authorHao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>2024-02-26 16:48:38 +0100
committerGitHub <noreply@github.com>2024-02-26 16:48:38 +0100
commit88e406e121dc4ca70dc82169dd49f62d33400d8f (patch)
treee83cd70d6881f9522739681ead7c7fb6b65ccac9 /requirements
parentFixed some misc errors in illustrations and header formatting (diff)
downloadawx-88e406e121dc4ca70dc82169dd49f62d33400d8f.tar.xz
awx-88e406e121dc4ca70dc82169dd49f62d33400d8f.zip
Fix CVEs and bump receptorctl (#14925)
CVE-2023-47627 CVE-2023-49083 CVE-2023-41040 CVE-2024-22195 CVE-2023-46137
Diffstat (limited to 'requirements')
-rw-r--r--requirements/requirements.in18
-rw-r--r--requirements/requirements.txt16
2 files changed, 16 insertions, 18 deletions
diff --git a/requirements/requirements.in b/requirements/requirements.in
index e8136652b3..3601c4a07b 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -1,4 +1,4 @@
-aiohttp
+aiohttp>=3.8.6 # CVE-2023-47627
ansiconv==1.0.0 # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
asciichartpy
asn1
@@ -8,7 +8,7 @@ boto3
botocore
channels
channels-redis==3.4.1 # see UPGRADE BLOCKERs
-cryptography>=41.0.2 # CVE-2023-38325
+cryptography>=41.0.6 # CVE-2023-49083
Cython<3 # this is needed as a build dependency, one day we may have separated build deps
daphne
distro
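Review bot: The new comment on `cryptography>=41.0.6` replaces the earlier `CVE-2023-38325` reference instead of extending it, so the file no longer records that the floor also exists for that advisory. The `GitPython>=3.1.37` line in the next hunk does the same with `CVE-2023-40267`. Because both floors were only raised, the earlier fixes are presumably still covered, but keeping both ids preserves the audit trail for anyone who later wants to relax the bound, e.g. `cryptography>=41.0.6 # CVE-2023-38325, CVE-2023-49083`.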
@@ -26,15 +26,15 @@ django-split-settings==1.0.0 # We hit a strange issue where the release proce
djangorestframework
djangorestframework-yaml
filelock
-GitPython>=3.1.32 # CVE-2023-40267
+GitPython>=3.1.37 # CVE-2023-41040
hiredis==2.0.0 # see UPGRADE BLOCKERs
irc
-jinja2
+jinja2>=3.1.3 # CVE-2024-22195
JSON-log-formatter
jsonschema
Markdown # used for formatting API help
openshift
-pexpect==4.7.0 # see library notes
+pexpect==4.7.0 # see library notes
prometheus_client
psycopg
psutil
@@ -49,20 +49,20 @@ pyyaml>=6.0.1
receptorctl
social-auth-core[openidconnect]==4.4.2 # see UPGRADE BLOCKERs
social-auth-app-django==5.4.0 # see UPGRADE BLOCKERs
-sqlparse >= 0.4.4 # Required by django https://github.com/ansible/awx/security/dependabot/96
+sqlparse>=0.4.4 # Required by django https://github.com/ansible/awx/security/dependabot/96
redis
requests
slack-sdk
tacacs_plus==1.0 # UPGRADE BLOCKER: auth does not work with later versions
twilio
-twisted[tls]
+twisted[tls]>=23.10.0 # CVE-2023-46137
uWSGI
uwsgitop
-wheel>=0.38.1 # CVE-2022-40898
+wheel>=0.38.1 # CVE-2022-40898
pip==21.2.4 # see UPGRADE BLOCKERs
setuptools # see UPGRADE BLOCKERs
setuptools_scm[toml] # see UPGRADE BLOCKERs, xmlsec build dep
-setuptools-rust >= 0.11.4 # cryptography build dep
+setuptools-rust>=0.11.4 # cryptography build dep
pkgconfig>=1.5.1 # xmlsec build dep - needed for offline build
# Temporarily added to use ansible-runner from git branch, to be removed
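Review bot: `receptorctl` stays unconstrained in this hunk although the commit title says it is bumped; the move from 1.4.2 to 1.4.4 appears only in the compiled requirements.txt. If that bump is required for one of the listed fixes (the page does not say), a floor with a reason comment, `receptorctl>=1.4.4 # <reason>`, would keep a later re-compile or a conflicting constraint from resolving below it, the same way `twisted[tls]>=23.10.0 # CVE-2023-46137` is handled here. The same hunk also mixes whitespace-only normalisation (`sqlparse`, `wheel`, `setuptools-rust`) with the security floors, which makes the security-relevant lines harder to pick out in review.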
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index f7eccba4c2..a23369eb2f 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -1,6 +1,6 @@
adal==1.2.7
# via msrestazure
-aiohttp==3.8.3
+aiohttp==3.9.3
# via -r /awx_devel/requirements/requirements.in
aioredis==1.3.1
# via channels-redis
@@ -70,14 +70,12 @@ channels==3.0.5
channels-redis==3.4.1
# via -r /awx_devel/requirements/requirements.in
charset-normalizer==2.1.1
- # via
- # aiohttp
- # requests
+ # via requests
click==8.1.3
# via receptorctl
constantly==15.1.0
# via twisted
-cryptography==41.0.3
+cryptography==41.0.7
# via
# -r /awx_devel/requirements/requirements.in
# adal
@@ -163,7 +161,7 @@ frozenlist==1.3.3
# aiosignal
gitdb==4.0.10
# via gitpython
-gitpython==3.1.32
+gitpython==3.1.42
# via -r /awx_devel/requirements/requirements.in
google-auth==2.14.1
# via kubernetes
@@ -216,7 +214,7 @@ jaraco-text==3.11.0
# via
# irc
# jaraco-collections
-jinja2==3.1.2
+jinja2==3.1.3
# via -r /awx_devel/requirements/requirements.in
jmespath==1.0.1
# via
@@ -362,7 +360,7 @@ pyyaml==6.0.1
# djangorestframework-yaml
# kubernetes
# receptorctl
-receptorctl==1.4.2
+receptorctl==1.4.4
# via -r /awx_devel/requirements/requirements.in
redis==4.3.5
# via -r /awx_devel/requirements/requirements.in
@@ -440,7 +438,7 @@ tomli==2.0.1
# via setuptools-scm
twilio==7.15.3
# via -r /awx_devel/requirements/requirements.in
-twisted[tls]==22.10.0
+twisted[tls]==23.10.0
# via
# -r /awx_devel/requirements/requirements.in
# daphne