From d0c88297fc786ec15eaef802ba1041706865464f Mon Sep 17 00:00:00 2001 From: Francis Charette Migneault Date: Tue, 23 Jul 2024 15:39:51 -0400 Subject: [PATCH 1/3] security updates for setuptools, requests, urllib, zipp (fixes #614, fixes #615, fixes #616, fixes #617, fixes #618, fixes #619) --- CHANGES.rst | 9 ++++++++- Dockerfile | 2 +- requirements-doc.txt | 1 + requirements-sys.txt | 2 +- requirements.txt | 4 +++- setup.py | 2 +- 6 files changed, 15 insertions(+), 5 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 7eb23785..bc61446c 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -9,7 +9,14 @@ Changes `Unreleased `_ (latest) ------------------------------------------------------------------------------------ -* Nothing new for the moment. +Features / Changes +~~~~~~~~~~~~~~~~~~~~~ + +* Update docker with latest ``python:3.11-alpine3.20`` base. +* Pin ``setuptools>=71.0.3`` for CVE-2024-6345. +* Pin ``requests>=2.32.3`` for CVE-2024-35195. +* Pin ``urllib3>=2.2.2`` for CVE-2024-37891. +* Pin ``zipp>=3.19.1`` for CVE-2024-5569. .. _changes_4.1.0: diff --git a/Dockerfile b/Dockerfile index 09494f11..a1d8ea92 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.11-alpine3.19 +FROM python:3.11-alpine3.20 LABEL Description="Runs Magpie AuthN/AuthZ service for REST-API and UI interfaces." LABEL Maintainer="Francis Charette-Migneault " LABEL Vendor="CRIM" diff --git a/requirements-doc.txt b/requirements-doc.txt index 8f20d6fb..f030237d 100644 --- a/requirements-doc.txt +++ b/requirements-doc.txt @@ -2,6 +2,7 @@ # these are doc-only requirements # we actually need to install all requirements during docs build because of OpenAPI generation # (see 'docs/conf.py') +-r requirements.txt astroid<2.12 # pin to resolve sphinx-autoapi (see https://github.com/readthedocs/sphinx-autoapi/issues/349) pycodestyle>=2.6.0,<3 # sphinx-autoapi dropped 3.5 support at 1.3.0 diff --git a/requirements-sys.txt b/requirements-sys.txt index 540f0dd5..2fdb0a0f 100644 
--- a/requirements-sys.txt +++ b/requirements-sys.txt @@ -1,2 +1,2 @@ pip -setuptools>=65.5.1 +setuptools>=71.0.3 diff --git a/requirements.txt b/requirements.txt index cea426e4..196be30e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -25,7 +25,7 @@ pyramid_retry==2.1.1 pyramid_tm>=2.2.1 python-dotenv pyyaml>=5.1 -requests +requests>=2.32.3 requests_file simplejson six>=1.12.0 @@ -36,8 +36,10 @@ sqlalchemy-utils==0.39.0 # pyup: ignore threddsclient>=0.4.2 transaction typing_extensions +urllib3>=2.2.2 wheel>=0.38 webob ziggurat_foundations==0.9.1 zope.interface>=4.7.2,<5 zope.sqlalchemy==1.6 +zipp>=3.19.1 diff --git a/setup.py b/setup.py index b922df83..aafb3b8e 100644 --- a/setup.py +++ b/setup.py @@ -217,7 +217,7 @@ def _extra_requirements(base_requirements, other_requirements): "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", ], - python_requires=">=3.5, <4", + python_requires=">=3.8, <4", # -- Package structure ------------------------------------------------- packages=[__meta__.__package__], From e67771b06cc9b3eff32bba88725145bcb2bdec84 Mon Sep 17 00:00:00 2001 From: Francis Charette Migneault Date: Tue, 23 Jul 2024 15:45:05 -0400 Subject: [PATCH 2/3] pin twitcher>=0.10.0 for same security fixes as magpie (relates to https://github.com/bird-house/twitcher/pull/136) --- CHANGES.rst | 2 ++ Dockerfile.adapter | 2 +- requirements-dev.txt | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index bc61446c..371103f4 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -17,6 +17,8 @@ Features / Changes * Pin ``requests>=2.32.3`` for CVE-2024-35195. * Pin ``urllib3>=2.2.2`` for CVE-2024-37891. * Pin ``zipp>=3.19.1`` for CVE-2024-5569. +* Pin ``pyramid-twitcher>=0.10.0`` and ``birdhouse/twitcher:v0.10.0`` for same security updates as above + (relates to `bird-house/twitcher#136 `_). .. _changes_4.1.0: diff --git a/Dockerfile.adapter b/Dockerfile.adapter index 8580493c..44e01c08 100644 
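Review bot: The new `urllib3>=2.2.2` and `zipp>=3.19.1` lines carry no hint of why they exist, even though this file already annotates unusual pins inline (the `# pyup: ignore` on the `sqlalchemy-utils` line in the hunk header), so a future cleanup could drop them without realising they are CVE floors on packages this project presumably only pulls in transitively (verify with `pip show`). I would annotate them `urllib3>=2.2.2  # CVE-2024-37891 (transitive dependency, keep floor)` and `zipp>=3.19.1  # CVE-2024-5569 (transitive dependency, keep floor)`, and give `requests>=2.32.3` in the previous hunk the matching `# CVE-2024-35195` comment. Bear in mind that a `>=` floor only excludes the known-bad range; without a hash-pinned lockfile the resolved versions still drift between builds, so the `safety` tool already listed in requirements-dev.txt is the better place to catch the next advisory than hand-adding pins here.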
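Review bot: The CHANGES.rst entry in this same patch omits the minimum-Python bump made here (`python_requires` from `">=3.5, <4"` to `">=3.8, <4"`), which is a breaking change for anyone still on 3.5–3.7 and deserves its own line next to the dependency pins, e.g. `* Drop support for Python <3.8 (``python_requires>=3.8``), needed for ``setuptools>=71.0.3``.` The "needed for" part is my inference from the setuptools floor and should be confirmed before it goes into the changelog. Only the 3.11 and 3.12 classifiers are visible in this hunk; the classifiers above it, outside this view, should be checked so the package no longer advertises 3.5–3.7 on PyPI. The enclosing `setup(...)` call starts before and ends after this hunk.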
--- a/Dockerfile.adapter
+++ b/Dockerfile.adapter
@@ -3,7 +3,7 @@
 # docker run will need to override ini file with mounted volume
 # using config 'twitcher.adapter = magpie.adapter.MagpieAdapter'
 #
-FROM birdhouse/twitcher:v0.9.0
+FROM birdhouse/twitcher:v0.10.0
 LABEL Description="Configures MagpieAdapter on top of Twitcher application."
 LABEL Maintainer="Francis Charette-Migneault "
 LABEL Vendor="CRIM"
diff --git a/requirements-dev.txt b/requirements-dev.txt
index bcca6abf..b28f4250 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -14,7 +14,7 @@ mock>4
 pylint>=2.11,!=2.12,!=2.15
 pylint-quotes
 # bird-house/twticher, must match version in Dockerfile.adapater
-pyramid-twitcher>=0.9.0
+pyramid-twitcher>=0.10.0
 pytest
 safety
 tox>=3.0
From 1d5c92edecf4a8a5cd95b5ff89f47d8724348737 Mon Sep 17 00:00:00 2001
From: Francis Charette Migneault
Date: Tue, 23 Jul 2024 16:27:52 -0400
Subject: [PATCH 3/3] fix inter-package dependency resolution
---
 requirements-sys.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/requirements-sys.txt b/requirements-sys.txt
index 2fdb0a0f..18a014bc 100644
--- a/requirements-sys.txt
+++ b/requirements-sys.txt
@@ -1,2 +1,3 @@
 pip
+packaging>=22.0
 setuptools>=71.0.3
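Review bot: The added `packaging>=22.0` line has no rationale, and the commit title "fix inter-package dependency resolution" does not say which package needed it, so the next maintainer cannot tell when the floor may be relaxed or why it sits in the bootstrap file rather than requirements.txt. Presumably it is there because setuptools 71 started preferring an already-installed `packaging` over its vendored copy and fails with older releases; if that is confirmed I would write `packaging>=22.0  # setuptools>=71 uses an installed 'packaging' when present; older releases break the build`. For consistency, `pip` in this same file is still unbounded while the other two lines now carry security floors; giving it a floor too would keep the bootstrap environment reproducible.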