, the above vulnerability in the werkzeug package was highlighted. After an investigation, it seems like there is no path forward to patch it. The upgrade of werkzeug cascades into a bunch of breaking versions with Flask and Jinja2 and other packages. There is an open issue about running CKAN with the latest version of Flask and the patch release of CKAN 2.9.8 still references Flask==1.1.1.

There is an open ticket in upstream CKAN that talks about the work related to this upgrade.

There was an old patch that was completed in 11/2022, but Snyk says that the new vulnerability requires a newer release,

Other list of references:

nickumia-reisys commented 1 year ago

There is a better chance that we'll be able to patch this vulnerability if we are on CKAN 2.10.0 (but there may still be issues).

nickumia-reisys commented 1 year ago

See efforts to upgrade in the following two PRs:

hkdctol commented 1 year ago

Adding a March milestone to this so that we will look at it again, but given the discussion today at sync, this seems like it has to await the CKAN 2.10 update, which is #4209.

nickumia-reisys commented 1 year ago

Blocked by CKAN releasing compatibility changes to core code. See PR for details:

nickumia-reisys commented 11 months ago

See comment

btylerburton commented 11 months ago

Conversation with CKAN core team on release schedule. No new developments, but at least they are aware that we are awaiting these fixes.

https://github.com/ckan/ckan/discussions/6381

rshewitt commented 4 months ago

ckan upstream ticket

gujral-rei commented 2 months ago

followed up with CKAN