Pulpcore 3.17.2, 3.16.2 and 3.14.10 are Generally Available

Pulpcore 3.17.2, 3.16.2 and 3.14.10 have been released.

They contain a fix for compatibility with the recent Django releases, which address some CVEs.
One of these CVEs (CVE-2021-45452: Potential directory-traversal via Storage.save()) affects the import/export functionality in Pulp. This issue has severity “low” according to the Django security policy.

Depending on your Pulp version, if you want the fix for this CVE and therefore install Django 2.2.26 or 3.2.11, you need to upgrade your Pulp to one of the releases mentioned in this post; otherwise import/export won’t work.
We always encourage you to upgrade your Pulp to the latest release, which is 3.17.2 at the moment.

Installation and Upgrade

To install or upgrade to 3.17.2, users should use the pulp_installer they likely already have for this version; upgrading the installer is not needed.

The pulp_installer collection can be installed from Ansible Galaxy with the following command:

ansible-galaxy collection install --force pulp.pulp_installer:==3.17.0


To install or upgrade to 3.16.2, users should use the pulp_installer they likely already have for this version; upgrading the installer is not needed.

The pulp_installer collection can be installed from Ansible Galaxy with the following command:

ansible-galaxy collection install --force pulp.pulp_installer:==3.16.0


For 3.14.10, users should use the 3.14.10 release of the pulp_installer to install or upgrade their installations.

The pulp_installer collection can be installed from Ansible Galaxy with the following command:

ansible-galaxy collection install --force pulp.pulp_installer:==3.14.10
