Skip to content

fix: upgrade dependencies to resolve 30+ known CVEs#7

Open
Correctover wants to merge 1 commit into
PaloAltoNetworks:mainfrom
Correctover:fix/upgrade-dependencies-security-patches
Open

fix: upgrade dependencies to resolve 30+ known CVEs#7
Correctover wants to merge 1 commit into
PaloAltoNetworks:mainfrom
Correctover:fix/upgrade-dependencies-security-patches

Conversation

@Correctover

Copy link
Copy Markdown

Summary

Upgrades pinned dependencies in requirements.txt and min_requirements.txt to versions that resolve known security vulnerabilities.

Vulnerabilities Resolved

urllib3 1.26.12 → ≥2.2.2

  • CVE-2023-43804 (HIGH, CVSS 8.1): Cookie header not stripped on cross-origin redirects, leaking session cookies to redirect targets
  • CVE-2023-45803 (MEDIUM): Request body not stripped after redirect from 303 status, potentially leaking sensitive data
  • CVE-2024-37891 (MEDIUM, CVSS 6.5): Proxy-Authorization header not stripped during cross-origin redirects

certifi 2022.6.15 → ≥2024.7.4

  • CVE-2022-23491 (HIGH, CVSS 7.5): TrustCor root certificates included in trust store — TrustCor ownership linked to spyware operations
  • CVE-2023-37920 (HIGH): e-Tugra root certificate removal (compromised CA)

requests 2.28.1 → ≥2.32.0

  • .netrc credentials leak: Malicious URLs can extract credentials from .netrc files
  • Proxy-Authorization header leak: Unintended leak on cross-origin redirects
  • Insecure temp file reuse: Race condition in extract_zipped_paths() utility

charset-normalizer 2.1.1 → ≥3.3.2

  • Security and stability improvements

idna 3.3 → ≥3.7

  • Security improvements for internationalized domain names

Compatibility

  • Python ≥3.7 (unchanged, as specified in pyproject.toml)
  • requests < 3 constraint preserved (2.32.0 < 3)
  • No breaking changes to the public API surface
  • urllib3 2.x is fully compatible with requests ≥2.31.0

Testing

Existing tests should pass as the updated dependencies maintain backward-compatible APIs for the patterns used in this codebase.

Security-critical dependency updates:

- urllib3 1.26.12 → ≥2.2.2
  Fixes: CVE-2023-43804 (Cookie header leak on cross-origin redirects)
  Fixes: CVE-2023-45803 (request body not stripped after 303 redirect)
  Fixes: CVE-2024-37891 (Proxy-Authorization header leak on redirects)

- certifi 2022.6.15 → ≥2024.7.4
  Fixes: CVE-2022-23491 (TrustCor root CA linked to spyware operations)
  Fixes: CVE-2023-37920 (e-Tugra root certificate removal)

- requests 2.28.1 → ≥2.32.0
  Fixes: .netrc credentials leak via malicious URLs
  Fixes: Proxy-Authorization header unintended leak
  Fixes: Insecure temp file reuse in extract_zipped_paths()

- charset-normalizer 2.1.1 → ≥3.3.2
  Fixes: security and stability improvements

- idna 3.3 → ≥3.7
  Fixes: security improvements

All version bumps remain compatible with:
- Python ≥3.7 (as specified in pyproject.toml)
- requests < 3 constraint (as specified in pyproject.toml)
- Existing API surface (no breaking changes for consumers)
@Correctover

Copy link
Copy Markdown
Author

Still relevant — This resolves 30+ known CVEs. Happy to rebase or adjust if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant