Closed: robvdl closed this issue 3 years ago
Turns out there is no fixed version of tornado yet; 6.1 is the latest, and the CVE is for "all versions":
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28476
Thanks for the update.
Checked the CVE; it's basically related to parsing the query string in a URL. In singlebeat we don't use the web framework part of tornado, so it doesn't affect us.
That said, it's always good to upgrade the dependencies. I'd be more than happy if you can pass a pull request for it.
Thank you
We just got a trigger from our security scanner that tornado <= 6.1 has a CVE.
single-beat is dependent on tornado<6, which triggers it to install 5.1.1.
Can we please up that upper limit to <7.0.0? Is there any reason it's pinned to that older version?
Happy to create a PR for it.
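To make the pinning point concrete, here is an added example (not code from single-beat or from anyone in this thread): a minimal resolver for simple version specifiers that shows why `tornado<6` makes an installer settle on 5.1.1 while `tornado<7.0.0` admits 6.1. The release list and the helper names are constructed for the demonstration; real tools such as pip and the `packaging` library implement far more of PEP 440 than this.

```python
import re
from typing import List, Optional, Tuple

# Constructed helper, not part of single-beat: handles only the clause forms
# <, <=, >, >=, ==, != with plain dotted numeric versions.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'6.1' -> (6, 1, 0): pad to three components so 6.1 and 6.1.0 compare equal."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """'tornado>=6,<7' -> ('tornado', [('>=', (6,0,0)), ('<', (7,0,0))])."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"bad requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def allowed(req: str, version: str) -> bool:
    """True if every clause of the requirement admits this version."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def highest_allowed(req: str, available: List[str]) -> Optional[str]:
    """Mimic a resolver: pick the newest available release the pin admits."""
    candidates = [v for v in available if allowed(req, v)]
    return max(candidates, key=parse_version) if candidates else None


# Constructed release list: the two versions named in the thread plus one 6.0.x.
TORNADO_RELEASES = ["5.1.1", "6.0.4", "6.1"]

if __name__ == "__main__":
    for pin in ("tornado<6", "tornado<7.0.0", "tornado>=6,<7"):
        print(pin, "->", highest_allowed(pin, TORNADO_RELEASES))
```

Running it shows `tornado<6` resolving to 5.1.1 and both `tornado<7.0.0` and `tornado>=6,<7` resolving to 6.1, which is exactly the difference the pin change in this issue makes.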