Merge pull request #622 from Ouranosinc/security-updates

Ouranosinc · Jul 23, 2024 · 465faba · 465faba
2 parents 933722d + 42819bc
commit 465faba
Show file tree

Hide file tree

Showing 8 changed files with 20 additions and 7 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -9,7 +9,16 @@ Changes
 `Unreleased <https://github.com/Ouranosinc/Magpie/tree/master>`_ (latest)
 ------------------------------------------------------------------------------------
 
-* Nothing new for the moment.
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+
+* Update docker with latest ``python:3.11-alpine3.20`` base.
+* Pin ``setuptools>=71.0.3`` for CVE-2024-6345.
+* Pin ``requests>=2.32.3`` for CVE-2024-35195.
+* Pin ``urllib3>=2.2.2`` for CVE-2024-37891.
+* Pin ``zipp>=3.19.1`` for CVE-2024-5569.
+* Pin ``pyramid-twitcher>=0.10.0`` and ``birdhouse/twitcher:v0.10.0`` for same security updates as above
+  (relates to `bird-house/twitcher#136 <https://github.com/bird-house/twitcher/pull/136>`_).
 
 .. _changes_4.1.0:
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-alpine3.19
+FROM python:3.11-alpine3.20
 LABEL Description="Runs Magpie AuthN/AuthZ service for REST-API and UI interfaces."
 LABEL Maintainer="Francis Charette-Migneault <francis.charette-migneault@crim.ca>"
 LABEL Vendor="CRIM"

diff --git a/Dockerfile.adapter b/Dockerfile.adapter
@@ -3,7 +3,7 @@
 #   docker run will need to override ini file with mounted volume
 #   using config 'twitcher.adapter = magpie.adapter.MagpieAdapter'
 #
-FROM birdhouse/twitcher:v0.9.0
+FROM birdhouse/twitcher:v0.10.0
 LABEL Description="Configures MagpieAdapter on top of Twitcher application."
 LABEL Maintainer="Francis Charette-Migneault <francis.charette-migneault@crim.ca>"
 LABEL Vendor="CRIM"

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -14,7 +14,7 @@ mock>4
 pylint>=2.11,!=2.12,!=2.15
 pylint-quotes
 # bird-house/twticher, must match version in Dockerfile.adapater
-pyramid-twitcher>=0.9.0
+pyramid-twitcher>=0.10.0
 pytest
 safety
 tox>=3.0

diff --git a/requirements-doc.txt b/requirements-doc.txt
@@ -2,6 +2,7 @@
 # these are doc-only requirements
 # we actually need to install all requirements during docs build because of OpenAPI generation
 # (see 'docs/conf.py')
+-r requirements.txt
 astroid<2.12    # pin to resolve sphinx-autoapi (see https://github.com/readthedocs/sphinx-autoapi/issues/349)
 pycodestyle>=2.6.0,<3
 # sphinx-autoapi dropped 3.5 support at 1.3.0

diff --git a/requirements-sys.txt b/requirements-sys.txt
@@ -1,2 +1,3 @@
 pip
-setuptools>=65.5.1
+packaging>=22.0
+setuptools>=71.0.3
diff --git a/requirements.txt b/requirements.txt
@@ -25,7 +25,7 @@ pyramid_retry==2.1.1
 pyramid_tm>=2.2.1
 python-dotenv
 pyyaml>=5.1
-requests
+requests>=2.32.3
 requests_file
 simplejson
 six>=1.12.0
@@ -36,8 +36,10 @@ sqlalchemy-utils==0.39.0  # pyup: ignore
 threddsclient>=0.4.2
 transaction
 typing_extensions
+urllib3>=2.2.2
 wheel>=0.38
 webob
 ziggurat_foundations==0.9.1
 zope.interface>=4.7.2,<5
 zope.sqlalchemy==1.6
+zipp>=3.19.1
diff --git a/setup.py b/setup.py
@@ -217,7 +217,7 @@ def _extra_requirements(base_requirements, other_requirements):
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
     ],
-    python_requires=">=3.5, <4",
+    python_requires=">=3.8, <4",
 
     # -- Package structure -------------------------------------------------
     packages=[__meta__.__package__],