What happened (please include outputs or screenshots):
While using the kubernetes (version 29.0.0), we are getting the following vulnerability due to the ipaddress version with python version in the requirements.txt of the man in the kubernetes client.
Description: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
What you expected to happen:
Recommendation: Upgrade to version v3.5.10, v3.6.12, v3.7.9, v3.8.4, v3.9.0
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Is it OK to upgrade the version? Or, if you can, please help resolve the issue. Thanks!
Environment:
Kubernetes version (kubectl version): 29.0.0
OS (e.g., MacOS 10.13.6):
Python version (python --version)
Python client version (pip list | grep kubernetes)
The library ipaddress is part of the Python Standard Library, so to fix this vulnerability you have to upgrade your environment, not the kubernetes library.
There is ipaddress in requirements.txt, but it's for old Python 2.7 only (when the module existed as a standalone library). I've added a PR to remove it to avoid confusion in the future.
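A triage check for this kind of scanner finding, added here as an example (it is not code from the kubernetes client or from this thread): it compares the running interpreter with the first fixed release of each 3.x line listed in the advisory text quoted above, and reports whether `ipaddress` was loaded from the standard library or from an installed backport. The function names and the `site-packages`/`dist-packages` path heuristic are assumptions of this example.

```python
import ipaddress
import os
import sys

# First fixed release per 3.x line, taken from the advisory text quoted in the issue.
# Each value is (micro, releaselevel, serial), matching the sys.version_info fields.
FIRST_FIXED = {
    (3, 5): (10, "candidate", 1),   # v3.5.10rc1
    (3, 6): (12, "final", 0),       # v3.6.12
    (3, 7): (9, "final", 0),        # v3.7.9
    (3, 8): (4, "candidate", 1),    # v3.8.4rc1
    (3, 9): (0, "beta", 4),         # v3.9.0b4
}
LEVEL_ORDER = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}


def stdlib_ipaddress_patched(version=None):
    """True/False for Python 3; None for Python 2, where ipaddress is not in the stdlib."""
    major, minor, micro, level, serial = tuple(version or sys.version_info)[:5]
    if major < 3:
        return None  # depends on the standalone backport, which the advisory text does not cover
    if (major, minor) > (3, 9):
        return True  # lines released after the 3.9 fix
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False  # 3.4 and older: no fixed release is listed
    return (micro, LEVEL_ORDER[level], serial) >= (fixed[0], LEVEL_ORDER[fixed[1]], fixed[2])


def ipaddress_origin():
    """Report 'backport' if the imported module lives in a package directory, else 'stdlib'."""
    path = os.path.normpath(getattr(ipaddress, "__file__", "") or "")
    in_packages = {"site-packages", "dist-packages"} & set(path.split(os.sep))
    return "backport" if in_packages else "stdlib"


if __name__ == "__main__":
    print("interpreter :", sys.version.split()[0])
    print("ipaddress   :", ipaddress_origin(), getattr(ipaddress, "__file__", "?"))
    print("patched     :", stdlib_ipaddress_patched())
```

Run it with the same interpreter that runs the application; a `False` result means the fix is an interpreter upgrade, not a change to the kubernetes package.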