diff --git a/audits/aider-requirements.audit.json b/audits/aider-requirements.audit.json
index d0d93aaf..34c8e2ea 100644
--- a/audits/aider-requirements.audit.json
+++ b/audits/aider-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/ansible-lint-requirements.audit.json b/audits/ansible-lint-requirements.audit.json
index b800aff7..462497a2 100644
--- a/audits/ansible-lint-requirements.audit.json
+++ b/audits/ansible-lint-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json
index 3ad57626..fb2b7530 100644
--- a/audits/certsync-requirements.audit.json
+++ b/audits/certsync-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/charmcraft-requirements.audit.json b/audits/charmcraft-requirements.audit.json
index bf82fb9c..e9e8e4b1 100644
--- a/audits/charmcraft-requirements.audit.json
+++ b/audits/charmcraft-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/condure-requirements.audit.json b/audits/condure-requirements.audit.json
deleted file mode 100644
index 95e2c5e3..00000000
--- a/audits/condure-requirements.audit.json
+++ /dev/null
@@ -1,677 +0,0 @@ -[ - { - "package": { - "name": "setuptools", - "version": "69.1.1", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "condure-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-08-03T08:11:47Z", - "published": "2024-07-15T03:30:57Z", - "schema_version": "1.6.0", - "id": "GHSA-cx63-2mw6-8hw5", - "aliases": [ - "BIT-setuptools-2024-6345", - "CVE-2024-6345" - ], - "related": [ - "CGA-374g-f8mr-whvm", - "CGA-4mw5-xqpj-q4mq", - "CGA-c5cf-23gj-ccmf", - "CGA-c79m-39cv-2j6g", - "CGA-f2p4-hwhx-72xc", - "CGA-h655-78w4-797j", - "CGA-qmjx-gwcv-4p8x", - "CGA-rjmx-vqfq-f7rh", - "CGA-x22r-fp37-7vh6", - "CGA-xrq9-4hfh-g5jh" - ], - "summary": "setuptools vulnerable to Command Injection via package URL", - "details": "A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. 
The issue is fixed in version 70.0.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "setuptools", - "purl": "pkg:pypi/setuptools" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "70.0.0" - } - ] - } - ], - "versions": [ - "0.6b1", - "0.6b2", - "0.6b3", - "0.6b4", - "0.6c1", - "0.6c10", - "0.6c11", - "0.6c2", - "0.6c3", - "0.6c4", - "0.6c5", - "0.6c6", - "0.6c7", - "0.6c8", - "0.6c9", - "0.7.2", - "0.7.3", - "0.7.4", - "0.7.5", - "0.7.6", - "0.7.7", - "0.7.8", - "0.8", - "0.9", - "0.9.1", - "0.9.2", - "0.9.3", - "0.9.4", - "0.9.5", - "0.9.6", - "0.9.7", - "0.9.8", - "1.0", - "1.1", - "1.1.1", - "1.1.2", - "1.1.3", - "1.1.4", - "1.1.5", - "1.1.6", - "1.1.7", - "1.2", - "1.3", - "1.3.1", - "1.3.2", - "1.4", - "1.4.1", - "1.4.2", - "10.0", - "10.0.1", - "10.1", - "10.2", - "10.2.1", - "11.0", - "11.1", - "11.2", - "11.3", - "11.3.1", - "12.0", - "12.0.1", - "12.0.2", - "12.0.3", - "12.0.4", - "12.0.5", - "12.1", - "12.2", - "12.3", - "12.4", - "13.0", - "13.0.1", - "13.0.2", - "14.0", - "14.1", - "14.1.1", - "14.2", - "14.3", - "14.3.1", - "15.0", - "15.1", - "15.2", - "16.0", - "17.0", - "17.1", - "17.1.1", - "18.0", - "18.0.1", - "18.1", - "18.2", - "18.3", - "18.3.1", - "18.3.2", - "18.4", - "18.5", - "18.6", - "18.6.1", - "18.7", - "18.7.1", - "18.8", - "18.8.1", - "19.0", - "19.1", - "19.1.1", - "19.2", - "19.3", - "19.4", - "19.4.1", - "19.5", - "19.6", - "19.6.1", - "19.6.2", - "19.7", - "2.0", - "2.0.1", - "2.0.2", - "2.1", - "2.1.1", - "2.1.2", - "2.2", - "20.0", - "20.1", - "20.1.1", - "20.10.1", - "20.2.2", - "20.3", - "20.3.1", - "20.4", - "20.6.6", - "20.6.7", - "20.6.8", - "20.7.0", - "20.8.0", - "20.8.1", - "20.9.0", - "21.0.0", - "21.1.0", - "21.2.0", - "21.2.1", - "21.2.2", - "22.0.0", - "22.0.1", - "22.0.2", - "22.0.4", - "22.0.5", - "23.0.0", - "23.1.0", - "23.2.0", - "23.2.1", - "24.0.0", - "24.0.1", - "24.0.2", - "24.0.3", - "24.1.0", - "24.1.1", - "24.2.0", - "24.2.1", - 
"24.3.0", - "24.3.1", - "25.0.0", - "25.0.1", - "25.0.2", - "25.1.0", - "25.1.1", - "25.1.2", - "25.1.3", - "25.1.4", - "25.1.5", - "25.1.6", - "25.2.0", - "25.3.0", - "25.4.0", - "26.0.0", - "26.1.0", - "26.1.1", - "27.0.0", - "27.1.0", - "27.1.2", - "27.2.0", - "27.3.0", - "27.3.1", - "28.0.0", - "28.1.0", - "28.2.0", - "28.3.0", - "28.4.0", - "28.5.0", - "28.6.0", - "28.6.1", - "28.7.0", - "28.7.1", - "28.8.0", - "28.8.1", - "29.0.0", - "29.0.1", - "3.0", - "3.0.1", - "3.0.2", - "3.1", - "3.2", - "3.3", - "3.4", - "3.4.1", - "3.4.2", - "3.4.3", - "3.4.4", - "3.5", - "3.5.1", - "3.5.2", - "3.6", - "3.7", - "3.7.1", - "3.8", - "3.8.1", - "30.0.0", - "30.1.0", - "30.2.0", - "30.2.1", - "30.3.0", - "30.4.0", - "31.0.0", - "31.0.1", - "32.0.0", - "32.1.0", - "32.1.1", - "32.1.2", - "32.1.3", - "32.2.0", - "32.3.0", - "32.3.1", - "33.1.0", - "33.1.1", - "34.0.0", - "34.0.1", - "34.0.2", - "34.0.3", - "34.1.0", - "34.1.1", - "34.2.0", - "34.3.0", - "34.3.1", - "34.3.2", - "34.3.3", - "34.4.0", - "34.4.1", - "35.0.0", - "35.0.1", - "35.0.2", - "36.0.1", - "36.1.0", - "36.1.1", - "36.2.0", - "36.2.1", - "36.2.2", - "36.2.3", - "36.2.4", - "36.2.5", - "36.2.6", - "36.2.7", - "36.3.0", - "36.4.0", - "36.5.0", - "36.6.0", - "36.6.1", - "36.7.0", - "36.7.1", - "36.7.2", - "36.8.0", - "37.0.0", - "38.0.0", - "38.1.0", - "38.2.0", - "38.2.1", - "38.2.3", - "38.2.4", - "38.2.5", - "38.3.0", - "38.4.0", - "38.4.1", - "38.5.0", - "38.5.1", - "38.5.2", - "38.6.0", - "38.6.1", - "38.7.0", - "39.0.0", - "39.0.1", - "39.1.0", - "39.2.0", - "4.0", - "4.0.1", - "40.0.0", - "40.1.0", - "40.1.1", - "40.2.0", - "40.3.0", - "40.4.0", - "40.4.1", - "40.4.2", - "40.4.3", - "40.5.0", - "40.6.0", - "40.6.1", - "40.6.2", - "40.6.3", - "40.7.0", - "40.7.1", - "40.7.2", - "40.7.3", - "40.8.0", - "40.9.0", - "41.0.0", - "41.0.1", - "41.1.0", - "41.2.0", - "41.3.0", - "41.4.0", - "41.5.0", - "41.5.1", - "41.6.0", - "42.0.0", - "42.0.1", - "42.0.2", - "43.0.0", - "44.0.0", - "44.1.0", - "44.1.1", - 
"45.0.0", - "45.1.0", - "45.2.0", - "45.3.0", - "46.0.0", - "46.1.0", - "46.1.1", - "46.1.2", - "46.1.3", - "46.2.0", - "46.3.0", - "46.3.1", - "46.4.0", - "47.0.0", - "47.1.0", - "47.1.1", - "47.2.0", - "47.3.0", - "47.3.1", - "47.3.2", - "48.0.0", - "49.0.0", - "49.0.1", - "49.1.0", - "49.1.1", - "49.1.2", - "49.1.3", - "49.2.0", - "49.2.1", - "49.3.0", - "49.3.1", - "49.3.2", - "49.4.0", - "49.5.0", - "49.6.0", - "5.0", - "5.0.1", - "5.0.2", - "5.1", - "5.2", - "5.3", - "5.4", - "5.4.1", - "5.4.2", - "5.5", - "5.5.1", - "5.6", - "5.7", - "5.8", - "50.0.0", - "50.0.1", - "50.0.2", - "50.0.3", - "50.1.0", - "50.2.0", - "50.3.0", - "50.3.1", - "50.3.2", - "51.0.0", - "51.1.0", - "51.1.0.post20201221", - "51.1.1", - "51.1.2", - "51.2.0", - "51.3.0", - "51.3.1", - "51.3.2", - "51.3.3", - "52.0.0", - "53.0.0", - "53.1.0", - "54.0.0", - "54.1.0", - "54.1.1", - "54.1.2", - "54.1.3", - "54.2.0", - "56.0.0", - "56.1.0", - "56.2.0", - "57.0.0", - "57.1.0", - "57.2.0", - "57.3.0", - "57.4.0", - "57.5.0", - "58.0.0", - "58.0.1", - "58.0.2", - "58.0.3", - "58.0.4", - "58.1.0", - "58.2.0", - "58.3.0", - "58.4.0", - "58.5.0", - "58.5.1", - "58.5.2", - "58.5.3", - "59.0.1", - "59.1.0", - "59.1.1", - "59.2.0", - "59.3.0", - "59.4.0", - "59.5.0", - "59.6.0", - "59.7.0", - "59.8.0", - "6.0.1", - "6.0.2", - "6.1", - "60.0.0", - "60.0.1", - "60.0.2", - "60.0.3", - "60.0.4", - "60.0.5", - "60.1.0", - "60.1.1", - "60.10.0", - "60.2.0", - "60.3.0", - "60.3.1", - "60.4.0", - "60.5.0", - "60.6.0", - "60.7.0", - "60.7.1", - "60.8.0", - "60.8.1", - "60.8.2", - "60.9.0", - "60.9.1", - "60.9.2", - "60.9.3", - "61.0.0", - "61.1.0", - "61.1.1", - "61.2.0", - "61.3.0", - "61.3.1", - "62.0.0", - "62.1.0", - "62.2.0", - "62.3.0", - "62.3.1", - "62.3.2", - "62.3.3", - "62.3.4", - "62.4.0", - "62.5.0", - "62.6.0", - "63.0.0", - "63.0.0b1", - "63.1.0", - "63.2.0", - "63.3.0", - "63.4.0", - "63.4.1", - "63.4.2", - "63.4.3", - "64.0.0", - "64.0.1", - "64.0.2", - "64.0.3", - "65.0.0", - "65.0.1", - 
"65.0.2", - "65.1.0", - "65.1.1", - "65.2.0", - "65.3.0", - "65.4.0", - "65.4.1", - "65.5.0", - "65.5.1", - "65.6.0", - "65.6.1", - "65.6.2", - "65.6.3", - "65.7.0", - "66.0.0", - "66.1.0", - "66.1.1", - "67.0.0", - "67.1.0", - "67.2.0", - "67.3.1", - "67.3.2", - "67.3.3", - "67.4.0", - "67.5.0", - "67.5.1", - "67.6.0", - "67.6.1", - "67.7.0", - "67.7.1", - "67.7.2", - "67.8.0", - "68.0.0", - "68.1.0", - "68.1.2", - "68.2.0", - "68.2.1", - "68.2.2", - "69.0.0", - "69.0.1", - "69.0.2", - "69.0.3", - "69.1.0", - "69.1.1", - "69.2.0", - "69.3.0", - "69.3.1", - "69.4.0", - "69.4.1", - "69.4.2", - "69.5.0", - "69.5.1", - "7.0", - "8.0", - "8.0.1", - "8.0.2", - "8.0.3", - "8.0.4", - "8.1", - "8.2", - "8.2.1", - "8.3", - "9.0", - "9.0.1", - "9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cx63-2mw6-8hw5/GHSA-cx63-2mw6-8hw5.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/setuptools/pull/4332" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pypa/setuptools" - }, - { - "type": "WEB", - "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-94" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-07-15T16:25:38Z", - "nvd_published_at": "2024-07-15T01:15:01Z", - "severity": "HIGH" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-cx63-2mw6-8hw5" - ], - "aliases": [ - "BIT-setuptools-2024-6345", - "CVE-2024-6345", - 
"GHSA-cx63-2mw6-8hw5"
- ],
- "max_severity": "8.8"
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json
index 3504fb56..6be7c76c 100644
--- a/audits/gdbgui-requirements.audit.json
+++ b/audits/gdbgui-requirements.audit.json
@@ -282,13 +282,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -677,9 +681,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -687,7 +693,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/gi-docgen-requirements.audit.json b/audits/gi-docgen-requirements.audit.json
index b1db3dcb..6295fe1b 100644
--- a/audits/gi-docgen-requirements.audit.json
+++ b/audits/gi-docgen-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/harlequin-requirements.audit.json b/audits/harlequin-requirements.audit.json
index 0765ba2f..f2bf5491 100644
--- a/audits/harlequin-requirements.audit.json
+++ b/audits/harlequin-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/libplacebo-requirements.audit.json b/audits/libplacebo-requirements.audit.json
index 84a72d4d..773a7fdb 100644
--- a/audits/libplacebo-requirements.audit.json
+++ b/audits/libplacebo-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json
index 336aeeb6..0f93d6d9 100644
--- a/audits/litani-requirements.audit.json
+++ b/audits/litani-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json
deleted file mode 100644
index 758b21fc..00000000
--- a/audits/mentat-requirements.audit.json
+++ /dev/null
@@ -1,1562 +0,0 @@ -[ - { - "package": { - "name": "gitpython", - "version": "3.1.37", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "mentat-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-09-20T21:23:27Z", - "published": "2024-01-10T15:46:00Z", - "schema_version": "1.6.0", - "id": "GHSA-2mqj-m65w-jghx", - "aliases": [ - "CVE-2024-22190", - "PYSEC-2024-4" - ], - "summary": "Untrusted search path under some conditions on Windows allows arbitrary code execution", - "details": "### Summary\n\nThis issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository.\n\n### Details\n\nAlthough GitPython often avoids executing programs found in an untrusted search path since 3.1.33, two situations remain where this still occurs. Either can allow arbitrary code execution under some circumstances.\n\n#### When a shell is used\n\nGitPython can be told to run `git` commands through a shell rather than as direct subprocesses, by passing `shell=True` to any method that accepts it, or by both setting `Git.USE_SHELL = True` and not passing `shell=False`. Then the Windows `cmd.exe` shell process performs the path search, and GitPython does not prevent that shell from finding and running `git` in the current directory.\n\nWhen GitPython runs `git` directly rather than through a shell, the GitPython process performs the path search, and currently omits the current directory by setting `NoDefaultCurrentDirectoryInExePath` in its own environment during the `Popen` call. 
Although the `cmd.exe` shell will honor this environment variable when present, GitPython does not currently pass it into the shell subprocess's environment.\n\nFurthermore, because GitPython sets the subprocess CWD to the root of a repository's working tree, using a shell will run a malicious `git.exe` in an untrusted repository even if GitPython itself is run from a trusted location.\n\nThis also applies if `Git.execute` is called directly with `shell=True` (or after `Git.USE_SHELL = True`) to run any command.\n\n#### When hook scripts are run\n\nOn Windows, GitPython uses `bash.exe` to run hooks that appear to be scripts. However, unlike when running `git`, no steps are taken to avoid finding and running `bash.exe` in the current directory.\n\nThis allows the author of an untrusted fork or branch to cause a malicious `bash.exe` to be run in some otherwise safe workflows. An example of such a scenario is if the user installs a trusted hook while on a trusted branch, then switches to an untrusted feature branch (possibly from a fork) to review proposed changes. If the untrusted feature branch contains a malicious `bash.exe` and the user's current working directory is the working tree, and the user performs an action that runs the hook, then although the hook itself is uncorrupted, it runs with the malicious `bash.exe`.\n\nNote that, while `bash.exe` is a shell, this is a separate scenario from when `git` is run using the unrelated Windows `cmd.exe` shell.\n\n### PoC\n\nOn Windows, create a `git.exe` file in a repository. Then create a `Repo` object, and call any method through it (directly or indirectly) that supports the `shell` keyword argument with `shell=True`:\n\n```powershell\nmkdir testrepo\ngit init testrepo\ncp ... 
testrepo git.exe # Replace \"...\" with any executable of choice.\npython -c \"import git; print(git.Repo('testrepo').git.version(shell=True))\"\n```\n\nThe `git.exe` executable in the repository directory will be run.\n\nOr use no `Repo` object, but do it from the location with the `git.exe`:\n\n```powershell\ncd testrepo\npython -c \"import git; print(git.Git().version(shell=True))\"\n```\n\nThe `git.exe` executable in the current directory will be run.\n\nFor the scenario with hooks, install a hook in a repository, create a `bash.exe` file in the current directory, and perform an operation that causes GitPython to attempt to run the hook:\n\n```powershell\nmkdir testrepo\ncd testrepo\ngit init\nmv .git/hooks/pre-commit.sample .git/hooks/pre-commit\ncp ... bash.exe # Replace \"...\" with any executable of choice.\necho \"Some text\" >file.txt\ngit add file.txt\npython -c \"import git; git.Repo().index.commit('Some message')\"\n```\n\nThe `bash.exe` executable in the current directory will be run.\n\n### Impact\n\nThe greatest impact is probably in applications that set `Git.USE_SHELL = True` for historical reasons. (Undesired console windows had, in the past, been created in some kinds of applications, when it was not used.) Such an application may be vulnerable to arbitrary code execution from a malicious repository, even with no other exacerbating conditions. This is to say that, if a shell is used to run `git`, the full effect of CVE-2023-40590 is still present. Furthermore, as noted above, running the application itself from a trusted directory is not a sufficient mitigation.\n\nAn application that does not direct GitPython to use a shell to run `git` subprocesses thus avoids most of the risk. However, there is no such straightforward way to prevent GitPython from running `bash.exe` to interpret hooks. 
So while the conditions needed for that to be exploited are more involved, it may be harder to mitigate decisively prior to patching.\n\n### Possible solutions\n\nA straightforward approach would be to address each bug directly:\n\n- When a shell is used, pass `NoDefaultCurrentDirectoryInExePath` into the subprocess environment, because in that scenario the subprocess is the `cmd.exe` shell that itself performs the path search.\n- Set `NoDefaultCurrentDirectoryInExePath` in the GitPython process environment during the `Popen` call made to run hooks with a `bash.exe` subprocess.\n\nThese need only be done on Windows.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "gitpython", - "purl": "pkg:pypi/gitpython" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.41" - } - ] - } - ], - "versions": [ - "0.1.7", - "0.2.0-beta1", - "0.3.0-beta1", - "0.3.0-beta2", - "0.3.1-beta2", - "0.3.2", - "0.3.2.1", - "0.3.2.RC1", - "0.3.3", - "0.3.4", - "0.3.5", - "0.3.6", - "0.3.7", - "1.0.0", - "1.0.1", - "1.0.2", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.0.8", - "2.0.9", - "2.0.9.dev0", - "2.0.9.dev1", - "2.1.0", - "2.1.1", - "2.1.10", - "2.1.11", - "2.1.12", - "2.1.13", - "2.1.14", - "2.1.15", - "2.1.2", - "2.1.3", - "2.1.4", - "2.1.5", - "2.1.6", - "2.1.7", - "2.1.8", - "2.1.9", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.10", - "3.1.11", - "3.1.12", - "3.1.13", - "3.1.14", - "3.1.15", - "3.1.16", - "3.1.17", - "3.1.18", - "3.1.19", - "3.1.2", - "3.1.20", - "3.1.22", - "3.1.23", - "3.1.24", - "3.1.25", - "3.1.26", - "3.1.27", - "3.1.28", - "3.1.29", - "3.1.3", - "3.1.30", - "3.1.31", - "3.1.32", - "3.1.33", - "3.1.34", - "3.1.35", - "3.1.36", - "3.1.37", - "3.1.38", - "3.1.4", - "3.1.40", - "3.1.5", - "3.1.6", - "3.1.7", - "3.1.8", - "3.1.9" - ], - 
"database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-2mqj-m65w-jghx/GHSA-2mqj-m65w-jghx.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22190" - }, - { - "type": "WEB", - "url": "https://github.com/gitpython-developers/GitPython/pull/1792" - }, - { - "type": "WEB", - "url": "https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/gitpython-developers/GitPython" - }, - { - "type": "WEB", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-426" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-01-10T15:46:00Z", - "nvd_published_at": "2024-01-11T02:15:48Z", - "severity": "HIGH" - } - }, - { - "modified": "2024-01-18T16:56:49Z", - "published": "2024-01-11T02:15:00Z", - "schema_version": "1.6.0", - "id": "PYSEC-2024-4", - "aliases": [ - "CVE-2024-22190", - "GHSA-2mqj-m65w-jghx" - ], - "details": "GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. 
This issue has been patched in version 3.1.41.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "gitpython", - "purl": "pkg:pypi/gitpython" - }, - "ranges": [ - { - "type": "GIT", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "ef3192cc414f2fd9978908454f6fd95243784c7f" - } - ], - "repo": "https://github.com/gitpython-developers/GitPython" - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.41" - } - ] - } - ], - "versions": [ - "0.1.7", - "0.2.0-beta1", - "0.3.0-beta1", - "0.3.0-beta2", - "0.3.1-beta2", - "0.3.2", - "0.3.2.1", - "0.3.2.RC1", - "0.3.3", - "0.3.4", - "0.3.5", - "0.3.6", - "0.3.7", - "1.0.0", - "1.0.1", - "1.0.2", - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.0.8", - "2.0.9", - "2.0.9.dev0", - "2.0.9.dev1", - "2.1.0", - "2.1.1", - "2.1.10", - "2.1.11", - "2.1.12", - "2.1.13", - "2.1.14", - "2.1.15", - "2.1.2", - "2.1.3", - "2.1.4", - "2.1.5", - "2.1.6", - "2.1.7", - "2.1.8", - "2.1.9", - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.0.4", - "3.0.5", - "3.0.6", - "3.0.7", - "3.0.8", - "3.0.9", - "3.1.0", - "3.1.1", - "3.1.10", - "3.1.11", - "3.1.12", - "3.1.13", - "3.1.14", - "3.1.15", - "3.1.16", - "3.1.17", - "3.1.18", - "3.1.19", - "3.1.2", - "3.1.20", - "3.1.22", - "3.1.23", - "3.1.24", - "3.1.25", - "3.1.26", - "3.1.27", - "3.1.28", - "3.1.29", - "3.1.3", - "3.1.30", - "3.1.31", - "3.1.32", - "3.1.33", - "3.1.34", - "3.1.35", - "3.1.36", - "3.1.37", - "3.1.38", - "3.1.4", - "3.1.40", - "3.1.5", - "3.1.6", - "3.1.7", - "3.1.8", - "3.1.9" - ], - "database_specific": { - "source": "https://github.com/pypa/advisory-database/blob/main/vulns/gitpython/PYSEC-2024-4.yaml" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx" - 
}, - { - "type": "ADVISORY", - "url": "https://github.com/gitpython-developers/GitPython/pull/1792" - }, - { - "type": "FIX", - "url": "https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f" - } - ] - } - ], - "groups": [ - { - "ids": [ - "PYSEC-2024-4", - "GHSA-2mqj-m65w-jghx" - ], - "aliases": [ - "CVE-2024-22190", - "GHSA-2mqj-m65w-jghx", - "PYSEC-2024-4" - ], - "max_severity": "8.6" - } - ] - }, - { - "package": { - "name": "jinja2", - "version": "3.1.2", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "mentat-requirements" - ], - "vulnerabilities": [ - { - "modified": "2025-01-08T16:26:10Z", - "published": "2024-12-23T17:54:12Z", - "schema_version": "1.6.0", - "id": "GHSA-gmj6-6f8f-6699", - "aliases": [ - "CVE-2024-56201" - ], - "related": [ - "CGA-2589-9xpr-fmp7", - "CGA-372m-j842-xpmm", - "CGA-9x7g-9rfp-4xhm", - "CGA-gvvw-7w3r-7m54", - "CGA-h79h-32w2-7vmp", - "CGA-jjj9-fv4h-c9cv", - "CGA-jr6g-xxjr-rgc8", - "CGA-mvqg-6j62-4pjm", - "CGA-vj5f-6mc5-q329", - "CGA-w9xc-2j9j-8rrv", - "CGA-whf8-42p9-686q" - ], - "summary": "Jinja has a sandbox breakout through malicious filenames", - "details": "A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.\n\nTo exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. 
This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "jinja2", - "purl": "pkg:pypi/jinja2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "fixed": "3.1.5" - } - ] - } - ], - "versions": [ - "3.0.0", - "3.0.1", - "3.0.2", - "3.0.3", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.1.4" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.1.4", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-gmj6-6f8f-6699/GHSA-gmj6-6f8f-6699.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56201" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/issues/1792" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/jinja" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/releases/tag/3.1.5" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-150" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-12-23T17:54:12Z", - "nvd_published_at": "2024-12-23T16:15:07Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-02-16T08:18:43Z", - "published": "2024-01-11T15:20:48Z", - "schema_version": "1.6.0", - "id": "GHSA-h5c8-rqwp-cp95", - "aliases": [ - "CVE-2024-22195" - ], - "related": [ - "CGA-493q-4x4c-mfjv", - "CGA-f27q-c9f6-2v7h", 
- "CGA-hgvf-wwm9-3343" - ], - "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", - "details": "The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "jinja2", - "purl": "pkg:pypi/jinja2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.3" - } - ] - } - ], - "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", - "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", - "3.0.1", - "3.0.2", - "3.0.3", - "3.1.0", - "3.1.1", - "3.1.2" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h5c8-rqwp-cp95/GHSA-h5c8-rqwp-cp95.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95" - }, - { - "type": "ADVISORY", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-22195" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/jinja" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/releases/tag/3.1.3" - }, - { - "type": "WEB", - "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-01-11T15:20:48Z", - "nvd_published_at": "2024-01-11T03:15:11Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-10-22T05:28:58Z", - "published": "2024-05-06T14:20:59Z", - "schema_version": "1.6.0", - "id": "GHSA-h75v-3vvj-5mfj", - "aliases": [ - "CGA-g5xx-83xq-8g5j", - "CVE-2024-34064" - ], - "related": [ - "CGA-3h69-x6cf-g5c9", - "CGA-8hp4-mxq9-cfjp", - "CGA-8q5r-j4hw-jrcv", - "CGA-j4qq-j23r-522f", - "CGA-ph4r-hmw2-vp9r", - "CGA-rwrm-vm7r-mrmj", - "CGA-w4rq-c3cf-82f3", - "CGA-x9j2-vg55-h4p4" - ], - "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", - "details": "The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. 
If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.\n\nAccepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "jinja2", - "purl": "pkg:pypi/jinja2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.4" - } - ] - } - ], - "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", - "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", - "3.0.1", - "3.0.2", - "3.0.3", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-h75v-3vvj-5mfj/GHSA-h75v-3vvj-5mfj.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064" - }, - { - "type": "WEB", - "url": 
"https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/jinja" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-05-06T14:20:59Z", - "nvd_published_at": "2024-05-06T15:15:23Z", - "severity": "MODERATE" - } - }, - { - "modified": "2024-12-27T19:24:19Z", - "published": "2024-12-23T17:56:08Z", - "schema_version": "1.6.0", - "id": "GHSA-q2x7-8rv6-6q7h", - "aliases": [ - "CVE-2024-56326" - ], - "related": [ - "CGA-48m9-g63w-3pmj", - "CGA-6g29-xf5c-xrq4", - "CGA-79fr-pvjg-j9xm", - "CGA-crfr-r549-cvmg", - "CGA-f7wq-crqm-v76f", - "CGA-gm37-p355-3fq6", - "CGA-h3v9-xgx5-mrgr", - "CGA-hvm4-vp8w-6q8r", - "CGA-p9v5-jpj2-q3ww", - "CGA-rx48-pgcw-gx64", - "CGA-w2xv-8gr2-xp8m" - ], - "summary": "Jinja has a sandbox breakout through indirect reference to format method", - "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. 
This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "jinja2", - "purl": "pkg:pypi/jinja2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.5" - } - ] - } - ], - "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", - "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", - "3.0.1", - "3.0.2", - "3.0.3", - "3.1.0", - "3.1.1", - "3.1.2", - "3.1.3", - "3.1.4" - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.1.4", - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q2x7-8rv6-6q7h/GHSA-q2x7-8rv6-6q7h.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - }, - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56326" - }, - { - "type": "WEB", - "url": 
"https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4" - }, - { - "type": "PACKAGE", - "url": "https://github.com/pallets/jinja" - }, - { - "type": "WEB", - "url": "https://github.com/pallets/jinja/releases/tag/3.1.5" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-693" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-12-23T17:56:08Z", - "nvd_published_at": "2024-12-23T16:15:07Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-gmj6-6f8f-6699" - ], - "aliases": [ - "CVE-2024-56201", - "GHSA-gmj6-6f8f-6699" - ], - "max_severity": "8.8" - }, - { - "ids": [ - "GHSA-h5c8-rqwp-cp95" - ], - "aliases": [ - "CVE-2024-22195", - "GHSA-h5c8-rqwp-cp95" - ], - "max_severity": "5.4" - }, - { - "ids": [ - "GHSA-h75v-3vvj-5mfj" - ], - "aliases": [ - "CGA-g5xx-83xq-8g5j", - "CVE-2024-34064", - "GHSA-h75v-3vvj-5mfj" - ], - "max_severity": "5.4" - }, - { - "ids": [ - "GHSA-q2x7-8rv6-6q7h" - ], - "aliases": [ - "CVE-2024-56326", - "GHSA-q2x7-8rv6-6q7h" - ], - "max_severity": "7.8" - } - ] - }, - { - "package": { - "name": "sentry-sdk", - "version": "1.34.0", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "mentat-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-07-26T22:12:12Z", - "published": "2024-07-18T17:18:46Z", - "schema_version": "1.6.0", - "id": "GHSA-g92j-qhmh-64v2", - "aliases": [ - "CVE-2024-40647" - ], - "summary": "Sentry's Python SDK unintentionally exposes environment variables to subprocesses", - "details": "### Impact\n\nThe bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={}` setting.\n\n### Details\n\nIn Python's `subprocess` calls, all environment variables are passed to subprocesses by default. 
However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls, like in this example:\n\n```\n>>> subprocess.check_output([\"env\"], env={\"TEST\":\"1\"})\nb'TEST=1\\n'\n```\n\nIf you'd want to not pass any variables, you can set an empty dict:\n\n```\n>>> subprocess.check_output([\"env\"], env={})\nb''\n```\n\nHowever, the bug in Sentry SDK <2.8.0 causes **all environment variables** to be passed to the subprocesses when `env={}` is set, unless the Sentry SDK's [Stdlib](https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib) integration is disabled. The Stdlib integration is enabled by default.\n\n### Patches\nThe issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in [sentry-sdk==2.8.0](https://github.com/getsentry/sentry-python/releases/tag/2.8.0). The fix was also backported to [sentry-sdk==1.45.1](https://github.com/getsentry/sentry-python/releases/tag/1.45.1).\n\n### Workarounds\n\nWe strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:\n\n1. In your application, replace `env={}` with the minimal dict `env={\"EMPTY_ENV\":\"1\"}` or similar.\n\nOR\n\n2. 
Disable Stdlib integration:\n```\nimport sentry_sdk\n\n# Should go before sentry_sdk.init\nsentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove(\"sentry_sdk.integrations.stdlib.StdlibIntegration\")\n\nsentry_sdk.init(...)\n```\n\n### References\n* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)\n* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)\n* Patch https://github.com/getsentry/sentry-python/pull/3251 \n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "sentry-sdk", - "purl": "pkg:pypi/sentry-sdk" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.8.0" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.1.0rc1", - "0.1.0rc10", - "0.1.0rc11", - "0.1.0rc12", - "0.1.0rc13", - "0.1.0rc14", - "0.1.0rc15", - "0.1.0rc16", - "0.1.0rc2", - "0.1.0rc3", - "0.1.0rc4", - "0.1.0rc5", - "0.1.0rc6", - "0.1.0rc7", - "0.1.0rc8", - "0.1.0rc9", - "0.1.1", - "0.1.2", - "0.1.3", - "0.10.0", - "0.10.1", - "0.10.2", - "0.11.0", - "0.11.1", - "0.11.2", - "0.12.0", - "0.12.1", - "0.12.2", - "0.12.3", - "0.13.0", - "0.13.1", - "0.13.2", - "0.13.3", - "0.13.4", - "0.13.5", - "0.14.0", - "0.14.1", - "0.14.2", - "0.14.3", - "0.14.4", - "0.15.0", - "0.15.1", - "0.16.0", - "0.16.1", - "0.16.2", - "0.16.3", - "0.16.4", - "0.16.5", - "0.17.0", - "0.17.1", - "0.17.2", - "0.17.3", - "0.17.4", - "0.17.5", - "0.17.6", - "0.17.7", - "0.17.8", - "0.18.0", - "0.19.0", - "0.19.1", - "0.19.2", - "0.19.3", - "0.19.4", - "0.19.5", - "0.2.1", - "0.2.2", - "0.20.0", - "0.20.1", - "0.20.2", - "0.20.3", - "0.3.0", - "0.3.1", - "0.3.10", - "0.3.11", - "0.3.2", - "0.3.3", - "0.3.4", - "0.3.5", - "0.3.6", - "0.3.7", - "0.3.8", - "0.3.9", - "0.4.0", - "0.4.1", - "0.4.2", - "0.4.3", - "0.5.0", - "0.5.1", - "0.5.2", - "0.5.3", - "0.5.4", - "0.5.5", - "0.6.0", - "0.6.1", - "0.6.2", - "0.6.3", - "0.6.4", - "0.6.5", - "0.6.6", - "0.6.7", - 
"0.6.8",
- "0.6.9",
- "0.7.0",
- "0.7.1",
- "0.7.10",
- "0.7.11",
- "0.7.12",
- "0.7.13",
- "0.7.14",
- "0.7.2",
- "0.7.3",
- "0.7.4",
- "0.7.5",
- "0.7.6",
- "0.7.7",
- "0.7.8",
- "0.7.9",
- "0.8.0",
- "0.8.1",
- "0.9.0",
- "0.9.1",
- "0.9.2",
- "0.9.3",
- "0.9.4",
- "0.9.5",
- "1.0.0",
- "1.1.0",
- "1.10.0",
- "1.10.1",
- "1.11.0",
- "1.11.1",
- "1.12.0",
- "1.12.1",
- "1.13.0",
- "1.14.0",
- "1.15.0",
- "1.16.0",
- "1.17.0",
- "1.18.0",
- "1.19.0",
- "1.19.1",
- "1.2.0",
- "1.20.0",
- "1.21.0",
- "1.21.1",
- "1.22.0",
- "1.22.1",
- "1.22.2",
- "1.23.0",
- "1.23.1",
- "1.24.0",
- "1.25.0",
- "1.25.1",
- "1.26.0",
- "1.27.0",
- "1.27.1",
- "1.28.0",
- "1.28.1",
- "1.29.0",
- "1.29.1",
- "1.29.2",
- "1.3.0",
- "1.3.1",
- "1.30.0",
- "1.31.0",
- "1.32.0",
- "1.33.0",
- "1.33.1",
- "1.34.0",
- "1.35.0",
- "1.36.0",
- "1.37.0",
- "1.37.1",
- "1.38.0",
- "1.39.0",
- "1.39.1",
- "1.39.2",
- "1.4.0",
- "1.4.1",
- "1.4.2",
- "1.4.3",
- "1.40.0",
- "1.40.1",
- "1.40.2",
- "1.40.3",
- "1.40.4",
- "1.40.5",
- "1.40.6",
- "1.41.0",
- "1.42.0",
- "1.43.0",
- "1.44.0",
- "1.44.1",
- "1.45.0",
- "1.45.1",
- "1.5.0",
- "1.5.1",
- "1.5.10",
- "1.5.11",
- "1.5.12",
- "1.5.2",
- "1.5.3",
- "1.5.4",
- "1.5.5",
- "1.5.6",
- "1.5.7",
- "1.5.8",
- "1.5.9",
- "1.6.0",
- "1.7.0",
- "1.7.1",
- "1.7.2",
- "1.8.0",
- "1.9.0",
- "1.9.1",
- "1.9.10",
- "1.9.2",
- "1.9.3",
- "1.9.4",
- "1.9.5",
- "1.9.6",
- "1.9.7",
- "1.9.8",
- "1.9.9",
- "2.0.0",
- "2.0.0a1",
- "2.0.0a2",
- "2.0.0rc1",
- "2.0.0rc2",
- "2.0.0rc3",
- "2.0.0rc4",
- "2.0.0rc5",
- "2.0.0rc6",
- "2.0.1",
- "2.1.0",
- "2.1.1",
- "2.2.0",
- "2.2.1",
- "2.3.0",
- "2.3.1",
- "2.4.0",
- "2.5.0",
- "2.5.1",
- "2.6.0",
- "2.7.0",
- "2.7.1"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-g92j-qhmh-64v2/GHSA-g92j-qhmh-64v2.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N"
- },
- {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40647"
- },
- {
- "type": "WEB",
- "url": "https://github.com/getsentry/sentry-python/pull/3251"
- },
- {
- "type": "WEB",
- "url": "https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff"
- },
- {
- "type": "WEB",
- "url": "https://docs.python.org/3/library/subprocess.html"
- },
- {
- "type": "WEB",
- "url": "https://docs.sentry.io/platforms/python/integrations/default-integrations"
- },
- {
- "type": "WEB",
- "url": "https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/getsentry/sentry-python"
- },
- {
- "type": "WEB",
- "url": "https://github.com/getsentry/sentry-python/releases/tag/2.8.0"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-200"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2024-07-18T17:18:46Z",
- "nvd_published_at": "2024-07-18T17:15:05Z",
- "severity": "LOW"
- }
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-g92j-qhmh-64v2"
- ],
- "aliases": [
- "CVE-2024-40647",
- "GHSA-g92j-qhmh-64v2"
- ],
- "max_severity": "2.5"
- }
- ]
- },
- {
- "package": {
- "name": "tqdm",
- "version": "4.66.1",
- "ecosystem": "PyPI"
- },
- "dependency_groups": [
- "mentat-requirements"
- ],
- "vulnerabilities": [
- {
- "modified": "2024-06-10T19:03:48Z",
- "published": "2024-05-03T19:33:28Z",
- "schema_version": "1.6.0",
- "id": "GHSA-g7vv-2v7x-gj9p",
- "aliases": [
- "CVE-2024-34062"
- ],
- "related": [
- "CGA-5g34-q98x-rv72",
- "CGA-wprj-p696-fg4q"
- ],
- "summary": "tqdm CLI arguments injection attack",
- "details": "### Impact\nAny optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. Example:\n\n```sh\npython -m tqdm --manpath=\"\\\" + str(exec(\\\"import os\\nos.system('echo hi && killall python3')\\\")) + \\\"\"\n```\n\n### Patches\nhttps://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 released in `tqdm>=4.66.3`\n\n### Workarounds\nNone\n\n### References\n- https://github.com/tqdm/tqdm/releases/tag/v4.66.3",
- "affected": [
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "tqdm",
- "purl": "pkg:pypi/tqdm"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "4.4.0"
- },
- {
- "fixed": "4.66.3"
- }
- ]
- }
- ],
- "versions": [
- "4.10.0",
- "4.11.0",
- "4.11.1",
- "4.11.2",
- "4.12.0",
- "4.13.0",
- "4.14.0",
- "4.15.0",
- "4.16.0",
- "4.17.0",
- "4.17.1",
- "4.18.0",
- "4.19.1",
- "4.19.1.post1",
- "4.19.2",
- "4.19.4",
- "4.19.5",
- "4.19.6",
- "4.19.7",
- "4.19.8",
- "4.19.9",
- "4.20.0",
- "4.21.0",
- "4.22.0",
- "4.23.0",
- "4.23.1",
- "4.23.2",
- "4.23.3",
- "4.23.4",
- "4.24.0",
- "4.25.0",
- "4.26.0",
- "4.27.0",
- "4.28.0",
- "4.28.1",
- "4.29.0",
- "4.29.1",
- "4.30.0",
- "4.31.0",
- "4.31.1",
- "4.32.0",
- "4.32.1",
- "4.32.2",
- "4.33.0",
- "4.34.0",
- "4.35.0",
- "4.36.0",
- "4.36.1",
- "4.37.0",
- "4.38.0",
- "4.39.0",
- "4.4.0",
- "4.4.1",
- "4.4.3",
- "4.40.0",
- "4.40.1",
- "4.40.2",
- "4.41.0",
- "4.41.1",
- "4.42.0",
- "4.42.1",
- "4.43.0",
- "4.44.0",
- "4.44.1",
- "4.45.0",
- "4.46.0",
- "4.46.1",
- "4.47.0",
- "4.48.0",
- "4.48.1",
- "4.48.2",
- "4.49.0",
- "4.5.0",
- "4.5.2",
- "4.50.0",
- "4.50.1",
- "4.50.2",
- "4.51.0",
- "4.52.0",
- "4.53.0",
- "4.54.0",
- "4.54.1",
- "4.55.0",
- "4.55.1",
- "4.55.2",
- "4.56.0",
- "4.56.1",
- "4.56.2",
- "4.57.0",
- "4.58.0",
- "4.59.0",
- "4.6.1",
- "4.6.2",
- "4.60.0",
- "4.61.0",
- "4.61.1",
- "4.61.2",
- "4.62.0",
- "4.62.1",
- "4.62.2",
- "4.62.3",
- "4.63.0",
- "4.63.1",
- "4.63.2",
- "4.64.0",
- "4.64.1",
- "4.65.0",
- "4.65.1",
- "4.65.2",
- "4.66.0",
- "4.66.1",
- "4.66.2",
- "4.7.0",
- "4.7.1",
- "4.7.2",
- "4.7.4",
- "4.7.6",
- "4.8.1",
- "4.8.2",
- "4.8.3",
- "4.8.4",
- "4.9.0"
- ],
- "database_specific": {
- "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g7vv-2v7x-gj9p/GHSA-g7vv-2v7x-gj9p.json"
- }
- }
- ],
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p"
- },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062"
- },
- {
- "type": "WEB",
- "url": "https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/tqdm/tqdm"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6"
- },
- {
- "type": "WEB",
- "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-74"
- ],
- "github_reviewed": true,
- "github_reviewed_at": "2024-05-03T19:33:28Z",
- "nvd_published_at": "2024-05-03T10:15:08Z",
- "severity": "LOW"
- }
- }
- ],
- "groups": [
- {
- "ids": [
- "GHSA-g7vv-2v7x-gj9p"
- ],
- "aliases": [
- "CVE-2024-34062",
- "GHSA-g7vv-2v7x-gj9p"
- ],
- "max_severity": "3.9"
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/audits/organize-tool-requirements.audit.json b/audits/organize-tool-requirements.audit.json
index a1b2f0da..284e75ac 100644
--- a/audits/organize-tool-requirements.audit.json
+++ b/audits/organize-tool-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/pytorch-requirements.audit.json b/audits/pytorch-requirements.audit.json
index f09e8530..4e6b0f64 100644
--- a/audits/pytorch-requirements.audit.json
+++ b/audits/pytorch-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json
index 230a7790..07757d92 100644
--- a/audits/recon-ng-requirements.audit.json
+++ b/audits/recon-ng-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/sail-requirements.audit.json b/audits/sail-requirements.audit.json
index 40d76512..f5513c8b 100644
--- a/audits/sail-requirements.audit.json
+++ b/audits/sail-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/vunnel-requirements.audit.json b/audits/vunnel-requirements.audit.json
index 595582b6..657dbf12 100644
--- a/audits/vunnel-requirements.audit.json
+++ b/audits/vunnel-requirements.audit.json
@@ -20,13 +20,17 @@
 "related": [
 "CGA-2589-9xpr-fmp7",
 "CGA-372m-j842-xpmm",
+ "CGA-5jxw-7gv5-jv29",
+ "CGA-9fmg-5576-4h3w",
 "CGA-9x7g-9rfp-4xhm",
+ "CGA-f7cf-h8jg-fwmv",
 "CGA-gvvw-7w3r-7m54",
 "CGA-h79h-32w2-7vmp",
 "CGA-jjj9-fv4h-c9cv",
 "CGA-jr6g-xxjr-rgc8",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
+ "CGA-vm55-cfmf-jr9r",
 "CGA-w9xc-2j9j-8rrv",
 "CGA-whf8-42p9-686q"
 ],
@@ -124,9 +128,11 @@
 "CVE-2024-56326"
 ],
 "related": [
+ "CGA-3cj4-2jg2-4qm3",
 "CGA-48m9-g63w-3pmj",
 "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
+ "CGA-8r3m-hvvj-88ff",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
@@ -134,7 +140,9 @@
 "CGA-hvm4-vp8w-6q8r",
 "CGA-p9v5-jpj2-q3ww",
 "CGA-rx48-pgcw-gx64",
- "CGA-w2xv-8gr2-xp8m"
+ "CGA-v3rh-g84v-9h7h",
+ "CGA-w2xv-8gr2-xp8m",
+ "CGA-wxqh-34vm-g4hv"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/requirements/aider-requirements.txt b/requirements/aider-requirements.txt
index f75af844..11096fc9 100644
--- a/requirements/aider-requirements.txt
+++ b/requirements/aider-requirements.txt
@@ -32,7 +32,7 @@ jiter==0.8.0
 json5==0.10.0
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
-litellm==1.53.9
+litellm==1.57.5
 markdown-it-py==3.0.0
 markupsafe==3.0.2
 mccabe==0.7.0
@@ -67,7 +67,7 @@ regex==2024.11.6
 requests==2.32.3
 rich==13.9.4
 rpds-py==0.22.3
-setuptools==75.6.0
+setuptools==75.8.0
 six==1.17.0
 smmap==5.0.1
 sniffio==1.3.1
diff --git a/requirements/cobo-cli-requirements.txt b/requirements/cobo-cli-requirements.txt
index 5cdcbbe8..170ab42c 100644
--- a/requirements/cobo-cli-requirements.txt
+++ b/requirements/cobo-cli-requirements.txt
@@ -1,28 +1,28 @@
 annotated-types==0.7.0
 cffi==1.17.1
-charset-normalizer==3.4.0
-click==8.1.7
+charset-normalizer==3.4.1
+click==8.1.8
 dataclasses-json==0.6.7
 dnspython==2.7.0
 email-validator==2.2.0
-gitdb==4.0.11
-gitpython==3.1.43
+gitdb==4.0.12
+gitpython==3.1.44
 idna==3.10
-marshmallow==3.23.1
+marshmallow==3.25.0
 mypy-extensions==1.0.0
 packaging==24.2
 pycparser==2.22
-pydantic==2.10.3
-pydantic-core==2.27.1
-pydantic-settings==2.7.0
+pydantic==2.10.5
+pydantic-core==2.27.2
+pydantic-settings==2.7.1
 pynacl==1.5.0
 python-dotenv==1.0.1
 pyyaml==6.0.2
 requests==2.32.3
-smmap==5.0.1
+smmap==5.0.2
 tomli==2.2.1
 tomli-w==1.1.0
 typing-extensions==4.12.2
 typing-inspect==0.9.0
-urllib3==2.2.3
+urllib3==2.3.0
 websocket-client==1.8.0
diff --git a/requirements/condure-requirements.txt b/requirements/condure-requirements.txt
deleted file mode 100644
index 93bc4338..00000000
--- a/requirements/condure-requirements.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-packaging==23.2
-pyzmq==25.1.2
-setuptools==69.1.1
-tnetstring3==0.3.1
diff --git a/requirements/localai-requirements.txt b/requirements/localai-requirements.txt
index 18d05596..fe530929 100644
--- a/requirements/localai-requirements.txt
+++ b/requirements/localai-requirements.txt
@@ -1 +1 @@
-grpcio-tools==1.68.1
+grpcio-tools==1.69.0
diff --git a/requirements/mentat-requirements.txt b/requirements/mentat-requirements.txt
deleted file mode 100644
index 59124f63..00000000
--- a/requirements/mentat-requirements.txt
+++ /dev/null
@@ -1,56 +0,0 @@
-annotated-types==0.7.0
-anyio==3.7.1
-attrs==23.1.0
-backoff==2.2.1
-cffi==1.17.1
-charset-normalizer==3.4.0
-distro==1.9.0
-fire==0.5.0
-gitdb==4.0.11
-gitpython==3.1.37
-h11==0.14.0
-httpcore==1.0.7
-httpx==0.28.0
-idna==3.10
-iniconfig==2.0.0
-jinja2==3.1.2
-jsonschema==4.23.0
-jsonschema-specifications==2024.10.1
-markupsafe==3.0.2
-openai==1.3.0
-outcome==1.3.0.post0
-packaging==24.2
-pluggy==1.5.0
-prompt-toolkit==3.0.39
-pycparser==2.22
-pydantic==2.9.2
-pydantic-core==2.23.4
-pygments==2.15.1
-pysocks==1.7.1
-pytest==7.4.0
-pytest-asyncio==0.21.1
-pytest-mock==3.11.1
-pytest-reportlog==0.4.0
-python-dotenv==1.0.0
-referencing==0.35.1
-regex==2024.11.6
-requests==2.32.3
-rpds-py==0.21.0
-selenium==4.15.2
-sentry-sdk==1.34.0
-six==1.16.0
-smmap==5.0.1
-sniffio==1.3.1
-sortedcontainers==2.4.0
-sounddevice==0.4.6
-soundfile==0.12.1
-termcolor==2.3.0
-tiktoken==0.4.0
-tqdm==4.66.1
-trio==0.24.0
-trio-websocket==0.11.1
-typing-extensions==4.12.2
-urllib3==2.2.3
-wcwidth==0.2.13
-webdriver-manager==4.0.1
-wsproto==1.2.0
diff --git a/requirements/parsedmarc-requirements.txt b/requirements/parsedmarc-requirements.txt
index fbc188c4..65e0b5dd 100644
--- a/requirements/parsedmarc-requirements.txt
+++ b/requirements/parsedmarc-requirements.txt
@@ -5,8 +5,8 @@ attrs==24.3.0
 azure-core==1.32.0
 azure-identity==1.19.0
 azure-monitor-ingestion==1.0.4
-boto3==1.35.87
-botocore==1.35.87
+boto3==1.35.96
+botocore==1.35.96
 cachetools==5.5.0
 charset-normalizer==3.4.1
 dateparser==1.2.0
@@ -18,7 +18,7 @@ expiringdict==1.2.2
 frozenlist==1.5.0
 geoip2==4.8.1
 google-api-core==2.24.0
-google-api-python-client==2.156.0
+google-api-python-client==2.158.0
 google-auth==2.37.0
 google-auth-httplib2==0.2.0
 google-auth-oauthlib==1.2.1
@@ -33,7 +33,7 @@ kafka-python-ng==2.2.3
 lxml==5.3.0
 mail-parser==3.15.0
 mailsuite==1.9.18
-maxminddb==2.6.2
+maxminddb==2.6.3
 msal==1.31.1
 msal-extensions==1.2.0
 msgraph-core==0.2.2
@@ -43,14 +43,14 @@ opensearch-py==2.8.0
 portalocker==2.10.1
 propcache==0.2.1
 proto-plus==1.25.0
-protobuf==5.29.2
+protobuf==5.29.3
 publicsuffix2==2.20191221
-publicsuffixlist==1.0.2.20241225
+publicsuffixlist==1.0.2.20250110
 pyasn1==0.6.1
 pyasn1-modules==0.4.1
 pygelf==0.4.2
 pyjwt==2.10.1
-pyparsing==3.2.0
+pyparsing==3.2.1
 python-dateutil==2.9.0.post0
 pytz==2024.2
 regex==2024.11.6
diff --git a/requirements/pdm-requirements.txt b/requirements/pdm-requirements.txt
index 4b532925..3a06cf65 100644
--- a/requirements/pdm-requirements.txt
+++ b/requirements/pdm-requirements.txt
@@ -1,4 +1,4 @@
-anyio==4.7.0
+anyio==4.8.0
 blinker==1.9.0
 dep-logic==0.4.10
 distlib==0.3.9
@@ -14,9 +14,9 @@ markdown-it-py==3.0.0
 mdurl==0.1.2
 msgpack==1.1.0
 packaging==24.2
-pbs-installer==2024.10.16
+pbs-installer==2025.1.6
 platformdirs==4.3.6
-pygments==2.18.0
+pygments==2.19.1
 pyproject-hooks==1.2.0
 python-dotenv==1.0.1
 resolvelib==1.1.0
@@ -27,4 +27,4 @@ socksio==1.0.0
 tomlkit==0.13.2
 truststore==0.10.0
 unearth==0.17.2
-virtualenv==20.28.0
+virtualenv==20.28.1
diff --git a/requirements/polynote-requirements.txt b/requirements/polynote-requirements.txt
index 597543af..f6d07c79 100644
--- a/requirements/polynote-requirements.txt
+++ b/requirements/polynote-requirements.txt
@@ -1 +1 @@
-jep==4.2.0
+jep==4.2.2
diff --git a/requirements/rawdog-requirements.txt b/requirements/rawdog-requirements.txt
index 0245c839..fd407425 100644
--- a/requirements/rawdog-requirements.txt
+++ b/requirements/rawdog-requirements.txt
@@ -2,9 +2,9 @@ aiohappyeyeballs==2.4.4
 aiohttp==3.11.11
 aiosignal==1.3.2
 annotated-types==0.7.0
-anyio==4.7.0
+anyio==4.8.0
 attrs==24.3.0
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 click==8.1.8
 distro==1.9.0
 filelock==3.16.1
@@ -13,20 +13,20 @@ fsspec==2024.12.0
 h11==0.14.0
 httpcore==1.0.7
 httpx==0.27.2
-huggingface-hub==0.27.0
+huggingface-hub==0.27.1
 idna==3.10
 importlib-metadata==8.5.0
 jinja2==3.1.5
 jiter==0.8.2
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
-litellm==1.55.10
+litellm==1.57.5
 markupsafe==3.0.2
 multidict==6.1.0
-openai==1.58.1
+openai==1.59.6
 packaging==24.2
 propcache==0.2.1
-pydantic==2.10.4
+pydantic==2.10.5
 pydantic-core==2.27.2
 python-dotenv==1.0.1
 pyyaml==6.0.2
@@ -40,5 +40,6 @@ tokenizers==0.21.0
 tqdm==4.67.1
 typing-extensions==4.12.2
 urllib3==2.3.0
+uvloop==0.21.0
 yarl==1.18.3
 zipp==3.21.0
diff --git a/requirements/weaviate-cli-requirements.txt b/requirements/weaviate-cli-requirements.txt
index bb195e82..b1031a04 100644
--- a/requirements/weaviate-cli-requirements.txt
+++ b/requirements/weaviate-cli-requirements.txt
@@ -1,22 +1,24 @@
 annotated-types==0.7.0
-anyio==4.7.0
+anyio==4.8.0
 authlib==1.3.1
 click==8.1.7
-grpcio==1.68.1
-grpcio-health-checking==1.68.1
-grpcio-tools==1.68.1
+grpcio==1.69.0
+grpcio-health-checking==1.69.0
+grpcio-tools==1.69.0
 h11==0.14.0
 httpcore==1.0.7
 httpx==0.28.1
 idna==3.10
-importlib-resources==6.4.5
-numpy==2.2.0
-protobuf==5.29.1
-pydantic==2.10.3
-pydantic-core==2.27.1
+importlib-resources==6.5.2
+numpy==2.2.1
+prettytable==3.12.0
+protobuf==5.29.3
+pydantic==2.10.5
+pydantic-core==2.27.2
 semver==3.0.2
-setuptools==75.6.0
+setuptools==75.8.0
 sniffio==1.3.1
 typing-extensions==4.12.2
 validators==0.34.0
-weaviate-client==4.10.1
+wcwidth==0.2.13
+weaviate-client==4.10.2