Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update requests to fix CVEs (security) #6062

Closed
wants to merge 21 commits into from
Closed

Update requests to fix CVEs (security) #6062

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
2bb9a6d
Bump gitpython to 3.1.37
jk464 Nov 6, 2023
c6fd050
Bump requests to 2.31.0
jk464 Nov 6, 2023
f26c1fb
Bump importlib-metadata to 4.10.1
jk464 Nov 6, 2023
ee92b82
Bump virtualenv to 20.16.7
jk464 Nov 6, 2023
62f6f27
CHANGELOG for CVE fixes #6062
jk464 Nov 6, 2023
38a7f74
Bump, for py3.7+, cryptography to 41.0.4, pyopenssl to 23.2.0
jk464 Nov 7, 2023
61b47db
Add support for evaluating requirement markers
jk464 Nov 7, 2023
020c261
Revert "Add support for evaluating requirement markers"
jk464 Nov 7, 2023
62835c6
Revert "Bump virtualenv to 20.16.7"
jk464 Nov 7, 2023
e733e5d
fixup! Bump importlib-metadata to 4.10.1
jk464 Nov 7, 2023
21468f1
fixup! Bump importlib-metadata to 4.10.1
jk464 Nov 7, 2023
9e42739
Merge branch 'master' into bugfix/cves
arm4b Nov 24, 2023
e2a07d9
Update requests and importlib-metadata only
arm4b Nov 24, 2023
de32bf6
Update the Changelog
arm4b Nov 24, 2023
04e3360
Update argcomplete to 1.12.3 to be compatible with importlib-metadata<5
arm4b Nov 24, 2023
98cb808
Add code comments for updated dependencies for py3.6 vs py3.8
arm4b Nov 24, 2023
9c19042
Update st2-auth-ldap sha in pants lock
arm4b Nov 24, 2023
c7f13e7
Workaround conflict when incompatible urllib3 v2 is installed under t…
arm4b Nov 24, 2023
0a553fd
Try1: fix urllib3 py3.6
arm4b Nov 24, 2023
0d94e19
Revert urllib3 py3.6 workarounds
arm4b Nov 24, 2023
e16b325
Merge branch 'master' into bugfix/cves
arm4b Nov 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ Fixed

* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063

* Update requests from 2.25.1 to 2.27.1 for py3.6 and to 2.31.0 for py3.8 (security).
Update importlib-metadata from 3.10.1 to 4.8.3 for py3.6 and to 4.10.1 for py3.8 (security). #6062
Contributed by @jk464

Added
~~~~~
* Move `git clone` to `user_home/.st2packs` #5845
Expand Down
13 changes: 10 additions & 3 deletions fixed-requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,15 +54,22 @@ pytz==2021.1
pywinrm==0.4.1
pyyaml==5.4.1
redis==4.1.4
requests[security]==2.25.1
# Note: installs requests[security]==2.31.0 (security fixed) under py3.8 and requests[security]==2.27.1 (latest available, vulnerable) under py3.6
# TODO: Pin explicitly after dropping python3.6 support
requests[security]>=2.27.1,<=2.31.0
retrying==1.3.3
routes==2.4.1
semver==2.13.0
six==1.13.0
argparse==1.12.2
argcomplete==1.12.2
# Note: argcomplete 1.12.3 supports importlib-metadata<5
argcomplete==1.12.3
# Note: argcomplete supports urllib3<3,>=1.21.1 installing urllib3 v2, which is not compatible with python3.6
urllib3<2; python_version < '3.7'
prettytable==2.1.0
importlib-metadata==3.10.1
# Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
# TODO: Pin to 4.10.1 or higher after dropping python3.6 support
importlib-metadata>=4.8.3,<=4.10.1
# importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
typing-extensions<4.2
# NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
Expand Down
2 changes: 1 addition & 1 deletion lockfiles/st2.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4009,7 +4009,7 @@
"artifacts": [
{
"algorithm": "sha256",
"hash": "c521a3dfc6948a6a57da4dcaa48e0b3390fadcf00d36e3948510cd1c32a10d96",
"hash": "29c6ff480b24e4bc316ed69eac5503c71f4700ed17649ae5c5ca8cd745e5852f",
"url": "git+https://github.com/StackStorm/st2-auth-ldap.git@master"
}
],
Expand Down
7 changes: 4 additions & 3 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
RandomWords
amqp==5.0.6
apscheduler==3.7.0
argcomplete==1.12.2
argcomplete==1.12.3
bcrypt==3.2.0
cffi<1.15.0
chardet<3.1.0
Expand All @@ -23,7 +23,7 @@ gitdb==4.0.2
gitpython<=3.1.37
greenlet==1.0.0
gunicorn==21.2.0
importlib-metadata==3.10.1
importlib-metadata>=4.8.3,<=4.10.1
jinja2==2.11.3
jsonpath-rw==1.4.0
jsonschema==2.6.0
Expand Down Expand Up @@ -60,7 +60,7 @@ pywinrm==0.4.1
pyyaml==5.4.1
redis==4.1.4
rednose
requests[security]==2.25.1
requests[security]>=2.27.1,<=2.31.0
retrying==1.3.3
routes==2.4.1
semver==2.13.0
Expand All @@ -75,6 +75,7 @@ tenacity>=3.2.1,<7.0.0
tooz==2.8.0
typing-extensions<4.2
unittest2
urllib3<2; python_version < '3.7'
webob==1.8.7
webtest
zake==0.2.2
Expand Down
2 changes: 1 addition & 1 deletion st2actions/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,5 @@ pyparsing<3
python-dateutil==2.8.1
python-json-logger
pyyaml==5.4.1
requests[security]==2.25.1
requests[security]>=2.27.1,<=2.31.0
six==1.13.0
2 changes: 2 additions & 0 deletions st2client/in-requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ importlib-metadata
# importlib-metadata requires typing-extensions
typing-extensions
argcomplete
# argcomplete requires urllib3
urllib3
prettytable
pytz
python-dateutil
Expand Down
7 changes: 4 additions & 3 deletions st2client/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,11 @@
# If you want to update depdencies for a single component, modify the
# in-requirements.txt for that component and then run 'make requirements' to
# update the component requirements.txt
argcomplete==1.12.2
argcomplete==1.12.3
cffi<1.15.0
chardet<3.1.0
cryptography==39.0.1
importlib-metadata==3.10.1
importlib-metadata>=4.8.3,<=4.10.1
jsonpath-rw==1.4.0
jsonschema==2.6.0
orjson==3.5.2
Expand All @@ -21,8 +21,9 @@ python-dateutil==2.8.1
python-editor==1.0.4
pytz==2021.1
pyyaml==5.4.1
requests[security]==2.25.1
requests[security]>=2.27.1,<=2.31.0
six==1.13.0
sseclient-py==1.7
typing-extensions<4.2
urllib3<2; python_version < '3.7'
Copy link
Member

@arm4b arm4b Nov 24, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, environment markers are all buggy with the current pip version 🤯

Under py3.8 https://app.circleci.com/pipelines/github/StackStorm/st2/4267/workflows/6d50c81f-3524-4f8d-8279-71f47ee5dd67/jobs/16065?invite=true#step-109-925583_94:

[package: st2] [20:53:43]      The conflict is caused by:
[package: st2] [20:53:43]          requests[security] 2.31.0 depends on urllib3<3 and >=1.21.1
[package: st2] [20:53:43]          requests 2.31.0 depends on urllib3<3 and >=1.21.1
[package: st2] [20:53:43]          st2client 3.9.dev0 depends on urllib3<2

which is wrong.

I can't see any path forward for updating requests[security] so far as it requires urllib3 v2 which is incompatible with python3.6. And for some reason urllib3 v2 is pulled.

zipp<3.16.0
2 changes: 1 addition & 1 deletion st2common/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ python-dateutil==2.8.1
python-statsd==2.1.0
pyyaml==5.4.1
redis==4.1.4
requests[security]==2.25.1
requests[security]>=2.27.1,<=2.31.0
retrying==1.3.3
routes==2.4.1
semver==2.13.0
Expand Down