
{Packaging} Bump OAuthLib to 3.2.2 #25356

Merged
merged 2 commits into from Feb 14, 2023

Conversation

bebound
Contributor

@bebound bebound commented Feb 6, 2023

Description

Close #25351, oauthlib 3.2.0 fixes PRISMA-2021-0041:

There is no support for PKCE implementation in the oauthlib client. Client-side PKCE for OAuth2 RFC 7636 is required for applications to have secure communication with the authorization server. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. -- oauthlib/oauthlib#774

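Added example, not code from this PR or from oauthlib itself: a stdlib-only sketch of the RFC 7636 PKCE exchange the quoted issue refers to. The client keeps a high-entropy code_verifier and sends only its S256 code_challenge with the authorization request; the authorization server stores that challenge with the issued code and redeems the code at the token endpoint only when the presented verifier hashes to it, so an authorization code captured in transit is useless on its own. The ToyAuthorizationServer class and all function names are constructed for illustration and are not oauthlib's API.

```python
import base64
import hashlib
import hmac
import secrets

UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 section 3 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def create_code_verifier(length: int = 64) -> str:
    """Client side: 43..128 unreserved characters from a CSPRNG (section 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def create_code_challenge(code_verifier: str) -> str:
    """Client side, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Server side at the token endpoint; constant-time comparison."""
    return hmac.compare_digest(create_code_challenge(code_verifier), code_challenge)


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server (not a real one)."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # 'plain' gives no protection against interception
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # codes are single use
        return challenge is not None and verify_code_challenge(code_verifier, challenge)


def pkce_flow_demo() -> tuple:
    """Returns (legitimate client succeeds, intercepted code alone fails)."""
    server = ToyAuthorizationServer()
    verifier = create_code_verifier()
    challenge = create_code_challenge(verifier)
    legit = server.token(server.authorize(challenge), verifier)
    leaked_code = server.authorize(challenge)  # same client, code observed in transit
    without_verifier = server.token(leaked_code, create_code_verifier())  # wrong verifier
    return legit, without_verifier
```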

@ghost ghost requested review from jiasli, wangzelin007, yonzhan and kairu-ms February 6, 2023 02:42
@ghost ghost added the Auto-Assign Auto assign by bot label Feb 6, 2023
@ghost ghost assigned jiasli Feb 6, 2023
@ghost ghost added this to the Feb 2023 (2023-03-07) milestone Feb 6, 2023
@ghost ghost added the Packaging label Feb 6, 2023
@yonzhan
Collaborator

yonzhan commented Feb 6, 2023

Packaging

@bebound bebound marked this pull request as ready for review February 6, 2023 03:43
@jiasli
Member

jiasli commented Feb 6, 2023

Can we provide why oauthlib is installed?

@bebound
Contributor Author

bebound commented Feb 6, 2023

azure-mgmt-monitor/azure-mgmt-recoveryservicesbackup -> msrest -> requests-oauthlib -> oauthlib

@bebound bebound merged commit de1f27e into Azure:dev Feb 14, 2023
@bebound bebound deleted the update-oauthlib branch February 14, 2023 06:34
avgale pushed a commit to avgale/azure-cli that referenced this pull request Aug 24, 2023
Successfully merging this pull request may close these issues: OAuthlib dependency contains vulnerability