Update certain python dependencies for CVEs

ManageIQ / manageiq-appliance-build

Scripts to build ManageIQ appliances

Apache License 2.0

10 stars 55 forks source link

Update certain python dependencies for CVEs #521

Closed Fryguy closed 2 years ago

Fryguy commented 2 years ago

Bump pygments to 2.7.4 for CVE-2021-20270 and CVE-2021-27291
Bump urllib3 to 1.26.5 for CVE-2021-33503
- This required bumping requests to 2.25.1
Bump lxml to 4.9.1 for CVE-2018-19787, CVE-2020-27783, CVE-2021-28957, CVE-2021-43818, and CVE-2022-2309
Bump jinja2 to 2.11.3 for CVE-2020-28493
Bump paramiko to 2.10.1 for CVE-2022-24302

Also be more explicit for PyYAML to match the installed package

@agrare Please review. I verified with the vsphere.yml and the hello_world.yml on the docker images

Fryguy commented 2 years ago

Backported to oparin in commit 45ab36f896ea4fc865b423d12848c401dc27ed2d.

commit 45ab36f896ea4fc865b423d12848c401dc27ed2d
Author: Adam Grare <adam@grare.com>
Date:   Tue Sep 6 09:09:17 2022 -0400

    Merge pull request #521 from Fryguy/update_python_security2

    Update certain python dependencies for CVEs

    (cherry picked from commit 01a0ec4fce4cc12c03529d3fb2e7c913f357c7aa)

Fryguy commented 2 years ago

Backported to morphy in commit 96522807d25ba9c04e1cdb1e38bbb0e836def3a8.

commit 96522807d25ba9c04e1cdb1e38bbb0e836def3a8
Author: Adam Grare <adam@grare.com>
Date:   Tue Sep 6 09:09:17 2022 -0400

    Merge pull request #521 from Fryguy/update_python_security2

    Update certain python dependencies for CVEs

    (cherry picked from commit 01a0ec4fce4cc12c03529d3fb2e7c913f357c7aa)

Fryguy commented 2 years ago

Backported to najdorf in commit 72045ba219c2e1f3029d63d751e3ce6d06ecc8fe.

commit 72045ba219c2e1f3029d63d751e3ce6d06ecc8fe
Author: Adam Grare <adam@grare.com>
Date:   Tue Sep 6 09:09:17 2022 -0400

    Merge pull request #521 from Fryguy/update_python_security2

    Update certain python dependencies for CVEs

    (cherry picked from commit 01a0ec4fce4cc12c03529d3fb2e7c913f357c7aa)