Update dependency with security issues

``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 118 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pycryptodome | 3.10.3 | <3.11.0 | 42084 | +==============================================================================+ | Pycryptodome version 3.11.0 includes a fix for the DSA construction | | algorithm. Modulus "p" primality check wasn't working. | | Legrandin/pycryptodome@183f8d1c7a5e145e7 | | 8b86fb54da7e327a277d9c6 | +==============================================================================+ | babel | 2.9.0 | <2.9.1 | 42203 | +==============================================================================+ | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before | | 2.9.1 allows attackers to load arbitrary locale .dat files (containing | | serialized Python objects) via directory traversal, leading to code | | execution. | | python-babel/babel#782 | | https://lists.debian.org/debian-lts/2021/10/msg00040.html | | https://www.tenable.com/security/research/tra-2021-14 | | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html | +==============================================================================+ | sqlalchemy-utils | 0.36.8 | >=0.27.0 | 42194 | +==============================================================================+ | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES | | with CBC mode. The IV that it uses is not random though. | | kvesteri/sqlalchemy-utils#166 | +==============================================================================+ | babel | 2.9.0 | <2.9.1 | 42203 | +==============================================================================+ | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before | | 2.9.1 allows attackers to load arbitrary locale .dat files (containing | | serialized Python objects) via directory traversal, leading to code | | execution. | | python-babel/babel#782 | | https://lists.debian.org/debian-lts/2021/10/msg00040.html | | https://www.tenable.com/security/research/tra-2021-14 | | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html | +==============================================================================+ ```
camptocamp · Nov 10, 2021 · df43e30 · df43e30
1 parent e539db3
commit df43e30
Show file tree

Hide file tree

Showing 2 changed files with 168 additions and 64 deletions.
diff --git a/Pipfile b/Pipfile
@@ -5,7 +5,7 @@ verify_ssl = true
 
 [dev-packages]
 awscli = "==1.19.84"  # Work with Object storage
-Babel = "==2.9.0"  # i18n
+Babel = "==2.9.1"  # i18n
 bandit = "==1.7.0"  # lint
 beautifulsoup4 = "==4.9.3"  # admin tests
 coverage = "==5.4"  # Build coverage XML for Codacy
@@ -20,6 +20,70 @@ WebTest = "==2.0.35"  # admin tests
 prospector = {extras = ["with_mypy", "with_bandit", "with_pyroma"],version = "==1.3.1"}
 mypy = "==0.800"
 flake8 = "==3.8.4"
+# Lock dependencies
+astroid = "==2.4.1"
+attrs = "==20.3.0"
+botocore = "==1.20.84"
+certifi = "==2020.12.5"
+chardet = "==4.0.0"
+click = "==7.1.2"
+colorama = "==0.4.3"
+docopt = "==0.6.2"
+docutils = "==0.15.2"
+dodgy = "==0.2.1"
+flake8-polyfill = "==1.0.2"
+gitdb = "==4.0.5"
+gitpython = "==3.1.12"
+idna = "==2.10"
+iniconfig = "==1.1.1"
+isort = "==4.3.21"
+jmespath = "==0.10.0"
+lazy-object-proxy = "==1.4.3"
+markupsafe = "==1.1.1"
+mccabe = "==0.6.1"
+mypy-extensions = "==0.4.3"
+packaging = "==20.9"
+paste = "==3.5.0"
+pastedeploy = "==2.1.1"
+pbr = "==5.5.1"
+pep8-naming = "==0.10.0"
+pluggy = "==0.13.1"
+py = "==1.10.0"
+pyasn1 = "==0.4.8"
+pycodestyle = "==2.6.0"
+pydocstyle = "==5.1.1"
+pyflakes = "==2.2.0"
+pygments = "==2.7.4"
+pylint = "==2.5.3"
+pylint-celery = "==0.3"
+pylint-django = "==2.1.0"
+pylint-flask = "==0.6"
+pylint-plugin-utils = "==0.6"
+pyparsing = "==2.4.7"
+pyroma = "==2.6"
+pytest = "==6.2.2"
+python-dateutil = "==2.8.1"
+python-slugify = "==4.0.1"
+pytz = "==2021.1"
+pyyaml = "==5.4.1"
+requests = "==2.25.1"
+requirements-detector = "==0.7"
+rsa = "==4.5"
+s3transfer = "==0.4.2"
+setoptconf = "==0.2.0"
+six = "==1.15.0"
+smmap = "==3.0.5"
+snowballstemmer = "==2.1.0"
+soupsieve = "==2.1"
+stevedore = "==3.3.0"
+text-unidecode = "==1.3"
+toml = "==0.10.2"
+typed-ast = "==1.4.2"
+typing-extensions = "==3.7.4.3"
+urllib3 = "==1.26.3"
+waitress = "==1.4.4"
+webob = "==1.8.6"
+wrapt = "==1.12.1"
 
 [packages]
 alembic = "==1.5.3"  # geoportal
@@ -40,7 +104,7 @@ OWSLib = "==0.22.0"  # geoportal
 papyrus = "==2.4"  # commons, geoportal
 passwordgenerator = "==1.4"  # # geoportal
 psycopg2-binary = "==2.8.6"  # geoportal
-pycryptodome = "==3.10.3"  # geoportal
+pycryptodome = "==3.11.0"  # geoportal
 pyproj = "==3.0.0.post1"  # admin, other?
 pyotp = "==2.5.1"  # geoportal
 pyramid = "==1.10.5"  # geoportal
@@ -65,7 +129,7 @@ oauthlib = "==3.1.0"
 affine = "==2.3.0"
 argparse = "==1.4.0"
 attrs = "==20.3.0"
-babel = "==2.9.0"
+babel = "==2.9.1"
 beaker = "==1.11.0"
 beaker-redis = "==1.1.0"
 boltons = "==20.2.1"
@@ -125,6 +189,14 @@ venusian = "==3.0.0"
 waitress = "==1.4.4"
 webob = "==1.8.6"
 "zope.deprecation" = "==4.4.0"
+# Lock dependencies
+pyramid-debugtoolbar = "==4.9"
+pyramid-mako = "==1.1.0"
+pyramid-multiauth = "==0.9.0"
+pyramid-tm = "==2.4"
+simplejson = "==3.17.2"
+"zope.interface" = "==5.2.0"
+"zope.sqlalchemy" = "==1.3"
 
 [requires]
 python_version = "3.8"