From 2bb9a6d5b0d7648ed9bc7f73a9d9d5ab971858cc Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 6 Nov 2023 18:34:04 +0000
Subject: [PATCH 01/19] Bump gitpython to 3.1.37

Fixes:
* CVE-2023-40267
* CVE-2023-41040
* CVE-2023-40590
* CVE-2022-24439
* XRAY-198950
---
 fixed-requirements.txt | 2 +-
 requirements-pants.txt | 2 +-
 requirements.txt | 2 +-
 st2actions/requirements.txt | 2 +-
 st2common/requirements.txt | 2 +-
 st2common/tests/fixtures/requirements-used-for-tests.txt | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 37b2e463ed..bda94a80de 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -12,7 +12,7 @@ cryptography==39.0.1
 # depend on rely
 eventlet==0.30.2
 flex==6.14.1
-gitpython==3.1.15
+gitpython>=3.1.18,<=3.1.37
 # Needed by gitpython, old versions used to bundle it
 gitdb==4.0.2
 # Note: greenlet is used by eventlet
diff --git a/requirements-pants.txt b/requirements-pants.txt
index 3e07857de0..744a49d28a 100644
--- a/requirements-pants.txt
+++ b/requirements-pants.txt
@@ -16,7 +16,7 @@ eventlet<0.31
 flex
 # gitpython & gitdb are used for pack management
 gitdb
-gitpython
+gitpython>=3.1.18,<=3.1.37
 # st2common/tests/integration/test_util_green.py requires greenlet (as does eventlet)
 greenlet
 gunicorn
diff --git a/requirements.txt b/requirements.txt
index 0953473395..dca48ab863 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython>=3.1.18,<=3.1.37
 greenlet==1.0.0
 gunicorn==20.1.0
 importlib-metadata==3.10.1
diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt
index acd17a961e..907e8a0d75 100644
--- a/st2actions/requirements.txt
+++ b/st2actions/requirements.txt
@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 apscheduler==3.7.0
 chardet<3.1.0
 eventlet==0.30.2
-gitpython==3.1.15
+gitpython>=3.1.18,<=3.1.37
 jinja2==2.11.3
 kombu==5.0.2
 lockfile==0.12.2
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index 2fe21fe468..40c3c45f54 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -17,7 +17,7 @@ dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
 gitdb==4.0.2
-gitpython==3.1.15
+gitpython>=3.1.18,<=3.1.37
 greenlet==1.0.0
 jinja2==2.11.3
 jsonpath-rw==1.4.0
diff --git a/st2common/tests/fixtures/requirements-used-for-tests.txt b/st2common/tests/fixtures/requirements-used-for-tests.txt
index 3fbf5f14d0..b18e62140f 100644
--- a/st2common/tests/fixtures/requirements-used-for-tests.txt
+++ b/st2common/tests/fixtures/requirements-used-for-tests.txt
@@ -14,7 +14,7 @@ git+https://github.com/StackStorm/st2-auth-backend-flat-file.git@master#egg=st2-
 git+https://github.com/StackStorm/st2.git#egg=python_runner&subdirectory=contrib/runners/python_runner
 hg+https://hg.repo/some_pkg.git#egg=SomePackageHq
 svn+svn://svn.repo/some_pkg/trunk/@ma-branch#egg=SomePackageSvn
-gitpython==2.1.11
+gitpython>=3.1.18,<=3.1.37
 ose-timer==0.7.5
 oslo.config<1.13,>=1.12.1
 requests[security]<2.22.0,>=2.21.0
From c6fd05036842e9ad0610a8cc1fea084b7b63c663 Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 6 Nov 2023 18:40:35 +0000
Subject: [PATCH 02/19] Bump requests to 2.31.0

Fixes:
* CVE-2023-32681
---
 fixed-requirements.txt | 2 +-
 requirements.txt | 2 +-
 st2actions/requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 st2common/requirements.txt | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index bda94a80de..10910e764d 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -52,7 +52,7 @@ pytz==2021.1
 pywinrm==0.4.1
 pyyaml==5.4.1
 redis==4.1.4
-requests[security]==2.25.1
+requests[security]>=2.27.1,<=2.31.0
 retrying==1.3.3
 routes==2.4.1
 semver==2.13.0
diff --git a/requirements.txt b/requirements.txt
index dca48ab863..4a527584f5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -60,7 +60,7 @@ pywinrm==0.4.1
 pyyaml==5.4.1
 redis==4.1.4
 rednose
-requests[security]==2.25.1
+requests[security]>=2.27.1,<=2.31.0
 retrying==1.3.3
 routes==2.4.1
 semver==2.13.0
diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt
index 907e8a0d75..3a9b60a0e4 100644
--- a/st2actions/requirements.txt
+++ b/st2actions/requirements.txt
@@ -21,5 +21,5 @@ pyparsing<3
 python-dateutil==2.8.1
 python-json-logger
 pyyaml==5.4.1
-requests[security]==2.25.1
+requests[security]>=2.27.1,<=2.31.0
 six==1.13.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index a99071ba7f..15babeb84e 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -21,7 +21,7 @@ python-dateutil==2.8.1
 python-editor==1.0.4
 pytz==2021.1
 pyyaml==5.4.1
-requests[security]==2.25.1
+requests[security]>=2.27.1,<=2.31.0
 six==1.13.0
 sseclient-py==1.7
 typing-extensions<4.2
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index 40c3c45f54..caf7241ec0 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -36,7 +36,7 @@ python-dateutil==2.8.1
 python-statsd==2.1.0
 pyyaml==5.4.1
 redis==4.1.4
-requests[security]==2.25.1
+requests[security]>=2.27.1,<=2.31.0
 retrying==1.3.3
 routes==2.4.1
 semver==2.13.0
From f26c1fb6d3645430fe81cd7f26565115bec65326 Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 6 Nov 2023 18:42:13 +0000
Subject: [PATCH 03/19] Bump importlib-metadata to 4.10.1

Fixes:
* XRAY-195083
---
 fixed-requirements.txt | 2 +-
 requirements.txt | 2 +-
 st2client/requirements.txt | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 10910e764d..2750b88ce8 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -60,7 +60,7 @@ six==1.13.0
 argparse==1.12.2
 argcomplete==1.12.2
 prettytable==2.1.0
-importlib-metadata==3.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
 typing-extensions<4.2
 # NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
diff --git a/requirements.txt b/requirements.txt
index 4a527584f5..6863d582e0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ gitdb==4.0.2
 gitpython>=3.1.18,<=3.1.37
 greenlet==1.0.0
 gunicorn==20.1.0
-importlib-metadata==3.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index 15babeb84e..c6f3fc01bf 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -8,8 +8,8 @@
 argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
-cryptography==39.0.1
-importlib-metadata==3.10.1
+cryptography>=40.0.2,<=41.0.4
+importlib-metadata>=4.8.3,<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
From ee92b8205179ec3e1e00ce744dc8229319b262dc Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 6 Nov 2023 18:52:23 +0000
Subject: [PATCH 04/19] Bump virtualenv to 20.16.7

Fixes:
* CVE-2019-20916
---
 fixed-requirements.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 2750b88ce8..0bbf92c408 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -69,8 +69,8 @@ stevedore==1.30.1
 tenacity>=3.2.1,<7.0.0
 tooz==2.8.0
 # Note: virtualenv embeds wheels for pip, wheel, and setuptools. So pinning virtualenv pins those as well.
-# virtualenv==20.4.0 (<21) has pip==20.3.3 wheel==0.36.2 setuptools==51.3.3
-virtualenv==20.4.0
+# virtualenv<=20.16.7 (<21) has pip==22.3.1 wheel==0.38.4 setuptools==65.5.1
+virtualenv<=20.16.7
 webob==1.8.7
 zake==0.2.2
 # test requirements below
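Review bot: `virtualenv<=20.16.7` in the fixed-requirements hunk replaces an exact pin with an upper bound only, so nothing in the constraint excludes the older releases this commit says it fixes (the message cites CVE-2019-20916), and the new comment's claim that this "pins" pip, wheel and setuptools to 22.3.1/0.38.4/65.5.1 only holds at exactly 20.16.7. If a range is needed for older interpreters, state the lowest acceptable version explicitly, `virtualenv>=<MIN-VERSION>,<=20.16.7`, and reword the comment to say which transitive versions each end of the range embeds. The same upper-bound-only form appears for `pyOpenSSL<=23.2.0` in the hunks of PATCH 06 and for `importlib-metadata<=4.10.1` in PATCH 11, where it likewise drops the floor that the earlier `>=` ranges in this series carried.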
From 62f6f272ab517c293ed1f9790e40ca8b737bcd52 Mon Sep 17 00:00:00 2001
From: jk464
Date: Mon, 6 Nov 2023 20:25:15 +0000
Subject: [PATCH 05/19] CHANGELOG for CVE fixes #6062

---
 CHANGELOG.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 6a4f2284d5..9fa971de06 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,6 +24,9 @@ Fixed
 * Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
+* Bump virtualenv to 20.16.7, importlib-metadata to 4.10.1, requests to 2.31.0, gitpython to 3.1.37. #6062
+ Contributed by @jk464
+
 Added
 ~~~~~
From 38a7f74b7461a375941e9ef40b24ea01ebe2b576 Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 10:44:45 +0000
Subject: [PATCH 06/19] Bump, for py3.7+, cryptography to 41.0.4, pyopenssl to 23.2.0

Fixes:
* CVE-2023-4807
* CVE-2023-2650
* CVE-2023-3446

For StackStorm on Python 3.8 only
---
 CHANGELOG.rst | 2 +-
 fixed-requirements.txt | 4 ++--
 requirements.txt | 4 ++--
 st2client/requirements.txt | 2 +-
 st2common/requirements.txt | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 9fa971de06..07af81e83e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,7 +24,7 @@ Fixed
 * Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055
-* Bump virtualenv to 20.16.7, importlib-metadata to 4.10.1, requests to 2.31.0, gitpython to 3.1.37. #6062
+* Bump virtualenv to 20.16.7, importlib-metadata to 4.10.1, requests to 2.31.0, gitpython to 3.1.37, and for Python3.8 only cryptography to 41.0.4, pyopenssl to 23.2.0. #6062
 Contributed by @jk464
 Added
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 0bbf92c408..3995f711ba 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -7,7 +7,7 @@ chardet<3.1.0
 cffi<1.15.0
 # NOTE: 2.0 version breaks pymongo work with hosts
 dnspython>=1.16.0,<2.0.0
-cryptography==39.0.1
+cryptography>=40.0.2,<=41.0.4
 # Note: 0.20.0 removed select.poll() on which some of our code and libraries we
 # depend on rely
 eventlet==0.30.2
@@ -45,7 +45,7 @@ pymongo==3.11.3
 pyparsing<3
 zstandard==0.15.2
 # pyOpenSSL 23.1.0 supports cryptography up to 40.0.x
-pyOpenSSL==23.1.0
+pyOpenSSL<=23.2.0
 python-editor==1.0.4
 python-keyczar==0.716
 pytz==2021.1
diff --git a/requirements.txt b/requirements.txt
index 6863d582e0..1ce729c1a1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,7 +14,7 @@ bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==39.0.1
+cryptography>=40.0.2,<=41.0.4
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
@@ -45,7 +45,7 @@ passlib==1.7.4
 prettytable==2.1.0
 prompt-toolkit==1.0.15
 psutil==5.8.0
-pyOpenSSL==23.1.0
+pyOpenSSL<=23.2.0
 pyinotify==0.9.6 ; platform_system=="Linux"
 pymongo==3.11.3
 pyparsing<3
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index c6f3fc01bf..b3ea9d4194 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -15,7 +15,7 @@ jsonschema==2.6.0
 orjson==3.5.2
 prettytable==2.1.0
 prompt-toolkit==1.0.15
-pyOpenSSL==23.1.0
+pyOpenSSL<=23.2.0
 pysocks
 python-dateutil==2.8.1
 python-editor==1.0.4
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index caf7241ec0..ac2618b168 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -11,7 +11,7 @@ apscheduler==3.7.0
 cffi<1.15.0
 chardet<3.1.0
 ciso8601
-cryptography==39.0.1
+cryptography>=40.0.2,<=41.0.4
 decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
@@ -30,7 +30,7 @@ orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
 oslo.config>=1.12.1,<1.13
 paramiko==2.11.0
-pyOpenSSL==23.1.0
+pyOpenSSL<=23.2.0
 pymongo==3.11.3
 python-dateutil==2.8.1
 python-statsd==2.1.0
From 61b47db603c7d21a06142228f031713ba77d7a35 Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 12:38:59 +0000
Subject: [PATCH 07/19] Add support for evaluating requirement markers

---
 scripts/fixate-requirements.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/fixate-requirements.py b/scripts/fixate-requirements.py
index e7b8377297..406c999cc8 100755
--- a/scripts/fixate-requirements.py
+++ b/scripts/fixate-requirements.py
@@ -73,6 +73,8 @@
     # Do not error, as will only use on pip >= 20
     pass
 
+from packaging.requirements import Requirement
+
 
 def parse_args():
     parser = argparse.ArgumentParser(
@@ -190,6 +192,12 @@ def write_requirements(
         if not req.req:
             continue
 
+        # If the requirement has markers, and they don't meet the
+        # current environment ignore this requirement
+        packaging_req = Requirement(req.requirement)
+        if packaging_req.marker and not packaging_req.marker.evaluate():
+            continue
+
         if project_name in fixedreq_hash:
             raise ValueError(
                 'Duplicate definition for dependency "%s"' % (project_name)
From 020c261716f2d3d691185d0bc4dcd2b319ac2d3b Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 13:00:02 +0000
Subject: [PATCH 08/19] Revert "Add support for evaluating requirement markers"

This reverts commit b1aa079357c2e8a7b0f9a30f4fb5f03ac7abec2f.
---
 scripts/fixate-requirements.py | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/scripts/fixate-requirements.py b/scripts/fixate-requirements.py
index 406c999cc8..e7b8377297 100755
--- a/scripts/fixate-requirements.py
+++ b/scripts/fixate-requirements.py
@@ -73,8 +73,6 @@
     # Do not error, as will only use on pip >= 20
     pass
 
-from packaging.requirements import Requirement
-
 
 def parse_args():
     parser = argparse.ArgumentParser(
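Review bot: `packaging_req.marker.evaluate()` in the write_requirements hunk is called without an `environment` argument, so the marker is judged against the interpreter running this script; a fixed-requirements file generated under one Python version then silently drops entries carrying a marker for another (for example `python_version < '3.7'`), which is the opposite of what a per-version marker is for. Either pass the target interpreter's values, `packaging_req.marker.evaluate(environment=<target-env-dict>)`, or keep the requirement and write it out with its marker intact instead of `continue`. `Requirement(req.requirement)` also raises `packaging.requirements.InvalidRequirement` on lines that are not PEP 508 syntax, and nothing in the hunk handles that; the `if not req.req` guard above does not cover it, so a comment stating what `req.requirement` may contain here, or an explicit `except InvalidRequirement`, is needed. The previous hunk imports `packaging` at module level after the pip compatibility try/except without, as far as this diff shows, declaring it as a dependency of the script; confirm it is available outside pip's vendored copy. write_requirements begins and ends outside the hunk.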
@@ -192,12 +190,6 @@ def write_requirements(
         if not req.req:
             continue
 
-        # If the requirement has markers, and they don't meet the
-        # current environment ignore this requirement
-        packaging_req = Requirement(req.requirement)
-        if packaging_req.marker and not packaging_req.marker.evaluate():
-            continue
-
         if project_name in fixedreq_hash:
             raise ValueError(
                 'Duplicate definition for dependency "%s"' % (project_name)
From 62835c6043474c42cb15f2e955e5d3a460e743a4 Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 15:19:38 +0000
Subject: [PATCH 09/19] Revert "Bump virtualenv to 20.16.7"

This reverts commit ee92b8205179ec3e1e00ce744dc8229319b262dc.
---
 fixed-requirements.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 3995f711ba..defa2104e0 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -69,8 +69,8 @@ stevedore==1.30.1
 tenacity>=3.2.1,<7.0.0
 tooz==2.8.0
 # Note: virtualenv embeds wheels for pip, wheel, and setuptools. So pinning virtualenv pins those as well.
-# virtualenv<=20.16.7 (<21) has pip==22.3.1 wheel==0.38.4 setuptools==65.5.1
-virtualenv<=20.16.7
+# virtualenv==20.4.0 (<21) has pip==20.3.3 wheel==0.36.2 setuptools==51.3.3
+virtualenv==20.4.0
 webob==1.8.7
 zake==0.2.2
 # test requirements below
From e733e5d5c8e685a943548f7441956170158dccad Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 15:37:42 +0000
Subject: [PATCH 10/19] fixup! Bump importlib-metadata to 4.10.1

---
 fixed-requirements.txt | 2 +-
 requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index defa2104e0..290cf2074e 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -60,7 +60,7 @@ six==1.13.0
 argparse==1.12.2
 argcomplete==1.12.2
 prettytable==2.1.0
-importlib-metadata>=4.8.3,<=4.10.1
+importlib-metadata>=3.10.1,<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
 typing-extensions<4.2
 # NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
diff --git a/requirements.txt b/requirements.txt
index 1ce729c1a1..cb162ae7af 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ gitdb==4.0.2
 gitpython>=3.1.18,<=3.1.37
 greenlet==1.0.0
 gunicorn==20.1.0
-importlib-metadata>=4.8.3,<=4.10.1
+importlib-metadata>=3.10.1,<=4.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index b3ea9d4194..e84ee61429 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -9,7 +9,7 @@ argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
 cryptography>=40.0.2,<=41.0.4
-importlib-metadata>=4.8.3,<=4.10.1
+importlib-metadata>=3.10.1,<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
From 21468f18acd0f49d59dfd82d022b559a5df97d0b Mon Sep 17 00:00:00 2001
From: jk464
Date: Tue, 7 Nov 2023 16:18:44 +0000
Subject: [PATCH 11/19] fixup! Bump importlib-metadata to 4.10.1

---
 fixed-requirements.txt | 2 +-
 requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 290cf2074e..005595e865 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -60,7 +60,7 @@ six==1.13.0
 argparse==1.12.2
 argcomplete==1.12.2
 prettytable==2.1.0
-importlib-metadata>=3.10.1,<=4.10.1
+importlib-metadata<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
 typing-extensions<4.2
 # NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
diff --git a/requirements.txt b/requirements.txt
index cb162ae7af..df94b1002f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ gitdb==4.0.2
 gitpython>=3.1.18,<=3.1.37
 greenlet==1.0.0
 gunicorn==20.1.0
-importlib-metadata>=3.10.1,<=4.10.1
+importlib-metadata<=4.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index e84ee61429..aa2e36dbbf 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -9,7 +9,7 @@ argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
 cryptography>=40.0.2,<=41.0.4
-importlib-metadata>=3.10.1,<=4.10.1
+importlib-metadata<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
From e2a07d93db21f815f506c58e78b07e228bc55359 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 18:11:21 +0000
Subject: [PATCH 12/19] Update requests and importlib-metadata only

---
 fixed-requirements.txt | 2 +-
 requirements-pants.txt | 2 +-
 requirements.txt | 2 +-
 st2client/requirements.txt | 4 ++--
 st2common/tests/fixtures/requirements-used-for-tests.txt | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 76a03274b1..af8c03bfef 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -85,4 +85,4 @@ psutil==5.8.0
 python-dateutil==2.8.1
 python-statsd==2.1.0
 orjson==3.5.2
-zipp<3.16.0
\ No newline at end of file
+zipp<3.16.0
diff --git a/requirements-pants.txt b/requirements-pants.txt
index 1aec17f6c3..ef04eaaf91 100644
--- a/requirements-pants.txt
+++ b/requirements-pants.txt
@@ -16,7 +16,7 @@ eventlet<0.31
 flex
 # gitpython & gitdb are used for pack management
 gitdb
-gitpython>=3.1.18,<=3.1.37
+gitpython
 # st2common/tests/integration/test_util_green.py requires greenlet (as does eventlet)
 greenlet
 gunicorn
diff --git a/requirements.txt b/requirements.txt
index 6b2206e634..d1e836eb40 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -79,4 +79,4 @@ webob==1.8.7
 webtest
 zake==0.2.2
 zipp<3.16.0
-zstandard==0.15.2
\ No newline at end of file
+zstandard==0.15.2
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index aa2e36dbbf..8a963eaff8 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -8,14 +8,14 @@
 argcomplete==1.12.2
 cffi<1.15.0
 chardet<3.1.0
-cryptography>=40.0.2,<=41.0.4
+cryptography==39.0.1
 importlib-metadata<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
 prettytable==2.1.0
 prompt-toolkit==1.0.15
-pyOpenSSL<=23.2.0
+pyOpenSSL==23.1.0
 pysocks
 python-dateutil==2.8.1
 python-editor==1.0.4
diff --git a/st2common/tests/fixtures/requirements-used-for-tests.txt b/st2common/tests/fixtures/requirements-used-for-tests.txt
index b18e62140f..3fbf5f14d0 100644
--- a/st2common/tests/fixtures/requirements-used-for-tests.txt
+++ b/st2common/tests/fixtures/requirements-used-for-tests.txt
@@ -14,7 +14,7 @@ git+https://github.com/StackStorm/st2-auth-backend-flat-file.git@master#egg=st2-
 git+https://github.com/StackStorm/st2.git#egg=python_runner&subdirectory=contrib/runners/python_runner
 hg+https://hg.repo/some_pkg.git#egg=SomePackageHq
 svn+svn://svn.repo/some_pkg/trunk/@ma-branch#egg=SomePackageSvn
-gitpython>=3.1.18,<=3.1.37
+gitpython==2.1.11
 ose-timer==0.7.5
 oslo.config<1.13,>=1.12.1
 requests[security]<2.22.0,>=2.21.0
From de32bf6e7cecd4b55dafd5f3f6d420b13545b0a5 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 19:24:31 +0000
Subject: [PATCH 13/19] Update the Changelog

---
 CHANGELOG.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b89d4d8f9c..94d56b6f22 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -38,7 +38,8 @@ Fixed
 * Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063
-* Update requests 2.25.1 -> 2.31.0 and importlib-metadata 3.10.1 -> 4.10.1 (security). #6062
+* Update requests from 2.25.1 to 2.27.1 for py3.6 and to 2.31.0 for py3.8 (security).
+ Update importlib-metadata from 3.10.1 to 4.8.3 for py3.6 and to 4.10.1 for py3.8 (security). #6062
 Contributed by @jk464
 Added
From 04e336095521324546b2c3a16fa8e55c20959e58 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 19:43:15 +0000
Subject: [PATCH 14/19] Update argcomplete to 1.12.3 to be compatible with importlib-metadata<5

See https://kislyuk.github.io/argcomplete/changelog.html#changes-for-v1-12-3-2021-04-19
https://github.com/kislyuk/argcomplete/pull/345
---
 fixed-requirements.txt | 3 ++-
 requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index af8c03bfef..a2ecceb5fc 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -60,7 +60,8 @@ routes==2.4.1
 semver==2.13.0
 six==1.13.0
 argparse==1.12.2
-argcomplete==1.12.2
+# Note: argcomplete 1.12.3 supports importlib-metadata<5
+argcomplete==1.12.3
 prettytable==2.1.0
 importlib-metadata<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
diff --git a/requirements.txt b/requirements.txt
index d1e836eb40..3c58921c10 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23
 RandomWords
 amqp==5.0.6
 apscheduler==3.7.0
-argcomplete==1.12.2
+argcomplete==1.12.3
 bcrypt==3.2.0
 cffi<1.15.0
 chardet<3.1.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index 8a963eaff8..7a17d2a982 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -5,7 +5,7 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-argcomplete==1.12.2
+argcomplete==1.12.3
 cffi<1.15.0
 chardet<3.1.0
 cryptography==39.0.1
From 98cb808782af05948e99055e81774c6b93cb0c2b Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 20:05:11 +0000
Subject: [PATCH 15/19] Add code comments for updated dependencies for py3.6 vs py3.8

---
 fixed-requirements.txt | 6 +++++-
 requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index a2ecceb5fc..cba3b8718e 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -54,6 +54,8 @@ pytz==2021.1
 pywinrm==0.4.1
 pyyaml==5.4.1
 redis==4.1.4
+# Note: installs requests[security]==2.31.0 (security fixed) under py3.8 and requests[security]==2.27.1 (latest available, vulnerable) under py3.6
+# TODO: Pin explicitly after dropping python3.6 support
 requests[security]>=2.27.1,<=2.31.0
 retrying==1.3.3
 routes==2.4.1
@@ -63,7 +65,9 @@ argparse==1.12.2
 # Note: argcomplete 1.12.3 supports importlib-metadata<5
 argcomplete==1.12.3
 prettytable==2.1.0
-importlib-metadata<=4.10.1
+# Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
+# TODO: Pin to 4.10.1 or higher after dropping python3.6 support
+importlib-metadata>=4.8.3,<=4.10.1
 # importlib-metadata requires typing-extensions but v4.2.0 requires py3.7+
 typing-extensions<4.2
 # NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
diff --git a/requirements.txt b/requirements.txt
index 3c58921c10..731002457b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ gitdb==4.0.2
 gitpython<=3.1.37
 greenlet==1.0.0
 gunicorn==21.2.0
-importlib-metadata<=4.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 jinja2==2.11.3
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index 7a17d2a982..3fda16e0c1 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -9,7 +9,7 @@ argcomplete==1.12.3
 cffi<1.15.0
 chardet<3.1.0
 cryptography==39.0.1
-importlib-metadata<=4.10.1
+importlib-metadata>=4.8.3,<=4.10.1
 jsonpath-rw==1.4.0
 jsonschema==2.6.0
 orjson==3.5.2
From 9c190425ab2b9a8a980eab22e71c4bea6603449e Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 20:13:56 +0000
Subject: [PATCH 16/19] Update st2-auth-ldap sha in pants lock

Following the https://github.com/StackStorm/st2-auth-ldap/pull/111
---
 lockfiles/st2.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lockfiles/st2.lock b/lockfiles/st2.lock
index 1d97f6325d..8e0cae8e97 100644
--- a/lockfiles/st2.lock
+++ b/lockfiles/st2.lock
@@ -4009,7 +4009,7 @@
       "artifacts": [
         {
           "algorithm": "sha256",
-          "hash": "c521a3dfc6948a6a57da4dcaa48e0b3390fadcf00d36e3948510cd1c32a10d96",
+          "hash": "29c6ff480b24e4bc316ed69eac5503c71f4700ed17649ae5c5ca8cd745e5852f",
           "url": "git+https://github.com/StackStorm/st2-auth-ldap.git@master"
         }
       ],
From c7f13e74432b295b021d427b1fef0dfd037dff0e Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 20:50:59 +0000
Subject: [PATCH 17/19] Workaround conflict when incompatible urllib3 v2 is installed under the py3.6

---
 fixed-requirements.txt | 2 ++
 requirements.txt | 1 +
 st2client/in-requirements.txt | 2 ++
 st2client/requirements.txt | 1 +
 4 files changed, 6 insertions(+)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index cba3b8718e..5ce7010826 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -64,6 +64,8 @@ six==1.13.0
 argparse==1.12.2
 # Note: argcomplete 1.12.3 supports importlib-metadata<5
 argcomplete==1.12.3
+# Note: argcomplete supports urllib3<3,>=1.21.1 installing urllib3 v2, which is not compatible with python3.6
+urllib3<2; python_version < '3.7'
 prettytable==2.1.0
 # Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
 # TODO: Pin to 4.10.1 or higher after dropping python3.6 support
diff --git a/requirements.txt b/requirements.txt
index 731002457b..00813b5470 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -75,6 +75,7 @@ tenacity>=3.2.1,<7.0.0
 tooz==2.8.0
 typing-extensions<4.2
 unittest2
+urllib3<2; python_version < '3.7'
 webob==1.8.7
 webtest
 zake==0.2.2
diff --git a/st2client/in-requirements.txt b/st2client/in-requirements.txt
index b0057916f1..6d596c08d4 100644
--- a/st2client/in-requirements.txt
+++ b/st2client/in-requirements.txt
@@ -3,6 +3,8 @@ importlib-metadata
 # importlib-metadata requires typing-extensions
 typing-extensions
 argcomplete
+# argcomplete requires urllib3
+urllib3
 prettytable
 pytz
 python-dateutil
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index 3fda16e0c1..79f2662154 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -25,4 +25,5 @@ requests[security]>=2.27.1,<=2.31.0
 six==1.13.0
 sseclient-py==1.7
 typing-extensions<4.2
+urllib3<2; python_version < '3.7'
 zipp<3.16.0
From 0a553fd28b0c51659b544d408655e8060c6eccf7 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 21:18:20 +0000
Subject: [PATCH 18/19] Try1: fix urllib3 py3.6

---
 fixed-requirements.txt | 2 +-
 requirements.txt | 2 +-
 st2client/requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 5ce7010826..0b6e9e3d2b 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
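Review bot: The comment added in the fixed-requirements hunk attributes the `urllib3<3,>=1.21.1` specifier to argcomplete, but that is the specifier `requests` declares, and argcomplete is not known to depend on urllib3 at all; the `st2client/in-requirements.txt` hunk repeats the same attribution with `# argcomplete requires urllib3`. If requests is the real source of the urllib3 v2 pull, both comments should name it, e.g. `# Note: requests allows urllib3<3,>=1.21.1, which resolves to urllib3 v2; urllib3 v2 is not compatible with python3.6`, so a later maintainer does not try to fix this by changing argcomplete. I am inferring the requests specifier from its published metadata rather than from this diff, so confirm against the resolver output before rewording.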
@@ -65,7 +65,7 @@ argparse==1.12.2
 # Note: argcomplete 1.12.3 supports importlib-metadata<5
 argcomplete==1.12.3
 # Note: argcomplete supports urllib3<3,>=1.21.1 installing urllib3 v2, which is not compatible with python3.6
-urllib3<2; python_version < '3.7'
+#urllib3<2; python_version < '3.7'
 prettytable==2.1.0
 # Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
 # TODO: Pin to 4.10.1 or higher after dropping python3.6 support
diff --git a/requirements.txt b/requirements.txt
index 00813b5470..9db289ab7e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -75,7 +75,7 @@ tenacity>=3.2.1,<7.0.0
 tooz==2.8.0
 typing-extensions<4.2
 unittest2
-urllib3<2; python_version < '3.7'
+urllib3
 webob==1.8.7
 webtest
 zake==0.2.2
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index 79f2662154..d72de95213 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -25,5 +25,5 @@ requests[security]>=2.27.1,<=2.31.0
 six==1.13.0
 sseclient-py==1.7
 typing-extensions<4.2
-urllib3<2; python_version < '3.7'
+urllib3
 zipp<3.16.0
From 0d94e198696029bea8ebb0544c11d5c798cb8db5 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 24 Nov 2023 21:28:22 +0000
Subject: [PATCH 19/19] Revert urllib3 py3.6 workarounds

---
 fixed-requirements.txt | 2 --
 requirements.txt | 1 -
 st2client/in-requirements.txt | 2 --
 st2client/requirements.txt | 1 -
 4 files changed, 6 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 0b6e9e3d2b..cba3b8718e 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -64,8 +64,6 @@ six==1.13.0
 argparse==1.12.2
 # Note: argcomplete 1.12.3 supports importlib-metadata<5
 argcomplete==1.12.3
-# Note: argcomplete supports urllib3<3,>=1.21.1 installing urllib3 v2, which is not compatible with python3.6
-#urllib3<2; python_version < '3.7'
 prettytable==2.1.0
 # Note: installs importlib-metadata==4.10.1 (security fixed) under py3.8 and importlib-metadata==4.8.3 (latest available, vulnerable) under py3.6
 # TODO: Pin to 4.10.1 or higher after dropping python3.6 support
diff --git a/requirements.txt b/requirements.txt
index 9db289ab7e..731002457b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -75,7 +75,6 @@ tenacity>=3.2.1,<7.0.0
 tooz==2.8.0
 typing-extensions<4.2
 unittest2
-urllib3
 webob==1.8.7
 webtest
 zake==0.2.2
diff --git a/st2client/in-requirements.txt b/st2client/in-requirements.txt
index 6d596c08d4..b0057916f1 100644
--- a/st2client/in-requirements.txt
+++ b/st2client/in-requirements.txt
@@ -3,8 +3,6 @@ importlib-metadata
 # importlib-metadata requires typing-extensions
 typing-extensions
 argcomplete
-# argcomplete requires urllib3
-urllib3
 prettytable
 pytz
 python-dateutil
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
index d72de95213..3fda16e0c1 100644
--- a/st2client/requirements.txt
+++ b/st2client/requirements.txt
@@ -25,5 +25,4 @@ requests[security]>=2.27.1,<=2.31.0
 six==1.13.0
 sseclient-py==1.7
 typing-extensions<4.2
-urllib3
 zipp<3.16.0