@@ -14,24 +14,23 @@ Server Side Template Injection (SSTI) where it takes the "source" parameter as
1414a template object, renders it, and then returns it. The attacker can exploit it
1515with ` {{INJECTION COMMANDS}} ` in a URI*
1616
17- - cylc-7 (7.8.x branch, written in Python 2) has a bundled copy of Jinja2 2.10
18- that cannot be updated because the new Jinja2 requires Python 3. However ** this
19- CVE does not impact cylc-7 because Cylc workflow definitions are not web
20- pages** .
21- - cylc-8 (master branch, Python 3 - not yet released) does not bundle Jinja2,
22- and uses the fixed version 2.10.1.
17+ cylc-7.8.x (which supports Python 2.6 and 2.7 bundles Jinja2 2.10. But ** this
18+ CVE does not impact cylc-7 because Cylc workflow definitions are not web pages** .
2319
24- -------------------------------------------------------------------------------
25- ## __ cylc-7.8.5 (2019-Q4?)__
20+ cylc-7.9.x (which requires Python 2.7) bundles Jinja2 2.11.
21+
22+ cylc-8 (master branch, Python 3 - not yet released) uses proper Python package
23+ management and does not bundle Jinja2.
2624
25+ -------------------------------------------------------------------------------
26+ ## __ cylc-7.8.5 (2020-04-22)__
2727
2828### Enhancements
2929
3030[ #3349 ] ( https://github.com/cylc/cylc-flow/pull/3349 ) - new command `cylc
3131ref-graph` to generate text-format "reference graphs" without PyGTK (back-port
3232from Python 3 master for Cylc 8).
3333
34-
3534## Fixes
3635
3736[ #3514 ] ( https://github.com/cylc/cylc-flow/pull/3514 ) - Fix expanded ids
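Review bot: the added line `+ cylc-7.8.x (which supports Python 2.6 and 2.7 bundles Jinja2 2.10. But ** this` never closes its parenthesis, so the sentence reads as one run-on; it should be "cylc-7.8.x (which supports Python 2.6 and 2.7) bundles Jinja2 2.10." On the same two lines the emphasis `** this CVE does not impact cylc-7 ... web pages** .` keeps spaces inside the delimiters, which most Markdown renderers (GitHub included) show as literal asterisks rather than bold; since this is the one sentence a reader scanning the changelog for the SSTI advisory needs to find, write it as `**this CVE does not impact cylc-7 because Cylc workflow definitions are not web pages**.` with the period outside the closing delimiter. The rest of the hunk (dropping the stale bullet about not being able to update the bundled Jinja2, adding the cylc-7.9.x line for Jinja2 2.11, and replacing the "2019-Q4?" placeholder with the 2020-04-22 release date) reads correctly.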