From ee0653986a90fef2dd51f2b68eb2dbda674a7215 Mon Sep 17 00:00:00 2001
From: Yuri Shevtsov
Date: Tue, 19 Sep 2023 20:17:24 -0400
Subject: [PATCH 1/2] Bump certifi from 2023.5.7 to 2023.7.22

There is a securiy vulnerability for certifi versions <2023.7.22 (see details here: https://nvd.nist.gov/vuln/detail/CVE-2023-37920). Even though this version is only in /examples, it gets detected and flagged by static analysis tools when scanning docker images that have the latest version of pipenv installed.
---
 examples/Pipfile.lock | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/examples/Pipfile.lock b/examples/Pipfile.lock
index cc811cc6..e59f6596 100644
--- a/examples/Pipfile.lock
+++ b/examples/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "8d14434df45e0ef884d6c3f6e8048ba72335637a8631cc44792f52fd20b6f97a"
+ "sha256": "6a44fe37aaf35b2b653e3e4ff422efc6370108bf8a09a43858dfef57f7cd41a8"
 },
 "pipfile-spec": 6,
 "requires": {},
@@ -16,11 +16,12 @@
 "default": {
 "certifi": {
 "hashes": [
- "sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7",
- "sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716"
+ "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082",
+ "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"
 ],
+ "index": "pypi",
 "markers": "python_version >= '3.6'",
- "version": "==2023.5.7"
+ "version": "==2023.7.22"
 },
 "charset-normalizer": {
 "hashes": [

From e6862de9127c9691c3fa2211f8ccbb42758217f7 Mon Sep 17 00:00:00 2001
From: Yuri Shevtsov
Date: Tue, 19 Sep 2023 20:50:38 -0400
Subject: [PATCH 2/2] Add news fragment

---
 news/5941.bugfix.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 news/5941.bugfix.rst

diff --git a/news/5941.bugfix.rst b/news/5941.bugfix.rst
new file mode 100644
index 00000000..8cb05946
--- /dev/null
+++ b/news/5941.bugfix.rst
@@ -0,0 +1 @@
+Bump certifi from 2023.5.7 to 2023.7.22 in /examples to address a security vulnerability