
Upgrade Django to resolve CVEs #15360

Open · wants to merge 1 commit into base: devel

Conversation

cigamit

@cigamit cigamit commented Jul 12, 2024

SUMMARY

Upgrade Django to fix CVE-2024-39329

This will also close out the following CVEs. I don't believe we use the affected code, but our scanners will stop complaining.
CVE-2024-38875
CVE-2024-39330
CVE-2024-39614
CVE-2024-27351

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • Other
AWX VERSION
devel
ADDITIONAL INFORMATION
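A small audit check that mirrors what this PR and the review below ask for (an exact `==` pin on django, and a pin high enough to cover each CVE named in the description). This is an added example, not AWX's own code or tooling; the fixed-version table is taken from Django's security release announcements, not from this PR, and the sample requirements text is constructed from the hunk shown here.

```python
import re

# Earliest Django 4.2.x patch release that fixes each CVE named in the PR.
# Assumed from Django's security release announcements, not from the PR page.
FIXED_IN = {
    "CVE-2024-27351": "4.2.11",
    "CVE-2024-38875": "4.2.14",
    "CVE-2024-39329": "4.2.14",
    "CVE-2024-39330": "4.2.14",
    "CVE-2024-39614": "4.2.14",
}

# name, operator, version, optional trailing "# comment" (as in AWX's requirements file)
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|<|>)\s*([0-9][0-9.]*)\s*(?:#\s*(.*))?$"
)


def parse_version(text):
    """'4.2.14' -> (4, 2, 14), so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_pin(line):
    """Return {'name', 'op', 'version', 'comment'} for a pinned line, else None."""
    match = PIN_RE.match(line)
    if not match:
        return None
    name, op, version, comment = match.groups()
    return {"name": name.lower(), "op": op, "version": version, "comment": (comment or "").strip()}


def audit_django_pin(requirements_text):
    """List findings for the django line: missing pin, non-exact pin, or a CVE not yet covered."""
    findings = []
    pins = [p for p in map(parse_pin, requirements_text.splitlines()) if p]
    django = next((p for p in pins if p["name"] == "django"), None)
    if django is None:
        return ["django is not pinned"]
    if django["op"] != "==":  # project policy on this PR: django stays exactly pinned
        findings.append(f"django uses '{django['op']}' rather than an exact '==' pin")
    have = parse_version(django["version"])
    for cve, fixed in sorted(FIXED_IN.items()):
        if have < parse_version(fixed):
            findings.append(f"{cve}: pinned {django['version']} is below fixed {fixed}")
    return findings


# Constructed sample reproducing the hunk in this PR, before and after the bump.
BEFORE = "Cython<3 # due to https://github.com/yaml/pyyaml/pull/702\ndaphne\ndistro\ndjango==4.2.10 # CVE-2024-24680\n"
AFTER = BEFORE.replace("django==4.2.10 # CVE-2024-24680", "django==4.2.14 # CVE-2024-39329")
```

Running `audit_django_pin(BEFORE)` reports all five CVEs; `audit_django_pin(AFTER)` returns an empty list.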

@github-actions github-actions bot added dependencies Pull requests that update a dependency file community labels Jul 12, 2024
@@ -12,7 +12,7 @@ cryptography>=41.0.7 # CVE-2023-49083
Cython<3 # due to https://github.com/yaml/pyyaml/pull/702
daphne
distro
django==4.2.10 # CVE-2024-24680
django==4.2.14 # CVE-2024-39329
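Review bot: the inline comment on the new pin records only CVE-2024-39329, while the PR description says the same bump also closes CVE-2024-38875, CVE-2024-39330, CVE-2024-39614 and CVE-2024-27351; recording all of them on the line, e.g. `django==4.2.14 # CVE-2024-39329, CVE-2024-38875, CVE-2024-39330, CVE-2024-39614, CVE-2024-27351`, keeps the reason for the pin traceable from the requirements file alone, the same way the neighbouring `cryptography>=41.0.7 # CVE-2023-49083` comment does for its own bump.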
Member
@thedoubl3j we should probably unpin this? like >= instead of ==?

Member
no, we do not unpin django.

Member

@thedoubl3j thedoubl3j left a comment

changes are minimal and no other deps need bumps with this. 4 in 1. thanks @cigamit
