Upgraded versions for dependent repo and included gunicorn as http se… (

#35) * Upgraded versions for dependent repo and included gunicorn as http server - reverted redis version as dependency also needed to be chaged. - Versions for flask updated to available - Versions for gitpython updated to >=3.1.20 - Versions for marshmellow updated to >=3.14.1 - Versions for requests updated to >=2.27.1 - contextvars library added * - resolved another critical vulerability CVE-2022-24439 Detail All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. Resolution :: Upgrade GitPython to version 3.1.30 or higher. https://nvd.nist.gov/vuln/detail/CVE-2022-24439 https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
redhataccess · Feb 1, 2023 · 7d05a6a · 7d05a6a
1 parent 4f842ac
commit 7d05a6a
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 27 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -1,18 +1,20 @@
 flasgger==0.9.5
-Flask==1.1.2
+Flask>=2.2.2
 #git2pantheon~=0.1
-Werkzeug==1.0.1
-redis==3.5.3
-setuptools==54.2.0
-flask-cors==3.0.10
-
-marshmallow==3.10.0
-Flask-Executor==0.9.4
+redis>=4.4.2
+setuptools==66.0.0
+Flask-Cors==3.0.10
+marshmallow>=3.19.1
+Flask-Executor==1.0.0
 giturlparse==0.10.0
-PyYAML==5.4.1
-edgegrid-python==1.0.10
-decorest==0.0.6
-requests
-requests-toolbelt==0.9.1
-gitpython==3.1.11
-git+https://github.com/redhataccess/pantheon-uploader.git
+PyYAML==6.0
+edgegrid-python==1.3.1
+decorest==0.1.0
+requests>=2.28.3
+requests-toolbelt==0.10.1
+gitpython>=3.1.30
+gunicorn==20.1.0
+jinja2==3.1.2
+typing-extensions>=4.4.0
+contextvars>=2.4
+git+https://github.com/redhataccess/pantheon-uploader.git
diff --git a/setup.py b/setup.py
@@ -20,28 +20,28 @@
         'pyxdg>=0.26',
         'PyYAML>=5.3.1',
         'redis>=3.5.3',
-        'requests>=2.22.0',
         'requests-file>=1.4.3',
         'requests-ftp>=0.3.1',
         'simpleline>=1.6',
         'six>=1.14.0',
         'tinycss2>=1.0.2',
-        'Flask>=1.1.2',
+        'Flask>=2.0.3',
         'urllib3>=1.25.7',
         'webencodings>=0.5.1',
-        'Werkzeug>=1.0.1',
         'xcffib>=0.9.0',
-        'gitpython==3.1.11',
-        'flask-cors>=3.0.9',
+        'gitpython>=3.1.30',
+        'Flask-Cors>=3.0.10',
         'flasgger>=0.9.5',
-        'Flask-Executor>=0.9.4',
+        'Flask-Executor>=1.0.0',
         'giturlparse>=0.10.0',
-        'marshmallow>=3.9.1',
-        'gunicorn',
-        'edgegrid-python>=1.0.10',
-        'decorest>=0.0.6',
-        'requests',
-        'requests-toolbelt>=0.9.1',
+        'marshmallow>=3.14.1',
+        'gunicorn>=20.1.0',
+        'edgegrid-python>=1.3.1',
+        'decorest>=0.1.0',
+        'requests>=2.27.1',
+        'requests-toolbelt>=0.10.1',
+        'contextvars>=2.3',
+        'typing-extensions>=4.4.0',
         'pantheon-uploader@ git+https://github.com/redhataccess/pantheon-uploader.git@master#egg=pantheon-uploader-0.2'
     ],
     dependency_links=['https://github.com/redhataccess/pantheon-uploader/tarball/master#egg=pantheon-uploader'],