From 5995f5d1af78b0c7f5f57dbb53460b539b444b57 Mon Sep 17 00:00:00 2001
From: "github.actions"
Date: Thu, 9 Jan 2025 08:06:09 +0000
Subject: [PATCH] Latest data: Thu Jan 9 08:06:09 UTC 2025
---
 audits/aider-requirements.audit.json | 51 +++----------------
 audits/ansible-lint-requirements.audit.json | 51 +++----------------
 audits/certsync-requirements.audit.json | 51 +++----------------
 audits/charmcraft-requirements.audit.json | 51 +++----------------
 audits/gdbgui-requirements.audit.json | 51 +++----------------
 audits/gi-docgen-requirements.audit.json | 51 +++----------------
 audits/harlequin-requirements.audit.json | 51 +++----------------
 audits/libplacebo-requirements.audit.json | 51 +++----------------
 audits/litani-requirements.audit.json | 51 +++----------------
 audits/mentat-requirements.audit.json | 51 +++----------------
 audits/organize-tool-requirements.audit.json | 51 +++----------------
 audits/pytorch-requirements.audit.json | 51 +++----------------
 audits/recon-ng-requirements.audit.json | 51 +++----------------
 audits/sail-requirements.audit.json | 51 +++----------------
 audits/vunnel-requirements.audit.json | 51 +++----------------
 .../check-jsonschema-requirements.txt | 16 +++---
 requirements/ggshield-requirements.txt | 8 +--
 requirements/kaskade-requirements.txt | 10 ++--
 requirements/semgrep-requirements.txt | 12 ++---
 requirements/snakemake-requirements.txt | 8 +--
 20 files changed, 132 insertions(+), 687 deletions(-)
diff --git a/audits/aider-requirements.audit.json b/audits/aider-requirements.audit.json
index d65bb95a..957f9d5e 100644
--- a/audits/aider-requirements.audit.json
+++ b/audits/aider-requirements.audit.json
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", 
@@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/ansible-lint-requirements.audit.json b/audits/ansible-lint-requirements.audit.json index f1720e6f..3b454e64 100644 --- a/audits/ansible-lint-requirements.audit.json +++ b/audits/ansible-lint-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/certsync-requirements.audit.json b/audits/certsync-requirements.audit.json index 418daa2b..9835ba76 100644 --- a/audits/certsync-requirements.audit.json +++ b/audits/certsync-requirements.audit.json 
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/charmcraft-requirements.audit.json b/audits/charmcraft-requirements.audit.json index be45e459..425ccef1 100644 --- a/audits/charmcraft-requirements.audit.json +++ b/audits/charmcraft-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/gdbgui-requirements.audit.json b/audits/gdbgui-requirements.audit.json index e4edffbb..607ee44f 100644 --- a/audits/gdbgui-requirements.audit.json +++ b/audits/gdbgui-requirements.audit.json 
@@ -272,7 +272,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -284,6 +284,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -302,7 +304,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -311,48 +313,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -715,12 +676,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/gi-docgen-requirements.audit.json b/audits/gi-docgen-requirements.audit.json index 2015b249..eabe9fbf 100644 --- a/audits/gi-docgen-requirements.audit.json +++ b/audits/gi-docgen-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/harlequin-requirements.audit.json b/audits/harlequin-requirements.audit.json index 607edb0c..06d0e1fc 100644 --- a/audits/harlequin-requirements.audit.json +++ b/audits/harlequin-requirements.audit.json 
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/libplacebo-requirements.audit.json b/audits/libplacebo-requirements.audit.json index 6eae4b42..1f01bf51 100644 --- a/audits/libplacebo-requirements.audit.json +++ b/audits/libplacebo-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/litani-requirements.audit.json b/audits/litani-requirements.audit.json index c870e67f..e2c4e357 100644 --- a/audits/litani-requirements.audit.json +++ b/audits/litani-requirements.audit.json 
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/mentat-requirements.audit.json b/audits/mentat-requirements.audit.json index e147b9b4..d600ccef 100644 --- a/audits/mentat-requirements.audit.json +++ b/audits/mentat-requirements.audit.json @@ -376,7 +376,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -388,6 +388,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -406,7 +408,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -415,48 +417,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -819,12 +780,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/organize-tool-requirements.audit.json b/audits/organize-tool-requirements.audit.json index a20c11b4..7c91a6d6 100644 --- a/audits/organize-tool-requirements.audit.json +++ b/audits/organize-tool-requirements.audit.json 
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/pytorch-requirements.audit.json b/audits/pytorch-requirements.audit.json index a0ae2dd6..99d25341 100644 --- a/audits/pytorch-requirements.audit.json +++ b/audits/pytorch-requirements.audit.json @@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" 
@@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", @@ -162,12 +123,14 @@ ], "related": [ "CGA-48m9-g63w-3pmj", + "CGA-6g29-xf5c-xrq4", "CGA-79fr-pvjg-j9xm", "CGA-crfr-r549-cvmg", "CGA-f7wq-crqm-v76f", "CGA-gm37-p355-3fq6", "CGA-h3v9-xgx5-mrgr", - "CGA-p9v5-jpj2-q3ww" + "CGA-p9v5-jpj2-q3ww", + "CGA-rx48-pgcw-gx64" ], "summary": "Jinja has a sandbox breakout through indirect reference to format method", "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.", diff --git a/audits/recon-ng-requirements.audit.json b/audits/recon-ng-requirements.audit.json index af701a7f..f4a34831 100644 --- a/audits/recon-ng-requirements.audit.json +++ b/audits/recon-ng-requirements.audit.json 
@@ -10,7 +10,7 @@ ], "vulnerabilities": [ { - "modified": "2024-12-26T20:27:33Z", + "modified": "2025-01-08T16:26:10Z", "published": "2024-12-23T17:54:12Z", "schema_version": "1.6.0", "id": "GHSA-gmj6-6f8f-6699", @@ -22,6 +22,8 @@ "CGA-372m-j842-xpmm", "CGA-9x7g-9rfp-4xhm", "CGA-gvvw-7w3r-7m54", + "CGA-h79h-32w2-7vmp", + "CGA-jjj9-fv4h-c9cv", "CGA-mvqg-6j62-4pjm", "CGA-vj5f-6mc5-q329", "CGA-whf8-42p9-686q" @@ -40,7 +42,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "3.0.0" }, { "fixed": "3.1.5" @@ -49,48 +51,7 @@ } ], "versions": [ - "2.0", - "2.0rc1", - "2.1", - "2.1.1", - "2.10", - "2.10.1", - "2.10.2", - "2.10.3", - "2.11.0", - "2.11.1", - "2.11.2", - "2.11.3", - "2.2", - "2.2.1", - "2.3", - "2.3.1", - "2.4", - "2.4.1", - "2.5", - "2.5.1", - "2.5.2", - "2.5.3", - "2.5.4", - "2.5.5", - "2.6", - "2.7", - "2.7.1", - "2.7.2", - "2.7.3", - "2.8", - "2.8.1", - "2.9", - "2.9.1", - "2.9.2", - "2.9.3", - "2.9.4", - "2.9.5", - "2.9.6", "3.0.0", - "3.0.0a1", - "3.0.0rc1", - "3.0.0rc2", "3.0.1", "3.0.2", "3.0.3", 
@@ -162,12 +123,14 @@
 ],
 "related": [
 "CGA-48m9-g63w-3pmj",
+ "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
 "CGA-h3v9-xgx5-mrgr",
- "CGA-p9v5-jpj2-q3ww"
+ "CGA-p9v5-jpj2-q3ww",
+ "CGA-rx48-pgcw-gx64"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/sail-requirements.audit.json b/audits/sail-requirements.audit.json
index 41beeb9b..8fa1f093 100644
--- a/audits/sail-requirements.audit.json
+++ b/audits/sail-requirements.audit.json
@@ -10,7 +10,7 @@
 ],
 "vulnerabilities": [
 {
- "modified": "2024-12-26T20:27:33Z",
+ "modified": "2025-01-08T16:26:10Z",
 "published": "2024-12-23T17:54:12Z",
 "schema_version": "1.6.0",
 "id": "GHSA-gmj6-6f8f-6699",
@@ -22,6 +22,8 @@
 "CGA-372m-j842-xpmm",
 "CGA-9x7g-9rfp-4xhm",
 "CGA-gvvw-7w3r-7m54",
+ "CGA-h79h-32w2-7vmp",
+ "CGA-jjj9-fv4h-c9cv",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
 "CGA-whf8-42p9-686q"
@@ -40,7 +42,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "3.1.5"
@@ -49,48 +51,7 @@
 }
 ],
 "versions": [
- "2.0",
- "2.0rc1",
- "2.1",
- "2.1.1",
- "2.10",
- "2.10.1",
- "2.10.2",
- "2.10.3",
- "2.11.0",
- "2.11.1",
- "2.11.2",
- "2.11.3",
- "2.2",
- "2.2.1",
- "2.3",
- "2.3.1",
- "2.4",
- "2.4.1",
- "2.5",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.5.4",
- "2.5.5",
- "2.6",
- "2.7",
- "2.7.1",
- "2.7.2",
- "2.7.3",
- "2.8",
- "2.8.1",
- "2.9",
- "2.9.1",
- "2.9.2",
- "2.9.3",
- "2.9.4",
- "2.9.5",
- "2.9.6",
 "3.0.0",
- "3.0.0a1",
- "3.0.0rc1",
- "3.0.0rc2",
 "3.0.1",
 "3.0.2",
 "3.0.3",
@@ -162,12 +123,14 @@
 ],
 "related": [
 "CGA-48m9-g63w-3pmj",
+ "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
 "CGA-h3v9-xgx5-mrgr",
- "CGA-p9v5-jpj2-q3ww"
+ "CGA-p9v5-jpj2-q3ww",
+ "CGA-rx48-pgcw-gx64"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/audits/vunnel-requirements.audit.json b/audits/vunnel-requirements.audit.json
index 664dc271..a9e9d936 100644
--- a/audits/vunnel-requirements.audit.json
+++ b/audits/vunnel-requirements.audit.json
@@ -10,7 +10,7 @@
 ],
 "vulnerabilities": [
 {
- "modified": "2024-12-26T20:27:33Z",
+ "modified": "2025-01-08T16:26:10Z",
 "published": "2024-12-23T17:54:12Z",
 "schema_version": "1.6.0",
 "id": "GHSA-gmj6-6f8f-6699",
@@ -22,6 +22,8 @@
 "CGA-372m-j842-xpmm",
 "CGA-9x7g-9rfp-4xhm",
 "CGA-gvvw-7w3r-7m54",
+ "CGA-h79h-32w2-7vmp",
+ "CGA-jjj9-fv4h-c9cv",
 "CGA-mvqg-6j62-4pjm",
 "CGA-vj5f-6mc5-q329",
 "CGA-whf8-42p9-686q"
@@ -40,7 +42,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "3.1.5"
@@ -49,48 +51,7 @@
 }
 ],
 "versions": [
- "2.0",
- "2.0rc1",
- "2.1",
- "2.1.1",
- "2.10",
- "2.10.1",
- "2.10.2",
- "2.10.3",
- "2.11.0",
- "2.11.1",
- "2.11.2",
- "2.11.3",
- "2.2",
- "2.2.1",
- "2.3",
- "2.3.1",
- "2.4",
- "2.4.1",
- "2.5",
- "2.5.1",
- "2.5.2",
- "2.5.3",
- "2.5.4",
- "2.5.5",
- "2.6",
- "2.7",
- "2.7.1",
- "2.7.2",
- "2.7.3",
- "2.8",
- "2.8.1",
- "2.9",
- "2.9.1",
- "2.9.2",
- "2.9.3",
- "2.9.4",
- "2.9.5",
- "2.9.6",
 "3.0.0",
- "3.0.0a1",
- "3.0.0rc1",
- "3.0.0rc2",
 "3.0.1",
 "3.0.2",
 "3.0.3",
@@ -162,12 +123,14 @@
 ],
 "related": [
 "CGA-48m9-g63w-3pmj",
+ "CGA-6g29-xf5c-xrq4",
 "CGA-79fr-pvjg-j9xm",
 "CGA-crfr-r549-cvmg",
 "CGA-f7wq-crqm-v76f",
 "CGA-gm37-p355-3fq6",
 "CGA-h3v9-xgx5-mrgr",
- "CGA-p9v5-jpj2-q3ww"
+ "CGA-p9v5-jpj2-q3ww",
+ "CGA-rx48-pgcw-gx64"
 ],
 "summary": "Jinja has a sandbox breakout through indirect reference to format method",
 "details": "An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to execute arbitrary Python code.\n\nTo exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.\n\nJinja's sandbox does catch calls to `str.format` and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's `format` method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.",
diff --git a/requirements/check-jsonschema-requirements.txt b/requirements/check-jsonschema-requirements.txt
index 0833330d..76665fc4 100644
--- a/requirements/check-jsonschema-requirements.txt
+++ b/requirements/check-jsonschema-requirements.txt
@@ -1,7 +1,7 @@
 arrow==1.3.0
-attrs==24.2.0
-charset-normalizer==3.4.0
-click==8.1.7
+attrs==24.3.0
+charset-normalizer==3.4.1
+click==8.1.8
 fqdn==1.5.1
 idna==3.10
 isoduration==20.11.0
@@ -14,10 +14,10 @@ regress==2024.11.1
 requests==2.32.3
 rfc3339-validator==0.1.4
 rfc3987==1.3.8
-rpds-py==0.21.0
-ruamel-yaml==0.18.6
-six==1.16.0
-types-python-dateutil==2.9.0.20241003
+rpds-py==0.22.3
+ruamel-yaml==0.18.7
+six==1.17.0
+types-python-dateutil==2.9.0.20241206
 uri-template==1.3.0
-urllib3==2.2.3
+urllib3==2.3.0
 webcolors==24.11.1
diff --git a/requirements/ggshield-requirements.txt b/requirements/ggshield-requirements.txt
index 3da1fe8d..883c3ddc 100644
--- a/requirements/ggshield-requirements.txt
+++ b/requirements/ggshield-requirements.txt
@@ -1,5 +1,5 @@
 charset-normalizer==3.1.0
-click==8.1.7
+click==8.1.8
 commonmark==0.9.1
 idna==3.10
 marshmallow==3.18.0
@@ -8,14 +8,14 @@ mypy-extensions==1.0.0
 oauthlib==3.2.2
 packaging==24.2
 platformdirs==3.0.0
-pygitguardian==1.18.0
-pygments==2.18.0
+pygitguardian==1.19.0
+pygments==2.19.1
 pyjwt==2.6.0
 python-dotenv==0.21.1
 pyyaml==6.0.2
 requests==2.32.3
 rich==12.5.1
-setuptools==75.6.0
+setuptools==75.7.0
 typing-extensions==4.12.2
 typing-inspect==0.9.0
 urllib3==2.2.3
diff --git a/requirements/kaskade-requirements.txt b/requirements/kaskade-requirements.txt
index 31acd8e5..7f3e1b81 100644
--- a/requirements/kaskade-requirements.txt
+++ b/requirements/kaskade-requirements.txt
@@ -1,16 +1,16 @@
-anyio==4.7.0
+anyio==4.8.0
 attrs==24.3.0
 avro==1.12.0
 cachetools==5.5.0
 charset-normalizer==3.4.1
 click==8.1.8
 cloup==3.0.5
-confluent-kafka==2.7.0
+confluent-kafka==2.8.0
 fastavro==1.10.0
 googleapis-common-protos==1.66.0
 h11==0.14.0
 httpcore==1.0.7
-httpx==0.27.2
+httpx==0.28.1
 idna==3.10
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
@@ -19,8 +19,8 @@ markdown-it-py==3.0.0
 mdit-py-plugins==0.4.2
 mdurl==0.1.2
 platformdirs==4.3.6
-protobuf==5.29.2
-pygments==2.18.0
+protobuf==5.29.3
+pygments==2.19.1
 pyrsistent==0.20.0
 referencing==0.35.1
 requests==2.32.3
diff --git a/requirements/semgrep-requirements.txt b/requirements/semgrep-requirements.txt
index c7b88b8f..db290fea 100644
--- a/requirements/semgrep-requirements.txt
+++ b/requirements/semgrep-requirements.txt
@@ -1,8 +1,8 @@
 attrs==24.3.0
 boltons==21.0.0
 bracex==2.5.post1
-charset-normalizer==3.4.0
-click==8.1.7
+charset-normalizer==3.4.1
+click==8.1.8
 click-option-group==0.5.6
 colorama==0.4.6
 defusedxml==0.7.1
@@ -29,16 +29,16 @@ opentelemetry-util-http==0.46b0
 packaging==24.2
 peewee==3.17.8
 protobuf==4.25.5
-pygments==2.18.0
+pygments==2.19.1
 referencing==0.35.1
 requests==2.32.3
 rich==13.5.3
 rpds-py==0.22.3
-ruamel-yaml==0.18.6
-setuptools==75.6.0
+ruamel-yaml==0.18.10
+setuptools==75.8.0
 tomli==2.0.2
 typing-extensions==4.12.2
-urllib3==2.2.3
+urllib3==2.3.0
 wcmatch==8.5.2
 wrapt==1.17.0
 zipp==3.21.0
diff --git a/requirements/snakemake-requirements.txt b/requirements/snakemake-requirements.txt
index dccb281e..db0ef015 100644
--- a/requirements/snakemake-requirements.txt
+++ b/requirements/snakemake-requirements.txt
@@ -1,7 +1,7 @@
 appdirs==1.4.4
 argparse-dataclass==2.0.0
 attrs==24.3.0
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 conda-inject==1.3.2
 configargparse==1.7
 connection-pool==0.0.3
@@ -9,8 +9,8 @@ datrie==0.8.2
 docutils==0.21.2
 dpath==2.2.0
 fastjsonschema==2.21.1
-gitdb==4.0.11
-gitpython==3.1.43
+gitdb==4.0.12
+gitpython==3.1.44
 humanfriendly==10.0
 idna==3.10
 immutables==0.21
@@ -31,7 +31,7 @@ requests==2.32.3
 reretry==0.11.8
 rpds-py==0.22.3
 smart-open==7.1.0
-smmap==5.0.1
+smmap==5.0.2
 snakemake-interface-common==1.17.4
 snakemake-interface-executor-plugins==9.3.3
 snakemake-interface-report-plugins==1.1.0