Pedro Algarvio
53aafe7eba
Bump to pyyaml==6.0.1
due to https://github.com/yaml/pyyaml/issues/601
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-07-18 14:21:40 +01:00
Pedro Algarvio
5b2e752d5e
Bump to cryptography==41.0.2
to address GHSA-cf7p-gm2m-833m
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-38325
https://github.com/pyca/cryptography/issues/9207
https://github.com/pyca/cryptography/issues/9208
https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
https://pypi.org/project/cryptography/#history
pyca/cryptography@1ca7adc97b
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-07-16 17:44:45 -07:00
Pedro Algarvio
3d097b8ed5
Upgrade to cryptography==41.0.1
(and therefore pyopenssl==23.2.0)
due to https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
This only really impacts pip installs of Salt and the windows onedir
since the linux and macos onedir build every package dependency from
source, not from pre-existing wheels.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-07-06 18:04:43 +01:00
Megan Wilhite
dc8baed208
Update requests
2023-05-29 18:08:57 +01:00
Twangboy
e5c58d9ab9
Bump pyzmq to 25.0.2 on Windows
2023-04-13 12:32:43 +01:00
Twangboy
a32b2f82db
Remove mako from Windows and MacOS
2023-04-04 08:33:30 +01:00
Pedro Algarvio
9a32f14e41
Upgrade to pyopenssl==23.0.0 due to the cryptography upgrade.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-03-22 15:08:20 +00:00
Pedro Algarvio
5e7d4e3021
Upgrade to cryptography>=39.0.1
Due to:
* GHSA-x4qr-2fvf-3mr5
* GHSA-w7pp-m8wf-vj6r
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-03-22 15:08:20 +00:00
MKLeb
463d97e95f
Revert "Upgrade to cryptography==39.0.1"
This reverts commit 78fedf1656.
2023-02-24 07:20:18 +00:00
Pedro Algarvio
78fedf1656
Upgrade to cryptography==39.0.1
Due to:
* https://github.com/advisories/GHSA-x4qr-2fvf-3mr5
* https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-02-23 05:49:08 +00:00
Pedro Algarvio
4b708715f2
Upgrade to werkzeug==2.2.3
This addresses:
* https://github.com/advisories/GHSA-px8h-6qxv-m22q
* https://github.com/advisories/GHSA-xg9f-g7g7-2323
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-02-23 05:49:08 +00:00
Daniel A. Wozniak
990728fe46
Bump pyzmq to latest version on Windows
2023-02-15 14:24:35 -07:00
Pedro Algarvio
3fa827925f
Fix pre-commit by changing the pyzmq requirements.
It's now `pyzmq>=20.0.0` on all platforms, and `<=22.0.3` just for windows.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-02-09 05:37:59 +00:00
Pedro Algarvio
cea048be5f
Update docs related requirements
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-02-04 14:11:36 +00:00
Pedro Algarvio
6acef263b1
Stop triggering the jinja2.contextfunction deprecation warning
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-01-18 11:54:43 +00:00
Pedro Algarvio
5a0fd275eb
Update setproctitle requirements to stop getting the PY_SSIZE_T_CLEAN warning
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-01-18 11:54:43 +00:00
Pedro Algarvio
4ecfd3d3d5
Use `packaging` for version parsing, `looseversion` only when needed.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2023-01-09 12:31:51 -07:00
Twangboy
ec7926b662
Fix pre-commit
2023-01-03 09:00:00 -07:00
Twangboy
2eb4c90f40
Update pythonnet to 3.0.1 to support Python 3.10
2023-01-03 08:59:54 -07:00
Pedro Algarvio
e47e47a7e6
Bump to gitpython==3.1.30
because of https://github.com/advisories/GHSA-hcpj-qp55-gfph
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-31 15:02:22 +00:00
Pedro Algarvio
7969d09be9
Bump to wheel==0.38.4
due to https://github.com/advisories/GHSA-qwmp-2cf2-g9g6
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-28 15:49:37 +00:00
Twangboy
ca4d05043f
Remove libnacl from requirements
2022-12-23 10:25:16 +00:00
David Murphy
75b1be30a6
Further cleanup, removed use of looseversion and packaging
2022-12-20 07:07:21 -07:00
David Murphy
e8441238e1
Initial removal of distutils usage and replacement with setuptools
2022-12-20 07:07:21 -07:00
Pedro Algarvio
7df5feb62b
Bump to certifi>=2022.12.7
Follow up to https://github.com/saltstack/salt/pull/63284
See https://github.com/advisories/GHSA-43fp-rhv2-5gv8 for additional context.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-12 04:32:02 +00:00
Pedro Algarvio
f59bf99cda
Drop pycurl requirement, see https://github.com/saltstack/relative-environment-for-python/issues/50
Properly compile windows requirements on Py3.10
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-12-05 05:03:44 +00:00
Megan Wilhite
78e8862529
Bump mako for remaining requirement files
2022-10-03 14:19:02 -06:00
Carlos Álvaro
b3c6d949ba
fix: Update setproctitle version for all platforms
2022-09-01 13:33:16 -06:00
Pedro Algarvio
e3929c59d1
Bump to `pyzmq==23.2.0` for Python >=3.9
This way we can use wheel packages on Py3.10 instead of having it build
from source.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-07-10 09:42:59 +01:00
Pedro Algarvio
e68cd5e991
Bump to `lxml==4.9.1` to address CVE-2022-2309
See https://github.com/advisories/GHSA-wrxv-2j5q-m38w
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-07-08 11:29:32 +01:00
Pedro Algarvio
f6fd24f125
Upgrade some requirements
These requirements should be kept up-to-date as much as possible.
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-06-06 07:18:12 -06:00
Pedro Algarvio
46e6416e5b
Update to `python-gnupg==0.4.8`
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-04-08 09:10:15 -04:00
Wayne Werner
f4e12fc7ba
Updating msgpack version for windows
Before it was pinned to an out of date buggy version, this should fix
some errors and inconsistencies.
2022-04-07 15:52:57 -04:00
Pedro Algarvio
75ed972d72
Update requirements to address known security vulnerabilities
Closes #61516
Closes #61515
Closes #61514
Closes #61513
Closes #61520
Closes #61096
Closes #60944
Closes #61558
Closes #61559
Closes #61560
Closes #61561
Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2022-02-08 06:34:43 -08:00
Pedro Algarvio
2ed6d1a974
Enforce requirements and their versions consistency
Use the packaging requirements as version constraints to all other
requirements files which should include Salt's base requirements.
The nox sessions now don't install the base requirements since the "top"
requirements file includes the base requirements.
All of this, ensuring that the same versions are used on all of them.
2021-09-21 13:42:53 -07:00
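The two commits above, "Update requirements to address known security vulnerabilities" and "Enforce requirements and their versions consistency", describe a pair of checks that are easy to automate: every pin in the base requirements must be repeated identically in every derived requirements file, and no pin may sit below the patched version named in an advisory. The script below is an added example, not Salt's own tooling (Salt compiles its requirements with pip-tools and nox). It assumes requirement lines of the simple forms `name==X.Y.Z`, `name>=X.Y.Z` or `name<=X.Y.Z` with dotted-integer versions, so a tuple of ints suffices and the `packaging` library is not needed; the file contents and the `MIN_SAFE` table are constructed from the advisories quoted elsewhere in this log.

```python
"""Added example (not Salt's tooling): requirements pin consistency and
minimum-safe-version checks, standard library only.

Assumption: lines are name==X.Y.Z / name>=X.Y.Z / name<=X.Y.Z with
dotted-integer versions (no pre-release or local tags).
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed stand-ins for a base requirements file and the files it constrains.
BASE_REQUIREMENTS = """
# base (constructed)
pyyaml==6.0.1
cryptography==41.0.2
urllib3==1.26.6
jinja2==2.11.3
"""

OTHER_REQUIREMENTS = {
    "ci.txt": """
pyyaml==6.0.1
cryptography==41.0.1
urllib3==1.26.6
jinja2==2.11.3
lxml==4.6.2
""",
    "docs.txt": """
pyyaml==6.0.1
cryptography==41.0.2
urllib3==1.26.6
jinja2==2.11.3
""",
}

# Patched versions from advisories quoted in this log (urllib3 CVE-2021-33503,
# Jinja2 CVE-2020-28493, lxml CVE-2021-28957, cryptography GHSA-cf7p-gm2m-833m).
MIN_SAFE: Dict[str, Version] = {
    "urllib3": (1, 26, 5),
    "jinja2": (2, 11, 3),
    "lxml": (4, 6, 3),
    "cryptography": (41, 0, 2),
}

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=)\s*([0-9][0-9.]*)\s*(?:#.*)?$"
)


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_requirements(text: str) -> Dict[str, Tuple[str, Version]]:
    """Map normalised package name -> (operator, version); comments and blanks are skipped."""
    result: Dict[str, Tuple[str, Version]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _REQ_RE.match(line)
        if match is None:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name, op, version = match.groups()
        result[name.lower().replace("_", "-")] = (op, parse_version(version))
    return result


def find_inconsistencies(base: str, others: Dict[str, str]) -> List[str]:
    """Every == pin in base must appear, with the same version, in every other file."""
    problems: List[str] = []
    base_pins = {n: v for n, (op, v) in parse_requirements(base).items() if op == "=="}
    for fname, text in others.items():
        pins = parse_requirements(text)
        for name, base_version in base_pins.items():
            if name not in pins:
                problems.append(f"{fname}: {name} missing (base pins {fmt(base_version)})")
            elif pins[name] != ("==", base_version):
                op, version = pins[name]
                problems.append(f"{fname}: {name}{op}{fmt(version)} != base {name}=={fmt(base_version)}")
    return problems


def find_vulnerable_pins(text: str) -> List[str]:
    """Flag pins that can resolve below the patched version."""
    problems: List[str] = []
    for name, (op, version) in parse_requirements(text).items():
        floor = MIN_SAFE.get(name)
        if floor is None:
            continue
        # A '<=' cap can always resolve below the floor; '==' and '>=' are judged by the stated version.
        if op == "<=" or version < floor:
            problems.append(f"{name}{op}{fmt(version)} can resolve below patched {fmt(floor)}")
    return problems
```

Running `find_inconsistencies(BASE_REQUIREMENTS, OTHER_REQUIREMENTS)` on the constructed data reports only the stale cryptography pin in `ci.txt`, and `find_vulnerable_pins` on that file reports both cryptography and lxml; `>=` floors are accepted when the floor itself is at or above the patched version, which is why the page's `certifi>=2022.12.7` style of bump passes while a `<=` cap never does.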
Pedro Algarvio
a46aa3a55c
Bump to `urllib3==1.26.6`
GHSA-q2q7-5pp4-w6pg
high severity
Vulnerable versions: < 1.26.5
Patched version: 1.26.5
Impact
When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits
catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Patches
The issue has been fixed in urllib3 v1.26.5.
References
* [CVE-2021-33503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503)
* [JVNVU#92413403 (English)](https://jvn.jp/en/vu/JVNVU92413403/)
* [JVNVU#92413403 (Japanese)](https://jvn.jp/vu/JVNVU92413403/)
* [urllib3 v1.26.5](https://github.com/urllib3/urllib3/releases/tag/1.26.5)
2021-08-02 16:13:40 -07:00
Pedro Algarvio
a0c612b453
Enable Py3.10 windows requirements
2021-07-23 13:06:52 -07:00
Pedro Algarvio
5f66dce4a9
Match PyYAML versions
This will prevent issues like:
```
Installing collected packages: pyyaml
Attempting uninstall: pyyaml
Found existing installation: PyYAML 5.3.1
Uninstalling PyYAML-5.3.1:
ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: '~/.cache/pre-commit/repo55iq10l1/py_env-python3/lib/python3.8/site-packages/PyYAML-5.3.1.dist-info/'
```
2021-06-09 12:53:22 -07:00
Pedro Algarvio
ec6e96a036
Upgrade to six==1.16.0
to avoid problems on CI runs
```
13:59:02 nox > Session invoke-pre-commit was successful.
13:59:02 nox > Running session invoke-pre-commit
13:59:02 nox > pip install --progress-bar=off -r requirements/static/ci/py3.7/invoke.txt
13:59:02 Collecting blessings==1.7
13:59:02 Using cached blessings-1.7-py3-none-any.whl (18 kB)
13:59:02 Collecting invoke==1.4.1
13:59:02 Using cached invoke-1.4.1-py3-none-any.whl (210 kB)
13:59:02 Collecting pyyaml==5.3.1
13:59:02 Using cached PyYAML-5.3.1.tar.gz (269 kB)
13:59:02 Collecting six==1.15.0
13:59:02 Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
13:59:02 Building wheels for collected packages: pyyaml
13:59:02 Building wheel for pyyaml (setup.py) ... - \ | / - \ | done
13:59:02 Created wheel for pyyaml: filename=PyYAML-5.3.1-cp37-cp37m-linux_x86_64.whl size=546391 sha256=e42e1d66cc32087f4d33ceb81268c86b59f1a97029b19459f91b8d6ad1430167
13:59:02 Stored in directory: /var/jenkins/.cache/pip/wheels/5e/03/1e/e1e954795d6f35dfc7b637fe2277bff021303bd9570ecea653
13:59:02 Successfully built pyyaml
13:59:02 Installing collected packages: six, pyyaml, invoke, blessings
13:59:02 Attempting uninstall: six
13:59:02 Found existing installation: six 1.16.0
13:59:02 Uninstalling six-1.16.0:
13:59:02 ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: '/var/jenkins/.cache/pre-commit/repomw8oee1s/py_env-python3/lib/python3.7/site-packages/__pycache__/six.cpython-37.pyc'
13:59:02
13:59:02 nox > Command pip install --progress-bar=off -r requirements/static/ci/py3.7/invoke.txt failed with exit code 1
13:59:02 nox > Session invoke-pre-commit failed.
```
2021-05-27 09:32:39 -04:00
Pedro Algarvio
8ebaf76106
Update Jinja2 and lxml due to security related bugfix releases
Jinja2
------
CVE-2020-28493
moderate severity
Vulnerable versions: < 2.11.3
Patched version: 2.11.3
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
lxml
----
CVE-2021-28957
moderate severity
Vulnerable versions: < 4.6.3
Patched version: 4.6.3
An XSS vulnerability was discovered in the python lxml clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
2021-05-24 08:19:57 -04:00
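Both the urllib3 advisory (a46aa3a55c, "many @ characters in the authority component ... catastrophic backtracking") and the Jinja2 advisory above describe the same bug class: a regex in which one character can be consumed by more than one sub-pattern, so a failing input makes the engine try every split. The following is an added example, not code from Jinja2, urllib3 or Salt. It rebuilds an e-mail pattern from the sub-pattern quoted in the CVE-2020-28493 text, reading the separator as a literal `\.` (an assumption; the advisory text lost the backslash) and adding a `^\S+@ ... $` frame of this example's own; the unambiguous rewrite, the length cap and the inputs are also constructed here.

```python
"""Added example (not Jinja2's or urllib3's code): an ambiguous regex that
backtracks quadratically on a crafted input, beside an unambiguous rewrite
and a length guard. Assumption: the vulnerable pattern is reconstructed
from the advisory's sub-pattern with '\\.' as the separator.
"""
import re
import time

# Ambiguous: '.' is a member of both character classes AND the separator, so a
# run of n dots can be split between the three parts in O(n^2) ways before the
# engine concludes that the trailing '$' cannot match.
AMBIGUOUS_EMAIL = re.compile(r"^\S+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+$")

# Unambiguous: labels cannot contain '.', so every dot has exactly one role and
# a failing input is rejected after a single linear pass.
SAFE_EMAIL = re.compile(r"^[^\s@]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+$")

# RFC 5321 caps a mailbox at 254 octets; anything longer cannot be valid, so it
# is rejected before any regex runs. The cap is the cheap, deterministic guard.
MAX_CANDIDATE_LEN = 254


def looks_like_email(candidate: str, pattern: "re.Pattern[str]" = SAFE_EMAIL) -> bool:
    """Length guard first, then the linear-time pattern."""
    if len(candidate) > MAX_CANDIDATE_LEN:
        return False
    return pattern.fullmatch(candidate) is not None


def adversarial_input(n: int) -> str:
    """'a@' + n dots + a final char that forces '$' to fail (constructed input)."""
    return "a@" + "." * n + "!"


def time_match(pattern: "re.Pattern[str]", text: str) -> float:
    """Seconds spent deciding whether text matches pattern."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Doubling n roughly quadruples the ambiguous pattern's time; the safe
    # pattern stays flat. Exact figures depend on the machine.
    for n in (1000, 2000, 4000):
        s = adversarial_input(n)
        print(f"n={n:5d}  ambiguous={time_match(AMBIGUOUS_EMAIL, s):.3f}s"
              f"  safe={time_match(SAFE_EMAIL, s):.6f}s")
```

Python's `re` module has no per-match timeout, which is why the advisory text falls back to request timeouts and memory limits as mitigations; the two controls that act inside the process are the ones shown: remove the ambiguity from the pattern, and bound the input length before the pattern ever sees it.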
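The lxml issue above is a denylist failure: the Cleaner knew about event-handler attributes but not about `formaction`, which on a `<button>` or `<input>` overrides the form's `action` and accepts a `javascript:` URL. The sanitizer below is an added example built on the standard library's `html.parser`, not lxml's Cleaner and not Salt code; it runs the same constructed payload through a denylist that mirrors that gap and through an attribute allowlist that closes it. The allowed tag and attribute sets are illustrative choices for this example.

```python
"""Added example (not lxml's Cleaner): allowlist attribute sanitising on top
of html.parser, beside a denylist that, like the bug described above,
does not know about formaction. Tag/attribute sets are illustrative.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple

ALLOWED_TAGS = {"a", "b", "i", "p", "br", "form", "button", "input"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "form": {"action", "method"},
    "button": {"type", "name"},
    "input": {"type", "name", "value"},
}
URL_ATTRS = {"href", "action"}           # values the browser navigates to
VOID_TAGS = {"br", "input"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text are both discarded

# Denylist in the style the advisory describes: known-dangerous attributes are
# stripped, but formaction (which also takes a javascript: URL) is not listed.
DENYLISTED_ATTRS = {"onclick", "onload", "onerror", "onmouseover", "onsubmit"}


def safe_url(value: str) -> bool:
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc.
    Control characters and spaces are removed first, since browsers ignore
    them inside a scheme ('java\\tscript:' still runs)."""
    compact = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    before_path = compact.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in before_path:
        return True
    return before_path.split(":", 1)[0] in {"http", "https", "mailto"}


class AttrSanitizer(HTMLParser):
    def __init__(self, allowlist: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.allowlist = allowlist
        self.skipping: Optional[str] = None  # name of the script/style tag being dropped
        self.out: List[str] = []

    def _keep(self, tag: str, name: str, value: Optional[str]) -> bool:
        if self.allowlist:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                return False
        elif name in DENYLISTED_ATTRS:
            return False
        if name in URL_ATTRS and not safe_url(value or ""):
            return False
        return True

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = "".join(
            f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs if self._keep(tag, n, v)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag: str) -> None:
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self.skipping:
            self.out.append(escape(data))


def sanitize(html: str, allowlist: bool = True) -> str:
    parser = AttrSanitizer(allowlist)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed payload: the event handler is on the denylist, formaction is not.
PAYLOAD = (
    '<form action="/login" method="post">'
    '<button formaction="javascript:alert(document.cookie)" onclick="alert(1)">Go</button>'
    "</form>"
)
```

With `allowlist=False` the output still carries `formaction="javascript:alert(document.cookie)"` (only `onclick` is gone), which is the shape of the lxml bug; with `allowlist=True` the button keeps nothing it was not explicitly granted. The design point is that an allowlist never needs to learn about a new attribute to stay safe, whereas a denylist is wrong until someone files the CVE.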
Pedro Algarvio
2ea5ad81a9
Compile the requirements
2021-05-05 06:48:41 -07:00