
updated pip pkg: requests, Jinja2, tqdm, Werkzeug #9196

Merged
merged 1 commit into from
May 27, 2024

Conversation

smuzaffar
Contributor

As noted by dependabot, this update fixes the following issues

  • Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
  • Requests Session object does not verify requests after making first request with verify=False
  • Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • tqdm CLI arguments injection attack
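An added example, not part of this pull request and not Jinja2's own code, illustrating the class of problem behind the third item above: when attribute *names* come from untrusted input, an unvalidated key can carry extra markup into the rendered tag. The helper below uses only the standard library; its key pattern is an assumption of this example chosen to be conservative (the upstream Jinja2 hardening rejects keys containing whitespace, `/`, `>` or `=`), and the inputs are constructed samples.

```python
import html
import re

# Conservative attribute-name pattern (assumption of this example, not
# Jinja2's exact rule): letters, digits, '_', ':', '.', '-' only, so a key
# can never contain whitespace, quotes, '/', '>' or '='.
_ATTR_KEY_RE = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$", re.ASCII)


def safe_xmlattr(attrs: dict) -> str:
    """Render a dict as ' key="value"' pairs, rejecting unsafe attribute names.

    Values are HTML-escaped. Keys must match _ATTR_KEY_RE; otherwise a
    ValueError is raised so the caller fails closed instead of emitting a
    tag with attacker-shaped attributes. None values are skipped.
    """
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        if not _ATTR_KEY_RE.match(key):
            raise ValueError(f"invalid attribute name: {key!r}")
        escaped = html.escape(str(value), quote=True)
        parts.append(f'{key}="{escaped}"')
    return "".join(" " + p for p in parts)


def render_link(user_attrs: dict, text: str) -> str:
    """Build an <a> element from user-supplied attributes and link text."""
    return f"<a{safe_xmlattr(user_attrs)}>{html.escape(text)}</a>"


if __name__ == "__main__":
    # Constructed sample: ordinary attributes render with escaped values.
    print(render_link({"href": "/docs", "title": 'Say "hi"'}, "Docs"))
    # Constructed sample: a key containing a space is refused outright.
    try:
        render_link({"href x": "/docs"}, "Docs")
    except ValueError as exc:
        print("rejected:", exc)
```

The point for a reviewer of such a dependency bump: escaping values is not enough when keys are also untrusted; validation has to cover the attribute name itself, which is what the patched `xmlattr` filter now does.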

@smuzaffar
Contributor Author

please test

@cmsbuild
Contributor

A new Pull Request was created by @smuzaffar for branch IB/CMSSW_14_1_X/master.

@smuzaffar, @aandvalenzuela, @iarspider can you please review it and eventually sign? Thanks.
@antoniovilela, @rappoccio, @sextonkennedy you are the release manager for this.
cms-bot commands are listed here

@cmsbuild
Contributor

cmsbuild commented May 21, 2024

cms-bot internal usage

@cmsbuild
Contributor

+1

Summary: https://cmssdt.cern.ch/SDT/jenkins-artifacts/pull-request-integration/PR-6643eb/39439/summary.html
COMMIT: 98f692f
CMSSW: CMSSW_14_1_X_2024-05-20-2300/el8_amd64_gcc12
User test area: For local testing, you can use /cvmfs/cms-ci.cern.ch/week0/cms-sw/cmsdist/9196/39439/install.sh to create a dev area with all the needed externals and cmssw changes.

Comparison Summary

Summary:

@smuzaffar
Contributor Author

+externals

@smuzaffar smuzaffar merged commit 9ad811d into IB/CMSSW_14_1_X/master May 27, 2024
9 checks passed
@cmsbuild
Contributor

This pull request is fully signed and it will be integrated in one of the next IB/CMSSW_14_1_X/master IBs (tests are also fine). This pull request will now be reviewed by the release team before it's merged. @rappoccio, @antoniovilela, @sextonkennedy (and backports should be raised in the release meeting by the corresponding L2)

@cmsbuild cmsbuild mentioned this pull request May 27, 2024
@smuzaffar smuzaffar deleted the py-pkg-security-fixes branch June 6, 2024 20:05