security updates for setuptools, requests, urllib, zipp (fixes #614, f…

…ixes #615, fixes #616, fixes #617, fixes #618, fixes #619)
Ouranosinc · Jul 23, 2024 · d0c8829 · d0c8829
1 parent af17ee6
commit d0c8829
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -9,7 +9,14 @@ Changes
 `Unreleased <https://github.com/Ouranosinc/Magpie/tree/master>`_ (latest)
 ------------------------------------------------------------------------------------
 
-* Nothing new for the moment.
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+
+* Update docker with latest ``python:3.11-alpine3.20`` base.
+* Pin ``setuptools>=71.0.3`` for CVE-2024-6345.
+* Pin ``requests>=2.32.3`` for CVE-2024-35195.
+* Pin ``urllib3>=2.2.2`` for CVE-2024-37891.
+* Pin ``zipp>=3.19.1`` for CVE-2024-5569.
 
 .. _changes_4.1.0:
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-alpine3.19
+FROM python:3.11-alpine3.20
 LABEL Description="Runs Magpie AuthN/AuthZ service for REST-API and UI interfaces."
 LABEL Maintainer="Francis Charette-Migneault <francis.charette-migneault@crim.ca>"
 LABEL Vendor="CRIM"

diff --git a/requirements-doc.txt b/requirements-doc.txt
@@ -2,6 +2,7 @@
 # these are doc-only requirements
 # we actually need to install all requirements during docs build because of OpenAPI generation
 # (see 'docs/conf.py')
+-r requirements.txt
 astroid<2.12    # pin to resolve sphinx-autoapi (see https://github.com/readthedocs/sphinx-autoapi/issues/349)
 pycodestyle>=2.6.0,<3
 # sphinx-autoapi dropped 3.5 support at 1.3.0

diff --git a/requirements-sys.txt b/requirements-sys.txt
@@ -1,2 +1,2 @@
 pip
-setuptools>=65.5.1
+setuptools>=71.0.3
diff --git a/requirements.txt b/requirements.txt
@@ -25,7 +25,7 @@ pyramid_retry==2.1.1
 pyramid_tm>=2.2.1
 python-dotenv
 pyyaml>=5.1
-requests
+requests>=2.32.3
 requests_file
 simplejson
 six>=1.12.0
@@ -36,8 +36,10 @@ sqlalchemy-utils==0.39.0  # pyup: ignore
 threddsclient>=0.4.2
 transaction
 typing_extensions
+urllib3>=2.2.2
 wheel>=0.38
 webob
 ziggurat_foundations==0.9.1
 zope.interface>=4.7.2,<5
 zope.sqlalchemy==1.6
+zipp>=3.19.1
diff --git a/setup.py b/setup.py
@@ -217,7 +217,7 @@ def _extra_requirements(base_requirements, other_requirements):
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
     ],
-    python_requires=">=3.5, <4",
+    python_requires=">=3.8, <4",
 
     # -- Package structure -------------------------------------------------
     packages=[__meta__.__package__],